eapol_test giving up and win-like error?
Hi all. I think I'm near to correctly configure my server... but I incur in a situation that IIUC should be related to win clients only: I get -8<-- WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING: !! EAP session for state 0x6ac8f8c260c3e171 did not finish! WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! -8<-- message and *eapol_test* (run from a *linux* machine!) gives up after about 10 seconds. I checked the FAQ, but couldn't find anything useful. The certs I'm using are from internal CA (actually from an internal intermediate CA, cert chain is certs/ca.pem and is 4.5k; root CA's self-signed cert is pointed by ca_cert= in eapol_test's config file). Server is a plain Debian Squeeze, plus SAMBA 3.5.6 and FreeRADIUS 2.1.10 . Domain is correctly joined and winbindd is running. I followed steps described in http://deployingradius.com/documents/configuration/active_directory.html (then noticed that the two references to ntlm_auth in authenticate sections aren't needed for mschapv2: ntlm_auth gets called by mschap module). The complete output from freeradius -X is: FreeRADIUS Version 2.1.10, for host x86_64-pc-linux-gnu, built on Nov 14 2010 at 21:12:30 Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /etc/freeradius/radiusd.conf including configuration file /etc/freeradius/proxy.conf including configuration file /etc/freeradius/clients.conf including files in directory /etc/freeradius/modules/ including configuration file /etc/freeradius/modules/smsotp including configuration file /etc/freeradius/modules/smbpasswd including configuration file /etc/freeradius/modules/krb5 including configuration file /etc/freeradius/modules/radutmp including configuration file /etc/freeradius/modules/digest including configuration file /etc/freeradius/modules/echo including configuration file /etc/freeradius/modules/ntlm_auth including configuration file /etc/freeradius/modules/logintime including configuration file /etc/freeradius/modules/attr_filter including configuration file /etc/freeradius/modules/otp including configuration file /etc/freeradius/modules/detail including configuration file /etc/freeradius/modules/etc_group including configuration file /etc/freeradius/modules/policy including configuration file /etc/freeradius/modules/pap including configuration file /etc/freeradius/modules/attr_rewrite including configuration file /etc/freeradius/modules/detail.example.com including configuration file /etc/freeradius/modules/counter including configuration file /etc/freeradius/modules/inner-eap including configuration file /etc/freeradius/modules/chap including configuration file /etc/freeradius/modules/ldap including configuration file /etc/freeradius/modules/mac2ip including configuration file /etc/freeradius/modules/exec including configuration file /etc/freeradius/modules/acct_unique including configuration file /etc/freeradius/modules/detail.log including configuration file /etc/freeradius/modules/realm including configuration file /etc/freeradius/modules/expr including configuration file /etc/freeradius/modules/passwd including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login including configuration file /etc/freeradius/modules/mac2vlan including configuration file /etc/freeradius/modules/preprocess including configuration file /etc/freeradius/modules/expiration including configuration file /etc/freeradius/modules/files including configuration file /etc/freeradius/modules/wimax including configuration file /etc/freeradius/modules/always including configuration file /etc/freeradius/modules/perl including configuration file /etc/freeradius/modules/ippool including configuration file /etc/freeradius/modules/pam including configuration file /etc/freeradius/modules/sql_log including configuration file /etc/freeradius/modules/dynamic_clients including configuration file /etc/freeradius/modules/linelog including configuration file /etc/freeradius/modules/checkval including configuration file /etc/freeradius/modules/sradutmp including configuration file /etc/freeradius/modules/unix including configuration file /etc/freeradius/modules/cui including configuration file /etc/freeradius/modules/mschap including configuration file /etc/freeradius/modules/opendirectory including configuration file /etc/freeradius/eap.conf including configuration file /etc/freeradius/policy.conf including files in directory /etc/freeradius/sites-enabled/ including configuration file /etc/freeradius/sites-enabled/default including configuration file /etc/freeradius/sites-enabled/inner-tunnel main { user = "freerad" group = "freerad" allow_core_dumps = no } including dictionary file /etc/freeradius/dictionary main { prefix = "/usr" localstatedir = "/var" logdir = "/var/log/freeradius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/freeradius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/var/run/freeradius/freeradius.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 require_message_authenticator = yes zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 irt = 2 mrt = 16 mrc = 5 mrd = 30 } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" nastype = "other" } client 137.204.65.161 { require_message_authenticator = no secret = "testing123qaz" } client 137.204.65.96 { require_message_authenticator = no secret = "testing123qaz" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating module "exec" from file /etc/freeradius/modules/exec exec { wait = no input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating module "expr" from file /etc/freeradius/modules/expr Module: Linked to module rlm_expiration Module: Instantiating module "expiration" from file /etc/freeradius/modules/expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating module "logintime" from file /etc/freeradius/modules/logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating module "pap" from file /etc/freeradius/modules/pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating module "chap" from file /etc/freeradius/modules/chap Module: Linked to module rlm_mschap Module: Instantiating module "mschap" from file /etc/freeradius/modules/mschap mschap { use_mppe = no require_encryption = no require_strong = no with_ntdomain_hack = yes ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{mschap:User-Name}:-%{User-Name:-None}} --domain=%{%{mschap:NT-Domain}:-PERSONALE} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" } Module: Linked to module rlm_unix Module: Instantiating module "unix" from file /etc/freeradius/modules/unix unix { radwtmp = "/var/log/freeradius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating module "eap" from file /etc/freeradius/eap.conf eap { default_eap_type = "md5" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 CA_path = "/etc/freeradius/certs" pem_file_type = yes private_key_file = "/etc/freeradius/certs/server.key" certificate_file = "/etc/freeradius/certs/server.pem" CA_file = "/etc/freeradius/certs/ca.pem" private_key_password = "whatever" dh_file = "/etc/freeradius/certs/dh" random_file = "/dev/urandom" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" make_cert_command = "/etc/freeradius/certs/bootstrap" cache { enable = no lifetime = 24 max_entries = 255 } verify { } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_realm Module: Instantiating module "suffix" from file /etc/freeradius/modules/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating module "files" from file /etc/freeradius/modules/files files { usersfile = "/etc/freeradius/users" acctusersfile = "/etc/freeradius/acct_users" preproxy_usersfile = "/etc/freeradius/preproxy_users" compat = "no" } Module: Checking session {...} for more modules to load Module: Linked to module rlm_radutmp Module: Instantiating module "radutmp" from file /etc/freeradius/modules/radutmp radutmp { filename = "/var/log/freeradius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Linked to module rlm_attr_filter Module: Instantiating module "attr_filter.access_reject" from file /etc/freeradius/modules/attr_filter attr_filter attr_filter.access_reject { attrsfile = "/etc/freeradius/attrs.access_reject" key = "%{User-Name}" } } # modules } # server server { # from file /etc/freeradius/radiusd.conf modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_digest Module: Instantiating module "digest" from file /etc/freeradius/modules/digest Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating module "preprocess" from file /etc/freeradius/modules/preprocess preprocess { huntgroups = "/etc/freeradius/huntgroups" hints = "/etc/freeradius/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating module "acct_unique" from file /etc/freeradius/modules/acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating module "detail" from file /etc/freeradius/modules/detail detail { detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/modules/attr_filter attr_filter attr_filter.accounting_response { attrsfile = "/etc/freeradius/attrs.accounting_response" key = "%{User-Name}" } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 137.204.65.96 port 37126, id=0, length=154 User-Name = "PERSONALE\\diego.zuccato" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x0200001c01504552534f4e414c455c646965676f2e7a75636361746f Message-Authenticator = 0xc68141559c87212c55a2b2741272d0dd # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "PERSONALE\diego.zuccato", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 0 length 28 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type md5 rlm_eap_md5: Issuing Challenge ++[eap] returns handled Sending Access-Challenge of id 0 to 137.204.65.96 port 37126 EAP-Message = 0x010100160410dc4a25c479305ea4fe8c21f192a4dca4 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x43ef683543ee6c2a6e7507d0df55eb21 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 137.204.65.96 port 37126, id=1, length=150 User-Name = "PERSONALE\\diego.zuccato" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020100060319 State = 0x43ef683543ee6c2a6e7507d0df55eb21 Message-Authenticator = 0x4edf220dd0140e17c8aa0857f1b5e29d # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "PERSONALE\diego.zuccato", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 1 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP NAK [eap] EAP-NAK asked for EAP-Type/peap [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 1 to 137.204.65.96 port 37126 EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x43ef683542ed712a6e7507d0df55eb21 Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 137.204.65.96 port 37126, id=2, length=362 User-Name = "PERSONALE\\diego.zuccato" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020200da1980000000d016030100cb010000c703014f16ccffb3c34f03f4a77654249ab0c21036cd3ece504dc05416ca3a2aea6a2900005ac014c00a0039003800880087c00fc00500350084c012c00800160013c00dc003000ac013c00900330032009a009900450044c00ec004002f00960041c011c007c00cc002000500040015001200090014001100080006000300ff01000044000b000403000102000a00340032000100020003000400050006000700080009000a000b000c000d000e000f001000110012001300140015001600170018001900230000 State = 0x43ef683542ed712a6e7507d0df55eb21 Message-Authenticator = 0x4c68e829881215fc01e273ba9cf55d20 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "PERSONALE\diego.zuccato", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 2 length 218 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 208 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 00cb], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 0031], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 11ab], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 018d], ServerKeyExchange [peap] TLS_accept: SSLv3 write key exchange A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 2 to 137.204.65.96 port 37126 EAP-Message = 0x0103040019c00000138116030100310200002d03014f16ccfd1c402dae323a0ef21e5d8a5afe0821a5d3dda9f1705e28a95d80f6f9000039000005ff0100010016030111ab0b0011a70011a40004d6308204d2308202baa003020102020112300d06092a864886f70d01010505003081ba310b3009060355040613024954310e300c060355040813054974616c793110300e06035504071307426f6c6f676e61311e301c060355040a1315556e697665727369746120646920426f6c6f676e6131233021060355040b131a446970617274696d656e746f20646920417374726f6e6f6d69613120301e06035504031317417374726f6e6f6d6961202d20 EAP-Message = 0x434120536572766572733122302006092a864886f70d0109011613646970617374722e736940756e69626f2e69743020170d3131313130383030303030305a180f39393939313233313233353935395a3081bd310b3009060355040613024954310e300c060355040813054974616c793110300e06035504071307426f6c6f676e61311e301c060355040a1315556e697665727369746120646920426f6c6f676e6131233021060355040b131a446970617274696d656e746f20646920417374726f6e6f6d6961312330210603550403131a7261646975732e617374726f6e6f6d69612e756e69626f2e69743122302006092a864886f70d0109011613 EAP-Message = 0x646970617374722e736940756e69626f2e697430819f300d06092a864886f70d010101050003818d0030818902818100c1c3b4a6e9b5fce7249f5440a7511ece035a791f3f621a91d6acbbbb5798f2f1ead6707f98fbeafe84b1593dd3a3794c69b43bff8314a380f52a44db1260043aea665a33823ef1772256b84440d6133ef83f7f2c38b5faf7f1643263c305d7c0fc140c5775b4ea392689908388fa8b973e1e58eb51512e695a011a6d01a3bf970203010001a360305e300c0603551d130101ff04023000301d0603551d0e041604146da6e750d66a1d54e6bbd913a5d85f72e4107999300b0603551d0f0404030205e0300f0603551d11040830 EAP-Message = 0x06870489cc4163301106096086480186f8420101040403020640300d06092a864886f70d0101050500038202010044824e99f11f014714ccfbccd8cba334673d130458ed773eb9fcf1749119e6cbdbbf6195b3e4985e0feaf58ee9f3c2dd284c2b44c5234d23b9428967b822917a65176be6b47985c4ba224df66a5f3b8627f855b53a867e7c8148327dbd43558c9352dc61fbdf59c0570118c2c3c6bc191198b2fa3dc5b4f3cf07b26c1245016c75823bd3e8ea1bd2c7a1dc3fda0ae658ea9a6609a0120f51bd34c64d82b2d094cd3ed063efc2272d0bf6d9440021b9c6827f561656de9b9197c76fc8597ac7b2ac50cd259cdf6145ff80951bdb41a0 EAP-Message = 0xf4833fe432eb73f52556205b Message-Authenticator = 0x00000000000000000000000000000000 State = 0x43ef683541ec712a6e7507d0df55eb21 Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 137.204.65.96 port 37126, id=3, length=150 User-Name = "PERSONALE\\diego.zuccato" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020300061900 State = 0x43ef683541ec712a6e7507d0df55eb21 Message-Authenticator = 0xe97e4b03dcea854e92f7807e5a1fec21 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "PERSONALE\diego.zuccato", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 3 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 3 to 137.204.65.96 port 37126 EAP-Message = 0x010403fc194013bef304b9b36fd11da95506f7d0ab98d840cc7954ad54619d25a1c07b212902891f1794db9f34496061f993fc975d3383950d58532953b20a516368420d7a1e7b6aaf99cdd32751ea6284092c12b409661afd56165ba3631aceb357115c0de589b66b975930ec93b4f5b1f3bb61858933eb89948a83c0c36d04dd42b59be638427449adba16a390966e64142fc1ba27dba01edd849b8ec8b4ccbbc794c32b0d810a246a8474e0f6b1e49f5cbc8989187f88dd3236507943a11c9ef419c54f05087b6bb0d33e6cb8ee517969594ff8b5e645141c9728786e4d5cb7442bc1ea464003af25294dc9f995b66fe32f25d057592181ef6e91d0 EAP-Message = 0xe7d75768520aef64038d6fba149898a05526ceadd05589b6dde0088d47baff4351da66d5f9f1f40ed2e3b31d09d00006643082066030820448a003020102020102300d06092a864886f70d01010505003081b7310b3009060355040613024954310e300c060355040813054974616c793110300e06035504071307426f6c6f676e61311e301c060355040a1315556e697665727369746120646920426f6c6f676e6131233021060355040b131a446970617274696d656e746f20646920417374726f6e6f6d6961311d301b06035504031314417374726f6e6f6d6961202d20526f6f742043413122302006092a864886f70d0109011613646970617374 EAP-Message = 0x722e736940756e69626f2e6974301e170d3131303431333130333730305a170d3231303431333130333430305a3081ba310b3009060355040613024954310e300c060355040813054974616c793110300e06035504071307426f6c6f676e61311e301c060355040a1315556e697665727369746120646920426f6c6f676e6131233021060355040b131a446970617274696d656e746f20646920417374726f6e6f6d69613120301e06035504031317417374726f6e6f6d6961202d20434120536572766572733122302006092a864886f70d0109011613646970617374722e736940756e69626f2e697430820222300d06092a864886f70d0101010500 EAP-Message = 0x0382020f003082020a0282020100c9a65b653687e1f4bf0d007c1b3aae71b27e2ff3b067da0b00dfbcbf0caf2c00604895c08456621a269599dcc830617f93d9c1deab2811dfd06be62d67b54ca64a5949b6bd8497ec291da11d93f2a2e587db880d812a98c5fda02b3679a241c7cdce479bbc700f03838935a1c53798e14992dce210fad9e9ba9bfd11dc190b32974bd4be6ae0df5c7dce19c7361a16457a3ca455d03d5cdc779d16683f7341e91aecc7700d227730e266b59b9c7e60b44d40a65bbfec45ba31ec7b02123c27edf85863965edf64b3baf16fc717fff7a1e3e836cce5af3998c1f652b61e94ad3c0d929b94dc29a23cf4a4756c786055 EAP-Message = 0x57c1c75cb275e2dc Message-Authenticator = 0x00000000000000000000000000000000 State = 0x43ef683540eb712a6e7507d0df55eb21 Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 137.204.65.96 port 37126, id=4, length=150 User-Name = "PERSONALE\\diego.zuccato" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020400061900 State = 0x43ef683540eb712a6e7507d0df55eb21 Message-Authenticator = 0x9e08902da5fd2b646400ed4b41e91a21 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "PERSONALE\diego.zuccato", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 4 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 4 to 137.204.65.96 port 37126 EAP-Message = 0x010503fc1940497db7ae62ebca425e91325041df3a0972986b9982f7371bd4b07e006d76de0b75c503345e77d85993d80e68402d8066603ccf88e2a2d326c6ebc6a7af4ee4fc20e5e9db1d9453305b2ed641b1aa87eeaebd1f19a814b71b8b217f93de4891037d8ace80d28d00228cacb32fac30040ee1d17085b30fdbc11703f26fec9db2e33c058fcbbd69e6504b2bd43b292c32f1b1848892dd33e3439d7f1d3e4375e030ec9be5a2ef407d6d85591c43208690b9c257bdb61e0b6e68b9bf1359ea4d08b11ba6a90019e964b3190c4005bf032c72408d3ae0c1b87fa069ed65c7cc25e0de88ab5b723cc11a10d0bc6c6e2e48f11e1c2c8932bb35bc EAP-Message = 0x5bdaf7c2cc256a9dc7993d847f302df8eccf0203010001a3723070300f0603551d130101ff040530030101ff301d0603551d0e04160414bb0d326895f83bd24f85fcfaeabee6cc8a5e5686300b0603551d0f040403020106301106096086480186f8420101040403020007301e06096086480186f842010d0411160f786361206365727469666963617465300d06092a864886f70d0101050500038202010069f6c733df3066b2cf7705a1f4deb879d2c43ccab1b3d44fb22287067333f0517f99f9a07f62b5978fa9e902900370d50c0564d7855beed40c88831d65d07ca6698d4ee10305e0c488e88c1edd57ff1c02a0679cab0af5417459f650aeef EAP-Message = 0x63d5f84fe63dccfc660b1381be5b08341ae7c60ac2c7a5ae1804c253c108bae37c3841472c01cc4fdff69ec7f4636dd47d07836933d9d00cfd445419d2877c82e0a8cea2da6b1f03cd1c583a0873cfa4570ec0aff784d75f5524b66ddf3b0ea2d76d2d51d665c8976babf7fabf17898b3863a6046de6c4e577a726531a141a298c901279807ec540bb6bd07421c74b5ee3e7c0b0002e41e8ae1466b53026a26f95bfa23ae5b3d8b8cdb4bc559a180ffb6bfe375900350f2828889e3c7534fd0efd544b2784efe655c6d8c6fb6d3afe60c877533bef905dca4eacf5a049d76e9f8276cd0eccabc0eccdb1e1e84652ebc8fe6336de3cb78cdb2972929135 EAP-Message = 0xc1fb48eb425e4cbadee88635e5d31cd6f92e459a8060931ca72220f652ecdb6158e6a8362f958d3cda07254a07fa4ead61be4c045ea160919d6b54425411f8871810b5ec45fe79cd08c696dd86f561b15fc6e990d40c14876cb49be71ddbe5a0e884a7a9f418f3a900d72287f2749d4d7a3110aab60298f2b187d3b2e4240ddebdbc520cfa91ddf780f8ab925af7685f5d226b696b58a84a9337b192147712f03b9bd36b320006613082065d30820445a003020102020101300d06092a864886f70d01010505003081b7310b3009060355040613024954310e300c060355040813054974616c793110300e06035504071307426f6c6f676e61311e301c EAP-Message = 0x060355040a131555 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x43ef683547ea712a6e7507d0df55eb21 Finished request 4. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 137.204.65.96 port 37126, id=5, length=150 User-Name = "PERSONALE\\diego.zuccato" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020500061900 State = 0x43ef683547ea712a6e7507d0df55eb21 Message-Authenticator = 0x91d8e3c1b56da793b962e80700e26bf2 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "PERSONALE\diego.zuccato", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 5 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 5 to 137.204.65.96 port 37126 EAP-Message = 0x010603fc19406e697665727369746120646920426f6c6f676e6131233021060355040b131a446970617274696d656e746f20646920417374726f6e6f6d6961311d301b06035504031314417374726f6e6f6d6961202d20526f6f742043413122302006092a864886f70d0109011613646970617374722e736940756e69626f2e6974301e170d3131303431333130333430305a170d3231303431333130333430305a3081b7310b3009060355040613024954310e300c060355040813054974616c793110300e06035504071307426f6c6f676e61311e301c060355040a1315556e697665727369746120646920426f6c6f676e6131233021060355040b EAP-Message = 0x131a446970617274696d656e746f20646920417374726f6e6f6d6961311d301b06035504031314417374726f6e6f6d6961202d20526f6f742043413122302006092a864886f70d0109011613646970617374722e736940756e69626f2e697430820222300d06092a864886f70d01010105000382020f003082020a0282020100b572b5d8c13ea37504ee78aa1797f2fd41bae7fcdbbe347b2e82ccb435e534ba0f3a86e855325864418e9a257c6ba9a235490a863d975525a0c61686bacc4c6a2bd72ae802168723c92e69ec9c607c14bab310d68a22d50bc26b67256530554e90110e50adda28f09bb2eb39287b0515b3d5647d28d45de0f483998a15 EAP-Message = 0x71276b02173ab7fcf982697be48847eafd4f3b2a82dc48be9d5a1b5099e012455d40694118097125da6ffb233804f7cae4df233d8269c94afe552d1df57e941087cd758d3bf1a84716470b1d163e61de926f76b1d8a593484ba9e2d9a6f2dbfd2bbe6eaf0297b491c7d2963e497759c90439ef565dbb9ca07afd7acdcd4637652ab48cd2c0d0b71f84881788b1314b40d43e67729cfdefa44d078f16bbf423da10a0cc0911f46afb31ef3c9e03e2fe84808249bd9d58129a6977643b0b2ff1836c41c7f9df69879ecd99a8aacfc951d49dbf311e51ffa4b69f4ce2c0a0c1315d15c0b2c25ed37ef40dd9a1205adce6ce1a45c4e17623d4347025e11e9a EAP-Message = 0xa3284539579fce75d6bb213cb35fd75b22fa9764c34521f8e1f7eca57effa5c78145ab38278e73a25e4ab9e02da62ebe6560a65e4e9e92d35766f7aafc516acc177dbd84e56415f23b93832120a851a012534bf744c46bf37f7258f99697f7d9c7bbad728d63c7dec47b6a9cf6e1288d04e15c8d308296e645517fc297564d06d4e9c76715f10203010001a3723070300f0603551d130101ff040530030101ff301d0603551d0e04160414c82d02f0845d318f4982f8ee767edf32386b435d300b0603551d0f040403020106301106096086480186f8420101040403020007301e06096086480186f842010d0411160f78636120636572746966696361 EAP-Message = 0x7465300d06092a86 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x43ef683546e9712a6e7507d0df55eb21 Finished request 5. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 137.204.65.96 port 37126, id=6, length=150 User-Name = "PERSONALE\\diego.zuccato" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020600061900 State = 0x43ef683546e9712a6e7507d0df55eb21 Message-Authenticator = 0x077edb2d3f7d2398c30c8ca6cfcd209c # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "PERSONALE\diego.zuccato", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 6 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 6 to 137.204.65.96 port 37126 EAP-Message = 0x010703af19004886f70d010105050003820201008e9eed3d5cab551c140a2f7a7dc07e8343a21484b60e617e7f9642923c8b976534393d89c5ca72ba6388e878f730f2c45e327b3e05b6bcc3d1d168f06964d9b65c3a6e57c6c376a3b571c092ad0361b0dc4c9bde733f918c41dda48051dff54a7f28616bec00e865abf462533cfd0313a0ddc716844075ed48821e50527728527548ace4f8fa1e6fba70e0bfdb68f5047e4873ebe08cd10874d51823b780ca1406d1c0e864c866888a61cffe76a81e521bbb95be971095789fa1a05b349060e38f543a94372060c15db0eceb71e6e901554a65a98ff82fb5e015af6c3f359aefce149108ba56832a76 EAP-Message = 0x0ccbf811a7b147b57abe282b2f976b874e5d874b4e68b6049f823747eaa603b1d49386876d3f30ce48cb824a34f3334ed56fd85b6b0c52839cda6fffd8a4e58612e29ab9e4790c71dcfaab93a7ba27906745479013f71482d1847cdc32a157fb224a4967d12442112d1d4cb5b27d855399b36e7a6094945cd0dd1d62c8f5b12c44577fc41ec88148a936bffc4155e2471052751decb392dc9ac949b6b571919fb73e06e2cf9fa49f651d690cb2fdd28e4fe9eac7d69e83687a361ced306d185a7c33847c4b11e898a56b46bd6cf06e91a13e77830347dce154020c99b3b1137d6eaaa9bb3e986ad58658cac5325e3205fe1e1aa40f4376ebad56e32738 EAP-Message = 0xaf4629f89f2260261926dbef1e7b538135e845ea5a3f30ca58bc160301018d0c000189008086af5afd81c88476eb4edc6626f30532fc1c25e7fada2ff7f4e984cc33c8f686d5e84b9280c055086728ae16e62b8290c7b385605b8d78891b76b90c6f4079994972d901ff1808add6780846d0764e95394517eee4210bec51c4c21ea3585ed5ccb42f551589f73c5edaec4e85096cfcb129515e33580e35c65bc9a884774f73000102008057e7a7868b2f9d6622e844bcd694740942fc76f79eafdeb7e5a28d52410ef7f5b9995ee56f8b65bed8de7a5bc66e648a48375658ce1ce1554f56b09c98863fde3c626d9e2384cc540ec794038e1d768d7b4676 EAP-Message = 0xb7377cd6c3e2bc0560065d66f46f1cf1802f5c5c309ef2d7156c4709fc094fe932a2e4f553aff9247e6cc8d1d60080209fb36f0a4e491d426154c9f662928c6445de6500998cb2b80a31771909359d6937b561e921877fb7632e2dce99a514c758abcad7e532a631a5beea379bec1cb119ae9a8fca9d8e876737f7077dbccacc5602f69445d55c5854c39e44dbb7f587d6333461ca65b220927bcbfdc01ca1c61d49a0145e663b6c763d233c29516816030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x43ef683545e8712a6e7507d0df55eb21 Finished request 6. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 137.204.65.96 port 37126, id=7, length=352 User-Name = "PERSONALE\\diego.zuccato" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020700d01980000000c6160301008610000082008058cb301e009d8318a60397ed75c8861dd36756ba2532b32838c82c63fa01249f74e1c82e7135b99af9f09cbaa421dd2ce762f4ee6cd653997fa66efb83e6eaf0c759aa67254341e7757487383ca57593ad791519575b775f4621f717f33504c13fdb6d446ce886d493c4a90d876de51c7fc2c13e25ec6e5ab26fad4279f7db7614030100010116030100300dede37dfec28dc8fa13099ce8dfaf7fcb620f48ac259780509a498d305d802212a9e74110e87c0de8945581b1b76d41 State = 0x43ef683545e8712a6e7507d0df55eb21 Message-Authenticator = 0x914cd62018f2bacb1b5e43844427bfe2 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "PERSONALE\diego.zuccato", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 7 length 208 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 198 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 7 to 137.204.65.96 port 37126 EAP-Message = 0x010800411900140301000101160301003077355cb0da486b0aea4ca9ed045399695f9f681ed77edc1ced530c75ee8779af5a6e22760acf506e1ff11ff69292a1c0 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x43ef683544e7712a6e7507d0df55eb21 Finished request 7. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 137.204.65.96 port 37126, id=8, length=150 User-Name = "PERSONALE\\diego.zuccato" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020800061900 State = 0x43ef683544e7712a6e7507d0df55eb21 Message-Authenticator = 0x95f257485417d82e8bf94ed289656605 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "PERSONALE\diego.zuccato", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 8 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS [peap] Session established. Decoding tunneled attributes. [peap] Peap state TUNNEL ESTABLISHED ++[eap] returns handled Sending Access-Challenge of id 8 to 137.204.65.96 port 37126 EAP-Message = 0x0109002b1900170301002011b3a4baaef394361a7512b0601adb69cd64e7af2263a874925458c57cbb06d5 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x43ef68354be6712a6e7507d0df55eb21 Finished request 8. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 137.204.65.96 port 37126, id=9, length=240 User-Name = "PERSONALE\\diego.zuccato" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x0209006019001703010020ca89e914288890073989835b87135e61d123f1b99c9e9dbb59bd00e538fe267017030100303a5233f9f866703fc729d93881a51dfafcf7c271b58e4ad2025ca975dc66e1f50926ecc360a99ed05e0484657b041e79 State = 0x43ef68354be6712a6e7507d0df55eb21 Message-Authenticator = 0x53a08dffdbbacff3b1b6fba2481f6a23 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "PERSONALE\diego.zuccato", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 9 length 96 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state WAITING FOR INNER IDENTITY [peap] Identity - PERSONALE\diego.zuccato [peap] Got inner identity 'PERSONALE\diego.zuccato' [peap] Setting default EAP type for tunneled EAP session. [peap] Got tunneled request EAP-Message = 0x0209001c01504552534f4e414c455c646965676f2e7a75636361746f server { PEAP: Setting User-Name to PERSONALE\diego.zuccato Sending tunneled request EAP-Message = 0x0209001c01504552534f4e414c455c646965676f2e7a75636361746f FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "PERSONALE\\diego.zuccato" server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "PERSONALE\diego.zuccato", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 9 length 28 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x010a00311a010a002c107cfe362585aadb4fa23845b02bcfe01d504552534f4e414c455c646965676f2e7a75636361746f Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd1443252d14e285c0e8360ebb6b84386 [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x010a00311a010a002c107cfe362585aadb4fa23845b02bcfe01d504552534f4e414c455c646965676f2e7a75636361746f Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd1443252d14e285c0e8360ebb6b84386 [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 9 to 137.204.65.96 port 37126 EAP-Message = 0x010a005b19001703010050f9cbc0b02898cb8b33b5aadcf2e5d786e51996bf476af50b8bac872bf606a14a926337af4751a874a5d9847d53369d80d8176dcc4b04a7d78c9d24b8793710676b922857e73b358ee7614e9ff31ff80a Message-Authenticator = 0x00000000000000000000000000000000 State = 0x43ef68354ae5712a6e7507d0df55eb21 Finished request 9. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 137.204.65.96 port 37126, id=10, length=304 User-Name = "PERSONALE\\diego.zuccato" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020a00a01900170301002008596c1f4e70f289a40e621c9dcf0ca40054e79c53f3e2388597359078fe736f1703010070f7b6bde3723b7339008514fd27e63539ac816a7ad2b544ba51e6d690a98eb2985001bb97e6f4ece90a0f0ce5f8680c419e69036afd840b4d9db82fbf2d7f23ec150e3f114d9dfa21a178c3fe04182c840280a7c9a3881db001030c51d19214a245322d9693b21991dc342a7c361803e6 State = 0x43ef68354ae5712a6e7507d0df55eb21 Message-Authenticator = 0x87426031892e2deae424d6c68b5add28 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "PERSONALE\diego.zuccato", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 10 length 160 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x020a00521a020a004d315a07b47ea772821852bfa4a104f82bda000000000000000060eb877432cb1abb8ee542673b52a0350cf856409285d6ac00504552534f4e414c455c646965676f2e7a75636361746f server { PEAP: Setting User-Name to PERSONALE\diego.zuccato Sending tunneled request EAP-Message = 0x020a00521a020a004d315a07b47ea772821852bfa4a104f82bda000000000000000060eb877432cb1abb8ee542673b52a0350cf856409285d6ac00504552534f4e414c455c646965676f2e7a75636361746f FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "PERSONALE\\diego.zuccato" State = 0xd1443252d14e285c0e8360ebb6b84386 server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "PERSONALE\diego.zuccato", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 10 length 82 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel [mschapv2] +- entering group MS-CHAP {...} [mschap] Creating challenge hash with username: diego.zuccato [mschap] Told to do MS-CHAPv2 for diego.zuccato with NT-Password [mschap] expand: %{mschap:User-Name} -> diego.zuccato [mschap] expand: --username=%{%{mschap:User-Name}:-%{User-Name:-None}} -> --username=diego.zuccato [mschap] expand: %{mschap:NT-Domain} -> PERSONALE [mschap] expand: --domain=%{%{mschap:NT-Domain}:-PERSONALE} -> --domain=PERSONALE [mschap] mschap2: 7c [mschap] Creating challenge hash with username: diego.zuccato [mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=a386f8c169a1c226 [mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=60eb877432cb1abb8ee542673b52a0350cf856409285d6ac Exec-Program output: NT_KEY: 9BB45778B8201310A484C797422B8D27 Exec-Program-Wait: plaintext: NT_KEY: 9BB45778B8201310A484C797422B8D27 Exec-Program: returned: 0 ++[mschap] returns ok MSCHAP Success ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x010b00331a030a002e533d37343331453632374644453739373334444344324534393334414138303431343633384142373037 Message-Authenticator = 0x00000000000000000000000000000000 [mschapv2] +- entering group MS-CHAP {...} [mschap] Creating challenge hash with username: diego.zuccato [mschap] Told to do MS-CHAPv2 for diego.zuccato with NT-Password [mschap] expand: %{mschap:User-Name} -> diego.zuccato [mschap] expand: --username=%{%{mschap:User-Name}:-%{User-Name:-None}} -> --username=diego.zuccato [mschap] expand: %{mschap:NT-Domain} -> PERSONALE [mschap] expand: --domain=%{%{mschap:NT-Domain}:-PERSONALE} -> --domain=PERSONALE [mschap] mschap2: 7c [mschap] Creating challenge hash with username: diego.zuccato [mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=a386f8c169a1c226 [mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=60eb877432cb1abb8ee542673b52a0350cf856409285d6ac Exec-Program output: NT_KEY: 9BB45778B8201310A484C797422B8D27 Exec-Program-Wait: plaintext: NT_KEY: 9BB45778B8201310A484C797422B8D27 Exec-Program: returned: 0 ++[mschap] returns ok MSCHAP Success ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x010b00331a030a002e533d37343331453632374644453739373334444344324534393334414138303431343633384142373037 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd1443252d04f285c0e8360ebb6b84386 [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x010b00331a030a002e533d37343331453632374644453739373334444344324534393334414138303431343633384142373037 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd1443252d04f285c0e8360ebb6b84386 [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 10 to 137.204.65.96 port 37126 EAP-Message = 0x010b005b1900170301005045ddd3dfa215dc299b05eb6e78c8401b338a72d790e0c9a68dda5b5b37965481bc9986b0305597baa1886b95b644924146f8e906975675912df555716751ebb66b407cc46ceb46a84c17ac8b178aa6c1 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x43ef683549e4712a6e7507d0df55eb21 Finished request 10. Going to the next request Waking up in 4.9 seconds. Cleaning up request 0 ID 0 with timestamp +8 Cleaning up request 1 ID 1 with timestamp +8 Cleaning up request 2 ID 2 with timestamp +8 Cleaning up request 3 ID 3 with timestamp +8 Cleaning up request 4 ID 4 with timestamp +8 Cleaning up request 5 ID 5 with timestamp +8 Cleaning up request 6 ID 6 with timestamp +8 Cleaning up request 7 ID 7 with timestamp +8 Cleaning up request 8 ID 8 with timestamp +8 Cleaning up request 9 ID 9 with timestamp +8 Cleaning up request 10 ID 10 with timestamp +8 WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING: !! EAP session for state 0x43ef683549e4712a did not finish! WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Ready to process requests. Any hint? TIA! Diego.
NdK wrote:
I think I'm near to correctly configure my server... but I incur in a situation that IIUC should be related to win clients only: I get ... message and *eapol_test* (run from a *linux* machine!) gives up after about 10 seconds.
Then read the error messages from eapol_test. Why does it stop? It should say. Alan DeKok.
Il 18/01/2012 15:25, Alan DeKok ha scritto:
NdK wrote:
I think I'm near to correctly configure my server... but I incur in a situation that IIUC should be related to win clients only: I get ... message and *eapol_test* (run from a *linux* machine!) gives up after about 10 seconds.
Then read the error messages from eapol_test. Why does it stop? It should say. That's eapol_test output. I changed my AD pass to 'testing123' just for the time needed to test, so the values are the real ones. I can't see any error, just a timeout... There's a short delay before "EAPOL: startWhen --> 0" and a long one just after. If needed, I logged output of freeradius -X for this run, too (not posted to avoid spamming the list too much -- nothing changed in its config).
# eapol_test -c /home/ndk/Scaricati/peap-mschapv2.conf -s testing123qaz -a 137.204.65.163 Reading configuration file '/home/ndk/Scaricati/peap-mschapv2.conf' Line: 4 - start of a new network block key_mgmt: 0xd proto: 0x3 group: 0x18 scan_ssid=1 (0x1) mode=0 (0x0) ssid - hexdump_ascii(len=8): 41 4c 4d 41 57 49 46 49 ALMAWIFI pairwise: 0x18 eap methods - hexdump(len=16): 00 00 00 00 19 00 00 00 00 00 00 00 00 00 00 00 password - hexdump_ascii(len=10): 74 65 73 74 69 6e 67 31 32 33 testing123 identity - hexdump_ascii(len=23): 50 45 52 53 4f 4e 41 4c 45 5c 64 69 65 67 6f 2e PERSONALE\diego. 7a 75 63 63 61 74 6f zuccato phase2 - hexdump_ascii(len=15): 70 68 61 73 65 32 3d 4d 53 43 48 41 50 56 32 phase2=MSCHAPV2 ca_cert - hexdump_ascii(len=61): 2f 68 6f 6d 65 2f 6e 64 6b 2f 44 6f 63 75 6d 65 /home/ndk/Docume 6e 74 69 2f 55 66 66 69 63 69 6f 2f 43 41 2f 63 nti/Ufficio/CA/c 65 72 74 73 2f 41 73 74 72 6f 6e 6f 6d 69 61 20 erts/Astronomia 2d 20 52 6f 6f 74 20 43 41 2e 63 72 74 - Root CA.crt Priority group 0 id=0 ssid='ALMAWIFI' Authentication server 137.204.65.163:1812 RADIUS local address: 137.204.65.96:45959 EAPOL: SUPP_PAE entering state DISCONNECTED EAPOL: KEY_RX entering state NO_KEY_RECEIVE EAPOL: SUPP_BE entering state INITIALIZE EAP: EAP entering state DISABLED EAPOL: External notification - portValid=0 EAPOL: External notification - portEnabled=1 EAPOL: SUPP_PAE entering state CONNECTING EAPOL: SUPP_BE entering state IDLE EAP: EAP entering state INITIALIZE EAP: EAP entering state IDLE Sending fake EAP-Request-Identity EAPOL: Received EAP-Packet frame EAPOL: SUPP_PAE entering state RESTART EAP: EAP entering state INITIALIZE EAP: EAP entering state IDLE EAPOL: SUPP_PAE entering state AUTHENTICATING EAPOL: SUPP_BE entering state REQUEST EAPOL: getSuppRsp EAP: EAP entering state RECEIVED EAP: Received EAP-Request id=0 method=1 vendor=0 vendorMethod=0 EAP: EAP entering state IDENTITY CTRL-EVENT-EAP-STARTED EAP authentication started EAP: EAP-Request Identity data - hexdump_ascii(len=0): EAP: using real identity - hexdump_ascii(len=23): 50 45 52 53 4f 4e 41 4c 45 5c 64 69 65 67 6f 2e PERSONALE\diego. 7a 75 63 63 61 74 6f zuccato EAP: EAP entering state SEND_RESPONSE EAP: EAP entering state IDLE EAPOL: SUPP_BE entering state RESPONSE EAPOL: txSuppRsp WPA: eapol_test_eapol_send(type=0 len=28) TX EAP -> RADIUS - hexdump(len=28): 02 00 00 1c 01 50 45 52 53 4f 4e 41 4c 45 5c 64 69 65 67 6f 2e 7a 75 63 63 61 74 6f Encapsulating EAP message into a RADIUS packet Learned identity from EAP-Response-Identity - hexdump(len=23): 50 45 52 53 4f 4e 41 4c 45 5c 64 69 65 67 6f 2e 7a 75 63 63 61 74 6f Sending RADIUS message to authentication server RADIUS message: code=1 (Access-Request) identifier=0 length=154 Attribute 1 (User-Name) length=25 Value: 'PERSONALE\diego.zuccato' Attribute 4 (NAS-IP-Address) length=6 Value: 127.0.0.1 Attribute 31 (Calling-Station-Id) length=19 Value: '02-00-00-00-00-01' Attribute 12 (Framed-MTU) length=6 Value: 1400 Attribute 61 (NAS-Port-Type) length=6 Value: 19 Attribute 77 (Connect-Info) length=24 Value: 'CONNECT 11Mbps 802.11b' Attribute 79 (EAP-Message) length=30 Value: 02 00 00 1c 01 50 45 52 53 4f 4e 41 4c 45 5c 64 69 65 67 6f 2e 7a 75 63 63 61 74 6f Attribute 80 (Message-Authenticator) length=18 Value: bd 07 f8 80 77 2d 48 51 d9 90 ce fe 5b e2 8f 35 Next RADIUS client retransmit in 3 seconds EAPOL: SUPP_BE entering state RECEIVE Received 80 bytes from RADIUS server Received RADIUS message RADIUS message: code=11 (Access-Challenge) identifier=0 length=80 Attribute 79 (EAP-Message) length=24 Value: 01 01 00 16 04 10 8e 95 2b d6 0d 0e cf cb ea cf a7 f0 f1 2e 1b 55 Attribute 80 (Message-Authenticator) length=18 Value: 75 9e 8f 62 48 3d 24 33 f9 ba cc ac 8c d3 cc 90 Attribute 24 (State) length=18 Value: 0e 7a a9 3e 0e 7b ad 56 82 24 1d fb 53 ea 51 8c STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending request, round trip time 0.00 sec RADIUS packet matching with station decapsulated EAP packet (code=1 id=1 len=22) from RADIUS server: EAP-Request-MD5 (4) EAPOL: Received EAP-Packet frame EAPOL: SUPP_BE entering state REQUEST EAPOL: getSuppRsp EAP: EAP entering state RECEIVED EAP: Received EAP-Request id=1 method=4 vendor=0 vendorMethod=0 EAP: EAP entering state GET_METHOD EAP: configuration does not allow: vendor 0 method 4 EAP: vendor 0 method 4 not allowed CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=4 -> NAK EAP: Building EAP-Nak (requested type 4 vendor=0 method=0 not allowed) EAP: allowed methods - hexdump(len=1): 19 EAP: EAP entering state SEND_RESPONSE EAP: EAP entering state IDLE EAPOL: SUPP_BE entering state RESPONSE EAPOL: txSuppRsp WPA: eapol_test_eapol_send(type=0 len=6) TX EAP -> RADIUS - hexdump(len=6): 02 01 00 06 03 19 Encapsulating EAP message into a RADIUS packet Copied RADIUS State Attribute Sending RADIUS message to authentication server RADIUS message: code=1 (Access-Request) identifier=1 length=150 Attribute 1 (User-Name) length=25 Value: 'PERSONALE\diego.zuccato' Attribute 4 (NAS-IP-Address) length=6 Value: 127.0.0.1 Attribute 31 (Calling-Station-Id) length=19 Value: '02-00-00-00-00-01' Attribute 12 (Framed-MTU) length=6 Value: 1400 Attribute 61 (NAS-Port-Type) length=6 Value: 19 Attribute 77 (Connect-Info) length=24 Value: 'CONNECT 11Mbps 802.11b' Attribute 79 (EAP-Message) length=8 Value: 02 01 00 06 03 19 Attribute 24 (State) length=18 Value: 0e 7a a9 3e 0e 7b ad 56 82 24 1d fb 53 ea 51 8c Attribute 80 (Message-Authenticator) length=18 Value: f4 93 4a d8 34 35 2b 5c 1e eb 27 a8 94 74 58 f0 Next RADIUS client retransmit in 3 seconds EAPOL: SUPP_BE entering state RECEIVE Received 64 bytes from RADIUS server Received RADIUS message RADIUS message: code=11 (Access-Challenge) identifier=1 length=64 Attribute 79 (EAP-Message) length=8 Value: 01 02 00 06 19 20 Attribute 80 (Message-Authenticator) length=18 Value: ac aa 7a a3 84 ef de 1f eb e0 37 50 27 36 1b db Attribute 24 (State) length=18 Value: 0e 7a a9 3e 0f 78 b0 56 82 24 1d fb 53 ea 51 8c STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending request, round trip time 0.00 sec RADIUS packet matching with station decapsulated EAP packet (code=1 id=2 len=6) from RADIUS server: EAP-Request-PEAP (25) EAPOL: Received EAP-Packet frame EAPOL: SUPP_BE entering state REQUEST EAPOL: getSuppRsp EAP: EAP entering state RECEIVED EAP: Received EAP-Request id=2 method=25 vendor=0 vendorMethod=0 EAP: EAP entering state GET_METHOD CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25 EAP: Initialize selected EAP method: vendor 0 method 25 (PEAP) TLS: Phase2 EAP types - hexdump(len=64): 00 00 00 00 04 00 00 00 00 00 00 00 1a 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 12 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 2f 00 00 00 00 00 00 00 17 00 00 00 TLS: using phase1 config options TLS: Trusted root certificate(s) loaded CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected EAP: EAP entering state METHOD SSL: Received packet(len=6) - Flags 0x20 EAP-PEAP: Start (server ver=0, own ver=1) EAP-PEAP: Using PEAP version 0 SSL: (where=0x10 ret=0x1) SSL: (where=0x1001 ret=0x1) SSL: SSL_connect:before/connect initialization SSL: (where=0x1001 ret=0x1) SSL: SSL_connect:SSLv3 write client hello A SSL: (where=0x1002 ret=0xffffffff) SSL: SSL_connect:error in SSLv3 read server hello A SSL: SSL_connect - want more data SSL: 208 bytes pending from ssl_out SSL: 208 bytes left to be sent out (of total 208 bytes) EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL EAP: EAP entering state SEND_RESPONSE EAP: EAP entering state IDLE EAPOL: SUPP_BE entering state RESPONSE EAPOL: txSuppRsp WPA: eapol_test_eapol_send(type=0 len=218) TX EAP -> RADIUS - hexdump(len=218): 02 02 00 da 19 80 00 00 00 d0 16 03 01 00 cb 01 00 00 c7 03 01 4f 17 c2 ae f3 9d fe d9 e2 75 d7 4f 75 ca e1 c1 ca 35 82 f6 47 7d 7a 61 53 64 f0 68 5f 94 7e 50 00 00 5a c0 14 c0 0a 00 39 00 38 00 88 00 87 c0 0f c0 05 00 35 00 84 c0 12 c0 08 00 16 00 13 c0 0d c0 03 00 0a c0 13 c0 09 00 33 00 32 00 9a 00 99 00 45 00 44 c0 0e c0 04 00 2f 00 96 00 41 c0 11 c0 07 c0 0c c0 02 00 05 00 04 00 15 00 12 00 09 00 14 00 11 00 08 00 06 00 03 00 ff 01 00 00 44 00 0b 00 04 03 00 01 02 00 0a 00 34 00 32 00 01 00 02 00 03 00 04 00 05 00 06 00 07 00 08 00 09 00 0a 00 0b 00 0c 00 0d 00 0e 00 0f 00 10 00 11 00 12 00 13 00 14 00 15 00 16 00 17 00 18 00 19 00 23 00 00 Encapsulating EAP message into a RADIUS packet Copied RADIUS State Attribute Sending RADIUS message to authentication server RADIUS message: code=1 (Access-Request) identifier=2 length=362 Attribute 1 (User-Name) length=25 Value: 'PERSONALE\diego.zuccato' Attribute 4 (NAS-IP-Address) length=6 Value: 127.0.0.1 Attribute 31 (Calling-Station-Id) length=19 Value: '02-00-00-00-00-01' Attribute 12 (Framed-MTU) length=6 Value: 1400 Attribute 61 (NAS-Port-Type) length=6 Value: 19 Attribute 77 (Connect-Info) length=24 Value: 'CONNECT 11Mbps 802.11b' Attribute 79 (EAP-Message) length=220 Value: 02 02 00 da 19 80 00 00 00 d0 16 03 01 00 cb 01 00 00 c7 03 01 4f 17 c2 ae f3 9d fe d9 e2 75 d7 4f 75 ca e1 c1 ca 35 82 f6 47 7d 7a 61 53 64 f0 68 5f 94 7e 50 00 00 5a c0 14 c0 0a 00 39 00 38 00 88 00 87 c0 0f c0 05 00 35 00 84 c0 12 c0 08 00 16 00 13 c0 0d c0 03 00 0a c0 13 c0 09 00 33 00 32 00 9a 00 99 00 45 00 44 c0 0e c0 04 00 2f 00 96 00 41 c0 11 c0 07 c0 0c c0 02 00 05 00 04 00 15 00 12 00 09 00 14 00 11 00 08 00 06 00 03 00 ff 01 00 00 44 00 0b 00 04 03 00 01 02 00 0a 00 34 00 32 00 01 00 02 00 03 00 04 00 05 00 06 00 07 00 08 00 09 00 0a 00 0b 00 0c 00 0d 00 0e 00 0f 00 10 00 11 00 12 00 13 00 14 00 15 00 16 00 17 00 18 00 19 00 23 00 00 Attribute 24 (State) length=18 Value: 0e 7a a9 3e 0f 78 b0 56 82 24 1d fb 53 ea 51 8c Attribute 80 (Message-Authenticator) length=18 Value: 6c e1 f0 96 f9 96 a5 c2 28 f0 13 9d 15 e8 e1 c5 Next RADIUS client retransmit in 3 seconds EAPOL: SUPP_BE entering state RECEIVE Received 1090 bytes from RADIUS server Received RADIUS message RADIUS message: code=11 (Access-Challenge) identifier=2 length=1090 Attribute 79 (EAP-Message) length=255 Value: 01 03 04 00 19 c0 00 00 13 81 16 03 01 00 31 02 00 00 2d 03 01 4f 17 c2 ad a1 f9 7c c0 cb 32 ce a2 f0 15 b7 c7 19 f9 48 34 b0 59 60 47 5e 79 db a0 a7 b4 c3 ed 00 00 39 00 00 05 ff 01 00 01 00 16 03 01 11 ab 0b 00 11 a7 00 11 a4 00 04 d6 30 82 04 d2 30 82 02 ba a0 03 02 01 02 02 01 12 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 30 81 ba 31 0b 30 09 06 03 55 04 06 13 02 49 54 31 0e 30 0c 06 03 55 04 08 13 05 49 74 61 6c 79 31 10 30 0e 06 03 55 04 07 13 07 42 6f 6c 6f 67 6e 61 31 1e 30 1c 06 03 55 04 0a 13 15 55 6e 69 76 65 72 73 69 74 61 20 64 69 20 42 6f 6c 6f 67 6e 61 31 23 30 21 06 03 55 04 0b 13 1a 44 69 70 61 72 74 69 6d 65 6e 74 6f 20 64 69 20 41 73 74 72 6f 6e 6f 6d 69 61 31 20 30 1e 06 03 55 04 03 13 17 41 73 74 72 6f 6e 6f 6d 69 61 20 2d 20 Attribute 79 (EAP-Message) length=255 Value: 43 41 20 53 65 72 76 65 72 73 31 22 30 20 06 09 2a 86 48 86 f7 0d 01 09 01 16 13 64 69 70 61 73 74 72 2e 73 69 40 75 6e 69 62 6f 2e 69 74 30 20 17 0d 31 31 31 31 30 38 30 30 30 30 30 30 5a 18 0f 39 39 39 39 31 32 33 31 32 33 35 39 35 39 5a 30 81 bd 31 0b 30 09 06 03 55 04 06 13 02 49 54 31 0e 30 0c 06 03 55 04 08 13 05 49 74 61 6c 79 31 10 30 0e 06 03 55 04 07 13 07 42 6f 6c 6f 67 6e 61 31 1e 30 1c 06 03 55 04 0a 13 15 55 6e 69 76 65 72 73 69 74 61 20 64 69 20 42 6f 6c 6f 67 6e 61 31 23 30 21 06 03 55 04 0b 13 1a 44 69 70 61 72 74 69 6d 65 6e 74 6f 20 64 69 20 41 73 74 72 6f 6e 6f 6d 69 61 31 23 30 21 06 03 55 04 03 13 1a 72 61 64 69 75 73 2e 61 73 74 72 6f 6e 6f 6d 69 61 2e 75 6e 69 62 6f 2e 69 74 31 22 30 20 06 09 2a 86 48 86 f7 0d 01 09 01 16 13 Attribute 79 (EAP-Message) length=255 Value: 64 69 70 61 73 74 72 2e 73 69 40 75 6e 69 62 6f 2e 69 74 30 81 9f 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 81 8d 00 30 81 89 02 81 81 00 c1 c3 b4 a6 e9 b5 fc e7 24 9f 54 40 a7 51 1e ce 03 5a 79 1f 3f 62 1a 91 d6 ac bb bb 57 98 f2 f1 ea d6 70 7f 98 fb ea fe 84 b1 59 3d d3 a3 79 4c 69 b4 3b ff 83 14 a3 80 f5 2a 44 db 12 60 04 3a ea 66 5a 33 82 3e f1 77 22 56 b8 44 40 d6 13 3e f8 3f 7f 2c 38 b5 fa f7 f1 64 32 63 c3 05 d7 c0 fc 14 0c 57 75 b4 ea 39 26 89 90 83 88 fa 8b 97 3e 1e 58 eb 51 51 2e 69 5a 01 1a 6d 01 a3 bf 97 02 03 01 00 01 a3 60 30 5e 30 0c 06 03 55 1d 13 01 01 ff 04 02 30 00 30 1d 06 03 55 1d 0e 04 16 04 14 6d a6 e7 50 d6 6a 1d 54 e6 bb d9 13 a5 d8 5f 72 e4 10 79 99 30 0b 06 03 55 1d 0f 04 04 03 02 05 e0 30 0f 06 03 55 1d 11 04 08 30 Attribute 79 (EAP-Message) length=255 Value: 06 87 04 89 cc 41 63 30 11 06 09 60 86 48 01 86 f8 42 01 01 04 04 03 02 06 40 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 82 02 01 00 44 82 4e 99 f1 1f 01 47 14 cc fb cc d8 cb a3 34 67 3d 13 04 58 ed 77 3e b9 fc f1 74 91 19 e6 cb db bf 61 95 b3 e4 98 5e 0f ea f5 8e e9 f3 c2 dd 28 4c 2b 44 c5 23 4d 23 b9 42 89 67 b8 22 91 7a 65 17 6b e6 b4 79 85 c4 ba 22 4d f6 6a 5f 3b 86 27 f8 55 b5 3a 86 7e 7c 81 48 32 7d bd 43 55 8c 93 52 dc 61 fb df 59 c0 57 01 18 c2 c3 c6 bc 19 11 98 b2 fa 3d c5 b4 f3 cf 07 b2 6c 12 45 01 6c 75 82 3b d3 e8 ea 1b d2 c7 a1 dc 3f da 0a e6 58 ea 9a 66 09 a0 12 0f 51 bd 34 c6 4d 82 b2 d0 94 cd 3e d0 63 ef c2 27 2d 0b f6 d9 44 00 21 b9 c6 82 7f 56 16 56 de 9b 91 97 c7 6f c8 59 7a c7 b2 ac 50 cd 25 9c df 61 45 ff 80 95 1b db 41 a0 Attribute 79 (EAP-Message) length=14 Value: f4 83 3f e4 32 eb 73 f5 25 56 20 5b Attribute 80 (Message-Authenticator) length=18 Value: 69 b8 41 a8 7d 55 dc f7 0d a7 2c f3 32 e4 22 59 Attribute 24 (State) length=18 Value: 0e 7a a9 3e 0c 79 b0 56 82 24 1d fb 53 ea 51 8c STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending request, round trip time 0.00 sec RADIUS packet matching with station decapsulated EAP packet (code=1 id=3 len=1024) from RADIUS server: EAP-Request-PEAP (25) EAPOL: Received EAP-Packet frame EAPOL: SUPP_BE entering state REQUEST EAPOL: getSuppRsp EAP: EAP entering state RECEIVED EAP: Received EAP-Request id=3 method=25 vendor=0 vendorMethod=0 EAP: EAP entering state METHOD SSL: Received packet(len=1024) - Flags 0xc0 SSL: TLS Message Length: 4993 SSL: Need 3979 bytes more input data SSL: Building ACK (type=25 id=3 ver=0) EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL EAP: EAP entering state SEND_RESPONSE EAP: EAP entering state IDLE EAPOL: SUPP_BE entering state RESPONSE EAPOL: txSuppRsp WPA: eapol_test_eapol_send(type=0 len=6) TX EAP -> RADIUS - hexdump(len=6): 02 03 00 06 19 00 Encapsulating EAP message into a RADIUS packet Copied RADIUS State Attribute Sending RADIUS message to authentication server RADIUS message: code=1 (Access-Request) identifier=3 length=150 Attribute 1 (User-Name) length=25 Value: 'PERSONALE\diego.zuccato' Attribute 4 (NAS-IP-Address) length=6 Value: 127.0.0.1 Attribute 31 (Calling-Station-Id) length=19 Value: '02-00-00-00-00-01' Attribute 12 (Framed-MTU) length=6 Value: 1400 Attribute 61 (NAS-Port-Type) length=6 Value: 19 Attribute 77 (Connect-Info) length=24 Value: 'CONNECT 11Mbps 802.11b' Attribute 79 (EAP-Message) length=8 Value: 02 03 00 06 19 00 Attribute 24 (State) length=18 Value: 0e 7a a9 3e 0c 79 b0 56 82 24 1d fb 53 ea 51 8c Attribute 80 (Message-Authenticator) length=18 Value: 30 3b f8 7f 20 d6 4b 0e 7c f7 af 03 7a c6 0f 71 Next RADIUS client retransmit in 3 seconds EAPOL: SUPP_BE entering state RECEIVE Received 1086 bytes from RADIUS server Received RADIUS message RADIUS message: code=11 (Access-Challenge) identifier=3 length=1086 Attribute 79 (EAP-Message) length=255 Value: 01 04 03 fc 19 40 13 be f3 04 b9 b3 6f d1 1d a9 55 06 f7 d0 ab 98 d8 40 cc 79 54 ad 54 61 9d 25 a1 c0 7b 21 29 02 89 1f 17 94 db 9f 34 49 60 61 f9 93 fc 97 5d 33 83 95 0d 58 53 29 53 b2 0a 51 63 68 42 0d 7a 1e 7b 6a af 99 cd d3 27 51 ea 62 84 09 2c 12 b4 09 66 1a fd 56 16 5b a3 63 1a ce b3 57 11 5c 0d e5 89 b6 6b 97 59 30 ec 93 b4 f5 b1 f3 bb 61 85 89 33 eb 89 94 8a 83 c0 c3 6d 04 dd 42 b5 9b e6 38 42 74 49 ad ba 16 a3 90 96 6e 64 14 2f c1 ba 27 db a0 1e dd 84 9b 8e c8 b4 cc bb c7 94 c3 2b 0d 81 0a 24 6a 84 74 e0 f6 b1 e4 9f 5c bc 89 89 18 7f 88 dd 32 36 50 79 43 a1 1c 9e f4 19 c5 4f 05 08 7b 6b b0 d3 3e 6c b8 ee 51 79 69 59 4f f8 b5 e6 45 14 1c 97 28 78 6e 4d 5c b7 44 2b c1 ea 46 40 03 af 25 29 4d c9 f9 95 b6 6f e3 2f 25 d0 57 59 21 81 ef 6e 91 d0 Attribute 79 (EAP-Message) length=255 Value: e7 d7 57 68 52 0a ef 64 03 8d 6f ba 14 98 98 a0 55 26 ce ad d0 55 89 b6 dd e0 08 8d 47 ba ff 43 51 da 66 d5 f9 f1 f4 0e d2 e3 b3 1d 09 d0 00 06 64 30 82 06 60 30 82 04 48 a0 03 02 01 02 02 01 02 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 30 81 b7 31 0b 30 09 06 03 55 04 06 13 02 49 54 31 0e 30 0c 06 03 55 04 08 13 05 49 74 61 6c 79 31 10 30 0e 06 03 55 04 07 13 07 42 6f 6c 6f 67 6e 61 31 1e 30 1c 06 03 55 04 0a 13 15 55 6e 69 76 65 72 73 69 74 61 20 64 69 20 42 6f 6c 6f 67 6e 61 31 23 30 21 06 03 55 04 0b 13 1a 44 69 70 61 72 74 69 6d 65 6e 74 6f 20 64 69 20 41 73 74 72 6f 6e 6f 6d 69 61 31 1d 30 1b 06 03 55 04 03 13 14 41 73 74 72 6f 6e 6f 6d 69 61 20 2d 20 52 6f 6f 74 20 43 41 31 22 30 20 06 09 2a 86 48 86 f7 0d 01 09 01 16 13 64 69 70 61 73 74 Attribute 79 (EAP-Message) length=255 Value: 72 2e 73 69 40 75 6e 69 62 6f 2e 69 74 30 1e 17 0d 31 31 30 34 31 33 31 30 33 37 30 30 5a 17 0d 32 31 30 34 31 33 31 30 33 34 30 30 5a 30 81 ba 31 0b 30 09 06 03 55 04 06 13 02 49 54 31 0e 30 0c 06 03 55 04 08 13 05 49 74 61 6c 79 31 10 30 0e 06 03 55 04 07 13 07 42 6f 6c 6f 67 6e 61 31 1e 30 1c 06 03 55 04 0a 13 15 55 6e 69 76 65 72 73 69 74 61 20 64 69 20 42 6f 6c 6f 67 6e 61 31 23 30 21 06 03 55 04 0b 13 1a 44 69 70 61 72 74 69 6d 65 6e 74 6f 20 64 69 20 41 73 74 72 6f 6e 6f 6d 69 61 31 20 30 1e 06 03 55 04 03 13 17 41 73 74 72 6f 6e 6f 6d 69 61 20 2d 20 43 41 20 53 65 72 76 65 72 73 31 22 30 20 06 09 2a 86 48 86 f7 0d 01 09 01 16 13 64 69 70 61 73 74 72 2e 73 69 40 75 6e 69 62 6f 2e 69 74 30 82 02 22 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 Attribute 79 (EAP-Message) length=255 Value: 03 82 02 0f 00 30 82 02 0a 02 82 02 01 00 c9 a6 5b 65 36 87 e1 f4 bf 0d 00 7c 1b 3a ae 71 b2 7e 2f f3 b0 67 da 0b 00 df bc bf 0c af 2c 00 60 48 95 c0 84 56 62 1a 26 95 99 dc c8 30 61 7f 93 d9 c1 de ab 28 11 df d0 6b e6 2d 67 b5 4c a6 4a 59 49 b6 bd 84 97 ec 29 1d a1 1d 93 f2 a2 e5 87 db 88 0d 81 2a 98 c5 fd a0 2b 36 79 a2 41 c7 cd ce 47 9b bc 70 0f 03 83 89 35 a1 c5 37 98 e1 49 92 dc e2 10 fa d9 e9 ba 9b fd 11 dc 19 0b 32 97 4b d4 be 6a e0 df 5c 7d ce 19 c7 36 1a 16 45 7a 3c a4 55 d0 3d 5c dc 77 9d 16 68 3f 73 41 e9 1a ec c7 70 0d 22 77 30 e2 66 b5 9b 9c 7e 60 b4 4d 40 a6 5b bf ec 45 ba 31 ec 7b 02 12 3c 27 ed f8 58 63 96 5e df 64 b3 ba f1 6f c7 17 ff f7 a1 e3 e8 36 cc e5 af 39 98 c1 f6 52 b6 1e 94 ad 3c 0d 92 9b 94 dc 29 a2 3c f4 a4 75 6c 78 60 55 Attribute 79 (EAP-Message) length=10 Value: 57 c1 c7 5c b2 75 e2 dc Attribute 80 (Message-Authenticator) length=18 Value: 5a da 3f cf d7 32 44 98 c9 75 3a 25 d5 bf d2 e0 Attribute 24 (State) length=18 Value: 0e 7a a9 3e 0d 7e b0 56 82 24 1d fb 53 ea 51 8c STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending request, round trip time 0.00 sec RADIUS packet matching with station decapsulated EAP packet (code=1 id=4 len=1020) from RADIUS server: EAP-Request-PEAP (25) EAPOL: Received EAP-Packet frame EAPOL: SUPP_BE entering state REQUEST EAPOL: getSuppRsp EAP: EAP entering state RECEIVED EAP: Received EAP-Request id=4 method=25 vendor=0 vendorMethod=0 EAP: EAP entering state METHOD SSL: Received packet(len=1020) - Flags 0x40 SSL: Need 2965 bytes more input data SSL: Building ACK (type=25 id=4 ver=0) EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL EAP: EAP entering state SEND_RESPONSE EAP: EAP entering state IDLE EAPOL: SUPP_BE entering state RESPONSE EAPOL: txSuppRsp WPA: eapol_test_eapol_send(type=0 len=6) TX EAP -> RADIUS - hexdump(len=6): 02 04 00 06 19 00 Encapsulating EAP message into a RADIUS packet Copied RADIUS State Attribute Sending RADIUS message to authentication server RADIUS message: code=1 (Access-Request) identifier=4 length=150 Attribute 1 (User-Name) length=25 Value: 'PERSONALE\diego.zuccato' Attribute 4 (NAS-IP-Address) length=6 Value: 127.0.0.1 Attribute 31 (Calling-Station-Id) length=19 Value: '02-00-00-00-00-01' Attribute 12 (Framed-MTU) length=6 Value: 1400 Attribute 61 (NAS-Port-Type) length=6 Value: 19 Attribute 77 (Connect-Info) length=24 Value: 'CONNECT 11Mbps 802.11b' Attribute 79 (EAP-Message) length=8 Value: 02 04 00 06 19 00 Attribute 24 (State) length=18 Value: 0e 7a a9 3e 0d 7e b0 56 82 24 1d fb 53 ea 51 8c Attribute 80 (Message-Authenticator) length=18 Value: 53 88 b7 32 cf 61 03 ae 02 8e 2c 1a 8f be 43 ad Next RADIUS client retransmit in 3 seconds EAPOL: SUPP_BE entering state RECEIVE Received 1086 bytes from RADIUS server Received RADIUS message RADIUS message: code=11 (Access-Challenge) identifier=4 length=1086 Attribute 79 (EAP-Message) length=255 Value: 01 05 03 fc 19 40 49 7d b7 ae 62 eb ca 42 5e 91 32 50 41 df 3a 09 72 98 6b 99 82 f7 37 1b d4 b0 7e 00 6d 76 de 0b 75 c5 03 34 5e 77 d8 59 93 d8 0e 68 40 2d 80 66 60 3c cf 88 e2 a2 d3 26 c6 eb c6 a7 af 4e e4 fc 20 e5 e9 db 1d 94 53 30 5b 2e d6 41 b1 aa 87 ee ae bd 1f 19 a8 14 b7 1b 8b 21 7f 93 de 48 91 03 7d 8a ce 80 d2 8d 00 22 8c ac b3 2f ac 30 04 0e e1 d1 70 85 b3 0f db c1 17 03 f2 6f ec 9d b2 e3 3c 05 8f cb bd 69 e6 50 4b 2b d4 3b 29 2c 32 f1 b1 84 88 92 dd 33 e3 43 9d 7f 1d 3e 43 75 e0 30 ec 9b e5 a2 ef 40 7d 6d 85 59 1c 43 20 86 90 b9 c2 57 bd b6 1e 0b 6e 68 b9 bf 13 59 ea 4d 08 b1 1b a6 a9 00 19 e9 64 b3 19 0c 40 05 bf 03 2c 72 40 8d 3a e0 c1 b8 7f a0 69 ed 65 c7 cc 25 e0 de 88 ab 5b 72 3c c1 1a 10 d0 bc 6c 6e 2e 48 f1 1e 1c 2c 89 32 bb 35 bc Attribute 79 (EAP-Message) length=255 Value: 5b da f7 c2 cc 25 6a 9d c7 99 3d 84 7f 30 2d f8 ec cf 02 03 01 00 01 a3 72 30 70 30 0f 06 03 55 1d 13 01 01 ff 04 05 30 03 01 01 ff 30 1d 06 03 55 1d 0e 04 16 04 14 bb 0d 32 68 95 f8 3b d2 4f 85 fc fa ea be e6 cc 8a 5e 56 86 30 0b 06 03 55 1d 0f 04 04 03 02 01 06 30 11 06 09 60 86 48 01 86 f8 42 01 01 04 04 03 02 00 07 30 1e 06 09 60 86 48 01 86 f8 42 01 0d 04 11 16 0f 78 63 61 20 63 65 72 74 69 66 69 63 61 74 65 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 82 02 01 00 69 f6 c7 33 df 30 66 b2 cf 77 05 a1 f4 de b8 79 d2 c4 3c ca b1 b3 d4 4f b2 22 87 06 73 33 f0 51 7f 99 f9 a0 7f 62 b5 97 8f a9 e9 02 90 03 70 d5 0c 05 64 d7 85 5b ee d4 0c 88 83 1d 65 d0 7c a6 69 8d 4e e1 03 05 e0 c4 88 e8 8c 1e dd 57 ff 1c 02 a0 67 9c ab 0a f5 41 74 59 f6 50 ae ef Attribute 79 (EAP-Message) length=255 Value: 63 d5 f8 4f e6 3d cc fc 66 0b 13 81 be 5b 08 34 1a e7 c6 0a c2 c7 a5 ae 18 04 c2 53 c1 08 ba e3 7c 38 41 47 2c 01 cc 4f df f6 9e c7 f4 63 6d d4 7d 07 83 69 33 d9 d0 0c fd 44 54 19 d2 87 7c 82 e0 a8 ce a2 da 6b 1f 03 cd 1c 58 3a 08 73 cf a4 57 0e c0 af f7 84 d7 5f 55 24 b6 6d df 3b 0e a2 d7 6d 2d 51 d6 65 c8 97 6b ab f7 fa bf 17 89 8b 38 63 a6 04 6d e6 c4 e5 77 a7 26 53 1a 14 1a 29 8c 90 12 79 80 7e c5 40 bb 6b d0 74 21 c7 4b 5e e3 e7 c0 b0 00 2e 41 e8 ae 14 66 b5 30 26 a2 6f 95 bf a2 3a e5 b3 d8 b8 cd b4 bc 55 9a 18 0f fb 6b fe 37 59 00 35 0f 28 28 88 9e 3c 75 34 fd 0e fd 54 4b 27 84 ef e6 55 c6 d8 c6 fb 6d 3a fe 60 c8 77 53 3b ef 90 5d ca 4e ac f5 a0 49 d7 6e 9f 82 76 cd 0e cc ab c0 ec cd b1 e1 e8 46 52 eb c8 fe 63 36 de 3c b7 8c db 29 72 92 91 35 Attribute 79 (EAP-Message) length=255 Value: c1 fb 48 eb 42 5e 4c ba de e8 86 35 e5 d3 1c d6 f9 2e 45 9a 80 60 93 1c a7 22 20 f6 52 ec db 61 58 e6 a8 36 2f 95 8d 3c da 07 25 4a 07 fa 4e ad 61 be 4c 04 5e a1 60 91 9d 6b 54 42 54 11 f8 87 18 10 b5 ec 45 fe 79 cd 08 c6 96 dd 86 f5 61 b1 5f c6 e9 90 d4 0c 14 87 6c b4 9b e7 1d db e5 a0 e8 84 a7 a9 f4 18 f3 a9 00 d7 22 87 f2 74 9d 4d 7a 31 10 aa b6 02 98 f2 b1 87 d3 b2 e4 24 0d de bd bc 52 0c fa 91 dd f7 80 f8 ab 92 5a f7 68 5f 5d 22 6b 69 6b 58 a8 4a 93 37 b1 92 14 77 12 f0 3b 9b d3 6b 32 00 06 61 30 82 06 5d 30 82 04 45 a0 03 02 01 02 02 01 01 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 30 81 b7 31 0b 30 09 06 03 55 04 06 13 02 49 54 31 0e 30 0c 06 03 55 04 08 13 05 49 74 61 6c 79 31 10 30 0e 06 03 55 04 07 13 07 42 6f 6c 6f 67 6e 61 31 1e 30 1c Attribute 79 (EAP-Message) length=10 Value: 06 03 55 04 0a 13 15 55 Attribute 80 (Message-Authenticator) length=18 Value: a9 ef 66 e7 21 dc 0d a8 e2 1c 66 d3 0e aa 9a 65 Attribute 24 (State) length=18 Value: 0e 7a a9 3e 0a 7f b0 56 82 24 1d fb 53 ea 51 8c STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending request, round trip time 0.00 sec RADIUS packet matching with station decapsulated EAP packet (code=1 id=5 len=1020) from RADIUS server: EAP-Request-PEAP (25) EAPOL: Received EAP-Packet frame EAPOL: SUPP_BE entering state REQUEST EAPOL: getSuppRsp EAP: EAP entering state RECEIVED EAP: Received EAP-Request id=5 method=25 vendor=0 vendorMethod=0 EAP: EAP entering state METHOD SSL: Received packet(len=1020) - Flags 0x40 SSL: Need 1951 bytes more input data SSL: Building ACK (type=25 id=5 ver=0) EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL EAP: EAP entering state SEND_RESPONSE EAP: EAP entering state IDLE EAPOL: SUPP_BE entering state RESPONSE EAPOL: txSuppRsp WPA: eapol_test_eapol_send(type=0 len=6) TX EAP -> RADIUS - hexdump(len=6): 02 05 00 06 19 00 Encapsulating EAP message into a RADIUS packet Copied RADIUS State Attribute Sending RADIUS message to authentication server RADIUS message: code=1 (Access-Request) identifier=5 length=150 Attribute 1 (User-Name) length=25 Value: 'PERSONALE\diego.zuccato' Attribute 4 (NAS-IP-Address) length=6 Value: 127.0.0.1 Attribute 31 (Calling-Station-Id) length=19 Value: '02-00-00-00-00-01' Attribute 12 (Framed-MTU) length=6 Value: 1400 Attribute 61 (NAS-Port-Type) length=6 Value: 19 Attribute 77 (Connect-Info) length=24 Value: 'CONNECT 11Mbps 802.11b' Attribute 79 (EAP-Message) length=8 Value: 02 05 00 06 19 00 Attribute 24 (State) length=18 Value: 0e 7a a9 3e 0a 7f b0 56 82 24 1d fb 53 ea 51 8c Attribute 80 (Message-Authenticator) length=18 Value: 8f af d6 60 e0 fc 56 49 2f 93 f3 7e 1a dd cd 7c Next RADIUS client retransmit in 3 seconds EAPOL: SUPP_BE entering state RECEIVE Received 1086 bytes from RADIUS server Received RADIUS message RADIUS message: code=11 (Access-Challenge) identifier=5 length=1086 Attribute 79 (EAP-Message) length=255 Value: 01 06 03 fc 19 40 6e 69 76 65 72 73 69 74 61 20 64 69 20 42 6f 6c 6f 67 6e 61 31 23 30 21 06 03 55 04 0b 13 1a 44 69 70 61 72 74 69 6d 65 6e 74 6f 20 64 69 20 41 73 74 72 6f 6e 6f 6d 69 61 31 1d 30 1b 06 03 55 04 03 13 14 41 73 74 72 6f 6e 6f 6d 69 61 20 2d 20 52 6f 6f 74 20 43 41 31 22 30 20 06 09 2a 86 48 86 f7 0d 01 09 01 16 13 64 69 70 61 73 74 72 2e 73 69 40 75 6e 69 62 6f 2e 69 74 30 1e 17 0d 31 31 30 34 31 33 31 30 33 34 30 30 5a 17 0d 32 31 30 34 31 33 31 30 33 34 30 30 5a 30 81 b7 31 0b 30 09 06 03 55 04 06 13 02 49 54 31 0e 30 0c 06 03 55 04 08 13 05 49 74 61 6c 79 31 10 30 0e 06 03 55 04 07 13 07 42 6f 6c 6f 67 6e 61 31 1e 30 1c 06 03 55 04 0a 13 15 55 6e 69 76 65 72 73 69 74 61 20 64 69 20 42 6f 6c 6f 67 6e 61 31 23 30 21 06 03 55 04 0b Attribute 79 (EAP-Message) length=255 Value: 13 1a 44 69 70 61 72 74 69 6d 65 6e 74 6f 20 64 69 20 41 73 74 72 6f 6e 6f 6d 69 61 31 1d 30 1b 06 03 55 04 03 13 14 41 73 74 72 6f 6e 6f 6d 69 61 20 2d 20 52 6f 6f 74 20 43 41 31 22 30 20 06 09 2a 86 48 86 f7 0d 01 09 01 16 13 64 69 70 61 73 74 72 2e 73 69 40 75 6e 69 62 6f 2e 69 74 30 82 02 22 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 82 02 0f 00 30 82 02 0a 02 82 02 01 00 b5 72 b5 d8 c1 3e a3 75 04 ee 78 aa 17 97 f2 fd 41 ba e7 fc db be 34 7b 2e 82 cc b4 35 e5 34 ba 0f 3a 86 e8 55 32 58 64 41 8e 9a 25 7c 6b a9 a2 35 49 0a 86 3d 97 55 25 a0 c6 16 86 ba cc 4c 6a 2b d7 2a e8 02 16 87 23 c9 2e 69 ec 9c 60 7c 14 ba b3 10 d6 8a 22 d5 0b c2 6b 67 25 65 30 55 4e 90 11 0e 50 ad da 28 f0 9b b2 eb 39 28 7b 05 15 b3 d5 64 7d 28 d4 5d e0 f4 83 99 8a 15 Attribute 79 (EAP-Message) length=255 Value: 71 27 6b 02 17 3a b7 fc f9 82 69 7b e4 88 47 ea fd 4f 3b 2a 82 dc 48 be 9d 5a 1b 50 99 e0 12 45 5d 40 69 41 18 09 71 25 da 6f fb 23 38 04 f7 ca e4 df 23 3d 82 69 c9 4a fe 55 2d 1d f5 7e 94 10 87 cd 75 8d 3b f1 a8 47 16 47 0b 1d 16 3e 61 de 92 6f 76 b1 d8 a5 93 48 4b a9 e2 d9 a6 f2 db fd 2b be 6e af 02 97 b4 91 c7 d2 96 3e 49 77 59 c9 04 39 ef 56 5d bb 9c a0 7a fd 7a cd cd 46 37 65 2a b4 8c d2 c0 d0 b7 1f 84 88 17 88 b1 31 4b 40 d4 3e 67 72 9c fd ef a4 4d 07 8f 16 bb f4 23 da 10 a0 cc 09 11 f4 6a fb 31 ef 3c 9e 03 e2 fe 84 80 82 49 bd 9d 58 12 9a 69 77 64 3b 0b 2f f1 83 6c 41 c7 f9 df 69 87 9e cd 99 a8 aa cf c9 51 d4 9d bf 31 1e 51 ff a4 b6 9f 4c e2 c0 a0 c1 31 5d 15 c0 b2 c2 5e d3 7e f4 0d d9 a1 20 5a dc e6 ce 1a 45 c4 e1 76 23 d4 34 70 25 e1 1e 9a Attribute 79 (EAP-Message) length=255 Value: a3 28 45 39 57 9f ce 75 d6 bb 21 3c b3 5f d7 5b 22 fa 97 64 c3 45 21 f8 e1 f7 ec a5 7e ff a5 c7 81 45 ab 38 27 8e 73 a2 5e 4a b9 e0 2d a6 2e be 65 60 a6 5e 4e 9e 92 d3 57 66 f7 aa fc 51 6a cc 17 7d bd 84 e5 64 15 f2 3b 93 83 21 20 a8 51 a0 12 53 4b f7 44 c4 6b f3 7f 72 58 f9 96 97 f7 d9 c7 bb ad 72 8d 63 c7 de c4 7b 6a 9c f6 e1 28 8d 04 e1 5c 8d 30 82 96 e6 45 51 7f c2 97 56 4d 06 d4 e9 c7 67 15 f1 02 03 01 00 01 a3 72 30 70 30 0f 06 03 55 1d 13 01 01 ff 04 05 30 03 01 01 ff 30 1d 06 03 55 1d 0e 04 16 04 14 c8 2d 02 f0 84 5d 31 8f 49 82 f8 ee 76 7e df 32 38 6b 43 5d 30 0b 06 03 55 1d 0f 04 04 03 02 01 06 30 11 06 09 60 86 48 01 86 f8 42 01 01 04 04 03 02 00 07 30 1e 06 09 60 86 48 01 86 f8 42 01 0d 04 11 16 0f 78 63 61 20 63 65 72 74 69 66 69 63 61 Attribute 79 (EAP-Message) length=10 Value: 74 65 30 0d 06 09 2a 86 Attribute 80 (Message-Authenticator) length=18 Value: 79 e0 34 38 bd 23 1d c1 9d fa 5f 35 85 1c 48 60 Attribute 24 (State) length=18 Value: 0e 7a a9 3e 0b 7c b0 56 82 24 1d fb 53 ea 51 8c STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending request, round trip time 0.00 sec RADIUS packet matching with station decapsulated EAP packet (code=1 id=6 len=1020) from RADIUS server: EAP-Request-PEAP (25) EAPOL: Received EAP-Packet frame EAPOL: SUPP_BE entering state REQUEST EAPOL: getSuppRsp EAP: EAP entering state RECEIVED EAP: Received EAP-Request id=6 method=25 vendor=0 vendorMethod=0 EAP: EAP entering state METHOD SSL: Received packet(len=1020) - Flags 0x40 SSL: Need 937 bytes more input data SSL: Building ACK (type=25 id=6 ver=0) EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL EAP: EAP entering state SEND_RESPONSE EAP: EAP entering state IDLE EAPOL: SUPP_BE entering state RESPONSE EAPOL: txSuppRsp WPA: eapol_test_eapol_send(type=0 len=6) TX EAP -> RADIUS - hexdump(len=6): 02 06 00 06 19 00 Encapsulating EAP message into a RADIUS packet Copied RADIUS State Attribute Sending RADIUS message to authentication server RADIUS message: code=1 (Access-Request) identifier=6 length=150 Attribute 1 (User-Name) length=25 Value: 'PERSONALE\diego.zuccato' Attribute 4 (NAS-IP-Address) length=6 Value: 127.0.0.1 Attribute 31 (Calling-Station-Id) length=19 Value: '02-00-00-00-00-01' Attribute 12 (Framed-MTU) length=6 Value: 1400 Attribute 61 (NAS-Port-Type) length=6 Value: 19 Attribute 77 (Connect-Info) length=24 Value: 'CONNECT 11Mbps 802.11b' Attribute 79 (EAP-Message) length=8 Value: 02 06 00 06 19 00 Attribute 24 (State) length=18 Value: 0e 7a a9 3e 0b 7c b0 56 82 24 1d fb 53 ea 51 8c Attribute 80 (Message-Authenticator) length=18 Value: 54 f4 db 61 f9 84 54 bc cf 6c 2c 33 d6 30 ec e9 Next RADIUS client retransmit in 3 seconds EAPOL: SUPP_BE entering state RECEIVE Received 1007 bytes from RADIUS server Received RADIUS message RADIUS message: code=11 (Access-Challenge) identifier=6 length=1007 Attribute 79 (EAP-Message) length=255 Value: 01 07 03 af 19 00 48 86 f7 0d 01 01 05 05 00 03 82 02 01 00 8e 9e ed 3d 5c ab 55 1c 14 0a 2f 7a 7d c0 7e 83 43 a2 14 84 b6 0e 61 7e 7f 96 42 92 3c 8b 97 65 34 39 3d 89 c5 ca 72 ba 63 88 e8 78 f7 30 f2 c4 5e 32 7b 3e 05 b6 bc c3 d1 d1 68 f0 69 64 d9 b6 5c 3a 6e 57 c6 c3 76 a3 b5 71 c0 92 ad 03 61 b0 dc 4c 9b de 73 3f 91 8c 41 dd a4 80 51 df f5 4a 7f 28 61 6b ec 00 e8 65 ab f4 62 53 3c fd 03 13 a0 dd c7 16 84 40 75 ed 48 82 1e 50 52 77 28 52 75 48 ac e4 f8 fa 1e 6f ba 70 e0 bf db 68 f5 04 7e 48 73 eb e0 8c d1 08 74 d5 18 23 b7 80 ca 14 06 d1 c0 e8 64 c8 66 88 8a 61 cf fe 76 a8 1e 52 1b bb 95 be 97 10 95 78 9f a1 a0 5b 34 90 60 e3 8f 54 3a 94 37 20 60 c1 5d b0 ec eb 71 e6 e9 01 55 4a 65 a9 8f f8 2f b5 e0 15 af 6c 3f 35 9a ef ce 14 91 08 ba 56 83 2a 76 Attribute 79 (EAP-Message) length=255 Value: 0c cb f8 11 a7 b1 47 b5 7a be 28 2b 2f 97 6b 87 4e 5d 87 4b 4e 68 b6 04 9f 82 37 47 ea a6 03 b1 d4 93 86 87 6d 3f 30 ce 48 cb 82 4a 34 f3 33 4e d5 6f d8 5b 6b 0c 52 83 9c da 6f ff d8 a4 e5 86 12 e2 9a b9 e4 79 0c 71 dc fa ab 93 a7 ba 27 90 67 45 47 90 13 f7 14 82 d1 84 7c dc 32 a1 57 fb 22 4a 49 67 d1 24 42 11 2d 1d 4c b5 b2 7d 85 53 99 b3 6e 7a 60 94 94 5c d0 dd 1d 62 c8 f5 b1 2c 44 57 7f c4 1e c8 81 48 a9 36 bf fc 41 55 e2 47 10 52 75 1d ec b3 92 dc 9a c9 49 b6 b5 71 91 9f b7 3e 06 e2 cf 9f a4 9f 65 1d 69 0c b2 fd d2 8e 4f e9 ea c7 d6 9e 83 68 7a 36 1c ed 30 6d 18 5a 7c 33 84 7c 4b 11 e8 98 a5 6b 46 bd 6c f0 6e 91 a1 3e 77 83 03 47 dc e1 54 02 0c 99 b3 b1 13 7d 6e aa a9 bb 3e 98 6a d5 86 58 ca c5 32 5e 32 05 fe 1e 1a a4 0f 43 76 eb ad 56 e3 27 38 Attribute 79 (EAP-Message) length=255 Value: af 46 29 f8 9f 22 60 26 19 26 db ef 1e 7b 53 81 35 e8 45 ea 5a 3f 30 ca 58 bc 16 03 01 01 8d 0c 00 01 89 00 80 86 af 5a fd 81 c8 84 76 eb 4e dc 66 26 f3 05 32 fc 1c 25 e7 fa da 2f f7 f4 e9 84 cc 33 c8 f6 86 d5 e8 4b 92 80 c0 55 08 67 28 ae 16 e6 2b 82 90 c7 b3 85 60 5b 8d 78 89 1b 76 b9 0c 6f 40 79 99 49 72 d9 01 ff 18 08 ad d6 78 08 46 d0 76 4e 95 39 45 17 ee e4 21 0b ec 51 c4 c2 1e a3 58 5e d5 cc b4 2f 55 15 89 f7 3c 5e da ec 4e 85 09 6c fc b1 29 51 5e 33 58 0e 35 c6 5b c9 a8 84 77 4f 73 00 01 02 00 80 73 16 9f 48 1d 56 5b c1 ce 80 8d 2b 00 90 72 90 cb 86 21 60 9c 92 76 34 a2 a2 1a db 1b c9 89 f1 2b 05 76 8c 63 d5 87 bc 42 8d 7e 5f 50 af 62 e1 89 b4 30 32 6a d2 ed dd fb 35 37 b1 81 1e c3 ae a9 a1 fe a7 d1 49 bc be b0 9e e6 8b 38 2b 18 9b f7 27 93 Attribute 79 (EAP-Message) length=186 Value: c4 ac 31 8b 10 b1 2f 3b 49 4d 7e e1 ae ef 88 d0 38 20 fc 63 9e 3b 2d 8d 70 38 f8 4b 30 0c 13 9c 10 05 95 03 e2 a9 4c ed 86 65 b8 87 f8 00 80 7b a9 33 5b 74 24 1b a4 81 5f 99 2e 31 6d 55 8c 76 32 1b a0 fe 73 58 13 f2 90 62 e9 aa dc 98 26 89 81 29 b3 dd 0a 81 10 ff e6 a0 87 c6 58 a3 89 a1 4c d2 56 87 60 a5 15 9d 59 af 59 c5 7b a7 92 8a 74 5c cc 8d 77 9c f3 3e 27 8b 55 64 29 51 31 69 80 54 ae 6e ef 2f c0 c3 2a 4d 93 21 78 4f b6 2c b8 70 b1 45 43 75 75 2a 74 62 0b 23 5d 42 cf 02 0c 31 bd 14 75 7a b2 c1 24 72 a4 b0 bc 58 3a 16 03 01 00 04 0e 00 00 00 Attribute 80 (Message-Authenticator) length=18 Value: d2 cb 5a 54 7e 60 25 41 99 89 f2 88 8b 8e 7e 57 Attribute 24 (State) length=18 Value: 0e 7a a9 3e 08 7d b0 56 82 24 1d fb 53 ea 51 8c STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending request, round trip time 0.00 sec RADIUS packet matching with station decapsulated EAP packet (code=1 id=7 len=943) from RADIUS server: EAP-Request-PEAP (25) EAPOL: Received EAP-Packet frame EAPOL: SUPP_BE entering state REQUEST EAPOL: getSuppRsp EAP: EAP entering state RECEIVED EAP: Received EAP-Request id=7 method=25 vendor=0 vendorMethod=0 EAP: EAP entering state METHOD SSL: Received packet(len=943) - Flags 0x00 SSL: (where=0x1001 ret=0x1) SSL: SSL_connect:SSLv3 read server hello A TLS: tls_verify_cb - preverify_ok=1 err=0 (ok) ca_cert_verify=1 depth=2 buf='/C=IT/ST=Italy/L=Bologna/O=Universita di Bologna/OU=Dipartimento di Astronomia/CN=Astronomia - Root CA/emailAddress=dipastr.si@unibo.it' CTRL-EVENT-EAP-PEER-CERT depth=2 subject='/C=IT/ST=Italy/L=Bologna/O=Universita di Bologna/OU=Dipartimento di Astronomia/CN=Astronomia - Root CA/emailAddress=dipastr.si@unibo.it' TLS: tls_verify_cb - preverify_ok=1 err=0 (ok) ca_cert_verify=1 depth=1 buf='/C=IT/ST=Italy/L=Bologna/O=Universita di Bologna/OU=Dipartimento di Astronomia/CN=Astronomia - CA Servers/emailAddress=dipastr.si@unibo.it' CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/C=IT/ST=Italy/L=Bologna/O=Universita di Bologna/OU=Dipartimento di Astronomia/CN=Astronomia - CA Servers/emailAddress=dipastr.si@unibo.it' TLS: tls_verify_cb - preverify_ok=1 err=0 (ok) ca_cert_verify=1 depth=0 buf='/C=IT/ST=Italy/L=Bologna/O=Universita di Bologna/OU=Dipartimento di Astronomia/CN=radius.astronomia.unibo.it/emailAddress=dipastr.si@unibo.it' CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/C=IT/ST=Italy/L=Bologna/O=Universita di Bologna/OU=Dipartimento di Astronomia/CN=radius.astronomia.unibo.it/emailAddress=dipastr.si@unibo.it' SSL: (where=0x1001 ret=0x1) SSL: SSL_connect:SSLv3 read server certificate A SSL: (where=0x1001 ret=0x1) SSL: SSL_connect:SSLv3 read server key exchange A SSL: (where=0x1001 ret=0x1) SSL: SSL_connect:SSLv3 read server done A SSL: (where=0x1001 ret=0x1) SSL: SSL_connect:SSLv3 write client key exchange A SSL: (where=0x1001 ret=0x1) SSL: SSL_connect:SSLv3 write change cipher spec A SSL: (where=0x1001 ret=0x1) SSL: SSL_connect:SSLv3 write finished A SSL: (where=0x1001 ret=0x1) SSL: SSL_connect:SSLv3 flush data SSL: (where=0x1002 ret=0xffffffff) SSL: SSL_connect:error in SSLv3 read finished A SSL: SSL_connect - want more data SSL: 198 bytes pending from ssl_out SSL: 198 bytes left to be sent out (of total 198 bytes) EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL EAP: EAP entering state SEND_RESPONSE EAP: EAP entering state IDLE EAPOL: SUPP_BE entering state RESPONSE EAPOL: txSuppRsp WPA: eapol_test_eapol_send(type=0 len=208) TX EAP -> RADIUS - hexdump(len=208): 02 07 00 d0 19 80 00 00 00 c6 16 03 01 00 86 10 00 00 82 00 80 05 2e 02 c4 02 82 35 d2 a1 67 9a 93 65 42 17 5c 0b 35 d3 b2 7c 35 7f 04 c4 09 f5 d2 dd 3d 82 cd 4c a2 70 22 f9 a5 ef e4 10 63 2f a7 65 ab 51 bc 4f 24 86 2c 7c 30 35 2d c2 d7 e1 f3 88 fe 39 67 4b 38 a4 f3 34 96 30 54 f5 bd 74 e5 0b de ba 76 f3 66 21 e2 a1 44 1f af 7c 67 fe 3d cb 4c a6 9d 4a f1 68 03 0d 82 c1 04 33 ce 15 c1 31 f7 99 41 bc a2 c4 4a 73 96 5c d2 59 ee 58 ae ea fd f8 c7 14 03 01 00 01 01 16 03 01 00 30 2e 3c 25 26 01 51 03 68 8e 2c 7f 4c 17 29 26 8e 5b b2 0e 26 11 ee 12 0d 1e 4d 76 bd b2 e8 5d 60 24 00 cb a7 95 22 b9 84 43 91 58 59 65 69 ef 32 Encapsulating EAP message into a RADIUS packet Copied RADIUS State Attribute Sending RADIUS message to authentication server RADIUS message: code=1 (Access-Request) identifier=7 length=352 Attribute 1 (User-Name) length=25 Value: 'PERSONALE\diego.zuccato' Attribute 4 (NAS-IP-Address) length=6 Value: 127.0.0.1 Attribute 31 (Calling-Station-Id) length=19 Value: '02-00-00-00-00-01' Attribute 12 (Framed-MTU) length=6 Value: 1400 Attribute 61 (NAS-Port-Type) length=6 Value: 19 Attribute 77 (Connect-Info) length=24 Value: 'CONNECT 11Mbps 802.11b' Attribute 79 (EAP-Message) length=210 Value: 02 07 00 d0 19 80 00 00 00 c6 16 03 01 00 86 10 00 00 82 00 80 05 2e 02 c4 02 82 35 d2 a1 67 9a 93 65 42 17 5c 0b 35 d3 b2 7c 35 7f 04 c4 09 f5 d2 dd 3d 82 cd 4c a2 70 22 f9 a5 ef e4 10 63 2f a7 65 ab 51 bc 4f 24 86 2c 7c 30 35 2d c2 d7 e1 f3 88 fe 39 67 4b 38 a4 f3 34 96 30 54 f5 bd 74 e5 0b de ba 76 f3 66 21 e2 a1 44 1f af 7c 67 fe 3d cb 4c a6 9d 4a f1 68 03 0d 82 c1 04 33 ce 15 c1 31 f7 99 41 bc a2 c4 4a 73 96 5c d2 59 ee 58 ae ea fd f8 c7 14 03 01 00 01 01 16 03 01 00 30 2e 3c 25 26 01 51 03 68 8e 2c 7f 4c 17 29 26 8e 5b b2 0e 26 11 ee 12 0d 1e 4d 76 bd b2 e8 5d 60 24 00 cb a7 95 22 b9 84 43 91 58 59 65 69 ef 32 Attribute 24 (State) length=18 Value: 0e 7a a9 3e 08 7d b0 56 82 24 1d fb 53 ea 51 8c Attribute 80 (Message-Authenticator) length=18 Value: 6b 2f 2e d0 ed ee f8 c6 a4 74 1e a9 93 13 49 ca Next RADIUS client retransmit in 3 seconds EAPOL: SUPP_BE entering state RECEIVE Received 123 bytes from RADIUS server Received RADIUS message RADIUS message: code=11 (Access-Challenge) identifier=7 length=123 Attribute 79 (EAP-Message) length=67 Value: 01 08 00 41 19 00 14 03 01 00 01 01 16 03 01 00 30 c9 9b 90 37 fc 28 af f0 57 69 e4 e3 69 b1 03 d7 ac fe 2a ab 6f 95 f1 d3 92 bc 8e 16 43 fa e8 82 1d 1c 12 67 04 ee f4 e4 6f bf b4 02 5c 30 85 5b Attribute 80 (Message-Authenticator) length=18 Value: ce fe bf 29 68 63 cb d8 8b 98 df 7c 72 ac 99 74 Attribute 24 (State) length=18 Value: 0e 7a a9 3e 09 72 b0 56 82 24 1d fb 53 ea 51 8c STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending request, round trip time 0.00 sec RADIUS packet matching with station decapsulated EAP packet (code=1 id=8 len=65) from RADIUS server: EAP-Request-PEAP (25) EAPOL: Received EAP-Packet frame EAPOL: SUPP_BE entering state REQUEST EAPOL: getSuppRsp EAP: EAP entering state RECEIVED EAP: Received EAP-Request id=8 method=25 vendor=0 vendorMethod=0 EAP: EAP entering state METHOD SSL: Received packet(len=65) - Flags 0x00 SSL: (where=0x1001 ret=0x1) SSL: SSL_connect:SSLv3 read finished A SSL: (where=0x20 ret=0x1) SSL: (where=0x1002 ret=0x1) SSL: 0 bytes pending from ssl_out SSL: No Application Data included SSL: No data to be sent out EAP-PEAP: TLS done, proceed to Phase 2 EAP-PEAP: using label 'client EAP encryption' in key derivation EAP-PEAP: Derived key - hexdump(len=64): 65 99 ae 78 31 34 d4 a4 db 05 9d c3 0a 26 4b 69 a5 77 c2 19 e4 0f 9f 8e 9b 56 fd d2 fd b4 fe d8 82 20 09 79 9a fd c1 07 9b 85 7c 07 92 60 58 8d 06 d0 23 76 d5 33 0d 06 4f 91 a8 ea 40 11 cf f1 SSL: Building ACK (type=25 id=8 ver=0) EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL EAP: EAP entering state SEND_RESPONSE EAP: EAP entering state IDLE EAPOL: SUPP_BE entering state RESPONSE EAPOL: txSuppRsp WPA: eapol_test_eapol_send(type=0 len=6) TX EAP -> RADIUS - hexdump(len=6): 02 08 00 06 19 00 Encapsulating EAP message into a RADIUS packet Copied RADIUS State Attribute Sending RADIUS message to authentication server RADIUS message: code=1 (Access-Request) identifier=8 length=150 Attribute 1 (User-Name) length=25 Value: 'PERSONALE\diego.zuccato' Attribute 4 (NAS-IP-Address) length=6 Value: 127.0.0.1 Attribute 31 (Calling-Station-Id) length=19 Value: '02-00-00-00-00-01' Attribute 12 (Framed-MTU) length=6 Value: 1400 Attribute 61 (NAS-Port-Type) length=6 Value: 19 Attribute 77 (Connect-Info) length=24 Value: 'CONNECT 11Mbps 802.11b' Attribute 79 (EAP-Message) length=8 Value: 02 08 00 06 19 00 Attribute 24 (State) length=18 Value: 0e 7a a9 3e 09 72 b0 56 82 24 1d fb 53 ea 51 8c Attribute 80 (Message-Authenticator) length=18 Value: 3f 52 9f 24 52 cd 79 00 3d d1 08 40 2a 33 b4 14 Next RADIUS client retransmit in 3 seconds EAPOL: SUPP_BE entering state RECEIVE Received 101 bytes from RADIUS server Received RADIUS message RADIUS message: code=11 (Access-Challenge) identifier=8 length=101 Attribute 79 (EAP-Message) length=45 Value: 01 09 00 2b 19 00 17 03 01 00 20 9c a5 dc 52 6f 74 36 01 4b 9d f6 45 48 66 c1 4e 23 6a 46 95 c2 36 a2 06 25 36 ad cb b4 90 1c 53 Attribute 80 (Message-Authenticator) length=18 Value: 8e 3c 96 54 33 32 da 7d 39 2e d9 44 5e 61 b5 07 Attribute 24 (State) length=18 Value: 0e 7a a9 3e 06 73 b0 56 82 24 1d fb 53 ea 51 8c STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending request, round trip time 0.00 sec RADIUS packet matching with station decapsulated EAP packet (code=1 id=9 len=43) from RADIUS server: EAP-Request-PEAP (25) EAPOL: Received EAP-Packet frame EAPOL: SUPP_BE entering state REQUEST EAPOL: getSuppRsp EAP: EAP entering state RECEIVED EAP: Received EAP-Request id=9 method=25 vendor=0 vendorMethod=0 EAP: EAP entering state METHOD SSL: Received packet(len=43) - Flags 0x00 EAP-PEAP: received 37 bytes encrypted data for Phase 2 EAP-PEAP: Decrypted Phase 2 EAP - hexdump(len=5): 01 09 00 05 01 EAP-PEAP: received Phase 2: code=1 identifier=9 length=5 EAP-PEAP: Phase 2 Request: type=1 EAP: using real identity - hexdump_ascii(len=23): 50 45 52 53 4f 4e 41 4c 45 5c 64 69 65 67 6f 2e PERSONALE\diego. 7a 75 63 63 61 74 6f zuccato EAP-PEAP: Encrypting Phase 2 data - hexdump(len=28): 02 09 00 1c 01 50 45 52 53 4f 4e 41 4c 45 5c 64 69 65 67 6f 2e 7a 75 63 63 61 74 6f SSL: 90 bytes left to be sent out (of total 90 bytes) EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL EAP: EAP entering state SEND_RESPONSE EAP: EAP entering state IDLE EAPOL: SUPP_BE entering state RESPONSE EAPOL: txSuppRsp WPA: eapol_test_eapol_send(type=0 len=96) TX EAP -> RADIUS - hexdump(len=96): 02 09 00 60 19 00 17 03 01 00 20 27 22 f3 1e 5c e8 88 f5 86 e9 f6 e7 8a 4a b1 56 80 2f c2 8d e8 9a 9b 9a 08 21 80 5d 92 23 35 b5 17 03 01 00 30 4a 1c 6d 37 6c 69 8f 93 9d 8d d0 a3 fb 74 a9 29 1b a2 b4 02 e4 d8 27 33 23 63 c7 9e d1 0f 1f 23 d4 49 42 e0 44 56 96 64 72 f4 71 2c 02 ac 35 9c Encapsulating EAP message into a RADIUS packet Copied RADIUS State Attribute Sending RADIUS message to authentication server RADIUS message: code=1 (Access-Request) identifier=9 length=240 Attribute 1 (User-Name) length=25 Value: 'PERSONALE\diego.zuccato' Attribute 4 (NAS-IP-Address) length=6 Value: 127.0.0.1 Attribute 31 (Calling-Station-Id) length=19 Value: '02-00-00-00-00-01' Attribute 12 (Framed-MTU) length=6 Value: 1400 Attribute 61 (NAS-Port-Type) length=6 Value: 19 Attribute 77 (Connect-Info) length=24 Value: 'CONNECT 11Mbps 802.11b' Attribute 79 (EAP-Message) length=98 Value: 02 09 00 60 19 00 17 03 01 00 20 27 22 f3 1e 5c e8 88 f5 86 e9 f6 e7 8a 4a b1 56 80 2f c2 8d e8 9a 9b 9a 08 21 80 5d 92 23 35 b5 17 03 01 00 30 4a 1c 6d 37 6c 69 8f 93 9d 8d d0 a3 fb 74 a9 29 1b a2 b4 02 e4 d8 27 33 23 63 c7 9e d1 0f 1f 23 d4 49 42 e0 44 56 96 64 72 f4 71 2c 02 ac 35 9c Attribute 24 (State) length=18 Value: 0e 7a a9 3e 06 73 b0 56 82 24 1d fb 53 ea 51 8c Attribute 80 (Message-Authenticator) length=18 Value: fb 1a a9 0a 14 34 13 a7 80 89 f4 a4 23 38 51 f3 Next RADIUS client retransmit in 3 seconds EAPOL: SUPP_BE entering state RECEIVE Received 149 bytes from RADIUS server Received RADIUS message RADIUS message: code=11 (Access-Challenge) identifier=9 length=149 Attribute 79 (EAP-Message) length=93 Value: 01 0a 00 5b 19 00 17 03 01 00 50 e0 3e c1 3d 89 34 69 c6 60 71 cc 28 c6 02 16 f3 ea 86 77 2c 3d fc 30 bb 96 ab 24 fa 13 b9 d8 9f 31 2f 92 33 62 18 c2 d7 2a a8 9f 83 68 6a 7c 07 02 d0 c7 b4 02 c1 cb d3 8a 3e cc 51 d3 66 9b 74 39 2c d6 24 04 7f eb f6 56 0c ad 59 0c 9b 97 26 Attribute 80 (Message-Authenticator) length=18 Value: 8d 25 4c f7 97 a4 e1 31 a5 ce 99 cc cd e0 47 40 Attribute 24 (State) length=18 Value: 0e 7a a9 3e 07 70 b0 56 82 24 1d fb 53 ea 51 8c STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending request, round trip time 0.00 sec RADIUS packet matching with station decapsulated EAP packet (code=1 id=10 len=91) from RADIUS server: EAP-Request-PEAP (25) EAPOL: Received EAP-Packet frame EAPOL: SUPP_BE entering state REQUEST EAPOL: getSuppRsp EAP: EAP entering state RECEIVED EAP: Received EAP-Request id=10 method=25 vendor=0 vendorMethod=0 EAP: EAP entering state METHOD SSL: Received packet(len=91) - Flags 0x00 EAP-PEAP: received 85 bytes encrypted data for Phase 2 EAP-PEAP: Decrypted Phase 2 EAP - hexdump(len=45): 1a 01 0a 00 2c 10 89 1d 7b 28 d8 fb 7e 88 18 33 48 49 5b 31 40 dd 50 45 52 53 4f 4e 41 4c 45 5c 64 69 65 67 6f 2e 7a 75 63 63 61 74 6f EAP-PEAP: received Phase 2: code=1 identifier=10 length=49 EAP-PEAP: Phase 2 Request: type=26 EAP-PEAP: Selected Phase 2 EAP vendor 0 method 26 EAP-MSCHAPV2: RX identifier 10 mschapv2_id 10 EAP-MSCHAPV2: Received challenge EAP-MSCHAPV2: Authentication Servername - hexdump_ascii(len=23): 50 45 52 53 4f 4e 41 4c 45 5c 64 69 65 67 6f 2e PERSONALE\diego. 7a 75 63 63 61 74 6f zuccato EAP-MSCHAPV2: Generating Challenge Response MSCHAPV2: Identity - hexdump_ascii(len=23): 50 45 52 53 4f 4e 41 4c 45 5c 64 69 65 67 6f 2e PERSONALE\diego. 7a 75 63 63 61 74 6f zuccato MSCHAPV2: Username - hexdump_ascii(len=13): 64 69 65 67 6f 2e 7a 75 63 63 61 74 6f diego.zuccato MSCHAPV2: auth_challenge - hexdump(len=16): 89 1d 7b 28 d8 fb 7e 88 18 33 48 49 5b 31 40 dd MSCHAPV2: peer_challenge - hexdump(len=16): a6 7d 2c b6 fb bb f6 6a 02 93 cb 62 90 b5 40 de MSCHAPV2: username - hexdump_ascii(len=13): 64 69 65 67 6f 2e 7a 75 63 63 61 74 6f diego.zuccato MSCHAPV2: password - hexdump_ascii(len=10): 74 65 73 74 69 6e 67 31 32 33 testing123 MSCHAPV2: NT Response - hexdump(len=24): 4d f5 00 14 b4 6f 8b 83 b4 df 5b 7c ec c0 36 6e fe 63 8e 9d 62 dc 71 69 MSCHAPV2: Auth Response - hexdump(len=20): 04 4c a4 9d c3 22 5d 34 24 8d 06 05 e9 12 07 13 c3 68 1b 2d MSCHAPV2: Master Key - hexdump(len=16): e1 46 a5 1a 0a d0 68 a4 da 8f 6c 05 7c b2 d9 bc EAP-MSCHAPV2: TX identifier 10 mschapv2_id 10 (response) EAP-PEAP: Encrypting Phase 2 data - hexdump(len=82): 02 0a 00 52 1a 02 0a 00 4d 31 a6 7d 2c b6 fb bb f6 6a 02 93 cb 62 90 b5 40 de 00 00 00 00 00 00 00 00 4d f5 00 14 b4 6f 8b 83 b4 df 5b 7c ec c0 36 6e fe 63 8e 9d 62 dc 71 69 00 50 45 52 53 4f 4e 41 4c 45 5c 64 69 65 67 6f 2e 7a 75 63 63 61 74 6f SSL: 154 bytes left to be sent out (of total 154 bytes) EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL EAP: EAP entering state SEND_RESPONSE EAP: EAP entering state IDLE EAPOL: SUPP_BE entering state RESPONSE EAPOL: txSuppRsp WPA: eapol_test_eapol_send(type=0 len=160) TX EAP -> RADIUS - hexdump(len=160): 02 0a 00 a0 19 00 17 03 01 00 20 8d 59 9d fa 88 e6 f7 16 ca 8d 2b 13 c2 17 3e 31 17 4b ba 1a 86 c1 d4 98 f4 63 18 e1 f9 4d 45 12 17 03 01 00 70 ae 6d 17 2b 03 fb 2f 6a e4 48 f6 43 53 5d 98 cc d7 5f 04 6e 82 f3 2d 61 ce 2e 4c 29 8a 53 80 19 31 87 fa 40 80 c6 7d 39 46 3e 0d c8 2f 1c 30 97 96 f1 58 34 4d de 75 cf 5a 40 9c 15 64 e6 40 fb 9d 03 9f 4d 5d 56 2d b4 00 70 77 ff 3d d7 96 35 89 a3 ed cb d0 28 c7 5e 80 43 c9 b5 05 82 a0 7a a4 61 a6 00 d5 87 78 67 9e fa 65 14 a6 be a1 82 Encapsulating EAP message into a RADIUS packet Copied RADIUS State Attribute Sending RADIUS message to authentication server RADIUS message: code=1 (Access-Request) identifier=10 length=304 Attribute 1 (User-Name) length=25 Value: 'PERSONALE\diego.zuccato' Attribute 4 (NAS-IP-Address) length=6 Value: 127.0.0.1 Attribute 31 (Calling-Station-Id) length=19 Value: '02-00-00-00-00-01' Attribute 12 (Framed-MTU) length=6 Value: 1400 Attribute 61 (NAS-Port-Type) length=6 Value: 19 Attribute 77 (Connect-Info) length=24 Value: 'CONNECT 11Mbps 802.11b' Attribute 79 (EAP-Message) length=162 Value: 02 0a 00 a0 19 00 17 03 01 00 20 8d 59 9d fa 88 e6 f7 16 ca 8d 2b 13 c2 17 3e 31 17 4b ba 1a 86 c1 d4 98 f4 63 18 e1 f9 4d 45 12 17 03 01 00 70 ae 6d 17 2b 03 fb 2f 6a e4 48 f6 43 53 5d 98 cc d7 5f 04 6e 82 f3 2d 61 ce 2e 4c 29 8a 53 80 19 31 87 fa 40 80 c6 7d 39 46 3e 0d c8 2f 1c 30 97 96 f1 58 34 4d de 75 cf 5a 40 9c 15 64 e6 40 fb 9d 03 9f 4d 5d 56 2d b4 00 70 77 ff 3d d7 96 35 89 a3 ed cb d0 28 c7 5e 80 43 c9 b5 05 82 a0 7a a4 61 a6 00 d5 87 78 67 9e fa 65 14 a6 be a1 82 Attribute 24 (State) length=18 Value: 0e 7a a9 3e 07 70 b0 56 82 24 1d fb 53 ea 51 8c Attribute 80 (Message-Authenticator) length=18 Value: f2 ab 0b d7 4f 36 9b e0 20 7b c8 8c 87 1e fa be Next RADIUS client retransmit in 3 seconds EAPOL: SUPP_BE entering state RECEIVE Received 149 bytes from RADIUS server Received RADIUS message RADIUS message: code=11 (Access-Challenge) identifier=10 length=149 Attribute 79 (EAP-Message) length=93 Value: 01 0b 00 5b 19 00 17 03 01 00 50 55 eb c7 36 70 d6 e4 90 b3 bc f2 78 5a 22 b1 4d a2 d6 d4 1f df 14 37 03 76 7f a3 00 cd 4f 79 8b 2e 13 cf 27 a3 b8 4d 79 9b 78 1a 9a 25 d5 8f ff f3 d1 e4 77 af 65 c7 f3 dc f1 39 a1 c8 86 32 da 76 ef f1 aa 05 00 21 ad d9 be ed 5c f5 b9 7e ea Attribute 80 (Message-Authenticator) length=18 Value: 0e 97 42 d5 36 63 37 33 57 df 91 cc a8 ea a9 05 Attribute 24 (State) length=18 Value: 0e 7a a9 3e 04 71 b0 56 82 24 1d fb 53 ea 51 8c STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending request, round trip time 0.05 sec RADIUS packet matching with station decapsulated EAP packet (code=1 id=11 len=91) from RADIUS server: EAP-Request-PEAP (25) EAPOL: Received EAP-Packet frame EAPOL: SUPP_BE entering state REQUEST EAPOL: getSuppRsp EAP: EAP entering state RECEIVED EAP: Received EAP-Request id=11 method=25 vendor=0 vendorMethod=0 EAP: EAP entering state METHOD SSL: Received packet(len=91) - Flags 0x00 EAP-PEAP: received 85 bytes encrypted data for Phase 2 EAP-PEAP: Decrypted Phase 2 EAP - hexdump(len=47): 1a 03 0a 00 2e 53 3d 32 32 37 34 39 36 33 45 33 37 43 36 36 34 46 42 42 33 30 46 36 34 41 41 36 30 36 33 34 31 31 46 44 44 46 36 35 45 34 41 EAP-PEAP: received Phase 2: code=1 identifier=11 length=51 EAP-PEAP: Phase 2 Request: type=26 EAP-MSCHAPV2: RX identifier 11 mschapv2_id 10 EAP-MSCHAPV2: Received success EAP-MSCHAPV2: Invalid authenticator response in success request EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL EAP: EAP entering state SEND_RESPONSE EAP: EAP entering state IDLE EAPOL: startWhen --> 0 EAPOL test timed out EAPOL: EAP key not available EAP: deinitialize previously used EAP method (25, PEAP) at EAP deinit MPPE keys OK: 0 mismatch: 1 FAILURE Tks, Diego
EAP: deinitialize previously used EAP method (25, PEAP) at EAP deinit MPPE keys OK: 0 mismatch: 1 FAILURE
Hmm. I see from your original email that Samba & ntlm_auth are succeeding. There are a couple of buggy version of Samba out there that return invalid response values, and generate these symptoms. Which version of Samba are you running, and on what OS?
Il 19/01/2012 10:03, Phil Mayers ha scritto:
EAP: deinitialize previously used EAP method (25, PEAP) at EAP deinit MPPE keys OK: 0 mismatch: 1 FAILURE These (plus the timeout one) are the lines printed after FR have already cloded session.
Hmm. I see from your original email that Samba & ntlm_auth are succeeding. Yup. I'm quite used to joining machines to AD... Already have about 100 clients and 5 servers, and this one is the one giving me troubles :(
There are a couple of buggy version of Samba out there that return invalid response values, and generate these symptoms. Which version of Samba are you running, and on what OS? Samba 3.5.6 (latest packaged one) on Debian Squeeze. Once it's working, I'll have to move the config to a ZeroShell box with Samba 3.5.10.
Another problem I should fix is the fact that ZS's captive portal passes user@realm credentials instead of realm\user ... rewriting w/ a simple rule in hints file seems to block the rest, so I left it behind, for now. Tks, Diego.
On 19/01/12 11:07, NdK wrote:
Il 19/01/2012 10:03, Phil Mayers ha scritto:
EAP: deinitialize previously used EAP method (25, PEAP) at EAP deinit MPPE keys OK: 0 mismatch: 1 FAILURE These (plus the timeout one) are the lines printed after FR have already cloded session.
Yes.
Hmm. I see from your original email that Samba& ntlm_auth are succeeding. Yup. I'm quite used to joining machines to AD... Already have about 100 clients and 5 servers, and this one is the one giving me troubles :(
There are a couple of buggy version of Samba out there that return invalid response values, and generate these symptoms. Which version of Samba are you running, and on what OS? Samba 3.5.6 (latest packaged one) on Debian Squeeze. Once it's working, I'll have to move the config to a ZeroShell box with Samba 3.5.10.
That version should be ok; we're on 3.5.4 I'm not sure what the problem is then. From your original post, the authentication is failing at the *client*, in the inner EAP section. This normally means the final MSCHAP response is invalid, which only happens if some crypto has gone wrong somewhere.
Another problem I should fix is the fact that ZS's captive portal passes user@realm credentials instead of realm\user ... rewriting w/ a simple rule in hints file seems to block the rest, so I left it behind, for now.
You can't alter usernames in EAP. They are usually mixed into the challenge/response data, and altering them in-flight means the challenge/response will fail. To be honest, there's too much going on in your setup; my advice would be to create a new server (running 2.1.12) and use the default setup. Test your EAP with eapol_test. Make small changes, storing the config into version control at each step. Identify exactly which point the failures start happening at. Most people don't see this problem, so it's something specific to your setup.
Il 19/01/2012 13:01, Phil Mayers ha scritto:
I'm not sure what the problem is then. From your original post, the authentication is failing at the *client*, in the inner EAP section. This normally means the final MSCHAP response is invalid, which only happens if some crypto has gone wrong somewhere. But then it should fail immediately, not after a timeout! And an immediate failure is the result when I *disable* 'with_ntdomain_hack=yes' line in mschap.
No changes even enabling "ntdomain" lines in 'default' and 'inner-tunnel' sites (IIUC those should only detect the domain, regardless of it being prefix or suffix).
Another problem I should fix is the fact that ZS's captive portal passes user@realm credentials instead of realm\user ... rewriting w/ a simple rule in hints file seems to block the rest, so I left it behind, for now. You can't alter usernames in EAP. They are usually mixed into the challenge/response data, and altering them in-flight means the challenge/response will fail. Ok. I'm not going to change 'em.
To be honest, there's too much going on in your setup; my advice would be to create a new server (running 2.1.12) and use the default setup. Test your EAP with eapol_test. Make small changes, storing the config into version control at each step. Identify exactly which point the failures start happening at. That's exactly what I've done till now. The failures start when I enable the auth I need. The problem w/ CP is just an "issue scheduled for later examination" -- nothing configured yet to fix it.
That's my 'hg diff' output (w/o the certs part) from the base config (from the tutorial): diff -r 434b2b3ededc clients.conf --- a/clients.conf Mon Jan 16 15:17:07 2012 +0100 +++ b/clients.conf Fri Jan 20 11:22:45 2012 +0100 @@ -232,3 +232,10 @@ # secret = testing123 # } #} + +client 137.204.65.161 { + secret = testing123qaz +} +client 137.204.65.96 { + secret = testing123qaz +} diff -r 434b2b3ededc modules/mschap --- a/modules/mschap Mon Jan 16 15:17:07 2012 +0100 +++ b/modules/mschap Fri Jan 20 11:22:45 2012 +0100 @@ -34,6 +34,7 @@ # corrects for that incorrect behavior. # #with_ntdomain_hack = no + #with_ntdomain_hack = yes # The module can perform authentication itself, OR # use a Windows Domain Controller. This configuration @@ -63,4 +64,7 @@ # the "best" user name for the request. # #ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" + ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{mschap:User-Name}:-%{User-Name:-None}} --domain=%{%{mschap:NT-Domain}:-PERSONALE} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" +# ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{mschap:User-Name}:-%{Stripped-User-Name}:-%{User-Name}} --domain=%{%{myDomain}:-%{mschap:NT-Domain}:-PERSONALE} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" +# ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{%{myDomain}:-%{mschap:NT-Domain}:-PERSONALE} --username=%{%{Stripped-User-Name}:-%{mschap:Stripped-User-Name}} --password=%{User-Password} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" } diff -r 434b2b3ededc modules/ntlm_auth --- a/modules/ntlm_auth Mon Jan 16 15:17:07 2012 +0100 +++ b/modules/ntlm_auth Fri Jan 20 11:22:45 2012 +0100 @@ -8,5 +8,6 @@ # exec ntlm_auth { wait = yes - program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}" +# program = "/usr/bin/ntlm_auth --request-nt-key --domain=%{%{mschap:NT-Domain}:-PERSONALE} --username=%{mschap:User-Name} --password=%{User-Password}" + program = "/usr/bin/ntlm_auth --request-nt-key --domain=%{%{myDomain}:-%{mschap:NT-Domain}:-PERSONALE} --username=%{%{Stripped-User-Name}:-%{mschap:Stripped-User-Name}} --password=%{User-Password} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" } diff -r 434b2b3ededc sites-available/default --- a/sites-available/default Mon Jan 16 15:17:07 2012 +0100 +++ b/sites-available/default Fri Jan 20 11:22:45 2012 +0100 @@ -116,7 +116,7 @@ # the other styles won't be checked. # suffix -# ntdomain + ntdomain # # This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP @@ -306,6 +306,8 @@ # handled # override the "updated" code from attr_filter # } # } + +# ntlm_auth } @@ -347,7 +349,7 @@ # home server as authentication requests. # IPASS suffix -# ntdomain + ntdomain # # Read the 'acct_users' file diff -r 434b2b3ededc sites-available/inner-tunnel --- a/sites-available/inner-tunnel Mon Jan 16 15:17:07 2012 +0100 +++ b/sites-available/inner-tunnel Fri Jan 20 11:22:45 2012 +0100 @@ -89,7 +89,7 @@ # it difficult to bill people for their network activity. # suffix -# ntdomain + ntdomain # # The "suffix" module takes care of stripping the domain @@ -231,6 +231,8 @@ # ldap # } +# ntlm_auth + # # Allow EAP authentication. eap As you can see there are only minimal changes... BYtE, Diego.
On 01/20/2012 10:30 AM, NdK wrote:
Il 19/01/2012 13:01, Phil Mayers ha scritto:
I'm not sure what the problem is then. From your original post, the authentication is failing at the *client*, in the inner EAP section. This normally means the final MSCHAP response is invalid, which only happens if some crypto has gone wrong somewhere. But then it should fail immediately, not after a timeout!
Not so.
And an immediate failure is the result when I *disable* 'with_ntdomain_hack=yes' line in mschap.
That's a different failure mode. EAP/MS-CHAP works as follows: server: send random challenge bytes to client client: send response=crypto(password,challenge) to server server: send crypto(response,password) to client If validation of the 2nd item fails, you'll see an immediate failure at the FreeRADIUS end, because FreeRADIUS is doing the validation. If validation of the 3rd item fails, the client just stops - it gives up, and sends no further packets, because it thinks the server is fake / impersonating. That's why there's a timeout at the FreeRADIUS end.
That's exactly what I've done till now. The failures start when I enable the auth I need. The problem w/ CP is just an "issue scheduled for later examination" -- nothing configured yet to fix it.
That's my 'hg diff' output (w/o the certs part) from the base config (from the tutorial):
If that's really all you've changed, there must be something wrong with Samba; it's getting the final crypto blob wrong, and the client is dropping the packets. You'll need to investigate and fix this.
Il 20/01/2012 11:55, Phil Mayers ha scritto:
If that's really all you've changed, there must be something wrong with Samba; it's getting the final crypto blob wrong, and the client is dropping the packets. You'll need to investigate and fix this. Just tested with radtest (have had to use single quotes and FOUR backslashes! -- my password is obviously in $P): # radtest -t mschap 'PERSONALE\\\\diego.zuccato' "$P" localhost 0 testing123 Sending Access-Request of id 123 to 127.0.0.1 port 1812 User-Name = "PERSONALE\\diego.zuccato" NAS-IP-Address = 127.0.1.1 NAS-Port = 0 MS-CHAP-Challenge = 0x7f218889d9de0c84 MS-CHAP-Response = 0x000100000000000000000000000000000000000000000000000015ea491108aa02bb34b5fe79918a67cd8a7b069240091194 rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=123, length=84 MS-CHAP-MPPE-Keys = 0x00000000000000003b1acd0b65d7af221df50f6ca50447cf0000000000000000 MS-MPPE-Encryption-Policy = 0x00000001 MS-MPPE-Encryption-Types = 0x00000006
And the Access-Accept is quite fast. When using eapol_test, I get the timeout. The difference is that radtest seems to use mschapv1 while eapol_test uses mschapv2. What could be so wrong that v1 works and v2 doesn't? IIUC v2 includes username and client nonce in the authenticator, while v1 doesn't. BYtE, Diego.
Mschap v1 doesn't validate the reply from server to client, which is what is failing with eapol_test. Therefore you're not testing the same path. Try using a local i.e. non samba user to test. I am sure the problem is with your samba daemon. -- Sent from my phone. Please excuse brevity and typos.
Phil Mayers <p.mayers@imperial.ac.uk> wrote:
Mschap v1 doesn't validate the reply from server to client, which is what is failing with eapol_test. Therefore you're not testing the same path.
Try using a local i.e. non samba user to test. I am sure the problem is with your samba daemon. -- Sent from my phone. Please excuse brevity and typos.
See also: https://bugzilla.samba.org/show_bug.cgi?id=6563 ...which I think is the problem you are seeing. Comment 18 gives a way to test this. See also the final comment about "invalid nt key until I restarted winbind" which might be the issue. -- Sent from my phone. Please excuse brevity and typos.
I mentioned exactly that last week but he disregarded it!
Subject: Re: eapol_test giving up and win-like error? From: p.mayers@imperial.ac.uk Date: Mon, 23 Jan 2012 10:12:08 +0000 To: freeradius-users@lists.freeradius.org
Phil Mayers <p.mayers@imperial.ac.uk> wrote:
Mschap v1 doesn't validate the reply from server to client, which is what is failing with eapol_test. Therefore you're not testing the same path.
Try using a local i.e. non samba user to test. I am sure the problem is with your samba daemon. -- Sent from my phone. Please excuse brevity and typos.
See also:
https://bugzilla.samba.org/show_bug.cgi?id=6563
...which I think is the problem you are seeing. Comment 18 gives a way to test this.
See also the final comment about "invalid nt key until I restarted winbind" which might be the issue. -- Sent from my phone. Please excuse brevity and typos.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Il 23/01/2012 11:02, Phil Mayers ha scritto:
Mschap v1 doesn't validate the reply from server to client, which is what is failing with eapol_test. Therefore you're not testing the same path. So radtest isn't actually equivalent to eapol_test. It's just another step for testing.
Try using a local i.e. non samba user to test. I am sure the problem is with your samba daemon. What do you mean by "local user"? One added in users file? I know it works (tested while following the guide), but it's not using mschapv2, IIUC...
From https://bugzilla.samba.org/show_bug.cgi?id=6563 it seems that script only generates NTLMv1 responses... And it references a quite old Samba version. I'm using 3.5.10. From comment 46: "Yes, 3.5.6 has all necessary fixes for this issue. Unless the sernet packages do contain other changes, it should just work with those packages."
I retested, adding "winbind:forcesamlogon = True" and eapol_test is now successful. Might be useful to add to the guide. Seems, after all, it's needed for recent SAMBA releases, too. Just for completeness my (now working) smb.conf is: [global] workgroup = PERSONALE realm = PERSONALE.DIR.UNIBO.IT server string = %v security = ADS restrict anonymous = 2 log level = 3 log file = /var/log/samba/log.%m max log size = 50 socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 local master = No dns proxy = No idmap uid = 100000-100000000 idmap gid = 100000-100000000 template shell = /bin/bash winbind use default domain = Yes winbind refresh tickets = Yes winbind offline logon = Yes winbind normalize names = Yes idmap config STUDENTI:range = 50000000 - 99999999 idmap config STUDENTI:base_rid = 500 idmap config STUDENTI:backend = rid idmap config PERSONALE:range = 100000 - 49999999 idmap config PERSONALE:base_rid = 500 idmap config PERSONALE:backend = rid idmap config STUDENTI:default = yes idmap config PERSONALE:default = no winbind:forcesamlogon = True [maybe the whole idmap could be removed, but better not to touch it once it's working...] No need to edit /etc/krb5.conf (interfacing to a native AD domain, so DNS records are OK for auto-discovery of Kerberos servers. Now it's Zeroshell's turn... Tks for the patience. BYtE, Diego.
participants (4)
-
Alan DeKok -
NdK -
Phil Mayers -
Sergio NNX