MSCHAP Machine/User Authentication with Windows
Hi, I've searched high and low for answers/a solution on this and haven't had much luck, so I'm hoping someone on this list might be able to help. I have a near default freeradius3 setup using NTLM to authenticate our PEAP MSCHAP wireless clients. Non-windows machines work fine (mac, phones etc), but I'm having difficulty getting Windows 7/8 authenticated using machine authentication or user authentication. Essentially I'm seeing the below error: Auth: Invalid user: [DOMAIN\\user] or Auth: Invalid user: [host\\MACHINE-NAME] Successful authentications (from a mac) look like this: Auth: Login OK: [user] Running "ntlm_auth --request-nt-key --username=domain\\user" returns NT_STATUS_OK The only real configuration changes I've made are in the mschap mod, having tried both of the following: ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}" ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-TESTDOMAIN} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" Below is a debug of a windows 8 wireless client attempting to authenticate. First it tries machine authentication, then it tries user authentication. Any help would be greatly appreciated. Cheers Ready to process requests. Received Access-Request Id 211 from 172.17.6.253:32985 to 192.168.254.181:1812 length 240 User-Name = 'host/win81-ops.in.testdomain' NAS-IP-Address = 172.17.6.253 NAS-Port = 0 NAS-Identifier = 'wirelesscontroller' NAS-Port-Type = Wireless-802.11 Calling-Station-Id = '5C514FFA8C73' Called-Station-Id = '000B869A9037' Service-Type = Framed-User Framed-MTU = 1100 EAP-Message = 0x0201002001686f73742f77696e38312d6f70732e696e2e667265736876696577 Aruba-Essid-Name = 'bandit' Aruba-Location-Id = 'ap1' Aruba-AP-Group = 'syd' Aruba-Device-Type = 'Windows' Message-Authenticator = 0xb1632e4c77e27f16f9cdd51c91aa5ee9 (0) # Executing section authorize from file /etc/freeradius/sites-enabled/default (0) authorize { (0) filter_username filter_username { (0) if (User-Name != "%{tolower:%{User-Name}}") (0) EXPAND %{tolower:%{User-Name}} (0) --> host/win81-ops.in.testdomain (0) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (0) if (User-Name =~ / /) (0) if (User-Name =~ / /) -> FALSE (0) if (User-Name =~ /@.*@/ ) (0) if (User-Name =~ /@.*@/ ) -> FALSE (0) if (User-Name =~ /\\.\\./ ) (0) if (User-Name =~ /\\.\\./ ) -> FALSE (0) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (0) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (0) if (User-Name =~ /\\.$/) (0) if (User-Name =~ /\\.$/) -> FALSE (0) if (User-Name =~ /@\\./) (0) if (User-Name =~ /@\\./) -> FALSE (0) } # filter_username filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix : No '@' in User-Name = "host/win81-ops.in.testdomain", looking up realm NULL (0) suffix : No such realm "NULL" (0) [suffix] = noop (0) eap : EAP packet type response id 1 length 32 (0) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = EAP (0) # Executing group from file /etc/freeradius/sites-enabled/default (0) authenticate { (0) eap : Peer sent Identity (1) (0) eap : Calling eap_peap to process EAP data (0) eap_peap : Flushing SSL sessions (of #0) (0) eap_peap : Initiate (0) eap_peap : Start returned 1 (0) eap : New EAP session, adding 'State' attribute to reply 0xaf7aab12af78b29f (0) [eap] = handled (0) } # authenticate = handled Sending Access-Challenge Id 211 from 192.168.254.181:1812 to 172.17.6.253:32985 EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xaf7aab12af78b29f91f28722b6106031 (0) Finished request Waking up in 0.3 seconds. Received Access-Request Id 203 from 172.17.6.253:32985 to 192.168.254.181:1812 length 344 User-Name = 'host/win81-ops.in.testdomain' NAS-IP-Address = 172.17.6.253 NAS-Port = 0 NAS-Identifier = 'wirelesscontroller' NAS-Port-Type = Wireless-802.11 Calling-Station-Id = '5C514FFA8C73' Called-Station-Id = '000B869A9037' Service-Type = Framed-User Framed-MTU = 1100 EAP-Message = 0x0202007619800000006c16030100670100006303015550523bf4af127e5fe0dfcfc8c5a896e7cfc31a2a7746ab87d162af997a04a5000018c014c0130035002fc00ac00900380032000a00130005000401000022ff01000100000500050100000000000a0006000400170018000b0002010000230000 State = 0xaf7aab12af78b29f91f28722b6106031 Aruba-Essid-Name = 'bandit' Aruba-Location-Id = 'ap1' Aruba-AP-Group = 'syd' Aruba-Device-Type = 'Windows' Message-Authenticator = 0xa9f4a8b97958f630a9984c92c0fcc7bd (1) # Executing section authorize from file /etc/freeradius/sites-enabled/default (1) authorize { (1) filter_username filter_username { (1) if (User-Name != "%{tolower:%{User-Name}}") (1) EXPAND %{tolower:%{User-Name}} (1) --> host/win81-ops.in.testdomain (1) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (1) if (User-Name =~ / /) (1) if (User-Name =~ / /) -> FALSE (1) if (User-Name =~ /@.*@/ ) (1) if (User-Name =~ /@.*@/ ) -> FALSE (1) if (User-Name =~ /\\.\\./ ) (1) if (User-Name =~ /\\.\\./ ) -> FALSE (1) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (1) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (1) if (User-Name =~ /\\.$/) (1) if (User-Name =~ /\\.$/) -> FALSE (1) if (User-Name =~ /@\\./) (1) if (User-Name =~ /@\\./) -> FALSE (1) } # filter_username filter_username = notfound (1) [preprocess] = ok (1) [chap] = noop (1) [mschap] = noop (1) [digest] = noop (1) suffix : No '@' in User-Name = "host/win81-ops.in.testdomain", looking up realm NULL (1) suffix : No such realm "NULL" (1) [suffix] = noop (1) eap : EAP packet type response id 2 length 118 (1) eap : Continuing tunnel setup. (1) [eap] = ok (1) } # authorize = ok (1) Found Auth-Type = EAP (1) # Executing group from file /etc/freeradius/sites-enabled/default (1) authenticate { (1) eap : Expiring EAP session with state 0xaf7aab12af78b29f (1) eap : Finished EAP session with state 0xaf7aab12af78b29f (1) eap : Previous EAP request found for state 0xaf7aab12af78b29f, released from the list (1) eap : Peer sent PEAP (25) (1) eap : EAP PEAP (25) (1) eap : Calling eap_peap to process EAP data (1) eap_peap : processing EAP-TLS TLS Length 108 (1) eap_peap : Length Included (1) eap_peap : eaptls_verify returned 11 (1) eap_peap : (other): before/accept initialization (1) eap_peap : TLS_accept: before/accept initialization (1) eap_peap : <<< TLS 1.0 Handshake [length 0067], ClientHello (1) eap_peap : TLS_accept: SSLv3 read client hello A (1) eap_peap : >>> TLS 1.0 Handshake [length 0059], ServerHello (1) eap_peap : TLS_accept: SSLv3 write server hello A (1) eap_peap : >>> TLS 1.0 Handshake [length 0c61], Certificate (1) eap_peap : TLS_accept: SSLv3 write certificate A (1) eap_peap : >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange (1) eap_peap : TLS_accept: SSLv3 write key exchange A (1) eap_peap : >>> TLS 1.0 Handshake [length 0004], ServerHelloDone (1) eap_peap : TLS_accept: SSLv3 write server done A (1) eap_peap : TLS_accept: SSLv3 flush data (1) eap_peap : TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode (1) eap_peap : eaptls_process returned 13 (1) eap_peap : FR_TLS_HANDLED (1) eap : New EAP session, adding 'State' attribute to reply 0xaf7aab12ae79b29f (1) [eap] = handled (1) } # authenticate = handled Sending Access-Challenge Id 203 from 192.168.254.181:1812 to 172.17.6.253:32985 EAP-Message = 0x010303ec19c000000e1d1603010059020000550301f9a84ded3c3d019330abd1de6d7ff97f916e4aa4140b0733d9c1a1686ec5ba212041db36e17b59817fcc7a5d510c0ab6febebd2f0dfc04701386f3dad95265c63dc01400000dff01000100000b0004030001021603010c610b000c5d000c5a0004a7308204a33082038ba00302010202030439a3300d06092a864886f70d01010b05003047310b300906035504061302555331163014060355040a130d47656f547275737420496e632e3120301e06035504031317526170696453534c20534841323536204341202d204733301e170d3135303530373033333932305a170d3136303530383233353131385a30819431133011060355040b130a475432333636383233393131302f060355040b1328536565207777772e726170696473736c2e636f6d2f7265736f75726365732f637073202863293135312f302d060355040b1326446f6d61696e20436f6e74726f6c2056616c696461746564202d20526170696453534c2852293119301706035504031310776966692e63616d706d6f6e2e6e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100c2b2d2c1ff3c2380d9d47968c4a76b101501d4b4d3efd5857da81b6610580c9021e898e1beb2f5ea06a98dfd06a3f04bfa7b68fc77481cc7b9eb5777938 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xaf7aab12ae79b29f91f28722b6106031 (1) Finished request Waking up in 0.3 seconds. Received Access-Request Id 213 from 172.17.6.253:32985 to 192.168.254.181:1812 length 232 User-Name = 'host/win81-ops.in.testdomain' NAS-IP-Address = 172.17.6.253 NAS-Port = 0 NAS-Identifier = 'wirelesscontroller' NAS-Port-Type = Wireless-802.11 Calling-Station-Id = '5C514FFA8C73' Called-Station-Id = '000B869A9037' Service-Type = Framed-User Framed-MTU = 1100 EAP-Message = 0x020300061900 State = 0xaf7aab12ae79b29f91f28722b6106031 Aruba-Essid-Name = 'bandit' Aruba-Location-Id = 'ap1' Aruba-AP-Group = 'syd' Aruba-Device-Type = 'Windows' Message-Authenticator = 0x78dd3eaf48cf6c7dbaa005633cb99020 (2) # Executing section authorize from file /etc/freeradius/sites-enabled/default (2) authorize { (2) filter_username filter_username { (2) if (User-Name != "%{tolower:%{User-Name}}") (2) EXPAND %{tolower:%{User-Name}} (2) --> host/win81-ops.in.testdomain (2) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (2) if (User-Name =~ / /) (2) if (User-Name =~ / /) -> FALSE (2) if (User-Name =~ /@.*@/ ) (2) if (User-Name =~ /@.*@/ ) -> FALSE (2) if (User-Name =~ /\\.\\./ ) (2) if (User-Name =~ /\\.\\./ ) -> FALSE (2) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (2) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (2) if (User-Name =~ /\\.$/) (2) if (User-Name =~ /\\.$/) -> FALSE (2) if (User-Name =~ /@\\./) (2) if (User-Name =~ /@\\./) -> FALSE (2) } # filter_username filter_username = notfound (2) [preprocess] = ok (2) [chap] = noop (2) [mschap] = noop (2) [digest] = noop (2) suffix : No '@' in User-Name = "host/win81-ops.in.testdomain", looking up realm NULL (2) suffix : No such realm "NULL" (2) [suffix] = noop (2) eap : EAP packet type response id 3 length 6 (2) eap : Continuing tunnel setup. (2) [eap] = ok (2) } # authorize = ok (2) Found Auth-Type = EAP (2) # Executing group from file /etc/freeradius/sites-enabled/default (2) authenticate { (2) eap : Expiring EAP session with state 0xaf7aab12ae79b29f (2) eap : Finished EAP session with state 0xaf7aab12ae79b29f (2) eap : Previous EAP request found for state 0xaf7aab12ae79b29f, released from the list (2) eap : Peer sent PEAP (25) (2) eap : EAP PEAP (25) (2) eap : Calling eap_peap to process EAP data (2) eap_peap : processing EAP-TLS (2) eap_peap : Received TLS ACK (2) eap_peap : Received TLS ACK (2) eap_peap : ACK handshake fragment handler (2) eap_peap : eaptls_verify returned 1 (2) eap_peap : eaptls_process returned 13 (2) eap_peap : FR_TLS_HANDLED (2) eap : New EAP session, adding 'State' attribute to reply 0xaf7aab12ad7eb29f (2) [eap] = handled (2) } # authenticate = handled Sending Access-Challenge Id 213 from 192.168.254.181:1812 to 172.17.6.253:32985 EAP-Message = 0x010403e8194068747470733a2f2f7777772e726170696473736c2e636f6d2f6c6567616c300d06092a864886f70d01010b05000382010100412ebe33348a8106947be103048d5e4157080515045c19a8462a51e4feeca012ee0dc94be9e68ac04f9f65e221ce68f9fbe8e8168bc96facb82798fc5b13ea06f1ffd6f2a1683b5b7724324583f81c1488b36ebb24dc5fc2869a56deca8df3d8280bd435a6a0da7538811583165a5472ac3083e17d572ee39b22330b526f78ee4cb3a6bddd5da72964d40dc24886262c496e902b113cec927570ad97c97b69139b6e7a3fd880364272157aa9d8d1282b47629eec34e7c9f7e7bcdc542844ef1ad4a5d0af52c5998f3eb7fc16750e053edfd5ec552c3605586e652059d7df62719839c9be47acc6da9bc55822c024b98fd93ea1f864785e73066c022efa89ed7f000429308204253082030da0030201020203023a77300d06092a864886f70d01010b05003042310b300906035504061302555331163014060355040a130d47656f547275737420496e632e311b30190603550403131247656f547275737420476c6f62616c204341301e170d3134303832393231333933325a170d3232303532303231333933325a3047310b300906035504061302555331163014060355040a130d47656f547275737420496e632e3120301e06035504031317526170696 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xaf7aab12ad7eb29f91f28722b6106031 (2) Finished request Waking up in 0.3 seconds. Received Access-Request Id 212 from 172.17.6.253:32985 to 192.168.254.181:1812 length 232 User-Name = 'host/win81-ops.in.testdomain' NAS-IP-Address = 172.17.6.253 NAS-Port = 0 NAS-Identifier = 'wirelesscontroller' NAS-Port-Type = Wireless-802.11 Calling-Station-Id = '5C514FFA8C73' Called-Station-Id = '000B869A9037' Service-Type = Framed-User Framed-MTU = 1100 EAP-Message = 0x020400061900 State = 0xaf7aab12ad7eb29f91f28722b6106031 Aruba-Essid-Name = 'bandit' Aruba-Location-Id = 'ap1' Aruba-AP-Group = 'syd' Aruba-Device-Type = 'Windows' Message-Authenticator = 0x318c68ac9fd3cec956e3ad0fe6630868 (3) # Executing section authorize from file /etc/freeradius/sites-enabled/default (3) authorize { (3) filter_username filter_username { (3) if (User-Name != "%{tolower:%{User-Name}}") (3) EXPAND %{tolower:%{User-Name}} (3) --> host/win81-ops.in.testdomain (3) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (3) if (User-Name =~ / /) (3) if (User-Name =~ / /) -> FALSE (3) if (User-Name =~ /@.*@/ ) (3) if (User-Name =~ /@.*@/ ) -> FALSE (3) if (User-Name =~ /\\.\\./ ) (3) if (User-Name =~ /\\.\\./ ) -> FALSE (3) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (3) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (3) if (User-Name =~ /\\.$/) (3) if (User-Name =~ /\\.$/) -> FALSE (3) if (User-Name =~ /@\\./) (3) if (User-Name =~ /@\\./) -> FALSE (3) } # filter_username filter_username = notfound (3) [preprocess] = ok (3) [chap] = noop (3) [mschap] = noop (3) [digest] = noop (3) suffix : No '@' in User-Name = "host/win81-ops.in.testdomain", looking up realm NULL (3) suffix : No such realm "NULL" (3) [suffix] = noop (3) eap : EAP packet type response id 4 length 6 (3) eap : Continuing tunnel setup. (3) [eap] = ok (3) } # authorize = ok (3) Found Auth-Type = EAP (3) # Executing group from file /etc/freeradius/sites-enabled/default (3) authenticate { (3) eap : Expiring EAP session with state 0xaf7aab12ad7eb29f (3) eap : Finished EAP session with state 0xaf7aab12ad7eb29f (3) eap : Previous EAP request found for state 0xaf7aab12ad7eb29f, released from the list (3) eap : Peer sent PEAP (25) (3) eap : EAP PEAP (25) (3) eap : Calling eap_peap to process EAP data (3) eap_peap : processing EAP-TLS (3) eap_peap : Received TLS ACK (3) eap_peap : Received TLS ACK (3) eap_peap : ACK handshake fragment handler (3) eap_peap : eaptls_verify returned 1 (3) eap_peap : eaptls_process returned 13 (3) eap_peap : FR_TLS_HANDLED (3) eap : New EAP session, adding 'State' attribute to reply 0xaf7aab12ac7fb29f (3) [eap] = handled (3) } # authenticate = handled Sending Access-Challenge Id 212 from 192.168.254.181:1812 to 172.17.6.253:32985 EAP-Message = 0x010503e819400105050730018612687474703a2f2f672e73796d63642e636f6d304c0603551d20044530433041060a6086480186f8450107363033303106082b060105050702011625687474703a2f2f7777772e67656f74727573742e636f6d2f7265736f75726365732f637073300d06092a864886f70d01010b05000382010100a3581ec64332acac2f9378b7eaae5440472d7e788d50f6f866acd64f73d644efaf0bcc5bc1f44f9a8f497e60afc227c716f1fb938190a97cef6f7e6e45941684bdec49f1c40ef4af045983870f2c3b97c35a129b7b04357ba39533087b93712242b3a9d96f4f8192fc07b679bc844a9d7709f1c589f2f0b49c54aa127b0dba4fef9319ecef7d4e61a38e769c59cf8c94b18497f71ab907b8b2c64f1379dbbf4f511b7f690d512ac1d615ff3751346551f41ebe386aec0eabbf3d7b39057bf4f3fb1aa1d0c87e4e648dcd8c615590fe3aca5d250ff81da34a74564f1a5540707525a6332eba4ba55d539a0d30e18d5f612cafccefb099a180ff0bf2624c7026980003813082037d308202e6a003020102020312bbe6300d06092a864886f70d0101050500304e310b30090603550406130255533110300e060355040a130745717569666178312d302b060355040b1324457175696661782053656375726520436572746966696361746520417574686f726974793 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xaf7aab12ac7fb29f91f28722b6106031 (3) Finished request Waking up in 0.3 seconds. Received Access-Request Id 215 from 172.17.6.253:32985 to 192.168.254.181:1812 length 232 User-Name = 'host/win81-ops.in.testdomain' NAS-IP-Address = 172.17.6.253 NAS-Port = 0 NAS-Identifier = 'wirelesscontroller' NAS-Port-Type = Wireless-802.11 Calling-Station-Id = '5C514FFA8C73' Called-Station-Id = '000B869A9037' Service-Type = Framed-User Framed-MTU = 1100 EAP-Message = 0x020500061900 State = 0xaf7aab12ac7fb29f91f28722b6106031 Aruba-Essid-Name = 'bandit' Aruba-Location-Id = 'ap1' Aruba-AP-Group = 'syd' Aruba-Device-Type = 'Windows' Message-Authenticator = 0xa1f200dd5a90136447ce1b37b4b067f6 (4) # Executing section authorize from file /etc/freeradius/sites-enabled/default (4) authorize { (4) filter_username filter_username { (4) if (User-Name != "%{tolower:%{User-Name}}") (4) EXPAND %{tolower:%{User-Name}} (4) --> host/win81-ops.in.testdomain (4) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (4) if (User-Name =~ / /) (4) if (User-Name =~ / /) -> FALSE (4) if (User-Name =~ /@.*@/ ) (4) if (User-Name =~ /@.*@/ ) -> FALSE (4) if (User-Name =~ /\\.\\./ ) (4) if (User-Name =~ /\\.\\./ ) -> FALSE (4) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (4) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (4) if (User-Name =~ /\\.$/) (4) if (User-Name =~ /\\.$/) -> FALSE (4) if (User-Name =~ /@\\./) (4) if (User-Name =~ /@\\./) -> FALSE (4) } # filter_username filter_username = notfound (4) [preprocess] = ok (4) [chap] = noop (4) [mschap] = noop (4) [digest] = noop (4) suffix : No '@' in User-Name = "host/win81-ops.in.testdomain", looking up realm NULL (4) suffix : No such realm "NULL" (4) [suffix] = noop (4) eap : EAP packet type response id 5 length 6 (4) eap : Continuing tunnel setup. (4) [eap] = ok (4) } # authorize = ok (4) Found Auth-Type = EAP (4) # Executing group from file /etc/freeradius/sites-enabled/default (4) authenticate { (4) eap : Expiring EAP session with state 0xaf7aab12ac7fb29f (4) eap : Finished EAP session with state 0xaf7aab12ac7fb29f (4) eap : Previous EAP request found for state 0xaf7aab12ac7fb29f, released from the list (4) eap : Peer sent PEAP (25) (4) eap : EAP PEAP (25) (4) eap : Calling eap_peap to process EAP data (4) eap_peap : processing EAP-TLS (4) eap_peap : Received TLS ACK (4) eap_peap : Received TLS ACK (4) eap_peap : ACK handshake fragment handler (4) eap_peap : eaptls_verify returned 1 (4) eap_peap : eaptls_process returned 13 (4) eap_peap : FR_TLS_HANDLED (4) eap : New EAP session, adding 'State' attribute to reply 0xaf7aab12ab7cb29f (4) [eap] = handled (4) } # authenticate = handled Sending Access-Challenge Id 215 from 192.168.254.181:1812 to 172.17.6.253:32985 EAP-Message = 0x0106027d19003a0603551d1f04333031302fa02da02b8629687474703a2f2f63726c2e67656f74727573742e636f6d2f63726c732f73656375726563612e63726c304e0603551d200447304530430604551d2000303b303906082b06010505070201162d68747470733a2f2f7777772e67656f74727573742e636f6d2f7265736f75726365732f7265706f7369746f7279300d06092a864886f70d01010505000381810076e1126e4e4b1612863006b28108cff008c7c7717e66eec2edd43b1ffff0f0c84ed64338b0b9307d18d05583a26acb36119ce84866a36d7fb813d447fe8b5a5c73fcaed91b321938ab973414aa96d2eba31c140849b6bbe591ef8336eb1d566fcadabc736390e47f7b3e22cb3d07ed5f38749ce303504ea1af98ee61f2843f12160301014b0c0001470300174104897a41b10d790abe7d33a7bae7191df884039b23026439f474763fa6cb936641097d6e73ce79a5d3ee3b2dfa1b6742cbcfb4d94a2af4c9fb6f756ba052b43beb01009562f546db63c6a53f98650f9c9d234c62b3baccfd8e26d7b9d6c78e6e3a07a30382f753afb96cb8ec266b728877907a1c97f6c7948f7e9fa2ef2b571fbeb92748fee46d52b20070b28559f1f20027269f02be9d63f5756b166ceaa06afa8c13fcd38c8a4133c0288c9ed1fa2aa55e92d8a3cf16fa192847ce5bbb08ab2fdad640d11 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xaf7aab12ab7cb29f91f28722b6106031 (4) Finished request Waking up in 0.3 seconds. Received Access-Request Id 216 from 172.17.6.253:32985 to 192.168.254.181:1812 length 370 User-Name = 'host/win81-ops.in.testdomain' NAS-IP-Address = 172.17.6.253 NAS-Port = 0 NAS-Identifier = 'wirelesscontroller' NAS-Port-Type = Wireless-802.11 Calling-Station-Id = '5C514FFA8C73' Called-Station-Id = '000B869A9037' Service-Type = Framed-User Framed-MTU = 1100 EAP-Message = 0x020600901980000000861603010046100000424104d85d873dea9326b04b69add1a56edb8644246c919b8f460725f22d19b7bfbf30fe22e7d993c960b2ffeebbd155bb316e63ba7796287a737a52d0367b3ab5eb5614030100010116030100306bf7326dd2963bc5094534034ea75caccf46011de517912c4d0c91d510ef3644496711ac075146320a47c686b17ee94c State = 0xaf7aab12ab7cb29f91f28722b6106031 Aruba-Essid-Name = 'bandit' Aruba-Location-Id = 'ap1' Aruba-AP-Group = 'syd' Aruba-Device-Type = 'Windows' Message-Authenticator = 0x3d5c9d2133066c4b3420ff366a49e175 (5) # Executing section authorize from file /etc/freeradius/sites-enabled/default (5) authorize { (5) filter_username filter_username { (5) if (User-Name != "%{tolower:%{User-Name}}") (5) EXPAND %{tolower:%{User-Name}} (5) --> host/win81-ops.in.testdomain (5) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (5) if (User-Name =~ / /) (5) if (User-Name =~ / /) -> FALSE (5) if (User-Name =~ /@.*@/ ) (5) if (User-Name =~ /@.*@/ ) -> FALSE (5) if (User-Name =~ /\\.\\./ ) (5) if (User-Name =~ /\\.\\./ ) -> FALSE (5) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (5) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (5) if (User-Name =~ /\\.$/) (5) if (User-Name =~ /\\.$/) -> FALSE (5) if (User-Name =~ /@\\./) (5) if (User-Name =~ /@\\./) -> FALSE (5) } # filter_username filter_username = notfound (5) [preprocess] = ok (5) [chap] = noop (5) [mschap] = noop (5) [digest] = noop (5) suffix : No '@' in User-Name = "host/win81-ops.in.testdomain", looking up realm NULL (5) suffix : No such realm "NULL" (5) [suffix] = noop (5) eap : EAP packet type response id 6 length 144 (5) eap : Continuing tunnel setup. (5) [eap] = ok (5) } # authorize = ok (5) Found Auth-Type = EAP (5) # Executing group from file /etc/freeradius/sites-enabled/default (5) authenticate { (5) eap : Expiring EAP session with state 0xaf7aab12ab7cb29f (5) eap : Finished EAP session with state 0xaf7aab12ab7cb29f (5) eap : Previous EAP request found for state 0xaf7aab12ab7cb29f, released from the list (5) eap : Peer sent PEAP (25) (5) eap : EAP PEAP (25) (5) eap : Calling eap_peap to process EAP data (5) eap_peap : processing EAP-TLS TLS Length 134 (5) eap_peap : Length Included (5) eap_peap : eaptls_verify returned 11 (5) eap_peap : <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange (5) eap_peap : TLS_accept: SSLv3 read client key exchange A (5) eap_peap : <<< TLS 1.0 ChangeCipherSpec [length 0001] (5) eap_peap : <<< TLS 1.0 Handshake [length 0010], Finished (5) eap_peap : TLS_accept: SSLv3 read finished A (5) eap_peap : >>> TLS 1.0 ChangeCipherSpec [length 0001] (5) eap_peap : TLS_accept: SSLv3 write change cipher spec A (5) eap_peap : >>> TLS 1.0 Handshake [length 0010], Finished (5) eap_peap : TLS_accept: SSLv3 write finished A (5) eap_peap : TLS_accept: SSLv3 flush data SSL: adding session 41db36e17b59817fcc7a5d510c0ab6febebd2f0dfc04701386f3dad95265c63d to cache (5) eap_peap : (other): SSL negotiation finished successfully SSL Connection Established (5) eap_peap : eaptls_process returned 13 (5) eap_peap : FR_TLS_HANDLED (5) eap : New EAP session, adding 'State' attribute to reply 0xaf7aab12aa7db29f (5) [eap] = handled (5) } # authenticate = handled Sending Access-Challenge Id 216 from 192.168.254.181:1812 to 172.17.6.253:32985 EAP-Message = 0x0107004119001403010001011603010030904c13f5aa90bc06c6a9e4a9a9fe076ac1facca994920e0028b62392ef0d62e3dffb6d45d1198e88cbe9b9ce70df1d39 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xaf7aab12aa7db29f91f28722b6106031 (5) Finished request Waking up in 0.2 seconds. Waking up in 4.6 seconds. Received Access-Request Id 218 from 172.17.6.253:32985 to 192.168.254.181:1812 length 232 User-Name = 'host/win81-ops.in.testdomain' NAS-IP-Address = 172.17.6.253 NAS-Port = 0 NAS-Identifier = 'wirelesscontroller' NAS-Port-Type = Wireless-802.11 Calling-Station-Id = '5C514FFA8C73' Called-Station-Id = '000B869A9037' Service-Type = Framed-User Framed-MTU = 1100 EAP-Message = 0x020700061900 State = 0xaf7aab12aa7db29f91f28722b6106031 Aruba-Essid-Name = 'bandit' Aruba-Location-Id = 'ap1' Aruba-AP-Group = 'syd' Aruba-Device-Type = 'Windows' Message-Authenticator = 0x870a84bb1fdef1e9e576bb097297dafc (6) # Executing section authorize from file /etc/freeradius/sites-enabled/default (6) authorize { (6) filter_username filter_username { (6) if (User-Name != "%{tolower:%{User-Name}}") (6) EXPAND %{tolower:%{User-Name}} (6) --> host/win81-ops.in.testdomain (6) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (6) if (User-Name =~ / /) (6) if (User-Name =~ / /) -> FALSE (6) if (User-Name =~ /@.*@/ ) (6) if (User-Name =~ /@.*@/ ) -> FALSE (6) if (User-Name =~ /\\.\\./ ) (6) if (User-Name =~ /\\.\\./ ) -> FALSE (6) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (6) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (6) if (User-Name =~ /\\.$/) (6) if (User-Name =~ /\\.$/) -> FALSE (6) if (User-Name =~ /@\\./) (6) if (User-Name =~ /@\\./) -> FALSE (6) } # filter_username filter_username = notfound (6) [preprocess] = ok (6) [chap] = noop (6) [mschap] = noop (6) [digest] = noop (6) suffix : No '@' in User-Name = "host/win81-ops.in.testdomain", looking up realm NULL (6) suffix : No such realm "NULL" (6) [suffix] = noop (6) eap : EAP packet type response id 7 length 6 (6) eap : Continuing tunnel setup. (6) [eap] = ok (6) } # authorize = ok (6) Found Auth-Type = EAP (6) # Executing group from file /etc/freeradius/sites-enabled/default (6) authenticate { (6) eap : Expiring EAP session with state 0xaf7aab12aa7db29f (6) eap : Finished EAP session with state 0xaf7aab12aa7db29f (6) eap : Previous EAP request found for state 0xaf7aab12aa7db29f, released from the list (6) eap : Peer sent PEAP (25) (6) eap : EAP PEAP (25) (6) eap : Calling eap_peap to process EAP data (6) eap_peap : processing EAP-TLS (6) eap_peap : Received TLS ACK (6) eap_peap : Received TLS ACK (6) eap_peap : ACK handshake is finished (6) eap_peap : eaptls_verify returned 3 (6) eap_peap : eaptls_process returned 3 (6) eap_peap : FR_TLS_SUCCESS (6) eap_peap : Session established. Decoding tunneled attributes. (6) eap_peap : Peap state TUNNEL ESTABLISHED (6) eap : New EAP session, adding 'State' attribute to reply 0xaf7aab12a972b29f (6) [eap] = handled (6) } # authenticate = handled Sending Access-Challenge Id 218 from 192.168.254.181:1812 to 172.17.6.253:32985 EAP-Message = 0x0108002b19001703010020f022350972cbaf550411b0a05e940de89489d54aaa26eea60fa42c528e37b598 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xaf7aab12a972b29f91f28722b6106031 (6) Finished request Waking up in 0.3 seconds. Received Access-Request Id 219 from 172.17.6.253:32985 to 192.168.254.181:1812 length 301 User-Name = 'host/win81-ops.in.testdomain' NAS-IP-Address = 172.17.6.253 NAS-Port = 0 NAS-Identifier = 'wirelesscontroller' NAS-Port-Type = Wireless-802.11 Calling-Station-Id = '5C514FFA8C73' Called-Station-Id = '000B869A9037' Service-Type = Framed-User Framed-MTU = 1100 EAP-Message = 0x0208004b190017030100401450d110896340dd1527e3b736b40db579761481d7c7bd8df6f8a8bafe346ae902d6eca6adb3ce318e7f8a82345ed565cb364dbaf6fea0c3ea2fe03f596781b8 State = 0xaf7aab12a972b29f91f28722b6106031 Aruba-Essid-Name = 'bandit' Aruba-Location-Id = 'ap1' Aruba-AP-Group = 'syd' Aruba-Device-Type = 'Windows' Message-Authenticator = 0x81748904e69029b5c562279f77a1fa9a (7) # Executing section authorize from file /etc/freeradius/sites-enabled/default (7) authorize { (7) filter_username filter_username { (7) if (User-Name != "%{tolower:%{User-Name}}") (7) EXPAND %{tolower:%{User-Name}} (7) --> host/win81-ops.in.testdomain (7) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (7) if (User-Name =~ / /) (7) if (User-Name =~ / /) -> FALSE (7) if (User-Name =~ /@.*@/ ) (7) if (User-Name =~ /@.*@/ ) -> FALSE (7) if (User-Name =~ /\\.\\./ ) (7) if (User-Name =~ /\\.\\./ ) -> FALSE (7) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (7) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (7) if (User-Name =~ /\\.$/) (7) if (User-Name =~ /\\.$/) -> FALSE (7) if (User-Name =~ /@\\./) (7) if (User-Name =~ /@\\./) -> FALSE (7) } # filter_username filter_username = notfound (7) [preprocess] = ok (7) [chap] = noop (7) [mschap] = noop (7) [digest] = noop (7) suffix : No '@' in User-Name = "host/win81-ops.in.testdomain", looking up realm NULL (7) suffix : No such realm "NULL" (7) [suffix] = noop (7) eap : EAP packet type response id 8 length 75 (7) eap : Continuing tunnel setup. (7) [eap] = ok (7) } # authorize = ok (7) Found Auth-Type = EAP (7) # Executing group from file /etc/freeradius/sites-enabled/default (7) authenticate { (7) eap : Expiring EAP session with state 0xaf7aab12a972b29f (7) eap : Finished EAP session with state 0xaf7aab12a972b29f (7) eap : Previous EAP request found for state 0xaf7aab12a972b29f, released from the list (7) eap : Peer sent PEAP (25) (7) eap : EAP PEAP (25) (7) eap : Calling eap_peap to process EAP data (7) eap_peap : processing EAP-TLS (7) eap_peap : eaptls_verify returned 7 (7) eap_peap : Done initial handshake (7) eap_peap : eaptls_process returned 7 (7) eap_peap : FR_TLS_OK (7) eap_peap : Session established. Decoding tunneled attributes. (7) eap_peap : Peap state WAITING FOR INNER IDENTITY (7) eap_peap : Identity - host/win81-ops.in.testdomain (7) eap_peap : Got inner identity 'host/win81-ops.in.testdomain' (7) eap_peap : Setting default EAP type for tunneled EAP session. (7) eap_peap : Got tunneled request EAP-Message = 0x0208002001686f73742f77696e38312d6f70732e696e2e667265736876696577 server default { (7) eap_peap : Setting User-Name to host/win81-ops.in.testdomain Sending tunneled request EAP-Message = 0x0208002001686f73742f77696e38312d6f70732e696e2e667265736876696577 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = 'host/win81-ops.in.testdomain' server inner-tunnel { (7) # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel (7) authorize { (7) [chap] = noop (7) [mschap] = noop (7) suffix : No '@' in User-Name = "host/win81-ops.in.testdomain", looking up realm NULL (7) suffix : No such realm "NULL" (7) [suffix] = noop (7) ntdomain : No '\' in User-Name = "host/win81-ops.in.testdomain", looking up realm NULL (7) ntdomain : No such realm "NULL" (7) [ntdomain] = noop (7) update control { (7) Proxy-To-Realm := 'LOCAL' (7) } # update control = noop (7) eap : EAP packet type response id 8 length 32 (7) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (7) [eap] = ok (7) } # authorize = ok (7) Found Auth-Type = EAP (7) # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel (7) authenticate { (7) eap : Peer sent Identity (1) (7) eap : Calling eap_mschapv2 to process EAP data (7) eap_mschapv2 : Issuing Challenge (7) eap : New EAP session, adding 'State' attribute to reply 0xdf4bb440df42ae97 (7) [eap] = handled (7) } # authenticate = handled } # server inner-tunnel (7) eap_peap : Got tunneled reply code 11 EAP-Message = 0x010900351a0109003010ec2d3f9c331be8cc8f308fb3e36354f7686f73742f77696e38312d6f70732e696e2e667265736876696577 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xdf4bb440df42ae976131f6adcea1c414 (7) eap_peap : Got tunneled reply RADIUS code 11 EAP-Message = 0x010900351a0109003010ec2d3f9c331be8cc8f308fb3e36354f7686f73742f77696e38312d6f70732e696e2e667265736876696577 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xdf4bb440df42ae976131f6adcea1c414 (7) eap_peap : Got tunneled Access-Challenge (7) eap : New EAP session, adding 'State' attribute to reply 0xaf7aab12a873b29f (7) [eap] = handled (7) } # authenticate = handled Sending Access-Challenge Id 219 from 192.168.254.181:1812 to 172.17.6.253:32985 EAP-Message = 0x0109005b1900170301005026e15c112b330ea70a897a62e1e776e56a8cfc3542db91a040be524e2ecd90127236545cd0d513ea877cdd23c887e844dd5fc775bd5cb9fc5aeb0e0d08ee6646e96621abff9801bf0b83f07219a91189 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xaf7aab12a873b29f91f28722b6106031 (7) Finished request Waking up in 0.3 seconds. Received Access-Request Id 217 from 172.17.6.253:32985 to 192.168.254.181:1812 length 349 User-Name = 'host/win81-ops.in.testdomain' NAS-IP-Address = 172.17.6.253 NAS-Port = 0 NAS-Identifier = 'wirelesscontroller' NAS-Port-Type = Wireless-802.11 Calling-Station-Id = '5C514FFA8C73' Called-Station-Id = '000B869A9037' Service-Type = Framed-User Framed-MTU = 1100 EAP-Message = 0x0209007b19001703010070c28751119ce4f468f4da5543f53dfa82dc9fb4ec3663880ebc4225065cf9de7314a32afc8093225d3fc12d012659cc234ee541504d9fde5d06fa80dfe83e331aa6527744476fd0f2aed8b4596f0efd388f1b20164aba971c8de1654bc68e9b63b89c741d4067a43f254bc083a03ea937 State = 0xaf7aab12a873b29f91f28722b6106031 Aruba-Essid-Name = 'bandit' Aruba-Location-Id = 'ap1' Aruba-AP-Group = 'syd' Aruba-Device-Type = 'Windows' Message-Authenticator = 0x60c7b813e29d7f613e573fca00dadb1f (8) # Executing section authorize from file /etc/freeradius/sites-enabled/default (8) authorize { (8) filter_username filter_username { (8) if (User-Name != "%{tolower:%{User-Name}}") (8) EXPAND %{tolower:%{User-Name}} (8) --> host/win81-ops.in.testdomain (8) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (8) if (User-Name =~ / /) (8) if (User-Name =~ / /) -> FALSE (8) if (User-Name =~ /@.*@/ ) (8) if (User-Name =~ /@.*@/ ) -> FALSE (8) if (User-Name =~ /\\.\\./ ) (8) if (User-Name =~ /\\.\\./ ) -> FALSE (8) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (8) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (8) if (User-Name =~ /\\.$/) (8) if (User-Name =~ /\\.$/) -> FALSE (8) if (User-Name =~ /@\\./) (8) if (User-Name =~ /@\\./) -> FALSE (8) } # filter_username filter_username = notfound (8) [preprocess] = ok (8) [chap] = noop (8) [mschap] = noop (8) [digest] = noop (8) suffix : No '@' in User-Name = "host/win81-ops.in.testdomain", looking up realm NULL (8) suffix : No such realm "NULL" (8) [suffix] = noop (8) eap : EAP packet type response id 9 length 123 (8) eap : Continuing tunnel setup. (8) [eap] = ok (8) } # authorize = ok (8) Found Auth-Type = EAP (8) # Executing group from file /etc/freeradius/sites-enabled/default (8) authenticate { (8) eap : Expiring EAP session with state 0xdf4bb440df42ae97 (8) eap : Finished EAP session with state 0xaf7aab12a873b29f (8) eap : Previous EAP request found for state 0xaf7aab12a873b29f, released from the list (8) eap : Peer sent PEAP (25) (8) eap : EAP PEAP (25) (8) eap : Calling eap_peap to process EAP data (8) eap_peap : processing EAP-TLS (8) eap_peap : eaptls_verify returned 7 (8) eap_peap : Done initial handshake (8) eap_peap : eaptls_process returned 7 (8) eap_peap : FR_TLS_OK (8) eap_peap : Session established. Decoding tunneled attributes. (8) eap_peap : Peap state phase2 (8) eap_peap : EAP type MSCHAPv2 (26) (8) eap_peap : Got tunneled request EAP-Message = 0x020900561a020900513145439c4e90869e9f6ceab1d1297c6d380000000000000000d0dd725641db826ddf168b4b2144c203e6d3280c10fec22900686f73742f77696e38312d6f70732e696e2e667265736876696577 server default { (8) eap_peap : Setting User-Name to host/win81-ops.in.testdomain Sending tunneled request EAP-Message = 0x020900561a020900513145439c4e90869e9f6ceab1d1297c6d380000000000000000d0dd725641db826ddf168b4b2144c203e6d3280c10fec22900686f73742f77696e38312d6f70732e696e2e667265736876696577 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = 'host/win81-ops.in.testdomain' State = 0xdf4bb440df42ae976131f6adcea1c414 server inner-tunnel { (8) # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel (8) authorize { (8) [chap] = noop (8) [mschap] = noop (8) suffix : No '@' in User-Name = "host/win81-ops.in.testdomain", looking up realm NULL (8) suffix : No such realm "NULL" (8) [suffix] = noop (8) ntdomain : No '\' in User-Name = "host/win81-ops.in.testdomain", looking up realm NULL (8) ntdomain : No such realm "NULL" (8) [ntdomain] = noop (8) update control { (8) Proxy-To-Realm := 'LOCAL' (8) } # update control = noop (8) eap : EAP packet type response id 9 length 86 (8) eap : No EAP Start, assuming it's an on-going EAP conversation (8) [eap] = updated (8) [files] = noop (8) [expiration] = noop (8) [logintime] = noop (8) [pap] = noop (8) } # authorize = updated (8) Found Auth-Type = EAP (8) # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel (8) authenticate { (8) eap : Expiring EAP session with state 0xdf4bb440df42ae97 (8) eap : Finished EAP session with state 0xdf4bb440df42ae97 (8) eap : Previous EAP request found for state 0xdf4bb440df42ae97, released from the list (8) eap : Peer sent MSCHAPv2 (26) (8) eap : EAP MSCHAPv2 (26) (8) eap : Calling eap_mschapv2 to process EAP data (8) eap_mschapv2 : # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel (8) eap_mschapv2 : Auth-Type MS-CHAP { (8) mschap : Creating challenge hash with username: host/win81-ops.in.testdomain (8) mschap : Client is using MS-CHAPv2 (8) mschap : Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-TESTDOMAIN} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00} (8) mschap : EXPAND --username=%{mschap:User-Name:-None} (8) mschap : --> --username=win81-ops$ (8) mschap : EXPAND --domain=%{%{mschap:NT-Domain}:-TESTDOMAIN} (8) mschap : --> --domain=in (8) mschap : Creating challenge hash with username: host/win81-ops.in.testdomain (8) mschap : EXPAND --challenge=%{mschap:Challenge:-00} (8) mschap : --> --challenge=4d7bb6f00f0d7a38 (8) mschap : EXPAND --nt-response=%{mschap:NT-Response:-00} (8) mschap : --> --nt-response=d0dd725641db826ddf168b4b2144c203e6d3280c10fec229 (8) ERROR: mschap : Program returned code (1) and output 'Logon failure (0xc000006d)' (8) mschap : External script failed. (8) ERROR: mschap : External script says: Logon failure (0xc000006d) (8) ERROR: mschap : MS-CHAP2-Response is incorrect (8) [mschap] = reject (8) } # Auth-Type MS-CHAP = reject (8) eap : Freeing handler (8) [eap] = reject (8) } # authenticate = reject (8) Failed to authenticate the user. (8) Login incorrect (mschap: Program returned code (1) and output 'Logon failure (0xc000006d)'): [host/win81-ops.in.testdomain] (from client ap1-38-wlsclt-00 port 0 via TLS tunnel) (8) Using Post-Auth-Type Reject (8) # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel (8) Post-Auth-Type REJECT { (8) attr_filter.access_reject : EXPAND %{User-Name} (8) attr_filter.access_reject : --> host/win81-ops.in.testdomain (8) attr_filter.access_reject : Matched entry DEFAULT at line 11 (8) [attr_filter.access_reject] = updated (8) } # Post-Auth-Type REJECT = updated } # server inner-tunnel (8) eap_peap : Got tunneled reply code 3 MS-CHAP-Error = '\tE=691 R=1' EAP-Message = 0x04090004 Message-Authenticator = 0x00000000000000000000000000000000 (8) eap_peap : Got tunneled reply RADIUS code 3 MS-CHAP-Error = '\tE=691 R=1' EAP-Message = 0x04090004 Message-Authenticator = 0x00000000000000000000000000000000 (8) eap_peap : Tunneled authentication was rejected. (8) eap_peap : FAILURE (8) eap : New EAP session, adding 'State' attribute to reply 0xaf7aab12a770b29f (8) [eap] = handled (8) } # authenticate = handled Sending Access-Challenge Id 217 from 192.168.254.181:1812 to 172.17.6.253:32985 EAP-Message = 0x010a002b190017030100200b738039b4f535481dff197a39ee81927b772fac96781dd6e727a46a1fce1378 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xaf7aab12a770b29f91f28722b6106031 (8) Finished request Waking up in 0.3 seconds. Received Access-Request Id 220 from 172.17.6.253:32985 to 192.168.254.181:1812 length 269 User-Name = 'host/win81-ops.in.testdomain' NAS-IP-Address = 172.17.6.253 NAS-Port = 0 NAS-Identifier = 'wirelesscontroller' NAS-Port-Type = Wireless-802.11 Calling-Station-Id = '5C514FFA8C73' Called-Station-Id = '000B869A9037' Service-Type = Framed-User Framed-MTU = 1100 EAP-Message = 0x020a002b19001703010020544957a4f102082595db7a5beab83a5e39c5618bc043779c4640f13519373571 State = 0xaf7aab12a770b29f91f28722b6106031 Aruba-Essid-Name = 'bandit' Aruba-Location-Id = 'ap1' Aruba-AP-Group = 'syd' Aruba-Device-Type = 'Windows' Message-Authenticator = 0x567dfee464244ff803f97a5369736c65 (9) # Executing section authorize from file /etc/freeradius/sites-enabled/default (9) authorize { (9) filter_username filter_username { (9) if (User-Name != "%{tolower:%{User-Name}}") (9) EXPAND %{tolower:%{User-Name}} (9) --> host/win81-ops.in.testdomain (9) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (9) if (User-Name =~ / /) (9) if (User-Name =~ / /) -> FALSE (9) if (User-Name =~ /@.*@/ ) (9) if (User-Name =~ /@.*@/ ) -> FALSE (9) if (User-Name =~ /\\.\\./ ) (9) if (User-Name =~ /\\.\\./ ) -> FALSE (9) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (9) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (9) if (User-Name =~ /\\.$/) (9) if (User-Name =~ /\\.$/) -> FALSE (9) if (User-Name =~ /@\\./) (9) if (User-Name =~ /@\\./) -> FALSE (9) } # filter_username filter_username = notfound (9) [preprocess] = ok (9) [chap] = noop (9) [mschap] = noop (9) [digest] = noop (9) suffix : No '@' in User-Name = "host/win81-ops.in.testdomain", looking up realm NULL (9) suffix : No such realm "NULL" (9) [suffix] = noop (9) eap : EAP packet type response id 10 length 43 (9) eap : Continuing tunnel setup. (9) [eap] = ok (9) } # authorize = ok (9) Found Auth-Type = EAP (9) # Executing group from file /etc/freeradius/sites-enabled/default (9) authenticate { (9) eap : Expiring EAP session with state 0xaf7aab12a770b29f (9) eap : Finished EAP session with state 0xaf7aab12a770b29f (9) eap : Previous EAP request found for state 0xaf7aab12a770b29f, released from the list (9) eap : Peer sent PEAP (25) (9) eap : EAP PEAP (25) (9) eap : Calling eap_peap to process EAP data (9) eap_peap : processing EAP-TLS (9) eap_peap : eaptls_verify returned 7 (9) eap_peap : Done initial handshake (9) eap_peap : eaptls_process returned 7 (9) eap_peap : FR_TLS_OK (9) eap_peap : Session established. Decoding tunneled attributes. (9) eap_peap : Peap state send tlv failure (9) eap_peap : Received EAP-TLV response. (9) eap_peap : The users session was previously rejected: returning reject (again.) (9) eap_peap : *** This means you need to read the PREVIOUS messages in the debug output (9) eap_peap : *** to find out the reason why the user was rejected. (9) eap_peap : *** Look for "reject" or "fail". Those earlier messages will tell you. (9) eap_peap : *** what went wrong, and how to fix the problem. SSL: Removing session 41db36e17b59817fcc7a5d510c0ab6febebd2f0dfc04701386f3dad95265c63d from the cache (9) ERROR: eap : Failed continuing EAP PEAP (25) session. EAP sub-module failed (9) eap : Failed in EAP select (9) [eap] = invalid (9) } # authenticate = invalid (9) Failed to authenticate the user. (9) Login incorrect (eap: Failed continuing EAP PEAP (25) session. EAP sub-module failed): [host/win81-ops.in.testdomain] (from client ap1-38-wlsclt-00 port 0 cli 5C514FFA8C73) (9) Using Post-Auth-Type Reject (9) # Executing group from file /etc/freeradius/sites-enabled/default (9) Post-Auth-Type REJECT { (9) attr_filter.access_reject : EXPAND %{User-Name} (9) attr_filter.access_reject : --> host/win81-ops.in.testdomain (9) attr_filter.access_reject : Matched entry DEFAULT at line 11 (9) [attr_filter.access_reject] = updated (9) eap : Reply already contained an EAP-Message, not inserting EAP-Failure (9) [eap] = noop (9) remove_reply_message_if_eap remove_reply_message_if_eap { (9) if (reply:EAP-Message && reply:Reply-Message) (9) if (reply:EAP-Message && reply:Reply-Message) -> FALSE (9) else else { (9) [noop] = noop (9) } # else else = noop (9) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop (9) } # Post-Auth-Type REJECT = updated (9) Delaying response for 1 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (9) Sending delayed response Sending Access-Reject Id 220 from 192.168.254.181:1812 to 172.17.6.253:32985 EAP-Message = 0x040a0004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 2.5 seconds. (0) Cleaning up request packet ID 211 with timestamp +5 (1) Cleaning up request packet ID 203 with timestamp +5 (2) Cleaning up request packet ID 213 with timestamp +5 (3) Cleaning up request packet ID 212 with timestamp +5 (4) Cleaning up request packet ID 215 with timestamp +5 (5) Cleaning up request packet ID 216 with timestamp +5 Waking up in 1.4 seconds. (6) Cleaning up request packet ID 218 with timestamp +7 (7) Cleaning up request packet ID 219 with timestamp +7 (8) Cleaning up request packet ID 217 with timestamp +7 (9) Cleaning up request packet ID 220 with timestamp +7 Ready to process requests. Received Access-Request Id 221 from 172.17.6.253:32985 to 192.168.254.181:1812 length 218 User-Name = 'TESTDOMAIN\\testuser' NAS-IP-Address = 172.17.6.253 NAS-Port = 0 NAS-Identifier = 'wirelesscontroller' NAS-Port-Type = Wireless-802.11 Calling-Station-Id = '5C514FFA8C73' Called-Station-Id = '000B869A9037' Service-Type = Framed-User Framed-MTU = 1100 EAP-Message = 0x02010015014652455348564945575c74796e616e79 Aruba-Essid-Name = 'bandit' Aruba-Location-Id = 'ap1' Aruba-AP-Group = 'syd' Aruba-Device-Type = 'Windows' Message-Authenticator = 0xdd9875a4f200bb105676cc44bbc1990a (10) # Executing section authorize from file /etc/freeradius/sites-enabled/default (10) authorize { (10) filter_username filter_username { (10) if (User-Name != "%{tolower:%{User-Name}}") (10) EXPAND %{tolower:%{User-Name}} (10) --> testdomain\\testuser (10) if (User-Name != "%{tolower:%{User-Name}}") -> TRUE (10) if (User-Name != "%{tolower:%{User-Name}}") { (10) [reject] = reject (10) } # if (User-Name != "%{tolower:%{User-Name}}") = reject (10) } # filter_username filter_username = reject (10) } # authorize = reject (10) Invalid user: [TESTDOMAIN\\testuser] (from client ap1-38-wlsclt-00 port 0 cli 5C514FFA8C73) (10) Using Post-Auth-Type Reject (10) # Executing group from file /etc/freeradius/sites-enabled/default (10) Post-Auth-Type REJECT { (10) attr_filter.access_reject : EXPAND %{User-Name} (10) attr_filter.access_reject : --> TESTDOMAIN\\testuser (10) attr_filter.access_reject : Matched entry DEFAULT at line 11 (10) [attr_filter.access_reject] = updated (10) eap : Request was previously rejected, inserting EAP-Failure (10) [eap] = updated (10) remove_reply_message_if_eap remove_reply_message_if_eap { (10) if (reply:EAP-Message && reply:Reply-Message) (10) if (reply:EAP-Message && reply:Reply-Message) -> FALSE (10) else else { (10) [noop] = noop (10) } # else else = noop (10) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop (10) } # Post-Auth-Type REJECT = updated (10) Delaying response for 1 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (10) Sending delayed response Sending Access-Reject Id 221 from 192.168.254.181:1812 to 172.17.6.253:32985 EAP-Message = 0x04010004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.9 seconds. (10) Cleaning up request packet ID 221 with timestamp +12 Ready to process requests.
(8) eap_mschapv2 : Auth-Type MS-CHAP { (8) mschap : Creating challenge hash with username: host/win81-ops.in.testdomain (8) mschap : Client is using MS-CHAPv2 (8) mschap : Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-TESTDOMAIN} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00} (8) mschap : EXPAND --username=%{mschap:User-Name:-None} (8) mschap : --> --username=win81-ops$ (8) mschap : EXPAND --domain=%{%{mschap:NT-Domain}:-TESTDOMAIN} (8) mschap : --> --domain=in (8) mschap : Creating challenge hash with username: host/win81-ops.in.testdomain (8) mschap : EXPAND --challenge=%{mschap:Challenge:-00} (8) mschap : --> --challenge=4d7bb6f00f0d7a38 (8) mschap : EXPAND --nt-response=%{mschap:NT-Response:-00} (8) mschap : --> --nt-response=d0dd725641db826ddf168b4b2144c203e6d3280c10fec229 (8) ERROR: mschap : Program returned code (1) and output 'Logon failure (0xc000006d)' (8) mschap : External script failed. (8) ERROR: mschap : External script says: Logon failure (0xc000006d) (8) ERROR: mschap : MS-CHAP2-Response is incorrect
What *should* the username be? "host/win81-ops.in.testdomain"? If so, your User-Name that's being passed to ntlm_auth is incorrect. You'll notice from the above output that mschap believes the username should be 'win81-ops', and the domain should be 'in'. I suspect that's wrong... :-) Stefan Paetow Moonshot Industry & Research Liaison Coordinator t: +44 (0)1235 822 125 gpg: 0x3FCE5142 xmpp: stefanp@jabber.dev.ja.net skype: stefan.paetow.janet Lumen House, Library Avenue, Harwell Oxford, Didcot, OX11 0SG jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. Jisc Collections and Janet Ltd. is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under Company No. number 2881024, VAT No. GB 197 0632 86. The registered office is: Lumen House, Library Avenue, Harwell, Didcot, Oxfordshire, OX11 0SG. T 01235 822200.
(8) eap_mschapv2 : Auth-Type MS-CHAP { (8) mschap : Creating challenge hash with username: host/win81-ops.in.testdomain (8) mschap : Client is using MS-CHAPv2 (8) mschap : Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-TESTDOMAIN} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00} (8) mschap : EXPAND --username=%{mschap:User-Name:-None} (8) mschap : --> --username=win81-ops$ (8) mschap : EXPAND --domain=%{%{mschap:NT-Domain}:-TESTDOMAIN} (8) mschap : --> --domain=in (8) mschap : Creating challenge hash with username: host/win81-ops.in.testdomain (8) mschap : EXPAND --challenge=%{mschap:Challenge:-00} (8) mschap : --> --challenge=4d7bb6f00f0d7a38 (8) mschap : EXPAND --nt-response=%{mschap:NT-Response:-00} (8) mschap : --> --nt-response=d0dd725641db826ddf168b4b2144c203e6d3280c10fec229 (8) ERROR: mschap : Program returned code (1) and output 'Logon failure (0xc000006d)' (8) mschap : External script failed. (8) ERROR: mschap : External script says: Logon failure (0xc000006d) (8) ERROR: mschap : MS-CHAP2-Response is incorrect
What *should* the username be? "host/win81-ops.in.testdomain"? If so, your User-Name that's being passed to ntlm_auth is incorrect.
You'll notice from the above output that mschap believes the username should be 'win81-ops', and the domain should be 'in'. I suspect that's wrong...
:-)
Stefan Paetow Moonshot Industry & Research Liaison Coordinator
Username = testuser Domain = testdomain FQDN = in.testdomain Computer name = win81-ops I believe that debug is of an attempted machine authentication, which would explain 'host/machine name' (ie host/win81-ops.in.testdomain). Cheers.
(8) mschap : EXPAND --domain=%{%{mschap:NT-Domain}:-TESTDOMAIN} (8) mschap : --> --domain=in [snip] Username = testuser Domain = testdomain [snip] I believe that debug is of an attempted machine authentication, which would explain 'host/machine name' (ie host/win81-ops.in.testdomain).
Ok, then see my quote above... mschap believes that your domain is 'in'. You might want to adjust the ntlm_auth command-line to hardcode the domain name in, or you can use unlang to set the NT-Domain attribute to 'testdomain'. :-) That should make it happ(y|ier). Additionally, Ben's posted a bunch of settings that might be useful in Windows. His dialogs are in German, although that should not really be an issue. Stefan Paetow Moonshot Industry & Research Liaison Coordinator t: +44 (0)1235 822 125 gpg: 0x3FCE5142 xmpp: stefanp@jabber.dev.ja.net skype: stefan.paetow.janet Lumen House, Library Avenue, Harwell Oxford, Didcot, OX11 0SG jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. Jisc Collections and Janet Ltd. is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under Company No. number 2881024, VAT No. GB 197 0632 86. The registered office is: Lumen House, Library Avenue, Harwell, Didcot, Oxfordshire, OX11 0SG. T 01235 822200.
On Mon, May 11, 2015 at 6:41 PM, Stefan Paetow <Stefan.Paetow@jisc.ac.uk> wrote:
(8) mschap : EXPAND --domain=%{%{mschap:NT-Domain}:-TESTDOMAIN} (8) mschap : --> --domain=in [snip] Username = testuser Domain = testdomain [snip] I believe that debug is of an attempted machine authentication, which would explain 'host/machine name' (ie host/win81-ops.in.testdomain).
Ok, then see my quote above... mschap believes that your domain is 'in'. You might want to adjust the ntlm_auth command-line to hardcode the domain name in, or you can use unlang to set the NT-Domain attribute to 'testdomain'. :-)
That should make it happ(y|ier).
Additionally, Ben's posted a bunch of settings that might be useful in Windows. His dialogs are in German, although that should not really be an issue.
Stefan Paetow Moonshot Industry & Research Liaison Coordinator
Awesome, manually setting the domain attribute to testdomain fixed machine authentication. My NTLM line now looks like: ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=testdomain --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" Thanks for the help.
Awesome, manually setting the domain attribute to testdomain fixed machine authentication. My NTLM line now looks like: ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=testdomain --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
You're welcome :-) Stefan Paetow Moonshot Industry & Research Liaison Coordinator t: +44 (0)1235 822 125 gpg: 0x3FCE5142 xmpp: stefanp@jabber.dev.ja.net skype: stefan.paetow.janet jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc¹s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. Jisc Collections and Janet Ltd. is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under Company No. number 2881024, VAT No. GB 197 0632 86. The registered office is: Lumen House, Library Avenue, Harwell, Didcot, Oxfordshire, OX11 0SG. T 01235 822200.
Your computer is in a domain, thus when using user authentication you get as User-Name TESTDOMAIN\\testuser instead of just testuser. If you want your computers to be in a domain I can't help you with configuring FR since I don't know how but I know that you could use huntgroups but it's not advised. But I can help you with configuring the windows clients. Since I'm using german language and the translations are weird I'll link to screenshots of the configuration windows. It's Windows 7 but it's identical to Windows 8. a) http://i.imgur.com/2ChblVs.png 1 enable checkbox 2 select PEAP 3 select if you want to keep the manually entered username and password saved 4 enable if you want to use this network connection in networks (or on ports) without required authentication 5 will lead to the next screenshot 6 leads to the last schreenshot (d) b) http://i.imgur.com/gbz2ZYf.png 1 disable if you don't have a certificate for your Radius server and skip 2,3,4 2 leave it empty 3 select the certificate of the CA that validated your certificate or is the Root of the certificate chain 4 enable if you don't want popups shown when you connect to a new (and yet unknown) server 5 select EAP-MSCHAP v2 6 enable this 7 disable if you don't have a NAP (Network Access Protection - a security feature of Windows Server 2008) 8 disable 9 enable if you want the client to send the correct username only in the TLS tunnel and send the one specified instead for unencrypted connections to the Radius server 10 leads to the next screenshot c) http://i.imgur.com/PSoBDwD.png disable if you want to use different username / password for 802.1x authentication and windows account d) http://i.imgur.com/VwKkIXa.png 1 enable 2 select user authentication 3 enable Single Sign-On if you are in a windows domain using an Active Directory for windows user authentication. 4 click to enter 802.1x authentication credentials right now so you don't get asked later when you first try to connect Signle Sign-On is a feature that only works in an Active Directory. Normally Windows logs the user in and then tries to authenticate with 802.1x which is stupid since you can't log into Active Directory without a working network connection. If you enable this and select "before user login" Windows now does 802.1x authentication and when established logs in the user. If you enable the "different VLAN" setting Windows will additionally update the DHCP lease after you logged in. 2015-05-11 9:18 GMT+02:00 Tynan Young <tynany@gmail.com>:
Hi,
I've searched high and low for answers/a solution on this and haven't had much luck, so I'm hoping someone on this list might be able to help.
I have a near default freeradius3 setup using NTLM to authenticate our PEAP MSCHAP wireless clients. Non-windows machines work fine (mac, phones etc), but I'm having difficulty getting Windows 7/8 authenticated using machine authentication or user authentication. Essentially I'm seeing the below error: Auth: Invalid user: [DOMAIN\\user] or Auth: Invalid user: [host\\MACHINE-NAME]
Successful authentications (from a mac) look like this: Auth: Login OK: [user]
Running "ntlm_auth --request-nt-key --username=domain\\user" returns NT_STATUS_OK
The only real configuration changes I've made are in the mschap mod, having tried both of the following:
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-TESTDOMAIN} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
Below is a debug of a windows 8 wireless client attempting to authenticate. First it tries machine authentication, then it tries user authentication.
Any help would be greatly appreciated.
Cheers
Ready to process requests. Received Access-Request Id 211 from 172.17.6.253:32985 to 192.168.254.181:1812 length 240 User-Name = 'host/win81-ops.in.testdomain' NAS-IP-Address = 172.17.6.253 NAS-Port = 0 NAS-Identifier = 'wirelesscontroller' NAS-Port-Type = Wireless-802.11 Calling-Station-Id = '5C514FFA8C73' Called-Station-Id = '000B869A9037' Service-Type = Framed-User Framed-MTU = 1100 EAP-Message = 0x0201002001686f73742f77696e38312d6f70732e696e2e667265736876696577 Aruba-Essid-Name = 'bandit' Aruba-Location-Id = 'ap1' Aruba-AP-Group = 'syd' Aruba-Device-Type = 'Windows' Message-Authenticator = 0xb1632e4c77e27f16f9cdd51c91aa5ee9 (0) # Executing section authorize from file /etc/freeradius/sites-enabled/default (0) authorize { (0) filter_username filter_username { (0) if (User-Name != "%{tolower:%{User-Name}}") (0) EXPAND %{tolower:%{User-Name}} (0) --> host/win81-ops.in.testdomain (0) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (0) if (User-Name =~ / /) (0) if (User-Name =~ / /) -> FALSE (0) if (User-Name =~ /@.*@/ ) (0) if (User-Name =~ /@.*@/ ) -> FALSE (0) if (User-Name =~ /\\.\\./ ) (0) if (User-Name =~ /\\.\\./ ) -> FALSE (0) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (0) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (0) if (User-Name =~ /\\.$/) (0) if (User-Name =~ /\\.$/) -> FALSE (0) if (User-Name =~ /@\\./) (0) if (User-Name =~ /@\\./) -> FALSE (0) } # filter_username filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix : No '@' in User-Name = "host/win81-ops.in.testdomain", looking up realm NULL (0) suffix : No such realm "NULL" (0) [suffix] = noop (0) eap : EAP packet type response id 1 length 32 (0) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = EAP (0) # Executing group from file /etc/freeradius/sites-enabled/default (0) authenticate { (0) eap : Peer sent Identity (1) (0) eap : Calling eap_peap to process EAP data (0) eap_peap : Flushing SSL sessions (of #0) (0) eap_peap : Initiate (0) eap_peap : Start returned 1 (0) eap : New EAP session, adding 'State' attribute to reply 0xaf7aab12af78b29f (0) [eap] = handled (0) } # authenticate = handled Sending Access-Challenge Id 211 from 192.168.254.181:1812 to 172.17.6.253:32985 EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xaf7aab12af78b29f91f28722b6106031 (0) Finished request Waking up in 0.3 seconds. Received Access-Request Id 203 from 172.17.6.253:32985 to 192.168.254.181:1812 length 344 User-Name = 'host/win81-ops.in.testdomain' NAS-IP-Address = 172.17.6.253 NAS-Port = 0 NAS-Identifier = 'wirelesscontroller' NAS-Port-Type = Wireless-802.11 Calling-Station-Id = '5C514FFA8C73' Called-Station-Id = '000B869A9037' Service-Type = Framed-User Framed-MTU = 1100 EAP-Message = 0x0202007619800000006c16030100670100006303015550523bf4af127e5fe0dfcfc8c5a896e7cfc31a2a7746ab87d162af997a04a5000018c014c0130035002fc00ac00900380032000a00130005000401000022ff01000100000500050100000000000a0006000400170018000b0002010000230000 State = 0xaf7aab12af78b29f91f28722b6106031 Aruba-Essid-Name = 'bandit' Aruba-Location-Id = 'ap1' Aruba-AP-Group = 'syd' Aruba-Device-Type = 'Windows' Message-Authenticator = 0xa9f4a8b97958f630a9984c92c0fcc7bd (1) # Executing section authorize from file /etc/freeradius/sites-enabled/default (1) authorize { (1) filter_username filter_username { (1) if (User-Name != "%{tolower:%{User-Name}}") (1) EXPAND %{tolower:%{User-Name}} (1) --> host/win81-ops.in.testdomain (1) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (1) if (User-Name =~ / /) (1) if (User-Name =~ / /) -> FALSE (1) if (User-Name =~ /@.*@/ ) (1) if (User-Name =~ /@.*@/ ) -> FALSE (1) if (User-Name =~ /\\.\\./ ) (1) if (User-Name =~ /\\.\\./ ) -> FALSE (1) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (1) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (1) if (User-Name =~ /\\.$/) (1) if (User-Name =~ /\\.$/) -> FALSE (1) if (User-Name =~ /@\\./) (1) if (User-Name =~ /@\\./) -> FALSE (1) } # filter_username filter_username = notfound (1) [preprocess] = ok (1) [chap] = noop (1) [mschap] = noop (1) [digest] = noop (1) suffix : No '@' in User-Name = "host/win81-ops.in.testdomain", looking up realm NULL (1) suffix : No such realm "NULL" (1) [suffix] = noop (1) eap : EAP packet type response id 2 length 118 (1) eap : Continuing tunnel setup. (1) [eap] = ok (1) } # authorize = ok (1) Found Auth-Type = EAP (1) # Executing group from file /etc/freeradius/sites-enabled/default (1) authenticate { (1) eap : Expiring EAP session with state 0xaf7aab12af78b29f (1) eap : Finished EAP session with state 0xaf7aab12af78b29f (1) eap : Previous EAP request found for state 0xaf7aab12af78b29f, released from the list (1) eap : Peer sent PEAP (25) (1) eap : EAP PEAP (25) (1) eap : Calling eap_peap to process EAP data (1) eap_peap : processing EAP-TLS TLS Length 108 (1) eap_peap : Length Included (1) eap_peap : eaptls_verify returned 11 (1) eap_peap : (other): before/accept initialization (1) eap_peap : TLS_accept: before/accept initialization (1) eap_peap : <<< TLS 1.0 Handshake [length 0067], ClientHello (1) eap_peap : TLS_accept: SSLv3 read client hello A (1) eap_peap : >>> TLS 1.0 Handshake [length 0059], ServerHello (1) eap_peap : TLS_accept: SSLv3 write server hello A (1) eap_peap : >>> TLS 1.0 Handshake [length 0c61], Certificate (1) eap_peap : TLS_accept: SSLv3 write certificate A (1) eap_peap : >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange (1) eap_peap : TLS_accept: SSLv3 write key exchange A (1) eap_peap : >>> TLS 1.0 Handshake [length 0004], ServerHelloDone (1) eap_peap : TLS_accept: SSLv3 write server done A (1) eap_peap : TLS_accept: SSLv3 flush data (1) eap_peap : TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode (1) eap_peap : eaptls_process returned 13 (1) eap_peap : FR_TLS_HANDLED (1) eap : New EAP session, adding 'State' attribute to reply 0xaf7aab12ae79b29f (1) [eap] = handled (1) } # authenticate = handled Sending Access-Challenge Id 203 from 192.168.254.181:1812 to 172.17.6.253:32985 EAP-Message = 0x010303ec19c000000e1d1603010059020000550301f9a84ded3c3d019330abd1de6d7ff97f916e4aa4140b0733d9c1a1686ec5ba212041db36e17b59817fcc7a5d510c0ab6febebd2f0dfc04701386f3dad95265c63dc01400000dff01000100000b0004030001021603010c610b000c5d000c5a0004a7308204a33082038ba00302010202030439a3300d06092a864886f70d01010b05003047310b300906035504061302555331163014060355040a130d47656f547275737420496e632e3120301e06035504031317526170696453534c20534841323536204341202d204733301e170d3135303530373033333932305a170d3136303530383233353131385a30819431133011060355040b130a475432333636383233393131302f060355040b1328536565207777772e726170696473736c2e636f6d2f7265736f75726365732f637073202863293135312f302d060355040b1326446f6d61696e20436f6e74726f6c2056616c696461746564202d20526170696453534c2852293119301706035504031310776966692e63616d706d6f6e2e6e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100c2b2d2c1ff3c2380d9d47968c4a76b101501d4b4d3efd5857da81b6610580c9021e898e1beb2f5ea06a98dfd06a3f04bfa7b68fc77481cc7b9eb5777938 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xaf7aab12ae79b29f91f28722b6106031 (1) Finished request Waking up in 0.3 seconds. Received Access-Request Id 213 from 172.17.6.253:32985 to 192.168.254.181:1812 length 232 User-Name = 'host/win81-ops.in.testdomain' NAS-IP-Address = 172.17.6.253 NAS-Port = 0 NAS-Identifier = 'wirelesscontroller' NAS-Port-Type = Wireless-802.11 Calling-Station-Id = '5C514FFA8C73' Called-Station-Id = '000B869A9037' Service-Type = Framed-User Framed-MTU = 1100 EAP-Message = 0x020300061900 State = 0xaf7aab12ae79b29f91f28722b6106031 Aruba-Essid-Name = 'bandit' Aruba-Location-Id = 'ap1' Aruba-AP-Group = 'syd' Aruba-Device-Type = 'Windows' Message-Authenticator = 0x78dd3eaf48cf6c7dbaa005633cb99020 (2) # Executing section authorize from file /etc/freeradius/sites-enabled/default (2) authorize { (2) filter_username filter_username { (2) if (User-Name != "%{tolower:%{User-Name}}") (2) EXPAND %{tolower:%{User-Name}} (2) --> host/win81-ops.in.testdomain (2) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (2) if (User-Name =~ / /) (2) if (User-Name =~ / /) -> FALSE (2) if (User-Name =~ /@.*@/ ) (2) if (User-Name =~ /@.*@/ ) -> FALSE (2) if (User-Name =~ /\\.\\./ ) (2) if (User-Name =~ /\\.\\./ ) -> FALSE (2) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (2) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (2) if (User-Name =~ /\\.$/) (2) if (User-Name =~ /\\.$/) -> FALSE (2) if (User-Name =~ /@\\./) (2) if (User-Name =~ /@\\./) -> FALSE (2) } # filter_username filter_username = notfound (2) [preprocess] = ok (2) [chap] = noop (2) [mschap] = noop (2) [digest] = noop (2) suffix : No '@' in User-Name = "host/win81-ops.in.testdomain", looking up realm NULL (2) suffix : No such realm "NULL" (2) [suffix] = noop (2) eap : EAP packet type response id 3 length 6 (2) eap : Continuing tunnel setup. (2) [eap] = ok (2) } # authorize = ok (2) Found Auth-Type = EAP (2) # Executing group from file /etc/freeradius/sites-enabled/default (2) authenticate { (2) eap : Expiring EAP session with state 0xaf7aab12ae79b29f (2) eap : Finished EAP session with state 0xaf7aab12ae79b29f (2) eap : Previous EAP request found for state 0xaf7aab12ae79b29f, released from the list (2) eap : Peer sent PEAP (25) (2) eap : EAP PEAP (25) (2) eap : Calling eap_peap to process EAP data (2) eap_peap : processing EAP-TLS (2) eap_peap : Received TLS ACK (2) eap_peap : Received TLS ACK (2) eap_peap : ACK handshake fragment handler (2) eap_peap : eaptls_verify returned 1 (2) eap_peap : eaptls_process returned 13 (2) eap_peap : FR_TLS_HANDLED (2) eap : New EAP session, adding 'State' attribute to reply 0xaf7aab12ad7eb29f (2) [eap] = handled (2) } # authenticate = handled Sending Access-Challenge Id 213 from 192.168.254.181:1812 to 172.17.6.253:32985 EAP-Message = 0x010403e8194068747470733a2f2f7777772e726170696473736c2e636f6d2f6c6567616c300d06092a864886f70d01010b05000382010100412ebe33348a8106947be103048d5e4157080515045c19a8462a51e4feeca012ee0dc94be9e68ac04f9f65e221ce68f9fbe8e8168bc96facb82798fc5b13ea06f1ffd6f2a1683b5b7724324583f81c1488b36ebb24dc5fc2869a56deca8df3d8280bd435a6a0da7538811583165a5472ac3083e17d572ee39b22330b526f78ee4cb3a6bddd5da72964d40dc24886262c496e902b113cec927570ad97c97b69139b6e7a3fd880364272157aa9d8d1282b47629eec34e7c9f7e7bcdc542844ef1ad4a5d0af52c5998f3eb7fc16750e053edfd5ec552c3605586e652059d7df62719839c9be47acc6da9bc55822c024b98fd93ea1f864785e73066c022efa89ed7f000429308204253082030da0030201020203023a77300d06092a864886f70d01010b05003042310b300906035504061302555331163014060355040a130d47656f547275737420496e632e311b30190603550403131247656f547275737420476c6f62616c204341301e170d3134303832393231333933325a170d3232303532303231333933325a3047310b300906035504061302555331163014060355040a130d47656f547275737420496e632e3120301e06035504031317526170696 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xaf7aab12ad7eb29f91f28722b6106031 (2) Finished request Waking up in 0.3 seconds. Received Access-Request Id 212 from 172.17.6.253:32985 to 192.168.254.181:1812 length 232 User-Name = 'host/win81-ops.in.testdomain' NAS-IP-Address = 172.17.6.253 NAS-Port = 0 NAS-Identifier = 'wirelesscontroller' NAS-Port-Type = Wireless-802.11 Calling-Station-Id = '5C514FFA8C73' Called-Station-Id = '000B869A9037' Service-Type = Framed-User Framed-MTU = 1100 EAP-Message = 0x020400061900 State = 0xaf7aab12ad7eb29f91f28722b6106031 Aruba-Essid-Name = 'bandit' Aruba-Location-Id = 'ap1' Aruba-AP-Group = 'syd' Aruba-Device-Type = 'Windows' Message-Authenticator = 0x318c68ac9fd3cec956e3ad0fe6630868 (3) # Executing section authorize from file /etc/freeradius/sites-enabled/default (3) authorize { (3) filter_username filter_username { (3) if (User-Name != "%{tolower:%{User-Name}}") (3) EXPAND %{tolower:%{User-Name}} (3) --> host/win81-ops.in.testdomain (3) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (3) if (User-Name =~ / /) (3) if (User-Name =~ / /) -> FALSE (3) if (User-Name =~ /@.*@/ ) (3) if (User-Name =~ /@.*@/ ) -> FALSE (3) if (User-Name =~ /\\.\\./ ) (3) if (User-Name =~ /\\.\\./ ) -> FALSE (3) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (3) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (3) if (User-Name =~ /\\.$/) (3) if (User-Name =~ /\\.$/) -> FALSE (3) if (User-Name =~ /@\\./) (3) if (User-Name =~ /@\\./) -> FALSE (3) } # filter_username filter_username = notfound (3) [preprocess] = ok (3) [chap] = noop (3) [mschap] = noop (3) [digest] = noop (3) suffix : No '@' in User-Name = "host/win81-ops.in.testdomain", looking up realm NULL (3) suffix : No such realm "NULL" (3) [suffix] = noop (3) eap : EAP packet type response id 4 length 6 (3) eap : Continuing tunnel setup. (3) [eap] = ok (3) } # authorize = ok (3) Found Auth-Type = EAP (3) # Executing group from file /etc/freeradius/sites-enabled/default (3) authenticate { (3) eap : Expiring EAP session with state 0xaf7aab12ad7eb29f (3) eap : Finished EAP session with state 0xaf7aab12ad7eb29f (3) eap : Previous EAP request found for state 0xaf7aab12ad7eb29f, released from the list (3) eap : Peer sent PEAP (25) (3) eap : EAP PEAP (25) (3) eap : Calling eap_peap to process EAP data (3) eap_peap : processing EAP-TLS (3) eap_peap : Received TLS ACK (3) eap_peap : Received TLS ACK (3) eap_peap : ACK handshake fragment handler (3) eap_peap : eaptls_verify returned 1 (3) eap_peap : eaptls_process returned 13 (3) eap_peap : FR_TLS_HANDLED (3) eap : New EAP session, adding 'State' attribute to reply 0xaf7aab12ac7fb29f (3) [eap] = handled (3) } # authenticate = handled Sending Access-Challenge Id 212 from 192.168.254.181:1812 to 172.17.6.253:32985 EAP-Message = 0x010503e819400105050730018612687474703a2f2f672e73796d63642e636f6d304c0603551d20044530433041060a6086480186f8450107363033303106082b060105050702011625687474703a2f2f7777772e67656f74727573742e636f6d2f7265736f75726365732f637073300d06092a864886f70d01010b05000382010100a3581ec64332acac2f9378b7eaae5440472d7e788d50f6f866acd64f73d644efaf0bcc5bc1f44f9a8f497e60afc227c716f1fb938190a97cef6f7e6e45941684bdec49f1c40ef4af045983870f2c3b97c35a129b7b04357ba39533087b93712242b3a9d96f4f8192fc07b679bc844a9d7709f1c589f2f0b49c54aa127b0dba4fef9319ecef7d4e61a38e769c59cf8c94b18497f71ab907b8b2c64f1379dbbf4f511b7f690d512ac1d615ff3751346551f41ebe386aec0eabbf3d7b39057bf4f3fb1aa1d0c87e4e648dcd8c615590fe3aca5d250ff81da34a74564f1a5540707525a6332eba4ba55d539a0d30e18d5f612cafccefb099a180ff0bf2624c7026980003813082037d308202e6a003020102020312bbe6300d06092a864886f70d0101050500304e310b30090603550406130255533110300e060355040a130745717569666178312d302b060355040b1324457175696661782053656375726520436572746966696361746520417574686f726974793 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xaf7aab12ac7fb29f91f28722b6106031 (3) Finished request Waking up in 0.3 seconds. Received Access-Request Id 215 from 172.17.6.253:32985 to 192.168.254.181:1812 length 232 User-Name = 'host/win81-ops.in.testdomain' NAS-IP-Address = 172.17.6.253 NAS-Port = 0 NAS-Identifier = 'wirelesscontroller' NAS-Port-Type = Wireless-802.11 Calling-Station-Id = '5C514FFA8C73' Called-Station-Id = '000B869A9037' Service-Type = Framed-User Framed-MTU = 1100 EAP-Message = 0x020500061900 State = 0xaf7aab12ac7fb29f91f28722b6106031 Aruba-Essid-Name = 'bandit' Aruba-Location-Id = 'ap1' Aruba-AP-Group = 'syd' Aruba-Device-Type = 'Windows' Message-Authenticator = 0xa1f200dd5a90136447ce1b37b4b067f6 (4) # Executing section authorize from file /etc/freeradius/sites-enabled/default (4) authorize { (4) filter_username filter_username { (4) if (User-Name != "%{tolower:%{User-Name}}") (4) EXPAND %{tolower:%{User-Name}} (4) --> host/win81-ops.in.testdomain (4) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (4) if (User-Name =~ / /) (4) if (User-Name =~ / /) -> FALSE (4) if (User-Name =~ /@.*@/ ) (4) if (User-Name =~ /@.*@/ ) -> FALSE (4) if (User-Name =~ /\\.\\./ ) (4) if (User-Name =~ /\\.\\./ ) -> FALSE (4) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (4) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (4) if (User-Name =~ /\\.$/) (4) if (User-Name =~ /\\.$/) -> FALSE (4) if (User-Name =~ /@\\./) (4) if (User-Name =~ /@\\./) -> FALSE (4) } # filter_username filter_username = notfound (4) [preprocess] = ok (4) [chap] = noop (4) [mschap] = noop (4) [digest] = noop (4) suffix : No '@' in User-Name = "host/win81-ops.in.testdomain", looking up realm NULL (4) suffix : No such realm "NULL" (4) [suffix] = noop (4) eap : EAP packet type response id 5 length 6 (4) eap : Continuing tunnel setup. (4) [eap] = ok (4) } # authorize = ok (4) Found Auth-Type = EAP (4) # Executing group from file /etc/freeradius/sites-enabled/default (4) authenticate { (4) eap : Expiring EAP session with state 0xaf7aab12ac7fb29f (4) eap : Finished EAP session with state 0xaf7aab12ac7fb29f (4) eap : Previous EAP request found for state 0xaf7aab12ac7fb29f, released from the list (4) eap : Peer sent PEAP (25) (4) eap : EAP PEAP (25) (4) eap : Calling eap_peap to process EAP data (4) eap_peap : processing EAP-TLS (4) eap_peap : Received TLS ACK (4) eap_peap : Received TLS ACK (4) eap_peap : ACK handshake fragment handler (4) eap_peap : eaptls_verify returned 1 (4) eap_peap : eaptls_process returned 13 (4) eap_peap : FR_TLS_HANDLED (4) eap : New EAP session, adding 'State' attribute to reply 0xaf7aab12ab7cb29f (4) [eap] = handled (4) } # authenticate = handled Sending Access-Challenge Id 215 from 192.168.254.181:1812 to 172.17.6.253:32985 EAP-Message = 0x0106027d19003a0603551d1f04333031302fa02da02b8629687474703a2f2f63726c2e67656f74727573742e636f6d2f63726c732f73656375726563612e63726c304e0603551d200447304530430604551d2000303b303906082b06010505070201162d68747470733a2f2f7777772e67656f74727573742e636f6d2f7265736f75726365732f7265706f7369746f7279300d06092a864886f70d01010505000381810076e1126e4e4b1612863006b28108cff008c7c7717e66eec2edd43b1ffff0f0c84ed64338b0b9307d18d05583a26acb36119ce84866a36d7fb813d447fe8b5a5c73fcaed91b321938ab973414aa96d2eba31c140849b6bbe591ef8336eb1d566fcadabc736390e47f7b3e22cb3d07ed5f38749ce303504ea1af98ee61f2843f12160301014b0c0001470300174104897a41b10d790abe7d33a7bae7191df884039b23026439f474763fa6cb936641097d6e73ce79a5d3ee3b2dfa1b6742cbcfb4d94a2af4c9fb6f756ba052b43beb01009562f546db63c6a53f98650f9c9d234c62b3baccfd8e26d7b9d6c78e6e3a07a30382f753afb96cb8ec266b728877907a1c97f6c7948f7e9fa2ef2b571fbeb92748fee46d52b20070b28559f1f20027269f02be9d63f5756b166ceaa06afa8c13fcd38c8a4133c0288c9ed1fa2aa55e92d8a3cf16fa192847ce5bbb08ab2fdad640d11 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xaf7aab12ab7cb29f91f28722b6106031 (4) Finished request Waking up in 0.3 seconds. Received Access-Request Id 216 from 172.17.6.253:32985 to 192.168.254.181:1812 length 370 User-Name = 'host/win81-ops.in.testdomain' NAS-IP-Address = 172.17.6.253 NAS-Port = 0 NAS-Identifier = 'wirelesscontroller' NAS-Port-Type = Wireless-802.11 Calling-Station-Id = '5C514FFA8C73' Called-Station-Id = '000B869A9037' Service-Type = Framed-User Framed-MTU = 1100 EAP-Message = 0x020600901980000000861603010046100000424104d85d873dea9326b04b69add1a56edb8644246c919b8f460725f22d19b7bfbf30fe22e7d993c960b2ffeebbd155bb316e63ba7796287a737a52d0367b3ab5eb5614030100010116030100306bf7326dd2963bc5094534034ea75caccf46011de517912c4d0c91d510ef3644496711ac075146320a47c686b17ee94c State = 0xaf7aab12ab7cb29f91f28722b6106031 Aruba-Essid-Name = 'bandit' Aruba-Location-Id = 'ap1' Aruba-AP-Group = 'syd' Aruba-Device-Type = 'Windows' Message-Authenticator = 0x3d5c9d2133066c4b3420ff366a49e175 (5) # Executing section authorize from file /etc/freeradius/sites-enabled/default (5) authorize { (5) filter_username filter_username { (5) if (User-Name != "%{tolower:%{User-Name}}") (5) EXPAND %{tolower:%{User-Name}} (5) --> host/win81-ops.in.testdomain (5) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (5) if (User-Name =~ / /) (5) if (User-Name =~ / /) -> FALSE (5) if (User-Name =~ /@.*@/ ) (5) if (User-Name =~ /@.*@/ ) -> FALSE (5) if (User-Name =~ /\\.\\./ ) (5) if (User-Name =~ /\\.\\./ ) -> FALSE (5) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (5) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (5) if (User-Name =~ /\\.$/) (5) if (User-Name =~ /\\.$/) -> FALSE (5) if (User-Name =~ /@\\./) (5) if (User-Name =~ /@\\./) -> FALSE (5) } # filter_username filter_username = notfound (5) [preprocess] = ok (5) [chap] = noop (5) [mschap] = noop (5) [digest] = noop (5) suffix : No '@' in User-Name = "host/win81-ops.in.testdomain", looking up realm NULL (5) suffix : No such realm "NULL" (5) [suffix] = noop (5) eap : EAP packet type response id 6 length 144 (5) eap : Continuing tunnel setup. (5) [eap] = ok (5) } # authorize = ok (5) Found Auth-Type = EAP (5) # Executing group from file /etc/freeradius/sites-enabled/default (5) authenticate { (5) eap : Expiring EAP session with state 0xaf7aab12ab7cb29f (5) eap : Finished EAP session with state 0xaf7aab12ab7cb29f (5) eap : Previous EAP request found for state 0xaf7aab12ab7cb29f, released from the list (5) eap : Peer sent PEAP (25) (5) eap : EAP PEAP (25) (5) eap : Calling eap_peap to process EAP data (5) eap_peap : processing EAP-TLS TLS Length 134 (5) eap_peap : Length Included (5) eap_peap : eaptls_verify returned 11 (5) eap_peap : <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange (5) eap_peap : TLS_accept: SSLv3 read client key exchange A (5) eap_peap : <<< TLS 1.0 ChangeCipherSpec [length 0001] (5) eap_peap : <<< TLS 1.0 Handshake [length 0010], Finished (5) eap_peap : TLS_accept: SSLv3 read finished A (5) eap_peap : >>> TLS 1.0 ChangeCipherSpec [length 0001] (5) eap_peap : TLS_accept: SSLv3 write change cipher spec A (5) eap_peap : >>> TLS 1.0 Handshake [length 0010], Finished (5) eap_peap : TLS_accept: SSLv3 write finished A (5) eap_peap : TLS_accept: SSLv3 flush data SSL: adding session 41db36e17b59817fcc7a5d510c0ab6febebd2f0dfc04701386f3dad95265c63d to cache (5) eap_peap : (other): SSL negotiation finished successfully SSL Connection Established (5) eap_peap : eaptls_process returned 13 (5) eap_peap : FR_TLS_HANDLED (5) eap : New EAP session, adding 'State' attribute to reply 0xaf7aab12aa7db29f (5) [eap] = handled (5) } # authenticate = handled Sending Access-Challenge Id 216 from 192.168.254.181:1812 to 172.17.6.253:32985 EAP-Message = 0x0107004119001403010001011603010030904c13f5aa90bc06c6a9e4a9a9fe076ac1facca994920e0028b62392ef0d62e3dffb6d45d1198e88cbe9b9ce70df1d39 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xaf7aab12aa7db29f91f28722b6106031 (5) Finished request Waking up in 0.2 seconds. Waking up in 4.6 seconds. Received Access-Request Id 218 from 172.17.6.253:32985 to 192.168.254.181:1812 length 232 User-Name = 'host/win81-ops.in.testdomain' NAS-IP-Address = 172.17.6.253 NAS-Port = 0 NAS-Identifier = 'wirelesscontroller' NAS-Port-Type = Wireless-802.11 Calling-Station-Id = '5C514FFA8C73' Called-Station-Id = '000B869A9037' Service-Type = Framed-User Framed-MTU = 1100 EAP-Message = 0x020700061900 State = 0xaf7aab12aa7db29f91f28722b6106031 Aruba-Essid-Name = 'bandit' Aruba-Location-Id = 'ap1' Aruba-AP-Group = 'syd' Aruba-Device-Type = 'Windows' Message-Authenticator = 0x870a84bb1fdef1e9e576bb097297dafc (6) # Executing section authorize from file /etc/freeradius/sites-enabled/default (6) authorize { (6) filter_username filter_username { (6) if (User-Name != "%{tolower:%{User-Name}}") (6) EXPAND %{tolower:%{User-Name}} (6) --> host/win81-ops.in.testdomain (6) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (6) if (User-Name =~ / /) (6) if (User-Name =~ / /) -> FALSE (6) if (User-Name =~ /@.*@/ ) (6) if (User-Name =~ /@.*@/ ) -> FALSE (6) if (User-Name =~ /\\.\\./ ) (6) if (User-Name =~ /\\.\\./ ) -> FALSE (6) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (6) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (6) if (User-Name =~ /\\.$/) (6) if (User-Name =~ /\\.$/) -> FALSE (6) if (User-Name =~ /@\\./) (6) if (User-Name =~ /@\\./) -> FALSE (6) } # filter_username filter_username = notfound (6) [preprocess] = ok (6) [chap] = noop (6) [mschap] = noop (6) [digest] = noop (6) suffix : No '@' in User-Name = "host/win81-ops.in.testdomain", looking up realm NULL (6) suffix : No such realm "NULL" (6) [suffix] = noop (6) eap : EAP packet type response id 7 length 6 (6) eap : Continuing tunnel setup. (6) [eap] = ok (6) } # authorize = ok (6) Found Auth-Type = EAP (6) # Executing group from file /etc/freeradius/sites-enabled/default (6) authenticate { (6) eap : Expiring EAP session with state 0xaf7aab12aa7db29f (6) eap : Finished EAP session with state 0xaf7aab12aa7db29f (6) eap : Previous EAP request found for state 0xaf7aab12aa7db29f, released from the list (6) eap : Peer sent PEAP (25) (6) eap : EAP PEAP (25) (6) eap : Calling eap_peap to process EAP data (6) eap_peap : processing EAP-TLS (6) eap_peap : Received TLS ACK (6) eap_peap : Received TLS ACK (6) eap_peap : ACK handshake is finished (6) eap_peap : eaptls_verify returned 3 (6) eap_peap : eaptls_process returned 3 (6) eap_peap : FR_TLS_SUCCESS (6) eap_peap : Session established. Decoding tunneled attributes. (6) eap_peap : Peap state TUNNEL ESTABLISHED (6) eap : New EAP session, adding 'State' attribute to reply 0xaf7aab12a972b29f (6) [eap] = handled (6) } # authenticate = handled Sending Access-Challenge Id 218 from 192.168.254.181:1812 to 172.17.6.253:32985 EAP-Message = 0x0108002b19001703010020f022350972cbaf550411b0a05e940de89489d54aaa26eea60fa42c528e37b598 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xaf7aab12a972b29f91f28722b6106031 (6) Finished request Waking up in 0.3 seconds. Received Access-Request Id 219 from 172.17.6.253:32985 to 192.168.254.181:1812 length 301 User-Name = 'host/win81-ops.in.testdomain' NAS-IP-Address = 172.17.6.253 NAS-Port = 0 NAS-Identifier = 'wirelesscontroller' NAS-Port-Type = Wireless-802.11 Calling-Station-Id = '5C514FFA8C73' Called-Station-Id = '000B869A9037' Service-Type = Framed-User Framed-MTU = 1100 EAP-Message = 0x0208004b190017030100401450d110896340dd1527e3b736b40db579761481d7c7bd8df6f8a8bafe346ae902d6eca6adb3ce318e7f8a82345ed565cb364dbaf6fea0c3ea2fe03f596781b8 State = 0xaf7aab12a972b29f91f28722b6106031 Aruba-Essid-Name = 'bandit' Aruba-Location-Id = 'ap1' Aruba-AP-Group = 'syd' Aruba-Device-Type = 'Windows' Message-Authenticator = 0x81748904e69029b5c562279f77a1fa9a (7) # Executing section authorize from file /etc/freeradius/sites-enabled/default (7) authorize { (7) filter_username filter_username { (7) if (User-Name != "%{tolower:%{User-Name}}") (7) EXPAND %{tolower:%{User-Name}} (7) --> host/win81-ops.in.testdomain (7) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (7) if (User-Name =~ / /) (7) if (User-Name =~ / /) -> FALSE (7) if (User-Name =~ /@.*@/ ) (7) if (User-Name =~ /@.*@/ ) -> FALSE (7) if (User-Name =~ /\\.\\./ ) (7) if (User-Name =~ /\\.\\./ ) -> FALSE (7) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (7) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (7) if (User-Name =~ /\\.$/) (7) if (User-Name =~ /\\.$/) -> FALSE (7) if (User-Name =~ /@\\./) (7) if (User-Name =~ /@\\./) -> FALSE (7) } # filter_username filter_username = notfound (7) [preprocess] = ok (7) [chap] = noop (7) [mschap] = noop (7) [digest] = noop (7) suffix : No '@' in User-Name = "host/win81-ops.in.testdomain", looking up realm NULL (7) suffix : No such realm "NULL" (7) [suffix] = noop (7) eap : EAP packet type response id 8 length 75 (7) eap : Continuing tunnel setup. (7) [eap] = ok (7) } # authorize = ok (7) Found Auth-Type = EAP (7) # Executing group from file /etc/freeradius/sites-enabled/default (7) authenticate { (7) eap : Expiring EAP session with state 0xaf7aab12a972b29f (7) eap : Finished EAP session with state 0xaf7aab12a972b29f (7) eap : Previous EAP request found for state 0xaf7aab12a972b29f, released from the list (7) eap : Peer sent PEAP (25) (7) eap : EAP PEAP (25) (7) eap : Calling eap_peap to process EAP data (7) eap_peap : processing EAP-TLS (7) eap_peap : eaptls_verify returned 7 (7) eap_peap : Done initial handshake (7) eap_peap : eaptls_process returned 7 (7) eap_peap : FR_TLS_OK (7) eap_peap : Session established. Decoding tunneled attributes. (7) eap_peap : Peap state WAITING FOR INNER IDENTITY (7) eap_peap : Identity - host/win81-ops.in.testdomain (7) eap_peap : Got inner identity 'host/win81-ops.in.testdomain' (7) eap_peap : Setting default EAP type for tunneled EAP session. (7) eap_peap : Got tunneled request EAP-Message = 0x0208002001686f73742f77696e38312d6f70732e696e2e667265736876696577 server default { (7) eap_peap : Setting User-Name to host/win81-ops.in.testdomain Sending tunneled request EAP-Message = 0x0208002001686f73742f77696e38312d6f70732e696e2e667265736876696577 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = 'host/win81-ops.in.testdomain' server inner-tunnel { (7) # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel (7) authorize { (7) [chap] = noop (7) [mschap] = noop (7) suffix : No '@' in User-Name = "host/win81-ops.in.testdomain", looking up realm NULL (7) suffix : No such realm "NULL" (7) [suffix] = noop (7) ntdomain : No '\' in User-Name = "host/win81-ops.in.testdomain", looking up realm NULL (7) ntdomain : No such realm "NULL" (7) [ntdomain] = noop (7) update control { (7) Proxy-To-Realm := 'LOCAL' (7) } # update control = noop (7) eap : EAP packet type response id 8 length 32 (7) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (7) [eap] = ok (7) } # authorize = ok (7) Found Auth-Type = EAP (7) # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel (7) authenticate { (7) eap : Peer sent Identity (1) (7) eap : Calling eap_mschapv2 to process EAP data (7) eap_mschapv2 : Issuing Challenge (7) eap : New EAP session, adding 'State' attribute to reply 0xdf4bb440df42ae97 (7) [eap] = handled (7) } # authenticate = handled } # server inner-tunnel (7) eap_peap : Got tunneled reply code 11 EAP-Message = 0x010900351a0109003010ec2d3f9c331be8cc8f308fb3e36354f7686f73742f77696e38312d6f70732e696e2e667265736876696577 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xdf4bb440df42ae976131f6adcea1c414 (7) eap_peap : Got tunneled reply RADIUS code 11 EAP-Message = 0x010900351a0109003010ec2d3f9c331be8cc8f308fb3e36354f7686f73742f77696e38312d6f70732e696e2e667265736876696577 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xdf4bb440df42ae976131f6adcea1c414 (7) eap_peap : Got tunneled Access-Challenge (7) eap : New EAP session, adding 'State' attribute to reply 0xaf7aab12a873b29f (7) [eap] = handled (7) } # authenticate = handled Sending Access-Challenge Id 219 from 192.168.254.181:1812 to 172.17.6.253:32985 EAP-Message = 0x0109005b1900170301005026e15c112b330ea70a897a62e1e776e56a8cfc3542db91a040be524e2ecd90127236545cd0d513ea877cdd23c887e844dd5fc775bd5cb9fc5aeb0e0d08ee6646e96621abff9801bf0b83f07219a91189 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xaf7aab12a873b29f91f28722b6106031 (7) Finished request Waking up in 0.3 seconds. Received Access-Request Id 217 from 172.17.6.253:32985 to 192.168.254.181:1812 length 349 User-Name = 'host/win81-ops.in.testdomain' NAS-IP-Address = 172.17.6.253 NAS-Port = 0 NAS-Identifier = 'wirelesscontroller' NAS-Port-Type = Wireless-802.11 Calling-Station-Id = '5C514FFA8C73' Called-Station-Id = '000B869A9037' Service-Type = Framed-User Framed-MTU = 1100 EAP-Message = 0x0209007b19001703010070c28751119ce4f468f4da5543f53dfa82dc9fb4ec3663880ebc4225065cf9de7314a32afc8093225d3fc12d012659cc234ee541504d9fde5d06fa80dfe83e331aa6527744476fd0f2aed8b4596f0efd388f1b20164aba971c8de1654bc68e9b63b89c741d4067a43f254bc083a03ea937 State = 0xaf7aab12a873b29f91f28722b6106031 Aruba-Essid-Name = 'bandit' Aruba-Location-Id = 'ap1' Aruba-AP-Group = 'syd' Aruba-Device-Type = 'Windows' Message-Authenticator = 0x60c7b813e29d7f613e573fca00dadb1f (8) # Executing section authorize from file /etc/freeradius/sites-enabled/default (8) authorize { (8) filter_username filter_username { (8) if (User-Name != "%{tolower:%{User-Name}}") (8) EXPAND %{tolower:%{User-Name}} (8) --> host/win81-ops.in.testdomain (8) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (8) if (User-Name =~ / /) (8) if (User-Name =~ / /) -> FALSE (8) if (User-Name =~ /@.*@/ ) (8) if (User-Name =~ /@.*@/ ) -> FALSE (8) if (User-Name =~ /\\.\\./ ) (8) if (User-Name =~ /\\.\\./ ) -> FALSE (8) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (8) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (8) if (User-Name =~ /\\.$/) (8) if (User-Name =~ /\\.$/) -> FALSE (8) if (User-Name =~ /@\\./) (8) if (User-Name =~ /@\\./) -> FALSE (8) } # filter_username filter_username = notfound (8) [preprocess] = ok (8) [chap] = noop (8) [mschap] = noop (8) [digest] = noop (8) suffix : No '@' in User-Name = "host/win81-ops.in.testdomain", looking up realm NULL (8) suffix : No such realm "NULL" (8) [suffix] = noop (8) eap : EAP packet type response id 9 length 123 (8) eap : Continuing tunnel setup. (8) [eap] = ok (8) } # authorize = ok (8) Found Auth-Type = EAP (8) # Executing group from file /etc/freeradius/sites-enabled/default (8) authenticate { (8) eap : Expiring EAP session with state 0xdf4bb440df42ae97 (8) eap : Finished EAP session with state 0xaf7aab12a873b29f (8) eap : Previous EAP request found for state 0xaf7aab12a873b29f, released from the list (8) eap : Peer sent PEAP (25) (8) eap : EAP PEAP (25) (8) eap : Calling eap_peap to process EAP data (8) eap_peap : processing EAP-TLS (8) eap_peap : eaptls_verify returned 7 (8) eap_peap : Done initial handshake (8) eap_peap : eaptls_process returned 7 (8) eap_peap : FR_TLS_OK (8) eap_peap : Session established. Decoding tunneled attributes. (8) eap_peap : Peap state phase2 (8) eap_peap : EAP type MSCHAPv2 (26) (8) eap_peap : Got tunneled request EAP-Message = 0x020900561a020900513145439c4e90869e9f6ceab1d1297c6d380000000000000000d0dd725641db826ddf168b4b2144c203e6d3280c10fec22900686f73742f77696e38312d6f70732e696e2e667265736876696577 server default { (8) eap_peap : Setting User-Name to host/win81-ops.in.testdomain Sending tunneled request EAP-Message = 0x020900561a020900513145439c4e90869e9f6ceab1d1297c6d380000000000000000d0dd725641db826ddf168b4b2144c203e6d3280c10fec22900686f73742f77696e38312d6f70732e696e2e667265736876696577 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = 'host/win81-ops.in.testdomain' State = 0xdf4bb440df42ae976131f6adcea1c414 server inner-tunnel { (8) # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel (8) authorize { (8) [chap] = noop (8) [mschap] = noop (8) suffix : No '@' in User-Name = "host/win81-ops.in.testdomain", looking up realm NULL (8) suffix : No such realm "NULL" (8) [suffix] = noop (8) ntdomain : No '\' in User-Name = "host/win81-ops.in.testdomain", looking up realm NULL (8) ntdomain : No such realm "NULL" (8) [ntdomain] = noop (8) update control { (8) Proxy-To-Realm := 'LOCAL' (8) } # update control = noop (8) eap : EAP packet type response id 9 length 86 (8) eap : No EAP Start, assuming it's an on-going EAP conversation (8) [eap] = updated (8) [files] = noop (8) [expiration] = noop (8) [logintime] = noop (8) [pap] = noop (8) } # authorize = updated (8) Found Auth-Type = EAP (8) # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel (8) authenticate { (8) eap : Expiring EAP session with state 0xdf4bb440df42ae97 (8) eap : Finished EAP session with state 0xdf4bb440df42ae97 (8) eap : Previous EAP request found for state 0xdf4bb440df42ae97, released from the list (8) eap : Peer sent MSCHAPv2 (26) (8) eap : EAP MSCHAPv2 (26) (8) eap : Calling eap_mschapv2 to process EAP data (8) eap_mschapv2 : # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel (8) eap_mschapv2 : Auth-Type MS-CHAP { (8) mschap : Creating challenge hash with username: host/win81-ops.in.testdomain (8) mschap : Client is using MS-CHAPv2 (8) mschap : Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-TESTDOMAIN} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00} (8) mschap : EXPAND --username=%{mschap:User-Name:-None} (8) mschap : --> --username=win81-ops$ (8) mschap : EXPAND --domain=%{%{mschap:NT-Domain}:-TESTDOMAIN} (8) mschap : --> --domain=in (8) mschap : Creating challenge hash with username: host/win81-ops.in.testdomain (8) mschap : EXPAND --challenge=%{mschap:Challenge:-00} (8) mschap : --> --challenge=4d7bb6f00f0d7a38 (8) mschap : EXPAND --nt-response=%{mschap:NT-Response:-00} (8) mschap : --> --nt-response=d0dd725641db826ddf168b4b2144c203e6d3280c10fec229 (8) ERROR: mschap : Program returned code (1) and output 'Logon failure (0xc000006d)' (8) mschap : External script failed. (8) ERROR: mschap : External script says: Logon failure (0xc000006d) (8) ERROR: mschap : MS-CHAP2-Response is incorrect (8) [mschap] = reject (8) } # Auth-Type MS-CHAP = reject (8) eap : Freeing handler (8) [eap] = reject (8) } # authenticate = reject (8) Failed to authenticate the user. (8) Login incorrect (mschap: Program returned code (1) and output 'Logon failure (0xc000006d)'): [host/win81-ops.in.testdomain] (from client ap1-38-wlsclt-00 port 0 via TLS tunnel) (8) Using Post-Auth-Type Reject (8) # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel (8) Post-Auth-Type REJECT { (8) attr_filter.access_reject : EXPAND %{User-Name} (8) attr_filter.access_reject : --> host/win81-ops.in.testdomain (8) attr_filter.access_reject : Matched entry DEFAULT at line 11 (8) [attr_filter.access_reject] = updated (8) } # Post-Auth-Type REJECT = updated } # server inner-tunnel (8) eap_peap : Got tunneled reply code 3 MS-CHAP-Error = '\tE=691 R=1' EAP-Message = 0x04090004 Message-Authenticator = 0x00000000000000000000000000000000 (8) eap_peap : Got tunneled reply RADIUS code 3 MS-CHAP-Error = '\tE=691 R=1' EAP-Message = 0x04090004 Message-Authenticator = 0x00000000000000000000000000000000 (8) eap_peap : Tunneled authentication was rejected. (8) eap_peap : FAILURE (8) eap : New EAP session, adding 'State' attribute to reply 0xaf7aab12a770b29f (8) [eap] = handled (8) } # authenticate = handled Sending Access-Challenge Id 217 from 192.168.254.181:1812 to 172.17.6.253:32985 EAP-Message = 0x010a002b190017030100200b738039b4f535481dff197a39ee81927b772fac96781dd6e727a46a1fce1378 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xaf7aab12a770b29f91f28722b6106031 (8) Finished request Waking up in 0.3 seconds. Received Access-Request Id 220 from 172.17.6.253:32985 to 192.168.254.181:1812 length 269 User-Name = 'host/win81-ops.in.testdomain' NAS-IP-Address = 172.17.6.253 NAS-Port = 0 NAS-Identifier = 'wirelesscontroller' NAS-Port-Type = Wireless-802.11 Calling-Station-Id = '5C514FFA8C73' Called-Station-Id = '000B869A9037' Service-Type = Framed-User Framed-MTU = 1100 EAP-Message = 0x020a002b19001703010020544957a4f102082595db7a5beab83a5e39c5618bc043779c4640f13519373571 State = 0xaf7aab12a770b29f91f28722b6106031 Aruba-Essid-Name = 'bandit' Aruba-Location-Id = 'ap1' Aruba-AP-Group = 'syd' Aruba-Device-Type = 'Windows' Message-Authenticator = 0x567dfee464244ff803f97a5369736c65 (9) # Executing section authorize from file /etc/freeradius/sites-enabled/default (9) authorize { (9) filter_username filter_username { (9) if (User-Name != "%{tolower:%{User-Name}}") (9) EXPAND %{tolower:%{User-Name}} (9) --> host/win81-ops.in.testdomain (9) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (9) if (User-Name =~ / /) (9) if (User-Name =~ / /) -> FALSE (9) if (User-Name =~ /@.*@/ ) (9) if (User-Name =~ /@.*@/ ) -> FALSE (9) if (User-Name =~ /\\.\\./ ) (9) if (User-Name =~ /\\.\\./ ) -> FALSE (9) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (9) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (9) if (User-Name =~ /\\.$/) (9) if (User-Name =~ /\\.$/) -> FALSE (9) if (User-Name =~ /@\\./) (9) if (User-Name =~ /@\\./) -> FALSE (9) } # filter_username filter_username = notfound (9) [preprocess] = ok (9) [chap] = noop (9) [mschap] = noop (9) [digest] = noop (9) suffix : No '@' in User-Name = "host/win81-ops.in.testdomain", looking up realm NULL (9) suffix : No such realm "NULL" (9) [suffix] = noop (9) eap : EAP packet type response id 10 length 43 (9) eap : Continuing tunnel setup. (9) [eap] = ok (9) } # authorize = ok (9) Found Auth-Type = EAP (9) # Executing group from file /etc/freeradius/sites-enabled/default (9) authenticate { (9) eap : Expiring EAP session with state 0xaf7aab12a770b29f (9) eap : Finished EAP session with state 0xaf7aab12a770b29f (9) eap : Previous EAP request found for state 0xaf7aab12a770b29f, released from the list (9) eap : Peer sent PEAP (25) (9) eap : EAP PEAP (25) (9) eap : Calling eap_peap to process EAP data (9) eap_peap : processing EAP-TLS (9) eap_peap : eaptls_verify returned 7 (9) eap_peap : Done initial handshake (9) eap_peap : eaptls_process returned 7 (9) eap_peap : FR_TLS_OK (9) eap_peap : Session established. Decoding tunneled attributes. (9) eap_peap : Peap state send tlv failure (9) eap_peap : Received EAP-TLV response. (9) eap_peap : The users session was previously rejected: returning reject (again.) (9) eap_peap : *** This means you need to read the PREVIOUS messages in the debug output (9) eap_peap : *** to find out the reason why the user was rejected. (9) eap_peap : *** Look for "reject" or "fail". Those earlier messages will tell you. (9) eap_peap : *** what went wrong, and how to fix the problem. SSL: Removing session 41db36e17b59817fcc7a5d510c0ab6febebd2f0dfc04701386f3dad95265c63d from the cache (9) ERROR: eap : Failed continuing EAP PEAP (25) session. EAP sub-module failed (9) eap : Failed in EAP select (9) [eap] = invalid (9) } # authenticate = invalid (9) Failed to authenticate the user. (9) Login incorrect (eap: Failed continuing EAP PEAP (25) session. EAP sub-module failed): [host/win81-ops.in.testdomain] (from client ap1-38-wlsclt-00 port 0 cli 5C514FFA8C73) (9) Using Post-Auth-Type Reject (9) # Executing group from file /etc/freeradius/sites-enabled/default (9) Post-Auth-Type REJECT { (9) attr_filter.access_reject : EXPAND %{User-Name} (9) attr_filter.access_reject : --> host/win81-ops.in.testdomain (9) attr_filter.access_reject : Matched entry DEFAULT at line 11 (9) [attr_filter.access_reject] = updated (9) eap : Reply already contained an EAP-Message, not inserting EAP-Failure (9) [eap] = noop (9) remove_reply_message_if_eap remove_reply_message_if_eap { (9) if (reply:EAP-Message && reply:Reply-Message) (9) if (reply:EAP-Message && reply:Reply-Message) -> FALSE (9) else else { (9) [noop] = noop (9) } # else else = noop (9) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop (9) } # Post-Auth-Type REJECT = updated (9) Delaying response for 1 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (9) Sending delayed response Sending Access-Reject Id 220 from 192.168.254.181:1812 to 172.17.6.253:32985 EAP-Message = 0x040a0004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 2.5 seconds. (0) Cleaning up request packet ID 211 with timestamp +5 (1) Cleaning up request packet ID 203 with timestamp +5 (2) Cleaning up request packet ID 213 with timestamp +5 (3) Cleaning up request packet ID 212 with timestamp +5 (4) Cleaning up request packet ID 215 with timestamp +5 (5) Cleaning up request packet ID 216 with timestamp +5 Waking up in 1.4 seconds. (6) Cleaning up request packet ID 218 with timestamp +7 (7) Cleaning up request packet ID 219 with timestamp +7 (8) Cleaning up request packet ID 217 with timestamp +7 (9) Cleaning up request packet ID 220 with timestamp +7 Ready to process requests. Received Access-Request Id 221 from 172.17.6.253:32985 to 192.168.254.181:1812 length 218 User-Name = 'TESTDOMAIN\\testuser' NAS-IP-Address = 172.17.6.253 NAS-Port = 0 NAS-Identifier = 'wirelesscontroller' NAS-Port-Type = Wireless-802.11 Calling-Station-Id = '5C514FFA8C73' Called-Station-Id = '000B869A9037' Service-Type = Framed-User Framed-MTU = 1100 EAP-Message = 0x02010015014652455348564945575c74796e616e79 Aruba-Essid-Name = 'bandit' Aruba-Location-Id = 'ap1' Aruba-AP-Group = 'syd' Aruba-Device-Type = 'Windows' Message-Authenticator = 0xdd9875a4f200bb105676cc44bbc1990a (10) # Executing section authorize from file /etc/freeradius/sites-enabled/default (10) authorize { (10) filter_username filter_username { (10) if (User-Name != "%{tolower:%{User-Name}}") (10) EXPAND %{tolower:%{User-Name}} (10) --> testdomain\\testuser (10) if (User-Name != "%{tolower:%{User-Name}}") -> TRUE (10) if (User-Name != "%{tolower:%{User-Name}}") { (10) [reject] = reject (10) } # if (User-Name != "%{tolower:%{User-Name}}") = reject (10) } # filter_username filter_username = reject (10) } # authorize = reject (10) Invalid user: [TESTDOMAIN\\testuser] (from client ap1-38-wlsclt-00 port 0 cli 5C514FFA8C73) (10) Using Post-Auth-Type Reject (10) # Executing group from file /etc/freeradius/sites-enabled/default (10) Post-Auth-Type REJECT { (10) attr_filter.access_reject : EXPAND %{User-Name} (10) attr_filter.access_reject : --> TESTDOMAIN\\testuser (10) attr_filter.access_reject : Matched entry DEFAULT at line 11 (10) [attr_filter.access_reject] = updated (10) eap : Request was previously rejected, inserting EAP-Failure (10) [eap] = updated (10) remove_reply_message_if_eap remove_reply_message_if_eap { (10) if (reply:EAP-Message && reply:Reply-Message) (10) if (reply:EAP-Message && reply:Reply-Message) -> FALSE (10) else else { (10) [noop] = noop (10) } # else else = noop (10) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop (10) } # Post-Auth-Type REJECT = updated (10) Delaying response for 1 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (10) Sending delayed response Sending Access-Reject Id 221 from 192.168.254.181:1812 to 172.17.6.253:32985 EAP-Message = 0x04010004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.9 seconds. (10) Cleaning up request packet ID 221 with timestamp +12 Ready to process requests.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Mon, May 11, 2015 at 05:18:06PM +1000, Tynan Young wrote:
I have a near default freeradius3 setup using NTLM to authenticate our PEAP MSCHAP wireless clients. Non-windows machines work fine (mac, phones etc), but I'm having difficulty getting Windows 7/8 authenticated using machine authentication or user authentication.
...
Received Access-Request Id 221 from 172.17.6.253:32985 to 192.168.254.181:1812 length 218 User-Name = 'TESTDOMAIN\\testuser' NAS-IP-Address = 172.17.6.253 ... (10) authorize { (10) filter_username filter_username { (10) if (User-Name != "%{tolower:%{User-Name}}") (10) EXPAND %{tolower:%{User-Name}} (10) --> testdomain\\testuser (10) if (User-Name != "%{tolower:%{User-Name}}") -> TRUE (10) if (User-Name != "%{tolower:%{User-Name}}") { (10) [reject] = reject (10) } # if (User-Name != "%{tolower:%{User-Name}}") = reject (10) } # filter_username filter_username = reject (10) } # authorize = reject (10) Invalid user: [TESTDOMAIN\\testuser] (from client ap1-38-wlsclt-00 port 0 cli 5C514FFA8C73)
This. Look at raddb/policy.d/filter, and ensure the unlang in "filter_username" that is to reject mixed-case usernames is commented out. Or upgrade to v3.0.8, where this issue is fixed. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
On Mon, May 11, 2015 at 7:48 PM, Matthew Newton <mcn4@leicester.ac.uk> wrote:
On Mon, May 11, 2015 at 05:18:06PM +1000, Tynan Young wrote:
I have a near default freeradius3 setup using NTLM to authenticate our PEAP MSCHAP wireless clients. Non-windows machines work fine (mac, phones etc), but I'm having difficulty getting Windows 7/8 authenticated using machine authentication or user authentication.
...
Received Access-Request Id 221 from 172.17.6.253:32985 to 192.168.254.181:1812 length 218 User-Name = 'TESTDOMAIN\\testuser' NAS-IP-Address = 172.17.6.253 ... (10) authorize { (10) filter_username filter_username { (10) if (User-Name != "%{tolower:%{User-Name}}") (10) EXPAND %{tolower:%{User-Name}} (10) --> testdomain\\testuser (10) if (User-Name != "%{tolower:%{User-Name}}") -> TRUE (10) if (User-Name != "%{tolower:%{User-Name}}") { (10) [reject] = reject (10) } # if (User-Name != "%{tolower:%{User-Name}}") = reject (10) } # filter_username filter_username = reject (10) } # authorize = reject (10) Invalid user: [TESTDOMAIN\\testuser] (from client ap1-38-wlsclt-00 port 0 cli 5C514FFA8C73)
This.
Look at raddb/policy.d/filter, and ensure the unlang in "filter_username" that is to reject mixed-case usernames is commented out.
Or upgrade to v3.0.8, where this issue is fixed.
Matthew
-- Matthew Newton, Ph.D. <mcn4@le.ac.uk>
Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Great thanks for that. Commenting out the mixed case reject component fixed the issue for user authentication.
participants (4)
-
Ben Humpert -
Matthew Newton -
Stefan Paetow -
Tynan Young