Mac OXS Server version of FreeRadius Error
Hi All I hope you can help. I am having some problems running with Radius Authentication. The radius server is running on a Mac OSX server (ie a version of Freeradius I believe). I have a cisco Acess Point (1250 series) and want to use the Radius server to Authenticate EAP for WiFI users. I have added some users dsaw Cleartext-Password := "XXXXX" test Cleartext-Password := "test" And Clients (as shown in full listing below) However while users can Authenticate with LEAP no other EAP version Authenticates The Mac OSX Server terminal output to radiusd -s -X ends with Failed binding to socket: Address already in use /private/etc/raddb/radiusd.conf[242]: Error binding to port for 0.0.0.0 port 1812 Is this the problem and if so how might i fix it? Any help is greatly appreciated David server10:~ root# radiusd -s -X FreeRADIUS Version 2.1.3, for host i386-apple-darwin10.0, built on Apr 11 2011 at 17:19:07 Copyright (C) 1999-2008 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /private/etc/raddb/radiusd.conf including configuration file /private/etc/raddb/proxy.conf including configuration file /private/etc/raddb/clients.conf including files in directory /private/etc/raddb/modules/ including configuration file /private/etc/raddb/modules/acct_unique including configuration file /private/etc/raddb/modules/always including configuration file /private/etc/raddb/modules/attr_filter including configuration file /private/etc/raddb/modules/attr_rewrite including configuration file /private/etc/raddb/modules/chap including configuration file /private/etc/raddb/modules/checkval including configuration file /private/etc/raddb/modules/counter including configuration file /private/etc/raddb/modules/detail including configuration file /private/etc/raddb/modules/detail.example.com including configuration file /private/etc/raddb/modules/detail.log including configuration file /private/etc/raddb/modules/digest including configuration file /private/etc/raddb/modules/echo including configuration file /private/etc/raddb/modules/etc_group including configuration file /private/etc/raddb/modules/exec including configuration file /private/etc/raddb/modules/expiration including configuration file /private/etc/raddb/modules/expr including configuration file /private/etc/raddb/modules/files including configuration file /private/etc/raddb/modules/inner-eap including configuration file /private/etc/raddb/modules/ippool including configuration file /private/etc/raddb/modules/krb5 including configuration file /private/etc/raddb/modules/ldap including configuration file /private/etc/raddb/modules/linelog including configuration file /private/etc/raddb/modules/logintime including configuration file /private/etc/raddb/modules/mac2ip including configuration file /private/etc/raddb/modules/mac2vlan including configuration file /private/etc/raddb/modules/mschap including configuration file /private/etc/raddb/modules/opendirectory including configuration file /private/etc/raddb/modules/pam including configuration file /private/etc/raddb/modules/pap including configuration file /private/etc/raddb/modules/passwd including configuration file /private/etc/raddb/modules/perl including configuration file /private/etc/raddb/modules/policy including configuration file /private/etc/raddb/modules/preprocess including configuration file /private/etc/raddb/modules/radutmp including configuration file /private/etc/raddb/modules/realm including configuration file /private/etc/raddb/modules/smbpasswd including configuration file /private/etc/raddb/modules/sql_log including configuration file /private/etc/raddb/modules/sqlcounter_expire_on_login including configuration file /private/etc/raddb/modules/sradutmp including configuration file /private/etc/raddb/modules/unix including configuration file /private/etc/raddb/modules/wimax including configuration file /private/etc/raddb/eap.conf including configuration file /private/etc/raddb/sql.conf including configuration file /private/etc/raddb/sql/sqlite/dialup.conf including configuration file /private/etc/raddb/sql/mysql/counter.conf including configuration file /private/etc/raddb/policy.conf including files in directory /private/etc/raddb/sites-enabled/ including configuration file /private/etc/raddb/sites-enabled/default including configuration file /private/etc/raddb/sites-enabled/inner-tunnel including dictionary file /private/etc/raddb/dictionary main { prefix = "/usr" localstatedir = "/private/var" logdir = "/private/var/log/radius" libdir = "/usr/lib/freeradius" radacctdir = "/private/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 allow_core_dumps = no pidfile = "/private/var/run/radiusd/radiusd.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } client ap1250 { ipaddr = 192.168.0.98 netmask = 32 require_message_authenticator = no secret = "TEST" shortname = "ap1250" nastype = "cisco" } client 127.0.0.1 { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" shortname = "localtest" login = "test" password = "test" } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating exec exec { wait = no input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating expr Module: Linked to module rlm_expiration Module: Instantiating expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } Module: Linked to module rlm_sql Module: Instantiating sql sql { driver = "rlm_sql_sqlite" server = "localhost" port = "" login = "radius" password = "radpass" radius_db = "radius" read_groups = yes sqltrace = no sqltracefile = "/private/var/log/radius/sqltrace.sql" readclients = yes deletestalesessions = yes num_sql_socks = 5 sql_user_name = "%{User-Name}" default_user_profile = "" nas_query = "SELECT id,nasname,shortname,type,secret FROM nas" authorize_check_query = "" authorize_group_check_query = "" authorize_group_reply_query = "" accounting_onoff_query = "" accounting_update_query = "" accounting_update_query_alt = "" accounting_start_query = "" accounting_start_query_alt = "" accounting_stop_query = "" accounting_stop_query_alt = "" connect_failure_retry_delay = 60 simul_count_query = "" simul_verify_query = "" postauth_query = "" safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /" } rlm_sql (sql): Driver rlm_sql_sqlite (module rlm_sql_sqlite) loaded and linked rlm_sql (sql): Attempting to connect to radius@localhost:/radius rlm_sql (sql): starting 0 rlm_sql (sql): Attempting to connect rlm_sql_sqlite #0 rlm_sql_sqlite: Opening sqlite database /private/etc/raddb/sqlite_radius_client_database for #0 rlm_sql_sqlite: sqlite3_open() = 0 rlm_sql (sql): Connected new DB handle, #0 rlm_sql (sql): starting 1 rlm_sql (sql): Attempting to connect rlm_sql_sqlite #1 rlm_sql_sqlite: Opening sqlite database /private/etc/raddb/sqlite_radius_client_database for #1 rlm_sql_sqlite: sqlite3_open() = 0 rlm_sql (sql): Connected new DB handle, #1 rlm_sql (sql): starting 2 rlm_sql (sql): Attempting to connect rlm_sql_sqlite #2 rlm_sql_sqlite: Opening sqlite database /private/etc/raddb/sqlite_radius_client_database for #2 rlm_sql_sqlite: sqlite3_open() = 0 rlm_sql (sql): Connected new DB handle, #2 rlm_sql (sql): starting 3 rlm_sql (sql): Attempting to connect rlm_sql_sqlite #3 rlm_sql_sqlite: Opening sqlite database /private/etc/raddb/sqlite_radius_client_database for #3 rlm_sql_sqlite: sqlite3_open() = 0 rlm_sql (sql): Connected new DB handle, #3 rlm_sql (sql): starting 4 rlm_sql (sql): Attempting to connect rlm_sql_sqlite #4 rlm_sql_sqlite: Opening sqlite database /private/etc/raddb/sqlite_radius_client_database for #4 rlm_sql_sqlite: sqlite3_open() = 0 rlm_sql (sql): Connected new DB handle, #4 rlm_sql (sql): Processing generate_sql_clients rlm_sql (sql) in generate_sql_clients: query is SELECT id,nasname,shortname,type,secret FROM nas rlm_sql (sql): Reserving sql socket id: 4 rlm_sql_sqlite: sqlite3_prepare() = 0 rlm_sql_sqlite: sqlite3_step = 101 rlm_sql_sqlite: sqlite3_finalize() = 0 rlm_sql (sql): Released sql socket id: 4 } radiusd: #### Loading Virtual Servers #### server inner-tunnel { modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating chap Module: Linked to module rlm_mschap Module: Instantiating mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = yes ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" use_open_directory = yes } Module: Linked to module rlm_unix Module: Instantiating unix unix { radwtmp = "/private/var/log/radius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating eap eap { default_eap_type = "ttls" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 2048 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 pem_file_type = yes private_key_file = "/etc/certificates/eo11.net.32F996A897D33C23D8C652B022E96A44E350F98A.key.pem" certificate_file = "/etc/certificates/eo11.net.32F996A897D33C23D8C652B022E96A44E350F98A.cert.pem" CA_file = "/etc/certificates/eo11.net.32F996A897D33C23D8C652B022E96A44E350F98A.chain.pem" private_key_password = "Apple:UseCertAdmin" dh_file = "/etc/raddb/certs/dh" random_file = "/etc/raddb/certs/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" make_cert_command = "/private/etc/raddb/certs/bootstrap" cache { enable = no lifetime = 24 max_entries = 255 } } rlm_eap: Getting private key passphrase using command "/usr/sbin/certadmin --get-private-key-passphrase "/etc/certificates/eo11.net.32F996A897D33C23D8C652B022E96A44E350F98A.key.pem"" rlm_eap: Password from command = "DD562BC8-164C-4A2F-86F4-8F9AC4EBCB16" Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_realm Module: Instantiating suffix realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating files files { usersfile = "/private/etc/raddb/users" acctusersfile = "/private/etc/raddb/acct_users" preproxy_usersfile = "/private/etc/raddb/preproxy_users" compat = "no" } Module: Checking session {...} for more modules to load Module: Linked to module rlm_radutmp Module: Instantiating radutmp radutmp { filename = "/private/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Linked to module rlm_attr_filter Module: Instantiating attr_filter.access_reject attr_filter attr_filter.access_reject { attrsfile = "/private/etc/raddb/attrs.access_reject" key = "%{User-Name}" } } } modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_opendirectory Module: Instantiating opendirectory Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating preprocess preprocess { huntgroups = "/private/etc/raddb/huntgroups" hints = "/private/etc/raddb/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating detail detail { detailfile = "/private/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Instantiating attr_filter.accounting_response attr_filter attr_filter.accounting_response { attrsfile = "/private/etc/raddb/attrs.accounting_response" key = "%{User-Name}" } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 Failed binding to socket: Address already in use /private/etc/raddb/radiusd.conf[242]: Error binding to port for 0.0.0.0 port 1812 -- View this message in context: http://freeradius.1045715.n5.nabble.com/Mac-OXS-Server-version-of-FreeRadius... Sent from the FreeRadius - User mailing list archive at Nabble.com.
DavidS wrote:
I have added some users dsaw Cleartext-Password := "XXXXX" test Cleartext-Password := "test"
That should work.
However while users can Authenticate with LEAP no other EAP version Authenticates
So... fix eap.conf. This is documented.
The Mac OSX Server terminal output to radiusd -s -X ends with
Failed binding to socket: Address already in use /private/etc/raddb/radiusd.conf[242]: Error binding to port for 0.0.0.0 port 1812
Is this the problem and if so how might i fix it?
That's a Unix 101 problem. There is already a version of FreeRADIUS running. Stop it, and *then* start the server in debugging mode. Or, read "man radiusd", and start the debugging server on another IP and/or port. Alan DeKok.
Thanks Alan Stopped the other Server instance and of course as you not message resolved to radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on proxy address * port 1814 Ready to process requests. However I still cant get the damn setup to Authenticate. The output during a failed attempt to authenticate a user, to my eyes did not reveal the issue that i need to address in eap (as you propose) or elsewhere Here is the output during a user attempt to authenticate - any thoughts? (Thanks David) Ready to process requests. rad_recv: Access-Request packet from host 192.168.0.98 port 1645, id=1, length=136 User-Name = "dsawcer" Framed-MTU = 1400 Called-Station-Id = "0023.331c.9680" Calling-Station-Id = "9027.e4f9.25b0" Service-Type = Login-User Message-Authenticator = 0x562f50d7ee215e2703a4aa2ca625ccfd EAP-Message = 0x0202000c0164736177636572 NAS-Port-Type = Wireless-802.11 NAS-Port = 257 NAS-Port-Id = "257" NAS-IP-Address = 192.168.0.98 NAS-Identifier = "ap1250" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "dsawcer", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 2 length 12 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound ++[files] returns noop rlm_opendirectory: The host 192.168.0.98 does not have an access group. rlm_opendirectory: Could not get the user's uuid. ++[opendirectory] returns notfound ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 1 to 192.168.0.98 port 1645 EAP-Message = 0x010300061520 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x73a410f073a70568fa17f41fc5620938 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.0.98 port 1645, id=2, length=306 User-Name = "dsawcer" Framed-MTU = 1400 Called-Station-Id = "0023.331c.9680" Calling-Station-Id = "9027.e4f9.25b0" Service-Type = Login-User Message-Authenticator = 0xaa6d7f080c19541eaf62c4dc81581a09 EAP-Message = 0x020300a415800000009a16030100950100009103014e5b4b3e338c0281aac0bcc701f19deaac117d722a79430407804edc3f8cf6f2000056c00ac009c007c008c013c014c011c012c004c005c002c003c00ec00fc00cc00d002f000500040035000a000900030008000600320033003800390016001500140013001200110034003a0018001b001a00170019000101000012000a00080006001700180019000b00020100 NAS-Port-Type = Wireless-802.11 NAS-Port = 257 NAS-Port-Id = "257" State = 0x73a410f073a70568fa17f41fc5620938 NAS-IP-Address = 192.168.0.98 NAS-Identifier = "ap1250" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "dsawcer", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 3 length 164 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS TLS Length 154 [ttls] Length Included [ttls] eaptls_verify returned 11 [ttls] (other): before/accept initialization [ttls] TLS_accept: before/accept initialization [ttls] <<< TLS 1.0 Handshake [length 0095], ClientHello [ttls] TLS_accept: SSLv3 read client hello A [ttls] >>> TLS 1.0 Handshake [length 002a], ServerHello [ttls] TLS_accept: SSLv3 write server hello A [ttls] >>> TLS 1.0 Handshake [length 0e89], Certificate [ttls] TLS_accept: SSLv3 write certificate A [ttls] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [ttls] TLS_accept: SSLv3 write server done A [ttls] TLS_accept: SSLv3 flush data [ttls] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [ttls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 2 to 192.168.0.98 port 1645 EAP-Message = 0x0104040015c000000ec6160301002a0200002603014e5b4b3e8bc7ac345e1c5381eba044978c8cc9d815e95029e356c66b83d1b62000002f001603010e890b000e85000e820005933082058f30820477a00302010202072b432e88483c5a300d06092a864886f70d01010505003081ca310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c65311a3018060355040a1311476f44616464792e636f6d2c20496e632e31333031060355040b132a687474703a2f2f6365727469666963617465732e676f64616464792e636f6d2f7265706f7369746f72793130302e06035504 EAP-Message = 0x031327476f204461646479205365637572652043657274696669636174696f6e20417574686f726974793111300f060355040513083037393639323837301e170d3131303831333038323831305a170d3134303733313030313030365a30493111300f060355040a1308656f31312e6e65743121301f060355040b1318446f6d61696e20436f6e74726f6c2056616c6964617465643111300f06035504031308656f31312e6e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100d8a8ebd1991709bf23ed04e56d0d3e20948daed510d217cf642ab2885035a8563f7fc4500fa27834f0b37d52cbdc2769b320cc66 EAP-Message = 0x1991b30d815bf3c2b6e12d2f0e92932210a8f2408c172dcddb05dfb4754ce82a776cf65829058d38cc1738525252759d4eb48e6dcfacc238a48d8b3382dde0f7fcd49a404afaa9ed63e4fd4bd0af702fed8b331841bdeebcc2d50f10fb3de53fc089a5d1b500a53aa6cc7e370b126c00e107c633fba512e5f31117587a6b44c2626cf3a43a97f268a4258c55e5b01343685595b0687253c0916225ca27faed8a30ab3eceb40de2f8a3eef97b61d5dca09bb39e174465e8c8586b8cec54ce634999d12c7c040ef0a3653a81210203010001a38201f8308201f4300f0603551d130101ff04053003010100301d0603551d250416301406082b0601050507 EAP-Message = 0x030106082b06010505070302300e0603551d0f0101ff0404030205a030330603551d1f042c302a3028a026a0248622687474703a2f2f63726c2e676f64616464792e636f6d2f676473312d35342e63726c304d0603551d20044630443042060b6086480186fd6d010717013033303106082b06010505070201162568747470733a2f2f63657274732e676f64616464792e636f6d2f7265706f7369746f72792f30818006082b0601050507010104743072302406082b060105050730018618687474703a2f2f6f6373702e676f64616464792e636f6d2f304a06082b06010505073002863e687474703a2f2f6365727469666963617465732e676f6461 EAP-Message = 0x6464792e636f6d2f7265706f Message-Authenticator = 0x00000000000000000000000000000000 State = 0x73a410f072a00568fa17f41fc5620938 Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.0.98 port 1645, id=3, length=148 User-Name = "dsawcer" Framed-MTU = 1400 Called-Station-Id = "0023.331c.9680" Calling-Station-Id = "9027.e4f9.25b0" Service-Type = Login-User Message-Authenticator = 0x2db3b6c8db5fe348e4b1bd10b20c258f EAP-Message = 0x020400061500 NAS-Port-Type = Wireless-802.11 NAS-Port = 257 NAS-Port-Id = "257" State = 0x73a410f072a00568fa17f41fc5620938 NAS-IP-Address = 192.168.0.98 NAS-Identifier = "ap1250" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "dsawcer", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 4 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] Received TLS ACK [ttls] ACK handshake fragment handler [ttls] eaptls_verify returned 1 [ttls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 3 to 192.168.0.98 port 1645 EAP-Message = 0x0105040015c000000ec67369746f72792f67645f696e7465726d6564696174652e637274301f0603551d23041830168014fdac6132936c45d6e2ee855f9abae7769968cce7306b0603551d11046430628208656f31312e6e6574820c7777772e656f31312e6e65748210736c726e6173302e656f31312e6e65748212736c727377697463682e656f31312e6e6574821173657276657231302e656f31312e6e6574820f736c723837372e656f31312e6e6574301d0603551d0e0416041484060b7bc0cfea495c2307cc9f9e49060817e12c300d06092a864886f70d010105050003820101007cb821a8dcf078841ddde21e6d43bf6d5093b22229cfe913 EAP-Message = 0xd7c27d3ca7efa523743cd8f88e8c2b240558eaef9cfa3ee4c19e678399f4e3daa1952e230c39a9078fb8ad65314ee2e57aab07972822b163f92f6d9ab4ffabf27436a8a4ddec30901fa16a6ed0e7901f16c5d8b6b166f483a55a2e4159c38b80e4537e0b3a56c57195c501d0791276e298670e92b70143f045e3c83f0a4a7ad433e45d4c7e5636a1f2269c7d18587111ae7a07032a934838abd0fcb31f18b97a99fc7594f29874e0ad07b0e68061fbfce4d3b072c45baae778338c7f692c69f7412630972438266946d29e312811ddbad2219713978f459a816c6782954003a2c06231f8d08b8d190004e2308204de308203c6a0030201020202030130 EAP-Message = 0x0d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3036313131363031353433375a170d3236313131363031353433375a3081ca310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c65311a3018060355040a1311476f44616464792e636f6d2c20496e632e31333031060355040b132a687474703a2f2f6365727469 EAP-Message = 0x666963617465732e676f64616464792e636f6d2f7265706f7369746f72793130302e06035504031327476f204461646479205365637572652043657274696669636174696f6e20417574686f726974793111300f06035504051308303739363932383730820122300d06092a864886f70d01010105000382010f003082010a0282010100c42dd5158c9c264cec3235eb5fb859015aa66181593b7063abe3dc3dc72ab8c933d379e43aed3c3023848eb33014b6b287c33d9554049edf99dd0b251e21de65297e35a8a954ebf6f73239d4265595adeffbfe5886d79ef4008d8c2a0cbd4204cea73f04f6ee80f2aaef52a16966dabe1aad5dda2c66ea1a6b EAP-Message = 0xbbe51a514a002f48c79875d8 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x73a410f071a10568fa17f41fc5620938 Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.0.98 port 1645, id=4, length=148 User-Name = "dsawcer" Framed-MTU = 1400 Called-Station-Id = "0023.331c.9680" Calling-Station-Id = "9027.e4f9.25b0" Service-Type = Login-User Message-Authenticator = 0xb4df3ea96b26ccc933e07c8daf238f8c EAP-Message = 0x020500061500 NAS-Port-Type = Wireless-802.11 NAS-Port = 257 NAS-Port-Id = "257" State = 0x73a410f071a10568fa17f41fc5620938 NAS-IP-Address = 192.168.0.98 NAS-Identifier = "ap1250" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "dsawcer", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 5 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] Received TLS ACK [ttls] ACK handshake fragment handler [ttls] eaptls_verify returned 1 [ttls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 4 to 192.168.0.98 port 1645 EAP-Message = 0x0106040015c000000ec6b929c8eef8666d0a9cb3f3fc787ca2f8a3f2b5c3f3b97a91c1a7e6252e9ca8ed12656e6af6124453703095c39c2b582b3d08744af2be51b0bf87d04c27586bb535c59daf1731f80b8feead813605890898cf3aaf2587c049eaa7fd67f7458e97cc1439e23685b57e1a37fd16f671119a743016fe1394a33f840d4f0203010001a38201323082012e301d0603551d0e04160414fdac6132936c45d6e2ee855f9abae7769968cce7301f0603551d23041830168014d2c4b0d291d44c1171b361cb3da1fedda86ad4e330120603551d130101ff040830060101ff020100303306082b0601050507010104273025302306082b0601 EAP-Message = 0x05050730018617687474703a2f2f6f6373702e676f64616464792e636f6d30460603551d1f043f303d303ba039a0378635687474703a2f2f6365727469666963617465732e676f64616464792e636f6d2f7265706f7369746f72792f6764726f6f742e63726c304b0603551d200444304230400604551d20003038303606082b06010505070201162a687474703a2f2f6365727469666963617465732e676f64616464792e636f6d2f7265706f7369746f7279300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100d286c0ecbdf9a1b667ee660ba2063a04508e1572ac4a749553cb37cb4449ef07906b33d996f0 EAP-Message = 0x9456a51330053c8532217bc9c70aa824a490de46d32523140367c210d66f0f5d7b7acc9fc5582ac1c49e21a85af3aca446f39ee463cb2f90a4292901d9722c29df370127bc4fee68d3218fc0b3e4f509edd210aa53b4bef0cc590bd63b961c952449dfceecfda7489114450e3a366fda45b345a241c9d4d7444e3eb97476d5a213552cc687a3b599ac0684877f7506fcbf144c0ecc6ec4df3db71271f4e8f15140222849e01d4b87a834cc06a2dd125ad186366403356f6f776eebf28550985eab0353ad9123631f169ccdb9b205633ae1f4681b1705359553ee00040430820400308202e8a003020102020100300d06092a864886f70d010105050030 EAP-Message = 0x63310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d010101050003 EAP-Message = 0x82010d003082010802820101 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x73a410f070a20568fa17f41fc5620938 Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.0.98 port 1645, id=5, length=148 User-Name = "dsawcer" Framed-MTU = 1400 Called-Station-Id = "0023.331c.9680" Calling-Station-Id = "9027.e4f9.25b0" Service-Type = Login-User Message-Authenticator = 0xa82b2ec6c5b16aac04984c38b383fa96 EAP-Message = 0x020600061500 NAS-Port-Type = Wireless-802.11 NAS-Port = 257 NAS-Port-Id = "257" State = 0x73a410f070a20568fa17f41fc5620938 NAS-IP-Address = 192.168.0.98 NAS-Identifier = "ap1250" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "dsawcer", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 6 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] Received TLS ACK [ttls] ACK handshake fragment handler [ttls] eaptls_verify returned 1 [ttls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 5 to 192.168.0.98 port 1645 EAP-Message = 0x010702ee158000000ec600de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e38 EAP-Message = 0x74c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c90 EAP-Message = 0x1e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x73a410f077a30568fa17f41fc5620938 Finished request 4. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.0.98 port 1645, id=6, length=480 User-Name = "dsawcer" Framed-MTU = 1400 Called-Station-Id = "0023.331c.9680" Calling-Station-Id = "9027.e4f9.25b0" Service-Type = Login-User Message-Authenticator = 0x49d07e0783dcd34e743f77688134f6a0 EAP-Message = 0x02070150158000000146160301010610000102010073e8769c50931eb8d7510b6242122789975b90912e9b316de5374da9414b4ce049ad52941117dbc7e35eb6f3870db7f47a8f96fcbdedc32f0702ded1d8760af5931b8e482297f6ac6f51e3c9f8bcfe3bf7bc93c08f51afc4b641973a0e6ef0019c4e4f1ce2209d3cb42012fec054feb0345a57846adcb668f81e044b12b161597d0be12795e554410d329fa92ff71bffa30e103aee646b12bfc68defea0eddf3c98fce85893a9710fbfd6150fb59ff1fa64765e6371bc18eb4f3ea56129ce030f491c4d5c6c5ef7cd8f075468406014089200fb186b85c7933a85d2b07daa2674627f70b18300c04 EAP-Message = 0x7afa967ca838b8fcd5e02794142216fb6f234114eba1bedf14030100010116030100309ccb0a854ba537cb852bba4e829095eecc777a146367523ef7408367aa73527e251f324f277a77fd69bd8275e3fb80cf NAS-Port-Type = Wireless-802.11 NAS-Port = 257 NAS-Port-Id = "257" State = 0x73a410f077a30568fa17f41fc5620938 NAS-IP-Address = 192.168.0.98 NAS-Identifier = "ap1250" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "dsawcer", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 7 length 253 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS TLS Length 326 [ttls] Length Included [ttls] eaptls_verify returned 11 [ttls] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange [ttls] TLS_accept: SSLv3 read client key exchange A [ttls] <<< TLS 1.0 ChangeCipherSpec [length 0001] [ttls] <<< TLS 1.0 Handshake [length 0010], Finished [ttls] TLS_accept: SSLv3 read finished A [ttls] >>> TLS 1.0 ChangeCipherSpec [length 0001] [ttls] TLS_accept: SSLv3 write change cipher spec A [ttls] >>> TLS 1.0 Handshake [length 0010], Finished [ttls] TLS_accept: SSLv3 write finished A [ttls] TLS_accept: SSLv3 flush data [ttls] (other): SSL negotiation finished successfully SSL Connection Established [ttls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 6 to 192.168.0.98 port 1645 EAP-Message = 0x0108004515800000003b140301000101160301003008670b7dfe3518a23af339575826eb71df43b6f75c4aa3a31a63da1f37fdd335f033ed4d3abed24011738f87683cd142 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x73a410f076ac0568fa17f41fc5620938 Finished request 5. Going to the next request Waking up in 4.9 seconds. Cleaning up request 0 ID 1 with timestamp +2511 Cleaning up request 1 ID 2 with timestamp +2511 Cleaning up request 2 ID 3 with timestamp +2511 Cleaning up request 3 ID 4 with timestamp +2511 Cleaning up request 4 ID 5 with timestamp +2511 Cleaning up request 5 ID 6 with timestamp +2511 Ready to process requests. rad_recv: Access-Request packet from host 192.168.0.98 port 1645, id=7, length=285 User-Name = "dsawcer" Framed-MTU = 1400 Called-Station-Id = "0023.331c.9680" Calling-Station-Id = "9027.e4f9.25b0" Service-Type = Login-User Message-Authenticator = 0x97a15db1918171fe49d55d82bda7cba4 EAP-Message = 0x0208008f1580000000851703010080e2d9295b14cae59129b605c441aec00a3187009bb0ed4acc791fd1db3e46a58e9523480b479075cceb0b4af41e536d8005125b4bd7c326fbb382a43ec84f0684a5370e8971afde67d795ece00c588642a7892fcf41526cc4b1e724df9aec0bf4df5cad51ac25ae1489416a68ffac146347ee2cb35435ec593275ea486d85885c NAS-Port-Type = Wireless-802.11 NAS-Port = 257 NAS-Port-Id = "257" State = 0x73a410f076ac0568fa17f41fc5620938 NAS-IP-Address = 192.168.0.98 NAS-Identifier = "ap1250" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "dsawcer", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 8 length 143 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS TLS Length 133 [ttls] Length Included [ttls] eaptls_verify returned 11 [ttls] eaptls_process returned 7 [ttls] Session established. Proceeding to decode tunneled attributes. [ttls] Got tunneled request User-Name = "dsaw" MS-CHAP-Challenge = 0x123df4ae238e051b426c24389c668556 MS-CHAP2-Response = 0x6000312af67f4db149fc6001912cb04a532f0000000000000000b1e7d8a8884d8902ff74532fb08057f83298f346bab1896d FreeRADIUS-Proxied-To = 127.0.0.1 [ttls] Sending tunneled request User-Name = "dsaw" MS-CHAP-Challenge = 0x123df4ae238e051b426c24389c668556 MS-CHAP2-Response = 0x6000312af67f4db149fc6001912cb04a532f0000000000000000b1e7d8a8884d8902ff74532fb08057f83298f346bab1896d FreeRADIUS-Proxied-To = 127.0.0.1 server inner-tunnel { +- entering group authorize {...} ++[chap] returns noop [mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap' ++[mschap] returns ok ++[unix] returns notfound [suffix] No '@' in User-Name = "dsaw", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop [files] users: Matched entry dsaw at line 236 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = MSCHAP +- entering group MS-CHAP {...} [mschap] Told to do MS-CHAPv2 for dsaw with NT-Password [mschap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [mschap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [mschap] expand: --username=%{Stripped-User-Name:-%{User-Name:-None}} -> --username=dsaw [mschap] mschap2: 12 [mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=236c06ebf1d2d1cf [mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=b1e7d8a8884d8902ff74532fb08057f83298f346bab1896d [2011/08/29 01:18:16, 0, pid=2301] /SourceCache/samba/samba-235.7/samba/source/utils/ntlm_auth.c:get_winbind_domain(146) could not obtain winbind domain name! Exec-Program output: Reading winbind reply failed! (0xc0000001) Exec-Program-Wait: plaintext: Reading winbind reply failed! (0xc0000001) Exec-Program: returned: 1 [mschap] External script failed. [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject Failed to authenticate the user. } # server inner-tunnel [ttls] Got tunneled reply code 3 MS-CHAP-Error = "`E=691 R=1" [ttls] Got tunneled Access-Reject [eap] Handler failed in EAP/ttls [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> dsawcer attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 6 for 1 seconds Going to the next request Waking up in 0.6 seconds. Sending delayed reject for request 6 Sending Access-Reject of id 7 to 192.168.0.98 port 1645 EAP-Message = 0x04080004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 4.9 seconds. Cleaning up request 6 ID 7 with timestamp +2521 Ready to process requests. -- View this message in context: http://freeradius.1045715.n5.nabble.com/Mac-OXS-Server-version-of-FreeRadius... Sent from the FreeRadius - User mailing list archive at Nabble.com.
Did you verify ntlm_auth is actually working outside of FreeRADIUS? The stuff below suggests its not... -Arran [mschap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [mschap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [mschap] expand: --username=%{Stripped-User-Name:-%{User-Name:-None}} -> --username=dsaw [mschap] mschap2: 12 [mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=236c06ebf1d2d1cf [mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=b1e7d8a8884d8902ff74532fb08057f83298f346bab1896d [2011/08/29 01:18:16, 0, pid=2301] /SourceCache/samba/samba-235.7/samba/source/utils/ntlm_auth.c:get_winbind_domain(146) could not obtain winbind domain name! Exec-Program output: Reading winbind reply failed! (0xc0000001) Exec-Program-Wait: plaintext: Reading winbind reply failed! (0xc0000001) Exec-Program: returned: 1 [mschap] External script failed. [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject On 29 Aug 2011, at 10:52, DavidS wrote:
Thanks Alan Stopped the other Server instance and of course as you not message resolved to
radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on proxy address * port 1814 Ready to process requests.
However I still cant get the damn setup to Authenticate. The output during a failed attempt to authenticate a user, to my eyes did not reveal the issue that i need to address in eap (as you propose) or elsewhere
Here is the output during a user attempt to authenticate - any thoughts? (Thanks David)
Ready to process requests. rad_recv: Access-Request packet from host 192.168.0.98 port 1645, id=1, length=136 User-Name = "dsawcer" Framed-MTU = 1400 Called-Station-Id = "0023.331c.9680" Calling-Station-Id = "9027.e4f9.25b0" Service-Type = Login-User Message-Authenticator = 0x562f50d7ee215e2703a4aa2ca625ccfd EAP-Message = 0x0202000c0164736177636572 NAS-Port-Type = Wireless-802.11 NAS-Port = 257 NAS-Port-Id = "257" NAS-IP-Address = 192.168.0.98 NAS-Identifier = "ap1250" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "dsawcer", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 2 length 12 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound ++[files] returns noop rlm_opendirectory: The host 192.168.0.98 does not have an access group. rlm_opendirectory: Could not get the user's uuid. ++[opendirectory] returns notfound ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 1 to 192.168.0.98 port 1645 EAP-Message = 0x010300061520 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x73a410f073a70568fa17f41fc5620938 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.0.98 port 1645, id=2, length=306 User-Name = "dsawcer" Framed-MTU = 1400 Called-Station-Id = "0023.331c.9680" Calling-Station-Id = "9027.e4f9.25b0" Service-Type = Login-User Message-Authenticator = 0xaa6d7f080c19541eaf62c4dc81581a09 EAP-Message = 0x020300a415800000009a16030100950100009103014e5b4b3e338c0281aac0bcc701f19deaac117d722a79430407804edc3f8cf6f2000056c00ac009c007c008c013c014c011c012c004c005c002c003c00ec00fc00cc00d002f000500040035000a000900030008000600320033003800390016001500140013001200110034003a0018001b001a00170019000101000012000a00080006001700180019000b00020100 NAS-Port-Type = Wireless-802.11 NAS-Port = 257 NAS-Port-Id = "257" State = 0x73a410f073a70568fa17f41fc5620938 NAS-IP-Address = 192.168.0.98 NAS-Identifier = "ap1250" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "dsawcer", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 3 length 164 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS TLS Length 154 [ttls] Length Included [ttls] eaptls_verify returned 11 [ttls] (other): before/accept initialization [ttls] TLS_accept: before/accept initialization [ttls] <<< TLS 1.0 Handshake [length 0095], ClientHello [ttls] TLS_accept: SSLv3 read client hello A [ttls] >>> TLS 1.0 Handshake [length 002a], ServerHello [ttls] TLS_accept: SSLv3 write server hello A [ttls] >>> TLS 1.0 Handshake [length 0e89], Certificate [ttls] TLS_accept: SSLv3 write certificate A [ttls] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [ttls] TLS_accept: SSLv3 write server done A [ttls] TLS_accept: SSLv3 flush data [ttls] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [ttls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 2 to 192.168.0.98 port 1645 EAP-Message = 0x0104040015c000000ec6160301002a0200002603014e5b4b3e8bc7ac345e1c5381eba044978c8cc9d815e95029e356c66b83d1b62000002f001603010e890b000e85000e820005933082058f30820477a00302010202072b432e88483c5a300d06092a864886f70d01010505003081ca310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c65311a3018060355040a1311476f44616464792e636f6d2c20496e632e31333031060355040b132a687474703a2f2f6365727469666963617465732e676f64616464792e636f6d2f7265706f7369746f72793130302e06035504 EAP-Message = 0x031327476f204461646479205365637572652043657274696669636174696f6e20417574686f726974793111300f060355040513083037393639323837301e170d3131303831333038323831305a170d3134303733313030313030365a30493111300f060355040a1308656f31312e6e65743121301f060355040b1318446f6d61696e20436f6e74726f6c2056616c6964617465643111300f06035504031308656f31312e6e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100d8a8ebd1991709bf23ed04e56d0d3e20948daed510d217cf642ab2885035a8563f7fc4500fa27834f0b37d52cbdc2769b320cc66 EAP-Message = 0x1991b30d815bf3c2b6e12d2f0e92932210a8f2408c172dcddb05dfb4754ce82a776cf65829058d38cc1738525252759d4eb48e6dcfacc238a48d8b3382dde0f7fcd49a404afaa9ed63e4fd4bd0af702fed8b331841bdeebcc2d50f10fb3de53fc089a5d1b500a53aa6cc7e370b126c00e107c633fba512e5f31117587a6b44c2626cf3a43a97f268a4258c55e5b01343685595b0687253c0916225ca27faed8a30ab3eceb40de2f8a3eef97b61d5dca09bb39e174465e8c8586b8cec54ce634999d12c7c040ef0a3653a81210203010001a38201f8308201f4300f0603551d130101ff04053003010100301d0603551d250416301406082b0601050507 EAP-Message = 0x030106082b06010505070302300e0603551d0f0101ff0404030205a030330603551d1f042c302a3028a026a0248622687474703a2f2f63726c2e676f64616464792e636f6d2f676473312d35342e63726c304d0603551d20044630443042060b6086480186fd6d010717013033303106082b06010505070201162568747470733a2f2f63657274732e676f64616464792e636f6d2f7265706f7369746f72792f30818006082b0601050507010104743072302406082b060105050730018618687474703a2f2f6f6373702e676f64616464792e636f6d2f304a06082b06010505073002863e687474703a2f2f6365727469666963617465732e676f6461 EAP-Message = 0x6464792e636f6d2f7265706f Message-Authenticator = 0x00000000000000000000000000000000 State = 0x73a410f072a00568fa17f41fc5620938 Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.0.98 port 1645, id=3, length=148 User-Name = "dsawcer" Framed-MTU = 1400 Called-Station-Id = "0023.331c.9680" Calling-Station-Id = "9027.e4f9.25b0" Service-Type = Login-User Message-Authenticator = 0x2db3b6c8db5fe348e4b1bd10b20c258f EAP-Message = 0x020400061500 NAS-Port-Type = Wireless-802.11 NAS-Port = 257 NAS-Port-Id = "257" State = 0x73a410f072a00568fa17f41fc5620938 NAS-IP-Address = 192.168.0.98 NAS-Identifier = "ap1250" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "dsawcer", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 4 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] Received TLS ACK [ttls] ACK handshake fragment handler [ttls] eaptls_verify returned 1 [ttls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 3 to 192.168.0.98 port 1645 EAP-Message = 0x0105040015c000000ec67369746f72792f67645f696e7465726d6564696174652e637274301f0603551d23041830168014fdac6132936c45d6e2ee855f9abae7769968cce7306b0603551d11046430628208656f31312e6e6574820c7777772e656f31312e6e65748210736c726e6173302e656f31312e6e65748212736c727377697463682e656f31312e6e6574821173657276657231302e656f31312e6e6574820f736c723837372e656f31312e6e6574301d0603551d0e0416041484060b7bc0cfea495c2307cc9f9e49060817e12c300d06092a864886f70d010105050003820101007cb821a8dcf078841ddde21e6d43bf6d5093b22229cfe913 EAP-Message = 0xd7c27d3ca7efa523743cd8f88e8c2b240558eaef9cfa3ee4c19e678399f4e3daa1952e230c39a9078fb8ad65314ee2e57aab07972822b163f92f6d9ab4ffabf27436a8a4ddec30901fa16a6ed0e7901f16c5d8b6b166f483a55a2e4159c38b80e4537e0b3a56c57195c501d0791276e298670e92b70143f045e3c83f0a4a7ad433e45d4c7e5636a1f2269c7d18587111ae7a07032a934838abd0fcb31f18b97a99fc7594f29874e0ad07b0e68061fbfce4d3b072c45baae778338c7f692c69f7412630972438266946d29e312811ddbad2219713978f459a816c6782954003a2c06231f8d08b8d190004e2308204de308203c6a0030201020202030130 EAP-Message = 0x0d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3036313131363031353433375a170d3236313131363031353433375a3081ca310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c65311a3018060355040a1311476f44616464792e636f6d2c20496e632e31333031060355040b132a687474703a2f2f6365727469 EAP-Message = 0x666963617465732e676f64616464792e636f6d2f7265706f7369746f72793130302e06035504031327476f204461646479205365637572652043657274696669636174696f6e20417574686f726974793111300f06035504051308303739363932383730820122300d06092a864886f70d01010105000382010f003082010a0282010100c42dd5158c9c264cec3235eb5fb859015aa66181593b7063abe3dc3dc72ab8c933d379e43aed3c3023848eb33014b6b287c33d9554049edf99dd0b251e21de65297e35a8a954ebf6f73239d4265595adeffbfe5886d79ef4008d8c2a0cbd4204cea73f04f6ee80f2aaef52a16966dabe1aad5dda2c66ea1a6b EAP-Message = 0xbbe51a514a002f48c79875d8 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x73a410f071a10568fa17f41fc5620938 Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.0.98 port 1645, id=4, length=148 User-Name = "dsawcer" Framed-MTU = 1400 Called-Station-Id = "0023.331c.9680" Calling-Station-Id = "9027.e4f9.25b0" Service-Type = Login-User Message-Authenticator = 0xb4df3ea96b26ccc933e07c8daf238f8c EAP-Message = 0x020500061500 NAS-Port-Type = Wireless-802.11 NAS-Port = 257 NAS-Port-Id = "257" State = 0x73a410f071a10568fa17f41fc5620938 NAS-IP-Address = 192.168.0.98 NAS-Identifier = "ap1250" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "dsawcer", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 5 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] Received TLS ACK [ttls] ACK handshake fragment handler [ttls] eaptls_verify returned 1 [ttls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 4 to 192.168.0.98 port 1645 EAP-Message = 0x0106040015c000000ec6b929c8eef8666d0a9cb3f3fc787ca2f8a3f2b5c3f3b97a91c1a7e6252e9ca8ed12656e6af6124453703095c39c2b582b3d08744af2be51b0bf87d04c27586bb535c59daf1731f80b8feead813605890898cf3aaf2587c049eaa7fd67f7458e97cc1439e23685b57e1a37fd16f671119a743016fe1394a33f840d4f0203010001a38201323082012e301d0603551d0e04160414fdac6132936c45d6e2ee855f9abae7769968cce7301f0603551d23041830168014d2c4b0d291d44c1171b361cb3da1fedda86ad4e330120603551d130101ff040830060101ff020100303306082b0601050507010104273025302306082b0601 EAP-Message = 0x05050730018617687474703a2f2f6f6373702e676f64616464792e636f6d30460603551d1f043f303d303ba039a0378635687474703a2f2f6365727469666963617465732e676f64616464792e636f6d2f7265706f7369746f72792f6764726f6f742e63726c304b0603551d200444304230400604551d20003038303606082b06010505070201162a687474703a2f2f6365727469666963617465732e676f64616464792e636f6d2f7265706f7369746f7279300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100d286c0ecbdf9a1b667ee660ba2063a04508e1572ac4a749553cb37cb4449ef07906b33d996f0 EAP-Message = 0x9456a51330053c8532217bc9c70aa824a490de46d32523140367c210d66f0f5d7b7acc9fc5582ac1c49e21a85af3aca446f39ee463cb2f90a4292901d9722c29df370127bc4fee68d3218fc0b3e4f509edd210aa53b4bef0cc590bd63b961c952449dfceecfda7489114450e3a366fda45b345a241c9d4d7444e3eb97476d5a213552cc687a3b599ac0684877f7506fcbf144c0ecc6ec4df3db71271f4e8f15140222849e01d4b87a834cc06a2dd125ad186366403356f6f776eebf28550985eab0353ad9123631f169ccdb9b205633ae1f4681b1705359553ee00040430820400308202e8a003020102020100300d06092a864886f70d010105050030 EAP-Message = 0x63310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d010101050003 EAP-Message = 0x82010d003082010802820101 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x73a410f070a20568fa17f41fc5620938 Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.0.98 port 1645, id=5, length=148 User-Name = "dsawcer" Framed-MTU = 1400 Called-Station-Id = "0023.331c.9680" Calling-Station-Id = "9027.e4f9.25b0" Service-Type = Login-User Message-Authenticator = 0xa82b2ec6c5b16aac04984c38b383fa96 EAP-Message = 0x020600061500 NAS-Port-Type = Wireless-802.11 NAS-Port = 257 NAS-Port-Id = "257" State = 0x73a410f070a20568fa17f41fc5620938 NAS-IP-Address = 192.168.0.98 NAS-Identifier = "ap1250" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "dsawcer", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 6 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] Received TLS ACK [ttls] ACK handshake fragment handler [ttls] eaptls_verify returned 1 [ttls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 5 to 192.168.0.98 port 1645 EAP-Message = 0x010702ee158000000ec600de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e38 EAP-Message = 0x74c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c90 EAP-Message = 0x1e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x73a410f077a30568fa17f41fc5620938 Finished request 4. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.0.98 port 1645, id=6, length=480 User-Name = "dsawcer" Framed-MTU = 1400 Called-Station-Id = "0023.331c.9680" Calling-Station-Id = "9027.e4f9.25b0" Service-Type = Login-User Message-Authenticator = 0x49d07e0783dcd34e743f77688134f6a0 EAP-Message = 0x02070150158000000146160301010610000102010073e8769c50931eb8d7510b6242122789975b90912e9b316de5374da9414b4ce049ad52941117dbc7e35eb6f3870db7f47a8f96fcbdedc32f0702ded1d8760af5931b8e482297f6ac6f51e3c9f8bcfe3bf7bc93c08f51afc4b641973a0e6ef0019c4e4f1ce2209d3cb42012fec054feb0345a57846adcb668f81e044b12b161597d0be12795e554410d329fa92ff71bffa30e103aee646b12bfc68defea0eddf3c98fce85893a9710fbfd6150fb59ff1fa64765e6371bc18eb4f3ea56129ce030f491c4d5c6c5ef7cd8f075468406014089200fb186b85c7933a85d2b07daa2674627f70b18300c04 EAP-Message = 0x7afa967ca838b8fcd5e02794142216fb6f234114eba1bedf14030100010116030100309ccb0a854ba537cb852bba4e829095eecc777a146367523ef7408367aa73527e251f324f277a77fd69bd8275e3fb80cf NAS-Port-Type = Wireless-802.11 NAS-Port = 257 NAS-Port-Id = "257" State = 0x73a410f077a30568fa17f41fc5620938 NAS-IP-Address = 192.168.0.98 NAS-Identifier = "ap1250" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "dsawcer", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 7 length 253 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS TLS Length 326 [ttls] Length Included [ttls] eaptls_verify returned 11 [ttls] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange [ttls] TLS_accept: SSLv3 read client key exchange A [ttls] <<< TLS 1.0 ChangeCipherSpec [length 0001] [ttls] <<< TLS 1.0 Handshake [length 0010], Finished [ttls] TLS_accept: SSLv3 read finished A [ttls] >>> TLS 1.0 ChangeCipherSpec [length 0001] [ttls] TLS_accept: SSLv3 write change cipher spec A [ttls] >>> TLS 1.0 Handshake [length 0010], Finished [ttls] TLS_accept: SSLv3 write finished A [ttls] TLS_accept: SSLv3 flush data [ttls] (other): SSL negotiation finished successfully SSL Connection Established [ttls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 6 to 192.168.0.98 port 1645 EAP-Message = 0x0108004515800000003b140301000101160301003008670b7dfe3518a23af339575826eb71df43b6f75c4aa3a31a63da1f37fdd335f033ed4d3abed24011738f87683cd142 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x73a410f076ac0568fa17f41fc5620938 Finished request 5. Going to the next request Waking up in 4.9 seconds. Cleaning up request 0 ID 1 with timestamp +2511 Cleaning up request 1 ID 2 with timestamp +2511 Cleaning up request 2 ID 3 with timestamp +2511 Cleaning up request 3 ID 4 with timestamp +2511 Cleaning up request 4 ID 5 with timestamp +2511 Cleaning up request 5 ID 6 with timestamp +2511 Ready to process requests. rad_recv: Access-Request packet from host 192.168.0.98 port 1645, id=7, length=285 User-Name = "dsawcer" Framed-MTU = 1400 Called-Station-Id = "0023.331c.9680" Calling-Station-Id = "9027.e4f9.25b0" Service-Type = Login-User Message-Authenticator = 0x97a15db1918171fe49d55d82bda7cba4 EAP-Message = 0x0208008f1580000000851703010080e2d9295b14cae59129b605c441aec00a3187009bb0ed4acc791fd1db3e46a58e9523480b479075cceb0b4af41e536d8005125b4bd7c326fbb382a43ec84f0684a5370e8971afde67d795ece00c588642a7892fcf41526cc4b1e724df9aec0bf4df5cad51ac25ae1489416a68ffac146347ee2cb35435ec593275ea486d85885c NAS-Port-Type = Wireless-802.11 NAS-Port = 257 NAS-Port-Id = "257" State = 0x73a410f076ac0568fa17f41fc5620938 NAS-IP-Address = 192.168.0.98 NAS-Identifier = "ap1250" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "dsawcer", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 8 length 143 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS TLS Length 133 [ttls] Length Included [ttls] eaptls_verify returned 11 [ttls] eaptls_process returned 7 [ttls] Session established. Proceeding to decode tunneled attributes. [ttls] Got tunneled request User-Name = "dsaw" MS-CHAP-Challenge = 0x123df4ae238e051b426c24389c668556 MS-CHAP2-Response = 0x6000312af67f4db149fc6001912cb04a532f0000000000000000b1e7d8a8884d8902ff74532fb08057f83298f346bab1896d FreeRADIUS-Proxied-To = 127.0.0.1 [ttls] Sending tunneled request User-Name = "dsaw" MS-CHAP-Challenge = 0x123df4ae238e051b426c24389c668556 MS-CHAP2-Response = 0x6000312af67f4db149fc6001912cb04a532f0000000000000000b1e7d8a8884d8902ff74532fb08057f83298f346bab1896d FreeRADIUS-Proxied-To = 127.0.0.1 server inner-tunnel { +- entering group authorize {...} ++[chap] returns noop [mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap' ++[mschap] returns ok ++[unix] returns notfound [suffix] No '@' in User-Name = "dsaw", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop [files] users: Matched entry dsaw at line 236 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = MSCHAP +- entering group MS-CHAP {...} [mschap] Told to do MS-CHAPv2 for dsaw with NT-Password [mschap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [mschap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [mschap] expand: --username=%{Stripped-User-Name:-%{User-Name:-None}} -> --username=dsaw [mschap] mschap2: 12 [mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=236c06ebf1d2d1cf [mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=b1e7d8a8884d8902ff74532fb08057f83298f346bab1896d [2011/08/29 01:18:16, 0, pid=2301] /SourceCache/samba/samba-235.7/samba/source/utils/ntlm_auth.c:get_winbind_domain(146) could not obtain winbind domain name! Exec-Program output: Reading winbind reply failed! (0xc0000001) Exec-Program-Wait: plaintext: Reading winbind reply failed! (0xc0000001) Exec-Program: returned: 1 [mschap] External script failed. [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject Failed to authenticate the user. } # server inner-tunnel [ttls] Got tunneled reply code 3 MS-CHAP-Error = "`E=691 R=1" [ttls] Got tunneled Access-Reject [eap] Handler failed in EAP/ttls [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> dsawcer attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 6 for 1 seconds Going to the next request Waking up in 0.6 seconds. Sending delayed reject for request 6 Sending Access-Reject of id 7 to 192.168.0.98 port 1645 EAP-Message = 0x04080004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 4.9 seconds. Cleaning up request 6 ID 7 with timestamp +2521 Ready to process requests.
-- View this message in context: http://freeradius.1045715.n5.nabble.com/Mac-OXS-Server-version-of-FreeRadius... Sent from the FreeRadius - User mailing list archive at Nabble.com. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Arran Cudbard-Bell a.cudbardb@freeradius.org RADIUS - Half the complexity of Diameter
Thanks Alan Stopped the other Server instance and of course as you not message resolved to radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on proxy address * port 1814 Ready to process requests. However I still cant get the damn setup to Authenticate. The output during a failed attempt to authenticate a user, to my eyes did not reveal the issue that i need to address in eap (as you propose) or elsewhere Here is the output during a user attempt to authenticate - any thoughts? (Thanks David) PS User-Name = "dsawcer" I am not sure where that "user name" came from - it is not a entry in USERS nor a User on the Access point or Server running the Radius Ready to process requests. rad_recv: Access-Request packet from host 192.168.0.98 port 1645, id=1, length=136 User-Name = "dsawcer" Framed-MTU = 1400 Called-Station-Id = "0023.331c.9680" Calling-Station-Id = "9027.e4f9.25b0" Service-Type = Login-User Message-Authenticator = 0x562f50d7ee215e2703a4aa2ca625ccfd EAP-Message = 0x0202000c0164736177636572 NAS-Port-Type = Wireless-802.11 NAS-Port = 257 NAS-Port-Id = "257" NAS-IP-Address = 192.168.0.98 NAS-Identifier = "ap1250" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "dsawcer", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 2 length 12 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound ++[files] returns noop rlm_opendirectory: The host 192.168.0.98 does not have an access group. rlm_opendirectory: Could not get the user's uuid. ++[opendirectory] returns notfound ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 1 to 192.168.0.98 port 1645 EAP-Message = 0x010300061520 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x73a410f073a70568fa17f41fc5620938 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.0.98 port 1645, id=2, length=306 User-Name = "dsawcer" Framed-MTU = 1400 Called-Station-Id = "0023.331c.9680" Calling-Station-Id = "9027.e4f9.25b0" Service-Type = Login-User Message-Authenticator = 0xaa6d7f080c19541eaf62c4dc81581a09 EAP-Message = 0x020300a415800000009a16030100950100009103014e5b4b3e338c0281aac0bcc701f19deaac117d722a79430407804edc3f8cf6f2000056c00ac009c007c008c013c014c011c012c004c005c002c003c00ec00fc00cc00d002f000500040035000a000900030008000600320033003800390016001500140013001200110034003a0018001b001a00170019000101000012000a00080006001700180019000b00020100 NAS-Port-Type = Wireless-802.11 NAS-Port = 257 NAS-Port-Id = "257" State = 0x73a410f073a70568fa17f41fc5620938 NAS-IP-Address = 192.168.0.98 NAS-Identifier = "ap1250" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "dsawcer", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 3 length 164 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS TLS Length 154 [ttls] Length Included [ttls] eaptls_verify returned 11 [ttls] (other): before/accept initialization [ttls] TLS_accept: before/accept initialization [ttls] <<< TLS 1.0 Handshake [length 0095], ClientHello [ttls] TLS_accept: SSLv3 read client hello A [ttls] >>> TLS 1.0 Handshake [length 002a], ServerHello [ttls] TLS_accept: SSLv3 write server hello A [ttls] >>> TLS 1.0 Handshake [length 0e89], Certificate [ttls] TLS_accept: SSLv3 write certificate A [ttls] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [ttls] TLS_accept: SSLv3 write server done A [ttls] TLS_accept: SSLv3 flush data [ttls] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [ttls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 2 to 192.168.0.98 port 1645 EAP-Message = 0x0104040015c000000ec6160301002a0200002603014e5b4b3e8bc7ac345e1c5381eba044978c8cc9d815e95029e356c66b83d1b62000002f001603010e890b000e85000e820005933082058f30820477a00302010202072b432e88483c5a300d06092a864886f70d01010505003081ca310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c65311a3018060355040a1311476f44616464792e636f6d2c20496e632e31333031060355040b132a687474703a2f2f6365727469666963617465732e676f64616464792e636f6d2f7265706f7369746f72793130302e06035504 EAP-Message = 0x031327476f204461646479205365637572652043657274696669636174696f6e20417574686f726974793111300f060355040513083037393639323837301e170d3131303831333038323831305a170d3134303733313030313030365a30493111300f060355040a1308656f31312e6e65743121301f060355040b1318446f6d61696e20436f6e74726f6c2056616c6964617465643111300f06035504031308656f31312e6e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100d8a8ebd1991709bf23ed04e56d0d3e20948daed510d217cf642ab2885035a8563f7fc4500fa27834f0b37d52cbdc2769b320cc66 EAP-Message = 0x1991b30d815bf3c2b6e12d2f0e92932210a8f2408c172dcddb05dfb4754ce82a776cf65829058d38cc1738525252759d4eb48e6dcfacc238a48d8b3382dde0f7fcd49a404afaa9ed63e4fd4bd0af702fed8b331841bdeebcc2d50f10fb3de53fc089a5d1b500a53aa6cc7e370b126c00e107c633fba512e5f31117587a6b44c2626cf3a43a97f268a4258c55e5b01343685595b0687253c0916225ca27faed8a30ab3eceb40de2f8a3eef97b61d5dca09bb39e174465e8c8586b8cec54ce634999d12c7c040ef0a3653a81210203010001a38201f8308201f4300f0603551d130101ff04053003010100301d0603551d250416301406082b0601050507 EAP-Message = 0x030106082b06010505070302300e0603551d0f0101ff0404030205a030330603551d1f042c302a3028a026a0248622687474703a2f2f63726c2e676f64616464792e636f6d2f676473312d35342e63726c304d0603551d20044630443042060b6086480186fd6d010717013033303106082b06010505070201162568747470733a2f2f63657274732e676f64616464792e636f6d2f7265706f7369746f72792f30818006082b0601050507010104743072302406082b060105050730018618687474703a2f2f6f6373702e676f64616464792e636f6d2f304a06082b06010505073002863e687474703a2f2f6365727469666963617465732e676f6461 EAP-Message = 0x6464792e636f6d2f7265706f Message-Authenticator = 0x00000000000000000000000000000000 State = 0x73a410f072a00568fa17f41fc5620938 Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.0.98 port 1645, id=3, length=148 User-Name = "dsawcer" Framed-MTU = 1400 Called-Station-Id = "0023.331c.9680" Calling-Station-Id = "9027.e4f9.25b0" Service-Type = Login-User Message-Authenticator = 0x2db3b6c8db5fe348e4b1bd10b20c258f EAP-Message = 0x020400061500 NAS-Port-Type = Wireless-802.11 NAS-Port = 257 NAS-Port-Id = "257" State = 0x73a410f072a00568fa17f41fc5620938 NAS-IP-Address = 192.168.0.98 NAS-Identifier = "ap1250" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "dsawcer", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 4 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] Received TLS ACK [ttls] ACK handshake fragment handler [ttls] eaptls_verify returned 1 [ttls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 3 to 192.168.0.98 port 1645 EAP-Message = 0x0105040015c000000ec67369746f72792f67645f696e7465726d6564696174652e637274301f0603551d23041830168014fdac6132936c45d6e2ee855f9abae7769968cce7306b0603551d11046430628208656f31312e6e6574820c7777772e656f31312e6e65748210736c726e6173302e656f31312e6e65748212736c727377697463682e656f31312e6e6574821173657276657231302e656f31312e6e6574820f736c723837372e656f31312e6e6574301d0603551d0e0416041484060b7bc0cfea495c2307cc9f9e49060817e12c300d06092a864886f70d010105050003820101007cb821a8dcf078841ddde21e6d43bf6d5093b22229cfe913 EAP-Message = 0xd7c27d3ca7efa523743cd8f88e8c2b240558eaef9cfa3ee4c19e678399f4e3daa1952e230c39a9078fb8ad65314ee2e57aab07972822b163f92f6d9ab4ffabf27436a8a4ddec30901fa16a6ed0e7901f16c5d8b6b166f483a55a2e4159c38b80e4537e0b3a56c57195c501d0791276e298670e92b70143f045e3c83f0a4a7ad433e45d4c7e5636a1f2269c7d18587111ae7a07032a934838abd0fcb31f18b97a99fc7594f29874e0ad07b0e68061fbfce4d3b072c45baae778338c7f692c69f7412630972438266946d29e312811ddbad2219713978f459a816c6782954003a2c06231f8d08b8d190004e2308204de308203c6a0030201020202030130 EAP-Message = 0x0d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3036313131363031353433375a170d3236313131363031353433375a3081ca310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c65311a3018060355040a1311476f44616464792e636f6d2c20496e632e31333031060355040b132a687474703a2f2f6365727469 EAP-Message = 0x666963617465732e676f64616464792e636f6d2f7265706f7369746f72793130302e06035504031327476f204461646479205365637572652043657274696669636174696f6e20417574686f726974793111300f06035504051308303739363932383730820122300d06092a864886f70d01010105000382010f003082010a0282010100c42dd5158c9c264cec3235eb5fb859015aa66181593b7063abe3dc3dc72ab8c933d379e43aed3c3023848eb33014b6b287c33d9554049edf99dd0b251e21de65297e35a8a954ebf6f73239d4265595adeffbfe5886d79ef4008d8c2a0cbd4204cea73f04f6ee80f2aaef52a16966dabe1aad5dda2c66ea1a6b EAP-Message = 0xbbe51a514a002f48c79875d8 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x73a410f071a10568fa17f41fc5620938 Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.0.98 port 1645, id=4, length=148 User-Name = "dsawcer" Framed-MTU = 1400 Called-Station-Id = "0023.331c.9680" Calling-Station-Id = "9027.e4f9.25b0" Service-Type = Login-User Message-Authenticator = 0xb4df3ea96b26ccc933e07c8daf238f8c EAP-Message = 0x020500061500 NAS-Port-Type = Wireless-802.11 NAS-Port = 257 NAS-Port-Id = "257" State = 0x73a410f071a10568fa17f41fc5620938 NAS-IP-Address = 192.168.0.98 NAS-Identifier = "ap1250" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "dsawcer", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 5 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] Received TLS ACK [ttls] ACK handshake fragment handler [ttls] eaptls_verify returned 1 [ttls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 4 to 192.168.0.98 port 1645 EAP-Message = 0x0106040015c000000ec6b929c8eef8666d0a9cb3f3fc787ca2f8a3f2b5c3f3b97a91c1a7e6252e9ca8ed12656e6af6124453703095c39c2b582b3d08744af2be51b0bf87d04c27586bb535c59daf1731f80b8feead813605890898cf3aaf2587c049eaa7fd67f7458e97cc1439e23685b57e1a37fd16f671119a743016fe1394a33f840d4f0203010001a38201323082012e301d0603551d0e04160414fdac6132936c45d6e2ee855f9abae7769968cce7301f0603551d23041830168014d2c4b0d291d44c1171b361cb3da1fedda86ad4e330120603551d130101ff040830060101ff020100303306082b0601050507010104273025302306082b0601 EAP-Message = 0x05050730018617687474703a2f2f6f6373702e676f64616464792e636f6d30460603551d1f043f303d303ba039a0378635687474703a2f2f6365727469666963617465732e676f64616464792e636f6d2f7265706f7369746f72792f6764726f6f742e63726c304b0603551d200444304230400604551d20003038303606082b06010505070201162a687474703a2f2f6365727469666963617465732e676f64616464792e636f6d2f7265706f7369746f7279300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100d286c0ecbdf9a1b667ee660ba2063a04508e1572ac4a749553cb37cb4449ef07906b33d996f0 EAP-Message = 0x9456a51330053c8532217bc9c70aa824a490de46d32523140367c210d66f0f5d7b7acc9fc5582ac1c49e21a85af3aca446f39ee463cb2f90a4292901d9722c29df370127bc4fee68d3218fc0b3e4f509edd210aa53b4bef0cc590bd63b961c952449dfceecfda7489114450e3a366fda45b345a241c9d4d7444e3eb97476d5a213552cc687a3b599ac0684877f7506fcbf144c0ecc6ec4df3db71271f4e8f15140222849e01d4b87a834cc06a2dd125ad186366403356f6f776eebf28550985eab0353ad9123631f169ccdb9b205633ae1f4681b1705359553ee00040430820400308202e8a003020102020100300d06092a864886f70d010105050030 EAP-Message = 0x63310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d010101050003 EAP-Message = 0x82010d003082010802820101 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x73a410f070a20568fa17f41fc5620938 Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.0.98 port 1645, id=5, length=148 User-Name = "dsawcer" Framed-MTU = 1400 Called-Station-Id = "0023.331c.9680" Calling-Station-Id = "9027.e4f9.25b0" Service-Type = Login-User Message-Authenticator = 0xa82b2ec6c5b16aac04984c38b383fa96 EAP-Message = 0x020600061500 NAS-Port-Type = Wireless-802.11 NAS-Port = 257 NAS-Port-Id = "257" State = 0x73a410f070a20568fa17f41fc5620938 NAS-IP-Address = 192.168.0.98 NAS-Identifier = "ap1250" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "dsawcer", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 6 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] Received TLS ACK [ttls] ACK handshake fragment handler [ttls] eaptls_verify returned 1 [ttls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 5 to 192.168.0.98 port 1645 EAP-Message = 0x010702ee158000000ec600de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e38 EAP-Message = 0x74c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c90 EAP-Message = 0x1e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x73a410f077a30568fa17f41fc5620938 Finished request 4. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.0.98 port 1645, id=6, length=480 User-Name = "dsawcer" Framed-MTU = 1400 Called-Station-Id = "0023.331c.9680" Calling-Station-Id = "9027.e4f9.25b0" Service-Type = Login-User Message-Authenticator = 0x49d07e0783dcd34e743f77688134f6a0 EAP-Message = 0x02070150158000000146160301010610000102010073e8769c50931eb8d7510b6242122789975b90912e9b316de5374da9414b4ce049ad52941117dbc7e35eb6f3870db7f47a8f96fcbdedc32f0702ded1d8760af5931b8e482297f6ac6f51e3c9f8bcfe3bf7bc93c08f51afc4b641973a0e6ef0019c4e4f1ce2209d3cb42012fec054feb0345a57846adcb668f81e044b12b161597d0be12795e554410d329fa92ff71bffa30e103aee646b12bfc68defea0eddf3c98fce85893a9710fbfd6150fb59ff1fa64765e6371bc18eb4f3ea56129ce030f491c4d5c6c5ef7cd8f075468406014089200fb186b85c7933a85d2b07daa2674627f70b18300c04 EAP-Message = 0x7afa967ca838b8fcd5e02794142216fb6f234114eba1bedf14030100010116030100309ccb0a854ba537cb852bba4e829095eecc777a146367523ef7408367aa73527e251f324f277a77fd69bd8275e3fb80cf NAS-Port-Type = Wireless-802.11 NAS-Port = 257 NAS-Port-Id = "257" State = 0x73a410f077a30568fa17f41fc5620938 NAS-IP-Address = 192.168.0.98 NAS-Identifier = "ap1250" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "dsawcer", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 7 length 253 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS TLS Length 326 [ttls] Length Included [ttls] eaptls_verify returned 11 [ttls] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange [ttls] TLS_accept: SSLv3 read client key exchange A [ttls] <<< TLS 1.0 ChangeCipherSpec [length 0001] [ttls] <<< TLS 1.0 Handshake [length 0010], Finished [ttls] TLS_accept: SSLv3 read finished A [ttls] >>> TLS 1.0 ChangeCipherSpec [length 0001] [ttls] TLS_accept: SSLv3 write change cipher spec A [ttls] >>> TLS 1.0 Handshake [length 0010], Finished [ttls] TLS_accept: SSLv3 write finished A [ttls] TLS_accept: SSLv3 flush data [ttls] (other): SSL negotiation finished successfully SSL Connection Established [ttls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 6 to 192.168.0.98 port 1645 EAP-Message = 0x0108004515800000003b140301000101160301003008670b7dfe3518a23af339575826eb71df43b6f75c4aa3a31a63da1f37fdd335f033ed4d3abed24011738f87683cd142 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x73a410f076ac0568fa17f41fc5620938 Finished request 5. Going to the next request Waking up in 4.9 seconds. Cleaning up request 0 ID 1 with timestamp +2511 Cleaning up request 1 ID 2 with timestamp +2511 Cleaning up request 2 ID 3 with timestamp +2511 Cleaning up request 3 ID 4 with timestamp +2511 Cleaning up request 4 ID 5 with timestamp +2511 Cleaning up request 5 ID 6 with timestamp +2511 Ready to process requests. rad_recv: Access-Request packet from host 192.168.0.98 port 1645, id=7, length=285 User-Name = "dsawcer" Framed-MTU = 1400 Called-Station-Id = "0023.331c.9680" Calling-Station-Id = "9027.e4f9.25b0" Service-Type = Login-User Message-Authenticator = 0x97a15db1918171fe49d55d82bda7cba4 EAP-Message = 0x0208008f1580000000851703010080e2d9295b14cae59129b605c441aec00a3187009bb0ed4acc791fd1db3e46a58e9523480b479075cceb0b4af41e536d8005125b4bd7c326fbb382a43ec84f0684a5370e8971afde67d795ece00c588642a7892fcf41526cc4b1e724df9aec0bf4df5cad51ac25ae1489416a68ffac146347ee2cb35435ec593275ea486d85885c NAS-Port-Type = Wireless-802.11 NAS-Port = 257 NAS-Port-Id = "257" State = 0x73a410f076ac0568fa17f41fc5620938 NAS-IP-Address = 192.168.0.98 NAS-Identifier = "ap1250" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "dsawcer", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 8 length 143 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS TLS Length 133 [ttls] Length Included [ttls] eaptls_verify returned 11 [ttls] eaptls_process returned 7 [ttls] Session established. Proceeding to decode tunneled attributes. [ttls] Got tunneled request User-Name = "dsaw" MS-CHAP-Challenge = 0x123df4ae238e051b426c24389c668556 MS-CHAP2-Response = 0x6000312af67f4db149fc6001912cb04a532f0000000000000000b1e7d8a8884d8902ff74532fb08057f83298f346bab1896d FreeRADIUS-Proxied-To = 127.0.0.1 [ttls] Sending tunneled request User-Name = "dsaw" MS-CHAP-Challenge = 0x123df4ae238e051b426c24389c668556 MS-CHAP2-Response = 0x6000312af67f4db149fc6001912cb04a532f0000000000000000b1e7d8a8884d8902ff74532fb08057f83298f346bab1896d FreeRADIUS-Proxied-To = 127.0.0.1 server inner-tunnel { +- entering group authorize {...} ++[chap] returns noop [mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap' ++[mschap] returns ok ++[unix] returns notfound [suffix] No '@' in User-Name = "dsaw", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop [files] users: Matched entry dsaw at line 236 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = MSCHAP +- entering group MS-CHAP {...} [mschap] Told to do MS-CHAPv2 for dsaw with NT-Password [mschap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [mschap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [mschap] expand: --username=%{Stripped-User-Name:-%{User-Name:-None}} -> --username=dsaw [mschap] mschap2: 12 [mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=236c06ebf1d2d1cf [mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=b1e7d8a8884d8902ff74532fb08057f83298f346bab1896d [2011/08/29 01:18:16, 0, pid=2301] /SourceCache/samba/samba-235.7/samba/source/utils/ntlm_auth.c:get_winbind_domain(146) could not obtain winbind domain name! Exec-Program output: Reading winbind reply failed! (0xc0000001) Exec-Program-Wait: plaintext: Reading winbind reply failed! (0xc0000001) Exec-Program: returned: 1 [mschap] External script failed. [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject Failed to authenticate the user. } # server inner-tunnel [ttls] Got tunneled reply code 3 MS-CHAP-Error = "`E=691 R=1" [ttls] Got tunneled Access-Reject [eap] Handler failed in EAP/ttls [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> dsawcer attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 6 for 1 seconds Going to the next request Waking up in 0.6 seconds. Sending delayed reject for request 6 Sending Access-Reject of id 7 to 192.168.0.98 port 1645 EAP-Message = 0x04080004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 4.9 seconds. Cleaning up request 6 ID 7 with timestamp +2521 Ready to process requests. -- View this message in context: http://freeradius.1045715.n5.nabble.com/Mac-OXS-Server-version-of-FreeRadius... Sent from the FreeRadius - User mailing list archive at Nabble.com.
participants (3)
-
Alan DeKok -
Arran Cudbard-Bell -
DavidS