Re: FreeRadius 2.1.6 + EAP-PEAP issue
I've now enabled ntdomain in sites-available/inner-tunnel and after that modification, authorization of Vista user succeeded. Thank you very much. I would to like to add MAC address authorization. For this purpose I've added MAC address to users file like this: oreshkin Cleartext-Password := "some_password", Calling-Station-Id == "00-16-EA-8A-DE-38" However authorization failed, the result of /usr/local/sbin/radiusd -fX is provided below. --------------------------------- Ready to process requests. rad_recv: Access-Request packet from host 192.168.14.240 port 1072, id=0, length=235 Message-Authenticator = 0xab90b4e8f45b2157028e895bf7f9ffdc Service-Type = Framed-User User-Name = "csd-notebook\\oreshkin" Framed-MTU = 1488 Called-Station-Id = "00-18-6E-8F-73-40:200901azk71And" Calling-Station-Id = "00-16-EA-8A-DE-38" NAS-Identifier = "3Com Access Point 7760" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0200001a016373642d6e6f7465626f6f6b5c6f726573686b696e NAS-IP-Address = 192.168.14.240 NAS-Port = 1 NAS-Port-Id = "STA port # 1" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "csd-notebook\oreshkin", looking up realm NULL [suffix] Found realm "DEFAULT" [suffix] Adding Stripped-User-Name = "csd-notebook\oreshkin" [suffix] Adding Realm = "DEFAULT" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [ntdomain] Request already proxied. Ignoring. ++[ntdomain] returns ok [eap] EAP packet type response id 0 length 26 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound [files] users: Matched entry DEFAULT at line 159 [files] users: Matched entry DEFAULT at line 178 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 0 to 192.168.14.240 port 1072 Framed-IP-Address = 255.255.255.254 Framed-MTU = 576 Service-Type = Framed-User EAP-Message = 0x010100061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1cd845841cd95ccb36bc9cf89bd12b63 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.14.240 port 1072, id=1, length=359 Message-Authenticator = 0xe9dc83dc1457486ee19d0330fcb4e25e Service-Type = Framed-User User-Name = "csd-notebook\\oreshkin" Framed-MTU = 1488 State = 0x1cd845841cd95ccb36bc9cf89bd12b63 Called-Station-Id = "00-18-6E-8F-73-40:200901azk71And" Calling-Station-Id = "00-16-EA-8A-DE-38" NAS-Identifier = "3Com Access Point 7760" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0201008419800000007a16030100750100007103014a5b3da7091178c5ce612e30c36477888f6351b2a4ec4d31d47d537d05a18634000018002f00350005000ac009c00ac013c0140032003800130004010000300000001a00180000156373642d6e6f7465626f6f6b5c6f726573686b696e000a00080006001700180019000b00020100 NAS-IP-Address = 192.168.14.240 NAS-Port = 1 NAS-Port-Id = "STA port # 1" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "csd-notebook\oreshkin", looking up realm NULL [suffix] Found realm "DEFAULT" [suffix] Adding Stripped-User-Name = "csd-notebook\oreshkin" [suffix] Adding Realm = "DEFAULT" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [ntdomain] Request already proxied. Ignoring. ++[ntdomain] returns ok [eap] EAP packet type response id 1 length 132 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 122 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 0075], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 002a], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 084e], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 1 to 192.168.14.240 port 1072 EAP-Message = 0x0102040019c00000088b160301002a0200002603014a5b3d483bb3aa596d4ba334157d9f6cdf6639eaf9a88abe2eb765ab6255c24a00002f00160301084e0b00084a0008470003a6308203a23082028aa003020102020101300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479 EAP-Message = 0x301e170d3039303632353038343934325a170d3130303632353038343934325a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100afa137c1faa18184c11783fd931dbf08e3b3aab700e05e2d16471c85e470302c6d9db3068b833e463ff3cdaa6b2140447d2b7d151704863ad7439873ea51 EAP-Message = 0xe98c8abecfdd6268e021a8a17fb6966857f052859cef7a6bdcec12d2127ab2bc72c2b785a25f33c61aec0ff80079a53fb35cdbaebbfa29de9b24841a9a6c46a08073d66b09f3149fc840696c56ef61943d5e2679be18fc2733a012e261b9e9e6ae20c7ba01e2c6e4bfb3ce39325000bc51a2230319e4f8b16bffa46deb80631149f3e97333105b307b101958e9b83407c4398deb9cb32f7c23bdba70c091e79258f0c191edd239290beb26d0aaa8adf6f5ece5f633aef45ef0d4fea2c52b56fc39110203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d01010405000382010100973882c5663e2d6b29 EAP-Message = 0xf37acb064274e515f88c05490e81fcb594b8678a665ae9d17134a3e3fdb2df801547f84071730fa696eef58f5c1d73841e52aa2c9a4074cf288ef7158e4f3ae68db182c1798f3da6d86bda0a8a9c54de39f2d94d3e0687a8fa46faedcd36bcc64fd9f2cd74055682782684f674d377c0e2457f5ad4efa4ec460c7527c80769a270128e0a6d12cb79d0bb12fe0a1bb81f6c20b98873ac6718cd0d02ebb7de1cdd720360252cc736c2e84bfe1c87a695dcb7e2b4d982f0736305017d65ec72506bed1578f806479bedc2b5bfa83f0e15ccc03bbe908e734351e5843806e9dcb659b98056909aeed953e9e24d7e0e1f8163deb5f4f5076e5c00049b308204 EAP-Message = 0x973082037fa0030201020201 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1cd845841dda5ccb36bc9cf89bd12b63 Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.14.240 port 1072, id=2, length=233 Message-Authenticator = 0x6e4c448152aff4fd62c9fa4cb4908f2c Service-Type = Framed-User User-Name = "csd-notebook\\oreshkin" Framed-MTU = 1488 State = 0x1cd845841dda5ccb36bc9cf89bd12b63 Called-Station-Id = "00-18-6E-8F-73-40:200901azk71And" Calling-Station-Id = "00-16-EA-8A-DE-38" NAS-Identifier = "3Com Access Point 7760" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x020200061900 NAS-IP-Address = 192.168.14.240 NAS-Port = 1 NAS-Port-Id = "STA port # 1" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "csd-notebook\oreshkin", looking up realm NULL [suffix] Found realm "DEFAULT" [suffix] Adding Stripped-User-Name = "csd-notebook\oreshkin" [suffix] Adding Realm = "DEFAULT" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [ntdomain] Request already proxied. Ignoring. ++[ntdomain] returns ok [eap] EAP packet type response id 2 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 2 to 192.168.14.240 port 1072 EAP-Message = 0x010303fc194000300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3039303632353038343934325a170d3130303632353038343934325a308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d6577 EAP-Message = 0x6865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100a056d1cfe5b95120cfb2ad67638c20cceb3feca1d22665f5d0379648340127cf5ffe26f48f46c04a1132b032d93b7f49417851f2e110fee7b457fbe2f99b47d3389b630dd2f78acf290b4ecb6d43466a19cb17063f1b2a1eefe1e6f34e1b0a20fa92fa17809a58e7120bc1a87db8865230df04775af5e1 EAP-Message = 0x16b46a471819383d8be674378c3d33bdc0a8d6686542a3ba1c32a97249786aea2c38a22a49992fcfaf54806b50415060a433e9dc013696f9c0240657098f46782b1d0536f691d9667f6c153a4d2982cb2f75a3a9ebfa4831caea445f4bff1ae6fe4ad8eec82213b2a20d02dd1b6cb2dc425698f21ede7c2917aa6f103749084b755046bb83a3746e2f0203010001a381f33081f0301d0603551d0e04160414d64b150fdb7f312ac6c3982680da07466046ab9f3081c00603551d230481b83081b58014d64b150fdb7f312ac6c3982680da07466046ab9fa18199a48196308193310b3009060355040613024652310f300d060355040813065261646975 EAP-Message = 0x733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d010104050003820101008d3084a08170518ab145f6969d1e61d2a228d5ffa21a60c154ab30774674df42fb32f5a22dad55d75ef2c7f44c93bb3e52c92763901b1299530780e1f195a85ccbbd78d8b527b3263bfa340a459ac472b90360b4408e11c10e81afbc325c10ec91fa EAP-Message = 0xde231ca42761b9ba Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1cd845841edb5ccb36bc9cf89bd12b63 Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.14.240 port 1072, id=3, length=233 Message-Authenticator = 0x80e476011f2a99d8957c70f5b74469e6 Service-Type = Framed-User User-Name = "csd-notebook\\oreshkin" Framed-MTU = 1488 State = 0x1cd845841edb5ccb36bc9cf89bd12b63 Called-Station-Id = "00-18-6E-8F-73-40:200901azk71And" Calling-Station-Id = "00-16-EA-8A-DE-38" NAS-Identifier = "3Com Access Point 7760" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x020300061900 NAS-IP-Address = 192.168.14.240 NAS-Port = 1 NAS-Port-Id = "STA port # 1" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "csd-notebook\oreshkin", looking up realm NULL [suffix] Found realm "DEFAULT" [suffix] Adding Stripped-User-Name = "csd-notebook\oreshkin" [suffix] Adding Realm = "DEFAULT" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [ntdomain] Request already proxied. Ignoring. ++[ntdomain] returns ok [eap] EAP packet type response id 3 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 3 to 192.168.14.240 port 1072 EAP-Message = 0x010400a51900504fbacfc37f212076882bd7b098391319a08e59fc4d3dee5493579716c999ee20be7eed64f3b465e8ff5b718e9751b2c4ca5d1cd6700ccf0341f6a270aed40707094b7b6c39c78c581fa330b26bfb74042202fde6398f0fa591d0e164f5980d197175a49c7b9769cebfa4eef1f5527383f230b4df20935fa3903e171a05d038c6effefc1bf76e95dd86d637a53fc8ae83bdc13ea56d16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1cd845841fdc5ccb36bc9cf89bd12b63 Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.14.240 port 1072, id=4, length=565 Message-Authenticator = 0x772a2a7cde5ab90adf1339ea4504e5a4 Service-Type = Framed-User User-Name = "csd-notebook\\oreshkin" Framed-MTU = 1488 State = 0x1cd845841fdc5ccb36bc9cf89bd12b63 Called-Station-Id = "00-18-6E-8F-73-40:200901azk71And" Calling-Station-Id = "00-16-EA-8A-DE-38" NAS-Identifier = "3Com Access Point 7760" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0204015019800000014616030101061000010201007e0ad7dd41a084eb878c4e68afb68bf014a9f7c1f3e239845a2d3c683d0e0768d016e78891c09881ee0d7a8e7ce2c36d2eb9bc120fa3f3f00e461919d881829dd800ee1056bcb575feb18dcaa3c737fe5d8dad26192d39ae4b2db88d753420e750780d180f65253a3e72a72e54aeedd754966ed6727bbfb7ea1d07b5e63b5b96477f2ade51a4b385bbf7cf60eb3ea4f2fdddd13d595230ac701c5995c3097270174cbbf06f73b892f450df27c09267dd250fa560e2e09fef12a49588199615e49944cdbc198e99c327b6366201bd2604f6754d8558edb48d38e1becdcdd34da54fb942d5467276a2 EAP-Message = 0x979f449ded68c732c69107cb0cc5831df7865a7b971f99c91403010001011603010030448cc2e576a615f1026d6e6ca6882439eb3bbfe1802a7c536aae7e8a58dd488073b99646cf5ff348715aff4d7636efff NAS-IP-Address = 192.168.14.240 NAS-Port = 1 NAS-Port-Id = "STA port # 1" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "csd-notebook\oreshkin", looking up realm NULL [suffix] Found realm "DEFAULT" [suffix] Adding Stripped-User-Name = "csd-notebook\oreshkin" [suffix] Adding Realm = "DEFAULT" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [ntdomain] Request already proxied. Ignoring. ++[ntdomain] returns ok [eap] EAP packet type response id 4 length 253 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 326 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 4 to 192.168.14.240 port 1072 EAP-Message = 0x01050041190014030100010116030100309b044cc51fa4953a63d076b0bf983a8da597f4a0c74479ca71ebd2d725e0a9175492362068f5b0af5ac669b952d43946 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1cd8458418dd5ccb36bc9cf89bd12b63 Finished request 4. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.14.240 port 1072, id=5, length=233 Message-Authenticator = 0x368d297a7de5efd4ecf20c5609bdeec9 Service-Type = Framed-User User-Name = "csd-notebook\\oreshkin" Framed-MTU = 1488 State = 0x1cd8458418dd5ccb36bc9cf89bd12b63 Called-Station-Id = "00-18-6E-8F-73-40:200901azk71And" Calling-Station-Id = "00-16-EA-8A-DE-38" NAS-Identifier = "3Com Access Point 7760" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x020500061900 NAS-IP-Address = 192.168.14.240 NAS-Port = 1 NAS-Port-Id = "STA port # 1" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "csd-notebook\oreshkin", looking up realm NULL [suffix] Found realm "DEFAULT" [suffix] Adding Stripped-User-Name = "csd-notebook\oreshkin" [suffix] Adding Realm = "DEFAULT" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [ntdomain] Request already proxied. Ignoring. ++[ntdomain] returns ok [eap] EAP packet type response id 5 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS ++[eap] returns handled Sending Access-Challenge of id 5 to 192.168.14.240 port 1072 EAP-Message = 0x0106002b19001703010020c6fb5d7268ec78ef1f9d3671de356278fd67065c9cf012d0c1de36c6afbd70b4 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1cd8458419de5ccb36bc9cf89bd12b63 Finished request 5. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.14.240 port 1072, id=6, length=286 Message-Authenticator = 0x550e2114fae741954504321d47da07bd Service-Type = Framed-User User-Name = "csd-notebook\\oreshkin" Framed-MTU = 1488 State = 0x1cd8458419de5ccb36bc9cf89bd12b63 Called-Station-Id = "00-18-6E-8F-73-40:200901azk71And" Calling-Station-Id = "00-16-EA-8A-DE-38" NAS-Identifier = "3Com Access Point 7760" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0206003b19001703010030805ecc8cfaac3addedb0a50794219e83a270716f48eeb8e60a0c3ab3fed53c5198b105fbb713b908f6f8d93e6d536622 NAS-IP-Address = 192.168.14.240 NAS-Port = 1 NAS-Port-Id = "STA port # 1" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "csd-notebook\oreshkin", looking up realm NULL [suffix] Found realm "DEFAULT" [suffix] Adding Stripped-User-Name = "csd-notebook\oreshkin" [suffix] Adding Realm = "DEFAULT" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [ntdomain] Request already proxied. Ignoring. ++[ntdomain] returns ok [eap] EAP packet type response id 6 length 59 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Identity - csd-notebook\oreshkin [peap] Got tunneled request EAP-Message = 0x0206001a016373642d6e6f7465626f6f6b5c6f726573686b696e server { PEAP: Got tunneled identity of csd-notebook\oreshkin PEAP: Setting default EAP type for tunneled EAP session. PEAP: Setting User-Name to csd-notebook\oreshkin Sending tunneled request EAP-Message = 0x0206001a016373642d6e6f7465626f6f6b5c6f726573686b696e FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "csd-notebook\\oreshkin" server inner-tunnel { +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound [ntdomain] Looking up realm "csd-notebook" for User-Name = "csd-notebook\oreshkin" [ntdomain] Found realm "DEFAULT" [ntdomain] Adding Stripped-User-Name = "oreshkin" [ntdomain] Adding Realm = "DEFAULT" [ntdomain] Authentication realm is LOCAL. ++[ntdomain] returns ok ++[control] returns ok [eap] EAP packet type response id 6 length 26 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry DEFAULT at line 159 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x0107002f1a0107002a100251dc4f5cece54da2b8881378dd444c6373642d6e6f7465626f6f6b5c6f726573686b696e Message-Authenticator = 0x00000000000000000000000000000000 State = 0x86b209f786b51352b3578e7a38b869c7 [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x0107002f1a0107002a100251dc4f5cece54da2b8881378dd444c6373642d6e6f7465626f6f6b5c6f726573686b696e Message-Authenticator = 0x00000000000000000000000000000000 State = 0x86b209f786b51352b3578e7a38b869c7 [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 6 to 192.168.14.240 port 1072 EAP-Message = 0x0107004b1900170301004026664765ea523fba2ed015d3248195d02b335d7579ca0921452aaa563aa2c3a3a50bb02aca55a3cb8db677961421a3580157bbdb57a56a1ac143c69282ad8133 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1cd845841adf5ccb36bc9cf89bd12b63 Finished request 6. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.14.240 port 1072, id=7, length=334 Message-Authenticator = 0x65f839b7d5eac06c3a75e2138584465b Service-Type = Framed-User User-Name = "csd-notebook\\oreshkin" Framed-MTU = 1488 State = 0x1cd845841adf5ccb36bc9cf89bd12b63 Called-Station-Id = "00-18-6E-8F-73-40:200901azk71And" Calling-Station-Id = "00-16-EA-8A-DE-38" NAS-Identifier = "3Com Access Point 7760" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0207006b1900170301006009cf68bc35f1789bb629f7cc6d1dc521f8abe45174ee9ec287237f97a3bad789635c92bc033059ac8e946446e7e0b324748de27694f96a2bf214b2d76e6c826eda7b897c26ed974ed4d2dd73c6c6058942661082dbb9d5a4388f32a96d14348c NAS-IP-Address = 192.168.14.240 NAS-Port = 1 NAS-Port-Id = "STA port # 1" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "csd-notebook\oreshkin", looking up realm NULL [suffix] Found realm "DEFAULT" [suffix] Adding Stripped-User-Name = "csd-notebook\oreshkin" [suffix] Adding Realm = "DEFAULT" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [ntdomain] Request already proxied. Ignoring. ++[ntdomain] returns ok [eap] EAP packet type response id 7 length 107 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x020700431a0207003e31543b42e36c388e9b55a8ddbfeb34b90a0000000000000000e406ca6b04ef491b2ef4d0b1d86507ad62c94c09492ed747006f726573686b696e server { PEAP: Setting User-Name to csd-notebook\oreshkin Sending tunneled request EAP-Message = 0x020700431a0207003e31543b42e36c388e9b55a8ddbfeb34b90a0000000000000000e406ca6b04ef491b2ef4d0b1d86507ad62c94c09492ed747006f726573686b696e FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "csd-notebook\\oreshkin" State = 0x86b209f786b51352b3578e7a38b869c7 server inner-tunnel { +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound [ntdomain] Looking up realm "csd-notebook" for User-Name = "csd-notebook\oreshkin" [ntdomain] Found realm "DEFAULT" [ntdomain] Adding Stripped-User-Name = "oreshkin" [ntdomain] Adding Realm = "DEFAULT" [ntdomain] Authentication realm is LOCAL. ++[ntdomain] returns ok ++[control] returns ok [eap] EAP packet type response id 7 length 67 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry DEFAULT at line 159 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Told to do MS-CHAPv2 for oreshkin with NT-Password [mschap] FAILED: No NT/LM-Password. Cannot perform authentication. [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject [eap] Freeing handler ++[eap] returns reject Failed to authenticate the user. } # server inner-tunnel [peap] Got tunneled reply code 3 MS-CHAP-Error = "\007E=691 R=1" EAP-Message = 0x04070004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Got tunneled reply RADIUS code 3 MS-CHAP-Error = "\007E=691 R=1" EAP-Message = 0x04070004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Tunneled authentication was rejected. [peap] FAILURE ++[eap] returns handled Sending Access-Challenge of id 7 to 192.168.14.240 port 1072 EAP-Message = 0x0108002b19001703010020f53ff8fc7bf5c304bfca89826b65c7d28c735a30e86689c6af72a02d870916b7 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1cd845841bd05ccb36bc9cf89bd12b63 Finished request 7. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.14.240 port 1072, id=8, length=270 Message-Authenticator = 0xd5b9303bee9ed637d8fa83cd14602a75 Service-Type = Framed-User User-Name = "csd-notebook\\oreshkin" Framed-MTU = 1488 State = 0x1cd845841bd05ccb36bc9cf89bd12b63 Called-Station-Id = "00-18-6E-8F-73-40:200901azk71And" Calling-Station-Id = "00-16-EA-8A-DE-38" NAS-Identifier = "3Com Access Point 7760" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0208002b1900170301002054077a731a80335cfc0c20507b5d608c8d3c489203490c87691ccfdcda252bd5 NAS-IP-Address = 192.168.14.240 NAS-Port = 1 NAS-Port-Id = "STA port # 1" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "csd-notebook\oreshkin", looking up realm NULL [suffix] Found realm "DEFAULT" [suffix] Adding Stripped-User-Name = "csd-notebook\oreshkin" [suffix] Adding Realm = "DEFAULT" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [ntdomain] Request already proxied. Ignoring. ++[ntdomain] returns ok [eap] EAP packet type response id 8 length 43 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Received EAP-TLV response. [peap] Had sent TLV failure. User was rejected earlier in this session. [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> csd-notebook\oreshkin attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 8 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 8 Sending Access-Reject of id 8 to 192.168.14.240 port 1072 EAP-Message = 0x04080004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.9 seconds. ------------------------------------------ What's wrong ? Is there any other ways of performing such authorization ? Thanks. On Mon, 13 Jul 2009, Ivan Kalik wrote:
Date: Mon, 13 Jul 2009 12:08:42 +0100 (BST) From: Ivan Kalik <tnt@kalik.net> To: Anatoly Oreshkin <Anatoly.Oreshkin@pnpi.spb.ru> Subject: Re: FreeRadius 2.1.6 + EAP-PEAP issue
I've configured realm DEFAULT in proxy.conf again:
realm DEFAULT { type = radius authhost = LOCAL accthost = LOCAL }
and deleted realm csd-notebook because csd-notebook is notebook name rather than domain name.
Also I 've disabled suffix in sites-available/inner-tunnel
But didn't enable ntdomain there (you have enabled it in default virtual server).
On the other hand, if you configure XP supplicant properly (ie. not to send Windows logon name) you won't need any of this.
Ivan Kalik Kalik Informatika ISP
participants (1)
-
Anatoly Oreshkin