Can't autenticate on ldap with PEAP
Hello, we can't authenticate using ldap on eap/mschapv2, the user exists in the ldap database and with the radtest utility sends a ok reply. Here is a part of the debug using the -X option when we try to validate a user using windows xp
Sorry I forgot to attach the debug text Hi we can't authenticate using ldap on eap/mschapv2, the user exists in the ldap database and with the radtest utility sends a ok reply. Here is a part of the debug using the -X option when we try to validate a user using windows xp: rad_recv: Access-Request packet from host 148.202.51.160 port 1086, id=112, length=131 Message-Authenticator = 0x97c28e8ab9f6a7d26ea3e131759aed76 User-Name = "scar_86" NAS-IP-Address = 148.202.51.160 NAS-Port = 1 NAS-Port-Type = Ethernet Calling-Station-Id = "00-1E-0B-3C-06-73" EAP-Message = 0x0201000c01736361725f3836 Framed-MTU = 1000 Called-Station-Id = "0001F4-78-67-60\0003" NAS-Port-Id = "fe.0.1" +- entering group authorize {...} ++[preprocess] returns ok [suffix] No '@' in User-Name = "scar_86", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [files] users: Matched entry DEFAULT at line 154 ++[files] returns ok ++- entering policy redundant {...} [ldap2] performing user authorization for scar_86 [ldap2] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [ldap2] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=scar_86) [ldap2] expand: ou=People,o=cucea.udg.mx,dc=udg,dc=mx -> ou=People,o=cucea.udg.mx,dc=udg,dc=mx rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=People,o=cucea.udg.mx,dc=udg,dc=mx, with filter (uid=scar_86) request done: ld 0x801266700 msgid 3 [ldap2] Added User-Password = O9ax5ASRUbt17FDIxcrA3s9fEBiHRM5APQxHew== in check items [ldap2] looking for check items in directory... [ldap2] looking for reply items in directory... [ldap2] user scar_86 authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 +++[ldap2] returns ok ++- policy redundant returns ok ++[mschap] returns noop ++[chap] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop [eap] EAP packet type response id 1 length 12 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated Found Auth-Type = LDAP Found Auth-Type = EAP Warning: Found 2 auth-types on request for user 'scar_86' !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! +- entering group authenticate {...} [eap] EAP Identity [eap] processing type md5 rlm_eap_md5: Issuing Challenge ++[eap] returns handled Sending Access-Challenge of id 112 to 148.202.51.160 port 1086 EAP-Message = 0x01020016041062a23d2fafcccc69bfa5a9915148bb77 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xba75f675ba77f2bbd4b5703aa9944e60 Finished request 9. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 148.202.51.160 port 1086, id=113, length=143 Message-Authenticator = 0x8a6eaa3b0522878674c5affe97f6dc2d User-Name = "scar_86" State = 0xba75f675ba77f2bbd4b5703aa9944e60 NAS-IP-Address = 148.202.51.160 NAS-Port = 1 NAS-Port-Type = Ethernet Calling-Station-Id = "00-1E-0B-3C-06-73" Called-Station-Id = "00-01-F4-78-67-60" Framed-MTU = 1000 EAP-Message = 0x020200060319 NAS-Port-Id = "fe.0.1" +- entering group authorize {...} ++[preprocess] returns ok [suffix] No '@' in User-Name = "scar_86", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [files] users: Matched entry DEFAULT at line 154 ++[files] returns ok ++- entering policy redundant {...} [ldap2] performing user authorization for scar_86 [ldap2] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [ldap2] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=scar_86) [ldap2] expand: ou=People,o=cucea.udg.mx,dc=udg,dc=mx -> ou=People,o=cucea.udg.mx,dc=udg,dc=mx rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=People,o=cucea.udg.mx,dc=udg,dc=mx, with filter (uid=scar_86) request done: ld 0x801266700 msgid 4 [ldap2] Added User-Password = O9ax5ASRUbt17FDIxcrA3s9fEBiHRM5APQxHew== in check items [ldap2] looking for check items in directory... [ldap2] looking for reply items in directory... [ldap2] user scar_86 authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 +++[ldap2] returns ok ++- policy redundant returns ok ++[mschap] returns noop ++[chap] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop [eap] EAP packet type response id 2 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated Found Auth-Type = LDAP Found Auth-Type = EAP Warning: Found 2 auth-types on request for user 'scar_86' !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP NAK [eap] EAP-NAK asked for EAP-Type/peap [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 113 to 148.202.51.160 port 1086 EAP-Message = 0x010300061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xba75f675bb76efbbd4b5703aa9944e60 Finished request 10. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 148.202.51.160 port 1086, id=114, length=217 Message-Authenticator = 0x5274d88c238f6343c10fa80d4a490641 User-Name = "scar_86" State = 0xba75f675bb76efbbd4b5703aa9944e60 NAS-IP-Address = 148.202.51.160 NAS-Port = 1 NAS-Port-Type = Ethernet Calling-Station-Id = "00-1E-0B-3C-06-73" Called-Station-Id = "00-01-F4-78-67-60" Framed-MTU = 1000 EAP-Message = 0x0203005019800000004616030100410100003d03014ab3d5986ba9727b25a00ded65d5d2b8b03f5302a4e89049e1db65d516731d7e00001600040005000a000900640062000300060013001200630100 NAS-Port-Id = "fe.0.1" +- entering group authorize {...} ++[preprocess] returns ok [suffix] No '@' in User-Name = "scar_86", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [files] users: Matched entry DEFAULT at line 154 ++[files] returns ok ++- entering policy redundant {...} [ldap2] performing user authorization for scar_86 [ldap2] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [ldap2] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=scar_86) [ldap2] expand: ou=People,o=cucea.udg.mx,dc=udg,dc=mx -> ou=People,o=cucea.udg.mx,dc=udg,dc=mx rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=People,o=cucea.udg.mx,dc=udg,dc=mx, with filter (uid=scar_86) request done: ld 0x801266700 msgid 5 [ldap2] Added User-Password = O9ax5ASRUbt17FDIxcrA3s9fEBiHRM5APQxHew== in check items [ldap2] looking for check items in directory... [ldap2] looking for reply items in directory... [ldap2] user scar_86 authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 +++[ldap2] returns ok ++- policy redundant returns ok ++[mschap] returns noop ++[chap] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop [eap] EAP packet type response id 3 length 80 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = LDAP Found Auth-Type = EAP Warning: Found 2 auth-types on request for user 'scar_86' !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 70 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 0041], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 002a], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 085e], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 114 to 148.202.51.160 port 1086 EAP-Message = 0x010403e419c00000089b160301002a0200002603014ab3d5cfbadbd984c6353c5eb2d828e9c532075d74fbd895175d4cd88295355500000400160301085e0b00085a0008570003a6308203a23082028aa003020102020101300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479 EAP-Message = 0x301e170d3039303931343134353235365a170d3130303931343134353235365a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100b8ffbd15e46e10f5ea8b63bddfaa551e55dcbf1e0801757fb9607ec0513fb58fd56980e37ee722a8d0d98b5fa960c5cf7c0ef3e2ca2f8f4e66b4d75b5565 EAP-Message = 0xd4f982870e4e57e23bcabc42de0d6356e7b0014fed8a1446f2f70fef84ba952b86947688324b5500cf71bf95a5c187772abbd78351a2cc120ef9236607516271cfcb4a94e7b1d77f18d54dca0ccc63bfef1f9ab2c0dd89dbb1d94c5f8b5e0f73d042ada31aea777be2d351cb6d61a08521146e508af10f167c8eb5e530db7ac79207dbbc00100c913e2e659b740ccebb2ee21722103d3bd92b51625b047cfcb89c6d62008f72e04269ea5b39b95a83ef3fe8e72d5feab53aadc1c38f132eec057a7f0203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d0101040500038201010074ad95c7e8b4b77637 EAP-Message = 0xd175b7d0b58d35142f3d9e9847f5e52e0b7aca9f887737ecd70f7a92c1bcf8666e501b1f3b9f4616b1bd7b2a0d47e382ad138db2333e099f637ab73c22fb37138908d7d967e3af2ee49a30d1230dda53d7cdd1103652eb2324ad79726f71effd975bf401806e1e72c70dec2a672ed7ea769cd3120658b2897d6b75a9d370ae8af2651972d663ed13e28a437d3d73e6cdadde2b4776bab27368fa43b41e51fd835118b1f5af5d20be2b4a32812464ea54c345927d17a845ad1cab21159e52477b5d62357a484f673cb012711cbcdfd25ddd7a44c3706079ac0cea6e8c37ca3deea3344f717e8a27106c737a3348 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xba75f675b871efbbd4b5703aa9944e60 Finished request 11. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 148.202.51.160 port 1086, id=115, length=143 Message-Authenticator = 0x67f3bfd91c67c4afa33b73803a9e3eaf User-Name = "scar_86" State = 0xba75f675b871efbbd4b5703aa9944e60 NAS-IP-Address = 148.202.51.160 NAS-Port = 1 NAS-Port-Type = Ethernet Calling-Station-Id = "00-1E-0B-3C-06-73" Called-Station-Id = "00-01-F4-78-67-60" Framed-MTU = 1000 EAP-Message = 0x020400061900 NAS-Port-Id = "fe.0.1" +- entering group authorize {...} ++[preprocess] returns ok [suffix] No '@' in User-Name = "scar_86", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [files] users: Matched entry DEFAULT at line 154 ++[files] returns ok ++- entering policy redundant {...} [ldap2] performing user authorization for scar_86 [ldap2] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [ldap2] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=scar_86) [ldap2] expand: ou=People,o=cucea.udg.mx,dc=udg,dc=mx -> ou=People,o=cucea.udg.mx,dc=udg,dc=mx rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=People,o=cucea.udg.mx,dc=udg,dc=mx, with filter (uid=scar_86) request done: ld 0x801266700 msgid 6 [ldap2] Added User-Password = O9ax5ASRUbt17FDIxcrA3s9fEBiHRM5APQxHew== in check items [ldap2] looking for check items in directory... [ldap2] looking for reply items in directory... [ldap2] user scar_86 authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 +++[ldap2] returns ok ++- policy redundant returns ok ++[mschap] returns noop ++[chap] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop [eap] EAP packet type response id 4 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = LDAP Found Auth-Type = EAP Warning: Found 2 auth-types on request for user 'scar_86' !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 115 to 148.202.51.160 port 1086 EAP-Message = 0x010503e01940f212386f08a5ab720cd90004ab308204a73082038fa003020102020900eb2e03c2a13fe16e300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3039303931343134353235365a170d3130303931343134353235365a308193310b3009060355040613 EAP-Message = 0x024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100ca744131bbd5fc261d372728741022a981a5c538b1a5f109aadd62dfa26690d1a3f09a78335d354881e24fd1e42a2b4ca47b70084fd33f833b13c5717e5bb73b5e5543261e1b7ef63b8d1a612a3f54d63dccb5 EAP-Message = 0x3d0ca12858308eda1b24093e535d19843d1a42bd23aedf52f8200907d7cab23f41685884cc742e1919dd5327a6933d4fd2dcbd49490ba887be9869f4a2da8425765045b66e66cdc0e587dfe8c4030fb526d6aab3f94d36d7644e31f373239760b0ae6bac4bb0047199faa55e05613b74a79ab92389bc14f801683489324aed4a1327b8f8f108172624eca5a87ec4ef408a178cec6d606238ee1c3cc6ade04fe3dea8b70708c54c81e171a732290203010001a381fb3081f8301d0603551d0e0416041431033064bcc1be510209bca4145c6e0be66af8473081c80603551d230481c03081bd801431033064bcc1be510209bca4145c6e0be66af847a181 EAP-Message = 0x99a48196308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479820900eb2e03c2a13fe16e300c0603551d13040530030101ff300d06092a864886f70d010105050003820101003bf05821afecf65b925c8399ae640dda397577f3658d220ab66c8cb2874530979d6d Message-Authenticator = 0x00000000000000000000000000000000 State = 0xba75f675b970efbbd4b5703aa9944e60 Finished request 12. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 148.202.51.160 port 1086, id=116, length=143 Message-Authenticator = 0x1a8b5245a61bc3d7981b6f501b7f9b97 User-Name = "scar_86" State = 0xba75f675b970efbbd4b5703aa9944e60 NAS-IP-Address = 148.202.51.160 NAS-Port = 1 NAS-Port-Type = Ethernet Calling-Station-Id = "00-1E-0B-3C-06-73" Called-Station-Id = "00-01-F4-78-67-60" Framed-MTU = 1000 EAP-Message = 0x020500061900 NAS-Port-Id = "fe.0.1" +- entering group authorize {...} ++[preprocess] returns ok [suffix] No '@' in User-Name = "scar_86", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [files] users: Matched entry DEFAULT at line 154 ++[files] returns ok ++- entering policy redundant {...} [ldap2] performing user authorization for scar_86 [ldap2] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [ldap2] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=scar_86) [ldap2] expand: ou=People,o=cucea.udg.mx,dc=udg,dc=mx -> ou=People,o=cucea.udg.mx,dc=udg,dc=mx rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=People,o=cucea.udg.mx,dc=udg,dc=mx, with filter (uid=scar_86) request done: ld 0x801266700 msgid 7 [ldap2] Added User-Password = O9ax5ASRUbt17FDIxcrA3s9fEBiHRM5APQxHew== in check items [ldap2] looking for check items in directory... [ldap2] looking for reply items in directory... [ldap2] user scar_86 authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 +++[ldap2] returns ok ++- policy redundant returns ok ++[mschap] returns noop ++[chap] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop [eap] EAP packet type response id 5 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = LDAP Found Auth-Type = EAP Warning: Found 2 auth-types on request for user 'scar_86' !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 116 to 148.202.51.160 port 1086 EAP-Message = 0x010600ed1900301f5365506830c461df3d539d96513b34043d4d9bf09f2572f8a837297e2abf9328fb0e39ef920f6d72b1be2a3ad75de80140e5afe0d8d8f629556cbc7860cc61f2a211059ac95524261e59a467719a9dbf6ebb4def56d3d8972d162940ec42dc62f43eb6b6da99839875c198df22b91d88f877359867d550edf9ed3095fde1092a2b82bac94d22959a5a2875683b868e5ed6e84ddf836c4bb73ab88aca0030093e419bde2ddcb8103f7a2598cf1d185c1ab016e09695f5744b6946fe666ca73ce3558a0139291c43bf9124721ba91437c71cf3e6fb8643c981169ddee116030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xba75f675be73efbbd4b5703aa9944e60 Finished request 13. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 148.202.51.160 port 1086, id=117, length=459 Message-Authenticator = 0x8581437b3f6d5238fbbd62f1e64038f2 User-Name = "scar_86" State = 0xba75f675be73efbbd4b5703aa9944e60 NAS-IP-Address = 148.202.51.160 NAS-Port = 1 NAS-Port-Type = Ethernet Calling-Station-Id = "00-1E-0B-3C-06-73" Called-Station-Id = "00-01-F4-78-67-60" Framed-MTU = 1000 EAP-Message = 0x020601401980000001361603010106100001020100aee803b843f7db475fc87e0bf494c4257cbd206d8df31756119b04823c902bc2622aad590eb1bf052120c439501799b14672a942abdefd5223a6217fb5b28112cd938d5d9c999386117774ca26d73588d6dd26bbe0541963da972977c178be62b0312fc5fadf3f950ffcd535be76495ec857791edfd008fea7f0266681e5da7201ca77f9b83e2e6830179e450a9dcc23a67f8a2790152fc277a4e5a52f6e3d7be56bc72e1eedcd1619388599f9cdc451305f3fa3e1f26d171c274f2609a09c00dc74a219cf7a019a701bcd3c60e995ad1c586642570ecc6dd77f95f90192ce3e5fe2cd053efe0a05 EAP-Message = 0x320c64d018122709341135434c259d41f0cf3e2ddf2113a11403010001011603010020ee256a74c55ea3574ada47b6a0747a226d1f0678fc6d114901798dd959c35738 NAS-Port-Id = "fe.0.1" +- entering group authorize {...} ++[preprocess] returns ok [suffix] No '@' in User-Name = "scar_86", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [files] users: Matched entry DEFAULT at line 154 ++[files] returns ok ++- entering policy redundant {...} [ldap2] performing user authorization for scar_86 [ldap2] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [ldap2] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=scar_86) [ldap2] expand: ou=People,o=cucea.udg.mx,dc=udg,dc=mx -> ou=People,o=cucea.udg.mx,dc=udg,dc=mx rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=People,o=cucea.udg.mx,dc=udg,dc=mx, with filter (uid=scar_86) request done: ld 0x801266700 msgid 8 [ldap2] Added User-Password = O9ax5ASRUbt17FDIxcrA3s9fEBiHRM5APQxHew== in check items [ldap2] looking for check items in directory... [ldap2] looking for reply items in directory... [ldap2] user scar_86 authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 +++[ldap2] returns ok ++- policy redundant returns ok ++[mschap] returns noop ++[chap] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop [eap] EAP packet type response id 6 length 253 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = LDAP Found Auth-Type = EAP Warning: Found 2 auth-types on request for user 'scar_86' !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 310 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 117 to 148.202.51.160 port 1086 EAP-Message = 0x0107003119001403010001011603010020a53c9687739240bbeeb29a74e27519f5b614c5b10b4915514c03b35069e3d665 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xba75f675bf72efbbd4b5703aa9944e60 Finished request 14. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 148.202.51.160 port 1086, id=118, length=143 Message-Authenticator = 0x66e1f9efe9a786e05ac9074cd0b9683a User-Name = "scar_86" State = 0xba75f675bf72efbbd4b5703aa9944e60 NAS-IP-Address = 148.202.51.160 NAS-Port = 1 NAS-Port-Type = Ethernet Calling-Station-Id = "00-1E-0B-3C-06-73" Called-Station-Id = "00-01-F4-78-67-60" Framed-MTU = 1000 EAP-Message = 0x020700061900 NAS-Port-Id = "fe.0.1" +- entering group authorize {...} ++[preprocess] returns ok [suffix] No '@' in User-Name = "scar_86", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [files] users: Matched entry DEFAULT at line 154 ++[files] returns ok ++- entering policy redundant {...} [ldap2] performing user authorization for scar_86 [ldap2] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [ldap2] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=scar_86) [ldap2] expand: ou=People,o=cucea.udg.mx,dc=udg,dc=mx -> ou=People,o=cucea.udg.mx,dc=udg,dc=mx rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=People,o=cucea.udg.mx,dc=udg,dc=mx, with filter (uid=scar_86) request done: ld 0x801266700 msgid 9 [ldap2] Added User-Password = O9ax5ASRUbt17FDIxcrA3s9fEBiHRM5APQxHew== in check items [ldap2] looking for check items in directory... [ldap2] looking for reply items in directory... [ldap2] user scar_86 authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 +++[ldap2] returns ok ++- policy redundant returns ok ++[mschap] returns noop ++[chap] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop [eap] EAP packet type response id 7 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = LDAP Found Auth-Type = EAP Warning: Found 2 auth-types on request for user 'scar_86' !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS ++[eap] returns handled Sending Access-Challenge of id 118 to 148.202.51.160 port 1086 EAP-Message = 0x01080020190017030100151222976e703d88d92884f88872bdbb57e5387883e2 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xba75f675bc7defbbd4b5703aa9944e60 Finished request 15. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 148.202.51.160 port 1086, id=119, length=172 Message-Authenticator = 0x50c118893598a2a236cfe6f3239d6078 User-Name = "scar_86" State = 0xba75f675bc7defbbd4b5703aa9944e60 NAS-IP-Address = 148.202.51.160 NAS-Port = 1 NAS-Port-Type = Ethernet Calling-Station-Id = "00-1E-0B-3C-06-73" Called-Station-Id = "00-01-F4-78-67-60" Framed-MTU = 1000 EAP-Message = 0x02080023190017030100188983ca8bcfe1a0798b214163d4b3d647ae3711f4590efe66 NAS-Port-Id = "fe.0.1" +- entering group authorize {...} ++[preprocess] returns ok [suffix] No '@' in User-Name = "scar_86", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [files] users: Matched entry DEFAULT at line 154 ++[files] returns ok ++- entering policy redundant {...} [ldap2] performing user authorization for scar_86 [ldap2] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [ldap2] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=scar_86) [ldap2] expand: ou=People,o=cucea.udg.mx,dc=udg,dc=mx -> ou=People,o=cucea.udg.mx,dc=udg,dc=mx rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=People,o=cucea.udg.mx,dc=udg,dc=mx, with filter (uid=scar_86) request done: ld 0x801266700 msgid 10 [ldap2] Added User-Password = O9ax5ASRUbt17FDIxcrA3s9fEBiHRM5APQxHew== in check items [ldap2] looking for check items in directory... [ldap2] looking for reply items in directory... [ldap2] user scar_86 authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 +++[ldap2] returns ok ++- policy redundant returns ok ++[mschap] returns noop ++[chap] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop [eap] EAP packet type response id 8 length 35 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = LDAP Found Auth-Type = EAP Warning: Found 2 auth-types on request for user 'scar_86' !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Identity - scar_86 [peap] Got tunneled request EAP-Message = 0x0208000c01736361725f3836 server { PEAP: Got tunneled identity of scar_86 PEAP: Setting default EAP type for tunneled EAP session. PEAP: Setting User-Name to scar_86 Sending tunneled request EAP-Message = 0x0208000c01736361725f3836 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "scar_86" NAS-IP-Address = 148.202.51.160 NAS-Port = 1 NAS-Port-Type = Ethernet Calling-Station-Id = "00-1E-0B-3C-06-73" Called-Station-Id = "00-01-F4-78-67-60" Framed-MTU = 1000 NAS-Port-Id = "fe.0.1" server { +- entering group authorize {...} ++[preprocess] returns ok [suffix] No '@' in User-Name = "scar_86", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [files] users: Matched entry DEFAULT at line 154 ++[files] returns ok ++- entering policy redundant {...} [ldap2] performing user authorization for scar_86 [ldap2] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [ldap2] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=scar_86) [ldap2] expand: ou=People,o=cucea.udg.mx,dc=udg,dc=mx -> ou=People,o=cucea.udg.mx,dc=udg,dc=mx rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=People,o=cucea.udg.mx,dc=udg,dc=mx, with filter (uid=scar_86) request done: ld 0x801266700 msgid 11 [ldap2] Added User-Password = O9ax5ASRUbt17FDIxcrA3s9fEBiHRM5APQxHew== in check items [ldap2] looking for check items in directory... [ldap2] looking for reply items in directory... [ldap2] user scar_86 authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 +++[ldap2] returns ok ++- policy redundant returns ok ++[mschap] returns noop ++[chap] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop [eap] EAP packet type response id 8 length 12 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated Found Auth-Type = LDAP Found Auth-Type = EAP Warning: Found 2 auth-types on request for user 'scar_86' !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! +- entering group authenticate {...} [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled } # server [peap] Got tunneled reply code 11 EAP-Message = 0x010900211a0109001c10fd6aa46fcf6fd8477fe5c56c175259a6736361725f3836 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x6b4b38406b42229cebefc546f28a70e2 [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x010900211a0109001c10fd6aa46fcf6fd8477fe5c56c175259a6736361725f3836 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x6b4b38406b42229cebefc546f28a70e2 [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 119 to 148.202.51.160 port 1086 EAP-Message = 0x010900381900170301002d280f4794bebf85c808822dbb97fdb82eb964aad6315923b1af106bd42548cf5f38bec30a0447d17afa47874749 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xba75f675bd7cefbbd4b5703aa9944e60 Finished request 16. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 148.202.51.160 port 1086, id=120, length=226 Message-Authenticator = 0xc33c461c0140487835c2c631aab41e3c User-Name = "scar_86" State = 0xba75f675bd7cefbbd4b5703aa9944e60 NAS-IP-Address = 148.202.51.160 NAS-Port = 1 NAS-Port-Type = Ethernet Calling-Station-Id = "00-1E-0B-3C-06-73" Called-Station-Id = "00-01-F4-78-67-60" Framed-MTU = 1000 EAP-Message = 0x020900591900170301004e26bf32671101588790902b779d47bd74ccb4f5c3cdd6a20230797c28f01ea3bb2bedcf144334514f2d1e2bcb0a71206c8d3a97cdd060bff11f6a7335ee80c45bff2cf10b16f27b7155905a23a0fd NAS-Port-Id = "fe.0.1" +- entering group authorize {...} ++[preprocess] returns ok [suffix] No '@' in User-Name = "scar_86", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [files] users: Matched entry DEFAULT at line 154 ++[files] returns ok ++- entering policy redundant {...} [ldap2] performing user authorization for scar_86 [ldap2] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [ldap2] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=scar_86) [ldap2] expand: ou=People,o=cucea.udg.mx,dc=udg,dc=mx -> ou=People,o=cucea.udg.mx,dc=udg,dc=mx rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=People,o=cucea.udg.mx,dc=udg,dc=mx, with filter (uid=scar_86) request done: ld 0x801266700 msgid 12 [ldap2] Added User-Password = O9ax5ASRUbt17FDIxcrA3s9fEBiHRM5APQxHew== in check items [ldap2] looking for check items in directory... [ldap2] looking for reply items in directory... [ldap2] user scar_86 authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 +++[ldap2] returns ok ++- policy redundant returns ok ++[mschap] returns noop ++[chap] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop [eap] EAP packet type response id 9 length 89 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = LDAP Found Auth-Type = EAP Warning: Found 2 auth-types on request for user 'scar_86' !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x020900421a0209003d31100c22dd7513471362d5c79a479f3e890000000000000000d0bb4f51f243ed0e2d84a9dd7a850f273f760b25ee6304bd00736361725f3836 server { PEAP: Setting User-Name to scar_86 Sending tunneled request EAP-Message = 0x020900421a0209003d31100c22dd7513471362d5c79a479f3e890000000000000000d0bb4f51f243ed0e2d84a9dd7a850f273f760b25ee6304bd00736361725f3836 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "scar_86" State = 0x6b4b38406b42229cebefc546f28a70e2 NAS-IP-Address = 148.202.51.160 NAS-Port = 1 NAS-Port-Type = Ethernet Calling-Station-Id = "00-1E-0B-3C-06-73" Called-Station-Id = "00-01-F4-78-67-60" Framed-MTU = 1000 NAS-Port-Id = "fe.0.1" server { +- entering group authorize {...} ++[preprocess] returns ok [suffix] No '@' in User-Name = "scar_86", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [files] users: Matched entry DEFAULT at line 154 ++[files] returns ok ++- entering policy redundant {...} [ldap2] performing user authorization for scar_86 [ldap2] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [ldap2] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=scar_86) [ldap2] expand: ou=People,o=cucea.udg.mx,dc=udg,dc=mx -> ou=People,o=cucea.udg.mx,dc=udg,dc=mx rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=People,o=cucea.udg.mx,dc=udg,dc=mx, with filter (uid=scar_86) request done: ld 0x801266700 msgid 13 [ldap2] Added User-Password = O9ax5ASRUbt17FDIxcrA3s9fEBiHRM5APQxHew== in check items [ldap2] looking for check items in directory... [ldap2] looking for reply items in directory... [ldap2] user scar_86 authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 +++[ldap2] returns ok ++- policy redundant returns ok ++[mschap] returns noop ++[chap] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop [eap] EAP packet type response id 9 length 66 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated Found Auth-Type = LDAP Found Auth-Type = EAP Warning: Found 2 auth-types on request for user 'scar_86' !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] +- entering group MS-CHAP {...} [mschap] Told to do MS-CHAPv2 for scar_86 with NT-Password [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject [eap] Freeing handler ++[eap] returns reject Failed to authenticate the user. Login incorrect: [scar_86] (from client switch port 1 cli 00-1E-0B-3C-06-73 via TLS tunnel) } # server [peap] Got tunneled reply code 3 MS-CHAP-Error = "\tE=691 R=1" EAP-Message = 0x04090004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Got tunneled reply RADIUS code 3 MS-CHAP-Error = "\tE=691 R=1" EAP-Message = 0x04090004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Tunneled authentication was rejected. [peap] FAILURE ++[eap] returns handled Sending Access-Challenge of id 120 to 148.202.51.160 port 1086 EAP-Message = 0x010a00261900170301001b9dbb2123ee77d681a5d849eb35d1d86e12a35273c62292acb1f7a7 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xba75f675b27fefbbd4b5703aa9944e60 Finished request 17. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 148.202.51.160 port 1086, id=121, length=175 Message-Authenticator = 0xa04268f26dadb9311c67440e9df3c553 User-Name = "scar_86" State = 0xba75f675b27fefbbd4b5703aa9944e60 NAS-IP-Address = 148.202.51.160 NAS-Port = 1 NAS-Port-Type = Ethernet Calling-Station-Id = "00-1E-0B-3C-06-73" Called-Station-Id = "00-01-F4-78-67-60" Framed-MTU = 1000 EAP-Message = 0x020a00261900170301001bbe6175faee9b978716a66a81f0fdbf6207d115d97dbbd8e384c381 NAS-Port-Id = "fe.0.1" +- entering group authorize {...} ++[preprocess] returns ok [suffix] No '@' in User-Name = "scar_86", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [files] users: Matched entry DEFAULT at line 154 ++[files] returns ok ++- entering policy redundant {...} [ldap2] performing user authorization for scar_86 [ldap2] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [ldap2] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=scar_86) [ldap2] expand: ou=People,o=cucea.udg.mx,dc=udg,dc=mx -> ou=People,o=cucea.udg.mx,dc=udg,dc=mx rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=People,o=cucea.udg.mx,dc=udg,dc=mx, with filter (uid=scar_86) request done: ld 0x801266700 msgid 14 [ldap2] Added User-Password = O9ax5ASRUbt17FDIxcrA3s9fEBiHRM5APQxHew== in check items [ldap2] looking for check items in directory... [ldap2] looking for reply items in directory... [ldap2] user scar_86 authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 +++[ldap2] returns ok ++- policy redundant returns ok ++[mschap] returns noop ++[chap] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop [eap] EAP packet type response id 10 length 38 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = LDAP Found Auth-Type = EAP Warning: Found 2 auth-types on request for user 'scar_86' !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Received EAP-TLV response. [peap] Had sent TLV failure. User was rejected earlier in this session. [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Login incorrect: [scar_86] (from client switch port 1 cli 00-1E-0B-3C-06-73) Delaying reject of request 18 for 1 seconds Going to the next request Waking up in 0.9 seconds.
Hello, we can't authenticate using ldap on eap/mschapv2, the user exists in the ldap database and with the radtest utility sends a ok reply. Here is a part of the debug using the -X option when we try to validate a user using windows xp
1. You can't use ldap authentication with peap: http://deployingradius.com/documents/protocols/oracles.html 2. You can't use encrypted password (on top of that without the header) with peap: http://deployingradius.com/documents/protocols/compatibility.html Ivan Kalik Kalik Informatika ISP
participants (2)
-
Ivan Kalik -
Oscar Pacheco