Hello Gurus. Apologies if this mail arrives twice, the first time i did send it (05/Jul/08), nothing showed on the list nor the archive. I'm new to freeradius 2.0.5, compiled it from sources and installed on CentOS v5.0, xp sp2 clients authenticate without problems with PEAP, but xp sp3 don't. I've searched the entire list, but none reference to xp sp3. Has anybody achieved to authenticate xp sp3 with default 802.1x client to freeradius ? Haven't yet tried Vista, but suspect will have the same problem..... This is the log: Best regards. Oxiel [root@radius ~]# radiusd -X FreeRADIUS Version 2.0.5, for host x86_64-redhat-linux-gnu, built on Jul 5 2008 at 10:14:20 Copyright (C) 1999-2008 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /etc/raddb/radiusd.conf including configuration file /etc/raddb/proxy.conf including configuration file /etc/raddb/clients.conf including configuration file /etc/raddb/snmp.conf including files in directory /etc/raddb/modules/ including configuration file /etc/raddb/modules/files including configuration file /etc/raddb/modules/ippool including configuration file /etc/raddb/modules/mac2vlan including configuration file /etc/raddb/modules/pam including configuration file /etc/raddb/modules/smbpasswd including configuration file /etc/raddb/modules/acct_unique including configuration file /etc/raddb/modules/sradutmp including configuration file /etc/raddb/modules/expiration including configuration file /etc/raddb/modules/passwd including configuration file /etc/raddb/modules/logintime including configuration file /etc/raddb/modules/radutmp including configuration file /etc/raddb/modules/attr_filter including configuration file /etc/raddb/modules/ldap including configuration file /etc/raddb/modules/sql_log including configuration file /etc/raddb/modules/expr including configuration file /etc/raddb/modules/attr_rewrite including configuration file /etc/raddb/modules/unix including configuration file /etc/raddb/modules/policy including configuration file /etc/raddb/modules/mac2ip including configuration file /etc/raddb/modules/mschap including configuration file /etc/raddb/modules/echo including configuration file /etc/raddb/modules/detail.log including configuration file /etc/raddb/modules/digest including configuration file /etc/raddb/modules/krb5 including configuration file /etc/raddb/modules/counter including configuration file /etc/raddb/modules/realm including configuration file /etc/raddb/modules/detail including configuration file /etc/raddb/modules/checkval including configuration file /etc/raddb/modules/pap including configuration file /etc/raddb/modules/preprocess including configuration file /etc/raddb/modules/etc_group including configuration file /etc/raddb/modules/always including configuration file /etc/raddb/modules/chap including configuration file /etc/raddb/modules/exec including configuration file /etc/raddb/eap.conf including configuration file /etc/raddb/sql.conf including configuration file /etc/raddb/sql/mysql/dialup.conf including configuration file /etc/raddb/sql/mysql/counter.conf including configuration file /etc/raddb/policy.conf including files in directory /etc/raddb/sites-enabled/ including configuration file /etc/raddb/sites-enabled/default including configuration file /etc/raddb/sites-enabled/inner-tunnel group = radiusd user = radiusd including dictionary file /etc/raddb/dictionary main { prefix = "/usr" localstatedir = "/var" logdir = "/var/log/radius" libdir = "/usr/lib64" radacctdir = "/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 allow_core_dumps = no pidfile = "/var/run/radiusd/radiusd.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no } } client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" nastype = "other" } client 192.168.100.245 { require_message_authenticator = no secret = "secreto" shortname = "192.168.100.245" } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 zombie_period = 40 status_check = "status-server" ping_check = "none" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating exec exec { wait = no input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating expr Module: Linked to module rlm_expiration Module: Instantiating expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server inner-tunnel { modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating chap Module: Linked to module rlm_mschap Module: Instantiating mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = yes ntlm_auth = "/usr/bin/ntlm_auth --username=%{mschap:User-Name} --request-nt-key --domain=%{mschap:NT-Domain} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" } Module: Linked to module rlm_unix Module: Instantiating unix unix { radwtmp = "/var/log/radius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating eap eap { default_eap_type = "peap" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 pem_file_type = yes private_key_file = "/etc/raddb/certs/cert-srv.pem" certificate_file = "/etc/raddb/certs/cert-srv.pem" CA_file = "/etc/raddb/certs/demoCA/cacert.pem" private_key_password = "*l4Pr0.14" dh_file = "/etc/raddb/certs/dh" random_file = "/dev/urandom" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" } WARNING: rlm_eap_tls: Unable to set DH parameters. DH cipher suites may not work! WARNING: Fix this by running the OpenSSL command listed in eap.conf Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = yes proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_realm Module: Instantiating suffix realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating files files { usersfile = "/etc/raddb/users" acctusersfile = "/etc/raddb/acct_users" preproxy_usersfile = "/etc/raddb/preproxy_users" compat = "no" } Module: Checking session {...} for more modules to load Module: Linked to module rlm_radutmp Module: Instantiating radutmp radutmp { filename = "/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Linked to module rlm_attr_filter Module: Instantiating attr_filter.access_reject attr_filter attr_filter.access_reject { attrsfile = "/etc/raddb/attrs.access_reject" key = "%{User-Name}" } } } server { modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating preprocess preprocess { huntgroups = "/etc/raddb/huntgroups" hints = "/etc/raddb/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating detail detail { detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Instantiating attr_filter.accounting_response attr_filter attr_filter.accounting_response { attrsfile = "/etc/raddb/attrs.accounting_response" key = "%{User-Name}" } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } } radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on proxy address * port 1814 Ready to process requests. rad_recv: Accounting-Request packet from host 192.168.100.245 port 5001, id=218, length=286 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "2" User-Name = "COSMART\\jat" NAS-Identifier = "001cc5363882" NAS-Port = 268439554 NAS-Port-Id = "unit=1;subslot=0;port=1;vlanid=2" NAS-Port-Type = Ethernet Calling-Station-Id = "0050-bac5-dfa5" Acct-Status-Type = Stop Acct-Authentic = RADIUS Acct-Session-Id = "110500010555d" NAS-IP-Address = 192.168.100.245 Event-Timestamp = "Jan 1 2005 01:57:37 BOT" Acct-Session-Time = 119 Acct-Delay-Time = 39 Acct-Input-Octets = 3232 Acct-Input-Packets = 43 Acct-Output-Octets = 8326 Acct-Output-Packets = 71 Acct-Input-Gigawords = 0 Acct-Output-Gigawords = 0 Acct-Terminate-Cause = Lost-Carrier 3Com-Connect_Id = 81 3com-Attr-29 = 0x00000000 3Com-VLAN-Name = "\000\000\000\000" 3Com-Encryption-Type = "\000\000\000\000" 3Com-Time-Of-Day = "\000\000\000\000" 3com-Attr-22 = 0x00000000 3Com-Ip-Host-Addr = "0.0.0.0 00:50:ba:c5:df:a5" +- entering group preacct ++[preprocess] returns ok rlm_acct_unique: Hashing 'NAS-Port = 268439554,Client-IP-Address = 192.168.100.245,NAS-IP-Address = 192.168.100.245,Acct-Session-Id = "110500010555d",User-Name = "COSMART\\jat"' rlm_acct_unique: Acct-Unique-Session-ID = "ea36fd6add7d8838". ++[acct_unique] returns ok rlm_realm: No '@' in User-Name = "COSMART\jat", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop ++[files] returns noop +- entering group accounting expand: /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d -> /var/log/radius/radacct/192.168.100.245/detail-20080705 rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/radius/radacct/192.168.100.245/detail-20080705 expand: %t -> Sat Jul 5 14:30:23 2008 ++[detail] returns ok ++[unix] returns ok expand: /var/log/radius/radutmp -> /var/log/radius/radutmp expand: %{User-Name} -> COSMART\jat ++[radutmp] returns ok expand: %{User-Name} -> COSMART\jat attr_filter: Matched entry DEFAULT at line 12 ++[attr_filter.accounting_response] returns updated Sending Accounting-Response of id 218 to 192.168.100.245 port 5001 Finished request 0. Cleaning up request 0 ID 218 with timestamp +2 Going to the next request Ready to process requests. rad_recv: Access-Request packet from host 192.168.100.245 port 5001, id=0, length=240 User-Name = "host/caja02.cosmart.bo" EAP-Message = 0x0201001b01686f73742f63616a6130322e636f736d6172742e626f Message-Authenticator = 0xf1acdc9cf04cb956900a1812f75fc8e0 NAS-IP-Address = 192.168.100.245 NAS-Identifier = "001cc5363882" NAS-Port = 268439553 NAS-Port-Id = "unit=1;subslot=0;port=1;vlanid=1" NAS-Port-Type = Ethernet Service-Type = Framed-User Framed-Protocol = PPP Calling-Station-Id = "0050-bac5-dfa5" 3Com-Connect_Id = 83 3Com-Product-ID = "5500G-EI" 3Com-Ip-Host-Addr = "0.0.0.0 00:50:ba:c5:df:a5" 3Com-NAS-Startup-Timestamp = 1104537612 +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "host/caja02.cosmart.bo", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 1 length 27 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound users: Matched entry DEFAULT at line 172 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 0 to 192.168.100.245 port 5001 Framed-Protocol = PPP Framed-Compression = Van-Jacobson-TCP-IP EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x73b5ba5073b7a3e2254835034dd3ceef Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.100.245 port 5001, id=1, length=311 User-Name = "host/caja02.cosmart.bo" EAP-Message = 0x0202005019800000004616030100410100003d0301486fbdd4eecfde254716f92a39b631a3684a00787d5d6b063ba9c81cd22e195300001600040005000a000900640062000300060013001200630100 Message-Authenticator = 0xbec7d6563e28ca88de7723c45425b6a4 NAS-IP-Address = 192.168.100.245 NAS-Identifier = "001cc5363882" NAS-Port = 268439553 NAS-Port-Id = "unit=1;subslot=0;port=1;vlanid=1" NAS-Port-Type = Ethernet Service-Type = Framed-User Framed-Protocol = PPP Calling-Station-Id = "0050-bac5-dfa5" State = 0x73b5ba5073b7a3e2254835034dd3ceef 3Com-Connect_Id = 83 3Com-Product-ID = "5500G-EI" 3Com-Ip-Host-Addr = "0.0.0.0 00:50:ba:c5:df:a5" 3Com-NAS-Startup-Timestamp = 1104537612 +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "host/caja02.cosmart.bo", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 2 length 80 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS TLS Length 70 rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0666], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone TLS_accept: SSLv3 write server done A TLS_accept: SSLv3 flush data TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 1 to 192.168.100.245 port 5001 EAP-Message = 0x0103040019c0000006c3160301004a020000460301486fbdc4c5c76a2564aa4f526c944a51a1302a3c659a0b0961427630875f60f92028b6d005458c6b196869a0d631f1ce41013c4514747eeebbdd80e7b4bc5969af00040016030106660b00066200065f0002b9308202b53082021ea003020102020104300d06092a864886f70d0101050500308191310b300906035504061302424f311330110603550408130a53616e7461204372757a311330110603550407130a53616e7461204372757a3110300e060355040a1307436f736d6172743111300f060355040b130853697374656d6173311630140603550403130d61646d696e6973747261746f EAP-Message = 0x72311b301906092a864886f70d010901160c6a6174406d61696c2e63736d301e170d3038303730323231333833325a170d3138303633303231333833325a308195310b300906035504061302424f311330110603550408130a53616e7461204372757a311330110603550407130a53616e7461204372757a3110300e060355040a1307436f736d6172743111300f060355040b130853697374656d6173311a3018060355040313117261646975732e636f736d6172742e626f311b301906092a864886f70d010901160c6a6174406d61696c2e63736d30819f300d06092a864886f70d010101050003818d0030818902818100cbeb8d00c58afe573130 EAP-Message = 0x546535d403e375d6bd47f46e40c177715d4ecab36ec81bd674cf9e85001a18c8dff1f6a3c36157c4ae0b1081b6a09d177dd4e43da1feab1ad3611da0b973cc5e69d4ed7ddd58147c6ea6666c86d074dce2b4819153f104b1ce41c4c549231e386a04f5123ae40191488aaf93362f09b31eef336682470203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d01010505000381810035fdfe43e521364d5c730005b1307d1ed1fb9bbeb88cec2be4e362fe3779c4dd1196f0e5b0bb41cde48da1e7392549e989d1ea0e3af59191d05be8991ced0b557b2ea643c160b150e7c83ab667414bb8b670c1193c53 EAP-Message = 0xae386773f3124b7803f6ada10aa517a81bfa0cfe66d5a557da43773eafabe10cbd705a52e5303e0282c90003a03082039c30820305a003020102020900e224351ea6a8c75e300d06092a864886f70d0101050500308191310b300906035504061302424f311330110603550408130a53616e7461204372757a311330110603550407130a53616e7461204372757a3110300e060355040a1307436f736d6172743111300f060355040b130853697374656d6173311630140603550403130d61646d696e6973747261746f72311b301906092a864886f70d010901160c6a6174406d61696c2e63736d301e170d3038303730323231333435365a170d3138 EAP-Message = 0x303633303231333435365a30 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x73b5ba5072b6a3e2254835034dd3ceef Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.100.245 port 5001, id=2, length=237 User-Name = "host/caja02.cosmart.bo" EAP-Message = 0x020300061900 Message-Authenticator = 0x2690776a323a61b010a03df037aec344 NAS-IP-Address = 192.168.100.245 NAS-Identifier = "001cc5363882" NAS-Port = 268439553 NAS-Port-Id = "unit=1;subslot=0;port=1;vlanid=1" NAS-Port-Type = Ethernet Service-Type = Framed-User Framed-Protocol = PPP Calling-Station-Id = "0050-bac5-dfa5" State = 0x73b5ba5072b6a3e2254835034dd3ceef 3Com-Connect_Id = 83 3Com-Product-ID = "5500G-EI" 3Com-Ip-Host-Addr = "0.0.0.0 00:50:ba:c5:df:a5" 3Com-NAS-Startup-Timestamp = 1104537612 +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "host/caja02.cosmart.bo", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 3 length 6 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 2 to 192.168.100.245 port 5001 EAP-Message = 0x010402d319008191310b300906035504061302424f311330110603550408130a53616e7461204372757a311330110603550407130a53616e7461204372757a3110300e060355040a1307436f736d6172743111300f060355040b130853697374656d6173311630140603550403130d61646d696e6973747261746f72311b301906092a864886f70d010901160c6a6174406d61696c2e63736d30819f300d06092a864886f70d010101050003818d0030818902818100a646305a573ba9462e50379658300d0d0d8af89c4c30d84d160cde108867f5008c5d5476b473d60cc52067227194c9d8cb838e251fad331103a0ef6b82d2fc1c775065420d91f1 EAP-Message = 0x69d61d23088d5d2fcaca82b78d432ae2e5a7bc2128ab1489512d0d5df2dc8057bcf5ecf9e5c1be94088977ffa69885442de5967c302cbb3a750203010001a381f93081f6301d0603551d0e0416041473a2a24959f00db826a07cf8489b046784765ead3081c60603551d230481be3081bb801473a2a24959f00db826a07cf8489b046784765eada18197a48194308191310b300906035504061302424f311330110603550408130a53616e7461204372757a311330110603550407130a53616e7461204372757a3110300e060355040a1307436f736d6172743111300f060355040b130853697374656d6173311630140603550403130d61646d696e69 EAP-Message = 0x73747261746f72311b301906092a864886f70d010901160c6a6174406d61696c2e63736d820900e224351ea6a8c75e300c0603551d13040530030101ff300d06092a864886f70d010105050003818100012eb34d9f4d44275d7141f817f9754d61b51a1205fe9326b51df1985a69c664e5a572a408ac098247e82621c48c097c72230ef3d4d4607636e721213b3a6bcae16cb65033eb9793e4bad604c5f8a4bd25638163cd556f283862542654cbcae9b86573ac3668cfad36b8b643abedbeb7a1ffb440c3af91d1a3a76d67ac84a2f016030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x73b5ba5071b1a3e2254835034dd3ceef Finished request 3. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 192.168.100.245 port 5001, id=3, length=423 User-Name = "host/caja02.cosmart.bo" EAP-Message = 0x020400c01980000000b616030100861000008200800d05f33fc8ee7d6b891fd473b79cbd08c00029c400a4a8b4f66a043855312f1ae4c9ebc4d5935b3dd33a2f8c43a91f5268b8c6feeb2045eb683a038e92faad3c109b80d461449c916764451ae0ad1d9cc5adc79124b328a9e1240a83ffa8cef0833a8f218ce6cffe3c92e4a3a2e421e5d3e31c47deeafb370be2c2ae35840013140301000101160301002071ab2c4c5ef80026ece917f82faa9c4bf68ea263927572bcf2eff9dbc1b51e93 Message-Authenticator = 0x9d34a0ceab1dba8f46192d60879ce9e6 NAS-IP-Address = 192.168.100.245 NAS-Identifier = "001cc5363882" NAS-Port = 268439553 NAS-Port-Id = "unit=1;subslot=0;port=1;vlanid=1" NAS-Port-Type = Ethernet Service-Type = Framed-User Framed-Protocol = PPP Calling-Station-Id = "0050-bac5-dfa5" State = 0x73b5ba5071b1a3e2254835034dd3ceef 3Com-Connect_Id = 83 3Com-Product-ID = "5500G-EI" 3Com-Ip-Host-Addr = "0.0.0.0 00:50:ba:c5:df:a5" 3Com-NAS-Startup-Timestamp = 1104537612 +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "host/caja02.cosmart.bo", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 4 length 192 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS TLS Length 182 rlm_eap_tls: Length Included eaptls_verify returned 11 rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange TLS_accept: SSLv3 read client key exchange A rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001] rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 read finished A rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001] TLS_accept: SSLv3 write change cipher spec A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 write finished A TLS_accept: SSLv3 flush data (other): SSL negotiation finished successfully SSL Connection Established eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 3 to 192.168.100.245 port 5001 EAP-Message = 0x01050031190014030100010116030100208af84b95006d4b91fba9d7169d916eb6809c68b34efddd8d7bb978243d04922e Message-Authenticator = 0x00000000000000000000000000000000 State = 0x73b5ba5070b0a3e2254835034dd3ceef Finished request 4. Going to the next request Waking up in 4.7 seconds. rad_recv: Access-Request packet from host 192.168.100.245 port 5001, id=4, length=237 User-Name = "host/caja02.cosmart.bo" EAP-Message = 0x020500061900 Message-Authenticator = 0xfb42b30cdfd2f35fc4e94d6b7b571349 NAS-IP-Address = 192.168.100.245 NAS-Identifier = "001cc5363882" NAS-Port = 268439553 NAS-Port-Id = "unit=1;subslot=0;port=1;vlanid=1" NAS-Port-Type = Ethernet Service-Type = Framed-User Framed-Protocol = PPP Calling-Station-Id = "0050-bac5-dfa5" State = 0x73b5ba5070b0a3e2254835034dd3ceef 3Com-Connect_Id = 83 3Com-Product-ID = "5500G-EI" 3Com-Ip-Host-Addr = "0.0.0.0 00:50:ba:c5:df:a5" 3Com-NAS-Startup-Timestamp = 1104537612 +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "host/caja02.cosmart.bo", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 5 length 6 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake is finished eaptls_verify returned 3 eaptls_process returned 3 rlm_eap_peap: EAPTLS_SUCCESS ++[eap] returns handled Sending Access-Challenge of id 4 to 192.168.100.245 port 5001 EAP-Message = 0x0106002019001703010015bc754e60e537bc8fb1c7d29c5758b542685f2a6b11 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x73b5ba5077b3a3e2254835034dd3ceef Finished request 5. Going to the next request Waking up in 4.6 seconds. rad_recv: Access-Request packet from host 192.168.100.245 port 5001, id=5, length=281 User-Name = "host/caja02.cosmart.bo" EAP-Message = 0x02060032190017030100272290fc8604f7a51d1b40db4729ff215118019fc7cab898e7f7d59299b9ba138f63ad3698ff0d0d Message-Authenticator = 0xdc1ac64c77e6220711e5b9da5a1483c7 NAS-IP-Address = 192.168.100.245 NAS-Identifier = "001cc5363882" NAS-Port = 268439553 NAS-Port-Id = "unit=1;subslot=0;port=1;vlanid=1" NAS-Port-Type = Ethernet Service-Type = Framed-User Framed-Protocol = PPP Calling-Station-Id = "0050-bac5-dfa5" State = 0x73b5ba5077b3a3e2254835034dd3ceef 3Com-Connect_Id = 83 3Com-Product-ID = "5500G-EI" 3Com-Ip-Host-Addr = "0.0.0.0 00:50:ba:c5:df:a5" 3Com-NAS-Startup-Timestamp = 1104537612 +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "host/caja02.cosmart.bo", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 6 length 50 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Identity - host/caja02.cosmart.bo PEAP: Got tunneled identity of host/caja02.cosmart.bo PEAP: Setting default EAP type for tunneled EAP session. PEAP: Setting User-Name to host/caja02.cosmart.bo +- entering group authorize ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound rlm_realm: No '@' in User-Name = "host/caja02.cosmart.bo", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop ++[control] returns noop rlm_eap: EAP packet type response id 6 length 27 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: EAP Identity rlm_eap: processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled PEAP: Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 5 to 192.168.100.245 port 5001 EAP-Message = 0x010700471900170301003c1e6805da43586305dd52fac9e77e5c0f59cf439f63276da038654693c461d78f2dff4238725874cbf4b94708899dcd5c661d56d09d4ef789e6c8d8ad Message-Authenticator = 0x00000000000000000000000000000000 State = 0x73b5ba5076b2a3e2254835034dd3ceef Finished request 6. Going to the next request Waking up in 4.5 seconds. rad_recv: Access-Request packet from host 192.168.100.245 port 5001, id=6, length=335 User-Name = "host/caja02.cosmart.bo" EAP-Message = 0x020700681900170301005dd9e8df11c1c77181e304f5804625cc6d44f9ab95418534bff216737d94c26604aad2c35ddf65bccfedc9ee52b023fda66d370b6767fd533860ea5b75eb2cdaf251db63feb3991bc812f10e8b41a96942b928746d8e124cd3ff02208321 Message-Authenticator = 0x189158927107c3cc4dbfb70ddcec6879 NAS-IP-Address = 192.168.100.245 NAS-Identifier = "001cc5363882" NAS-Port = 268439553 NAS-Port-Id = "unit=1;subslot=0;port=1;vlanid=1" NAS-Port-Type = Ethernet Service-Type = Framed-User Framed-Protocol = PPP Calling-Station-Id = "0050-bac5-dfa5" State = 0x73b5ba5076b2a3e2254835034dd3ceef 3Com-Connect_Id = 83 3Com-Product-ID = "5500G-EI" 3Com-Ip-Host-Addr = "0.0.0.0 00:50:ba:c5:df:a5" 3Com-NAS-Startup-Timestamp = 1104537612 +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "host/caja02.cosmart.bo", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 7 length 104 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: EAP type mschapv2 PEAP: Setting User-Name to host/caja02.cosmart.bo +- entering group authorize ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound rlm_realm: No '@' in User-Name = "host/caja02.cosmart.bo", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop ++[control] returns noop rlm_eap: EAP packet type response id 7 length 81 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/mschapv2 rlm_eap: processing type mschapv2 +- entering group MS-CHAP rlm_mschap: No Cleartext-Password configured. Cannot create LM-Password. rlm_mschap: No Cleartext-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for host/caja02.cosmart.bo with NT-Password expand: --username=%{mschap:User-Name} -> --username=caja02$ expand: --domain=%{mschap:NT-Domain} -> --domain=cosmart mschap2: ca expand: --challenge=%{mschap:Challenge:-00} -> --challenge=2ee635f36876e135 expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=3e2799722d4ae64a874fca7144dc868ba821b45ab8d3e5c9 Exec-Program output: NT_KEY: 2C5558B32AB95B9348365F364D596970 Exec-Program-Wait: plaintext: NT_KEY: 2C5558B32AB95B9348365F364D596970 Exec-Program: returned: 0 rlm_mschap: adding MS-CHAPv2 MPPE keys ++[mschap] returns ok MSCHAP Success ++[eap] returns handled PEAP: Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 6 to 192.168.100.245 port 5001 EAP-Message = 0x0108004a1900170301003f5b72a242149b0c849225ef274c8f16078a490d8b7017a19218015a39d51e11d4e4b5ec95727149d5d2d108ca87be5ac4572a1326c0be8912899588ed1dc79d Message-Authenticator = 0x00000000000000000000000000000000 State = 0x73b5ba5075bda3e2254835034dd3ceef Finished request 7. Going to the next request Waking up in 4.4 seconds. rad_recv: Access-Request packet from host 192.168.100.245 port 5001, id=7, length=260 User-Name = "host/caja02.cosmart.bo" EAP-Message = 0x0208001d19001703010012729a793115410148fb3e1894728ed9dd43a2 Message-Authenticator = 0xc0038ec1fb0e803e1447e0c672705c8c NAS-IP-Address = 192.168.100.245 NAS-Identifier = "001cc5363882" NAS-Port = 268439553 NAS-Port-Id = "unit=1;subslot=0;port=1;vlanid=1" NAS-Port-Type = Ethernet Service-Type = Framed-User Framed-Protocol = PPP Calling-Station-Id = "0050-bac5-dfa5" State = 0x73b5ba5075bda3e2254835034dd3ceef 3Com-Connect_Id = 83 3Com-Product-ID = "5500G-EI" 3Com-Ip-Host-Addr = "0.0.0.0 00:50:ba:c5:df:a5" 3Com-NAS-Startup-Timestamp = 1104537612 +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "host/caja02.cosmart.bo", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 8 length 29 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: EAP type mschapv2 PEAP: Setting User-Name to host/caja02.cosmart.bo +- entering group authorize ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound rlm_realm: No '@' in User-Name = "host/caja02.cosmart.bo", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop ++[control] returns noop rlm_eap: EAP packet type response id 8 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/mschapv2 rlm_eap: processing type mschapv2 rlm_eap: Freeing handler ++[eap] returns ok PEAP: Tunneled authentication was successful. rlm_eap_peap: SUCCESS Saving tunneled attributes for later ++[eap] returns handled Sending Access-Challenge of id 7 to 192.168.100.245 port 5001 EAP-Message = 0x010900261900170301001be69227ae08e478000a3caae737a96433d8bb3a4ff3a53f1fbb7c0c Message-Authenticator = 0x00000000000000000000000000000000 State = 0x73b5ba5074bca3e2254835034dd3ceef Finished request 8. Going to the next request Waking up in 4.3 seconds. rad_recv: Access-Request packet from host 192.168.100.245 port 5001, id=8, length=269 User-Name = "host/caja02.cosmart.bo" EAP-Message = 0x020900261900170301001b3916275431b7332459f3aaa1643e31720bc6ac34c224b51e2693c3 Message-Authenticator = 0x7093c15fac997292a12f6fc80059160c NAS-IP-Address = 192.168.100.245 NAS-Identifier = "001cc5363882" NAS-Port = 268439553 NAS-Port-Id = "unit=1;subslot=0;port=1;vlanid=1" NAS-Port-Type = Ethernet Service-Type = Framed-User Framed-Protocol = PPP Calling-Station-Id = "0050-bac5-dfa5" State = 0x73b5ba5074bca3e2254835034dd3ceef 3Com-Connect_Id = 83 3Com-Product-ID = "5500G-EI" 3Com-Ip-Host-Addr = "0.0.0.0 00:50:ba:c5:df:a5" 3Com-NAS-Startup-Timestamp = 1104537612 +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "host/caja02.cosmart.bo", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 9 length 38 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Received EAP-TLV response. rlm_eap_peap: Success Using saved attributes from the original Access-Accept rlm_eap: Freeing handler ++[eap] returns ok +- entering group post-auth ++[exec] returns noop Sending Access-Accept of id 8 to 192.168.100.245 port 5001 User-Name = "host/caja02.cosmart.bo" MS-MPPE-Recv-Key = 0xbc92e431af5c7ffb4d5b7995391751603d37b0f0ff4b90fbfecd1785d2d987b9 MS-MPPE-Send-Key = 0x298436d731ecef7178d901f10b1654124cb4b52e1e1ed23fd33b1ec32476b480 EAP-Message = 0x03090004 Message-Authenticator = 0x00000000000000000000000000000000 Finished request 9. Going to the next request Waking up in 4.3 seconds. rad_recv: Accounting-Request packet from host 192.168.100.245 port 5001, id=219, length=228 User-Name = "host/caja02.cosmart.bo" NAS-Identifier = "001cc5363882" NAS-Port = 268439553 NAS-Port-Id = "unit=1;subslot=0;port=1;vlanid=1" NAS-Port-Type = Ethernet Calling-Station-Id = "0050-bac5-dfa5" Acct-Status-Type = Start Acct-Authentic = RADIUS Acct-Session-Id = "110500010558e" NAS-IP-Address = 192.168.100.245 Event-Timestamp = "Jan 1 2005 01:58:37 BOT" 3Com-Connect_Id = 83 3com-Attr-29 = 0x00000000 3Com-VLAN-Name = "\000\000\000\000" 3Com-Encryption-Type = "\000\000\000\000" 3Com-Time-Of-Day = "\000\000\000\000" 3com-Attr-22 = 0x00000000 3Com-Ip-Host-Addr = "0.0.0.0 00:50:ba:c5:df:a5" +- entering group preacct ++[preprocess] returns ok rlm_acct_unique: Hashing 'NAS-Port = 268439553,Client-IP-Address = 192.168.100.245,NAS-IP-Address = 192.168.100.245,Acct-Session-Id = "110500010558e",User-Name = "host/caja02.cosmart.bo"' rlm_acct_unique: Acct-Unique-Session-ID = "b9beac104c297af0". ++[acct_unique] returns ok rlm_realm: No '@' in User-Name = "host/caja02.cosmart.bo", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop ++[files] returns noop +- entering group accounting expand: /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d -> /var/log/radius/radacct/192.168.100.245/detail-20080705 rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/radius/radacct/192.168.100.245/detail-20080705 expand: %t -> Sat Jul 5 14:30:28 2008 ++[detail] returns ok ++[unix] returns ok expand: /var/log/radius/radutmp -> /var/log/radius/radutmp expand: %{User-Name} -> host/caja02.cosmart.bo ++[radutmp] returns ok expand: %{User-Name} -> host/caja02.cosmart.bo attr_filter: Matched entry DEFAULT at line 12 ++[attr_filter.accounting_response] returns updated Sending Accounting-Response of id 219 to 192.168.100.245 port 5001 Finished request 10. Cleaning up request 10 ID 219 with timestamp +7 Going to the next request Waking up in 4.2 seconds. Cleaning up request 1 ID 0 with timestamp +6 Cleaning up request 2 ID 1 with timestamp +7 Cleaning up request 3 ID 2 with timestamp +7 Cleaning up request 4 ID 3 with timestamp +7 Cleaning up request 5 ID 4 with timestamp +7 Cleaning up request 6 ID 5 with timestamp +7 Waking up in 0.1 seconds. Cleaning up request 7 ID 6 with timestamp +7 Cleaning up request 8 ID 7 with timestamp +7 Cleaning up request 9 ID 8 with timestamp +7 Ready to process requests. ______________________________________________ Enviado desde Correo Yahoo! La bandeja de entrada más inteligente.
Has anybody achieved to authenticate xp sp3 with default 802.1x client to freeradius ?
You!
Sending Access-Accept of id 8 to 192.168.100.245 port 5001 User-Name = "host/caja02.cosmart.bo" MS-MPPE-Recv-Key = 0xbc92e431af5c7ffb4d5b7995391751603d37b0f0ff4b90fbfecd1785d2d987b9 MS-MPPE-Send-Key = 0x298436d731ecef7178d901f10b1654124cb4b52e1e1ed23fd33b1ec32476b480 EAP-Message = 0x03090004 Message-Authenticator = 0x00000000000000000000000000000000
Ivan Kalik Kalik Informatika ISP
Dear Oxiel, Are you using wired or wireless 802.1x? I have been seeing issues on Windows XP SP3 WIRED 802.1X configurations when the MPPE keys are being sent by the RADIUS server (which are not used in (most) wired 802.1X setups):
Sending Access-Accept of id 8 to 192.168.100.245 port 5001 User-Name = "host/caja02.cosmart.bo" MS-MPPE-Recv-Key = 0xbc92e431af5c7ffb4d5b7995391751603d37b0f0ff4b90fbfecd1785d2d987b9 MS-MPPE-Send-Key = 0x298436d731ecef7178d901f10b1654124cb4b52e1e1ed23fd33b1ec32476b480 EAP-Message = 0x03090004 Message-Authenticator = 0x00000000000000000000000000000000
If you are using wired try disabling the MPPE keys in Freeradius. Regards, Tom
-----Oorspronkelijk bericht----- Van: freeradius-users-bounces+list=securew2.com@lists.freeradius.org [mailto:freeradius-users-bounces+list=securew2.com@lists.freeradius.org] Namens Ivan Kalik Verzonden: maandag 7 juli 2008 15:32 Aan: freeradius-users@lists.freeradius.org Onderwerp: Re: xp sp3 and freeradius 2.0.5
Has anybody achieved to authenticate xp sp3 with default 802.1x client to freeradius ?
You!
Sending Access-Accept of id 8 to 192.168.100.245 port 5001 User-Name = "host/caja02.cosmart.bo" MS-MPPE-Recv-Key = 0xbc92e431af5c7ffb4d5b7995391751603d37b0f0ff4b90fbfecd1785d2d987b9 MS-MPPE-Send-Key = 0x298436d731ecef7178d901f10b1654124cb4b52e1e1ed23fd33b1ec32476b480 EAP-Message = 0x03090004 Message-Authenticator = 0x00000000000000000000000000000000
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I'm seeing the same problems with Vista devices: Sending Access-Accept of id 12 to 131.202.9.32 port 2048 User-Name = "u3t98" Tunnel-Private-Group-Id:0 = "Academic" Tunnel-Type:0 = VLAN MS-MPPE-Recv-Key = 0xce1ea72659c68cceba45498192e03bbb73292f9cdc314bbdea6e5ede0302b86a MS-MPPE-Send-Key = 0xe2cafe2564df85dd04dddb4816c00c8afeea831cbbdb444b45789625771f6c9c EAP-Message = 0x03180004 Message-Authenticator = 0x00000000000000000000000000000000 Even though I have MPPE disabled in FR: mschap { # # As of 0.9, the mschap module does NOT support # reading from /etc/smbpasswd. # # If you are using /etc/smbpasswd, see the 'passwd' # module for an example of how to use /etc/smbpasswd # if use_mppe is not set to no mschap will # add MS-CHAP-MPPE-Keys for MS-CHAPv1 and # MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2 # #use_mppe = no use_mppe = no Thoughts? Matt Ashfield mda@unb.ca -----Original Message----- From: freeradius-users-bounces+mda=unb.ca@lists.freeradius.org [mailto:freeradius-users-bounces+mda=unb.ca@lists.freeradius.org] On Behalf Of SecureW2 (List) Sent: Monday, July 07, 2008 10:58 AM To: 'FreeRadius users mailing list' Subject: RE: xp sp3 and freeradius 2.0.5 Dear Oxiel, Are you using wired or wireless 802.1x? I have been seeing issues on Windows XP SP3 WIRED 802.1X configurations when the MPPE keys are being sent by the RADIUS server (which are not used in (most) wired 802.1X setups):
Sending Access-Accept of id 8 to 192.168.100.245 port 5001 User-Name = "host/caja02.cosmart.bo" MS-MPPE-Recv-Key = 0xbc92e431af5c7ffb4d5b7995391751603d37b0f0ff4b90fbfecd1785d2d987b9 MS-MPPE-Send-Key = 0x298436d731ecef7178d901f10b1654124cb4b52e1e1ed23fd33b1ec32476b480 EAP-Message = 0x03090004 Message-Authenticator = 0x00000000000000000000000000000000
If you are using wired try disabling the MPPE keys in Freeradius. Regards, Tom
-----Oorspronkelijk bericht----- Van: freeradius-users-bounces+list=securew2.com@lists.freeradius.org [mailto:freeradius-users-bounces+list=securew2.com@lists.freeradius.org] Namens Ivan Kalik Verzonden: maandag 7 juli 2008 15:32 Aan: freeradius-users@lists.freeradius.org Onderwerp: Re: xp sp3 and freeradius 2.0.5
Has anybody achieved to authenticate xp sp3 with default 802.1x client to freeradius ?
You!
Sending Access-Accept of id 8 to 192.168.100.245 port 5001 User-Name = "host/caja02.cosmart.bo" MS-MPPE-Recv-Key = 0xbc92e431af5c7ffb4d5b7995391751603d37b0f0ff4b90fbfecd1785d2d987b9 MS-MPPE-Send-Key = 0x298436d731ecef7178d901f10b1654124cb4b52e1e1ed23fd33b1ec32476b480 EAP-Message = 0x03090004 Message-Authenticator = 0x00000000000000000000000000000000
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
hi, we use FR 2.0.5 (and have used .09 through to the current version too. Vista was supported with 1.1.4 upwards. we've had no issues (so far!) with XP SP3 or Vista systems on 2.0.5 alan
hi, further to previous post - your log shows several WARNING entries - fix those. finally, read eap.conf - especially the part about Windows systems not responding to EAP challenges...which is what your log looks like alan
Hello Alan.
further to previous post - your log shows several WARNING entries - fix those.
Yes, fixed with eap.conf indications.
finally, read eap.conf - especially the part about Windows systems not responding to EAP challenges...which is what your log looks like
I've read it again, this time consciously, but i think is already there, maybe i'm loosing something, please correct me; as i know, sp3 already brings the patch needed with sp2. As you noted the client gets Access-Accept once, but then for some reason i don't know, it looses connection and never gets access to the network, on windows the network icon, shows trying to connect then later get the exclamation sign on the icon, first thought it was something with the vlan assignation, so removed it, and let it stay on vlan 1, but the same behavior . Other things that made me doubt was the username received by fr, most of the time is the machine name: host/caja02.cosmart.bo, instead of the domain username: COSMART\\jat, so as Tom pointed in previous email, i'm using wired configuration service on windows services, i'm not doing wireless at all, so disabled MPPE keys, put use_mppe = no on mschap module, but it continues to appear messages like these with radiusd -X MS-MPPE-Recv-Key = 0xbc92e431af5c7ffb4d5b7995391751603d37b0f0ff4b90fbfecd1785d2d987b9 MS-MPPE-Send-Key = 0x298436d731ecef7178d901f10b1654124cb4b52e1e1ed23fd33b1ec32476b480 Last i will regenerate the certs with the new way, sorry i stayed with 1.X long ago and recently upgraded to 2.0.5, what i did was to copy the certs directory from my previous working setup, guess there's something different. I'll let you know as soon as possible. Best regards. Oxiel
As you noted the client gets Access-Accept once, but then for some reason i don't know, it looses connection and never gets access to the network, on windows the network icon, shows trying to connect then later get the exclamation sign on the icon, first thought it was something with the vlan assignation, so removed it, and let it stay on vlan 1, but the same behavior .
Certificates are fine, radius server is fine. Your NAS is dropping the connection. Debug the NAS and see what is it complaining about. It's quite normal for Windows domain access to authenticate machine first and user later, once machine is on the network. Ivan Kalik Kalik Informatika ISP
Hello Ivan. While negotiating, XP SP3 and switch shows this traffic: [1 User-name ] [26] [host/pccen115.cosmart.bo] [32 NAS-Identifier ] [14] [001cc5363882] [5 NAS-Port ] [6 ] [268439553] [87 NAS_Port_Id ] [34] [unit=1;subslot=0;port=1;vlanid=1] [61 NAS-Port-Type ] [6 ] [15] [31 Caller-ID ] [16] [303030352D356437622D38643561] *0.40057968 5500G-EI RDS/8/DEBUG:- 1 - [40 Acct-Status-Type ] [6 ] [2] [45 Acct-Authentic ] [6 ] [1] [44 Acct-Session-Id ] [15] [110500011106f] [4 NAS-IP-Address ] [6 ] [192.168.100.245] [55 Event-Timestamp ] [6 ] [1104577657] [3com-26 Connect_ID ] [6 ] [35] *0.40057969 5500G-EI RDS/8/DEBUG:- 1 - [3com-29 Input_Peak_Rate ] [6 ] [0] [3com-2 Input_Average_Rate ] [6 ] [0] [3com-4 Output_Peak_Rate ] [6 ] [0] [3com-5 Output_Average_Rate ] [6 ] [0] [3com-22 Priority ] [6 ] [0] [3com-60 Ip-Host-Addr ] [27] [0.0.0.0 00:05:5d:7b:8d:5a] *0.40057969 5500G-EI RDS/8/DEBUG:- 1 - [46 Acct-Session-Time ] [6 ] [97] [41 Acct-Delay-Time ] [6 ] [0] [42 Acct-Input-Octets ] [6 ] [93000] [47 Acct-Input-Packets ] [6 ] [352] [43 Acct-Output-Octets ] [6 ] [126726] [48 Acct-Output-Packets ] [6 ] [698] *0.40057970 5500G-EI RDS/8/DEBUG:- 1 - [52 Acct_Input_Gigawords ] [6 ] [0] [53 Acct_Output_Gigawords ] [6 ] [0] [49 Terminate-Cause ] [6 ] [2] I let the client to stay on VLAN1, not moving to other vlan, the same behavior, the PC gets ACCESS-ACCEPT but then it tries again, until the exclamation icon appears, no ping to the client at all. What can it be ?, what i'm doing wrong ? is the problem XP SP3 ?, or is 3COM 5500G-EI ? Regards. Oxiel El Martes 08 Jul 2008, Ivan Kalik escribió:
As you noted the client gets Access-Accept once, but then for some reason i don't know, it looses connection and never gets access to the network, on windows the network icon, shows trying to connect then later get the exclamation sign on the icon, first thought it was something with the vlan assignation, so removed it, and let it stay on vlan 1, but the same behavior .
Certificates are fine, radius server is fine. Your NAS is dropping the connection. Debug the NAS and see what is it complaining about.
It's quite normal for Windows domain access to authenticate machine first and user later, once machine is on the network.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I let the client to stay on VLAN1, not moving to other vlan, the same behavior, the PC gets ACCESS-ACCEPT but then it tries again, until the exclamation icon appears, no ping to the client at all.
What can it be ?, what i'm doing wrong ? is the problem XP SP3 ?, or is 3COM 5500G-EI ?
Didn't we have exactly the same problem on the list, like a week ago ? You have upgraded to the latest firmware for your 3COM switch right ? Arran -- Arran Cudbard-Bell (A.Cudbard-Bell@sussex.ac.uk), Authentication, Authorisation and Accounting Officer, Infrastructure Services (IT Services), E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT DDI+FAX: +44 1273 873900 | INT: 3900
Arran Cudbard-Bell wrote:
I let the client to stay on VLAN1, not moving to other vlan, the same behavior, the PC gets ACCESS-ACCEPT but then it tries again, until the exclamation icon appears, no ping to the client at all.
What can it be ?, what i'm doing wrong ? is the problem XP SP3 ?, or is 3COM 5500G-EI ?
Didn't we have exactly the same problem on the list, like a week ago ? You have upgraded to the latest firmware for your 3COM switch right ?
Yup. It's me who had this problem. Actually my switches are from 4500 family and Oxiel's are 5500 however those families are kind of similar. Oxiel: use the newest available firmware for your switches (the one from 12th of May) - namely 3.03.1. Then disable handshake (dis)funcion. <5500> system-view [5500] undo dot1x handshake enable And - because I've found another bug - you'll have to use port based authentication method instead of the default mac based [5500] dot1x port-method portbased If you will have any further questions - feel free to ask. Kind regards, -- Lech Karol Pawłaszek <ike> "You will never see me fall from grace" [KoRn]
Hello. Thanks to all for your accurate replies, Lech was right, the problem with 4500 is the handshake (dis)function, it works like a charm!!, so does cisco gear too!!, both with the same setup at FR 2.0.5 and with all clients, XP SP2/SP3, Vista, Win2KX. BUT, 5500 is not working, the characteristics of this switch are: 5500G-EI - 3CR17254-91 os 3.02.04s168 bootrom v 4.0.3 This firmware versión is the latest available as today, and doesn't have the option to disable handshake, so it doesn't work at all, for any soul out there trying to make this switch work, help me out to ask 3COM to correct their software and allow to disable handshake as 4500's do.. Best regards, to all of you, this software and this list rocks!!! Oxiel El Vie 08 Ago 2008, Lech Karol Pawłaszek escribió:
Arran Cudbard-Bell wrote:
I let the client to stay on VLAN1, not moving to other vlan, the same behavior, the PC gets ACCESS-ACCEPT but then it tries again, until the exclamation icon appears, no ping to the client at all.
What can it be ?, what i'm doing wrong ? is the problem XP SP3 ?, or is 3COM 5500G-EI ?
Didn't we have exactly the same problem on the list, like a week ago ? You have upgraded to the latest firmware for your 3COM switch right ?
Yup. It's me who had this problem. Actually my switches are from 4500 family and Oxiel's are 5500 however those families are kind of similar.
Oxiel: use the newest available firmware for your switches (the one from 12th of May) - namely 3.03.1.
Then disable handshake (dis)funcion.
<5500> system-view [5500] undo dot1x handshake enable
And - because I've found another bug - you'll have to use port based authentication method instead of the default mac based
[5500] dot1x port-method portbased
If you will have any further questions - feel free to ask.
Kind regards,
On 2008-08-11 15:10, Oxiel Contreras wrote:
Hello. Hello,
Thanks to all for your accurate replies, Lech was right, the problem with 4500 is the handshake (dis)function, it works like a charm!!, so does cisco gear too!!, both with the same setup at FR 2.0.5 and with all clients, XP SP2/SP3, Vista, Win2KX.
BUT, 5500 is not working, the characteristics of this switch are:
5500G-EI - 3CR17254-91 os 3.02.04s168 bootrom v 4.0.3
This firmware versión is the latest available as today,
No, it is not: http://www.3com.com/products/en_US/result.jsp?selected=6&sort=effdt&sku=3CR1... Filename Release Date Version File Size s4c03_03_01s168.exe 01 Apr 2008 3.03.01 12.77 MB 3CR17254-91 is only a chassis. Best regards, Krzysztof Olędzki
Oxiel Contreras wrote:
Hello.
Thanks to all for your accurate replies, Lech was right, the problem with 4500 is the handshake (dis)function, it works like a charm!!, so does cisco gear too!!, both with the same setup at FR 2.0.5 and with all clients, XP SP2/SP3, Vista, Win2KX.
;-) nice.
BUT, 5500 is not working, the characteristics of this switch are:
5500G-EI - 3CR17254-91 os 3.02.04s168 bootrom v 4.0.3
This firmware versión is the latest available as today, and doesn't have the option to disable handshake, so it doesn't work at all, for any soul out there trying to make this switch work, help me out to ask 3COM to correct their software and allow to disable handshake as 4500's do.. [...]
You might want to check out this page. http://www.3com.com/products/en_US/result.jsp?selected=6&sort=effdt&order=de... Kind regards, -- Lech Karol Pawłaszek <ike> "You will never see me fall from grace" [KoRn]
On 2008-08-11 15:23, Lech Karol Pawłaszek wrote:
Oxiel Contreras wrote:
Hello.
Thanks to all for your accurate replies, Lech was right, the problem with 4500 is the handshake (dis)function, it works like a charm!!, so does cisco gear too!!, both with the same setup at FR 2.0.5 and with all clients, XP SP2/SP3, Vista, Win2KX.
;-) nice.
BUT, 5500 is not working, the characteristics of this switch are:
5500G-EI - 3CR17254-91 os 3.02.04s168 bootrom v 4.0.3
This firmware versión is the latest available as today, and doesn't have the option to disable handshake, so it doesn't work at all, for any soul out there trying to make this switch work, help me out to ask 3COM to correct their software and allow to disable handshake as 4500's do.. [...]
You might want to check out this page.
http://www.3com.com/products/en_US/result.jsp?selected=6&sort=effdt&order=de...
Please note that 3c5500 and 3c5500G are completely different switches, both running a different software. Best regards, Krzysztof Olędzki
participants (10)
-
A.L.M.Buxey@lboro.ac.uk -
Arran Cudbard-Bell -
Ivan Kalik -
Krzysztof Olędzki -
Lech Karol Pawłaszek -
Matt Ashfield -
Oxiel -
Oxiel Contreras -
Oxiel Contreras -
SecureW2 (List)