Lotus Notes Encryption
I have set up a FreeRadius 2 Server that authenticates on a Lotus Notes LDAP Service and it successfully maps. But I'm having a hard time figuring out what is the encryption method used by the Lotus Notes with their passwords. Here is the debug: [ldap] performing user authorization for jeff.barron [ldap] expand: %{Stripped-User-Name} -> [ldap] expand: %{User-Name} -> jeff.barron [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=jeff.barron) [ldap] expand: O=SMPHI -> O=SMPHI rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in O=SMPHI, with filter (uid=jeff.barron) [ldap] looking for check items in directory... rlm_ldap: userPassword -> User-Password == "(GeKF3TVTM9/uS9vzA/dB)" [ldap] looking for reply items in directory... [ldap] user jeff.barron authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns updated Found Auth-Type = PAP !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! +- entering group PAP {...} [pap] login attempt with password "jbp@ssw0rd" [pap] Using clear text password "(GeKF3TVTM9/uS9vzA/dB)" [pap] Passwords don't match Can anyone tell me what encryption is this and what suitable protocol can I use? -- View this message in context: http://old.nabble.com/Lotus-Notes-Encryption-tp29449703p29449703.html Sent from the FreeRadius - User mailing list archive at Nabble.com.
rrperez wrote:
I have set up a FreeRadius 2 Server that authenticates on a Lotus Notes LDAP Service and it successfully maps. But I'm having a hard time figuring out what is the encryption method used by the Lotus Notes with their passwords. ... Can anyone tell me what encryption is this and what suitable protocol can I use?
Few people use Lotus Notes, so I don't know if anyone here can help, sorry. I'd suggest rooting around the net. Alan DeKok.
Hi,
Can anyone tell me what encryption is this and what suitable protocol can I use? Few people use Lotus Notes, so I don't know if anyone here can help, sorry.
Several years ago I tried to use Notes (v5, back then) as a backend. The documentation contained much blah, but did not give away the crypto algorithm, and after much experimenting, I gave up. Notes is meanwhile dead in our company. Greetings, Stefan Winter -- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg Tel: +352 424409 1 Fax: +352 422473
Thanks for the response Alan and Stefan, I also figure out it now that it is somewhat impossible. I might test my last theoretical solution, that is to make LDAP as the primary directory and also I'll keep on searching the net for any other ways to make this close to possible. :-) -- View this message in context: http://old.nabble.com/Lotus-Notes-Encryption-tp29449703p29477956.html Sent from the FreeRadius - User mailing list archive at Nabble.com.
On Thu, Aug 19, 2010 at 2:51 PM, rrperez <rrperez@apc.edu.ph> wrote:
Thanks for the response Alan and Stefan, I also figure out it now that it is somewhat impossible.
I might test my last theoretical solution, that is to make LDAP as the primary directory and also I'll keep on searching the net for any other ways to make this close to possible. :-)
I think you're approaching this wrong. As per your trace you are trying to do a PAP authentication. If you uncomment "ldap" in the authorize and authenticate sections and make sure PAP is commented out. Then you should be fine. authorize { ldap } authenticate { ldap } Since the Auth-Type is coming through as "PAP" then it's not going to work, get that to be LDAP and then FreeRadius will do a simple bind to the LDAP store using the cleartext username and password and it should be fine.
Thanks Peter, your a savior, I commented out pap in the authorize and authenticate section in my sites-enabled default and inner-tunnel and it did work. But then again, when I tested it out, it only works locally with linux platforms but when I tried to test it with the wifi router and windows clients, it didn't. Here is my debug: rad_recv: Access-Request packet from host 10.96.100.205 port 1400, id=0, length=143 User-Name = "kim.almarez" NAS-IP-Address = 10.96.100.205 Called-Station-Id = "0014bf8abbc5" Calling-Station-Id = "002682a0ed7d" NAS-Identifier = "0014bf8abbc5" NAS-Port = 48 Framed-MTU = 1400 State = 0x12d80ee013da174ed007cbe32dab339b NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020200061900 Message-Authenticator = 0xed627311a6a1881b5ccc49e9a637dbb5 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop [suffix] No '@' in User-Name = "kim.almarez", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 2 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 0 to 10.96.100.205 port 1400 EAP-Message = 0x010303fc1940a5300d06092a864886f70d010105050030818e310b3009060355040613025048310f300d060355040813064d616e696c61310e300c0603550407130550617361793111300f060355040a1308534d205072696d653123302106092a864886f70d0109011614706572657a2e32726f6e40676d61696c2e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3130303830353231343433315a170d3131303830353231343433315a30818e310b3009060355040613025048310f300d060355040813064d616e696c61310e300c0603550407130550617361793111300f06 EAP-Message = 0x0355040a1308534d205072696d653123302106092a864886f70d0109011614706572657a2e32726f6e40676d61696c2e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100c377b277cfce89da192b6975f0e2c6f2860fd64da3fd80309a1ea8bb2ef91fa0d004899dfb920f5bd5bba909cc537b86d0ac729985a36c6c7bb562a02aeb6cbbadbd25c73240631e24c7bc66d8bcc423848426c6094bebdca51e781a251f99361eb4885aaa88541eabb41ccf08250ccfa82eb3f18b3ba6025f53e1994f0e9a5f81 EAP-Message = 0x96ab436778d1b5b28ffa1d177836b9584f8228ae3f38eb1b255e5ecc9ffdb5fd5f41ed8f88d07fb1865be3b978d27fd8f5de8a5f66814c415f2f81948713e5475d61ff81076a6c12afd11a2b4efb8114e2dee083866a63775065a83aecaa60f96d32d41db2651e6523d1dda4968768503b77957ed302e70148af04bea6b33d0203010001a381f63081f3301d0603551d0e04160414eb114a719ea71a316c157f42cb959cbe3d7ad1453081c30603551d230481bb3081b88014eb114a719ea71a316c157f42cb959cbe3d7ad145a18194a4819130818e310b3009060355040613025048310f300d060355040813064d616e696c61310e300c0603550407 EAP-Message = 0x130550617361793111300f060355040a1308534d205072696d653123302106092a864886f70d0109011614706572657a2e32726f6e40676d61696c2e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479820900e6d6f0b5c23c70a5300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100560f8590dfda5419fd715a32a3c02c7dfea64b4f7ab3f1d76173a6206a9919d372f97837051eba6b10fa29e2f813863875f2f260ce5e7935ddc4267fb7b6230d9c2b4cdaaf825e25b4910d895ed0355c1860eb0cb62961ee54228efe26aa5315820139132002a30d07 EAP-Message = 0xbd4b27e772945483 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x12d80ee010db174ed007cbe32dab339b Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.96.100.205 port 1402, id=0, length=143 User-Name = "kim.almarez" NAS-IP-Address = 10.96.100.205 Called-Station-Id = "0014bf8abbc5" Calling-Station-Id = "002682a0ed7d" NAS-Identifier = "0014bf8abbc5" NAS-Port = 48 Framed-MTU = 1400 State = 0x12d80ee010db174ed007cbe32dab339b NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020300061900 Message-Authenticator = 0xdd9bb4604cc491e52d93993ef5295629 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop [suffix] No '@' in User-Name = "kim.almarez", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 3 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 0 to 10.96.100.205 port 1402 EAP-Message = 0x0104009e19006f0fd8a5dc5276fa83706f679780f3e60b36f5b3489d5551b7dc0590f2ddf6959d4ba9550b38329c20dce0ab3182205608a19b3d2964953695b467af4cd29ade6a679b18dfa5492a4286fe5b2a13c12d8305450e32b2441a68b97f9701655d60ad7d399f3b693b9562b3353d3bd5d730cab42857c0e5edb72fde0d9b70eeb03dd0afd787e1ceede01810d2c9e83bdc16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x12d80ee011dc174ed007cbe32dab339b Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.96.100.205 port 1404, id=0, length=475 User-Name = "kim.almarez" NAS-IP-Address = 10.96.100.205 Called-Station-Id = "0014bf8abbc5" Calling-Station-Id = "002682a0ed7d" NAS-Identifier = "0014bf8abbc5" NAS-Port = 48 Framed-MTU = 1400 State = 0x12d80ee011dc174ed007cbe32dab339b NAS-Port-Type = Wireless-802.11 EAP-Message = 0x02040150198000000146160301010610000102010072ae88400938d0083fb0c12f09a139a709419f40b8e6e8ee460d4f27084a0dd29e3bd409b6c0ced511e697bf480c470c3610300cc2afb8b6497786541b2d2a0c2ae85b52ded272301ae94bcb6afff2486b216641263acb4e8a84c8bf344b4b11c79e32e69006ff4f7bfdfc0c718bd7432dbdd9a211766d2a88d6d97970d9e96556978300cd185226dde14cd250be748c24f91aa6b64c518248d317ca782879c14db4457507c36f2b283fd7889ec44b7077e4c36ddcb14764bc526453823ef563e726b99fa57b75cfc3df5abceae234481030dbd9b720e37340e45ed41c9b364e731a3f4a129ced89 EAP-Message = 0x01a5d935cf98912a36e4be9e65cbf0cf5ac5463cc4e1628114030100010116030100308f36fda82b7cda0759ab0ee21afa5591d781fce8b1588d36f6ad3c8cf411d7fd2896ed5cf1031dd31ade315efd50fdf0 Message-Authenticator = 0xf19bbe506fd86435dea00fe97bd3d5f7 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop [suffix] No '@' in User-Name = "kim.almarez", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 4 length 253 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 326 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 0 to 10.96.100.205 port 1404 EAP-Message = 0x0105004119001403010001011603010030b2753b377ba0009e0080331ffad6cc2487b5f2964bec77e42cf81df39a55d2390cf58ae71eee164d33308963dff57f80 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x12d80ee016dd174ed007cbe32dab339b Finished request 4. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.96.100.205 port 1406, id=0, length=143 User-Name = "kim.almarez" NAS-IP-Address = 10.96.100.205 Called-Station-Id = "0014bf8abbc5" Calling-Station-Id = "002682a0ed7d" NAS-Identifier = "0014bf8abbc5" NAS-Port = 48 Framed-MTU = 1400 State = 0x12d80ee016dd174ed007cbe32dab339b NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020500061900 Message-Authenticator = 0x01fd398985e73333d344efbb9e9f6397 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop [suffix] No '@' in User-Name = "kim.almarez", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 5 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS ++[eap] returns handled Sending Access-Challenge of id 0 to 10.96.100.205 port 1406 EAP-Message = 0x0106002b19001703010020ef046be0ff90417c0226190d61886f677aa0ba56c643c01435e9e1e7a16c550d Message-Authenticator = 0x00000000000000000000000000000000 State = 0x12d80ee017de174ed007cbe32dab339b Finished request 5. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 10.96.100.205 port 1408, id=0, length=196 User-Name = "kim.almarez" NAS-IP-Address = 10.96.100.205 Called-Station-Id = "0014bf8abbc5" Calling-Station-Id = "002682a0ed7d" NAS-Identifier = "0014bf8abbc5" NAS-Port = 48 Framed-MTU = 1400 State = 0x12d80ee017de174ed007cbe32dab339b NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0206003b190017030100307190bd67cb930b02c0335ee671382000c7ba0ae8e918a20772fdfbf2029c11ac948f85d5ac1db3ec8404869db9d7363d Message-Authenticator = 0x752100cc4f0dcddef59bc1cb270c4b6d +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop [suffix] No '@' in User-Name = "kim.almarez", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 6 length 59 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Identity - kim.almarez [peap] Got tunneled request EAP-Message = 0x02060010016b696d2e616c6d6172657a server { PEAP: Got tunneled identity of kim.almarez PEAP: Setting default EAP type for tunneled EAP session. PEAP: Setting User-Name to kim.almarez Sending tunneled request EAP-Message = 0x02060010016b696d2e616c6d6172657a FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "kim.almarez" server inner-tunnel { +- entering group authorize {...} ++[chap] returns noop ++[unix] returns notfound [suffix] No '@' in User-Name = "kim.almarez", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 6 length 16 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop [ldap] performing user authorization for kim.almarez [ldap] expand: %{Stripped-User-Name} -> [ldap] expand: %{User-Name} -> kim.almarez [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=kim.almarez) [ldap] expand: O=SMPRIME -> O=SMPRIME rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in O=SMPRIME, with filter (uid=kim.almarez) [ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] user kim.almarez authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x010700251a0107002010661c04d831bfa95bcef52c9c9387ef836b696d2e616c6d6172657a Message-Authenticator = 0x00000000000000000000000000000000 State = 0x3a9f4a7c3a985093651140f65e1dbc5b [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x010700251a0107002010661c04d831bfa95bcef52c9c9387ef836b696d2e616c6d6172657a Message-Authenticator = 0x00000000000000000000000000000000 State = 0x3a9f4a7c3a985093651140f65e1dbc5b [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 0 to 10.96.100.205 port 1408 EAP-Message = 0x0107004b1900170301004029c7eee1f15e70ef2533d6b5a35d36168624b40f86f1a8004e6794d90be7d45c45319480d61db02f01a3854247418ee133e1707761857dff56a546518c17916f Message-Authenticator = 0x00000000000000000000000000000000 State = 0x12d80ee014df174ed007cbe32dab339b Finished request 6. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 10.96.100.205 port 1410, id=0, length=244 User-Name = "kim.almarez" NAS-IP-Address = 10.96.100.205 Called-Station-Id = "0014bf8abbc5" Calling-Station-Id = "002682a0ed7d" NAS-Identifier = "0014bf8abbc5" NAS-Port = 48 Framed-MTU = 1400 State = 0x12d80ee014df174ed007cbe32dab339b NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0207006b190017030100606483cdd3ba73bce3c05308c3796c8c70d7479ec7922b1f03240faca33cfa11e64eb753d28d135e4a9a9425236ce6ba32547ad5c3d0420e0f0037413f159124de15166d366801e63e15c9de1bac2ff63e4edf0f11be92452bbb47fa60148ee26a Message-Authenticator = 0xf617ac11a29c2f13dad2ef64e2b03526 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop [suffix] No '@' in User-Name = "kim.almarez", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 7 length 107 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x020700461a02070041315dc57ae46932cd1054bd09e0436fd1fe000000000000000075cc54e270c430cf5e13c4703b5bada0537b38a1aaf0d700006b696d2e616c6d6172657a server { PEAP: Setting User-Name to kim.almarez Sending tunneled request EAP-Message = 0x020700461a02070041315dc57ae46932cd1054bd09e0436fd1fe000000000000000075cc54e270c430cf5e13c4703b5bada0537b38a1aaf0d700006b696d2e616c6d6172657a FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "kim.almarez" State = 0x3a9f4a7c3a985093651140f65e1dbc5b server inner-tunnel { +- entering group authorize {...} ++[chap] returns noop ++[unix] returns notfound [suffix] No '@' in User-Name = "kim.almarez", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 7 length 70 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop [ldap] performing user authorization for kim.almarez [ldap] expand: %{Stripped-User-Name} -> [ldap] expand: %{User-Name} -> kim.almarez [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=kim.almarez) [ldap] expand: O=SMPRIME -> O=SMPRIME rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in O=SMPRIME, with filter (uid=kim.almarez) [ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] user kim.almarez authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] WARNING: Unknown value specified for Auth-Type. Cannot perform requested action. [eap] Freeing handler ++[eap] returns reject Failed to authenticate the user. } # server inner-tunnel [peap] Got tunneled reply code 3 EAP-Message = 0x04070004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Got tunneled reply RADIUS code 3 EAP-Message = 0x04070004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Tunneled authentication was rejected. [peap] FAILURE ++[eap] returns handled Sending Access-Challenge of id 0 to 10.96.100.205 port 1410 EAP-Message = 0x0108002b1900170301002079260559645c9857376d741abe65d55cc54f1a2aa52afabbe7f7ffac0a4c92ee Message-Authenticator = 0x00000000000000000000000000000000 State = 0x12d80ee015d0174ed007cbe32dab339b Finished request 7. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 10.96.100.205 port 1412, id=0, length=180 User-Name = "kim.almarez" NAS-IP-Address = 10.96.100.205 Called-Station-Id = "0014bf8abbc5" Calling-Station-Id = "002682a0ed7d" NAS-Identifier = "0014bf8abbc5" NAS-Port = 48 Framed-MTU = 1400 State = 0x12d80ee015d0174ed007cbe32dab339b NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0208002b1900170301002098690ec5e9147f0af3b0e762ad2031c2406ea7bfc98262f36fbd12a2b813e5a9 Message-Authenticator = 0x106af60537eb38932efe628a03dea9b3 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop [suffix] No '@' in User-Name = "kim.almarez", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 8 length 43 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Received EAP-TLV response. [peap] Had sent TLV failure. User was rejected earlier in this session. [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> kim.almarez attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 8 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 8 Sending Access-Reject of id 0 to 10.96.100.205 port 1412 EAP-Message = 0x04080004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.7 seconds. Cleaning up request 0 ID 0 with timestamp +14 Cleaning up request 1 ID 0 with timestamp +15 Cleaning up request 2 ID 0 with timestamp +15 Cleaning up request 3 ID 0 with timestamp +15 Cleaning up request 4 ID 0 with timestamp +15 Cleaning up request 5 ID 0 with timestamp +15 Cleaning up request 6 ID 0 with timestamp +15 Cleaning up request 7 ID 0 with timestamp +15 Waking up in 1.0 seconds. Cleaning up request 8 ID 0 with timestamp +15 Ready to process requests. The only error I found in this debug was with the mschapv2, I don't know what might be the problem? -- View this message in context: http://old.nabble.com/Lotus-Notes-Encryption-tp29449703p29478724.html Sent from the FreeRadius - User mailing list archive at Nabble.com.
Hi,
But then again, when I tested it out, it only works locally with linux platforms but when I tried to test it with the wifi router and windows clients, it didn't.
That's because your Windows clients use PEAP. PEAP encrypts the user's password, while Notes encrypts it in a different, and incompatible way. Due to that, PEAP and Notes *will not work*. You could possibly remedy this with a windows client that speaks TTLS-PAP instead. But that's extra software to install and may or may not be practical for you. Greetings, Stefan Winter
Here is my debug:
rad_recv: Access-Request packet from host 10.96.100.205 port 1400, id=0, length=143 User-Name = "kim.almarez" NAS-IP-Address = 10.96.100.205 Called-Station-Id = "0014bf8abbc5" Calling-Station-Id = "002682a0ed7d" NAS-Identifier = "0014bf8abbc5" NAS-Port = 48 Framed-MTU = 1400 State = 0x12d80ee013da174ed007cbe32dab339b NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020200061900 Message-Authenticator = 0xed627311a6a1881b5ccc49e9a637dbb5 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop [suffix] No '@' in User-Name = "kim.almarez", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 2 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 0 to 10.96.100.205 port 1400 EAP-Message = 0x010303fc1940a5300d06092a864886f70d010105050030818e310b3009060355040613025048310f300d060355040813064d616e696c61310e300c0603550407130550617361793111300f060355040a1308534d205072696d653123302106092a864886f70d0109011614706572657a2e32726f6e40676d61696c2e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3130303830353231343433315a170d3131303830353231343433315a30818e310b3009060355040613025048310f300d060355040813064d616e696c61310e300c0603550407130550617361793111300f06 EAP-Message = 0x0355040a1308534d205072696d653123302106092a864886f70d0109011614706572657a2e32726f6e40676d61696c2e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100c377b277cfce89da192b6975f0e2c6f2860fd64da3fd80309a1ea8bb2ef91fa0d004899dfb920f5bd5bba909cc537b86d0ac729985a36c6c7bb562a02aeb6cbbadbd25c73240631e24c7bc66d8bcc423848426c6094bebdca51e781a251f99361eb4885aaa88541eabb41ccf08250ccfa82eb3f18b3ba6025f53e1994f0e9a5f81 EAP-Message = 0x96ab436778d1b5b28ffa1d177836b9584f8228ae3f38eb1b255e5ecc9ffdb5fd5f41ed8f88d07fb1865be3b978d27fd8f5de8a5f66814c415f2f81948713e5475d61ff81076a6c12afd11a2b4efb8114e2dee083866a63775065a83aecaa60f96d32d41db2651e6523d1dda4968768503b77957ed302e70148af04bea6b33d0203010001a381f63081f3301d0603551d0e04160414eb114a719ea71a316c157f42cb959cbe3d7ad1453081c30603551d230481bb3081b88014eb114a719ea71a316c157f42cb959cbe3d7ad145a18194a4819130818e310b3009060355040613025048310f300d060355040813064d616e696c61310e300c0603550407 EAP-Message = 0x130550617361793111300f060355040a1308534d205072696d653123302106092a864886f70d0109011614706572657a2e32726f6e40676d61696c2e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479820900e6d6f0b5c23c70a5300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100560f8590dfda5419fd715a32a3c02c7dfea64b4f7ab3f1d76173a6206a9919d372f97837051eba6b10fa29e2f813863875f2f260ce5e7935ddc4267fb7b6230d9c2b4cdaaf825e25b4910d895ed0355c1860eb0cb62961ee54228efe26aa5315820139132002a30d07 EAP-Message = 0xbd4b27e772945483 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x12d80ee010db174ed007cbe32dab339b Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.96.100.205 port 1402, id=0, length=143 User-Name = "kim.almarez" NAS-IP-Address = 10.96.100.205 Called-Station-Id = "0014bf8abbc5" Calling-Station-Id = "002682a0ed7d" NAS-Identifier = "0014bf8abbc5" NAS-Port = 48 Framed-MTU = 1400 State = 0x12d80ee010db174ed007cbe32dab339b NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020300061900 Message-Authenticator = 0xdd9bb4604cc491e52d93993ef5295629 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop [suffix] No '@' in User-Name = "kim.almarez", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 3 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 0 to 10.96.100.205 port 1402 EAP-Message = 0x0104009e19006f0fd8a5dc5276fa83706f679780f3e60b36f5b3489d5551b7dc0590f2ddf6959d4ba9550b38329c20dce0ab3182205608a19b3d2964953695b467af4cd29ade6a679b18dfa5492a4286fe5b2a13c12d8305450e32b2441a68b97f9701655d60ad7d399f3b693b9562b3353d3bd5d730cab42857c0e5edb72fde0d9b70eeb03dd0afd787e1ceede01810d2c9e83bdc16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x12d80ee011dc174ed007cbe32dab339b Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.96.100.205 port 1404, id=0, length=475 User-Name = "kim.almarez" NAS-IP-Address = 10.96.100.205 Called-Station-Id = "0014bf8abbc5" Calling-Station-Id = "002682a0ed7d" NAS-Identifier = "0014bf8abbc5" NAS-Port = 48 Framed-MTU = 1400 State = 0x12d80ee011dc174ed007cbe32dab339b NAS-Port-Type = Wireless-802.11 EAP-Message = 0x02040150198000000146160301010610000102010072ae88400938d0083fb0c12f09a139a709419f40b8e6e8ee460d4f27084a0dd29e3bd409b6c0ced511e697bf480c470c3610300cc2afb8b6497786541b2d2a0c2ae85b52ded272301ae94bcb6afff2486b216641263acb4e8a84c8bf344b4b11c79e32e69006ff4f7bfdfc0c718bd7432dbdd9a211766d2a88d6d97970d9e96556978300cd185226dde14cd250be748c24f91aa6b64c518248d317ca782879c14db4457507c36f2b283fd7889ec44b7077e4c36ddcb14764bc526453823ef563e726b99fa57b75cfc3df5abceae234481030dbd9b720e37340e45ed41c9b364e731a3f4a129ced89 EAP-Message = 0x01a5d935cf98912a36e4be9e65cbf0cf5ac5463cc4e1628114030100010116030100308f36fda82b7cda0759ab0ee21afa5591d781fce8b1588d36f6ad3c8cf411d7fd2896ed5cf1031dd31ade315efd50fdf0 Message-Authenticator = 0xf19bbe506fd86435dea00fe97bd3d5f7 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop [suffix] No '@' in User-Name = "kim.almarez", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 4 length 253 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 326 [peap] Length Included [peap] eaptls_verify returned 11 [peap]<<< TLS 1.0 Handshake [length 0106], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap]<<< TLS 1.0 ChangeCipherSpec [length 0001] [peap]<<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap]>>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap]>>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 0 to 10.96.100.205 port 1404 EAP-Message = 0x0105004119001403010001011603010030b2753b377ba0009e0080331ffad6cc2487b5f2964bec77e42cf81df39a55d2390cf58ae71eee164d33308963dff57f80 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x12d80ee016dd174ed007cbe32dab339b Finished request 4. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.96.100.205 port 1406, id=0, length=143 User-Name = "kim.almarez" NAS-IP-Address = 10.96.100.205 Called-Station-Id = "0014bf8abbc5" Calling-Station-Id = "002682a0ed7d" NAS-Identifier = "0014bf8abbc5" NAS-Port = 48 Framed-MTU = 1400 State = 0x12d80ee016dd174ed007cbe32dab339b NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020500061900 Message-Authenticator = 0x01fd398985e73333d344efbb9e9f6397 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop [suffix] No '@' in User-Name = "kim.almarez", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 5 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS ++[eap] returns handled Sending Access-Challenge of id 0 to 10.96.100.205 port 1406 EAP-Message = 0x0106002b19001703010020ef046be0ff90417c0226190d61886f677aa0ba56c643c01435e9e1e7a16c550d Message-Authenticator = 0x00000000000000000000000000000000 State = 0x12d80ee017de174ed007cbe32dab339b Finished request 5. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 10.96.100.205 port 1408, id=0, length=196 User-Name = "kim.almarez" NAS-IP-Address = 10.96.100.205 Called-Station-Id = "0014bf8abbc5" Calling-Station-Id = "002682a0ed7d" NAS-Identifier = "0014bf8abbc5" NAS-Port = 48 Framed-MTU = 1400 State = 0x12d80ee017de174ed007cbe32dab339b NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0206003b190017030100307190bd67cb930b02c0335ee671382000c7ba0ae8e918a20772fdfbf2029c11ac948f85d5ac1db3ec8404869db9d7363d Message-Authenticator = 0x752100cc4f0dcddef59bc1cb270c4b6d +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop [suffix] No '@' in User-Name = "kim.almarez", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 6 length 59 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Identity - kim.almarez [peap] Got tunneled request EAP-Message = 0x02060010016b696d2e616c6d6172657a server { PEAP: Got tunneled identity of kim.almarez PEAP: Setting default EAP type for tunneled EAP session. PEAP: Setting User-Name to kim.almarez Sending tunneled request EAP-Message = 0x02060010016b696d2e616c6d6172657a FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "kim.almarez" server inner-tunnel { +- entering group authorize {...} ++[chap] returns noop ++[unix] returns notfound [suffix] No '@' in User-Name = "kim.almarez", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 6 length 16 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop [ldap] performing user authorization for kim.almarez [ldap] expand: %{Stripped-User-Name} -> [ldap] expand: %{User-Name} -> kim.almarez [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=kim.almarez) [ldap] expand: O=SMPRIME -> O=SMPRIME rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in O=SMPRIME, with filter (uid=kim.almarez) [ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] user kim.almarez authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x010700251a0107002010661c04d831bfa95bcef52c9c9387ef836b696d2e616c6d6172657a Message-Authenticator = 0x00000000000000000000000000000000 State = 0x3a9f4a7c3a985093651140f65e1dbc5b [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x010700251a0107002010661c04d831bfa95bcef52c9c9387ef836b696d2e616c6d6172657a Message-Authenticator = 0x00000000000000000000000000000000 State = 0x3a9f4a7c3a985093651140f65e1dbc5b [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 0 to 10.96.100.205 port 1408 EAP-Message = 0x0107004b1900170301004029c7eee1f15e70ef2533d6b5a35d36168624b40f86f1a8004e6794d90be7d45c45319480d61db02f01a3854247418ee133e1707761857dff56a546518c17916f Message-Authenticator = 0x00000000000000000000000000000000 State = 0x12d80ee014df174ed007cbe32dab339b Finished request 6. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 10.96.100.205 port 1410, id=0, length=244 User-Name = "kim.almarez" NAS-IP-Address = 10.96.100.205 Called-Station-Id = "0014bf8abbc5" Calling-Station-Id = "002682a0ed7d" NAS-Identifier = "0014bf8abbc5" NAS-Port = 48 Framed-MTU = 1400 State = 0x12d80ee014df174ed007cbe32dab339b NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0207006b190017030100606483cdd3ba73bce3c05308c3796c8c70d7479ec7922b1f03240faca33cfa11e64eb753d28d135e4a9a9425236ce6ba32547ad5c3d0420e0f0037413f159124de15166d366801e63e15c9de1bac2ff63e4edf0f11be92452bbb47fa60148ee26a Message-Authenticator = 0xf617ac11a29c2f13dad2ef64e2b03526 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop [suffix] No '@' in User-Name = "kim.almarez", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 7 length 107 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x020700461a02070041315dc57ae46932cd1054bd09e0436fd1fe000000000000000075cc54e270c430cf5e13c4703b5bada0537b38a1aaf0d700006b696d2e616c6d6172657a server { PEAP: Setting User-Name to kim.almarez Sending tunneled request EAP-Message = 0x020700461a02070041315dc57ae46932cd1054bd09e0436fd1fe000000000000000075cc54e270c430cf5e13c4703b5bada0537b38a1aaf0d700006b696d2e616c6d6172657a FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "kim.almarez" State = 0x3a9f4a7c3a985093651140f65e1dbc5b server inner-tunnel { +- entering group authorize {...} ++[chap] returns noop ++[unix] returns notfound [suffix] No '@' in User-Name = "kim.almarez", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 7 length 70 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop [ldap] performing user authorization for kim.almarez [ldap] expand: %{Stripped-User-Name} -> [ldap] expand: %{User-Name} -> kim.almarez [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=kim.almarez) [ldap] expand: O=SMPRIME -> O=SMPRIME rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in O=SMPRIME, with filter (uid=kim.almarez) [ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] user kim.almarez authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] WARNING: Unknown value specified for Auth-Type. Cannot perform requested action. [eap] Freeing handler ++[eap] returns reject Failed to authenticate the user. } # server inner-tunnel [peap] Got tunneled reply code 3 EAP-Message = 0x04070004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Got tunneled reply RADIUS code 3 EAP-Message = 0x04070004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Tunneled authentication was rejected. [peap] FAILURE ++[eap] returns handled Sending Access-Challenge of id 0 to 10.96.100.205 port 1410 EAP-Message = 0x0108002b1900170301002079260559645c9857376d741abe65d55cc54f1a2aa52afabbe7f7ffac0a4c92ee Message-Authenticator = 0x00000000000000000000000000000000 State = 0x12d80ee015d0174ed007cbe32dab339b Finished request 7. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 10.96.100.205 port 1412, id=0, length=180 User-Name = "kim.almarez" NAS-IP-Address = 10.96.100.205 Called-Station-Id = "0014bf8abbc5" Calling-Station-Id = "002682a0ed7d" NAS-Identifier = "0014bf8abbc5" NAS-Port = 48 Framed-MTU = 1400 State = 0x12d80ee015d0174ed007cbe32dab339b NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0208002b1900170301002098690ec5e9147f0af3b0e762ad2031c2406ea7bfc98262f36fbd12a2b813e5a9 Message-Authenticator = 0x106af60537eb38932efe628a03dea9b3 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop [suffix] No '@' in User-Name = "kim.almarez", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 8 length 43 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Received EAP-TLV response. [peap] Had sent TLV failure. User was rejected earlier in this session. [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> kim.almarez attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 8 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 8 Sending Access-Reject of id 0 to 10.96.100.205 port 1412 EAP-Message = 0x04080004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.7 seconds. Cleaning up request 0 ID 0 with timestamp +14 Cleaning up request 1 ID 0 with timestamp +15 Cleaning up request 2 ID 0 with timestamp +15 Cleaning up request 3 ID 0 with timestamp +15 Cleaning up request 4 ID 0 with timestamp +15 Cleaning up request 5 ID 0 with timestamp +15 Cleaning up request 6 ID 0 with timestamp +15 Cleaning up request 7 ID 0 with timestamp +15 Waking up in 1.0 seconds. Cleaning up request 8 ID 0 with timestamp +15 Ready to process requests.
The only error I found in this debug was with the mschapv2, I don't know what might be the problem?
-- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg Tel: +352 424409 1 Fax: +352 422473
Thanks for the quick response Stefan. Regarding with practicality issues, its not a problem. I want to try all the possibility for me to be able to make this work.
Due to that, PEAP and Notes *will not work*. You could possibly remedy this with a windows client that speaks TTLS-PAP instead. But that's extra software to install and may or may not be practical for you.
I'm not familiar with the TTLS-PAP protocol and using PAP for authentication might make my server not work again with regards to LDAP, but still I want to give it a try. And also what are these "softwares" that will help me work this TTLS-PAP protocol? -- View this message in context: http://old.nabble.com/Lotus-Notes-Encryption-tp29449703p29478963.html Sent from the FreeRadius - User mailing list archive at Nabble.com.
Hi, google for "supplicant TTLS-PAP". There are numerous products for numerous platforms. Stefan Am 19.08.2010 08:38, schrieb rrperez:
Thanks for the quick response Stefan.
Regarding with practicality issues, its not a problem. I want to try all the possibility for me to be able to make this work.
Due to that, PEAP and Notes *will not work*. You could possibly remedy this with a windows client that speaks TTLS-PAP instead. But that's extra software to install and may or may not be practical for you. I'm not familiar with the TTLS-PAP protocol and using PAP for authentication might make my server not work again with regards to LDAP, but still I want to give it a try. And also what are these "softwares" that will help me work this TTLS-PAP protocol?
-- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg Tel: +352 424409 1 Fax: +352 422473
On Thu, Aug 19, 2010 at 6:38 PM, rrperez <rrperez@apc.edu.ph> wrote:
Thanks for the quick response Stefan.
Regarding with practicality issues, its not a problem. I want to try all the possibility for me to be able to make this work.
Due to that, PEAP and Notes *will not work*. You could possibly remedy this with a windows client that speaks TTLS-PAP instead. But that's extra software to install and may or may not be practical for you.
I'm not familiar with the TTLS-PAP protocol and using PAP for authentication might make my server not work again with regards to LDAP, but still I want to give it a try. And also what are these "softwares" that will help me work this TTLS-PAP protocol?
It means that your clients will send the password to the radius server in cleartext rather than PEAP encrypting them. There isn't any way to authenticate against your Notes box with anything other than a cleartext password.
Thanks for the quick response Peter,
It means that your clients will send the password to the radius server in cleartext rather than PEAP encrypting them. There isn't any way to authenticate against your Notes box with anything other than a cleartext password.
I somewhat understand what your pointing at, but I don't know how to do this. My goal is to authenticate the users stored in notes ldap for my wireless network. Is it possible for me to do this? -- View this message in context: http://old.nabble.com/Lotus-Notes-Encryption-tp29449703p29479316.html Sent from the FreeRadius - User mailing list archive at Nabble.com.
On Thu, Aug 19, 2010 at 7:42 PM, rrperez <rrperez@apc.edu.ph> wrote:
Thanks for the quick response Peter,
It means that your clients will send the password to the radius server in cleartext rather than PEAP encrypting them. There isn't any way to authenticate against your Notes box with anything other than a cleartext password.
I somewhat understand what your pointing at, but I don't know how to do this. My goal is to authenticate the users stored in notes ldap for my wireless network. Is it possible for me to do this?
Yes, I think Stefan more than answered the process you will need to take: google for "supplicant TTLS-PAP". There are numerous products for numerous platforms. It will mean that you will need to change your clients to get it working (installing a different supplicant rather than the standard windows one), and that the clients will talk to the access point over SSL (TTLS) but since it's using PAP the password is sent not hashed or encrypted. So then when the NAS (Wireless access point) talks to FreeRadius and sends the password not encrypted or hashed.
Hi,
It will mean that you will need to change your clients to get it working (installing a different supplicant rather than the standard windows one), and that the clients will talk to the access point over SSL (TTLS) but since it's using PAP the password is sent not hashed or encrypted. So then when the NAS (Wireless access point) talks to FreeRadius and sends the password not encrypted or hashed.
Uh, that last part is not true. The NAS doesn't see or transmit any passwords in the clear. The TLS tunnel spans from the client to the RADIUS server. The RADIUS server will then see the clear-text password, *no one else*. It's a popular urban legend that TTLS sends clear text passwords, but it's not true. Stefan -- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg Tel: +352 424409 1 Fax: +352 422473
Thanks for the quick response Peter and Stefan, Can you specifically tell me what do I need to make this TTLS-PAP? I have windows clients so do I need to download supplicant for windows? -- View this message in context: http://old.nabble.com/Lotus-Notes-Encryption-tp29449703p29479742.html Sent from the FreeRadius - User mailing list archive at Nabble.com.
Thanks for the response Alan, I have downloaded Open1x in my windows client, but I don't know how to configure it... -- View this message in context: http://old.nabble.com/Lotus-Notes-Encryption-tp29449703p29488293.html Sent from the FreeRadius - User mailing list archive at Nabble.com.
participants (5)
-
Alan Buxey -
Alan DeKok -
Peter Lambrechtsen -
rrperez -
Stefan Winter