Freeradius2.1.3 + Fedora9 + PEAP + AD = problem
Hello everyone, is there any progress resolving this issue? I have samba 3.5.6 on FC14 and have the SAME problem like I've had with FC9/10, Freeradius2 and samba included with distribution. The problem is I cant rollback to older Samba version as it does not support Windows 2008R2 domain.... Also I've got one point....I am running Fedora 8 with freeradius 1, with Samba 3.5.3 and radius is working fine for my wireless clients but I wanted to use freeradius 2 on newer Fedora distros - cant make it working, spent a loooot of time with this and still stucked on same issue like described above. Anyone has a suggestion pls? (Yes I have included the XP extensions - same certificate working OK with freeradius 1 and samba 3.5.3 on MS clients) Thanks! Lukas MSCHAP Success ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x01f700331a03f6002e533d363346434138453641313741443238314644303643423431 30373237353139413233364537433744 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2f3b45522ecc5ffaf0daaa4d5068ce69 [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x01f700331a03f6002e533d363346434138453641313741443238314644303643423431 30373237353139413233364537433744 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2f3b45522ecc5ffaf0daaa4d5068ce69 [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 122 to 172.31.183.1 port 2048 EAP-Message = 0x01f7005b190017030100509b7087b2a112825ea5aa08f802b90731b5f46e59349a2cde dc81a89f4103967283ba2f8990331ecb9ec7535a4f77b110e189f58f6162dbdc9a713a14 d562f0f4fa52f6838fccc6a9be5003515e0b1263 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2e4eb3ac29b9aa99635005e47464e6cc Finished request 12. Going to the next request Waking up in 1.4 seconds. Cleaning up request 0 ID 110 with timestamp +9 Cleaning up request 1 ID 111 with timestamp +9 Cleaning up request 2 ID 112 with timestamp +9 Cleaning up request 3 ID 113 with timestamp +9 Cleaning up request 4 ID 114 with timestamp +9 WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING: !! EAP session for state 0xbed60aebbaf213e9 did not finish! WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! -- View this message in context: http://freeradius.1045715.n5.nabble.com/Freeradius2-1-3-Fedora9-PEAP-AD- problem-tp2780544p3384416.html Sent from the FreeRadius - User mailing list archive at Nabble.com.
Hi, first off, i dont think this is a SAMBA issue...thats just me though - the SAMBA issue manifests itself in the authentication phase where ntlm_auth blows up (or rather is a damp squib)
is there any progress resolving this issue? I have samba 3.5.6 on FC14 and have the SAME problem like I've had with FC9/10, Freeradius2 and samba included with distribution. The problem is I cant rollback to older Samba version as it does not support Windows 2008R2 domain....
using 3.0.33 with 2008R2 here - I'd be very suprised if anything released after that version didnt work with 2008R2....
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING: !! EAP session for state 0xbed60aebbaf213e9 did not finish! WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
is your config on the new distro the same as that on the old distro? there really is no reason why you cant just clone/copy the configs if its the same version of FR! I'm wondering if something else hasnt been enabled/checked here. either that of its pointing to an OpenSSL issue - which would be nice (not) 2.1.11 has some extra tweaks in the PEAP code - might try the GIT release just to check? alan
Alan Buxey wrote:
first off, i dont think this is a SAMBA issue...thats just me though - the SAMBA issue manifests itself in the authentication phase where ntlm_auth blows up (or rather is a damp squib)
Sometimes ntlm_auth returns the *wrong* results, and only the client PC knows that they're wrong. In that case, the same thing happens. The client goes "huh?" and drops the connection part way through. Alan DeKok.
Hi,
Sometimes ntlm_auth returns the *wrong* results, and only the client PC knows that they're wrong.
In that case, the same thing happens. The client goes "huh?" and drops the connection part way through.
the supplied tiny bit of output snippet didnt show any ntlm_auth..... so I can only use witchcraft and cojecture to work out whats going on here! ;-) hint to original requester: radiusd -X with full output sent to this list os the magic that gets things working alan
here's the output of radius -X: (hope its long enough:)) [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 245 length 59 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state WAITING FOR INNER IDENTITY [peap] Identity - host/W400210.interoute.com [peap] Got inner identity 'host/W400210.interoute.com' [peap] Setting default EAP type for tunneled EAP session. [peap] Got tunneled request EAP-Message = 0x02f5001f01686f73742f573430303231302e696e7465726f7574652e636f6d server { PEAP: Setting User-Name to host/W400210.interoute.com Sending tunneled request EAP-Message = 0x02f5001f01686f73742f573430303231302e696e7465726f7574652e636f6d FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "host/W400210.interoute.com" server inner-tunnel { # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "host/W400210.interoute.com", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 245 length 31 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x01f600341a01f6002f10d576c25ad42b277594f37dbd0b1284a1686f73742f573430303231302e696e7465726f7574652e636f6d Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2f3b45522fcd5ffaf0daaa4d5068ce69 [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x01f600341a01f6002f10d576c25ad42b277594f37dbd0b1284a1686f73742f573430303231302e696e7465726f7574652e636f6d Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2f3b45522fcd5ffaf0daaa4d5068ce69 [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 121 to 172.31.183.1 port 2048 EAP-Message = 0x01f6005b19001703010050a99c434c2e7686d5c708631a745b9e1982e54f18e4dfab6a20a90729cc9464e6f8d585f1866fadc0e7e525f2a5940b1b2de54e6e353c60626f2f3fbe5d1ae5fc81667651806079097e04173bb57b71c5 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2e4eb3ac28b8aa99635005e47464e6cc Finished request 11. Going to the next request Waking up in 1.4 seconds. rad_recv: Access-Request packet from host 172.31.183.1 port 2048, id=122, length=292 User-Name = "host/W400210.interoute.com" NAS-Port = 0 Called-Station-Id = "00-15-6D-E4-20-94:ubnt" Calling-Station-Id = "00-21-6B-2C-7B-60" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11" EAP-Message = 0x02f6007b19001703010070bc9400c25ae1409e8e6edfc302aa1453d9f1b79fa4987803574a67e7b3d9afb5e1840df879867c8fb327c2c2a34c33891b5544069c789c36f0458efacfb4c0ed51c84a882afc1c92b0c8654ec6142a108a66abcfe4ca6e4511b9657465e88872612bff4edde5ced368931fc78925ce3d State = 0x2e4eb3ac28b8aa99635005e47464e6cc Message-Authenticator = 0x73d26de7784b67dc7b93fefb4b637fa2 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "host/W400210.interoute.com", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 246 length 123 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x02f600551a02f6005031725e21a5376765a7fd43620480eb763b00000000000000006a5b56a2f5eab6d72234ec6efdf4c164d03e9ea01cd22a1400686f73742f573430303231302e696e7465726f7574652e636f6d server { PEAP: Setting User-Name to host/W400210.interoute.com Sending tunneled request EAP-Message = 0x02f600551a02f6005031725e21a5376765a7fd43620480eb763b00000000000000006a5b56a2f5eab6d72234ec6efdf4c164d03e9ea01cd22a1400686f73742f573430303231302e696e7465726f7574652e636f6d FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "host/W400210.interoute.com" State = 0x2f3b45522fcd5ffaf0daaa4d5068ce69 server inner-tunnel { # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "host/W400210.interoute.com", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 246 length 85 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /etc/raddb/sites-enabled/inner-tunnel [mschapv2] +- entering group MS-CHAP {...} [mschap] Creating challenge hash with username: host/W400210.interoute.com [mschap] Told to do MS-CHAPv2 for host/W400210.interoute.com with NT-Password [mschap] expand: %{mschap:NT-Domain} -> interoute [mschap] expand: --domain=%{%{mschap:NT-Domain}:-INTEROUTE} -> --domain=interoute [mschap] expand: --username=%{mschap:User-Name:-None} -> --username=W400210$ [mschap] mschap2: d5 [mschap] Creating challenge hash with username: host/W400210.interoute.com [mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=e0f779583568ced2 [mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=6a5b56a2f5eab6d72234ec6efdf4c164d03e9ea01cd22a14 Exec-Program output: NT_KEY: 7AABD556DB5C9B2B59B26FDDBEF05A7E Exec-Program-Wait: plaintext: NT_KEY: 7AABD556DB5C9B2B59B26FDDBEF05A7E Exec-Program: returned: 0 [mschap] adding MS-CHAPv2 MPPE keys ++[mschap] returns ok MSCHAP Success ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x01f700331a03f6002e533d36334643413845364131374144323831464430364342343130373237353139413233364537433744 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2f3b45522ecc5ffaf0daaa4d5068ce69 [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x01f700331a03f6002e533d36334643413845364131374144323831464430364342343130373237353139413233364537433744 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2f3b45522ecc5ffaf0daaa4d5068ce69 [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 122 to 172.31.183.1 port 2048 EAP-Message = 0x01f7005b190017030100509b7087b2a112825ea5aa08f802b90731b5f46e59349a2cdedc81a89f4103967283ba2f8990331ecb9ec7535a4f77b110e189f58f6162dbdc9a713a14d562f0f4fa52f6838fccc6a9be5003515e0b1263 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2e4eb3ac29b9aa99635005e47464e6cc Finished request 12. Going to the next request Waking up in 1.4 seconds. Cleaning up request 0 ID 110 with timestamp +9 Cleaning up request 1 ID 111 with timestamp +9 Cleaning up request 2 ID 112 with timestamp +9 Cleaning up request 3 ID 113 with timestamp +9 Cleaning up request 4 ID 114 with timestamp +9 WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING: !! EAP session for state 0xbed60aebbaf213e9 did not finish! WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! -- View this message in context: http://freeradius.1045715.n5.nabble.com/Freeradius2-1-3-Fedora9-PEAP-AD-prob... Sent from the FreeRadius - User mailing list archive at Nabble.com.
complete debug here: including configuration file /etc/raddb/radiusd.conf including configuration file /etc/raddb/proxy.conf including configuration file /etc/raddb/clients.conf including files in directory /etc/raddb/modules/ including configuration file /etc/raddb/modules/smbpasswd including configuration file /etc/raddb/modules/inner-eap including configuration file /etc/raddb/modules/mac2vlan including configuration file /etc/raddb/modules/logintime including configuration file /etc/raddb/modules/wimax including configuration file /etc/raddb/modules/files including configuration file /etc/raddb/modules/chap including configuration file /etc/raddb/modules/acct_unique including configuration file /etc/raddb/modules/sradutmp including configuration file /etc/raddb/modules/etc_group including configuration file /etc/raddb/modules/sql_log including configuration file /etc/raddb/modules/realm including configuration file /etc/raddb/modules/detail.example.com including configuration file /etc/raddb/modules/expr including configuration file /etc/raddb/modules/attr_rewrite including configuration file /etc/raddb/modules/preprocess including configuration file /etc/raddb/modules/exec including configuration file /etc/raddb/modules/detail.log including configuration file /etc/raddb/modules/always including configuration file /etc/raddb/modules/ntlm_auth including configuration file /etc/raddb/modules/perl including configuration file /etc/raddb/modules/ippool including configuration file /etc/raddb/modules/counter including configuration file /etc/raddb/modules/pap including configuration file /etc/raddb/modules/opendirectory including configuration file /etc/raddb/modules/pam including configuration file /etc/raddb/modules/expiration including configuration file /etc/raddb/modules/attr_filter including configuration file /etc/raddb/modules/sqlcounter_expire_on_login including configuration file /etc/raddb/modules/cui including configuration file /etc/raddb/modules/otp including configuration file /etc/raddb/modules/echo including configuration file /etc/raddb/modules/detail including configuration file /etc/raddb/modules/unix including configuration file /etc/raddb/modules/linelog including configuration file /etc/raddb/modules/mac2ip including configuration file /etc/raddb/modules/passwd including configuration file /etc/raddb/modules/digest including configuration file /etc/raddb/modules/mschap including configuration file /etc/raddb/modules/dynamic_clients including configuration file /etc/raddb/modules/smsotp including configuration file /etc/raddb/modules/checkval including configuration file /etc/raddb/modules/policy including configuration file /etc/raddb/modules/radutmp including configuration file /etc/raddb/eap.conf including configuration file /etc/raddb/policy.conf including files in directory /etc/raddb/sites-enabled/ including configuration file /etc/raddb/sites-enabled/default including configuration file /etc/raddb/sites-enabled/inner-tunnel including configuration file /etc/raddb/sites-enabled/control-socket main { user = "radiusd" group = "radiusd" allow_core_dumps = no } including dictionary file /etc/raddb/dictionary main { prefix = "/usr" localstatedir = "/var" logdir = "/var/log/radius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/var/run/radiusd/radiusd.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 require_message_authenticator = yes zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 irt = 2 mrt = 16 mrc = 5 mrd = 30 } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } realm interoute.com { } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" nastype = "other" } client 172.31.183.1 { require_message_authenticator = no secret = "IrtS3cr3t" shortname = "test" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating module "exec" from file /etc/raddb/modules/exec exec { wait = no input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating module "expr" from file /etc/raddb/modules/expr Module: Linked to module rlm_expiration Module: Instantiating module "expiration" from file /etc/raddb/modules/expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating module "logintime" from file /etc/raddb/modules/logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating module "pap" from file /etc/raddb/modules/pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating module "chap" from file /etc/raddb/modules/chap Module: Linked to module rlm_mschap Module: Instantiating module "mschap" from file /etc/raddb/modules/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = yes ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{%{mschap:NT-Domain}:-INTEROUTE} --username=%{mschap:User-Name:-None} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" } Module: Linked to module rlm_unix Module: Instantiating module "unix" from file /etc/raddb/modules/unix unix { radwtmp = "/var/log/radius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating module "eap" from file /etc/raddb/eap.conf eap { default_eap_type = "peap" timer_expire = 60 ignore_unknown_eap_types = yes cisco_accounting_username_bug = no max_sessions = 4096 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 CA_path = "/etc/raddb/certs" pem_file_type = yes private_key_file = "/etc/raddb/certs/server.pem" certificate_file = "/etc/raddb/certs/server.pem" CA_file = "/etc/raddb/certs/ca.pem" private_key_password = "irts3cr3t" dh_file = "/etc/raddb/certs/dh" random_file = "/etc/raddb/certs/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" cache { enable = no lifetime = 24 max_entries = 255 } verify { } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "peap" copy_request_to_tunnel = yes use_tunneled_reply = yes virtual_server = "inner-tunnel" include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_realm Module: Instantiating module "suffix" from file /etc/raddb/modules/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating module "files" from file /etc/raddb/modules/files files { usersfile = "/etc/raddb/users" acctusersfile = "/etc/raddb/acct_users" preproxy_usersfile = "/etc/raddb/preproxy_users" compat = "no" } Module: Checking session {...} for more modules to load Module: Linked to module rlm_radutmp Module: Instantiating module "radutmp" from file /etc/raddb/modules/radutmp radutmp { filename = "/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating module "reply_log" from file /etc/raddb/modules/detail.log detail reply_log { detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Linked to module rlm_attr_filter Module: Instantiating module "attr_filter.access_reject" from file /etc/raddb/modules/attr_filter attr_filter attr_filter.access_reject { attrsfile = "/etc/raddb/attrs.access_reject" key = "%{User-Name}" } } # modules } # server server { # from file /etc/raddb/radiusd.conf modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_digest Module: Instantiating module "digest" from file /etc/raddb/modules/digest Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating module "preprocess" from file /etc/raddb/modules/preprocess preprocess { huntgroups = "/etc/raddb/huntgroups" hints = "/etc/raddb/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating module "acct_unique" from file /etc/raddb/modules/acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Instantiating module "detail" from file /etc/raddb/modules/detail detail { detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Instantiating module "attr_filter.accounting_response" from file /etc/raddb/modules/attr_filter attr_filter attr_filter.accounting_response { attrsfile = "/etc/raddb/attrs.accounting_response" key = "%{User-Name}" } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } listen { type = "control" listen { socket = "/var/run/radiusd/radiusd.sock" } } listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on command file /var/run/radiusd/radiusd.sock Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 172.31.183.1 port 2048, id=0, length=182 User-Name = "host/W400210.interoute.com" NAS-Port = 0 Called-Station-Id = "00-15-6D-E4-20-94:ubnt" Calling-Station-Id = "00-21-6B-2C-7B-60" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11" EAP-Message = 0x02c6001f01686f73742f573430303231302e696e7465726f7574652e636f6d Message-Authenticator = 0x2086936057abb685028c0d6a822aa868 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "host/W400210.interoute.com", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 198 length 31 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 0 to 172.31.183.1 port 2048 EAP-Message = 0x01c700061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x19e1d7f91926cef35112512f3e4cf22e Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.31.183.1 port 2048, id=1, length=304 User-Name = "host/W400210.interoute.com" NAS-Port = 0 Called-Station-Id = "00-15-6D-E4-20-94:ubnt" Calling-Station-Id = "00-21-6B-2C-7B-60" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11" EAP-Message = 0x02c7008719800000007d16030100780100007403014d5a7b14534aa09ca41c7bd17987c203df165ab6b0dc965e5858cde700cb70ad000018002f00350005000ac013c014c009c00a003200380013000401000033ff010001000000001a0018000015773430303231302e696e7465726f7574652e636f6d000a0006000400170018000b00020100 State = 0x19e1d7f91926cef35112512f3e4cf22e Message-Authenticator = 0x2b32f799723a82e5c7e2b5062d75b6d1 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "host/W400210.interoute.com", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 199 length 135 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 125 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 0078], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 0031], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 08e8], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 1 to 172.31.183.1 port 2048 EAP-Message = 0x01c8040019c00000092c16030100310200002d03014d5a7b12c27c74aa4c7199933b707d720a50d680b8535dd48d326e4a5fd59f8100002f000005ff0100010016030108e80b0008e40008e10003dd308203d9308202c1a003020102020101300d06092a864886f70d01010405003081ae310b300906035504061302554b310f300d06035504081306526164697573310f300d060355040713064c6f6e646f6e31263024060355040a131d496e7465726f75746520436f6d6d756e69636174696f6e73206c74642e3128302606092a864886f70d010901161969742e68656c706465736b40696e7465726f7574652e636f6d312b302906035504031322 EAP-Message = 0x496e7465726f75746520495420436572746966696361746520417574686f72697479301e170d3131303231343132313830305a170d3231303231313132313830305a308197310b300906035504061302554b310f300d0603550408130652616469757331263024060355040a131d496e7465726f75746520436f6d6d756e69636174696f6e73206c74642e312530230603550403131c496e7465726f757465205365727665722043657274696669636174653128302606092a864886f70d010901161969742e68656c706465736b40696e7465726f7574652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100 EAP-Message = 0xa741f250249c994d40ad311681f0ed4afac50ebb473bb114100ffe680a1056a94812766d66791df08c98d9b105961bcba77f22ce41d00679d3490dec55afd62b24482d986abccc3410c0f17fe90ba7b66f828614990d638ef8a6f15acc58c36de84d008fab9f93b3a97363279d5eef67d0a134eb7a8999df1ad3492148eeb0dd4395cb48da5f1c2f5000b61f17ffeb109cbe37c9b8ae91a544f1f19025b9bd22d3f7d9d934e8bb99e65a6e35bbfa32d3d9aa9c7727d05e3ffcfd640895c2038495b36b5df7769cfc27d9a841b10bcde211a88350f02792d08cdab74aa1d5d4c20f878639b0de7c6cf1a45c5754ac0f93f6ac8511b79d036ed7923ed11c EAP-Message = 0x467a1f0203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d010104050003820101008c6249969e0bbf0f52c4c402628416aa516c3fe2839d359bdcee1489336e1ad56d7a84e1f5f8c7a2de0723f02222b6af107c9ca953c50abc7e6302f1631791b0b99110830162625478b8bed900f68e1a967919b2943e4eafa226b2e42058a49cd7d08c2fd08c7b5aaf6287d9a95a645921a26ee9a74cf5f9586f3ffff736b35a491faa31e2e6ea909991a33ba9074ea06574ade7bf5cd82fe3e26dc559733e99ddf6df8a501229b4c14f5e7b9c5293eb2ab7c5bff5d07e3240f3eb373af4233ad1b874dc56564ab1 EAP-Message = 0xa5a20e9aaf752bf43a8bd5f7 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x19e1d7f91829cef35112512f3e4cf22e Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.31.183.1 port 2048, id=2, length=175 User-Name = "host/W400210.interoute.com" NAS-Port = 0 Called-Station-Id = "00-15-6D-E4-20-94:ubnt" Calling-Station-Id = "00-21-6B-2C-7B-60" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11" EAP-Message = 0x02c800061900 State = 0x19e1d7f91829cef35112512f3e4cf22e Message-Authenticator = 0x57d908a8c58e889747df1a768055cc61 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "host/W400210.interoute.com", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 200 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 2 to 172.31.183.1 port 2048 EAP-Message = 0x01c903fc194039d50a4217ab95935d20be66ebff6649dacec6aedec09483ebb8ce284f56a6219109150ffe43c6011fdab1c60004fe308204fa308203e2a003020102020900d532b93c5d7d3788300d06092a864886f70d01010505003081ae310b300906035504061302554b310f300d06035504081306526164697573310f300d060355040713064c6f6e646f6e31263024060355040a131d496e7465726f75746520436f6d6d756e69636174696f6e73206c74642e3128302606092a864886f70d010901161969742e68656c706465736b40696e7465726f7574652e636f6d312b302906035504031322496e7465726f757465204954204365727469 EAP-Message = 0x66696361746520417574686f72697479301e170d3131303231343132313830305a170d3231303231313132313830305a3081ae310b300906035504061302554b310f300d06035504081306526164697573310f300d060355040713064c6f6e646f6e31263024060355040a131d496e7465726f75746520436f6d6d756e69636174696f6e73206c74642e3128302606092a864886f70d010901161969742e68656c706465736b40696e7465726f7574652e636f6d312b302906035504031322496e7465726f75746520495420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a EAP-Message = 0x0282010100ad2cb86b0ab683de1fa8af7f6335dc0f3e26c8d5ee1f6669b0cb078507dc996f6b48784fa5a10da3e502ad6c91776bfcc9b6e358d6fc1e11da9cff912f9e6ba807d307e97d65752ac7dfb6a95e82f58e6f41200f129d6b84b691c83f80b0bd7fde6e4aa9c38068a0c84aa2d9d0b338110f3995c456c9e1ebad8c5dd11bcfc25bc1ad7dde428b8f42266b5fc1e3f5251c46f4f18d1247a16fd4f2c3581f33d66d32ccff8c79cd332cd8b01bf663d93df5cf8b321d33036f702cc45e35b737579c9a85b79804a403e1ca463148ef392146b9bff8ad7448e81e4eb5851c67fb86fb507e45e13d2bcd52d21153eded421bb8d513968488ddda4e EAP-Message = 0x3ba42382197015f70203010001a382011730820113301d0603551d0e04160414ffcee6d977ba79a7d9cd13ae8dea04b28ba09d243081e30603551d230481db3081d88014ffcee6d977ba79a7d9cd13ae8dea04b28ba09d24a181b4a481b13081ae310b300906035504061302554b310f300d06035504081306526164697573310f300d060355040713064c6f6e646f6e31263024060355040a131d496e7465726f75746520436f6d6d756e69636174696f6e73206c74642e3128302606092a864886f70d010901161969742e68656c706465736b40696e7465726f7574652e636f6d312b302906035504031322496e7465726f75746520495420436572 EAP-Message = 0x7469666963617465 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x19e1d7f91b28cef35112512f3e4cf22e Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.31.183.1 port 2048, id=3, length=175 User-Name = "host/W400210.interoute.com" NAS-Port = 0 Called-Station-Id = "00-15-6D-E4-20-94:ubnt" Calling-Station-Id = "00-21-6B-2C-7B-60" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11" EAP-Message = 0x02c900061900 State = 0x19e1d7f91b28cef35112512f3e4cf22e Message-Authenticator = 0x8368c99d80a0c2050239201e6ad3de5d # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "host/W400210.interoute.com", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 201 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 3 to 172.31.183.1 port 2048 EAP-Message = 0x01ca0146190020417574686f72697479820900d532b93c5d7d3788300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100619cae19f9a350653f93714f980b3b872ee91d00b2838d2472ef7acd24a5eab771dbf48973ab6645f9d0a45ec1306d6491cc6a2d7647be5590c6a50beceb4bda1d229d6578c2bf8bf00e736aa977f17a05cfdefa2955f2d30f2ede8bcb9ecfffd1af321c9f7c6541a58e431a6d74b8d20d79ec4c47c08c56d15b5eec1fe075ea8be888a2a1ecd647231640df34131cc7a575c20484f5cc0d3925584681fb904bb53ed9467c62995e00c8fd0315eac0a3202b7ebdf08cbf01efa6752889f5bfc9 EAP-Message = 0xbc288dcc6bc7b07c43c88f13f54b5c7485e021bff9937f97b61c4cd9955a882483f3ccdc7873db9696aa33939eb4f07d443a72b411a4aedc78127e68abf964b316030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x19e1d7f91a2bcef35112512f3e4cf22e Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.31.183.1 port 2048, id=4, length=507 User-Name = "host/W400210.interoute.com" NAS-Port = 0 Called-Station-Id = "00-15-6D-E4-20-94:ubnt" Calling-Station-Id = "00-21-6B-2C-7B-60" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11" EAP-Message = 0x02ca015019800000014616030101061000010201001fb89e07dfa9a129193e2a1aeb835708c851baca448425dd4e4ba8c7a89ec15c4c9c348e55fa010f68be5b01431f09ddb666c390488888655f9def8bfa37e304aba6ce2a27ffd30efbd9494ccaa8bc410dda67abfb001c7ba06588c83603857b89f240a178c2172ae9b18f77d10d2715508f26638dae6c137e6d95f6b200ded55a46d1a7b99b41da59758e1bb176b05fb1a49f8c649a72c940d62947557d78443a640b27c0aaf3e00fcb4a5d46371d9893c876b5e5a8000e3219bfb7acfc9b1d727c50bdb624dd2b4553e7d5567146d6820708e2680df5d6955d511f878192b8b6728d785fafd5ac EAP-Message = 0x877f6395546d8ffceaea1763554dabad7e75b521cb256a3a14030100010116030100301ad6918ae3ce346cb0fb0b534e1f0bf6311c52f276fbab653c3a63fb2059f7681c703e56444d8edb85454c6e6562d957 State = 0x19e1d7f91a2bcef35112512f3e4cf22e Message-Authenticator = 0x4f7da646facf5c2ed28c6deace803451 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "host/W400210.interoute.com", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 202 length 253 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 326 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 4 to 172.31.183.1 port 2048 EAP-Message = 0x01cb004119001403010001011603010030248cbdc2a3316feb233b176f3f28bcb92266193fbc9481ad9a3ea539e9c27b211e3e1a2a84f764b8ac6f81cfd9773f3c Message-Authenticator = 0x00000000000000000000000000000000 State = 0x19e1d7f91d2acef35112512f3e4cf22e Finished request 4. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.31.183.1 port 2048, id=5, length=175 User-Name = "host/W400210.interoute.com" NAS-Port = 0 Called-Station-Id = "00-15-6D-E4-20-94:ubnt" Calling-Station-Id = "00-21-6B-2C-7B-60" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11" EAP-Message = 0x02cb00061900 State = 0x19e1d7f91d2acef35112512f3e4cf22e Message-Authenticator = 0x3917594470892589955f46dbd7ded8e6 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "host/W400210.interoute.com", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 203 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS [peap] Session established. Decoding tunneled attributes. [peap] Peap state TUNNEL ESTABLISHED ++[eap] returns handled Sending Access-Challenge of id 5 to 172.31.183.1 port 2048 EAP-Message = 0x01cc002b1900170301002024c86ff58159a892da454ce68a8e5bcb76cd981375b48604954f63bc1b9a0d48 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x19e1d7f91c2dcef35112512f3e4cf22e Finished request 5. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.31.183.1 port 2048, id=6, length=228 User-Name = "host/W400210.interoute.com" NAS-Port = 0 Called-Station-Id = "00-15-6D-E4-20-94:ubnt" Calling-Station-Id = "00-21-6B-2C-7B-60" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11" EAP-Message = 0x02cc003b19001703010030117425fe92b858e8621bda5cb1482b3111d44b846727f45e8783197f5142426d1f1d72ccb275fa02c48e18c244f5229c State = 0x19e1d7f91c2dcef35112512f3e4cf22e Message-Authenticator = 0x1f50e10e8c2ef873e3cd519aff3e72a4 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "host/W400210.interoute.com", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 204 length 59 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state WAITING FOR INNER IDENTITY [peap] Identity - host/W400210.interoute.com [peap] Got inner identity 'host/W400210.interoute.com' [peap] Setting default EAP type for tunneled EAP session. [peap] Got tunneled request EAP-Message = 0x02cc001f01686f73742f573430303231302e696e7465726f7574652e636f6d server { PEAP: Setting User-Name to host/W400210.interoute.com Sending tunneled request EAP-Message = 0x02cc001f01686f73742f573430303231302e696e7465726f7574652e636f6d FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "host/W400210.interoute.com" server inner-tunnel { # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "host/W400210.interoute.com", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 204 length 31 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x01cd00341a01cd002f1057722d12d13b1d380aa5470e97b0bcbb686f73742f573430303231302e696e7465726f7574652e636f6d Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4eba3bab4e7721758a40bcf3cb7c5bef [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x01cd00341a01cd002f1057722d12d13b1d380aa5470e97b0bcbb686f73742f573430303231302e696e7465726f7574652e636f6d Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4eba3bab4e7721758a40bcf3cb7c5bef [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 6 to 172.31.183.1 port 2048 EAP-Message = 0x01cd005b190017030100507260d72eb44b851576b154d0aaa426ede523d2e9de4427407e1e781f542c24dae58cde0bb9475d097898b6f0b838c0accf9712d43e8e415f6eba600a7efea5ccb46ec000d385c7081cfeb7bd92e5f38e Message-Authenticator = 0x00000000000000000000000000000000 State = 0x19e1d7f91f2ccef35112512f3e4cf22e Finished request 6. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.31.183.1 port 2048, id=7, length=292 User-Name = "host/W400210.interoute.com" NAS-Port = 0 Called-Station-Id = "00-15-6D-E4-20-94:ubnt" Calling-Station-Id = "00-21-6B-2C-7B-60" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11" EAP-Message = 0x02cd007b190017030100702f2857601a1fe414858915ac7fbee32e7db867e167d66f94e0a2f4b1ee272f671ea79d51172815af5324572525c944d49a1ac532ec140ecd462ef176a3eebdd4876a31fc716f157b82339f32e263b78968d1cd5252d784b5a254e392925d204515953dc9fe453cf89aca147b92b24876 State = 0x19e1d7f91f2ccef35112512f3e4cf22e Message-Authenticator = 0x03b65bc02ccb65fa2ccf5f595523e4a6 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "host/W400210.interoute.com", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 205 length 123 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x02cd00551a02cd00503104dcfa4b78eb4fb62591cdc364285b290000000000000000352a79d5d709e4b799e55cf1e44fafdf90c58612d1b635c700686f73742f573430303231302e696e7465726f7574652e636f6d server { PEAP: Setting User-Name to host/W400210.interoute.com Sending tunneled request EAP-Message = 0x02cd00551a02cd00503104dcfa4b78eb4fb62591cdc364285b290000000000000000352a79d5d709e4b799e55cf1e44fafdf90c58612d1b635c700686f73742f573430303231302e696e7465726f7574652e636f6d FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "host/W400210.interoute.com" State = 0x4eba3bab4e7721758a40bcf3cb7c5bef server inner-tunnel { # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "host/W400210.interoute.com", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 205 length 85 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /etc/raddb/sites-enabled/inner-tunnel [mschapv2] +- entering group MS-CHAP {...} [mschap] Creating challenge hash with username: host/W400210.interoute.com [mschap] Told to do MS-CHAPv2 for host/W400210.interoute.com with NT-Password [mschap] expand: %{mschap:NT-Domain} -> interoute [mschap] expand: --domain=%{%{mschap:NT-Domain}:-INTEROUTE} -> --domain=interoute [mschap] expand: --username=%{mschap:User-Name:-None} -> --username=W400210$ [mschap] mschap2: 57 [mschap] Creating challenge hash with username: host/W400210.interoute.com [mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=f835392290550f39 [mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=352a79d5d709e4b799e55cf1e44fafdf90c58612d1b635c7 Exec-Program output: NT_KEY: 7AABD556DB5C9B2B59B26FDDBEF05A7E Exec-Program-Wait: plaintext: NT_KEY: 7AABD556DB5C9B2B59B26FDDBEF05A7E Exec-Program: returned: 0 [mschap] adding MS-CHAPv2 MPPE keys ++[mschap] returns ok MSCHAP Success ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x01ce00331a03cd002e533d43444435464341413246353237303741424432383345354333353232463637333545433533373434 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4eba3bab4f7421758a40bcf3cb7c5bef [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x01ce00331a03cd002e533d43444435464341413246353237303741424432383345354333353232463637333545433533373434 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4eba3bab4f7421758a40bcf3cb7c5bef [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 7 to 172.31.183.1 port 2048 EAP-Message = 0x01ce005b19001703010050c5800385fb460624aa757a36a2effe4e77491667921ecd2cc6b6b8f0b7e14eb54819e5382594071eaf4a512897aaf2923a0a13ab90403e4a5ca01475999bb16c80582d5ebf3979299b38e9d16ee92263 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x19e1d7f91e2fcef35112512f3e4cf22e Finished request 7. Going to the next request Waking up in 4.9 seconds. Cleaning up request 0 ID 0 with timestamp +4382 Cleaning up request 1 ID 1 with timestamp +4382 Cleaning up request 2 ID 2 with timestamp +4382 Cleaning up request 3 ID 3 with timestamp +4382 Cleaning up request 4 ID 4 with timestamp +4382 Cleaning up request 5 ID 5 with timestamp +4382 Cleaning up request 6 ID 6 with timestamp +4382 Cleaning up request 7 ID 7 with timestamp +4382 WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING: !! EAP session for state 0x19e1d7f91e2fcef3 did not finish! WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! -- View this message in context: http://freeradius.1045715.n5.nabble.com/Freeradius2-1-3-Fedora9-PEAP-AD-prob... Sent from the FreeRadius - User mailing list archive at Nabble.com.
Hi Alan, Thanks for quick reply I have read the log several times however nothing points me to the right direction...thats why I posted a question here... when I use username@domain.com I get access-reject as ntlm authentication fails so from this point its working ok I guess. Also I dont think its a certificate problem as I've got same results with linux / windows 7 clients.
From the debug I see ntlm authentication went OK then EAP session does not finish, but why this is happening? Do you think I am really facing the certificate compatibility problem? Even its working fine with freeradius 1.1.7? I've tried to create a new one but same results... Or have I missed anything else? Sorry FR 2.x.x is still new to me
Thanks Lukas -- View this message in context: http://freeradius.1045715.n5.nabble.com/Freeradius2-1-3-Fedora9-PEAP-AD-prob... Sent from the FreeRadius - User mailing list archive at Nabble.com.
Pretty new to FR as well but from what it looks like to me is your using Workstation login not user login. The portion [suffix] No '@' in User-Name = "host/W400210.interoute.com", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 198 length 31 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP looks like your supplicant is sending workstation logins and your LDAP server is rejecting them. I don't know though, I am not a big log reader, I skim over them to find the error, I really need to get into them more:) Brett Littrell Network Manager MUSD CISSP, CCSP, CCVP, MCNE
On Wednesday, February 16, 2011 at 1:38 AM, in message <1297849120978-3387353.post@n5.nabble.com>, lucky79 <lukas.hofrichtr@interoute.com> wrote:
Hi Alan, Thanks for quick reply I have read the log several times however nothing points me to the right direction...thats why I posted a question here... when I use username@domain.com I get access-reject as ntlm authentication fails so from this point its working ok I guess. Also I dont think its a certificate problem as I've got same results with linux / windows 7 clients.
From the debug I see ntlm authentication went OK then EAP session does not finish, but why this is happening? Do you think I am really facing the certificate compatibility problem? Even its working fine with freeradius 1.1.7? I've tried to create a new one but same results... Or have I missed anything else? Sorry FR 2.x.x is still new to me
Thanks Lukas -- View this message in context: http://freeradius.1045715.n5.nabble.com/Freeradius2-1-3-Fedora9-PEAP-AD-prob... Sent from the FreeRadius - User mailing list archive at Nabble.com. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
OK guys, I've managed to get things working... It was a samba issue as mentioned before, I've had to include following line in smb.conf: winbind forcesamlogon = true took a little while googling but first of all my freeradius server was configured correctly... Thanks all for your time Lukas -- View this message in context: http://freeradius.1045715.n5.nabble.com/Freeradius2-1-3-Fedora9-PEAP-AD-prob... Sent from the FreeRadius - User mailing list archive at Nabble.com.
Hi Alan, my previous config is for FR 1.x, now I want to use FR 2.1.x so I dont think I can use same config files as there are some differences between FR 1 & 2, right? Its really strange as I've tried to build the system on FC10 last year already - configured from scratch but now with FC14 still facing the same problem which I couldn't solve yet. Problem I have with FR1 on FC8 is that sometimes (randomly) the daemon hangs and need to be restarted (its a VM running on ESX) so I was thinking to upgrade to FR2 because if that, also FC8 is already quite old distribution... Will try the GIT release as suggested.. thanks for now Lukas -- View this message in context: http://freeradius.1045715.n5.nabble.com/Freeradius2-1-3-Fedora9-PEAP-AD-prob... Sent from the FreeRadius - User mailing list archive at Nabble.com.
participants (5)
-
Alan Buxey -
Alan DeKok -
Brett Littrell -
lucky79 -
Lukas Hofrichtr