I have been able to install freeradius using the Synaptic Package Manager. I installed these two packages openssl and the freeradius. I have also installed certificates. I have been able to get everything to work with freeradius except PEAP and TLS. Do I need to install other packages or do anything else in order to get PEAP and TLS to work? Thanks Scott
On Mon, Jun 27, 2011 at 8:16 AM, Gilmour, Scott <sgilmour@enterasys.com> wrote:
I have been able to install freeradius using the Synaptic Package Manager.
I installed these two packages openssl and the freeradius.
I have also installed certificates.
I have been able to get everything to work with freeradius except PEAP and TLS.
What's the error you get? What's the output of "freeradius -X"?
Do I need to install other packages or do anything else in order to get PEAP and TLS to work?
The defaults should be enough. Unless if you're trying AD integration. -- Fajar
Thanks for the reply here is my debug log Looks like it is failing here. Tue Jun 21 09:35:28 2011 : Info: [mschap] No Cleartext-Password configured. Cannot create LM-Password. Tue Jun 21 09:35:28 2011 : Info: [mschap] No Cleartext-Password configured. Cannot create NT-Password. Tue Jun 21 09:35:28 2011 : Info: [mschap] NT Domain delimeter found, should we have enabled with_ntdomain_hack? Tue Jun 21 09:35:28 2011 : Info: [mschap] Told to do MS-CHAPv2 for SQA\Administrator with NT-Password Tue Jun 21 09:35:28 2011 : Info: [mschap] FAILED: No NT/LM-Password. Cannot perform authentication. Tue Jun 21 09:35:28 2011 : Info: [mschap] FAILED: MS-CHAP2-Response is incorrect Tue Jun 21 09:35:28 2011 : Info: ++[mschap] returns reject Tue Jun 21 09:35:28 2011 : Info: [eap] Freeing handler Tue Jun 21 09:35:28 2011 : Info: ++[eap] returns reject root@Ubuntu-FreeRadius:/etc/freeradius# freeradius -X -X -X Tue Jun 21 13:06:55 2011 : Info: FreeRADIUS Version 2.1.8, for host i486-pc-linux-gnu, built on Jan 5 2010 at 02:49:11 Tue Jun 21 13:06:55 2011 : Info: Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. Tue Jun 21 13:06:55 2011 : Info: There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A Tue Jun 21 13:06:55 2011 : Info: PARTICULAR PURPOSE. Tue Jun 21 13:06:55 2011 : Info: You may redistribute copies of FreeRADIUS under the terms of the Tue Jun 21 13:06:55 2011 : Info: GNU General Public License v2. Tue Jun 21 13:06:55 2011 : Info: Starting - reading configuration files ... Tue Jun 21 13:06:55 2011 : Debug: including configuration file /etc/freeradius/radiusd.conf Tue Jun 21 13:06:55 2011 : Debug: including configuration file /etc/freeradius/proxy.conf Tue Jun 21 13:06:55 2011 : Debug: including configuration file /etc/freeradius/clients.conf Tue Jun 21 13:06:55 2011 : Debug: including files in directory /etc/freeradius/modules/ Tue Jun 21 13:06:55 2011 : Debug: including configuration file /etc/freeradius/modules/mac2ip Tue Jun 21 13:06:55 2011 : Debug: including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login Tue Jun 21 13:06:55 2011 : Debug: including configuration file /etc/freeradius/modules/wimax Tue Jun 21 13:06:55 2011 : Debug: including configuration file /etc/freeradius/modules/detail.example.com Tue Jun 21 13:06:55 2011 : Debug: including configuration file /etc/freeradius/modules/detail.log Tue Jun 21 13:06:55 2011 : Debug: including configuration file /etc/freeradius/modules/digest Tue Jun 21 13:06:55 2011 : Debug: including configuration file /etc/freeradius/modules/chap Tue Jun 21 13:06:55 2011 : Debug: including configuration file /etc/freeradius/modules/pap Tue Jun 21 13:06:55 2011 : Debug: including configuration file /etc/freeradius/modules/logintime Tue Jun 21 13:06:55 2011 : Debug: including configuration file /etc/freeradius/modules/smsotp Tue Jun 21 13:06:55 2011 : Debug: including configuration file /etc/freeradius/modules/ippool Tue Jun 21 13:06:55 2011 : Debug: including configuration file /etc/freeradius/modules/sql_log Tue Jun 21 13:06:55 2011 : Debug: including configuration file /etc/freeradius/modules/mac2vlan Tue Jun 21 13:06:55 2011 : Debug: including configuration file /etc/freeradius/modules/krb5 Tue Jun 21 13:06:55 2011 : Debug: including configuration file /etc/freeradius/modules/inner-eap Tue Jun 21 13:06:55 2011 : Debug: including configuration file /etc/freeradius/modules/passwd Tue Jun 21 13:06:55 2011 : Debug: including configuration file /etc/freeradius/modules/preprocess Tue Jun 21 13:06:55 2011 : Debug: including configuration file /etc/freeradius/modules/expr Tue Jun 21 13:06:55 2011 : Debug: including configuration file /etc/freeradius/modules/always Tue Jun 21 13:06:55 2011 : Debug: including configuration file /etc/freeradius/modules/pam Tue Jun 21 13:06:55 2011 : Debug: including configuration file /etc/freeradius/modules/exec Tue Jun 21 13:06:55 2011 : Debug: including configuration file /etc/freeradius/modules/unix Tue Jun 21 13:06:55 2011 : Debug: including configuration file /etc/freeradius/modules/etc_group Tue Jun 21 13:06:55 2011 : Debug: including configuration file /etc/freeradius/modules/policy Tue Jun 21 13:06:55 2011 : Debug: including configuration file /etc/freeradius/modules/cui Tue Jun 21 13:06:55 2011 : Debug: including configuration file /etc/freeradius/modules/checkval Tue Jun 21 13:06:55 2011 : Debug: including configuration file /etc/freeradius/modules/radutmp Tue Jun 21 13:06:55 2011 : Debug: including configuration file /etc/freeradius/modules/echo Tue Jun 21 13:06:55 2011 : Debug: including configuration file /etc/freeradius/modules/linelog Tue Jun 21 13:06:55 2011 : Debug: including configuration file /etc/freeradius/modules/attr_rewrite Tue Jun 21 13:06:55 2011 : Debug: including configuration file /etc/freeradius/modules/smbpasswd Tue Jun 21 13:06:55 2011 : Debug: including configuration file /etc/freeradius/modules/acct_unique Tue Jun 21 13:06:55 2011 : Debug: including configuration file /etc/freeradius/modules/ldap Tue Jun 21 13:06:55 2011 : Debug: including configuration file /etc/freeradius/modules/detail Tue Jun 21 13:06:55 2011 : Debug: including configuration file /etc/freeradius/modules/realm Tue Jun 21 13:06:55 2011 : Debug: including configuration file /etc/freeradius/modules/expiration Tue Jun 21 13:06:55 2011 : Debug: including configuration file /etc/freeradius/modules/otp Tue Jun 21 13:06:55 2011 : Debug: including configuration file /etc/freeradius/modules/counter Tue Jun 21 13:06:55 2011 : Debug: including configuration file /etc/freeradius/modules/ntlm_auth Tue Jun 21 13:06:55 2011 : Debug: including configuration file /etc/freeradius/modules/sradutmp Tue Jun 21 13:06:55 2011 : Debug: including configuration file /etc/freeradius/modules/mschap Tue Jun 21 13:06:55 2011 : Debug: including configuration file /etc/freeradius/modules/perl Tue Jun 21 13:06:55 2011 : Debug: including configuration file /etc/freeradius/modules/files Tue Jun 21 13:06:55 2011 : Debug: including configuration file /etc/freeradius/modules/attr_filter Tue Jun 21 13:06:55 2011 : Debug: including configuration file /etc/freeradius/eap.conf Tue Jun 21 13:06:55 2011 : Debug: including configuration file /etc/freeradius/policy.conf Tue Jun 21 13:06:55 2011 : Debug: including files in directory /etc/freeradius/sites-enabled/ Tue Jun 21 13:06:55 2011 : Debug: including configuration file /etc/freeradius/sites-enabled/inner-tunnel Tue Jun 21 13:06:55 2011 : Debug: including configuration file /etc/freeradius/sites-enabled/default Tue Jun 21 13:06:55 2011 : Debug: main { Tue Jun 21 13:06:55 2011 : Debug: user = "freerad" Tue Jun 21 13:06:55 2011 : Debug: group = "freerad" Tue Jun 21 13:06:55 2011 : Debug: allow_core_dumps = no Tue Jun 21 13:06:55 2011 : Debug: } Tue Jun 21 13:06:55 2011 : Debug: including dictionary file /etc/freeradius/dictionary Tue Jun 21 13:06:55 2011 : Debug: main { Tue Jun 21 13:06:55 2011 : Debug: prefix = "/etc" Tue Jun 21 13:06:55 2011 : Debug: localstatedir = "/etc" Tue Jun 21 13:06:55 2011 : Debug: logdir = "/var/log/radius" Tue Jun 21 13:06:55 2011 : Debug: libdir = "/usr/lib/freeradius" Tue Jun 21 13:06:55 2011 : Debug: radacctdir = "/var/log/radius/radacct" Tue Jun 21 13:06:55 2011 : Debug: hostname_lookups = no Tue Jun 21 13:06:55 2011 : Debug: max_request_time = 30 Tue Jun 21 13:06:55 2011 : Debug: cleanup_delay = 5 Tue Jun 21 13:06:55 2011 : Debug: max_requests = 1024 Tue Jun 21 13:06:55 2011 : Debug: pidfile = "/etc/run/freeradius/freeradius.pid" Tue Jun 21 13:06:55 2011 : Debug: checkrad = "/etc/sbin/checkrad" Tue Jun 21 13:06:55 2011 : Debug: debug_level = 0 Tue Jun 21 13:06:55 2011 : Debug: proxy_requests = yes Tue Jun 21 13:06:55 2011 : Debug: log { Tue Jun 21 13:06:55 2011 : Debug: stripped_names = no Tue Jun 21 13:06:55 2011 : Debug: auth = no Tue Jun 21 13:06:55 2011 : Debug: auth_badpass = no Tue Jun 21 13:06:55 2011 : Debug: auth_goodpass = no Tue Jun 21 13:06:55 2011 : Debug: } Tue Jun 21 13:06:55 2011 : Debug: security { Tue Jun 21 13:06:55 2011 : Debug: max_attributes = 200 Tue Jun 21 13:06:55 2011 : Debug: reject_delay = 1 Tue Jun 21 13:06:55 2011 : Debug: status_server = yes Tue Jun 21 13:06:55 2011 : Debug: } Tue Jun 21 13:06:55 2011 : Debug: } Tue Jun 21 13:06:55 2011 : Debug: radiusd: #### Loading Realms and Home Servers #### Tue Jun 21 13:06:55 2011 : Debug: proxy server { Tue Jun 21 13:06:55 2011 : Debug: retry_delay = 5 Tue Jun 21 13:06:55 2011 : Debug: retry_count = 3 Tue Jun 21 13:06:55 2011 : Debug: default_fallback = no Tue Jun 21 13:06:55 2011 : Debug: dead_time = 120 Tue Jun 21 13:06:55 2011 : Debug: wake_all_if_all_dead = no Tue Jun 21 13:06:55 2011 : Debug: } Tue Jun 21 13:06:55 2011 : Debug: home_server localhost { Tue Jun 21 13:06:55 2011 : Debug: ipaddr = 127.0.0.1 Tue Jun 21 13:06:55 2011 : Debug: port = 1812 Tue Jun 21 13:06:55 2011 : Debug: type = "auth" Tue Jun 21 13:06:55 2011 : Debug: secret = "testing123" Tue Jun 21 13:06:55 2011 : Debug: response_window = 20 Tue Jun 21 13:06:55 2011 : Debug: max_outstanding = 65536 Tue Jun 21 13:06:55 2011 : Debug: require_message_authenticator = no Tue Jun 21 13:06:55 2011 : Debug: zombie_period = 40 Tue Jun 21 13:06:55 2011 : Debug: status_check = "status-server" Tue Jun 21 13:06:55 2011 : Debug: ping_interval = 30 Tue Jun 21 13:06:55 2011 : Debug: check_interval = 30 Tue Jun 21 13:06:55 2011 : Debug: num_answers_to_alive = 3 Tue Jun 21 13:06:55 2011 : Debug: num_pings_to_alive = 3 Tue Jun 21 13:06:55 2011 : Debug: revive_interval = 120 Tue Jun 21 13:06:55 2011 : Debug: status_check_timeout = 4 Tue Jun 21 13:06:55 2011 : Debug: irt = 2 Tue Jun 21 13:06:55 2011 : Debug: mrt = 16 Tue Jun 21 13:06:55 2011 : Debug: mrc = 5 Tue Jun 21 13:06:55 2011 : Debug: mrd = 30 Tue Jun 21 13:06:55 2011 : Debug: } Tue Jun 21 13:06:55 2011 : Debug: home_server_pool my_auth_failover { Tue Jun 21 13:06:55 2011 : Debug: type = fail-over Tue Jun 21 13:06:55 2011 : Debug: home_server = localhost Tue Jun 21 13:06:55 2011 : Debug: } Tue Jun 21 13:06:55 2011 : Debug: realm example.com { Tue Jun 21 13:06:55 2011 : Debug: auth_pool = my_auth_failover Tue Jun 21 13:06:55 2011 : Debug: } Tue Jun 21 13:06:55 2011 : Debug: realm LOCAL { Tue Jun 21 13:06:55 2011 : Debug: } Tue Jun 21 13:06:55 2011 : Debug: radiusd: #### Loading Clients #### Tue Jun 21 13:06:55 2011 : Debug: client localhost { Tue Jun 21 13:06:55 2011 : Debug: ipaddr = 127.0.0.1 Tue Jun 21 13:06:55 2011 : Debug: require_message_authenticator = no Tue Jun 21 13:06:55 2011 : Debug: secret = "testing123" Tue Jun 21 13:06:55 2011 : Debug: nastype = "other" Tue Jun 21 13:06:55 2011 : Debug: } Tue Jun 21 13:06:55 2011 : Debug: client 192.168.150.0/24 { Tue Jun 21 13:06:55 2011 : Debug: require_message_authenticator = no Tue Jun 21 13:06:55 2011 : Debug: secret = "enterasys" Tue Jun 21 13:06:55 2011 : Debug: shortname = "C3" Tue Jun 21 13:06:55 2011 : Debug: } Tue Jun 21 13:06:55 2011 : Debug: client 192.168.175.0/24 { Tue Jun 21 13:06:55 2011 : Debug: require_message_authenticator = no Tue Jun 21 13:06:55 2011 : Debug: secret = "enterasys" Tue Jun 21 13:06:55 2011 : Debug: shortname = "C5" Tue Jun 21 13:06:55 2011 : Debug: } Tue Jun 21 13:06:55 2011 : Debug: client 192.168.200.0/24 { Tue Jun 21 13:06:55 2011 : Debug: require_message_authenticator = no Tue Jun 21 13:06:55 2011 : Debug: secret = "enterasys" Tue Jun 21 13:06:55 2011 : Debug: shortname = "G3" Tue Jun 21 13:06:55 2011 : Debug: } Tue Jun 21 13:06:55 2011 : Debug: client 192.168.225.0/24 { Tue Jun 21 13:06:55 2011 : Debug: require_message_authenticator = no Tue Jun 21 13:06:55 2011 : Debug: secret = "enterasys" Tue Jun 21 13:06:55 2011 : Debug: shortname = "XSR" Tue Jun 21 13:06:55 2011 : Debug: } Tue Jun 21 13:06:55 2011 : Debug: client 10.1.146.0/24 { Tue Jun 21 13:06:55 2011 : Debug: require_message_authenticator = no Tue Jun 21 13:06:55 2011 : Debug: secret = "enterasys" Tue Jun 21 13:06:55 2011 : Debug: shortname = "NAT" Tue Jun 21 13:06:55 2011 : Debug: } Tue Jun 21 13:06:55 2011 : Debug: client 10.1.141.0/24 { Tue Jun 21 13:06:55 2011 : Debug: require_message_authenticator = no Tue Jun 21 13:06:55 2011 : Debug: secret = "enterasys" Tue Jun 21 13:06:55 2011 : Debug: shortname = "tony-network" Tue Jun 21 13:06:55 2011 : Debug: } Tue Jun 21 13:06:55 2011 : Debug: radiusd: #### Instantiating modules #### Tue Jun 21 13:06:55 2011 : Debug: instantiate { Tue Jun 21 13:06:55 2011 : Debug: (Loaded rlm_exec, checking if it's valid) Tue Jun 21 13:06:55 2011 : Debug: Module: Linked to module rlm_exec Tue Jun 21 13:06:55 2011 : Debug: Module: Instantiating exec Tue Jun 21 13:06:55 2011 : Debug: exec { Tue Jun 21 13:06:55 2011 : Debug: wait = no Tue Jun 21 13:06:55 2011 : Debug: input_pairs = "request" Tue Jun 21 13:06:55 2011 : Debug: shell_escape = yes Tue Jun 21 13:06:55 2011 : Debug: } Tue Jun 21 13:06:55 2011 : Debug: (Loaded rlm_expr, checking if it's valid) Tue Jun 21 13:06:55 2011 : Debug: Module: Linked to module rlm_expr Tue Jun 21 13:06:55 2011 : Debug: Module: Instantiating expr Tue Jun 21 13:06:55 2011 : Debug: (Loaded rlm_expiration, checking if it's valid) Tue Jun 21 13:06:55 2011 : Debug: Module: Linked to module rlm_expiration Tue Jun 21 13:06:55 2011 : Debug: Module: Instantiating expiration Tue Jun 21 13:06:55 2011 : Debug: expiration { Tue Jun 21 13:06:55 2011 : Debug: reply-message = "Password Has Expired " Tue Jun 21 13:06:55 2011 : Debug: } Tue Jun 21 13:06:55 2011 : Debug: (Loaded rlm_logintime, checking if it's valid) Tue Jun 21 13:06:55 2011 : Debug: Module: Linked to module rlm_logintime Tue Jun 21 13:06:55 2011 : Debug: Module: Instantiating logintime Tue Jun 21 13:06:55 2011 : Debug: logintime { Tue Jun 21 13:06:55 2011 : Debug: reply-message = "You are calling outside your allowed timespan " Tue Jun 21 13:06:55 2011 : Debug: minimum-timeout = 60 Tue Jun 21 13:06:55 2011 : Debug: } Tue Jun 21 13:06:55 2011 : Debug: } Tue Jun 21 13:06:55 2011 : Debug: radiusd: #### Loading Virtual Servers #### Tue Jun 21 13:06:55 2011 : Debug: server inner-tunnel { Tue Jun 21 13:06:55 2011 : Debug: modules { Tue Jun 21 13:06:55 2011 : Debug: Module: Checking authenticate {...} for more modules to load Tue Jun 21 13:06:55 2011 : Debug: (Loaded rlm_pap, checking if it's valid) Tue Jun 21 13:06:55 2011 : Debug: Module: Linked to module rlm_pap Tue Jun 21 13:06:55 2011 : Debug: Module: Instantiating pap Tue Jun 21 13:06:55 2011 : Debug: pap { Tue Jun 21 13:06:55 2011 : Debug: encryption_scheme = "auto" Tue Jun 21 13:06:55 2011 : Debug: auto_header = no Tue Jun 21 13:06:55 2011 : Debug: } Tue Jun 21 13:06:55 2011 : Debug: (Loaded rlm_chap, checking if it's valid) Tue Jun 21 13:06:55 2011 : Debug: Module: Linked to module rlm_chap Tue Jun 21 13:06:55 2011 : Debug: Module: Instantiating chap Tue Jun 21 13:06:55 2011 : Debug: (Loaded rlm_mschap, checking if it's valid) Tue Jun 21 13:06:55 2011 : Debug: Module: Linked to module rlm_mschap Tue Jun 21 13:06:55 2011 : Debug: Module: Instantiating mschap Tue Jun 21 13:06:55 2011 : Debug: mschap { Tue Jun 21 13:06:55 2011 : Debug: use_mppe = yes Tue Jun 21 13:06:55 2011 : Debug: require_encryption = no Tue Jun 21 13:06:55 2011 : Debug: require_strong = no Tue Jun 21 13:06:55 2011 : Debug: with_ntdomain_hack = no Tue Jun 21 13:06:55 2011 : Debug: } Tue Jun 21 13:06:55 2011 : Debug: (Loaded rlm_unix, checking if it's valid) Tue Jun 21 13:06:55 2011 : Debug: Module: Linked to module rlm_unix Tue Jun 21 13:06:55 2011 : Debug: Module: Instantiating unix Tue Jun 21 13:06:55 2011 : Debug: unix { Tue Jun 21 13:06:55 2011 : Debug: radwtmp = "/var/log/radius/radwtmp" Tue Jun 21 13:06:55 2011 : Debug: } Tue Jun 21 13:06:55 2011 : Debug: (Loaded rlm_eap, checking if it's valid) Tue Jun 21 13:06:55 2011 : Debug: Module: Linked to module rlm_eap Tue Jun 21 13:06:55 2011 : Debug: Module: Instantiating eap Tue Jun 21 13:06:55 2011 : Debug: eap { Tue Jun 21 13:06:55 2011 : Debug: default_eap_type = "md5" Tue Jun 21 13:06:55 2011 : Debug: timer_expire = 60 Tue Jun 21 13:06:55 2011 : Debug: ignore_unknown_eap_types = no Tue Jun 21 13:06:55 2011 : Debug: cisco_accounting_username_bug = no Tue Jun 21 13:06:55 2011 : Debug: max_sessions = 4096 Tue Jun 21 13:06:55 2011 : Debug: } Tue Jun 21 13:06:55 2011 : Debug: Module: Linked to sub-module rlm_eap_md5 Tue Jun 21 13:06:55 2011 : Debug: Module: Instantiating eap-md5 Tue Jun 21 13:06:55 2011 : Debug: Module: Linked to sub-module rlm_eap_leap Tue Jun 21 13:06:55 2011 : Debug: Module: Instantiating eap-leap Tue Jun 21 13:06:55 2011 : Debug: Module: Linked to sub-module rlm_eap_gtc Tue Jun 21 13:06:55 2011 : Debug: Module: Instantiating eap-gtc Tue Jun 21 13:06:55 2011 : Debug: gtc { Tue Jun 21 13:06:55 2011 : Debug: challenge = "Password: " Tue Jun 21 13:06:55 2011 : Debug: auth_type = "PAP" Tue Jun 21 13:06:55 2011 : Debug: } Tue Jun 21 13:06:55 2011 : Debug: Module: Linked to sub-module rlm_eap_tls Tue Jun 21 13:06:55 2011 : Debug: Module: Instantiating eap-tls Tue Jun 21 13:06:55 2011 : Debug: tls { Tue Jun 21 13:06:55 2011 : Debug: rsa_key_exchange = no Tue Jun 21 13:06:55 2011 : Debug: dh_key_exchange = yes Tue Jun 21 13:06:55 2011 : Debug: rsa_key_length = 512 Tue Jun 21 13:06:55 2011 : Debug: dh_key_length = 512 Tue Jun 21 13:06:55 2011 : Debug: verify_depth = 0 Tue Jun 21 13:06:55 2011 : Debug: pem_file_type = yes Tue Jun 21 13:06:55 2011 : Debug: private_key_file = "/etc/freeradius/certs/server.pem" Tue Jun 21 13:06:55 2011 : Debug: certificate_file = "/etc/freeradius/certs/server.pem" Tue Jun 21 13:06:55 2011 : Debug: CA_file = "/etc/freeradius/certs/ca.pem" Tue Jun 21 13:06:55 2011 : Debug: private_key_password = "password" Tue Jun 21 13:06:55 2011 : Debug: dh_file = "/etc/freeradius/certs/dh" Tue Jun 21 13:06:55 2011 : Debug: random_file = "/etc/freeradius/certs/random" Tue Jun 21 13:06:55 2011 : Debug: fragment_size = 1024 Tue Jun 21 13:06:55 2011 : Debug: include_length = yes Tue Jun 21 13:06:55 2011 : Debug: check_crl = no Tue Jun 21 13:06:55 2011 : Debug: cipher_list = "DEFAULT" Tue Jun 21 13:06:55 2011 : Debug: make_cert_command = "/etc/freeradius/certs/bootstrap" Tue Jun 21 13:06:55 2011 : Debug: cache { Tue Jun 21 13:06:55 2011 : Debug: enable = no Tue Jun 21 13:06:55 2011 : Debug: lifetime = 24 Tue Jun 21 13:06:55 2011 : Debug: max_entries = 255 Tue Jun 21 13:06:55 2011 : Debug: } Tue Jun 21 13:06:55 2011 : Debug: } Tue Jun 21 13:06:56 2011 : Debug: Module: Linked to sub-module rlm_eap_ttls Tue Jun 21 13:06:56 2011 : Debug: Module: Instantiating eap-ttls Tue Jun 21 13:06:56 2011 : Debug: ttls { Tue Jun 21 13:06:56 2011 : Debug: default_eap_type = "md5" Tue Jun 21 13:06:56 2011 : Debug: copy_request_to_tunnel = no Tue Jun 21 13:06:56 2011 : Debug: use_tunneled_reply = no Tue Jun 21 13:06:56 2011 : Debug: virtual_server = "inner-tunnel" Tue Jun 21 13:06:56 2011 : Debug: include_length = yes Tue Jun 21 13:06:56 2011 : Debug: } Tue Jun 21 13:06:56 2011 : Debug: Module: Linked to sub-module rlm_eap_peap Tue Jun 21 13:06:56 2011 : Debug: Module: Instantiating eap-peap Tue Jun 21 13:06:56 2011 : Debug: peap { Tue Jun 21 13:06:56 2011 : Debug: default_eap_type = "mschapv2" Tue Jun 21 13:06:56 2011 : Debug: copy_request_to_tunnel = no Tue Jun 21 13:06:56 2011 : Debug: use_tunneled_reply = no Tue Jun 21 13:06:56 2011 : Debug: proxy_tunneled_request_as_eap = yes Tue Jun 21 13:06:56 2011 : Debug: virtual_server = "inner-tunnel" Tue Jun 21 13:06:56 2011 : Debug: } Tue Jun 21 13:06:56 2011 : Debug: Module: Linked to sub-module rlm_eap_mschapv2 Tue Jun 21 13:06:56 2011 : Debug: Module: Instantiating eap-mschapv2 Tue Jun 21 13:06:56 2011 : Debug: mschapv2 { Tue Jun 21 13:06:56 2011 : Debug: with_ntdomain_hack = no Tue Jun 21 13:06:56 2011 : Debug: } Tue Jun 21 13:06:56 2011 : Debug: Module: Checking authorize {...} for more modules to load Tue Jun 21 13:06:56 2011 : Debug: (Loaded rlm_realm, checking if it's valid) Tue Jun 21 13:06:56 2011 : Debug: Module: Linked to module rlm_realm Tue Jun 21 13:06:56 2011 : Debug: Module: Instantiating suffix Tue Jun 21 13:06:56 2011 : Debug: realm suffix { Tue Jun 21 13:06:56 2011 : Debug: format = "suffix" Tue Jun 21 13:06:56 2011 : Debug: delimiter = "@" Tue Jun 21 13:06:56 2011 : Debug: ignore_default = no Tue Jun 21 13:06:56 2011 : Debug: ignore_null = no Tue Jun 21 13:06:56 2011 : Debug: } Tue Jun 21 13:06:56 2011 : Debug: (Loaded rlm_files, checking if it's valid) Tue Jun 21 13:06:56 2011 : Debug: Module: Linked to module rlm_files Tue Jun 21 13:06:56 2011 : Debug: Module: Instantiating files Tue Jun 21 13:06:56 2011 : Debug: files { Tue Jun 21 13:06:56 2011 : Debug: usersfile = "/etc/freeradius/users" Tue Jun 21 13:06:56 2011 : Debug: acctusersfile = "/etc/freeradius/acct_users" Tue Jun 21 13:06:56 2011 : Debug: preproxy_usersfile = "/etc/freeradius/preproxy_users" Tue Jun 21 13:06:56 2011 : Debug: compat = "no" Tue Jun 21 13:06:56 2011 : Debug: } Tue Jun 21 13:06:56 2011 : Debug: Module: Checking session {...} for more modules to load Tue Jun 21 13:06:56 2011 : Debug: (Loaded rlm_radutmp, checking if it's valid) Tue Jun 21 13:06:56 2011 : Debug: Module: Linked to module rlm_radutmp Tue Jun 21 13:06:56 2011 : Debug: Module: Instantiating radutmp Tue Jun 21 13:06:56 2011 : Debug: radutmp { Tue Jun 21 13:06:56 2011 : Debug: filename = "/var/log/radius/radutmp" Tue Jun 21 13:06:56 2011 : Debug: username = "%{User-Name}" Tue Jun 21 13:06:56 2011 : Debug: case_sensitive = yes Tue Jun 21 13:06:56 2011 : Debug: check_with_nas = yes Tue Jun 21 13:06:56 2011 : Debug: perm = 384 Tue Jun 21 13:06:56 2011 : Debug: callerid = yes Tue Jun 21 13:06:56 2011 : Debug: } Tue Jun 21 13:06:56 2011 : Debug: Module: Checking post-proxy {...} for more modules to load Tue Jun 21 13:06:56 2011 : Debug: Module: Checking post-auth {...} for more modules to load Tue Jun 21 13:06:56 2011 : Debug: (Loaded rlm_attr_filter, checking if it's valid) Tue Jun 21 13:06:56 2011 : Debug: Module: Linked to module rlm_attr_filter Tue Jun 21 13:06:56 2011 : Debug: Module: Instantiating attr_filter.access_reject Tue Jun 21 13:06:56 2011 : Debug: attr_filter attr_filter.access_reject { Tue Jun 21 13:06:56 2011 : Debug: attrsfile = "/etc/freeradius/attrs.access_reject" Tue Jun 21 13:06:56 2011 : Debug: key = "%{User-Name}" Tue Jun 21 13:06:56 2011 : Debug: } Tue Jun 21 13:06:56 2011 : Debug: } # modules Tue Jun 21 13:06:56 2011 : Debug: } # server Tue Jun 21 13:06:56 2011 : Debug: server { Tue Jun 21 13:06:56 2011 : Debug: modules { Tue Jun 21 13:06:56 2011 : Debug: Module: Checking authenticate {...} for more modules to load Tue Jun 21 13:06:56 2011 : Debug: Module: Checking authorize {...} for more modules to load Tue Jun 21 13:06:56 2011 : Debug: (Loaded rlm_preprocess, checking if it's valid) Tue Jun 21 13:06:56 2011 : Debug: Module: Linked to module rlm_preprocess Tue Jun 21 13:06:56 2011 : Debug: Module: Instantiating preprocess Tue Jun 21 13:06:56 2011 : Debug: preprocess { Tue Jun 21 13:06:56 2011 : Debug: huntgroups = "/etc/freeradius/huntgroups" Tue Jun 21 13:06:56 2011 : Debug: hints = "/etc/freeradius/hints" Tue Jun 21 13:06:56 2011 : Debug: with_ascend_hack = no Tue Jun 21 13:06:56 2011 : Debug: ascend_channels_per_line = 23 Tue Jun 21 13:06:56 2011 : Debug: with_ntdomain_hack = no Tue Jun 21 13:06:56 2011 : Debug: with_specialix_jetstream_hack = no Tue Jun 21 13:06:56 2011 : Debug: with_cisco_vsa_hack = no Tue Jun 21 13:06:56 2011 : Debug: with_alvarion_vsa_hack = no Tue Jun 21 13:06:56 2011 : Debug: } Tue Jun 21 13:06:56 2011 : Debug: Module: Checking preacct {...} for more modules to load Tue Jun 21 13:06:56 2011 : Debug: (Loaded rlm_acct_unique, checking if it's valid) Tue Jun 21 13:06:56 2011 : Debug: Module: Linked to module rlm_acct_unique Tue Jun 21 13:06:56 2011 : Debug: Module: Instantiating acct_unique Tue Jun 21 13:06:56 2011 : Debug: acct_unique { Tue Jun 21 13:06:56 2011 : Debug: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" Tue Jun 21 13:06:56 2011 : Debug: } Tue Jun 21 13:06:56 2011 : Debug: Module: Checking accounting {...} for more modules to load Tue Jun 21 13:06:56 2011 : Debug: (Loaded rlm_detail, checking if it's valid) Tue Jun 21 13:06:56 2011 : Debug: Module: Linked to module rlm_detail Tue Jun 21 13:06:56 2011 : Debug: Module: Instantiating detail Tue Jun 21 13:06:56 2011 : Debug: detail { Tue Jun 21 13:06:56 2011 : Debug: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" Tue Jun 21 13:06:56 2011 : Debug: header = "%t" Tue Jun 21 13:06:56 2011 : Debug: detailperm = 384 Tue Jun 21 13:06:56 2011 : Debug: dirperm = 493 Tue Jun 21 13:06:56 2011 : Debug: locking = no Tue Jun 21 13:06:56 2011 : Debug: log_packet_header = no Tue Jun 21 13:06:56 2011 : Debug: } Tue Jun 21 13:06:56 2011 : Debug: Module: Instantiating attr_filter.accounting_response Tue Jun 21 13:06:56 2011 : Debug: attr_filter attr_filter.accounting_response { Tue Jun 21 13:06:56 2011 : Debug: attrsfile = "/etc/freeradius/attrs.accounting_response" Tue Jun 21 13:06:56 2011 : Debug: key = "%{User-Name}" Tue Jun 21 13:06:56 2011 : Debug: } Tue Jun 21 13:06:56 2011 : Debug: Module: Checking session {...} for more modules to load Tue Jun 21 13:06:56 2011 : Debug: Module: Checking post-proxy {...} for more modules to load Tue Jun 21 13:06:56 2011 : Debug: Module: Checking post-auth {...} for more modules to load Tue Jun 21 13:06:56 2011 : Debug: } # modules Tue Jun 21 13:06:56 2011 : Debug: } # server Tue Jun 21 13:06:56 2011 : Debug: radiusd: #### Opening IP addresses and Ports #### Tue Jun 21 13:06:56 2011 : Debug: listen { Tue Jun 21 13:06:56 2011 : Debug: type = "auth" Tue Jun 21 13:06:56 2011 : Debug: ipaddr = 20.1.180.45 Tue Jun 21 13:06:56 2011 : Debug: port = 0 Tue Jun 21 13:06:56 2011 : Debug: } Tue Jun 21 13:06:56 2011 : Debug: listen { Tue Jun 21 13:06:56 2011 : Debug: type = "acct" Tue Jun 21 13:06:56 2011 : Debug: ipaddr = * Tue Jun 21 13:06:56 2011 : Debug: port = 0 Tue Jun 21 13:06:56 2011 : Debug: } Tue Jun 21 13:06:56 2011 : Debug: Listening on authentication address 20.1.180.45 port 1812 Tue Jun 21 13:06:56 2011 : Debug: Listening on accounting address * port 1813 Tue Jun 21 13:06:56 2011 : Debug: Listening on proxy address 20.1.180.45 port 1814 Tue Jun 21 13:06:56 2011 : Info: Ready to process requests. rad_recv: Access-Request packet from host 192.168.175.60 port 49369, id=49, length=157 User-Name = "SQA\\Administrator" Service-Type = Framed-User Called-Station-Id = "00-1F-45-47-49-84" Calling-Station-Id = "00-18-8B-B9-C2-E3" NAS-IP-Address = 192.168.175.60 NAS-Port = 1 NAS-Port-Id = "ge.1.1" Framed-MTU = 1500 NAS-Port-Type = Ethernet EAP-Message = 0x02010016015351415c41646d696e6973747261746f72 Message-Authenticator = 0x7c48a72d3cd785ad696afb62b9200c12 Tue Jun 21 13:07:07 2011 : Info: +- entering group authorize {...} Tue Jun 21 13:07:07 2011 : Info: ++[preprocess] returns ok Tue Jun 21 13:07:07 2011 : Info: ++[chap] returns noop Tue Jun 21 13:07:07 2011 : Info: ++[mschap] returns noop Tue Jun 21 13:07:07 2011 : Info: [suffix] No '@' in User-Name = "SQA\Administrator", looking up realm NULL Tue Jun 21 13:07:07 2011 : Info: [suffix] No such realm "NULL" Tue Jun 21 13:07:07 2011 : Info: ++[suffix] returns noop Tue Jun 21 13:07:07 2011 : Info: [eap] EAP packet type response id 1 length 22 Tue Jun 21 13:07:07 2011 : Info: [eap] No EAP Start, assuming it's an on-going EAP conversation Tue Jun 21 13:07:07 2011 : Info: ++[eap] returns updated Tue Jun 21 13:07:07 2011 : Info: ++[unix] returns notfound Tue Jun 21 13:07:07 2011 : Info: [files] users: Matched entry SQA\Administrator at line 93 Tue Jun 21 13:07:07 2011 : Info: ++[files] returns ok Tue Jun 21 13:07:07 2011 : Info: ++[expiration] returns noop Tue Jun 21 13:07:07 2011 : Info: ++[logintime] returns noop Tue Jun 21 13:07:07 2011 : Info: [pap] Found existing Auth-Type, not changing it. Tue Jun 21 13:07:07 2011 : Info: ++[pap] returns noop Tue Jun 21 13:07:07 2011 : Info: Found Auth-Type = EAP Tue Jun 21 13:07:07 2011 : Info: +- entering group authenticate {...} Tue Jun 21 13:07:07 2011 : Info: [eap] EAP Identity Tue Jun 21 13:07:07 2011 : Info: [eap] processing type md5 Tue Jun 21 13:07:07 2011 : Debug: rlm_eap_md5: Issuing Challenge Tue Jun 21 13:07:07 2011 : Info: ++[eap] returns handled Sending Access-Challenge of id 49 to 192.168.175.60 port 49369 Filter-Id = "Enterasys:version=1:mgmt=su:policy=PEAP" EAP-Message = 0x01020016041098dd3fdd618fe72b12d5e38b61fd54a8 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xfa9c4868fa9e4c6ee67926093dbdabe5 Tue Jun 21 13:07:07 2011 : Info: Finished request 0. Tue Jun 21 13:07:07 2011 : Debug: Going to the next request Tue Jun 21 13:07:07 2011 : Debug: Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.175.60 port 49369, id=50, length=159 User-Name = "SQA\\Administrator" Service-Type = Framed-User Called-Station-Id = "00-1F-45-47-49-84" Calling-Station-Id = "00-18-8B-B9-C2-E3" NAS-IP-Address = 192.168.175.60 NAS-Port = 1 NAS-Port-Id = "ge.1.1" Framed-MTU = 1500 NAS-Port-Type = Ethernet State = 0xfa9c4868fa9e4c6ee67926093dbdabe5 EAP-Message = 0x020200060319 Message-Authenticator = 0x3a89f8cb98339ebc60d975363cae3028 Tue Jun 21 13:07:08 2011 : Info: +- entering group authorize {...} Tue Jun 21 13:07:08 2011 : Info: ++[preprocess] returns ok Tue Jun 21 13:07:08 2011 : Info: ++[chap] returns noop Tue Jun 21 13:07:08 2011 : Info: ++[mschap] returns noop Tue Jun 21 13:07:08 2011 : Info: [suffix] No '@' in User-Name = "SQA\Administrator", looking up realm NULL Tue Jun 21 13:07:08 2011 : Info: [suffix] No such realm "NULL" Tue Jun 21 13:07:08 2011 : Info: ++[suffix] returns noop Tue Jun 21 13:07:08 2011 : Info: [eap] EAP packet type response id 2 length 6 Tue Jun 21 13:07:08 2011 : Info: [eap] No EAP Start, assuming it's an on-going EAP conversation Tue Jun 21 13:07:08 2011 : Info: ++[eap] returns updated Tue Jun 21 13:07:08 2011 : Info: ++[unix] returns notfound Tue Jun 21 13:07:08 2011 : Info: [files] users: Matched entry SQA\Administrator at line 93 Tue Jun 21 13:07:08 2011 : Info: ++[files] returns ok Tue Jun 21 13:07:08 2011 : Info: ++[expiration] returns noop Tue Jun 21 13:07:08 2011 : Info: ++[logintime] returns noop Tue Jun 21 13:07:08 2011 : Info: [pap] Found existing Auth-Type, not changing it. Tue Jun 21 13:07:08 2011 : Info: ++[pap] returns noop Tue Jun 21 13:07:08 2011 : Info: Found Auth-Type = EAP Tue Jun 21 13:07:08 2011 : Info: +- entering group authenticate {...} Tue Jun 21 13:07:08 2011 : Info: [eap] Request found, released from the list Tue Jun 21 13:07:08 2011 : Info: [eap] EAP NAK Tue Jun 21 13:07:08 2011 : Info: [eap] EAP-NAK asked for EAP-Type/peap Tue Jun 21 13:07:08 2011 : Info: [eap] processing type tls Tue Jun 21 13:07:08 2011 : Info: [tls] Initiate Tue Jun 21 13:07:08 2011 : Info: [tls] Start returned 1 Tue Jun 21 13:07:08 2011 : Info: ++[eap] returns handled Sending Access-Challenge of id 50 to 192.168.175.60 port 49369 Filter-Id = "Enterasys:version=1:mgmt=su:policy=PEAP" EAP-Message = 0x010300061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xfa9c4868fb9f516ee67926093dbdabe5 Tue Jun 21 13:07:08 2011 : Info: Finished request 1. Tue Jun 21 13:07:08 2011 : Debug: Going to the next request Tue Jun 21 13:07:08 2011 : Debug: Waking up in 3.9 seconds. rad_recv: Access-Request packet from host 192.168.175.60 port 49369, id=51, length=284 User-Name = "SQA\\Administrator" Service-Type = Framed-User Called-Station-Id = "00-1F-45-47-49-84" Calling-Station-Id = "00-18-8B-B9-C2-E3" NAS-IP-Address = 192.168.175.60 NAS-Port = 1 NAS-Port-Id = "ge.1.1" Framed-MTU = 1500 NAS-Port-Type = Ethernet State = 0xfa9c4868fb9f516ee67926093dbdabe5 EAP-Message = 0x0203008319800000007916030100740100007003014e00d091a8b128b95191d1b28554012484ea27af95f7978c7c88f46677b70cad000018002f00350005000ac013c014c009c00a00320038001300040100002fff010001000000001600140000117371615c61646d696e6973747261746f72000a0006000400170018000b00020100 Message-Authenticator = 0xeebcdd38318368737ff3a493d034627f Tue Jun 21 13:07:08 2011 : Info: +- entering group authorize {...} Tue Jun 21 13:07:08 2011 : Info: ++[preprocess] returns ok Tue Jun 21 13:07:08 2011 : Info: ++[chap] returns noop Tue Jun 21 13:07:08 2011 : Info: ++[mschap] returns noop Tue Jun 21 13:07:08 2011 : Info: [suffix] No '@' in User-Name = "SQA\Administrator", looking up realm NULL Tue Jun 21 13:07:08 2011 : Info: [suffix] No such realm "NULL" Tue Jun 21 13:07:08 2011 : Info: ++[suffix] returns noop Tue Jun 21 13:07:08 2011 : Info: [eap] EAP packet type response id 3 length 131 Tue Jun 21 13:07:08 2011 : Info: [eap] Continuing tunnel setup. Tue Jun 21 13:07:08 2011 : Info: ++[eap] returns ok Tue Jun 21 13:07:08 2011 : Info: Found Auth-Type = EAP Tue Jun 21 13:07:08 2011 : Info: +- entering group authenticate {...} Tue Jun 21 13:07:08 2011 : Info: [eap] Request found, released from the list Tue Jun 21 13:07:08 2011 : Info: [eap] EAP/peap Tue Jun 21 13:07:08 2011 : Info: [eap] processing type peap Tue Jun 21 13:07:08 2011 : Info: [peap] processing EAP-TLS Tue Jun 21 13:07:08 2011 : Debug: TLS Length 121 Tue Jun 21 13:07:08 2011 : Info: [peap] Length Included Tue Jun 21 13:07:08 2011 : Info: [peap] eaptls_verify returned 11 Tue Jun 21 13:07:08 2011 : Info: [peap] (other): before/accept initialization Tue Jun 21 13:07:08 2011 : Info: [peap] TLS_accept: before/accept initialization Tue Jun 21 13:07:08 2011 : Info: [peap] <<< TLS 1.0 Handshake [length 0074], ClientHello Tue Jun 21 13:07:08 2011 : Info: [peap] TLS_accept: SSLv3 read client hello A Tue Jun 21 13:07:08 2011 : Info: [peap] >>> TLS 1.0 Handshake [length 0031], ServerHello Tue Jun 21 13:07:08 2011 : Info: [peap] TLS_accept: SSLv3 write server hello A Tue Jun 21 13:07:08 2011 : Info: [peap] >>> TLS 1.0 Handshake [length 0885], Certificate Tue Jun 21 13:07:08 2011 : Info: [peap] TLS_accept: SSLv3 write certificate A Tue Jun 21 13:07:08 2011 : Info: [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone Tue Jun 21 13:07:08 2011 : Info: [peap] TLS_accept: SSLv3 write server done A Tue Jun 21 13:07:08 2011 : Info: [peap] TLS_accept: SSLv3 flush data Tue Jun 21 13:07:08 2011 : Info: [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A Tue Jun 21 13:07:08 2011 : Debug: In SSL Handshake Phase Tue Jun 21 13:07:08 2011 : Debug: In SSL Accept mode Tue Jun 21 13:07:08 2011 : Info: [peap] eaptls_process returned 13 Tue Jun 21 13:07:08 2011 : Info: [peap] EAPTLS_HANDLED Tue Jun 21 13:07:08 2011 : Info: ++[eap] returns handled Sending Access-Challenge of id 51 to 192.168.175.60 port 49369 EAP-Message = 0x0104040019c0000008c916030100310200002d03014e00cfbcc0b358875c40f5bedd5bb9431cbc6483970c10cf692e41297c8c28c900002f000005ff0100010016030108850b00088100087e0003ba308203b63082029ea003020102020101300d06092a864886f70d0101040500308199310b3009060355040613025553310b3009060355040813024d413110300e06035504071307416e646f766572311b3019060355040a1312456e74657261737973204e6574776f726b733124302206092a864886f70d0109011615737570706f727440656e746572617379732e636f6d312830260603550403131f535141204672656552616469757320526f6f EAP-Message = 0x74204365727469666963617465301e170d3131303531363230333732395a170d3231303531333230333732395a308189310b3009060355040613025553310b3009060355040813024d41311b3019060355040a1312456e74657261737973204e6574776f726b73312a3028060355040313215351412046726565526164697573205365727665722043657274696669636174653124302206092a864886f70d0109011615737570706f727440656e746572617379732e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100c572ff3f1e2c9bf418de5de7529c70601118287b6c825610fa2f814adefde8502fb35f EAP-Message = 0x2e87aef5c5ad67737b8217b9aef1f3b182f40c9933dd9774386b4f59143866b7d4ca2b508e63bf306737d7c3d44ec924c99efe55ba2299b38055e9096f4d0b2e0d57b334171b1a831d2f4876f3a0c423a068e98a2a1d436ba6c1493fc24a2625f9a2880ce3e408acafc5a00db869f9963e34b8beac9ac1f855a4209915077f001d94fc7faf6f875611910726f23984938dc71c318de89f5b3c1db3e6cddae763ae2fde6a82812444535d8312e88ba32fe04976847fac1bc6c27545464bd94e2e552fe4a68929eb172819f59cdcf3dae2bb85c374259b5aa3f1b6b7ecb50203010001a317301530130603551d25040c300a06082b06010505070301300d EAP-Message = 0x06092a864886f70d010104050003820101008e1b34368ebbaa77a13dc485f5aff69b4dbeb68d92644c02709aedab34a68130818ec1607752da5ed29ea77650ae330b10afac8b88d8b23ed8d53f0e40f24fda758ef2add2999fba306f85d7f0e913bc6de50c9d627ab8f17ed741ac4f9d0c3c38a8dfb40191ace57fdd78f0f6d88906fe6841f74642230cd3fef052fcc9dfd4435bac82925b4dfd9f1eda672fe461d0a671f724b1f6c4956d2dbedd6819e1fae49cda141a0d5bc00a62bec5a74f347c35736882ee6a107e97473a75c5c4e2add6390c3dd6e73ce02cc0812f125459b819bcae7bf70cf7a819a4c772302bf681e700af354d3a994009f1d3 EAP-Message = 0x828801a751e8aa4c229cc3ab Message-Authenticator = 0x00000000000000000000000000000000 State = 0xfa9c4868f898516ee67926093dbdabe5 Tue Jun 21 13:07:08 2011 : Info: Finished request 2. Tue Jun 21 13:07:08 2011 : Debug: Going to the next request Tue Jun 21 13:07:08 2011 : Debug: Waking up in 3.9 seconds. rad_recv: Access-Request packet from host 192.168.175.60 port 49369, id=52, length=159 User-Name = "SQA\\Administrator" Service-Type = Framed-User Called-Station-Id = "00-1F-45-47-49-84" Calling-Station-Id = "00-18-8B-B9-C2-E3" NAS-IP-Address = 192.168.175.60 NAS-Port = 1 NAS-Port-Id = "ge.1.1" Framed-MTU = 1500 NAS-Port-Type = Ethernet State = 0xfa9c4868f898516ee67926093dbdabe5 EAP-Message = 0x020400061900 Message-Authenticator = 0x46755f288c55faef4470fbd80b662371 Tue Jun 21 13:07:08 2011 : Info: +- entering group authorize {...} Tue Jun 21 13:07:08 2011 : Info: ++[preprocess] returns ok Tue Jun 21 13:07:08 2011 : Info: ++[chap] returns noop Tue Jun 21 13:07:08 2011 : Info: ++[mschap] returns noop Tue Jun 21 13:07:08 2011 : Info: [suffix] No '@' in User-Name = "SQA\Administrator", looking up realm NULL Tue Jun 21 13:07:08 2011 : Info: [suffix] No such realm "NULL" Tue Jun 21 13:07:08 2011 : Info: ++[suffix] returns noop Tue Jun 21 13:07:08 2011 : Info: [eap] EAP packet type response id 4 length 6 Tue Jun 21 13:07:08 2011 : Info: [eap] Continuing tunnel setup. Tue Jun 21 13:07:08 2011 : Info: ++[eap] returns ok Tue Jun 21 13:07:08 2011 : Info: Found Auth-Type = EAP Tue Jun 21 13:07:08 2011 : Info: +- entering group authenticate {...} Tue Jun 21 13:07:08 2011 : Info: [eap] Request found, released from the list Tue Jun 21 13:07:08 2011 : Info: [eap] EAP/peap Tue Jun 21 13:07:08 2011 : Info: [eap] processing type peap Tue Jun 21 13:07:08 2011 : Info: [peap] processing EAP-TLS Tue Jun 21 13:07:08 2011 : Info: [peap] Received TLS ACK Tue Jun 21 13:07:08 2011 : Info: [peap] ACK handshake fragment handler Tue Jun 21 13:07:08 2011 : Info: [peap] eaptls_verify returned 1 Tue Jun 21 13:07:08 2011 : Info: [peap] eaptls_process returned 13 Tue Jun 21 13:07:08 2011 : Info: [peap] EAPTLS_HANDLED Tue Jun 21 13:07:08 2011 : Info: ++[eap] returns handled Sending Access-Challenge of id 52 to 192.168.175.60 port 49369 EAP-Message = 0x010503fc1940a7f1e72ff6139a062d0004be308204ba308203a2a003020102020900dbd5d3879aa8ad84300d06092a864886f70d0101050500308199310b3009060355040613025553310b3009060355040813024d413110300e06035504071307416e646f766572311b3019060355040a1312456e74657261737973204e6574776f726b733124302206092a864886f70d0109011615737570706f727440656e746572617379732e636f6d312830260603550403131f535141204672656552616469757320526f6f74204365727469666963617465301e170d3131303531363230333732385a170d3231303531333230333732385a308199310b300906 EAP-Message = 0x0355040613025553310b3009060355040813024d413110300e06035504071307416e646f766572311b3019060355040a1312456e74657261737973204e6574776f726b733124302206092a864886f70d0109011615737570706f727440656e746572617379732e636f6d312830260603550403131f535141204672656552616469757320526f6f7420436572746966696361746530820122300d06092a864886f70d01010105000382010f003082010a0282010100ba5ff7eca38688710d603e1d5cd0da3808e0d1f6cc150c4db2f79381be2c9794b0a30a53418877e2cd5537324f84d306a0e9c47b68d95e2a7c32dbe7a5aa8a6ba088bcf2d6e92522 EAP-Message = 0x87dd001a74c75e3516e85abf7629e1559eaa50930c752d3661d112b615adb7131b916e427abe3c805d4da4e63393c9f000ffc4da814ab997077dc91e6e1c69ccf73f4650f71ac4bea3bca12d445ed9a2a6f3d1fa3e6e136085a8b61234c05b53af6d902a71d2d2dfd1d66ba19dacd4187e71732fa06e65f098bc3e54fdef1940464bb0bcab812f81b0e52ad7936e9fdbb9340687787c7581909201460b56decd0818ea0150a2df97d3d0f37707f34d2723fcdea6f297ed3d0203010001a38201013081fe301d0603551d0e041604145361843fe756ebbfd78b683f7ff0ab9394c237c93081ce0603551d230481c63081c380145361843fe756ebbfd78b EAP-Message = 0x683f7ff0ab9394c237c9a1819fa4819c308199310b3009060355040613025553310b3009060355040813024d413110300e06035504071307416e646f766572311b3019060355040a1312456e74657261737973204e6574776f726b733124302206092a864886f70d0109011615737570706f727440656e746572617379732e636f6d312830260603550403131f535141204672656552616469757320526f6f74204365727469666963617465820900dbd5d3879aa8ad84300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100150875ab6f7d235df9461e53a5eb6af98a6f3f3224216a6272e6a099d028dad4287142d2 EAP-Message = 0x1ba9e41ca593bf7c Message-Authenticator = 0x00000000000000000000000000000000 State = 0xfa9c4868f999516ee67926093dbdabe5 Tue Jun 21 13:07:08 2011 : Info: Finished request 3. Tue Jun 21 13:07:08 2011 : Debug: Going to the next request Tue Jun 21 13:07:08 2011 : Debug: Waking up in 3.9 seconds. rad_recv: Access-Request packet from host 192.168.175.60 port 49369, id=53, length=159 User-Name = "SQA\\Administrator" Service-Type = Framed-User Called-Station-Id = "00-1F-45-47-49-84" Calling-Station-Id = "00-18-8B-B9-C2-E3" NAS-IP-Address = 192.168.175.60 NAS-Port = 1 NAS-Port-Id = "ge.1.1" Framed-MTU = 1500 NAS-Port-Type = Ethernet State = 0xfa9c4868f999516ee67926093dbdabe5 EAP-Message = 0x020500061900 Message-Authenticator = 0x464d50fa189ac461396230ba78c6f4a8 Tue Jun 21 13:07:08 2011 : Info: +- entering group authorize {...} Tue Jun 21 13:07:08 2011 : Info: ++[preprocess] returns ok Tue Jun 21 13:07:08 2011 : Info: ++[chap] returns noop Tue Jun 21 13:07:08 2011 : Info: ++[mschap] returns noop Tue Jun 21 13:07:08 2011 : Info: [suffix] No '@' in User-Name = "SQA\Administrator", looking up realm NULL Tue Jun 21 13:07:08 2011 : Info: [suffix] No such realm "NULL" Tue Jun 21 13:07:08 2011 : Info: ++[suffix] returns noop Tue Jun 21 13:07:08 2011 : Info: [eap] EAP packet type response id 5 length 6 Tue Jun 21 13:07:08 2011 : Info: [eap] Continuing tunnel setup. Tue Jun 21 13:07:08 2011 : Info: ++[eap] returns ok Tue Jun 21 13:07:08 2011 : Info: Found Auth-Type = EAP Tue Jun 21 13:07:08 2011 : Info: +- entering group authenticate {...} Tue Jun 21 13:07:08 2011 : Info: [eap] Request found, released from the list Tue Jun 21 13:07:08 2011 : Info: [eap] EAP/peap Tue Jun 21 13:07:08 2011 : Info: [eap] processing type peap Tue Jun 21 13:07:08 2011 : Info: [peap] processing EAP-TLS Tue Jun 21 13:07:08 2011 : Info: [peap] Received TLS ACK Tue Jun 21 13:07:08 2011 : Info: [peap] ACK handshake fragment handler Tue Jun 21 13:07:08 2011 : Info: [peap] eaptls_verify returned 1 Tue Jun 21 13:07:08 2011 : Info: [peap] eaptls_process returned 13 Tue Jun 21 13:07:08 2011 : Info: [peap] EAPTLS_HANDLED Tue Jun 21 13:07:08 2011 : Info: ++[eap] returns handled Sending Access-Challenge of id 53 to 192.168.175.60 port 49369 EAP-Message = 0x010600e319009295ba455cbc8a3b52cbde90139c8f9939a1a7bc92170dd2eb28665cb9f662da4df21d1e5a4843e4a82e0b462e31062e41914f9f7aa5166bafeedcaeec0a3dc72ce2170ac9eb8744ff3c66b02275e5d22fde73c9a091c2f92df5b696b2dcd6a2d53eb7237b523e1869a928e8ca794ecc0f3e024af4b9728ad0ccff0a1319e2b2928d874daa8f6783ad4133b7962c23b60dbe05646d7a41b551bf588d3907c769439d6ba29fd099623c59a68c5bb62a5cb463138dfc459c6f5a9b829399d47400f65effc50422500a80896b95226cc41dd0bddc8c16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xfa9c4868fe9a516ee67926093dbdabe5 Tue Jun 21 13:07:08 2011 : Info: Finished request 4. Tue Jun 21 13:07:08 2011 : Debug: Going to the next request Tue Jun 21 13:07:08 2011 : Debug: Waking up in 3.9 seconds. rad_recv: Access-Request packet from host 192.168.175.60 port 49369, id=54, length=491 User-Name = "SQA\\Administrator" Service-Type = Framed-User Called-Station-Id = "00-1F-45-47-49-84" Calling-Station-Id = "00-18-8B-B9-C2-E3" NAS-IP-Address = 192.168.175.60 NAS-Port = 1 NAS-Port-Id = "ge.1.1" Framed-MTU = 1500 NAS-Port-Type = Ethernet State = 0xfa9c4868fe9a516ee67926093dbdabe5 EAP-Message = 0x0206015019800000014616030101061000010201006016999f497869cf5909a29d539a595236d8d7d481a3d40ee58d8359b5e83d124d0b3a0643a0d2a7f5cc9b6d95ada9df2dcf5d6e0a0e0fa53a55bb52a6e9af7d5b2db3d6784aa0e51f785a039733eb175892a7e334f01d8a7c3ac3754c911184ed12b111f1a386510e7eb7b5190c3928979d9b9488f39a40d1caadc29373eed61c1a7b2b46f19650a6aa90d35d886a2386346066af0c8dd2c9991eeccbca7bd0284d3ded62484352cd7e33b6ba9af835c89c2c0d6d4d813f8ef290ee5a1bee8e8c739344105f47dcecca0d7f2062a2e9916fb33cabd81bb1e07ce0e857e937aef7c503d19ed1e50d EAP-Message = 0x3708883971c2fa73c90267b1e2920e41604d57f2b6f7bf4514030100010116030100309e7acad7a738358a9edf66bde721e2eedcac64b5d76b706f3effa1f95647b968f1c14ba5edc61d6afcb66e17bf07e764 Message-Authenticator = 0x003e2d4dc59da1079886c948b73ca0bc Tue Jun 21 13:07:08 2011 : Info: +- entering group authorize {...} Tue Jun 21 13:07:08 2011 : Info: ++[preprocess] returns ok Tue Jun 21 13:07:08 2011 : Info: ++[chap] returns noop Tue Jun 21 13:07:08 2011 : Info: ++[mschap] returns noop Tue Jun 21 13:07:08 2011 : Info: [suffix] No '@' in User-Name = "SQA\Administrator", looking up realm NULL Tue Jun 21 13:07:08 2011 : Info: [suffix] No such realm "NULL" Tue Jun 21 13:07:08 2011 : Info: ++[suffix] returns noop Tue Jun 21 13:07:08 2011 : Info: [eap] EAP packet type response id 6 length 253 Tue Jun 21 13:07:08 2011 : Info: [eap] Continuing tunnel setup. Tue Jun 21 13:07:08 2011 : Info: ++[eap] returns ok Tue Jun 21 13:07:08 2011 : Info: Found Auth-Type = EAP Tue Jun 21 13:07:08 2011 : Info: +- entering group authenticate {...} Tue Jun 21 13:07:08 2011 : Info: [eap] Request found, released from the list Tue Jun 21 13:07:08 2011 : Info: [eap] EAP/peap Tue Jun 21 13:07:08 2011 : Info: [eap] processing type peap Tue Jun 21 13:07:08 2011 : Info: [peap] processing EAP-TLS Tue Jun 21 13:07:08 2011 : Debug: TLS Length 326 Tue Jun 21 13:07:08 2011 : Info: [peap] Length Included Tue Jun 21 13:07:08 2011 : Info: [peap] eaptls_verify returned 11 Tue Jun 21 13:07:08 2011 : Info: [peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange Tue Jun 21 13:07:09 2011 : Info: [peap] TLS_accept: SSLv3 read client key exchange A Tue Jun 21 13:07:09 2011 : Info: [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] Tue Jun 21 13:07:09 2011 : Info: [peap] <<< TLS 1.0 Handshake [length 0010], Finished Tue Jun 21 13:07:09 2011 : Info: [peap] TLS_accept: SSLv3 read finished A Tue Jun 21 13:07:09 2011 : Info: [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] Tue Jun 21 13:07:09 2011 : Info: [peap] TLS_accept: SSLv3 write change cipher spec A Tue Jun 21 13:07:09 2011 : Info: [peap] >>> TLS 1.0 Handshake [length 0010], Finished Tue Jun 21 13:07:09 2011 : Info: [peap] TLS_accept: SSLv3 write finished A Tue Jun 21 13:07:09 2011 : Info: [peap] TLS_accept: SSLv3 flush data Tue Jun 21 13:07:09 2011 : Info: [peap] (other): SSL negotiation finished successfully Tue Jun 21 13:07:09 2011 : Debug: SSL Connection Established Tue Jun 21 13:07:09 2011 : Info: [peap] eaptls_process returned 13 Tue Jun 21 13:07:09 2011 : Info: [peap] EAPTLS_HANDLED Tue Jun 21 13:07:09 2011 : Info: ++[eap] returns handled Sending Access-Challenge of id 54 to 192.168.175.60 port 49369 EAP-Message = 0x010700411900140301000101160301003005e74ab74ce53c43c0e5e3a5fef907ee826f8475864ef53e24b68e420527dd5d923a4909cd77edab2c213b31fca8a275 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xfa9c4868ff9b516ee67926093dbdabe5 Tue Jun 21 13:07:09 2011 : Info: Finished request 5. Tue Jun 21 13:07:09 2011 : Debug: Going to the next request Tue Jun 21 13:07:09 2011 : Debug: Waking up in 3.9 seconds. rad_recv: Access-Request packet from host 192.168.175.60 port 49369, id=55, length=159 User-Name = "SQA\\Administrator" Service-Type = Framed-User Called-Station-Id = "00-1F-45-47-49-84" Calling-Station-Id = "00-18-8B-B9-C2-E3" NAS-IP-Address = 192.168.175.60 NAS-Port = 1 NAS-Port-Id = "ge.1.1" Framed-MTU = 1500 NAS-Port-Type = Ethernet State = 0xfa9c4868ff9b516ee67926093dbdabe5 EAP-Message = 0x020700061900 Message-Authenticator = 0x6c971efaa56daa1eff637df5ea582180 Tue Jun 21 13:07:09 2011 : Info: +- entering group authorize {...} Tue Jun 21 13:07:09 2011 : Info: ++[preprocess] returns ok Tue Jun 21 13:07:09 2011 : Info: ++[chap] returns noop Tue Jun 21 13:07:09 2011 : Info: ++[mschap] returns noop Tue Jun 21 13:07:09 2011 : Info: [suffix] No '@' in User-Name = "SQA\Administrator", looking up realm NULL Tue Jun 21 13:07:09 2011 : Info: [suffix] No such realm "NULL" Tue Jun 21 13:07:09 2011 : Info: ++[suffix] returns noop Tue Jun 21 13:07:09 2011 : Info: [eap] EAP packet type response id 7 length 6 Tue Jun 21 13:07:09 2011 : Info: [eap] Continuing tunnel setup. Tue Jun 21 13:07:09 2011 : Info: ++[eap] returns ok Tue Jun 21 13:07:09 2011 : Info: Found Auth-Type = EAP Tue Jun 21 13:07:09 2011 : Info: +- entering group authenticate {...} Tue Jun 21 13:07:09 2011 : Info: [eap] Request found, released from the list Tue Jun 21 13:07:09 2011 : Info: [eap] EAP/peap Tue Jun 21 13:07:09 2011 : Info: [eap] processing type peap Tue Jun 21 13:07:09 2011 : Info: [peap] processing EAP-TLS Tue Jun 21 13:07:09 2011 : Info: [peap] Received TLS ACK Tue Jun 21 13:07:09 2011 : Info: [peap] ACK handshake is finished Tue Jun 21 13:07:09 2011 : Info: [peap] eaptls_verify returned 3 Tue Jun 21 13:07:09 2011 : Info: [peap] eaptls_process returned 3 Tue Jun 21 13:07:09 2011 : Info: [peap] EAPTLS_SUCCESS Tue Jun 21 13:07:09 2011 : Info: ++[eap] returns handled Sending Access-Challenge of id 55 to 192.168.175.60 port 49369 EAP-Message = 0x0108002b19001703010020307286386c83c576eba3c545aeaac56d15a6866f28cfc66225ee2e94150a13cc Message-Authenticator = 0x00000000000000000000000000000000 State = 0xfa9c4868fc94516ee67926093dbdabe5 Tue Jun 21 13:07:09 2011 : Info: Finished request 6. Tue Jun 21 13:07:09 2011 : Debug: Going to the next request Tue Jun 21 13:07:09 2011 : Debug: Waking up in 3.9 seconds. rad_recv: Access-Request packet from host 192.168.175.60 port 49369, id=56, length=212 User-Name = "SQA\\Administrator" Service-Type = Framed-User Called-Station-Id = "00-1F-45-47-49-84" Calling-Station-Id = "00-18-8B-B9-C2-E3" NAS-IP-Address = 192.168.175.60 NAS-Port = 1 NAS-Port-Id = "ge.1.1" Framed-MTU = 1500 NAS-Port-Type = Ethernet State = 0xfa9c4868fc94516ee67926093dbdabe5 EAP-Message = 0x0208003b190017030100302395e6a16580181d6580543ed5b3cbe68e539544554693a77f8d011cd346f18ddd28d45e51e3b31b55573ac659347af7 Message-Authenticator = 0x38739cdfd3d2f4efee28f4ba4ced2995 Tue Jun 21 13:07:09 2011 : Info: +- entering group authorize {...} Tue Jun 21 13:07:09 2011 : Info: ++[preprocess] returns ok Tue Jun 21 13:07:09 2011 : Info: ++[chap] returns noop Tue Jun 21 13:07:09 2011 : Info: ++[mschap] returns noop Tue Jun 21 13:07:09 2011 : Info: [suffix] No '@' in User-Name = "SQA\Administrator", looking up realm NULL Tue Jun 21 13:07:09 2011 : Info: [suffix] No such realm "NULL" Tue Jun 21 13:07:09 2011 : Info: ++[suffix] returns noop Tue Jun 21 13:07:09 2011 : Info: [eap] EAP packet type response id 8 length 59 Tue Jun 21 13:07:09 2011 : Info: [eap] Continuing tunnel setup. Tue Jun 21 13:07:09 2011 : Info: ++[eap] returns ok Tue Jun 21 13:07:09 2011 : Info: Found Auth-Type = EAP Tue Jun 21 13:07:09 2011 : Info: +- entering group authenticate {...} Tue Jun 21 13:07:09 2011 : Info: [eap] Request found, released from the list Tue Jun 21 13:07:09 2011 : Info: [eap] EAP/peap Tue Jun 21 13:07:09 2011 : Info: [eap] processing type peap Tue Jun 21 13:07:09 2011 : Info: [peap] processing EAP-TLS Tue Jun 21 13:07:09 2011 : Info: [peap] eaptls_verify returned 7 Tue Jun 21 13:07:09 2011 : Info: [peap] Done initial handshake Tue Jun 21 13:07:09 2011 : Info: [peap] eaptls_process returned 7 Tue Jun 21 13:07:09 2011 : Info: [peap] EAPTLS_OK Tue Jun 21 13:07:09 2011 : Info: [peap] Session established. Decoding tunneled attributes. PEAP tunnel data in 0000: 01 53 51 41 5c 41 64 6d 69 6e 69 73 74 72 61 74 PEAP tunnel data in 0010: 6f 72 Tue Jun 21 13:07:09 2011 : Info: [peap] Identity - SQA\Administrator Tue Jun 21 13:07:09 2011 : Info: [peap] Got tunneled request EAP-Message = 0x02080016015351415c41646d696e6973747261746f72 server { Tue Jun 21 13:07:09 2011 : Debug: PEAP: Got tunneled identity of SQA\Administrator Tue Jun 21 13:07:09 2011 : Debug: PEAP: Setting default EAP type for tunneled EAP session. Tue Jun 21 13:07:09 2011 : Debug: PEAP: Setting User-Name to SQA\Administrator Sending tunneled request EAP-Message = 0x02080016015351415c41646d696e6973747261746f72 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "SQA\\Administrator" server inner-tunnel { Tue Jun 21 13:07:09 2011 : Info: +- entering group authorize {...} Tue Jun 21 13:07:09 2011 : Info: ++[chap] returns noop Tue Jun 21 13:07:09 2011 : Info: ++[mschap] returns noop Tue Jun 21 13:07:09 2011 : Info: ++[unix] returns notfound Tue Jun 21 13:07:09 2011 : Info: [suffix] No '@' in User-Name = "SQA\Administrator", looking up realm NULL Tue Jun 21 13:07:09 2011 : Info: [suffix] No such realm "NULL" Tue Jun 21 13:07:09 2011 : Info: ++[suffix] returns noop Tue Jun 21 13:07:09 2011 : Info: ++[control] returns noop Tue Jun 21 13:07:09 2011 : Info: [eap] EAP packet type response id 8 length 22 Tue Jun 21 13:07:09 2011 : Info: [eap] No EAP Start, assuming it's an on-going EAP conversation Tue Jun 21 13:07:09 2011 : Info: ++[eap] returns updated Tue Jun 21 13:07:09 2011 : Info: [files] users: Matched entry SQA\Administrator at line 93 Tue Jun 21 13:07:09 2011 : Info: ++[files] returns ok Tue Jun 21 13:07:09 2011 : Info: ++[expiration] returns noop Tue Jun 21 13:07:09 2011 : Info: ++[logintime] returns noop Tue Jun 21 13:07:09 2011 : Info: [pap] Found existing Auth-Type, not changing it. Tue Jun 21 13:07:09 2011 : Info: ++[pap] returns noop Tue Jun 21 13:07:09 2011 : Info: Found Auth-Type = EAP Tue Jun 21 13:07:09 2011 : Info: +- entering group authenticate {...} Tue Jun 21 13:07:09 2011 : Info: [eap] EAP Identity Tue Jun 21 13:07:09 2011 : Info: [eap] processing type mschapv2 Tue Jun 21 13:07:09 2011 : Debug: rlm_eap_mschapv2: Issuing Challenge Tue Jun 21 13:07:09 2011 : Info: ++[eap] returns handled } # server inner-tunnel Tue Jun 21 13:07:09 2011 : Info: [peap] Got tunneled reply code 11 Filter-Id = "Enterasys:version=1:mgmt=su:policy=PEAP" EAP-Message = 0x0109002b1a0109002610a27cf4de468d1966f93d06a719dcbafa5351415c41646d696e6973747261746f72 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x88616ecc886874cdb68f9ca1d1effce7 Tue Jun 21 13:07:09 2011 : Info: [peap] Got tunneled reply RADIUS code 11 Filter-Id = "Enterasys:version=1:mgmt=su:policy=PEAP" EAP-Message = 0x0109002b1a0109002610a27cf4de468d1966f93d06a719dcbafa5351415c41646d696e6973747261746f72 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x88616ecc886874cdb68f9ca1d1effce7 Tue Jun 21 13:07:09 2011 : Info: [peap] Got tunneled Access-Challenge PEAP tunnel data out 0000: 1a 01 09 00 26 10 a2 7c f4 de 46 8d 19 66 f9 3d PEAP tunnel data out 0010: 06 a7 19 dc ba fa 53 51 41 5c 41 64 6d 69 6e 69 PEAP tunnel data out 0020: 73 74 72 61 74 6f 72 Tue Jun 21 13:07:09 2011 : Info: ++[eap] returns handled Sending Access-Challenge of id 56 to 192.168.175.60 port 49369 EAP-Message = 0x0109004b19001703010040bbbd0ec59148043d95bbb1941fa6cc5a36bb501baeb363227370c720982b909c42d5a2ad750688d595d06db57a0fdec810c437ca264583fb39254ee44c484463 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xfa9c4868fd95516ee67926093dbdabe5 Tue Jun 21 13:07:09 2011 : Info: Finished request 7. Tue Jun 21 13:07:09 2011 : Debug: Going to the next request Tue Jun 21 13:07:09 2011 : Debug: Waking up in 3.9 seconds. rad_recv: Access-Request packet from host 192.168.175.60 port 49369, id=57, length=260 User-Name = "SQA\\Administrator" Service-Type = Framed-User Called-Station-Id = "00-1F-45-47-49-84" Calling-Station-Id = "00-18-8B-B9-C2-E3" NAS-IP-Address = 192.168.175.60 NAS-Port = 1 NAS-Port-Id = "ge.1.1" Framed-MTU = 1500 NAS-Port-Type = Ethernet State = 0xfa9c4868fd95516ee67926093dbdabe5 EAP-Message = 0x0209006b1900170301006074a487ffa037c1d85d8bc5a072044aa56e4caff4a566a1e652469c45eb4389d9b5c41d04c88e504679e64037b3146795fd9867cac8ddc6087a2bf8f8c498f556f1b79b4fd07f501a25c75a7b9fc30f358f7a6630b0cc8d680d6f8a5f5fe62de6 Message-Authenticator = 0xd54e10ca79a6683c4fbf5ca48ac80ce4 Tue Jun 21 13:07:09 2011 : Info: +- entering group authorize {...} Tue Jun 21 13:07:09 2011 : Info: ++[preprocess] returns ok Tue Jun 21 13:07:09 2011 : Info: ++[chap] returns noop Tue Jun 21 13:07:09 2011 : Info: ++[mschap] returns noop Tue Jun 21 13:07:09 2011 : Info: [suffix] No '@' in User-Name = "SQA\Administrator", looking up realm NULL Tue Jun 21 13:07:09 2011 : Info: [suffix] No such realm "NULL" Tue Jun 21 13:07:09 2011 : Info: ++[suffix] returns noop Tue Jun 21 13:07:09 2011 : Info: [eap] EAP packet type response id 9 length 107 Tue Jun 21 13:07:09 2011 : Info: [eap] Continuing tunnel setup. Tue Jun 21 13:07:09 2011 : Info: ++[eap] returns ok Tue Jun 21 13:07:09 2011 : Info: Found Auth-Type = EAP Tue Jun 21 13:07:09 2011 : Info: +- entering group authenticate {...} Tue Jun 21 13:07:09 2011 : Info: [eap] Request found, released from the list Tue Jun 21 13:07:09 2011 : Info: [eap] EAP/peap Tue Jun 21 13:07:09 2011 : Info: [eap] processing type peap Tue Jun 21 13:07:09 2011 : Info: [peap] processing EAP-TLS Tue Jun 21 13:07:09 2011 : Info: [peap] eaptls_verify returned 7 Tue Jun 21 13:07:09 2011 : Info: [peap] Done initial handshake Tue Jun 21 13:07:09 2011 : Info: [peap] eaptls_process returned 7 Tue Jun 21 13:07:09 2011 : Info: [peap] EAPTLS_OK Tue Jun 21 13:07:09 2011 : Info: [peap] Session established. Decoding tunneled attributes. PEAP tunnel data in 0000: 1a 02 09 00 47 31 2c 34 8d 35 6c 2a a0 08 19 08 PEAP tunnel data in 0010: a4 aa 14 e0 c9 61 00 00 00 00 00 00 00 00 af f2 PEAP tunnel data in 0020: 48 84 dc 2d d6 d2 b8 f1 4c aa a5 45 eb 27 ed 97 PEAP tunnel data in 0030: ab 70 70 19 d0 ce 00 53 51 41 5c 41 64 6d 69 6e PEAP tunnel data in 0040: 69 73 74 72 61 74 6f 72 Tue Jun 21 13:07:09 2011 : Info: [peap] EAP type mschapv2 Tue Jun 21 13:07:09 2011 : Info: [peap] Got tunneled request EAP-Message = 0x0209004c1a02090047312c348d356c2aa0081908a4aa14e0c9610000000000000000aff24884dc2dd6d2b8f14caaa545eb27ed97ab707019d0ce005351415c41646d696e6973747261746f72 server { Tue Jun 21 13:07:09 2011 : Debug: PEAP: Setting User-Name to SQA\Administrator Sending tunneled request EAP-Message = 0x0209004c1a02090047312c348d356c2aa0081908a4aa14e0c9610000000000000000aff24884dc2dd6d2b8f14caaa545eb27ed97ab707019d0ce005351415c41646d696e6973747261746f72 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "SQA\\Administrator" State = 0x88616ecc886874cdb68f9ca1d1effce7 server inner-tunnel { Tue Jun 21 13:07:09 2011 : Info: +- entering group authorize {...} Tue Jun 21 13:07:09 2011 : Info: ++[chap] returns noop Tue Jun 21 13:07:09 2011 : Info: ++[mschap] returns noop Tue Jun 21 13:07:09 2011 : Info: ++[unix] returns notfound Tue Jun 21 13:07:09 2011 : Info: [suffix] No '@' in User-Name = "SQA\Administrator", looking up realm NULL Tue Jun 21 13:07:09 2011 : Info: [suffix] No such realm "NULL" Tue Jun 21 13:07:09 2011 : Info: ++[suffix] returns noop Tue Jun 21 13:07:09 2011 : Info: ++[control] returns noop Tue Jun 21 13:07:09 2011 : Info: [eap] EAP packet type response id 9 length 76 Tue Jun 21 13:07:09 2011 : Info: [eap] No EAP Start, assuming it's an on-going EAP conversation Tue Jun 21 13:07:09 2011 : Info: ++[eap] returns updated Tue Jun 21 13:07:09 2011 : Info: [files] users: Matched entry SQA\Administrator at line 93 Tue Jun 21 13:07:09 2011 : Info: ++[files] returns ok Tue Jun 21 13:07:09 2011 : Info: ++[expiration] returns noop Tue Jun 21 13:07:09 2011 : Info: ++[logintime] returns noop Tue Jun 21 13:07:09 2011 : Info: [pap] Found existing Auth-Type, not changing it. Tue Jun 21 13:07:09 2011 : Info: ++[pap] returns noop Tue Jun 21 13:07:09 2011 : Info: Found Auth-Type = EAP Tue Jun 21 13:07:09 2011 : Info: +- entering group authenticate {...} Tue Jun 21 13:07:09 2011 : Info: [eap] Request found, released from the list Tue Jun 21 13:07:09 2011 : Info: [eap] EAP/mschapv2 Tue Jun 21 13:07:09 2011 : Info: [eap] processing type mschapv2 Tue Jun 21 13:07:09 2011 : Info: [mschapv2] +- entering group MS-CHAP {...} Tue Jun 21 13:07:09 2011 : Info: [mschap] NT Domain delimeter found, should we have enabled with_ntdomain_hack? Tue Jun 21 13:07:09 2011 : Info: [mschap] Told to do MS-CHAPv2 for SQA\Administrator with NT-Password Tue Jun 21 13:07:09 2011 : Info: [mschap] FAILED: MS-CHAP2-Response is incorrect Tue Jun 21 13:07:09 2011 : Info: ++[mschap] returns reject Tue Jun 21 13:07:09 2011 : Info: [eap] Freeing handler Tue Jun 21 13:07:09 2011 : Info: ++[eap] returns reject Tue Jun 21 13:07:09 2011 : Info: Failed to authenticate the user. } # server inner-tunnel Tue Jun 21 13:07:09 2011 : Info: [peap] Got tunneled reply code 3 Filter-Id = "Enterasys:version=1:mgmt=su:policy=PEAP" MS-CHAP-Error = "\tE=691 R=1" EAP-Message = 0x04090004 Message-Authenticator = 0x00000000000000000000000000000000 Tue Jun 21 13:07:09 2011 : Info: [peap] Got tunneled reply RADIUS code 3 Filter-Id = "Enterasys:version=1:mgmt=su:policy=PEAP" MS-CHAP-Error = "\tE=691 R=1" EAP-Message = 0x04090004 Message-Authenticator = 0x00000000000000000000000000000000 Tue Jun 21 13:07:09 2011 : Info: [peap] Tunneled authentication was rejected. Tue Jun 21 13:07:09 2011 : Info: [peap] FAILURE Tue Jun 21 13:07:09 2011 : Info: ++[eap] returns handled Sending Access-Challenge of id 57 to 192.168.175.60 port 49369 EAP-Message = 0x010a002b1900170301002044c7f112a20e7ece668519cc758a09bb6e46926c62dacf84d3a7c72f0415add2 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xfa9c4868f296516ee67926093dbdabe5 Tue Jun 21 13:07:09 2011 : Info: Finished request 8. Tue Jun 21 13:07:09 2011 : Debug: Going to the next request Tue Jun 21 13:07:09 2011 : Debug: Waking up in 3.8 seconds. rad_recv: Access-Request packet from host 192.168.175.60 port 49369, id=58, length=196 User-Name = "SQA\\Administrator" Service-Type = Framed-User Called-Station-Id = "00-1F-45-47-49-84" Calling-Station-Id = "00-18-8B-B9-C2-E3" NAS-IP-Address = 192.168.175.60 NAS-Port = 1 NAS-Port-Id = "ge.1.1" Framed-MTU = 1500 NAS-Port-Type = Ethernet State = 0xfa9c4868f296516ee67926093dbdabe5 EAP-Message = 0x020a002b190017030100200689d71259348a130c7e450d070ec394c6f9acbf4065c6b7084ea2baf294e008 Message-Authenticator = 0xfe143df53474b98a2df9289a2429eb30 Tue Jun 21 13:07:09 2011 : Info: +- entering group authorize {...} Tue Jun 21 13:07:09 2011 : Info: ++[preprocess] returns ok Tue Jun 21 13:07:09 2011 : Info: ++[chap] returns noop Tue Jun 21 13:07:09 2011 : Info: ++[mschap] returns noop Tue Jun 21 13:07:09 2011 : Info: [suffix] No '@' in User-Name = "SQA\Administrator", looking up realm NULL Tue Jun 21 13:07:09 2011 : Info: [suffix] No such realm "NULL" Tue Jun 21 13:07:09 2011 : Info: ++[suffix] returns noop Tue Jun 21 13:07:09 2011 : Info: [eap] EAP packet type response id 10 length 43 Tue Jun 21 13:07:09 2011 : Info: [eap] Continuing tunnel setup. Tue Jun 21 13:07:09 2011 : Info: ++[eap] returns ok Tue Jun 21 13:07:09 2011 : Info: Found Auth-Type = EAP Tue Jun 21 13:07:09 2011 : Info: +- entering group authenticate {...} Tue Jun 21 13:07:09 2011 : Info: [eap] Request found, released from the list Tue Jun 21 13:07:09 2011 : Info: [eap] EAP/peap Tue Jun 21 13:07:09 2011 : Info: [eap] processing type peap Tue Jun 21 13:07:09 2011 : Info: [peap] processing EAP-TLS Tue Jun 21 13:07:09 2011 : Info: [peap] eaptls_verify returned 7 Tue Jun 21 13:07:09 2011 : Info: [peap] Done initial handshake Tue Jun 21 13:07:09 2011 : Info: [peap] eaptls_process returned 7 Tue Jun 21 13:07:09 2011 : Info: [peap] EAPTLS_OK Tue Jun 21 13:07:09 2011 : Info: [peap] Session established. Decoding tunneled attributes. PEAP tunnel data in 0000: 02 0a 00 0b 21 80 03 00 02 00 02 Tue Jun 21 13:07:09 2011 : Info: [peap] Received EAP-TLV response. Tue Jun 21 13:07:09 2011 : Info: [peap] Had sent TLV failure. User was rejected earlier in this session. Tue Jun 21 13:07:09 2011 : Info: [eap] Handler failed in EAP/peap Tue Jun 21 13:07:09 2011 : Info: [eap] Failed in EAP select Tue Jun 21 13:07:09 2011 : Info: ++[eap] returns invalid Tue Jun 21 13:07:09 2011 : Info: Failed to authenticate the user. Tue Jun 21 13:07:09 2011 : Info: Using Post-Auth-Type Reject Tue Jun 21 13:07:09 2011 : Info: +- entering group REJECT {...} Tue Jun 21 13:07:09 2011 : Info: [attr_filter.access_reject] expand: %{User-Name} -> SQA\Administrator Tue Jun 21 13:07:09 2011 : Debug: attr_filter: Matched entry DEFAULT at line 11 Tue Jun 21 13:07:09 2011 : Info: ++[attr_filter.access_reject] returns updated Tue Jun 21 13:07:09 2011 : Info: Delaying reject of request 9 for 1 seconds Tue Jun 21 13:07:09 2011 : Debug: Going to the next request Tue Jun 21 13:07:09 2011 : Debug: Waking up in 0.9 seconds. Tue Jun 21 13:07:10 2011 : Info: Sending delayed reject for request 9 Sending Access-Reject of id 58 to 192.168.175.60 port 49369 EAP-Message = 0x040a0004 Message-Authenticator = 0x00000000000000000000000000000000 Tue Jun 21 13:07:10 2011 : Debug: Waking up in 2.8 seconds. Tue Jun 21 13:07:12 2011 : Info: Cleaning up request 0 ID 49 with timestamp +11 Tue Jun 21 13:07:12 2011 : Debug: Waking up in 1.0 seconds. Tue Jun 21 13:07:13 2011 : Info: Cleaning up request 1 ID 50 with timestamp +12 Tue Jun 21 13:07:13 2011 : Info: Cleaning up request 2 ID 51 with timestamp +12 Tue Jun 21 13:07:13 2011 : Info: Cleaning up request 3 ID 52 with timestamp +12 Tue Jun 21 13:07:13 2011 : Info: Cleaning up request 4 ID 53 with timestamp +12 Tue Jun 21 13:07:14 2011 : Info: Cleaning up request 5 ID 54 with timestamp +12 Tue Jun 21 13:07:14 2011 : Info: Cleaning up request 6 ID 55 with timestamp +13 Tue Jun 21 13:07:14 2011 : Info: Cleaning up request 7 ID 56 with timestamp +13 Tue Jun 21 13:07:14 2011 : Info: Cleaning up request 8 ID 57 with timestamp +13 Tue Jun 21 13:07:14 2011 : Debug: Waking up in 1.0 seconds. Tue Jun 21 13:07:15 2011 : Info: Cleaning up request 9 ID 58 with timestamp +13 Tue Jun 21 13:07:15 2011 : Info: Ready to process requests. -- View this message in context: http://freeradius.1045715.n5.nabble.com/How-to-setup-Freeradius-tp4526799p45... Sent from the FreeRadius - User mailing list archive at Nabble.com.
On Thu, Jun 30, 2011 at 9:00 AM, sgilmour <sgilmour@enterasys.com> wrote:
Thanks for the reply here is my debug log Looks like it is failing here.
Tue Jun 21 09:35:28 2011 : Info: [mschap] No Cleartext-Password configured. Cannot create LM-Password. Tue Jun 21 09:35:28 2011 : Info: [mschap] No Cleartext-Password configured. Cannot create NT-Password. Tue Jun 21 09:35:28 2011 : Info: [mschap] NT Domain delimeter found, should we have enabled with_ntdomain_hack? Tue Jun 21 09:35:28 2011 : Info: [mschap] Told to do MS-CHAPv2 for SQA\Administrator with NT-Password Tue Jun 21 09:35:28 2011 : Info: [mschap] FAILED: No NT/LM-Password. Cannot perform authentication. Tue Jun 21 09:35:28 2011 : Info: [mschap] FAILED: MS-CHAP2-Response is incorrect Tue Jun 21 09:35:28 2011 : Info: ++[mschap] returns reject Tue Jun 21 09:35:28 2011 : Info: [eap] Freeing handler Tue Jun 21 09:35:28 2011 : Info: ++[eap] returns reject
Are you using users file? From [files] users: Matched entry SQA\Administrator at line 93 it seems that you are. If that's the case then it's simple. The lines Tue Jun 21 09:35:28 2011 : Info: [mschap] No Cleartext-Password configured. Cannot create LM-Password. Tue Jun 21 09:35:28 2011 : Info: [mschap] No Cleartext-Password configured. Cannot create NT-Password. said it all. You need either a clear-text password, or NT-Password in the users file. Here's an example in my setup (the mail client might wrap it, but it's all in one line): testuser NT-Password := "35CCBA9168B1D5CA6093B4B7D56C619B", LM-Password := "3AE6CCCE2A2A253F93E28745B8BF4BA6" or testuser Cleartext-Password := "testpass" The first example should be able to handle pap and mschap, and is encrypted, but it won't work if you use EAP-MD5 (which needs cleartext-password). The second example should be able to handle any authentication method, but some might say it's a security risk since the password is stored as clear text. NT and LM password can be created using the tool smbencrypt (part of freeradius-utils package) # smbencrypt testpass LM Hash NT Hash -------------------------------- -------------------------------- 3AE6CCCE2A2A253F93E28745B8BF4BA6 35CCBA9168B1D5CA6093B4B7D56C619B
root@Ubuntu-FreeRadius:/etc/freeradius# freeradius -X -X -X
freeradius -X is enough, no need for extra Xs. It makes it harder to read.
Tue Jun 21 13:06:55 2011 : Info: FreeRADIUS Version 2.1.8, for host i486-pc-linux-gnu, built on Jan 5 2010 at 02:49:11
You don't mention which OS you use. Debian and Ubuntu both have 2.1.10. There was a post on this list where someone was having a problem with an older freeradius server even when he has both NT-Password and LM-Password stored in LDAP, so if you've provided those two passwords but still unable to authenticate with mschap, try upgrading. -- Fajar
Fajar, I am using freeradius with Ubuntu 11.04 with freeradius version 2.1.8. I don't have Debian installed. I only installed the freeradius that came with Ubuntu 11.04 using the synaptic package manager. Here is my user file configuration. root@Ubuntu-FreeRadius:/etc/freeradius# freeradius -v freeradius: FreeRADIUS Version 2.1.8, for host i486-pc-linux-gnu, built on Jan 5 2010 at 02:49:11 Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. Here is my users file. # Note that there is NO 'Fall-Through' attribute, so the user will not # be given any additional resources. # #Test User bob Cleartext-Password := "hello" #Radius Users sqa Auth-Type := Local, Cleartext-Password := "sqa" Filter-Id = "Enterasys:version=1:mgmt=su" # sqarw Auth-Type := Local, Cleartext-Password := "sqa" Filter-Id = "Enterasys:version=1:mgmt=rw" # sqaro Auth-Type := Local, Cleartext-Password := "sqa" Filter-Id = "Enterasys:version=1:mgmt=ro" # MSCHAP-V2 jitc Auth-Type := mschap, Cleartext-Password := "jitc" Filter-Id = "Enterasys:version=1:mgmt=su" # jitcrw Auth-Type := mschap, Cleartext-Password := "jitc" Filter-Id = "Enterasys:version=1:mgmt=rw" # jitcro Auth-Type := mschap, Cleartext-Password := "jitc" Filter-Id = "Enterasys:version=1:mgmt=ro" #PWA Users pwapap Auth-Type := PAP, Cleartext-Password := "pwa" # Service-Type = Administrative-User # Filter-Id = "Enterasys:version=1:mgmt=su:policy=PWA-PAP" pwachap Auth-Type := CHAP, Cleartext-Password := "pwa" # Service-Type = Administrative-User Filter-Id = "Enterasys:version=1:mgmt=su:policy=PWA-CHAP" # #MAC Users 00-18-8B-B9-C2-E3 Auth-Type := Local, Cleartext-Password := "NOPASSWORD" Service-Type = Framed-User, Filter-Id = "Switched Ixia" #MD5 Users sqamd5 Auth-Type := EAP, Cleartext-Password := "sqamd5" # Service-Type = Administrative-User Filter-Id = "Enterasys:version=1:mgmt=su:policy=MD5" #PEAP Users Administrator Auth-Type := EAP, Cleartext-Password := "enterasys" # Service-Type = Administrative-User Filter-Id = "Enterasys:version=1:mgmt=su:policy=MD5" # sqapeap Auth-Type := EAP, Cleartext-Password := "sqapeap" # Service-Type = Administrative-User Filter-Id = "Enterasys:version=1:mgmt=su:policy=PEAP" #TLS Users sqatls Auth-Type := EAP, Cleartext-Password := "sqatls" # Service-Type = Administrative-User Filter-Id = "Enterasys:version=1:mgmt=su:policy=TLS" #lameuser Auth-Type := Reject # Reply-Message = "Your account has been disabled." # -- View this message in context: http://freeradius.1045715.n5.nabble.com/How-to-setup-Freeradius-tp4526799p45... Sent from the FreeRadius - User mailing list archive at Nabble.com.
On Sat, Jul 2, 2011 at 10:37 AM, sgilmour <sgilmour@enterasys.com> wrote:
Fajar, I am using freeradius with Ubuntu 11.04 with freeradius version 2.1.8. I
You either wrote the wrong Ubuntu version, or messed up the repository somehow. See http://packages.ubuntu.com/freeradius
Here is my users file.
That can't be right. Did you edit the users file somehow? The debug clearly says line 93. What's on that line? Also, what's with lots of "Auth-Type"? In normal circumstances you should not need to set it manually, unless it's for Accept or Reject. See http://wiki.freeradius.org/Auth%20Type -- Fajar
hi, do not set Auth-Type := EAP, or AuthType := local in your users file. the server is quite capable od dealing with these things - there are only a very very few times when you might need to even think about setting the type. can you say what doc you were following that told you to set that value in your users file (so we can liaise with the author to fix such erroneous docs) alan
Here is a site where I say the auth-type post plus I have seen it in other posts and sites online. http://www.dslreports.com/forum/remark,9286052 I will give it a try without it and let you know the results. Currently I am using 10.04 LTS. I did just load 11.04 Ubuntu but haven't installed fkereeradius on this version. Hence all my questions before I setup freeradius on 11.04. My mistake. Thanks Scott -- View this message in context: http://freeradius.1045715.n5.nabble.com/How-to-setup-Freeradius-tp4526799p45... Sent from the FreeRadius - User mailing list archive at Nabble.com.
I am going to be setting up both PEAP and TLS for authentication. Do I need to setup certificateson my freeradius server in order to do PEAP Authentication the same way I would do for 2008 Server and my Windows 7 Client? I am assuming yes. Thanks Scott -- View this message in context: http://freeradius.1045715.n5.nabble.com/How-to-setup-Freeradius-tp4526799p45... Sent from the FreeRadius - User mailing list archive at Nabble.com.
On Wed, Jul 6, 2011 at 10:49 AM, sgilmour <sgilmour@enterasys.com> wrote:
I am going to be setting up both PEAP and TLS for authentication. Do I need to setup certificateson my freeradius server in order to do PEAP Authentication the same way I would do for 2008 Server and my Windows 7 Client? I am assuming yes.
Yup. See https://github.com/alandekok/freeradius-server/blob/v2.1.x/raddb/certs/READM... -- Fajar
I had to uncheck validate certificates on the client. I also had to uncheck use logon on username and password so it would ask me for the credentials. The server does not like when the client sends domain info. On the server side I had to change the users file so it doesn't include the Auth-Type as previously recommended. My Question is on my PC's Winows 7 and Windows XP clients. How do I get my user to work in a domain environment with PEAP and EAP-TLS so that I don't need to manually login with my client. This would be the preferred way for us to authenticate to the network. This is how we do it with our Windows 2003/2008 Servers. -- View this message in context: http://freeradius.1045715.n5.nabble.com/How-to-setup-Freeradius-tp4526799p45... Sent from the FreeRadius - User mailing list archive at Nabble.com.
sgilmour wrote:
My Question is on my PC's Winows 7 and Windows XP clients. How do I get my user to work in a domain environment with PEAP and EAP-TLS so that I don't need to manually login with my client. This would be the preferred way for us to authenticate to the network. This is how we do it with our Windows 2003/2008 Servers.
See http://deployingradius.com It contains instructions for how to configure EAP-TLS, and domain logins to Active Directory. Alan DeKok.
Hi,
I had to uncheck validate certificates on the client. I also had to uncheck use logon on username and password so it would ask me for the credentials. The server does not like when the client sends domain info. On the server side I had to change the users file so it doesn't include the Auth-Type as previously recommended. My Question is on my PC's Winows 7 and Windows XP clients. How do I get my user to work in a domain environment with PEAP and EAP-TLS so that I don't need to manually login with my client. This would be the preferred way for us to authenticate to the network. This is how we do it with our Windows 2003/2008 Servers.
bind your FreeRADIUS into the AD and use the NTLM and AD login stuff. the FreeRADIUS server is quite able to handle these - you just need to configure it to do so...if you dont, then yes, you cant login with your AD identity - we happily do this with the machine identity for our local people on our 802.1X wireless network (and wired network) alan
I just want to make sure I understand this. The only way is to be able to login to my PC with a Domain is to incorporate freeradius with an Active Directory server. There isn't a way to do this without using Active Directory and to have freeradius do this independantly? -- View this message in context: http://freeradius.1045715.n5.nabble.com/How-to-setup-Freeradius-tp4526799p45... Sent from the FreeRadius - User mailing list archive at Nabble.com.
On 07/13/2011 04:20 PM, sgilmour wrote:
I just want to make sure I understand this. The only way is to be able to login to my PC with a Domain is to incorporate freeradius with an Active Directory server. There isn't a way to do this without using Active Directory and to have freeradius do this independantly?
To login with domain credentials, FreeRADIUS must be able to check domain credentials. To check domain credentials, FreeRADIUS must be able to talk to Samba as a domain member.
On 2011/07/13 05:49 PM, Phil Mayers wrote:
To login with domain credentials, FreeRADIUS must be able to check domain credentials.
To check domain credentials, FreeRADIUS must be able to talk to Samba as a domain member. -
Just for interest sake... We use a lot of Samba Domain Controllers (samba3, NT4 style domain) Can you get this to work if you dont want Windows on your network? (Not something I'm trying to achieve, just curious) -- Johan Meiring Cape PC Services CC Tel: (021) 883-8271 Fax: (021) 886-7782 -------------------- Before acting on this email or opening any attachments you should read Cape PC Service's email disclaimer at: http://www.pcservices.co.za/disclaimer.html
On 07/13/2011 05:40 PM, Johan Meiring wrote:
Just for interest sake...
We use a lot of Samba Domain Controllers (samba3, NT4 style domain)
I should have been more precise: my comments apply to Microsoft domain controllers. If you are using Samba as your domain controllers, then you have access to the SAM and can extract the LM/NT hash from whatever backend you use. So you can just feed that info straight to FreeRADIUS. No need to use ntlm_auth / samba membership - just dump the NT hashes somewhere FreeRADIUS can get at them, or if you're using LDAP, point FreeRADIUS at that LDAP server and make sure it can read the ntPassword attribute. This is preferable to using ntlm_auth in fact.
Thanks for everyones help. I will follow the http://deployingradius.com/documents/configuration/active_directory.html Looks like all I need to do is setup the samba, and the ntml_auth file and I should be all set. I should be able to setup the smb.conf file so it will work with both my 2003 and 2008 Servers Active Directory files? Thanks Scott -- View this message in context: http://freeradius.1045715.n5.nabble.com/How-to-setup-Freeradius-tp4526799p45... Sent from the FreeRadius - User mailing list archive at Nabble.com.
On 2011/07/13 06:51 PM, Phil Mayers wrote:
If you are using Samba as your domain controllers, then you have access to the SAM and can extract the LM/NT hash from whatever backend you use.
So you can just feed that info straight to FreeRADIUS. No need to use ntlm_auth / samba membership - just dump the NT hashes somewhere FreeRADIUS can get at them, or if you're using LDAP, point FreeRADIUS at that LDAP server and make sure it can read the ntPassword attribute.
This is preferable to using ntlm_auth in fact.
OK... So the ntlm_auth "hack" is just because a Microsoft Domain Controller/LDAP refuses to share the ntPassword attribute with anyone that does not look like Microsoft? Hopefully Samba4 changes that as it should have a copy of the AD database! Thanks! -- Johan Meiring Cape PC Services CC Tel: (021) 883-8271 Fax: (021) 886-7782 -------------------- Before acting on this email or opening any attachments you should read Cape PC Service's email disclaimer at: http://www.pcservices.co.za/disclaimer.html
On 14/07/11 08:45, Johan Meiring wrote:
On 2011/07/13 06:51 PM, Phil Mayers wrote:
If you are using Samba as your domain controllers, then you have access to the SAM and can extract the LM/NT hash from whatever backend you use.
So you can just feed that info straight to FreeRADIUS. No need to use ntlm_auth / samba membership - just dump the NT hashes somewhere FreeRADIUS can get at them, or if you're using LDAP, point FreeRADIUS at that LDAP server and make sure it can read the ntPassword attribute.
This is preferable to using ntlm_auth in fact.
OK...
So the ntlm_auth "hack" is just because a Microsoft Domain
Point of clarity: It's not a hack. It's the same things windows does - this is how IAS/NPS authenticates MS-CHAP. That's what the RPC call is for, and they are core, documented Microsoft authenticator APIs.
Controller/LDAP refuses to share the ntPassword attribute with anyone that does not look like Microsoft?
Yes
Hopefully Samba4 changes that as it should have a copy of the AD database!
Perhaps. Personally I'm doubtful it will be useful for that many people. Think about it: the argument goes as follows: 1. Samba 3 & ntlm_auth are too hard to set up / maintain 2. Therefore we'll install Samba 4, make it a domain controller so it can replicate the SAM, and that will be much easier Not a convincing argument, I feel. Even if you can convince your AD admins to *permit* you to promote a Samba 4 to a DC role, I don't see how it'll be any less hassle to run than a Samba 3 in a server role. There are a small number of sites who may be able to use this route, but for complete "ease of use", there's no ideal solution.
sgilmour wrote:
I just want to make sure I understand this. The only way is to be able to login to my PC with a Domain is to incorporate freeradius with an Active Directory server. There isn't a way to do this without using Active Directory and to have freeradius do this independantly?
If there was such a method, we would have said so. We're not in the business of lying to people about solutions. Alan DeKok.
On Wed, 13 Jul 2011 08:20 -0700, "sgilmour" <sgilmour@enterasys.com> wrote:
I just want to make sure I understand this. The only way is to be able to login to my PC with a Domain is to incorporate freeradius with an Active Directory server. There isn't a way to do this without using Active Directory and to have freeradius do this independantly?
Correct, but it's not too difficult. Here are some docs I followed to get a Debian machine joined to my AD domain: http://www.surlyjake.com/2009/05/join-debian-lenny-to-active-directory-using... https://help.ubuntu.com/community/ActiveDirectoryWinbindHowto http://wiki.debian.org/Authenticating_Linux_With_Active_Directory You can stop after you've joined the domain, you don't need to proceed through the setting up authentication steps. After that, go to the section "Configuring FreeRADIUS to use ntlm_auth" at http://deployingradius.com/documents/configuration/active_directory.html and try it out.
Nick, I will take a look. Thanks Scott From: Nick Kartsioukas [via FreeRadius] [mailto:ml-node+4583281-225081943-107363@n5.nabble.com] Sent: Wednesday, July 13, 2011 12:31 PM To: Gilmour, Scott Subject: Re: How to setup Freeradius in a Domain On Wed, 13 Jul 2011 08:20 -0700, "sgilmour" <[hidden email]</user/SendEmail.jtp?type=node&node=4583281&i=0>> wrote:
I just want to make sure I understand this. The only way is to be able to login to my PC with a Domain is to incorporate freeradius with an Active Directory server. There isn't a way to do this without using Active Directory and to have freeradius do this independantly?
Correct, but it's not too difficult. Here are some docs I followed to get a Debian machine joined to my AD domain: http://www.surlyjake.com/2009/05/join-debian-lenny-to-active-directory-using... https://help.ubuntu.com/community/ActiveDirectoryWinbindHowto http://wiki.debian.org/Authenticating_Linux_With_Active_Directory You can stop after you've joined the domain, you don't need to proceed through the setting up authentication steps. After that, go to the section "Configuring FreeRADIUS to use ntlm_auth" at http://deployingradius.com/documents/configuration/active_directory.html and try it out. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html ________________________________ If you reply to this email, your message will be added to the discussion below: http://freeradius.1045715.n5.nabble.com/How-to-setup-Freeradius-tp4526799p45... To unsubscribe from How to setup Freeradius, click here<http://freeradius.1045715.n5.nabble.com/template/NamlServlet.jtp?macro=unsubscribe_by_code&node=4526799&code=c2dpbG1vdXJAZW50ZXJhc3lzLmNvbXw0NTI2Nzk5fDczMDY1MTY5NQ==>. -- View this message in context: http://freeradius.1045715.n5.nabble.com/How-to-setup-Freeradius-tp4526799p45... Sent from the FreeRadius - User mailing list archive at Nabble.com.
On Jul 13, 2011, at 5:20 PM, sgilmour wrote:
I just want to make sure I understand this. The only way is to be able to login to my PC with a Domain is to incorporate freeradius with an Active Directory server.
No as the others have said, unless you're looking to qualify a username using the value of the domain field in the login box, in which case yes its possible. e.g. User: 010103523 Domain: STAFF You can then proxy the request based on the domain, use it to determine which directory to query, or to check group membership (though thats a little weird and undomainy). -Arran Arran Cudbard-Bell a.cudbardb@freeradius.org RADIUS - Half the complexity of Diameter
participants (9)
-
Alan Buxey -
Alan DeKok -
Arran Cudbard-Bell -
Fajar A. Nugraha -
Gilmour, Scott -
Johan Meiring -
Nick Kartsioukas -
Phil Mayers -
sgilmour