Active directory and MS-CHAP Authentication.
Hi, I have a problem with the authentication of active directory users on freeradius. I correctly set up samba and kerberos and if I write: # ntlm_auth --request-nt-key --domain=mydomain --username=myuser if I insert the correct password I receive the authentication ok. My problem is to configure the mschap module on freeradius. My mschap config is: mschap { auth-type = MS-CHAP with_ntdomain_hack = yes ntlm_auth ="/usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" } If I insert in the users file "DEFAULT Auth-Type := MS-CHAP", in the log file I read this error: rlm_mschap: No User-Password configured. Cannot create LM-Password. rlm_mschap: No User-Password configured. Cannot create NM-Password. rlm_mschap: No MS-CHAP-Challenge in the request If I remove the DAFAULT user in the users file in the log I can't find a mschap authentication and the user is reject. What is wrong? Thanks a lot Bye Antonio
Antonio Matera <antonio.matera@create-net.it> wrote:
If I insert in the users file "DEFAULT Auth-Type := MS-CHAP", in the log file I read this error:
Which is why the documentation says to NOT set Auth-Type. You didn't post the rest of the debug log (i.e. the packet), but it's obvious what's happening. The server is getting a packet without ms-chap, and you told it to do ms-chap, so it doesn't work. The solution is don't break the configuration of the server.
If I remove the DAFAULT user in the users file in the log I can't find a mschap authentication and the user is reject.
I doubt that very much. The default config works. If you're using "radtest", then it doesn't do ms-chap authentication, so you can't use it to test ms-chap on the server. You have to use another client. Alan DeKok.
Hallo, thanks for your answer. Now I post all my configuration and log, in this way I suppose that is much easy understand my problem. my eap.conf file is: eap { default_eap_type = peap timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no md5 { } leap { } gtc { auth_type = PAP } tls { private_key_password = whatever private_key_file = ${raddbdir}/certs/masterkeys2/cert-srv.pem certificate_file = ${raddbdir}/certs/masterkeys2/cert-srv.pem # Trusted Root CA list CA_file = ${raddbdir}/certs/masterkeys2/root.pem CA_path = ${raddbdir}/certs/masterkeys2/ dh_file = ${raddbdir}/certs/dh random_file = ${raddbdir}/certs/random fragment_size = 1024 include_length = yes # Check the Certificate Revocation List check_crl = yes check_cert_cn = %{User-Name} } peap { default_eap_type = mschapv2 copy_request_to_tunnel = yes #use_tunneled_reply = no # proxy_tunneled_request_as_eap = yes } mschapv2 { } } I have a EAP-TLS configuration but I suppose that it isn't a problem. The radiusd.conf file has: mschap { authtype = MS-CHAP ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" } authorize { preprocess mschap suffix #eap files } authenticate { Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } Auth-Type LDAP { ldap } #eap } I don't know if I have to insert in the authorize and authenticate module eap. Whitout it I have this log: Ready to process requests. rad_recv: Access-Request packet from host 192.168.20.4:1645, id=93, length=180 User-Name = "create-net\\antonio" Framed-MTU = 1400 Called-Station-Id = "0012.dacb.8420" Calling-Station-Id = "000c.f135.f1ba" Cisco-AVPair = "ssid=cn-test" Service-Type = Login-User Message-Authenticator = 0x2f697be434714d8586f8cc481b01874f EAP-Message = 0x02010017016372656174652d6e65745c616e746f6e696f NAS-Port-Type = Wireless-802.11 Cisco-NAS-Port = "291" NAS-Port = 291 NAS-IP-Address = 192.168.20.4 NAS-Identifier = "ap" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "create-net\antonio", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 modcall[authorize]: module "files" returns notfound for request 0 modcall: leaving group authorize (returns ok) for request 0 auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user auth: Failed to validate the user. Login incorrect: [create-net\\antonio/<no User-Password attribute>] (from client ap-test-ivan port 291 cli 000c.f135.f1ba) Delaying request 0 for 1 seconds Finished request 0 and with eap I have: Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /usr/local/etc/raddb/proxy.conf Config: including file: /usr/local/etc/raddb/clients.conf Config: including file: /usr/local/etc/raddb/snmp.conf Config: including file: /usr/local/etc/raddb/eap.conf Config: including file: /usr/local/etc/raddb/sql.conf main: prefix = "/usr/local" main: localstatedir = "/usr/local/var" main: logdir = "/usr/local/var/log/radius" main: libdir = "/usr/local/lib" main: radacctdir = "/usr/local/var/log/radius/radacct" main: hostname_lookups = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 1812 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = "/usr/local/var/log/radius/radius.log" main: log_auth = yes main: log_auth_badpass = yes main: log_auth_goodpass = yes main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid" main: bind_address = 192.168.20.2 IP address [192.168.20.2] main: user = "(null)" main: group = "(null)" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/local/sbin/checkrad" main: proxy_requests = no proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = no proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = yes main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/local/lib Module: Loaded exec exec: wait = yes exec: program = "(null)" exec: input_pairs = "request" exec: output_pairs = "(null)" exec: packet_type = "(null)" rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = yes mschap: require_strong = yes mschap: with_ntdomain_hack = yes mschap: passwd = "(null)" mschap: authtype = "MS-CHAP" mschap: ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" Module: Instantiated mschap (mschap) Module: Loaded LDAP ldap: server = "localhost" ldap: port = 389 ldap: net_timeout = 1 ldap: timeout = 4 ldap: timelimit = 3 ldap: identity = "" ldap: tls_mode = no ldap: start_tls = no ldap: tls_cacertfile = "(null)" ldap: tls_cacertdir = "(null)" ldap: tls_certfile = "(null)" ldap: tls_keyfile = "(null)" ldap: tls_randfile = "(null)" ldap: tls_require_cert = "allow" ldap: password = "" ldap: basedn = "dc=create-net,dc=org" ldap: filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" ldap: base_filter = "(objectclass=radiusprofile)" ldap: default_profile = "(null)" ldap: profile_attribute = "(null)" ldap: password_header = "(null)" ldap: password_attribute = "userPassword" ldap: access_attr = "(null)" ldap: groupname_attribute = "cn" ldap: groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" ldap: groupmembership_attribute = "(null)" ldap: dictionary_mapping = "/usr/local/etc/raddb/ldap.attrmap" ldap: ldap_debug = 0 ldap: ldap_connections_number = 5 ldap: compare_check_items = no ldap: access_attr_used_for_allow = yes ldap: do_xlat = yes ldap: set_auth_type = yes rlm_ldap: Registering ldap_groupcmp for Ldap-Group rlm_ldap: Registering ldap_xlat with xlat_name ldap rlm_ldap: reading ldap<->radius mappings from file /usr/local/etc/raddb/ldap.attrmap rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network rlm_ldap: LDAP radiusClass mapped to RADIUS Class rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message conns: 0x8e63138 Module: Instantiated ldap (ldap) Module: Loaded eap eap: default_eap_type = "tls" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap gtc: challenge = "Password: " gtc: auth_type = "PAP" rlm_eap: Loaded and initialized type gtc tls: rsa_key_exchange = no tls: dh_key_exchange = yes tls: rsa_key_length = 512 tls: dh_key_length = 512 tls: verify_depth = 0 tls: CA_path = "/usr/local/etc/raddb/certs/masterkeys2/" tls: pem_file_type = yes tls: private_key_file = "/usr/local/etc/raddb/certs/masterkeys2/cert-srv.pem" tls: certificate_file = "/usr/local/etc/raddb/certs/masterkeys2/cert-srv.pem" tls: CA_file = "/usr/local/etc/raddb/certs/masterkeys2/root.pem" tls: private_key_password = "whatever" tls: dh_file = "/usr/local/etc/raddb/certs/dh" tls: random_file = "/usr/local/etc/raddb/certs/random" tls: fragment_size = 1024 tls: include_length = yes tls: check_crl = yes tls: check_cert_cn = "%{User-Name}" rlm_eap_tls: Loading the certificate file as a chain rlm_eap: Loaded and initialized type tls peap: default_eap_type = "mschapv2" peap: copy_request_to_tunnel = yes peap: use_tunneled_reply = no peap: proxy_tunneled_request_as_eap = yes rlm_eap: Loaded and initialized type peap mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups" preprocess: hints = "/usr/local/etc/raddb/hints" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = yes Module: Instantiated preprocess (preprocess) Module: Loaded realm realm: format = "suffix" realm: delimiter = "@" realm: ignore_default = no realm: ignore_null = no Module: Instantiated realm (suffix) Module: Loaded files files: usersfile = "/usr/local/etc/raddb/users" files: acctusersfile = "/usr/local/etc/raddb/acct_users" files: preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users" files: compat = "no" Module: Instantiated files (files) Module: Loaded Acct-Unique-Session-Id acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" Module: Instantiated acct_unique (acct_unique) Module: Loaded detail detail: detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (detail) Module: Loaded System unix: cache = no unix: passwd = "(null)" unix: shadow = "/etc/shadow" unix: group = "(null)" unix: radwtmp = "/usr/local/var/log/radius/radwtmp" unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded radutmp radutmp: filename = "/usr/local/var/log/radius/radutmp" radutmp: username = "%{User-Name}" radutmp: case_sensitive = yes radutmp: check_with_nas = yes radutmp: perm = 384 radutmp: callerid = yes Module: Instantiated radutmp (radutmp) Listening on authentication 192.168.20.2:1812 Listening on accounting 192.168.20.2:1813 Ready to process requests. rad_recv: Access-Request packet from host 192.168.20.4:1645, id=45, length=180 User-Name = "create-net\\antonio" Framed-MTU = 1400 Called-Station-Id = "0012.dacb.8420" Calling-Station-Id = "000c.f135.f1ba" Cisco-AVPair = "ssid=cn-test" Service-Type = Login-User Message-Authenticator = 0x013d2a6afd29bd2556daee278fe075b4 EAP-Message = 0x02010017016372656174652d6e65745c616e746f6e696f NAS-Port-Type = Wireless-802.11 Cisco-NAS-Port = "267" NAS-Port = 267 NAS-IP-Address = 192.168.20.4 NAS-Identifier = "ap" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "create-net\antonio", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 modcall[authorize]: module "files" returns notfound for request 0 modcall: leaving group authorize (returns ok) for request 0 auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user auth: Failed to validate the user. Login incorrect: [create-net\\antonio/<no User-Password attribute>] (from client ap-test-ivan port 267 cli 000c.f135.f1ba) Delaying request 0 for 1 seconds Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 45 to 192.168.20.4 port 1645 Waking up in 4 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 45 with timestamp 446198f5 Nothing to do. Sleeping until we see a request. Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /usr/local/etc/raddb/proxy.conf Config: including file: /usr/local/etc/raddb/clients.conf Config: including file: /usr/local/etc/raddb/snmp.conf Config: including file: /usr/local/etc/raddb/eap.conf Config: including file: /usr/local/etc/raddb/sql.conf main: prefix = "/usr/local" main: localstatedir = "/usr/local/var" main: logdir = "/usr/local/var/log/radius" main: libdir = "/usr/local/lib" main: radacctdir = "/usr/local/var/log/radius/radacct" main: hostname_lookups = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 1812 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = "/usr/local/var/log/radius/radius.log" main: log_auth = yes main: log_auth_badpass = yes main: log_auth_goodpass = yes main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid" main: bind_address = 192.168.20.2 IP address [192.168.20.2] main: user = "(null)" main: group = "(null)" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/local/sbin/checkrad" main: proxy_requests = no proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = no proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = yes main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/local/lib Module: Loaded exec exec: wait = yes exec: program = "(null)" exec: input_pairs = "request" exec: output_pairs = "(null)" exec: packet_type = "(null)" rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = no mschap: require_strong = no mschap: with_ntdomain_hack = yes mschap: passwd = "(null)" mschap: authtype = "MS-CHAP" mschap: ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" Module: Instantiated mschap (mschap) Module: Loaded preprocess preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups" preprocess: hints = "/usr/local/etc/raddb/hints" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = yes Module: Instantiated preprocess (preprocess) Module: Loaded realm realm: format = "suffix" realm: delimiter = "@" realm: ignore_default = no realm: ignore_null = no Module: Instantiated realm (suffix) Module: Loaded eap eap: default_eap_type = "tls" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap gtc: challenge = "Password: " gtc: auth_type = "PAP" rlm_eap: Loaded and initialized type gtc tls: rsa_key_exchange = no tls: dh_key_exchange = yes tls: rsa_key_length = 512 tls: dh_key_length = 512 tls: verify_depth = 0 tls: CA_path = "/usr/local/etc/raddb/certs/masterkeys2/" tls: pem_file_type = yes tls: private_key_file = "/usr/local/etc/raddb/certs/masterkeys2/cert-srv.pem" tls: certificate_file = "/usr/local/etc/raddb/certs/masterkeys2/cert-srv.pem" tls: CA_file = "/usr/local/etc/raddb/certs/masterkeys2/root.pem" tls: private_key_password = "whatever" tls: dh_file = "/usr/local/etc/raddb/certs/dh" tls: random_file = "/usr/local/etc/raddb/certs/random" tls: fragment_size = 1024 tls: include_length = yes tls: check_crl = yes tls: check_cert_cn = "%{User-Name}" rlm_eap_tls: Loading the certificate file as a chain rlm_eap: Loaded and initialized type tls peap: default_eap_type = "mschapv2" peap: copy_request_to_tunnel = yes peap: use_tunneled_reply = no peap: proxy_tunneled_request_as_eap = yes rlm_eap: Loaded and initialized type peap mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded files files: usersfile = "/usr/local/etc/raddb/users" files: acctusersfile = "/usr/local/etc/raddb/acct_users" files: preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users" files: compat = "no" Module: Instantiated files (files) Module: Loaded Acct-Unique-Session-Id acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" Module: Instantiated acct_unique (acct_unique) Module: Loaded detail detail: detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (detail) Module: Loaded System unix: cache = no unix: passwd = "(null)" unix: shadow = "/etc/shadow" unix: group = "(null)" unix: radwtmp = "/usr/local/var/log/radius/radwtmp" unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded radutmp radutmp: filename = "/usr/local/var/log/radius/radutmp" radutmp: username = "%{User-Name}" radutmp: case_sensitive = yes radutmp: check_with_nas = yes radutmp: perm = 384 radutmp: callerid = yes Module: Instantiated radutmp (radutmp) Listening on authentication 192.168.20.2:1812 Listening on accounting 192.168.20.2:1813 Ready to process requests. rad_recv: Access-Request packet from host 192.168.20.4:1645, id=85, length=180 User-Name = "create-net\\antonio" Framed-MTU = 1400 Called-Station-Id = "0012.dacb.8420" Calling-Station-Id = "000c.f135.f1ba" Cisco-AVPair = "ssid=cn-test" Service-Type = Login-User Message-Authenticator = 0xdd3a1e5aaa36d303e7009f7e1f2da8d7 EAP-Message = 0x02010017016372656174652d6e65745c616e746f6e696f NAS-Port-Type = Wireless-802.11 Cisco-NAS-Port = "283" NAS-Port = 283 NAS-IP-Address = 192.168.20.4 NAS-Identifier = "ap" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "create-net\antonio", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: EAP packet type response id 1 length 23 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 modcall[authorize]: module "files" returns notfound for request 0 modcall: leaving group authorize (returns updated) for request 0 rad_check_password: Found Auth-Type EAP auth: type "EAP" ERROR: Unknown value specified for Auth-Type. Cannot perform requested action. auth: Failed to validate the user. Login incorrect: [create-net\\antonio/<no User-Password attribute>] (from client ap-test-ivan port 283 cli 000c.f135.f1ba) Delaying request 0 for 1 seconds Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... rad_recv: Access-Request packet from host 192.168.20.4:1645, id=86, length=180 User-Name = "create-net\\antonio" Framed-MTU = 1400 Called-Station-Id = "0012.dacb.8420" Calling-Station-Id = "000c.f135.f1ba" Cisco-AVPair = "ssid=cn-test" Service-Type = Login-User Message-Authenticator = 0x63937b177de95f58fc530d735cd24806 EAP-Message = 0x02010017016372656174652d6e65745c616e746f6e696f NAS-Port-Type = Wireless-802.11 Cisco-NAS-Port = "284" NAS-Port = 284 NAS-IP-Address = 192.168.20.4 NAS-Identifier = "ap" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module "preprocess" returns ok for request 1 modcall[authorize]: module "mschap" returns noop for request 1 rlm_realm: No '@' in User-Name = "create-net\antonio", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 1 rlm_eap: EAP packet type response id 1 length 23 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 1 modcall[authorize]: module "files" returns notfound for request 1 modcall: leaving group authorize (returns updated) for request 1 rad_check_password: Found Auth-Type EAP auth: type "EAP" ERROR: Unknown value specified for Auth-Type. Cannot perform requested action. auth: Failed to validate the user. Login incorrect: [create-net\\antonio/<no User-Password attribute>] (from client ap-test-ivan port 284 cli 000c.f135.f1ba) Delaying request 1 for 1 seconds Finished request 1 Going to the next request Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 85 to 192.168.20.4 port 1645 Sending Access-Reject of id 86 to 192.168.20.4 port 1645 Waking up in 4 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 85 with timestamp 44619a3e Cleaning up request 1 ID 86 with timestamp 44619a3e Nothing to do. Sleeping until we see a request. Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /usr/local/etc/raddb/proxy.conf Config: including file: /usr/local/etc/raddb/clients.conf Config: including file: /usr/local/etc/raddb/snmp.conf Config: including file: /usr/local/etc/raddb/eap.conf Config: including file: /usr/local/etc/raddb/sql.conf main: prefix = "/usr/local" main: localstatedir = "/usr/local/var" main: logdir = "/usr/local/var/log/radius" main: libdir = "/usr/local/lib" main: radacctdir = "/usr/local/var/log/radius/radacct" main: hostname_lookups = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 1812 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = "/usr/local/var/log/radius/radius.log" main: log_auth = yes main: log_auth_badpass = yes main: log_auth_goodpass = yes main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid" main: bind_address = 192.168.20.2 IP address [192.168.20.2] main: user = "(null)" main: group = "(null)" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/local/sbin/checkrad" main: proxy_requests = no proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = no proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = yes main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/local/lib Module: Loaded exec exec: wait = yes exec: program = "(null)" exec: input_pairs = "request" exec: output_pairs = "(null)" exec: packet_type = "(null)" rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = no mschap: require_strong = no mschap: with_ntdomain_hack = yes mschap: passwd = "(null)" mschap: authtype = "MS-CHAP" mschap: ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" Module: Instantiated mschap (mschap) Module: Loaded eap eap: default_eap_type = "tls" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap gtc: challenge = "Password: " gtc: auth_type = "PAP" rlm_eap: Loaded and initialized type gtc tls: rsa_key_exchange = no tls: dh_key_exchange = yes tls: rsa_key_length = 512 tls: dh_key_length = 512 tls: verify_depth = 0 tls: CA_path = "/usr/local/etc/raddb/certs/masterkeys2/" tls: pem_file_type = yes tls: private_key_file = "/usr/local/etc/raddb/certs/masterkeys2/cert-srv.pem" tls: certificate_file = "/usr/local/etc/raddb/certs/masterkeys2/cert-srv.pem" tls: CA_file = "/usr/local/etc/raddb/certs/masterkeys2/root.pem" tls: private_key_password = "whatever" tls: dh_file = "/usr/local/etc/raddb/certs/dh" tls: random_file = "/usr/local/etc/raddb/certs/random" tls: fragment_size = 1024 tls: include_length = yes tls: check_crl = yes tls: check_cert_cn = "%{User-Name}" rlm_eap_tls: Loading the certificate file as a chain rlm_eap: Loaded and initialized type tls peap: default_eap_type = "mschapv2" peap: copy_request_to_tunnel = yes peap: use_tunneled_reply = no peap: proxy_tunneled_request_as_eap = yes rlm_eap: Loaded and initialized type peap mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups" preprocess: hints = "/usr/local/etc/raddb/hints" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = yes Module: Instantiated preprocess (preprocess) Module: Loaded realm realm: format = "suffix" realm: delimiter = "@" realm: ignore_default = no realm: ignore_null = no Module: Instantiated realm (suffix) Module: Loaded files files: usersfile = "/usr/local/etc/raddb/users" files: acctusersfile = "/usr/local/etc/raddb/acct_users" files: preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users" files: compat = "no" Module: Instantiated files (files) Module: Loaded Acct-Unique-Session-Id acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" Module: Instantiated acct_unique (acct_unique) Module: Loaded detail detail: detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (detail) Module: Loaded System unix: cache = no unix: passwd = "(null)" unix: shadow = "/etc/shadow" unix: group = "(null)" unix: radwtmp = "/usr/local/var/log/radius/radwtmp" unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded radutmp radutmp: filename = "/usr/local/var/log/radius/radutmp" radutmp: username = "%{User-Name}" radutmp: case_sensitive = yes radutmp: check_with_nas = yes radutmp: perm = 384 radutmp: callerid = yes Module: Instantiated radutmp (radutmp) Listening on authentication 192.168.20.2:1812 Listening on accounting 192.168.20.2:1813 Ready to process requests. rad_recv: Access-Request packet from host 192.168.20.4:1645, id=116, length=180 User-Name = "create-net\\antonio" Framed-MTU = 1400 Called-Station-Id = "0012.dacb.8420" Calling-Station-Id = "000c.f135.f1ba" Cisco-AVPair = "ssid=cn-test" Service-Type = Login-User Message-Authenticator = 0x4689ca731f1671fe47b9e772ba963b3b EAP-Message = 0x02010017016372656174652d6e65745c616e746f6e696f NAS-Port-Type = Wireless-802.11 Cisco-NAS-Port = "298" NAS-Port = 298 NAS-IP-Address = 192.168.20.4 NAS-Identifier = "ap" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "create-net\antonio", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: EAP packet type response id 1 length 23 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 modcall[authorize]: module "files" returns notfound for request 0 modcall: leaving group authorize (returns updated) for request 0 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Requiring client certificate rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 0 modcall: leaving group authenticate (returns handled) for request 0 Sending Access-Challenge of id 116 to 192.168.20.4 port 1645 EAP-Message = 0x010200060d20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x7078d497654015d4e9ffac34c1f69dba Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.20.4:1645, id=117, length=181 User-Name = "create-net\\antonio" Framed-MTU = 1400 Called-Station-Id = "0012.dacb.8420" Calling-Station-Id = "000c.f135.f1ba" Cisco-AVPair = "ssid=cn-test" Service-Type = Login-User Message-Authenticator = 0x67d07687e13a023149efa9d5209569f7 EAP-Message = 0x020200060319 NAS-Port-Type = Wireless-802.11 Cisco-NAS-Port = "298" NAS-Port = 298 State = 0x7078d497654015d4e9ffac34c1f69dba NAS-IP-Address = 192.168.20.4 NAS-Identifier = "ap" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module "preprocess" returns ok for request 1 modcall[authorize]: module "mschap" returns noop for request 1 rlm_realm: No '@' in User-Name = "create-net\antonio", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 1 rlm_eap: EAP packet type response id 2 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 1 modcall[authorize]: module "files" returns notfound for request 1 modcall: leaving group authorize (returns updated) for request 1 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 1 rlm_eap: Request found, released from the list rlm_eap: EAP NAK rlm_eap: EAP-NAK asked for EAP-Type/peap rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 1 modcall: leaving group authenticate (returns handled) for request 1 Sending Access-Challenge of id 117 to 192.168.20.4 port 1645 EAP-Message = 0x010300061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x214439adc1f5064d306391aa74819e33 Finished request 1 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.20.4:1645, id=118, length=281 User-Name = "create-net\\antonio" Framed-MTU = 1400 Called-Station-Id = "0012.dacb.8420" Calling-Station-Id = "000c.f135.f1ba" Cisco-AVPair = "ssid=cn-test" Service-Type = Login-User Message-Authenticator = 0x3a743361e356903d37d8a39d97abf926 EAP-Message = 0x0203006a198000000060160301005b01000057030144619b897b6ae039294c3a2335211479a1c27d2d9ed2b81220b04ffd33e89ad100003000390038003500160013000a00330032002f0066000500040065006400630062006000150012000900140011000800030100 NAS-Port-Type = Wireless-802.11 Cisco-NAS-Port = "298" NAS-Port = 298 State = 0x214439adc1f5064d306391aa74819e33 NAS-IP-Address = 192.168.20.4 NAS-Identifier = "ap" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 2 modcall[authorize]: module "preprocess" returns ok for request 2 modcall[authorize]: module "mschap" returns noop for request 2 rlm_realm: No '@' in User-Name = "create-net\antonio", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 2 rlm_eap: EAP packet type response id 3 length 106 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 2 modcall[authorize]: module "files" returns notfound for request 2 modcall: leaving group authorize (returns updated) for request 2 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 2 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 005b], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0673], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone TLS_accept: SSLv3 write server done A TLS_accept: SSLv3 flush data TLS_accept:error in SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 2 modcall: leaving group authenticate (returns handled) for request 2 Sending Access-Challenge of id 118 to 192.168.20.4 port 1645 EAP-Message = 0x0104040a19c0000006d0160301004a02000046030144619b6ab0457599907bd0dfbdff0a0df822e2b23393a73181d9d8ca10968a3120e94aa539ca0a5176b10d0e535d7edfb5651373eb94b935018ba68f15f97906fc00350016030106730b00066f00066c0002bd308202b930820222a003020102020101300d06092a864886f70d0101050500308194310b3009060355040613024954310e300c060355040813054974616c79310f300d060355040713065472656e746f31133011060355040a130a4352454154452d4e455431133011060355040b130a4352454154452d4e4554310d300b06035504031304524f4f54312b302906092a864886f70d EAP-Message = 0x010901161c616e746f6e696f2e6d6174657261406372656174652d6e65742e6974301e170d3036303331353135313230345a170d3037303331353135313230345a308196310b3009060355040613024954310e300c060355040813054974616c79310f300d060355040713065472656e746f31133011060355040a130a4352454154452d4e455431133011060355040b130a4352454154452d4e4554310f300d06035504031306534552564552312b302906092a864886f70d010901161c616e746f6e696f2e6d6174657261406372656174652d6e65742e697430819f300d06092a864886f70d010101050003818d0030818902818100e81d9a2a8804 EAP-Message = 0x4b630c0153075c2a1dc066c99392cc5af660adbbad91ef4eeff866c5f20fa2c5fb7965a3c12b674f90f04985eab710cd97852b1ce3e08f04aa06d4717254338f62a05d6344c311578a02f9fae0aca2aa336ed9121874c86c1124fd4a7f8832b652be20f2c3ad20951e1099300f4d6c27a695aeb757501c36383d0203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d01010505000381810026e9f99eee1bd9d0a221d725e9dad88ad2b9d1385db136076fda84de1ccfc1e2a5a3fa237fd9c88c4fb98267dd827f96418a007782246380e2c488310eb1df77e5fda4b05143777dcd627fe6f6a948be43e0 EAP-Message = 0x377fa815cd412cb80b442714852fe94cb9aae46c08f2e84cc7092bdf887d069e2ab1fd2cf56c9332b87e83990d670003a9308203a53082030ea003020102020900d6c51af184c17a13300d06092a864886f70d0101050500308194310b3009060355040613024954310e300c060355040813054974616c79310f300d060355040713065472656e746f31133011060355040a130a4352454154452d4e455431133011060355040b130a4352454154452d4e4554310d300b06035504031304524f4f54312b302906092a864886f70d010901161c616e746f6e696f2e6d6174657261406372656174652d6e65742e6974301e170d30363033313531353130 EAP-Message = 0x30305a170d3038303331343135313030305a30819431 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xcdade1c297ef345ee14a30af41907d95 Finished request 2 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.20.4:1645, id=119, length=181 User-Name = "create-net\\antonio" Framed-MTU = 1400 Called-Station-Id = "0012.dacb.8420" Calling-Station-Id = "000c.f135.f1ba" Cisco-AVPair = "ssid=cn-test" Service-Type = Login-User Message-Authenticator = 0xc81faebb51a4b05feb72e6f30de54232 EAP-Message = 0x020400061900 NAS-Port-Type = Wireless-802.11 Cisco-NAS-Port = "298" NAS-Port = 298 State = 0xcdade1c297ef345ee14a30af41907d95 NAS-IP-Address = 192.168.20.4 NAS-Identifier = "ap" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 3 modcall[authorize]: module "preprocess" returns ok for request 3 modcall[authorize]: module "mschap" returns noop for request 3 rlm_realm: No '@' in User-Name = "create-net\antonio", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 3 rlm_eap: EAP packet type response id 4 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 3 modcall[authorize]: module "files" returns notfound for request 3 modcall: leaving group authorize (returns updated) for request 3 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 3 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 3 modcall: leaving group authenticate (returns handled) for request 3 Sending Access-Challenge of id 119 to 192.168.20.4 port 1645 EAP-Message = 0x010502d619000b3009060355040613024954310e300c060355040813054974616c79310f300d060355040713065472656e746f31133011060355040a130a4352454154452d4e455431133011060355040b130a4352454154452d4e4554310d300b06035504031304524f4f54312b302906092a864886f70d010901161c616e746f6e696f2e6d6174657261406372656174652d6e65742e697430819f300d06092a864886f70d010101050003818d0030818902818100b9d2e4970beba1cac75125d76679fcede5da675985ae70ca7a7414cca08fa27f7de577e293ad03a5217d3d5c8f48a3d39ed4579e38ac4e7fbf650f80d3b80253683e15948edebf EAP-Message = 0x789e3379e90e8eb5690af994d98cc6d4e702e96db90bbb1bfc642b2ddbdd026812efdcd22664bf27ae6b5cd56737db61cf5b22c2eaa415ce0b0203010001a381fc3081f9301d0603551d0e04160414f877a449a82f70e28ff7d3238ed22fca5f76d7b43081c90603551d230481c13081be8014f877a449a82f70e28ff7d3238ed22fca5f76d7b4a1819aa48197308194310b3009060355040613024954310e300c060355040813054974616c79310f300d060355040713065472656e746f31133011060355040a130a4352454154452d4e455431133011060355040b130a4352454154452d4e4554310d300b06035504031304524f4f54312b30290609 EAP-Message = 0x2a864886f70d010901161c616e746f6e696f2e6d6174657261406372656174652d6e65742e6974820900d6c51af184c17a13300c0603551d13040530030101ff300d06092a864886f70d0101050500038181009afe6349178f51966293fa52eafafe825e9441722f5f86ebb1e995589569640a40f04f3c969ea63173a875d9f055a0b19dc2c463a1c5de3a447dc04f369d5fb56fdff6bca5ef16e785a46f3646e062ac0c7cacc7cbfd163ccbb314bc66e8bbc68ac6d594e47d0cd76d66aec45508952892553bbe957973f8e6c5ac901f86881b16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd1b33ebf766f32bd02ac1218c6ab0773 Finished request 3 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.20.4:1645, id=120, length=383 User-Name = "create-net\\antonio" Framed-MTU = 1400 Called-Station-Id = "0012.dacb.8420" Calling-Station-Id = "000c.f135.f1ba" Cisco-AVPair = "ssid=cn-test" Service-Type = Login-User Message-Authenticator = 0x09b15accb2d5990b246e768358f7c62f EAP-Message = 0x020500d01980000000c6160301008610000082008011c4672df05a1702efe782790a045aa376013e71a9bf0e35f33bc5c4e4e5c2ea8fd014f588a822d0628db20071571b4940ddf8ab60b5dc837b111a12dbbf51ad8d1c173b0fa3c928c6364496abe68b4f57948ec2187c9f5492dc752115bf1756bd97ed1105e4f9d4e4fddfa597003a4a54134ff46d88b5cb6a8088b68eb322bc1403010001011603010030bbd76fd1e8317c2d8da5de1e73dbd24aabfb92fc2f5abd33d1f542a0b2a47e91e91e4e1ac4bb838e368a9a7397fe7edf NAS-Port-Type = Wireless-802.11 Cisco-NAS-Port = "298" NAS-Port = 298 State = 0xd1b33ebf766f32bd02ac1218c6ab0773 NAS-IP-Address = 192.168.20.4 NAS-Identifier = "ap" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 4 modcall[authorize]: module "preprocess" returns ok for request 4 modcall[authorize]: module "mschap" returns noop for request 4 rlm_realm: No '@' in User-Name = "create-net\antonio", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 4 rlm_eap: EAP packet type response id 5 length 208 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 4 modcall[authorize]: module "files" returns notfound for request 4 modcall: leaving group authorize (returns updated) for request 4 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 4 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange TLS_accept: SSLv3 read client key exchange A rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001] rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 read finished A rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001] TLS_accept: SSLv3 write change cipher spec A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 write finished A TLS_accept: SSLv3 flush data (other): SSL negotiation finished successfully SSL Connection Established eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 4 modcall: leaving group authenticate (returns handled) for request 4 Sending Access-Challenge of id 120 to 192.168.20.4 port 1645 EAP-Message = 0x01060041190014030100010116030100301c68c162410a59004fc3222c41efc32b11ab9c2d2f37ca2ec06a92265d2c69191d2136aa5059ff8ae838241bc84f795b Message-Authenticator = 0x00000000000000000000000000000000 State = 0x794f9dc43c91b1671a730e2975cdd639 Finished request 4 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.20.4:1645, id=121, length=181 User-Name = "create-net\\antonio" Framed-MTU = 1400 Called-Station-Id = "0012.dacb.8420" Calling-Station-Id = "000c.f135.f1ba" Cisco-AVPair = "ssid=cn-test" Service-Type = Login-User Message-Authenticator = 0x2ed02e409d91ef49bc159389d745f9f8 EAP-Message = 0x020600061900 NAS-Port-Type = Wireless-802.11 Cisco-NAS-Port = "298" NAS-Port = 298 State = 0x794f9dc43c91b1671a730e2975cdd639 NAS-IP-Address = 192.168.20.4 NAS-Identifier = "ap" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 5 modcall[authorize]: module "preprocess" returns ok for request 5 modcall[authorize]: module "mschap" returns noop for request 5 rlm_realm: No '@' in User-Name = "create-net\antonio", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 5 rlm_eap: EAP packet type response id 6 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 5 modcall[authorize]: module "files" returns notfound for request 5 modcall: leaving group authorize (returns updated) for request 5 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 5 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake is finished eaptls_verify returned 3 eaptls_process returned 3 rlm_eap_peap: EAPTLS_SUCCESS modcall[authenticate]: module "eap" returns handled for request 5 modcall: leaving group authenticate (returns handled) for request 5 Sending Access-Challenge of id 121 to 192.168.20.4 port 1645 EAP-Message = 0x0107005019001703010020bbd90b904dc723d66d36fd1af4b58c6c65bb025370acf98a7f1af4a0bd93b9e617030100207e05857c1d290580b581c571201394893630a8db7785104f6d4e55f3475fd2b1 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa8d74feb3df35c485dc76d9fb5357ec3 Finished request 5 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.20.4:1645, id=122, length=271 User-Name = "create-net\\antonio" Framed-MTU = 1400 Called-Station-Id = "0012.dacb.8420" Calling-Station-Id = "000c.f135.f1ba" Cisco-AVPair = "ssid=cn-test" Service-Type = Login-User Message-Authenticator = 0xad718ebf13b1257f31d18c5022aff07f EAP-Message = 0x02070060190017030100202129be555177c48c3f5141721ab34827949098e33876273cb5693ff7f446a57a1703010030c7a61433edd0219c0a366026eba728bbe63c5d32943c35fbb4d01072a12959e7893e7c109f2dde239212a7bf41f3af7f NAS-Port-Type = Wireless-802.11 Cisco-NAS-Port = "298" NAS-Port = 298 State = 0xa8d74feb3df35c485dc76d9fb5357ec3 NAS-IP-Address = 192.168.20.4 NAS-Identifier = "ap" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 6 modcall[authorize]: module "preprocess" returns ok for request 6 modcall[authorize]: module "mschap" returns noop for request 6 rlm_realm: No '@' in User-Name = "create-net\antonio", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 6 rlm_eap: EAP packet type response id 7 length 96 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 6 modcall[authorize]: module "files" returns notfound for request 6 modcall: leaving group authorize (returns updated) for request 6 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 6 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Identity - create-net\antonio rlm_eap_peap: Tunneled data is valid. PEAP: Got tunneled identity of create-net\antonio PEAP: Setting default EAP type for tunneled EAP session. PEAP: Setting User-Name to create-net\antonio Processing the authorize section of radiusd.conf modcall: entering group authorize for request 6 modcall[authorize]: module "preprocess" returns ok for request 6 modcall[authorize]: module "mschap" returns noop for request 6 rlm_realm: No '@' in User-Name = "create-net\antonio", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 6 rlm_eap: EAP packet type response id 7 length 23 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 6 modcall[authorize]: module "files" returns notfound for request 6 modcall: leaving group authorize (returns updated) for request 6 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 6 rlm_eap: EAP Identity rlm_eap: processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge modcall[authenticate]: module "eap" returns handled for request 6 modcall: leaving group authenticate (returns handled) for request 6 PEAP: Got tunneled Access-Challenge modcall[authenticate]: module "eap" returns handled for request 6 modcall: leaving group authenticate (returns handled) for request 6 Sending Access-Challenge of id 122 to 192.168.20.4 port 1645 EAP-Message = 0x0108007019001703010020b131c7991eef9cae67c0bae03404fed5be8df806097f0fec54b78cb1a3309af21703010040c1ee99a53bcab8e374839925aadabe538a814e8273c14740fd398b7545ef80f411c1e85e9079c18362cf4293464db334d17a9fa0dba80cdaa1518c91a441a6df Message-Authenticator = 0x00000000000000000000000000000000 State = 0x75b845e17e1fcb6b158bd81702b47466 Finished request 6 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.20.4:1645, id=123, length=180 User-Name = "create-net\\antonio" Framed-MTU = 1400 Called-Station-Id = "0012.dacb.8420" Calling-Station-Id = "000c.f135.f1ba" Cisco-AVPair = "ssid=cn-test" Service-Type = Login-User Message-Authenticator = 0x5635b56a303a83e59e60521981978c54 EAP-Message = 0x02010017016372656174652d6e65745c616e746f6e696f NAS-Port-Type = Wireless-802.11 Cisco-NAS-Port = "299" NAS-Port = 299 NAS-IP-Address = 192.168.20.4 NAS-Identifier = "ap" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 7 modcall[authorize]: module "preprocess" returns ok for request 7 modcall[authorize]: module "mschap" returns noop for request 7 rlm_realm: No '@' in User-Name = "create-net\antonio", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 7 rlm_eap: EAP packet type response id 1 length 23 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 7 modcall[authorize]: module "files" returns notfound for request 7 modcall: leaving group authorize (returns updated) for request 7 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 7 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Requiring client certificate rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 7 modcall: leaving group authenticate (returns handled) for request 7 Sending Access-Challenge of id 123 to 192.168.20.4 port 1645 EAP-Message = 0x010200060d20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x6c79567ac2bbb6c4cc7faf735d77b1d9 Finished request 7 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.20.4:1645, id=124, length=181 User-Name = "create-net\\antonio" Framed-MTU = 1400 Called-Station-Id = "0012.dacb.8420" Calling-Station-Id = "000c.f135.f1ba" Cisco-AVPair = "ssid=cn-test" Service-Type = Login-User Message-Authenticator = 0x2a84b8c8a791aa8589bb7ddbd8ec6f9f EAP-Message = 0x020200060319 NAS-Port-Type = Wireless-802.11 Cisco-NAS-Port = "299" NAS-Port = 299 State = 0x6c79567ac2bbb6c4cc7faf735d77b1d9 NAS-IP-Address = 192.168.20.4 NAS-Identifier = "ap" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 8 modcall[authorize]: module "preprocess" returns ok for request 8 modcall[authorize]: module "mschap" returns noop for request 8 rlm_realm: No '@' in User-Name = "create-net\antonio", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 8 rlm_eap: EAP packet type response id 2 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 8 modcall[authorize]: module "files" returns notfound for request 8 modcall: leaving group authorize (returns updated) for request 8 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 8 rlm_eap: Request found, released from the list rlm_eap: EAP NAK rlm_eap: EAP-NAK asked for EAP-Type/peap rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 8 modcall: leaving group authenticate (returns handled) for request 8 Sending Access-Challenge of id 124 to 192.168.20.4 port 1645 EAP-Message = 0x010300061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x6f00b2c41be51dfe80e655278ffd38f4 Finished request 8 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.20.4:1645, id=125, length=281 User-Name = "create-net\\antonio" Framed-MTU = 1400 Called-Station-Id = "0012.dacb.8420" Calling-Station-Id = "000c.f135.f1ba" Cisco-AVPair = "ssid=cn-test" Service-Type = Login-User Message-Authenticator = 0x8996c98463dcc86342f01ea0d24a6e7d EAP-Message = 0x0203006a198000000060160301005b01000057030144619b89eb4b209dee29c3968727bf23ff7d96e1332df693ca83f4de07d6681900003000390038003500160013000a00330032002f0066000500040065006400630062006000150012000900140011000800030100 NAS-Port-Type = Wireless-802.11 Cisco-NAS-Port = "299" NAS-Port = 299 State = 0x6f00b2c41be51dfe80e655278ffd38f4 NAS-IP-Address = 192.168.20.4 NAS-Identifier = "ap" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 9 modcall[authorize]: module "preprocess" returns ok for request 9 modcall[authorize]: module "mschap" returns noop for request 9 rlm_realm: No '@' in User-Name = "create-net\antonio", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 9 rlm_eap: EAP packet type response id 3 length 106 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 9 modcall[authorize]: module "files" returns notfound for request 9 modcall: leaving group authorize (returns updated) for request 9 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 9 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 005b], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0673], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone TLS_accept: SSLv3 write server done A TLS_accept: SSLv3 flush data TLS_accept:error in SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 9 modcall: leaving group authenticate (returns handled) for request 9 Sending Access-Challenge of id 125 to 192.168.20.4 port 1645 EAP-Message = 0x0104040a19c0000006d0160301004a02000046030144619b6a4b02a7512ba70b82ededf45a470e12e67bcd95dcbe33366b3a8479f02056e4158900eeaae4d8ab9228e74c3f3a88d3711eab4bf4f82a7de25858ba41eb00350016030106730b00066f00066c0002bd308202b930820222a003020102020101300d06092a864886f70d0101050500308194310b3009060355040613024954310e300c060355040813054974616c79310f300d060355040713065472656e746f31133011060355040a130a4352454154452d4e455431133011060355040b130a4352454154452d4e4554310d300b06035504031304524f4f54312b302906092a864886f70d EAP-Message = 0x010901161c616e746f6e696f2e6d6174657261406372656174652d6e65742e6974301e170d3036303331353135313230345a170d3037303331353135313230345a308196310b3009060355040613024954310e300c060355040813054974616c79310f300d060355040713065472656e746f31133011060355040a130a4352454154452d4e455431133011060355040b130a4352454154452d4e4554310f300d06035504031306534552564552312b302906092a864886f70d010901161c616e746f6e696f2e6d6174657261406372656174652d6e65742e697430819f300d06092a864886f70d010101050003818d0030818902818100e81d9a2a8804 EAP-Message = 0x4b630c0153075c2a1dc066c99392cc5af660adbbad91ef4eeff866c5f20fa2c5fb7965a3c12b674f90f04985eab710cd97852b1ce3e08f04aa06d4717254338f62a05d6344c311578a02f9fae0aca2aa336ed9121874c86c1124fd4a7f8832b652be20f2c3ad20951e1099300f4d6c27a695aeb757501c36383d0203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d01010505000381810026e9f99eee1bd9d0a221d725e9dad88ad2b9d1385db136076fda84de1ccfc1e2a5a3fa237fd9c88c4fb98267dd827f96418a007782246380e2c488310eb1df77e5fda4b05143777dcd627fe6f6a948be43e0 EAP-Message = 0x377fa815cd412cb80b442714852fe94cb9aae46c08f2e84cc7092bdf887d069e2ab1fd2cf56c9332b87e83990d670003a9308203a53082030ea003020102020900d6c51af184c17a13300d06092a864886f70d0101050500308194310b3009060355040613024954310e300c060355040813054974616c79310f300d060355040713065472656e746f31133011060355040a130a4352454154452d4e455431133011060355040b130a4352454154452d4e4554310d300b06035504031304524f4f54312b302906092a864886f70d010901161c616e746f6e696f2e6d6174657261406372656174652d6e65742e6974301e170d30363033313531353130 EAP-Message = 0x30305a170d3038303331343135313030305a30819431 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0020158401d472c8bf55c967ad21e856 Finished request 9 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.20.4:1645, id=126, length=181 User-Name = "create-net\\antonio" Framed-MTU = 1400 Called-Station-Id = "0012.dacb.8420" Calling-Station-Id = "000c.f135.f1ba" Cisco-AVPair = "ssid=cn-test" Service-Type = Login-User Message-Authenticator = 0x39ad505b2b5565d68799b3661a00690e EAP-Message = 0x020400061900 NAS-Port-Type = Wireless-802.11 Cisco-NAS-Port = "299" NAS-Port = 299 State = 0x0020158401d472c8bf55c967ad21e856 NAS-IP-Address = 192.168.20.4 NAS-Identifier = "ap" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 10 modcall[authorize]: module "preprocess" returns ok for request 10 modcall[authorize]: module "mschap" returns noop for request 10 rlm_realm: No '@' in User-Name = "create-net\antonio", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 10 rlm_eap: EAP packet type response id 4 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 10 modcall[authorize]: module "files" returns notfound for request 10 modcall: leaving group authorize (returns updated) for request 10 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 10 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 10 modcall: leaving group authenticate (returns handled) for request 10 Sending Access-Challenge of id 126 to 192.168.20.4 port 1645 EAP-Message = 0x010502d619000b3009060355040613024954310e300c060355040813054974616c79310f300d060355040713065472656e746f31133011060355040a130a4352454154452d4e455431133011060355040b130a4352454154452d4e4554310d300b06035504031304524f4f54312b302906092a864886f70d010901161c616e746f6e696f2e6d6174657261406372656174652d6e65742e697430819f300d06092a864886f70d010101050003818d0030818902818100b9d2e4970beba1cac75125d76679fcede5da675985ae70ca7a7414cca08fa27f7de577e293ad03a5217d3d5c8f48a3d39ed4579e38ac4e7fbf650f80d3b80253683e15948edebf EAP-Message = 0x789e3379e90e8eb5690af994d98cc6d4e702e96db90bbb1bfc642b2ddbdd026812efdcd22664bf27ae6b5cd56737db61cf5b22c2eaa415ce0b0203010001a381fc3081f9301d0603551d0e04160414f877a449a82f70e28ff7d3238ed22fca5f76d7b43081c90603551d230481c13081be8014f877a449a82f70e28ff7d3238ed22fca5f76d7b4a1819aa48197308194310b3009060355040613024954310e300c060355040813054974616c79310f300d060355040713065472656e746f31133011060355040a130a4352454154452d4e455431133011060355040b130a4352454154452d4e4554310d300b06035504031304524f4f54312b30290609 EAP-Message = 0x2a864886f70d010901161c616e746f6e696f2e6d6174657261406372656174652d6e65742e6974820900d6c51af184c17a13300c0603551d13040530030101ff300d06092a864886f70d0101050500038181009afe6349178f51966293fa52eafafe825e9441722f5f86ebb1e995589569640a40f04f3c969ea63173a875d9f055a0b19dc2c463a1c5de3a447dc04f369d5fb56fdff6bca5ef16e785a46f3646e062ac0c7cacc7cbfd163ccbb314bc66e8bbc68ac6d594e47d0cd76d66aec45508952892553bbe957973f8e6c5ac901f86881b16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x6fb344f276334e17c5366c08afd9f1e7 Finished request 10 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.20.4:1645, id=127, length=383 User-Name = "create-net\\antonio" Framed-MTU = 1400 Called-Station-Id = "0012.dacb.8420" Calling-Station-Id = "000c.f135.f1ba" Cisco-AVPair = "ssid=cn-test" Service-Type = Login-User Message-Authenticator = 0x4466cca9dbdd714fa57d213f35b88d17 EAP-Message = 0x020500d01980000000c616030100861000008200809e775e311f66f680ff5091fb907861d20ee14e886af13ca3ec929ad8362962f5a858e0abbdce80c4da61fa91a2a24ea7011e31002caf80f1b808b5758fcb32ebf72808ebfde666677f9ab22e4d4cc6e0219549c2377d8738e68d0ba7b08c1ac915c3a51fd920115852bf11be419c372677bcda9e2b66dbcb2697f1d01891a5f914030100010116030100306eb490fbc5228bb610320535ac44e66fbab19132096b6e1de47d20205b750803b6c9fa5276394c65fd8004a84ba332f9 NAS-Port-Type = Wireless-802.11 Cisco-NAS-Port = "299" NAS-Port = 299 State = 0x6fb344f276334e17c5366c08afd9f1e7 NAS-IP-Address = 192.168.20.4 NAS-Identifier = "ap" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 11 modcall[authorize]: module "preprocess" returns ok for request 11 modcall[authorize]: module "mschap" returns noop for request 11 rlm_realm: No '@' in User-Name = "create-net\antonio", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 11 rlm_eap: EAP packet type response id 5 length 208 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 11 modcall[authorize]: module "files" returns notfound for request 11 modcall: leaving group authorize (returns updated) for request 11 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 11 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange TLS_accept: SSLv3 read client key exchange A rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001] rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 read finished A rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001] TLS_accept: SSLv3 write change cipher spec A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 write finished A TLS_accept: SSLv3 flush data (other): SSL negotiation finished successfully SSL Connection Established eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 11 modcall: leaving group authenticate (returns handled) for request 11 Sending Access-Challenge of id 127 to 192.168.20.4 port 1645 EAP-Message = 0x010600411900140301000101160301003095c113681002b9ebab907a6687261e0bb2ef1ef69552ca17be310c06ec73b907fb2e6454eb09922ba34b384d5fb436f2 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x553761a5a78cfa8b5274698ffadd6a1e Finished request 11 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.20.4:1645, id=128, length=181 User-Name = "create-net\\antonio" Framed-MTU = 1400 Called-Station-Id = "0012.dacb.8420" Calling-Station-Id = "000c.f135.f1ba" Cisco-AVPair = "ssid=cn-test" Service-Type = Login-User Message-Authenticator = 0xa59d5be2c35c3d931e4391f2457867ec EAP-Message = 0x020600061900 NAS-Port-Type = Wireless-802.11 Cisco-NAS-Port = "299" NAS-Port = 299 State = 0x553761a5a78cfa8b5274698ffadd6a1e NAS-IP-Address = 192.168.20.4 NAS-Identifier = "ap" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 12 modcall[authorize]: module "preprocess" returns ok for request 12 modcall[authorize]: module "mschap" returns noop for request 12 rlm_realm: No '@' in User-Name = "create-net\antonio", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 12 rlm_eap: EAP packet type response id 6 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 12 modcall[authorize]: module "files" returns notfound for request 12 modcall: leaving group authorize (returns updated) for request 12 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 12 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake is finished eaptls_verify returned 3 eaptls_process returned 3 rlm_eap_peap: EAPTLS_SUCCESS modcall[authenticate]: module "eap" returns handled for request 12 modcall: leaving group authenticate (returns handled) for request 12 Sending Access-Challenge of id 128 to 192.168.20.4 port 1645 EAP-Message = 0x0107005019001703010020e0bff9b284ec84452a7efb49123ef5db591bed955b9706c0232d7531bf46dc10170301002093712e7c24cd9752530af1f2e3acac9f7a87f926311592daf2cbfbbd9e345699 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd97101c4f9c28ba2350124da55c59ec3 Finished request 12 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.20.4:1645, id=129, length=271 User-Name = "create-net\\antonio" Framed-MTU = 1400 Called-Station-Id = "0012.dacb.8420" Calling-Station-Id = "000c.f135.f1ba" Cisco-AVPair = "ssid=cn-test" Service-Type = Login-User Message-Authenticator = 0x033b89d322ba7fa0a3ad46d470f69119 EAP-Message = 0x0207006019001703010020c11e3555238ee4ad15cc9f6d2c7e57ac822481dbbf6014443a504a599e5edfc7170301003093ce7a947886a076c151050cac65b260f87273a86177b9475d86e5d3493aa0c577ab18a204f09380c2484d7d4a267782 NAS-Port-Type = Wireless-802.11 Cisco-NAS-Port = "299" NAS-Port = 299 State = 0xd97101c4f9c28ba2350124da55c59ec3 NAS-IP-Address = 192.168.20.4 NAS-Identifier = "ap" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 13 modcall[authorize]: module "preprocess" returns ok for request 13 modcall[authorize]: module "mschap" returns noop for request 13 rlm_realm: No '@' in User-Name = "create-net\antonio", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 13 rlm_eap: EAP packet type response id 7 length 96 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 13 modcall[authorize]: module "files" returns notfound for request 13 modcall: leaving group authorize (returns updated) for request 13 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 13 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Identity - create-net\antonio rlm_eap_peap: Tunneled data is valid. PEAP: Got tunneled identity of create-net\antonio PEAP: Setting default EAP type for tunneled EAP session. PEAP: Setting User-Name to create-net\antonio Processing the authorize section of radiusd.conf modcall: entering group authorize for request 13 modcall[authorize]: module "preprocess" returns ok for request 13 modcall[authorize]: module "mschap" returns noop for request 13 rlm_realm: No '@' in User-Name = "create-net\antonio", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 13 rlm_eap: EAP packet type response id 7 length 23 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 13 modcall[authorize]: module "files" returns notfound for request 13 modcall: leaving group authorize (returns updated) for request 13 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 13 rlm_eap: EAP Identity rlm_eap: processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge modcall[authenticate]: module "eap" returns handled for request 13 modcall: leaving group authenticate (returns handled) for request 13 PEAP: Got tunneled Access-Challenge modcall[authenticate]: module "eap" returns handled for request 13 modcall: leaving group authenticate (returns handled) for request 13 Sending Access-Challenge of id 129 to 192.168.20.4 port 1645 EAP-Message = 0x0108007019001703010020c29c4d290cf573a17108c95ff8a439dbd0fffa49d72f2f0b28e2273b0102a6fd1703010040dea801076b9a22410691839215ef52879139b8898ab28457921cc3827c52faf8ddb0cb0e50abc1b5083013c6ea9624c0d11857f52be415423bbcbf7d65f62c6f Message-Authenticator = 0x00000000000000000000000000000000 State = 0x95075d4dcb79ab0ebdacb9728c3494f8 Finished request 13 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.20.4:1645, id=130, length=319 User-Name = "create-net\\antonio" Framed-MTU = 1400 Called-Station-Id = "0012.dacb.8420" Calling-Station-Id = "000c.f135.f1ba" Cisco-AVPair = "ssid=cn-test" Service-Type = Login-User Message-Authenticator = 0x71f9a58ea58241a92054f4a7e8d6c00d EAP-Message = 0x0208009019001703010020594a88c304d09eb0732b89e79ba40b1ee4ecaf0712f342791d3d606c3cb424de17030100601ea441d59af9832c3de109c77fb79c76a1493d909043a3acc1f23445b396e6f25521925847409f203f7c548b29aa9349c88471a6809833e226d9881344051afebd1cc7c1f1e74570529103c2ea9392f3d8a0402811ec5572664e39c2f8c146c1 NAS-Port-Type = Wireless-802.11 Cisco-NAS-Port = "299" NAS-Port = 299 State = 0x95075d4dcb79ab0ebdacb9728c3494f8 NAS-IP-Address = 192.168.20.4 NAS-Identifier = "ap" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 14 modcall[authorize]: module "preprocess" returns ok for request 14 modcall[authorize]: module "mschap" returns noop for request 14 rlm_realm: No '@' in User-Name = "create-net\antonio", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 14 rlm_eap: EAP packet type response id 8 length 144 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 14 modcall[authorize]: module "files" returns notfound for request 14 modcall: leaving group authorize (returns updated) for request 14 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 14 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: EAP type mschapv2 rlm_eap_peap: Tunneled data is valid. PEAP: Setting User-Name to create-net\antonio PEAP: Adding old state with da 5f Processing the authorize section of radiusd.conf modcall: entering group authorize for request 14 modcall[authorize]: module "preprocess" returns ok for request 14 modcall[authorize]: module "mschap" returns noop for request 14 rlm_realm: No '@' in User-Name = "create-net\antonio", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 14 rlm_eap: EAP packet type response id 8 length 77 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 14 modcall[authorize]: module "files" returns notfound for request 14 modcall: leaving group authorize (returns updated) for request 14 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 14 rlm_eap: Request found, released from the list rlm_eap: EAP/mschapv2 rlm_eap: processing type mschapv2 Processing the authenticate section of radiusd.conf modcall: entering group MS-CHAP for request 14 rlm_mschap: No User-Password configured. Cannot create LM-Password. rlm_mschap: No User-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for antonio with NT-Password radius_xlat: Running registered xlat function of module mschap for string 'NT-Domain' radius_xlat: Running registered xlat function of module mschap for string 'User-Name' radius_xlat: Running registered xlat function of module mschap for string 'Challenge' mschap2: 6b radius_xlat: Running registered xlat function of module mschap for string 'NT-Response' radius_xlat: '/usr/bin/ntlm_auth --request-nt-key --domain=create-net --username=antonio --challenge=bede046aa1e50281 --nt-response=d483da3fd5896df961259f08a02a57a8e6d1e5de14c5ac81' Exec-Program: /usr/bin/ntlm_auth --request-nt-key --domain=create-net --username=antonio --challenge=bede046aa1e50281 --nt-response=d483da3fd5896df961259f08a02a57a8e6d1e5de14c5ac81 Exec-Program output: Logon failure (0xc000006d) Exec-Program-Wait: plaintext: Logon failure (0xc000006d) Exec-Program: returned: 1 rlm_mschap: External script failed. rlm_mschap: FAILED: MS-CHAP2-Response is incorrect modcall[authenticate]: module "mschap" returns reject for request 14 modcall: leaving group MS-CHAP (returns reject) for request 14 rlm_eap: Freeing handler modcall[authenticate]: module "eap" returns reject for request 14 modcall: leaving group authenticate (returns reject) for request 14 auth: Failed to validate the user. Login incorrect: [create-net\\antonio/<no User-Password attribute>] (from client cn-radius port 299 cli 000c.f135.f1ba) PEAP: Tunneled authentication was rejected. rlm_eap_peap: FAILURE modcall[authenticate]: module "eap" returns handled for request 14 modcall: leaving group authenticate (returns handled) for request 14 Sending Access-Challenge of id 130 to 192.168.20.4 port 1645 EAP-Message = 0x010900501900170301002017a8c7804c669134ce5470ff557afd425785018a89d3ae565641ae49bef6202d1703010020831e156b1ccfdea1032f92c0db9352fb820d192298c99780d36351a961d6462c Message-Authenticator = 0x00000000000000000000000000000000 State = 0xcd8399f25420353544f29a1769a77b43 Finished request 14 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.20.4:1645, id=131, length=255 User-Name = "create-net\\antonio" Framed-MTU = 1400 Called-Station-Id = "0012.dacb.8420" Calling-Station-Id = "000c.f135.f1ba" Cisco-AVPair = "ssid=cn-test" Service-Type = Login-User Message-Authenticator = 0x23d6eafb525a98891ed7910a6ec48442 EAP-Message = 0x02090050190017030100209210f7668d2920dbf89af8cd2c06ca059afa741dc2e78e21c8a0233501bcf4bf170301002090034080f6f9c21882ca088401957fdfc84942b8ca82179176efc2eb1e0f4f96 NAS-Port-Type = Wireless-802.11 Cisco-NAS-Port = "299" NAS-Port = 299 State = 0xcd8399f25420353544f29a1769a77b43 NAS-IP-Address = 192.168.20.4 NAS-Identifier = "ap" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 15 modcall[authorize]: module "preprocess" returns ok for request 15 modcall[authorize]: module "mschap" returns noop for request 15 rlm_realm: No '@' in User-Name = "create-net\antonio", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 15 rlm_eap: EAP packet type response id 9 length 80 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 15 modcall[authorize]: module "files" returns notfound for request 15 modcall: leaving group authorize (returns updated) for request 15 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 15 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Received EAP-TLV response. rlm_eap_peap: Tunneled data is valid. rlm_eap_peap: Had sent TLV failure. User was rejcted rejected earlier in this session. rlm_eap: Handler failed in EAP/peap rlm_eap: Failed in EAP select modcall[authenticate]: module "eap" returns invalid for request 15 modcall: leaving group authenticate (returns invalid) for request 15 auth: Failed to validate the user. Login incorrect: [create-net\\antonio/<no User-Password attribute>] (from client ap-test-ivan port 299 cli 000c.f135.f1ba) Delaying request 15 for 1 seconds Finished request 15 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.20.4:1645, id=131, length=255 Sending Access-Reject of id 131 to 192.168.20.4 port 1645 EAP-Message = 0x04090004 Message-Authenticator = 0x00000000000000000000000000000000 --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Nothing to do. Sleeping until we see a request. In this case I have a radius_xlat entry with the ntlm_auth request, but it is rejected. Can you help me? Thanks bye Antonio on 09/05/2006 18.26 Alan DeKok said the following:
If I insert in the users file "DEFAULT Auth-Type := MS-CHAP", in the log file I read this error:
Which is why the documentation says to NOT set Auth-Type.
You didn't post the rest of the debug log (i.e. the packet), but it's obvious what's happening. The server is getting a packet without ms-chap, and you told it to do ms-chap, so it doesn't work.
The solution is don't break the configuration of the server.
If I remove the DAFAULT user in the users file in the log I can't find a mschap authentication and the user is reject.
I doubt that very much. The default config works.
If you're using "radtest", then it doesn't do ms-chap authentication, so you can't use it to test ms-chap on the server. You have to use another client.
Alan DeKok.
Antonio Matera wrote:
Hallo, thanks for your answer. Now I post all my configuration and log, in this way I suppose that is much easy understand my problem.
my eap.conf file is:
Your eap.conf is irrelevant because...
authorize { preprocess mschap suffix #eap files }
...you've disabled eap by commenting it out. Why do people insist on breaking the server? Start with the default config and make small changes to work towards what you need. Making massive changes without understanding the consequences just breaks it.
authenticate {
Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap }
Auth-Type LDAP { ldap }
#eap }
I don't know if I have to insert in the authorize and authenticate module eap. Whitout it I have this log:
Of course you do. How else would EAP work?
Ready to process requests. rad_recv: Access-Request packet from host 192.168.20.4:1645, id=93, length=180 User-Name = "create-net\\antonio" Framed-MTU = 1400 Called-Station-Id = "0012.dacb.8420" Calling-Station-Id = "000c.f135.f1ba" Cisco-AVPair = "ssid=cn-test" Service-Type = Login-User Message-Authenticator = 0x2f697be434714d8586f8cc481b01874f EAP-Message = 0x02010017016372656174652d6e65745c616e746f6e696f
...and since this is an EAP request, you need eap to work. This really isn't that hard...
Your eap.conf is irrelevant because...
authorize { preprocess mschap suffix #eap files }
...you've disabled eap by commenting it out.
Why do people insist on breaking the server? Start with the default config and make small changes to work towards what you need. Making massive changes without understanding the consequences just breaks it.
In the second part off my last mail I have insert the log with eap config. The changes in my server are for the EAP-TLS authentication. I need two different authentication for my purpose.
I don't know if I have to insert in the authorize and authenticate module eap. Whitout it I have this log:
Of course you do. How else would EAP work?
I re-write my log with eap conf. Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /usr/local/etc/raddb/proxy.conf Config: including file: /usr/local/etc/raddb/clients.conf Config: including file: /usr/local/etc/raddb/snmp.conf Config: including file: /usr/local/etc/raddb/eap.conf Config: including file: /usr/local/etc/raddb/sql.conf main: prefix = "/usr/local" main: localstatedir = "/usr/local/var" main: logdir = "/usr/local/var/log/radius" main: libdir = "/usr/local/lib" main: radacctdir = "/usr/local/var/log/radius/radacct" main: hostname_lookups = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 1812 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = "/usr/local/var/log/radius/radius.log" main: log_auth = yes main: log_auth_badpass = yes main: log_auth_goodpass = yes main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid" main: bind_address = 192.168.20.2 IP address [192.168.20.2] main: user = "(null)" main: group = "(null)" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/local/sbin/checkrad" main: proxy_requests = no proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = no proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = yes main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/local/lib Module: Loaded exec exec: wait = yes exec: program = "(null)" exec: input_pairs = "request" exec: output_pairs = "(null)" exec: packet_type = "(null)" rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = yes mschap: require_strong = yes mschap: with_ntdomain_hack = yes mschap: passwd = "(null)" mschap: authtype = "MS-CHAP" mschap: ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" Module: Instantiated mschap (mschap) Module: Loaded LDAP ldap: server = "localhost" ldap: port = 389 ldap: net_timeout = 1 ldap: timeout = 4 ldap: timelimit = 3 ldap: identity = "" ldap: tls_mode = no ldap: start_tls = no ldap: tls_cacertfile = "(null)" ldap: tls_cacertdir = "(null)" ldap: tls_certfile = "(null)" ldap: tls_keyfile = "(null)" ldap: tls_randfile = "(null)" ldap: tls_require_cert = "allow" ldap: password = "" ldap: basedn = "dc=create-net,dc=org" ldap: filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" ldap: base_filter = "(objectclass=radiusprofile)" ldap: default_profile = "(null)" ldap: profile_attribute = "(null)" ldap: password_header = "(null)" ldap: password_attribute = "userPassword" ldap: access_attr = "(null)" ldap: groupname_attribute = "cn" ldap: groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" ldap: groupmembership_attribute = "(null)" ldap: dictionary_mapping = "/usr/local/etc/raddb/ldap.attrmap" ldap: ldap_debug = 0 ldap: ldap_connections_number = 5 ldap: compare_check_items = no ldap: access_attr_used_for_allow = yes ldap: do_xlat = yes ldap: set_auth_type = yes rlm_ldap: Registering ldap_groupcmp for Ldap-Group rlm_ldap: Registering ldap_xlat with xlat_name ldap rlm_ldap: reading ldap<->radius mappings from file /usr/local/etc/raddb/ldap.attrmap rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network rlm_ldap: LDAP radiusClass mapped to RADIUS Class rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message conns: 0x8e63138 Module: Instantiated ldap (ldap) Module: Loaded eap eap: default_eap_type = "tls" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap gtc: challenge = "Password: " gtc: auth_type = "PAP" rlm_eap: Loaded and initialized type gtc tls: rsa_key_exchange = no tls: dh_key_exchange = yes tls: rsa_key_length = 512 tls: dh_key_length = 512 tls: verify_depth = 0 tls: CA_path = "/usr/local/etc/raddb/certs/masterkeys2/" tls: pem_file_type = yes tls: private_key_file = "/usr/local/etc/raddb/certs/masterkeys2/cert-srv.pem" tls: certificate_file = "/usr/local/etc/raddb/certs/masterkeys2/cert-srv.pem" tls: CA_file = "/usr/local/etc/raddb/certs/masterkeys2/root.pem" tls: private_key_password = "whatever" tls: dh_file = "/usr/local/etc/raddb/certs/dh" tls: random_file = "/usr/local/etc/raddb/certs/random" tls: fragment_size = 1024 tls: include_length = yes tls: check_crl = yes tls: check_cert_cn = "%{User-Name}" rlm_eap_tls: Loading the certificate file as a chain rlm_eap: Loaded and initialized type tls peap: default_eap_type = "mschapv2" peap: copy_request_to_tunnel = yes peap: use_tunneled_reply = no peap: proxy_tunneled_request_as_eap = yes rlm_eap: Loaded and initialized type peap mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups" preprocess: hints = "/usr/local/etc/raddb/hints" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = yes Module: Instantiated preprocess (preprocess) Module: Loaded realm realm: format = "suffix" realm: delimiter = "@" realm: ignore_default = no realm: ignore_null = no Module: Instantiated realm (suffix) Module: Loaded files files: usersfile = "/usr/local/etc/raddb/users" files: acctusersfile = "/usr/local/etc/raddb/acct_users" files: preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users" files: compat = "no" Module: Instantiated files (files) Module: Loaded Acct-Unique-Session-Id acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" Module: Instantiated acct_unique (acct_unique) Module: Loaded detail detail: detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (detail) Module: Loaded System unix: cache = no unix: passwd = "(null)" unix: shadow = "/etc/shadow" unix: group = "(null)" unix: radwtmp = "/usr/local/var/log/radius/radwtmp" unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded radutmp radutmp: filename = "/usr/local/var/log/radius/radutmp" radutmp: username = "%{User-Name}" radutmp: case_sensitive = yes radutmp: check_with_nas = yes radutmp: perm = 384 radutmp: callerid = yes Module: Instantiated radutmp (radutmp) Listening on authentication 192.168.20.2:1812 Listening on accounting 192.168.20.2:1813 Ready to process requests. rad_recv: Access-Request packet from host 192.168.20.4:1645, id=45, length=180 User-Name = "create-net\\antonio" Framed-MTU = 1400 Called-Station-Id = "0012.dacb.8420" Calling-Station-Id = "000c.f135.f1ba" Cisco-AVPair = "ssid=cn-test" Service-Type = Login-User Message-Authenticator = 0x013d2a6afd29bd2556daee278fe075b4 EAP-Message = 0x02010017016372656174652d6e65745c616e746f6e696f NAS-Port-Type = Wireless-802.11 Cisco-NAS-Port = "267" NAS-Port = 267 NAS-IP-Address = 192.168.20.4 NAS-Identifier = "ap" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "create-net\antonio", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 modcall[authorize]: module "files" returns notfound for request 0 modcall: leaving group authorize (returns ok) for request 0 auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user auth: Failed to validate the user. Login incorrect: [create-net\\antonio/<no User-Password attribute>] (from client ap-test-ivan port 267 cli 000c.f135.f1ba) Delaying request 0 for 1 seconds Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 45 to 192.168.20.4 port 1645 Waking up in 4 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 45 with timestamp 446198f5 Nothing to do. Sleeping until we see a request. Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /usr/local/etc/raddb/proxy.conf Config: including file: /usr/local/etc/raddb/clients.conf Config: including file: /usr/local/etc/raddb/snmp.conf Config: including file: /usr/local/etc/raddb/eap.conf Config: including file: /usr/local/etc/raddb/sql.conf main: prefix = "/usr/local" main: localstatedir = "/usr/local/var" main: logdir = "/usr/local/var/log/radius" main: libdir = "/usr/local/lib" main: radacctdir = "/usr/local/var/log/radius/radacct" main: hostname_lookups = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 1812 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = "/usr/local/var/log/radius/radius.log" main: log_auth = yes main: log_auth_badpass = yes main: log_auth_goodpass = yes main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid" main: bind_address = 192.168.20.2 IP address [192.168.20.2] main: user = "(null)" main: group = "(null)" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/local/sbin/checkrad" main: proxy_requests = no proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = no proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = yes main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/local/lib Module: Loaded exec exec: wait = yes exec: program = "(null)" exec: input_pairs = "request" exec: output_pairs = "(null)" exec: packet_type = "(null)" rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = no mschap: require_strong = no mschap: with_ntdomain_hack = yes mschap: passwd = "(null)" mschap: authtype = "MS-CHAP" mschap: ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" Module: Instantiated mschap (mschap) Module: Loaded preprocess preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups" preprocess: hints = "/usr/local/etc/raddb/hints" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = yes Module: Instantiated preprocess (preprocess) Module: Loaded realm realm: format = "suffix" realm: delimiter = "@" realm: ignore_default = no realm: ignore_null = no Module: Instantiated realm (suffix) Module: Loaded eap eap: default_eap_type = "tls" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap gtc: challenge = "Password: " gtc: auth_type = "PAP" rlm_eap: Loaded and initialized type gtc tls: rsa_key_exchange = no tls: dh_key_exchange = yes tls: rsa_key_length = 512 tls: dh_key_length = 512 tls: verify_depth = 0 tls: CA_path = "/usr/local/etc/raddb/certs/masterkeys2/" tls: pem_file_type = yes tls: private_key_file = "/usr/local/etc/raddb/certs/masterkeys2/cert-srv.pem" tls: certificate_file = "/usr/local/etc/raddb/certs/masterkeys2/cert-srv.pem" tls: CA_file = "/usr/local/etc/raddb/certs/masterkeys2/root.pem" tls: private_key_password = "whatever" tls: dh_file = "/usr/local/etc/raddb/certs/dh" tls: random_file = "/usr/local/etc/raddb/certs/random" tls: fragment_size = 1024 tls: include_length = yes tls: check_crl = yes tls: check_cert_cn = "%{User-Name}" rlm_eap_tls: Loading the certificate file as a chain rlm_eap: Loaded and initialized type tls peap: default_eap_type = "mschapv2" peap: copy_request_to_tunnel = yes peap: use_tunneled_reply = no peap: proxy_tunneled_request_as_eap = yes rlm_eap: Loaded and initialized type peap mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded files files: usersfile = "/usr/local/etc/raddb/users" files: acctusersfile = "/usr/local/etc/raddb/acct_users" files: preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users" files: compat = "no" Module: Instantiated files (files) Module: Loaded Acct-Unique-Session-Id acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" Module: Instantiated acct_unique (acct_unique) Module: Loaded detail detail: detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (detail) Module: Loaded System unix: cache = no unix: passwd = "(null)" unix: shadow = "/etc/shadow" unix: group = "(null)" unix: radwtmp = "/usr/local/var/log/radius/radwtmp" unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded radutmp radutmp: filename = "/usr/local/var/log/radius/radutmp" radutmp: username = "%{User-Name}" radutmp: case_sensitive = yes radutmp: check_with_nas = yes radutmp: perm = 384 radutmp: callerid = yes Module: Instantiated radutmp (radutmp) Listening on authentication 192.168.20.2:1812 Listening on accounting 192.168.20.2:1813 Ready to process requests. rad_recv: Access-Request packet from host 192.168.20.4:1645, id=85, length=180 User-Name = "create-net\\antonio" Framed-MTU = 1400 Called-Station-Id = "0012.dacb.8420" Calling-Station-Id = "000c.f135.f1ba" Cisco-AVPair = "ssid=cn-test" Service-Type = Login-User Message-Authenticator = 0xdd3a1e5aaa36d303e7009f7e1f2da8d7 EAP-Message = 0x02010017016372656174652d6e65745c616e746f6e696f NAS-Port-Type = Wireless-802.11 Cisco-NAS-Port = "283" NAS-Port = 283 NAS-IP-Address = 192.168.20.4 NAS-Identifier = "ap" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "create-net\antonio", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: EAP packet type response id 1 length 23 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 modcall[authorize]: module "files" returns notfound for request 0 modcall: leaving group authorize (returns updated) for request 0 rad_check_password: Found Auth-Type EAP auth: type "EAP" ERROR: Unknown value specified for Auth-Type. Cannot perform requested action. auth: Failed to validate the user. Login incorrect: [create-net\\antonio/<no User-Password attribute>] (from client ap-test-ivan port 283 cli 000c.f135.f1ba) Delaying request 0 for 1 seconds Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... rad_recv: Access-Request packet from host 192.168.20.4:1645, id=86, length=180 User-Name = "create-net\\antonio" Framed-MTU = 1400 Called-Station-Id = "0012.dacb.8420" Calling-Station-Id = "000c.f135.f1ba" Cisco-AVPair = "ssid=cn-test" Service-Type = Login-User Message-Authenticator = 0x63937b177de95f58fc530d735cd24806 EAP-Message = 0x02010017016372656174652d6e65745c616e746f6e696f NAS-Port-Type = Wireless-802.11 Cisco-NAS-Port = "284" NAS-Port = 284 NAS-IP-Address = 192.168.20.4 NAS-Identifier = "ap" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module "preprocess" returns ok for request 1 modcall[authorize]: module "mschap" returns noop for request 1 rlm_realm: No '@' in User-Name = "create-net\antonio", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 1 rlm_eap: EAP packet type response id 1 length 23 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 1 modcall[authorize]: module "files" returns notfound for request 1 modcall: leaving group authorize (returns updated) for request 1 rad_check_password: Found Auth-Type EAP auth: type "EAP" ERROR: Unknown value specified for Auth-Type. Cannot perform requested action. auth: Failed to validate the user. Login incorrect: [create-net\\antonio/<no User-Password attribute>] (from client ap-test-ivan port 284 cli 000c.f135.f1ba) Delaying request 1 for 1 seconds Finished request 1 Going to the next request Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 85 to 192.168.20.4 port 1645 Sending Access-Reject of id 86 to 192.168.20.4 port 1645 Waking up in 4 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 85 with timestamp 44619a3e Cleaning up request 1 ID 86 with timestamp 44619a3e Nothing to do. Sleeping until we see a request. Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /usr/local/etc/raddb/proxy.conf Config: including file: /usr/local/etc/raddb/clients.conf Config: including file: /usr/local/etc/raddb/snmp.conf Config: including file: /usr/local/etc/raddb/eap.conf Config: including file: /usr/local/etc/raddb/sql.conf main: prefix = "/usr/local" main: localstatedir = "/usr/local/var" main: logdir = "/usr/local/var/log/radius" main: libdir = "/usr/local/lib" main: radacctdir = "/usr/local/var/log/radius/radacct" main: hostname_lookups = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 1812 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = "/usr/local/var/log/radius/radius.log" main: log_auth = yes main: log_auth_badpass = yes main: log_auth_goodpass = yes main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid" main: bind_address = 192.168.20.2 IP address [192.168.20.2] main: user = "(null)" main: group = "(null)" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/local/sbin/checkrad" main: proxy_requests = no proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = no proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = yes main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/local/lib Module: Loaded exec exec: wait = yes exec: program = "(null)" exec: input_pairs = "request" exec: output_pairs = "(null)" exec: packet_type = "(null)" rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = no mschap: require_strong = no mschap: with_ntdomain_hack = yes mschap: passwd = "(null)" mschap: authtype = "MS-CHAP" mschap: ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" Module: Instantiated mschap (mschap) Module: Loaded eap eap: default_eap_type = "tls" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap gtc: challenge = "Password: " gtc: auth_type = "PAP" rlm_eap: Loaded and initialized type gtc tls: rsa_key_exchange = no tls: dh_key_exchange = yes tls: rsa_key_length = 512 tls: dh_key_length = 512 tls: verify_depth = 0 tls: CA_path = "/usr/local/etc/raddb/certs/masterkeys2/" tls: pem_file_type = yes tls: private_key_file = "/usr/local/etc/raddb/certs/masterkeys2/cert-srv.pem" tls: certificate_file = "/usr/local/etc/raddb/certs/masterkeys2/cert-srv.pem" tls: CA_file = "/usr/local/etc/raddb/certs/masterkeys2/root.pem" tls: private_key_password = "whatever" tls: dh_file = "/usr/local/etc/raddb/certs/dh" tls: random_file = "/usr/local/etc/raddb/certs/random" tls: fragment_size = 1024 tls: include_length = yes tls: check_crl = yes tls: check_cert_cn = "%{User-Name}" rlm_eap_tls: Loading the certificate file as a chain rlm_eap: Loaded and initialized type tls peap: default_eap_type = "mschapv2" peap: copy_request_to_tunnel = yes peap: use_tunneled_reply = no peap: proxy_tunneled_request_as_eap = yes rlm_eap: Loaded and initialized type peap mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups" preprocess: hints = "/usr/local/etc/raddb/hints" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = yes Module: Instantiated preprocess (preprocess) Module: Loaded realm realm: format = "suffix" realm: delimiter = "@" realm: ignore_default = no realm: ignore_null = no Module: Instantiated realm (suffix) Module: Loaded files files: usersfile = "/usr/local/etc/raddb/users" files: acctusersfile = "/usr/local/etc/raddb/acct_users" files: preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users" files: compat = "no" Module: Instantiated files (files) Module: Loaded Acct-Unique-Session-Id acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" Module: Instantiated acct_unique (acct_unique) Module: Loaded detail detail: detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (detail) Module: Loaded System unix: cache = no unix: passwd = "(null)" unix: shadow = "/etc/shadow" unix: group = "(null)" unix: radwtmp = "/usr/local/var/log/radius/radwtmp" unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded radutmp radutmp: filename = "/usr/local/var/log/radius/radutmp" radutmp: username = "%{User-Name}" radutmp: case_sensitive = yes radutmp: check_with_nas = yes radutmp: perm = 384 radutmp: callerid = yes Module: Instantiated radutmp (radutmp) Listening on authentication 192.168.20.2:1812 Listening on accounting 192.168.20.2:1813 Ready to process requests. rad_recv: Access-Request packet from host 192.168.20.4:1645, id=116, length=180 User-Name = "create-net\\antonio" Framed-MTU = 1400 Called-Station-Id = "0012.dacb.8420" Calling-Station-Id = "000c.f135.f1ba" Cisco-AVPair = "ssid=cn-test" Service-Type = Login-User Message-Authenticator = 0x4689ca731f1671fe47b9e772ba963b3b EAP-Message = 0x02010017016372656174652d6e65745c616e746f6e696f NAS-Port-Type = Wireless-802.11 Cisco-NAS-Port = "298" NAS-Port = 298 NAS-IP-Address = 192.168.20.4 NAS-Identifier = "ap" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "create-net\antonio", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: EAP packet type response id 1 length 23 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 modcall[authorize]: module "files" returns notfound for request 0 modcall: leaving group authorize (returns updated) for request 0 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Requiring client certificate rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 0 modcall: leaving group authenticate (returns handled) for request 0 Sending Access-Challenge of id 116 to 192.168.20.4 port 1645 EAP-Message = 0x010200060d20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x7078d497654015d4e9ffac34c1f69dba Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.20.4:1645, id=117, length=181 User-Name = "create-net\\antonio" Framed-MTU = 1400 Called-Station-Id = "0012.dacb.8420" Calling-Station-Id = "000c.f135.f1ba" Cisco-AVPair = "ssid=cn-test" Service-Type = Login-User Message-Authenticator = 0x67d07687e13a023149efa9d5209569f7 EAP-Message = 0x020200060319 NAS-Port-Type = Wireless-802.11 Cisco-NAS-Port = "298" NAS-Port = 298 State = 0x7078d497654015d4e9ffac34c1f69dba NAS-IP-Address = 192.168.20.4 NAS-Identifier = "ap" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module "preprocess" returns ok for request 1 modcall[authorize]: module "mschap" returns noop for request 1 rlm_realm: No '@' in User-Name = "create-net\antonio", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 1 rlm_eap: EAP packet type response id 2 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 1 modcall[authorize]: module "files" returns notfound for request 1 modcall: leaving group authorize (returns updated) for request 1 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 1 rlm_eap: Request found, released from the list rlm_eap: EAP NAK rlm_eap: EAP-NAK asked for EAP-Type/peap rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 1 modcall: leaving group authenticate (returns handled) for request 1 Sending Access-Challenge of id 117 to 192.168.20.4 port 1645 EAP-Message = 0x010300061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x214439adc1f5064d306391aa74819e33 Finished request 1 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.20.4:1645, id=118, length=281 User-Name = "create-net\\antonio" Framed-MTU = 1400 Called-Station-Id = "0012.dacb.8420" Calling-Station-Id = "000c.f135.f1ba" Cisco-AVPair = "ssid=cn-test" Service-Type = Login-User Message-Authenticator = 0x3a743361e356903d37d8a39d97abf926 EAP-Message = 0x0203006a198000000060160301005b01000057030144619b897b6ae039294c3a2335211479a1c27d2d9ed2b81220b04ffd33e89ad100003000390038003500160013000a00330032002f0066000500040065006400630062006000150012000900140011000800030100 NAS-Port-Type = Wireless-802.11 Cisco-NAS-Port = "298" NAS-Port = 298 State = 0x214439adc1f5064d306391aa74819e33 NAS-IP-Address = 192.168.20.4 NAS-Identifier = "ap" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 2 modcall[authorize]: module "preprocess" returns ok for request 2 modcall[authorize]: module "mschap" returns noop for request 2 rlm_realm: No '@' in User-Name = "create-net\antonio", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 2 rlm_eap: EAP packet type response id 3 length 106 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 2 modcall[authorize]: module "files" returns notfound for request 2 modcall: leaving group authorize (returns updated) for request 2 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 2 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 005b], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0673], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone TLS_accept: SSLv3 write server done A TLS_accept: SSLv3 flush data TLS_accept:error in SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 2 modcall: leaving group authenticate (returns handled) for request 2 Sending Access-Challenge of id 118 to 192.168.20.4 port 1645 EAP-Message = 0x0104040a19c0000006d0160301004a02000046030144619b6ab0457599907bd0dfbdff0a0df822e2b23393a73181d9d8ca10968a3120e94aa539ca0a5176b10d0e535d7edfb5651373eb94b935018ba68f15f97906fc00350016030106730b00066f00066c0002bd308202b930820222a003020102020101300d06092a864886f70d0101050500308194310b3009060355040613024954310e300c060355040813054974616c79310f300d060355040713065472656e746f31133011060355040a130a4352454154452d4e455431133011060355040b130a4352454154452d4e4554310d300b06035504031304524f4f54312b302906092a864886f70d EAP-Message = 0x010901161c616e746f6e696f2e6d6174657261406372656174652d6e65742e6974301e170d3036303331353135313230345a170d3037303331353135313230345a308196310b3009060355040613024954310e300c060355040813054974616c79310f300d060355040713065472656e746f31133011060355040a130a4352454154452d4e455431133011060355040b130a4352454154452d4e4554310f300d06035504031306534552564552312b302906092a864886f70d010901161c616e746f6e696f2e6d6174657261406372656174652d6e65742e697430819f300d06092a864886f70d010101050003818d0030818902818100e81d9a2a8804 EAP-Message = 0x4b630c0153075c2a1dc066c99392cc5af660adbbad91ef4eeff866c5f20fa2c5fb7965a3c12b674f90f04985eab710cd97852b1ce3e08f04aa06d4717254338f62a05d6344c311578a02f9fae0aca2aa336ed9121874c86c1124fd4a7f8832b652be20f2c3ad20951e1099300f4d6c27a695aeb757501c36383d0203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d01010505000381810026e9f99eee1bd9d0a221d725e9dad88ad2b9d1385db136076fda84de1ccfc1e2a5a3fa237fd9c88c4fb98267dd827f96418a007782246380e2c488310eb1df77e5fda4b05143777dcd627fe6f6a948be43e0 EAP-Message = 0x377fa815cd412cb80b442714852fe94cb9aae46c08f2e84cc7092bdf887d069e2ab1fd2cf56c9332b87e83990d670003a9308203a53082030ea003020102020900d6c51af184c17a13300d06092a864886f70d0101050500308194310b3009060355040613024954310e300c060355040813054974616c79310f300d060355040713065472656e746f31133011060355040a130a4352454154452d4e455431133011060355040b130a4352454154452d4e4554310d300b06035504031304524f4f54312b302906092a864886f70d010901161c616e746f6e696f2e6d6174657261406372656174652d6e65742e6974301e170d30363033313531353130 EAP-Message = 0x30305a170d3038303331343135313030305a30819431 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xcdade1c297ef345ee14a30af41907d95 Finished request 2 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.20.4:1645, id=119, length=181 User-Name = "create-net\\antonio" Framed-MTU = 1400 Called-Station-Id = "0012.dacb.8420" Calling-Station-Id = "000c.f135.f1ba" Cisco-AVPair = "ssid=cn-test" Service-Type = Login-User Message-Authenticator = 0xc81faebb51a4b05feb72e6f30de54232 EAP-Message = 0x020400061900 NAS-Port-Type = Wireless-802.11 Cisco-NAS-Port = "298" NAS-Port = 298 State = 0xcdade1c297ef345ee14a30af41907d95 NAS-IP-Address = 192.168.20.4 NAS-Identifier = "ap" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 3 modcall[authorize]: module "preprocess" returns ok for request 3 modcall[authorize]: module "mschap" returns noop for request 3 rlm_realm: No '@' in User-Name = "create-net\antonio", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 3 rlm_eap: EAP packet type response id 4 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 3 modcall[authorize]: module "files" returns notfound for request 3 modcall: leaving group authorize (returns updated) for request 3 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 3 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 3 modcall: leaving group authenticate (returns handled) for request 3 Sending Access-Challenge of id 119 to 192.168.20.4 port 1645 EAP-Message = 0x010502d619000b3009060355040613024954310e300c060355040813054974616c79310f300d060355040713065472656e746f31133011060355040a130a4352454154452d4e455431133011060355040b130a4352454154452d4e4554310d300b06035504031304524f4f54312b302906092a864886f70d010901161c616e746f6e696f2e6d6174657261406372656174652d6e65742e697430819f300d06092a864886f70d010101050003818d0030818902818100b9d2e4970beba1cac75125d76679fcede5da675985ae70ca7a7414cca08fa27f7de577e293ad03a5217d3d5c8f48a3d39ed4579e38ac4e7fbf650f80d3b80253683e15948edebf EAP-Message = 0x789e3379e90e8eb5690af994d98cc6d4e702e96db90bbb1bfc642b2ddbdd026812efdcd22664bf27ae6b5cd56737db61cf5b22c2eaa415ce0b0203010001a381fc3081f9301d0603551d0e04160414f877a449a82f70e28ff7d3238ed22fca5f76d7b43081c90603551d230481c13081be8014f877a449a82f70e28ff7d3238ed22fca5f76d7b4a1819aa48197308194310b3009060355040613024954310e300c060355040813054974616c79310f300d060355040713065472656e746f31133011060355040a130a4352454154452d4e455431133011060355040b130a4352454154452d4e4554310d300b06035504031304524f4f54312b30290609 EAP-Message = 0x2a864886f70d010901161c616e746f6e696f2e6d6174657261406372656174652d6e65742e6974820900d6c51af184c17a13300c0603551d13040530030101ff300d06092a864886f70d0101050500038181009afe6349178f51966293fa52eafafe825e9441722f5f86ebb1e995589569640a40f04f3c969ea63173a875d9f055a0b19dc2c463a1c5de3a447dc04f369d5fb56fdff6bca5ef16e785a46f3646e062ac0c7cacc7cbfd163ccbb314bc66e8bbc68ac6d594e47d0cd76d66aec45508952892553bbe957973f8e6c5ac901f86881b16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd1b33ebf766f32bd02ac1218c6ab0773 Finished request 3 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.20.4:1645, id=120, length=383 User-Name = "create-net\\antonio" Framed-MTU = 1400 Called-Station-Id = "0012.dacb.8420" Calling-Station-Id = "000c.f135.f1ba" Cisco-AVPair = "ssid=cn-test" Service-Type = Login-User Message-Authenticator = 0x09b15accb2d5990b246e768358f7c62f EAP-Message = 0x020500d01980000000c6160301008610000082008011c4672df05a1702efe782790a045aa376013e71a9bf0e35f33bc5c4e4e5c2ea8fd014f588a822d0628db20071571b4940ddf8ab60b5dc837b111a12dbbf51ad8d1c173b0fa3c928c6364496abe68b4f57948ec2187c9f5492dc752115bf1756bd97ed1105e4f9d4e4fddfa597003a4a54134ff46d88b5cb6a8088b68eb322bc1403010001011603010030bbd76fd1e8317c2d8da5de1e73dbd24aabfb92fc2f5abd33d1f542a0b2a47e91e91e4e1ac4bb838e368a9a7397fe7edf NAS-Port-Type = Wireless-802.11 Cisco-NAS-Port = "298" NAS-Port = 298 State = 0xd1b33ebf766f32bd02ac1218c6ab0773 NAS-IP-Address = 192.168.20.4 NAS-Identifier = "ap" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 4 modcall[authorize]: module "preprocess" returns ok for request 4 modcall[authorize]: module "mschap" returns noop for request 4 rlm_realm: No '@' in User-Name = "create-net\antonio", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 4 rlm_eap: EAP packet type response id 5 length 208 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 4 modcall[authorize]: module "files" returns notfound for request 4 modcall: leaving group authorize (returns updated) for request 4 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 4 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange TLS_accept: SSLv3 read client key exchange A rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001] rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 read finished A rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001] TLS_accept: SSLv3 write change cipher spec A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 write finished A TLS_accept: SSLv3 flush data (other): SSL negotiation finished successfully SSL Connection Established eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 4 modcall: leaving group authenticate (returns handled) for request 4 Sending Access-Challenge of id 120 to 192.168.20.4 port 1645 EAP-Message = 0x01060041190014030100010116030100301c68c162410a59004fc3222c41efc32b11ab9c2d2f37ca2ec06a92265d2c69191d2136aa5059ff8ae838241bc84f795b Message-Authenticator = 0x00000000000000000000000000000000 State = 0x794f9dc43c91b1671a730e2975cdd639 Finished request 4 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.20.4:1645, id=121, length=181 User-Name = "create-net\\antonio" Framed-MTU = 1400 Called-Station-Id = "0012.dacb.8420" Calling-Station-Id = "000c.f135.f1ba" Cisco-AVPair = "ssid=cn-test" Service-Type = Login-User Message-Authenticator = 0x2ed02e409d91ef49bc159389d745f9f8 EAP-Message = 0x020600061900 NAS-Port-Type = Wireless-802.11 Cisco-NAS-Port = "298" NAS-Port = 298 State = 0x794f9dc43c91b1671a730e2975cdd639 NAS-IP-Address = 192.168.20.4 NAS-Identifier = "ap" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 5 modcall[authorize]: module "preprocess" returns ok for request 5 modcall[authorize]: module "mschap" returns noop for request 5 rlm_realm: No '@' in User-Name = "create-net\antonio", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 5 rlm_eap: EAP packet type response id 6 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 5 modcall[authorize]: module "files" returns notfound for request 5 modcall: leaving group authorize (returns updated) for request 5 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 5 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake is finished eaptls_verify returned 3 eaptls_process returned 3 rlm_eap_peap: EAPTLS_SUCCESS modcall[authenticate]: module "eap" returns handled for request 5 modcall: leaving group authenticate (returns handled) for request 5 Sending Access-Challenge of id 121 to 192.168.20.4 port 1645 EAP-Message = 0x0107005019001703010020bbd90b904dc723d66d36fd1af4b58c6c65bb025370acf98a7f1af4a0bd93b9e617030100207e05857c1d290580b581c571201394893630a8db7785104f6d4e55f3475fd2b1 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa8d74feb3df35c485dc76d9fb5357ec3 Finished request 5 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.20.4:1645, id=122, length=271 User-Name = "create-net\\antonio" Framed-MTU = 1400 Called-Station-Id = "0012.dacb.8420" Calling-Station-Id = "000c.f135.f1ba" Cisco-AVPair = "ssid=cn-test" Service-Type = Login-User Message-Authenticator = 0xad718ebf13b1257f31d18c5022aff07f EAP-Message = 0x02070060190017030100202129be555177c48c3f5141721ab34827949098e33876273cb5693ff7f446a57a1703010030c7a61433edd0219c0a366026eba728bbe63c5d32943c35fbb4d01072a12959e7893e7c109f2dde239212a7bf41f3af7f NAS-Port-Type = Wireless-802.11 Cisco-NAS-Port = "298" NAS-Port = 298 State = 0xa8d74feb3df35c485dc76d9fb5357ec3 NAS-IP-Address = 192.168.20.4 NAS-Identifier = "ap" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 6 modcall[authorize]: module "preprocess" returns ok for request 6 modcall[authorize]: module "mschap" returns noop for request 6 rlm_realm: No '@' in User-Name = "create-net\antonio", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 6 rlm_eap: EAP packet type response id 7 length 96 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 6 modcall[authorize]: module "files" returns notfound for request 6 modcall: leaving group authorize (returns updated) for request 6 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 6 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Identity - create-net\antonio rlm_eap_peap: Tunneled data is valid. PEAP: Got tunneled identity of create-net\antonio PEAP: Setting default EAP type for tunneled EAP session. PEAP: Setting User-Name to create-net\antonio Processing the authorize section of radiusd.conf modcall: entering group authorize for request 6 modcall[authorize]: module "preprocess" returns ok for request 6 modcall[authorize]: module "mschap" returns noop for request 6 rlm_realm: No '@' in User-Name = "create-net\antonio", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 6 rlm_eap: EAP packet type response id 7 length 23 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 6 modcall[authorize]: module "files" returns notfound for request 6 modcall: leaving group authorize (returns updated) for request 6 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 6 rlm_eap: EAP Identity rlm_eap: processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge modcall[authenticate]: module "eap" returns handled for request 6 modcall: leaving group authenticate (returns handled) for request 6 PEAP: Got tunneled Access-Challenge modcall[authenticate]: module "eap" returns handled for request 6 modcall: leaving group authenticate (returns handled) for request 6 Sending Access-Challenge of id 122 to 192.168.20.4 port 1645 EAP-Message = 0x0108007019001703010020b131c7991eef9cae67c0bae03404fed5be8df806097f0fec54b78cb1a3309af21703010040c1ee99a53bcab8e374839925aadabe538a814e8273c14740fd398b7545ef80f411c1e85e9079c18362cf4293464db334d17a9fa0dba80cdaa1518c91a441a6df Message-Authenticator = 0x00000000000000000000000000000000 State = 0x75b845e17e1fcb6b158bd81702b47466 Finished request 6 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.20.4:1645, id=123, length=180 User-Name = "create-net\\antonio" Framed-MTU = 1400 Called-Station-Id = "0012.dacb.8420" Calling-Station-Id = "000c.f135.f1ba" Cisco-AVPair = "ssid=cn-test" Service-Type = Login-User Message-Authenticator = 0x5635b56a303a83e59e60521981978c54 EAP-Message = 0x02010017016372656174652d6e65745c616e746f6e696f NAS-Port-Type = Wireless-802.11 Cisco-NAS-Port = "299" NAS-Port = 299 NAS-IP-Address = 192.168.20.4 NAS-Identifier = "ap" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 7 modcall[authorize]: module "preprocess" returns ok for request 7 modcall[authorize]: module "mschap" returns noop for request 7 rlm_realm: No '@' in User-Name = "create-net\antonio", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 7 rlm_eap: EAP packet type response id 1 length 23 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 7 modcall[authorize]: module "files" returns notfound for request 7 modcall: leaving group authorize (returns updated) for request 7 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 7 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Requiring client certificate rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 7 modcall: leaving group authenticate (returns handled) for request 7 Sending Access-Challenge of id 123 to 192.168.20.4 port 1645 EAP-Message = 0x010200060d20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x6c79567ac2bbb6c4cc7faf735d77b1d9 Finished request 7 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.20.4:1645, id=124, length=181 User-Name = "create-net\\antonio" Framed-MTU = 1400 Called-Station-Id = "0012.dacb.8420" Calling-Station-Id = "000c.f135.f1ba" Cisco-AVPair = "ssid=cn-test" Service-Type = Login-User Message-Authenticator = 0x2a84b8c8a791aa8589bb7ddbd8ec6f9f EAP-Message = 0x020200060319 NAS-Port-Type = Wireless-802.11 Cisco-NAS-Port = "299" NAS-Port = 299 State = 0x6c79567ac2bbb6c4cc7faf735d77b1d9 NAS-IP-Address = 192.168.20.4 NAS-Identifier = "ap" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 8 modcall[authorize]: module "preprocess" returns ok for request 8 modcall[authorize]: module "mschap" returns noop for request 8 rlm_realm: No '@' in User-Name = "create-net\antonio", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 8 rlm_eap: EAP packet type response id 2 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 8 modcall[authorize]: module "files" returns notfound for request 8 modcall: leaving group authorize (returns updated) for request 8 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 8 rlm_eap: Request found, released from the list rlm_eap: EAP NAK rlm_eap: EAP-NAK asked for EAP-Type/peap rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 8 modcall: leaving group authenticate (returns handled) for request 8 Sending Access-Challenge of id 124 to 192.168.20.4 port 1645 EAP-Message = 0x010300061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x6f00b2c41be51dfe80e655278ffd38f4 Finished request 8 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.20.4:1645, id=125, length=281 User-Name = "create-net\\antonio" Framed-MTU = 1400 Called-Station-Id = "0012.dacb.8420" Calling-Station-Id = "000c.f135.f1ba" Cisco-AVPair = "ssid=cn-test" Service-Type = Login-User Message-Authenticator = 0x8996c98463dcc86342f01ea0d24a6e7d EAP-Message = 0x0203006a198000000060160301005b01000057030144619b89eb4b209dee29c3968727bf23ff7d96e1332df693ca83f4de07d6681900003000390038003500160013000a00330032002f0066000500040065006400630062006000150012000900140011000800030100 NAS-Port-Type = Wireless-802.11 Cisco-NAS-Port = "299" NAS-Port = 299 State = 0x6f00b2c41be51dfe80e655278ffd38f4 NAS-IP-Address = 192.168.20.4 NAS-Identifier = "ap" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 9 modcall[authorize]: module "preprocess" returns ok for request 9 modcall[authorize]: module "mschap" returns noop for request 9 rlm_realm: No '@' in User-Name = "create-net\antonio", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 9 rlm_eap: EAP packet type response id 3 length 106 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 9 modcall[authorize]: module "files" returns notfound for request 9 modcall: leaving group authorize (returns updated) for request 9 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 9 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 005b], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0673], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone TLS_accept: SSLv3 write server done A TLS_accept: SSLv3 flush data TLS_accept:error in SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 9 modcall: leaving group authenticate (returns handled) for request 9 Sending Access-Challenge of id 125 to 192.168.20.4 port 1645 EAP-Message = 0x0104040a19c0000006d0160301004a02000046030144619b6a4b02a7512ba70b82ededf45a470e12e67bcd95dcbe33366b3a8479f02056e4158900eeaae4d8ab9228e74c3f3a88d3711eab4bf4f82a7de25858ba41eb00350016030106730b00066f00066c0002bd308202b930820222a003020102020101300d06092a864886f70d0101050500308194310b3009060355040613024954310e300c060355040813054974616c79310f300d060355040713065472656e746f31133011060355040a130a4352454154452d4e455431133011060355040b130a4352454154452d4e4554310d300b06035504031304524f4f54312b302906092a864886f70d EAP-Message = 0x010901161c616e746f6e696f2e6d6174657261406372656174652d6e65742e6974301e170d3036303331353135313230345a170d3037303331353135313230345a308196310b3009060355040613024954310e300c060355040813054974616c79310f300d060355040713065472656e746f31133011060355040a130a4352454154452d4e455431133011060355040b130a4352454154452d4e4554310f300d06035504031306534552564552312b302906092a864886f70d010901161c616e746f6e696f2e6d6174657261406372656174652d6e65742e697430819f300d06092a864886f70d010101050003818d0030818902818100e81d9a2a8804 EAP-Message = 0x4b630c0153075c2a1dc066c99392cc5af660adbbad91ef4eeff866c5f20fa2c5fb7965a3c12b674f90f04985eab710cd97852b1ce3e08f04aa06d4717254338f62a05d6344c311578a02f9fae0aca2aa336ed9121874c86c1124fd4a7f8832b652be20f2c3ad20951e1099300f4d6c27a695aeb757501c36383d0203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d01010505000381810026e9f99eee1bd9d0a221d725e9dad88ad2b9d1385db136076fda84de1ccfc1e2a5a3fa237fd9c88c4fb98267dd827f96418a007782246380e2c488310eb1df77e5fda4b05143777dcd627fe6f6a948be43e0 EAP-Message = 0x377fa815cd412cb80b442714852fe94cb9aae46c08f2e84cc7092bdf887d069e2ab1fd2cf56c9332b87e83990d670003a9308203a53082030ea003020102020900d6c51af184c17a13300d06092a864886f70d0101050500308194310b3009060355040613024954310e300c060355040813054974616c79310f300d060355040713065472656e746f31133011060355040a130a4352454154452d4e455431133011060355040b130a4352454154452d4e4554310d300b06035504031304524f4f54312b302906092a864886f70d010901161c616e746f6e696f2e6d6174657261406372656174652d6e65742e6974301e170d30363033313531353130 EAP-Message = 0x30305a170d3038303331343135313030305a30819431 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0020158401d472c8bf55c967ad21e856 Finished request 9 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.20.4:1645, id=126, length=181 User-Name = "create-net\\antonio" Framed-MTU = 1400 Called-Station-Id = "0012.dacb.8420" Calling-Station-Id = "000c.f135.f1ba" Cisco-AVPair = "ssid=cn-test" Service-Type = Login-User Message-Authenticator = 0x39ad505b2b5565d68799b3661a00690e EAP-Message = 0x020400061900 NAS-Port-Type = Wireless-802.11 Cisco-NAS-Port = "299" NAS-Port = 299 State = 0x0020158401d472c8bf55c967ad21e856 NAS-IP-Address = 192.168.20.4 NAS-Identifier = "ap" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 10 modcall[authorize]: module "preprocess" returns ok for request 10 modcall[authorize]: module "mschap" returns noop for request 10 rlm_realm: No '@' in User-Name = "create-net\antonio", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 10 rlm_eap: EAP packet type response id 4 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 10 modcall[authorize]: module "files" returns notfound for request 10 modcall: leaving group authorize (returns updated) for request 10 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 10 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 10 modcall: leaving group authenticate (returns handled) for request 10 Sending Access-Challenge of id 126 to 192.168.20.4 port 1645 EAP-Message = 0x010502d619000b3009060355040613024954310e300c060355040813054974616c79310f300d060355040713065472656e746f31133011060355040a130a4352454154452d4e455431133011060355040b130a4352454154452d4e4554310d300b06035504031304524f4f54312b302906092a864886f70d010901161c616e746f6e696f2e6d6174657261406372656174652d6e65742e697430819f300d06092a864886f70d010101050003818d0030818902818100b9d2e4970beba1cac75125d76679fcede5da675985ae70ca7a7414cca08fa27f7de577e293ad03a5217d3d5c8f48a3d39ed4579e38ac4e7fbf650f80d3b80253683e15948edebf EAP-Message = 0x789e3379e90e8eb5690af994d98cc6d4e702e96db90bbb1bfc642b2ddbdd026812efdcd22664bf27ae6b5cd56737db61cf5b22c2eaa415ce0b0203010001a381fc3081f9301d0603551d0e04160414f877a449a82f70e28ff7d3238ed22fca5f76d7b43081c90603551d230481c13081be8014f877a449a82f70e28ff7d3238ed22fca5f76d7b4a1819aa48197308194310b3009060355040613024954310e300c060355040813054974616c79310f300d060355040713065472656e746f31133011060355040a130a4352454154452d4e455431133011060355040b130a4352454154452d4e4554310d300b06035504031304524f4f54312b30290609 EAP-Message = 0x2a864886f70d010901161c616e746f6e696f2e6d6174657261406372656174652d6e65742e6974820900d6c51af184c17a13300c0603551d13040530030101ff300d06092a864886f70d0101050500038181009afe6349178f51966293fa52eafafe825e9441722f5f86ebb1e995589569640a40f04f3c969ea63173a875d9f055a0b19dc2c463a1c5de3a447dc04f369d5fb56fdff6bca5ef16e785a46f3646e062ac0c7cacc7cbfd163ccbb314bc66e8bbc68ac6d594e47d0cd76d66aec45508952892553bbe957973f8e6c5ac901f86881b16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x6fb344f276334e17c5366c08afd9f1e7 Finished request 10 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.20.4:1645, id=127, length=383 User-Name = "create-net\\antonio" Framed-MTU = 1400 Called-Station-Id = "0012.dacb.8420" Calling-Station-Id = "000c.f135.f1ba" Cisco-AVPair = "ssid=cn-test" Service-Type = Login-User Message-Authenticator = 0x4466cca9dbdd714fa57d213f35b88d17 EAP-Message = 0x020500d01980000000c616030100861000008200809e775e311f66f680ff5091fb907861d20ee14e886af13ca3ec929ad8362962f5a858e0abbdce80c4da61fa91a2a24ea7011e31002caf80f1b808b5758fcb32ebf72808ebfde666677f9ab22e4d4cc6e0219549c2377d8738e68d0ba7b08c1ac915c3a51fd920115852bf11be419c372677bcda9e2b66dbcb2697f1d01891a5f914030100010116030100306eb490fbc5228bb610320535ac44e66fbab19132096b6e1de47d20205b750803b6c9fa5276394c65fd8004a84ba332f9 NAS-Port-Type = Wireless-802.11 Cisco-NAS-Port = "299" NAS-Port = 299 State = 0x6fb344f276334e17c5366c08afd9f1e7 NAS-IP-Address = 192.168.20.4 NAS-Identifier = "ap" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 11 modcall[authorize]: module "preprocess" returns ok for request 11 modcall[authorize]: module "mschap" returns noop for request 11 rlm_realm: No '@' in User-Name = "create-net\antonio", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 11 rlm_eap: EAP packet type response id 5 length 208 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 11 modcall[authorize]: module "files" returns notfound for request 11 modcall: leaving group authorize (returns updated) for request 11 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 11 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange TLS_accept: SSLv3 read client key exchange A rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001] rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 read finished A rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001] TLS_accept: SSLv3 write change cipher spec A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 write finished A TLS_accept: SSLv3 flush data (other): SSL negotiation finished successfully SSL Connection Established eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 11 modcall: leaving group authenticate (returns handled) for request 11 Sending Access-Challenge of id 127 to 192.168.20.4 port 1645 EAP-Message = 0x010600411900140301000101160301003095c113681002b9ebab907a6687261e0bb2ef1ef69552ca17be310c06ec73b907fb2e6454eb09922ba34b384d5fb436f2 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x553761a5a78cfa8b5274698ffadd6a1e Finished request 11 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.20.4:1645, id=128, length=181 User-Name = "create-net\\antonio" Framed-MTU = 1400 Called-Station-Id = "0012.dacb.8420" Calling-Station-Id = "000c.f135.f1ba" Cisco-AVPair = "ssid=cn-test" Service-Type = Login-User Message-Authenticator = 0xa59d5be2c35c3d931e4391f2457867ec EAP-Message = 0x020600061900 NAS-Port-Type = Wireless-802.11 Cisco-NAS-Port = "299" NAS-Port = 299 State = 0x553761a5a78cfa8b5274698ffadd6a1e NAS-IP-Address = 192.168.20.4 NAS-Identifier = "ap" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 12 modcall[authorize]: module "preprocess" returns ok for request 12 modcall[authorize]: module "mschap" returns noop for request 12 rlm_realm: No '@' in User-Name = "create-net\antonio", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 12 rlm_eap: EAP packet type response id 6 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 12 modcall[authorize]: module "files" returns notfound for request 12 modcall: leaving group authorize (returns updated) for request 12 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 12 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake is finished eaptls_verify returned 3 eaptls_process returned 3 rlm_eap_peap: EAPTLS_SUCCESS modcall[authenticate]: module "eap" returns handled for request 12 modcall: leaving group authenticate (returns handled) for request 12 Sending Access-Challenge of id 128 to 192.168.20.4 port 1645 EAP-Message = 0x0107005019001703010020e0bff9b284ec84452a7efb49123ef5db591bed955b9706c0232d7531bf46dc10170301002093712e7c24cd9752530af1f2e3acac9f7a87f926311592daf2cbfbbd9e345699 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd97101c4f9c28ba2350124da55c59ec3 Finished request 12 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.20.4:1645, id=129, length=271 User-Name = "create-net\\antonio" Framed-MTU = 1400 Called-Station-Id = "0012.dacb.8420" Calling-Station-Id = "000c.f135.f1ba" Cisco-AVPair = "ssid=cn-test" Service-Type = Login-User Message-Authenticator = 0x033b89d322ba7fa0a3ad46d470f69119 EAP-Message = 0x0207006019001703010020c11e3555238ee4ad15cc9f6d2c7e57ac822481dbbf6014443a504a599e5edfc7170301003093ce7a947886a076c151050cac65b260f87273a86177b9475d86e5d3493aa0c577ab18a204f09380c2484d7d4a267782 NAS-Port-Type = Wireless-802.11 Cisco-NAS-Port = "299" NAS-Port = 299 State = 0xd97101c4f9c28ba2350124da55c59ec3 NAS-IP-Address = 192.168.20.4 NAS-Identifier = "ap" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 13 modcall[authorize]: module "preprocess" returns ok for request 13 modcall[authorize]: module "mschap" returns noop for request 13 rlm_realm: No '@' in User-Name = "create-net\antonio", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 13 rlm_eap: EAP packet type response id 7 length 96 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 13 modcall[authorize]: module "files" returns notfound for request 13 modcall: leaving group authorize (returns updated) for request 13 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 13 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Identity - create-net\antonio rlm_eap_peap: Tunneled data is valid. PEAP: Got tunneled identity of create-net\antonio PEAP: Setting default EAP type for tunneled EAP session. PEAP: Setting User-Name to create-net\antonio Processing the authorize section of radiusd.conf modcall: entering group authorize for request 13 modcall[authorize]: module "preprocess" returns ok for request 13 modcall[authorize]: module "mschap" returns noop for request 13 rlm_realm: No '@' in User-Name = "create-net\antonio", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 13 rlm_eap: EAP packet type response id 7 length 23 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 13 modcall[authorize]: module "files" returns notfound for request 13 modcall: leaving group authorize (returns updated) for request 13 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 13 rlm_eap: EAP Identity rlm_eap: processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge modcall[authenticate]: module "eap" returns handled for request 13 modcall: leaving group authenticate (returns handled) for request 13 PEAP: Got tunneled Access-Challenge modcall[authenticate]: module "eap" returns handled for request 13 modcall: leaving group authenticate (returns handled) for request 13 Sending Access-Challenge of id 129 to 192.168.20.4 port 1645 EAP-Message = 0x0108007019001703010020c29c4d290cf573a17108c95ff8a439dbd0fffa49d72f2f0b28e2273b0102a6fd1703010040dea801076b9a22410691839215ef52879139b8898ab28457921cc3827c52faf8ddb0cb0e50abc1b5083013c6ea9624c0d11857f52be415423bbcbf7d65f62c6f Message-Authenticator = 0x00000000000000000000000000000000 State = 0x95075d4dcb79ab0ebdacb9728c3494f8 Finished request 13 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.20.4:1645, id=130, length=319 User-Name = "create-net\\antonio" Framed-MTU = 1400 Called-Station-Id = "0012.dacb.8420" Calling-Station-Id = "000c.f135.f1ba" Cisco-AVPair = "ssid=cn-test" Service-Type = Login-User Message-Authenticator = 0x71f9a58ea58241a92054f4a7e8d6c00d EAP-Message = 0x0208009019001703010020594a88c304d09eb0732b89e79ba40b1ee4ecaf0712f342791d3d606c3cb424de17030100601ea441d59af9832c3de109c77fb79c76a1493d909043a3acc1f23445b396e6f25521925847409f203f7c548b29aa9349c88471a6809833e226d9881344051afebd1cc7c1f1e74570529103c2ea9392f3d8a0402811ec5572664e39c2f8c146c1 NAS-Port-Type = Wireless-802.11 Cisco-NAS-Port = "299" NAS-Port = 299 State = 0x95075d4dcb79ab0ebdacb9728c3494f8 NAS-IP-Address = 192.168.20.4 NAS-Identifier = "ap" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 14 modcall[authorize]: module "preprocess" returns ok for request 14 modcall[authorize]: module "mschap" returns noop for request 14 rlm_realm: No '@' in User-Name = "create-net\antonio", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 14 rlm_eap: EAP packet type response id 8 length 144 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 14 modcall[authorize]: module "files" returns notfound for request 14 modcall: leaving group authorize (returns updated) for request 14 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 14 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: EAP type mschapv2 rlm_eap_peap: Tunneled data is valid. PEAP: Setting User-Name to create-net\antonio PEAP: Adding old state with da 5f Processing the authorize section of radiusd.conf modcall: entering group authorize for request 14 modcall[authorize]: module "preprocess" returns ok for request 14 modcall[authorize]: module "mschap" returns noop for request 14 rlm_realm: No '@' in User-Name = "create-net\antonio", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 14 rlm_eap: EAP packet type response id 8 length 77 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 14 modcall[authorize]: module "files" returns notfound for request 14 modcall: leaving group authorize (returns updated) for request 14 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 14 rlm_eap: Request found, released from the list rlm_eap: EAP/mschapv2 rlm_eap: processing type mschapv2 Processing the authenticate section of radiusd.conf modcall: entering group MS-CHAP for request 14 rlm_mschap: No User-Password configured. Cannot create LM-Password. rlm_mschap: No User-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for antonio with NT-Password radius_xlat: Running registered xlat function of module mschap for string 'NT-Domain' radius_xlat: Running registered xlat function of module mschap for string 'User-Name' radius_xlat: Running registered xlat function of module mschap for string 'Challenge' mschap2: 6b radius_xlat: Running registered xlat function of module mschap for string 'NT-Response' radius_xlat: '/usr/bin/ntlm_auth --request-nt-key --domain=create-net --username=antonio --challenge=bede046aa1e50281 --nt-response=d483da3fd5896df961259f08a02a57a8e6d1e5de14c5ac81' Exec-Program: /usr/bin/ntlm_auth --request-nt-key --domain=create-net --username=antonio --challenge=bede046aa1e50281 --nt-response=d483da3fd5896df961259f08a02a57a8e6d1e5de14c5ac81 Exec-Program output: Logon failure (0xc000006d) Exec-Program-Wait: plaintext: Logon failure (0xc000006d) Exec-Program: returned: 1 rlm_mschap: External script failed. rlm_mschap: FAILED: MS-CHAP2-Response is incorrect modcall[authenticate]: module "mschap" returns reject for request 14 modcall: leaving group MS-CHAP (returns reject) for request 14 rlm_eap: Freeing handler modcall[authenticate]: module "eap" returns reject for request 14 modcall: leaving group authenticate (returns reject) for request 14 auth: Failed to validate the user. Login incorrect: [create-net\\antonio/<no User-Password attribute>] (from client cn-radius port 299 cli 000c.f135.f1ba) PEAP: Tunneled authentication was rejected. rlm_eap_peap: FAILURE modcall[authenticate]: module "eap" returns handled for request 14 modcall: leaving group authenticate (returns handled) for request 14 Sending Access-Challenge of id 130 to 192.168.20.4 port 1645 EAP-Message = 0x010900501900170301002017a8c7804c669134ce5470ff557afd425785018a89d3ae565641ae49bef6202d1703010020831e156b1ccfdea1032f92c0db9352fb820d192298c99780d36351a961d6462c Message-Authenticator = 0x00000000000000000000000000000000 State = 0xcd8399f25420353544f29a1769a77b43 Finished request 14 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.20.4:1645, id=131, length=255 User-Name = "create-net\\antonio" Framed-MTU = 1400 Called-Station-Id = "0012.dacb.8420" Calling-Station-Id = "000c.f135.f1ba" Cisco-AVPair = "ssid=cn-test" Service-Type = Login-User Message-Authenticator = 0x23d6eafb525a98891ed7910a6ec48442 EAP-Message = 0x02090050190017030100209210f7668d2920dbf89af8cd2c06ca059afa741dc2e78e21c8a0233501bcf4bf170301002090034080f6f9c21882ca088401957fdfc84942b8ca82179176efc2eb1e0f4f96 NAS-Port-Type = Wireless-802.11 Cisco-NAS-Port = "299" NAS-Port = 299 State = 0xcd8399f25420353544f29a1769a77b43 NAS-IP-Address = 192.168.20.4 NAS-Identifier = "ap" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 15 modcall[authorize]: module "preprocess" returns ok for request 15 modcall[authorize]: module "mschap" returns noop for request 15 rlm_realm: No '@' in User-Name = "create-net\antonio", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 15 rlm_eap: EAP packet type response id 9 length 80 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 15 modcall[authorize]: module "files" returns notfound for request 15 modcall: leaving group authorize (returns updated) for request 15 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 15 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Received EAP-TLV response. rlm_eap_peap: Tunneled data is valid. rlm_eap_peap: Had sent TLV failure. User was rejcted rejected earlier in this session. rlm_eap: Handler failed in EAP/peap rlm_eap: Failed in EAP select modcall[authenticate]: module "eap" returns invalid for request 15 modcall: leaving group authenticate (returns invalid) for request 15 auth: Failed to validate the user. Login incorrect: [create-net\\antonio/<no User-Password attribute>] (from client ap-test-ivan port 299 cli 000c.f135.f1ba) Delaying request 15 for 1 seconds Finished request 15 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.20.4:1645, id=131, length=255 Sending Access-Reject of id 131 to 192.168.20.4 port 1645 EAP-Message = 0x04090004 Message-Authenticator = 0x00000000000000000000000000000000 --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Nothing to do. Sleeping until we see a request. Thanks and bye Antonio
Antonio Matera wrote:
Your eap.conf is irrelevant because...
authorize { preprocess mschap suffix #eap files }
...you've disabled eap by commenting it out.
Why do people insist on breaking the server? Start with the default config and make small changes to work towards what you need. Making massive changes without understanding the consequences just breaks it.
In the second part off my last mail I have insert the log with eap config. The changes in my server are for the EAP-TLS authentication. I need two different authentication for my purpose.
I don't understand you here.
I don't know if I have to insert in the authorize and authenticate module eap. Whitout it I have this log:
Of course you do. How else would EAP work?
I re-write my log with eap conf.
radius_xlat: '/usr/bin/ntlm_auth --request-nt-key --domain=create-net --username=antonio --challenge=bede046aa1e50281 --nt-response=d483da3fd5896df961259f08a02a57a8e6d1e5de14c5ac81' Exec-Program: /usr/bin/ntlm_auth --request-nt-key --domain=create-net --username=antonio --challenge=bede046aa1e50281 --nt-response=d483da3fd5896df961259f08a02a57a8e6d1e5de14c5ac81 Exec-Program output: Logon failure (0xc000006d) Exec-Program-Wait: plaintext: Logon failure (0xc000006d) It's hard to be sure since it looks like you've pasted together 3 or 4 runs of the server into one debug log, but the above message is very clear. Logon failure. The radius server is working fine. For some reason ntlm_auth is failing your password. This could be because you've typed it wrong, or a samba or AD/NT misconfiguration. Try removing the "--domain" argument from the ntlm_auth helper. If "create-net" is your default domain it should not be needed and I've seen issues with it before. Does "ntlm_auth --username=antonio --password=yourpass" work?
Hallo, ok now it works, there was a problem with the nt domain. one question: it is possible to configure in the same time a MS-CHAP module like this with nt-domain and another with LDAP? I have tried it but if I activate the MS-CHAP module the LDAP authentication doesn't work, whitout MS-CHAP, LDAP works. Any idea? Thanks a lot for your time Bye Antonio
Antonio Matera wrote:
Hallo, ok now it works, there was a problem with the nt domain.
one question: it is possible to configure in the same time a MS-CHAP module like this with nt-domain and another with LDAP?
I'm not sure I understand what you mean. Could you be more specific?
I have tried it but if I activate the MS-CHAP module the LDAP authentication doesn't work, whitout MS-CHAP, LDAP works.
Any idea?
Thanks a lot for your time Bye Antonio - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I'm not sure I understand what you mean. Could you be more specific?
Now I have the MS-CHAP module configured ad it works with the nt users authentication. I have a LDAP server where I have other users. I have configured the LDAP module on freeradius ad it works. The problem is that if I activate both modules, the LDAP authentication doesn't works, but if I remove MS-CHAP auth LDAP works fine. I suppose that there is a problem with the check of the correct user in the correct module. Thanks, bye Antonio
Hi, im working with machine authentication and EAP-TLS Zertifikates. When a machine authenticates I get the name of the mchine like "host/250-IT" . I nee the searchString at LDAP like 250-IT$. How can I strip away that host/ and add $ for the search at the LDAP Directory? Thanks for helping me. Greetings Armin
Hi, im working with machine authentication and EAP-TLS Zertifikates. When a machine authenticates I get the name of the mchine like "host/250-IT" and the search String on LDAP is like "host/250-IT". I nee the searchString at LDAP like 250-IT$. How can I strip away that host/ and add $ for the search at the LDAP Directory? Thanks for helping me. Greetings Armin
--On Saturday, 22 July 2006 09:23 +0200 Krämer Armin <Kraemer.Armin@web.de> wrote:
Hi,
im working with machine authentication and EAP-TLS Zertifikates.
When a machine authenticates I get the name of the mchine like "host/250-IT" and the search String on LDAP is like "host/250-IT".
I nee the searchString at LDAP like 250-IT$. How can I strip away that host/ and add $ for the search at the LDAP Directory?
In your LDAP section of radiusd.conf, replace this: %{Stripped-User-Name:-%{User-Name}} with this: %{Stripped-User-Name:-%{mschap:User-Name}} Regards, James -- James J J Hooper, Information Services University of Bristol --
Thanks, i tried out this now and got the following warning: rlm_ldap: performing user authorization for host/notebook-armin Sat Jul 22 12:25:24 2006 : Debug: WARNING: Attempt to use unknown xlat function, or non-existent attribute in string %{mschap:User-Name} Sat Jul 22 12:25:24 2006 : Debug: radius_xlat: '(&(uid=)(objectclass=radiusprofile))' Sat Jul 22 12:25:24 2006 : Debug: radius_xlat: 'ou=users,ou=radius,dc=ak-server,dc=de' And the search finishes with "NOT FOUND" rlm_ldap: waiting for bind result ... Sat Jul 22 12:25:24 2006 : Debug: rlm_ldap: Bind was successful Sat Jul 22 12:25:24 2006 : Debug: rlm_ldap: performing search in ou=users,ou=radius,dc=ak-server,dc=de, with filter (&(uid=)(objectclass=radiusprofile)) Sat Jul 22 12:25:24 2006 : Debug: rlm_ldap: object not found or got ambiguous search result Sat Jul 22 12:25:24 2006 : Debug: rlm_ldap: search failed Any idea fort this? Looks like the searchString is complete emty now?? I made an LDAP Entry which looks like " uid=host/notebook-armin$ " Thanks for answering! Greetings Armin -----Ursprüngliche Nachricht----- Von: freeradius-users-bounces+kraemer.armin=web.de@lists.freeradius.org [mailto:freeradius-users-bounces+kraemer.armin=web.de@lists.freeradius.org] Im Auftrag von James J J Hooper Gesendet: Samstag, 22. Juli 2006 10:31 An: FreeRadius users mailing list Betreff: Re: Since 2 Month noone any idea how to do this ? Stripping Username Question *important* --On Saturday, 22 July 2006 09:23 +0200 Krämer Armin <Kraemer.Armin@web.de> wrote:
Hi,
im working with machine authentication and EAP-TLS Zertifikates.
When a machine authenticates I get the name of the mchine like "host/250-IT" and the search String on LDAP is like "host/250-IT".
I nee the searchString at LDAP like 250-IT$. How can I strip away that host/ and add $ for the search at the LDAP Directory?
In your LDAP section of radiusd.conf, replace this: %{Stripped-User-Name:-%{User-Name}} with this: %{Stripped-User-Name:-%{mschap:User-Name}} Regards, James -- James J J Hooper, Information Services University of Bristol -- - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
--On Saturday, 22 July 2006 11:19 +0200 Krämer Armin <Kraemer.Armin@web.de> wrote:
Thanks, i tried out this now and got the following warning:
rlm_ldap: performing user authorization for host/notebook-armin Sat Jul 22 12:25:24 2006 : Debug: WARNING: Attempt to use unknown xlat function, or non-existent attribute in string %{mschap:User-Name} Sat Jul 22 12:25:24 2006 : Debug: radius_xlat: '(&(uid=)(objectclass=radiusprofile))' Sat Jul 22 12:25:24 2006 : Debug: radius_xlat: 'ou=users,ou=radius,dc=ak-server,dc=de'
And the search finishes with "NOT FOUND"
rlm_ldap: waiting for bind result ... Sat Jul 22 12:25:24 2006 : Debug: rlm_ldap: Bind was successful Sat Jul 22 12:25:24 2006 : Debug: rlm_ldap: performing search in ou=users,ou=radius,dc=ak-server,dc=de, with filter (&(uid=)(objectclass=radiusprofile)) Sat Jul 22 12:25:24 2006 : Debug: rlm_ldap: object not found or got ambiguous search result Sat Jul 22 12:25:24 2006 : Debug: rlm_ldap: search failed
Any idea fort this? Looks like the searchString is complete emty now??
I made an LDAP Entry which looks like " uid=host/notebook-armin$ "
Thanks for answering!
Greetings
Armin
-----Ursprüngliche Nachricht----- Von: freeradius-users-bounces+kraemer.armin=web.de@lists.freeradius.org [mailto:freeradius-users-bounces+kraemer.armin=web.de@lists.freeradius.or g] Im Auftrag von James J J Hooper Gesendet: Samstag, 22. Juli 2006 10:31 An: FreeRadius users mailing list Betreff: Re: Since 2 Month noone any idea how to do this ? Stripping Username Question *important*
--On Saturday, 22 July 2006 09:23 +0200 Krämer Armin <Kraemer.Armin@web.de> wrote:
Hi,
im working with machine authentication and EAP-TLS Zertifikates.
When a machine authenticates I get the name of the mchine like "host/250-IT" and the search String on LDAP is like "host/250-IT".
I nee the searchString at LDAP like 250-IT$. How can I strip away that host/ and add $ for the search at the LDAP Directory?
In your LDAP section of radiusd.conf, replace this: %{Stripped-User-Name:-%{User-Name}} with this: %{Stripped-User-Name:-%{mschap:User-Name}}
Regards, James
Sorry, what i suggested may only work in the mschap section, not in the LDAP bit... :( James.
James J J Hooper wrote:
In your LDAP section of radiusd.conf, replace this: %{Stripped-User-Name:-%{User-Name}} with this: %{Stripped-User-Name:-%{mschap:User-Name}}
Regards, James
Sorry, what i suggested may only work in the mschap section, not in the LDAP bit... :(
No, it should work anywhere, but he does need to have the mschap module configured, and I think it needs to be *before* the ldap module in authorize.
Okay, thanks now it works quite well with the mschap module :-) -----Ursprüngliche Nachricht----- Von: freeradius-users-bounces+kraemer.armin=web.de@lists.freeradius.org [mailto:freeradius-users-bounces+kraemer.armin=web.de@lists.freeradius.org] Im Auftrag von Phil Mayers Gesendet: Montag, 24. Juli 2006 12:28 An: FreeRadius users mailing list Betreff: Re: AW: Since 2 Month noone any idea how to do this ? Stripping Username Question *important* James J J Hooper wrote:
In your LDAP section of radiusd.conf, replace this: %{Stripped-User-Name:-%{User-Name}} with this: %{Stripped-User-Name:-%{mschap:User-Name}}
Regards, James
Sorry, what i suggested may only work in the mschap section, not in the LDAP bit... :(
No, it should work anywhere, but he does need to have the mschap module configured, and I think it needs to be *before* the ldap module in authorize. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Okay,this morning i was happy that the xlat functions works now well and changes host/Name to Name$ for example. The String host/Mane is only given if a machine authenticates with the machine certificate. In my setup first the computer authenticates and the after logon to the domain the user authenticates again with his own certificate. This time the mxchap function only changes Usernames which have host/ at the beginning but not Usernames from the User Certifikates which comes as "Username" only without host/ at the beginning. How can I add a $ at the end of this Username? Any idea? Thanks Armin -----Ursprüngliche Nachricht----- Von: freeradius-users-bounces+kraemer.armin=web.de@lists.freeradius.org [mailto:freeradius-users-bounces+kraemer.armin=web.de@lists.freeradius.org] Im Auftrag von Krämer Armin Gesendet: Dienstag, 25. Juli 2006 12:36 An: 'FreeRadius users mailing list' Betreff: AW: AW: Since 2 Month noone any idea how to do this ?Stripping Username Question *important* Okay, thanks now it works quite well with the mschap module :-) -----Ursprüngliche Nachricht----- Von: freeradius-users-bounces+kraemer.armin=web.de@lists.freeradius.org [mailto:freeradius-users-bounces+kraemer.armin=web.de@lists.freeradius.org] Im Auftrag von Phil Mayers Gesendet: Montag, 24. Juli 2006 12:28 An: FreeRadius users mailing list Betreff: Re: AW: Since 2 Month noone any idea how to do this ? Stripping Username Question *important* James J J Hooper wrote:
In your LDAP section of radiusd.conf, replace this: %{Stripped-User-Name:-%{User-Name}} with this: %{Stripped-User-Name:-%{mschap:User-Name}}
Regards, James
Sorry, what i suggested may only work in the mschap section, not in the LDAP bit... :(
No, it should work anywhere, but he does need to have the mschap module configured, and I think it needs to be *before* the ldap module in authorize. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi Armin, You may be able to use the attr_rewrite module to rewrite the value of the attribute in the authorize section. You can use a regular expression, something like: search_string = "^([^/]*)/(.*)$" replace_string = "%{2}$" You may need to escape some characters (for example the forward slash), you'll have to try it... Hope that helps. regards, Mike Krämer Armin wrote:
When a machine authenticates I get the name of the mchine like "host/250-IT" and the search String on LDAP is like "host/250-IT".
I nee the searchString at LDAP like 250-IT$. How can I strip away that host/ and add $ for the search at the LDAP Directory?
Okay i tried a little and my result is now that my attr_rewirite looks like: search_string = "(host/)" replace_string = "" That works to delete the "host/" part. But i need a "$" appended to the User-Name. How can i do this? Mit freundlichen Grüßen Armin -----Ursprüngliche Nachricht----- Von: freeradius-users-bounces+kraemer.armin=web.de@lists.freeradius.org [mailto:freeradius-users-bounces+kraemer.armin=web.de@lists.freeradius.org] Im Auftrag von Michael Mitchell Gesendet: Samstag, 22. Juli 2006 11:42 An: FreeRadius users mailing list Betreff: Re: Since 2 Month noone any idea how to do this ? Stripping Username Question *important* Hi Armin, You may be able to use the attr_rewrite module to rewrite the value of the attribute in the authorize section. You can use a regular expression, something like: search_string = "^([^/]*)/(.*)$" replace_string = "%{2}$" You may need to escape some characters (for example the forward slash), you'll have to try it... Hope that helps. regards, Mike Krämer Armin wrote:
When a machine authenticates I get the name of the mchine like "host/250-IT" and the search String on LDAP is like "host/250-IT".
I nee the searchString at LDAP like 250-IT$. How can I strip away that host/ and add $ for the search at the LDAP Directory?
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Armin Krämer wrote:
Okay i tried a little and my result is now that my attr_rewirite looks like:
search_string = "(host/)" replace_string = ""
That works to delete the "host/" part. But i need a "$" appended to the User-Name. How can i do this?
You should use the mschap module and a version of FreeRadius >= 1.1.0, set "with_ntdomain_hack = yes" and it will do the correct thing for you. You will as previously mentioned need to use: %{mschap:User-Name} ...as your variable
participants (7)
-
Alan DeKok -
Antonio Matera -
Armin Krämer -
James J J Hooper -
Krämer Armin -
Michael Mitchell -
Phil Mayers