Re: Freeradius-Users Digest, Vol 42, Issue 169
Here is a debug example (should be sanitized) for an authentication that didn't work. Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /private/etc/raddb/proxy.conf Config: including file: /private/etc/raddb/clients.conf Config: including file: /private/etc/raddb/snmp.conf Config: including file: /private/etc/raddb/eap.conf Config: including file: /private/etc/raddb/sql.conf main: prefix = "/" main: localstatedir = "/private/var" main: logdir = "/private/var/log/radius" main: libdir = "//lib" main: radacctdir = "/private/var/log/radius/radacct" main: hostname_lookups = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = yes main: log_file = "/private/var/log/radius/radius.log" main: log_auth = yes main: log_auth_badpass = no main: log_auth_goodpass = no main: pidfile = "/private/var/run/radiusd/radiusd.pid" main: user = "(null)" main: group = "(null)" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "//sbin/checkrad" main: proxy_requests = yes proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = no proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Loaded exec exec: wait = yes exec: program = "(null)" exec: input_pairs = "request" exec: output_pairs = "(null)" exec: packet_type = "(null)" rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded PAP pap: encryption_scheme = "crypt" pap: auto_header = no Module: Instantiated pap (pap) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = no mschap: require_strong = no mschap: with_ntdomain_hack = no mschap: passwd = "(null)" mschap: ntlm_auth = "(null)" Module: Instantiated mschap (mschap) Module: Loaded opendirectory opendirectory: passwd = "(null)" Module: Instantiated opendirectory (opendirectory) Module: Loaded System unix: cache = no unix: passwd = "(null)" unix: shadow = "(null)" unix: group = "(null)" unix: radwtmp = "/private/var/log/radius/radwtmp" unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded eap eap: default_eap_type = "ttls" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type leap gtc: challenge = "Password: " gtc: auth_type = "PAP" rlm_eap: Loaded and initialized type gtc tls: rsa_key_exchange = no tls: dh_key_exchange = yes tls: rsa_key_length = 512 tls: dh_key_length = 512 tls: verify_depth = 0 tls: CA_path = "(null)" tls: pem_file_type = yes tls: private_key_file = "/etc/certificates/ directory.DOMAIN.wisc.edu.key" tls: certificate_file = "/etc/certificates/ directory.DOMAIN.wisc.edu.crt" tls: CA_file = "/etc/certificates/directory.DOMAIN.wisc.edu.chcrt" tls: private_key_password = "135a*res$ij-Z#Kq&uf%SDc$x" tls: dh_file = "/private/etc/raddb/certs/dh" tls: random_file = "/private/etc/raddb/certs/random" tls: fragment_size = 1024 tls: include_length = yes tls: check_crl = no tls: check_cert_cn = "(null)" tls: cipher_list = "(null)" tls: check_cert_issuer = "(null)" rlm_eap_tls: Loading the certificate file as a chain rlm_eap: Loaded and initialized type tls ttls: default_eap_type = "mschapv2" ttls: copy_request_to_tunnel = no ttls: use_tunneled_reply = no rlm_eap: Loaded and initialized type ttls peap: default_eap_type = "mschapv2" peap: copy_request_to_tunnel = no peap: use_tunneled_reply = no peap: proxy_tunneled_request_as_eap = yes rlm_eap: Loaded and initialized type peap mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = "/private/etc/raddb/huntgroups" preprocess: hints = "/private/etc/raddb/hints" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no preprocess: with_alvarion_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded realm realm: format = "suffix" realm: delimiter = "@" realm: ignore_default = no realm: ignore_null = no Module: Instantiated realm (suffix) realm: format = "prefix" realm: delimiter = "\" realm: ignore_default = no realm: ignore_null = no Module: Instantiated realm (DOMAIN) Module: Loaded files files: usersfile = "/private/etc/raddb/users" files: acctusersfile = "/private/etc/raddb/acct_users" files: preproxy_usersfile = "/private/etc/raddb/preproxy_users" files: compat = "no" Module: Instantiated files (files) Module: Loaded Acct-Unique-Session-Id acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" Module: Instantiated acct_unique (acct_unique) Module: Loaded detail detail: detailfile = "/private/var/log/radius/radacct/%{Client-IP- Address}/detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (detail) Module: Loaded radutmp radutmp: filename = "/private/var/log/radius/radutmp" radutmp: username = "%{User-Name}" radutmp: case_sensitive = yes radutmp: check_with_nas = yes radutmp: perm = 384 radutmp: callerid = yes Module: Instantiated radutmp (radutmp) Module: Loaded SQL sql: driver = "rlm_sql_sqlite" sql: server = "localhost" sql: port = "" sql: login = "root" sql: password = "rootpass" sql: radius_db = "radius" sql: nas_table = "nas" sql: sqltrace = no sql: sqltracefile = "/private/var/log/radius/sqltrace.sql" sql: readclients = yes sql: deletestalesessions = yes sql: num_sql_socks = 5 sql: sql_user_name = "%{User-Name}" sql: default_user_profile = "" sql: query_on_not_found = no sql: authorize_check_query = "SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = '%{SQL-User- Name}' ORDER BY id" sql: authorize_reply_query = "SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = '%{SQL-User- Name}' ORDER BY id" sql: authorize_group_check_query = "SELECT radgroupcheck .id ,radgroupcheck .GroupName ,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = '%{SQL-User-Name}' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id" sql: authorize_group_reply_query = "SELECT radgroupreply .id ,radgroupreply .GroupName ,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = '%{SQL-User-Name}' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id" sql: accounting_onoff_query = "UPDATE radacct SET AcctStopTime='%S', AcctSessionTime=unix_timestamp('%S') - unix_timestamp(AcctStartTime), AcctTerminateCause='%{Acct-Terminate-Cause}', AcctStopDelay = '%{Acct- Delay-Time}' WHERE AcctSessionTime=0 AND AcctStopTime=0 AND NASIPAddress= '%{NAS-IP-Address}' AND AcctStartTime <= '%S'" sql: accounting_update_query = " UPDATE radacct SET FramedIPAddress = '%{Framed-IP- Address}', AcctSessionTime = '%{Acct-Session- Time}', AcctInputOctets = '%{Acct-Input- Gigawords:-0}' << 32 | '%{Acct- Input-Octets:-0}', AcctOutputOctets = '%{Acct-Output- Gigawords:-0}' << 32 | '%{Acct- Output-Octets:-0}' WHERE AcctSessionId = '%{Acct-Session- Id}' AND UserName = '%{SQL-User-Name}' AND NASIPAddress = '%{NAS-IP-Address}'" sql: accounting_update_query_alt = " INSERT INTO radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, XAscendSessionSvrKey) VALUES ('%{Acct-Session- Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User- Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS- Port}', '%{NAS-Port-Type}', DATE_SUB('%S', INTERVAL (%{Acct-Session-Time:-0} + %{Acct-Delay-Time:-0}) SECOND), '%{Acct-Session-Time}', '% {Acct-Authentic}', '', '%{Acct-Input-Gigawords:-0}' << 32 | '%{Acct-Input-Octets:-0}', '%{Acct-Output- Gigawords:-0}' << 32 | '%{Acct-Output- Octets:-0}', '%{Called-Station-Id}', '%{Calling-Station- Id}', '%{Service-Type}', '%{Framed- Protocol}', '%{Framed-IP-Address}', '0', '% {X-Ascend-Session-Svr-Key}')" sql: accounting_start_query = " INSERT INTO radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay, XAscendSessionSvrKey) VALUES ('%{Acct-Session- Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User- Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS- Port}', '%{NAS-Port-Type}', '%S', '0', '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP- Address}', '%{Acct-Delay-Time:-0}', '0', '%{X-Ascend- Session-Svr-Key}')" sql: accounting_start_query_alt = "UPDATE radacct SET AcctStartTime = '%S', AcctStartDelay = '%{Acct-Delay-Time}', ConnectInfo_start = '% {Connect-Info}' WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}' AND NASIPAddress = '%{NAS-IP-Address}'" sql: accounting_stop_query = " UPDATE radacct SET AcctStopTime = '%S', AcctSessionTime = '%{Acct-Session-Time}', AcctInputOctets = '%{Acct-Input-Gigawords:-0}' << 32 | '%{Acct-Input- Octets:-0}', AcctOutputOctets = '%{Acct-Output- Gigawords:-0}' << 32 | '%{Acct- Output-Octets:-0}', AcctTerminateCause = '%{Acct- Terminate-Cause}', AcctStopDelay = '%{Acct-Delay- Time:-0}', ConnectInfo_stop = '%{Connect- Info}' WHERE AcctSessionId = '%{Acct-Session- Id}' AND UserName = '%{SQL-User-Name}' AND NASIPAddress = '%{NAS-IP-Address}'" sql: accounting_stop_query_alt = " INSERT INTO radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) VALUES ('%{Acct- Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User- Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS- Port}', '%{NAS-Port-Type}', DATE_SUB('%S', INTERVAL (%{Acct-Session-Time:-0} + %{Acct-Delay-Time:-0}) SECOND), '%S', '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '% {Connect-Info}', '%{Acct-Input-Gigawords:-0}' << 32 | '%{Acct-Input-Octets:-0}', '%{Acct-Output- Gigawords:-0}' << 32 | '%{Acct-Output- Octets:-0}', '%{Called-Station-Id}', '%{Calling-Station- Id}', '%{Acct-Terminate-Cause}', '%{Service- Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0', '%{Acct-Delay-Time:-0}')" sql: group_membership_query = "SELECT GroupName FROM usergroup WHERE UserName='%{SQL-User-Name}'" sql: connect_failure_retry_delay = 60 sql: simul_count_query = "" sql: simul_verify_query = "SELECT RadAcctId, AcctSessionId, UserName, NASIPAddress, NASPortId, FramedIPAddress, CallingStationId, FramedProtocol FROM radacct WHERE UserName='%{SQL-User- Name}' AND AcctStopTime = 0" sql: postauth_query = "INSERT into radpostauth (user, pass, reply, date) values ('%{User-Name}', '%{User-Password:-Chap-Password}', '% {reply:Packet-Type}', NOW())" sql: safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /" rlm_sql (sql): Driver rlm_sql_sqlite (module rlm_sql_sqlite) loaded and linked rlm_sql (sql): Attempting to connect to root@localhost:/radius rlm_sql (sql): starting 0 rlm_sql (sql): Attempting to connect rlm_sql_sqlite #0 rlm_sql_sqlite: Opening sqlite database for #0 rlm_sql_sqlite: sqlite3_open() = 0 rlm_sql (sql): Connected new DB handle, #0 rlm_sql (sql): starting 1 rlm_sql (sql): Attempting to connect rlm_sql_sqlite #1 rlm_sql_sqlite: Opening sqlite database for #1 rlm_sql_sqlite: sqlite3_open() = 0 rlm_sql (sql): Connected new DB handle, #1 rlm_sql (sql): starting 2 rlm_sql (sql): Attempting to connect rlm_sql_sqlite #2 rlm_sql_sqlite: Opening sqlite database for #2 rlm_sql_sqlite: sqlite3_open() = 0 rlm_sql (sql): Connected new DB handle, #2 rlm_sql (sql): starting 3 rlm_sql (sql): Attempting to connect rlm_sql_sqlite #3 rlm_sql_sqlite: Opening sqlite database for #3 rlm_sql_sqlite: sqlite3_open() = 0 rlm_sql (sql): Connected new DB handle, #3 rlm_sql (sql): starting 4 rlm_sql (sql): Attempting to connect rlm_sql_sqlite #4 rlm_sql_sqlite: Opening sqlite database for #4 rlm_sql_sqlite: sqlite3_open() = 0 rlm_sql (sql): Connected new DB handle, #4 rlm_sql (sql): - generate_sql_clients rlm_sql (sql): Query: SELECT * FROM nas rlm_sql (sql): Reserving sql socket id: 4 rlm_sql_sqlite: sqlite3_prepare() = 0 rlm_sql_sqlite: sqlite3_step = 100 rlm_sql (sql): Read entry nasname=10.0.1.7,shortname=DOMAINWireless,secret=somesecret rlm_sql (sql): Adding client 10.0.1.7 (DOMAINWireless) to clients list rlm_sql_sqlite: sqlite3_step = 100 rlm_sql (sql): Read entry nasname=10.0.2.5,shortname=DOMAINWireless,secret=somesecret rlm_sql (sql): Adding client 10.0.2.5 (DOMAINWireless) to clients list rlm_sql_sqlite: sqlite3_step = 100 rlm_sql (sql): Read entry nasname=10.0.2.6,shortname=DOMAINWireless,secret=somesecret rlm_sql (sql): Adding client 10.0.2.6 (DOMAINWireless) to clients list rlm_sql_sqlite: sqlite3_step = 100 rlm_sql (sql): Read entry nasname=10.0.2.7,shortname=DOMAINWireless,secret=somesecret rlm_sql (sql): Adding client 10.0.2.7 (DOMAINWireless) to clients list rlm_sql_sqlite: sqlite3_step = 100 rlm_sql (sql): Read entry nasname=10.0.2.8,shortname=DOMAINWireless,secret=somesecret rlm_sql (sql): Adding client 10.0.2.8 (DOMAINWireless) to clients list rlm_sql_sqlite: sqlite3_step = 100 rlm_sql (sql): Read entry nasname=10.0.2.9,shortname=DOMAINWireless,secret=somesecret rlm_sql (sql): Adding client 10.0.2.9 (DOMAINWireless) to clients list rlm_sql_sqlite: sqlite3_step = 100 rlm_sql (sql): Read entry nasname=10.0.2.10,shortname=DOMAINWireless,secret=somesecret rlm_sql (sql): Adding client 10.0.2.10 (DOMAINWireless) to clients list rlm_sql_sqlite: sqlite3_step = 100 rlm_sql (sql): Read entry nasname=10.0.2.11,shortname=DOMAINWireless,secret=somesecret rlm_sql (sql): Adding client 10.0.2.11 (DOMAINWireless) to clients list rlm_sql_sqlite: sqlite3_step = 100 rlm_sql (sql): Read entry nasname=10.0.2.12,shortname=DOMAINWireless,secret=somesecret rlm_sql (sql): Adding client 10.0.2.12 (DOMAINWireless) to clients list rlm_sql_sqlite: sqlite3_step = 100 rlm_sql (sql): Read entry nasname=10.0.2.13,shortname=DOMAINWireless,secret=somesecret rlm_sql (sql): Adding client 10.0.2.13 (DOMAINWireless) to clients list rlm_sql_sqlite: sqlite3_step = 100 rlm_sql (sql): Read entry nasname=10.0.2.17,shortname=DOMAINWireless,secret=somesecret rlm_sql (sql): Adding client 10.0.2.17 (DOMAINWireless) to clients list rlm_sql_sqlite: sqlite3_step = 100 rlm_sql (sql): Read entry nasname=10.0.1.5,shortname=DOMAINWireless,secret=somesecret rlm_sql (sql): Adding client 10.0.1.5 (DOMAINWireless) to clients list rlm_sql_sqlite: sqlite3_step = 100 rlm_sql (sql): Read entry nasname=10.0.1.6,shortname=DOMAINWireless,secret=somesecret rlm_sql (sql): Adding client 10.0.1.6 (DOMAINWireless) to clients list rlm_sql_sqlite: sqlite3_step = 100 rlm_sql (sql): Read entry nasname=10.0.1.8,shortname=DOMAINWireless,secret=somesecret rlm_sql (sql): Adding client 10.0.1.8 (DOMAINWireless) to clients list rlm_sql_sqlite: sqlite3_step = 100 rlm_sql (sql): Read entry nasname=10.0.1.9,shortname=DOMAINWireless,secret=somesecret rlm_sql (sql): Adding client 10.0.1.9 (DOMAINWireless) to clients list rlm_sql_sqlite: sqlite3_step = 100 rlm_sql (sql): Read entry nasname=10.0.1.10,shortname=DOMAINWireless,secret=somesecret rlm_sql (sql): Adding client 10.0.1.10 (DOMAINWireless) to clients list rlm_sql_sqlite: sqlite3_step = 100 rlm_sql (sql): Read entry nasname=10.0.1.11,shortname=DOMAINWireless,secret=somesecret rlm_sql (sql): Adding client 10.0.1.11 (DOMAINWireless) to clients list rlm_sql_sqlite: sqlite3_step = 100 rlm_sql (sql): Read entry nasname=10.0.1.12,shortname=DOMAINWireless,secret=somesecret rlm_sql (sql): Adding client 10.0.1.12 (DOMAINWireless) to clients list rlm_sql_sqlite: sqlite3_step = 100 rlm_sql (sql): Read entry nasname=10.0.1.13,shortname=DOMAINWireless,secret=somesecret rlm_sql (sql): Adding client 10.0.1.13 (DOMAINWireless) to clients list rlm_sql_sqlite: sqlite3_step = 100 rlm_sql (sql): Read entry nasname=10.0.1.15,shortname=DOMAINWireless,secret=somesecret rlm_sql (sql): Adding client 10.0.1.15 (DOMAINWireless) to clients list rlm_sql_sqlite: sqlite3_step = 100 rlm_sql (sql): Read entry nasname=10.0.1.16,shortname=DOMAINWireless,secret=somesecret rlm_sql (sql): Adding client 10.0.1.16 (DOMAINWireless) to clients list rlm_sql_sqlite: sqlite3_step = 100 rlm_sql (sql): Read entry nasname=10.0.1.17,shortname=DOMAINWireless,secret=somesecret rlm_sql (sql): Adding client 10.0.1.17 (DOMAINWireless) to clients list rlm_sql_sqlite: sqlite3_step = 100 rlm_sql (sql): Read entry nasname=10.0.1.18,shortname=DOMAINWireless,secret=somesecret rlm_sql (sql): Adding client 10.0.1.18 (DOMAINWireless) to clients list rlm_sql_sqlite: sqlite3_step = 100 rlm_sql (sql): Read entry nasname=10.0.1.19,shortname=DOMAINWireless,secret=somesecret rlm_sql (sql): Adding client 10.0.1.19 (DOMAINWireless) to clients list rlm_sql_sqlite: sqlite3_step = 100 rlm_sql (sql): Read entry nasname=10.0.1.20,shortname=DOMAINWireless,secret=somesecret rlm_sql (sql): Adding client 10.0.1.20 (DOMAINWireless) to clients list rlm_sql_sqlite: sqlite3_step = 100 rlm_sql (sql): Read entry nasname=10.0.1.21,shortname=DOMAINWireless,secret=somesecret rlm_sql (sql): Adding client 10.0.1.21 (DOMAINWireless) to clients list rlm_sql_sqlite: sqlite3_step = 100 rlm_sql (sql): Read entry nasname=10.0.1.14,shortname=DOMAINWireless,secret=somesecret rlm_sql (sql): Adding client 10.0.1.14 (DOMAINWireless) to clients list rlm_sql_sqlite: sqlite3_step = 101 rlm_sql_sqlite: sqlite3_finalize() = 0 rlm_sql (sql): Released sql socket id: 4 Module: Instantiated sql (sql) Listening on authentication *:1812 Listening on accounting *:1813 Ready to process requests. rad_recv: Access-Request packet from host 10.0.1.18:1645, id=111, length=139 User-Name = "DOMAIN\\testuser" Framed-MTU = 1400 Called-Station-Id = "0012.014d.d511" Calling-Station-Id = "001f.5bbe.f006" Service-Type = Login-User Message-Authenticator = 0x3872b3f61f7ac52e849a52979e0a74b8 EAP-Message = 0x020200140142494f4348454d5c6b77746f62696e NAS-Port-Type = Wireless-802.11 NAS-Port = 11710 NAS-IP-Address = 10.0.1.18 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "DOMAIN\testuser", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_realm: Looking up realm "DOMAIN" for User-Name = "DOMAIN \testuser" rlm_realm: Found realm "DOMAIN" rlm_realm: Adding Stripped-User-Name = "testuser" rlm_realm: Proxying request from user testuser to realm DOMAIN rlm_realm: Adding Realm = "DOMAIN" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "DOMAIN" returns noop for request 0 rlm_eap: EAP packet type response id 2 length 20 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 users: Matched entry DEFAULT at line 153 modcall[authorize]: module "files" returns ok for request 0 rlm_opendirectory: The SACL group "com.apple.access_radius" does not exist on this system. rlm_opendirectory: The host 10.0.1.18 does not have an access group. rlm_opendirectory: no access control groups, all users allowed. modcall[authorize]: module "opendirectory" returns ok for request 0 modcall: leaving group authorize (returns updated) for request 0 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 0 modcall: leaving group authenticate (returns handled) for request 0 Sending Access-Challenge of id 111 to 10.0.1.18 port 1645 EAP-Message = 0x010300061520 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1afaa77fee512c191c542a0d38deecdb Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.0.1.18:1645, id=112, length=143 User-Name = "DOMAIN\\testuser" Framed-MTU = 1400 Called-Station-Id = "0012.014d.d511" Calling-Station-Id = "001f.5bbe.f006" Service-Type = Login-User Message-Authenticator = 0x67fbf7c534cf8bfffe377a05ee735b87 EAP-Message = 0x020300060319 NAS-Port-Type = Wireless-802.11 NAS-Port = 11710 State = 0x1afaa77fee512c191c542a0d38deecdb NAS-IP-Address = 10.0.1.18 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module "preprocess" returns ok for request 1 modcall[authorize]: module "chap" returns noop for request 1 modcall[authorize]: module "mschap" returns noop for request 1 rlm_realm: No '@' in User-Name = "DOMAIN\testuser", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 1 rlm_realm: Looking up realm "DOMAIN" for User-Name = "DOMAIN \testuser" rlm_realm: Found realm "DOMAIN" rlm_realm: Adding Stripped-User-Name = "testuser" rlm_realm: Proxying request from user testuser to realm DOMAIN rlm_realm: Adding Realm = "DOMAIN" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "DOMAIN" returns noop for request 1 rlm_eap: EAP packet type response id 3 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 1 users: Matched entry DEFAULT at line 153 modcall[authorize]: module "files" returns ok for request 1 rlm_opendirectory: The SACL group "com.apple.access_radius" does not exist on this system. rlm_opendirectory: The host 10.0.1.18 does not have an access group. rlm_opendirectory: no access control groups, all users allowed. modcall[authorize]: module "opendirectory" returns ok for request 1 modcall: leaving group authorize (returns updated) for request 1 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 1 rlm_eap: Request found, released from the list rlm_eap: EAP NAK rlm_eap: EAP-NAK asked for EAP-Type/peap rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 1 modcall: leaving group authenticate (returns handled) for request 1 Sending Access-Challenge of id 112 to 10.0.1.18 port 1645 EAP-Message = 0x010400061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x213d9fea32566a03bf00145aa202ee95 Finished request 1 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.0.1.18:1645, id=113, length=263 User-Name = "DOMAIN\\testuser" Framed-MTU = 1400 Called-Station-Id = "0012.014d.d511" Calling-Station-Id = "001f.5bbe.f006" Service-Type = Login-User Message-Authenticator = 0xcaf5261f114b8a427301da998303f355 EAP-Message = 0x0204007e198000000074160301006f0100006b030148ee28a6353ef38a7357c1eb520b102f907c1c42da8e89adf612a0dab58a0311000018002f00350005000ac009c00ac013c01400320038001300040100002a00000014001200000f62696f6368656d5c6b77746f62696e000a00080006001700180019000b00020100 NAS-Port-Type = Wireless-802.11 NAS-Port = 11710 State = 0x213d9fea32566a03bf00145aa202ee95 NAS-IP-Address = 10.0.1.18 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 2 modcall[authorize]: module "preprocess" returns ok for request 2 modcall[authorize]: module "chap" returns noop for request 2 modcall[authorize]: module "mschap" returns noop for request 2 rlm_realm: No '@' in User-Name = "DOMAIN\testuser", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 2 rlm_realm: Looking up realm "DOMAIN" for User-Name = "DOMAIN \testuser" rlm_realm: Found realm "DOMAIN" rlm_realm: Adding Stripped-User-Name = "testuser" rlm_realm: Proxying request from user testuser to realm DOMAIN rlm_realm: Adding Realm = "DOMAIN" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "DOMAIN" returns noop for request 2 rlm_eap: EAP packet type response id 4 length 126 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 2 users: Matched entry DEFAULT at line 153 modcall[authorize]: module "files" returns ok for request 2 rlm_opendirectory: The SACL group "com.apple.access_radius" does not exist on this system. rlm_opendirectory: The host 10.0.1.18 does not have an access group. rlm_opendirectory: no access control groups, all users allowed. modcall[authorize]: module "opendirectory" returns ok for request 2 modcall: leaving group authorize (returns updated) for request 2 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 2 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 006f], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0652], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone TLS_accept: SSLv3 write server done A TLS_accept: SSLv3 flush data TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 2 modcall: leaving group authenticate (returns handled) for request 2 Sending Access-Challenge of id 113 to 10.0.1.18 port 1645 EAP-Message = 0x0105040a19c0000006af160301004a02000046030148ee28a6862ecd4f1c75d0941135498d5589d0f8923dcecd0327b7d4c25e298720b469cc938d3696cc7ba04a3385633dff0ceca5c66a59f0ec8b0137ad1c72e8a6002f0016030106520b00064e00064b0003213082031d30820286a003020102020309f4cf300d06092a864886f70d0101050500304e310b30090603550406130255533110300e060355040a130745717569666178312d302b060355040b1324457175696661782053656375726520436572746966696361746520417574686f72697479301e170d3038313030373137353331385a170d3130313030383137353331385a3081a731 EAP-Message = 0x0b30090603550406130255533112301006035504081309576973636f6e73696e3110300e060355040713074d616469736f6e31283026060355040a131f556e6976657273697479206f6620576973636f6e73696e2d4d616469736f6e31233021060355040b131a4465706172746d656e74206f662042696f6368656d6973747279312330210603550403131a6469726563746f72792e62696f6368656d2e776973632e65647530819f300d06092a864886f70d010101050003818d0030818902818100cca2a234e44460f5581769f32d3db1c9c6a392606f399af6949cf226a89ba21bed5eb7a8232c984d62b482798bccda8c7167b5c94610adab12c3 EAP-Message = 0x5d6e4a169057cacdca0c241f7664b4ee357d2c195a77ff58a109372cfed1b47c5f55cd3aecd5614cde8a5e5af7189832b523df01f3b19a045d0820752335dbe76c5001bd86b90203010001a381ae3081ab300e0603551d0f0101ff0404030204f0301d0603551d0e0416041470ebf51284bbf75477107119daa2431c45e66da8303a0603551d1f04333031302fa02da02b8629687474703a2f2f63726c2e67656f74727573742e636f6d2f63726c732f73656375726563612e63726c301f0603551d2304183016801448e668f92bd2b295d747d82320104f3398909fd4301d0603551d250416301406082b0601050507030106082b0601050507030230 EAP-Message = 0x0d06092a864886f70d0101050500038181009ef534fbfd107c74a784add2cd43b697dc7419168de8d3fa40618c2dbd7e1f47476212609fb0abbb792dac5fe1c99efed42c5c9ccee72ce50bde41fa3451d395e1d74254655d2033badfa8999590a4ae14b0ee3448e8687ce1f19472e6d3edfa92827c061f246a8e99e42ef3429f0bb64d4f6f174628e1d4d95d2903f57719580003243082032030820289a003020102020435def4cf300d06092a864886f70d0101050500304e310b30090603550406130255533110300e060355040a130745717569666178312d302b060355040b13244571756966617820536563757265204365727469666963617465 EAP-Message = 0x20417574686f72697479301e170d3938303832323136 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4fc9bff8a885a91d1d81c360abc301c8 Finished request 2 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.0.1.18:1645, id=114, length=143 User-Name = "DOMAIN\\testuser" Framed-MTU = 1400 Called-Station-Id = "0012.014d.d511" Calling-Station-Id = "001f.5bbe.f006" Service-Type = Login-User Message-Authenticator = 0x9fe661434064a4c571b910b9ee4b071e EAP-Message = 0x020500061900 NAS-Port-Type = Wireless-802.11 NAS-Port = 11710 State = 0x4fc9bff8a885a91d1d81c360abc301c8 NAS-IP-Address = 10.0.1.18 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 3 modcall[authorize]: module "preprocess" returns ok for request 3 modcall[authorize]: module "chap" returns noop for request 3 modcall[authorize]: module "mschap" returns noop for request 3 rlm_realm: No '@' in User-Name = "DOMAIN\testuser", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 3 rlm_realm: Looking up realm "DOMAIN" for User-Name = "DOMAIN \testuser" rlm_realm: Found realm "DOMAIN" rlm_realm: Adding Stripped-User-Name = "testuser" rlm_realm: Proxying request from user testuser to realm DOMAIN rlm_realm: Adding Realm = "DOMAIN" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "DOMAIN" returns noop for request 3 rlm_eap: EAP packet type response id 5 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 3 users: Matched entry DEFAULT at line 153 modcall[authorize]: module "files" returns ok for request 3 rlm_opendirectory: The SACL group "com.apple.access_radius" does not exist on this system. rlm_opendirectory: The host 10.0.1.18 does not have an access group. rlm_opendirectory: no access control groups, all users allowed. modcall[authorize]: module "opendirectory" returns ok for request 3 modcall: leaving group authorize (returns updated) for request 3 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 3 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 3 modcall: leaving group authenticate (returns handled) for request 3 Sending Access-Challenge of id 114 to 10.0.1.18 port 1645 EAP-Message = 0x010602b51900343135315a170d3138303832323136343135315a304e310b30090603550406130255533110300e060355040a130745717569666178312d302b060355040b1324457175696661782053656375726520436572746966696361746520417574686f7269747930819f300d06092a864886f70d010101050003818d0030818902818100c15db158670862eea09a2d1f086d911468980a1efeda046f13846221c3d17cce9f05e0b801f04e34ece28a950464acf16b535f05b3cb6780bf42028efedd0109ece100144ffcfbf00cdd43ba5b2be11f80709915579316f10f976ab7c268231ccc4d5930ac511e3baf2bd6ee63457bc5d95f50d2e350 EAP-Message = 0x0f3a88e7bf14fde0c7b90203010001a38201093082010530700603551d1f046930673065a063a061a45f305d310b30090603550406130255533110300e060355040a130745717569666178312d302b060355040b1324457175696661782053656375726520436572746966696361746520417574686f72697479310d300b0603550403130443524c31301a0603551d1004133011810f32303138303832323136343135315a300b0603551d0f040403020106301f0603551d2304183016801448e668f92bd2b295d747d82320104f3398909fd4301d0603551d0e0416041448e668f92bd2b295d747d82320104f3398909fd4300c0603551d1304053003 EAP-Message = 0x0101ff301a06092a864886f67d074100040d300b1b0556332e3063030206c0300d06092a864886f70d01010505000381810058ce29eafcf7deb5ce02b917b585d1b9e3e095cc25310d00a6926e7fb692639e5095d19a6fe411de63856e98eea8ff5ac8d355b2667157dec021eb3d2aa72349010486427bfcee7fa21652b56767d340db3b2658b228773dae147761d6fa2a6627a00dfaa7735cea70f1942165445ffafcef2968a9a28779ef79ef4fac07773816030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa0aad0c5eb884d3249945e643391a47d Finished request 3 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.0.1.18:1645, id=115, length=345 User-Name = "DOMAIN\\testuser" Framed-MTU = 1400 Called-Station-Id = "0012.014d.d511" Calling-Station-Id = "001f.5bbe.f006" Service-Type = Login-User Message-Authenticator = 0xb8dadac61b8901eb220dba61d01750e3 EAP-Message = 0x020600d01980000000c61603010086100000820080597c1d11cc49a47c6c3ee78302bd41eee0e1323c3fc3840f9fe2dc48a457a019b9906d58621f0c5a874b1caf12c1a7ceea0857bd7522fef11b34665136d9eb1f8bacb11b4c4ef77d00599668698a365d225cffcf22aa6e169c3d11ca370ab08aab0a208f7e484cbfa734f3f978d9e111a782bd85406e8d5fdc3fd481f68caf371403010001011603010030ab1dfccc59cbc56427d043f0693f7f42fde9832d113038fee966cd63a0a7cd822200e3e15caecb94f28dbb3e40d8a3db NAS-Port-Type = Wireless-802.11 NAS-Port = 11710 State = 0xa0aad0c5eb884d3249945e643391a47d NAS-IP-Address = 10.0.1.18 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 4 modcall[authorize]: module "preprocess" returns ok for request 4 modcall[authorize]: module "chap" returns noop for request 4 modcall[authorize]: module "mschap" returns noop for request 4 rlm_realm: No '@' in User-Name = "DOMAIN\testuser", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 4 rlm_realm: Looking up realm "DOMAIN" for User-Name = "DOMAIN \testuser" rlm_realm: Found realm "DOMAIN" rlm_realm: Adding Stripped-User-Name = "testuser" rlm_realm: Proxying request from user testuser to realm DOMAIN rlm_realm: Adding Realm = "DOMAIN" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "DOMAIN" returns noop for request 4 rlm_eap: EAP packet type response id 6 length 208 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 4 users: Matched entry DEFAULT at line 153 modcall[authorize]: module "files" returns ok for request 4 rlm_opendirectory: The SACL group "com.apple.access_radius" does not exist on this system. rlm_opendirectory: The host 10.0.1.18 does not have an access group. rlm_opendirectory: no access control groups, all users allowed. modcall[authorize]: module "opendirectory" returns ok for request 4 modcall: leaving group authorize (returns updated) for request 4 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 4 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange TLS_accept: SSLv3 read client key exchange A rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001] rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 read finished A rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001] TLS_accept: SSLv3 write change cipher spec A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 write finished A TLS_accept: SSLv3 flush data (other): SSL negotiation finished successfully SSL Connection Established eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 4 modcall: leaving group authenticate (returns handled) for request 4 Sending Access-Challenge of id 115 to 10.0.1.18 port 1645 EAP-Message = 0x01070041190014030100010116030100303c15e3a238727d4976ae66e07ca837f4e9d2ef10993d36c683d53629e171c9a15bf79a9bc8a7d0516b347176e27fb31c Message-Authenticator = 0x00000000000000000000000000000000 State = 0x6e85d2d72db4ae8cb56d58cfe9e7d6d1 Finished request 4 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.0.1.18:1645, id=116, length=143 User-Name = "DOMAIN\\testuser" Framed-MTU = 1400 Called-Station-Id = "0012.014d.d511" Calling-Station-Id = "001f.5bbe.f006" Service-Type = Login-User Message-Authenticator = 0xc8e894313a4d893c6c9dca3213aa855a EAP-Message = 0x020700061900 NAS-Port-Type = Wireless-802.11 NAS-Port = 11710 State = 0x6e85d2d72db4ae8cb56d58cfe9e7d6d1 NAS-IP-Address = 10.0.1.18 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 5 modcall[authorize]: module "preprocess" returns ok for request 5 modcall[authorize]: module "chap" returns noop for request 5 modcall[authorize]: module "mschap" returns noop for request 5 rlm_realm: No '@' in User-Name = "DOMAIN\testuser", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 5 rlm_realm: Looking up realm "DOMAIN" for User-Name = "DOMAIN \testuser" rlm_realm: Found realm "DOMAIN" rlm_realm: Adding Stripped-User-Name = "testuser" rlm_realm: Proxying request from user testuser to realm DOMAIN rlm_realm: Adding Realm = "DOMAIN" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "DOMAIN" returns noop for request 5 rlm_eap: EAP packet type response id 7 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 5 users: Matched entry DEFAULT at line 153 modcall[authorize]: module "files" returns ok for request 5 rlm_opendirectory: The SACL group "com.apple.access_radius" does not exist on this system. rlm_opendirectory: The host 10.0.1.18 does not have an access group. rlm_opendirectory: no access control groups, all users allowed. modcall[authorize]: module "opendirectory" returns ok for request 5 modcall: leaving group authorize (returns updated) for request 5 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 5 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake is finished eaptls_verify returned 3 eaptls_process returned 3 rlm_eap_peap: EAPTLS_SUCCESS modcall[authenticate]: module "eap" returns handled for request 5 modcall: leaving group authenticate (returns handled) for request 5 Sending Access-Challenge of id 116 to 10.0.1.18 port 1645 EAP-Message = 0x0108002b19001703010020894ebfef510203bfdefc2be5b2af64ed79409fbc312aa91620d20c1ef6c9e99e Message-Authenticator = 0x00000000000000000000000000000000 State = 0x667f72d2b9b60cc8c792446ba47b3535 Finished request 5 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.0.1.18:1645, id=117, length=196 User-Name = "DOMAIN\\testuser" Framed-MTU = 1400 Called-Station-Id = "0012.014d.d511" Calling-Station-Id = "001f.5bbe.f006" Service-Type = Login-User Message-Authenticator = 0xfe1d76cf140ffb4b80272d1ad544207a EAP-Message = 0x0208003b1900170301003074a58eab1fe15f4dd295b7bb5753d8d28000d7d98c25f35a410b307417f7e78903fa0e2e62d2c71a3a4ebfffbc5dabcf NAS-Port-Type = Wireless-802.11 NAS-Port = 11710 State = 0x667f72d2b9b60cc8c792446ba47b3535 NAS-IP-Address = 10.0.1.18 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 6 modcall[authorize]: module "preprocess" returns ok for request 6 modcall[authorize]: module "chap" returns noop for request 6 modcall[authorize]: module "mschap" returns noop for request 6 rlm_realm: No '@' in User-Name = "DOMAIN\testuser", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 6 rlm_realm: Looking up realm "DOMAIN" for User-Name = "DOMAIN \testuser" rlm_realm: Found realm "DOMAIN" rlm_realm: Adding Stripped-User-Name = "testuser" rlm_realm: Proxying request from user testuser to realm DOMAIN rlm_realm: Adding Realm = "DOMAIN" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "DOMAIN" returns noop for request 6 rlm_eap: EAP packet type response id 8 length 59 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 6 users: Matched entry DEFAULT at line 153 modcall[authorize]: module "files" returns ok for request 6 rlm_opendirectory: The SACL group "com.apple.access_radius" does not exist on this system. rlm_opendirectory: The host 10.0.1.18 does not have an access group. rlm_opendirectory: no access control groups, all users allowed. modcall[authorize]: module "opendirectory" returns ok for request 6 modcall: leaving group authorize (returns updated) for request 6 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 6 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Identity - DOMAIN\testuser rlm_eap_peap: Tunneled data is valid. PEAP: Got tunneled EAP-Message EAP-Message = 0x020800140142494f4348454d5c6b77746f62696e PEAP: Got tunneled identity of DOMAIN\testuser PEAP: Setting default EAP type for tunneled EAP session. PEAP: Setting User-Name to DOMAIN\testuser PEAP: Sending tunneled request EAP-Message = 0x020800140142494f4348454d5c6b77746f62696e FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "DOMAIN\\testuser" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 6 modcall[authorize]: module "preprocess" returns ok for request 6 modcall[authorize]: module "chap" returns noop for request 6 modcall[authorize]: module "mschap" returns noop for request 6 rlm_realm: No '@' in User-Name = "DOMAIN\testuser", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 6 rlm_realm: Looking up realm "DOMAIN" for User-Name = "DOMAIN \testuser" rlm_realm: Found realm "DOMAIN" rlm_realm: Adding Stripped-User-Name = "testuser" rlm_realm: Proxying request from user testuser to realm DOMAIN rlm_realm: Adding Realm = "DOMAIN" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "DOMAIN" returns noop for request 6 rlm_eap: EAP packet type response id 8 length 20 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 6 users: Matched entry DEFAULT at line 153 modcall[authorize]: module "files" returns ok for request 6 rlm_opendirectory: The SACL group "com.apple.access_radius" does not exist on this system. rlm_opendirectory: The host 127.0.0.1 does not have an access group. rlm_opendirectory: no access control groups, all users allowed. modcall[authorize]: module "opendirectory" returns ok for request 6 modcall: leaving group authorize (returns updated) for request 6 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 6 rlm_eap: EAP Identity rlm_eap: processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge modcall[authenticate]: module "eap" returns handled for request 6 modcall: leaving group authenticate (returns handled) for request 6 PEAP: Got tunneled reply RADIUS code 11 EAP-Message = 0x010900291a0109002410ada228177cea587da67e8a14293003e242494f4348454d5c6b77746f62696e Message-Authenticator = 0x00000000000000000000000000000000 State = 0x6fd611116704dd8d3a6e60122839a38a PEAP: Processing from tunneled session code 0x1cf7f0 11 EAP-Message = 0x010900291a0109002410ada228177cea587da67e8a14293003e242494f4348454d5c6b77746f62696e Message-Authenticator = 0x00000000000000000000000000000000 State = 0x6fd611116704dd8d3a6e60122839a38a PEAP: Got tunneled Access-Challenge modcall[authenticate]: module "eap" returns handled for request 6 modcall: leaving group authenticate (returns handled) for request 6 Sending Access-Challenge of id 117 to 10.0.1.18 port 1645 EAP-Message = 0x0109004b190017030100409dc1d2e3de18e332ee1f354ca7ea42430cb28bec284d6e1df399470a7c773512c64e0ca325af994b916a1687863104e07da4f713eab336e6e31d5128d181fe8a Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb07d9a64054ccfa304b5e8c9258b22eb Finished request 6 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.0.1.18:1645, id=118, length=244 User-Name = "DOMAIN\\testuser" Framed-MTU = 1400 Called-Station-Id = "0012.014d.d511" Calling-Station-Id = "001f.5bbe.f006" Service-Type = Login-User Message-Authenticator = 0xc9e25c759079c60070f69a4cc4cc4dbb EAP-Message = 0x0209006b19001703010060565fea2824b81092422bbb4e6ca95a963bc2bed89a5f126b55c7fc0f68da56e6857926921aa51aa5a3fa6d6cb2192eddbffa695a21da747cda6b2b65aba5f904d479265e8b74d6b5e3498d4cb9bda71463cb3ba1ae9725a53b816ae906b22f75 NAS-Port-Type = Wireless-802.11 NAS-Port = 11710 State = 0xb07d9a64054ccfa304b5e8c9258b22eb NAS-IP-Address = 10.0.1.18 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 7 modcall[authorize]: module "preprocess" returns ok for request 7 modcall[authorize]: module "chap" returns noop for request 7 modcall[authorize]: module "mschap" returns noop for request 7 rlm_realm: No '@' in User-Name = "DOMAIN\testuser", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 7 rlm_realm: Looking up realm "DOMAIN" for User-Name = "DOMAIN \testuser" rlm_realm: Found realm "DOMAIN" rlm_realm: Adding Stripped-User-Name = "testuser" rlm_realm: Proxying request from user testuser to realm DOMAIN rlm_realm: Adding Realm = "DOMAIN" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "DOMAIN" returns noop for request 7 rlm_eap: EAP packet type response id 9 length 107 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 7 users: Matched entry DEFAULT at line 153 modcall[authorize]: module "files" returns ok for request 7 rlm_opendirectory: The SACL group "com.apple.access_radius" does not exist on this system. rlm_opendirectory: The host 10.0.1.18 does not have an access group. rlm_opendirectory: no access control groups, all users allowed. modcall[authorize]: module "opendirectory" returns ok for request 7 modcall: leaving group authorize (returns updated) for request 7 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 7 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: EAP type mschapv2 rlm_eap_peap: Tunneled data is valid. PEAP: Got tunneled EAP-Message EAP-Message = 0x0209004a1a0209004531e06d9dd10abb52b1ca8256dc2991d6b0000000000000000049660c6e4fd26fa0eb5869b4a1542b6d2ac4fcdca827e46a0042494f4348454d5c6b77746f62696e PEAP: Setting User-Name to DOMAIN\testuser PEAP: Adding old state with 6f d6 PEAP: Sending tunneled request EAP-Message = 0x0209004a1a0209004531e06d9dd10abb52b1ca8256dc2991d6b0000000000000000049660c6e4fd26fa0eb5869b4a1542b6d2ac4fcdca827e46a0042494f4348454d5c6b77746f62696e FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "DOMAIN\\testuser" State = 0x6fd611116704dd8d3a6e60122839a38a Processing the authorize section of radiusd.conf modcall: entering group authorize for request 7 modcall[authorize]: module "preprocess" returns ok for request 7 modcall[authorize]: module "chap" returns noop for request 7 modcall[authorize]: module "mschap" returns noop for request 7 rlm_realm: No '@' in User-Name = "DOMAIN\testuser", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 7 rlm_realm: Looking up realm "DOMAIN" for User-Name = "DOMAIN \testuser" rlm_realm: Found realm "DOMAIN" rlm_realm: Adding Stripped-User-Name = "testuser" rlm_realm: Proxying request from user testuser to realm DOMAIN rlm_realm: Adding Realm = "DOMAIN" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "DOMAIN" returns noop for request 7 rlm_eap: EAP packet type response id 9 length 74 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 7 users: Matched entry DEFAULT at line 153 modcall[authorize]: module "files" returns ok for request 7 rlm_opendirectory: The SACL group "com.apple.access_radius" does not exist on this system. rlm_opendirectory: The host 127.0.0.1 does not have an access group. rlm_opendirectory: no access control groups, all users allowed. modcall[authorize]: module "opendirectory" returns ok for request 7 modcall: leaving group authorize (returns updated) for request 7 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 7 rlm_eap: Request found, released from the list rlm_eap: EAP/mschapv2 rlm_eap: processing type mschapv2 Processing the authenticate section of radiusd.conf modcall: entering group MS-CHAP for request 7 rlm_mschap: No User-Password configured. Cannot create LM-Password. rlm_mschap: No User-Password configured. Cannot create NT-Password. rlm_mschap: NT Domain delimeter found, should we have enabled with_ntdomain_hack? rlm_mschap: Told to do MS-CHAPv2 for DOMAIN\testuser with NT-Password rlm_mschap: No NT-Password configured. Trying DirectoryService Authentication. rlm_mschap: getUserNodeRef(): dsGetRecordList() status = 0, recCount=0 rlm_osx_od: ds_mschap_auth: getUserNodeRef failed modcall[authenticate]: module "mschap" returns fail for request 7 modcall: leaving group MS-CHAP (returns fail) for request 7 rlm_eap: Freeing handler modcall[authenticate]: module "eap" returns reject for request 7 modcall: leaving group authenticate (returns reject) for request 7 auth: Failed to validate the user. Login incorrect: [testuser] (from client localhost port 0) PEAP: Got tunneled reply RADIUS code 3 EAP-Message = 0x04090004 Message-Authenticator = 0x00000000000000000000000000000000 PEAP: Processing from tunneled session code 0x1d3610 3 EAP-Message = 0x04090004 Message-Authenticator = 0x00000000000000000000000000000000 PEAP: Tunneled authentication was rejected. rlm_eap_peap: FAILURE modcall[authenticate]: module "eap" returns handled for request 7 modcall: leaving group authenticate (returns handled) for request 7 Sending Access-Challenge of id 118 to 10.0.1.18 port 1645 EAP-Message = 0x010a002b1900170301002098b863d032fc27588e4f45f63277db6a504a4bd8e4932bbdbd35d7f79843a0e1 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe943c6bde4e335aea5e91e7bad008121 Finished request 7 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.0.1.18:1645, id=119, length=180 User-Name = "DOMAIN\\testuser" Framed-MTU = 1400 Called-Station-Id = "0012.014d.d511" Calling-Station-Id = "001f.5bbe.f006" Service-Type = Login-User Message-Authenticator = 0x4316a82bd1b1e481b8db80d0a7212dc1 EAP-Message = 0x020a002b1900170301002015ce2466699e563b85fe4b34ad1795d3183f4bfde6c6ad9ca4dbb03415e4df45 NAS-Port-Type = Wireless-802.11 NAS-Port = 11710 State = 0xe943c6bde4e335aea5e91e7bad008121 NAS-IP-Address = 10.0.1.18 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 8 modcall[authorize]: module "preprocess" returns ok for request 8 modcall[authorize]: module "chap" returns noop for request 8 modcall[authorize]: module "mschap" returns noop for request 8 rlm_realm: No '@' in User-Name = "DOMAIN\testuser", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 8 rlm_realm: Looking up realm "DOMAIN" for User-Name = "DOMAIN \testuser" rlm_realm: Found realm "DOMAIN" rlm_realm: Adding Stripped-User-Name = "testuser" rlm_realm: Proxying request from user testuser to realm DOMAIN rlm_realm: Adding Realm = "DOMAIN" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "DOMAIN" returns noop for request 8 rlm_eap: EAP packet type response id 10 length 43 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 8 users: Matched entry DEFAULT at line 153 modcall[authorize]: module "files" returns ok for request 8 rlm_opendirectory: The SACL group "com.apple.access_radius" does not exist on this system. rlm_opendirectory: The host 10.0.1.18 does not have an access group. rlm_opendirectory: no access control groups, all users allowed. modcall[authorize]: module "opendirectory" returns ok for request 8 modcall: leaving group authorize (returns updated) for request 8 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 8 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Received EAP-TLV response. rlm_eap_peap: Tunneled data is valid. rlm_eap_peap: Had sent TLV failure. User was rejcted rejected earlier in this session. rlm_eap: Handler failed in EAP/peap rlm_eap: Failed in EAP select modcall[authenticate]: module "eap" returns invalid for request 8 modcall: leaving group authenticate (returns invalid) for request 8 auth: Failed to validate the user. Login incorrect: [testuser] (from client DOMAINWireless port 11710 cli 001f.5bbe.f006) Delaying request 8 for 1 seconds Finished request 8 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.0.1.18:1645, id=119, length=180 Sending Access-Reject of id 119 to 10.0.1.18 port 1645 EAP-Message = 0x040a0004 Message-Authenticator = 0x00000000000000000000000000000000 --- Walking the entire request list --- Cleaning up request 0 ID 111 with timestamp 48ee28a6 Cleaning up request 1 ID 112 with timestamp 48ee28a6 Cleaning up request 2 ID 113 with timestamp 48ee28a6 Cleaning up request 3 ID 114 with timestamp 48ee28a6 Cleaning up request 4 ID 115 with timestamp 48ee28a6 Cleaning up request 5 ID 116 with timestamp 48ee28a6 Cleaning up request 6 ID 117 with timestamp 48ee28a6 Cleaning up request 7 ID 118 with timestamp 48ee28a6 Cleaning up request 8 ID 119 with timestamp 48ee28a6 Nothing to do. Sleeping until we see a request. Kerry Tobin
Date: Wed, 29 Oct 2008 20:48:57 +0100 From: <tnt@kalik.net> Subject: Re: Unable to authenticate to Open Directory To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Message-ID: <2IU0N0fo.1225309737.1973290.tnt@kalik.net> Content-Type: text/plain; charset=ISO-8859-2
You should really include the debug with this. It seems that you need to add ntdomain to the authorize section (below suffix) in order to get stripped username.
Ivan Kalik Kalik Informatika ISP
Dana 29/10/2008, "Kerry Tobin" <kwtobin@wisc.edu> pi?e:
I'm trying to use the version of FreeRadius built into OS X for wireless single sign-on and I'm running into some issues. I believe this has come up before and I found the following thread http://lists.freeradius.org/mailman/htdig/freeradius-users/2008-September/ms... .. I've tried to follow what was suggested there but it doesn't seem to be working. Can someone provide some slightly more thorough instructions of what I should be attempting?
Authentication works perfectly for our Macintosh systems and any Windows machine if we don't send a domain for authentication but not when the domain is included. I can authenticate if I add DOMAIN \username as a username for one of the accounts but that's not a "clean" option as far as I'm concerned. No matter what I try with proxies, nthack, etc. I can't seem to get authentication to work for Windows machines.
Kerry Tobin
participants (2)
-
Kerry Tobin -
tnt@kalik.net