Freeradius with LDAP, PEAP MSCHAPv2
Hello, I'm trying to set up authentication over PEAP-MSCHAPv2. In LDAP I have NTLM-hashed passwords Version is 3.0.13 from CentOS 7 repository. Testing with radtest is successful: Sent Access-Request Id 72 from 0.0.0.0:36799 to 127.0.0.1:1812 length 87 User-Name = "robert_plestenjak" User-Password = "XXX" NAS-IP-Address = X.X.X.X NAS-Port = 1812 Message-Authenticator = 0x00 Cleartext-Password = "XXX" Received Access-Accept Id 72 from 127.0.0.1:1812 to 0.0.0.0:0 length 20 When I test with Wifi (Cisco Meraki), it fails: (0) Received Access-Request Id 60 from X.X.X.X:37829 to X.X.X.X:1812 length 271 (0) User-Name = "robert_plestenjak" (0) NAS-IP-Address = X.X.X.X (0) Called-Station-Id = "82-15-54-A9-EB-44:Blubber" (0) NAS-Port-Type = Wireless-802.11 (0) Service-Type = Framed-User (0) Calling-Station-Id = "18-F0-E4-3B-AA-02" (0) Connect-Info = "CONNECT 54.00 Mbps, 802.11ac, RSSI: 31, Channel: 108" (0) Acct-Session-Id = "AE4E038CE2ACDB0A" (0) Acct-Multi-Session-Id = "3F1C9E9F7EE1D184" (0) WLAN-Pairwise-Cipher = 1027076 (0) WLAN-Group-Cipher = 1027076 (0) WLAN-AKM-Suite = 1027073 (0) Meraki-Device-Name = "olai" (0) Framed-MTU = 1400 (0) EAP-Message = 0x0229001601726f626572745f706c657374656e6a616b (0) Message-Authenticator = 0x0a1c310be4f79d6acca1eb4a67deb60e (0) # Executing section authorize from file /etc/raddb/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "robert_plestenjak", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: Peer sent EAP Response (code 2) ID 41 length 22 (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = eap (0) # Executing group from file /etc/raddb/sites-enabled/default (0) authenticate { (0) eap: Peer sent packet with method EAP Identity (1) (0) eap: Calling submodule eap_md5 to process data (0) eap_md5: Issuing MD5 Challenge (0) eap: Sending EAP Request (code 1) ID 42 length 22 (0) eap: EAP session adding &reply:State = 0x46c8d21046e2d6bc (0) [eap] = handled (0) } # authenticate = handled (0) Using Post-Auth-Type Challenge (0) # Executing group from file /etc/raddb/sites-enabled/default (0) Challenge { ... } # empty sub-section is ignored (0) Sent Access-Challenge Id 60 from X.X.X.X:1812 to X.X.X.X:37829 length 0 (0) EAP-Message = 0x012a00160410dddf52a2d853bc9017a6c96d00a0b389 (0) Message-Authenticator = 0x00000000000000000000000000000000 (0) State = 0x46c8d21046e2d6bc6e5900b0d6f9d128 (0) Finished request Waking up in 4.9 seconds. (1) Received Access-Request Id 61 from X.X.X.X:37829 to X.X.X.X:1812 length 273 (1) User-Name = "robert_plestenjak" (1) NAS-IP-Address = X.X.X.X (1) Called-Station-Id = "82-15-54-A9-EB-44:Blubber" (1) NAS-Port-Type = Wireless-802.11 (1) Service-Type = Framed-User (1) Calling-Station-Id = "18-F0-E4-3B-AA-02" (1) Connect-Info = "CONNECT 54.00 Mbps, 802.11ac, RSSI: 31, Channel: 108" (1) Acct-Session-Id = "AE4E038CE2ACDB0A" (1) Acct-Multi-Session-Id = "3F1C9E9F7EE1D184" (1) WLAN-Pairwise-Cipher = 1027076 (1) WLAN-Group-Cipher = 1027076 (1) WLAN-AKM-Suite = 1027073 (1) Meraki-Device-Name = "olai" (1) Framed-MTU = 1400 (1) EAP-Message = 0x022a00060319 (1) State = 0x46c8d21046e2d6bc6e5900b0d6f9d128 (1) Message-Authenticator = 0xd3ffb74c0af4b8f5b52afbf18d82b8d2 (1) session-state: No cached attributes (1) # Executing section authorize from file /etc/raddb/sites-enabled/default (1) authorize { (1) policy filter_username { (1) if (&User-Name) { (1) if (&User-Name) -> TRUE (1) if (&User-Name) { (1) if (&User-Name =~ / /) { (1) if (&User-Name =~ / /) -> FALSE (1) if (&User-Name =~ /@[^@]*@/ ) { (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (1) if (&User-Name =~ /\.\./ ) { (1) if (&User-Name =~ /\.\./ ) -> FALSE (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (1) if (&User-Name =~ /\.$/) { (1) if (&User-Name =~ /\.$/) -> FALSE (1) if (&User-Name =~ /@\./) { (1) if (&User-Name =~ /@\./) -> FALSE (1) } # if (&User-Name) = notfound (1) } # policy filter_username = notfound (1) [preprocess] = ok (1) [chap] = noop (1) [mschap] = noop (1) [digest] = noop (1) suffix: Checking for suffix after "@" (1) suffix: No '@' in User-Name = "robert_plestenjak", looking up realm NULL (1) suffix: No such realm "NULL" (1) [suffix] = noop (1) eap: Peer sent EAP Response (code 2) ID 42 length 6 (1) eap: No EAP Start, assuming it's an on-going EAP conversation (1) [eap] = updated (1) [files] = noop rlm_ldap (ldap): Reserved connection (0) (1) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (1) ldap: --> (uid=robert_plestenjak) (1) ldap: Performing search in "dc=xlab,dc=si" with filter "(uid=robert_plestenjak)", scope "sub" (1) ldap: Waiting for search result... (1) ldap: User object found at DN "cn=Robert Plestenjak,ou=people,ou=xlab-research,dc=xlab,dc=si" (1) ldap: Processing user attributes (1) ldap: control:Password-With-Header += 'XXX' rlm_ldap (ldap): Released connection (0) Need 5 more connections to reach 10 spares rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots used rlm_ldap (ldap): Connecting to ldaps://auth3.xlab.si:636 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful (1) [ldap] = updated (1) if ((ok || updated) && User-Password) { (1) if ((ok || updated) && User-Password) -> FALSE (1) [expiration] = noop (1) [logintime] = noop (1) pap: No {...} in Password-With-Header, re-writing to Cleartext-Password (1) pap: Removing &control:Password-With-Header (1) pap: WARNING: Auth-Type already set. Not setting to PAP (1) [pap] = noop (1) } # authorize = updated (1) Found Auth-Type = eap (1) # Executing group from file /etc/raddb/sites-enabled/default (1) authenticate { (1) eap: Expiring EAP session with state 0x46c8d21046e2d6bc (1) eap: Finished EAP session with state 0x46c8d21046e2d6bc (1) eap: Previous EAP request found for state 0x46c8d21046e2d6bc, released from the list (1) eap: Peer sent packet with method EAP NAK (3) (1) eap: Found mutually acceptable type PEAP (25) (1) eap: Calling submodule eap_peap to process data (1) eap_peap: Initiating new EAP-TLS session (1) eap_peap: [eaptls start] = request (1) eap: Sending EAP Request (code 1) ID 43 length 6 (1) eap: EAP session adding &reply:State = 0x46c8d21047e3cbbc (1) [eap] = handled (1) } # authenticate = handled (1) Using Post-Auth-Type Challenge (1) # Executing group from file /etc/raddb/sites-enabled/default (1) Challenge { ... } # empty sub-section is ignored (1) Sent Access-Challenge Id 61 from X.X.X.X:1812 to X.X.X.X:37829 length 0 (1) EAP-Message = 0x012b00061920 (1) Message-Authenticator = 0x00000000000000000000000000000000 (1) State = 0x46c8d21047e3cbbc6e5900b0d6f9d128 (1) Finished request Waking up in 4.9 seconds. (2) Received Access-Request Id 62 from X.X.X.X:37829 to X.X.X.X:1812 length 416 (2) User-Name = "robert_plestenjak" (2) NAS-IP-Address = X.X.X.X (2) Called-Station-Id = "82-15-54-A9-EB-44:Blubber" (2) NAS-Port-Type = Wireless-802.11 (2) Service-Type = Framed-User (2) Calling-Station-Id = "18-F0-E4-3B-AA-02" (2) Connect-Info = "CONNECT 54.00 Mbps, 802.11ac, RSSI: 31, Channel: 108" (2) Acct-Session-Id = "AE4E038CE2ACDB0A" (2) Acct-Multi-Session-Id = "3F1C9E9F7EE1D184" (2) WLAN-Pairwise-Cipher = 1027076 (2) WLAN-Group-Cipher = 1027076 (2) WLAN-AKM-Suite = 1027073 (2) Meraki-Device-Name = "olai" (2) Framed-MTU = 1400 (2) EAP-Message = 0x022b009519800000008b160301008601000082030318104905101d0258ca25ae0986254aedf90b1c8fdf08e710e17c259b38fd5ad000002ac02bc02fc02cc030cca9cca8c009c023c013c027c00ac024c014c028009c009d002f003c0035003d000a0100002fff0100010000170000000d0010000e0403 (2) State = 0x46c8d21047e3cbbc6e5900b0d6f9d128 (2) Message-Authenticator = 0x8d7c5c5560d235684aceeb01ee99f66b (2) session-state: No cached attributes (2) # Executing section authorize from file /etc/raddb/sites-enabled/default (2) authorize { (2) policy filter_username { (2) if (&User-Name) { (2) if (&User-Name) -> TRUE (2) if (&User-Name) { (2) if (&User-Name =~ / /) { (2) if (&User-Name =~ / /) -> FALSE (2) if (&User-Name =~ /@[^@]*@/ ) { (2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (2) if (&User-Name =~ /\.\./ ) { (2) if (&User-Name =~ /\.\./ ) -> FALSE (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (2) if (&User-Name =~ /\.$/) { (2) if (&User-Name =~ /\.$/) -> FALSE (2) if (&User-Name =~ /@\./) { (2) if (&User-Name =~ /@\./) -> FALSE (2) } # if (&User-Name) = notfound (2) } # policy filter_username = notfound (2) [preprocess] = ok (2) [chap] = noop (2) [mschap] = noop (2) [digest] = noop (2) suffix: Checking for suffix after "@" (2) suffix: No '@' in User-Name = "robert_plestenjak", looking up realm NULL (2) suffix: No such realm "NULL" (2) [suffix] = noop (2) eap: Peer sent EAP Response (code 2) ID 43 length 149 (2) eap: Continuing tunnel setup (2) [eap] = ok (2) } # authorize = ok (2) Found Auth-Type = eap (2) # Executing group from file /etc/raddb/sites-enabled/default (2) authenticate { (2) eap: Expiring EAP session with state 0x46c8d21047e3cbbc (2) eap: Finished EAP session with state 0x46c8d21047e3cbbc (2) eap: Previous EAP request found for state 0x46c8d21047e3cbbc, released from the list (2) eap: Peer sent packet with method EAP PEAP (25) (2) eap: Calling submodule eap_peap to process data (2) eap_peap: Continuing EAP-TLS (2) eap_peap: Peer indicated complete TLS record size will be 139 bytes (2) eap_peap: Got complete TLS record (139 bytes) (2) eap_peap: [eaptls verify] = length included (2) eap_peap: (other): before/accept initialization (2) eap_peap: TLS_accept: before/accept initialization (2) eap_peap: <<< recv TLS 1.2 [length 0086] (2) eap_peap: TLS_accept: SSLv3 read client hello A (2) eap_peap: >>> send TLS 1.2 [length 0039] (2) eap_peap: TLS_accept: SSLv3 write server hello A (2) eap_peap: >>> send TLS 1.2 [length 08d3] (2) eap_peap: TLS_accept: SSLv3 write certificate A (2) eap_peap: >>> send TLS 1.2 [length 014d] (2) eap_peap: TLS_accept: SSLv3 write key exchange A (2) eap_peap: >>> send TLS 1.2 [length 0004] (2) eap_peap: TLS_accept: SSLv3 write server done A (2) eap_peap: TLS_accept: SSLv3 flush data (2) eap_peap: TLS_accept: SSLv3 read client certificate A (2) eap_peap: TLS_accept: Need to read more data: SSLv3 read client key exchange A (2) eap_peap: TLS_accept: Need to read more data: SSLv3 read client key exchange A (2) eap_peap: In SSL Handshake Phase (2) eap_peap: In SSL Accept mode (2) eap_peap: [eaptls process] = handled (2) eap: Sending EAP Request (code 1) ID 44 length 1004 (2) eap: EAP session adding &reply:State = 0x46c8d21044e4cbbc (2) [eap] = handled (2) } # authenticate = handled (2) Using Post-Auth-Type Challenge (2) # Executing group from file /etc/raddb/sites-enabled/default (2) Challenge { ... } # empty sub-section is ignored (2) Sent Access-Challenge Id 62 from X.X.X.X:1812 to X.X.X.X:37829 length 0 (2) EAP-Message = 0x012c03ec19c000000a711603030039020000350303ea32a5d7a1bbfdbf9e7ee34e29050563b1ffc93c77c2247fb4634b9936ff065600c02f00000dff01000100000b00040300010216030308d30b0008cf0008cc0003de308203da308202c2a003020102020101300d06092a864886f70d01010b050030 (2) Message-Authenticator = 0x00000000000000000000000000000000 (2) State = 0x46c8d21044e4cbbc6e5900b0d6f9d128 (2) Finished request Waking up in 4.9 seconds. (3) Received Access-Request Id 63 from X.X.X.X:37829 to X.X.X.X:1812 length 273 (3) User-Name = "robert_plestenjak" (3) NAS-IP-Address = X.X.X.X (3) Called-Station-Id = "82-15-54-A9-EB-44:Blubber" (3) NAS-Port-Type = Wireless-802.11 (3) Service-Type = Framed-User (3) Calling-Station-Id = "18-F0-E4-3B-AA-02" (3) Connect-Info = "CONNECT 54.00 Mbps, 802.11ac, RSSI: 31, Channel: 108" (3) Acct-Session-Id = "AE4E038CE2ACDB0A" (3) Acct-Multi-Session-Id = "3F1C9E9F7EE1D184" (3) WLAN-Pairwise-Cipher = 1027076 (3) WLAN-Group-Cipher = 1027076 (3) WLAN-AKM-Suite = 1027073 (3) Meraki-Device-Name = "olai" (3) Framed-MTU = 1400 (3) EAP-Message = 0x022c00061900 (3) State = 0x46c8d21044e4cbbc6e5900b0d6f9d128 (3) Message-Authenticator = 0x44ed2c1a2c57511fb51626d94cea998d (3) session-state: No cached attributes (3) # Executing section authorize from file /etc/raddb/sites-enabled/default (3) authorize { (3) policy filter_username { (3) if (&User-Name) { (3) if (&User-Name) -> TRUE (3) if (&User-Name) { (3) if (&User-Name =~ / /) { (3) if (&User-Name =~ / /) -> FALSE (3) if (&User-Name =~ /@[^@]*@/ ) { (3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (3) if (&User-Name =~ /\.\./ ) { (3) if (&User-Name =~ /\.\./ ) -> FALSE (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (3) if (&User-Name =~ /\.$/) { (3) if (&User-Name =~ /\.$/) -> FALSE (3) if (&User-Name =~ /@\./) { (3) if (&User-Name =~ /@\./) -> FALSE (3) } # if (&User-Name) = notfound (3) } # policy filter_username = notfound (3) [preprocess] = ok (3) [chap] = noop (3) [mschap] = noop (3) [digest] = noop (3) suffix: Checking for suffix after "@" (3) suffix: No '@' in User-Name = "robert_plestenjak", looking up realm NULL (3) suffix: No such realm "NULL" (3) [suffix] = noop (3) eap: Peer sent EAP Response (code 2) ID 44 length 6 (3) eap: Continuing tunnel setup (3) [eap] = ok (3) } # authorize = ok (3) Found Auth-Type = eap (3) # Executing group from file /etc/raddb/sites-enabled/default (3) authenticate { (3) eap: Expiring EAP session with state 0x46c8d21044e4cbbc (3) eap: Finished EAP session with state 0x46c8d21044e4cbbc (3) eap: Previous EAP request found for state 0x46c8d21044e4cbbc, released from the list (3) eap: Peer sent packet with method EAP PEAP (25) (3) eap: Calling submodule eap_peap to process data (3) eap_peap: Continuing EAP-TLS (3) eap_peap: Peer ACKed our handshake fragment (3) eap_peap: [eaptls verify] = request (3) eap_peap: [eaptls process] = handled (3) eap: Sending EAP Request (code 1) ID 45 length 1000 (3) eap: EAP session adding &reply:State = 0x46c8d21045e5cbbc (3) [eap] = handled (3) } # authenticate = handled (3) Using Post-Auth-Type Challenge (3) # Executing group from file /etc/raddb/sites-enabled/default (3) Challenge { ... } # empty sub-section is ignored (3) Sent Access-Challenge Id 63 from X.X.X.X:1812 to X.X.X.X:37829 length 0 (3) EAP-Message = 0x012d03e819402dbdf62800fd47c44b6189df90644cc345df23b390e938143137414b4dc3906a2aefff96f82551639cf9a10ead226ee8a9d0d7c4bf51bcca698315290b7a181527f2841445909d7d420004e8308204e4308203cca003020102020900d20da3179fcff6af300d06092a864886f70d01010b (3) Message-Authenticator = 0x00000000000000000000000000000000 (3) State = 0x46c8d21045e5cbbc6e5900b0d6f9d128 (3) Finished request Waking up in 4.9 seconds. (4) Received Access-Request Id 64 from X.X.X.X:37829 to X.X.X.X:1812 length 273 (4) User-Name = "robert_plestenjak" (4) NAS-IP-Address = X.X.X.X (4) Called-Station-Id = "82-15-54-A9-EB-44:Blubber" (4) NAS-Port-Type = Wireless-802.11 (4) Service-Type = Framed-User (4) Calling-Station-Id = "18-F0-E4-3B-AA-02" (4) Connect-Info = "CONNECT 54.00 Mbps, 802.11ac, RSSI: 31, Channel: 108" (4) Acct-Session-Id = "AE4E038CE2ACDB0A" (4) Acct-Multi-Session-Id = "3F1C9E9F7EE1D184" (4) WLAN-Pairwise-Cipher = 1027076 (4) WLAN-Group-Cipher = 1027076 (4) WLAN-AKM-Suite = 1027073 (4) Meraki-Device-Name = "olai" (4) Framed-MTU = 1400 (4) EAP-Message = 0x022d00061900 (4) State = 0x46c8d21045e5cbbc6e5900b0d6f9d128 (4) Message-Authenticator = 0xa82ea1907b66b0e0486d7358963589a7 (4) session-state: No cached attributes (4) # Executing section authorize from file /etc/raddb/sites-enabled/default (4) authorize { (4) policy filter_username { (4) if (&User-Name) { (4) if (&User-Name) -> TRUE (4) if (&User-Name) { (4) if (&User-Name =~ / /) { (4) if (&User-Name =~ / /) -> FALSE (4) if (&User-Name =~ /@[^@]*@/ ) { (4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (4) if (&User-Name =~ /\.\./ ) { (4) if (&User-Name =~ /\.\./ ) -> FALSE (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (4) if (&User-Name =~ /\.$/) { (4) if (&User-Name =~ /\.$/) -> FALSE (4) if (&User-Name =~ /@\./) { (4) if (&User-Name =~ /@\./) -> FALSE (4) } # if (&User-Name) = notfound (4) } # policy filter_username = notfound (4) [preprocess] = ok (4) [chap] = noop (4) [mschap] = noop (4) [digest] = noop (4) suffix: Checking for suffix after "@" (4) suffix: No '@' in User-Name = "robert_plestenjak", looking up realm NULL (4) suffix: No such realm "NULL" (4) [suffix] = noop (4) eap: Peer sent EAP Response (code 2) ID 45 length 6 (4) eap: Continuing tunnel setup (4) [eap] = ok (4) } # authorize = ok (4) Found Auth-Type = eap (4) # Executing group from file /etc/raddb/sites-enabled/default (4) authenticate { (4) eap: Expiring EAP session with state 0x46c8d21045e5cbbc (4) eap: Finished EAP session with state 0x46c8d21045e5cbbc (4) eap: Previous EAP request found for state 0x46c8d21045e5cbbc, released from the list (4) eap: Peer sent packet with method EAP PEAP (25) (4) eap: Calling submodule eap_peap to process data (4) eap_peap: Continuing EAP-TLS (4) eap_peap: Peer ACKed our handshake fragment (4) eap_peap: [eaptls verify] = request (4) eap_peap: [eaptls process] = handled (4) eap: Sending EAP Request (code 1) ID 46 length 691 (4) eap: EAP session adding &reply:State = 0x46c8d21042e6cbbc (4) [eap] = handled (4) } # authenticate = handled (4) Using Post-Auth-Type Challenge (4) # Executing group from file /etc/raddb/sites-enabled/default (4) Challenge { ... } # empty sub-section is ignored (4) Sent Access-Challenge Id 64 from X.X.X.X:1812 to X.X.X.X:37829 length 0 (4) EAP-Message = 0x012e02b319000530030101ff30360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e6f72672f6578616d706c655f63612e63726c300d06092a864886f70d01010b0500038201010082ec17a6a7053cdb07445b2a8258e5e5f0cad094486cb4a81527d41f7ff73f (4) Message-Authenticator = 0x00000000000000000000000000000000 (4) State = 0x46c8d21042e6cbbc6e5900b0d6f9d128 (4) Finished request Waking up in 4.9 seconds. (5) Received Access-Request Id 65 from X.X.X.X:37829 to X.X.X.X:1812 length 403 (5) User-Name = "robert_plestenjak" (5) NAS-IP-Address = X.X.X.X (5) Called-Station-Id = "82-15-54-A9-EB-44:Blubber" (5) NAS-Port-Type = Wireless-802.11 (5) Service-Type = Framed-User (5) Calling-Station-Id = "18-F0-E4-3B-AA-02" (5) Connect-Info = "CONNECT 54.00 Mbps, 802.11ac, RSSI: 31, Channel: 108" (5) Acct-Session-Id = "AE4E038CE2ACDB0A" (5) Acct-Multi-Session-Id = "3F1C9E9F7EE1D184" (5) WLAN-Pairwise-Cipher = 1027076 (5) WLAN-Group-Cipher = 1027076 (5) WLAN-AKM-Suite = 1027073 (5) Meraki-Device-Name = "olai" (5) Framed-MTU = 1400 (5) EAP-Message = 0x022e008819800000007e1603030046100000424104fb2e08dfc5eb824bcf64fbb8ff77906d79826239bbc5ff15023c4371596d0422c7ea05f73a3fdffa848b11c8d757eba23c64302d202b63022e12e35a6f23fc48140303000101160303002800000000000000005b6195d7b05366d7ac3d11cf44f77c (5) State = 0x46c8d21042e6cbbc6e5900b0d6f9d128 (5) Message-Authenticator = 0xcdb102cb862715a789a736e630c4b31f (5) session-state: No cached attributes (5) # Executing section authorize from file /etc/raddb/sites-enabled/default (5) authorize { (5) policy filter_username { (5) if (&User-Name) { (5) if (&User-Name) -> TRUE (5) if (&User-Name) { (5) if (&User-Name =~ / /) { (5) if (&User-Name =~ / /) -> FALSE (5) if (&User-Name =~ /@[^@]*@/ ) { (5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (5) if (&User-Name =~ /\.\./ ) { (5) if (&User-Name =~ /\.\./ ) -> FALSE (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (5) if (&User-Name =~ /\.$/) { (5) if (&User-Name =~ /\.$/) -> FALSE (5) if (&User-Name =~ /@\./) { (5) if (&User-Name =~ /@\./) -> FALSE (5) } # if (&User-Name) = notfound (5) } # policy filter_username = notfound (5) [preprocess] = ok (5) [chap] = noop (5) [mschap] = noop (5) [digest] = noop (5) suffix: Checking for suffix after "@" (5) suffix: No '@' in User-Name = "robert_plestenjak", looking up realm NULL (5) suffix: No such realm "NULL" (5) [suffix] = noop (5) eap: Peer sent EAP Response (code 2) ID 46 length 136 (5) eap: Continuing tunnel setup (5) [eap] = ok (5) } # authorize = ok (5) Found Auth-Type = eap (5) # Executing group from file /etc/raddb/sites-enabled/default (5) authenticate { (5) eap: Expiring EAP session with state 0x46c8d21042e6cbbc (5) eap: Finished EAP session with state 0x46c8d21042e6cbbc (5) eap: Previous EAP request found for state 0x46c8d21042e6cbbc, released from the list (5) eap: Peer sent packet with method EAP PEAP (25) (5) eap: Calling submodule eap_peap to process data (5) eap_peap: Continuing EAP-TLS (5) eap_peap: Peer indicated complete TLS record size will be 126 bytes (5) eap_peap: Got complete TLS record (126 bytes) (5) eap_peap: [eaptls verify] = length included (5) eap_peap: <<< recv TLS 1.2 [length 0046] (5) eap_peap: TLS_accept: SSLv3 read client key exchange A (5) eap_peap: TLS_accept: SSLv3 read certificate verify A (5) eap_peap: <<< recv TLS 1.2 [length 0001] (5) eap_peap: <<< recv TLS 1.2 [length 0010] (5) eap_peap: TLS_accept: SSLv3 read finished A (5) eap_peap: >>> send TLS 1.2 [length 0001] (5) eap_peap: TLS_accept: SSLv3 write change cipher spec A (5) eap_peap: >>> send TLS 1.2 [length 0010] (5) eap_peap: TLS_accept: SSLv3 write finished A (5) eap_peap: TLS_accept: SSLv3 flush data (5) eap_peap: (other): SSL negotiation finished successfully (5) eap_peap: SSL Connection Established (5) eap_peap: [eaptls process] = handled (5) eap: Sending EAP Request (code 1) ID 47 length 57 (5) eap: EAP session adding &reply:State = 0x46c8d21043e7cbbc (5) [eap] = handled (5) } # authenticate = handled (5) Using Post-Auth-Type Challenge (5) # Executing group from file /etc/raddb/sites-enabled/default (5) Challenge { ... } # empty sub-section is ignored (5) Sent Access-Challenge Id 65 from X.X.X.X:1812 to X.X.X.X:37829 length 0 (5) EAP-Message = 0x012f003919001403030001011603030028652f3ff10fb2c5ec7eaba85c96965e3cdaebaab760ef337bdf697193d7580a6381d9bc98fce6eb16 (5) Message-Authenticator = 0x00000000000000000000000000000000 (5) State = 0x46c8d21043e7cbbc6e5900b0d6f9d128 (5) Finished request Waking up in 4.9 seconds. (6) Received Access-Request Id 66 from X.X.X.X:37829 to X.X.X.X:1812 length 273 (6) User-Name = "robert_plestenjak" (6) NAS-IP-Address = X.X.X.X (6) Called-Station-Id = "82-15-54-A9-EB-44:Blubber" (6) NAS-Port-Type = Wireless-802.11 (6) Service-Type = Framed-User (6) Calling-Station-Id = "18-F0-E4-3B-AA-02" (6) Connect-Info = "CONNECT 54.00 Mbps, 802.11ac, RSSI: 31, Channel: 108" (6) Acct-Session-Id = "AE4E038CE2ACDB0A" (6) Acct-Multi-Session-Id = "3F1C9E9F7EE1D184" (6) WLAN-Pairwise-Cipher = 1027076 (6) WLAN-Group-Cipher = 1027076 (6) WLAN-AKM-Suite = 1027073 (6) Meraki-Device-Name = "olai" (6) Framed-MTU = 1400 (6) EAP-Message = 0x022f00061900 (6) State = 0x46c8d21043e7cbbc6e5900b0d6f9d128 (6) Message-Authenticator = 0xf613e30b444fdc6251b89176c4ea98e3 (6) session-state: No cached attributes (6) # Executing section authorize from file /etc/raddb/sites-enabled/default (6) authorize { (6) policy filter_username { (6) if (&User-Name) { (6) if (&User-Name) -> TRUE (6) if (&User-Name) { (6) if (&User-Name =~ / /) { (6) if (&User-Name =~ / /) -> FALSE (6) if (&User-Name =~ /@[^@]*@/ ) { (6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (6) if (&User-Name =~ /\.\./ ) { (6) if (&User-Name =~ /\.\./ ) -> FALSE (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (6) if (&User-Name =~ /\.$/) { (6) if (&User-Name =~ /\.$/) -> FALSE (6) if (&User-Name =~ /@\./) { (6) if (&User-Name =~ /@\./) -> FALSE (6) } # if (&User-Name) = notfound (6) } # policy filter_username = notfound (6) [preprocess] = ok (6) [chap] = noop (6) [mschap] = noop (6) [digest] = noop (6) suffix: Checking for suffix after "@" (6) suffix: No '@' in User-Name = "robert_plestenjak", looking up realm NULL (6) suffix: No such realm "NULL" (6) [suffix] = noop (6) eap: Peer sent EAP Response (code 2) ID 47 length 6 (6) eap: Continuing tunnel setup (6) [eap] = ok (6) } # authorize = ok (6) Found Auth-Type = eap (6) # Executing group from file /etc/raddb/sites-enabled/default (6) authenticate { (6) eap: Expiring EAP session with state 0x46c8d21043e7cbbc (6) eap: Finished EAP session with state 0x46c8d21043e7cbbc (6) eap: Previous EAP request found for state 0x46c8d21043e7cbbc, released from the list (6) eap: Peer sent packet with method EAP PEAP (25) (6) eap: Calling submodule eap_peap to process data (6) eap_peap: Continuing EAP-TLS (6) eap_peap: Peer ACKed our handshake fragment. handshake is finished (6) eap_peap: [eaptls verify] = success (6) eap_peap: [eaptls process] = success (6) eap_peap: Session established. Decoding tunneled attributes (6) eap_peap: PEAP state TUNNEL ESTABLISHED (6) eap: Sending EAP Request (code 1) ID 48 length 40 (6) eap: EAP session adding &reply:State = 0x46c8d21040f8cbbc (6) [eap] = handled (6) } # authenticate = handled (6) Using Post-Auth-Type Challenge (6) # Executing group from file /etc/raddb/sites-enabled/default (6) Challenge { ... } # empty sub-section is ignored (6) Sent Access-Challenge Id 66 from X.X.X.X:1812 to X.X.X.X:37829 length 0 (6) EAP-Message = 0x013000281900170303001d652f3ff10fb2c5edc396f1fb96534d5a09ed3bd8844d3cb98c691e6cdd (6) Message-Authenticator = 0x00000000000000000000000000000000 (6) State = 0x46c8d21040f8cbbc6e5900b0d6f9d128 (6) Finished request Waking up in 4.9 seconds. (7) Received Access-Request Id 67 from X.X.X.X:37829 to X.X.X.X:1812 length 320 (7) User-Name = "robert_plestenjak" (7) NAS-IP-Address = X.X.X.X (7) Called-Station-Id = "82-15-54-A9-EB-44:Blubber" (7) NAS-Port-Type = Wireless-802.11 (7) Service-Type = Framed-User (7) Calling-Station-Id = "18-F0-E4-3B-AA-02" (7) Connect-Info = "CONNECT 54.00 Mbps, 802.11ac, RSSI: 31, Channel: 108" (7) Acct-Session-Id = "AE4E038CE2ACDB0A" (7) Acct-Multi-Session-Id = "3F1C9E9F7EE1D184" (7) WLAN-Pairwise-Cipher = 1027076 (7) WLAN-Group-Cipher = 1027076 (7) WLAN-AKM-Suite = 1027073 (7) Meraki-Device-Name = "olai" (7) Framed-MTU = 1400 (7) EAP-Message = 0x023000351900170303002a000000000000000125e0edd772c07188d67f8ac17c95b08291f4d8ee740ac579a17566729c283e4de6c8 (7) State = 0x46c8d21040f8cbbc6e5900b0d6f9d128 (7) Message-Authenticator = 0x12f53a0a6021756bf2a6b2fc55a901a3 (7) session-state: No cached attributes (7) # Executing section authorize from file /etc/raddb/sites-enabled/default (7) authorize { (7) policy filter_username { (7) if (&User-Name) { (7) if (&User-Name) -> TRUE (7) if (&User-Name) { (7) if (&User-Name =~ / /) { (7) if (&User-Name =~ / /) -> FALSE (7) if (&User-Name =~ /@[^@]*@/ ) { (7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (7) if (&User-Name =~ /\.\./ ) { (7) if (&User-Name =~ /\.\./ ) -> FALSE (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (7) if (&User-Name =~ /\.$/) { (7) if (&User-Name =~ /\.$/) -> FALSE (7) if (&User-Name =~ /@\./) { (7) if (&User-Name =~ /@\./) -> FALSE (7) } # if (&User-Name) = notfound (7) } # policy filter_username = notfound (7) [preprocess] = ok (7) [chap] = noop (7) [mschap] = noop (7) [digest] = noop (7) suffix: Checking for suffix after "@" (7) suffix: No '@' in User-Name = "robert_plestenjak", looking up realm NULL (7) suffix: No such realm "NULL" (7) [suffix] = noop (7) eap: Peer sent EAP Response (code 2) ID 48 length 53 (7) eap: Continuing tunnel setup (7) [eap] = ok (7) } # authorize = ok (7) Found Auth-Type = eap (7) # Executing group from file /etc/raddb/sites-enabled/default (7) authenticate { (7) eap: Expiring EAP session with state 0x46c8d21040f8cbbc (7) eap: Finished EAP session with state 0x46c8d21040f8cbbc (7) eap: Previous EAP request found for state 0x46c8d21040f8cbbc, released from the list (7) eap: Peer sent packet with method EAP PEAP (25) (7) eap: Calling submodule eap_peap to process data (7) eap_peap: Continuing EAP-TLS (7) eap_peap: [eaptls verify] = ok (7) eap_peap: Done initial handshake (7) eap_peap: [eaptls process] = ok (7) eap_peap: Session established. Decoding tunneled attributes (7) eap_peap: PEAP state WAITING FOR INNER IDENTITY (7) eap_peap: Identity - robert_plestenjak (7) eap_peap: Got inner identity 'robert_plestenjak' (7) eap_peap: Setting default EAP type for tunneled EAP session (7) eap_peap: Got tunneled request (7) eap_peap: EAP-Message = 0x0230001601726f626572745f706c657374656e6a616b (7) eap_peap: Setting User-Name to robert_plestenjak (7) eap_peap: Sending tunneled request to inner-tunnel (7) eap_peap: EAP-Message = 0x0230001601726f626572745f706c657374656e6a616b (7) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (7) eap_peap: User-Name = "robert_plestenjak" (7) Virtual server inner-tunnel received request (7) EAP-Message = 0x0230001601726f626572745f706c657374656e6a616b (7) FreeRADIUS-Proxied-To = 127.0.0.1 (7) User-Name = "robert_plestenjak" (7) WARNING: Outer and inner identities are the same. User privacy is compromised. (7) server inner-tunnel { (7) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel (7) authorize { (7) policy filter_username { (7) if (&User-Name) { (7) if (&User-Name) -> TRUE (7) if (&User-Name) { (7) if (&User-Name =~ / /) { (7) if (&User-Name =~ / /) -> FALSE (7) if (&User-Name =~ /@[^@]*@/ ) { (7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (7) if (&User-Name =~ /\.\./ ) { (7) if (&User-Name =~ /\.\./ ) -> FALSE (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (7) if (&User-Name =~ /\.$/) { (7) if (&User-Name =~ /\.$/) -> FALSE (7) if (&User-Name =~ /@\./) { (7) if (&User-Name =~ /@\./) -> FALSE (7) } # if (&User-Name) = notfound (7) } # policy filter_username = notfound (7) [chap] = noop (7) [mschap] = noop (7) suffix: Checking for suffix after "@" (7) suffix: No '@' in User-Name = "robert_plestenjak", looking up realm NULL (7) suffix: No such realm "NULL" (7) [suffix] = noop (7) update control { (7) &Proxy-To-Realm := LOCAL (7) } # update control = noop (7) eap: Peer sent EAP Response (code 2) ID 48 length 22 (7) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (7) [eap] = ok (7) } # authorize = ok (7) Found Auth-Type = eap (7) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (7) authenticate { (7) eap: Peer sent packet with method EAP Identity (1) (7) eap: Calling submodule eap_mschapv2 to process data (7) eap_mschapv2: Issuing Challenge (7) eap: Sending EAP Request (code 1) ID 49 length 43 (7) eap: EAP session adding &reply:State = 0xb9b0a1f1b981bb6e (7) [eap] = handled (7) } # authenticate = handled (7) } # server inner-tunnel (7) Virtual server sending reply (7) EAP-Message = 0x0131002b1a0131002610c55413e285b325a381cfe991245249f6667265657261646975732d332e302e3133 (7) Message-Authenticator = 0x00000000000000000000000000000000 (7) State = 0xb9b0a1f1b981bb6ee399006fef12b2ad (7) eap_peap: Got tunneled reply code 11 (7) eap_peap: EAP-Message = 0x0131002b1a0131002610c55413e285b325a381cfe991245249f6667265657261646975732d332e302e3133 (7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (7) eap_peap: State = 0xb9b0a1f1b981bb6ee399006fef12b2ad (7) eap_peap: Got tunneled reply RADIUS code 11 (7) eap_peap: EAP-Message = 0x0131002b1a0131002610c55413e285b325a381cfe991245249f6667265657261646975732d332e302e3133 (7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (7) eap_peap: State = 0xb9b0a1f1b981bb6ee399006fef12b2ad (7) eap_peap: Got tunneled Access-Challenge (7) eap: Sending EAP Request (code 1) ID 49 length 74 (7) eap: EAP session adding &reply:State = 0x46c8d21041f9cbbc (7) [eap] = handled (7) } # authenticate = handled (7) Using Post-Auth-Type Challenge (7) # Executing group from file /etc/raddb/sites-enabled/default (7) Challenge { ... } # empty sub-section is ignored (7) Sent Access-Challenge Id 67 from X.X.X.X:1812 to X.X.X.X:37829 length 0 (7) EAP-Message = 0x0131004a1900170303003f652f3ff10fb2c5ee7d1dc7c9e2a8eab376bcf614675fc6b749d9d35b70d018df036218eb66b192f7a667d1512441f23b4b8ed103e7e51abcc1ccb629d4b709 (7) Message-Authenticator = 0x00000000000000000000000000000000 (7) State = 0x46c8d21041f9cbbc6e5900b0d6f9d128 (7) Finished request Waking up in 4.9 seconds. (8) Received Access-Request Id 68 from X.X.X.X:37829 to X.X.X.X:1812 length 374 (8) User-Name = "robert_plestenjak" (8) NAS-IP-Address = X.X.X.X (8) Called-Station-Id = "82-15-54-A9-EB-44:Blubber" (8) NAS-Port-Type = Wireless-802.11 (8) Service-Type = Framed-User (8) Calling-Station-Id = "18-F0-E4-3B-AA-02" (8) Connect-Info = "CONNECT 54.00 Mbps, 802.11ac, RSSI: 31, Channel: 108" (8) Acct-Session-Id = "AE4E038CE2ACDB0A" (8) Acct-Multi-Session-Id = "3F1C9E9F7EE1D184" (8) WLAN-Pairwise-Cipher = 1027076 (8) WLAN-Group-Cipher = 1027076 (8) WLAN-AKM-Suite = 1027073 (8) Meraki-Device-Name = "olai" (8) Framed-MTU = 1400 (8) EAP-Message = 0x0231006b1900170303006000000000000000023889c5f8167aca23ac8159b1f565ea917ee16b989cfa799eec8b81911bc2fd6c32b4c44cd11d900a80376691793a616e041565552c1f286df0b04e830cc018dea39f6666cf1486ce3f36872ee5611b78130639007839772d (8) State = 0x46c8d21041f9cbbc6e5900b0d6f9d128 (8) Message-Authenticator = 0xd7d29fba79fdde7e4401eef1926543e4 (8) session-state: No cached attributes (8) # Executing section authorize from file /etc/raddb/sites-enabled/default (8) authorize { (8) policy filter_username { (8) if (&User-Name) { (8) if (&User-Name) -> TRUE (8) if (&User-Name) { (8) if (&User-Name =~ / /) { (8) if (&User-Name =~ / /) -> FALSE (8) if (&User-Name =~ /@[^@]*@/ ) { (8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (8) if (&User-Name =~ /\.\./ ) { (8) if (&User-Name =~ /\.\./ ) -> FALSE (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (8) if (&User-Name =~ /\.$/) { (8) if (&User-Name =~ /\.$/) -> FALSE (8) if (&User-Name =~ /@\./) { (8) if (&User-Name =~ /@\./) -> FALSE (8) } # if (&User-Name) = notfound (8) } # policy filter_username = notfound (8) [preprocess] = ok (8) [chap] = noop (8) [mschap] = noop (8) [digest] = noop (8) suffix: Checking for suffix after "@" (8) suffix: No '@' in User-Name = "robert_plestenjak", looking up realm NULL (8) suffix: No such realm "NULL" (8) [suffix] = noop (8) eap: Peer sent EAP Response (code 2) ID 49 length 107 (8) eap: Continuing tunnel setup (8) [eap] = ok (8) } # authorize = ok (8) Found Auth-Type = eap (8) # Executing group from file /etc/raddb/sites-enabled/default (8) authenticate { (8) eap: Expiring EAP session with state 0xb9b0a1f1b981bb6e (8) eap: Finished EAP session with state 0x46c8d21041f9cbbc (8) eap: Previous EAP request found for state 0x46c8d21041f9cbbc, released from the list (8) eap: Peer sent packet with method EAP PEAP (25) (8) eap: Calling submodule eap_peap to process data (8) eap_peap: Continuing EAP-TLS (8) eap_peap: [eaptls verify] = ok (8) eap_peap: Done initial handshake (8) eap_peap: [eaptls process] = ok (8) eap_peap: Session established. Decoding tunneled attributes (8) eap_peap: PEAP state phase2 (8) eap_peap: EAP method MSCHAPv2 (26) (8) eap_peap: Got tunneled request (8) eap_peap: EAP-Message = 0x0231004c1a023100473134d1e890f521ae70fbd338821cf2707b0000000000000000eeae867724f7f70ac517e7c1d96c26cb95f034fbd44e93dd00726f626572745f706c657374656e6a616b (8) eap_peap: Setting User-Name to robert_plestenjak (8) eap_peap: Sending tunneled request to inner-tunnel (8) eap_peap: EAP-Message = 0x0231004c1a023100473134d1e890f521ae70fbd338821cf2707b0000000000000000eeae867724f7f70ac517e7c1d96c26cb95f034fbd44e93dd00726f626572745f706c657374656e6a616b (8) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (8) eap_peap: User-Name = "robert_plestenjak" (8) eap_peap: State = 0xb9b0a1f1b981bb6ee399006fef12b2ad (8) Virtual server inner-tunnel received request (8) EAP-Message = 0x0231004c1a023100473134d1e890f521ae70fbd338821cf2707b0000000000000000eeae867724f7f70ac517e7c1d96c26cb95f034fbd44e93dd00726f626572745f706c657374656e6a616b (8) FreeRADIUS-Proxied-To = 127.0.0.1 (8) User-Name = "robert_plestenjak" (8) State = 0xb9b0a1f1b981bb6ee399006fef12b2ad (8) WARNING: Outer and inner identities are the same. User privacy is compromised. (8) server inner-tunnel { (8) session-state: No cached attributes (8) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel (8) authorize { (8) policy filter_username { (8) if (&User-Name) { (8) if (&User-Name) -> TRUE (8) if (&User-Name) { (8) if (&User-Name =~ / /) { (8) if (&User-Name =~ / /) -> FALSE (8) if (&User-Name =~ /@[^@]*@/ ) { (8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (8) if (&User-Name =~ /\.\./ ) { (8) if (&User-Name =~ /\.\./ ) -> FALSE (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (8) if (&User-Name =~ /\.$/) { (8) if (&User-Name =~ /\.$/) -> FALSE (8) if (&User-Name =~ /@\./) { (8) if (&User-Name =~ /@\./) -> FALSE (8) } # if (&User-Name) = notfound (8) } # policy filter_username = notfound (8) [chap] = noop (8) [mschap] = noop (8) suffix: Checking for suffix after "@" (8) suffix: No '@' in User-Name = "robert_plestenjak", looking up realm NULL (8) suffix: No such realm "NULL" (8) [suffix] = noop (8) update control { (8) &Proxy-To-Realm := LOCAL (8) } # update control = noop (8) eap: Peer sent EAP Response (code 2) ID 49 length 76 (8) eap: No EAP Start, assuming it's an on-going EAP conversation (8) [eap] = updated (8) [files] = noop rlm_ldap (ldap): Reserved connection (1) (8) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (8) ldap: --> (uid=robert_plestenjak) (8) ldap: Performing search in "dc=xlab,dc=si" with filter "(uid=robert_plestenjak)", scope "sub" (8) ldap: Waiting for search result... (8) ldap: User object found at DN "cn=Robert Plestenjak,ou=people,ou=xlab-research,dc=xlab,dc=si" (8) ldap: Processing user attributes (8) ldap: control:Password-With-Header += 'XXX' rlm_ldap (ldap): Released connection (1) (8) [ldap] = updated (8) [expiration] = noop (8) [logintime] = noop (8) pap: No {...} in Password-With-Header, re-writing to Cleartext-Password (8) pap: Removing &control:Password-With-Header (8) pap: WARNING: Auth-Type already set. Not setting to PAP (8) [pap] = noop (8) } # authorize = updated (8) Found Auth-Type = eap (8) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (8) authenticate { (8) eap: Expiring EAP session with state 0xb9b0a1f1b981bb6e (8) eap: Finished EAP session with state 0xb9b0a1f1b981bb6e (8) eap: Previous EAP request found for state 0xb9b0a1f1b981bb6e, released from the list (8) eap: Peer sent packet with method EAP MSCHAPv2 (26) (8) eap: Calling submodule eap_mschapv2 to process data (8) eap_mschapv2: # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (8) eap_mschapv2: authenticate { (8) mschap: Found Cleartext-Password, hashing to create NT-Password (8) mschap: Found Cleartext-Password, hashing to create LM-Password (8) mschap: Creating challenge hash with username: robert_plestenjak (8) mschap: Client is using MS-CHAPv2 (8) mschap: ERROR: MS-CHAP2-Response is incorrect (8) [mschap] = reject (8) } # authenticate = reject (8) eap: Sending EAP Failure (code 4) ID 49 length 4 (8) eap: Freeing handler (8) [eap] = reject (8) } # authenticate = reject (8) Failed to authenticate the user (8) Using Post-Auth-Type Reject (8) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (8) Post-Auth-Type REJECT { (8) attr_filter.access_reject: EXPAND %{User-Name} (8) attr_filter.access_reject: --> robert_plestenjak (8) attr_filter.access_reject: Matched entry DEFAULT at line 11 (8) [attr_filter.access_reject] = updated (8) update outer.session-state { (8) &Module-Failure-Message := &request:Module-Failure-Message -> 'mschap: MS-CHAP2-Response is incorrect' (8) } # update outer.session-state = noop (8) } # Post-Auth-Type REJECT = updated (8) } # server inner-tunnel (8) Virtual server sending reply (8) MS-CHAP-Error = "1E=691 R=1 C=d8407b0aa2c7a010f49f4e37fef85724 V=3 M=Authentication failed" (8) EAP-Message = 0x04310004 (8) Message-Authenticator = 0x00000000000000000000000000000000 (8) eap_peap: Got tunneled reply code 3 (8) eap_peap: MS-CHAP-Error = "1E=691 R=1 C=d8407b0aa2c7a010f49f4e37fef85724 V=3 M=Authentication failed" (8) eap_peap: EAP-Message = 0x04310004 (8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (8) eap_peap: Got tunneled reply RADIUS code 3 (8) eap_peap: MS-CHAP-Error = "1E=691 R=1 C=d8407b0aa2c7a010f49f4e37fef85724 V=3 M=Authentication failed" (8) eap_peap: EAP-Message = 0x04310004 (8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (8) eap_peap: Tunneled authentication was rejected (8) eap_peap: FAILURE (8) eap: Sending EAP Request (code 1) ID 50 length 46 (8) eap: EAP session adding &reply:State = 0x46c8d2104efacbbc (8) [eap] = handled (8) } # authenticate = handled (8) Using Post-Auth-Type Challenge (8) # Executing group from file /etc/raddb/sites-enabled/default (8) Challenge { ... } # empty sub-section is ignored (8) session-state: Saving cached attributes (8) Module-Failure-Message := "mschap: MS-CHAP2-Response is incorrect" (8) Sent Access-Challenge Id 68 from X.X.X.X:1812 to X.X.X.X:37829 length 0 (8) EAP-Message = 0x0132002e19001703030023652f3ff10fb2c5ef30b7fb1e252f2bf6a22244994486f4debfdf66bcd18faa30877532 (8) Message-Authenticator = 0x00000000000000000000000000000000 (8) State = 0x46c8d2104efacbbc6e5900b0d6f9d128 (8) Finished request Waking up in 4.8 seconds. (9) Received Access-Request Id 69 from X.X.X.X:37829 to X.X.X.X:1812 length 313 (9) User-Name = "robert_plestenjak" (9) NAS-IP-Address = X.X.X.X (9) Called-Station-Id = "82-15-54-A9-EB-44:Blubber" (9) NAS-Port-Type = Wireless-802.11 (9) Service-Type = Framed-User (9) Calling-Station-Id = "18-F0-E4-3B-AA-02" (9) Connect-Info = "CONNECT 54.00 Mbps, 802.11ac, RSSI: 31, Channel: 108" (9) Acct-Session-Id = "AE4E038CE2ACDB0A" (9) Acct-Multi-Session-Id = "3F1C9E9F7EE1D184" (9) WLAN-Pairwise-Cipher = 1027076 (9) WLAN-Group-Cipher = 1027076 (9) WLAN-AKM-Suite = 1027073 (9) Meraki-Device-Name = "olai" (9) Framed-MTU = 1400 (9) EAP-Message = 0x0232002e19001703030023000000000000000389125c7c96bd31281466aa12830d3193192521ab1698685080c754 (9) State = 0x46c8d2104efacbbc6e5900b0d6f9d128 (9) Message-Authenticator = 0xfd042959aaae54e9dd9ac31800d0667b (9) Restoring &session-state (9) &session-state:Module-Failure-Message := "mschap: MS-CHAP2-Response is incorrect" (9) # Executing section authorize from file /etc/raddb/sites-enabled/default (9) authorize { (9) policy filter_username { (9) if (&User-Name) { (9) if (&User-Name) -> TRUE (9) if (&User-Name) { (9) if (&User-Name =~ / /) { (9) if (&User-Name =~ / /) -> FALSE (9) if (&User-Name =~ /@[^@]*@/ ) { (9) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (9) if (&User-Name =~ /\.\./ ) { (9) if (&User-Name =~ /\.\./ ) -> FALSE (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (9) if (&User-Name =~ /\.$/) { (9) if (&User-Name =~ /\.$/) -> FALSE (9) if (&User-Name =~ /@\./) { (9) if (&User-Name =~ /@\./) -> FALSE (9) } # if (&User-Name) = notfound (9) } # policy filter_username = notfound (9) [preprocess] = ok (9) [chap] = noop (9) [mschap] = noop (9) [digest] = noop (9) suffix: Checking for suffix after "@" (9) suffix: No '@' in User-Name = "robert_plestenjak", looking up realm NULL (9) suffix: No such realm "NULL" (9) [suffix] = noop (9) eap: Peer sent EAP Response (code 2) ID 50 length 46 (9) eap: Continuing tunnel setup (9) [eap] = ok (9) } # authorize = ok (9) Found Auth-Type = eap (9) # Executing group from file /etc/raddb/sites-enabled/default (9) authenticate { (9) eap: Expiring EAP session with state 0x46c8d2104efacbbc (9) eap: Finished EAP session with state 0x46c8d2104efacbbc (9) eap: Previous EAP request found for state 0x46c8d2104efacbbc, released from the list (9) eap: Peer sent packet with method EAP PEAP (25) (9) eap: Calling submodule eap_peap to process data (9) eap_peap: Continuing EAP-TLS (9) eap_peap: [eaptls verify] = ok (9) eap_peap: Done initial handshake (9) eap_peap: [eaptls process] = ok (9) eap_peap: Session established. Decoding tunneled attributes (9) eap_peap: PEAP state send tlv failure (9) eap_peap: Received EAP-TLV response (9) eap_peap: ERROR: The users session was previously rejected: returning reject (again.) (9) eap_peap: This means you need to read the PREVIOUS messages in the debug output (9) eap_peap: to find out the reason why the user was rejected (9) eap_peap: Look for "reject" or "fail". Those earlier messages will tell you (9) eap_peap: what went wrong, and how to fix the problem (9) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed (9) eap: Sending EAP Failure (code 4) ID 50 length 4 (9) eap: Failed in EAP select (9) [eap] = invalid (9) } # authenticate = invalid (9) Failed to authenticate the user (9) Using Post-Auth-Type Reject (9) # Executing group from file /etc/raddb/sites-enabled/default (9) Post-Auth-Type REJECT { (9) attr_filter.access_reject: EXPAND %{User-Name} (9) attr_filter.access_reject: --> robert_plestenjak (9) attr_filter.access_reject: Matched entry DEFAULT at line 11 (9) [attr_filter.access_reject] = updated (9) [eap] = noop (9) policy remove_reply_message_if_eap { (9) if (&reply:EAP-Message && &reply:Reply-Message) { (9) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (9) else { (9) [noop] = noop (9) } # else = noop (9) } # policy remove_reply_message_if_eap = noop (9) } # Post-Auth-Type REJECT = updated (9) Delaying response for 1.000000 seconds Waking up in 0.6 seconds. Waking up in 0.3 seconds. (9) Sending delayed response (9) Sent Access-Reject Id 69 from X.X.X.X:1812 to X.X.X.X:37829 length 44 (9) EAP-Message = 0x04320004 (9) Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.8 seconds. (0) Cleaning up request packet ID 60 with timestamp +9 (1) Cleaning up request packet ID 61 with timestamp +9 (2) Cleaning up request packet ID 62 with timestamp +9 (3) Cleaning up request packet ID 63 with timestamp +9 (4) Cleaning up request packet ID 64 with timestamp +9 (5) Cleaning up request packet ID 65 with timestamp +9 (6) Cleaning up request packet ID 66 with timestamp +9 (7) Cleaning up request packet ID 67 with timestamp +9 (8) Cleaning up request packet ID 68 with timestamp +9 (9) Cleaning up request packet ID 69 with timestamp +9 Ready to process requests (10) Received Access-Request Id 10 from X.X.X.X:51991 to X.X.X.X:1812 length 268 (10) User-Name = "robert_plestenjak" (10) NAS-IP-Address = X.X.X.X (10) Called-Station-Id = "82-15-44-A9-EB-44:Blubber" (10) NAS-Port-Type = Wireless-802.11 (10) Service-Type = Framed-User (10) Calling-Station-Id = "18-F0-E4-3B-AA-02" (10) Connect-Info = "CONNECT 54.00 Mbps, 802.11n, RSSI: 44, Channel: 1" (10) Acct-Session-Id = "6325D4B9D8CD9D01" (10) Acct-Multi-Session-Id = "33B691AA5B968946" (10) WLAN-Pairwise-Cipher = 1027076 (10) WLAN-Group-Cipher = 1027076 (10) WLAN-AKM-Suite = 1027073 (10) Meraki-Device-Name = "olai" (10) Framed-MTU = 1400 (10) EAP-Message = 0x02cd001601726f626572745f706c657374656e6a616b (10) Message-Authenticator = 0x9ef397887365b4a9c8d560ba66702b4c (10) # Executing section authorize from file /etc/raddb/sites-enabled/default (10) authorize { (10) policy filter_username { (10) if (&User-Name) { (10) if (&User-Name) -> TRUE (10) if (&User-Name) { (10) if (&User-Name =~ / /) { (10) if (&User-Name =~ / /) -> FALSE (10) if (&User-Name =~ /@[^@]*@/ ) { (10) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (10) if (&User-Name =~ /\.\./ ) { (10) if (&User-Name =~ /\.\./ ) -> FALSE (10) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (10) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (10) if (&User-Name =~ /\.$/) { (10) if (&User-Name =~ /\.$/) -> FALSE (10) if (&User-Name =~ /@\./) { (10) if (&User-Name =~ /@\./) -> FALSE (10) } # if (&User-Name) = notfound (10) } # policy filter_username = notfound (10) [preprocess] = ok (10) [chap] = noop (10) [mschap] = noop (10) [digest] = noop (10) suffix: Checking for suffix after "@" (10) suffix: No '@' in User-Name = "robert_plestenjak", looking up realm NULL (10) suffix: No such realm "NULL" (10) [suffix] = noop (10) eap: Peer sent EAP Response (code 2) ID 205 length 22 (10) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (10) [eap] = ok (10) } # authorize = ok (10) Found Auth-Type = eap (10) # Executing group from file /etc/raddb/sites-enabled/default (10) authenticate { (10) eap: Peer sent packet with method EAP Identity (1) (10) eap: Calling submodule eap_md5 to process data (10) eap_md5: Issuing MD5 Challenge (10) eap: Sending EAP Request (code 1) ID 206 length 22 (10) eap: EAP session adding &reply:State = 0x13b4f8c8137afc0c (10) [eap] = handled (10) } # authenticate = handled (10) Using Post-Auth-Type Challenge (10) # Executing group from file /etc/raddb/sites-enabled/default (10) Challenge { ... } # empty sub-section is ignored (10) Sent Access-Challenge Id 10 from X.X.X.X:1812 to X.X.X.X:51991 length 0 (10) EAP-Message = 0x01ce001604109894d79a35a2fc5f9745add589aedd82 (10) Message-Authenticator = 0x00000000000000000000000000000000 (10) State = 0x13b4f8c8137afc0caef2d3fb04d37962 (10) Finished request Waking up in 4.9 seconds. (11) Received Access-Request Id 11 from X.X.X.X:51991 to X.X.X.X:1812 length 270 (11) User-Name = "robert_plestenjak" (11) NAS-IP-Address = X.X.X.X (11) Called-Station-Id = "82-15-44-A9-EB-44:Blubber" (11) NAS-Port-Type = Wireless-802.11 (11) Service-Type = Framed-User (11) Calling-Station-Id = "18-F0-E4-3B-AA-02" (11) Connect-Info = "CONNECT 54.00 Mbps, 802.11n, RSSI: 44, Channel: 1" (11) Acct-Session-Id = "6325D4B9D8CD9D01" (11) Acct-Multi-Session-Id = "33B691AA5B968946" (11) WLAN-Pairwise-Cipher = 1027076 (11) WLAN-Group-Cipher = 1027076 (11) WLAN-AKM-Suite = 1027073 (11) Meraki-Device-Name = "olai" (11) Framed-MTU = 1400 (11) EAP-Message = 0x02ce00060319 (11) State = 0x13b4f8c8137afc0caef2d3fb04d37962 (11) Message-Authenticator = 0xd17920bf05e0fcb93caee9ebdc02bb6e (11) session-state: No cached attributes (11) # Executing section authorize from file /etc/raddb/sites-enabled/default (11) authorize { (11) policy filter_username { (11) if (&User-Name) { (11) if (&User-Name) -> TRUE (11) if (&User-Name) { (11) if (&User-Name =~ / /) { (11) if (&User-Name =~ / /) -> FALSE (11) if (&User-Name =~ /@[^@]*@/ ) { (11) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (11) if (&User-Name =~ /\.\./ ) { (11) if (&User-Name =~ /\.\./ ) -> FALSE (11) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (11) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (11) if (&User-Name =~ /\.$/) { (11) if (&User-Name =~ /\.$/) -> FALSE (11) if (&User-Name =~ /@\./) { (11) if (&User-Name =~ /@\./) -> FALSE (11) } # if (&User-Name) = notfound (11) } # policy filter_username = notfound (11) [preprocess] = ok (11) [chap] = noop (11) [mschap] = noop (11) [digest] = noop (11) suffix: Checking for suffix after "@" (11) suffix: No '@' in User-Name = "robert_plestenjak", looking up realm NULL (11) suffix: No such realm "NULL" (11) [suffix] = noop (11) eap: Peer sent EAP Response (code 2) ID 206 length 6 (11) eap: No EAP Start, assuming it's an on-going EAP conversation (11) [eap] = updated (11) [files] = noop rlm_ldap (ldap): Reserved connection (2) (11) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (11) ldap: --> (uid=robert_plestenjak) (11) ldap: Performing search in "dc=xlab,dc=si" with filter "(uid=robert_plestenjak)", scope "sub" (11) ldap: Waiting for search result... (11) ldap: User object found at DN "cn=Robert Plestenjak,ou=people,ou=xlab-research,dc=xlab,dc=si" (11) ldap: Processing user attributes (11) ldap: control:Password-With-Header += 'XXX' rlm_ldap (ldap): Released connection (2) Need 4 more connections to reach 10 spares rlm_ldap (ldap): Opening additional connection (6), 1 of 26 pending slots used rlm_ldap (ldap): Connecting to ldaps://auth3.xlab.si:636 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful (11) [ldap] = updated (11) if ((ok || updated) && User-Password) { (11) if ((ok || updated) && User-Password) -> FALSE (11) [expiration] = noop (11) [logintime] = noop (11) pap: No {...} in Password-With-Header, re-writing to Cleartext-Password (11) pap: Removing &control:Password-With-Header (11) pap: WARNING: Auth-Type already set. Not setting to PAP (11) [pap] = noop (11) } # authorize = updated (11) Found Auth-Type = eap (11) # Executing group from file /etc/raddb/sites-enabled/default (11) authenticate { (11) eap: Expiring EAP session with state 0x13b4f8c8137afc0c (11) eap: Finished EAP session with state 0x13b4f8c8137afc0c (11) eap: Previous EAP request found for state 0x13b4f8c8137afc0c, released from the list (11) eap: Peer sent packet with method EAP NAK (3) (11) eap: Found mutually acceptable type PEAP (25) (11) eap: Calling submodule eap_peap to process data (11) eap_peap: Initiating new EAP-TLS session (11) eap_peap: [eaptls start] = request (11) eap: Sending EAP Request (code 1) ID 207 length 6 (11) eap: EAP session adding &reply:State = 0x13b4f8c8127be10c (11) [eap] = handled (11) } # authenticate = handled (11) Using Post-Auth-Type Challenge (11) # Executing group from file /etc/raddb/sites-enabled/default (11) Challenge { ... } # empty sub-section is ignored (11) Sent Access-Challenge Id 11 from X.X.X.X:1812 to X.X.X.X:51991 length 0 (11) EAP-Message = 0x01cf00061920 (11) Message-Authenticator = 0x00000000000000000000000000000000 (11) State = 0x13b4f8c8127be10caef2d3fb04d37962 (11) Finished request Waking up in 4.9 seconds. (12) Received Access-Request Id 12 from X.X.X.X:51991 to X.X.X.X:1812 length 413 (12) User-Name = "robert_plestenjak" (12) NAS-IP-Address = X.X.X.X (12) Called-Station-Id = "82-15-44-A9-EB-44:Blubber" (12) NAS-Port-Type = Wireless-802.11 (12) Service-Type = Framed-User (12) Calling-Station-Id = "18-F0-E4-3B-AA-02" (12) Connect-Info = "CONNECT 54.00 Mbps, 802.11n, RSSI: 44, Channel: 1" (12) Acct-Session-Id = "6325D4B9D8CD9D01" (12) Acct-Multi-Session-Id = "33B691AA5B968946" (12) WLAN-Pairwise-Cipher = 1027076 (12) WLAN-Group-Cipher = 1027076 (12) WLAN-AKM-Suite = 1027073 (12) Meraki-Device-Name = "olai" (12) Framed-MTU = 1400 (12) EAP-Message = 0x02cf009519800000008b1603010086010000820303a92d448a03d30bd55ed9e4048a71e3b984078789666a59e4f0b55047909bfaa900002ac02bc02fc02cc030cca9cca8c009c023c013c027c00ac024c014c028009c009d002f003c0035003d000a0100002fff0100010000170000000d0010000e0403 (12) State = 0x13b4f8c8127be10caef2d3fb04d37962 (12) Message-Authenticator = 0x75773d8e25d838dba548709fa45c599d (12) session-state: No cached attributes (12) # Executing section authorize from file /etc/raddb/sites-enabled/default (12) authorize { (12) policy filter_username { (12) if (&User-Name) { (12) if (&User-Name) -> TRUE (12) if (&User-Name) { (12) if (&User-Name =~ / /) { (12) if (&User-Name =~ / /) -> FALSE (12) if (&User-Name =~ /@[^@]*@/ ) { (12) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (12) if (&User-Name =~ /\.\./ ) { (12) if (&User-Name =~ /\.\./ ) -> FALSE (12) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (12) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (12) if (&User-Name =~ /\.$/) { (12) if (&User-Name =~ /\.$/) -> FALSE (12) if (&User-Name =~ /@\./) { (12) if (&User-Name =~ /@\./) -> FALSE (12) } # if (&User-Name) = notfound (12) } # policy filter_username = notfound (12) [preprocess] = ok (12) [chap] = noop (12) [mschap] = noop (12) [digest] = noop (12) suffix: Checking for suffix after "@" (12) suffix: No '@' in User-Name = "robert_plestenjak", looking up realm NULL (12) suffix: No such realm "NULL" (12) [suffix] = noop (12) eap: Peer sent EAP Response (code 2) ID 207 length 149 (12) eap: Continuing tunnel setup (12) [eap] = ok (12) } # authorize = ok (12) Found Auth-Type = eap (12) # Executing group from file /etc/raddb/sites-enabled/default (12) authenticate { (12) eap: Expiring EAP session with state 0x13b4f8c8127be10c (12) eap: Finished EAP session with state 0x13b4f8c8127be10c (12) eap: Previous EAP request found for state 0x13b4f8c8127be10c, released from the list (12) eap: Peer sent packet with method EAP PEAP (25) (12) eap: Calling submodule eap_peap to process data (12) eap_peap: Continuing EAP-TLS (12) eap_peap: Peer indicated complete TLS record size will be 139 bytes (12) eap_peap: Got complete TLS record (139 bytes) (12) eap_peap: [eaptls verify] = length included (12) eap_peap: (other): before/accept initialization (12) eap_peap: TLS_accept: before/accept initialization (12) eap_peap: <<< recv TLS 1.2 [length 0086] (12) eap_peap: TLS_accept: SSLv3 read client hello A (12) eap_peap: >>> send TLS 1.2 [length 0039] (12) eap_peap: TLS_accept: SSLv3 write server hello A (12) eap_peap: >>> send TLS 1.2 [length 08d3] (12) eap_peap: TLS_accept: SSLv3 write certificate A (12) eap_peap: >>> send TLS 1.2 [length 014d] (12) eap_peap: TLS_accept: SSLv3 write key exchange A (12) eap_peap: >>> send TLS 1.2 [length 0004] (12) eap_peap: TLS_accept: SSLv3 write server done A (12) eap_peap: TLS_accept: SSLv3 flush data (12) eap_peap: TLS_accept: SSLv3 read client certificate A (12) eap_peap: TLS_accept: Need to read more data: SSLv3 read client key exchange A (12) eap_peap: TLS_accept: Need to read more data: SSLv3 read client key exchange A (12) eap_peap: In SSL Handshake Phase (12) eap_peap: In SSL Accept mode (12) eap_peap: [eaptls process] = handled (12) eap: Sending EAP Request (code 1) ID 208 length 1004 (12) eap: EAP session adding &reply:State = 0x13b4f8c81164e10c (12) [eap] = handled (12) } # authenticate = handled (12) Using Post-Auth-Type Challenge (12) # Executing group from file /etc/raddb/sites-enabled/default (12) Challenge { ... } # empty sub-section is ignored (12) Sent Access-Challenge Id 12 from X.X.X.X:1812 to X.X.X.X:51991 length 0 (12) EAP-Message = 0x01d003ec19c000000a7116030300390200003503039ce049344384b2cbc710136022def40542d08e2187ae8522a95d7ea0da1a504100c02f00000dff01000100000b00040300010216030308d30b0008cf0008cc0003de308203da308202c2a003020102020101300d06092a864886f70d01010b050030 (12) Message-Authenticator = 0x00000000000000000000000000000000 (12) State = 0x13b4f8c81164e10caef2d3fb04d37962 (12) Finished request Waking up in 4.9 seconds. (13) Received Access-Request Id 13 from X.X.X.X:51991 to X.X.X.X:1812 length 270 (13) User-Name = "robert_plestenjak" (13) NAS-IP-Address = X.X.X.X (13) Called-Station-Id = "82-15-44-A9-EB-44:Blubber" (13) NAS-Port-Type = Wireless-802.11 (13) Service-Type = Framed-User (13) Calling-Station-Id = "18-F0-E4-3B-AA-02" (13) Connect-Info = "CONNECT 54.00 Mbps, 802.11n, RSSI: 44, Channel: 1" (13) Acct-Session-Id = "6325D4B9D8CD9D01" (13) Acct-Multi-Session-Id = "33B691AA5B968946" (13) WLAN-Pairwise-Cipher = 1027076 (13) WLAN-Group-Cipher = 1027076 (13) WLAN-AKM-Suite = 1027073 (13) Meraki-Device-Name = "olai" (13) Framed-MTU = 1400 (13) EAP-Message = 0x02d000061900 (13) State = 0x13b4f8c81164e10caef2d3fb04d37962 (13) Message-Authenticator = 0xecee55183201a215ec44e13e79ca257c (13) session-state: No cached attributes (13) # Executing section authorize from file /etc/raddb/sites-enabled/default (13) authorize { (13) policy filter_username { (13) if (&User-Name) { (13) if (&User-Name) -> TRUE (13) if (&User-Name) { (13) if (&User-Name =~ / /) { (13) if (&User-Name =~ / /) -> FALSE (13) if (&User-Name =~ /@[^@]*@/ ) { (13) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (13) if (&User-Name =~ /\.\./ ) { (13) if (&User-Name =~ /\.\./ ) -> FALSE (13) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (13) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (13) if (&User-Name =~ /\.$/) { (13) if (&User-Name =~ /\.$/) -> FALSE (13) if (&User-Name =~ /@\./) { (13) if (&User-Name =~ /@\./) -> FALSE (13) } # if (&User-Name) = notfound (13) } # policy filter_username = notfound (13) [preprocess] = ok (13) [chap] = noop (13) [mschap] = noop (13) [digest] = noop (13) suffix: Checking for suffix after "@" (13) suffix: No '@' in User-Name = "robert_plestenjak", looking up realm NULL (13) suffix: No such realm "NULL" (13) [suffix] = noop (13) eap: Peer sent EAP Response (code 2) ID 208 length 6 (13) eap: Continuing tunnel setup (13) [eap] = ok (13) } # authorize = ok (13) Found Auth-Type = eap (13) # Executing group from file /etc/raddb/sites-enabled/default (13) authenticate { (13) eap: Expiring EAP session with state 0x13b4f8c81164e10c (13) eap: Finished EAP session with state 0x13b4f8c81164e10c (13) eap: Previous EAP request found for state 0x13b4f8c81164e10c, released from the list (13) eap: Peer sent packet with method EAP PEAP (25) (13) eap: Calling submodule eap_peap to process data (13) eap_peap: Continuing EAP-TLS (13) eap_peap: Peer ACKed our handshake fragment (13) eap_peap: [eaptls verify] = request (13) eap_peap: [eaptls process] = handled (13) eap: Sending EAP Request (code 1) ID 209 length 1000 (13) eap: EAP session adding &reply:State = 0x13b4f8c81065e10c (13) [eap] = handled (13) } # authenticate = handled (13) Using Post-Auth-Type Challenge (13) # Executing group from file /etc/raddb/sites-enabled/default (13) Challenge { ... } # empty sub-section is ignored (13) Sent Access-Challenge Id 13 from X.X.X.X:1812 to X.X.X.X:51991 length 0 (13) EAP-Message = 0x01d103e819402dbdf62800fd47c44b6189df90644cc345df23b390e938143137414b4dc3906a2aefff96f82551639cf9a10ead226ee8a9d0d7c4bf51bcca698315290b7a181527f2841445909d7d420004e8308204e4308203cca003020102020900d20da3179fcff6af300d06092a864886f70d01010b (13) Message-Authenticator = 0x00000000000000000000000000000000 (13) State = 0x13b4f8c81065e10caef2d3fb04d37962 (13) Finished request Waking up in 4.9 seconds. (14) Received Access-Request Id 14 from X.X.X.X:51991 to X.X.X.X:1812 length 270 (14) User-Name = "robert_plestenjak" (14) NAS-IP-Address = X.X.X.X (14) Called-Station-Id = "82-15-44-A9-EB-44:Blubber" (14) NAS-Port-Type = Wireless-802.11 (14) Service-Type = Framed-User (14) Calling-Station-Id = "18-F0-E4-3B-AA-02" (14) Connect-Info = "CONNECT 54.00 Mbps, 802.11n, RSSI: 44, Channel: 1" (14) Acct-Session-Id = "6325D4B9D8CD9D01" (14) Acct-Multi-Session-Id = "33B691AA5B968946" (14) WLAN-Pairwise-Cipher = 1027076 (14) WLAN-Group-Cipher = 1027076 (14) WLAN-AKM-Suite = 1027073 (14) Meraki-Device-Name = "olai" (14) Framed-MTU = 1400 (14) EAP-Message = 0x02d100061900 (14) State = 0x13b4f8c81065e10caef2d3fb04d37962 (14) Message-Authenticator = 0x6808057d61ed210c43b2e7f0ed27c6b0 (14) session-state: No cached attributes (14) # Executing section authorize from file /etc/raddb/sites-enabled/default (14) authorize { (14) policy filter_username { (14) if (&User-Name) { (14) if (&User-Name) -> TRUE (14) if (&User-Name) { (14) if (&User-Name =~ / /) { (14) if (&User-Name =~ / /) -> FALSE (14) if (&User-Name =~ /@[^@]*@/ ) { (14) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (14) if (&User-Name =~ /\.\./ ) { (14) if (&User-Name =~ /\.\./ ) -> FALSE (14) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (14) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (14) if (&User-Name =~ /\.$/) { (14) if (&User-Name =~ /\.$/) -> FALSE (14) if (&User-Name =~ /@\./) { (14) if (&User-Name =~ /@\./) -> FALSE (14) } # if (&User-Name) = notfound (14) } # policy filter_username = notfound (14) [preprocess] = ok (14) [chap] = noop (14) [mschap] = noop (14) [digest] = noop (14) suffix: Checking for suffix after "@" (14) suffix: No '@' in User-Name = "robert_plestenjak", looking up realm NULL (14) suffix: No such realm "NULL" (14) [suffix] = noop (14) eap: Peer sent EAP Response (code 2) ID 209 length 6 (14) eap: Continuing tunnel setup (14) [eap] = ok (14) } # authorize = ok (14) Found Auth-Type = eap (14) # Executing group from file /etc/raddb/sites-enabled/default (14) authenticate { (14) eap: Expiring EAP session with state 0x13b4f8c81065e10c (14) eap: Finished EAP session with state 0x13b4f8c81065e10c (14) eap: Previous EAP request found for state 0x13b4f8c81065e10c, released from the list (14) eap: Peer sent packet with method EAP PEAP (25) (14) eap: Calling submodule eap_peap to process data (14) eap_peap: Continuing EAP-TLS (14) eap_peap: Peer ACKed our handshake fragment (14) eap_peap: [eaptls verify] = request (14) eap_peap: [eaptls process] = handled (14) eap: Sending EAP Request (code 1) ID 210 length 691 (14) eap: EAP session adding &reply:State = 0x13b4f8c81766e10c (14) [eap] = handled (14) } # authenticate = handled (14) Using Post-Auth-Type Challenge (14) # Executing group from file /etc/raddb/sites-enabled/default (14) Challenge { ... } # empty sub-section is ignored (14) Sent Access-Challenge Id 14 from X.X.X.X:1812 to X.X.X.X:51991 length 0 (14) EAP-Message = 0x01d202b319000530030101ff30360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e6f72672f6578616d706c655f63612e63726c300d06092a864886f70d01010b0500038201010082ec17a6a7053cdb07445b2a8258e5e5f0cad094486cb4a81527d41f7ff73f (14) Message-Authenticator = 0x00000000000000000000000000000000 (14) State = 0x13b4f8c81766e10caef2d3fb04d37962 (14) Finished request Waking up in 4.9 seconds. (15) Received Access-Request Id 15 from X.X.X.X:51991 to X.X.X.X:1812 length 400 (15) User-Name = "robert_plestenjak" (15) NAS-IP-Address = X.X.X.X (15) Called-Station-Id = "82-15-44-A9-EB-44:Blubber" (15) NAS-Port-Type = Wireless-802.11 (15) Service-Type = Framed-User (15) Calling-Station-Id = "18-F0-E4-3B-AA-02" (15) Connect-Info = "CONNECT 54.00 Mbps, 802.11n, RSSI: 44, Channel: 1" (15) Acct-Session-Id = "6325D4B9D8CD9D01" (15) Acct-Multi-Session-Id = "33B691AA5B968946" (15) WLAN-Pairwise-Cipher = 1027076 (15) WLAN-Group-Cipher = 1027076 (15) WLAN-AKM-Suite = 1027073 (15) Meraki-Device-Name = "olai" (15) Framed-MTU = 1400 (15) EAP-Message = 0x02d2008819800000007e16030300461000004241046e9952972e88d85f4c8a0fec97f6921a748c8f3a9359e4c2f899fbfff13d0352d105d5dc817989b8830aa2e75623dbf2252b4df0338d9af3efac1ffbcb283d9714030300010116030300280000000000000000ba7043669f9c5cf21290c8c78fedd6 (15) State = 0x13b4f8c81766e10caef2d3fb04d37962 (15) Message-Authenticator = 0xdbfcb1ec8b36b3555264d93298e44ba3 (15) session-state: No cached attributes (15) # Executing section authorize from file /etc/raddb/sites-enabled/default (15) authorize { (15) policy filter_username { (15) if (&User-Name) { (15) if (&User-Name) -> TRUE (15) if (&User-Name) { (15) if (&User-Name =~ / /) { (15) if (&User-Name =~ / /) -> FALSE (15) if (&User-Name =~ /@[^@]*@/ ) { (15) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (15) if (&User-Name =~ /\.\./ ) { (15) if (&User-Name =~ /\.\./ ) -> FALSE (15) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (15) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (15) if (&User-Name =~ /\.$/) { (15) if (&User-Name =~ /\.$/) -> FALSE (15) if (&User-Name =~ /@\./) { (15) if (&User-Name =~ /@\./) -> FALSE (15) } # if (&User-Name) = notfound (15) } # policy filter_username = notfound (15) [preprocess] = ok (15) [chap] = noop (15) [mschap] = noop (15) [digest] = noop (15) suffix: Checking for suffix after "@" (15) suffix: No '@' in User-Name = "robert_plestenjak", looking up realm NULL (15) suffix: No such realm "NULL" (15) [suffix] = noop (15) eap: Peer sent EAP Response (code 2) ID 210 length 136 (15) eap: Continuing tunnel setup (15) [eap] = ok (15) } # authorize = ok (15) Found Auth-Type = eap (15) # Executing group from file /etc/raddb/sites-enabled/default (15) authenticate { (15) eap: Expiring EAP session with state 0x13b4f8c81766e10c (15) eap: Finished EAP session with state 0x13b4f8c81766e10c (15) eap: Previous EAP request found for state 0x13b4f8c81766e10c, released from the list (15) eap: Peer sent packet with method EAP PEAP (25) (15) eap: Calling submodule eap_peap to process data (15) eap_peap: Continuing EAP-TLS (15) eap_peap: Peer indicated complete TLS record size will be 126 bytes (15) eap_peap: Got complete TLS record (126 bytes) (15) eap_peap: [eaptls verify] = length included (15) eap_peap: <<< recv TLS 1.2 [length 0046] (15) eap_peap: TLS_accept: SSLv3 read client key exchange A (15) eap_peap: TLS_accept: SSLv3 read certificate verify A (15) eap_peap: <<< recv TLS 1.2 [length 0001] (15) eap_peap: <<< recv TLS 1.2 [length 0010] (15) eap_peap: TLS_accept: SSLv3 read finished A (15) eap_peap: >>> send TLS 1.2 [length 0001] (15) eap_peap: TLS_accept: SSLv3 write change cipher spec A (15) eap_peap: >>> send TLS 1.2 [length 0010] (15) eap_peap: TLS_accept: SSLv3 write finished A (15) eap_peap: TLS_accept: SSLv3 flush data (15) eap_peap: (other): SSL negotiation finished successfully (15) eap_peap: SSL Connection Established (15) eap_peap: [eaptls process] = handled (15) eap: Sending EAP Request (code 1) ID 211 length 57 (15) eap: EAP session adding &reply:State = 0x13b4f8c81667e10c (15) [eap] = handled (15) } # authenticate = handled (15) Using Post-Auth-Type Challenge (15) # Executing group from file /etc/raddb/sites-enabled/default (15) Challenge { ... } # empty sub-section is ignored (15) Sent Access-Challenge Id 15 from X.X.X.X:1812 to X.X.X.X:51991 length 0 (15) EAP-Message = 0x01d3003919001403030001011603030028c4d6cba0b48752b4673199c19d6aadd4b7ef802d79b2977018b55347e106ae975f42a0bae3224e60 (15) Message-Authenticator = 0x00000000000000000000000000000000 (15) State = 0x13b4f8c81667e10caef2d3fb04d37962 (15) Finished request Waking up in 4.8 seconds. (16) Received Access-Request Id 16 from X.X.X.X:51991 to X.X.X.X:1812 length 270 (16) User-Name = "robert_plestenjak" (16) NAS-IP-Address = X.X.X.X (16) Called-Station-Id = "82-15-44-A9-EB-44:Blubber" (16) NAS-Port-Type = Wireless-802.11 (16) Service-Type = Framed-User (16) Calling-Station-Id = "18-F0-E4-3B-AA-02" (16) Connect-Info = "CONNECT 54.00 Mbps, 802.11n, RSSI: 44, Channel: 1" (16) Acct-Session-Id = "6325D4B9D8CD9D01" (16) Acct-Multi-Session-Id = "33B691AA5B968946" (16) WLAN-Pairwise-Cipher = 1027076 (16) WLAN-Group-Cipher = 1027076 (16) WLAN-AKM-Suite = 1027073 (16) Meraki-Device-Name = "olai" (16) Framed-MTU = 1400 (16) EAP-Message = 0x02d300061900 (16) State = 0x13b4f8c81667e10caef2d3fb04d37962 (16) Message-Authenticator = 0x8a8f5afa9a3ca20b6a6e02804b573aeb (16) session-state: No cached attributes (16) # Executing section authorize from file /etc/raddb/sites-enabled/default (16) authorize { (16) policy filter_username { (16) if (&User-Name) { (16) if (&User-Name) -> TRUE (16) if (&User-Name) { (16) if (&User-Name =~ / /) { (16) if (&User-Name =~ / /) -> FALSE (16) if (&User-Name =~ /@[^@]*@/ ) { (16) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (16) if (&User-Name =~ /\.\./ ) { (16) if (&User-Name =~ /\.\./ ) -> FALSE (16) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (16) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (16) if (&User-Name =~ /\.$/) { (16) if (&User-Name =~ /\.$/) -> FALSE (16) if (&User-Name =~ /@\./) { (16) if (&User-Name =~ /@\./) -> FALSE (16) } # if (&User-Name) = notfound (16) } # policy filter_username = notfound (16) [preprocess] = ok (16) [chap] = noop (16) [mschap] = noop (16) [digest] = noop (16) suffix: Checking for suffix after "@" (16) suffix: No '@' in User-Name = "robert_plestenjak", looking up realm NULL (16) suffix: No such realm "NULL" (16) [suffix] = noop (16) eap: Peer sent EAP Response (code 2) ID 211 length 6 (16) eap: Continuing tunnel setup (16) [eap] = ok (16) } # authorize = ok (16) Found Auth-Type = eap (16) # Executing group from file /etc/raddb/sites-enabled/default (16) authenticate { (16) eap: Expiring EAP session with state 0x13b4f8c81667e10c (16) eap: Finished EAP session with state 0x13b4f8c81667e10c (16) eap: Previous EAP request found for state 0x13b4f8c81667e10c, released from the list (16) eap: Peer sent packet with method EAP PEAP (25) (16) eap: Calling submodule eap_peap to process data (16) eap_peap: Continuing EAP-TLS (16) eap_peap: Peer ACKed our handshake fragment. handshake is finished (16) eap_peap: [eaptls verify] = success (16) eap_peap: [eaptls process] = success (16) eap_peap: Session established. Decoding tunneled attributes (16) eap_peap: PEAP state TUNNEL ESTABLISHED (16) eap: Sending EAP Request (code 1) ID 212 length 40 (16) eap: EAP session adding &reply:State = 0x13b4f8c81560e10c (16) [eap] = handled (16) } # authenticate = handled (16) Using Post-Auth-Type Challenge (16) # Executing group from file /etc/raddb/sites-enabled/default (16) Challenge { ... } # empty sub-section is ignored (16) Sent Access-Challenge Id 16 from X.X.X.X:1812 to X.X.X.X:51991 length 0 (16) EAP-Message = 0x01d400281900170303001dc4d6cba0b48752b596fbd582271ba5144d0b07e037cdeb3c8872832bf8 (16) Message-Authenticator = 0x00000000000000000000000000000000 (16) State = 0x13b4f8c81560e10caef2d3fb04d37962 (16) Finished request Waking up in 4.8 seconds. (17) Received Access-Request Id 17 from X.X.X.X:51991 to X.X.X.X:1812 length 317 (17) User-Name = "robert_plestenjak" (17) NAS-IP-Address = X.X.X.X (17) Called-Station-Id = "82-15-44-A9-EB-44:Blubber" (17) NAS-Port-Type = Wireless-802.11 (17) Service-Type = Framed-User (17) Calling-Station-Id = "18-F0-E4-3B-AA-02" (17) Connect-Info = "CONNECT 54.00 Mbps, 802.11n, RSSI: 44, Channel: 1" (17) Acct-Session-Id = "6325D4B9D8CD9D01" (17) Acct-Multi-Session-Id = "33B691AA5B968946" (17) WLAN-Pairwise-Cipher = 1027076 (17) WLAN-Group-Cipher = 1027076 (17) WLAN-AKM-Suite = 1027073 (17) Meraki-Device-Name = "olai" (17) Framed-MTU = 1400 (17) EAP-Message = 0x02d400351900170303002a0000000000000001d156dcb306795b1a5490d8115263cc725c1acd8c76588e31d9d4d985562c98bda7f5 (17) State = 0x13b4f8c81560e10caef2d3fb04d37962 (17) Message-Authenticator = 0xdffaa6c92233672ac826e8759d82c057 (17) session-state: No cached attributes (17) # Executing section authorize from file /etc/raddb/sites-enabled/default (17) authorize { (17) policy filter_username { (17) if (&User-Name) { (17) if (&User-Name) -> TRUE (17) if (&User-Name) { (17) if (&User-Name =~ / /) { (17) if (&User-Name =~ / /) -> FALSE (17) if (&User-Name =~ /@[^@]*@/ ) { (17) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (17) if (&User-Name =~ /\.\./ ) { (17) if (&User-Name =~ /\.\./ ) -> FALSE (17) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (17) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (17) if (&User-Name =~ /\.$/) { (17) if (&User-Name =~ /\.$/) -> FALSE (17) if (&User-Name =~ /@\./) { (17) if (&User-Name =~ /@\./) -> FALSE (17) } # if (&User-Name) = notfound (17) } # policy filter_username = notfound (17) [preprocess] = ok (17) [chap] = noop (17) [mschap] = noop (17) [digest] = noop (17) suffix: Checking for suffix after "@" (17) suffix: No '@' in User-Name = "robert_plestenjak", looking up realm NULL (17) suffix: No such realm "NULL" (17) [suffix] = noop (17) eap: Peer sent EAP Response (code 2) ID 212 length 53 (17) eap: Continuing tunnel setup (17) [eap] = ok (17) } # authorize = ok (17) Found Auth-Type = eap (17) # Executing group from file /etc/raddb/sites-enabled/default (17) authenticate { (17) eap: Expiring EAP session with state 0x13b4f8c81560e10c (17) eap: Finished EAP session with state 0x13b4f8c81560e10c (17) eap: Previous EAP request found for state 0x13b4f8c81560e10c, released from the list (17) eap: Peer sent packet with method EAP PEAP (25) (17) eap: Calling submodule eap_peap to process data (17) eap_peap: Continuing EAP-TLS (17) eap_peap: [eaptls verify] = ok (17) eap_peap: Done initial handshake (17) eap_peap: [eaptls process] = ok (17) eap_peap: Session established. Decoding tunneled attributes (17) eap_peap: PEAP state WAITING FOR INNER IDENTITY (17) eap_peap: Identity - robert_plestenjak (17) eap_peap: Got inner identity 'robert_plestenjak' (17) eap_peap: Setting default EAP type for tunneled EAP session (17) eap_peap: Got tunneled request (17) eap_peap: EAP-Message = 0x02d4001601726f626572745f706c657374656e6a616b (17) eap_peap: Setting User-Name to robert_plestenjak (17) eap_peap: Sending tunneled request to inner-tunnel (17) eap_peap: EAP-Message = 0x02d4001601726f626572745f706c657374656e6a616b (17) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (17) eap_peap: User-Name = "robert_plestenjak" (17) Virtual server inner-tunnel received request (17) EAP-Message = 0x02d4001601726f626572745f706c657374656e6a616b (17) FreeRADIUS-Proxied-To = 127.0.0.1 (17) User-Name = "robert_plestenjak" (17) WARNING: Outer and inner identities are the same. User privacy is compromised. (17) server inner-tunnel { (17) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel (17) authorize { (17) policy filter_username { (17) if (&User-Name) { (17) if (&User-Name) -> TRUE (17) if (&User-Name) { (17) if (&User-Name =~ / /) { (17) if (&User-Name =~ / /) -> FALSE (17) if (&User-Name =~ /@[^@]*@/ ) { (17) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (17) if (&User-Name =~ /\.\./ ) { (17) if (&User-Name =~ /\.\./ ) -> FALSE (17) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (17) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (17) if (&User-Name =~ /\.$/) { (17) if (&User-Name =~ /\.$/) -> FALSE (17) if (&User-Name =~ /@\./) { (17) if (&User-Name =~ /@\./) -> FALSE (17) } # if (&User-Name) = notfound (17) } # policy filter_username = notfound (17) [chap] = noop (17) [mschap] = noop (17) suffix: Checking for suffix after "@" (17) suffix: No '@' in User-Name = "robert_plestenjak", looking up realm NULL (17) suffix: No such realm "NULL" (17) [suffix] = noop (17) update control { (17) &Proxy-To-Realm := LOCAL (17) } # update control = noop (17) eap: Peer sent EAP Response (code 2) ID 212 length 22 (17) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (17) [eap] = ok (17) } # authorize = ok (17) Found Auth-Type = eap (17) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (17) authenticate { (17) eap: Peer sent packet with method EAP Identity (1) (17) eap: Calling submodule eap_mschapv2 to process data (17) eap_mschapv2: Issuing Challenge (17) eap: Sending EAP Request (code 1) ID 213 length 43 (17) eap: EAP session adding &reply:State = 0x8f45c9568f90d385 (17) [eap] = handled (17) } # authenticate = handled (17) } # server inner-tunnel (17) Virtual server sending reply (17) EAP-Message = 0x01d5002b1a01d50026103481537f998fa1371fd68721d06fd7c1667265657261646975732d332e302e3133 (17) Message-Authenticator = 0x00000000000000000000000000000000 (17) State = 0x8f45c9568f90d3857e52bda50653607d (17) eap_peap: Got tunneled reply code 11 (17) eap_peap: EAP-Message = 0x01d5002b1a01d50026103481537f998fa1371fd68721d06fd7c1667265657261646975732d332e302e3133 (17) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (17) eap_peap: State = 0x8f45c9568f90d3857e52bda50653607d (17) eap_peap: Got tunneled reply RADIUS code 11 (17) eap_peap: EAP-Message = 0x01d5002b1a01d50026103481537f998fa1371fd68721d06fd7c1667265657261646975732d332e302e3133 (17) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (17) eap_peap: State = 0x8f45c9568f90d3857e52bda50653607d (17) eap_peap: Got tunneled Access-Challenge (17) eap: Sending EAP Request (code 1) ID 213 length 74 (17) eap: EAP session adding &reply:State = 0x13b4f8c81461e10c (17) [eap] = handled (17) } # authenticate = handled (17) Using Post-Auth-Type Challenge (17) # Executing group from file /etc/raddb/sites-enabled/default (17) Challenge { ... } # empty sub-section is ignored (17) Sent Access-Challenge Id 17 from X.X.X.X:1812 to X.X.X.X:51991 length 0 (17) EAP-Message = 0x01d5004a1900170303003fc4d6cba0b48752b678685a1c20d35c1495eeb8b7b68d48af7559cb23b1794638500578a62c50725d1c13f70559dd2ab4ccbc5f333da3c269bb54861de08c5d (17) Message-Authenticator = 0x00000000000000000000000000000000 (17) State = 0x13b4f8c81461e10caef2d3fb04d37962 (17) Finished request Waking up in 4.8 seconds. (18) Received Access-Request Id 18 from X.X.X.X:51991 to X.X.X.X:1812 length 371 (18) User-Name = "robert_plestenjak" (18) NAS-IP-Address = X.X.X.X (18) Called-Station-Id = "82-15-44-A9-EB-44:Blubber" (18) NAS-Port-Type = Wireless-802.11 (18) Service-Type = Framed-User (18) Calling-Station-Id = "18-F0-E4-3B-AA-02" (18) Connect-Info = "CONNECT 54.00 Mbps, 802.11n, RSSI: 44, Channel: 1" (18) Acct-Session-Id = "6325D4B9D8CD9D01" (18) Acct-Multi-Session-Id = "33B691AA5B968946" (18) WLAN-Pairwise-Cipher = 1027076 (18) WLAN-Group-Cipher = 1027076 (18) WLAN-AKM-Suite = 1027073 (18) Meraki-Device-Name = "olai" (18) Framed-MTU = 1400 (18) EAP-Message = 0x02d5006b1900170303006000000000000000020c47825d8d203487343c1cb7cf937baaa3da3ec65947d11d4899785cfde46b828ddf938c7d8be000eeaa66195bd54d33f0cac081834d0215acdfd165302a9c12f09e8c2df780ccda3057bcbf23228b4b9817ae6a78a96c2c (18) State = 0x13b4f8c81461e10caef2d3fb04d37962 (18) Message-Authenticator = 0x542d7969f2658b6f35989a19866db2dc (18) session-state: No cached attributes (18) # Executing section authorize from file /etc/raddb/sites-enabled/default (18) authorize { (18) policy filter_username { (18) if (&User-Name) { (18) if (&User-Name) -> TRUE (18) if (&User-Name) { (18) if (&User-Name =~ / /) { (18) if (&User-Name =~ / /) -> FALSE (18) if (&User-Name =~ /@[^@]*@/ ) { (18) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (18) if (&User-Name =~ /\.\./ ) { (18) if (&User-Name =~ /\.\./ ) -> FALSE (18) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (18) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (18) if (&User-Name =~ /\.$/) { (18) if (&User-Name =~ /\.$/) -> FALSE (18) if (&User-Name =~ /@\./) { (18) if (&User-Name =~ /@\./) -> FALSE (18) } # if (&User-Name) = notfound (18) } # policy filter_username = notfound (18) [preprocess] = ok (18) [chap] = noop (18) [mschap] = noop (18) [digest] = noop (18) suffix: Checking for suffix after "@" (18) suffix: No '@' in User-Name = "robert_plestenjak", looking up realm NULL (18) suffix: No such realm "NULL" (18) [suffix] = noop (18) eap: Peer sent EAP Response (code 2) ID 213 length 107 (18) eap: Continuing tunnel setup (18) [eap] = ok (18) } # authorize = ok (18) Found Auth-Type = eap (18) # Executing group from file /etc/raddb/sites-enabled/default (18) authenticate { (18) eap: Expiring EAP session with state 0x8f45c9568f90d385 (18) eap: Finished EAP session with state 0x13b4f8c81461e10c (18) eap: Previous EAP request found for state 0x13b4f8c81461e10c, released from the list (18) eap: Peer sent packet with method EAP PEAP (25) (18) eap: Calling submodule eap_peap to process data (18) eap_peap: Continuing EAP-TLS (18) eap_peap: [eaptls verify] = ok (18) eap_peap: Done initial handshake (18) eap_peap: [eaptls process] = ok (18) eap_peap: Session established. Decoding tunneled attributes (18) eap_peap: PEAP state phase2 (18) eap_peap: EAP method MSCHAPv2 (26) (18) eap_peap: Got tunneled request (18) eap_peap: EAP-Message = 0x02d5004c1a02d5004731d8d694eb0e711635a2a5c6d011d44414000000000000000080648d3803f60d505ec6b8f76843d49dd4a6a7854eee97fa00726f626572745f706c657374656e6a616b (18) eap_peap: Setting User-Name to robert_plestenjak (18) eap_peap: Sending tunneled request to inner-tunnel (18) eap_peap: EAP-Message = 0x02d5004c1a02d5004731d8d694eb0e711635a2a5c6d011d44414000000000000000080648d3803f60d505ec6b8f76843d49dd4a6a7854eee97fa00726f626572745f706c657374656e6a616b (18) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (18) eap_peap: User-Name = "robert_plestenjak" (18) eap_peap: State = 0x8f45c9568f90d3857e52bda50653607d (18) Virtual server inner-tunnel received request (18) EAP-Message = 0x02d5004c1a02d5004731d8d694eb0e711635a2a5c6d011d44414000000000000000080648d3803f60d505ec6b8f76843d49dd4a6a7854eee97fa00726f626572745f706c657374656e6a616b (18) FreeRADIUS-Proxied-To = 127.0.0.1 (18) User-Name = "robert_plestenjak" (18) State = 0x8f45c9568f90d3857e52bda50653607d (18) WARNING: Outer and inner identities are the same. User privacy is compromised. (18) server inner-tunnel { (18) session-state: No cached attributes (18) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel (18) authorize { (18) policy filter_username { (18) if (&User-Name) { (18) if (&User-Name) -> TRUE (18) if (&User-Name) { (18) if (&User-Name =~ / /) { (18) if (&User-Name =~ / /) -> FALSE (18) if (&User-Name =~ /@[^@]*@/ ) { (18) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (18) if (&User-Name =~ /\.\./ ) { (18) if (&User-Name =~ /\.\./ ) -> FALSE (18) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (18) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (18) if (&User-Name =~ /\.$/) { (18) if (&User-Name =~ /\.$/) -> FALSE (18) if (&User-Name =~ /@\./) { (18) if (&User-Name =~ /@\./) -> FALSE (18) } # if (&User-Name) = notfound (18) } # policy filter_username = notfound (18) [chap] = noop (18) [mschap] = noop (18) suffix: Checking for suffix after "@" (18) suffix: No '@' in User-Name = "robert_plestenjak", looking up realm NULL (18) suffix: No such realm "NULL" (18) [suffix] = noop (18) update control { (18) &Proxy-To-Realm := LOCAL (18) } # update control = noop (18) eap: Peer sent EAP Response (code 2) ID 213 length 76 (18) eap: No EAP Start, assuming it's an on-going EAP conversation (18) [eap] = updated (18) [files] = noop rlm_ldap (ldap): Reserved connection (3) (18) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (18) ldap: --> (uid=robert_plestenjak) (18) ldap: Performing search in "dc=xlab,dc=si" with filter "(uid=robert_plestenjak)", scope "sub" (18) ldap: Waiting for search result... (18) ldap: User object found at DN "cn=Robert Plestenjak,ou=people,ou=xlab-research,dc=xlab,dc=si" (18) ldap: Processing user attributes (18) ldap: control:Password-With-Header += 'XXX' rlm_ldap (ldap): Released connection (3) (18) [ldap] = updated (18) [expiration] = noop (18) [logintime] = noop (18) pap: No {...} in Password-With-Header, re-writing to Cleartext-Password (18) pap: Removing &control:Password-With-Header (18) pap: WARNING: Auth-Type already set. Not setting to PAP (18) [pap] = noop (18) } # authorize = updated (18) Found Auth-Type = eap (18) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (18) authenticate { (18) eap: Expiring EAP session with state 0x8f45c9568f90d385 (18) eap: Finished EAP session with state 0x8f45c9568f90d385 (18) eap: Previous EAP request found for state 0x8f45c9568f90d385, released from the list (18) eap: Peer sent packet with method EAP MSCHAPv2 (26) (18) eap: Calling submodule eap_mschapv2 to process data (18) eap_mschapv2: # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (18) eap_mschapv2: authenticate { (18) mschap: Found Cleartext-Password, hashing to create NT-Password (18) mschap: Found Cleartext-Password, hashing to create LM-Password (18) mschap: Creating challenge hash with username: robert_plestenjak (18) mschap: Client is using MS-CHAPv2 (18) mschap: ERROR: MS-CHAP2-Response is incorrect (18) [mschap] = reject (18) } # authenticate = reject (18) eap: Sending EAP Failure (code 4) ID 213 length 4 (18) eap: Freeing handler (18) [eap] = reject (18) } # authenticate = reject (18) Failed to authenticate the user (18) Using Post-Auth-Type Reject (18) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (18) Post-Auth-Type REJECT { (18) attr_filter.access_reject: EXPAND %{User-Name} (18) attr_filter.access_reject: --> robert_plestenjak (18) attr_filter.access_reject: Matched entry DEFAULT at line 11 (18) [attr_filter.access_reject] = updated (18) update outer.session-state { (18) &Module-Failure-Message := &request:Module-Failure-Message -> 'mschap: MS-CHAP2-Response is incorrect' (18) } # update outer.session-state = noop (18) } # Post-Auth-Type REJECT = updated (18) } # server inner-tunnel (18) Virtual server sending reply (18) MS-CHAP-Error = "\325E=691 R=1 C=2ca3a2ed3d4ef46ebff14aded477265f V=3 M=Authentication failed" (18) EAP-Message = 0x04d50004 (18) Message-Authenticator = 0x00000000000000000000000000000000 (18) eap_peap: Got tunneled reply code 3 (18) eap_peap: MS-CHAP-Error = "\325E=691 R=1 C=2ca3a2ed3d4ef46ebff14aded477265f V=3 M=Authentication failed" (18) eap_peap: EAP-Message = 0x04d50004 (18) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (18) eap_peap: Got tunneled reply RADIUS code 3 (18) eap_peap: MS-CHAP-Error = "\325E=691 R=1 C=2ca3a2ed3d4ef46ebff14aded477265f V=3 M=Authentication failed" (18) eap_peap: EAP-Message = 0x04d50004 (18) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (18) eap_peap: Tunneled authentication was rejected (18) eap_peap: FAILURE (18) eap: Sending EAP Request (code 1) ID 214 length 46 (18) eap: EAP session adding &reply:State = 0x13b4f8c81b62e10c (18) [eap] = handled (18) } # authenticate = handled (18) Using Post-Auth-Type Challenge (18) # Executing group from file /etc/raddb/sites-enabled/default (18) Challenge { ... } # empty sub-section is ignored (18) session-state: Saving cached attributes (18) Module-Failure-Message := "mschap: MS-CHAP2-Response is incorrect" (18) Sent Access-Challenge Id 18 from X.X.X.X:1812 to X.X.X.X:51991 length 0 (18) EAP-Message = 0x01d6002e19001703030023c4d6cba0b48752b7f8f87842178ba52177865f6c1cef5524f872ed8897901cb80d3a00 (18) Message-Authenticator = 0x00000000000000000000000000000000 (18) State = 0x13b4f8c81b62e10caef2d3fb04d37962 (18) Finished request Waking up in 4.8 seconds. (19) Received Access-Request Id 19 from X.X.X.X:51991 to X.X.X.X:1812 length 310 (19) User-Name = "robert_plestenjak" (19) NAS-IP-Address = X.X.X.X (19) Called-Station-Id = "82-15-44-A9-EB-44:Blubber" (19) NAS-Port-Type = Wireless-802.11 (19) Service-Type = Framed-User (19) Calling-Station-Id = "18-F0-E4-3B-AA-02" (19) Connect-Info = "CONNECT 54.00 Mbps, 802.11n, RSSI: 44, Channel: 1" (19) Acct-Session-Id = "6325D4B9D8CD9D01" (19) Acct-Multi-Session-Id = "33B691AA5B968946" (19) WLAN-Pairwise-Cipher = 1027076 (19) WLAN-Group-Cipher = 1027076 (19) WLAN-AKM-Suite = 1027073 (19) Meraki-Device-Name = "olai" (19) Framed-MTU = 1400 (19) EAP-Message = 0x02d6002e19001703030023000000000000000308fa96363a074f0d6a71b51ac3f369d6bb554270c5c198b63ca951 (19) State = 0x13b4f8c81b62e10caef2d3fb04d37962 (19) Message-Authenticator = 0xb04cbd1a88e53186c391121c6b9f62b1 (19) Restoring &session-state (19) &session-state:Module-Failure-Message := "mschap: MS-CHAP2-Response is incorrect" (19) # Executing section authorize from file /etc/raddb/sites-enabled/default (19) authorize { (19) policy filter_username { (19) if (&User-Name) { (19) if (&User-Name) -> TRUE (19) if (&User-Name) { (19) if (&User-Name =~ / /) { (19) if (&User-Name =~ / /) -> FALSE (19) if (&User-Name =~ /@[^@]*@/ ) { (19) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (19) if (&User-Name =~ /\.\./ ) { (19) if (&User-Name =~ /\.\./ ) -> FALSE (19) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (19) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (19) if (&User-Name =~ /\.$/) { (19) if (&User-Name =~ /\.$/) -> FALSE (19) if (&User-Name =~ /@\./) { (19) if (&User-Name =~ /@\./) -> FALSE (19) } # if (&User-Name) = notfound (19) } # policy filter_username = notfound (19) [preprocess] = ok (19) [chap] = noop (19) [mschap] = noop (19) [digest] = noop (19) suffix: Checking for suffix after "@" (19) suffix: No '@' in User-Name = "robert_plestenjak", looking up realm NULL (19) suffix: No such realm "NULL" (19) [suffix] = noop (19) eap: Peer sent EAP Response (code 2) ID 214 length 46 (19) eap: Continuing tunnel setup (19) [eap] = ok (19) } # authorize = ok (19) Found Auth-Type = eap (19) # Executing group from file /etc/raddb/sites-enabled/default (19) authenticate { (19) eap: Expiring EAP session with state 0x13b4f8c81b62e10c (19) eap: Finished EAP session with state 0x13b4f8c81b62e10c (19) eap: Previous EAP request found for state 0x13b4f8c81b62e10c, released from the list (19) eap: Peer sent packet with method EAP PEAP (25) (19) eap: Calling submodule eap_peap to process data (19) eap_peap: Continuing EAP-TLS (19) eap_peap: [eaptls verify] = ok (19) eap_peap: Done initial handshake (19) eap_peap: [eaptls process] = ok (19) eap_peap: Session established. Decoding tunneled attributes (19) eap_peap: PEAP state send tlv failure (19) eap_peap: Received EAP-TLV response (19) eap_peap: ERROR: The users session was previously rejected: returning reject (again.) (19) eap_peap: This means you need to read the PREVIOUS messages in the debug output (19) eap_peap: to find out the reason why the user was rejected (19) eap_peap: Look for "reject" or "fail". Those earlier messages will tell you (19) eap_peap: what went wrong, and how to fix the problem (19) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed (19) eap: Sending EAP Failure (code 4) ID 214 length 4 (19) eap: Failed in EAP select (19) [eap] = invalid (19) } # authenticate = invalid (19) Failed to authenticate the user (19) Using Post-Auth-Type Reject (19) # Executing group from file /etc/raddb/sites-enabled/default (19) Post-Auth-Type REJECT { (19) attr_filter.access_reject: EXPAND %{User-Name} (19) attr_filter.access_reject: --> robert_plestenjak (19) attr_filter.access_reject: Matched entry DEFAULT at line 11 (19) [attr_filter.access_reject] = updated (19) [eap] = noop (19) policy remove_reply_message_if_eap { (19) if (&reply:EAP-Message && &reply:Reply-Message) { (19) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (19) else { (19) [noop] = noop (19) } # else = noop (19) } # policy remove_reply_message_if_eap = noop (19) } # Post-Auth-Type REJECT = updated (19) Delaying response for 1.000000 seconds Waking up in 0.6 seconds. Waking up in 0.3 seconds. (19) Sending delayed response (19) Sent Access-Reject Id 19 from X.X.X.X:1812 to X.X.X.X:51991 length 44 (19) EAP-Message = 0x04d60004 (19) Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.8 seconds. (10) Cleaning up request packet ID 10 with timestamp +25 (11) Cleaning up request packet ID 11 with timestamp +25 (12) Cleaning up request packet ID 12 with timestamp +25 (13) Cleaning up request packet ID 13 with timestamp +25 (14) Cleaning up request packet ID 14 with timestamp +25 (15) Cleaning up request packet ID 15 with timestamp +25 (16) Cleaning up request packet ID 16 with timestamp +25 (17) Cleaning up request packet ID 17 with timestamp +25 (18) Cleaning up request packet ID 18 with timestamp +25 (19) Cleaning up request packet ID 19 with timestamp +25 Ready to process requests
On Mar 28, 2018, at 9:07 AM, Robert Plestenjak <robert.plestenjak@xlab.si> wrote:
I'm trying to set up authentication over PEAP-MSCHAPv2. In LDAP I have NTLM-hashed passwords Version is 3.0.13 from CentOS 7 repository.
Testing with radtest is successful:
We don't need to see the output of radtest. See http://wiki.freeradius.org/list-help
When I test with Wifi (Cisco Meraki), it fails:
Reading the debug output helps. As the Wiki page shows, look for ERROR or WARNING. It's that simple.
... (18) ldap: Performing search in "dc=xlab,dc=si" with filter "(uid=robert_plestenjak)", scope "sub" (18) ldap: Waiting for search result... (18) ldap: User object found at DN "cn=Robert Plestenjak,ou=people,ou=xlab-research,dc=xlab,dc=si" (18) ldap: Processing user attributes (18) ldap: control:Password-With-Header += 'XXX'
Which should be your "known good" password. I presume you've read the debug output enough to see the password and edit it. Why not keep reading it?
... (18) mschap: Found Cleartext-Password, hashing to create NT-Password (18) mschap: Found Cleartext-Password, hashing to create LM-Password (18) mschap: Creating challenge hash with username: robert_plestenjak (18) mschap: Client is using MS-CHAPv2 (18) mschap: ERROR: MS-CHAP2-Response is incorrect
That's pretty clear. You entered the wrong password on the client. Alan DeKok.
In LDAP I have LM hashed passwords (LM-Password) and radtest with PAP auth metod is successful, but when I switch to MSCHAP it fails. So the problem is probably that clients (radtest, ...) sends NTLM hashes (NT-Password)? On Mar 28, 2018, at 9:07 AM, Robert Plestenjak <robert.plestenjak@xlab.si> wrote:
I'm trying to set up authentication over PEAP-MSCHAPv2. In LDAP I have NTLM-hashed passwords Version is 3.0.13 from CentOS 7 repository.
Testing with radtest is successful:
We don't need to see the output of radtest. See http://wiki.freeradius.org/list-help
When I test with Wifi (Cisco Meraki), it fails:
Reading the debug output helps. As the Wiki page shows, look for ERROR or WARNING. It's that simple.
... (18) ldap: Performing search in "dc=xlab,dc=si" with filter "(uid=robert_plestenjak)", scope "sub" (18) ldap: Waiting for search result... (18) ldap: User object found at DN "cn=Robert Plestenjak,ou=people,ou=xlab-research,dc=xlab,dc=si" (18) ldap: Processing user attributes (18) ldap: control:Password-With-Header += 'XXX'
Which should be your "known good" password. I presume you've read the debug output enough to see the password and edit it. Why not keep reading it?
... (18) mschap: Found Cleartext-Password, hashing to create NT-Password (18) mschap: Found Cleartext-Password, hashing to create LM-Password (18) mschap: Creating challenge hash with username: robert_plestenjak (18) mschap: Client is using MS-CHAPv2 (18) mschap: ERROR: MS-CHAP2-Response is incorrect
That's pretty clear. You entered the wrong password on the client. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Tested by replacing LM-hased password in LDAP with NT-hased and it works. [root@x-radius ~]# smbencrypt password LM Hash NT Hash -------------------------------- -------------------------------- E52CAC67419A9A224A3B108F3FA6CB6D 8846F7EAEE8FB117AD06BDD830B7586C
On Mar 29, 2018, at 3:51 AM, Robert Plestenjak <robert.plestenjak@xlab.si> wrote:
In LDAP I have LM hashed passwords (LM-Password) and radtest with PAP auth metod is successful, but when I switch to MSCHAP it fails.
So the problem is probably that clients (radtest, ...) sends NTLM hashes (NT-Password)?
Yes. You should NEVER us LM hashes for ANYTHING. They were insecure, and deprecated 20 years ago. Delete all LM hashes from your database, and you will be better off. Alan DeKok.
Problem solved. Besides LM-hashed password field (legacy reasons) in our LDAP server, we now also have NT-hashed one. Thanks
participants (2)
-
Alan DeKok -
Robert Plestenjak