Hello, I have a little problem with auth in Windows AD by using userPrincipalName (using samAccountName works fine). In mschap file i have: ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{User-Name}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" and ldap file: filter = "(userPrincipalName=%{%{Stripped-User-Name}:-%{User-Name}})" In debug I see: rad_recv: Access-Request packet from host 10.65.100.41 port 32775, id=207, length=318 User-Name = "aa.aa@stud.wcc.domain.pl" Chargeable-User-Identity = "" Location-Capable = Civix-Location Calling-Station-Id = "b4-74-9f-ea-2a-1e" Called-Station-Id = "54-78-1a-5f-08-e0:RADIUS-TEST" NAS-Port = 2 Cisco-AVPair = "audit-session-id=0a41642900000d4a57628ef2" Acct-Session-Id = "57628ef2/b4:74:9f:ea:2a:1e/3674" NAS-IP-Address = 10.65.100.41 NAS-Identifier = "WLC-1-wcc-Mat13-MDF-1" Airespace-Wlan-Id = 4 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "216" EAP-Message = 0x0203001d0161612e616140737475642e6173702e6b72616b6f772e706c Message-Authenticator = 0x398163ea5774aa56b4a9a5bb7f1ec443 # Executing section authorize from file /etc/freeradius-eduroam//sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [eap] EAP packet type response id 3 length 29 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [ldap] Entering ldap_groupcmp() [files] expand: dc=wcc,dc=local -> dc=wcc,dc=local [files] expand: %{Stripped-User-Name} -> [files] ... expanding second conditional [files] expand: %{User-Name} -> aa.aa@stud.wcc.domain.pl [files] expand: (userPrincipalName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (userPrincipalName=aa.aa@stud.wcc.domain.pl) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] attempting LDAP reconnection [ldap] (re)connect to pdc.wcc.local:389, authentication 0 [ldap] bind as cn=freeradius,ou=Services,dc=wcc,dc=local/rad--wcc--02 to pdc.wcc.local:389 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] performing search in dc=wcc,dc=local, with filter (userPrincipalName=aa.aa@stud.wcc.domain.pl) [ldap] ldap_release_conn: Release Id: 0 [files] expand: (|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=CN\3daa aa\2cCN\3dUsers\2cDC\3dwcc\2cDC\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3daa aa\2cCN\3dUsers\2cDC\3dwcc\2cDC\3dlocal))) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in dc=wcc,dc=local, with filter (&(cn=workers)(|(&(objectClass=GroupOfNames)(member=CN\3daa aa\2cCN\3dUsers\2cDC\3dwcc\2cDC\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3daa aa\2cCN\3dUsers\2cDC\3dwcc\2cDC\3dlocal)))) [ldap] object not found [ldap] ldap_release_conn: Release Id: 0 [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in CN=aa aa,CN=Users,DC=wcc,DC=local, with filter (objectclass=*) [ldap] performing search in CN=students,CN=Users,DC=wcc,DC=local, with filter (cn=workers) [ldap] object not found rlm_ldap::groupcmp: Group workers not found or user not a member [ldap] ldap_release_conn: Release Id: 0 [ldap] Entering ldap_groupcmp() [files] expand: dc=wcc,dc=local -> dc=wcc,dc=local [files] expand: (|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=CN\3daa aa\2cCN\3dUsers\2cDC\3dwcc\2cDC\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3daa aa\2cCN\3dUsers\2cDC\3dwcc\2cDC\3dlocal))) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in dc=wcc,dc=local, with filter (&(cn=students)(|(&(objectClass=GroupOfNames)(member=CN\3daa aa\2cCN\3dUsers\2cDC\3dwcc\2cDC\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3daa aa\2cCN\3dUsers\2cDC\3dwcc\2cDC\3dlocal)))) [ldap] object not found [ldap] ldap_release_conn: Release Id: 0 [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in CN=aa aa,CN=Users,DC=wcc,DC=local, with filter (objectclass=*) [ldap] performing search in CN=students,CN=Users,DC=wcc,DC=local, with filter (cn=students) rlm_ldap::ldap_groupcmp: User found in group students [ldap] ldap_release_conn: Release Id: 0 [files] users: Matched entry DEFAULT at line 8 ++[files] returns ok [ldap] performing user authorization for aa.aa@stud.wcc.domain.pl [ldap] expand: %{Stripped-User-Name} -> [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> aa.aa@stud.wcc.domain.pl [ldap] expand: (userPrincipalName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (userPrincipalName=aa.aa@stud.wcc.domain.pl) [ldap] expand: dc=wcc,dc=local -> dc=wcc,dc=local [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in dc=wcc,dc=local, with filter (userPrincipalName=aa.aa@stud.wcc.domain.pl) [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] looking for reply items in directory... [ldap] sAMAccountName -> AD-Samaccountname = "s87030702814" WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] user aa.aa@stud.wcc.domain.pl authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius-eduroam//sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type md5 rlm_eap_md5: Issuing Challenge ++[eap] returns handled Sending Access-Challenge of id 207 to 10.65.100.41 port 32775 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 := "216" EAP-Message = 0x01040016041018835bd878d0921cb20627ef9ffb1eac Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe4e07f21e4e47b7995348cff618d76b9 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.65.100.41 port 32775, id=208, length=313 User-Name = "aa.aa@stud.wcc.domain.pl" Chargeable-User-Identity = "" Location-Capable = Civix-Location Calling-Station-Id = "b4-74-9f-ea-2a-1e" Called-Station-Id = "54-78-1a-5f-08-e0:RADIUS-TEST" NAS-Port = 2 Cisco-AVPair = "audit-session-id=0a41642900000d4a57628ef2" Acct-Session-Id = "57628ef2/b4:74:9f:ea:2a:1e/3674" NAS-IP-Address = 10.65.100.41 NAS-Identifier = "WLC-1-wcc-Mat13-MDF-1" Airespace-Wlan-Id = 4 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "216" EAP-Message = 0x020400060319 State = 0xe4e07f21e4e47b7995348cff618d76b9 Message-Authenticator = 0xee09ae2d1c397db4c44fa8ef0ada48ae # Executing section authorize from file /etc/freeradius-eduroam//sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [eap] EAP packet type response id 4 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [ldap] Entering ldap_groupcmp() [files] expand: dc=wcc,dc=local -> dc=wcc,dc=local [files] expand: %{Stripped-User-Name} -> [files] ... expanding second conditional [files] expand: %{User-Name} -> aa.aa@stud.wcc.domain.pl [files] expand: (userPrincipalName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (userPrincipalName=aa.aa@stud.wcc.domain.pl) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in dc=wcc,dc=local, with filter (userPrincipalName=aa.aa@stud.wcc.domain.pl) [ldap] ldap_release_conn: Release Id: 0 [files] expand: (|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=CN\3daa aa\2cCN\3dUsers\2cDC\3dwcc\2cDC\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3daa aa\2cCN\3dUsers\2cDC\3dwcc\2cDC\3dlocal))) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in dc=wcc,dc=local, with filter (&(cn=workers)(|(&(objectClass=GroupOfNames)(member=CN\3daa aa\2cCN\3dUsers\2cDC\3dwcc\2cDC\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3daa aa\2cCN\3dUsers\2cDC\3dwcc\2cDC\3dlocal)))) [ldap] object not found [ldap] ldap_release_conn: Release Id: 0 [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in CN=aa aa,CN=Users,DC=wcc,DC=local, with filter (objectclass=*) [ldap] performing search in CN=students,CN=Users,DC=wcc,DC=local, with filter (cn=workers) [ldap] object not found rlm_ldap::groupcmp: Group workers not found or user not a member [ldap] ldap_release_conn: Release Id: 0 [ldap] Entering ldap_groupcmp() [files] expand: dc=wcc,dc=local -> dc=wcc,dc=local [files] expand: (|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=CN\3daa aa\2cCN\3dUsers\2cDC\3dwcc\2cDC\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3daa aa\2cCN\3dUsers\2cDC\3dwcc\2cDC\3dlocal))) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in dc=wcc,dc=local, with filter (&(cn=students)(|(&(objectClass=GroupOfNames)(member=CN\3daa aa\2cCN\3dUsers\2cDC\3dwcc\2cDC\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3daa aa\2cCN\3dUsers\2cDC\3dwcc\2cDC\3dlocal)))) [ldap] object not found [ldap] ldap_release_conn: Release Id: 0 [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in CN=aa aa,CN=Users,DC=wcc,DC=local, with filter (objectclass=*) [ldap] performing search in CN=students,CN=Users,DC=wcc,DC=local, with filter (cn=students) rlm_ldap::ldap_groupcmp: User found in group students [ldap] ldap_release_conn: Release Id: 0 [files] users: Matched entry DEFAULT at line 8 ++[files] returns ok [ldap] performing user authorization for aa.aa@stud.wcc.domain.pl [ldap] expand: %{Stripped-User-Name} -> [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> aa.aa@stud.wcc.domain.pl [ldap] expand: (userPrincipalName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (userPrincipalName=aa.aa@stud.wcc.domain.pl) [ldap] expand: dc=wcc,dc=local -> dc=wcc,dc=local [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in dc=wcc,dc=local, with filter (userPrincipalName=aa.aa@stud.wcc.domain.pl) [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] looking for reply items in directory... [ldap] sAMAccountName -> AD-Samaccountname = "s87030702814" WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] user aa.aa@stud.wcc.domain.pl authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius-eduroam//sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP NAK [eap] EAP-NAK asked for EAP-Type/peap [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 208 to 10.65.100.41 port 32775 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 := "216" EAP-Message = 0x010500061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe4e07f21e5e5667995348cff618d76b9 Finished request 1. Going to the next request Waking up in 3.9 seconds. rad_recv: Access-Request packet from host 10.65.100.41 port 32775, id=209, length=429 User-Name = "aa.aa@stud.wcc.domain.pl" Chargeable-User-Identity = "" Location-Capable = Civix-Location Calling-Station-Id = "b4-74-9f-ea-2a-1e" Called-Station-Id = "54-78-1a-5f-08-e0:RADIUS-TEST" NAS-Port = 2 Cisco-AVPair = "audit-session-id=0a41642900000d4a57628ef2" Acct-Session-Id = "57628ef2/b4:74:9f:ea:2a:1e/3674" NAS-IP-Address = 10.65.100.41 NAS-Identifier = "WLC-1-wcc-Mat13-MDF-1" Airespace-Wlan-Id = 4 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "216" EAP-Message = 0x0205007a198000000070160301006b01000067030157628ed30f67b761e282d085d72f59adfd847fc69ee371cc28ea1f91446a23bc000018c014c0130035002fc00ac00900380032000a00130005000401000026000500050100000000000a0006000400170018000b000201000023000000170000ff01000100 State = 0xe4e07f21e5e5667995348cff618d76b9 Message-Authenticator = 0xcf052b361d54c7fb8dbea484cc3bd8de # Executing section authorize from file /etc/freeradius-eduroam//sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [eap] EAP packet type response id 5 length 122 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius-eduroam//sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 112 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 006b], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 0039], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 078d], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 00cb], ServerKeyExchange [peap] TLS_accept: SSLv3 write key exchange A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 209 to 10.65.100.41 port 32775 EAP-Message = 0x0106040019c0000008a9160301003902000035030157628ef51c8afd7fb1a076f303a422ca51d2b0b157bfe72a963d0b55b3ff1f5c00c01400000dff01000100000b000403000102160301078d0b00078900078600031d3082031930820282a00302010202020a24300d06092a864886f70d01010505003081d1310b300906035504061302504c311330110603550408130a4d616c6f706f6c736b61310f300d060355040713064b72616b6f77313c303a060355040a1333416b6164656d696120537a74756b205069656b6e79636820696d2e204a616e61204d6174656a6b692077204b72616b6f77696531133011060355040b130a415350204b7261 EAP-Message = 0x6b6f77312830260603550403131f43656e7472756d20436572747966696b61636a6920415350204b72616b6f77311f301d06092a864886f70d01090116106361406173702e6b72616b6f772e706c301e170d3132313133303037333035335a170d3137313130343037333035335a3081b8310b300906035504061302504c311330110603550408130a4d616c6f706f6c736b61313c303a060355040a1333416b6164656d696120537a74756b205069656b6e79636820696d2e204a616e61204d6174656a6b692077204b72616b6f77696531133011060355040b130a415350204b72616b6f77311d301b060355040313147261646975732e6173702e6b EAP-Message = 0x72616b6f772e706c3122302006092a864886f70d01090116137261647573406173702e6b72616b6f772e706c30819f300d06092a864886f70d010101050003818d0030818902818100d104dba6ea4dcc1f522aeb1ef52a86ea70daff5728a5f3dcecbc1f3dcbd8a3b840919e4d9eee002ec9bcfc9adfc3030050b8bcfc0f414e11877289a6626075c1664b411ea67703a64a8510ebdec3a85d2c5afdc5853a3039abdf0ba901165ba55ea3012dade844a9cb0780dafba5610ca856e0adea76dc942ee56d2c7b1d40a50203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d010105050003818100c722e8 EAP-Message = 0x55a3fa1f28f8c936f5d92f075c229f043ef9e11442d330ff17008ced8eb9330d3dd78a33bf318996cb00b95fcb15e56efcf114dbedb041c8b9931c5ed9e4820d9d026677d869e8e65f484dd83dab13036f1b2593424245117da396e0ae30184dc39de0f290490955998c5627f12f874c74211a9fd17435bc2d32529f240004633082045f308203c8a00302010202090085c7c43a6326f0ab300d06092a864886f70d01010505003081d1310b300906035504061302504c311330110603550408130a4d616c6f706f6c736b61310f300d060355040713064b72616b6f77313c303a060355040a1333416b6164656d696120537a74756b205069656b6e79 EAP-Message = 0x636820696d2e204a616e6120 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe4e07f21e6e6667995348cff618d76b9 Finished request 2. Going to the next request Waking up in 3.9 seconds. rad_recv: Access-Request packet from host 10.65.100.41 port 32775, id=210, length=313 User-Name = "aa.aa@stud.wcc.domain.pl" Chargeable-User-Identity = "" Location-Capable = Civix-Location Calling-Station-Id = "b4-74-9f-ea-2a-1e" Called-Station-Id = "54-78-1a-5f-08-e0:RADIUS-TEST" NAS-Port = 2 Cisco-AVPair = "audit-session-id=0a41642900000d4a57628ef2" Acct-Session-Id = "57628ef2/b4:74:9f:ea:2a:1e/3674" NAS-IP-Address = 10.65.100.41 NAS-Identifier = "WLC-1-wcc-Mat13-MDF-1" Airespace-Wlan-Id = 4 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "216" EAP-Message = 0x020600061900 State = 0xe4e07f21e6e6667995348cff618d76b9 Message-Authenticator = 0x00d087c8c9b2868d9b3d87e1cc5bcce0 # Executing section authorize from file /etc/freeradius-eduroam//sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [eap] EAP packet type response id 6 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius-eduroam//sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 210 to 10.65.100.41 port 32775 EAP-Message = 0x010703fc19404d6174656a6b692077204b72616b6f77696531133011060355040b130a415350204b72616b6f77312830260603550403131f43656e7472756d20436572747966696b61636a6920415350204b72616b6f77311f301d06092a864886f70d01090116106361406173702e6b72616b6f772e706c301e170d3131313133303131313431325a170d3331303831373131313431325a3081d1310b300906035504061302504c311330110603550408130a4d616c6f706f6c736b61310f300d060355040713064b72616b6f77313c303a060355040a1333416b6164656d696120537a74756b205069656b6e79636820696d2e204a616e61204d6174 EAP-Message = 0x656a6b692077204b72616b6f77696531133011060355040b130a415350204b72616b6f77312830260603550403131f43656e7472756d20436572747966696b61636a6920415350204b72616b6f77311f301d06092a864886f70d01090116106361406173702e6b72616b6f772e706c30819f300d06092a864886f70d010101050003818d0030818902818100fb2478b3fd733307f8bf3790b6b4c2ceed0cf07b15c6e2efbfb96b0a8f443abccfac270016fcc6d35950019c0e348b79fc97cebc3f1c698fb02f4e2f782b300b3f0b538e746d3a73006eacbec068cfc328acb96b3e0ceb89e1495ebd82891049de3efaa20cf28545a5a7975ba56f8e50aa EAP-Message = 0x1b0d750d85d4484ecfee6d1b11e5390203010001a382013b30820137301d0603551d0e041604141677035f5e86f248944b24b93a5292e9568b1dc8308201060603551d230481fe3081fb80141677035f5e86f248944b24b93a5292e9568b1dc8a181d7a481d43081d1310b300906035504061302504c311330110603550408130a4d616c6f706f6c736b61310f300d060355040713064b72616b6f77313c303a060355040a1333416b6164656d696120537a74756b205069656b6e79636820696d2e204a616e61204d6174656a6b692077204b72616b6f77696531133011060355040b130a415350204b72616b6f77312830260603550403131f43656e EAP-Message = 0x7472756d20436572747966696b61636a6920415350204b72616b6f77311f301d06092a864886f70d01090116106361406173702e6b72616b6f772e706c82090085c7c43a6326f0ab300c0603551d13040530030101ff300d06092a864886f70d010105050003818100d1e891bba4b193f5695ec8b356834e9f65245c68012ad88452e406ec3eb8d11119925ad0283664476e78d00dd6395c62971acffcdf869907be7c9221bfb0c8801a17f00904f354801c6a564b12c99692a3608e68688e33f114e702aaef01871570ac4426bc8e35a8c9dff188f1752506d9f458b32ba311568d7ac64e303a042e16030100cb0c0000c70300174104d035cf0e22d5 EAP-Message = 0xb2c02889833be395 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe4e07f21e7e7667995348cff618d76b9 Finished request 3. Going to the next request Waking up in 3.9 seconds. rad_recv: Access-Request packet from host 10.65.100.41 port 32775, id=211, length=313 User-Name = "aa.aa@stud.wcc.domain.pl" Chargeable-User-Identity = "" Location-Capable = Civix-Location Calling-Station-Id = "b4-74-9f-ea-2a-1e" Called-Station-Id = "54-78-1a-5f-08-e0:RADIUS-TEST" NAS-Port = 2 Cisco-AVPair = "audit-session-id=0a41642900000d4a57628ef2" Acct-Session-Id = "57628ef2/b4:74:9f:ea:2a:1e/3674" NAS-IP-Address = 10.65.100.41 NAS-Identifier = "WLC-1-wcc-Mat13-MDF-1" Airespace-Wlan-Id = 4 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "216" EAP-Message = 0x020700061900 State = 0xe4e07f21e7e7667995348cff618d76b9 Message-Authenticator = 0x01ec9033518a72159b2dea4263cd2b77 # Executing section authorize from file /etc/freeradius-eduroam//sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [eap] EAP packet type response id 7 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius-eduroam//sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 211 to 10.65.100.41 port 32775 EAP-Message = 0x010800c319007d817762afcedcd239ec14513684f7f94d191494faccaa06effad9e58d39820e4f5647daa052abd7e7b49074cbfacb3bd2e1008066b7e15b1e17ba1642140c22bba1027378e36599e026c9eca4b4b3d904e5a5fd45f5751be89edcd9a4c22da741ac95da243fbdb7e39730fd9c50fdd1658591c0bbf771333f4a7cd1eb0105c985cc8df4e627aeca1f02e7b4c713741eb2165d5e181545175e76bf823f6dff2781dea2ee0736037352635b7398d0e7e9b2e157fe16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe4e07f21e0e8667995348cff618d76b9 Finished request 4. Going to the next request Waking up in 3.8 seconds. rad_recv: Access-Request packet from host 10.65.100.41 port 32775, id=212, length=451 User-Name = "aa.aa@stud.wcc.domain.pl" Chargeable-User-Identity = "" Location-Capable = Civix-Location Calling-Station-Id = "b4-74-9f-ea-2a-1e" Called-Station-Id = "54-78-1a-5f-08-e0:RADIUS-TEST" NAS-Port = 2 Cisco-AVPair = "audit-session-id=0a41642900000d4a57628ef2" Acct-Session-Id = "57628ef2/b4:74:9f:ea:2a:1e/3674" NAS-IP-Address = 10.65.100.41 NAS-Identifier = "WLC-1-wcc-Mat13-MDF-1" Airespace-Wlan-Id = 4 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "216" EAP-Message = 0x02080090198000000086160301004610000042410403e7081c98bcda62512f4d203b9f598447197d8eb63d2adbb6a1d31bcaf8637dde11be3ddfb9091e7be0b91c333ce0b1af1f78796a25b5c02df37a0432872eea1403010001011603010030cb2050690622d017ed0a6963816b8b78cc278b9e6b166ef8094a5ae870be8b97a42f70cecc570cf8f43008896dfbbbbf State = 0xe4e07f21e0e8667995348cff618d76b9 Message-Authenticator = 0xa935f4a4d0d32ad7fcda0d8e2660fb83 # Executing section authorize from file /etc/freeradius-eduroam//sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [eap] EAP packet type response id 8 length 144 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius-eduroam//sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 134 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 212 to 10.65.100.41 port 32775 EAP-Message = 0x01090041190014030100010116030100301ed6f53ea85d9c6f1c9486e2141d4a680224a377f835dcc3fcdfbdcafb604c309d2af9bce8e8e9d39ee13f6229050ac8 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe4e07f21e1e9667995348cff618d76b9 Finished request 5. Going to the next request Waking up in 3.8 seconds. rad_recv: Access-Request packet from host 10.65.100.41 port 32775, id=213, length=313 User-Name = "aa.aa@stud.wcc.domain.pl" Chargeable-User-Identity = "" Location-Capable = Civix-Location Calling-Station-Id = "b4-74-9f-ea-2a-1e" Called-Station-Id = "54-78-1a-5f-08-e0:RADIUS-TEST" NAS-Port = 2 Cisco-AVPair = "audit-session-id=0a41642900000d4a57628ef2" Acct-Session-Id = "57628ef2/b4:74:9f:ea:2a:1e/3674" NAS-IP-Address = 10.65.100.41 NAS-Identifier = "WLC-1-wcc-Mat13-MDF-1" Airespace-Wlan-Id = 4 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "216" EAP-Message = 0x020900061900 State = 0xe4e07f21e1e9667995348cff618d76b9 Message-Authenticator = 0x5366466fff4c6b7bcd1d24a6f3d72b0c # Executing section authorize from file /etc/freeradius-eduroam//sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [eap] EAP packet type response id 9 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius-eduroam//sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS [peap] Session established. Decoding tunneled attributes. [peap] Peap state TUNNEL ESTABLISHED ++[eap] returns handled Sending Access-Challenge of id 213 to 10.65.100.41 port 32775 EAP-Message = 0x010a002b19001703010020c623b3d76abff3c81e73899a1eb587af56e8d00f3ad966be957be1a171bb62b3 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe4e07f21e2ea667995348cff618d76b9 Finished request 6. Going to the next request Waking up in 3.8 seconds. rad_recv: Access-Request packet from host 10.65.100.41 port 32775, id=214, length=366 User-Name = "aa.aa@stud.wcc.domain.pl" Chargeable-User-Identity = "" Location-Capable = Civix-Location Calling-Station-Id = "b4-74-9f-ea-2a-1e" Called-Station-Id = "54-78-1a-5f-08-e0:RADIUS-TEST" NAS-Port = 2 Cisco-AVPair = "audit-session-id=0a41642900000d4a57628ef2" Acct-Session-Id = "57628ef2/b4:74:9f:ea:2a:1e/3674" NAS-IP-Address = 10.65.100.41 NAS-Identifier = "WLC-1-wcc-Mat13-MDF-1" Airespace-Wlan-Id = 4 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "216" EAP-Message = 0x020a003b1900170301003062c1068fd1c72ce5d715510b021fb2920d5d8f847a99de6e5dee35df22f834e58116a0458fa2e25ae7f188f891007d34 State = 0xe4e07f21e2ea667995348cff618d76b9 Message-Authenticator = 0x6bf348b944190d74383badd3fd272279 # Executing section authorize from file /etc/freeradius-eduroam//sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [eap] EAP packet type response id 10 length 59 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius-eduroam//sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state WAITING FOR INNER IDENTITY [peap] Identity - aa.aa@stud.wcc.domain.pl [peap] Got inner identity 'aa.aa@stud.wcc.domain.pl' [peap] Setting default EAP type for tunneled EAP session. [peap] Got tunneled request EAP-Message = 0x020a001d0161612e616140737475642e6173702e6b72616b6f772e706c server { [peap] Setting User-Name to aa.aa@stud.wcc.domain.pl Sending tunneled request EAP-Message = 0x020a001d0161612e616140737475642e6173702e6b72616b6f772e706c FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "aa.aa@stud.wcc.domain.pl" Chargeable-User-Identity = "" Location-Capable = Civix-Location Calling-Station-Id = "b4-74-9f-ea-2a-1e" Called-Station-Id = "54-78-1a-5f-08-e0:RADIUS-TEST" NAS-Port = 2 Cisco-AVPair = "audit-session-id=0a41642900000d4a57628ef2" Acct-Session-Id = "57628ef2/b4:74:9f:ea:2a:1e/3674" NAS-IP-Address = 10.65.100.41 NAS-Identifier = "WLC-1-wcc-Mat13-MDF-1" Airespace-Wlan-Id = 4 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "216" server inner-tunnel { # Executing section authorize from file /etc/freeradius-eduroam//sites-enabled/inner-tunnel +- entering group authorize {...} ++[mschap] returns noop ++[control] returns noop [eap] EAP packet type response id 10 length 29 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [ldap] Entering ldap_groupcmp() [files] expand: dc=wcc,dc=local -> dc=wcc,dc=local [files] expand: %{Stripped-User-Name} -> [files] ... expanding second conditional [files] expand: %{User-Name} -> aa.aa@stud.wcc.domain.pl [files] expand: (userPrincipalName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (userPrincipalName=aa.aa@stud.wcc.domain.pl) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in dc=wcc,dc=local, with filter (userPrincipalName=aa.aa@stud.wcc.domain.pl) [ldap] ldap_release_conn: Release Id: 0 [files] expand: (|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=CN\3daa aa\2cCN\3dUsers\2cDC\3dwcc\2cDC\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3daa aa\2cCN\3dUsers\2cDC\3dwcc\2cDC\3dlocal))) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in dc=wcc,dc=local, with filter (&(cn=workers)(|(&(objectClass=GroupOfNames)(member=CN\3daa aa\2cCN\3dUsers\2cDC\3dwcc\2cDC\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3daa aa\2cCN\3dUsers\2cDC\3dwcc\2cDC\3dlocal)))) [ldap] object not found [ldap] ldap_release_conn: Release Id: 0 [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in CN=aa aa,CN=Users,DC=wcc,DC=local, with filter (objectclass=*) [ldap] performing search in CN=students,CN=Users,DC=wcc,DC=local, with filter (cn=workers) [ldap] object not found rlm_ldap::groupcmp: Group workers not found or user not a member [ldap] ldap_release_conn: Release Id: 0 [ldap] Entering ldap_groupcmp() [files] expand: dc=wcc,dc=local -> dc=wcc,dc=local [files] expand: (|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=CN\3daa aa\2cCN\3dUsers\2cDC\3dwcc\2cDC\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3daa aa\2cCN\3dUsers\2cDC\3dwcc\2cDC\3dlocal))) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in dc=wcc,dc=local, with filter (&(cn=students)(|(&(objectClass=GroupOfNames)(member=CN\3daa aa\2cCN\3dUsers\2cDC\3dwcc\2cDC\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3daa aa\2cCN\3dUsers\2cDC\3dwcc\2cDC\3dlocal)))) [ldap] object not found [ldap] ldap_release_conn: Release Id: 0 [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in CN=aa aa,CN=Users,DC=wcc,DC=local, with filter (objectclass=*) [ldap] performing search in CN=students,CN=Users,DC=wcc,DC=local, with filter (cn=students) rlm_ldap::ldap_groupcmp: User found in group students [ldap] ldap_release_conn: Release Id: 0 [files] users: Matched entry DEFAULT at line 8 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = ntlm_auth Found Auth-Type = EAP Warning: Found 2 auth-types on request for user 'aa.aa@stud.wcc.domain.pl' # Executing group from file /etc/freeradius-eduroam//sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 := "216" EAP-Message = 0x010b00321a010b002d109ce0b0ed27560f706b913753486d010361612e616140737475642e6173702e6b72616b6f772e706c Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf7406046f74b7ad73c0df3922cff6ba2 [peap] Got tunneled reply RADIUS code 11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 := "216" EAP-Message = 0x010b00321a010b002d109ce0b0ed27560f706b913753486d010361612e616140737475642e6173702e6b72616b6f772e706c Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf7406046f74b7ad73c0df3922cff6ba2 [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 214 to 10.65.100.41 port 32775 EAP-Message = 0x010b005b190017030100503ae86e59fc0b91c6c5ae412b2292f1f5d6efa460ec1b01c358014be90d5006fa9b793a2e1af9e64795f54e239fd7281dd696d018c7f44b4cb2eb67ecd475cc434c473f009dba337006b1aab298ba8ad4 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe4e07f21e3eb667995348cff618d76b9 Finished request 7. Going to the next request Waking up in 2.7 seconds. rad_recv: Access-Request packet from host 10.65.100.41 port 32775, id=215, length=430 User-Name = "aa.aa@stud.wcc.domain.pl" Chargeable-User-Identity = "" Location-Capable = Civix-Location Calling-Station-Id = "b4-74-9f-ea-2a-1e" Called-Station-Id = "54-78-1a-5f-08-e0:RADIUS-TEST" NAS-Port = 2 Cisco-AVPair = "audit-session-id=0a41642900000d4a57628ef2" Acct-Session-Id = "57628ef2/b4:74:9f:ea:2a:1e/3674" NAS-IP-Address = 10.65.100.41 NAS-Identifier = "WLC-1-wcc-Mat13-MDF-1" Airespace-Wlan-Id = 4 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "216" EAP-Message = 0x020b007b1900170301007093a027714c83b1c3148c0f0cb48de716b6b8527d3c24f93d9b44a02cc3dcda6daf31becba6d782b69a235c564632021dfaae14f860e1822b139394a91915dc4763438a1eb0f2c647c13c486a3562ac0c029a326c091013c0b4544e9a716599fb33ce121f27c9aedfc38e736d36a339f2 State = 0xe4e07f21e3eb667995348cff618d76b9 Message-Authenticator = 0x4aa39debfb53301591faa7194e96605e # Executing section authorize from file /etc/freeradius-eduroam//sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [eap] EAP packet type response id 11 length 123 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius-eduroam//sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x020b00531a020b004e315381f7e957bdb65b4cecc534fb1381090000000000000000484795e959127ad898fd4230c3e3f52cbd19297d084e00d50061612e616140737475642e6173702e6b72616b6f772e706c server { [peap] Setting User-Name to aa.aa@stud.wcc.domain.pl Sending tunneled request EAP-Message = 0x020b00531a020b004e315381f7e957bdb65b4cecc534fb1381090000000000000000484795e959127ad898fd4230c3e3f52cbd19297d084e00d50061612e616140737475642e6173702e6b72616b6f772e706c FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "aa.aa@stud.wcc.domain.pl" State = 0xf7406046f74b7ad73c0df3922cff6ba2 Chargeable-User-Identity = "" Location-Capable = Civix-Location Calling-Station-Id = "b4-74-9f-ea-2a-1e" Called-Station-Id = "54-78-1a-5f-08-e0:RADIUS-TEST" NAS-Port = 2 Cisco-AVPair = "audit-session-id=0a41642900000d4a57628ef2" Acct-Session-Id = "57628ef2/b4:74:9f:ea:2a:1e/3674" NAS-IP-Address = 10.65.100.41 NAS-Identifier = "WLC-1-wcc-Mat13-MDF-1" Airespace-Wlan-Id = 4 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "216" server inner-tunnel { # Executing section authorize from file /etc/freeradius-eduroam//sites-enabled/inner-tunnel +- entering group authorize {...} ++[mschap] returns noop ++[control] returns noop [eap] EAP packet type response id 11 length 83 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [ldap] Entering ldap_groupcmp() [files] expand: dc=wcc,dc=local -> dc=wcc,dc=local [files] expand: %{Stripped-User-Name} -> [files] ... expanding second conditional [files] expand: %{User-Name} -> aa.aa@stud.wcc.domain.pl [files] expand: (userPrincipalName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (userPrincipalName=aa.aa@stud.wcc.domain.pl) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in dc=wcc,dc=local, with filter (userPrincipalName=aa.aa@stud.wcc.domain.pl) [ldap] ldap_release_conn: Release Id: 0 [files] expand: (|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=CN\3daa aa\2cCN\3dUsers\2cDC\3dwcc\2cDC\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3daa aa\2cCN\3dUsers\2cDC\3dwcc\2cDC\3dlocal))) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in dc=wcc,dc=local, with filter (&(cn=workers)(|(&(objectClass=GroupOfNames)(member=CN\3daa aa\2cCN\3dUsers\2cDC\3dwcc\2cDC\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3daa aa\2cCN\3dUsers\2cDC\3dwcc\2cDC\3dlocal)))) [ldap] object not found [ldap] ldap_release_conn: Release Id: 0 [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in CN=aa aa,CN=Users,DC=wcc,DC=local, with filter (objectclass=*) [ldap] performing search in CN=students,CN=Users,DC=wcc,DC=local, with filter (cn=workers) [ldap] object not found rlm_ldap::groupcmp: Group workers not found or user not a member [ldap] ldap_release_conn: Release Id: 0 [ldap] Entering ldap_groupcmp() [files] expand: dc=wcc,dc=local -> dc=wcc,dc=local [files] expand: (|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=CN\3daa aa\2cCN\3dUsers\2cDC\3dwcc\2cDC\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3daa aa\2cCN\3dUsers\2cDC\3dwcc\2cDC\3dlocal))) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in dc=wcc,dc=local, with filter (&(cn=students)(|(&(objectClass=GroupOfNames)(member=CN\3daa aa\2cCN\3dUsers\2cDC\3dwcc\2cDC\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3daa aa\2cCN\3dUsers\2cDC\3dwcc\2cDC\3dlocal)))) [ldap] object not found [ldap] ldap_release_conn: Release Id: 0 [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in CN=aa aa,CN=Users,DC=wcc,DC=local, with filter (objectclass=*) [ldap] performing search in CN=students,CN=Users,DC=wcc,DC=local, with filter (cn=students) rlm_ldap::ldap_groupcmp: User found in group students [ldap] ldap_release_conn: Release Id: 0 [files] users: Matched entry DEFAULT at line 8 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = ntlm_auth Found Auth-Type = EAP Warning: Found 2 auth-types on request for user 'aa.aa@stud.wcc.domain.pl' # Executing group from file /etc/freeradius-eduroam//sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /etc/freeradius-eduroam//sites-enabled/inner-tunnel [mschapv2] +- entering group MS-CHAP {...} [mschap] Creating challenge hash with username: aa.aa@stud.wcc.domain.pl [mschap] Told to do MS-CHAPv2 for aa.aa@stud.wcc.domain.pl with NT-Password [mschap] expand: %{Stripped-User-Name} -> [mschap] ... expanding second conditional [mschap] expand: %{User-Name} -> aa.aa@stud.wcc.domain.pl [mschap] expand: --username=%{%{Stripped-User-Name}:-%{User-Name}} -> --username=aa.aa@stud.wcc.domain.pl [mschap] Creating challenge hash with username: aa.aa@stud.wcc.domain.pl [mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=1282528812d8f6bb [mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=484795e959127ad898fd4230c3e3f52cbd19297d084e00d5 Exec-Program output: Logon failure (0xc000006d) Exec-Program-Wait: plaintext: Logon failure (0xc000006d) Exec-Program: returned: 1 [mschap] External script failed. [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject [eap] Freeing handler ++[eap] returns reject Failed to authenticate the user. Login incorrect (mschap: External script says Logon failure (0xc000006d)): [aa.aa@stud.wcc.domain.pl] (from client 10.65.100.41 port 2 cli b4-74-9f-ea-2a-1e via TLS tunnel) } # server inner-tunnel [peap] Got tunneled reply code 3 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 := "216" MS-CHAP-Error = "\013E=691 R=1" EAP-Message = 0x040b0004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Got tunneled reply RADIUS code 3 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 := "216" MS-CHAP-Error = "\013E=691 R=1" EAP-Message = 0x040b0004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Tunneled authentication was rejected. [peap] FAILURE ++[eap] returns handled Sending Access-Challenge of id 215 to 10.65.100.41 port 32775 EAP-Message = 0x010c002b1900170301002020427a067789db85515b75eca6b998b12bb6deeb76176187226b9a84520a3b05 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe4e07f21ecec667995348cff618d76b9 Finished request 8. Going to the next request Waking up in 2.0 seconds. rad_recv: Access-Request packet from host 10.65.100.41 port 32775, id=216, length=350 User-Name = "aa.aa@stud.wcc.domain.pl" Chargeable-User-Identity = "" Location-Capable = Civix-Location Calling-Station-Id = "b4-74-9f-ea-2a-1e" Called-Station-Id = "54-78-1a-5f-08-e0:RADIUS-TEST" NAS-Port = 2 Cisco-AVPair = "audit-session-id=0a41642900000d4a57628ef2" Acct-Session-Id = "57628ef2/b4:74:9f:ea:2a:1e/3674" NAS-IP-Address = 10.65.100.41 NAS-Identifier = "WLC-1-wcc-Mat13-MDF-1" Airespace-Wlan-Id = 4 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "216" EAP-Message = 0x020c002b190017030100205085a1640815b69b53fa1a5c28367074dda54682f404abe7deb8fcd3494e92cb State = 0xe4e07f21ecec667995348cff618d76b9 Message-Authenticator = 0x2a8e923b8e2d7d08b9fdd1747d80c60d # Executing section authorize from file /etc/freeradius-eduroam//sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [eap] EAP packet type response id 12 length 43 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius-eduroam//sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state send tlv failure [peap] Received EAP-TLV response. [peap] The users session was previously rejected: returning reject (again.) [peap] *** This means you need to read the PREVIOUS messages in the debug output [peap] *** to find out the reason why the user was rejected. [peap] *** Look for "reject" or "fail". Those earlier messages will tell you. [peap] *** what went wrong, and how to fix the problem. [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Login incorrect: [aa.aa@stud.wcc.domain.pl] (from client 10.65.100.41 port 2 cli b4-74-9f-ea-2a-1e) Using Post-Auth-Type Reject # Executing group from file /etc/freeradius-eduroam//sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> aa.aa@stud.wcc.domain.pl attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 9 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 9 Sending Access-Reject of id 216 to 10.65.100.41 port 32775 EAP-Message = 0x040c0004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 1.0 seconds. Cleaning up request 0 ID 207 with timestamp +37 Waking up in 1.0 seconds. Cleaning up request 1 ID 208 with timestamp +38 Cleaning up request 2 ID 209 with timestamp +39 Cleaning up request 3 ID 210 with timestamp +39 Cleaning up request 4 ID 211 with timestamp +39 Cleaning up request 5 ID 212 with timestamp +39 Cleaning up request 6 ID 213 with timestamp +39 Waking up in 1.0 seconds. Cleaning up request 7 ID 214 with timestamp +39 Waking up in 0.7 seconds. Cleaning up request 8 ID 215 with timestamp +40 Waking up in 1.0 seconds. Cleaning up request 9 ID 216 with timestamp +41 Ready to process requests. -- Z poważaniem / Yours sincerely Zenon Matuszyk mobile: 00 48 797 004 938 e-mail: zenon.matuszyk@networkers.pl www: http://www.networkers.pl
On Jun 16, 2016, at 8:19 AM, Zenon Matuszyk <zenon.matuszyk@networkers.pl> wrote:
Hello,
I have a little problem with auth in Windows AD by using userPrincipalName (using samAccountName works fine). In mschap file i have:
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{User-Name}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
and ldap file:
filter = "(userPrincipalName=%{%{Stripped-User-Name}:-%{User-Name}})"
In debug I see:
...
[mschap] Creating challenge hash with username: aa.aa@stud.wcc.domain.pl [mschap] Told to do MS-CHAPv2 for aa.aa@stud.wcc.domain.pl with NT-Password [mschap] expand: %{Stripped-User-Name} -> [mschap] ... expanding second conditional [mschap] expand: %{User-Name} -> aa.aa@stud.wcc.domain.pl [mschap] expand: --username=%{%{Stripped-User-Name}:-%{User-Name}} -> --username=aa.aa@stud.wcc.domain.pl [mschap] Creating challenge hash with username: aa.aa@stud.wcc.domain.pl [mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=1282528812d8f6bb [mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=484795e959127ad898fd4230c3e3f52cbd19297d084e00d5 Exec-Program output: Logon failure (0xc000006d) Exec-Program-Wait: plaintext: Logon failure (0xc000006d)
That seems definitive. The name / password is incorrect. Alan DeKok.
On Thu, Jun 16, 2016 at 02:19:47PM +0200, Zenon Matuszyk wrote: ...
++[mschap] returns noop ++[digest] returns noop [eap] EAP packet type response id 3 length 29 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [ldap] Entering ldap_groupcmp() [files] expand: dc=wcc,dc=local -> dc=wcc,dc=local [files] expand: %{Stripped-User-Name} -> [files] ... expanding second conditional [files] expand: %{User-Name} -> aa.aa@stud.wcc.domain.pl [files] expand: (userPrincipalName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (userPrincipalName=aa.aa@stud.wcc.domain.pl) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] attempting LDAP reconnection
You should probably move the LDAP searches to later on in the inner tunnel or post-auth to save hammering the LDAP server so much.
++[pap] returns noop Found Auth-Type = ntlm_auth Found Auth-Type = EAP Warning: Found 2 auth-types on request for user 'aa.aa@stud.wcc.domain.pl'
This isn't good. Find out what is setting Auth-Type to ntlm_auth and get rid of it. You're doing PEAP/EAP-MSCHAPv2 so Auth-Type should be set to EAP (as the eap module does for you).
[mschapv2] # Executing group from file /etc/freeradius-eduroam//sites-enabled/inner-tunnel [mschapv2] +- entering group MS-CHAP {...} [mschap] Creating challenge hash with username: aa.aa@stud.wcc.domain.pl [mschap] Told to do MS-CHAPv2 for aa.aa@stud.wcc.domain.pl with NT-Password [mschap] expand: %{Stripped-User-Name} ->
You've not got Stripped-User-Name...
[mschap] ... expanding second conditional [mschap] expand: %{User-Name} -> aa.aa@stud.wcc.domain.pl [mschap] expand: --username=%{%{Stripped-User-Name}:-%{User-Name}} -> --username=aa.aa@stud.wcc.domain.pl
...so ntlm_auth is being called with User-Name, which is aa.aa@stud.wcc.domain.pl. It's likely it needs to be called with "aa.aa" instead - test with calling ntlm_auth yourself on the command line to see what works. Then set up Stripped-User-Name. In FreeRADIUS 3 you should be able to call the "split_username_nai" policy to do this for you, or otherwise either write your own unlang or use the realm (suffix) module to split it off. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
W dniu 2016-06-16 o 16:04, Matthew Newton pisze:
On Thu, Jun 16, 2016 at 02:19:47PM +0200, Zenon Matuszyk wrote: ...
++[mschap] returns noop ++[digest] returns noop [eap] EAP packet type response id 3 length 29 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [ldap] Entering ldap_groupcmp() [files] expand: dc=wcc,dc=local -> dc=wcc,dc=local [files] expand: %{Stripped-User-Name} -> [files] ... expanding second conditional [files] expand: %{User-Name} -> aa.aa@stud.wcc.domain.pl [files] expand: (userPrincipalName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (userPrincipalName=aa.aa@stud.wcc.domain.pl) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] attempting LDAP reconnection You should probably move the LDAP searches to later on in the inner tunnel or post-auth to save hammering the LDAP server so much.
++[pap] returns noop Found Auth-Type = ntlm_auth Found Auth-Type = EAP Warning: Found 2 auth-types on request for user 'aa.aa@stud.wcc.domain.pl' This isn't good. Find out what is setting Auth-Type to ntlm_auth and get rid of it. You're doing PEAP/EAP-MSCHAPv2 so Auth-Type should be set to EAP (as the eap module does for you).
[mschapv2] # Executing group from file /etc/freeradius-eduroam//sites-enabled/inner-tunnel [mschapv2] +- entering group MS-CHAP {...} [mschap] Creating challenge hash with username: aa.aa@stud.wcc.domain.pl [mschap] Told to do MS-CHAPv2 for aa.aa@stud.wcc.domain.pl with NT-Password [mschap] expand: %{Stripped-User-Name} -> You've not got Stripped-User-Name...
[mschap] ... expanding second conditional [mschap] expand: %{User-Name} -> aa.aa@stud.wcc.domain.pl [mschap] expand: --username=%{%{Stripped-User-Name}:-%{User-Name}} -> --username=aa.aa@stud.wcc.domain.pl ...so ntlm_auth is being called with User-Name, which is aa.aa@stud.wcc.domain.pl. ok, but i have user:
DistinguishedName : CN=aa aa,CN=Users,DC=wcc,DC=local GivenName : aa Name : aa aa ObjectClass : user SamAccountName : s87030702814 Surname : aa UserPrincipalName : aa.aa@stud.wcc.domain.pl and UserPrincipalName is aa.aa@stud.wcc.domain.pl and login must be aa.aa@stud.wcc.domain.pl this is auth for eduroam, and SamAccountName is too short and we must use UserPrincipalName
It's likely it needs to be called with "aa.aa" instead - test with calling ntlm_auth yourself on the command line to see what works.
Then set up Stripped-User-Name. In FreeRADIUS 3 you should be able to call the "split_username_nai" policy to do this for you, or otherwise either write your own unlang or use the realm (suffix) module to split it off.
Matthew
-- Z poważaniem / Yours sincerely Zenon Matuszyk mobile: 00 48 797 004 938 e-mail: zenon.matuszyk@networkers.pl www: http://www.networkers.pl
participants (3)
-
Alan DeKok -
Matthew Newton -
Zenon Matuszyk