Help configuring freeradius to handle a cisco aeronet 1200 with peap and mschap2

Joseph Silverman yossie at laszlosystems.com
Wed Dec 13 22:38:36 CET 2006


I upgraded my radius server

from: radiusd: FreeRADIUS Version 1.0.4, for host , built on Aug 30  
2005 at 20:59:48
to: radiusd: FreeRADIUS Version 1.1.2, for host , built on Sep  4  
2006 at 19:15:42

in order to allow plain-text passwords to correctly work from a wifi
client connecting to a cisco aeronet 1200 server which then connects
to a radius server which uses an ldap database as the user database.
The ldap server has sha1 and crypt passwords, generally, though it
might have others I suppose.

Till the upgrade, I had to include the already encrypted password  
(with leading {crypt} or {ssha}) as the password on the client.    
Meaning, for one, that whenever a user changed their password through  
some means or another, they have to get ahold of the "encrypted"  
version of their password from the LDAP database and use that for  
their wireless connections.  Unpleasant.

I read about auto_header and it implied that by upgrading, I could
get the whole thing to use unencrypted passwords (which would be
generally simpler for our users) instead.  This failed to work.
Something misconfigured, or possibly not doable?!

Here is a dump of radiusd -X with the new server.  Can anyone out  
there point out what I might be doing wrong?

[root at ldap raddb]# radiusd -X
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/proxy.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
Config:   including file: /etc/raddb/eap.conf
main: prefix = "/usr"
main: localstatedir = "/var"
main: logdir = "/var/log/radius"
main: libdir = "/usr/lib/freeradius"
main: radacctdir = "/var/log/radius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/var/log/radius/radius.log"
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = "/var/run/radiusd/radiusd.pid"
main: user = "radius"
main: group = "radius"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/sbin/checkrad"
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = yes
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/lib/freeradius
Module: Loaded exec
exec: wait = yes
exec: program = "(null)"
exec: input_pairs = "request"
exec: output_pairs = "(null)"
exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = no
mschap: passwd = "(null)"
mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded Pam
pam: pam_auth = "radiusd"
Module: Instantiated pam (pam)
Module: Loaded LDAP
ldap: server = "ldapsvr.laszlosystems.com"
ldap: port = 389
ldap: net_timeout = 1
ldap: timeout = 4
ldap: timelimit = 3
ldap: identity = "cn=Manager,dc=laszlosystems,dc=com"
ldap: tls_mode = no
ldap: start_tls = no
ldap: tls_cacertfile = "(null)"
ldap: tls_cacertdir = "(null)"
ldap: tls_certfile = "(null)"
ldap: tls_keyfile = "(null)"
ldap: tls_randfile = "(null)"
ldap: tls_require_cert = "allow"
ldap: password = "BLABLABLA"
ldap: basedn = "ou=Users,dc=laszlosystems,dc=com"
ldap: filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
ldap: base_filter = "(objectclass=radiusprofile)"
ldap: default_profile = "(null)"
ldap: profile_attribute = "(null)"
ldap: password_header = "(null)"
ldap: password_attribute = "userPassword"
ldap: access_attr = "(null)"
ldap: groupname_attribute = "cn"
ldap: groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member= 
%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=% 
{Ldap-UserDn})))"
ldap: groupmembership_attribute = "(null)"
ldap: dictionary_mapping = "/etc/raddb/ldap.attrmap"
ldap: ldap_debug = 0
ldap: ldap_connections_number = 5
ldap: compare_check_items = no
ldap: access_attr_used_for_allow = yes
ldap: do_xlat = yes
ldap: set_auth_type = yes
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: reading ldap<->radius mappings from file /etc/raddb/ 
ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling- 
Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed- 
Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX- 
Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination- 
Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed- 
AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed- 
AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed- 
AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
conns: 0x814ca58
Module: Instantiated ldap (ldap)
Module: Loaded eap
eap: default_eap_type = "peap"
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type leap
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = "(null)"
tls: pem_file_type = yes
tls: private_key_file = "/root/certs/radius/radius.pem"
tls: certificate_file = "/root/certs/radius/radius.pem"
tls: CA_file = "/root/certs/cacert.pem"
tls: private_key_password = ""
tls: dh_file = "/dev/urandom"
tls: random_file = "/dev/urandom"
tls: fragment_size = 1024
tls: include_length = yes
tls: check_crl = no
tls: check_cert_cn = "(null)"
tls: cipher_list = "(null)"
tls: check_cert_issuer = "(null)"
rlm_eap_tls: Loading the certificate file as a chain
rlm_eap: Loaded and initialized type tls
peap: default_eap_type = "mschapv2"
peap: copy_request_to_tunnel = no
peap: use_tunneled_reply = no
peap: proxy_tunneled_request_as_eap = yes
rlm_eap: Loaded and initialized type peap
mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = "/etc/raddb/huntgroups"
preprocess: hints = "/etc/raddb/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
realm: format = "suffix"
realm: delimiter = "@"
realm: ignore_default = no
realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
files: usersfile = "/etc/raddb/users"
files: acctusersfile = "/etc/raddb/acct_users"
files: preproxy_usersfile = "/etc/raddb/preproxy_users"
files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address,  
Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/ 
detail-%Y%m%d"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
radutmp: filename = "/var/log/radius/radutmp"
radutmp: username = "%{User-Name}"
radutmp: case_sensitive = yes
radutmp: check_with_nas = yes
radutmp: perm = 384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.43.106:1645, id=35,  
length=149
         User-Name = "USER"
         Framed-MTU = 1400
         Called-Station-Id = "0014.a9c8.0fb0"
         Calling-Station-Id = "0016.cbb6.57b8"
         Service-Type = Login-User
         Message-Authenticator = 0x26548df1f8773d5573d3135259bb61b3
         EAP-Message = 0x0201000b01796f73736965
         NAS-Port-Type = Wireless-802.11
         NAS-Port = 86989
         NAS-IP-Address = 192.168.43.106
         NAS-Identifier = "sap.corp.laszlosystems.com"
   Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
   modcall[authorize]: module "preprocess" returns ok for request 0
   modcall[authorize]: module "mschap" returns noop for request 0
     rlm_realm: No '@' in User-Name = "USER", looking up realm NULL
     rlm_realm: No such realm "NULL"
   modcall[authorize]: module "suffix" returns noop for request 0
   rlm_eap: EAP packet type response id 1 length 11
   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
   modcall[authorize]: module "eap" returns updated for request 0
     users: Matched entry DEFAULT at line 217
     users: Matched entry DEFAULT at line 220
   modcall[authorize]: module "files" returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for USER
radius_xlat:  '(uid=USER)'
radius_xlat:  'ou=Users,dc=laszlosystems,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldapsvr.laszlosystems.com:389, authentication 0
rlm_ldap: bind as cn=Manager,dc=laszlosystems,dc=com/BLABLABLA to  
ldapsvr.laszlosystems.com:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=Users,dc=laszlosystems,dc=com, with  
filter (uid=USER)
rlm_ldap: Added password {CRYPT}5usNgubjIO.a6 in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user USER authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
   modcall[authorize]: module "ldap" returns ok for request 0
modcall: leaving group authorize (returns updated) for request 0
   rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
   Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
   rlm_eap: EAP Identity
   rlm_eap: processing type tls
   rlm_eap_tls: Initiate
   rlm_eap_tls: Start returned 1
   modcall[authenticate]: module "eap" returns handled for request 0
modcall: leaving group authenticate (returns handled) for request 0
Sending Access-Challenge of id 35 to 192.168.43.106 port 1645
         EAP-Message = 0x010200061920
         Message-Authenticator = 0x00000000000000000000000000000000
         State = 0xc34a408a2719251ce766568b5a651faa
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.43.106:1645, id=36,  
length=274
         User-Name = "USER"
         Framed-MTU = 1400
         Called-Station-Id = "0014.a9c8.0fb0"
         Calling-Station-Id = "0016.cbb6.57b8"
         Service-Type = Login-User
         Message-Authenticator = 0x3c9c0bb79649d42bfcd316d2601a3388
         EAP-Message =  
0x0202007619800000006c16030100670100006303014580701290d45534981ee5030abe 
6a55a1ad975159e9165682aff24760b663a900003c002f000500040035000aff830009ff 
82000300080006ff8000320033003400380039003a001600150014001300120011001800 
1b001a0017001900010100
         NAS-Port-Type = Wireless-802.11
         NAS-Port = 86989
         State = 0xc34a408a2719251ce766568b5a651faa
         NAS-IP-Address = 192.168.43.106
         NAS-Identifier = "sap.corp.laszlosystems.com"
   Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
   modcall[authorize]: module "preprocess" returns ok for request 1
   modcall[authorize]: module "mschap" returns noop for request 1
     rlm_realm: No '@' in User-Name = "USER", looking up realm NULL
     rlm_realm: No such realm "NULL"
   modcall[authorize]: module "suffix" returns noop for request 1
   rlm_eap: EAP packet type response id 2 length 118
   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
   modcall[authorize]: module "eap" returns updated for request 1
     users: Matched entry DEFAULT at line 217
     users: Matched entry DEFAULT at line 220
   modcall[authorize]: module "files" returns ok for request 1
rlm_ldap: - authorize
rlm_ldap: performing user authorization for USER
radius_xlat:  '(uid=USER)'
radius_xlat:  'ou=Users,dc=laszlosystems,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=Users,dc=laszlosystems,dc=com, with  
filter (uid=USER)
rlm_ldap: Added password {CRYPT}5usNgubjIO.a6 in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user USER authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
   modcall[authorize]: module "ldap" returns ok for request 1
modcall: leaving group authorize (returns updated) for request 1
   rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
   Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
   rlm_eap: Request found, released from the list
   rlm_eap: EAP/peap
   rlm_eap: processing type peap
   rlm_eap_peap: Authenticate
   rlm_eap_tls: processing TLS
rlm_eap_tls:  Length Included
   eaptls_verify returned 11
     (other): before/accept initialization
     TLS_accept: before/accept initialization
     TLS_accept: SSLv3 read client hello A
     TLS_accept: SSLv3 write server hello A
     TLS_accept: SSLv3 write certificate A
     TLS_accept: SSLv3 write key exchange A
     TLS_accept: SSLv3 write server done A
     TLS_accept: SSLv3 flush data
     TLS_accept:error in SSLv3 read client certificate A
rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0)
In SSL Handshake Phase
In SSL Accept mode
   eaptls_process returned 13
   rlm_eap_peap: EAPTLS_HANDLED
   modcall[authenticate]: module "eap" returns handled for request 1
modcall: leaving group authenticate (returns handled) for request 1
Sending Access-Challenge of id 36 to 192.168.43.106 port 1645
         EAP-Message =  
0x0103040a19c00000050e160301004a020000460301458070136670a1aa6cfa4b9eeb63 
489ca646be0d1040865696f3574af5e569b420710919b71889fb546feb7b16d8285c5992 
a8ee99e9937f532ba5d9908fa036c2002f0016030103df0b0003db0003d80003d5308203 
d13082033aa003020102020900fdc2cdc7f040b46f300d06092a864886f70d0101050500 
3081a2310b3009060355040613025553311330110603550408130a43616c69666f726e69 
61311230100603550407130953616e204d6174656f311d301b060355040a13144c61737a 
6c6f2053797374656d732c20496e632e311e301c060355040313157777772e6c61737a6c 
6f73
         EAP-Message =  
0x797374656d732e636f6d312b302906092a864886f70d010901161c686f73746d617374 
6572406c61737a6c6f73797374656d732e636f6d301e170d303630333330323031323535 
5a170d3136303332373230313235355a3081a2310b300906035504061302555331133011 
0603550408130a43616c69666f726e6961311230100603550407130953616e204d617465 
6f311d301b060355040a13144c61737a6c6f2053797374656d732c20496e632e311e301c 
060355040313157777772e6c61737a6c6f73797374656d732e636f6d312b302906092a86 
4886f70d010901161c686f73746d6173746572406c61737a6c6f73797374656d732e636f 
6d30
         EAP-Message =  
0x819f300d06092a864886f70d010101050003818d0030818902818100ac77f58ce8d3f7 
50c365cbbee96d0cf029320205665568c54f085f5e112655c942866ad5ed7f37d907bc25 
44b1e896408637ba8fb45a2d5d7b8a63be2815b6b39f47449b6acf898c7fe38cce5ed6b9 
3d07e7bae4029af7134100a7bf698adf307a76d3481f79efe20e4441785af40b79cd950f 
1bbec8ae200ed720ecc9ade98b0203010001a382010b30820107301d0603551d0e041604 
14aa891b0ba86793b9a1fd0bcf37ee7c236d882e763081d70603551d230481cf3081cc80 
14aa891b0ba86793b9a1fd0bcf37ee7c236d882e76a181a8a481a53081a2310b30090603 
5504
         EAP-Message =  
0x0613025553311330110603550408130a43616c69666f726e6961311230100603550407 
130953616e204d6174656f311d301b060355040a13144c61737a6c6f2053797374656d73 
2c20496e632e311e301c060355040313157777772e6c61737a6c6f73797374656d732e63 
6f6d312b302906092a864886f70d010901161c686f73746d6173746572406c61737a6c6f 
73797374656d732e636f6d820900fdc2cdc7f040b46f300c0603551d13040530030101ff 
300d06092a864886f70d0101050500038181005b3c5f4cfa5b80295ea44a03a9be591ad8 
e25b84cb575221f5d76919c3e1ebb8c1799ab541007ec330c894d3e9075b677354d8a87c 
3538
         EAP-Message = 0xa5b99054a95b3291d49a51daa034dcfde45976d2ba3c
         Message-Authenticator = 0x00000000000000000000000000000000
         State = 0x2cb14e41f488e26f81eeb69b9e567a75
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 192.168.43.106:1645, id=37,  
length=162
         User-Name = "USER"
         Framed-MTU = 1400
         Called-Station-Id = "0014.a9c8.0fb0"
         Calling-Station-Id = "0016.cbb6.57b8"
         Service-Type = Login-User
         Message-Authenticator = 0x096aa9e5788065b00b968a559f45e98a
         EAP-Message = 0x020300061900
         NAS-Port-Type = Wireless-802.11
         NAS-Port = 86989
         State = 0x2cb14e41f488e26f81eeb69b9e567a75
         NAS-IP-Address = 192.168.43.106
         NAS-Identifier = "sap.corp.laszlosystems.com"
   Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
   modcall[authorize]: module "preprocess" returns ok for request 2
   modcall[authorize]: module "mschap" returns noop for request 2
     rlm_realm: No '@' in User-Name = "USER", looking up realm NULL
     rlm_realm: No such realm "NULL"
   modcall[authorize]: module "suffix" returns noop for request 2
   rlm_eap: EAP packet type response id 3 length 6
   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
   modcall[authorize]: module "eap" returns updated for request 2
     users: Matched entry DEFAULT at line 217
     users: Matched entry DEFAULT at line 220
   modcall[authorize]: module "files" returns ok for request 2
rlm_ldap: - authorize
rlm_ldap: performing user authorization for USER
radius_xlat:  '(uid=USER)'
radius_xlat:  'ou=Users,dc=laszlosystems,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=Users,dc=laszlosystems,dc=com, with  
filter (uid=USER)
rlm_ldap: Added password {CRYPT}5usNgubjIO.a6 in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user USER authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
   modcall[authorize]: module "ldap" returns ok for request 2
modcall: leaving group authorize (returns updated) for request 2
   rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
   Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
   rlm_eap: Request found, released from the list
   rlm_eap: EAP/peap
   rlm_eap: processing type peap
   rlm_eap_peap: Authenticate
   rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
   rlm_eap_tls: No SSL info available. Waiting for more SSL data.
   eaptls_verify returned 1
   eaptls_process returned 13
   rlm_eap_peap: EAPTLS_HANDLED
   modcall[authenticate]: module "eap" returns handled for request 2
modcall: leaving group authenticate (returns handled) for request 2
Sending Access-Challenge of id 37 to 192.168.43.106 port 1645
         EAP-Message =  
0x0104011419009ead4a5bf9d452169c87f2be565a0186ac58bbf95540621769262dcdc6 
c7182ff81b6bfa54594a884aaf76e4c044516a7166ad16030100cd0c0000c90040b7e93c 
442c0eaee440ff11ca0a3581bb62f81fd375aaa531388cba47fc654eafedb008e32236ef 
2783b4787bfa5d4f42c79bab8e0e863da4733ea8d8effe79f10003010001008060b4d1b8 
9e51ebf5bf8851d9d1afc922225062d061b45bd84d96dba3bb0a02558f4f30a7251f5d71 
98ea2f75daa6b8e538160f640691299c09044f6b9ef8a3f7e51a443c172250896520a455 
87e97e4845cfe347f4eb0ef6c2ebd3ee1a818e8b9454add459d5b70bb3f8d430b6032c54 
11e9
         EAP-Message = 0x649ba0a7ef359445ef91a32ad5ec16030100040e000000
         Message-Authenticator = 0x00000000000000000000000000000000
         State = 0x6ec2482e58dbe98f951f51ff52dabd8e
Finished request 2
Going to the next request
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 192.168.43.106:1645, id=38,  
length=300
         User-Name = "USER"
         Framed-MTU = 1400
         Called-Station-Id = "0014.a9c8.0fb0"
         Calling-Station-Id = "0016.cbb6.57b8"
         Service-Type = Login-User
         Message-Authenticator = 0xa937d2ea590e079a9f29bd6c57e229aa
         EAP-Message =  
0x020400901980000000861603010046100000420040673dea3b73c8612479a8558d548f 
ebf33e7745322aeeda666059501b5302eaf7f583c81378cc3af6a84db6a53a49b4ddf656 
895f16fcbe85861cf0ca8cb46dc51403010001011603010030ec4cf04e18a0c2e82aa207 
19a9b3b35b0d477dfe1d72239d9b4d16c425001c4cc989e7727c544515767f080ec08844 
67
         NAS-Port-Type = Wireless-802.11
         NAS-Port = 86989
         State = 0x6ec2482e58dbe98f951f51ff52dabd8e
         NAS-IP-Address = 192.168.43.106
         NAS-Identifier = "sap.corp.laszlosystems.com"
   Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 3
   modcall[authorize]: module "preprocess" returns ok for request 3
   modcall[authorize]: module "mschap" returns noop for request 3
     rlm_realm: No '@' in User-Name = "USER", looking up realm NULL
     rlm_realm: No such realm "NULL"
   modcall[authorize]: module "suffix" returns noop for request 3
   rlm_eap: EAP packet type response id 4 length 144
   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
   modcall[authorize]: module "eap" returns updated for request 3
     users: Matched entry DEFAULT at line 217
     users: Matched entry DEFAULT at line 220
   modcall[authorize]: module "files" returns ok for request 3
rlm_ldap: - authorize
rlm_ldap: performing user authorization for USER
radius_xlat:  '(uid=USER)'
radius_xlat:  'ou=Users,dc=laszlosystems,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=Users,dc=laszlosystems,dc=com, with  
filter (uid=USER)
rlm_ldap: Added password {CRYPT}5usNgubjIO.a6 in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user USER authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
   modcall[authorize]: module "ldap" returns ok for request 3
modcall: leaving group authorize (returns updated) for request 3
   rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
   Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 3
   rlm_eap: Request found, released from the list
   rlm_eap: EAP/peap
   rlm_eap: processing type peap
   rlm_eap_peap: Authenticate
   rlm_eap_tls: processing TLS
rlm_eap_tls:  Length Included
   eaptls_verify returned 11
     TLS_accept: SSLv3 read client key exchange A
     TLS_accept: SSLv3 read finished A
     TLS_accept: SSLv3 write change cipher spec A
     TLS_accept: SSLv3 write finished A
     TLS_accept: SSLv3 flush data
     (other): SSL negotiation finished successfully
rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0)
SSL Connection Established
   eaptls_process returned 13
   rlm_eap_peap: EAPTLS_HANDLED
   modcall[authenticate]: module "eap" returns handled for request 3
modcall: leaving group authenticate (returns handled) for request 3
Sending Access-Challenge of id 38 to 192.168.43.106 port 1645
         EAP-Message =  
0x0105004119001403010001011603010030de7f717fb19dec3b50cadbb53ba7e83658e6 
ca8f6486c1774e5cc72dd8ae013b260425d5727fa05321ddb95bcbdd9e50
         Message-Authenticator = 0x00000000000000000000000000000000
         State = 0x4da94ec3a8dbc38413ea566eefab8e73
Finished request 3
Going to the next request
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 192.168.43.106:1645, id=39,  
length=162
         User-Name = "USER"
         Framed-MTU = 1400
         Called-Station-Id = "0014.a9c8.0fb0"
         Calling-Station-Id = "0016.cbb6.57b8"
         Service-Type = Login-User
         Message-Authenticator = 0x923fff95497858a00c2970c88b80147a
         EAP-Message = 0x020500061900
         NAS-Port-Type = Wireless-802.11
         NAS-Port = 86989
         State = 0x4da94ec3a8dbc38413ea566eefab8e73
         NAS-IP-Address = 192.168.43.106
         NAS-Identifier = "sap.corp.laszlosystems.com"
   Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
   modcall[authorize]: module "preprocess" returns ok for request 4
   modcall[authorize]: module "mschap" returns noop for request 4
     rlm_realm: No '@' in User-Name = ""USER"", looking up realm NULL
     rlm_realm: No such realm "NULL"
   modcall[authorize]: module "suffix" returns noop for request 4
   rlm_eap: EAP packet type response id 5 length 6
   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
   modcall[authorize]: module "eap" returns updated for request 4
     users: Matched entry DEFAULT at line 217
     users: Matched entry DEFAULT at line 220
   modcall[authorize]: module "files" returns ok for request 4
rlm_ldap: - authorize
rlm_ldap: performing user authorization  for USER
radius_xlat:  '(uid=USER)'
radius_xlat:  'ou=Users,dc=laszlosystems,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=Users,dc=laszlosystems,dc=com, with  
filter (uid=USER)
rlm_ldap: Added password {CRYPT}5usNgubjIO.a6 in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user USER   authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
   modcall[authorize]: module "ldap" returns ok for request 4
modcall: leaving group authorize (returns updated) for request 4
   rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
   Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 4
   rlm_eap: Request found, released from the list
   rlm_eap: EAP/peap
   rlm_eap: processing type peap
   rlm_eap_peap: Authenticate
   rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
   rlm_eap_tls: No SSL info available. Waiting for more SSL data.
   eaptls_verify returned 1
   eaptls_process returned 13
   rlm_eap_peap: EAPTLS_HANDLED
   modcall[authenticate]: module "eap" returns handled for request 4
modcall: leaving group authenticate (returns handled) for request 4
Sending Access-Challenge of id 39 to 192.168.43.106 port 1645
         EAP-Message = 0x010600061900
         Message-Authenticator = 0x00000000000000000000000000000000
         State = 0x7c82b915bfc84d169d053dc47c2c3aa6
Finished request 4
Going to the next request
Waking up in 5 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 35 with timestamp 45807012
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 1 ID 36 with timestamp 45807013
Cleaning up request 2 ID 37 with timestamp 45807013
Cleaning up request 3 ID 38 with timestamp 45807013
Cleaning up request 4 ID 39 with timestamp 45807013
Nothing to do.  Sleeping until we see a request.
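Added example, not part of the original post: a small checker that reads a FreeRADIUS 1.x `radiusd -X` dump like the one above and reports whether the password form rlm_ldap pulls from the directory can be verified by the EAP inner method in use. The sample dump is a constructed excerpt of the lines above; the header-compatibility table is this example's own summary (MS-CHAPv2 derives its response from the NT hash, so it needs a cleartext or NT-hashed password, while PAP with auto_header can compare against one-way digests such as {CRYPT} and {SSHA}).

```python
"""Check a FreeRADIUS 1.x `radiusd -X` dump: can the stored LDAP password
form satisfy the EAP inner method the server is configured to use?"""
import re

# Password headers (as they appear in LDAP userPassword and in rlm_ldap's
# "Added password {...}" debug line) that each method can verify.
# MS-CHAPv2 computes its response from the NT hash, so it needs cleartext
# or an NT hash; a one-way {CRYPT}/{SSHA} digest is useless to it.
# PAP receives the cleartext password from the client and, with rlm_pap
# auto_header, can compare it against any of the listed digests.
# (Assumption: this list summarises rlm_pap's auto_header support; it is
# not taken from the post.)
VERIFIABLE_BY = {
    "mschapv2": {"CLEAR", "CLEARTEXT", "NT", "X-NTHASH"},
    "pap": {"CLEAR", "CLEARTEXT", "CRYPT", "MD5", "SMD5", "SHA", "SSHA",
            "NT", "LM"},
}

RE_DEFAULT_TYPE = re.compile(r'^(\w+): default_eap_type = "(\w+)"$')
RE_CHECK_PW = re.compile(r'Added password \{(\w[\w-]*)\}\S+ in check items')
RE_AUTH_TYPE = re.compile(r'Found Auth-Type (\S+)')

# Constructed excerpt of the debug output quoted in the post above.
SAMPLE_DUMP = """\
eap: default_eap_type = "peap"
peap: default_eap_type = "mschapv2"
rlm_ldap: Added password {CRYPT}5usNgubjIO.a6 in check items
   rad_check_password:  Found Auth-Type EAP
"""


def parse_dump(text):
    """Extract the outer/inner EAP types, the Auth-Type chosen and the
    password headers rlm_ldap added as check items. Hash values are not kept."""
    outer = inner = auth_type = None
    headers = set()
    for line in text.splitlines():
        line = line.strip()
        m = RE_DEFAULT_TYPE.match(line)
        if m:
            section, eap_type = m.groups()
            if section == "eap":
                outer = eap_type.lower()          # e.g. peap
            elif section in ("peap", "ttls"):
                inner = eap_type.lower()          # e.g. mschapv2
        m = RE_CHECK_PW.search(line)
        if m:
            headers.add(m.group(1).upper())       # e.g. CRYPT
        m = RE_AUTH_TYPE.search(line)
        if m:
            auth_type = m.group(1)
    return {"outer": outer, "inner": inner, "auth_type": auth_type,
            "headers": headers}


def diagnose(info):
    """Return human-readable findings; an empty list means no mismatch."""
    method = info["inner"] if info["outer"] in ("peap", "ttls") else info["outer"]
    if method is None:
        return ["could not determine the EAP method from the dump"]
    ok = VERIFIABLE_BY.get(method)
    if ok is None:
        return [f"no compatibility data for method {method!r}"]
    findings = []
    for h in sorted(info["headers"]):
        if h not in ok:
            findings.append(
                f"{{{h}}} password from LDAP cannot be verified by {method}; "
                f"{method} needs one of: {', '.join(sorted(ok))}")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_dump(SAMPLE_DUMP)) or ["no mismatch found"]:
        print(finding)
```

Run against the dump in the post it reports that the {CRYPT} check item cannot satisfy the PEAP inner method mschapv2, which is why the hashed string had to be typed on the client before the upgrade and why auto_header (a PAP feature) does not change that.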