Machine Authentication with PEAP
King, Michael
MKing at bridgew.edu
Thu Mar 9 19:17:48 CET 2006
Has anyone gotten Machine Authentication with PEAP working?
rad_recv: Access-Request packet from host 10.0.1.21:32768, id=2,
length=342
User-Name = "host/boy-it-tel-2528.campus.bridgew.edu"
Calling-Station-Id = "00-0B-7D-1B-B0-BA"
Called-Station-Id = "00-0B-85-5F-66-E0:Wireless at BSC"
NAS-Port = 29
NAS-IP-Address = 10.0.1.21
NAS-Identifier = "BUWISM2-1"
Airespace-Wlan-Id = 1
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "4000"
EAP-Message =
0x020900791900170301006ed6d5858d2d5e437d5127e2f91a69520faa2104d0573c0a1d
098dce6c763982b9a2b160a55541d1fcec125fb106c4668c
0d3d5b4facf2737febb2a5f98c4344d36b9c4fbcf52f2b6d3d613b79f6a123bf30d5e5bc
09d2cf2859aabada6c297a14d782995bce310f879a006e2c6ba0
State = 0x332bd4a26a3495ca8b876c3936b99a50
Message-Authenticator = 0x4fec0b430cc29964546aa3c9fee52d2c
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 40
modcall[authorize]: module "preprocess" returns ok for request 40
radius_xlat:
'/var/log/freeradius/radacct/10.0.1.21/auth-detail-20060309'
rlm_detail:
/var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/freeradius/radacct/10.0.1.21/auth-detail-2
0060309
modcall[authorize]: module "auth_log" returns ok for request 40
modcall[authorize]: module "chap" returns noop for request 40
modcall[authorize]: module "mschap" returns noop for request 40
rlm_realm: No '@' in User-Name =
"host/boy-it-tel-2528.campus.bridgew.edu", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 40
rlm_eap: EAP packet type response id 9 length 121
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 40
users: Matched entry DEFAULT at line 152
users: Matched entry DEFAULT at line 171
modcall[authorize]: module "files" returns ok for request 40
modcall: leaving group authorize (returns updated) for request 40
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 40
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: EAP type mschapv2
rlm_eap_peap: Tunneled data is valid.
PEAP: Got tunneled EAP-Message
EAP-Message =
0x020900621a0209005d310575b329205687211101eef2ea1463b60000000000000000c9
2c121419368a6b599e159c9ef21bbc4d98138946d6df2900
686f73742f626f792d69742d74656c2d323532382e63616d7075732e627269646765772e
656475
PEAP: Setting User-Name to host/boy-it-tel-2528.campus.bridgew.edu
PEAP: Adding old state with c0 be
PEAP: Sending tunneled request
EAP-Message =
0x020900621a0209005d310575b329205687211101eef2ea1463b60000000000000000c9
2c121419368a6b599e159c9ef21bbc4d98138946d6df2900
686f73742f626f792d69742d74656c2d323532382e63616d7075732e627269646765772e
656475
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "host/boy-it-tel-2528.campus.bridgew.edu"
State = 0xc0be9e82d71e93ec07c4074441377fb0
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 40
modcall[authorize]: module "preprocess" returns ok for request 40
radius_xlat:
'/var/log/freeradius/radacct/127.0.0.1/auth-detail-20060309'
rlm_detail:
/var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/freeradius/radacct/127.0.0.1/auth-detail-2
0060309
modcall[authorize]: module "auth_log" returns ok for request 40
modcall[authorize]: module "chap" returns noop for request 40
modcall[authorize]: module "mschap" returns noop for request 40
rlm_realm: No '@' in User-Name =
"host/boy-it-tel-2528.campus.bridgew.edu", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 40
rlm_eap: EAP packet type response id 9 length 98
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 40
users: Matched entry DEFAULT at line 152
modcall[authorize]: module "files" returns ok for request 40
modcall: leaving group authorize (returns updated) for request 40
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 40
rlm_eap: Request found, released from the list
rlm_eap: EAP/mschapv2
rlm_eap: processing type mschapv2
Processing the authenticate section of radiusd.conf
modcall: entering group MS-CHAP for request 40
rlm_mschap: No User-Password configured. Cannot create LM-Password.
rlm_mschap: No User-Password configured. Cannot create NT-Password.
rlm_mschap: Told to do MS-CHAPv2 for
host/boy-it-tel-2528.campus.bridgew.edu with NT-Password
radius_xlat: Running registered xlat function of module mschap for
string 'User-Name'
radius_xlat: Running registered xlat function of module mschap for
string 'NT-Domain'
radius_xlat: Running registered xlat function of module mschap for
string 'Challenge'
mschap2: 31
radius_xlat: Running registered xlat function of module mschap for
string 'NT-Response'
radius_xlat: '/usr/bin/ntlm_auth --request-nt-key
--username=boy-it-tel-2528$ --domain=campus --challenge=8498683817c21d86
--nt-response=c92c
121419368a6b599e159c9ef21bbc4d98138946d6df29 '
Exec-Program: /usr/bin/ntlm_auth --request-nt-key
--username=boy-it-tel-2528$ --domain=campus --challenge=8498683817c21d86
--nt-response=c92c1
21419368a6b599e159c9ef21bbc4d98138946d6df29
Exec-Program output: Logon failure (0xc000006d)
Exec-Program-Wait: plaintext: Logon failure (0xc000006d)
Exec-Program: returned: 1
rlm_mschap: External script failed.
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
modcall[authenticate]: module "mschap" returns reject for request 40
modcall: leaving group MS-CHAP (returns reject) for request 40
rlm_eap: Freeing handler
modcall[authenticate]: module "eap" returns reject for request 40
modcall: leaving group authenticate (returns reject) for request 40
auth: Failed to validate the user.
Login incorrect: [host/boy-it-tel-2528.campus.bridgew.edu] (from client
localhost port 0)
PEAP: Got tunneled reply RADIUS code 3
MS-CHAP-Error = "\tE=691 R=1"
EAP-Message = 0x04090004
Message-Authenticator = 0x00000000000000000000000000000000
PEAP: Processing from tunneled session code 0x8159120 3
MS-CHAP-Error = "\tE=691 R=1"
EAP-Message = 0x04090004
Message-Authenticator = 0x00000000000000000000000000000000
PEAP: Tunneled authentication was rejected.
rlm_eap_peap: FAILURE
modcall[authenticate]: module "eap" returns handled for request 40
modcall: leaving group authenticate (returns handled) for request 40
Sending Access-Challenge of id 2 to 10.0.1.21 port 32768
Framed-IP-Address = 255.255.255.254
Framed-MTU = 576
Service-Type = Framed-User
EAP-Message =
0x010a00261900170301001b2b70132064acd535306c54d37e22679711096bbe69821ed0
d2af6e
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xe08ef92e3bc5a82f8011159dff79c57f
Finished request 40
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.0.1.21:32768, id=3,
length=259
User-Name = "host/boy-it-tel-2528.campus.bridgew.edu"
Calling-Station-Id = "00-0B-7D-1B-B0-BA"
Called-Station-Id = "00-0B-85-5F-66-E0:Wireless at BSC"
NAS-Port = 29
NAS-IP-Address = 10.0.1.21
NAS-Identifier = "BUWISM2-1"
Airespace-Wlan-Id = 1
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "4000"
EAP-Message =
0x020a00261900170301001b59c0444996b63b6d1b27e0dff445c27caccb8c1f8d17fe91
0776d1
State = 0xe08ef92e3bc5a82f8011159dff79c57f
Message-Authenticator = 0x0fccb825852b2ffc878a6a3a2cf5d31a
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 41
modcall[authorize]: module "preprocess" returns ok for request 41
radius_xlat:
'/var/log/freeradius/radacct/10.0.1.21/auth-detail-20060309'
rlm_detail:
/var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/freeradius/radacct/10.0.1.21/auth-detail-2
0060309
modcall[authorize]: module "auth_log" returns ok for request 41
modcall[authorize]: module "chap" returns noop for request 41
modcall[authorize]: module "mschap" returns noop for request 41
rlm_realm: No '@' in User-Name =
"host/boy-it-tel-2528.campus.bridgew.edu", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 41
rlm_eap: EAP packet type response id 10 length 38
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 41
users: Matched entry DEFAULT at line 152
users: Matched entry DEFAULT at line 171
modcall[authorize]: module "files" returns ok for request 41
modcall: leaving group authorize (returns updated) for request 41
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 41
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: Received EAP-TLV response.
rlm_eap_peap: Tunneled data is valid.
rlm_eap_peap: Had sent TLV failure. User was rejcted rejected
earlier in this session.
rlm_eap: Handler failed in EAP/peap
rlm_eap: Failed in EAP select
modcall[authenticate]: module "eap" returns invalid for request 41
modcall: leaving group authenticate (returns invalid) for request 41
auth: Failed to validate the user.
Login incorrect: [host/boy-it-tel-2528.campus.bridgew.edu] (from client
private-network-1 port 29 cli 00-0B-7D-1B-B0-BA)
Delaying request 41 for 1 seconds
Finished request 41
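
A triage helper for debug output like the above, added here as an example (it is not part of the original post or of FreeRADIUS). It pulls out each ntlm_auth call, the account name actually sent to the domain, and the failure codes; the function name `triage` and the result keys are assumptions, and the sample lines are copied from the log above with wrapped lines rejoined.

```python
import re

NTSTATUS = {0xC000006D: "STATUS_LOGON_FAILURE"}      # code seen in this log
MSCHAP_ERR = {691: "ERROR_AUTHENTICATION_FAILURE"}   # RFC 2759 failure code

# Sample input: lines from the post's debug output, wrapped lines rejoined.
SAMPLE = r"""modcall: entering group MS-CHAP for request 40
Exec-Program: /usr/bin/ntlm_auth --request-nt-key --username=boy-it-tel-2528$ --domain=campus --challenge=8498683817c21d86 --nt-response=c92c121419368a6b599e159c9ef21bbc4d98138946d6df29
Exec-Program output: Logon failure (0xc000006d)
Exec-Program: returned: 1
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
Login incorrect: [host/boy-it-tel-2528.campus.bridgew.edu] (from client localhost port 0)
MS-CHAP-Error = "\tE=691 R=1"
"""

def triage(log):
    """Return one finding per ntlm_auth invocation in radiusd debug output."""
    findings, cur = [], None
    for line in log.splitlines():
        m = re.match(r"Exec-Program: (\S*ntlm_auth) (.*)", line)
        if m:
            # --key=value options only; bare flags such as --request-nt-key are skipped
            args = dict(re.findall(r"--([\w-]+)=(\S+)", m.group(2)))
            cur = {"username": args.get("username"),
                   "domain": args.get("domain"),
                   # a trailing '$' marks a computer account name
                   "machine_account": args.get("username", "").endswith("$")}
            findings.append(cur)
            continue
        if cur is None:
            continue  # ignore everything before the first ntlm_auth call
        if m := re.match(r"Exec-Program output: .*\((0x[0-9a-fA-F]{8})\)", line):
            code = int(m.group(1), 16)
            cur["ntstatus"] = NTSTATUS.get(code, hex(code))
        elif m := re.match(r"Exec-Program: returned: (\d+)", line):
            cur["exit_code"] = int(m.group(1))
        elif m := re.search(r'MS-CHAP-Error = ".*?E=(\d+) R=(\d)', line):
            cur["mschap_error"] = MSCHAP_ERR.get(int(m.group(1)), m.group(1))
            cur["retry_allowed"] = m.group(2) == "1"
        elif m := re.match(r"Login incorrect: \[([^\]]+)\]", line):
            cur.setdefault("radius_identity", m.group(1))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

On the sample this reports that the RADIUS identity host/boy-it-tel-2528.campus.bridgew.edu was checked against the domain as boy-it-tel-2528$ in domain campus, and that ntlm_auth itself returned the logon failure.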