VLAN Mapping with MS-CHAP
robiwan at arcor.de
Mon May 8 08:01:29 CEST 2006
> Dear all,
> I try to put my Windows-XP-Clients in different VLANs on my Cisco Catalyst 3750 Switch, depending on their Account.
> And I use two different authentication methods: MD5-Challenge and MS-CHAP.
>
> User hugo should be mapped in VLAN 50 and authenticated via MD5-Challenge
> User roka at Domain WINLAB should be mapped in VLAN 40 and authenticated via MS-CHAP
>
> Now both authentications work (thanks to all again) but I have difficulties mapping user roka into his right VLAN.
>
> Here is my users file:
> -----------------------snip------------------------
>
> hugo    User-Password == "hugo01"
>         Tunnel-Type = VLAN,
>         Tunnel-Medium-Type = 6,
>         Tunnel-Private-Group-ID = 50
>
> roka    Auth-Type := MS-CHAP
>         Tunnel-Type = VLAN,
>         Tunnel-Medium-Type = 6,
>         Tunnel-Private-Group-ID = 40
> ---------------------snap--------------------------
Do NOT set Auth-Type. If your server is properly configured, it is not
needed and can cause problems. In this case, it should not be causing
the problem.
Just to check - that's the ENTIRE users file, yes?
robiwan: Now, here is my complete users file:
---------------------start users ---------------------------
hugo    User-Password == "hugo01"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = 6,
        Tunnel-Private-Group-ID = 50

roka
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = 6,
        Tunnel-Private-Group-ID = 40

DEFAULT Service-Type == Framed-User
        Framed-IP-Address = 255.255.255.254,
        Framed-MTU = 576,
        Service-Type = Framed-User,
        Fall-Through = Yes

DEFAULT Hint == "CSLIP"
        Framed-Protocol = SLIP,
        Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT Hint == "SLIP"
        Framed-Protocol = SLIP
--------------------------end users-----------------------------------
>
>
> Here is the output of my radiusd with user hugo.
> The Cisco-Switch maps user hugo into VLAN 50:
>
> Login OK: [hugo/<no User-Password attribute>] (from client M4DEMRCO0000015 port 50103 cli 00-0B-5D-84-AE-CA)
> Sending Access-Accept of id 210 to 10.187.0.15 port 1645
> Tunnel-Type:0 = VLAN
> Tunnel-Medium-Type:0 = IEEE-802
> Tunnel-Private-Group-Id:0 = "50"
> EAP-Message = 0x03010004
> Message-Authenticator = 0x00000000000000000000000000000000
> User-Name = "hugo"
> Finished request 1
> Going to the next request
>
>
> Here is the output with user roka.
> The Cisco-Switch maps user roka into VLAN 1, and NOT into VLAN 40; I miss the Tunnel information:
>
> Login OK: [WINLAB\\roka/<no User-Password attribute>] (from client M4DEMRCO0000015 port 50103 cli 00-0B-AA-84-AE-CA)
> Sending Access-Accept of id 220 to 10.187.0.15 port 1645
> Framed-IP-Address = 255.255.255.254
> Framed-MTU = 576
> Service-Type = Framed-User
> MS-MPPE-Recv-Key = 0x70235fcdc1bc208578d0a26edb3c6d0b09f7cb712d4e9b66e7b2bea5b159c4f2
> MS-MPPE-Send-Key = 0x6208fd4f8c1d2cd07a5e4597c98707dc70c94f29898eb0672e4572808efbd13d
> EAP-Message = 0x03090004
> Message-Authenticator = 0x00000000000000000000000000000000
> User-Name = "WINLAB\\roka"
> Finished request 9
> Going to the next request
This is not helpful. Send the full debugging output prior to this, so we
can see what modules matched. If you're going to trim, start from the
point the radius server is idling, not the very last packet.
robiwan: Okay, here is the complete output from my radiusd when user roka does a request.
Sorry, it's huge.
rad_recv: Access-Request packet from host 10.187.0.15:1645, id=231, length=137
NAS-IP-Address = 10.187.0.15
NAS-Port = 50103
NAS-Port-Type = Ethernet
User-Name = "WINLAB\\roka"
Called-Station-Id = "00-14-69-5B-8B-03"
Calling-Station-Id = "00-0B-5D-84-AE-CA"
Service-Type = Framed-User
Framed-MTU = 1500
EAP-Message = 0x020000100157494e4c41425c726f6b61
Message-Authenticator = 0x58539e67c56f220589cf69d3485c493d
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "WINLAB\roka", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
rlm_eap: EAP packet type response id 0 length 16
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 0
users: Matched entry DEFAULT at line 185
modcall[authorize]: module "files" returns ok for request 0
modcall: leaving group authorize (returns updated) for request 0
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_eap: EAP Identity
rlm_eap: processing type md5
rlm_eap_md5: Issuing Challenge
modcall[authenticate]: module "eap" returns handled for request 0
modcall: leaving group authenticate (returns handled) for request 0
Sending Access-Challenge of id 231 to 10.187.0.15 port 1645
Framed-IP-Address = 255.255.255.254
Framed-MTU = 576
Service-Type = Framed-User
EAP-Message = 0x0101001604104d9b1cdfa7099813e534e513b97cf690
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x1d76bae29fbc0e19159eaa3f74334d79
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.187.0.15:1645, id=232, length=145
NAS-IP-Address = 10.187.0.15
NAS-Port = 50103
NAS-Port-Type = Ethernet
User-Name = "WINLAB\\roka"
Called-Station-Id = "00-14-69-5B-8B-03"
Calling-Station-Id = "00-0B-5D-84-AE-CA"
Service-Type = Framed-User
Framed-MTU = 1500
State = 0x1d76bae29fbc0e19159eaa3f74334d79
EAP-Message = 0x020100060319
Message-Authenticator = 0xf909eb3892cf65a9bc743a0df26a1969
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
modcall[authorize]: module "preprocess" returns ok for request 1
modcall[authorize]: module "chap" returns noop for request 1
modcall[authorize]: module "mschap" returns noop for request 1
rlm_realm: No '@' in User-Name = "WINLAB\roka", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 1
rlm_eap: EAP packet type response id 1 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 1
users: Matched entry DEFAULT at line 185
modcall[authorize]: module "files" returns ok for request 1
modcall: leaving group authorize (returns updated) for request 1
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
rlm_eap: Request found, released from the list
rlm_eap: EAP NAK
rlm_eap: EAP-NAK asked for EAP-Type/peap
rlm_eap: processing type tls
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
modcall[authenticate]: module "eap" returns handled for request 1
modcall: leaving group authenticate (returns handled) for request 1
Sending Access-Challenge of id 232 to 10.187.0.15 port 1645
Framed-IP-Address = 255.255.255.254
Framed-MTU = 576
Service-Type = Framed-User
EAP-Message = 0x010200061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x7403336ead41e5a0c556b56a35cb7d33
Finished request 1
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.187.0.15:1645, id=233, length=251
NAS-IP-Address = 10.187.0.15
NAS-Port = 50103
NAS-Port-Type = Ethernet
User-Name = "WINLAB\\roka"
Called-Station-Id = "00-14-69-5B-8B-03"
Calling-Station-Id = "00-0B-5D-84-AE-CA"
Service-Type = Framed-User
Framed-MTU = 1500
State = 0x7403336ead41e5a0c556b56a35cb7d33
EAP-Message = 0x0202007019800000006616030100610100005d0301445ed95d77c35c3390cfe1215b5c4e1e8e9e656d274731adb4b7f90657cbd13b2095b1a12797a7ea814e2acdc0f092c6d3be7983fa1a806039dea5576694e804ca001600040005000a000900640062000300060013001200630100
Message-Authenticator = 0xe1546f42b5e72f886fe40c3175d5f42b
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
modcall[authorize]: module "preprocess" returns ok for request 2
modcall[authorize]: module "chap" returns noop for request 2
modcall[authorize]: module "mschap" returns noop for request 2
rlm_realm: No '@' in User-Name = "WINLAB\roka", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 2
rlm_eap: EAP packet type response id 2 length 112
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 2
users: Matched entry DEFAULT at line 185
modcall[authorize]: module "files" returns ok for request 2
modcall: leaving group authorize (returns updated) for request 2
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
eaptls_verify returned 11
(other): before/accept initialization
TLS_accept: before/accept initialization
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0061], ClientHello
TLS_accept: SSLv3 read client hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
TLS_accept: SSLv3 write server hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0694], Certificate
TLS_accept: SSLv3 write certificate A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
TLS_accept: SSLv3 write server done A
TLS_accept: SSLv3 flush data
TLS_accept:error in SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
modcall[authenticate]: module "eap" returns handled for request 2
modcall: leaving group authenticate (returns handled) for request 2
Sending Access-Challenge of id 233 to 10.187.0.15 port 1645
Framed-IP-Address = 255.255.255.254
Framed-MTU = 576
Service-Type = Framed-User
EAP-Message = 0x652e636f6d301e170d3034303132353133323630375a
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x23e1da47b9d2ad5d9a992e53e51b0f88
Finished request 2
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.187.0.15:1645, id=234, length=145
NAS-IP-Address = 10.187.0.15
NAS-Port = 50103
NAS-Port-Type = Ethernet
User-Name = "WINLAB\\roka"
Called-Station-Id = "00-14-69-5B-8B-03"
Calling-Station-Id = "00-0B-5D-84-AE-CA"
Service-Type = Framed-User
Framed-MTU = 1500
State = 0x23e1da47b9d2ad5d9a992e53e51b0f88
EAP-Message = 0x020300061900
Message-Authenticator = 0x993d1a0b0a680cde949eeeeb5366b376
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 3
modcall[authorize]: module "preprocess" returns ok for request 3
modcall[authorize]: module "chap" returns noop for request 3
modcall[authorize]: module "mschap" returns noop for request 3
rlm_realm: No '@' in User-Name = "WINLAB\roka", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 3
rlm_eap: EAP packet type response id 3 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 3
users: Matched entry DEFAULT at line 185
modcall[authorize]: module "files" returns ok for request 3
modcall: leaving group authorize (returns updated) for request 3
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 3
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake fragment handler
eaptls_verify returned 1
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
modcall[authenticate]: module "eap" returns handled for request 3
modcall: leaving group authenticate (returns handled) for request 3
Sending Access-Challenge of id 234 to 10.187.0.15 port 1645
Framed-IP-Address = 255.255.255.254
Framed-MTU = 576
Service-Type = Framed-User
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xcd0b2de9f6247bc1a377ab09601b6622
Finished request 3
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.187.0.15:1645, id=235, length=331
NAS-IP-Address = 10.187.0.15
NAS-Port = 50103
NAS-Port-Type = Ethernet
User-Name = "WINLAB\\roka"
Called-Station-Id = "00-14-69-5B-8B-03"
Calling-Station-Id = "00-0B-5D-84-AE-CA"
Service-Type = Framed-User
Framed-MTU = 1500
State = 0xcd0b2de9f6247bc1a377ab09601b6622
EAP-Message = 0x020400c01980000000b6160301008610000082008054fa1df090a84370a298993600e34cf8af13808befff697746cb3100c83a481758189f961b7e391de8cdfe48ef0f66f45c29019de52b662aac1738fed79487efab399df4c231b1a680c8c745180c6187d738aeead3a84e22bd38e15b0487befddce9b383e84f0bd6bcb51226f258d4ceb214853d622a16ff1316df2740767e9814030100010116030100200765266a26b02174d0fbf43fdce14c70a7e27c39c9ef851116dfc350e922d9fa
Message-Authenticator = 0x2c4f1683c21b9c8465c622867b6b424f
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
modcall[authorize]: module "preprocess" returns ok for request 4
modcall[authorize]: module "chap" returns noop for request 4
modcall[authorize]: module "mschap" returns noop for request 4
rlm_realm: No '@' in User-Name = "WINLAB\roka", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 4
rlm_eap: EAP packet type response id 4 length 192
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 4
users: Matched entry DEFAULT at line 185
modcall[authorize]: module "files" returns ok for request 4
modcall: leaving group authorize (returns updated) for request 4
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 4
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
eaptls_verify returned 11
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
TLS_accept: SSLv3 read client key exchange A
rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 read finished A
rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001]
TLS_accept: SSLv3 write change cipher spec A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 write finished A
TLS_accept: SSLv3 flush data
(other): SSL negotiation finished successfully
SSL Connection Established
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
modcall[authenticate]: module "eap" returns handled for request 4
modcall: leaving group authenticate (returns handled) for request 4
Sending Access-Challenge of id 235 to 10.187.0.15 port 1645
Framed-IP-Address = 255.255.255.254
Framed-MTU = 576
Service-Type = Framed-User
EAP-Message = 0x01050031190014030100010116030100204d6ac14fd758207216d3d41e01832f4ac6183a076fbe4efd160f4a41a35b22cf
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xddcdd8f2cca99b985d18ca87d2b88cec
Finished request 4
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.187.0.15:1645, id=236, length=145
NAS-IP-Address = 10.187.0.15
NAS-Port = 50103
NAS-Port-Type = Ethernet
User-Name = "WINLAB\\roka"
Called-Station-Id = "00-14-69-5B-8B-03"
Calling-Station-Id = "00-0B-5D-84-AE-CA"
Service-Type = Framed-User
Framed-MTU = 1500
State = 0xddcdd8f2cca99b985d18ca87d2b88cec
EAP-Message = 0x020500061900
Message-Authenticator = 0x53e1a745d44793df57b5d50d1c052863
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
modcall[authorize]: module "preprocess" returns ok for request 5
modcall[authorize]: module "chap" returns noop for request 5
modcall[authorize]: module "mschap" returns noop for request 5
rlm_realm: No '@' in User-Name = "WINLAB\roka", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 5
rlm_eap: EAP packet type response id 5 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 5
users: Matched entry DEFAULT at line 185
modcall[authorize]: module "files" returns ok for request 5
modcall: leaving group authorize (returns updated) for request 5
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 5
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake is finished
eaptls_verify returned 3
eaptls_process returned 3
rlm_eap_peap: EAPTLS_SUCCESS
modcall[authenticate]: module "eap" returns handled for request 5
modcall: leaving group authenticate (returns handled) for request 5
Sending Access-Challenge of id 236 to 10.187.0.15 port 1645
Framed-IP-Address = 255.255.255.254
Framed-MTU = 576
Service-Type = Framed-User
EAP-Message = 0x0106002019001703010015a9944ae4d3056456288bb99631ee9e954ab45638e8
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x24ba89d55cd3575e21c74e389b97be66
Finished request 5
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.187.0.15:1645, id=237, length=178
NAS-IP-Address = 10.187.0.15
NAS-Port = 50103
NAS-Port-Type = Ethernet
User-Name = "WINLAB\\roka"
Called-Station-Id = "00-14-69-5B-8B-03"
Calling-Station-Id = "00-0B-5D-84-AE-CA"
Service-Type = Framed-User
Framed-MTU = 1500
State = 0x24ba89d55cd3575e21c74e389b97be66
EAP-Message = 0x020600271900170301001ca47c7847287cdeb393c6bf70b5f6af519019eef05e83f8e5003b8efc
Message-Authenticator = 0x7b8091e9347c683bf40f234e7573fb4a
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 6
modcall[authorize]: module "preprocess" returns ok for request 6
modcall[authorize]: module "chap" returns noop for request 6
modcall[authorize]: module "mschap" returns noop for request 6
rlm_realm: No '@' in User-Name = "WINLAB\roka", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 6
rlm_eap: EAP packet type response id 6 length 39
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 6
users: Matched entry DEFAULT at line 185
modcall[authorize]: module "files" returns ok for request 6
modcall: leaving group authorize (returns updated) for request 6
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: Identity - WINLAB\roka
rlm_eap_peap: Tunneled data is valid.
PEAP: Got tunneled identity of WINLAB\roka
PEAP: Setting default EAP type for tunneled EAP session.
PEAP: Setting User-Name to WINLAB\roka
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 6
modcall[authorize]: module "preprocess" returns ok for request 6
modcall[authorize]: module "chap" returns noop for request 6
modcall[authorize]: module "mschap" returns noop for request 6
rlm_realm: No '@' in User-Name = "WINLAB\roka", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 6
rlm_eap: EAP packet type response id 6 length 16
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 6
modcall[authorize]: module "files" returns notfound for request 6
modcall: leaving group authorize (returns updated) for request 6
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
rlm_eap: EAP Identity
rlm_eap: processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
modcall[authenticate]: module "eap" returns handled for request 6
modcall: leaving group authenticate (returns handled) for request 6
PEAP: Got tunneled Access-Challenge
modcall[authenticate]: module "eap" returns handled for request 6
modcall: leaving group authenticate (returns handled) for request 6
Sending Access-Challenge of id 237 to 10.187.0.15 port 1645
Framed-IP-Address = 255.255.255.254
Framed-MTU = 576
Service-Type = Framed-User
EAP-Message = 0x0107003c19001703010031fd510c2ebf47b3a59fa1aab6adad8b98bb1a27fde1f9b25b4bafef2db23581fcbc4905146ff16fb84d542486a6876d4788
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x576a439ed6f27a43441fcea96241dcdd
Finished request 6
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.187.0.15:1645, id=238, length=232
NAS-IP-Address = 10.187.0.15
NAS-Port = 50103
NAS-Port-Type = Ethernet
User-Name = "WINLAB\\roka"
Called-Station-Id = "00-14-69-5B-8B-03"
Calling-Station-Id = "00-0B-5D-84-AE-CA"
Service-Type = Framed-User
Framed-MTU = 1500
State = 0x576a439ed6f27a43441fcea96241dcdd
EAP-Message = 0x0207005d19001703010052543c8cda2e4d4b809a7ef500fced9a32c8475105b33591b7793d47c9038cd9d5ebaee45ce7ab4b48e9ce1429870fe0f0709833f807ed3b178c16ca85748e3425a59631a4fa19cb8a6e0e41ad7bbcc8042500
Message-Authenticator = 0x603bc333fad2a5b42b41856c81000ccc
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 7
modcall[authorize]: module "preprocess" returns ok for request 7
modcall[authorize]: module "chap" returns noop for request 7
modcall[authorize]: module "mschap" returns noop for request 7
rlm_realm: No '@' in User-Name = "WINLAB\roka", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 7
rlm_eap: EAP packet type response id 7 length 93
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 7
users: Matched entry DEFAULT at line 185
modcall[authorize]: module "files" returns ok for request 7
modcall: leaving group authorize (returns updated) for request 7
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 7
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: EAP type mschapv2
rlm_eap_peap: Tunneled data is valid.
PEAP: Setting User-Name to WINLAB\roka
PEAP: Adding old state with 05 ce
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 7
modcall[authorize]: module "preprocess" returns ok for request 7
modcall[authorize]: module "chap" returns noop for request 7
modcall[authorize]: module "mschap" returns noop for request 7
rlm_realm: No '@' in User-Name = "WINLAB\roka", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 7
rlm_eap: EAP packet type response id 7 length 70
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 7
modcall[authorize]: module "files" returns notfound for request 7
modcall: leaving group authorize (returns updated) for request 7
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 7
rlm_eap: Request found, released from the list
rlm_eap: EAP/mschapv2
rlm_eap: processing type mschapv2
Processing the authenticate section of radiusd.conf
modcall: entering group MS-CHAP for request 7
rlm_mschap: No User-Password configured. Cannot create LM-Password.
rlm_mschap: No User-Password configured. Cannot create NT-Password.
rlm_mschap: Told to do MS-CHAPv2 for roka with NT-Password
radius_xlat: Running registered xlat function of module mschap for string 'User-Name'
radius_xlat: Running registered xlat function of module mschap for string 'Challenge'
mschap2: ed
radius_xlat: Running registered xlat function of module mschap for string 'NT-Response'
radius_xlat: '/usr/bin/ntlm_auth --domain=winlab --request-nt-key --username=roka --challenge=35f97f5f894fdd88 --nt-response=4f19e399acdcdaec236c88b715ba0429aad7d843e4ed9e45'
Exec-Program: /usr/bin/ntlm_auth --domain=winlab --request-nt-key --username=roka --challenge=35f97f5f894fdd88 --nt-response=4f19e399acdcdaec236c88b715ba0429aad7d843e4ed9e45
Exec-Program output: NT_KEY: 2F6C7B1EA51DEE8E0E47A627D4E5DEA5
Exec-Program-Wait: plaintext: NT_KEY: 2F6C7B1EA51DEE8E0E47A627D4E5DEA5
Exec-Program: returned: 0
rlm_mschap: adding MS-CHAPv2 MPPE keys
modcall[authenticate]: module "mschap" returns ok for request 7
modcall: leaving group MS-CHAP (returns ok) for request 7
MSCHAP Success
modcall[authenticate]: module "eap" returns handled for request 7
modcall: leaving group authenticate (returns handled) for request 7
PEAP: Got tunneled Access-Challenge
modcall[authenticate]: module "eap" returns handled for request 7
modcall: leaving group authenticate (returns handled) for request 7
Sending Access-Challenge of id 238 to 10.187.0.15 port 1645
Framed-IP-Address = 255.255.255.254
Framed-MTU = 576
Service-Type = Framed-User
EAP-Message = 0x0108004a1900170301003f14015567cad71a1b0c4fb4c3130bde7dfa157cb9c3917e440185650393f07e3c85f3cc7b9206df9f48d67727fb5dc0d424d26c244884598f80ec4d79717050
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x3f776c18d763a3b13fec28371a580368
Finished request 7
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.187.0.15:1645, id=239, length=168
NAS-IP-Address = 10.187.0.15
NAS-Port = 50103
NAS-Port-Type = Ethernet
User-Name = "WINLAB\\roka"
Called-Station-Id = "00-14-69-5B-8B-03"
Calling-Station-Id = "00-0B-5D-84-AE-CA"
Service-Type = Framed-User
Framed-MTU = 1500
State = 0x3f776c18d763a3b13fec28371a580368
EAP-Message = 0x0208001d1900170301001286cf00cd681fe2c866ceaa4dd4685616ebf2
Message-Authenticator = 0x9401ce83f45cba5524631482575c4e50
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 8
modcall[authorize]: module "preprocess" returns ok for request 8
modcall[authorize]: module "chap" returns noop for request 8
modcall[authorize]: module "mschap" returns noop for request 8
rlm_realm: No '@' in User-Name = "WINLAB\roka", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 8
rlm_eap: EAP packet type response id 8 length 29
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 8
users: Matched entry DEFAULT at line 185
modcall[authorize]: module "files" returns ok for request 8
modcall: leaving group authorize (returns updated) for request 8
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 8
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: EAP type mschapv2
rlm_eap_peap: Tunneled data is valid.
PEAP: Setting User-Name to WINLAB\roka
PEAP: Adding old state with 1c 3f
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 8
modcall[authorize]: module "preprocess" returns ok for request 8
modcall[authorize]: module "chap" returns noop for request 8
modcall[authorize]: module "mschap" returns noop for request 8
rlm_realm: No '@' in User-Name = "WINLAB\roka", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 8
rlm_eap: EAP packet type response id 8 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 8
modcall[authorize]: module "files" returns notfound for request 8
modcall: leaving group authorize (returns updated) for request 8
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 8
rlm_eap: Request found, released from the list
rlm_eap: EAP/mschapv2
rlm_eap: processing type mschapv2
rlm_eap: Freeing handler
modcall[authenticate]: module "eap" returns ok for request 8
modcall: leaving group authenticate (returns ok) for request 8
Login OK: [WINLAB\\roka/<no User-Password attribute>] (from client localhost port 0)
PEAP: Tunneled authentication was successful.
rlm_eap_peap: SUCCESS
modcall[authenticate]: module "eap" returns handled for request 8
modcall: leaving group authenticate (returns handled) for request 8
Sending Access-Challenge of id 239 to 10.187.0.15 port 1645
Framed-IP-Address = 255.255.255.254
Framed-MTU = 576
Service-Type = Framed-User
EAP-Message = 0x010900261900170301001b5d719231c99f383ef56f29dbd88ccdcee4619d327702c0a3fdcd0a
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x86881135a8c0cf1a0a5e4673d0a3c80f
Finished request 8
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.187.0.15:1645, id=240, length=177
NAS-IP-Address = 10.187.0.15
NAS-Port = 50103
NAS-Port-Type = Ethernet
User-Name = "WINLAB\\roka"
Called-Station-Id = "00-14-69-5B-8B-03"
Calling-Station-Id = "00-0B-5D-84-AE-CA"
Service-Type = Framed-User
Framed-MTU = 1500
State = 0x86881135a8c0cf1a0a5e4673d0a3c80f
EAP-Message = 0x020900261900170301001b10ced5dc970678de199f84026e0da62c8d8aafcaef18cd827120f3
Message-Authenticator = 0x7299f75e3c756461e2af68b680bfdfba
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 9
modcall[authorize]: module "preprocess" returns ok for request 9
modcall[authorize]: module "chap" returns noop for request 9
modcall[authorize]: module "mschap" returns noop for request 9
rlm_realm: No '@' in User-Name = "WINLAB\roka", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 9
rlm_eap: EAP packet type response id 9 length 38
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 9
users: Matched entry DEFAULT at line 185
modcall[authorize]: module "files" returns ok for request 9
modcall: leaving group authorize (returns updated) for request 9
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 9
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: Received EAP-TLV response.
rlm_eap_peap: Tunneled data is valid.
rlm_eap_peap: Success
rlm_eap: Freeing handler
modcall[authenticate]: module "eap" returns ok for request 9
modcall: leaving group authenticate (returns ok) for request 9
Login OK: [WINLAB\\roka/<no User-Password attribute>] (from client M4DEMRCO0000015 port 50103 cli 00-0B-5D-84-AE-CA)
Sending Access-Accept of id 240 to 10.187.0.15 port 1645
Framed-IP-Address = 255.255.255.254
Framed-MTU = 576
Service-Type = Framed-User
MS-MPPE-Recv-Key = 0xf40ac6877b951361d702e2278e23578e330487ae798b71b65d12bb92ee68ae08
MS-MPPE-Send-Key = 0xbd3ba39fcf4ac785ca88eb041c7329af1a87a23b1c30d61f4fede979f078e442
EAP-Message = 0x03090004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "WINLAB\\roka"
Finished request 9
Going to the next request
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 231 with timestamp 445eda01
Cleaning up request 1 ID 232 with timestamp 445eda01
Cleaning up request 2 ID 233 with timestamp 445eda01
Cleaning up request 3 ID 234 with timestamp 445eda01
Cleaning up request 4 ID 235 with timestamp 445eda01
Cleaning up request 5 ID 236 with timestamp 445eda01
Cleaning up request 6 ID 237 with timestamp 445eda01
Cleaning up request 7 ID 238 with timestamp 445eda01
Cleaning up request 8 ID 239 with timestamp 445eda01
Cleaning up request 9 ID 240 with timestamp 445eda01
Nothing to do. Sleeping until we see a request.
In all probability, your problem is that you're using PEAP rather than
just MS-CHAP, and the tunnel attributes are being set on the inner
MS-CHAP reply, but not being copied to the outer EAP reply.
Make sure you have this in eap.conf:
eap {
    # rest of config, then
    peap {
        # rest of config, then
        use_tunneled_reply = yes
    }
}
You may also need:
eap {
    # rest of config, then
    peap {
        # rest of config, then
        copy_request_to_tunnel = yes
        use_tunneled_reply = yes
    }
}
robiwan: Here is my eap.conf, the peap-section:
peap {
    default_eap_type = mschapv2
    copy_request_to_tunnel = yes
    use_tunneled_reply = yes
    proxy_tunneled_request_as_eap = no
}
Unfortunately it doesn't work.
User roka is still in VLAN 1 and not in VLAN 40.
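The debug log above shows two things worth checking mechanically rather than by eye: in every outer authorize pass the files module matches only a DEFAULT entry (`users: Matched entry DEFAULT at line 185`), and in the inner, PEAP-tunneled pass for `WINLAB\roka` it matches nothing at all (`module "files" returns notfound`), so no entry carrying the Tunnel-* attributes was hit in either pass before `use_tunneled_reply` could copy anything. The script below is an added example, not code from the thread or from FreeRADIUS: it reads a `radiusd -X` log, records which users entry matched in the outer and inner passes of each request, and flags any Access-Accept that carries no Tunnel-Private-Group-Id. The log it ships with is a constructed, shortened excerpt with the same line shapes as the thread's log.

```python
"""Diagnose missing Tunnel-* (VLAN) attributes from a radiusd -X debug log.

Added example, not code from the thread or from FreeRADIUS. For every outer
Access-Request it records which `users` entry the files module matched in
the outer authorize pass and in the PEAP-tunneled (inner) pass, then checks
whether the Access-Accept actually carries Tunnel-Private-Group-Id.
"""
import re

RECV = re.compile(r"^rad_recv: Access-Request packet from host \S+, id=(\d+)")
USER = re.compile(r'^\s*User-Name = "(.*)"$')
INNER_USER = re.compile(r"^PEAP: Setting User-Name to (.*)$")
MATCHED = re.compile(r"^users: Matched entry (\S+) at line \d+")
NOTFOUND = re.compile(r'^modcall\[authorize\]: module "files" returns notfound')
ACCEPT = re.compile(r"^Sending Access-Accept of id (\d+)")
ATTR = re.compile(r"^\s*([A-Za-z0-9-]+)(?::\d+)? = (.*)$")
TUNNEL_MARK = "Decoding tunneled attributes"


def analyze(log_text):
    """Return {"requests": {id: summary}, "findings": [str, ...]}."""
    requests = {}
    cur = None        # summary of the request currently being parsed
    phase = "outer"   # flips to "inner" once PEAP decodes the tunneled EAP
    accept = None     # attribute dict while reading an Access-Accept dump
    for line in log_text.splitlines():
        m = RECV.match(line)
        if m:
            cur = requests.setdefault(m.group(1), {
                "user": None, "inner_user": None,
                "outer": [], "inner": [], "accept": None})
            phase, accept = "outer", None
            continue
        if cur is None:
            continue
        if accept is not None:                 # inside a reply attribute dump
            m = ATTR.match(line)
            if m:
                accept[m.group(1)] = m.group(2).strip('"')
                continue
            accept = None                      # first non-attribute line ends it
        m = USER.match(line)
        if m and cur["user"] is None:
            cur["user"] = m.group(1)
        m = INNER_USER.match(line)
        if m:
            cur["inner_user"] = m.group(1)     # identity seen inside the tunnel
        if TUNNEL_MARK in line:
            phase = "inner"
        m = MATCHED.match(line)
        if m:
            cur[phase].append(m.group(1))      # name of the users entry that matched
        elif NOTFOUND.match(line):
            cur[phase].append(None)            # no users entry matched at all
        m = ACCEPT.match(line)
        if m:
            accept = cur["accept"] = {}

    findings = []
    for rid, r in requests.items():
        if r["inner"] and all(e is None for e in r["inner"]):
            findings.append(f"id {rid}: tunneled identity {r['inner_user']!r} "
                            "matched no users entry (files returned notfound)")
        if r["accept"] is not None and "Tunnel-Private-Group-Id" not in r["accept"]:
            findings.append(f"id {rid}: Access-Accept for {r['user']!r} "
                            "carries no Tunnel-Private-Group-Id")
    return {"requests": requests, "findings": findings}


# Constructed, shortened excerpt with the same line shapes as the thread's log.
SAMPLE_LOG = r"""
rad_recv: Access-Request packet from host 10.187.0.15:1645, id=210, length=137
        User-Name = "hugo"
users: Matched entry hugo at line 3
modcall[authorize]: module "files" returns ok for request 1
Sending Access-Accept of id 210 to 10.187.0.15 port 1645
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "50"
        User-Name = "hugo"
Finished request 1
rad_recv: Access-Request packet from host 10.187.0.15:1645, id=237, length=178
        User-Name = "WINLAB\\roka"
users: Matched entry DEFAULT at line 185
modcall[authorize]: module "files" returns ok for request 6
rlm_eap_peap: Session established. Decoding tunneled attributes.
PEAP: Setting User-Name to WINLAB\roka
modcall[authorize]: module "files" returns notfound for request 6
Sending Access-Challenge of id 237 to 10.187.0.15 port 1645
Finished request 6
rad_recv: Access-Request packet from host 10.187.0.15:1645, id=240, length=177
        User-Name = "WINLAB\\roka"
users: Matched entry DEFAULT at line 185
modcall[authorize]: module "files" returns ok for request 9
Sending Access-Accept of id 240 to 10.187.0.15 port 1645
        Framed-IP-Address = 255.255.255.254
        Service-Type = Framed-User
        User-Name = "WINLAB\\roka"
Finished request 9
"""

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG)["findings"]:
        print(finding)
```

The files module compares an entry name literally against the User-Name it is given, so the script reports the identity actually seen in each pass (`WINLAB\roka` inside the tunnel here) next to the entry names that matched; that comparison is the first thing to settle before looking at whether the inner reply is copied to the outer one.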
...if you want to match on other attributes in the request than username
at a later date.
>
>
> So, any ideas what to do so that for user roka my radiusd also sends the Tunnel things to my Switch:
>
> Tunnel-Type:0 = VLAN
> Tunnel-Medium-Type:0 = IEEE-802
> Tunnel-Private-Group-Id:0 = "40"
>
That's expected and normal. See RFC 2868. The number is a tag, as you
can specify multiple Tunnel-* attribute sets. The tag groups them
together, and FreeRadius sets it to zero for the common case of one set.
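To make the tag concrete, here is an added example (not code from the thread or from FreeRADIUS) that encodes the three attributes a VLAN assignment needs in the RFC 2868 wire format, decodes them back, and groups them by tag the way a NAS separates one Tunnel-* set from another. The attribute numbers (64, 65, 81), the VLAN Tunnel-Type value 13 and the IEEE-802 medium value 6 are the standard registry values; the tag rules follow RFC 2868: a tag octet precedes tagged integers always, but precedes a tagged string only when it is 0x01..0x1F, so tag 0 on a string is carried by the absence of a tag octet.

```python
"""RFC 2868 tagged Tunnel-* attributes: the ':0' in radiusd's output.

Added example, not code from the thread or from FreeRADIUS. Encodes the three
attributes a VLAN assignment needs, decodes them back and groups them by tag,
which is how a NAS tells one Tunnel-* set apart from another.
"""
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN = 13        # Tunnel-Type value for VLAN (RFC 3580)
IEEE_802 = 6     # Tunnel-Medium-Type value for IEEE-802
NAMES = {TUNNEL_TYPE: "Tunnel-Type", TUNNEL_MEDIUM_TYPE: "Tunnel-Medium-Type",
         TUNNEL_PRIVATE_GROUP_ID: "Tunnel-Private-Group-Id"}
MAX_TAG = 0x1F   # RFC 2868: valid tags are 0x01..0x1F, 0x00 means "unused"


def encode_tagged_int(attr_type, tag, value):
    """Tagged integer: Type, Length, Tag octet, 3-octet big-endian value."""
    if not 0 <= tag <= MAX_TAG or not 0 <= value < 1 << 24:
        raise ValueError("tag or value out of range")
    body = bytes([tag]) + value.to_bytes(3, "big")
    return bytes([attr_type, 2 + len(body)]) + body


def encode_tagged_string(attr_type, tag, text):
    """Tagged string: the tag octet is only sent when it is 0x01..0x1F."""
    if not 0 <= tag <= MAX_TAG:
        raise ValueError("tag out of range")
    body = (bytes([tag]) if tag else b"") + text.encode()
    if len(body) > 253:
        raise ValueError("attribute too long")
    return bytes([attr_type, 2 + len(body)]) + body


def vlan_assignment(vlan_id, tag=0):
    """The three attributes needed for one VLAN, all under the same tag."""
    return (encode_tagged_int(TUNNEL_TYPE, tag, VLAN)
            + encode_tagged_int(TUNNEL_MEDIUM_TYPE, tag, IEEE_802)
            + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id)))


def decode(buf):
    """Walk the TLVs and return [(type, tag, value)], validating every length."""
    out, i = [], 0
    while i < len(buf):
        if i + 2 > len(buf):
            raise ValueError("truncated attribute header")
        t, length = buf[i], buf[i + 1]
        if length < 2 or i + length > len(buf):
            raise ValueError("bad attribute length")
        body = buf[i + 2:i + length]
        if t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(body) != 4:
                raise ValueError("tagged integer must be 4 octets")
            tag, value = body[0], int.from_bytes(body[1:], "big")
        elif t == TUNNEL_PRIVATE_GROUP_ID:
            if body and 1 <= body[0] <= MAX_TAG:
                tag, value = body[0], body[1:].decode()
            else:                      # first octet outside 0x01..0x1F is string data, tag 0
                tag, value = 0, body.decode()
        else:
            tag, value = None, bytes(body)
        out.append((t, tag, value))
        i += length
    return out


def group_by_tag(attrs):
    """{tag: {type: value}}: each tag is one self-contained Tunnel-* set."""
    groups = {}
    for t, tag, value in attrs:
        groups.setdefault(tag, {})[t] = value
    return groups


def describe(attrs):
    """Render the way radiusd prints it, e.g. Tunnel-Private-Group-Id:0 = "40"."""
    lines = []
    for t, tag, value in attrs:
        if t == TUNNEL_TYPE and value == VLAN:
            shown = "VLAN"
        elif t == TUNNEL_MEDIUM_TYPE and value == IEEE_802:
            shown = "IEEE-802"
        else:
            shown = f'"{value}"' if isinstance(value, str) else str(value)
        lines.append(f"{NAMES.get(t, t)}:{tag} = {shown}")
    return lines


if __name__ == "__main__":
    print("\n".join(describe(decode(vlan_assignment(40)))))
```

Running it reproduces the three `...:0 = ...` lines from the hugo Access-Accept above for VLAN 40; building two assignments with tags 1 and 2 and grouping them shows how a NAS would keep the two sets apart, which is the only job the tag has.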
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html