encrypted password LDAP and EAP/TTLS

Sergio Belkin sebelk at gmail.com
Tue Oct 16 20:42:42 CEST 2007


2007/10/12, tnt at kalik.co.yu <tnt at kalik.co.yu>:
> http://www.securew2.com/
>
> Ivan Kalik
> Kalik Informatika ISP

Thanks Ivan,

Now I have a RADIUS server working with EAP/TTLS, and Windows with
SecureW2 worked fine using PAP. It's a bit strange that the first try as
anonymous with a password fails and then access succeeds. Is that
right?


LDAP module section in radiusd.conf is as follows:
ldap {
                server = "ldap.cadorna.edu"
                port = 636
                identity = "cn=freeradius,ou=applications,dc=cadorna,dc=edu"
                password = pepe
                basedn = "ou=people,dc=palermo,dc=edu"
                filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
                ldap_debug = 0x0028
                tls_cacertfile  = /etc/raddb/cacert.pem
                tls_randfile            = /dev/urandom
                tls_require_cert        = "allow"
                access_attr = "radiusAllowed"
                dictionary_mapping = ${raddbdir}/ldap.attrmap
                ldap_connections_number = 5
                password_attribute = userPassword
                edir_account_policy_check=no
                timeout = 4
                timelimit = 3
                net_timeout = 1
}

But I still have some doubts about the way of access.

Debug messages:
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/etc/raddb/proxy.conf
Config:   including file: /usr/local/etc/raddb/clients.conf
Config:   including file: /usr/local/etc/raddb/snmp.conf
Config:   including file: /usr/local/etc/raddb/eap.conf
Config:   including file: /usr/local/etc/raddb/sql.conf
 main: prefix = "/usr/local"
 main: localstatedir = "/usr/local/var"
 main: logdir = "/usr/local/var/log/radius"
 main: libdir = "/usr/local/lib"
 main: radacctdir = "/usr/local/var/log/radius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/usr/local/var/log/radius/radius.log"
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
 main: bind_address = 10.30.213.5 IP address [10.30.213.5]
 main: user = "radiusd"
 main: group = "radiusd"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/local/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = no
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = "crypt"
 pap: auto_header = yes
Module: Instantiated pap (pap)
Module: Loaded LDAP
 ldap: server = "ldap.cadorna.edu"
 ldap: port = 636
 ldap: net_timeout = 1
 ldap: timeout = 4
 ldap: timelimit = 3
 ldap: identity = "cn=freeradius,ou=applications,dc=cadorna,dc=edu"
 ldap: tls_mode = no
 ldap: start_tls = no
 ldap: tls_cacertfile = "/etc/raddb/cacert.pem"
 ldap: tls_cacertdir = "(null)"
 ldap: tls_certfile = "(null)"
 ldap: tls_keyfile = "(null)"
 ldap: tls_randfile = "/dev/urandom"
 ldap: tls_require_cert = "allow"
 ldap: password = "pepe"
 ldap: basedn = "ou=people,dc=cadorna,dc=edu"
 ldap: filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
 ldap: base_filter = "(objectclass=radiusprofile)"
 ldap: default_profile = "(null)"
 ldap: profile_attribute = "(null)"
 ldap: password_header = "(null)"
 ldap: password_attribute = "userPassword"
 ldap: access_attr = "radiusAllowed"
 ldap: groupname_attribute = "cn"
 ldap: groupmembership_filter =
"(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
 ldap: groupmembership_attribute = "(null)"
 ldap: dictionary_mapping = "/usr/local/etc/raddb/ldap.attrmap"
 ldap: ldap_debug = 40
 ldap: ldap_connections_number = 5
 ldap: compare_check_items = no
 ldap: access_attr_used_for_allow = yes
 ldap: do_xlat = yes
 ldap: set_auth_type = yes
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: reading ldap<->radius mappings from file
/usr/local/etc/raddb/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS
Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
conns: 0x5555557a2f30
Module: Instantiated ldap (ldap)
Module: Loaded eap
 eap: default_eap_type = "ttls"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = "(null)"
 tls: pem_file_type = yes
 tls: private_key_file = "/etc/pki/tls/certs/spectrum.xp-key.pem"
 tls: certificate_file = "/etc/pki/tls/certs/spectrum.xp-crt.pem"
 tls: CA_file = "/etc/pki/tls/certs/cacert.pem"
 tls: private_key_password = "(null)"
 tls: dh_file = "/usr/local/etc/raddb/certs/dh"
 tls: random_file = "/usr/local/etc/raddb/certs/random"
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
 tls: check_cert_cn = "(null)"
 tls: cipher_list = "(null)"
 tls: check_cert_issuer = "(null)"
rlm_eap_tls: Loading the certificate file as a chain
rlm_eap: Loaded and initialized type tls
 ttls: default_eap_type = "md5"
 ttls: copy_request_to_tunnel = no
 ttls: use_tunneled_reply = no
rlm_eap: Loaded and initialized type ttls
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups"
 preprocess: hints = "/usr/local/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
 preprocess: with_alvarion_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded files
 files: usersfile = "/usr/local/etc/raddb/users"
 files: acctusersfile = "/usr/local/etc/raddb/acct_users"
 files: preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"
 files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
 acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded realm
 realm: format = "suffix"
 realm: delimiter = "@"
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded detail
 detail: detailfile =
"/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
 radutmp: filename = "/usr/local/var/log/radius/radutmp"
 radutmp: username = "%{User-Name}"
 radutmp: case_sensitive = yes
 radutmp: check_with_nas = yes
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication 10.30.213.5:1812
Listening on accounting 10.30.213.5:1813
Ready to process requests.
rad_recv: Access-Request packet from host 10.30.1.151:1030, id=205, length=108
	User-Name = "anonymous"
	Calling-Station-Id = "00-0e-35-bf-51-18"
	EAP-Message = 0x0201000e01616e6f6e796d6f7573
	Framed-MTU = 1287
	NAS-IP-Address = 192.168.1.1
	NAS-Port = 0
	NAS-Port-Type = Wireless-802.11
	Message-Authenticator = 0x432e769202cc89631a7cd56a55bb7b54
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  rlm_eap: EAP packet type response id 1 length 14
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 0
  modcall[authorize]: module "files" returns notfound for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for anonymous
radius_xlat:  '(uid=anonymous)'
radius_xlat:  'ou=people,dc=cadorna,dc=edu'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap.cadorna.edu:636, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: setting TLS CACert File to /etc/raddb/cacert.pem
rlm_ldap: setting TLS Key File to /dev/urandom
rlm_ldap: bind as cn=freeradius,ou=applications,dc=cadorna,dc=edu/pepe
to ldap.cadorna.edu:636
rlm_ldap: waiting for bind result ...
request done: ld 0x5555557c3e10 msgid 1
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=people,dc=cadorna,dc=edu, with
filter (uid=anonymous)
request done: ld 0x5555557c3e10 msgid 2
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns notfound for request 0
rlm_pap: WARNING! No "known good" password found for the user.
Authentication may fail because of this.
  modcall[authorize]: module "pap" returns noop for request 0
modcall: leaving group authorize (returns updated) for request 0
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module "eap" returns handled for request 0
modcall: leaving group authenticate (returns handled) for request 0
Sending Access-Challenge of id 205 to 10.30.1.151 port 1030
	EAP-Message = 0x010200061520
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x5dd8cb1825cff1c7098ac6cc4db7c6c6
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.30.1.151:1030, id=206, length=172
	User-Name = "anonymous"
	Calling-Station-Id = "00-0e-35-bf-51-18"
	EAP-Message = 0x0202003c158000000032160301002d01000029030174361ae958f7d25520677c8c584e111840583827d0ea19a9208633a82e134bc0000002000a0100
	Framed-MTU = 1287
	NAS-IP-Address = 192.168.1.1
	NAS-Port = 0
	NAS-Port-Type = Wireless-802.11
	State = 0x5dd8cb1825cff1c7098ac6cc4db7c6c6
	Message-Authenticator = 0x78081c16ef12594dc5b37e53ce7052db
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module "preprocess" returns ok for request 1
  rlm_eap: EAP packet type response id 2 length 60
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 1
  modcall[authorize]: module "files" returns notfound for request 1
rlm_ldap: - authorize
rlm_ldap: performing user authorization for anonymous
radius_xlat:  '(uid=anonymous)'
radius_xlat:  'ou=people,dc=cadorna,dc=edu'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=people,dc=cadorna,dc=edu, with
filter (uid=anonymous)
request done: ld 0x5555557c3e10 msgid 3
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns notfound for request 1
rlm_pap: WARNING! No "known good" password found for the user.
Authentication may fail because of this.
  modcall[authorize]: module "pap" returns noop for request 1
modcall: leaving group authorize (returns updated) for request 1
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/ttls
  rlm_eap: processing type ttls
  rlm_eap_ttls: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls:  Length Included
  eaptls_verify returned 11
    (other): before/accept initialization
    TLS_accept: before/accept initialization
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 002d], ClientHello
    TLS_accept: SSLv3 read client hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
    TLS_accept: SSLv3 write server hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0852], Certificate
    TLS_accept: SSLv3 write certificate A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
    TLS_accept: SSLv3 write server done A
    TLS_accept: SSLv3 flush data
    TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
  eaptls_process returned 13
  modcall[authenticate]: module "eap" returns handled for request 1
modcall: leaving group authenticate (returns handled) for request 1
Sending Access-Challenge of id 206 to 10.30.1.151 port 1030
	EAP-Message = 0xf97b881df18c0b1712e00eef6a91fa1582e7f8eb93fa
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xbc6e316c0916a2c72bb8084c1c43fb36
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 10.30.1.151:1030, id=207, length=118
	User-Name = "anonymous"
	Calling-Station-Id = "00-0e-35-bf-51-18"
	EAP-Message = 0x020300061500
	Framed-MTU = 1287
	NAS-IP-Address = 192.168.1.1
	NAS-Port = 0
	NAS-Port-Type = Wireless-802.11
	State = 0xbc6e316c0916a2c72bb8084c1c43fb36
	Message-Authenticator = 0x6d88059e471bddecd25b24c506427690
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
  modcall[authorize]: module "preprocess" returns ok for request 2
  rlm_eap: EAP packet type response id 3 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 2
  modcall[authorize]: module "files" returns notfound for request 2
rlm_ldap: - authorize
rlm_ldap: performing user authorization for anonymous
radius_xlat:  '(uid=anonymous)'
radius_xlat:  'ou=people,dc=cadorna,dc=edu'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=people,dc=cadorna,dc=edu, with
filter (uid=anonymous)
request done: ld 0x5555557c3e10 msgid 4
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns notfound for request 2
rlm_pap: WARNING! No "known good" password found for the user.
Authentication may fail because of this.
  modcall[authorize]: module "pap" returns noop for request 2
modcall: leaving group authorize (returns updated) for request 2
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/ttls
  rlm_eap: processing type ttls
  rlm_eap_ttls: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake fragment handler
  eaptls_verify returned 1
  eaptls_process returned 13
  modcall[authenticate]: module "eap" returns handled for request 2
modcall: leaving group authenticate (returns handled) for request 2
Sending Access-Challenge of id 207 to 10.30.1.151 port 1030
	EAP-Message = 0x0104040a15c0000008af4ee3f701692818d33744866b15afbc8774a1ed07b5b43200048c3082048830820370a003020102020101300d06092a864886f70d010104050030818e310b3009060355040613024152311530130603550407130c4275656e6f73204169726573311f301d060355040a1316556e6976657273696461642064652050616c65726d6f31273025060355040b131e446570617274616d656e746f20646520436f6d756e69636163696f6e6573311e301c06035504031315436572746966696361746520417574686f72697479301e170d3035313230313134353835305a170d3135313132393134353835305a30818e310b30090603
	EAP-Message = 0x55040613024152311530130603550407130c4275656e6f73204169726573311f301d060355040a1316556e6976657273696461642064652050616c65726d6f31273025060355040b131e446570617274616d656e746f20646520436f6d756e69636163696f6e6573311e301c06035504031315436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100eb878d17120d3af300ab78838b32fde160463d4ff2693c5ebc59123788f0bfe9d90aaa34a22bab04b8e8f294176215b97f2edf6c686434ad87acccd5ecf7edec871e8449a876cbfe531c5158385aa9d30685723c
	EAP-Message = 0xa4819130818e310b3009060355040613024152311530130603550407130c4275656e6f73204169726573311f301d060355040a1316556e6976657273696461642064652050616c65726d6f31273025060355040b131e446570617274616d656e746f20646520436f6d756e69636163696f6e6573311e301c06035504031315436572746966696361746520417574686f72697479820101300c0603551d13040530030101ff300d06092a864886f70d0101040500038201010066656bbb8617d0aa046d938fb367586fb47ba22a4c54ccfc21d3bdc13ae39df3cd89029a0b5bcacb39977e824d94ba8c61296ce2e38d91e22766ce9ce6d988580251e19e
	EAP-Message = 0xf037cea75d86cb016c26f8d51bb33fbe8f07daf1f9fc
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xd11701cb88ee7e968ed572be6218ea0d
Finished request 2
Going to the next request
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 10.30.1.151:1030, id=208, length=118
	User-Name = "anonymous"
	Calling-Station-Id = "00-0e-35-bf-51-18"
	EAP-Message = 0x020400061500
	Framed-MTU = 1287
	NAS-IP-Address = 192.168.1.1
	NAS-Port = 0
	NAS-Port-Type = Wireless-802.11
	State = 0xd11701cb88ee7e968ed572be6218ea0d
	Message-Authenticator = 0x530bf822a6c0e96e9260a0a221d20204
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 3
  modcall[authorize]: module "preprocess" returns ok for request 3
  rlm_eap: EAP packet type response id 4 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 3
  modcall[authorize]: module "files" returns notfound for request 3
rlm_ldap: - authorize
rlm_ldap: performing user authorization for anonymous
radius_xlat:  '(uid=anonymous)'
radius_xlat:  'ou=people,dc=cadorna,dc=edu'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=people,dc=cadorna,dc=edu, with
filter (uid=anonymous)
request done: ld 0x5555557c3e10 msgid 5
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns notfound for request 3
rlm_pap: WARNING! No "known good" password found for the user.
Authentication may fail because of this.
  modcall[authorize]: module "pap" returns noop for request 3
modcall: leaving group authorize (returns updated) for request 3
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 3
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/ttls
  rlm_eap: processing type ttls
  rlm_eap_ttls: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake fragment handler
  eaptls_verify returned 1
  eaptls_process returned 13
  modcall[authenticate]: module "eap" returns handled for request 3
modcall: leaving group authenticate (returns handled) for request 3
Sending Access-Challenge of id 208 to 10.30.1.151 port 1030
	EAP-Message = 0x010500b91580000008af78833f2254362517e85e9dcd2c4362773223204e9c66dff65f08f319c5c9a2bb6a6de09b6534fd5df1fc14ba8dc996930e5413bbb2d4cae1c5aa68abe3785bec762c0c47246c2a89066512727dfc1c8b96fb0005841d05009db8e084a3931d2046b4d8047d2c182c9b0a5b5f340ee1b4331ec0ece5185dc33e4f100ec0a0a7e6e2bad313ea717fa4d4ed2e913575014832f80d0298e5c662015b0729eabd6220c0082326acb516030100040e000000
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x0c5dcc515069eabe0685e09b9153c59f
Finished request 3
Going to the next request
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 10.30.1.151:1030, id=209, length=442
	User-Name = "anonymous"
	Calling-Station-Id = "00-0e-35-bf-51-18"
	EAP-Message = 0x74d784c02643d63a866b9c7a0edb103c526bbd8630be47ab140301000101160301002813603db1a3d6d6591c0cc76e948eb0a0a5b2fc42740c6cf0f9dbf9c6fb0233c06518ead9e3e9426a
	Framed-MTU = 1287
	NAS-IP-Address = 192.168.1.1
	NAS-Port = 0
	NAS-Port-Type = Wireless-802.11
	State = 0x0c5dcc515069eabe0685e09b9153c59f
	Message-Authenticator = 0xb25f21fae175940ad726f5208d26c62f
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
  modcall[authorize]: module "preprocess" returns ok for request 4
  rlm_eap: EAP packet type response id 5 length 253
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 4
  modcall[authorize]: module "files" returns notfound for request 4
rlm_ldap: - authorize
rlm_ldap: performing user authorization for anonymous
radius_xlat:  '(uid=anonymous)'
radius_xlat:  'ou=people,dc=cadorna,dc=edu'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=people,dc=cadorna,dc=edu, with
filter (uid=anonymous)
request done: ld 0x5555557c3e10 msgid 6
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns notfound for request 4
rlm_pap: WARNING! No "known good" password found for the user.
Authentication may fail because of this.
  modcall[authorize]: module "pap" returns noop for request 4
modcall: leaving group authorize (returns updated) for request 4
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 4
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/ttls
  rlm_eap: processing type ttls
  rlm_eap_ttls: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls:  Length Included
  eaptls_verify returned 11
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange
    TLS_accept: SSLv3 read client key exchange A
  rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished
    TLS_accept: SSLv3 read finished A
  rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001]
    TLS_accept: SSLv3 write change cipher spec A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished
    TLS_accept: SSLv3 write finished A
    TLS_accept: SSLv3 flush data
    (other): SSL negotiation finished successfully
SSL Connection Established
  eaptls_process returned 13
  modcall[authenticate]: module "eap" returns handled for request 4
modcall: leaving group authenticate (returns handled) for request 4
Sending Access-Challenge of id 209 to 10.30.1.151 port 1030
	EAP-Message = 0x0106003d15800000003314030100010116030100287c4109666ce0d97286c430e838102c1f8ba072e170d34dfecc9a9a7ea641126fd7b465467ce35326
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x99039ab9ca15aabf0e212562acf87793
Finished request 4
Going to the next request
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 10.30.1.151:1030, id=210, length=183
	User-Name = "anonymous"
	Calling-Station-Id = "00-0e-35-bf-51-18"
	EAP-Message = 0x0206004715800000003d17030100384acba6c28662f7879facf05e15e63ac54d47d41ae634573ec2b501d26beb339b35a25fecd56f21b6edc005ba6e2b50089848df925ad21f37
	Framed-MTU = 1287
	NAS-IP-Address = 192.168.1.1
	NAS-Port = 0
	NAS-Port-Type = Wireless-802.11
	State = 0x99039ab9ca15aabf0e212562acf87793
	Message-Authenticator = 0xed3e3e688d2e6a9697d399a851a050a7
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
  modcall[authorize]: module "preprocess" returns ok for request 5
  rlm_eap: EAP packet type response id 6 length 71
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 5
  modcall[authorize]: module "files" returns notfound for request 5
rlm_ldap: - authorize
rlm_ldap: performing user authorization for anonymous
radius_xlat:  '(uid=anonymous)'
radius_xlat:  'ou=people,dc=cadorna,dc=edu'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=people,dc=cadorna,dc=edu, with
filter (uid=anonymous)
request done: ld 0x5555557c3e10 msgid 7
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns notfound for request 5
rlm_pap: WARNING! No "known good" password found for the user.
Authentication may fail because of this.
  modcall[authorize]: module "pap" returns noop for request 5
modcall: leaving group authorize (returns updated) for request 5
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 5
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/ttls
  rlm_eap: processing type ttls
  rlm_eap_ttls: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls:  Length Included
  eaptls_verify returned 11
  eaptls_process returned 7
  rlm_eap_ttls: Session established.  Proceeding to decode tunneled attributes.
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
  modcall[authorize]: module "preprocess" returns ok for request 5
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 5
  modcall[authorize]: module "files" returns notfound for request 5
rlm_ldap: - authorize
rlm_ldap: performing user authorization for prueba
radius_xlat:  '(uid=prueba)'
radius_xlat:  'ou=people,dc=cadorna,dc=edu'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=people,dc=cadorna,dc=edu, with
filter (uid=prueba)
request done: ld 0x5555557c3e10 msgid 8
rlm_ldap: checking if remote access for prueba is allowed by radiusAllowed
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: Setting Auth-Type = ldap
rlm_ldap: user prueba authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 5
rlm_pap: WARNING! No "known good" password found for the user.
Authentication may fail because of this.
  modcall[authorize]: module "pap" returns noop for request 5
modcall: leaving group authorize (returns ok) for request 5
  rad_check_password:  Found Auth-Type ldap
auth: type "LDAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group LDAP for request 5
rlm_ldap: - authenticate
rlm_ldap: login attempt by "prueba" with password "probando"
rlm_ldap: user DN: uid=prueba,ou=people,dc=cadorna,dc=edu
rlm_ldap: (re)connect to ldap.cadorna.edu:636, authentication 1
rlm_ldap: setting TLS mode to 1
rlm_ldap: setting TLS CACert File to /etc/raddb/cacert.pem
rlm_ldap: setting TLS Key File to /dev/urandom
rlm_ldap: bind as uid=prueba,ou=people,dc=cadorna,dc=edu/probando to
ldap.cadorna.edu:636
rlm_ldap: waiting for bind result ...
request done: ld 0x5555558851e0 msgid 1
rlm_ldap: Bind was successful
rlm_ldap: user prueba authenticated succesfully
  modcall[authenticate]: module "ldap" returns ok for request 5
modcall: leaving group LDAP (returns ok) for request 5
  TTLS: Got tunneled Access-Accept
  rlm_eap: Freeing handler
  modcall[authenticate]: module "eap" returns ok for request 5
modcall: leaving group authenticate (returns ok) for request 5
Sending Access-Accept of id 210 to 10.30.1.151 port 1030
	MS-MPPE-Recv-Key =
0xc7f9060ca81ffa0fcf19e0de87df3b444b6b325a73bcf2320f4192125955fcc1
	MS-MPPE-Send-Key =
0x6f193dd711b2d3087f74475ca81316bb8e58f2078867b0218811ec4db77c3973
	EAP-Message = 0x03060004
	Message-Authenticator = 0x00000000000000000000000000000000
	User-Name = "anonymous"
Finished request 5
Going to the next request
Waking up in 5 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 205 with timestamp 47150124
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 1 ID 206 with timestamp 47150125
Cleaning up request 2 ID 207 with timestamp 47150125
Cleaning up request 3 ID 208 with timestamp 47150125
Cleaning up request 4 ID 209 with timestamp 47150125
Cleaning up request 5 ID 210 with timestamp 47150125
Nothing to do.  Sleeping until we see a request.

>
> Dana 12/10/2007, "Sergio Belkin" <sebelk at gmail.com> piše:
>
> >2007/10/12, tnt at kalik.co.yu <tnt at kalik.co.yu>:
> >> Yes, with EAP-TTLS/PAP.
> >>
> >> Ivan Kalik
> >> Kalik Informatika ISP
> >>
> >>
> >> Dana 12/10/2007, "Sergio Belkin" <sebelk at gmail.com> piše:
> >>
> >> >Hi, is it possible use in LDAP encrypted passwords and EAP/TTLS?
> >> >Thanks in advance!
> >> >--
> >> >--
> >> >Sergio Belkin -
> >> >-
> >> >List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> >> >
> >> >
> >>
> >> -
> >> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> >>
> >
> >
> >But PAP can be used by Windows clients?
> >--
> >--
> >Sergio Belkin -
> >
> >-
> >List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> >
> >
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>


-- 
--
Sergio Belkin -
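As an added example (not code from the post or from FreeRADIUS), here is a small Python parser for debug output of the kind quoted above: it separates the outer, anonymous identity that rlm_ldap reports as "notfound" during the TLS handshake from the tunneled identity that is actually bound against LDAP, which is the pattern the question asks about. The embedded sample log is a constructed, trimmed copy of the output quoted above.

```python
"""Summarise an EAP-TTLS conversation from FreeRADIUS 1.x debug output.

Added example, not part of the original post: it walks the debug log line by
line and separates the outer (anonymous) identity, which LDAP will never find,
from the tunneled inner identity that is actually authenticated by LDAP bind.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a trimmed copy of the debug output quoted in the post.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 10.30.1.151:1030, id=205, length=108
\tUser-Name = "anonymous"
\tEAP-Message = 0x0201000e01616e6f6e796d6f7573
  modcall[authorize]: module "eap" returns updated for request 0
rlm_ldap: performing user authorization for anonymous
rlm_ldap: object not found or got ambiguous search result
  modcall[authorize]: module "ldap" returns notfound for request 0
  rlm_eap: processing type tls
Sending Access-Challenge of id 205 to 10.30.1.151 port 1030
rad_recv: Access-Request packet from host 10.30.1.151:1030, id=210, length=183
\tUser-Name = "anonymous"
rlm_ldap: performing user authorization for anonymous
  modcall[authorize]: module "ldap" returns notfound for request 5
  rlm_eap_ttls: Session established.  Proceeding to decode tunneled attributes.
rlm_ldap: performing user authorization for prueba
rlm_ldap: Setting Auth-Type = ldap
  modcall[authorize]: module "ldap" returns ok for request 5
rlm_ldap: login attempt by "prueba" with password "probando"
rlm_ldap: Bind was successful
  modcall[authenticate]: module "ldap" returns ok for request 5
Sending Access-Accept of id 210 to 10.30.1.151 port 1030
"""

RE_RECV = re.compile(r'^rad_recv: Access-Request packet from host \S+, id=(\d+)')
RE_USER = re.compile(r'^\s*User-Name = "([^"]*)"')
RE_AUTHZ = re.compile(r'^rlm_ldap: performing user authorization for (\S+)')
RE_LDAP = re.compile(r'^\s*modcall\[authorize\]: module "ldap" returns (\w+)')
RE_TUNNEL = re.compile(r'Session established\.\s+Proceeding to decode tunneled')
RE_BIND = re.compile(r'^rlm_ldap: login attempt by "([^"]*)" with password "')
RE_SEND = re.compile(r'^Sending (Access-\w+) of id (\d+)')


@dataclass
class RequestSummary:
    packet_id: int
    outer_identity: Optional[str] = None
    outer_ldap: Optional[str] = None   # rlm_ldap result for the outer identity
    inner_identity: Optional[str] = None
    inner_ldap: Optional[str] = None   # rlm_ldap result inside the TTLS tunnel
    bind_user: Optional[str] = None    # user whose LDAP bind was attempted
    password_in_log: bool = False      # debug line exposed the inner password
    result: Optional[str] = None       # Access-Challenge / Access-Accept / ...


def parse_debug_log(text: str) -> List[RequestSummary]:
    """One RequestSummary per Access-Request packet in the debug output."""
    summaries: List[RequestSummary] = []
    cur: Optional[RequestSummary] = None
    in_tunnel = False  # becomes True once rlm_eap_ttls decodes tunneled attrs
    for line in text.splitlines():
        m = RE_RECV.match(line)
        if m:
            cur = RequestSummary(packet_id=int(m.group(1)))
            summaries.append(cur)
            in_tunnel = False
            continue
        if cur is None:
            continue
        if RE_TUNNEL.search(line):
            in_tunnel = True
            continue
        if (m := RE_USER.match(line)) and cur.outer_identity is None:
            cur.outer_identity = m.group(1)
        elif (m := RE_AUTHZ.match(line)) and in_tunnel:
            cur.inner_identity = m.group(1)
        elif (m := RE_LDAP.match(line)):
            if in_tunnel:
                cur.inner_ldap = m.group(1)
            else:
                cur.outer_ldap = m.group(1)
        elif (m := RE_BIND.match(line)):
            cur.bind_user = m.group(1)
            cur.password_in_log = True
        elif (m := RE_SEND.match(line)):
            cur.result = m.group(1)
    return summaries


def explain(summaries: List[RequestSummary]) -> List[str]:
    """Return one verdict line per request, in the terms of the post's question."""
    lines = []
    for s in summaries:
        if s.inner_identity is None:
            lines.append(f"id={s.packet_id}: outer identity {s.outer_identity!r} "
                         f"ldap={s.outer_ldap} -> {s.result} (TLS phase; the outer "
                         "identity is never authenticated, so 'notfound' is expected)")
        else:
            lines.append(f"id={s.packet_id}: tunneled identity {s.inner_identity!r} "
                         f"ldap={s.inner_ldap}, bind as {s.bind_user!r} -> {s.result}")
    return lines


if __name__ == "__main__":
    for verdict in explain(parse_debug_log(SAMPLE_LOG)):
        print(verdict)
```

The `login attempt by ... with password ...` line shows that debug output prints the tunneled password in clear, so debug logs from a server handling real users should be treated as sensitive material.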