PEAP with Windows supplicant, Automatically use my windows credentials
splintered thoughts
splinteredthoughts at yahoo.com
Thu Dec 18 00:33:57 CET 2008
Ivan,
Here is the radiusd -X output:
Thanks
main {
prefix = "/usr"
localstatedir = "/var"
logdir = "/usr/local/jboss/server/zzjbossserver/log"
libdir = "/usr/lib"
radacctdir = "/usr/local/jboss/server/zzjbossserver/log/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
pidfile = "/var/run/radiusd/radiusd.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
}
security {
max_attributes = 200
reject_delay = 1
status_server = no
}
}
client 10.12.18.4 {
require_message_authenticator = no
secret = "zz"
shortname = "3750"
}
client 127.0.0.1 {
require_message_authenticator = no
secret = "zz"
shortname = "example"
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = yes
dead_time = 100
wake_all_if_all_dead = no
}
realm example {
authhost = LOCAL
accthost = LOCAL
}
realm tpw5.com {
authhost = LOCAL
accthost = LOCAL
}
realm tpw5 {
authhost = LOCAL
accthost = LOCAL
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating exec
exec {
wait = yes
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_expr
Module: Instantiating expr
}
radiusd: #### Loading Virtual Servers ####
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating pap
pap {
encryption_scheme = "crypt"
auto_header = no
}
Module: Linked to module rlm_chap
Module: Instantiating chap
Module: Linked to module rlm_mschap
Module: Instantiating mschap
mschap {
use_mppe = yes
require_encryption = yes
require_strong = no
with_ntdomain_hack = yes
ntlm_auth = "/usr/bin/sudo /usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-%{mschap:User-Name}}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}
Module: Linked to module rlm_unix
Module: Instantiating unix
unix {
radwtmp = "/usr/local/jboss/server/zzjbossserver/log/radwtmp"
}
Module: Linked to module rlm_eap
Module: Instantiating eap
eap {
default_eap_type = "md5"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 2048
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
pem_file_type = yes
private_key_file = "/opt/zz/current/radius/raddb/port_1812/cert_privkey.key"
certificate_file = "/opt/zz/current/radius/raddb/port_1812/cert_certificate.pem"
CA_file = "/opt/zz/current/radius/raddb/port_1812/cert_ca_cert.pem"
private_key_password = "whatever"
dh_file = "/etc/raddb/certs/dh"
random_file = "/etc/raddb/certs/random"
fragment_size = 1024
include_length = yes
check_crl = yes
}
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
default_eap_type = "md5"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
proxy_tunneled_request_as_eap = yes
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
}
Module: Linked to module rlm_ldap
Module: Instantiating tpw5.com
ldap tpw5.com {
server = "10.12.19.12"
port = 3268
password = "password"
identity = "Administrator at tpw5.com"
net_timeout = 10
timeout = 20
timelimit = 20
tls_mode = no
start_tls = no
tls_require_cert = "allow"
basedn = "CN=Users,DC=tpw5,DC=com"
filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"
base_filter = "(objectclass=radiusprofile)"
auto_header = no
access_attr_used_for_allow = yes
groupname_attribute = "cn"
groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
dictionary_mapping = "/opt/zz/current/radius/raddb/port_1812/ldap.attrmap"
ldap_debug = 0
ldap_connections_number = 5
compare_check_items = no
do_xlat = yes
edir_account_policy_check = yes
set_auth_type = yes
}
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Creating new attribute tpw5.com-Ldap-Group
rlm_ldap: Registering ldap_groupcmp for tpw5.com-Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name tpw5.com
rlm_ldap: reading ldap<->radius mappings from file /opt/zz/current/radius/raddb/port_1812/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
conns: 0x9db9aa0
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating preprocess
preprocess {
huntgroups = "/opt/zz/current/radius/raddb/port_1812/huntgroups"
hints = "/opt/zz/current/radius/raddb/port_1812/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
Module: Linked to module rlm_realm
Module: Instantiating realmpercent
realm realmpercent {
format = "suffix"
delimiter = "%"
ignore_default = no
ignore_null = yes
}
Module: Instantiating ntdomain
realm ntdomain {
format = "prefix"
delimiter = "\"
ignore_default = no
ignore_null = yes
}
Module: Instantiating suffix
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Linked to module rlm_files
Module: Instantiating files
files {
usersfile = "/opt/zz/current/radius/raddb/port_1812/users"
acctusersfile = "/opt/zz/current/radius/raddb/port_1812/acct_users"
preproxy_usersfile = "/opt/zz/current/radius/raddb/port_1812/preproxy_users"
compat = "no"
}
Module: Checking preacct {...} for more modules to load
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating detail
detail {
detailfile = "/usr/local/jboss/server/zzjbossserver/log/radacct/%{Client-IP-Address}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Linked to module rlm_radutmp
Module: Instantiating radutmp
radutmp {
filename = "/usr/local/jboss/server/zzjbossserver/log/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Linked to module rlm_jradius
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 1812
}
Listening on authentication address * port 1812
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 10.12.18.4 port 1812, id=100, length=126
NAS-IP-Address = 10.12.18.4
NAS-Port-Type = Async
User-Name = "TPW5\\administrator"
Service-Type = Framed
Framed-MTU = 1500
Calling-Station-Id = "00-0b-db-0a-ed-eb"
EAP-Message = 0x0200001701545057355c61646d696e6973747261746f72
Message-Authenticator = 0x06f820c71907e184080fd19cd6e84fd0
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[realmpercent] No '%' in User-Name = "TPW5\administrator", skipping NULL due to config.
++[realmpercent] returns noop
[ntdomain] Looking up realm "TPW5" for User-Name = "TPW5\administrator"
[ntdomain] Found realm "tpw5"
[ntdomain] Adding Stripped-User-Name = "administrator"
[ntdomain] Adding Realm = "tpw5"
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
[suffix] Request already proxied. Ignoring.
++[suffix] returns ok
[eap] EAP packet type response id 0 length 23
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 100 to 10.12.18.4 port 1812
EAP-Message = 0x0101001604105ad65c5e373632a60f58c8699b2db79e
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x6ccc7ea76ccd7ad3e72180cc6356312d
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.12.18.4 port 1812, id=101, length=127
NAS-IP-Address = 10.12.18.4
NAS-Port-Type = Async
User-Name = "TPW5\\administrator"
Service-Type = Framed
Framed-MTU = 1500
Calling-Station-Id = "00-0b-db-0a-ed-eb"
State = 0x6ccc7ea76ccd7ad3e72180cc6356312d
EAP-Message = 0x020100060319
Message-Authenticator = 0x2c9415792a87d0100d36482b8e227326
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[realmpercent] No '%' in User-Name = "TPW5\administrator", skipping NULL due to config.
++[realmpercent] returns noop
[ntdomain] Looking up realm "TPW5" for User-Name = "TPW5\administrator"
[ntdomain] Found realm "tpw5"
[ntdomain] Adding Stripped-User-Name = "administrator"
[ntdomain] Adding Realm = "tpw5"
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
[suffix] Request already proxied. Ignoring.
++[suffix] returns ok
[eap] EAP packet type response id 1 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/peap
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 101 to 10.12.18.4 port 1812
EAP-Message = 0x010200061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x6ccc7ea76dce67d3e72180cc6356312d
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.12.18.4 port 1812, id=102, length=201
NAS-IP-Address = 10.12.18.4
NAS-Port-Type = Async
User-Name = "TPW5\\administrator"
Service-Type = Framed
Framed-MTU = 1500
Calling-Station-Id = "00-0b-db-0a-ed-eb"
State = 0x6ccc7ea76dce67d3e72180cc6356312d
EAP-Message = 0x0202005019800000004616030100410100003d030149497fc0589d066d3182d4e06110415db7e9cce189ba524ed9da5a2b90466e9400001600040005000a000900640062000300060013001200630100
Message-Authenticator = 0x1b286efae0fc2cac4e562d2c8b06225f
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[realmpercent] No '%' in User-Name = "TPW5\administrator", skipping NULL due to config.
++[realmpercent] returns noop
[ntdomain] Looking up realm "TPW5" for User-Name = "TPW5\administrator"
[ntdomain] Found realm "tpw5"
[ntdomain] Adding Stripped-User-Name = "administrator"
[ntdomain] Adding Realm = "tpw5"
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
[suffix] Request already proxied. Ignoring.
++[suffix] returns ok
[eap] EAP packet type response id 2 length 80
[eap] Continuing tunnel setup.
++[eap] returns ok
++[files] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 70
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 0041], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 002a], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 06ef], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 102 to 10.12.18.4 port 1812
EAP-Message =
EAP-Message =
EAP-Message =
EAP-Message =
EAP-Message =
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x6ccc7ea76ecf67d3e72180cc6356312d
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.12.18.4 port 1812, id=103, length=127
NAS-IP-Address = 10.12.18.4
NAS-Port-Type = Async
User-Name = "TPW5\\administrator"
Service-Type = Framed
Framed-MTU = 1500
Calling-Station-Id = "00-0b-db-0a-ed-eb"
State = 0x6ccc7ea76ecf67d3e72180cc6356312d
EAP-Message = 0x020300061900
Message-Authenticator = 0xf25c9f0d7a0c9a2a5873708bddf1901f
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[realmpercent] No '%' in User-Name = "TPW5\administrator", skipping NULL due to config.
++[realmpercent] returns noop
[ntdomain] Looking up realm "TPW5" for User-Name = "TPW5\administrator"
[ntdomain] Found realm "tpw5"
[ntdomain] Adding Stripped-User-Name = "administrator"
[ntdomain] Adding Realm = "tpw5"
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
[suffix] Request already proxied. Ignoring.
++[suffix] returns ok
[eap] EAP packet type response id 3 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
++[files] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 103 to 10.12.18.4 port 1812
EAP-Message =
EAP-Message =
EAP-Message =
EAP-Message =
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x6ccc7ea76fc867d3e72180cc6356312d
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.12.18.4 port 1812, id=104, length=313
NAS-IP-Address = 10.12.18.4
NAS-Port-Type = Async
User-Name = "TPW5\\administrator"
Service-Type = Framed
Framed-MTU = 1500
Calling-Station-Id = "00-0b-db-0a-ed-eb"
State = 0x6ccc7ea76fc867d3e72180cc6356312d
EAP-Message =
Message-Authenticator =
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[realmpercent] No '%' in User-Name = "TPW5\administrator", skipping NULL due to config.
++[realmpercent] returns noop
[ntdomain] Looking up realm "TPW5" for User-Name = "TPW5\administrator"
[ntdomain] Found realm "tpw5"
[ntdomain] Adding Stripped-User-Name = "administrator"
[ntdomain] Adding Realm = "tpw5"
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
[suffix] Request already proxied. Ignoring.
++[suffix] returns ok
[eap] EAP packet type response id 4 length 192
[eap] Continuing tunnel setup.
++[eap] returns ok
++[files] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 182
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
[peap] TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap] TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 write finished A
[peap] TLS_accept: SSLv3 flush data
[peap] (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 104 to 10.12.18.4 port 1812
EAP-Message = 0x0105003119001403010001011603010020a1ba5949221dd59f2e8453311aec9c6c1d2e60cff4a6b017df386d2fa527f2c7
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x6ccc7ea768c967d3e72180cc6356312d
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.12.18.4 port 1812, id=105, length=127
NAS-IP-Address = 10.12.18.4
NAS-Port-Type = Async
User-Name = "TPW5\\administrator"
Service-Type = Framed
Framed-MTU = 1500
Calling-Station-Id = "00-0b-db-0a-ed-eb"
State = 0x6ccc7ea768c967d3e72180cc6356312d
EAP-Message = 0x020500061900
Message-Authenticator = 0x1de51ad1c24ebe21f7be45e6177e6693
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[realmpercent] No '%' in User-Name = "TPW5\administrator", skipping NULL due to config.
++[realmpercent] returns noop
[ntdomain] Looking up realm "TPW5" for User-Name = "TPW5\administrator"
[ntdomain] Found realm "tpw5"
[ntdomain] Adding Stripped-User-Name = "administrator"
[ntdomain] Adding Realm = "tpw5"
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
[suffix] Request already proxied. Ignoring.
++[suffix] returns ok
[eap] EAP packet type response id 5 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
++[files] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
++[eap] returns handled
Sending Access-Challenge of id 105 to 10.12.18.4 port 1812
EAP-Message = 0x0106002019001703010015772e7cc1d5e3d2757502d491ac6a9ecbcb24c165c4
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x6ccc7ea769ca67d3e72180cc6356312d
Finished request 5.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.12.18.4 port 1812, id=106, length=167
NAS-IP-Address = 10.12.18.4
NAS-Port-Type = Async
User-Name = "TPW5\\administrator"
Service-Type = Framed
Framed-MTU = 1500
Calling-Station-Id = "00-0b-db-0a-ed-eb"
State = 0x6ccc7ea769ca67d3e72180cc6356312d
EAP-Message = 0x0206002e190017030100230e1c053c3bcebe8892859e8bbfac2208ed26c7cf5f2f9c25627c2c0115038d12e7392f
Message-Authenticator = 0xdd0722594d8f86b0139a64ac045cc96a
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[realmpercent] No '%' in User-Name = "TPW5\administrator", skipping NULL due to config.
++[realmpercent] returns noop
[ntdomain] Looking up realm "TPW5" for User-Name = "TPW5\administrator"
[ntdomain] Found realm "tpw5"
[ntdomain] Adding Stripped-User-Name = "administrator"
[ntdomain] Adding Realm = "tpw5"
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
[suffix] Request already proxied. Ignoring.
++[suffix] returns ok
[eap] EAP packet type response id 6 length 46
[eap] Continuing tunnel setup.
++[eap] returns ok
++[files] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Identity - TPW5\administrator
[peap] Got tunneled request
EAP-Message = 0x0206001701545057355c61646d696e6973747261746f72
server {
PEAP: Got tunneled identity of TPW5\administrator
PEAP: Setting default EAP type for tunneled EAP session.
PEAP: Setting User-Name to TPW5\administrator
Sending tunneled request
EAP-Message = 0x0206001701545057355c61646d696e6973747261746f72
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "TPW5\\administrator"
NAS-IP-Address = 10.12.18.4
NAS-Port-Type = Async
Service-Type = Framed
Framed-MTU = 1500
Calling-Station-Id = "00-0b-db-0a-ed-eb"
server {
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[realmpercent] No '%' in User-Name = "TPW5\administrator", skipping NULL due to config.
++[realmpercent] returns noop
[ntdomain] Looking up realm "TPW5" for User-Name = "TPW5\administrator"
[ntdomain] Found realm "tpw5"
[ntdomain] Adding Stripped-User-Name = "administrator"
[ntdomain] Adding Realm = "tpw5"
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
[suffix] Request already proxied. Ignoring.
++[suffix] returns ok
[eap] EAP packet type response id 6 length 23
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server
[peap] Got tunneled reply code 11
EAP-Message = 0x0107002c1a010700271094f96e94ba4375f4d745f33741fac11e545057355c61646d696e6973747261746f72
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xbd40b48fbd47ae4a573dddc94033f1de
[peap] Got tunneled reply RADIUS code 11
EAP-Message = 0x0107002c1a010700271094f96e94ba4375f4d745f33741fac11e545057355c61646d696e6973747261746f72
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xbd40b48fbd47ae4a573dddc94033f1de
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 106 to 10.12.18.4 port 1812
EAP-Message = 0x01070043190017030100387cd98b9fe8e33bc0bc8dbbf8a2f139fd27cc793f0241af4a18afa6962c75c5183a63822faa5bf18b3d9460cf6a05071729ea6565ea039db5
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x6ccc7ea76acb67d3e72180cc6356312d
Finished request 6.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.12.18.4 port 1812, id=107, length=221
NAS-IP-Address = 10.12.18.4
NAS-Port-Type = Async
User-Name = "TPW5\\administrator"
Service-Type = Framed
Framed-MTU = 1500
Calling-Station-Id = "00-0b-db-0a-ed-eb"
State = 0x6ccc7ea76acb67d3e72180cc6356312d
EAP-Message = 0x0207006419001703010059f5d5f237a8b1b6a12ce80c36564ceed7ea4b77a2e021c87ab5c01015f679ab43a21c96092d0eb36c944690044e81504bf30d9a0ff0dcd6c5d5a6c036b298245967f69705f3c87d2ca8481b02cf79f3053546eeb7e09a5467ee
Message-Authenticator = 0x80fc39ba54f43c51ba004c1d30942c56
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[realmpercent] No '%' in User-Name = "TPW5\administrator", skipping NULL due to config.
++[realmpercent] returns noop
[ntdomain] Looking up realm "TPW5" for User-Name = "TPW5\administrator"
[ntdomain] Found realm "tpw5"
[ntdomain] Adding Stripped-User-Name = "administrator"
[ntdomain] Adding Realm = "tpw5"
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
[suffix] Request already proxied. Ignoring.
++[suffix] returns ok
[eap] EAP packet type response id 7 length 100
[eap] Continuing tunnel setup.
++[eap] returns ok
++[files] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] EAP type mschapv2
[peap] Got tunneled request
EAP-Message = 0x0207004d1a020700483182563e83f60fc3886ae6a29eeaa3353c0000000000000000edfe77fdefdc346cfcb795de77c1bfb7e882075da213a53200545057355c61646d696e6973747261746f72
server {
PEAP: Setting User-Name to TPW5\administrator
Sending tunneled request
EAP-Message = 0x0207004d1a020700483182563e83f60fc3886ae6a29eeaa3353c0000000000000000edfe77fdefdc346cfcb795de77c1bfb7e882075da213a53200545057355c61646d696e6973747261746f72
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "TPW5\\administrator"
State = 0xbd40b48fbd47ae4a573dddc94033f1de
NAS-IP-Address = 10.12.18.4
NAS-Port-Type = Async
Service-Type = Framed
Framed-MTU = 1500
Calling-Station-Id = "00-0b-db-0a-ed-eb"
server {
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[realmpercent] No '%' in User-Name = "TPW5\administrator", skipping NULL due to config.
++[realmpercent] returns noop
[ntdomain] Looking up realm "TPW5" for User-Name = "TPW5\administrator"
[ntdomain] Found realm "tpw5"
[ntdomain] Adding Stripped-User-Name = "administrator"
[ntdomain] Adding Realm = "tpw5"
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
[suffix] Request already proxied. Ignoring.
++[suffix] returns ok
[eap] EAP packet type response id 7 length 77
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for administrator with NT-Password
[mschap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
[mschap] expand: --username=%{Stripped-User-Name:-%{User-Name:-%{mschap:User-Name}}} -> --username=administrator
[mschap] mschap2: 94
[mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=c92aee56ea24cca3
[mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=edfe77fdefdc346cfcb795de77c1bfb7e882075da213a532
Exec-Program output: NT_KEY: 0B31E07CE9C3855E7B73F3A94ED21EB5
Exec-Program-Wait: plaintext: NT_KEY: 0B31E07CE9C3855E7B73F3A94ED21EB5
Exec-Program: returned: 0
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
MSCHAP Success
++[eap] returns handled
} # server
[peap] Got tunneled reply code 11
EAP-Message = 0x010800331a0307002e533d30353238303737363038373744463839323931393436433734384142333131334443383345423534
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xbd40b48fbc48ae4a573dddc94033f1de
[peap] Got tunneled reply RADIUS code 11
EAP-Message = 0x010800331a0307002e533d30353238303737363038373744463839323931393436433734384142333131334443383345423534
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xbd40b48fbc48ae4a573dddc94033f1de
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 107 to 10.12.18.4 port 1812
EAP-Message = 0x0108004a1900170301003fa21a6406b72762e386f075bc1c01d6b83e271b811a3b126616dff52b1befad49d665e40cf12309fcf4c0675abd66826102e54fdfa02f4f5b9dc78fba4be828
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x6ccc7ea76bc467d3e72180cc6356312d
Finished request 7.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.12.18.4 port 1812, id=108, length=150
NAS-IP-Address = 10.12.18.4
NAS-Port-Type = Async
User-Name = "TPW5\\administrator"
Service-Type = Framed
Framed-MTU = 1500
Calling-Station-Id = "00-0b-db-0a-ed-eb"
State = 0x6ccc7ea76bc467d3e72180cc6356312d
EAP-Message = 0x0208001d190017030100123215a25025b2f991889e532eab1acc707509
Message-Authenticator = 0x4ad3f4a678eb190c4ba1f842ab5c4b31
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[realmpercent] No '%' in User-Name = "TPW5\administrator", skipping NULL due to config.
++[realmpercent] returns noop
[ntdomain] Looking up realm "TPW5" for User-Name = "TPW5\administrator"
[ntdomain] Found realm "tpw5"
[ntdomain] Adding Stripped-User-Name = "administrator"
[ntdomain] Adding Realm = "tpw5"
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
[suffix] Request already proxied. Ignoring.
++[suffix] returns ok
[eap] EAP packet type response id 8 length 29
[eap] Continuing tunnel setup.
++[eap] returns ok
++[files] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] EAP type mschapv2
[peap] Got tunneled request
EAP-Message = 0x020800061a03
server {
PEAP: Setting User-Name to TPW5\administrator
Sending tunneled request
EAP-Message = 0x020800061a03
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "TPW5\\administrator"
State = 0xbd40b48fbc48ae4a573dddc94033f1de
NAS-IP-Address = 10.12.18.4
NAS-Port-Type = Async
Service-Type = Framed
Framed-MTU = 1500
Calling-Station-Id = "00-0b-db-0a-ed-eb"
server {
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[realmpercent] No '%' in User-Name = "TPW5\administrator", skipping NULL due to config.
++[realmpercent] returns noop
[ntdomain] Looking up realm "TPW5" for User-Name = "TPW5\administrator"
[ntdomain] Found realm "tpw5"
[ntdomain] Adding Stripped-User-Name = "administrator"
[ntdomain] Adding Realm = "tpw5"
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
[suffix] Request already proxied. Ignoring.
++[suffix] returns ok
[eap] EAP packet type response id 8 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[eap] Freeing handler
++[eap] returns ok
[peap] Got tunneled reply code 2
EAP-Message = 0x03080004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "administrator"
Session-Timeout := 900
Tunnel-Type:0 := VLAN
Tunnel-Medium-Type:0 := IEEE-802
Tunnel-Private-Group-Id:0 := "100"
[peap] Got tunneled reply RADIUS code 2
EAP-Message = 0x03080004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "administrator"
Session-Timeout := 900
Tunnel-Type:0 := VLAN
Tunnel-Medium-Type:0 := IEEE-802
Tunnel-Private-Group-Id:0 := "100"
[peap] Tunneled authentication was successful.
[peap] SUCCESS
[peap] Saving tunneled attributes for later
++[eap] returns handled
Sending Access-Challenge of id 108 to 10.12.18.4 port 1812
EAP-Message = 0x010900261900170301001b80018f7d29f8c5f428c963bc1a2fb0d9eb4a5635fe3dd9ccecdee9
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x6ccc7ea764c567d3e72180cc6356312d
Finished request 8.
Going to the next request
Waking up in 4.6 seconds.
rad_recv: Access-Request packet from host 10.12.18.4 port 1812, id=109, length=159
NAS-IP-Address = 10.12.18.4
NAS-Port-Type = Async
User-Name = "TPW5\\administrator"
Service-Type = Framed
Framed-MTU = 1500
Calling-Station-Id = "00-0b-db-0a-ed-eb"
State = 0x6ccc7ea764c567d3e72180cc6356312d
EAP-Message = 0x020900261900170301001b5c1ed2599bd67049afbec5788577faf4dd886681d22bf37c1188f0
Message-Authenticator = 0x86a410ea19f9df8d6d6b7a4bfd926745
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[realmpercent] No '%' in User-Name = "TPW5\administrator", skipping NULL due to config.
++[realmpercent] returns noop
[ntdomain] Looking up realm "TPW5" for User-Name = "TPW5\administrator"
[ntdomain] Found realm "tpw5"
[ntdomain] Adding Stripped-User-Name = "administrator"
[ntdomain] Adding Realm = "tpw5"
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
[suffix] Request already proxied. Ignoring.
++[suffix] returns ok
[eap] EAP packet type response id 9 length 38
[eap] Continuing tunnel setup.
++[eap] returns ok
++[files] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Received EAP-TLV response.
[peap] Success
[peap] Using saved attributes from the original Access-Accept
rlm_eap_tls: add_reply failed to create attribute EAP-MSK: Invalid octet string "" for attribute name "EAP-MSK"
rlm_eap_tls: add_reply failed to create attribute EAP-EMSK: Invalid octet string "" for attribute name "EAP-EMSK"
[eap] Freeing handler
++[eap] returns ok
Sending Access-Accept of id 109 to 10.12.18.4 port 1812
User-Name = "administrator"
MS-MPPE-Recv-Key = 0x829a5f395e0ba2e486cf04409ee945b8d3b68e65b40b207b9117722222d890e2
MS-MPPE-Send-Key = 0x4680664366c2b27dd92f9b94d0d00a289f409040fcfc3d26d4e8500e8bd41cbc
EAP-Message = 0x03090004
Message-Authenticator = 0x00000000000000000000000000000000
Session-Timeout := 900
Tunnel-Type:0 := VLAN
Tunnel-Medium-Type:0 := IEEE-802
Tunnel-Private-Group-Id:0 := "100"
Finished request 9.
Going to the next request
________________________________
From: "tnt at kalik.net" <tnt at kalik.net>
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Sent: Wednesday, December 17, 2008 3:06:27 PM
Subject: Re: PEAP with Windows supplicant, Automatically use my windows credentials
>I've configured a PEAP with the Windows SP3 supplicant with freeradius 2.1.3, and the authentication succeeds when "Automatically use my windows logon name and password (and domain if any)" is unselected, which forces a manual logon. However, when "Automatically use my ..." is selected with the same user name/domain, the authentication fails.
How same is "the same user name/domain"? Post the debug of the good
attempt. Please use radiusd -X. We don't need to see "Wed Dec 17
09:07:24 2008 : Debug:" in front of every line.
Ivan Kalik
Kalik Informatika ISP
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20081217/5cc71fc7/attachment.html>
More information about the Freeradius-Users
mailing list