802.1x, EAP and LDAP

Mike Richardson doctor at mcc.ac.uk
Mon Mar 3 16:10:23 CET 2008


On Mon, Mar 03, 2008 at 03:38:32PM +0100, Stefan Winter wrote:
> Hi,
> 
> The debug log says whens tarting up:
> 
> > rlm_ldap: Over-riding set_auth_type, as we're not listed in the
> > "authenticate" section.
> 
> My first suggestion would be: check if the mentions of ldap are commented out 
> in the authenticate { } section - they are by default. Change that, and see 
> how far you get. Chances are that that was all and it works :-)

If it were only that easy... I've messed with that before. AFAICT that only
applies if you are doing plain text authentication. I'm using TTLS and PAP
because the password is going to be stored in an encryted format in LDAP.

Here's the output after uncommenting as suggested:

Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/freeradius/proxy.conf
Config:   including file: /etc/freeradius/clients.conf
Config:   including file: /etc/freeradius/imported_clients.cfg
Config:   including file: /etc/freeradius/snmp.conf
Config:   including file: /etc/freeradius/eap.conf
Config:   including file: /etc/freeradius/sql.conf
 main: prefix = "/usr"
 main: localstatedir = "/var"
 main: logdir = "/var/log/freeradius"
 main: libdir = "/usr/lib/freeradius"
 main: radacctdir = "/var/log/freeradius/radacct"
 main: hostname_lookups = no
 main: snmp = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/var/log/freeradius/radius.log"
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/var/run/freeradius/freeradius.pid"
 main: user = "freerad"
 main: group = "freerad"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = no
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/lib/freeradius
Module: Loaded exec 
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec) 
Module: Loaded expr 
Module: Instantiated expr (expr) 
Module: Loaded PAP 
 pap: encryption_scheme = "crypt"
 pap: auto_header = yes
Module: Instantiated pap (pap) 
Module: Loaded CHAP 
Module: Instantiated chap (chap) 
Module: Loaded MS-CHAP 
 mschap: use_mppe = yes
 mschap: require_encryption = yes
 mschap: require_strong = yes
 mschap: with_ntdomain_hack = yes
 mschap: passwd = "(null)"
 mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap) 
Module: Loaded LDAP 
 ldap: server = "UK-AC-MAN-MTEST"
 ldap: port = 636
 ldap: net_timeout = 1
 ldap: timeout = 4
 ldap: timelimit = 3
 ldap: identity = "cn=radiusadmin,ou=dir,o=ac,c=uk"
 ldap: tls_mode = no
 ldap: start_tls = no
 ldap: tls_cacertfile = "/tmp/oak-test-publickeycert.pem"
 ldap: tls_cacertdir = "(null)"
 ldap: tls_certfile = "(null)"
 ldap: tls_keyfile = "(null)"
 ldap: tls_randfile = "(null)"
 ldap: tls_require_cert = "demand"
 ldap: password = "radius30"
 ldap: basedn = "c=uk"
 ldap: filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
 ldap: base_filter = "(objectclass=radiusprofile)"
 ldap: default_profile = "(null)"
 ldap: profile_attribute = "(null)"
 ldap: password_header = "(null)"
 ldap: password_attribute = "nspmdistributionpassword"
 ldap: access_attr = "(null)"
 ldap: groupname_attribute = "cn"
 ldap: groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
 ldap: groupmembership_attribute = "(null)"
 ldap: dictionary_mapping = "/etc/freeradius/ldap.attrmap"
 ldap: ldap_debug = 0
 ldap: ldap_connections_number = 5
 ldap: compare_check_items = no
 ldap: access_attr_used_for_allow = yes
 ldap: do_xlat = yes
 ldap: edir_account_policy_check = yes
 ldap: set_auth_type = yes
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Creating new attribute uni_ldap-Ldap-Group
rlm_ldap: Registering ldap_groupcmp for uni_ldap-Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name uni_ldap
rlm_ldap: Over-riding set_auth_type, as we're not listed in the "authenticate" section.
rlm_ldap: reading ldap<->radius mappings from file /etc/freeradius/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type
rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type
rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id
conns: 0x801107c8
Module: Instantiated ldap (uni_ldap) 
Module: Loaded eap 
 eap: default_eap_type = "ttls"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = "Password: "
 gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = "(null)"
 tls: pem_file_type = yes
 tls: private_key_file = "/etc/freeradius/cert-srv.pem"
 tls: certificate_file = "/etc/freeradius/cert-srv.pem"
 tls: CA_file = "/etc/freeradius/root.pem"
 tls: private_key_password = "whatever"
 tls: dh_file = "/dev/null"
 tls: random_file = "/dev/urandom"
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
 tls: check_cert_cn = "(null)"
 tls: cipher_list = "(null)"
 tls: check_cert_issuer = "(null)"
rlm_eap_tls: Loading the certificate file as a chain
WARNING: rlm_eap_tls: Unable to set DH parameters.  DH cipher suites may not work!
WARNING: Fix this by running the OpenSSL command listed in eap.conf
rlm_eap: Loaded and initialized type tls
 ttls: default_eap_type = "md5"
 ttls: copy_request_to_tunnel = no
 ttls: use_tunneled_reply = no
rlm_eap: Loaded and initialized type ttls
 peap: default_eap_type = "mschapv2"
 peap: copy_request_to_tunnel = no
 peap: use_tunneled_reply = no
 peap: proxy_tunneled_request_as_eap = no
rlm_eap: Loaded and initialized type peap
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap) 
Module: Loaded preprocess 
 preprocess: huntgroups = "/etc/freeradius/huntgroups"
 preprocess: hints = "/etc/freeradius/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
 preprocess: with_alvarion_vsa_hack = no
Module: Instantiated preprocess (preprocess) 
Module: Loaded realm 
 realm: format = "suffix"
 realm: delimiter = "@"
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix) 
Module: Loaded files 
 files: usersfile = "/etc/freeradius/users"
 files: acctusersfile = "/etc/freeradius/acct_users"
 files: preproxy_usersfile = "/etc/freeradius/preproxy_users"
 files: compat = "no"
Module: Instantiated files (files) 
Module: Loaded Acct-Unique-Session-Id 
 acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique) 
Module: Loaded detail 
 detail: detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail) 
Module: Loaded System 
 unix: cache = no
 unix: passwd = "(null)"
 unix: shadow = "/etc/shadow"
 unix: group = "(null)"
 unix: radwtmp = "/var/log/freeradius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix) 
Module: Loaded radutmp 
 radutmp: filename = "/var/log/freeradius/radutmp"
 radutmp: username = "%{User-Name}"
 radutmp: case_sensitive = yes
 radutmp: check_with_nas = yes
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp) 
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.
rad_recv: Access-Request packet from host 10.150.200.1:1645, id=241, length=133
	User-Name = "anonymous"
	Service-Type = Framed-User
	Framed-MTU = 1500
	Called-Station-Id = "00-1B-2A-98-B4-19"
	Calling-Station-Id = "00-0B-DB-8D-4B-12"
	EAP-Message = 0x0203000e01616e6f6e796d6f7573
	Message-Authenticator = 0xb44d549e4b1f2ec56153e1ad631e668a
	NAS-Port-Type = Ethernet
	NAS-Port = 50025
	NAS-IP-Address = 10.150.200.1
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "anonymous", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for anonymous
radius_xlat:  '(uid=anonymous)'
radius_xlat:  'c=uk'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to UK-AC-MAN-MTEST:636, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: setting TLS CACert File to /tmp/oak-test-publickeycert.pem
rlm_ldap: setting TLS Require Cert to demand
rlm_ldap: bind as cn=radiusadmin,ou=dir,o=ac,c=uk/radius30 to UK-AC-MAN-MTEST:636
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in c=uk, with filter (uid=anonymous)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "uni_ldap" returns notfound for request 0
  rlm_eap: EAP packet type response id 3 length 14
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 0
    users: Matched entry DEFAULT at line 181
  modcall[authorize]: module "files" returns ok for request 0
rlm_pap: WARNING! No "known good" password found for the user.  Authentication may fail because of this.
  modcall[authorize]: module "pap" returns noop for request 0
modcall: leaving group authorize (returns updated) for request 0
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module "eap" returns handled for request 0
modcall: leaving group authenticate (returns handled) for request 0
Sending Access-Challenge of id 241 to 10.150.200.1 port 1645
	Framed-IP-Address = 255.255.255.254
	Framed-MTU = 576
	Service-Type = Framed-User
	EAP-Message = 0x010400061520
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x2c5156fe980e6942aecc6875b027751d
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.150.200.1:1645, id=242, length=231
	User-Name = "anonymous"
	Service-Type = Framed-User
	Framed-MTU = 1500
	Called-Station-Id = "00-1B-2A-98-B4-19"
	Calling-Station-Id = "00-0B-DB-8D-4B-12"
	EAP-Message = 0x0204005e150016030100530100004f030147cc12bf0667b64837c1b30867fd26160a518e0f7647a58389823726b1a842bf00002800390038003500160013000a00330032002f000700050004001500120009001400110008000600030100
	Message-Authenticator = 0x66f506782efe3471fbab984a878a73a9
	NAS-Port-Type = Ethernet
	NAS-Port = 50025
	State = 0x2c5156fe980e6942aecc6875b027751d
	NAS-IP-Address = 10.150.200.1
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module "preprocess" returns ok for request 1
  modcall[authorize]: module "chap" returns noop for request 1
  modcall[authorize]: module "mschap" returns noop for request 1
    rlm_realm: No '@' in User-Name = "anonymous", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 1
rlm_ldap: - authorize
rlm_ldap: performing user authorization for anonymous
radius_xlat:  '(uid=anonymous)'
radius_xlat:  'c=uk'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in c=uk, with filter (uid=anonymous)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "uni_ldap" returns notfound for request 1
  rlm_eap: EAP packet type response id 4 length 94
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 1
    users: Matched entry DEFAULT at line 181
  modcall[authorize]: module "files" returns ok for request 1
rlm_pap: WARNING! No "known good" password found for the user.  Authentication may fail because of this.
  modcall[authorize]: module "pap" returns noop for request 1
modcall: leaving group authorize (returns updated) for request 1
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/ttls
  rlm_eap: processing type ttls
  rlm_eap_ttls: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7 
  rlm_eap_tls: Done initial handshake
    (other): before/accept initialization 
    TLS_accept: before/accept initialization 
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0053], ClientHello  
    TLS_accept: SSLv3 read client hello A 
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello  
    TLS_accept: SSLv3 write server hello A 
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0678], Certificate  
    TLS_accept: SSLv3 write certificate A 
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone  
    TLS_accept: SSLv3 write server done A 
    TLS_accept: SSLv3 flush data 
    TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase 
In SSL Accept mode  
  eaptls_process returned 13 
  modcall[authenticate]: module "eap" returns handled for request 1
modcall: leaving group authenticate (returns handled) for request 1
Sending Access-Challenge of id 242 to 10.150.200.1 port 1645
	Framed-IP-Address = 255.255.255.254
	Framed-MTU = 576
	Service-Type = Framed-User
	EAP-Message = 0x0105040a15c0000006d5160301004a02000046030147cc14c009f727ef2402d4fad6bcecfe3bcd72689bb7c85e85603c9adca1eb8e203e5fdb6b5bad50e80a6f92a03b1cebbb44f735274641b1791df6ac5291f85c7700350016030106780b0006740006710002d4308202d030820239a003020102020102300d06092a864886f70d010105050030818e310b30090603550406130247423110300e06035504081307456e676c616e64311330110603550407130a4d616e636865737465723121301f060355040a1318556e6976657273697479206f66204d616e6368657374657231143012060355040b130b4954205365727669636573311f301d0609
	EAP-Message = 0x2a864886f70d0109011610646f63746f72406d63632e61632e756b301e170d3037313030393132333033375a170d3039313030383132333033375a3081b3310b30090603550406130247423110300e06035504081307456e676c616e64311330110603550407130a4d616e636865737465723121301f060355040a1318556e6976657273697479206f66204d616e6368657374657231143012060355040b130b4954205365727669636573312330210603550403131a617574686b2e6974732e6d616e636865737465722e61632e756b311f301d06092a864886f70d0109011610646f63746f72406d63632e61632e756b30819f300d06092a864886f7
	EAP-Message = 0x0d010101050003818d0030818902818100d5258fbe611cf7570cb24a9cd31d8004cba7df05cdf398fdb534ecb6daf6ffa6c625109c28a5abdf7683d550ae63c947469a4f534667c1e7e9900ce2571bbc9863c89c02f09094040a7316068d2654e13941efdd6b416b990a6000d3ff2df46f10032ebc9f425768e81426df5c42adc1b7400f48155398b10257000f803e11630203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d0101050500038181005337fab657d2a50deb2ff3e9bb30eea51460f2f2f0e503becf43dd9999157573cf79058e6a64db78d133a3127388b8b832ed391df2d76d0946969c
	EAP-Message = 0x15a95ec6b646d277600da84a495c2ed1ab6868dc929fdb6ddabe82ee2cb9f8271061a7751be8eaa9af337e47f8113005622ca49b046f0caa54c406f510cc847d5096c816e000039730820393308202fca0030201020209009f72c65766f4a47d300d06092a864886f70d010105050030818e310b30090603550406130247423110300e06035504081307456e676c616e64311330110603550407130a4d616e636865737465723121301f060355040a1318556e6976657273697479206f66204d616e6368657374657231143012060355040b130b4954205365727669636573311f301d06092a864886f70d0109011610646f63746f72406d63632e6163
	EAP-Message = 0x2e756b301e170d3037313030393132323234395a170d
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x01d6512cad1d4926f0ce9a9cd0fb33d1
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 10.150.200.1:1645, id=243, length=143
	User-Name = "anonymous"
	Service-Type = Framed-User
	Framed-MTU = 1500
	Called-Station-Id = "00-1B-2A-98-B4-19"
	Calling-Station-Id = "00-0B-DB-8D-4B-12"
	EAP-Message = 0x020500061500
	Message-Authenticator = 0xb9d6884149d80dacf0157781f949d221
	NAS-Port-Type = Ethernet
	NAS-Port = 50025
	State = 0x01d6512cad1d4926f0ce9a9cd0fb33d1
	NAS-IP-Address = 10.150.200.1
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
  modcall[authorize]: module "preprocess" returns ok for request 2
  modcall[authorize]: module "chap" returns noop for request 2
  modcall[authorize]: module "mschap" returns noop for request 2
    rlm_realm: No '@' in User-Name = "anonymous", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 2
rlm_ldap: - authorize
rlm_ldap: performing user authorization for anonymous
radius_xlat:  '(uid=anonymous)'
radius_xlat:  'c=uk'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in c=uk, with filter (uid=anonymous)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "uni_ldap" returns notfound for request 2
  rlm_eap: EAP packet type response id 5 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 2
    users: Matched entry DEFAULT at line 181
  modcall[authorize]: module "files" returns ok for request 2
rlm_pap: WARNING! No "known good" password found for the user.  Authentication may fail because of this.
  modcall[authorize]: module "pap" returns noop for request 2
modcall: leaving group authorize (returns updated) for request 2
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/ttls
  rlm_eap: processing type ttls
  rlm_eap_ttls: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake fragment handler
  eaptls_verify returned 1 
  eaptls_process returned 13 
  modcall[authenticate]: module "eap" returns handled for request 2
modcall: leaving group authenticate (returns handled) for request 2
Sending Access-Challenge of id 243 to 10.150.200.1 port 1645
	Framed-IP-Address = 255.255.255.254
	Framed-MTU = 576
	Service-Type = Framed-User
	EAP-Message = 0x010602df1580000006d53039313030383132323234395a30818e310b30090603550406130247423110300e06035504081307456e676c616e64311330110603550407130a4d616e636865737465723121301f060355040a1318556e6976657273697479206f66204d616e6368657374657231143012060355040b130b4954205365727669636573311f301d06092a864886f70d0109011610646f63746f72406d63632e61632e756b30819f300d06092a864886f70d010101050003818d0030818902818100e2ea754f630847ce8e3632f5a82c3a2cafa32e1c50cdf502765994d69cbf94bc0a7272630c8628bc742e161efa24ec817c5d23fa038ffc01
	EAP-Message = 0x5e1e462e0c80d87d71d6b8d0ea7d29d5548dc865a3db029f41e81dc11d65f88e8abba59f69398ce9c917d0ee220c75482846b769dd79b49733ab86e584cd86a2531c1c4f1dd729dd0203010001a381f63081f3301d0603551d0e04160414a8c429b59d09f0217be4ab2b402dfcc3d9e181e63081c30603551d230481bb3081b88014a8c429b59d09f0217be4ab2b402dfcc3d9e181e6a18194a4819130818e310b30090603550406130247423110300e06035504081307456e676c616e64311330110603550407130a4d616e636865737465723121301f060355040a1318556e6976657273697479206f66204d616e6368657374657231143012060355
	EAP-Message = 0x040b130b4954205365727669636573311f301d06092a864886f70d0109011610646f63746f72406d63632e61632e756b8209009f72c65766f4a47d300c0603551d13040530030101ff300d06092a864886f70d010105050003818100008623e013bbe32deff3a86b4feed8192477afd740213d6b5f8d3dda0248c3a7a434763ad837b62160e3582f36f6f15ca649c96a8fed4fc4fed8c44e6afab88b37e0797007b54653d90807c41e8c24937212fcfe8a4ca5ad1af34bd70f2fad8e88d2e36d55f173435eb8f65fe0d506c5bfb764e0a4f32f964bac9a3c0994a15716030100040e000000
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xd4ee02e4ff3fa99b8bc946c7211385e3
Finished request 2
Going to the next request
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 10.150.200.1:1645, id=244, length=341
	User-Name = "anonymous"
	Service-Type = Framed-User
	Framed-MTU = 1500
	Called-Station-Id = "00-1B-2A-98-B4-19"
	Calling-Station-Id = "00-0B-DB-8D-4B-12"
	EAP-Message = 0x020600cc150016030100861000008200808e6cf1f486f61d36b48487ab5f61e2621a5e54c917618cc7de667e52dbc561586a3577906c36d3b6a226493352d6b6a3ceef5dbadb45b538d5c788b5382198a084282dd728d8eb38a1b7105cf64b47446c1acada00e97c8f54fa5e8d8d0761b31fe3a70bb081027836af4c0bd974be49b1dbcdfc42313378f7504d326d0a250e140301000101160301003055a53627a635e1aed424140b7b5b4cb80fb875ed32b7d6e4f68b477ae9d14cadf9b8b7a63a0b69b0b1a31d9638158655
	Message-Authenticator = 0x6b3dad9949169d28a06737200c13c05b
	NAS-Port-Type = Ethernet
	NAS-Port = 50025
	State = 0xd4ee02e4ff3fa99b8bc946c7211385e3
	NAS-IP-Address = 10.150.200.1
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 3
  modcall[authorize]: module "preprocess" returns ok for request 3
  modcall[authorize]: module "chap" returns noop for request 3
  modcall[authorize]: module "mschap" returns noop for request 3
    rlm_realm: No '@' in User-Name = "anonymous", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 3
rlm_ldap: - authorize
rlm_ldap: performing user authorization for anonymous
radius_xlat:  '(uid=anonymous)'
radius_xlat:  'c=uk'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in c=uk, with filter (uid=anonymous)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "uni_ldap" returns notfound for request 3
  rlm_eap: EAP packet type response id 6 length 204
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 3
    users: Matched entry DEFAULT at line 181
  modcall[authorize]: module "files" returns ok for request 3
rlm_pap: WARNING! No "known good" password found for the user.  Authentication may fail because of this.
  modcall[authorize]: module "pap" returns noop for request 3
modcall: leaving group authorize (returns updated) for request 3
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 3
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/ttls
  rlm_eap: processing type ttls
  rlm_eap_ttls: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7 
  rlm_eap_tls: Done initial handshake
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange  
    TLS_accept: SSLv3 read client key exchange A 
  rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]  
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished  
    TLS_accept: SSLv3 read finished A 
  rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001]  
    TLS_accept: SSLv3 write change cipher spec A 
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished  
    TLS_accept: SSLv3 write finished A 
    TLS_accept: SSLv3 flush data 
    (other): SSL negotiation finished successfully 
SSL Connection Established 
  eaptls_process returned 13 
  modcall[authenticate]: module "eap" returns handled for request 3
modcall: leaving group authenticate (returns handled) for request 3
Sending Access-Challenge of id 244 to 10.150.200.1 port 1645
	Framed-IP-Address = 255.255.255.254
	Framed-MTU = 576
	Service-Type = Framed-User
	EAP-Message = 0x0107004515800000003b1403010001011603010030cc89d2cbbe5170e95c98d16842a31800f8b6968a1813f4bd499d9f6d9a224b5d6ad4f5737fb4a96a3949d5b7952a97a0
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xb1a6b438e7b877038a7d4bb7173ac013
Finished request 3
Going to the next request
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 10.150.200.1:1645, id=245, length=249
	User-Name = "anonymous"
	Service-Type = Framed-User
	Framed-MTU = 1500
	Called-Station-Id = "00-1B-2A-98-B4-19"
	Calling-Station-Id = "00-0B-DB-8D-4B-12"
	EAP-Message = 0x0207007015001703010020a819c8c977c11469db6af3b963fedee329e678ed839896b16acd6e52f69ca7eb17030100406788ca181350f08ccf5665d9c416f22ce7bebd06e4b9903f06a521b93cb78c61d1ccb21b49c5de7945dc89962aa8fa04639ffc88b90bbc94d7cd2fe278ad7c9c
	Message-Authenticator = 0x22a487248763bfd3825d8ac959b18b50
	NAS-Port-Type = Ethernet
	NAS-Port = 50025
	State = 0xb1a6b438e7b877038a7d4bb7173ac013
	NAS-IP-Address = 10.150.200.1
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
  modcall[authorize]: module "preprocess" returns ok for request 4
  modcall[authorize]: module "chap" returns noop for request 4
  modcall[authorize]: module "mschap" returns noop for request 4
    rlm_realm: No '@' in User-Name = "anonymous", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 4
rlm_ldap: - authorize
rlm_ldap: performing user authorization for anonymous
radius_xlat:  '(uid=anonymous)'
radius_xlat:  'c=uk'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in c=uk, with filter (uid=anonymous)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "uni_ldap" returns notfound for request 4
  rlm_eap: EAP packet type response id 7 length 112
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 4
    users: Matched entry DEFAULT at line 181
  modcall[authorize]: module "files" returns ok for request 4
rlm_pap: WARNING! No "known good" password found for the user.  Authentication may fail because of this.
  modcall[authorize]: module "pap" returns noop for request 4
modcall: leaving group authorize (returns updated) for request 4
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 4
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/ttls
  rlm_eap: processing type ttls
  rlm_eap_ttls: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7 
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7 
  rlm_eap_ttls: Session established.  Proceeding to decode tunneled attributes.
  TTLS: Got tunneled request
	User-Name = "raduser1"
	User-Password = "raduser10"
	FreeRADIUS-Proxied-To = 127.0.0.1
  TTLS: Sending tunneled request
	User-Name = "raduser1"
	User-Password = "raduser10"
	FreeRADIUS-Proxied-To = 127.0.0.1
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
  modcall[authorize]: module "preprocess" returns ok for request 4
  modcall[authorize]: module "chap" returns noop for request 4
  modcall[authorize]: module "mschap" returns noop for request 4
    rlm_realm: No '@' in User-Name = "raduser1", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 4
rlm_ldap: - authorize
rlm_ldap: performing user authorization for raduser1
radius_xlat:  '(uid=raduser1)'
radius_xlat:  'c=uk'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in c=uk, with filter (uid=raduser1)
rlm_ldap: No default NMAS login sequence
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user raduser1 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "uni_ldap" returns ok for request 4
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 4
  modcall[authorize]: module "files" returns notfound for request 4
rlm_pap: WARNING! No "known good" password found for the user.  Authentication may fail because of this.
  modcall[authorize]: module "pap" returns noop for request 4
modcall: leaving group authorize (returns ok) for request 4
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.
  Found Post-Auth-Type 
  Processing the post-auth section of radiusd.conf
modcall: entering group REJECT for request 4
  modcall[post-auth]: module "uni_ldap" returns noop for request 4
modcall: leaving group REJECT (returns noop) for request 4
  TTLS: Got tunneled reply RADIUS code 3
  TTLS: Got tunneled Access-Reject
 rlm_eap: Handler failed in EAP/ttls
  rlm_eap: Failed in EAP select
  modcall[authenticate]: module "eap" returns invalid for request 4
modcall: leaving group authenticate (returns invalid) for request 4
auth: Failed to validate the user.
  Found Post-Auth-Type 
  Processing the post-auth section of radiusd.conf
modcall: entering group REJECT for request 4
  modcall[post-auth]: module "uni_ldap" returns noop for request 4
modcall: leaving group REJECT (returns noop) for request 4
Delaying request 4 for 1 seconds
Finished request 4
Going to the next request
Waking up in 5 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 241 with timestamp 47cc14bf
Sending Access-Reject of id 245 to 10.150.200.1 port 1645
	EAP-Message = 0x04070004
	Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 1 ID 242 with timestamp 47cc14c0
Cleaning up request 2 ID 243 with timestamp 47cc14c0
Cleaning up request 3 ID 244 with timestamp 47cc14c0
Cleaning up request 4 ID 245 with timestamp 47cc14c0
Nothing to do.  Sleeping until we see a request.


-- 
Mike Richardson
Networks
IT Services, University of Manchester
*Plain text only please - attachments stripped on arrival*



More information about the Freeradius-Users mailing list