again: 802.1x auto login with win login/pass

Hegedus Gabor hegedus.gabor at euroway.hu
Tue Nov 18 13:38:24 CET 2008


 >>when I use the with-ntdomain-hack=no the result is :
 >>
 >
 > Where is that line? You should enable it in mschap module. It shouldn't
 > have any effect on EAP Identity.

I use it in the preprocess file;
now I have set it in the mschap module too.

 >
 >>[peap]  Had sent TLV failure.  User was rejected earlier in this session.
 >
 > Debug you posted is useless. You have deleted the important bits.

I think peap is working well, isn't it?

(
...
[peap]     (other): SSL negotiation finished successfully
...
[peap] EAPTLS_SUCCESS
...
)

mschap module:
mschap {
    with_ntdomain_hack = no
}
---------------------
eap.conf file:
    eap {
        default_eap_type = tls
        timer_expire     = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
        max_sessions = 2048
        leap {
        }
        gtc {
            #challenge = "Password: "
            auth_type = PAP
        }
        tls {
            certdir = ${confdir}/certs
            cadir = ${confdir}/certs
            private_key_password = pass
            private_key_file = ${certdir}/server.pem
            certificate_file = ${certdir}/server.pem
            CA_file = ${cadir}/ca.pem
            dh_file = ${certdir}/dh
            random_file = ${certdir}/random
            fragment_size = 1024
            include_length = yes

            cache {
                  enable = no
                  lifetime = 24 # hours
                  max_entries = 255
            }
        }
        ttls {
            default_eap_type = md5
            copy_request_to_tunnel = no
            use_tunneled_reply = no
            virtual_server = "inner-tunnel"
        }
        peap {
            default_eap_type = mschapv2
            virtual_server = "inner-tunnel"
        }
        mschapv2 {
        }
    }
--------------------------------------
Here is the debug, I hope it is useful:

[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 70
[peap] Length Included
[peap] eaptls_verify returned 11
[peap]     (other): before/accept initialization
[peap]     TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 0041], ClientHello
[peap]     TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 002a], ServerHello
[peap]     TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 084e], Certificate
[peap]     TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap]     TLS_accept: SSLv3 write server done A
[peap]     TLS_accept: SSLv3 flush data
[peap]     TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 97 to 192.168.1.1 port 1812
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xf9af3e19fbac2729f634465079c20687
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.1 port 1812, id=98, length=168
        NAS-IP-Address = 192.168.1.1
        NAS-Port = 50003
        Cisco-NAS-Port = "FastEthernet0/3"
        NAS-Port-Type = Ethernet
        User-Name = "ROUTER\\Hege"
        Called-Station-Id = "00-09-B7-94-CA-83"
        Calling-Station-Id = "00-13-D4-E7-B3-FB"
        Service-Type = Framed-User
        Framed-MTU = 1500
        State = 0xf9af3e19fbac2729f634465079c20687
        EAP-Message = 0x020300061900
        Message-Authenticator = 0x0dd953ac5a0b9ac9d33afc8f9e85cb8c
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "ROUTER\Hege", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 98 to 192.168.1.1 port 1812
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xf9af3e19faab2729f634465079c20687
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.1 port 1812, id=99, length=168
        NAS-IP-Address = 192.168.1.1
        NAS-Port = 50003
        Cisco-NAS-Port = "FastEthernet0/3"
        NAS-Port-Type = Ethernet
        User-Name = "ROUTER\\Hege"
        Called-Station-Id = "00-09-B7-94-CA-83"
        Calling-Station-Id = "00-13-D4-E7-B3-FB"
        Service-Type = Framed-User
        Framed-MTU = 1500
        State = 0xf9af3e19faab2729f634465079c20687
        EAP-Message = 0x020400061900
        Message-Authenticator = 0x2903cae7a8b539c0052a57fdf5fa17ad
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "ROUTER\Hege", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 4 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 99 to 192.168.1.1 port 1812
        EAP-Message =
0x010500a5190050d2fe7290c9148457049118d051c1aed898c63ba4b4137717f010d720d687dfc94a4a1a6ceadf41c02795724b4842f9951646b1149fd1170c091d11b023eda2cd60bec931560c747702eef5b5ff49fde1d2246fe8edfe998ce57398fa375afac3f1314e3086e6586872bd3a0572c271c08c0c715c3a51c38655c6f13d4d315c364c87b365e3d69bd361418fca16894de67fe5086b2a16030100040e000000
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xf9af3e19fdaa2729f634465079c20687
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.1 port 1812, id=100, length=484
        NAS-IP-Address = 192.168.1.1
        NAS-Port = 50003
        Cisco-NAS-Port = "FastEthernet0/3"
        NAS-Port-Type = Ethernet
        User-Name = "ROUTER\\Hege"
        Called-Station-Id = "00-09-B7-94-CA-83"
        Calling-Station-Id = "00-13-D4-E7-B3-FB"
        Service-Type = Framed-User
        Framed-MTU = 1500
        State = 0xf9af3e19fdaa2729f634465079c20687
        EAP-Message =
0x3fa57c9f73c239293b994eec582d42a68979dddbfecb46301403010001011603010020c013ed8bfcb781f55c3ccbdb2f88bb8c6684f1e141c1f3284763121ad33ad697
        Message-Authenticator = 0x1eccd1c62fcae6de90ee9ad71ee3f4c4
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "ROUTER\Hege", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 5 length 253
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 310
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange
[peap]     TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap]     TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap]     TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap]     TLS_accept: SSLv3 write finished A
[peap]     TLS_accept: SSLv3 flush data
[peap]     (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 100 to 192.168.1.1 port 1812
        EAP-Message =
0x01060031190014030100010116030100206d497e013ac12cd59a70ed0e843cdf19c07e87dc999d2a74fa6afaf3a4d71c3f
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xf9af3e19fca92729f634465079c20687
Finished request 5.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 192.168.1.1 port 1812, id=101, length=168
        NAS-IP-Address = 192.168.1.1
        NAS-Port = 50003
        Cisco-NAS-Port = "FastEthernet0/3"
        NAS-Port-Type = Ethernet
        User-Name = "ROUTER\\Hege"
        Called-Station-Id = "00-09-B7-94-CA-83"
        Calling-Station-Id = "00-13-D4-E7-B3-FB"
        Service-Type = Framed-User
        Framed-MTU = 1500
        State = 0xf9af3e19fca92729f634465079c20687
        EAP-Message = 0x020600061900
        Message-Authenticator = 0x1785840b012b68397f073225c8178e28
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "ROUTER\Hege", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 6 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
++[eap] returns handled
Sending Access-Challenge of id 101 to 192.168.1.1 port 1812
        EAP-Message = 
0x0107002019001703010015086a2b4c0bbe8ba0ff8b0bd8a05b4a81152567b963
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xf9af3e19ffa82729f634465079c20687
Finished request 6.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 192.168.1.1 port 1812, id=102, length=201
        NAS-IP-Address = 192.168.1.1
        NAS-Port = 50003
        Cisco-NAS-Port = "FastEthernet0/3"
        NAS-Port-Type = Ethernet
        User-Name = "ROUTER\\Hege"
        Called-Station-Id = "00-09-B7-94-CA-83"
        Calling-Station-Id = "00-13-D4-E7-B3-FB"
        Service-Type = Framed-User
        Framed-MTU = 1500
        State = 0xf9af3e19ffa82729f634465079c20687
        EAP-Message =
0x020700271900170301001ca1b8414fd75ccd01cde3fe489e7cb2426bc2b1010c7e426666c43900
        Message-Authenticator = 0x95acaa8bb8f013b713401522aae4bbe6
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "ROUTER\Hege", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 7 length 39
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Identity - ROUTER\Hege
[peap] Got tunnled request
        EAP-Message = 0x0207001001524f555445525c48656765
server (null) {
  PEAP: Got tunneled identity of ROUTER\Hege
  PEAP: Setting default EAP type for tunneled EAP session.
  PEAP: Setting User-Name to ROUTER\Hege
Sending tunneled request
        EAP-Message = 0x0207001001524f555445525c48656765
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "ROUTER\\Hege"
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "ROUTER\Hege", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 7 length 16
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
        EAP-Message =
0x010800251a0108002010baa8bce2ab7f754af66ca37dca11bdfb524f555445525c48656765
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x13f3ed6713fbf70e77af625de147f876
[peap] Got tunneled reply RADIUS code 11
        EAP-Message =
0x010800251a0108002010baa8bce2ab7f754af66ca37dca11bdfb524f555445525c48656765
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x13f3ed6713fbf70e77af625de147f876
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 102 to 192.168.1.1 port 1812
        EAP-Message =
0x0108003c1900170301003122f781e48bee5ca858b2fadc15c1701f0b2e9d222f7b7a86a4e9ab5c9be0fd58be946282e5ae6823590353e614108f01a7
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xf9af3e19fea72729f634465079c20687
Finished request 7.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 192.168.1.1 port 1812, id=103, length=248
        NAS-IP-Address = 192.168.1.1
        NAS-Port = 50003
        Cisco-NAS-Port = "FastEthernet0/3"
        NAS-Port-Type = Ethernet
        User-Name = "ROUTER\\Hege"
        Called-Station-Id = "00-09-B7-94-CA-83"
        Calling-Station-Id = "00-13-D4-E7-B3-FB"
        Service-Type = Framed-User
        Framed-MTU = 1500
        State = 0xf9af3e19fea72729f634465079c20687
        EAP-Message =
0x020800561900170301004b8a5f812b2ebd3534c1f7bbfca7fd4254ea57cbbfe3b1b571277441e4676f8e1b169635636883c648bb7b2744288fa1a439af624aac87de7ae083cb3d455b44f1dedc4a3b5bbd01451966ba
        Message-Authenticator = 0xbe581a9933642f838bd86d2bf15cc1cf
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "ROUTER\Hege", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 8 length 86
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] EAP type mschapv2
[peap] Got tunnled request
        EAP-Message =
0x0208003f1a0208003a31a18116247e3cf107cb80957aebda429e0000000000000000ab0bc307e1083f338935929421910d46588c08903505e85f0048656765
server (null) {
  PEAP: Setting User-Name to ROUTER\Hege
Sending tunneled request
        EAP-Message =
0x0208003f1a0208003a31a18116247e3cf107cb80957aebda429e0000000000000000ab0bc307e1083f338935929421910d46588c08903505e85f0048656765
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "ROUTER\\Hege"
        State = 0x13f3ed6713fbf70e77af625de147f876
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "ROUTER\Hege", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 8 length 63
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap]   NT Domain delimeter found, should we have enabled with_ntdomain_hack?
[mschap] Told to do MS-CHAPv2 for ROUTER\Hege with NT-Password
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
Login incorrect: [ROUTER\\Hege/<via Auth-Type = EAP>] (from client switch port 0 via TLS tunnel)
} # server inner-tunnel
[peap] Got tunneled reply code 3
        MS-CHAP-Error = "\010E=691 R=1"
        EAP-Message = 0x04080004
        Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code 3
        MS-CHAP-Error = "\010E=691 R=1"
        EAP-Message = 0x04080004
        Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] returns handled
Sending Access-Challenge of id 103 to 192.168.1.1 port 1812
        EAP-Message =
0x010900261900170301001bc71968d5cb15656ea6b482aba56df99a166bfba8c87844a6ad1c2a
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xf9af3e19f1a62729f634465079c20687
Finished request 8.
Going to the next request
Waking up in 4.4 seconds.
rad_recv: Access-Request packet from host 192.168.1.1 port 1812, id=104, length=200
        NAS-IP-Address = 192.168.1.1
        NAS-Port = 50003
        Cisco-NAS-Port = "FastEthernet0/3"
        NAS-Port-Type = Ethernet
        User-Name = "ROUTER\\Hege"
        Called-Station-Id = "00-09-B7-94-CA-83"
        Calling-Station-Id = "00-13-D4-E7-B3-FB"
        Service-Type = Framed-User
        Framed-MTU = 1500
        State = 0xf9af3e19f1a62729f634465079c20687
        EAP-Message =
0x020900261900170301001b9806b1334ba9d945be522f2855f11e974d221b5b4c98dc0f8402ff
        Message-Authenticator = 0x7865e1d4e89a37f9d8a2daa60f56bdd6
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "ROUTER\Hege", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 9 length 38
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Received EAP-TLV response.
[peap]  Had sent TLV failure.  User was rejected earlier in this session.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect: [ROUTER\\Hege/<via Auth-Type = EAP>] (from client switch port 50003 cli 00-13-D4-E7-B3-FB)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]         expand: %{User-Name} -> ROUTER\Hege
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 9 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 9
Sending Access-Reject of id 104 to 192.168.1.1 port 1812
        EAP-Message = 0x04090004
        Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.4 seconds.
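
Added example, not part of the original post or of FreeRADIUS: a small triage script that reads `radiusd -X` output like the debug above and reports whether the outer TLS tunnel completed, which inner-tunnel module rejected, and what the MS-CHAP-Error code means. The function name `triage` and the result keys are hypothetical; the sample lines are copied from this post with mail wrapping undone, and the error names come from RFC 2759.

```python
import re

# MS-CHAPv2 failure codes (the "E=" field), as listed in RFC 2759.
MSCHAP_ERRORS = {
    646: "ERROR_RESTRICTED_LOGON_HOURS",
    647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED",
    649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE",
    709: "ERROR_CHANGING_PASSWORD",
}

# Constructed sample: lines taken from the debug output in this post,
# with the mail client's line wrapping undone.
SAMPLE = r"""
[peap]     (other): SSL negotiation finished successfully
[peap] EAPTLS_SUCCESS
[peap] Identity - ROUTER\Hege
server inner-tunnel {
[eap] processing type mschapv2
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap]   NT Domain delimeter found, should we have enabled with_ntdomain_hack?
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
++[mschap] returns reject
} # server inner-tunnel
        MS-CHAP-Error = "\010E=691 R=1"
[peap] Tunneled authentication was rejected.
[peap]  Had sent TLV failure.  User was rejected earlier in this session.
"""

def triage(log_text):
    """Summarise where a PEAP/MS-CHAPv2 attempt failed in debug output."""
    result = {"tls_ok": False, "identity": None, "inner_reject_by": None,
              "causes": [], "mschap_error": None, "retry_allowed": None}
    in_inner = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("server inner-tunnel {"):
            in_inner = True
        elif line.startswith("} # server inner-tunnel"):
            in_inner = False
        if "EAPTLS_SUCCESS" in line:
            result["tls_ok"] = True          # outer TLS tunnel is up
        m = re.match(r"\[peap\] Identity - (.+)", line)
        if m:
            result["identity"] = m.group(1)  # identity sent inside the tunnel
        m = re.match(r"\+\+\[(\w+)\] returns reject", line)
        if m and in_inner and result["inner_reject_by"] is None:
            result["inner_reject_by"] = m.group(1)
        if "No NT/LM-Password" in line:
            result["causes"].append("no NT/LM-Password available for the user")
        if "NT Domain delimeter found" in line:
            result["causes"].append("User-Name contains an NT domain delimiter")
        m = re.search(r'MS-CHAP-Error = ".*?E=(\d+) R=(\d)', line)
        if m:
            code = int(m.group(1))
            result["mschap_error"] = (code, MSCHAP_ERRORS.get(code, "unknown"))
            result["retry_allowed"] = m.group(2) == "1"
    return result

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

On this log the summary separates the two layers: the TLS handshake succeeded, and the reject came from the mschap module inside the inner-tunnel server.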




