Fedora 9 EAP issue
Casartello, Thomas
tcasartello at wsc.ma.edu
Wed Sep 17 15:52:48 CEST 2008
I put my new Fedora 9 server online because I appeared to have fixed the problem. I set it up on the IP address of the old server and re-added it to our Active Directory and now I'm having further issues. The following stuff is just repeating over and over again. Is this the same problem I was having before? It is in the same subnet as the old one and I have the firewall off on the box. I also have the server directly listening on the IP address (not *).
rad_recv: Access-Request packet from host 172.20.5.252 port 32769, id=172, length=289
User-Name = "tcasartello"
Calling-Station-Id = "00-18-DE-73-37-EE"
Called-Station-Id = "00-1F-9D-DB-94-40:s-wsc"
NAS-Port = 29
NAS-IP-Address = 172.20.5.252
NAS-Identifier = "Chaplin_Controller_A"
Airespace-Wlan-Id = 4
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "191"
EAP-Message = 0x020a005d190017030100527a00472d5201e427838c45bb8428dc8664113b300390f81758622fb37c712352d75743b0a29f36e1d080575bd87c63267b8c7a57ffd485dc3a92015a8e03fc0bcb6ac242bb59ae5e3026864e8045a8b461a3
State = 0x3ead947a39a78dd4bebe7ede364e2669
Message-Authenticator = 0xbbb995cc19d88cc3db15af21ce912b73
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "tcasartello", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] No '\' in User-Name = "tcasartello", looking up realm NULL
[ntdomain] No such realm "NULL"
++[ntdomain] returns noop
[eap] EAP packet type response id 10 length 93
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] EAP type mschapv2
[peap] Got tunnled request
EAP-Message = 0x020a00461a020a0041317ddff63d61068c15b4dd903aabf12fc60000000000000000040333c17d23d8af8da1639d67ab88d3ea9bdd23e446e79a0074636173617274656c6c6f
server (null) {
PEAP: Setting User-Name to tcasartello
Sending tunneled request
EAP-Message = 0x020a00461a020a0041317ddff63d61068c15b4dd903aabf12fc60000000000000000040333c17d23d8af8da1639d67ab88d3ea9bdd23e446e79a0074636173617274656c6c6f
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "tcasartello"
State = 0x4e1ee9574e14f3dcb614e9f3e9841921
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "tcasartello", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] No '\' in User-Name = "tcasartello", looking up realm NULL
[ntdomain] No such realm "NULL"
++[ntdomain] returns noop
++[control] returns noop
[eap] EAP packet type response id 10 length 70
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry DEFAULT at line 144
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for tcasartello with NT-Password
WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
expand: --username=%{Stripped-User-Name:-%{User-Name:-None}} -> --username=tcasartello
[mschap] mschap2: 30
expand: --challenge=%{mschap:Challenge:-00} -> --challenge=14ac698c5e16bde3
expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=040333c17d23d8af8da1639d67ab88d3ea9bdd23e446e79a
Exec-Program output: NT_KEY: FB5D361B3FAA75DD1ABDCEF2364BE00C
Exec-Program-Wait: plaintext: NT_KEY: FB5D361B3FAA75DD1ABDCEF2364BE00C
Exec-Program: returned: 0
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
MSCHAP Success
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
EAP-Message = 0x010b00331a030a002e533d42463634433143453535353630444346394141373033383542343844413130433132313434333331
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x4e1ee9574f15f3dcb614e9f3e9841921
[peap] Got tunneled reply RADIUS code 11
EAP-Message = 0x010b00331a030a002e533d42463634433143453535353630444346394141373033383542343844413130433132313434333331
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x4e1ee9574f15f3dcb614e9f3e9841921
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 172 to 172.20.5.252 port 32769
EAP-Message = 0x010b004a1900170301003f828d16f025c7d4040da0f525ff1f1788db288bc5a3a82e8b0f03164c7d52c9aabdfb9b35df717ca303a0c2bcd3e97b1dc2be8b7f197e0e76138966af2ae8ff
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x3ead947a36a68dd4bebe7ede364e2669
Finished request 48.
Going to the next request
Waking up in 4.0 seconds.
680140e0760d439c91b5b5d907b23c8d2349d4a9a4639301b0603551d110414301281106161726f6e407773632e6d612e656475301c0603551d1204153013811167656e6572616c4069707363612e636f6d307206096086480186f842010d046516634f7267616e697a6174696f6e20496e666f726d6174696f6e204e4f542056414c
EAP-Message = 0x4944415445442e20434c4153
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x86cb6fac87cd76d592c573a24cade35c
Finished request 51.
Going to the next request
Waking up in 0.3 seconds.
Cleaning up request 46 ID 170 with timestamp +63
Cleaning up request 47 ID 171 with timestamp +63
Cleaning up request 48 ID 172 with timestamp +63
Waking up in 4.6 seconds.
rad_recv: Access-Request packet from host 172.20.4.252 port 32769, id=230, length=201
User-Name = "tcasartello"
Calling-Station-Id = "00-18-DE-73-37-EE"
Called-Station-Id = "00-1F-9D-DB-90-D0:s-wsc"
NAS-Port = 29
NAS-IP-Address = 172.20.4.252
NAS-Identifier = "Abbott_Controller_A"
Airespace-Wlan-Id = 4
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "491"
EAP-Message = 0x020600061900
State = 0x86cb6fac87cd76d592c573a24cade35c
Message-Authenticator = 0xd74101a2f44efd3835bdf2e21f236e3a
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "tcasartello", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] No '\' in User-Name = "tcasartello", looking up realm NULL
[ntdomain] No such realm "NULL"
++[ntdomain] returns noop
[eap] EAP packet type response id 6 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 230 to 172.20.4.252 port 32769
EAP-Message = 0x293027060355040a
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x86cb6fac84cc76d592c573a24cade35c
Finished request 52.
Going to the next request
Waking up in 4.0 seconds.
rad_recv: Access-Request packet from host 172.20.4.252 port 32769, id=231, length=201
User-Name = "tcasartello"
Calling-Station-Id = "00-18-DE-73-37-EE"
Called-Station-Id = "00-1F-9D-DB-90-D0:s-wsc"
NAS-Port = 29
NAS-IP-Address = 172.20.4.252
NAS-Identifier = "Abbott_Controller_A"
Airespace-Wlan-Id = 4
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "491"
EAP-Message = 0x020700061900
State = 0x86cb6fac84cc76d592c573a24cade35c
Message-Authenticator = 0xe0ef194dead3fb16e7e466c322abfd89
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "tcasartello", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] No '\' in User-Name = "tcasartello", looking up realm NULL
[ntdomain] No such realm "NULL"
++[ntdomain] returns noop
[eap] EAP packet type response id 7 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 231 to 172.20.4.252 port 32769
EAP-Message = 0x6573820100301c0603551d1104153013811167656e6572616c4069707363612e636f6d30090603551d1204023000304306096086480186f842010d04361634434c4153454131204341204365727469666963617465206973737565642062792068747470733a2f2f7777772e6970732e65732f302206096086480186f84201020415161368747470733a2f2f7777772e6970732e65732f30730603551d1f046c306a3031a02fa02d862b68747470733a2f2f7777772e6970732e65732f63726c2f6970735345525649444f52455363726c2e63726c3035a033a031862f68747470733a2f2f7777776261636b2e6970732e65732f63726c2f6970735345
EAP-Message = 0x525649444f524553
Message-Authenticator = 0x00000000000000000000000000000000
Thomas E. Casartello, Jr.
Infrastructure Technician
Linux Specialist
Department of Information Technology
Westfield State College
Wilson 105-A
(413) 572-8245
E-Mail: tcasartello at wsc.ma.edu
Red Hat Certified Technician (RHCT)
-----Original Message-----
From: freeradius-users-bounces+tcasartello=wsc.ma.edu at lists.freeradius.org [mailto:freeradius-users-bounces+tcasartello=wsc.ma.edu at lists.freeradius.org] On Behalf Of Casartello, Thomas
Sent: Monday, September 15, 2008 2:00 PM
To: 'FreeRadius users mailing list'
Subject: RE: Fedora 9 EAP issue
Thanks to both of you, it was a combination of both problems. It was listening on two interfaces plus it was unable to communicate properly with the Cisco Wireless controllers from the subnet it was in.
Thomas E. Casartello, Jr.
Infrastructure Technician
Linux Specialist
Department of Information Technology
Westfield State College
Wilson 105-A
(413) 572-8245
E-Mail: tcasartello at wsc.ma.edu
Red Hat Certified Technician (RHCT)
-----Original Message-----
From: freeradius-users-bounces+tcasartello=wsc.ma.edu at lists.freeradius.org [mailto:freeradius-users-bounces+tcasartello=wsc.ma.edu at lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Monday, September 15, 2008 11:34 AM
To: FreeRadius users mailing list
Subject: Re: Fedora 9 EAP issue
Casartello, Thomas wrote:
> I have two servers with identical configuration and identical versions
> of freeradius, one running Fedora 8, one running Fedora 9. The Fedora 8
> one works issueless, however with Fedora 9 I simply cannot get PEAP
> authentication to work with it. I am constantly getting this debug output:
>...
> rad_recv: Access-Request packet from host 172.20.5.252 port 32769, id=4,
> length=194
> Sending duplicate reply to client chaplin-wism-a.wsc.ma.edu port 32769 -
> ID: 4
You have a network interface with 2 IP addresses. (i.e. aliases).
FreeRADIUS is receiving packets on the alias IP address, but sending
responses from the main IP. This is because the *kernel* makes this choice.
Make FreeRADIUS listen on the alias IP (and not "*"). Or, enable
udpfromto via the "configure" script. Once that's enabled, the server
will receive the destination IP of the RADIUS packet, and use that as
the source IP.
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
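Added example, not part of the original thread and not FreeRADIUS source code: a Linux-only C sketch of the mechanism Alan DeKok describes for udpfromto, where a wildcard-bound UDP server learns the destination IP of each request via IP_PKTINFO and uses it as the source IP of the reply. The names reply_from_dst and demo, and the use of 127.0.0.2 as a stand-in for the alias address, are assumptions made for this illustration.

```c
#define _GNU_SOURCE  /* exposes struct in_pktinfo on glibc */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

/* Answer one datagram from the IP it was sent TO; that IP is written to dst. 0 on success. */
int reply_from_dst(int srv, char *dst, socklen_t len) {
    union { struct cmsghdr align; char b[CMSG_SPACE(sizeof(struct in_pktinfo))]; } ctl;
    char buf[512];
    struct sockaddr_in peer;
    struct iovec iov = { .iov_base = buf, .iov_len = sizeof buf };
    struct msghdr m = { .msg_name = &peer, .msg_namelen = sizeof peer, .msg_iov = &iov,
                        .msg_iovlen = 1, .msg_control = ctl.b, .msg_controllen = sizeof ctl.b };
    ssize_t n = recvmsg(srv, &m, 0);
    if (n < 0) return -1;
    for (struct cmsghdr *c = CMSG_FIRSTHDR(&m); c; c = CMSG_NXTHDR(&m, c)) {
        if (c->cmsg_level != IPPROTO_IP || c->cmsg_type != IP_PKTINFO) continue;
        struct in_pktinfo *pi = (struct in_pktinfo *)CMSG_DATA(c);
        inet_ntop(AF_INET, &pi->ipi_addr, dst, len);   /* destination IP of the request */
        pi->ipi_spec_dst = pi->ipi_addr;               /* becomes the reply's source IP */
        pi->ipi_ifindex = 0;                           /* let routing pick the interface */
        iov.iov_len = (size_t)n;                       /* echo the payload back */
        return sendmsg(srv, &m, 0) < 0 ? -1 : 0;
    }
    return -1;  /* no IP_PKTINFO ancillary data: option not enabled on the socket */
}

/* Constructed loopback demo: server on 0.0.0.0, client sends to the "alias" 127.0.0.2.
 * dst = address the server saw the request arrive on, src = source IP of the reply. */
int demo(char *dst, char *src, socklen_t len) {
    int srv = socket(AF_INET, SOCK_DGRAM, 0), cli = socket(AF_INET, SOCK_DGRAM, 0), on = 1, rc = -1;
    struct timeval tv = { .tv_sec = 2 };               /* never hang if a packet is lost */
    struct sockaddr_in a = { .sin_family = AF_INET }, from;
    socklen_t al = sizeof a, fl = sizeof from;
    char b[16];
    setsockopt(srv, IPPROTO_IP, IP_PKTINFO, &on, sizeof on);
    setsockopt(srv, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv);
    setsockopt(cli, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv);
    if (bind(srv, (struct sockaddr *)&a, sizeof a) == 0 &&
        getsockname(srv, (struct sockaddr *)&a, &al) == 0 &&
        inet_pton(AF_INET, "127.0.0.2", &a.sin_addr) == 1 &&
        sendto(cli, "ping", 4, 0, (struct sockaddr *)&a, sizeof a) == 4 &&
        reply_from_dst(srv, dst, len) == 0 &&
        recvfrom(cli, b, sizeof b, 0, (struct sockaddr *)&from, &fl) == 4)
        rc = inet_ntop(AF_INET, &from.sin_addr, src, len) ? 0 : -1;
    close(srv);
    close(cli);
    return rc;
}
```

Without the ipi_spec_dst assignment the kernel chooses the reply's source address itself, which is the mismatch behind the "Sending duplicate reply" loop quoted above: the NAS discards answers that arrive from an IP it did not send to.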