Fedora 9 EAP issue

Casartello, Thomas tcasartello at wsc.ma.edu
Wed Sep 17 18:51:51 CEST 2008


More info on this:

If I type my password incorrectly, I get a totally different thing and it actually does send an access-reject, so this output only happens when I type a password correctly.

Thomas E. Casartello, Jr.
Infrastructure Technician
Linux Specialist
Department of Information Technology
Westfield State College
Wilson 105-A
(413) 572-8245
E-Mail: tcasartello at wsc.ma.edu

Red Hat Certified Technician (RHCT)


-----Original Message-----
From: freeradius-users-bounces+tcasartello=wsc.ma.edu at lists.freeradius.org [mailto:freeradius-users-bounces+tcasartello=wsc.ma.edu at lists.freeradius.org] On Behalf Of Casartello, Thomas
Sent: Wednesday, September 17, 2008 9:53 AM
To: 'FreeRadius users mailing list'
Subject: RE: Fedora 9 EAP issue

I put my new Fedora 9 server online because I appeared to have fixed the problem. I set it up on the IP address of the old server and re-added it to our Active Directory, and now I'm having further issues. The following stuff is just repeating over and over again. Is this the same problem I was having before? It is in the same subnet as the old one and I have the firewall off on the box. I also have the server directly listening on the IP address (not *).

rad_recv: Access-Request packet from host 172.20.5.252 port 32769, id=172, length=289
        User-Name = "tcasartello"
        Calling-Station-Id = "00-18-DE-73-37-EE"
        Called-Station-Id = "00-1F-9D-DB-94-40:s-wsc"
        NAS-Port = 29
        NAS-IP-Address = 172.20.5.252
        NAS-Identifier = "Chaplin_Controller_A"
        Airespace-Wlan-Id = 4
        Service-Type = Framed-User
        Framed-MTU = 1300
        NAS-Port-Type = Wireless-802.11
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "191"
        EAP-Message = 0x020a005d190017030100527a00472d5201e427838c45bb8428dc8664113b300390f81758622fb37c712352d75743b0a29f36e1d080575bd87c63267b8c7a57ffd485dc3a92015a8e03fc0bcb6ac242bb59ae5e3026864e8045a8b461a3
        State = 0x3ead947a39a78dd4bebe7ede364e2669
        Message-Authenticator = 0xbbb995cc19d88cc3db15af21ce912b73
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "tcasartello", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] No '\' in User-Name = "tcasartello", looking up realm NULL
[ntdomain] No such realm "NULL"
++[ntdomain] returns noop
[eap] EAP packet type response id 10 length 93
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] EAP type mschapv2
[peap] Got tunnled request
        EAP-Message = 0x020a00461a020a0041317ddff63d61068c15b4dd903aabf12fc60000000000000000040333c17d23d8af8da1639d67ab88d3ea9bdd23e446e79a0074636173617274656c6c6f
server (null) {
  PEAP: Setting User-Name to tcasartello
Sending tunneled request
        EAP-Message = 0x020a00461a020a0041317ddff63d61068c15b4dd903aabf12fc60000000000000000040333c17d23d8af8da1639d67ab88d3ea9bdd23e446e79a0074636173617274656c6c6f
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "tcasartello"
        State = 0x4e1ee9574e14f3dcb614e9f3e9841921
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "tcasartello", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] No '\' in User-Name = "tcasartello", looking up realm NULL
[ntdomain] No such realm "NULL"
++[ntdomain] returns noop
++[control] returns noop
[eap] EAP packet type response id 10 length 70
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry DEFAULT at line 144
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for tcasartello with NT-Password
WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
        expand: --username=%{Stripped-User-Name:-%{User-Name:-None}} -> --username=tcasartello
[mschap]  mschap2: 30
        expand: --challenge=%{mschap:Challenge:-00} -> --challenge=14ac698c5e16bde3
        expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=040333c17d23d8af8da1639d67ab88d3ea9bdd23e446e79a
Exec-Program output: NT_KEY: FB5D361B3FAA75DD1ABDCEF2364BE00C
Exec-Program-Wait: plaintext: NT_KEY: FB5D361B3FAA75DD1ABDCEF2364BE00C
Exec-Program: returned: 0
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
MSCHAP Success
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
        EAP-Message = 0x010b00331a030a002e533d42463634433143453535353630444346394141373033383542343844413130433132313434333331
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x4e1ee9574f15f3dcb614e9f3e9841921
[peap] Got tunneled reply RADIUS code 11
        EAP-Message = 0x010b00331a030a002e533d42463634433143453535353630444346394141373033383542343844413130433132313434333331
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x4e1ee9574f15f3dcb614e9f3e9841921
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 172 to 172.20.5.252 port 32769
        EAP-Message = 0x010b004a1900170301003f828d16f025c7d4040da0f525ff1f1788db288bc5a3a82e8b0f03164c7d52c9aabdfb9b35df717ca303a0c2bcd3e97b1dc2be8b7f197e0e76138966af2ae8ff
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x3ead947a36a68dd4bebe7ede364e2669
Finished request 48.
Going to the next request
Waking up in 4.0 seconds.
        EAP-Message = 0x4944415445442e20434c4153
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x86cb6fac87cd76d592c573a24cade35c
Finished request 51.
Going to the next request
Waking up in 0.3 seconds.
Cleaning up request 46 ID 170 with timestamp +63
Cleaning up request 47 ID 171 with timestamp +63
Cleaning up request 48 ID 172 with timestamp +63
Waking up in 4.6 seconds.
rad_recv: Access-Request packet from host 172.20.4.252 port 32769, id=230, length=201
        User-Name = "tcasartello"
        Calling-Station-Id = "00-18-DE-73-37-EE"
        Called-Station-Id = "00-1F-9D-DB-90-D0:s-wsc"
        NAS-Port = 29
        NAS-IP-Address = 172.20.4.252
        NAS-Identifier = "Abbott_Controller_A"
        Airespace-Wlan-Id = 4
        Service-Type = Framed-User
        Framed-MTU = 1300
        NAS-Port-Type = Wireless-802.11
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "491"
        EAP-Message = 0x020600061900
        State = 0x86cb6fac87cd76d592c573a24cade35c
        Message-Authenticator = 0xd74101a2f44efd3835bdf2e21f236e3a
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "tcasartello", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] No '\' in User-Name = "tcasartello", looking up realm NULL
[ntdomain] No such realm "NULL"
++[ntdomain] returns noop
[eap] EAP packet type response id 6 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 230 to 172.20.4.252 port 32769
        EAP-Message = 0x293027060355040a
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x86cb6fac84cc76d592c573a24cade35c
Finished request 52.
Going to the next request
Waking up in 4.0 seconds.
rad_recv: Access-Request packet from host 172.20.4.252 port 32769, id=231, length=201
        User-Name = "tcasartello"
        Calling-Station-Id = "00-18-DE-73-37-EE"
        Called-Station-Id = "00-1F-9D-DB-90-D0:s-wsc"
        NAS-Port = 29
        NAS-IP-Address = 172.20.4.252
        NAS-Identifier = "Abbott_Controller_A"
        Airespace-Wlan-Id = 4
        Service-Type = Framed-User
        Framed-MTU = 1300
        NAS-Port-Type = Wireless-802.11
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "491"
        EAP-Message = 0x020700061900
        State = 0x86cb6fac84cc76d592c573a24cade35c
        Message-Authenticator = 0xe0ef194dead3fb16e7e466c322abfd89
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "tcasartello", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] No '\' in User-Name = "tcasartello", looking up realm NULL
[ntdomain] No such realm "NULL"
++[ntdomain] returns noop
[eap] EAP packet type response id 7 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 231 to 172.20.4.252 port 32769
        EAP-Message = 0x010803fc194013204950532043657274696669636174696f6e20417574686f7269747920732e6c2e312e302c060355040a142567656e6572616c4069707363612e636f6d20432e492e462e2020422d423632323130363935312e302c060355040b1325697073434120434c41534541312043657274696669636174696f6e20417574686f72697479312e302c06035504031325697073434120434c41534541312043657274696669636174696f6e20417574686f726974793120301e06092a864886f70d010901161167656e6572616c4069707363612e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100a6f57366361d
        EAP-Message = 0xa32f4fad2ad8ef0ca64befa71bacf7f246171bb202ab3e11898c6aa80fd8631499d71fbcb22768026ef43089ebadeb41dcb44206fa481f138c64df872dc714d4a783e4723b32ead34d793165050933812b6ee636ad211133362b68cabe432c37b73d69163be59dbe32a7d5df4a80fcda7370aad928822f68bbb10203010001a38202b4308202b0300c0603551d13040530030101ff301106096086480186f8420101040403020007300c0603551d0f0405030307ff80306b0603551d250464306206082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b06010505070308060a2b06010401823702
        EAP-Message = 0x525649444f524553
        Message-Authenticator = 0x00000000000000000000000000000000

Thomas E. Casartello, Jr.
Infrastructure Technician
Linux Specialist
Department of Information Technology
Westfield State College
Wilson 105-A
(413) 572-8245
E-Mail: tcasartello at wsc.ma.edu

Red Hat Certified Technician (RHCT)

-----Original Message-----
From: freeradius-users-bounces+tcasartello=wsc.ma.edu at lists.freeradius.org [mailto:freeradius-users-bounces+tcasartello=wsc.ma.edu at lists.freeradius.org] On Behalf Of Casartello, Thomas
Sent: Monday, September 15, 2008 2:00 PM
To: 'FreeRadius users mailing list'
Subject: RE: Fedora 9 EAP issue

Thanks to both of you, it was a combination of both problems. It was listening on two interfaces plus it was unable to communicate properly with the Cisco Wireless controllers from the subnet it was in.

Thomas E. Casartello, Jr.
Infrastructure Technician
Linux Specialist
Department of Information Technology
Westfield State College
Wilson 105-A
(413) 572-8245
E-Mail: tcasartello at wsc.ma.edu

Red Hat Certified Technician (RHCT)


-----Original Message-----
From: freeradius-users-bounces+tcasartello=wsc.ma.edu at lists.freeradius.org [mailto:freeradius-users-bounces+tcasartello=wsc.ma.edu at lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Monday, September 15, 2008 11:34 AM
To: FreeRadius users mailing list
Subject: Re: Fedora 9 EAP issue

Casartello, Thomas wrote:
> I have two servers with identical configuration and identical versions
> of freeradius, one running Fedora 8, one running Fedora 9. The Fedora 8
> one works issueless, however with Fedora 9 I simply cannot get PEAP
> authentication to work with it. I am constantly getting this debug output:
>...
> rad_recv: Access-Request packet from host 172.20.5.252 port 32769, id=4,
> length=194
> Sending duplicate reply to client chaplin-wism-a.wsc.ma.edu port 32769 -
> ID: 4

  You have a network interface with 2 IP addresses.  (i.e. aliases).
FreeRADIUS is receiving packets on the alias IP address, but sending
responses from the main IP.  This is because the *kernel* makes this choice.

  Make FreeRADIUS listen on the alias IP (and not "*").  Or, enable
udpfromto via the "configure" script.  Once that's enabled, the server
will receive the destination IP of the RADIUS packet, and use that as
the source IP.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
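
The behaviour described in the reply above, as an added example that is not part of the original thread and is not FreeRADIUS code: a UDP server bound to "*" replies from a kernel-chosen source address unless it reads the request's destination IP and sends from it. It uses the Linux `IP_PKTINFO` socket option as one way to do that; `reply_source` is a hypothetical name, and 127.0.0.2 on loopback stands in for the alias IP.

```c
#define _GNU_SOURCE                      /* struct in_pktinfo (Linux/glibc) */
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

/* Constructed demo: returns the reply's source IP as the client sees it (0 on error). */
in_addr_t reply_source(const char *alias, int use_pktinfo) {
    int srv = socket(AF_INET, SOCK_DGRAM, 0), cli = socket(AF_INET, SOCK_DGRAM, 0), on = 1;
    struct sockaddr_in sa = { .sin_family = AF_INET }, peer, from = { 0 };
    socklen_t sl = sizeof sa, fl = sizeof from; struct timeval tv = { 2, 0 };
    union { char b[CMSG_SPACE(sizeof(struct in_pktinfo))]; struct cmsghdr align; } cb;
    char buf[16]; struct iovec iov = { buf, sizeof buf };
    struct msghdr m = { .msg_name = &peer, .msg_namelen = sizeof peer, .msg_iov = &iov,
                        .msg_iovlen = 1, .msg_control = cb.b, .msg_controllen = sizeof cb.b };
    struct in_pktinfo pi = { 0 };
    setsockopt(srv, IPPROTO_IP, IP_PKTINFO, &on, sizeof on);  /* ask for the destination IP */
    setsockopt(srv, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv); /* never block forever */
    setsockopt(cli, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv);
    if (bind(srv, (struct sockaddr *)&sa, sizeof sa) ||       /* "*", ephemeral port */
        getsockname(srv, (struct sockaddr *)&sa, &sl)) goto out;
    sa.sin_addr.s_addr = inet_addr(alias);                    /* client sends to the alias */
    sendto(cli, "req", 3, 0, (struct sockaddr *)&sa, sizeof sa);
    if (recvmsg(srv, &m, 0) < 0) goto out;
    for (struct cmsghdr *c = CMSG_FIRSTHDR(&m); c; c = CMSG_NXTHDR(&m, c))
        if (c->cmsg_level == IPPROTO_IP && c->cmsg_type == IP_PKTINFO)
            pi.ipi_spec_dst = ((struct in_pktinfo *)CMSG_DATA(c))->ipi_addr;
    iov.iov_base = "ok"; iov.iov_len = 2;
    m.msg_controllen = 0;                        /* no cmsg: kernel picks the source */
    if (use_pktinfo) {                           /* reply from the IP we were sent to */
        m.msg_controllen = sizeof cb.b;
        struct cmsghdr *c = CMSG_FIRSTHDR(&m);
        c->cmsg_level = IPPROTO_IP; c->cmsg_type = IP_PKTINFO;
        c->cmsg_len = CMSG_LEN(sizeof pi);
        memcpy(CMSG_DATA(c), &pi, sizeof pi);
    }
    if (sendmsg(srv, &m, 0) >= 0) recvfrom(cli, buf, sizeof buf, 0, (struct sockaddr *)&from, &fl);
out:
    close(srv); close(cli);
    return from.sin_addr.s_addr;
}

int main(void) {
    struct in_addr k = { reply_source("127.0.0.2", 0) }, p = { reply_source("127.0.0.2", 1) };
    printf("kernel-chosen source: %s\n", inet_ntoa(k));
    printf("pktinfo source:       %s\n", inet_ntoa(p));
    return 0;
}
```

A RADIUS client that sent its request to the alias drops a reply arriving from the main IP and retransmits, which is what the "Sending duplicate reply" lines in the quoted debug output reflect.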
