FreeRADIUS and Active Directory
Tomas
tomas.radius at googlemail.com
Thu Feb 19 10:57:53 CET 2009
Hi,
I believe I did everything I had to do to enable my FreeRADIUS server to chat to
Windows AD.
##########################################################
Kerberos:
root@radius:/home/radius# kinit Administrator@AD.LAB.COM
Password for Administrator@AD.LAB.COM:
root@radius:/home/radius# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@AD.LAB.COM
Valid starting     Expires            Service principal
02/19/09 09:44:44  02/19/09 19:44:51  krbtgt/AD.LAB.COM@AD.LAB.COM
        renew until 02/20/09 09:44:44
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
##########################################################
ntlm_auth:
root@radius:/home/radius# ntlm_auth --request-nt-key --domain=AD.LAB.COM --username=Administrator
password:
NT_STATUS_OK: Success (0x0)
##########################################################
I made changes to my FreeRADIUS configuration according to
http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO
(I had to change the names of the .pem files in eap.conf for my certificates).
This is my eap.conf (less the comments and empty lines):
eap {
        default_eap_type = peap
        timer_expire = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
        max_sessions = 2048
        md5 {
        }
        leap {
        }
        gtc {
                auth_type = PAP
        }
        tls {
                private_key_password = whatever
                private_key_file = ${raddbdir}/certs/server.pem
                certificate_file = ${raddbdir}/certs/server.pem
                CA_file = ${raddbdir}/certs/ca.pem
                dh_file = ${raddbdir}/certs/dh
                random_file = ${raddbdir}/certs/random
                random_file = /dev/urandom
        }
        ttls {
                default_eap_type = md5
                copy_request_to_tunnel = no
                use_tunneled_reply = no
                virtual_server = "inner-tunnel"
        }
        peap {
                default_eap_type = mschapv2
                copy_request_to_tunnel = no
                use_tunneled_reply = no
                virtual_server = "inner-tunnel"
        }
        mschapv2 {
        }
}
So here I am trying to authenticate using my AD username and password, and
having no joy :(
radiusd -X
FreeRADIUS Version 2.1.3, for host i686-pc-linux-gnu, built on Jan 19 2009 at 13:48:26
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /home/radius/etc/raddb/radiusd.conf
including configuration file /home/radius/etc/raddb/proxy.conf
including configuration file /home/radius/etc/raddb/clients.conf
including files in directory /home/radius/etc/raddb/modules/
including configuration file /home/radius/etc/raddb/modules/etc_group
including configuration file /home/radius/etc/raddb/modules/files
including configuration file /home/radius/etc/raddb/modules/expiration
including configuration file /home/radius/etc/raddb/modules/detail.log
including configuration file /home/radius/etc/raddb/modules/smbpasswd
including configuration file /home/radius/etc/raddb/modules/chap
including configuration file /home/radius/etc/raddb/modules/mschap
including configuration file /home/radius/etc/raddb/modules/ippool
including configuration file /home/radius/etc/raddb/modules/digest
including configuration file /home/radius/etc/raddb/modules/radutmp
including configuration file /home/radius/etc/raddb/modules/realm
including configuration file /home/radius/etc/raddb/modules/attr_rewrite
including configuration file /home/radius/etc/raddb/modules/echo
including configuration file /home/radius/etc/raddb/modules/policy
including configuration file /home/radius/etc/raddb/modules/mac2vlan
including configuration file /home/radius/etc/raddb/modules/sql_log
including configuration file /home/radius/etc/raddb/modules/preprocess
including configuration file /home/radius/etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /home/radius/etc/raddb/modules/krb5
including configuration file /home/radius/etc/raddb/modules/pam
including configuration file /home/radius/etc/raddb/modules/wimax
including configuration file /home/radius/etc/raddb/modules/linelog
including configuration file /home/radius/etc/raddb/modules/always
including configuration file /home/radius/etc/raddb/modules/exec
including configuration file /home/radius/etc/raddb/modules/inner-eap
including configuration file /home/radius/etc/raddb/modules/checkval
including configuration file /home/radius/etc/raddb/modules/passwd
including configuration file /home/radius/etc/raddb/modules/expr
including configuration file /home/radius/etc/raddb/modules/perl
including configuration file /home/radius/etc/raddb/modules/detail.example.com
including configuration file /home/radius/etc/raddb/modules/pap
including configuration file /home/radius/etc/raddb/modules/ldap
including configuration file /home/radius/etc/raddb/modules/unix
including configuration file /home/radius/etc/raddb/modules/detail
including configuration file /home/radius/etc/raddb/modules/counter
including configuration file /home/radius/etc/raddb/modules/sradutmp
including configuration file /home/radius/etc/raddb/modules/attr_filter
including configuration file /home/radius/etc/raddb/modules/mac2ip
including configuration file /home/radius/etc/raddb/modules/logintime
including configuration file /home/radius/etc/raddb/modules/acct_unique
including configuration file /home/radius/etc/raddb/eap.conf
including configuration file /home/radius/etc/raddb/sql.conf
including configuration file /home/radius/etc/raddb/sql/mysql/dialup.conf
including configuration file /home/radius/etc/raddb/sql/mysql/counter.conf
including configuration file /home/radius/etc/raddb/policy.conf
including files in directory /home/radius/etc/raddb/sites-enabled/
including configuration file /home/radius/etc/raddb/sites-enabled/inner-tunnel
including configuration file /home/radius/etc/raddb/sites-enabled/default
including dictionary file /home/radius/etc/raddb/dictionary
main {
prefix = "/home/radius"
localstatedir = "/home/radius/var"
logdir = "/home/radius/var/log/radius"
libdir = "/home/radius/lib"
radacctdir = "/home/radius/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
pidfile = "/home/radius/var/run/radiusd/radiusd.pid"
checkrad = "/home/radius/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "testing123"
nastype = "other"
}
client 192.168.0.50 {
require_message_authenticator = no
secret = "testing123"
shortname = "Procurve2824"
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "testing123"
response_window = 20
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_expr
Module: Instantiating expr
Module: Linked to module rlm_expiration
Module: Instantiating expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating logintime
logintime {
reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60
}
}
radiusd: #### Loading Virtual Servers ####
server inner-tunnel {
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating pap
pap {
encryption_scheme = "auto"
auto_header = no
}
Module: Linked to module rlm_chap
Module: Instantiating chap
Module: Linked to module rlm_mschap
Module: Instantiating mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = no
}
Module: Linked to module rlm_unix
Module: Instantiating unix
unix {
radwtmp = "/home/radius/var/log/radius/radwtmp"
}
Module: Linked to module rlm_eap
Module: Instantiating eap
eap {
default_eap_type = "peap"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 2048
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
pem_file_type = yes
private_key_file = "/home/radius/etc/raddb/certs/server.pem"
certificate_file = "/home/radius/etc/raddb/certs/server.pem"
CA_file = "/home/radius/etc/raddb/certs/ca.pem"
private_key_password = "whatever"
dh_file = "/home/radius/etc/raddb/certs/dh"
random_file = "/home/radius/etc/raddb/certs/random"
fragment_size = 1024
include_length = yes
check_crl = no
}
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_realm
Module: Instantiating suffix
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Linked to module rlm_files
Module: Instantiating files
files {
usersfile = "/home/radius/etc/raddb/users"
acctusersfile = "/home/radius/etc/raddb/acct_users"
preproxy_usersfile = "/home/radius/etc/raddb/preproxy_users"
compat = "no"
}
Module: Checking session {...} for more modules to load
Module: Linked to module rlm_radutmp
Module: Instantiating radutmp
radutmp {
filename = "/home/radius/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Linked to module rlm_attr_filter
Module: Instantiating attr_filter.access_reject
attr_filter attr_filter.access_reject {
attrsfile = "/home/radius/etc/raddb/attrs.access_reject"
key = "%{User-Name}"
}
}
}
modules {
Module: Checking authenticate {...} for more modules to load
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating preprocess
preprocess {
huntgroups = "/home/radius/etc/raddb/huntgroups"
hints = "/home/radius/etc/raddb/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating detail
detail {
detailfile = "/home/radius/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Instantiating attr_filter.accounting_response
attr_filter attr_filter.accounting_response {
attrsfile = "/home/radius/etc/raddb/attrs.accounting_response"
key = "%{User-Name}"
}
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
}
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.0.50 port 1024, id=145, length=219
Framed-MTU = 1480
NAS-IP-Address = 192.168.0.50
NAS-Identifier = "HP ProCurve Switch 2824"
User-Name = "AD\\tomas"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 1
NAS-Port-Type = Ethernet
NAS-Port-Id = "1"
Called-Station-Id = "00-11-0a-fe-a9-3f"
Calling-Station-Id = "00-17-a4-4e-77-47"
Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex"
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "1"
EAP-Message = 0x0202000d0141445c746f6d6173
Message-Authenticator = 0x6284ee873372cae375d55f623802b513
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "AD\tomas", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 13
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 172
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 145 to 192.168.0.50 port 1024
Framed-Protocol = PPP
Framed-Compression = Van-Jacobson-TCP-IP
EAP-Message = 0x010300061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa7700ab4a77313314b7c55c3e8534adf
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.0.50 port 1024, id=146, length=304
Framed-MTU = 1480
NAS-IP-Address = 192.168.0.50
NAS-Identifier = "HP ProCurve Switch 2824"
User-Name = "AD\\tomas"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 1
NAS-Port-Type = Ethernet
NAS-Port-Id = "1"
Called-Station-Id = "00-11-0a-fe-a9-3f"
Calling-Station-Id = "00-17-a4-4e-77-47"
Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex"
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "1"
State = 0xa7700ab4a77313314b7c55c3e8534adf
EAP-Message = 0x0203005019800000004616030100410100003d0301499d286e3a35671559855ef2c8bef05802fabc183a42eb4b669d9e474e085ba900001600040005000a000900640062000300060013001200630100
Message-Authenticator = 0x46b2eaa942dba96799d4336312d6c698
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "AD\tomas", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 80
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 70
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 0041], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 002a], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 085e], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 146 to 192.168.0.50 port 1024
EAP-Message = 0x0104040019c00000089b160301002a020000260301499d286cdb1f8ce8a5fb2621e05e22740ec7ed76ffc6abf318cd00d5c16dc61f00000400160301085e0b00085a0008570003a6308203a23082028aa003020102020101300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479
EAP-Message = 0xdf4fd855dfabba9ffe67ebc9ef0772e1036cc8fd8c275e0eae813442b6bf713746f7caa8af848002c6edfa5596eab50667945e95a7e7befaf1139d04ed6a453c062b1e4849b21597302c4c730ef9b69e6934d8336d607baf2c61b9cf544b58d2633d34804e705a1c675be9887f32e0d677317e3635c17f65c18bcd6c8b3033d351dfa77b36ea7feca91b41a707ca37452102f40a18a0832dcdc4cd8a5a2c01e4c8a62bdce1f0b886193c155ef4c8bbbf8ad66d51573c6eb0a21966d47ac9c1a5f4230203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d01010405000382010100352858d2b93777f989
EAP-Message = 0x37da2562908c3391559a6f1bd9b0e41adef4c2cfc393c0b9668ceaf6df7227112867a48853e921a9da6783fda2614d07cc0b011a11b4feacb4b61d43628e2d2c4e95e747fa03849decf26051807a9e51136df5f81f698fe88f6d1a8ad5a2151ed4f45a8385e02cb9e3d3b10cd6103212d488d27126e8e6a974cc5c282813abd411657bf5be22f91dbc7a58d08237b38915736ed1f01ebb384f91eadda353743ca7d4e62b23e85e60d04c58c280dbea9cd505bf234cfaee1a0a51754954c9e3e6f7960d0a9a9f85243199d986671a1db32e5fcca17b62ce9bb1ff312500f1ffd8874de9fe53c828ec2a3fdb8a2e186a28c5b59c53dcce9b0004ab308204
EAP-Message = 0xa73082038fa0030201020209
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa7700ab4a67413314b7c55c3e8534adf
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.0.50 port 1024, id=147, length=230
Framed-MTU = 1480
NAS-IP-Address = 192.168.0.50
NAS-Identifier = "HP ProCurve Switch 2824"
User-Name = "AD\\tomas"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 1
NAS-Port-Type = Ethernet
NAS-Port-Id = "1"
Called-Station-Id = "00-11-0a-fe-a9-3f"
Calling-Station-Id = "00-17-a4-4e-77-47"
Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex"
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "1"
State = 0xa7700ab4a67413314b7c55c3e8534adf
EAP-Message = 0x020400061900
Message-Authenticator = 0xaa295b159651be4a3e1a80fde7805ea7
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "AD\tomas", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 4 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 147 to 192.168.0.50 port 1024
EAP-Message = 0x071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100a987d28b942573bad6f47cc07eed6c6dcdad586632c29f838248874e1ad78ef744cf491992803212afca36a03f2a06be90c1da8bca6032b677a48dd26e6449d498b3e83d5569dca2b7a743fa3d96007884ed81616e0ad61f51dca6814fac86c6120d71ceddc0dd9798711b36dd8005
EAP-Message = 0x0813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747982090094a001b5eb25441d300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100699e12dabf9c108ba7200bee0c69f2ff01ac37886fdd207b3ccde9311f7684959ed3dfda0936a2781ac286612ef24d987159c2b28e9d756b53701e15967b73c3f82c8517cbfefa2d3e9ac1275e180c97ccbb
EAP-Message = 0x5f8391f0cafc40c7
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa7700ab4a57513314b7c55c3e8534adf
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.0.50 port 1024, id=148, length=230
Framed-MTU = 1480
NAS-IP-Address = 192.168.0.50
NAS-Identifier = "HP ProCurve Switch 2824"
User-Name = "AD\\tomas"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 1
NAS-Port-Type = Ethernet
NAS-Port-Id = "1"
Called-Station-Id = "00-11-0a-fe-a9-3f"
Calling-Station-Id = "00-17-a4-4e-77-47"
Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex"
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "1"
State = 0xa7700ab4a57513314b7c55c3e8534adf
EAP-Message = 0x020500061900
Message-Authenticator = 0x34ca3ab594dd2c388a8df2f3da5faed6
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "AD\tomas", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 5 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 148 to 192.168.0.50 port 1024
EAP-Message = 0x010600b51900290a8a1becaa5f95acd275a8b07d4ce8e2b56745877efd21ca5cee0c39bd7e66d625688c05a22f43c49f90c057109d12adf008cfe513d4219f84bcd4e123caf1548e368bff658efb2f8c8c674a2e5ec896136ea044eeef99fd52220ecb2ee8192aeacb6bac2e30b29b670e2532924a6cd60dae38584514d46c38e550a52dd719060d7468bc87833fc6e65fba911ee8610e5ca515ecf58705dee114e2954fced9276ff4e6356f16030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa7700ab4a47613314b7c55c3e8534adf
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.0.50 port 1024, id=149, length=546
Framed-MTU = 1480
NAS-IP-Address = 192.168.0.50
NAS-Identifier = "HP ProCurve Switch 2824"
User-Name = "AD\\tomas"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 1
NAS-Port-Type = Ethernet
NAS-Port-Id = "1"
Called-Station-Id = "00-11-0a-fe-a9-3f"
Calling-Station-Id = "00-17-a4-4e-77-47"
Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex"
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "1"
State = 0xa7700ab4a47613314b7c55c3e8534adf
EAP-Message = 0x642d63cce135fa576f57f33de4bb616254ea741a3a8208811403010001011603010020f1391a72bcb5f269d5ada83203e8331fee69e6868c4a8d0d31943c7c6305ec99
Message-Authenticator = 0x1a1423af25e5958dee7cd9461c03528e
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "AD\tomas", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 6 length 253
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 310
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange
[peap] TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap] TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 write finished A
[peap] TLS_accept: SSLv3 flush data
[peap] (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 149 to 192.168.0.50 port 1024
EAP-Message = 0x0107003119001403010001011603010020b495378da34cbeed0a1086ff1286b15a94a2192612e0c0297da1b7de831a43f9
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa7700ab4a37713314b7c55c3e8534adf
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.0.50 port 1024, id=150, length=230
Framed-MTU = 1480
NAS-IP-Address = 192.168.0.50
NAS-Identifier = "HP ProCurve Switch 2824"
User-Name = "AD\\tomas"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 1
NAS-Port-Type = Ethernet
NAS-Port-Id = "1"
Called-Station-Id = "00-11-0a-fe-a9-3f"
Calling-Station-Id = "00-17-a4-4e-77-47"
Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex"
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "1"
State = 0xa7700ab4a37713314b7c55c3e8534adf
EAP-Message = 0x020700061900
Message-Authenticator = 0x9eac8aa44c87e5f81ddbb063c1a035df
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "AD\tomas", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 7 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
++[eap] returns handled
Sending Access-Challenge of id 150 to 192.168.0.50 port 1024
EAP-Message = 0x01080020190017030100156326f7e95daa4403b150b4d521beb8d093cbd081e3
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa7700ab4a27813314b7c55c3e8534adf
Finished request 5.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.0.50 port 1024, id=151, length=260
Framed-MTU = 1480
NAS-IP-Address = 192.168.0.50
NAS-Identifier = "HP ProCurve Switch 2824"
User-Name = "AD\\tomas"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 1
NAS-Port-Type = Ethernet
NAS-Port-Id = "1"
Called-Station-Id = "00-11-0a-fe-a9-3f"
Calling-Station-Id = "00-17-a4-4e-77-47"
Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex"
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "1"
State = 0xa7700ab4a27813314b7c55c3e8534adf
EAP-Message = 0x02080024190017030100193dd421cda8cc1de66a7b0b59210efb5ca9d83c3ff457175d04
Message-Authenticator = 0x691b308cd5d03042fefeac42e8e0f48d
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "AD\tomas", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 8 length 36
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Identity - AD\tomas
[peap] Got tunneled request
EAP-Message = 0x0208000d0141445c746f6d6173
server {
PEAP: Got tunneled identity of AD\tomas
PEAP: Setting default EAP type for tunneled EAP session.
PEAP: Setting User-Name to AD\tomas
Sending tunneled request
EAP-Message = 0x0208000d0141445c746f6d6173
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "AD\\tomas"
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "AD\tomas", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 8 length 13
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry AD\tomas at line 206
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
EAP-Message = 0x010900221a0109001d106bec785af6d4a846f669bb11bc7e7f6141445c746f6d6173
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xc45c7e91c455641081f4392f87dbe9b5
[peap] Got tunneled reply RADIUS code 11
EAP-Message = 0x010900221a0109001d106bec785af6d4a846f669bb11bc7e7f6141445c746f6d6173
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xc45c7e91c455641081f4392f87dbe9b5
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 151 to 192.168.0.50 port 1024
EAP-Message = 0x010900391900170301002e6fca7a90a0460e344377af0758cf4bce22ea505a7d792f6205364e13335debd60d8c6db5cf055f9b3f63ba4f7c3d
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa7700ab4a17913314b7c55c3e8534adf
Finished request 6.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.0.50 port 1024, id=152, length=314
Framed-MTU = 1480
NAS-IP-Address = 192.168.0.50
NAS-Identifier = "HP ProCurve Switch 2824"
User-Name = "AD\\tomas"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 1
NAS-Port-Type = Ethernet
NAS-Port-Id = "1"
Called-Station-Id = "00-11-0a-fe-a9-3f"
Calling-Station-Id = "00-17-a4-4e-77-47"
Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex"
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "1"
State = 0xa7700ab4a17913314b7c55c3e8534adf
EAP-Message = 0x0209005a1900170301004faad232040b1f6cccf41600b3a8dd5770d01f143ad5c343d50640de3f45460e946e6c6b801b5579f1cfe37c467deb86c87b4e34e1887859ebed92d93894b4d899c70d0d548e108231fe98af12711890
Message-Authenticator = 0x6343ce9f44b16b4a87de883a0f0d2906
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "AD\tomas", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 9 length 90
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] EAP type mschapv2
[peap] Got tunneled request
EAP-Message = 0x020900431a0209003e312b850019e93cb20c529c6765c7a7797f0000000000000000c42c055a3b0f699414e441217450fc8c08739b1fdf908d0d0041445c746f6d6173
server {
PEAP: Setting User-Name to AD\tomas
Sending tunneled request
EAP-Message = 0x020900431a0209003e312b850019e93cb20c529c6765c7a7797f0000000000000000c42c055a3b0f699414e441217450fc8c08739b1fdf908d0d0041445c746f6d6173
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "AD\\tomas"
State = 0xc45c7e91c455641081f4392f87dbe9b5
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "AD\tomas", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 9 length 67
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry AD\tomas at line 206
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] NT Domain delimeter found, should we have enabled with_ntdomain_hack?
[mschap] Told to do MS-CHAPv2 for AD\tomas with NT-Password
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
} # server inner-tunnel
[peap] Got tunneled reply code 3
MS-CHAP-Error = "\tE=691 R=1"
EAP-Message = 0x04090004
Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code 3
MS-CHAP-Error = "\tE=691 R=1"
EAP-Message = 0x04090004
Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] returns handled
Sending Access-Challenge of id 152 to 192.168.0.50 port 1024
EAP-Message = 0x010a00261900170301001bb96920ded224eba0158d4d22140428c0ef2269ff50fc41776ab22a
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa7700ab4a07a13314b7c55c3e8534adf
Finished request 7.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.0.50 port 1024, id=153, length=262
Framed-MTU = 1480
NAS-IP-Address = 192.168.0.50
NAS-Identifier = "HP ProCurve Switch 2824"
User-Name = "AD\\tomas"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 1
NAS-Port-Type = Ethernet
NAS-Port-Id = "1"
Called-Station-Id = "00-11-0a-fe-a9-3f"
Calling-Station-Id = "00-17-a4-4e-77-47"
Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex"
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "1"
State = 0xa7700ab4a07a13314b7c55c3e8534adf
EAP-Message = 0x020a00261900170301001bc2d3a7dd4ad6836c4a105f8303ad99757ed6a51e896ea183e104a1
Message-Authenticator = 0x3ac13246949bddb5666ab5a4b7b1e16b
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "AD\tomas", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 10 length 38
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Received EAP-TLV response.
[peap] Had sent TLV failure. User was rejected earlier in this session.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> AD\tomas
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 8 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 8
Sending Access-Reject of id 153 to 192.168.0.50 port 1024
EAP-Message = 0x040a0004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.
Cleaning up request 0 ID 145 with timestamp +11
Cleaning up request 1 ID 146 with timestamp +11
Cleaning up request 2 ID 147 with timestamp +11
Cleaning up request 3 ID 148 with timestamp +11
Cleaning up request 4 ID 149 with timestamp +11
Cleaning up request 5 ID 150 with timestamp +11
Cleaning up request 6 ID 151 with timestamp +11
Cleaning up request 7 ID 152 with timestamp +11
Waking up in 0.9 seconds.
Cleaning up request 8 ID 153 with timestamp +11
Ready to process requests.
I am really new to this RADIUS business and would really appreciate it if somebody could point me in the right direction.
Thanks very much!
Tomas
More information about the Freeradius-Users mailing list
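The inner-tunnel part of the debug output above is where the reject originates: rlm_files matched a users entry for AD\tomas (line 206), so rlm_mschap verified the MS-CHAPv2 response against a locally stored NT-Password instead of asking ntlm_auth, logged "NT Domain delimeter found, should we have enabled with_ntdomain_hack?", and failed with E=691. The following Go program is an added worked example, not code from the post or from FreeRADIUS: it implements the MS-CHAPv2 NT-Response computation of RFC 2759 (NtPasswordHash, ChallengeHash, ChallengeResponse) and shows why a response computed by a Windows supplicant, which hashes only the bare user name even though it sends "AD\tomas" as its identity, does not verify when the server feeds the full "AD\tomas" into ChallengeHash, but does verify once the domain prefix is stripped, which is what with_ntdomain_hack = yes does. The password, the two challenges and the function names VerifyNTResponse and the ntDomainHack flag are constructed for the example; MD4 is implemented inline because Go's standard library does not ship it.

```go
package main

import (
	"bytes"
	"crypto/des"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"strings"
	"unicode/utf16"
)

// md4 implements RFC 1320 MD4, which Go's standard library does not provide.
func md4(data []byte) []byte {
	msg := append(append([]byte{}, data...), 0x80)
	for len(msg)%64 != 56 {
		msg = append(msg, 0)
	}
	msg = append(msg, make([]byte, 8)...)
	binary.LittleEndian.PutUint64(msg[len(msg)-8:], uint64(len(data))*8)
	a, b, c, d := uint32(0x67452301), uint32(0xefcdab89), uint32(0x98badcfe), uint32(0x10325476)
	rotl := func(v uint32, s uint) uint32 { return v<<s | v>>(32-s) }
	s1, s2, s3 := [4]uint{3, 7, 11, 19}, [4]uint{3, 5, 9, 13}, [4]uint{3, 9, 11, 15}
	k3 := [16]int{0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15}
	for off := 0; off < len(msg); off += 64 {
		var x [16]uint32
		for j := range x {
			x[j] = binary.LittleEndian.Uint32(msg[off+4*j:])
		}
		aa, bb, cc, dd := a, b, c, d
		for i := 0; i < 16; i++ { // round 1: F = (B and C) or (not B and D)
			a = rotl(a+((b&c)|(^b&d))+x[i], s1[i%4])
			a, b, c, d = d, a, b, c
		}
		for i := 0; i < 16; i++ { // round 2: G = majority(B, C, D), column order of X
			a = rotl(a+((b&c)|(b&d)|(c&d))+x[(i%4)*4+i/4]+0x5a827999, s2[i%4])
			a, b, c, d = d, a, b, c
		}
		for i := 0; i < 16; i++ { // round 3: H = B xor C xor D
			a = rotl(a+(b^c^d)+x[k3[i]]+0x6ed9eba1, s3[i%4])
			a, b, c, d = d, a, b, c
		}
		a, b, c, d = a+aa, b+bb, c+cc, d+dd
	}
	out := make([]byte, 16)
	for i, v := range [4]uint32{a, b, c, d} {
		binary.LittleEndian.PutUint32(out[4*i:], v)
	}
	return out
}

// NtPasswordHash (RFC 2759 8.3): MD4 over the password encoded as UTF-16LE.
func NtPasswordHash(password string) []byte {
	var buf []byte
	for _, cu := range utf16.Encode([]rune(password)) {
		buf = append(buf, byte(cu), byte(cu>>8))
	}
	return md4(buf)
}

// ChallengeHash (RFC 2759 8.2): the user name is part of the hashed input, which is the whole point.
func ChallengeHash(peerChallenge, authChallenge []byte, userName string) []byte {
	sum := sha1.Sum(append(append(append([]byte{}, peerChallenge...), authChallenge...), userName...))
	return sum[:8]
}

// ChallengeResponse (RFC 2759 8.5): zero-pad the NT hash to 21 bytes and DES-encrypt the challenge under each 7-byte third, spread over 8 key bytes with the parity bit in the LSB.
func ChallengeResponse(challenge, pwHash []byte) []byte {
	z := make([]byte, 21)
	copy(z, pwHash)
	var resp []byte
	for i := 0; i < 21; i += 7 {
		bits := binary.BigEndian.Uint64(append([]byte{0}, z[i:i+7]...))
		var key [8]byte
		for j := range key {
			key[j] = byte(bits>>(49-7*uint(j))&0x7f) << 1
		}
		block, _ := des.NewCipher(key[:]) // an 8-byte key cannot fail
		resp = append(resp, make([]byte, 8)...)
		block.Encrypt(resp[len(resp)-8:], challenge)
	}
	return resp
}

// VerifyNTResponse mirrors rlm_mschap checking a response against a stored NT-Password; ntDomainHack models with_ntdomain_hack = yes, which drops everything up to the backslash.
func VerifyNTResponse(authChallenge, peerChallenge, ntResponse, pwHash []byte, userName string, ntDomainHack bool) bool {
	if i := strings.IndexByte(userName, '\\'); ntDomainHack && i >= 0 {
		userName = userName[i+1:]
	}
	return bytes.Equal(ChallengeResponse(ChallengeHash(peerChallenge, authChallenge, userName), pwHash), ntResponse)
}

func main() {
	// Constructed sample (not from the post): the user name from the log, a made-up password and challenges.
	auth, peer := []byte("0123456789abcdef"), []byte("fedcba9876543210")
	pwHash := NtPasswordHash("Winter2009")
	resp := ChallengeResponse(ChallengeHash(peer, auth, "tomas"), pwHash) // a Windows client hashes the bare name
	fmt.Println(VerifyNTResponse(auth, peer, resp, pwHash, `AD\tomas`, false)) // false: the log's E=691 case
	fmt.Println(VerifyNTResponse(auth, peer, resp, pwHash, `AD\tomas`, true))  // true: with_ntdomain_hack = yes
}
```

Two things worth checking against the log when reproducing this: first, whether the users file entry at line 206 is meant to be there at all, since as long as it supplies an NT-Password the AD lookup through ntlm_auth is never reached; second, whether with_ntdomain_hack is set in the mschap module, because the same user-name mismatch shown here reproduces E=691 regardless of where the hash comes from. The implementation can be checked against the test vectors in RFC 2759 section 9.2.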