FreeRADIUS and Active Directory
Tomas
tomas.radius at googlemail.com
Thu Feb 19 18:11:47 CET 2009
On Thu, 2009-02-19 at 10:23 -0600, Mike Loosbrock wrote:
> Tomas, it sounds like you want the following behavior:
>
> 1.) machine boots up
> 2.) machine 802.1x authenticates, opening switch port for AD
> communication
> 3.) user enters credentials into OS login screen
> 4.) machine authenticates user against AD
> 5.) machine does a 802.1x re-auth with the user's credentials
>
> Windows does support this and (surprise) it actually works well.
> Assuming you're using the native Windows 802.1x supplicant and have
> the non-domain case working, you can get the above behavior by
> enabling the following options in the supplicant: (how you do this
> varies a bit across Windows versions)
>
> 'Authenticate as computer when computer information is available'
> 'Automatically use my Windows logon name and password (and domain if
> any)'
Mike,
Thanks for your mail. I was ticking all the options and seeing what was in
the output; now that you have said it, it all makes sense.
I was missing the step where the machine authenticates to allow the user to
communicate with AD, and then once the user has logged on it re-authenticates
using the user credentials. I tried this option and RADIUS does pick it up;
this is the radiusd -X dump from when the computer provides host
credentials:
rad_recv: Access-Request packet from host 192.168.0.50 port 1024, id=69,
length=241
Framed-MTU = 1480
NAS-IP-Address = 192.168.0.50
NAS-Identifier = "HP ProCurve Switch 2824"
User-Name = "host/PC1.ad.lab.com"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 1
NAS-Port-Type = Ethernet
NAS-Port-Id = "1"
Called-Station-Id = "00-11-0a-fe-a9-3f"
Calling-Station-Id = "00-17-a4-4e-77-47"
Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex"
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "1"
EAP-Message = 0x0202001801686f73742f5043312e61642e6c61622e636f6d
Message-Authenticator = 0x776191bf1a6b8a58e704fcc7f112ed60
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "host/PC1.ad.lab.com", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 24
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 172
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 69 to 192.168.0.50 port 1024
Framed-Protocol = PPP
Framed-Compression = Van-Jacobson-TCP-IP
EAP-Message = 0x010300061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0afa11ec0af9084d66de98b8605bce83
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.0.50 port 1024, id=70, length=315
Framed-MTU = 1480
NAS-IP-Address = 192.168.0.50
NAS-Identifier = "HP ProCurve Switch 2824"
User-Name = "host/PC1.ad.lab.com"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 1
NAS-Port-Type = Ethernet
NAS-Port-Id = "1"
Called-Station-Id = "00-11-0a-fe-a9-3f"
Calling-Station-Id = "00-17-a4-4e-77-47"
Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex"
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "1"
State = 0x0afa11ec0af9084d66de98b8605bce83
EAP-Message = 0x0203005019800000004616030100410100003d0301499d8a5a7d404fc4ab8f844caf1a6187a856c227b0377058d45002bbdd6e2c1000001600040005000a000900640062000300060013001200630100
Message-Authenticator = 0x241c09d55aa981883ee4362b927d07de
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "host/PC1.ad.lab.com", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 80
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 70
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 0041], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 002a], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 085e], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 70 to 192.168.0.50 port 1024
EAP-Message = 0xdf4fd855dfabba9ffe67ebc9ef0772e1036cc8fd8c275e0eae813442b6bf713746f7caa8af848002c6edfa5596eab50667945e95a7e7befaf1139d04ed6a453c062b1e4849b21597302c4c730ef9b69e6934d8336d607baf2c61b9cf544b58d2633d34804e705a1c675be9887f32e0d677317e3635c17f65c18bcd6c8b3033d351dfa77b36ea7feca91b41a707ca37452102f40a18a0832dcdc4cd8a5a2c01e4c8a62bdce1f0b886193c155ef4c8bbbf8ad66d51573c6eb0a21966d47ac9c1a5f4230203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d01010405000382010100352858d2b93777f989
EAP-Message = 0xa73082038fa0030201020209
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0afa11ec0bfe084d66de98b8605bce83
Finished request 1.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 192.168.0.50 port 1024, id=71, length=241
Framed-MTU = 1480
NAS-IP-Address = 192.168.0.50
NAS-Identifier = "HP ProCurve Switch 2824"
User-Name = "host/PC1.ad.lab.com"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 1
NAS-Port-Type = Ethernet
NAS-Port-Id = "1"
Called-Station-Id = "00-11-0a-fe-a9-3f"
Calling-Station-Id = "00-17-a4-4e-77-47"
Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex"
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "1"
State = 0x0afa11ec0bfe084d66de98b8605bce83
EAP-Message = 0x020400061900
Message-Authenticator = 0x754b846a5d7bac3eca4db244a105c150
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "host/PC1.ad.lab.com", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 4 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 71 to 192.168.0.50 port 1024
EAP-Message = 0x010503fc19400094a001b5eb25441d300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3039303131393134333032365a170d3130303131393134333032365a308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504
EAP-Message = 0x5f8391f0cafc40c7
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0afa11ec08ff084d66de98b8605bce83
Finished request 2.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 192.168.0.50 port 1024, id=72, length=241
Framed-MTU = 1480
NAS-IP-Address = 192.168.0.50
NAS-Identifier = "HP ProCurve Switch 2824"
User-Name = "host/PC1.ad.lab.com"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 1
NAS-Port-Type = Ethernet
NAS-Port-Id = "1"
Called-Station-Id = "00-11-0a-fe-a9-3f"
Calling-Station-Id = "00-17-a4-4e-77-47"
Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex"
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "1"
State = 0x0afa11ec08ff084d66de98b8605bce83
EAP-Message = 0x020500061900
Message-Authenticator = 0x7200ea239f30f92d11b58c76655ad4fb
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "host/PC1.ad.lab.com", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 5 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 72 to 192.168.0.50 port 1024
EAP-Message = 0x010600b51900290a8a1becaa5f95acd275a8b07d4ce8e2b56745877efd21ca5cee0c39bd7e66d625688c05a22f43c49f90c057109d12adf008cfe513d4219f84bcd4e123caf1548e368bff658efb2f8c8c674a2e5ec896136ea044eeef99fd52220ecb2ee8192aeacb6bac2e30b29b670e2532924a6cd60dae38584514d46c38e550a52dd719060d7468bc87833fc6e65fba911ee8610e5ca515ecf58705dee114e2954fced9276ff4e6356f16030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0afa11ec09fc084d66de98b8605bce83
Finished request 3.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 192.168.0.50 port 1024, id=73, length=557
Framed-MTU = 1480
NAS-IP-Address = 192.168.0.50
NAS-Identifier = "HP ProCurve Switch 2824"
User-Name = "host/PC1.ad.lab.com"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 1
NAS-Port-Type = Ethernet
NAS-Port-Id = "1"
Called-Station-Id = "00-11-0a-fe-a9-3f"
Calling-Station-Id = "00-17-a4-4e-77-47"
Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex"
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "1"
State = 0x0afa11ec09fc084d66de98b8605bce83
EAP-Message = 0xef755b865824774bb734b3c2f218a0ad56ae8eab81f7b98d1403010001011603010020c0f20daf8800695c5f253ff3ec26d5626dc59e775f59146cab0c6bc20acca753
Message-Authenticator = 0x3b50b4e11df88b6c16d59122cd3faaf9
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "host/PC1.ad.lab.com", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 6 length 253
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 310
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange
[peap] TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap] TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 write finished A
[peap] TLS_accept: SSLv3 flush data
[peap] (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 73 to 192.168.0.50 port 1024
EAP-Message = 0x01070031190014030100010116030100202c741f5c88031ac271a7f0d07e7620d7d88bcd2ec486b8192b2c4819bfbe399d
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0afa11ec0efd084d66de98b8605bce83
Finished request 4.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 192.168.0.50 port 1024, id=74, length=241
Framed-MTU = 1480
NAS-IP-Address = 192.168.0.50
NAS-Identifier = "HP ProCurve Switch 2824"
User-Name = "host/PC1.ad.lab.com"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 1
NAS-Port-Type = Ethernet
NAS-Port-Id = "1"
Called-Station-Id = "00-11-0a-fe-a9-3f"
Calling-Station-Id = "00-17-a4-4e-77-47"
Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex"
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "1"
State = 0x0afa11ec0efd084d66de98b8605bce83
EAP-Message = 0x020700061900
Message-Authenticator = 0x836425394ba770ff12cb284673a5e7f4
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "host/PC1.ad.lab.com", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 7 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
++[eap] returns handled
Sending Access-Challenge of id 74 to 192.168.0.50 port 1024
EAP-Message = 0x01080020190017030100158ddb5d04f12d39356ecbda6080235bad81d9d8ec7d
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0afa11ec0ff2084d66de98b8605bce83
Finished request 5.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 192.168.0.50 port 1024, id=75, length=282
Framed-MTU = 1480
NAS-IP-Address = 192.168.0.50
NAS-Identifier = "HP ProCurve Switch 2824"
User-Name = "host/PC1.ad.lab.com"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 1
NAS-Port-Type = Ethernet
NAS-Port-Id = "1"
Called-Station-Id = "00-11-0a-fe-a9-3f"
Calling-Station-Id = "00-17-a4-4e-77-47"
Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex"
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "1"
State = 0x0afa11ec0ff2084d66de98b8605bce83
EAP-Message = 0x0208002f19001703010024983cfbd91304532cb0b0939d4d772c3e6c3d20d8b69de28f1f3cf4924ea0a7693c322c6b
Message-Authenticator = 0x7f75ae3a85f1a2bdace3ca4bc5464379
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "host/PC1.ad.lab.com", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 8 length 47
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Identity - host/PC1.ad.lab.com
[peap] Got tunneled request
EAP-Message = 0x0208001801686f73742f5043312e61642e6c61622e636f6d
server {
PEAP: Got tunneled identity of host/PC1.ad.lab.com
PEAP: Setting default EAP type for tunneled EAP session.
PEAP: Setting User-Name to host/PC1.ad.lab.com
Sending tunneled request
EAP-Message = 0x0208001801686f73742f5043312e61642e6c61622e636f6d
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "host/PC1.ad.lab.com"
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "host/PC1.ad.lab.com", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 8 length 24
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
EAP-Message = 0x0109002d1a0109002810f5213060b5e6a38d27ae3961f3d34ee0686f73742f5043312e61642e6c61622e636f6d
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xb08a8815b08392f63ecb6ffeec36b954
[peap] Got tunneled reply RADIUS code 11
EAP-Message = 0x0109002d1a0109002810f5213060b5e6a38d27ae3961f3d34ee0686f73742f5043312e61642e6c61622e636f6d
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xb08a8815b08392f63ecb6ffeec36b954
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 75 to 192.168.0.50 port 1024
EAP-Message = 0x0109004419001703010039f9c7f47443128903a5e5a22ede2d1aaec9668c2fd70d46c81b18a00c363273462985c798989290e6b211f69ff0403f525dafad780de72e1866
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0afa11ec0cf3084d66de98b8605bce83
Finished request 6.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 192.168.0.50 port 1024, id=76, length=336
Framed-MTU = 1480
NAS-IP-Address = 192.168.0.50
NAS-Identifier = "HP ProCurve Switch 2824"
User-Name = "host/PC1.ad.lab.com"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 1
NAS-Port-Type = Ethernet
NAS-Port-Id = "1"
Called-Station-Id = "00-11-0a-fe-a9-3f"
Calling-Station-Id = "00-17-a4-4e-77-47"
Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex"
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "1"
State = 0x0afa11ec0cf3084d66de98b8605bce83
EAP-Message = 0x020900651900170301005a1b964fc1f42dc9e5bb99bf5516c1b7c4ce78e5beb05a42e9b322057dae200118db520386410c1c57e55d502731a8ddffcc1c7afca094ae7e096e19937333c547200c1aa9b9ceee4a7bc0620d5f9abe3dcd83f9247522c611cfbc
Message-Authenticator = 0x2fa9e102cac1e2270c3f4e400ae6843e
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "host/PC1.ad.lab.com", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 9 length 101
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] EAP type mschapv2
[peap] Got tunneled request
EAP-Message = 0x0209004e1a0209004931a17d769cab8bd37e3959ebc65ebb59660000000000000000559d2b1923d94810ff460021cedd68b8f7781c6897efa07200686f73742f5043312e61642e6c61622e636f6d
server {
PEAP: Setting User-Name to host/PC1.ad.lab.com
Sending tunneled request
EAP-Message = 0x0209004e1a0209004931a17d769cab8bd37e3959ebc65ebb59660000000000000000559d2b1923d94810ff460021cedd68b8f7781c6897efa07200686f73742f5043312e61642e6c61622e636f6d
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "host/PC1.ad.lab.com"
State = 0xb08a8815b08392f63ecb6ffeec36b954
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "host/PC1.ad.lab.com", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 9 length 78
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for host/PC1.ad.lab.com with NT-Password
[mschap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
[mschap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
[mschap] expand: --username=%{Stripped-User-Name:-%{User-Name:-None}} -> --username=host/PC1.ad.lab.com
[mschap] mschap2: f5
[mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=ef47e24d23623e97
[mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=559d2b1923d94810ff460021cedd68b8f7781c6897efa072
Exec-Program output: Logon failure (0xc000006d)
Exec-Program-Wait: plaintext: Logon failure (0xc000006d)
Exec-Program: returned: 1
[mschap] External script failed.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
} # server inner-tunnel
[peap] Got tunneled reply code 3
MS-CHAP-Error = "\tE=691 R=1"
EAP-Message = 0x04090004
Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code 3
MS-CHAP-Error = "\tE=691 R=1"
EAP-Message = 0x04090004
Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] returns handled
Sending Access-Challenge of id 76 to 192.168.0.50 port 1024
EAP-Message = 0x010a00261900170301001b0bfeccd328b5dc469dcf83e1b9d348eb615a7ac5bf99afb97bdc16
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0afa11ec0df0084d66de98b8605bce83
Finished request 7.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 192.168.0.50 port 1024, id=77, length=273
Framed-MTU = 1480
NAS-IP-Address = 192.168.0.50
NAS-Identifier = "HP ProCurve Switch 2824"
User-Name = "host/PC1.ad.lab.com"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 1
NAS-Port-Type = Ethernet
NAS-Port-Id = "1"
Called-Station-Id = "00-11-0a-fe-a9-3f"
Calling-Station-Id = "00-17-a4-4e-77-47"
Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex"
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "1"
State = 0x0afa11ec0df0084d66de98b8605bce83
EAP-Message = 0x020a00261900170301001b0e5f0e679c59798c9e65fd41ac3a3b0cf1fff77179ba6a12d58168
Message-Authenticator = 0x82b00465e77de1d0c986cc30f34fd571
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "host/PC1.ad.lab.com", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 10 length 38
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Received EAP-TLV response.
[peap] Had sent TLV failure. User was rejected earlier in this session.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> host/PC1.ad.lab.com
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 8 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 8
Sending Access-Reject of id 77 to 192.168.0.50 port 1024
EAP-Message = 0x040a0004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.7 seconds.
Cleaning up request 0 ID 69 with timestamp +63
Waking up in 0.1 seconds.
Cleaning up request 1 ID 70 with timestamp +63
Cleaning up request 2 ID 71 with timestamp +63
Cleaning up request 3 ID 72 with timestamp +63
Cleaning up request 4 ID 73 with timestamp +63
Cleaning up request 5 ID 74 with timestamp +63
Cleaning up request 6 ID 75 with timestamp +63
Cleaning up request 7 ID 76 with timestamp +63
Waking up in 0.9 seconds.
Cleaning up request 8 ID 77 with timestamp +63
Ready to process requests.
Do I need to change my modules/mschap config? Currently I have:
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
Thanks ever so much for your help!
Regards,
Tomas
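The inner-tunnel rejection in the dump above (ntlm_auth's `Logon failure (0xc000006d)` and the tunneled `MS-CHAP-Error` with E=691) can be pulled out of a `radiusd -X` dump mechanically. The parser below is an added example for this thread, not code from the list or from FreeRADIUS; it assumes the FreeRADIUS 2.x debug line formats shown above, embeds a constructed excerpt of the dump as its input, and its hint that an AD computer account is named `NAME$` rather than `host/FQDN` is a general Active Directory fact offered as a diagnostic pointer, not the fix the thread arrived at.

```python
"""Summarise a FreeRADIUS `radiusd -X` dump of a PEAP/MS-CHAPv2 802.1X session.

Added example for this thread; not FreeRADIUS code. It reads the debug text
and reports why the inner-tunnel (ntlm_auth) authentication failed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# RFC 2759 section 6 MS-CHAPv2 failure codes (the "E=" value in MS-CHAP-Error).
MSCHAP_ERRORS = {
    646: "ERROR_RESTRICTED_LOGON_HOURS", 647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED", 649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE", 709: "ERROR_CHANGING_PASSWORD",
}
# NTSTATUS values ntlm_auth prints in "Logon failure (0x...)".
NTSTATUS = {
    0xC000006D: "STATUS_LOGON_FAILURE", 0xC0000064: "STATUS_NO_SUCH_USER",
    0xC000006E: "STATUS_ACCOUNT_RESTRICTION", 0xC000006F: "STATUS_INVALID_LOGON_HOURS",
    0xC0000071: "STATUS_PASSWORD_EXPIRED", 0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}

# Constructed excerpt of the dump quoted in the post (only the lines we need).
SAMPLE_DEBUG = """\
rad_recv: Access-Request packet from host 192.168.0.50 port 1024, id=76, length=336
User-Name = "host/PC1.ad.lab.com"
Calling-Station-Id = "00-17-a4-4e-77-47"
server inner-tunnel {
[mschap] Told to do MS-CHAPv2 for host/PC1.ad.lab.com with NT-Password
[mschap] expand: --username=%{Stripped-User-Name:-%{User-Name:-None}} -> --username=host/PC1.ad.lab.com
Exec-Program output: Logon failure (0xc000006d)
[mschap] FAILED: MS-CHAP2-Response is incorrect
} # server inner-tunnel
[peap] Got tunneled reply code 3
MS-CHAP-Error = "\\tE=691 R=1"
Sending Access-Challenge of id 76 to 192.168.0.50 port 1024
[peap] Had sent TLV failure. User was rejected earlier in this session.
Sending Access-Reject of id 77 to 192.168.0.50 port 1024
"""

@dataclass
class Session:
    user_name: Optional[str] = None
    calling_station: Optional[str] = None
    ntlm_username: Optional[str] = None   # the name mschap actually handed to ntlm_auth
    ntstatus: Optional[int] = None
    mschap_error: Optional[int] = None
    final: Optional[str] = None           # "Access-Accept" or "Access-Reject"

_RE = {
    "user": re.compile(r'^\s*User-Name = "([^"]*)"'),
    "mac": re.compile(r'^\s*Calling-Station-Id = "([^"]*)"'),
    "ntlm": re.compile(r'--username=\S+ -> --username=(\S+)$'),
    "status": re.compile(r'Exec-Program output: .*\((0x[0-9a-fA-F]{8})\)'),
    "mserr": re.compile(r'MS-CHAP-Error = ".*E=(\d+)'),
    "final": re.compile(r'^Sending (Access-Accept|Access-Reject) of id'),
}

def parse_debug(text: str) -> Session:
    """Walk the dump line by line, keeping the first identity and the last outcome."""
    s = Session()
    for line in text.splitlines():
        if (m := _RE["user"].match(line)) and s.user_name is None:
            s.user_name = m.group(1)
        elif m := _RE["mac"].match(line):
            s.calling_station = m.group(1)
        elif m := _RE["ntlm"].search(line):
            s.ntlm_username = m.group(1)
        elif m := _RE["status"].search(line):
            s.ntstatus = int(m.group(1), 16)
        elif m := _RE["mserr"].search(line):
            s.mschap_error = int(m.group(1))
        elif m := _RE["final"].match(line):
            s.final = m.group(1)
    return s

def diagnose(s: Session) -> List[str]:
    """Turn the parsed fields into findings an operator can act on."""
    out = []
    if s.ntstatus is not None:
        out.append(f"ntlm_auth: {NTSTATUS.get(s.ntstatus, 'unknown NTSTATUS')} (0x{s.ntstatus:08x})")
    if s.mschap_error is not None:
        out.append(f"inner tunnel: MS-CHAP E={s.mschap_error} {MSCHAP_ERRORS.get(s.mschap_error, '?')}")
    if s.ntlm_username and s.ntlm_username.startswith("host/"):
        # AD names a computer account NAME$, so ntlm_auth saw the raw 802.1X identity,
        # not the account name (assumption: no rewrite rule in the quoted config).
        short = s.ntlm_username[len("host/"):].split(".")[0]
        out.append(f"ntlm_auth got raw machine identity {s.ntlm_username!r}; AD account is {short}$")
    if s.final:
        out.append(f"final reply: {s.final} for {s.calling_station}")
    return out
```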