802.1x problems
Keith Ledford
kledford at uga.edu
Thu Jan 15 15:31:45 CET 2009
Hello all,

I am having some issues with setting up 802.1x using freeradius-server-2.1.1-2.el5. I have 3 SSIDs set up. One of them is doing MAC auth against a file, one is using LDAP auth and the other is set up to use 802.1x. MAC auth and LDAP auth work great, so I know my LDAP config in radius should be set up correctly. It looks like the authorize part of 802.1x works but it fails during the authenticate part. Does anyone see what I have messed up? I am sure it is something simple that I am overlooking. I am using Windows XP SP3 to try to connect to this network. My wireless network is all Cisco LWAPP APs connecting to Cisco WLAN controllers and we use Cisco WCS to manage all of these devices. I am trying to set up a secure network using WPA and WPA2 with 802.1x using EAP-PEAP.

The message

'WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?'

also shows up on the non-802.1x LDAP auth WLAN that works. Let me know if more detail is needed.

TIA!
Config file snippets:
authorize {
  preprocess
  chap
  mschap
  suffix
  eap {
    ok = return
  }
  unix
  files
  ldap
  ldap_all_myids
  expiration
  logintime
  pap
}

authenticate {
  Auth-Type PAP {
    pap
  }
  Auth-Type CHAP {
    chap
  }
  Auth-Type MS-CHAP {
    mschap
  }
  unix
  Auth-Type LDAP {
    ldap
  }
  Auth-Type LDAP_ALL_MYIDS {
    ldap_all_myids
  }
  eap
}

ldap ldap_all_myids {
  server = "localhost"
  identity = "cn=blah,ou=something,o=uga"
  password = "my_pass"
  basedn = "ou=users,o=uga"
  filter = "(cn=%u)"
  start_tls = no
  tls_mode = no
  # access_attr = "dialupAccess"
  access_attr = "ugaelmkprov"
  dictionary_mapping = ${raddbdir}/ldap.attrmap
  ldap_connections_number = 5
  timeout = 4
  timelimit = 3
  net_timeout = 1
}

eap {
  default_eap_type = peap
  timer_expire = 60
  ignore_unknown_eap_types = no
  cisco_accounting_username_bug = no
  max_sessions = 2048
  md5 {
  }
  leap {
  }
  gtc {
    auth_type = PAP
  }
  tls {
    certdir = ${confdir}/certs
    cadir = ${confdir}/certs
    private_key_password = whatever
    private_key_file = ${certdir}/server.pem
    certificate_file = ${certdir}/server.pem
    CA_file = ${cadir}/ca.pem
    dh_file = ${certdir}/dh
    random_file = ${certdir}/random
    cipher_list = "DEFAULT"
    make_cert_command = "${certdir}/bootstrap"
    cache {
      enable = no
      max_entries = 255
    }
  }
  ttls {
    default_eap_type = md5
    copy_request_to_tunnel = no
    use_tunneled_reply = no
    virtual_server = "inner-tunnel"
  }
  peap {
    default_eap_type = mschapv2
    copy_request_to_tunnel = no
    use_tunneled_reply = no
    virtual_server = "inner-tunnel"
  }
  mschapv2 {
  }
}
Log file:
rad_recv: Access-Request packet from host 172.17.6.205 port 32770, id=191, length=181
User-Name = "kledford"
Calling-Station-Id = "00-11-95-D9-07-77"
Called-Station-Id = "00-1F-9E-CE-2D-70:PAWS-Secure"
NAS-Port = 29
NAS-IP-Address = 172.17.6.205
NAS-Identifier = "South6"
Airespace-Wlan-Id = 3
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "1999"
EAP-Message = 0x020b000d016b6c6564666f7264
Message-Authenticator = 0xb4fdd87de3f264b7a28bd05a07ceae23
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "kledford", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 11 length 13
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
[ldap] performing user authorization for kledford
[ldap] expand: (&(|(eduPersonAffiliation=Staff)(eduPersonAffiliation=Faculty))(cn=%u)) -> (&(|(eduPersonAffiliation=Staff)(eduPersonAffiliation=Faculty))(cn=kledford))
[ldap] expand: ou=users,o=uga -> ou=users,o=uga
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=users,o=uga, with filter (&(|(eduPersonAffiliation=Staff)(eduPersonAffiliation=Faculty))(cn=kledford))
rlm_ldap: ldap_search() failed: LDAP connection lost.
rlm_ldap: Attempting reconnect
rlm_ldap: attempting LDAP reconnection
rlm_ldap: closing existing LDAP connection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as cn=cousteau-apache,ou=EDSAdmins,o=uga/my_pass to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=users,o=uga, with filter (&(|(eduPersonAffiliation=Staff)(eduPersonAffiliation=Faculty))(cn=kledford))
[ldap] checking if remote access for kledford is allowed by ugaelmkprov
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
[ldap] user kledford authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
[ldap_all_myids] performing user authorization for kledford
[ldap_all_myids] expand: (cn=%u) -> (cn=kledford)
[ldap_all_myids] expand: ou=users,o=uga -> ou=users,o=uga
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=users,o=uga, with filter (cn=kledford)
rlm_ldap: ldap_search() failed: LDAP connection lost.
rlm_ldap: Attempting reconnect
rlm_ldap: attempting LDAP reconnection
rlm_ldap: closing existing LDAP connection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as cn=cousteau-apache,ou=EDSAdmins,o=uga/my_pass to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=users,o=uga, with filter (cn=kledford)
[ldap_all_myids] checking if remote access for kledford is allowed by ugaelmkprov
[ldap_all_myids] No default NMAS login sequence
[ldap_all_myids] looking for check items in directory...
[ldap_all_myids] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
[ldap_all_myids] user kledford authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap_all_myids] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 191 to 172.17.6.205 port 32770
EAP-Message = 0x010c00061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0282fb8e028ee22c7ff0f6bedc08a825
Finished request 70.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.17.6.205 port 32770, id=192, length=266
User-Name = "kledford"
Calling-Station-Id = "00-11-95-D9-07-77"
Called-Station-Id = "00-1F-9E-CE-2D-70:PAWS-Secure"
NAS-Port = 29
NAS-IP-Address = 172.17.6.205
NAS-Identifier = "South6"
Airespace-Wlan-Id = 3
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "1999"
EAP-Message = 0x020c005019800000004616030100410100003d0301496f410ff8ee077ce9d259abb7f81ed6db2ea758cffee4e7ad7eb61b95e8329a00001600040005000a000900640062000300060013001200630100
State = 0x0282fb8e028ee22c7ff0f6bedc08a825
Message-Authenticator = 0x2f08e7cd6b50bc98da1db2daf64fc80f
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "kledford", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 12 length 80
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 70
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 0041], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 002a], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 085e], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 192 to 172.17.6.205 port 32770
EAP-Message = 0x9db9b1e524130f431f8d31d979c3c9cb9d01dfa19eacaa8bf1354d77b8431d571e12011a22f5adb109c8336191a861f9ee34a0f51c5d8991bd8feddac68ffac0ede52e5e9bd3efc17b6924e9bf4ec4944dda2bb48c10680ac49473dd2c474637c05c0594ec984f91468614a00e16547cb1b4227fe0b554a45d93852b09
EAP-Message = 0x69eba10c49200443
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0282fb8e008ce22c7ff0f6bedc08a825
Finished request 72.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 172.17.6.205 port 32770, id=194, length=192
User-Name = "kledford"
Calling-Station-Id = "00-11-95-D9-07-77"
Called-Station-Id = "00-1F-9E-CE-2D-70:PAWS-Secure"
NAS-Port = 29
NAS-IP-Address = 172.17.6.205
NAS-Identifier = "South6"
Airespace-Wlan-Id = 3
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "1999"
EAP-Message = 0x020e00061900
State = 0x0282fb8e008ce22c7ff0f6bedc08a825
Message-Authenticator = 0x4aa592830ab1a5ab74e9a9a007187cb3
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "kledford", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 14 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 194 to 172.17.6.205 port 32770
EAP-Message = 0x010f00b51900dbe740ea1ac0356d73325c3b4862b3d7de03f02a23dba6bca2f6f1b797a90fbf5218a80d927bb8db9704876c522721d2a501828d7bbe23987b3f9f1232f56c98240d6e7810db793c7dd5e34daf5cf4299daa19393ea7ca3fc824447b57a62db54a622b8245942bc900cb982216c393a912b5ec346076e6044863de5249f31e319e8a0e876937e0b3520514fc00e3072659bbb89957d1322ad32aa4cbcb9418749803eb4310ae16030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0282fb8e018de22c7ff0f6bedc08a825
Finished request 73.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 172.17.6.205 port 32770, id=195, length=508
User-Name = "kledford"
Calling-Station-Id = "00-11-95-D9-07-77"
Called-Station-Id = "00-1F-9E-CE-2D-70:PAWS-Secure"
NAS-Port = 29
NAS-IP-Address = 172.17.6.205
NAS-Identifier = "South6"
Airespace-Wlan-Id = 3
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "1999"
EAP-Message = 0xcf4e92de1e4d6728808dbf8df54d4819c57dabf00e16984114030100010116030100205c95b90821f44df33871c079ce0448065b483c9ef6504c023bba98c997702759
State = 0x0282fb8e018de22c7ff0f6bedc08a825
Message-Authenticator = 0x441cfb0518eb1e533b6445ac9ce68d59
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "kledford", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 15 length 253
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 310
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange
[peap] TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap] TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 write finished A
[peap] TLS_accept: SSLv3 flush data
[peap] (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 195 to 172.17.6.205 port 32770
EAP-Message = 0x0110003119001403010001011603010020094cda7a332cef09766a43e6416115d88a0b0c2b9538c106d7a79530914df85b
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0282fb8e0692e22c7ff0f6bedc08a825
Finished request 74.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 172.17.6.205 port 32770, id=196, length=192
User-Name = "kledford"
Calling-Station-Id = "00-11-95-D9-07-77"
Called-Station-Id = "00-1F-9E-CE-2D-70:PAWS-Secure"
NAS-Port = 29
NAS-IP-Address = 172.17.6.205
NAS-Identifier = "South6"
Airespace-Wlan-Id = 3
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "1999"
EAP-Message = 0x021000061900
State = 0x0282fb8e0692e22c7ff0f6bedc08a825
Message-Authenticator = 0xb2541fc85b1ccd57fc7147c181c1f8b1
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "kledford", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 16 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
++[eap] returns handled
Sending Access-Challenge of id 196 to 172.17.6.205 port 32770
EAP-Message = 0x011100201900170301001563bc74883cd5e22b287fdc9866b0cf7b7527605d97
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0282fb8e0793e22c7ff0f6bedc08a825
Finished request 75.
Going to the next request
Waking up in 4.5 seconds.
rad_recv: Access-Request packet from host 172.17.6.205 port 32770, id=197, length=222
User-Name = "kledford"
Calling-Station-Id = "00-11-95-D9-07-77"
Called-Station-Id = "00-1F-9E-CE-2D-70:PAWS-Secure"
NAS-Port = 29
NAS-IP-Address = 172.17.6.205
NAS-Identifier = "South6"
Airespace-Wlan-Id = 3
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "1999"
EAP-Message = 0x0211002419001703010019cf021abfc4a36083c60b53cf5f495fc64fef8cb5cb08107c9a
State = 0x0282fb8e0793e22c7ff0f6bedc08a825
Message-Authenticator = 0x8249cfb08c9015d02c7dd9437b1ecd50
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "kledford", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 17 length 36
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Identity - kledford
[peap] Got tunnled request
EAP-Message = 0x0211000d016b6c6564666f7264
server (null) {
PEAP: Got tunneled identity of kledford
PEAP: Setting default EAP type for tunneled EAP session.
PEAP: Setting User-Name to kledford
Sending tunneled request
EAP-Message = 0x0211000d016b6c6564666f7264
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "kledford"
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "kledford", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 17 length 13
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
EAP-Message = 0x011200221a0112001d1054a490ba859f553d784df2dd0bde41906b6c6564666f7264
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x577c69d6576e7321a99fdce2c06ba398
[peap] Got tunneled reply RADIUS code 11
EAP-Message = 0x011200221a0112001d1054a490ba859f553d784df2dd0bde41906b6c6564666f7264
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x577c69d6576e7321a99fdce2c06ba398
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 197 to 172.17.6.205 port 32770
EAP-Message = 0x011200391900170301002e1f2e6251b0ee12c3a6be5147b62d32ff1e8f5b4d653c72d63b2f51095dd26c88d9e80b73c7c67e4d2642369bb7cf
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0282fb8e0490e22c7ff0f6bedc08a825
Finished request 76.
Going to the next request
Waking up in 4.5 seconds.
rad_recv: Access-Request packet from host 172.17.6.205 port 32770, id=198, length=276
User-Name = "kledford"
Calling-Station-Id = "00-11-95-D9-07-77"
Called-Station-Id = "00-1F-9E-CE-2D-70:PAWS-Secure"
NAS-Port = 29
NAS-IP-Address = 172.17.6.205
NAS-Identifier = "South6"
Airespace-Wlan-Id = 3
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "1999"
EAP-Message = 0x0212005a1900170301004fbe3681cc29c08c6a9cb7790dee6a2413b0ebc8473162dc85f362a9966ab531a0eb62ade6f69f550ca67d378fbff0e34767146eb3407c022ee9bd1e1939557fdd64cd99d5a77b130c13aeea3580be9f
State = 0x0282fb8e0490e22c7ff0f6bedc08a825
Message-Authenticator = 0x1d0b5a02f83fd064643cf8b17b61649e
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "kledford", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 18 length 90
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] EAP type mschapv2
[peap] Got tunnled request
EAP-Message = 0x021200431a0212003e31910199f838846ecebfb8b1996e431f9a0000000000000000977ba5a70d750315fe66e5f61e48aad8aad8d19f5b65eb8a006b6c6564666f7264
server (null) {
PEAP: Setting User-Name to kledford
Sending tunneled request
EAP-Message = 0x021200431a0212003e31910199f838846ecebfb8b1996e431f9a0000000000000000977ba5a70d750315fe66e5f61e48aad8aad8d19f5b65eb8a006b6c6564666f7264
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "kledford"
State = 0x577c69d6576e7321a99fdce2c06ba398
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "kledford", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 18 length 67
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for kledford with NT-Password
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
} # server inner-tunnel
[peap] Got tunneled reply code 3
MS-CHAP-Error = "\022E=691 R=1"
EAP-Message = 0x04120004
Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code 3
MS-CHAP-Error = "\022E=691 R=1"
EAP-Message = 0x04120004
Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] returns handled
Sending Access-Challenge of id 198 to 172.17.6.205 port 32770
EAP-Message = 0x011300261900170301001b7d7ecb9363773c2925be6270b36c1cc64746512b567f6487e27a4e
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0282fb8e0591e22c7ff0f6bedc08a825
Finished request 77.
Going to the next request
Waking up in 4.5 seconds.
rad_recv: Access-Request packet from host 172.17.6.205 port 32770, id=199, length=224
User-Name = "kledford"
Calling-Station-Id = "00-11-95-D9-07-77"
Called-Station-Id = "00-1F-9E-CE-2D-70:PAWS-Secure"
NAS-Port = 29
NAS-IP-Address = 172.17.6.205
NAS-Identifier = "South6"
Airespace-Wlan-Id = 3
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "1999"
EAP-Message = 0x021300261900170301001b989cf4d191ed8635a159d484e8b3ddcea284fc0177b8ed705dd9d8
State = 0x0282fb8e0591e22c7ff0f6bedc08a825
Message-Authenticator = 0xf942e38c5ad48d5f0723d8062283dcb2
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "kledford", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 19 length 38
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Received EAP-TLV response.
[peap] Had sent TLV failure. User was rejected earlier in this session.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> kledford
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 78 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 78
Sending Access-Reject of id 199 to 172.17.6.205 port 32770
EAP-Message = 0x04130004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.5 seconds.
Cleaning up request 70 ID 191 with timestamp +511079
Cleaning up request 71 ID 192 with timestamp +511080
Waking up in 0.1 seconds.
Cleaning up request 72 ID 193 with timestamp +511080
Cleaning up request 73 ID 194 with timestamp +511080
Cleaning up request 74 ID 195 with timestamp +511080
Waking up in 0.1 seconds.
Cleaning up request 75 ID 196 with timestamp +511080
Cleaning up request 76 ID 197 with timestamp +511080
Cleaning up request 77 ID 198 with timestamp +511080
Waking up in 1.0 seconds.
Cleaning up request 78 ID 199 with timestamp +511080
--
Keith Ledford <kledford AT uga DOT edu>
Network Administrator
EITS Network Engineering
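As an added illustration (not code from this thread, from the poster or from FreeRADIUS), the Python below models the two checks the log above makes visible: the bind-style LDAP check that needs nothing more than a yes/no from the directory, and the decision rlm_mschap logs inside the inner-tunnel before it can verify an MS-CHAPv2 response ("No Cleartext-Password configured. Cannot create NT-Password" / "No NT/LM-Password. Cannot perform authentication."). The sample directory, the user's sample password, the `password_is_readable` switch and all function names are assumptions made for this model; the NT-Password derivation (MD4 over the UTF-16LE password) is the real one.

```python
"""Why PEAP/MS-CHAPv2 needs a "known good" password on the RADIUS server.

Added illustration, not code from this thread or from FreeRADIUS. It models
two checks visible in the log above: an LDAP-bind style check, where the
directory only answers yes or no, and the rlm_mschap decision, which needs an
NT-Password (or a Cleartext-Password to derive one from). The directory
contents, user name and passwords are constructed sample data.
"""
import struct

MASK = 0xFFFFFFFF


def _lrot(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). Used instead of hashlib because OpenSSL 3
    builds often ship without the legacy provider that supplies md4."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)

    def F(x, y, z): return (x & y) | (~x & z)
    def G(x, y, z): return (x & y) | (x & z) | (y & z)
    def H(x, y, z): return x ^ y ^ z

    # (function, additive constant, per-step shifts, message-word order)
    rounds = (
        (F, 0x00000000, (3, 7, 11, 19), list(range(16))),
        (G, 0x5A827999, (3, 5, 9, 13), [(i % 4) * 4 + i // 4 for i in range(16)]),
        (H, 0x6ED9EBA1, (3, 9, 11, 15), [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    )
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        r = state[:]
        for func, const, shifts, order in rounds:
            for i in range(16):
                j = (-i) % 4                      # register updated: a, d, c, b, a, ...
                b, c, d = r[(j + 1) % 4], r[(j + 2) % 4], r[(j + 3) % 4]
                r[j] = _lrot((r[j] + func(b, c, d) + X[order[i]] + const) & MASK, shifts[i % 4])
        state = [(s + v) & MASK for s, v in zip(state, r)]
    return struct.pack("<4I", *state)


def nt_password(cleartext: str) -> str:
    """NT-Password as rlm_mschap derives it from Cleartext-Password:
    MD4 over the UTF-16LE encoding of the password, as upper-case hex."""
    return md4(cleartext.encode("utf-16-le")).hex().upper()


# Constructed sample directory. Like the thread's LDAP server it can confirm
# or deny a bind, but it does not hand the password back to RADIUS.
_DIRECTORY = {"kledford": "Sample-Pass-1"}


def ldap_bind_check(user: str, password: str) -> bool:
    """The Auth-Type LDAP / PAP path: the directory answers yes or no, so no
    "known good" password is needed on the RADIUS side."""
    return _DIRECTORY.get(user) == password


def rlm_ldap_authorize(user: str, password_is_readable: bool) -> dict:
    """What rlm_ldap leaves in the request's control list after authorize.
    A Cleartext-Password only appears when the directory lets the bind DN
    read the password attribute and ldap.attrmap maps it (assumption made
    for this model); otherwise nothing is added, which is what the warning
    'No "known good" password was found in LDAP' reports."""
    control = {}
    if password_is_readable and user in _DIRECTORY:
        control["Cleartext-Password"] = _DIRECTORY[user]
    return control


def rlm_mschap_decide(control: dict) -> tuple:
    """The checks rlm_mschap logs before it can verify an MS-CHAPv2 response.
    Returns (can_authenticate, message); adds NT-Password when derivable."""
    if "NT-Password" in control:
        return True, "Told to do MS-CHAPv2 with NT-Password"
    if "Cleartext-Password" in control:
        control["NT-Password"] = nt_password(control["Cleartext-Password"])
        return True, "NT-Password created from Cleartext-Password"
    return False, "No NT/LM-Password. Cannot perform authentication."


if __name__ == "__main__":
    print("bind check:", ldap_bind_check("kledford", "Sample-Pass-1"))
    print("mschap, password not readable:", rlm_mschap_decide(rlm_ldap_authorize("kledford", False)))
    print("mschap, password readable:", rlm_mschap_decide(rlm_ldap_authorize("kledford", True)))
```

The point the model makes is that the two WLANs are verifying passwords in different places: a PAP or bind-based LDAP check can succeed with nothing but the directory's answer, whereas an MS-CHAPv2 response can only be checked by a party that holds the NT hash, so the warning that is harmless on the bind-based WLAN becomes fatal inside the PEAP tunnel.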