Authentication Problem with PEAP and openldap

Michael Poser m.poser at rz.uni-frankfurt.de
Thu Jan 15 17:58:40 CET 2009


> smbencrypt is distributed with the server. Use it to check the
> password hash.

> Ivan Kalik
> Kalik Informatika ISP

The authentication is half finished. The hint about smbencrypt showed
that the stored NT passwords in our LDAP directory were wrong. The hint about
ldap.attrmap pointed to a wrong NT-Password mapping. Thanks a lot for the
help.

Now we are facing another problem:

1. We use the native Windows XP (SP2 + SP3) 802.1X client without checking
the box "Validate server certificate". Result: the authentication works.

2. We check the box, fill in the right DNS server name and select the right
Trusted Root CA. Result: the authentication fails.

3. We use a Macintosh with Leopard; the authentication works fine.

4. We use Windows XP (SP3) with an Odyssey client; the authentication works
fine.

The debug log of the failed authentication shows that something goes wrong
with the user data in the inner tunnel. There is no "rlm_eap_peap: Identity
- username". Instead it breaks with a "TLS Alert" and a "No data inside
the tunnel".

Our server certificate has the extended key usage
  PKIX serverAuth (OID: 1.3.6.1.5.5.7.3.1)
  PKIX clientAuth (OID: 1.3.6.1.5.5.7.3.2)

Any help is appreciated, 

best regards

  Michael
 
rad_recv: Access-Request packet from host 141.2.252.203:55558, id=60,
length=82
        User-Name = "nutzername"
        EAP-Message = 0x0200000b016d706f736572
        Message-Authenticator = 0x4f1d0d2973fdb38611ce6bfacb5846f2
        NAS-Identifier = "cb-jur-vc0-11og"
        NAS-Port-Type = Virtual
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "nutzername", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: EAP packet type response id 0 length 11
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 0
    users: Matched DEFAULT at 238
radius_xlat:  'nutzername'
  modcall[authorize]: module "files" returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for nutzername
radius_xlat:  '(uid=nutzername)'
radius_xlat:  'ou=raduser,ou=HRZ,o=bla,dc=bla,dc=de'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldaps://septimus.domain.de, authentication 0
rlm_ldap: setting TLS CACert File to /etc/openldap/cacerts/ca-bundle.crt
rlm_ldap: bind as uid=authproxy,o=bla,dc=bla,dc=de/geheim$ to
ldaps://septimus.domain.de
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=raduser,ou=HRZ,o=bla,dc=bla,dc=de, with
filter (uid=nutzername)
rlm_ldap: Added password 0x81.... in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding userPassword as NT-Password, value 0x81.... & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user nutzername authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 0
modcall: group authorize returns updated for request 0
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  rlm_eap: EAP Identity
  rlm_eap: processing type md5
rlm_eap_md5: Issuing Challenge
  modcall[authenticate]: module "eap" returns handled for request 0
modcall: group authenticate returns handled for request 0
Sending Access-Challenge of id 60 to 141.2.252.203:55558
        User-Name = "nutzername"
        EAP-Message = 0x010100160410cae9bfb010ee5187489092b9a2f82ddd
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xbea2ee7e075274739942fa3464748581
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 141.2.252.203:55558, id=226,
length=95
        User-Name = "nutzername"
        State = 0xbea2ee7e075274739942fa3464748581
        EAP-Message = 0x020100060319
        Message-Authenticator = 0x200b492108ca7cac81f0e8922229d1ce
        NAS-Identifier = "cb-jur-vc0-11og"
        NAS-Port-Type = Virtual
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module "preprocess" returns ok for request 1
  modcall[authorize]: module "chap" returns noop for request 1
  modcall[authorize]: module "mschap" returns noop for request 1
    rlm_realm: No '@' in User-Name = "nutzername", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 1
  rlm_eap: EAP packet type response id 1 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 1
    users: Matched DEFAULT at 238
radius_xlat:  'nutzername'
  modcall[authorize]: module "files" returns ok for request 1
rlm_ldap: - authorize
rlm_ldap: performing user authorization for nutzername
radius_xlat:  '(uid=nutzername)'
radius_xlat:  'ou=raduser,ou=HRZ,o=bla,dc=bla,dc=de'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=raduser,ou=HRZ,o=bla,dc=bla,dc=de, with
filter (uid=nutzername)
rlm_ldap: Added password 0x81.... in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding userPassword as NT-Password, value 0x81.... & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user nutzername authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 1
modcall: group authorize returns updated for request 1
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
  rlm_eap: Request found, released from the list
  rlm_eap: EAP NAK
 rlm_eap: EAP-NAK asked for EAP-Type/peap
  rlm_eap: processing type tls
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module "eap" returns handled for request 1
modcall: group authenticate returns handled for request 1
Sending Access-Challenge of id 226 to 141.2.252.203:55558
        User-Name = "nutzername"
        EAP-Message = 0x010200061920
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x5750c0ff371ce186f1965748119d04ac
Finished request 1
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 141.2.252.203:55558, id=38,
length=169
        User-Name = "nutzername"
        State = 0x5750c0ff371ce186f1965748119d04ac
        EAP-Message =
0x0202005019800000004616030100410100003d0301496e0c138b66c4b2b03439662b6dbd53
73c2bffd1be848b6eacc3fb4f77dba7900001600040005000a00090064006200030006001300
1200630100
        Message-Authenticator = 0x13930a9cfe35d09670f4963fa3e99ece
        NAS-Identifier = "cb-jur-vc0-11og"
        NAS-Port-Type = Virtual
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
  modcall[authorize]: module "preprocess" returns ok for request 2
  modcall[authorize]: module "chap" returns noop for request 2
  modcall[authorize]: module "mschap" returns noop for request 2
    rlm_realm: No '@' in User-Name = "nutzername", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 2
  rlm_eap: EAP packet type response id 2 length 80
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 2
    users: Matched DEFAULT at 238
radius_xlat:  'nutzername'
  modcall[authorize]: module "files" returns ok for request 2
rlm_ldap: - authorize
rlm_ldap: performing user authorization for nutzername
radius_xlat:  '(uid=nutzername)'
radius_xlat:  'ou=raduser,ou=HRZ,o=bla,dc=bla,dc=de'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=raduser,ou=HRZ,o=bla,dc=bla,dc=de, with
filter (uid=nutzername)
rlm_ldap: Added password 0x81.... in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding userPassword as NT-Password, value 0x81.... & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user nutzername authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 2
modcall: group authorize returns updated for request 2
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls:  Length Included
  eaptls_verify returned 11
    (other): before/accept initialization
    TLS_accept: before/accept initialization
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello
    TLS_accept: SSLv3 read client hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
    TLS_accept: SSLv3 write server hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 08e4], Certificate
    TLS_accept: SSLv3 write certificate A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
    TLS_accept: SSLv3 write server done A
    TLS_accept: SSLv3 flush data
    TLS_accept:error in SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
  eaptls_process returned 13
  rlm_eap_peap: EAPTLS_HANDLED
  modcall[authenticate]: module "eap" returns handled for request 2
modcall: group authenticate returns handled for request 2
Sending Access-Challenge of id 38 to 141.2.252.203:55558
        User-Name = "nutzername"
        EAP-Message =
0x0103040a19c000000941160301004a020000460301496e0c0a313b94cc31ef3ce5fcf21642
9dcae1a13d91a1f4d634e431b7fba52f2063656f16763acb98fb6dae900682fe430116f46619
ef62da13543c269dca608200040016030108e40b0008e00008dd00057730820573308204dca0
03020102020e369900010002c59829d76c5f17cc300d06092a864886f70d01010505003081bc
310b30090603550406130244453110300e0603550408130748616d627572673110300e060355
0407130748616d62757267313a3038060355040a1331544320547275737443656e7465722066
6f7220536563757269747920696e2044617461204e6574776f72
        EAP-Message =
0x6b7320476d624831223020060355040b1319544320547275737443656e74657220436c6173
7320322043413129302706092a864886f70d010901161a636572746966696361746540747275
737463656e7465722e6465301e170d3038303830343132303430355a170d3039303832393132
303430355a3081d5310b3009060355040613024445310f300d0603550408130648657373656e
311a3018060355040713114672616e6b6675727420616d204d61696e312c302a060355040a13
234a6f68616e6e20576f6c6667616e6720476f657468652d556e69766572736974616574311f
301d060355040b1316486f6368736368756c72656368656e7a65
        EAP-Message =
0x6e7472756d31223020060355040314192a2e7365727665722e756e692d6672616e6b667572
742e64653126302406092a864886f70d010901161777777740727a2e756e692d6672616e6b66
7572742e646530820122300d06092a864886f70d01010105000382010f003082010a02820101
00be916aaefcd7a193458cea127673dd7296b608360945fcd1288f4537f751bf37ea0c47b7a4
ca89ecbd7677012462b1519de606a232c2e73e28d0d04ed554ce6a82e38d4f7bb8942008df11
e17122c5215333c5a49658abded7116628676a4f49e0f7230a1f85a339dfca410a5ff5045b51
3b413eb6bc84f171084be88d31b5159d915f86ddb50499409df2
        EAP-Message =
0x0207f15d52432a76601ed7bea5f25d59093b39632a02424eb053b9688ff91db85f9ca665b4
a42b985b9afe2cd9b6e9b8c5c8b30c7be0a8227fec6f6948fbec296b256879fe09403cb2c476
0643605e6ea1746d02fb0274c38139d16397733c36997fbf3c7775ca54f869dd47dc1cd4ed0e
28dc52ff0203010001a38201d7308201d330818e06082b06010505070101048181307f304c06
082b060105050730028640687474703a2f2f7777772e747275737463656e7465722e64652f63
65727473657276696365732f636163657274732f74635f636c6173735f325f63612e63727430
2f06082b060105050730018623687474703a2f2f6f6373702e74
        EAP-Message = 0x63636c617373322e747275737463656e7465722e6465
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x7d2d73c29099b11eba9f436f60e7786f
Finished request 2
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 141.2.252.203:55558, id=100,
length=95
        User-Name = "nutzername"
        State = 0x7d2d73c29099b11eba9f436f60e7786f
        EAP-Message = 0x020300061900
        Message-Authenticator = 0xc16bfac26a67d57deac7d60e2da85581
        NAS-Identifier = "cb-jur-vc0-11og"
        NAS-Port-Type = Virtual
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 3
  modcall[authorize]: module "preprocess" returns ok for request 3
  modcall[authorize]: module "chap" returns noop for request 3
  modcall[authorize]: module "mschap" returns noop for request 3
    rlm_realm: No '@' in User-Name = "nutzername", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 3
  rlm_eap: EAP packet type response id 3 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 3
    users: Matched DEFAULT at 238
radius_xlat:  'nutzername'
  modcall[authorize]: module "files" returns ok for request 3
rlm_ldap: - authorize
rlm_ldap: performing user authorization for nutzername
radius_xlat:  '(uid=nutzername)'
radius_xlat:  'ou=raduser,ou=HRZ,o=bla,dc=bla,dc=de'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=raduser,ou=HRZ,o=bla,dc=bla,dc=de, with
filter (uid=nutzername)
rlm_ldap: Added password 0x81.... in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding userPassword as NT-Password, value 0x81.... & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user nutzername authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 3
modcall: group authorize returns updated for request 3
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 3
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake fragment handler
  eaptls_verify returned 1
  eaptls_process returned 13
  rlm_eap_peap: EAPTLS_HANDLED
  modcall[authenticate]: module "eap" returns handled for request 3
modcall: group authenticate returns handled for request 3
Sending Access-Challenge of id 100 to 141.2.252.203:55558
        User-Name = "nutzername"
        EAP-Message =
0x010404061940300c0603551d130101ff040230003081820603551d20047b3079307706092a
8214002c01010102306a303606082b06010505070202302a1a28544320547275737443656e74
657220436c6173733220536572766572204365727469666963617465303006082b0601050507
02011624687474703a2f2f7777772e747275737463656e7465722e64652f67756964656c696e
6573300e0603551d0f0101ff0404030205e0301d0603551d0e04160414b766adfc0fd80652bc
51275e88e6b5254598806a304c0603551d1f044530433041a03fa03d863b687474703a2f2f63
726c2e7463636c617373322e747275737463656e7465722e6465
        EAP-Message =
0x2f63726c2f76322f74635f636c6173735f325f63612e63726c301d0603551d250416301406
082b0601050507030106082b06010505070302301106096086480186f84201010404030206c0
300d06092a864886f70d01010505000381810029a625b45ec3f9852a465b2fec2a9c47c7c781
33fc2cd3bc58f75a5ea04a32755dd12c7a7f4c0c3850ab7bf42504ec8ea307e5629919700750
c0114ef2772d713179c68258157d2873d61d9491ff5ba0252cf52020ed9dc4fce69ae5d58e82
171e077b1a193c903c1cfd27c6125e2201b0b31ac8a70de3592fe903a1258644620003603082
035c308202c5a003020102020203ea300d06092a864886f70d01
        EAP-Message =
0x010405003081bc310b30090603550406130244453110300e0603550408130748616d627572
673110300e0603550407130748616d62757267313a3038060355040a13315443205472757374
43656e74657220666f7220536563757269747920696e2044617461204e6574776f726b732047
6d624831223020060355040b1319544320547275737443656e74657220436c61737320322043
413129302706092a864886f70d010901161a636572746966696361746540747275737463656e
7465722e6465301e170d3938303330393131353935395a170d3131303130313131353935395a
3081bc310b30090603550406130244453110300e060355040813
        EAP-Message =
0x0748616d627572673110300e0603550407130748616d62757267313a3038060355040a1331
544320547275737443656e74657220666f7220536563757269747920696e2044617461204e65
74776f726b7320476d624831223020060355040b1319544320547275737443656e7465722043
6c61737320322043413129302706092a864886f70d010901161a636572746966696361746540
747275737463656e7465722e646530819f300d06092a864886f70d010101050003818d003081
8902818100da38e8ed3200297183010dbf8c01dcdac6ad39a4a98a2fd58b5c685f50c662f566
bdca9122ecaa1d51d73db351b2834e5dcb49b0f04c55e56b2dc7
        EAP-Message = 0x850b301c924e82d4ca02edf76fbedce0e314
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x6f3c1ccd94830375640659699664a51a
Finished request 3
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 141.2.252.203:55558, id=62,
length=95
        User-Name = "nutzername"
        State = 0x6f3c1ccd94830375640659699664a51a
        EAP-Message = 0x020400061900
        Message-Authenticator = 0xd3621dcb8ecf03d17c966eb0f661ad99
        NAS-Identifier = "cb-jur-vc0-11og"
        NAS-Port-Type = Virtual
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
  modcall[authorize]: module "preprocess" returns ok for request 4
  modcall[authorize]: module "chap" returns noop for request 4
  modcall[authorize]: module "mschap" returns noop for request 4
    rlm_realm: No '@' in User-Name = "nutzername", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 4
  rlm_eap: EAP packet type response id 4 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 4
    users: Matched DEFAULT at 238
radius_xlat:  'nutzername'
  modcall[authorize]: module "files" returns ok for request 4
rlm_ldap: - authorize
rlm_ldap: performing user authorization for nutzername
radius_xlat:  '(uid=nutzername)'
radius_xlat:  'ou=raduser,ou=HRZ,o=bla,dc=bla,dc=de'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=raduser,ou=HRZ,o=bla,dc=bla,dc=de, with
filter (uid=nutzername)
rlm_ldap: Added password 0x81.... in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding userPassword as NT-Password, value 0x81.... & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user nutzername authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 4
modcall: group authorize returns updated for request 4
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 4
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake fragment handler
  eaptls_verify returned 1
  eaptls_process returned 13
  rlm_eap_peap: EAPTLS_HANDLED
  modcall[authenticate]: module "eap" returns handled for request 4
modcall: group authenticate returns handled for request 4
Sending Access-Challenge of id 62 to 141.2.252.203:55558
        User-Name = "nutzername"
        EAP-Message =
0x010501471900b80553f29af4568b5a9e8593d1b48256ae4dbba84b5716bcfef8589ef8298d
b07bcd78c94fac8b670cf19cfbfc579b575c4f0d0203010001a36b3069300f0603551d130101
ff040530030101ff300e0603551d0f0101ff040403020186303306096086480186f842010804
261624687474703a2f2f7777772e747275737463656e7465722e64652f67756964656c696e65
73301106096086480186f8420101040403020007300d06092a864886f70d0101040500038181
008452fb28dfff1f7501bc01be0456976a7442243183f946b1068a89cf962c33bf8cb55f7a72
a18506ce86f8058ee8f925cada838c06aceb366d8591340436f4
        EAP-Message =
0x42f0f8792e0a485cabcc514f7876a0d9ac19bd2ad169042891ca36102780575bd25cf5c25b
ab6481637451f497bfcd1228f74d667fa7f01c012678b2664770516416030100040e000000
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xbd5c957dea92c16671d2a4bb23ff2a96
Finished request 4
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 141.2.252.203:55558, id=77,
length=411
        User-Name = "nutzername"
        State = 0xbd5c957dea92c16671d2a4bb23ff2a96
        EAP-Message =
0x02050140198000000136160301010610000102010083c661702c546243ae82b89c22329e68
70c992c122d7d6eba0cd49909a808a5246245e5368d9871f7256a00f1d02fc7655fdb3407ff0
f2c334920716bbc7c249a6915917b2c81b2dbe2769d6bfbb0f5c746863e7f429a4a9b6236568
9637b27317c4fc1c5e8b6876a93f8b0119fb66204c48dadcae5f1d7ca514b2690e15a7e857f0
e2f8925e910bc4e8678340bb80c9581e16a4fabd801b7ce90839497be1938b3800f28574d37a
e46f7313ec6f2eac7b1c332e9c06773ded5f136e8b3e942ebfd4977cefd66550cb16882de8f4
e6c65cb843008f3738b94085ddb2fbd48cf79312ca1ee6e5ae09
        EAP-Message =
0x8d724ebb401cd378fc2965eb82b476f705b7795ed924f34e1403010001011603010020d6d7
ac087f5a4b8452126caa6f15acee0d30608d4b259d910486c4dc153a7940
        Message-Authenticator = 0x3a8c157d07a1eeedddbe386f4cfca41b
        NAS-Identifier = "cb-jur-vc0-11og"
        NAS-Port-Type = Virtual
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
  modcall[authorize]: module "preprocess" returns ok for request 5
  modcall[authorize]: module "chap" returns noop for request 5
  modcall[authorize]: module "mschap" returns noop for request 5
    rlm_realm: No '@' in User-Name = "nutzername", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 5
  rlm_eap: EAP packet type response id 5 length 253
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 5
    users: Matched DEFAULT at 238
radius_xlat:  'nutzername'
  modcall[authorize]: module "files" returns ok for request 5
rlm_ldap: - authorize
rlm_ldap: performing user authorization for nutzername
radius_xlat:  '(uid=nutzername)'
radius_xlat:  'ou=raduser,ou=HRZ,o=bla,dc=bla,dc=de'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=raduser,ou=HRZ,o=bla,dc=bla,dc=de, with
filter (uid=nutzername)
rlm_ldap: Added password 0x81.... in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding userPassword as NT-Password, value 0x81.... & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user nutzername authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 5
modcall: group authorize returns updated for request 5
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 5
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls:  Length Included
  eaptls_verify returned 11
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange
    TLS_accept: SSLv3 read client key exchange A
  rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished
    TLS_accept: SSLv3 read finished A
  rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001]
    TLS_accept: SSLv3 write change cipher spec A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished
    TLS_accept: SSLv3 write finished A
    TLS_accept: SSLv3 flush data
    (other): SSL negotiation finished successfully
SSL Connection Established
  eaptls_process returned 13
  rlm_eap_peap: EAPTLS_HANDLED
  modcall[authenticate]: module "eap" returns handled for request 5
modcall: group authenticate returns handled for request 5
Sending Access-Challenge of id 77 to 141.2.252.203:55558
        User-Name = "nutzername"
        EAP-Message =
0x0106003119001403010001011603010020941bf982a2967829df2e9158013bbecb542a799d
37afb0ee09da1aa705146157
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xf1f497af4715856825aa1004c515a4d0
Finished request 5
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 141.2.252.203:55558, id=242,
length=122
        User-Name = "nutzername"
        State = 0xf1f497af4715856825aa1004c515a4d0
        EAP-Message =
0x02060021198000000017150301001272c8140acf019f865785ebe57bfdc0ed9fdf
        Message-Authenticator = 0x7f0775975b56263d6d04c5d1714f2ed8
        NAS-Identifier = "cb-jur-vc0-11og"
        NAS-Port-Type = Virtual
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 6
  modcall[authorize]: module "preprocess" returns ok for request 6
  modcall[authorize]: module "chap" returns noop for request 6
  modcall[authorize]: module "mschap" returns noop for request 6
    rlm_realm: No '@' in User-Name = "nutzername", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 6
  rlm_eap: EAP packet type response id 6 length 33
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 6
    users: Matched DEFAULT at 238
radius_xlat:  'nutzername'
  modcall[authorize]: module "files" returns ok for request 6
rlm_ldap: - authorize
rlm_ldap: performing user authorization for nutzername
radius_xlat:  '(uid=nutzername)'
radius_xlat:  'ou=raduser,ou=HRZ,o=bla,dc=bla,dc=de'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=raduser,ou=HRZ,o=bla,dc=bla,dc=de, with
filter (uid=nutzername)
rlm_ldap: Added password 0x81.... in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding userPassword as NT-Password, value 0x81.... & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user nutzername authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 6
modcall: group authorize returns updated for request 6
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls:  Length Included
  eaptls_verify returned 11
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal access_denied
TLS Alert read:fatal:access denied
rlm_eap_peap: No data inside of the tunnel.
 rlm_eap: Handler failed in EAP/peap
  rlm_eap: Failed in EAP select
  modcall[authenticate]: module "eap" returns invalid for request 6
modcall: group authenticate returns invalid for request 6
auth: Failed to validate the user.
Login incorrect: [nutzername] (from client Juniper-EX port 0)
Delaying request 6 for 1 seconds
Finished request 6
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 141.2.252.203:55558, id=242,
length=122
Sending Access-Reject of id 242 to 141.2.252.203:55558
        EAP-Message = 0x04060004
        Message-Authenticator = 0x00000000000000000000000000000000
--- Walking the entire request list ---
Waking up in 3 seconds...
--- Walking the entire request list ---
Cleaning up request 2 ID 38 with timestamp 496e0c0a
Cleaning up request 0 ID 60 with timestamp 496e0c0a
Cleaning up request 4 ID 62 with timestamp 496e0c0a
Cleaning up request 5 ID 77 with timestamp 496e0c0a
Cleaning up request 3 ID 100 with timestamp 496e0c0a
Cleaning up request 1 ID 226 with timestamp 496e0c0a
Cleaning up request 6 ID 242 with timestamp 496e0c0a
Nothing to do.  Sleeping until we see a request.
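The failure above (a fatal alert received from the client right after the tunnel is established, and no inner identity) is easy to misread as an inner-tunnel problem. As an added example that is not part of this thread, here is a small Python triage over the relevant debug lines that tells the cases apart: FAILED_LOG is copied from the post, WORKING_LOG is an assumed shape of a successful conversation, and the phase names are my own.

```python
import re
from typing import Dict, Optional

# Constructed excerpt: only the lines that matter, copied from the debug output in the
# post above (Windows XP supplicant with "Validate server certificate" ticked).
FAILED_LOG = """\
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 08e4], Certificate
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange
  rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished
  rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001]
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished
SSL Connection Established
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal access_denied
TLS Alert read:fatal:access denied
rlm_eap_peap: No data inside of the tunnel.
auth: Failed to validate the user.
"""

# Constructed counterpart (assumed shape): a supplicant that accepts the certificate
# goes on to send its identity inside the tunnel, which is the line the post says
# is missing from the failed run.
WORKING_LOG = """\
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 08e4], Certificate
SSL Connection Established
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_peap: Identity - nutzername
"""

TLS_LINE = re.compile(
    r"rlm_eap_tls:\s+(<<<|>>>) TLS [\d.]+ (Handshake|Alert|ChangeCipherSpec)"
    r" \[length ([0-9a-f]{4})\](?:, (.+))?"
)


def triage_peap(log: str) -> Dict[str, object]:
    """Classify where a PEAP conversation in a FreeRADIUS debug log broke down.

    '<<<' lines are TLS records received from the supplicant, '>>>' records the
    server sent. Only the first alert is recorded.
    """
    established = False        # outer TLS tunnel finished on the server side
    server_cert_sent = False   # server's Certificate handshake message went out
    inner_identity: Optional[str] = None
    alert: Optional[Dict[str, object]] = None
    for raw in log.splitlines():
        line = raw.strip()
        m = TLS_LINE.search(line)
        if m:
            direction, kind, _length, detail = m.groups()
            if kind == "Handshake" and direction == ">>>" and detail == "Certificate":
                server_cert_sent = True
            if kind == "Alert" and alert is None:
                alert = {
                    "from": "client" if direction == "<<<" else "server",
                    "detail": detail or "",
                    "after_established": established,
                }
            continue
        if line.startswith("SSL Connection Established"):
            established = True
        elif line.startswith("rlm_eap_peap: Identity - "):
            inner_identity = line.split(" - ", 1)[1]

    if inner_identity is not None:
        phase = "inner-tunnel"
        verdict = ("tunnel established and identity %r received; any failure is in "
                   "the inner method, not in the outer TLS" % inner_identity)
    elif alert is not None and alert["from"] == "client" and alert["after_established"]:
        phase = "supplicant-rejected-server"
        verdict = ("client finished the handshake and then sent a fatal alert instead "
                   "of an inner identity: the supplicant's own check of the server "
                   "certificate (trust anchor, expected server name, key usage) said "
                   "no, so compare the certificate the server sent with the client's "
                   "validation settings")
    elif alert is not None and alert["from"] == "client":
        phase = "handshake-failed-client"
        verdict = "client aborted the TLS handshake before the tunnel was established"
    elif alert is not None:
        phase = "server-rejected-client"
        verdict = "server sent the alert; look at the server-side TLS configuration"
    else:
        phase = "unknown"
        verdict = "no TLS alert and no inner identity found in this excerpt"
    return {"phase": phase, "alert": alert, "server_cert_sent": server_cert_sent,
            "inner_identity": inner_identity, "verdict": verdict}


if __name__ == "__main__":
    for name, log in (("failed", FAILED_LOG), ("working", WORKING_LOG)):
        r = triage_peap(log)
        print("%s: %s -> %s" % (name, r["phase"], r["verdict"]))
```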
