FreeRadius 2.1.6 + EAP-PEAP issue
Anatoly Oreshkin
Anatoly.Oreshkin at pnpi.spb.ru
Fri Jul 10 17:00:09 CEST 2009
I've added ntdomain to sites-available/inner-tunnel after suffix
in the authorize section:
suffix
ntdomain
and added the domain in proxy.conf:
realm csd-notebook {
type = radius
authhost = LOCAL
accthost = LOCAL
}
All the same, the Vista client could not connect to the WiFi network, though the RADIUS
server sent Access-Accept. See the output of /usr/local/sbin/radiusd -fX
below.
But csd-notebook is not a domain name; it is a computer name, which can be
a random name. Also, we do not use NTLM authorisation.
Which way should I choose?
----------------------------------------------------------------------
rad_recv: Access-Request packet from host 192.168.14.240 port 4177, id=20, length=235
Message-Authenticator = 0x6754868faae917f8ecf1de1b88ffbbff
Service-Type = Framed-User
User-Name = "csd-notebook\\oreshkin"
Framed-MTU = 1488
Called-Station-Id = "00-18-6E-8F-73-40:200901azk71And"
Calling-Station-Id = "00-16-EA-8A-DE-38"
NAS-Identifier = "3Com Access Point 7760"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x0214001a016373642d6e6f7465626f6f6b5c6f726573686b696e
NAS-IP-Address = 192.168.14.240
NAS-Port = 1
NAS-Port-Id = "STA port # 1"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "csd-notebook\oreshkin", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] Looking up realm "csd-notebook" for User-Name = "csd-notebook\oreshkin"
[ntdomain] Found realm "csd-notebook"
[ntdomain] Adding Stripped-User-Name = "oreshkin"
[ntdomain] Adding Realm = "csd-notebook"
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
[eap] EAP packet type response id 20 length 26
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 159
[files] users: Matched entry DEFAULT at line 178
[files] users: Matched entry oreshkin at line 229
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 20 to 192.168.14.240 port 4177
Framed-IP-Address = 255.255.255.254
Framed-MTU = 576
Service-Type = Framed-User
EAP-Message = 0x011500061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x521bfcaa520ee591f8365bba7dae1345
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.14.240 port 4177, id=21, length=359
Message-Authenticator = 0xd3c72a8422cc238deb3701cd984c13d6
Service-Type = Framed-User
User-Name = "csd-notebook\\oreshkin"
Framed-MTU = 1488
State = 0x521bfcaa520ee591f8365bba7dae1345
Called-Station-Id = "00-18-6E-8F-73-40:200901azk71And"
Calling-Station-Id = "00-16-EA-8A-DE-38"
NAS-Identifier = "3Com Access Point 7760"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x0215008419800000007a16030100750100007103014a5753e9b349d723fa3d51a41542ee5a204229fd96748679796b15a731767cdd000018002f00350005000ac009c00ac013c0140032003800130004010000300000001a00180000156373642d6e6f7465626f6f6b5c6f726573686b696e000a00080006001700180019000b00020100
NAS-IP-Address = 192.168.14.240
NAS-Port = 1
NAS-Port-Id = "STA port # 1"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "csd-notebook\oreshkin", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] Looking up realm "csd-notebook" for User-Name = "csd-notebook\oreshkin"
[ntdomain] Found realm "csd-notebook"
[ntdomain] Adding Stripped-User-Name = "oreshkin"
[ntdomain] Adding Realm = "csd-notebook"
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
[eap] EAP packet type response id 21 length 132
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 122
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 0075], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 002a], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 084e], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 21 to 192.168.14.240 port 4177
EAP-Message = 0x973082037fa0030201020201
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x521bfcaa530de591f8365bba7dae1345
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.14.240 port 4177, id=22, length=233
Message-Authenticator = 0x4c73bb06cf9b4a279cb5f25364c25214
Service-Type = Framed-User
User-Name = "csd-notebook\\oreshkin"
Framed-MTU = 1488
State = 0x521bfcaa530de591f8365bba7dae1345
Called-Station-Id = "00-18-6E-8F-73-40:200901azk71And"
Calling-Station-Id = "00-16-EA-8A-DE-38"
NAS-Identifier = "3Com Access Point 7760"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x021600061900
NAS-IP-Address = 192.168.14.240
NAS-Port = 1
NAS-Port-Id = "STA port # 1"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "csd-notebook\oreshkin", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] Looking up realm "csd-notebook" for User-Name = "csd-notebook\oreshkin"
[ntdomain] Found realm "csd-notebook"
[ntdomain] Adding Stripped-User-Name = "oreshkin"
[ntdomain] Adding Realm = "csd-notebook"
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
[eap] EAP packet type response id 22 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 22 to 192.168.14.240 port 4177
EAP-Message = 0x6865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100a056d1cfe5b95120cfb2ad67638c20cceb3feca1d22665f5d0379648340127cf5ffe26f48f46c04a1132b032d93b7f49417851f2e110fee7b457fbe2f99b47d3389b630dd2f78acf290b4ecb6d43466a19cb17063f1b2a1eefe1e6f34e1b0a20fa92fa17809a58e7120bc1a87db8865230df04775af5e1
EAP-Message = 0xde231ca42761b9ba
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x521bfcaa500ce591f8365bba7dae1345
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.14.240 port 4177, id=23, length=233
Message-Authenticator = 0x0aee9f5b511c9ae23c11446eac0b4e78
Service-Type = Framed-User
User-Name = "csd-notebook\\oreshkin"
Framed-MTU = 1488
State = 0x521bfcaa500ce591f8365bba7dae1345
Called-Station-Id = "00-18-6E-8F-73-40:200901azk71And"
Calling-Station-Id = "00-16-EA-8A-DE-38"
NAS-Identifier = "3Com Access Point 7760"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x021700061900
NAS-IP-Address = 192.168.14.240
NAS-Port = 1
NAS-Port-Id = "STA port # 1"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "csd-notebook\oreshkin", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] Looking up realm "csd-notebook" for User-Name = "csd-notebook\oreshkin"
[ntdomain] Found realm "csd-notebook"
[ntdomain] Adding Stripped-User-Name = "oreshkin"
[ntdomain] Adding Realm = "csd-notebook"
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
[eap] EAP packet type response id 23 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 23 to 192.168.14.240 port 4177
EAP-Message = 0x011800a51900504fbacfc37f212076882bd7b098391319a08e59fc4d3dee5493579716c999ee20be7eed64f3b465e8ff5b718e9751b2c4ca5d1cd6700ccf0341f6a270aed40707094b7b6c39c78c581fa330b26bfb74042202fde6398f0fa591d0e164f5980d197175a49c7b9769cebfa4eef1f5527383f230b4df20935fa3903e171a05d038c6effefc1bf76e95dd86d637a53fc8ae83bdc13ea56d16030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x521bfcaa5103e591f8365bba7dae1345
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.14.240 port 4177, id=24, length=565
Message-Authenticator = 0xe9c4f9e868333481bc3f992f2aa1a741
Service-Type = Framed-User
User-Name = "csd-notebook\\oreshkin"
Framed-MTU = 1488
State = 0x521bfcaa5103e591f8365bba7dae1345
Called-Station-Id = "00-18-6E-8F-73-40:200901azk71And"
Calling-Station-Id = "00-16-EA-8A-DE-38"
NAS-Identifier = "3Com Access Point 7760"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x467d42b176b10ba4938cff43e0d0da7d98c84de4befb83c11403010001011603010030eabb7f82b63254797b0a1058de5b2d4683403cd5c5c3340b930caa85db25f479d8ea1deb4d5ba5f201b8b9a84f4d97b4
NAS-IP-Address = 192.168.14.240
NAS-Port = 1
NAS-Port-Id = "STA port # 1"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "csd-notebook\oreshkin", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] Looking up realm "csd-notebook" for User-Name = "csd-notebook\oreshkin"
[ntdomain] Found realm "csd-notebook"
[ntdomain] Adding Stripped-User-Name = "oreshkin"
[ntdomain] Adding Realm = "csd-notebook"
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
[eap] EAP packet type response id 24 length 253
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 326
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange
[peap] TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap] TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 write finished A
[peap] TLS_accept: SSLv3 flush data
[peap] (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 24 to 192.168.14.240 port 4177
EAP-Message = 0x0119004119001403010001011603010030f7a902a3cc95bd20025641fbee76e796b867fe811ed81d7ee337cddd4e18653d17378c0a926cce7da53c2afad9fc45a4
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x521bfcaa5602e591f8365bba7dae1345
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.14.240 port 4177, id=25, length=233
Message-Authenticator = 0x6cbaa61eb18daa20c579bee2679f4174
Service-Type = Framed-User
User-Name = "csd-notebook\\oreshkin"
Framed-MTU = 1488
State = 0x521bfcaa5602e591f8365bba7dae1345
Called-Station-Id = "00-18-6E-8F-73-40:200901azk71And"
Calling-Station-Id = "00-16-EA-8A-DE-38"
NAS-Identifier = "3Com Access Point 7760"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x021900061900
NAS-IP-Address = 192.168.14.240
NAS-Port = 1
NAS-Port-Id = "STA port # 1"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "csd-notebook\oreshkin", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] Looking up realm "csd-notebook" for User-Name = "csd-notebook\oreshkin"
[ntdomain] Found realm "csd-notebook"
[ntdomain] Adding Stripped-User-Name = "oreshkin"
[ntdomain] Adding Realm = "csd-notebook"
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
[eap] EAP packet type response id 25 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
++[eap] returns handled
Sending Access-Challenge of id 25 to 192.168.14.240 port 4177
EAP-Message = 0x011a002b190017030100207cf398479d0eae664ea314f623103e57f103334f1e634464e707d81835ffd07f
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x521bfcaa5701e591f8365bba7dae1345
Finished request 5.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.14.240 port 4177, id=26, length=286
Message-Authenticator = 0x0574dd2cb5f885828ab6b8015307a036
Service-Type = Framed-User
User-Name = "csd-notebook\\oreshkin"
Framed-MTU = 1488
State = 0x521bfcaa5701e591f8365bba7dae1345
Called-Station-Id = "00-18-6E-8F-73-40:200901azk71And"
Calling-Station-Id = "00-16-EA-8A-DE-38"
NAS-Identifier = "3Com Access Point 7760"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x021a003b19001703010030b9c978edc0ec85f275c5f03d0842f19284727199eef9a38ad70976a9aed64260087d178e30252c000cd38f572293b58c
NAS-IP-Address = 192.168.14.240
NAS-Port = 1
NAS-Port-Id = "STA port # 1"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "csd-notebook\oreshkin", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] Looking up realm "csd-notebook" for User-Name = "csd-notebook\oreshkin"
[ntdomain] Found realm "csd-notebook"
[ntdomain] Adding Stripped-User-Name = "oreshkin"
[ntdomain] Adding Realm = "csd-notebook"
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
[eap] EAP packet type response id 26 length 59
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Identity - csd-notebook\oreshkin
[peap] Got tunneled request
EAP-Message = 0x021a001a016373642d6e6f7465626f6f6b5c6f726573686b696e
server {
PEAP: Got tunneled identity of csd-notebook\oreshkin
PEAP: Setting default EAP type for tunneled EAP session.
PEAP: Setting User-Name to csd-notebook\oreshkin
Sending tunneled request
EAP-Message = 0x021a001a016373642d6e6f7465626f6f6b5c6f726573686b696e
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "csd-notebook\\oreshkin"
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "csd-notebook\oreshkin", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] Looking up realm "csd-notebook" for User-Name = "csd-notebook\oreshkin"
[ntdomain] Found realm "csd-notebook"
[ntdomain] Adding Stripped-User-Name = "oreshkin"
[ntdomain] Adding Realm = "csd-notebook"
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
++[control] returns ok
[eap] EAP packet type response id 26 length 26
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry DEFAULT at line 159
[files] users: Matched entry oreshkin at line 229
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
EAP-Message = 0x011b002f1a011b002a10c8f5c4e66039ee0c0248b00e7a4eb5456373642d6e6f7465626f6f6b5c6f726573686b696e
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x8cc4b76f8cdfad527821b84c1697460f
[peap] Got tunneled reply RADIUS code 11
EAP-Message = 0x011b002f1a011b002a10c8f5c4e66039ee0c0248b00e7a4eb5456373642d6e6f7465626f6f6b5c6f726573686b696e
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x8cc4b76f8cdfad527821b84c1697460f
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 26 to 192.168.14.240 port 4177
EAP-Message = 0x011b004b19001703010040a35bf50ba3bd99ea37448038a8d40802007487a075177b0419b54533f76c23a67a7f0a32592f07733e74dbaa940fcf35f71de88e734ea8cad58818ef2509ebe9
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x521bfcaa5400e591f8365bba7dae1345
Finished request 6.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.14.240 port 4177, id=27, length=334
Message-Authenticator = 0x6377408684ab7b0dafbfd5a5d5aa9dff
Service-Type = Framed-User
User-Name = "csd-notebook\\oreshkin"
Framed-MTU = 1488
State = 0x521bfcaa5400e591f8365bba7dae1345
Called-Station-Id = "00-18-6E-8F-73-40:200901azk71And"
Calling-Station-Id = "00-16-EA-8A-DE-38"
NAS-Identifier = "3Com Access Point 7760"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x021b006b19001703010060bfbb8b002571807f3de09f5d37b7ea172b19ad7e8e6595473c7c3ecefc0f824eaa77be7eda4097a947ecbc9455c005b27d8ca23437273901a23d701f9aaaeb5a1f0a53765f353340a0a2bf5d08afa72fc1f262e00427b89039fcd28945e9d6d8
NAS-IP-Address = 192.168.14.240
NAS-Port = 1
NAS-Port-Id = "STA port # 1"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "csd-notebook\oreshkin", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] Looking up realm "csd-notebook" for User-Name = "csd-notebook\oreshkin"
[ntdomain] Found realm "csd-notebook"
[ntdomain] Adding Stripped-User-Name = "oreshkin"
[ntdomain] Adding Realm = "csd-notebook"
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
[eap] EAP packet type response id 27 length 107
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] EAP type mschapv2
[peap] Got tunneled request
EAP-Message = 0x021b00431a021b003e31819c7b1f2f8d867cafd6f0976e6cd29c0000000000000000538c3df64ded3d79745d4b6e21702de83ca497d34302d34b006f726573686b696e
server {
PEAP: Setting User-Name to csd-notebook\oreshkin
Sending tunneled request
EAP-Message = 0x021b00431a021b003e31819c7b1f2f8d867cafd6f0976e6cd29c0000000000000000538c3df64ded3d79745d4b6e21702de83ca497d34302d34b006f726573686b696e
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "csd-notebook\\oreshkin"
State = 0x8cc4b76f8cdfad527821b84c1697460f
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "csd-notebook\oreshkin", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] Looking up realm "csd-notebook" for User-Name = "csd-notebook\oreshkin"
[ntdomain] Found realm "csd-notebook"
[ntdomain] Adding Stripped-User-Name = "oreshkin"
[ntdomain] Adding Realm = "csd-notebook"
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
++[control] returns ok
[eap] EAP packet type response id 27 length 67
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry DEFAULT at line 159
[files] users: Matched entry oreshkin at line 229
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] Told to do MS-CHAPv2 for oreshkin with NT-Password
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
MSCHAP Success
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
EAP-Message = 0x011c00331a031b002e533d39333632383542353544363242393846463634333641323246434133313633463230443633373333
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x8cc4b76f8dd8ad527821b84c1697460f
[peap] Got tunneled reply RADIUS code 11
EAP-Message = 0x011c00331a031b002e533d39333632383542353544363242393846463634333641323246434133313633463230443633373333
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x8cc4b76f8dd8ad527821b84c1697460f
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 27 to 192.168.14.240 port 4177
EAP-Message = 0x011c005b19001703010050abccee58e5726f5b3913595f28b77e17951e779c9392439824aed552eac47b7c9f14b166653341e272ac25914c28a1d6dbb9c55d4f912de1bf4ae76fd9a85e24cf3e164168b24fb155f39ffbc968f3db
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x521bfcaa5507e591f8365bba7dae1345
Finished request 7.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.14.240 port 4177, id=28, length=270
Message-Authenticator = 0x4c98e3edbda80d90f35e45d515a2a8af
Service-Type = Framed-User
User-Name = "csd-notebook\\oreshkin"
Framed-MTU = 1488
State = 0x521bfcaa5507e591f8365bba7dae1345
Called-Station-Id = "00-18-6E-8F-73-40:200901azk71And"
Calling-Station-Id = "00-16-EA-8A-DE-38"
NAS-Identifier = "3Com Access Point 7760"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x021c002b19001703010020020ffb1916a6287e3fc7338c22eeafab91d8e94329c9f4c762b96345c077f2a1
NAS-IP-Address = 192.168.14.240
NAS-Port = 1
NAS-Port-Id = "STA port # 1"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "csd-notebook\oreshkin", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] Looking up realm "csd-notebook" for User-Name = "csd-notebook\oreshkin"
[ntdomain] Found realm "csd-notebook"
[ntdomain] Adding Stripped-User-Name = "oreshkin"
[ntdomain] Adding Realm = "csd-notebook"
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
[eap] EAP packet type response id 28 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] EAP type mschapv2
[peap] Got tunneled request
EAP-Message = 0x021c00061a03
server {
PEAP: Setting User-Name to csd-notebook\oreshkin
Sending tunneled request
EAP-Message = 0x021c00061a03
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "csd-notebook\\oreshkin"
State = 0x8cc4b76f8dd8ad527821b84c1697460f
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "csd-notebook\oreshkin", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] Looking up realm "csd-notebook" for User-Name = "csd-notebook\oreshkin"
[ntdomain] Found realm "csd-notebook"
[ntdomain] Adding Stripped-User-Name = "oreshkin"
[ntdomain] Adding Realm = "csd-notebook"
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
++[control] returns ok
[eap] EAP packet type response id 28 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry DEFAULT at line 159
[files] users: Matched entry oreshkin at line 229
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[eap] Freeing handler
++[eap] returns ok
} # server inner-tunnel
[peap] Got tunneled reply code 2
EAP-Message = 0x031c0004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "oreshkin"
[peap] Got tunneled reply RADIUS code 2
EAP-Message = 0x031c0004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "oreshkin"
[peap] Tunneled authentication was successful.
[peap] SUCCESS
++[eap] returns handled
Sending Access-Challenge of id 28 to 192.168.14.240 port 4177
EAP-Message = 0x011d002b19001703010020b6e09090e6565d2213c2146da4d560c520e75e59c28702e5e916bd639c277d0f
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x521bfcaa5a06e591f8365bba7dae1345
Finished request 8.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.14.240 port 4177, id=29, length=270
Message-Authenticator = 0xcc38941510510c2776d853ce35ba7fd2
Service-Type = Framed-User
User-Name = "csd-notebook\\oreshkin"
Framed-MTU = 1488
State = 0x521bfcaa5a06e591f8365bba7dae1345
Called-Station-Id = "00-18-6E-8F-73-40:200901azk71And"
Calling-Station-Id = "00-16-EA-8A-DE-38"
NAS-Identifier = "3Com Access Point 7760"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x021d002b190017030100207f0f1fe523589d2f59034ac7bab4797406f777f4d2cd797d272eadab787d8e77
NAS-IP-Address = 192.168.14.240
NAS-Port = 1
NAS-Port-Id = "STA port # 1"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "csd-notebook\oreshkin", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] Looking up realm "csd-notebook" for User-Name = "csd-notebook\oreshkin"
[ntdomain] Found realm "csd-notebook"
[ntdomain] Adding Stripped-User-Name = "oreshkin"
[ntdomain] Adding Realm = "csd-notebook"
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
[eap] EAP packet type response id 29 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Received EAP-TLV response.
[peap] Success
[eap] Freeing handler
++[eap] returns ok
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 29 to 192.168.14.240 port 4177
MS-MPPE-Recv-Key = 0xc12171c0071fd6f4098e5f68b570202b25bbc5d89f31d63e13645dd645e87a6d
MS-MPPE-Send-Key = 0x5b383c69c087a07603a627033e58f4bf17fcf505f534f1c85117f22acf0d1ec3
EAP-Message = 0x031d0004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "oreshkin"
Finished request 9.
Going to the next request
Waking up in 4.9 seconds.
--------------------------------------------------------
Thanks
On Thu, 9 Jul 2009, Ivan Kalik wrote:
> Date: Thu, 9 Jul 2009 11:04:11 +0100 (BST)
> From: Ivan Kalik <tnt at kalik.net>
> To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
> Subject: Re: FreeRadius 2.1.6 + EAP-PEAP issue
>
>>
>> Hi,
>>
>> I've configured modules/preprocess with
>>
>> with_ntdomain_hack = yes
>>
>> and tried again to authenticate Vista user but got as follows:
>>
> ...
>> [eap] Identity does not match User-Name, setting from EAP Identity.
>
> That entry alters User-Name and shouldn't be used with EAP. It works fine
> with plain mschap but not here.
>
> Enable ntdomain in inner-tunnel virtual server (just under suffix) and
> create a local domain in proxy.conf:
>
> realm csd-notebook {
> }
>
> Ivan Kalik
> Kalik Informatika ISP
>
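The radiusd -fX trace above is long enough that a small triage script helps when reading it. The following is an added example, not code from the post or from FreeRADIUS: realm_split() mirrors the User-Name split that rlm_realm reports in the trace (suffix looks for '@', the ntdomain instance takes the part before the backslash as realm), and parse_trace()/summarise() collect, per Access-Request, the outer User-Name, the realm found, the inner method, the reply code and the User-Name returned in the reply, so the outer and returned identities can be compared at a glance. The sample trace is a constructed, condensed subset of the lines from the post.

```python
"""Triage of a FreeRADIUS 'radiusd -X' PEAP trace.  Added example, not code
from the post or from FreeRADIUS: realm_split() mirrors the User-Name split
rlm_realm reports in the trace; parse_trace() collects per Access-Request the
outer User-Name, realm found, inner method, reply code and returned User-Name."""
import re
from dataclasses import dataclass

# Constructed sample: a condensed subset of the trace in the post (ids 20, 28, 29).
# Real -X output indents attribute lines with a tab; spaces are accepted as well.
SAMPLE_TRACE = r"""
rad_recv: Access-Request packet from host 192.168.14.240 port 4177, id=20, length=235
        User-Name = "csd-notebook\\oreshkin"
[suffix] No '@' in User-Name = "csd-notebook\oreshkin", looking up realm NULL
[ntdomain] Found realm "csd-notebook"
Sending Access-Challenge of id 20 to 192.168.14.240 port 4177
rad_recv: Access-Request packet from host 192.168.14.240 port 4177, id=28, length=270
        User-Name = "csd-notebook\\oreshkin"
[ntdomain] Found realm "csd-notebook"
[mschap] Told to do MS-CHAPv2 for oreshkin with NT-Password
        User-Name = "oreshkin"
Sending Access-Challenge of id 28 to 192.168.14.240 port 4177
rad_recv: Access-Request packet from host 192.168.14.240 port 4177, id=29, length=270
        User-Name = "csd-notebook\\oreshkin"
[ntdomain] Found realm "csd-notebook"
Sending Access-Accept of id 29 to 192.168.14.240 port 4177
        User-Name = "oreshkin"
"""

RAD_RECV = re.compile(r"^rad_recv: Access-\w+ packet from host \S+ port \d+, id=(\d+)")
SENDING = re.compile(r"^Sending (Access-\w+) of id \d+ to ")
ATTR = re.compile(r'^\s*([A-Za-z][\w-]*) = "?([^"]*)"?\s*$')
REALM_FOUND = re.compile(r'^\[(suffix|ntdomain)\] Found realm "([^"]*)"')
INNER = re.compile(r"^\[mschap\] Told to do (\S+) for (\S+) with ")

def realm_split(user_name, fmt, delim):
    """Split at the first delimiter: 'suffix' is user@realm, 'prefix' (the ntdomain
    instance, delim backslash) is realm\\user.  Returns (user, realm); realm is None
    when the delimiter is absent, as in the trace's suffix step.  Names with more
    than one delimiter are not considered here (assumption)."""
    if delim not in user_name:
        return user_name, None
    left, _, right = user_name.partition(delim)
    if fmt == "suffix":
        return left, right
    if fmt == "prefix":
        return right, left
    raise ValueError(f"unknown realm format {fmt!r}")

@dataclass
class Request:
    rid: int
    user_name: str = ""
    realm: tuple = ()          # (module, realm name) as rlm_realm reported it
    inner: str = ""            # inner method/user, e.g. "MS-CHAPv2/oreshkin"
    reply_code: str = ""
    reply_user_name: str = ""  # User-Name attribute sent back in the reply

def parse_trace(text):
    """Return one Request per rad_recv block, in trace order."""
    requests, cur, in_reply = [], None, False
    for line in text.splitlines():
        if m := RAD_RECV.match(line):
            cur = Request(rid=int(m.group(1)))
            requests.append(cur)
            in_reply = False
        elif cur is None:
            continue
        elif m := SENDING.match(line):
            cur.reply_code, in_reply = m.group(1), True
        elif m := ATTR.match(line):
            name, value = m.group(1), m.group(2).replace("\\\\", "\\")  # undo -X escaping
            if name == "User-Name" and in_reply:
                cur.reply_user_name = value
            elif name == "User-Name" and not cur.user_name:
                cur.user_name = value  # first only; later copies are inner-tunnel echoes
        elif m := REALM_FOUND.match(line):
            cur.realm = m.groups()
        elif m := INNER.match(line):
            cur.inner = "/".join(m.groups())
    return requests

def summarise(requests):
    """One line per request; on Access-Accept, compare outer and returned User-Name."""
    out = []
    for r in requests:
        realm = f"{r.realm[1]} via {r.realm[0]}" if r.realm else "none"
        line = (f"id={r.rid} user={r.user_name!r} realm={realm} "
                f"inner={r.inner or '-'} reply={r.reply_code or '?'}")
        if r.reply_code == "Access-Accept":
            line += (" reply-user=same" if r.reply_user_name == r.user_name
                     else f" reply-user={r.reply_user_name!r} (differs from outer)")
        out.append(line)
    return out

if __name__ == "__main__":
    print("\n".join(summarise(parse_trace(SAMPLE_TRACE))))
```

To run it over a real trace, pass the file contents to parse_trace() instead of SAMPLE_TRACE.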