FreeRadius 2.1.6 + EAP-PEAP issue

Anatoly Oreshkin Anatoly.Oreshkin at pnpi.spb.ru
Mon Jul 13 16:11:33 CEST 2009


I've now enabled ntdomain in sites-available/inner-tunnel and
after that modification, authorization of the Vista user succeeded.
Thank you very much.

I would like to add MAC address authorization. For this purpose
I've added the MAC address to the users file like this:

oreshkin Cleartext-Password := "some_password", Calling-Station-Id == "00-16-EA-8A-DE-38"

However, authorization failed; the result of /usr/local/sbin/radiusd -fX
is provided below.

---------------------------------

Ready to process requests.

rad_recv: Access-Request packet from host 192.168.14.240 port 1072, id=0, length=235
 	Message-Authenticator = 0xab90b4e8f45b2157028e895bf7f9ffdc
 	Service-Type = Framed-User
 	User-Name = "csd-notebook\\oreshkin"
 	Framed-MTU = 1488
 	Called-Station-Id = "00-18-6E-8F-73-40:200901azk71And"
 	Calling-Station-Id = "00-16-EA-8A-DE-38"
 	NAS-Identifier = "3Com Access Point 7760"
 	NAS-Port-Type = Wireless-802.11
 	Connect-Info = "CONNECT 54Mbps 802.11g"
 	EAP-Message = 0x0200001a016373642d6e6f7465626f6f6b5c6f726573686b696e
 	NAS-IP-Address = 192.168.14.240
 	NAS-Port = 1
 	NAS-Port-Id = "STA port # 1"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "csd-notebook\oreshkin", looking up realm NULL
[suffix] Found realm "DEFAULT"
[suffix] Adding Stripped-User-Name = "csd-notebook\oreshkin"
[suffix] Adding Realm = "DEFAULT"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[ntdomain] Request already proxied.  Ignoring.
++[ntdomain] returns ok
[eap] EAP packet type response id 0 length 26
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 159
[files] users: Matched entry DEFAULT at line 178
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 0 to 192.168.14.240 port 1072
 	Framed-IP-Address = 255.255.255.254
 	Framed-MTU = 576
 	Service-Type = Framed-User
 	EAP-Message = 0x010100061920
 	Message-Authenticator = 0x00000000000000000000000000000000
 	State = 0x1cd845841cd95ccb36bc9cf89bd12b63
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.14.240 port 1072, id=1, length=359
 	Message-Authenticator = 0xe9dc83dc1457486ee19d0330fcb4e25e
 	Service-Type = Framed-User
 	User-Name = "csd-notebook\\oreshkin"
 	Framed-MTU = 1488
 	State = 0x1cd845841cd95ccb36bc9cf89bd12b63
 	Called-Station-Id = "00-18-6E-8F-73-40:200901azk71And"
 	Calling-Station-Id = "00-16-EA-8A-DE-38"
 	NAS-Identifier = "3Com Access Point 7760"
 	NAS-Port-Type = Wireless-802.11
 	Connect-Info = "CONNECT 54Mbps 802.11g"
 	EAP-Message = 0x0201008419800000007a16030100750100007103014a5b3da7091178c5ce612e30c36477888f6351b2a4ec4d31d47d537d05a18634000018002f00350005000ac009c00ac013c0140032003800130004010000300000001a00180000156373642d6e6f7465626f6f6b5c6f726573686b696e000a00080006001700180019000b00020100
 	NAS-IP-Address = 192.168.14.240
 	NAS-Port = 1
 	NAS-Port-Id = "STA port # 1"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "csd-notebook\oreshkin", looking up realm NULL
[suffix] Found realm "DEFAULT"
[suffix] Adding Stripped-User-Name = "csd-notebook\oreshkin"
[suffix] Adding Realm = "DEFAULT"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[ntdomain] Request already proxied.  Ignoring.
++[ntdomain] returns ok
[eap] EAP packet type response id 1 length 132
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
   TLS Length 122
[peap] Length Included
[peap] eaptls_verify returned 11 
[peap]     (other): before/accept initialization 
[peap]     TLS_accept: before/accept initialization 
[peap] <<< TLS 1.0 Handshake [length 0075], ClientHello 
[peap]     TLS_accept: SSLv3 read client hello A 
[peap] >>> TLS 1.0 Handshake [length 002a], ServerHello 
[peap]     TLS_accept: SSLv3 write server hello A 
[peap] >>> TLS 1.0 Handshake [length 084e], Certificate 
[peap]     TLS_accept: SSLv3 write certificate A 
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone 
[peap]     TLS_accept: SSLv3 write server done A 
[peap]     TLS_accept: SSLv3 flush data 
[peap]     TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase 
In SSL Accept mode 
[peap] eaptls_process returned 13 
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 1 to 192.168.14.240 port 1072
 	EAP-Message = 0x0102040019c00000088b160301002a0200002603014a5b3d483bb3aa596d4ba334157d9f6cdf6639eaf9a88abe2eb765ab6255c24a00002f00160301084e0b00084a0008470003a6308203a23082028aa003020102020101300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479
 	EAP-Message = [hex fragment not preserved]
 	EAP-Message = 0xe98c8abecfdd6268e021a8a17fb6966857f052859cef7a6bdcec12d2127ab2bc72c2b785a25f33c61aec0ff80079a53fb35cdbaebbfa29de9b24841a9a6c46a08073d66b09f3149fc840696c56ef61943d5e2679be18fc2733a012e261b9e9e6ae20c7ba01e2c6e4bfb3ce39325000bc51a2230319e4f8b16bffa46deb80631149f3e97333105b307b101958e9b83407c4398deb9cb32f7c23bdba70c091e79258f0c191edd239290beb26d0aaa8adf6f5ece5f633aef45ef0d4fea2c52b56fc39110203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d01010405000382010100973882c5663e2d6b29
 	EAP-Message = 0xf37acb064274e515f88c05490e81fcb594b8678a665ae9d17134a3e3fdb2df801547f84071730fa696eef58f5c1d73841e52aa2c9a4074cf288ef7158e4f3ae68db182c1798f3da6d86bda0a8a9c54de39f2d94d3e0687a8fa46faedcd36bcc64fd9f2cd74055682782684f674d377c0e2457f5ad4efa4ec460c7527c80769a270128e0a6d12cb79d0bb12fe0a1bb81f6c20b98873ac6718cd0d02ebb7de1cdd720360252cc736c2e84bfe1c87a695dcb7e2b4d982f0736305017d65ec72506bed1578f806479bedc2b5bfa83f0e15ccc03bbe908e734351e5843806e9dcb659b98056909aeed953e9e24d7e0e1f8163deb5f4f5076e5c00049b308204
 	EAP-Message = 0x973082037fa0030201020201
 	Message-Authenticator = 0x00000000000000000000000000000000
 	State = 0x1cd845841dda5ccb36bc9cf89bd12b63
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.14.240 port 1072, id=2, length=233
 	Message-Authenticator = 0x6e4c448152aff4fd62c9fa4cb4908f2c
 	Service-Type = Framed-User
 	User-Name = "csd-notebook\\oreshkin"
 	Framed-MTU = 1488
 	State = 0x1cd845841dda5ccb36bc9cf89bd12b63
 	Called-Station-Id = "00-18-6E-8F-73-40:200901azk71And"
 	Calling-Station-Id = "00-16-EA-8A-DE-38"
 	NAS-Identifier = "3Com Access Point 7760"
 	NAS-Port-Type = Wireless-802.11
 	Connect-Info = "CONNECT 54Mbps 802.11g"
 	EAP-Message = 0x020200061900
 	NAS-IP-Address = 192.168.14.240
 	NAS-Port = 1
 	NAS-Port-Id = "STA port # 1"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "csd-notebook\oreshkin", looking up realm NULL
[suffix] Found realm "DEFAULT"
[suffix] Adding Stripped-User-Name = "csd-notebook\oreshkin"
[suffix] Adding Realm = "DEFAULT"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[ntdomain] Request already proxied.  Ignoring.
++[ntdomain] returns ok
[eap] EAP packet type response id 2 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1 
[peap] eaptls_process returned 13 
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 2 to 192.168.14.240 port 1072
 	EAP-Message = [hex fragment not preserved]
 	EAP-Message = [hex fragment not preserved]
 	EAP-Message = [hex fragment not preserved]
 	EAP-Message = [hex fragment not preserved]
 	EAP-Message = 0xde231ca42761b9ba
 	Message-Authenticator = 0x00000000000000000000000000000000
 	State = 0x1cd845841edb5ccb36bc9cf89bd12b63
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.14.240 port 1072, id=3, length=233
 	Message-Authenticator = 0x80e476011f2a99d8957c70f5b74469e6
 	Service-Type = Framed-User
 	User-Name = "csd-notebook\\oreshkin"
 	Framed-MTU = 1488
 	State = 0x1cd845841edb5ccb36bc9cf89bd12b63
 	Called-Station-Id = "00-18-6E-8F-73-40:200901azk71And"
 	Calling-Station-Id = "00-16-EA-8A-DE-38"
 	NAS-Identifier = "3Com Access Point 7760"
 	NAS-Port-Type = Wireless-802.11
 	Connect-Info = "CONNECT 54Mbps 802.11g"
 	EAP-Message = 0x020300061900
 	NAS-IP-Address = 192.168.14.240
 	NAS-Port = 1
 	NAS-Port-Id = "STA port # 1"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "csd-notebook\oreshkin", looking up realm NULL
[suffix] Found realm "DEFAULT"
[suffix] Adding Stripped-User-Name = "csd-notebook\oreshkin"
[suffix] Adding Realm = "DEFAULT"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[ntdomain] Request already proxied.  Ignoring.
++[ntdomain] returns ok
[eap] EAP packet type response id 3 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1 
[peap] eaptls_process returned 13 
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 3 to 192.168.14.240 port 1072
 	EAP-Message = 0x010400a51900504fbacfc37f212076882bd7b098391319a08e59fc4d3dee5493579716c999ee20be7eed64f3b465e8ff5b718e9751b2c4ca5d1cd6700ccf0341f6a270aed40707094b7b6c39c78c581fa330b26bfb74042202fde6398f0fa591d0e164f5980d197175a49c7b9769cebfa4eef1f5527383f230b4df20935fa3903e171a05d038c6effefc1bf76e95dd86d637a53fc8ae83bdc13ea56d16030100040e000000
 	Message-Authenticator = 0x00000000000000000000000000000000
 	State = 0x1cd845841fdc5ccb36bc9cf89bd12b63
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.14.240 port 1072, id=4, length=565
 	Message-Authenticator = 0x772a2a7cde5ab90adf1339ea4504e5a4
 	Service-Type = Framed-User
 	User-Name = "csd-notebook\\oreshkin"
 	Framed-MTU = 1488
 	State = 0x1cd845841fdc5ccb36bc9cf89bd12b63
 	Called-Station-Id = "00-18-6E-8F-73-40:200901azk71And"
 	Calling-Station-Id = "00-16-EA-8A-DE-38"
 	NAS-Identifier = "3Com Access Point 7760"
 	NAS-Port-Type = Wireless-802.11
 	Connect-Info = "CONNECT 54Mbps 802.11g"
 	EAP-Message = [hex fragment not preserved]
 	EAP-Message = 0x979f449ded68c732c69107cb0cc5831df7865a7b971f99c91403010001011603010030448cc2e576a615f1026d6e6ca6882439eb3bbfe1802a7c536aae7e8a58dd488073b99646cf5ff348715aff4d7636efff
 	NAS-IP-Address = 192.168.14.240
 	NAS-Port = 1
 	NAS-Port-Id = "STA port # 1"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "csd-notebook\oreshkin", looking up realm NULL
[suffix] Found realm "DEFAULT"
[suffix] Adding Stripped-User-Name = "csd-notebook\oreshkin"
[suffix] Adding Realm = "DEFAULT"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[ntdomain] Request already proxied.  Ignoring.
++[ntdomain] returns ok
[eap] EAP packet type response id 4 length 253
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
   TLS Length 326
[peap] Length Included
[peap] eaptls_verify returned 11 
[peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange 
[peap]     TLS_accept: SSLv3 read client key exchange A 
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] 
[peap] <<< TLS 1.0 Handshake [length 0010], Finished 
[peap]     TLS_accept: SSLv3 read finished A 
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] 
[peap]     TLS_accept: SSLv3 write change cipher spec A 
[peap] >>> TLS 1.0 Handshake [length 0010], Finished 
[peap]     TLS_accept: SSLv3 write finished A 
[peap]     TLS_accept: SSLv3 flush data 
[peap]     (other): SSL negotiation finished successfully 
SSL Connection Established 
[peap] eaptls_process returned 13 
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 4 to 192.168.14.240 port 1072
 	EAP-Message = 0x01050041190014030100010116030100309b044cc51fa4953a63d076b0bf983a8da597f4a0c74479ca71ebd2d725e0a9175492362068f5b0af5ac669b952d43946
 	Message-Authenticator = 0x00000000000000000000000000000000
 	State = 0x1cd8458418dd5ccb36bc9cf89bd12b63
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.14.240 port 1072, id=5, length=233
 	Message-Authenticator = 0x368d297a7de5efd4ecf20c5609bdeec9
 	Service-Type = Framed-User
 	User-Name = "csd-notebook\\oreshkin"
 	Framed-MTU = 1488
 	State = 0x1cd8458418dd5ccb36bc9cf89bd12b63
 	Called-Station-Id = "00-18-6E-8F-73-40:200901azk71And"
 	Calling-Station-Id = "00-16-EA-8A-DE-38"
 	NAS-Identifier = "3Com Access Point 7760"
 	NAS-Port-Type = Wireless-802.11
 	Connect-Info = "CONNECT 54Mbps 802.11g"
 	EAP-Message = 0x020500061900
 	NAS-IP-Address = 192.168.14.240
 	NAS-Port = 1
 	NAS-Port-Id = "STA port # 1"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "csd-notebook\oreshkin", looking up realm NULL
[suffix] Found realm "DEFAULT"
[suffix] Adding Stripped-User-Name = "csd-notebook\oreshkin"
[suffix] Adding Realm = "DEFAULT"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[ntdomain] Request already proxied.  Ignoring.
++[ntdomain] returns ok
[eap] EAP packet type response id 5 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3 
[peap] eaptls_process returned 3 
[peap] EAPTLS_SUCCESS
++[eap] returns handled
Sending Access-Challenge of id 5 to 192.168.14.240 port 1072
 	EAP-Message = 0x0106002b19001703010020c6fb5d7268ec78ef1f9d3671de356278fd67065c9cf012d0c1de36c6afbd70b4
 	Message-Authenticator = 0x00000000000000000000000000000000
 	State = 0x1cd8458419de5ccb36bc9cf89bd12b63
Finished request 5.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.14.240 port 1072, id=6, length=286
 	Message-Authenticator = 0x550e2114fae741954504321d47da07bd
 	Service-Type = Framed-User
 	User-Name = "csd-notebook\\oreshkin"
 	Framed-MTU = 1488
 	State = 0x1cd8458419de5ccb36bc9cf89bd12b63
 	Called-Station-Id = "00-18-6E-8F-73-40:200901azk71And"
 	Calling-Station-Id = "00-16-EA-8A-DE-38"
 	NAS-Identifier = "3Com Access Point 7760"
 	NAS-Port-Type = Wireless-802.11
 	Connect-Info = "CONNECT 54Mbps 802.11g"
 	EAP-Message = 0x0206003b19001703010030805ecc8cfaac3addedb0a50794219e83a270716f48eeb8e60a0c3ab3fed53c5198b105fbb713b908f6f8d93e6d536622
 	NAS-IP-Address = 192.168.14.240
 	NAS-Port = 1
 	NAS-Port-Id = "STA port # 1"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "csd-notebook\oreshkin", looking up realm NULL
[suffix] Found realm "DEFAULT"
[suffix] Adding Stripped-User-Name = "csd-notebook\oreshkin"
[suffix] Adding Realm = "DEFAULT"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[ntdomain] Request already proxied.  Ignoring.
++[ntdomain] returns ok
[eap] EAP packet type response id 6 length 59
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7 
[peap] Done initial handshake
[peap] eaptls_process returned 7 
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Identity - csd-notebook\oreshkin
[peap] Got tunneled request
 	EAP-Message = 0x0206001a016373642d6e6f7465626f6f6b5c6f726573686b696e
server  {
   PEAP: Got tunneled identity of csd-notebook\oreshkin
   PEAP: Setting default EAP type for tunneled EAP session.
   PEAP: Setting User-Name to csd-notebook\oreshkin
Sending tunneled request
 	EAP-Message = 0x0206001a016373642d6e6f7465626f6f6b5c6f726573686b696e
 	FreeRADIUS-Proxied-To = 127.0.0.1
 	User-Name = "csd-notebook\\oreshkin"
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[ntdomain] Looking up realm "csd-notebook" for User-Name = "csd-notebook\oreshkin"
[ntdomain] Found realm "DEFAULT"
[ntdomain] Adding Stripped-User-Name = "oreshkin"
[ntdomain] Adding Realm = "DEFAULT"
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
++[control] returns ok
[eap] EAP packet type response id 6 length 26
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry DEFAULT at line 159
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
 	EAP-Message = 0x0107002f1a0107002a100251dc4f5cece54da2b8881378dd444c6373642d6e6f7465626f6f6b5c6f726573686b696e
 	Message-Authenticator = 0x00000000000000000000000000000000
 	State = 0x86b209f786b51352b3578e7a38b869c7
[peap] Got tunneled reply RADIUS code 11
 	EAP-Message = 0x0107002f1a0107002a100251dc4f5cece54da2b8881378dd444c6373642d6e6f7465626f6f6b5c6f726573686b696e
 	Message-Authenticator = 0x00000000000000000000000000000000
 	State = 0x86b209f786b51352b3578e7a38b869c7
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 6 to 192.168.14.240 port 1072
 	EAP-Message = 0x0107004b1900170301004026664765ea523fba2ed015d3248195d02b335d7579ca0921452aaa563aa2c3a3a50bb02aca55a3cb8db677961421a3580157bbdb57a56a1ac143c69282ad8133
 	Message-Authenticator = 0x00000000000000000000000000000000
 	State = 0x1cd845841adf5ccb36bc9cf89bd12b63
Finished request 6.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.14.240 port 1072, id=7, length=334
 	Message-Authenticator = 0x65f839b7d5eac06c3a75e2138584465b
 	Service-Type = Framed-User
 	User-Name = "csd-notebook\\oreshkin"
 	Framed-MTU = 1488
 	State = 0x1cd845841adf5ccb36bc9cf89bd12b63
 	Called-Station-Id = "00-18-6E-8F-73-40:200901azk71And"
 	Calling-Station-Id = "00-16-EA-8A-DE-38"
 	NAS-Identifier = "3Com Access Point 7760"
 	NAS-Port-Type = Wireless-802.11
 	Connect-Info = "CONNECT 54Mbps 802.11g"
 	EAP-Message = 0x0207006b1900170301006009cf68bc35f1789bb629f7cc6d1dc521f8abe45174ee9ec287237f97a3bad789635c92bc033059ac8e946446e7e0b324748de27694f96a2bf214b2d76e6c826eda7b897c26ed974ed4d2dd73c6c6058942661082dbb9d5a4388f32a96d14348c
 	NAS-IP-Address = 192.168.14.240
 	NAS-Port = 1
 	NAS-Port-Id = "STA port # 1"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "csd-notebook\oreshkin", looking up realm NULL
[suffix] Found realm "DEFAULT"
[suffix] Adding Stripped-User-Name = "csd-notebook\oreshkin"
[suffix] Adding Realm = "DEFAULT"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[ntdomain] Request already proxied.  Ignoring.
++[ntdomain] returns ok
[eap] EAP packet type response id 7 length 107
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7 
[peap] Done initial handshake
[peap] eaptls_process returned 7 
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] EAP type mschapv2
[peap] Got tunneled request
 	EAP-Message = 0x020700431a0207003e31543b42e36c388e9b55a8ddbfeb34b90a0000000000000000e406ca6b04ef491b2ef4d0b1d86507ad62c94c09492ed747006f726573686b696e
server  {
   PEAP: Setting User-Name to csd-notebook\oreshkin
Sending tunneled request
 	EAP-Message = 0x020700431a0207003e31543b42e36c388e9b55a8ddbfeb34b90a0000000000000000e406ca6b04ef491b2ef4d0b1d86507ad62c94c09492ed747006f726573686b696e
 	FreeRADIUS-Proxied-To = 127.0.0.1
 	User-Name = "csd-notebook\\oreshkin"
 	State = 0x86b209f786b51352b3578e7a38b869c7
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[ntdomain] Looking up realm "csd-notebook" for User-Name = "csd-notebook\oreshkin"
[ntdomain] Found realm "DEFAULT"
[ntdomain] Adding Stripped-User-Name = "oreshkin"
[ntdomain] Adding Realm = "DEFAULT"
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
++[control] returns ok
[eap] EAP packet type response id 7 length 67
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry DEFAULT at line 159
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for oreshkin with NT-Password
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
} # server inner-tunnel
[peap] Got tunneled reply code 3
 	MS-CHAP-Error = "\007E=691 R=1"
 	EAP-Message = 0x04070004
 	Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code 3
 	MS-CHAP-Error = "\007E=691 R=1"
 	EAP-Message = 0x04070004
 	Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] returns handled
Sending Access-Challenge of id 7 to 192.168.14.240 port 1072
 	EAP-Message = 0x0108002b19001703010020f53ff8fc7bf5c304bfca89826b65c7d28c735a30e86689c6af72a02d870916b7
 	Message-Authenticator = 0x00000000000000000000000000000000
 	State = 0x1cd845841bd05ccb36bc9cf89bd12b63
Finished request 7.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.14.240 port 1072, id=8, length=270
 	Message-Authenticator = 0xd5b9303bee9ed637d8fa83cd14602a75
 	Service-Type = Framed-User
 	User-Name = "csd-notebook\\oreshkin"
 	Framed-MTU = 1488
 	State = 0x1cd845841bd05ccb36bc9cf89bd12b63
 	Called-Station-Id = "00-18-6E-8F-73-40:200901azk71And"
 	Calling-Station-Id = "00-16-EA-8A-DE-38"
 	NAS-Identifier = "3Com Access Point 7760"
 	NAS-Port-Type = Wireless-802.11
 	Connect-Info = "CONNECT 54Mbps 802.11g"
 	EAP-Message = 0x0208002b1900170301002054077a731a80335cfc0c20507b5d608c8d3c489203490c87691ccfdcda252bd5
 	NAS-IP-Address = 192.168.14.240
 	NAS-Port = 1
 	NAS-Port-Id = "STA port # 1"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "csd-notebook\oreshkin", looking up realm NULL
[suffix] Found realm "DEFAULT"
[suffix] Adding Stripped-User-Name = "csd-notebook\oreshkin"
[suffix] Adding Realm = "DEFAULT"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[ntdomain] Request already proxied.  Ignoring.
++[ntdomain] returns ok
[eap] EAP packet type response id 8 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7 
[peap] Done initial handshake
[peap] eaptls_process returned 7 
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Received EAP-TLV response.
[peap]  Had sent TLV failure.  User was rejected earlier in this session.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] 	expand: %{User-Name} -> csd-notebook\oreshkin
  attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 8 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 8
Sending Access-Reject of id 8 to 192.168.14.240 port 1072
 	EAP-Message = 0x04080004
 	Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.

------------------------------------------

What's wrong? Are there any other ways of performing such authorization?

Thanks.



On Mon, 13 Jul 2009, Ivan Kalik wrote:

> Date: Mon, 13 Jul 2009 12:08:42 +0100 (BST)
> From: Ivan Kalik <tnt at kalik.net>
> To: Anatoly Oreshkin <Anatoly.Oreshkin at pnpi.spb.ru>
> Subject: Re: FreeRadius 2.1.6 + EAP-PEAP issue
> 
>>
>> I've configured realm DEFAULT in proxy.conf again:
>>
>> realm DEFAULT {
>>          type            = radius
>>          authhost        = LOCAL
>>          accthost        = LOCAL
>> }
>>
>> and deleted realm csd-notebook because csd-notebook is notebook name
>> rather than domain name.
>>
>> Also I 've disabled suffix in sites-available/inner-tunnel
>
> But didn't enable ntdomain there (you have enabled it in default virtual
> server).
>
> On the other hand, if you configure XP supplicant properly (ie. not to
> send Windows logon name) you won't need any of this.
>
> Ivan Kalik
> Kalik Informatika ISP
>
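The users-file entry and the tunneled request from the debug output above, modelled in Python as an added example (this is not part of the original post and not FreeRADIUS code). It implements a deliberately simplified version of rlm_files matching: the entry name is compared against one lookup attribute (which attribute rlm_files uses as its key depends on the module configuration, so it is a parameter here), a `==` check item must be present in the request and equal, and `:=` items become control items such as Cleartext-Password once the entry matches. The two sample requests are constructed from the attributes the log prints for the outer Access-Request and for the request sent into `server inner-tunnel`.

```python
"""
Simplified model of matching a FreeRADIUS `users` entry against a request.
Example code written for this page; the real rlm_files has more operators,
Fall-Through handling and a configurable lookup key.  Sample requests are
constructed from the attributes shown in the radiusd -X output above.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Tuple

# One item of an entry's first line: `Attribute OP "value"`, optionally
# followed by a comma.  `==` is a check item; `:=`, `=`, `+=` are control items.
ITEM_RE = re.compile(r'([A-Za-z0-9-]+)\s*(==|:=|\+=|=)\s*"([^"]*)"\s*,?\s*')


@dataclass
class UsersEntry:
    name: str
    checks: Dict[str, Tuple[str, str]] = field(default_factory=dict)
    controls: Dict[str, str] = field(default_factory=dict)


def parse_entry(line: str) -> UsersEntry:
    """Parse the first line of a users-file entry: `name item, item, ...`."""
    name, _, rest = line.strip().partition(" ")
    entry = UsersEntry(name=name)
    rest = rest.strip()
    pos = 0
    while pos < len(rest):
        m = ITEM_RE.match(rest, pos)
        if m is None:
            raise ValueError(f"cannot parse item at: {rest[pos:]!r}")
        attr, op, value = m.groups()
        if op == "==":
            entry.checks[attr] = (op, value)
        else:
            entry.controls[attr] = value
        pos = m.end()
    return entry


def match_entry(entry: UsersEntry, request: Dict[str, str],
                key_attr: str = "User-Name") -> Tuple[bool, str]:
    """Return (matched, reason).

    The entry name must equal request[key_attr] (DEFAULT matches any name),
    then every `==` check item must hold.  A check on an attribute the request
    does not carry fails; it is not skipped.
    """
    if entry.name != "DEFAULT":
        key = request.get(key_attr)
        if key != entry.name:
            return False, f"name {entry.name!r} != {key_attr} {key!r}"
    for attr, (_op, want) in entry.checks.items():
        have = request.get(attr)
        if have is None:
            return False, f"{attr} absent from request"
        if have != want:
            return False, f"{attr} {have!r} != {want!r}"
    return True, "matched"


# The entry posted above (Python escaping only; same text as the users file).
ENTRY_LINE = ('oreshkin Cleartext-Password := "some_password", '
              'Calling-Station-Id == "00-16-EA-8A-DE-38"')

# Outer Access-Request as printed by rad_recv (trimmed to relevant attributes).
OUTER_REQUEST = {
    "User-Name": "csd-notebook\\oreshkin",
    "Calling-Station-Id": "00-16-EA-8A-DE-38",
    "NAS-Port-Type": "Wireless-802.11",
}

# Request as the log shows it being sent into server inner-tunnel
# (EAP-Message omitted), plus the Stripped-User-Name that ntdomain adds there.
INNER_REQUEST = {
    "User-Name": "csd-notebook\\oreshkin",
    "FreeRADIUS-Proxied-To": "127.0.0.1",
    "Stripped-User-Name": "oreshkin",
}


def evaluate_scenarios() -> Dict[str, Tuple[bool, str]]:
    """Match the posted entry against the requests the log shows."""
    entry = parse_entry(ENTRY_LINE)
    # Constructed variant: inner request with the outer MAC address copied in.
    with_mac = dict(INNER_REQUEST,
                    **{"Calling-Station-Id": OUTER_REQUEST["Calling-Station-Id"]})
    return {
        "outer": match_entry(entry, OUTER_REQUEST),
        "inner_by_user_name": match_entry(entry, INNER_REQUEST),
        "inner_by_stripped_name": match_entry(entry, INNER_REQUEST, "Stripped-User-Name"),
        "inner_with_mac_copied": match_entry(entry, with_mac, "Stripped-User-Name"),
    }


if __name__ == "__main__":
    for scenario, (ok, why) in evaluate_scenarios().items():
        print(f"{scenario:24s} {'MATCH ' if ok else 'NO MATCH'} {why}")
```

Run stand-alone, the model reproduces what the debug output shows: the entry never matches as the log stands. In the outer server the User-Name still carries the `csd-notebook\` prefix, and inside the tunnel the request carries only EAP-Message, FreeRADIUS-Proxied-To and User-Name, so a Calling-Station-Id check item has nothing to compare against even when the stripped name is used as the key. Whether outer attributes are copied into the tunnel is controlled by the peap section of eap.conf (copy_request_to_tunnel); the last scenario shows the entry matching and supplying Cleartext-Password once the MAC address is present in the inner request.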
