Connecting freeRadius to openLDAP
Eric Bourkland
eric.bourkland at trustedconcepts.com
Tue Jul 21 21:47:51 CEST 2009
Below is my debug file. The interesting thing is that when I try to do an LDAP search, it doesn't list the password attribute, but when I connect with my test user in the users file it does, and I am connecting from the same laptop.
I think you are right that my Zimbra OpenLDAP is encrypted/encoded and that is the problem. Then my question is: how do I secure that so that I'm not just storing and passing clear-text passwords all over the place?
rad_recv: Access-Request packet from host 192.168.10.1 port 1028, id=0, length=133
User-Name = "john.smith"
NAS-IP-Address = 192.168.10.1
Called-Station-Id = "00183ab6d76e"
Calling-Station-Id = "0013ce89b690"
NAS-Identifier = "00183ab6d76e"
NAS-Port = 47
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0200000f016a6f686e2e736d697468
Message-Authenticator = 0xaf4eb5a6f8547deb69ddff376f672094
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "john.smith", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 0 length 15
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
[ldap] performing user authorization for john.smith
[ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
[ldap] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=john.smith)
[ldap] expand: ou=people,dc=localhost,dc=localdomain -> ou=people,dc=localhost,dc=localdomain
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 192.168.10.148:389, authentication 0
rlm_ldap: bind as uid=admin,ou=people,dc=localhost,dc=localdomain/P at ssw0rd to 192.168.10.148:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=people,dc=localhost,dc=localdomain, with filter (uid=john.smith)
[ldap] checking if remote access for john.smith is allowed by uid
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
[ldap] user john.smith authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 0 to 192.168.10.1 port 1028
EAP-Message = 0x0101001604102b6303c4711a8bcc35090687fc1998a8
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xcf57d13dcf56d5e622d1578f22f315ad
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.10.1 port 1028, id=0, length=142
Cleaning up request 0 ID 0 with timestamp +24
User-Name = "john.smith"
NAS-IP-Address = 192.168.10.1
Called-Station-Id = "00183ab6d76e"
Calling-Station-Id = "0013ce89b690"
NAS-Identifier = "00183ab6d76e"
NAS-Port = 47
Framed-MTU = 1400
State = 0xcf57d13dcf56d5e622d1578f22f315ad
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020100060319
Message-Authenticator = 0xa2a6ee3874799287a298c26fb263ce5e
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "john.smith", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
[ldap] performing user authorization for john.smith
[ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
[ldap] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=john.smith)
[ldap] expand: ou=people,dc=localhost,dc=localdomain -> ou=people,dc=localhost,dc=localdomain
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=people,dc=localhost,dc=localdomain, with filter (uid=john.smith)
[ldap] checking if remote access for john.smith is allowed by uid
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
[ldap] user john.smith authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/peap
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 0 to 192.168.10.1 port 1028
EAP-Message = 0x010200061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xcf57d13dce55c8e622d1578f22f315ad
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.10.1 port 1028, id=0, length=216
Cleaning up request 1 ID 0 with timestamp +24
User-Name = "john.smith"
NAS-IP-Address = 192.168.10.1
Called-Station-Id = "00183ab6d76e"
Calling-Station-Id = "0013ce89b690"
NAS-Identifier = "00183ab6d76e"
NAS-Port = 47
Framed-MTU = 1400
State = 0xcf57d13dce55c8e622d1578f22f315ad
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0202005019800000004616030100410100003d03014a660d188a976348a566be0a8a662be1d9b58a0e383ddfe020ee7eb534e1c0e000001600040005000a000900640062000300060013001200630100
Message-Authenticator = 0x06af61713c03caa1b0ddb439d6ae6fa2
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "john.smith", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 80
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 70
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 0041], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 002a], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 084e], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 0 to 192.168.10.1 port 1028
EAP-Message = 0x973082037fa0030201020201
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xcf57d13dcd54c8e622d1578f22f315ad
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.10.1 port 1028, id=0, length=142
Cleaning up request 2 ID 0 with timestamp +24
User-Name = "john.smith"
NAS-IP-Address = 192.168.10.1
Called-Station-Id = "00183ab6d76e"
Calling-Station-Id = "0013ce89b690"
NAS-Identifier = "00183ab6d76e"
NAS-Port = 47
Framed-MTU = 1400
State = 0xcf57d13dcd54c8e622d1578f22f315ad
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020300061900
Message-Authenticator = 0x8c1d0bcc410400738fd5732c68b0b4a4
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "john.smith", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 0 to 192.168.10.1 port 1028
EAP-Message = 0x6865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100b5979e950c50911aa21ed04f422eb772a89deb4b5cf16730367db8aa0426272a80aa210c69d60400bec39aa9ab756f3913c35a6df5d5c2adb2c62121c0b3fd2fed2f6b4da9d254ac08e036a7ea860dcb7c3dabfda4c18dae9089d1976716c1f42d47b4aa644905c0f9e48b145dfdae26769c33b5ea7682
EAP-Message = 0x191fb2b2b06f07ab
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xcf57d13dcc53c8e622d1578f22f315ad
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.10.1 port 1028, id=0, length=142
Cleaning up request 3 ID 0 with timestamp +24
User-Name = "john.smith"
NAS-IP-Address = 192.168.10.1
Called-Station-Id = "00183ab6d76e"
Calling-Station-Id = "0013ce89b690"
NAS-Identifier = "00183ab6d76e"
NAS-Port = 47
Framed-MTU = 1400
State = 0xcf57d13dcc53c8e622d1578f22f315ad
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020400061900
Message-Authenticator = 0xc8787e53c8ffc8bb451b5a597f92bc6d
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "john.smith", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 4 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 0 to 192.168.10.1 port 1028
EAP-Message = 0x010500a5190050ae73fe5117ef851690c310df6e393fc5202a16a53c96bda8996ff529c681ded0a63b2169cf4946576e54194e00be1359012d81b3595ca0248557332f401a9620c09feb37eea0fded47f1243cb6d01f2818750e0ffd3cb5c161a1b51be7df87bde47000f9c3c51b5f0665bace691349b36a1916159fb0931037b1ffbbdcc1f07b0677755a24e992944e2c4338b66ba9b592eec5b26a16030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xcf57d13dcb52c8e622d1578f22f315ad
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.10.1 port 1028, id=0, length=458
Cleaning up request 4 ID 0 with timestamp +24
User-Name = "john.smith"
NAS-IP-Address = 192.168.10.1
Called-Station-Id = "00183ab6d76e"
Calling-Station-Id = "0013ce89b690"
NAS-Identifier = "00183ab6d76e"
NAS-Port = 47
Framed-MTU = 1400
State = 0xcf57d13dcb52c8e622d1578f22f315ad
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x02050140198000000136160301010610000102010027ab785db9527ca12cd92f09eb9826e0c1a01f9a2427843311aa5647bf3e5c9576574ee261a8104dce91063471caaa80dd6daeb0e86de1fc8e1ec77a9d82668ddd8dc5732c739ebf6eb464966904f86dfbb83e64c5d7e2739fee0c5062dbaaf04f5e4cde24262c7e5bf7475d85849b1241703713ad10ee45a375e5f64783f4d557ef6016f554b551a522b18caa30b2041bc66518b5dda58ee17cdc92e6efd6b22452dbc747a34aad8ca0338697036fc96d4e789fc115c7ef9072f8932c189a7fb7c6fd16d004107c8503365a9f23338a1645639f3385e6f5a1386ec02a97102f6da5537f345c06d9
EAP-Message = 0x437331f1e570132dfda72eeb030932199ebec4bfeab51aca14030100010116030100206305cbd5ad82ee900ba4aba093c8ae66dd7dfa3ae6efe1098a4ea34d03460626
Message-Authenticator = 0x4faa2a0e07b1eb195c0f607fea520eb2
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "john.smith", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 5 length 253
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 310
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange
[peap] TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap] TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 write finished A
[peap] TLS_accept: SSLv3 flush data
[peap] (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 0 to 192.168.10.1 port 1028
EAP-Message = 0x0106003119001403010001011603010020c36d4292f46b11f942e286af1f1741279100c3b4dfb24e278cbb8040cb28928f
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xcf57d13dca51c8e622d1578f22f315ad
Finished request 5.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.10.1 port 1028, id=0, length=142
Cleaning up request 5 ID 0 with timestamp +24
User-Name = "john.smith"
NAS-IP-Address = 192.168.10.1
Called-Station-Id = "00183ab6d76e"
Calling-Station-Id = "0013ce89b690"
NAS-Identifier = "00183ab6d76e"
NAS-Port = 47
Framed-MTU = 1400
State = 0xcf57d13dca51c8e622d1578f22f315ad
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020600061900
Message-Authenticator = 0x2d9fc7ba68eb2c5deb809d9f21cf1c45
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "john.smith", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 6 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
++[eap] returns handled
Sending Access-Challenge of id 0 to 192.168.10.1 port 1028
EAP-Message = 0x0107002019001703010015a0643d693ede06d2ea160c5a4eccddb247ecb84ef9
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xcf57d13dc950c8e622d1578f22f315ad
Finished request 6.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.10.1 port 1028, id=0, length=174
Cleaning up request 6 ID 0 with timestamp +24
User-Name = "john.smith"
NAS-IP-Address = 192.168.10.1
Called-Station-Id = "00183ab6d76e"
Calling-Station-Id = "0013ce89b690"
NAS-Identifier = "00183ab6d76e"
NAS-Port = 47
Framed-MTU = 1400
State = 0xcf57d13dc950c8e622d1578f22f315ad
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020700261900170301001be80b6789d15becf22da83fc7e2b02bc8e35ad6b6507aa9ec1c39f6
Message-Authenticator = 0x6b3cf2b40e5c51d55f0a79aa14096de4
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "john.smith", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 7 length 38
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Identity - john.smith
[peap] Got tunneled request
EAP-Message = 0x0207000f016a6f686e2e736d697468
server {
PEAP: Got tunneled identity of john.smith
PEAP: Setting default EAP type for tunneled EAP session.
PEAP: Setting User-Name to john.smith
Sending tunneled request
EAP-Message = 0x0207000f016a6f686e2e736d697468
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "john.smith"
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "john.smith", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 7 length 15
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
EAP-Message = 0x010800241a0108001f108662ce678bd2e6eb69b07d83486ed8406a6f686e2e736d697468
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xb46e2919b46633c79a7500808cf9a6d2
[peap] Got tunneled reply RADIUS code 11
EAP-Message = 0x010800241a0108001f108662ce678bd2e6eb69b07d83486ed8406a6f686e2e736d697468
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xb46e2919b46633c79a7500808cf9a6d2
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 0 to 192.168.10.1 port 1028
EAP-Message = 0x0108003b19001703010030462053235c94a48662e429ba0de3a90800bdd1008007d3a7f1d7f5d5614b6742284f6fe64d4a1e71b96063dfe477c666
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xcf57d13dc85fc8e622d1578f22f315ad
Finished request 7.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.10.1 port 1028, id=0, length=228
Cleaning up request 7 ID 0 with timestamp +24
User-Name = "john.smith"
NAS-IP-Address = 192.168.10.1
Called-Station-Id = "00183ab6d76e"
Calling-Station-Id = "0013ce89b690"
NAS-Identifier = "00183ab6d76e"
NAS-Port = 47
Framed-MTU = 1400
State = 0xcf57d13dc85fc8e622d1578f22f315ad
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0208005c1900170301005140ff0cc9373ae6cfe5e944eb89d6c1c23c98d1910b60eb11854298c0eaf269b15d9fedc270ea7d535f56ab9f349e557643b61a84386a2864233e01e04aca5dc20bb9079c7937d0005458efbd7bd6f867db
Message-Authenticator = 0x001449d0c41d0c0954a804314a89138a
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "john.smith", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 8 length 92
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] EAP type mschapv2
[peap] Got tunneled request
EAP-Message = 0x020800451a02080040310e74336f7daa6ed81f2f9467a3e43d290000000000000000e1f09c69382a3029bd87f46cb9222ad4620b26a84796236a006a6f686e2e736d697468
server {
PEAP: Setting User-Name to john.smith
Sending tunneled request
EAP-Message = 0x020800451a02080040310e74336f7daa6ed81f2f9467a3e43d290000000000000000e1f09c69382a3029bd87f46cb9222ad4620b26a84796236a006a6f686e2e736d697468
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "john.smith"
State = 0xb46e2919b46633c79a7500808cf9a6d2
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "john.smith", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 8 length 69
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for john.smith with NT-Password
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
} # server inner-tunnel
[peap] Got tunneled reply code 3
MS-CHAP-Error = "\010E=691 R=1"
EAP-Message = 0x04080004
Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code 3
MS-CHAP-Error = "\010E=691 R=1"
EAP-Message = 0x04080004
Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] returns handled
Sending Access-Challenge of id 0 to 192.168.10.1 port 1028
EAP-Message = 0x010900261900170301001bd00620d870231b7eb2763ab762296996947d2dccf03a08ec43b240
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xcf57d13dc75ec8e622d1578f22f315ad
Finished request 8.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.10.1 port 1028, id=0, length=174
Cleaning up request 8 ID 0 with timestamp +24
User-Name = "john.smith"
NAS-IP-Address = 192.168.10.1
Called-Station-Id = "00183ab6d76e"
Calling-Station-Id = "0013ce89b690"
NAS-Identifier = "00183ab6d76e"
NAS-Port = 47
Framed-MTU = 1400
State = 0xcf57d13dc75ec8e622d1578f22f315ad
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020900261900170301001be095bacaf673f05186741eeb42bea1b84d82d4f431d1c2228c9b3c
Message-Authenticator = 0x4b048c296dd9e95fd721925db63e30d7
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "john.smith", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 9 length 38
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Received EAP-TLV response.
[peap] Had sent TLV failure. User was rejected earlier in this session.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> john.smith
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 9 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 9
Sending Access-Reject of id 0 to 192.168.10.1 port 1028
EAP-Message = 0x04090004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 4.9 seconds.
Cleaning up request 9 ID 0 with timestamp +24
Ready to process requests.
----- Original Message -----
From: Ivan Kalik <tnt at kalik.net>
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Sent: Tue, 21 Jul 2009 12:33:13 -0500 (CDT)
Subject: Re: Connecting freeRadius to openLDAP
> Yes, I am trying to do MSCHAPv2 from the laptop.
> If the below is true, why am I able to do a successful radtest user
> password server 0 secret on the radius server?
Because pap works with almost any encryption. Also, ldap "bind as user"
authentication will work with a pap request in case ldap is not passing
the password to radius at all.
> I believe the password is plain text but I'm not 100% positive, I am able
> to connect other software such as Confluence to it with open passwords.
Post the debug (radiusd -X).
Ivan Kalik
Kalik Informatika ISP
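The debug output above fails at "[mschap] No Cleartext-Password configured. Cannot create NT-Password." while radtest (PAP) succeeds, and Ivan's reply gives the reason: PAP can be checked against almost any stored hash, MS-CHAPv2 cannot. The following is an added example, not part of this thread or of FreeRADIUS itself, that illustrates that rule in code. It classifies an RFC 2307 style userPassword value by its {SCHEME} prefix into the RADIUS methods it can support, and verifies a PAP request against a {SSHA} value the way rlm_pap does. The scheme-to-method table is a simplification written for this example; treating "{NT}" as a stored NT hash mirrors the NT-Password attribute FreeRADIUS expects but is an assumption here, and all sample entries are constructed.

```python
"""
Added example (not from the mailing-list thread or FreeRADIUS): which
RADIUS authentication methods a stored LDAP userPassword value supports.

rlm_pap can verify a PAP request against almost any one-way hash because
the server holds the cleartext for the duration of the request.  rlm_mschap
needs an NT-Password (or a Cleartext-Password to derive one from); a salted
SHA digest cannot be turned into an NT hash, so MS-CHAPv2 is rejected.
"""
import base64
import hashlib
import hmac
import os
import re

# Simplified scheme table for this illustration (assumption, not a spec).
REVERSIBLE = {"CLEARTEXT", "CLEAR"}                # any method can be derived
NT_HASH = {"NT"}                                   # assumed label for a stored NT hash
PAP_ONLY = {"SHA", "SSHA", "MD5", "SMD5", "CRYPT"}  # one-way; PAP only

_SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}(.*)$", re.DOTALL)


def parse_user_password(value: str):
    """Split an RFC 2307 userPassword into (SCHEME, payload).

    A value without a {SCHEME} prefix is cleartext by convention.
    """
    m = _SCHEME_RE.match(value)
    if not m:
        return "CLEARTEXT", value
    return m.group(1).upper(), m.group(2)


def supported_methods(value: str) -> set:
    """RADIUS authentication methods the stored form can satisfy."""
    scheme, _ = parse_user_password(value)
    if scheme in REVERSIBLE:
        return {"PAP", "CHAP", "MS-CHAP", "MS-CHAPv2", "EAP-MSCHAPv2"}
    if scheme in NT_HASH:
        return {"PAP", "MS-CHAP", "MS-CHAPv2", "EAP-MSCHAPv2"}
    if scheme in PAP_ONLY:
        return {"PAP"}
    return set()  # unknown scheme: nothing can be verified


def make_ssha(password: str, salt: bytes) -> str:
    """Build a {SSHA} value as OpenLDAP stores it: base64(sha1(pw + salt) + salt)."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def pap_verify(stored: str, candidate: str) -> bool:
    """PAP check: the server has the cleartext candidate and can re-hash it.

    Only the cleartext and {SSHA} paths are implemented; the point is that
    any one-way scheme works for PAP, none of them for MS-CHAPv2.
    """
    scheme, payload = parse_user_password(stored)
    if scheme in REVERSIBLE:
        return hmac.compare_digest(payload.encode("utf-8"), candidate.encode("utf-8"))
    if scheme == "SSHA":
        raw = base64.b64decode(payload)
        digest, salt = raw[:20], raw[20:]
        recomputed = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
        return hmac.compare_digest(digest, recomputed)
    return False


def explain(stored: str) -> str:
    """One-line summary of the symptom a given storage form produces."""
    scheme, _ = parse_user_password(stored)
    methods = supported_methods(stored)
    if "MS-CHAPv2" in methods:
        return f"{scheme}: PAP and MS-CHAPv2 (PEAP inner auth) can both succeed"
    if "PAP" in methods:
        return (f"{scheme}: radtest/PAP succeeds, but rlm_mschap has no "
                "NT-Password to compare against, so MS-CHAPv2 is rejected")
    return f"{scheme}: no usable password form"


if __name__ == "__main__":
    # Constructed sample entries, not real directory data.
    salt = os.urandom(4)
    for entry in (make_ssha("P@ssw0rd", salt),
                  "{NT}<nt-hash-placeholder>",
                  "P@ssw0rd"):
        print(explain(entry))
```

Running it prints one line per constructed entry; the {SSHA} case reproduces the situation in the log (PAP passes, MS-CHAPv2 has nothing to check), which is why the choice of hash scheme in the directory decides whether PEAP/MS-CHAPv2 can work at all.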