RADIUS + Huawei switch + auto VLAN assignment issue
Attou eric
gouroueric at yahoo.fr
Mon Jun 22 11:13:54 CEST 2009
Hello Everybody!
We are having an issue trying to set up a RADIUS server with a Huawei Quidway S3900 as authenticator.
The switch ports are configured as hybrid and tagged on all four of our VLANs. We also configured VLAN 1
(the default) as the guest VLAN of the ports, and dot1x is activated globally and on each Ethernet port.
The RADIUS server is configured to search for users in an LDAP directory. Here is one of our user entries in
the directory:
dn: uid=toto,ou=Users,ou=ceforp,dc=uac,dc=bj
uid: toto
cn: toto
sambaSID: toto
telephoneNumber: 00000000
roomNumber: 00000000
homePhone: 97 09 61 90/90 04 12 26
givenName: toto
sn: toto
mail: toto at ceforp.uac.bj
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: radiusProfile
objectClass: top
objectClass: sambaSamAccount
objectClass: shadowAccount
userPassword: {crypt}$1$JGZ378je$G9BPCKU.BWv1QEAZCQtFO.
sambaLMPassword: AZERTY
sambaNTPassword: AZERTY
shadowLastChange: 14250
shadowMax: 99999
shadowWarning: 7
radiusTunnelPrivateGroup-Id: "2"
radiusTunnelMediumType: IEEE-802
radiusTunnelType: VLAN
loginShell: /bin/bash
uidNumber: 1616
gidNumber: 1614
homeDirectory: /home/toto
gecos: Akouma toto,,,97 09 61 90/90 04 12 26
When we try to authenticate with this user account, although the RADIUS log shows the
VLAN attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID) being sent in
the Access-Challenge messages and finally an Access-Accept message being sent, the switch
does not assign the right VLAN (the switch from VLAN 1 to VLAN 2 does not
occur) and the user stays in VLAN 1. We note that there is no VLAN attribute in the
Access-Accept message.
What may be wrong? Below is the RADIUS server's output log.
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.100.5 port 5001, id=22, length=115
User-Name = "toto"
EAP-Message = 0x0201000901746f746f
Message-Authenticator = 0x60464542ce8c771452c8234d62a8de2d
NAS-IP-Address = 192.168.100.5
NAS-Identifier = "000fe265a2f5"
NAS-Port = 268455937
NAS-Port-Type = Ethernet
Service-Type = Framed-User
Framed-Protocol = PPP
Calling-Station-Id = "000b-5d4a-369f"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "toto", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 1 length 9
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
users: Matched entry DEFAULT at line 172
++[files] returns ok
rlm_ldap: - authorize
rlm_ldap: performing user authorization for toto
expand: (&(objectclass=posixAccount)(uid=%u)) -> (&(objectclass=posixAccount)(uid=toto))
expand: dc=uac,dc=bj -> dc=uac,dc=bj
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
Sending Access-Challenge of id 22 to 192.168.100.5 port 5001
Framed-Protocol = PPP
Framed-Compression = Van-Jacobson-TCP-IP
Tunnel-Private-Group-Id:0 = "2"
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Type:0 = VLAN
EAP-Message = 0x010200061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa88eb0cba88ca91516c2ad39391ee6f1
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.100.5 port 5001, id=23, length=236
User-Name = "toto"
EAP-Message = 0x0202007019800000006616030100610100005d03014a3f38dbbadfdeb57d18de0598e2cc8fc3a93bdc048767fda66314b9273e319b200a7da7d94248ab602a4aad9e3fcb579310da741faf694e40b9fef41839ae4604001600040005000a000900640062000300060013001200630100
Message-Authenticator = 0x3cf0c9732a7a9b23dea1cf4538f76931
NAS-IP-Address = 192.168.100.5
NAS-Identifier = "000fe265a2f5"
NAS-Port = 268455937
NAS-Port-Type = Ethernet
Service-Type = Framed-User
Framed-Protocol = PPP
Calling-Station-Id = "000b-5d4a-369f"
State = 0xa88eb0cba88ca91516c2ad39391ee6f1
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "toto", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 2 length 112
rlm_eap: Continuing tunnel setup.
++[eap] returns ok
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
TLS Length 102
rlm_eap_tls: Length Included
eaptls_verify returned 11
(other): before/accept initialization
TLS_accept: before/accept initialization
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0061], ClientHello
TLS_accept: SSLv3 read client hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
TLS_accept: SSLv3 write server hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0eb6], Certificate
TLS_accept: SSLv3 write certificate A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
TLS_accept: SSLv3 write server done A
TLS_accept: SSLv3 flush data
TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 23 to 192.168.100.5 port 5001
EAP-Message = 0x120603550403140b726f6f745f43415f554143311a301806092a864886f70d010901160b696e666f407561632e626a301e170d3038303731373135353833355a170d3039303731373135353833355a3081a4310b300906035504061302424a311330110603550408130a41746c616e7469717565311630140603550407130d41626f6d65792d43616c6176693121301f060355040a1318556e69766572736974652041626f6d65792d43616c6176693111300f060355040b1308526563746f726174311630140603550403130d63616c6176692e7561632e626a311a301806092a864886f70d010901160b696e666f407561632e626a30820222300d06
EAP-Message = 0x092a864886f70d01010105000382020f003082020a0282020100ba35068b7967acc67f03fe9f0cd76ea4fc16bb62b8986f8a2e70413e22942f1e7604ab691177fdb5fd14a030bb00840b9281a6ee37482bcb1f95d7cbeb23a06a1f659a48f4380a23acc10952d5c70258579fbda12d599aabd12d4ddb5de20e943c515ea8f817f15fc4b1201ba2952a43c8b4ef52941f256670d7e216ec19930e940ce1832e9b953096dc6ef00bbb1dc173b800b183c5d1f20383d29f7c8795d5ed22c8d6075f492d2adb6700a51ed0f8c8793c2d460be5d822a8309b541802b27c2c496be98c1a0737ed88ac27cd94bd85ef58a16f3dba29d3b94754265bd7d24ddea4
EAP-Message = 0x0d3f2885d5031e5f76099610
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa88eb0cba98da91516c2ad39391ee6f1
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.100.5 port 5001, id=24, length=130
User-Name = "toto"
EAP-Message = 0x020300061900
Message-Authenticator = 0xb5552c32bd90604d37c9c0fb4482455e
NAS-IP-Address = 192.168.100.5
NAS-Identifier = "000fe265a2f5"
NAS-Port = 268455937
NAS-Port-Type = Ethernet
Service-Type = Framed-User
Framed-Protocol = PPP
Calling-Station-Id = "000b-5d4a-369f"
State = 0xa88eb0cba98da91516c2ad39391ee6f1
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "toto", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 3 length 6
rlm_eap: Continuing tunnel setup.
++[eap] returns ok
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake fragment handler
eaptls_verify returned 1
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 24 to 192.168.100.5 port 5001
EAP-Message = 0x310b300906035504
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa88eb0cbaa8aa91516c2ad39391ee6f1
Finished request 2.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 192.168.100.5 port 5001, id=25, length=130
User-Name = "toto"
EAP-Message = 0x020400061900
Message-Authenticator = 0x5eeac44dfede983aedee24c387cb44e9
NAS-IP-Address = 192.168.100.5
NAS-Identifier = "000fe265a2f5"
NAS-Port = 268455937
NAS-Port-Type = Ethernet
Service-Type = Framed-User
Framed-Protocol = PPP
Calling-Station-Id = "000b-5d4a-369f"
State = 0xa88eb0cbaa8aa91516c2ad39391ee6f1
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "toto", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 4 length 6
rlm_eap: Continuing tunnel setup.
++[eap] returns ok
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake fragment handler
eaptls_verify returned 1
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 25 to 192.168.100.5 port 5001
EAP-Message = 0x010503fc1940061302424a311330110603550408130a41746c616e7469717565311630140603550407130d41626f6d65792d43616c6176693121301f060355040a1318556e69766572736974652041626f6d65792d43616c6176693111300f060355040b1308526563746f726174311430120603550403140b726f6f745f43415f554143311a301806092a864886f70d010901160b696e666f407561632e626a301e170d3038303731373135353331385a170d3138303731353135353331385a3081a2310b300906035504061302424a311330110603550408130a41746c616e7469717565311630140603550407130d41626f6d65792d43616c617669
EAP-Message = 0x3121301f060355040a1318556e69766572736974652041626f6d65792d43616c6176693111300f060355040b1308526563746f726174311430120603550403140b726f6f745f43415f554143311a301806092a864886f70d010901160b696e666f407561632e626a30820222300d06092a864886f70d01010105000382020f003082020a0282020100f4b24ec17856ccd0925b38267d08f774b4e8305facfc02da999c9d5787a4d6b57af62d62531b4ee11135cf1546825c9c7aa6eb452c5adc6a768616ec978be9ddb0e98b1b1d23d2056c5fe37f46247295851e5c4866dec12d3b298b3d9b7629208465333f1f479a886f8321e8768b6a32c9563ecf
EAP-Message = 0xfd7d052a60062bf19ea4c007138dbedfb86604118f1c20c7e7769a82cd10564c4624a53786e894a174a253585bca0e92e8f32923fdde919eee543c6ac7b1e6af377a726d62cdab0941c4bacccd7a40fd1762b4682c47150b33a819d4ce4e01e31a989dce7ea27fc14c6bf6c4ef036929e3ec575b94610bcc30d0d0159b94a41182650f071d1b73a7e9a8cbe844be37b3ce1193910909bee58ca887a0a4b6ea65674aac02012eb9c0f5207982e2b06d2c4d36e5af8b508edf8f65234696eeae28121a786c906e933f56770d32ee8987de8b678d809dc53d98da8b805c62953231091b47026c2bf695899b7c170197219e4b80f6d5bb1135c76e11e641e7
EAP-Message = 0x6eda160e7661681a20b9381dcddcc5da66c62e9d40885dd74b38733981cc17f8735cca0122e34ed54e822d8d607215055a06834c0d0dd8b770fe025c4d0fb310baea2e876d5e9574e4c68282d0b440acd1bb420f329c0cefda380d72c6cd635dca12658b638b58bea300430511b391e39ffa5a778cd618a444517759644e3b714a3c7dba6b53de21aea101b29656e30203010001a38201813082017d301d0603551d0e04160414c3580d7f0c9b26c3fcca6bddecc25329b3ed999e3081d70603551d230481cf3081cc8014c3580d7f0c9b26c3fcca6bddecc25329b3ed999ea181a8a481a53081a2310b300906035504061302424a3113301106035504
EAP-Message = 0x08130a41746c616e
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa88eb0cbab8ba91516c2ad39391ee6f1
Finished request 3.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 192.168.100.5 port 5001, id=26, length=130
User-Name = "toto"
EAP-Message = 0x020500061900
Message-Authenticator = 0x95ef28d6ba4539705842ff6961284ff6
NAS-IP-Address = 192.168.100.5
NAS-Identifier = "000fe265a2f5"
NAS-Port = 268455937
NAS-Port-Type = Ethernet
Service-Type = Framed-User
Calling-Station-Id = "000b-5d4a-369f"
State = 0xa88eb0cbae86a91516c2ad39391ee6f1
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "toto", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 8 length 32
rlm_eap: Continuing tunnel setup.
++[eap] returns ok
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: Identity - toto
PEAP: Got tunneled EAP-Message
EAP-Message = 0x0208000901746f746f
PEAP: Got tunneled identity of toto
PEAP: Setting default EAP type for tunneled EAP session.
PEAP: Setting User-Name to toto
PEAP: Sending tunneled request
EAP-Message = 0x0208000901746f746f
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "toto"
server (null) {
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "toto", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 8 length 9
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
rlm_ldap: - authorize
rlm_ldap: performing user authorization for toto
expand: (&(objectclass=posixAccount)(uid=%u)) -> (&(objectclass=posixAccount)(uid=toto))
expand: dc=uac,dc=bj -> dc=uac,dc=bj
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=uac,dc=bj, with filter (&(objectclass=posixAccount)(uid=toto))
rlm_ldap: checking if remote access for toto is allowed by uid
rlm_ldap: No default NMAS login sequence
rlm_ldap: looking for check items in directory...
rlm_ldap: LDAP attribute sambaNTPassword as RADIUS attribute NT-Password == 0x4332313832333530444532433243463343344435434231343441394431444233
rlm_ldap: LDAP attribute sambaLMPassword as RADIUS attribute LM-Password == 0x3337364436424445433041413644323839343445324446343839413838304534
rlm_ldap: LDAP attribute userPassword as RADIUS attribute User-Password == "totouser"
rlm_ldap: looking for reply items in directory...
rlm_ldap: LDAP attribute radiusTunnelPrivateGroupId as RADIUS attribute Tunnel-Private-Group-Id:0 = "2"
rlm_ldap: LDAP attribute radiusTunnelMediumType as RADIUS attribute Tunnel-Medium-Type:0 = IEEE-802
rlm_ldap: LDAP attribute radiusTunnelType as RADIUS attribute Tunnel-Type:0 = VLAN
rlm_ldap: user toto authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Normalizing NT-Password from hex encoding
rlm_pap: Normalizing LM-Password from hex encoding
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
rad_check_password: Found Auth-Type EAP
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Replacing User-Password in config items with Cleartext-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good" !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
auth: type "EAP"
+- entering group authenticate
rlm_eap: EAP Identity
rlm_eap: processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server (null)
PEAP: Got tunneled reply RADIUS code 11
Tunnel-Private-Group-Id:0 = "2"
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Type:0 = VLAN
EAP-Message = 0x0109001e1a010900191007ae8dd49bdfd0c817732291052c1735746f746f
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0c186c320c1176bedb16c1e664f42fe2
PEAP: Processing from tunneled session code 0x7c2670 11
Tunnel-Private-Group-Id:0 = "2"
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Type:0 = VLAN
EAP-Message = 0x0109001e1a010900191007ae8dd49bdfd0c817732291052c1735746f746f
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0c186c320c1176bedb16c1e664f42fe2
PEAP: Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 29 to 192.168.100.5 port 5001
EAP-Message = 0x010900351900170301002ae5ded2cf6543b4449305996cc5fdcfec9bf7867d5fdb62ee189022502a79da435f13d7b9b80c2f8ced86
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa88eb0cbaf87a91516c2ad39391ee6f1
Finished request 7.
Going to the next request
Waking up in 4.4 seconds.
rad_recv: Access-Request packet from host 192.168.100.5 port 5001, id=30, length=210
User-Name = "toto"
EAP-Message = 0x020900561900170301004bbaf13ec9d401f583cd58929b8f7f454cdb002639dc4ea00b14a69f6400eea5d340665d95edb631514792962e1d54723456e074bd14b4ba6f45464f3d30552dc3f8823cd456500ca92efae7
Message-Authenticator = 0xa44820cdf03d1108a8d932ec95e953ef
NAS-IP-Address = 192.168.100.5
NAS-Identifier = "000fe265a2f5"
NAS-Port = 268455937
NAS-Port-Type = Ethernet
Service-Type = Framed-User
Framed-Protocol = PPP
Calling-Station-Id = "000b-5d4a-369f"
State = 0xa88eb0cbaf87a91516c2ad39391ee6f1
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "toto", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 9 length 86
rlm_eap: Continuing tunnel setup.
++[eap] returns ok
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: EAP type mschapv2
PEAP: Got tunneled EAP-Message
EAP-Message = 0x0209003f1a0209003a31f627621d72908d812dcc8660104a923b00000000000000007d029e559fbcc706309ba7f099f573290ecf7056a219884a00746f746f
PEAP: Setting User-Name to toto
PEAP: Sending tunneled request
EAP-Message = 0x0209003f1a0209003a31f627621d72908d812dcc8660104a923b00000000000000007d029e559fbcc706309ba7f099f573290ecf7056a219884a00746f746f
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "toto"
State = 0x0c186c320c1176bedb16c1e664f42fe2
server (null) {
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "toto", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 9 length 63
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
rlm_ldap: - authorize
rlm_ldap: performing user authorization for toto
expand: (&(objectclass=posixAccount)(uid=%u)) -> (&(objectclass=posixAccount)(uid=toto))
expand: dc=uac,dc=bj -> dc=uac,dc=bj
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=uac,dc=bj, with filter (&(objectclass=posixAccount)(uid=toto))
rlm_ldap: checking if remote access for toto is allowed by uid
rlm_ldap: No default NMAS login sequence
rlm_ldap: looking for check items in directory...
rlm_ldap: LDAP attribute sambaNTPassword as RADIUS attribute NT-Password == 0x4332313832333530444532433243463343344435434231343441394431444233
rlm_ldap: LDAP attribute sambaLMPassword as RADIUS attribute LM-Password == 0x3337364436424445433041413644323839343445324446343839413838304534
rlm_ldap: LDAP attribute userPassword as RADIUS attribute User-Password == "totouser"
rlm_ldap: looking for reply items in directory...
rlm_ldap: LDAP attribute radiusTunnelPrivateGroupId as RADIUS attribute Tunnel-Private-Group-Id:0 = "2"
rlm_ldap: LDAP attribute radiusTunnelMediumType as RADIUS attribute Tunnel-Medium-Type:0 = IEEE-802
rlm_ldap: LDAP attribute radiusTunnelType as RADIUS attribute Tunnel-Type:0 = VLAN
rlm_ldap: user toto authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Normalizing NT-Password from hex encoding
rlm_pap: Normalizing LM-Password from hex encoding
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
rad_check_password: Found Auth-Type EAP
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Replacing User-Password in config items with Cleartext-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good" !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/mschapv2
rlm_eap: processing type mschapv2
+- entering group MS-CHAP
rlm_mschap: Found LM-Password
rlm_mschap: Found NT-Password
rlm_mschap: Told to do MS-CHAPv2 for toto with NT-Password
rlm_mschap: adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
MSCHAP Success
++[eap] returns handled
} # server (null)
PEAP: Got tunneled reply RADIUS code 11
Tunnel-Private-Group-Id:0 = "2"
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Type:0 = VLAN
EAP-Message = 0x010a00331a0309002e533d45324635434146333132433946454341393932443738373436364344424342443444364643444134
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0c186c320d1276bedb16c1e664f42fe2
PEAP: Processing from tunneled session code 0x7c52c0 11
Tunnel-Private-Group-Id:0 = "2"
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Type:0 = VLAN
EAP-Message = 0x010a00331a0309002e533d45324635434146333132433946454341393932443738373436364344424342443444364643444134
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0c186c320d1276bedb16c1e664f42fe2
PEAP: Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 30 to 192.168.100.5 port 5001
EAP-Message = 0x010a004a1900170301003ff9c9a8096c8008435d18d64dd2844e84eaccd55bc005519a1e4330882677b71ee2dfdead2f7bfc9dcf711bd2b6776b5ded041a41783f07063d0a82dfff7eee
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa88eb0cba084a91516c2ad39391ee6f1
Finished request 8.
Going to the next request
Waking up in 4.3 seconds.
rad_recv: Access-Request packet from host 192.168.100.5 port 5001, id=31, length=153
User-Name = "toto"
EAP-Message = 0x020a001d19001703010012c5c3e515e280e0362280ea65d35a6ee5f57e
Message-Authenticator = 0xb12836f1115dd64af2d01d2d0fc41bca
NAS-IP-Address = 192.168.100.5
NAS-Identifier = "000fe265a2f5"
NAS-Port = 268455937
NAS-Port-Type = Ethernet
Service-Type = Framed-User
Framed-Protocol = PPP
Calling-Station-Id = "000b-5d4a-369f"
State = 0xa88eb0cba084a91516c2ad39391ee6f1
+- entering group authorize
rad_recv: Access-Request packet from host 192.168.100.5 port 5001, id=32, length=162
User-Name = "toto"
EAP-Message = 0x020b00261900170301001bac16d38a5cfbaed36ed0105a6c7c16925c925a2a8a04b60c164770
Message-Authenticator = 0x6969775e3b691b3e7ef57aaa3e4d3ba7
NAS-IP-Address = 192.168.100.5
NAS-Identifier = "000fe265a2f5"
NAS-Port = 268455937
NAS-Port-Type = Ethernet
Service-Type = Framed-User
Framed-Protocol = PPP
Calling-Station-Id = "000b-5d4a-369f"
State = 0xa88eb0cba185a91516c2ad39391ee6f1
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "toto", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 11 length 38
rlm_eap: Continuing tunnel setup.
++[eap] returns ok
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: Received EAP-TLV response.
rlm_eap_peap: Success
rlm_eap: Freeing handler
++[eap] returns ok
Login OK: [toto/<via Auth-Type = EAP>] (from client uac_quid002 port 268455937 cli 000b-5d4a-369f)
+- entering group post-auth
++[exec] returns noop
Sending Access-Accept of id 32 to 192.168.100.5 port 5001
MS-MPPE-Recv-Key = 0x3fc9ad8eb5c61fa194fbcf43ec68aa879a28a6f2b25d5dcc96531f47dccdae69
MS-MPPE-Send-Key = 0xaf8ead06473463ae03e04ac1cc4f09e8e827287effa7ccaf360b0b8bbc2ed18e
EAP-Message = 0x030b0004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "toto"
Finished request 10.
Going to the next request
Waking up in 4.1 seconds.
Thanks for your help!
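Added example, not code from the original post or from the FreeRADIUS project: a small checker for FreeRADIUS 2.x debug output that shows where the VLAN attributes actually appear. In the log above they are present in the first outer Access-Challenge (added during the outer authorize of request 0, before any tunnel existed) and in the reply produced inside the PEAP tunnel ("PEAP: Got tunneled reply RADIUS code 11"), but not in the final Access-Accept, which is the only reply the switch acts on for VLAN assignment. On FreeRADIUS 2.x whether inner reply attributes are copied to the outer Access-Accept is governed by the use_tunneled_reply setting in the peap section of eap.conf, so that is the first thing to check. The script also lists the debug lines on which the LDAP lookup prints password material (the "RADIUS attribute User-Password == ..." lines), so a debug capture can be scrubbed before it is shared. The function names and the sample log are this example's own; the log is a constructed, shortened excerpt modelled on the one in the post.

```python
# Added example (not from the original post or from FreeRADIUS): parse FreeRADIUS 2.x
# debug output, group attribute lines under the reply they belong to, and report
# (a) outer Access-Accept replies that lack the VLAN attributes although the inner
# tunnel reply carried them and (b) debug lines that print password material.
import re

VLAN_ATTRS = ("Tunnel-Type", "Tunnel-Medium-Type", "Tunnel-Private-Group-Id")
SECRET_ATTRS = ("User-Password", "Cleartext-Password", "NT-Password", "LM-Password")
RADIUS_CODES = {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}

# "Sending <code> of id <n> to ..." opens the attribute list of an outer reply
_OUTER = re.compile(r"^\s*Sending (Access-\w+) of id (\d+) to ")
# "PEAP: Got tunneled reply RADIUS code <n>" opens the reply of the inner tunnel
_TUNNELED = re.compile(r"^\s*PEAP: Got tunneled reply RADIUS code (\d+)")
# attribute lines look like 'Tunnel-Type:0 = VLAN' (the ':0' tag is optional)
_ATTR = re.compile(r"^\s*([A-Za-z][\w-]*)(?::\d+)? = (.*)$")
# rlm_ldap prints check items it fetched, including the known-good password
_SECRET = re.compile(r"RADIUS attribute (" + "|".join(SECRET_ATTRS) + r") == ")

# Constructed sample log (values are made up), shaped like the debug output in the post.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 192.168.100.5 port 5001, id=22, length=115
  User-Name = "toto"
Sending Access-Challenge of id 22 to 192.168.100.5 port 5001
  Tunnel-Private-Group-Id:0 = "2"
  Tunnel-Medium-Type:0 = IEEE-802
  Tunnel-Type:0 = VLAN
  EAP-Message = 0x010200061920
rad_recv: Access-Request packet from host 192.168.100.5 port 5001, id=32, length=162
  User-Name = "toto"
rlm_ldap: LDAP attribute sambaNTPassword as RADIUS attribute NT-Password == 0x4142
rlm_ldap: LDAP attribute userPassword as RADIUS attribute User-Password == "example-secret"
PEAP: Got tunneled reply RADIUS code 11
  Tunnel-Private-Group-Id:0 = "2"
  Tunnel-Medium-Type:0 = IEEE-802
  Tunnel-Type:0 = VLAN
Sending Access-Accept of id 32 to 192.168.100.5 port 5001
  MS-MPPE-Recv-Key = 0x3fc9ad8e
  EAP-Message = 0x030b0004
  User-Name = "toto"
"""


def parse_replies(text):
    """Return one record per reply: kind ('outer' or 'tunneled'), RADIUS code name,
    packet id (outer only) and the attributes listed directly under it."""
    replies, current = [], None
    for line in text.splitlines():
        m = _OUTER.match(line)
        if m:
            current = {"kind": "outer", "code": m.group(1), "id": int(m.group(2)), "attrs": {}}
            replies.append(current)
            continue
        m = _TUNNELED.match(line)
        if m:
            code = RADIUS_CODES.get(int(m.group(1)), m.group(1))
            current = {"kind": "tunneled", "code": code, "id": None, "attrs": {}}
            replies.append(current)
            continue
        m = _ATTR.match(line)
        if m and current is not None:
            current["attrs"][m.group(1)] = m.group(2)
        else:
            current = None  # any other debug line ends the attribute list
    return replies


def vlan_findings(replies):
    """Flag every outer Access-Accept that lacks VLAN attributes, noting whether an
    inner tunnel reply seen earlier did carry them (i.e. they were not copied out)."""
    findings, inner_had_vlan = [], False
    for r in replies:
        if r["kind"] == "tunneled" and any(a in r["attrs"] for a in VLAN_ATTRS):
            inner_had_vlan = True
        if r["kind"] == "outer" and r["code"] == "Access-Accept":
            missing = [a for a in VLAN_ATTRS if a not in r["attrs"]]
            if missing:
                msg = f"Access-Accept id={r['id']} lacks {', '.join(missing)}"
                if inner_had_vlan:
                    msg += " although the tunneled reply carried them"
                findings.append(msg)
    return findings


def credential_findings(text):
    """List (line number, attribute) for debug lines that print password material."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = _SECRET.search(line)
        if m:
            hits.append((n, m.group(1)))
    return hits


if __name__ == "__main__":
    replies = parse_replies(SAMPLE_LOG)
    for r in replies:
        present = [a for a in VLAN_ATTRS if a in r["attrs"]]
        print(f"{r['kind']:9} {r['code']:17} id={r['id']} vlan attrs={present}")
    for finding in vlan_findings(replies):
        print("FINDING:", finding)
    for n, attr in credential_findings(SAMPLE_LOG):
        print(f"line {n}: debug output prints {attr}")
```

Run it against a full radiusd -X capture by reading the file into parse_replies() instead of SAMPLE_LOG; attribute lines may be tab-indented or not, the regexes accept both. The parser deliberately keys on the "Sending ..." and "PEAP: Got tunneled reply" lines rather than on indentation, because mail archives strip the tabs, as happened to the log in this post.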