Radius + Huawei switch + auto VLAN assignment issue

Attou eric gouroueric at yahoo.fr
Mon Jun 22 11:13:54 CEST 2009


Hello everybody!

We are having an issue trying to set up a RADIUS server with a Huawei Quidway S3900 as the authenticator.

The switch ports are configured as hybrid and tagged on all four of our VLANs. We also configured VLAN 1 (the default) as the guest VLAN of the ports, and dot1x is activated globally and on each Ethernet port.

The RADIUS server is configured to search for users in an LDAP directory. Here are the parameters of one of our users in the directory:

dn: uid=toto,ou=Users,ou=ceforp,dc=uac,dc=bj
uid: toto
cn: toto
sambaSID: toto
telephoneNumber: 00000000
roomNumber: 00000000
homePhone: 97 09 61 90/90 04 12 26
givenName: toto
sn: toto
mail: toto at ceforp.uac.bj
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: radiusProfile
objectClass: top
objectClass: sambaSamAccount
objectClass: shadowAccount
userPassword: {crypt}$1$JGZ378je$G9BPCKU.BWv1QEAZCQtFO.
sambaLMPassword: AZERTY
sambaNTPassword: AZERTY
shadowLastChange: 14250
shadowMax: 99999
shadowWarning: 7
radiusTunnelPrivateGroup-Id: "2"
radiusTunnelMediumType: IEEE-802
radiusTunnelType: VLAN
loginShell: /bin/bash
uidNumber: 1616
gidNumber: 1614
homeDirectory: /home/toto
gecos: Akouma toto,,,97 09 61 90/90 04 12 26

When we try the authentication with this user account, although the RADIUS log shows the VLAN attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID) being sent in the Access-Challenge messages and finally an Access-Accept message being sent, the switch does not assign the right VLAN (the switch from VLAN 1 to VLAN 2 does not occur) and the user is still in VLAN 1. We note that there is no VLAN attribute in the Access-Accept message.

What may be wrong? Below is the RADIUS server's output log:

Ready to process requests.
rad_recv: Access-Request packet from host 192.168.100.5 port 5001, id=22, length=115
        User-Name = "toto"
        EAP-Message = 0x0201000901746f746f
        Message-Authenticator = 0x60464542ce8c771452c8234d62a8de2d
        NAS-IP-Address = 192.168.100.5
        NAS-Identifier = "000fe265a2f5"
        NAS-Port = 268455937
        NAS-Port-Type = Ethernet
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Calling-Station-Id = "000b-5d4a-369f"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "toto", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: EAP packet type response id 1 length 9
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
    users: Matched entry DEFAULT at line 172
++[files] returns ok
rlm_ldap: - authorize
rlm_ldap: performing user authorization for toto
        expand: (&(objectclass=posixAccount)(uid=%u)) -> (&(objectclass=posixAccount)(uid=toto))
        expand: dc=uac,dc=bj -> dc=uac,dc=bj
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
Sending Access-Challenge of id 22 to 192.168.100.5 port 5001
        Framed-Protocol = PPP
        Framed-Compression = Van-Jacobson-TCP-IP
        Tunnel-Private-Group-Id:0 = "2"
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Type:0 = VLAN
        EAP-Message = 0x010200061920
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xa88eb0cba88ca91516c2ad39391ee6f1
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.100.5 port 5001, id=23, length=236
        User-Name = "toto"
        EAP-Message = 0x0202007019800000006616030100610100005d03014a3f38dbbadfdeb57d18de0598e2cc8fc3a93bdc048767fda66314b9273e319b200a7da7d94248ab602a4aad9e3fcb579310da741faf694e40b9fef41839ae4604001600040005000a000900640062000300060013001200630100
        Message-Authenticator = 0x3cf0c9732a7a9b23dea1cf4538f76931
        NAS-IP-Address = 192.168.100.5
        NAS-Identifier = "000fe265a2f5"
        NAS-Port = 268455937
        NAS-Port-Type = Ethernet
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Calling-Station-Id = "000b-5d4a-369f"
        State = 0xa88eb0cba88ca91516c2ad39391ee6f1
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "toto", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: EAP packet type response id 2 length 112
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  TLS Length 102
rlm_eap_tls:  Length Included
  eaptls_verify returned 11
    (other): before/accept initialization
    TLS_accept: before/accept initialization
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0061], ClientHello
    TLS_accept: SSLv3 read client hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
    TLS_accept: SSLv3 write server hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0eb6], Certificate
    TLS_accept: SSLv3 write certificate A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
    TLS_accept: SSLv3 write server done A
    TLS_accept: SSLv3 flush data
    TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
  eaptls_process returned 13
  rlm_eap_peap: EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 23 to 192.168.100.5 port 5001
        EAP-Message = 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
        EAP-Message = 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
        EAP-Message = 0x092a864886f70d01010105000382020f003082020a0282020100ba35068b7967acc67f03fe9f0cd76ea4fc16bb62b8986f8a2e70413e22942f1e7604ab691177fdb5fd14a030bb00840b9281a6ee37482bcb1f95d7cbeb23a06a1f659a48f4380a23acc10952d5c70258579fbda12d599aabd12d4ddb5de20e943c515ea8f817f15fc4b1201ba2952a43c8b4ef52941f256670d7e216ec19930e940ce1832e9b953096dc6ef00bbb1dc173b800b183c5d1f20383d29f7c8795d5ed22c8d6075f492d2adb6700a51ed0f8c8793c2d460be5d822a8309b541802b27c2c496be98c1a0737ed88ac27cd94bd85ef58a16f3dba29d3b94754265bd7d24ddea4
        EAP-Message = 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
        EAP-Message = 0x0d3f2885d5031e5f76099610
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xa88eb0cba98da91516c2ad39391ee6f1
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.100.5 port 5001, id=24, length=130
        User-Name = "toto"
        EAP-Message = 0x020300061900
        Message-Authenticator = 0xb5552c32bd90604d37c9c0fb4482455e
        NAS-IP-Address = 192.168.100.5
        NAS-Identifier = "000fe265a2f5"
        NAS-Port = 268455937
        NAS-Port-Type = Ethernet
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Calling-Station-Id = "000b-5d4a-369f"
        State = 0xa88eb0cba98da91516c2ad39391ee6f1
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "toto", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: EAP packet type response id 3 length 6
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake fragment handler
  eaptls_verify returned 1
  eaptls_process returned 13
  rlm_eap_peap: EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 24 to 192.168.100.5 port 5001
        EAP-Message = 0x010403fc1940b38003bf6e1f8b658ce51826eea11c0bf44abf450203010001a38201903082018c30090603551d1304023000301106096086480186f8420101040403020640302b06096086480186f842010d041e161c54696e7943412047656e657261746564204365727469666963617465301d0603551d0e04160414f17eea30a8f7f709053f3f7bed44e40d6d63c68a3081d70603551d230481cf3081cc8014c3580d7f0c9b26c3fcca6bddecc25329b3ed999ea181a8a481a53081a2310b300906035504061302424a311330110603550408130a41746c616e7469717565311630140603550407130d41626f6d65792d43616c6176693121301f06
        EAP-Message = 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
        EAP-Message = 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
        EAP-Message = 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
        EAP-Message = 0x310b300906035504
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xa88eb0cbaa8aa91516c2ad39391ee6f1
Finished request 2.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 192.168.100.5 port 5001, id=25, length=130
        User-Name = "toto"
        EAP-Message = 0x020400061900
        Message-Authenticator = 0x5eeac44dfede983aedee24c387cb44e9
        NAS-IP-Address = 192.168.100.5
        NAS-Identifier = "000fe265a2f5"
        NAS-Port = 268455937
        NAS-Port-Type = Ethernet
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Calling-Station-Id = "000b-5d4a-369f"
        State = 0xa88eb0cbaa8aa91516c2ad39391ee6f1
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "toto", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: EAP packet type response id 4 length 6
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake fragment handler
  eaptls_verify returned 1
  eaptls_process returned 13
  rlm_eap_peap: EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 25 to 192.168.100.5 port 5001
        EAP-Message = 0x010503fc1940061302424a311330110603550408130a41746c616e7469717565311630140603550407130d41626f6d65792d43616c6176693121301f060355040a1318556e69766572736974652041626f6d65792d43616c6176693111300f060355040b1308526563746f726174311430120603550403140b726f6f745f43415f554143311a301806092a864886f70d010901160b696e666f407561632e626a301e170d3038303731373135353331385a170d3138303731353135353331385a3081a2310b300906035504061302424a311330110603550408130a41746c616e7469717565311630140603550407130d41626f6d65792d43616c617669
        EAP-Message = 0x3121301f060355040a1318556e69766572736974652041626f6d65792d43616c6176693111300f060355040b1308526563746f726174311430120603550403140b726f6f745f43415f554143311a301806092a864886f70d010901160b696e666f407561632e626a30820222300d06092a864886f70d01010105000382020f003082020a0282020100f4b24ec17856ccd0925b38267d08f774b4e8305facfc02da999c9d5787a4d6b57af62d62531b4ee11135cf1546825c9c7aa6eb452c5adc6a768616ec978be9ddb0e98b1b1d23d2056c5fe37f46247295851e5c4866dec12d3b298b3d9b7629208465333f1f479a886f8321e8768b6a32c9563ecf
        EAP-Message = 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
        EAP-Message = 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
        EAP-Message = 0x08130a41746c616e
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xa88eb0cbab8ba91516c2ad39391ee6f1
Finished request 3.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 192.168.100.5 port 5001, id=26, length=130
        User-Name = "toto"
        EAP-Message = 0x020500061900
        Message-Authenticator = 0x95ef28d6ba4539705842ff6961284ff6
        NAS-IP-Address = 192.168.100.5
        NAS-Identifier = "000fe265a2f5"
        NAS-Port = 268455937
        NAS-Port-Type = Ethernet
        Service-Type = Framed-User
        Calling-Station-Id = "000b-5d4a-369f"
        State = 0xa88eb0cbae86a91516c2ad39391ee6f1
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "toto", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: EAP packet type response id 8 length 32
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_peap: Identity - toto
  PEAP: Got tunneled EAP-Message
        EAP-Message = 0x0208000901746f746f
  PEAP: Got tunneled identity of toto
  PEAP: Setting default EAP type for tunneled EAP session.
  PEAP: Setting User-Name to toto
  PEAP: Sending tunneled request
        EAP-Message = 0x0208000901746f746f
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "toto"
server (null) {
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "toto", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: EAP packet type response id 8 length 9
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
rlm_ldap: - authorize
rlm_ldap: performing user authorization for toto
        expand: (&(objectclass=posixAccount)(uid=%u)) -> (&(objectclass=posixAccount)(uid=toto))
        expand: dc=uac,dc=bj -> dc=uac,dc=bj
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=uac,dc=bj, with filter (&(objectclass=posixAccount)(uid=toto))
rlm_ldap: checking if remote access for toto is allowed by uid
rlm_ldap: No default NMAS login sequence
rlm_ldap: looking for check items in directory...
rlm_ldap: LDAP attribute sambaNTPassword as RADIUS attribute NT-Password == 0x4332313832333530444532433243463343344435434231343441394431444233
rlm_ldap: LDAP attribute sambaLMPassword as RADIUS attribute LM-Password == 0x3337364436424445433041413644323839343445324446343839413838304534
rlm_ldap: LDAP attribute userPassword as RADIUS attribute User-Password == "totouser"
rlm_ldap: looking for reply items in directory...
rlm_ldap: LDAP attribute radiusTunnelPrivateGroupId as RADIUS attribute Tunnel-Private-Group-Id:0 = "2"
rlm_ldap: LDAP attribute radiusTunnelMediumType as RADIUS attribute Tunnel-Medium-Type:0 = IEEE-802
rlm_ldap: LDAP attribute radiusTunnelType as RADIUS attribute Tunnel-Type:0 = VLAN
rlm_ldap: user toto authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Normalizing NT-Password from hex encoding
rlm_pap: Normalizing LM-Password from hex encoding
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
  rad_check_password:  Found Auth-Type EAP
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!    Replacing User-Password in config items with Cleartext-Password.     !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good"               !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
auth: type "EAP"
+- entering group authenticate
  rlm_eap: EAP Identity
  rlm_eap: processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server (null)
  PEAP: Got tunneled reply RADIUS code 11
        Tunnel-Private-Group-Id:0 = "2"
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Type:0 = VLAN
        EAP-Message = 0x0109001e1a010900191007ae8dd49bdfd0c817732291052c1735746f746f
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x0c186c320c1176bedb16c1e664f42fe2
  PEAP: Processing from tunneled session code 0x7c2670 11
        Tunnel-Private-Group-Id:0 = "2"
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Type:0 = VLAN
        EAP-Message = 0x0109001e1a010900191007ae8dd49bdfd0c817732291052c1735746f746f
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x0c186c320c1176bedb16c1e664f42fe2
  PEAP: Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 29 to 192.168.100.5 port 5001
        EAP-Message = 0x010900351900170301002ae5ded2cf6543b4449305996cc5fdcfec9bf7867d5fdb62ee189022502a79da435f13d7b9b80c2f8ced86
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xa88eb0cbaf87a91516c2ad39391ee6f1
Finished request 7.
Going to the next request
Waking up in 4.4 seconds.
rad_recv: Access-Request packet from host 192.168.100.5 port 5001, id=30, length=210
        User-Name = "toto"
        EAP-Message = 0x020900561900170301004bbaf13ec9d401f583cd58929b8f7f454cdb002639dc4ea00b14a69f6400eea5d340665d95edb631514792962e1d54723456e074bd14b4ba6f45464f3d30552dc3f8823cd456500ca92efae7
        Message-Authenticator = 0xa44820cdf03d1108a8d932ec95e953ef
        NAS-IP-Address = 192.168.100.5
        NAS-Identifier = "000fe265a2f5"
        NAS-Port = 268455937
        NAS-Port-Type = Ethernet
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Calling-Station-Id = "000b-5d4a-369f"
        State = 0xa88eb0cbaf87a91516c2ad39391ee6f1
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "toto", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: EAP packet type response id 9 length 86
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_peap: EAP type mschapv2
  PEAP: Got tunneled EAP-Message
        EAP-Message = 0x0209003f1a0209003a31f627621d72908d812dcc8660104a923b00000000000000007d029e559fbcc706309ba7f099f573290ecf7056a219884a00746f746f
  PEAP: Setting User-Name to toto
  PEAP: Sending tunneled request
        EAP-Message = 0x0209003f1a0209003a31f627621d72908d812dcc8660104a923b00000000000000007d029e559fbcc706309ba7f099f573290ecf7056a219884a00746f746f
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "toto"
        State = 0x0c186c320c1176bedb16c1e664f42fe2
server (null) {
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "toto", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: EAP packet type response id 9 length 63
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
rlm_ldap: - authorize
rlm_ldap: performing user authorization for toto
        expand: (&(objectclass=posixAccount)(uid=%u)) -> (&(objectclass=posixAccount)(uid=toto))
        expand: dc=uac,dc=bj -> dc=uac,dc=bj
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=uac,dc=bj, with filter (&(objectclass=posixAccount)(uid=toto))
rlm_ldap: checking if remote access for toto is allowed by uid
rlm_ldap: No default NMAS login sequence
rlm_ldap: looking for check items in directory...
rlm_ldap: LDAP attribute sambaNTPassword as RADIUS attribute NT-Password == 0x4332313832333530444532433243463343344435434231343441394431444233
rlm_ldap: LDAP attribute sambaLMPassword as RADIUS attribute LM-Password == 0x3337364436424445433041413644323839343445324446343839413838304534
rlm_ldap: LDAP attribute userPassword as RADIUS attribute User-Password == "totouser"
rlm_ldap: looking for reply items in directory...
rlm_ldap: LDAP attribute radiusTunnelPrivateGroupId as RADIUS attribute Tunnel-Private-Group-Id:0 = "2"
rlm_ldap: LDAP attribute radiusTunnelMediumType as RADIUS attribute Tunnel-Medium-Type:0 = IEEE-802
rlm_ldap: LDAP attribute radiusTunnelType as RADIUS attribute Tunnel-Type:0 = VLAN
rlm_ldap: user toto authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Normalizing NT-Password from hex encoding
rlm_pap: Normalizing LM-Password from hex encoding
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
  rad_check_password:  Found Auth-Type EAP
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!    Replacing User-Password in config items with Cleartext-Password.     !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good"               !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/mschapv2
  rlm_eap: processing type mschapv2
+- entering group MS-CHAP
  rlm_mschap: Found LM-Password
  rlm_mschap: Found NT-Password
  rlm_mschap: Told to do MS-CHAPv2 for toto with NT-Password
rlm_mschap: adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
MSCHAP Success
++[eap] returns handled
} # server (null)
  PEAP: Got tunneled reply RADIUS code 11
        Tunnel-Private-Group-Id:0 = "2"
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Type:0 = VLAN
        EAP-Message = 0x010a00331a0309002e533d45324635434146333132433946454341393932443738373436364344424342443444364643444134
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x0c186c320d1276bedb16c1e664f42fe2
  PEAP: Processing from tunneled session code 0x7c52c0 11
        Tunnel-Private-Group-Id:0 = "2"
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Type:0 = VLAN
        EAP-Message = 0x010a00331a0309002e533d45324635434146333132433946454341393932443738373436364344424342443444364643444134
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x0c186c320d1276bedb16c1e664f42fe2
  PEAP: Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 30 to 192.168.100.5 port 5001
        EAP-Message = 0x010a004a1900170301003ff9c9a8096c8008435d18d64dd2844e84eaccd55bc005519a1e4330882677b71ee2dfdead2f7bfc9dcf711bd2b6776b5ded041a41783f07063d0a82dfff7eee
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xa88eb0cba084a91516c2ad39391ee6f1
Finished request 8.
Going to the next request
Waking up in 4.3 seconds.
rad_recv: Access-Request packet from host 192.168.100.5 port 5001, id=31, length=153
        User-Name = "toto"
        EAP-Message = 0x020a001d19001703010012c5c3e515e280e0362280ea65d35a6ee5f57e
        Message-Authenticator = 0xb12836f1115dd64af2d01d2d0fc41bca
        NAS-IP-Address = 192.168.100.5
        NAS-Identifier = "000fe265a2f5"
        NAS-Port = 268455937
        NAS-Port-Type = Ethernet
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Calling-Station-Id = "000b-5d4a-369f"
        State = 0xa88eb0cba084a91516c2ad39391ee6f1
+- entering group authorize
rad_recv: Access-Request packet from host 192.168.100.5 port 5001, id=32, length=162
        User-Name = "toto"
        EAP-Message = 0x020b00261900170301001bac16d38a5cfbaed36ed0105a6c7c16925c925a2a8a04b60c164770
        Message-Authenticator = 0x6969775e3b691b3e7ef57aaa3e4d3ba7
        NAS-IP-Address = 192.168.100.5
        NAS-Identifier = "000fe265a2f5"
        NAS-Port = 268455937
        NAS-Port-Type = Ethernet
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Calling-Station-Id = "000b-5d4a-369f"
        State = 0xa88eb0cba185a91516c2ad39391ee6f1
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "toto", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: EAP packet type response id 11 length 38
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_peap: Received EAP-TLV response.
  rlm_eap_peap: Success
  rlm_eap: Freeing handler
++[eap] returns ok
Login OK: [toto/<via Auth-Type = EAP>] (from client uac_quid002 port 268455937 cli 000b-5d4a-369f)
+- entering group post-auth
++[exec] returns noop
Sending Access-Accept of id 32 to 192.168.100.5 port 5001
        MS-MPPE-Recv-Key = 0x3fc9ad8eb5c61fa194fbcf43ec68aa879a28a6f2b25d5dcc96531f47dccdae69
        MS-MPPE-Send-Key = 0xaf8ead06473463ae03e04ac1cc4f09e8e827287effa7ccaf360b0b8bbc2ed18e
        EAP-Message = 0x030b0004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "toto"
Finished request 10.
Going to the next request
Waking up in 4.1 seconds.

Thanks for your help!
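An added diagnostic from the editor, not part of this post and not FreeRADIUS code: it parses debug output in the format shown above and reports whether the final outer Access-Accept actually carries the three RFC 3580 VLAN attributes. That is the packet the switch acts on; Tunnel-* attributes that appear only in Access-Challenge packets or in the PEAP inner-tunnel replies (the "Got tunneled reply" blocks) are not used for VLAN assignment, which is exactly the gap the log above shows. In FreeRADIUS 2.x the `use_tunneled_reply` option in the `peap` block of `eap.conf` controls whether the inner-tunnel reply attributes are copied into the outer Access-Accept. The sample log text is constructed to mirror the post's packets; the function and class names are the editor's.

```python
"""Check whether a FreeRADIUS debug log's final outer Access-Accept carries
the RFC 3580 VLAN attributes (Tunnel-Type, Tunnel-Medium-Type,
Tunnel-Private-Group-Id). Editor's example; names are assumptions."""
import re
from dataclasses import dataclass, field

VLAN_ATTRS = {"Tunnel-Type", "Tunnel-Medium-Type", "Tunnel-Private-Group-Id"}

# Outer replies start with e.g. "Sending Access-Accept of id 32 to 192.168.100.5 port 5001".
SENDING_RE = re.compile(r"^Sending (Access-[A-Za-z]+) of id (\d+) to (\S+) port (\d+)")
# Indented "Name[:tag] = value" lines that follow; the ":0" tag is dropped.
ATTR_RE = re.compile(r"^\s+([A-Za-z0-9-]+)(?::\d+)?\s*=\s*(.*)$")


@dataclass
class OuterReply:
    """One packet the server sent to the NAS (inner-tunnel replies are ignored)."""
    code: str
    pkt_id: int
    attrs: dict = field(default_factory=dict)


def parse_outer_replies(log_text):
    """Collect every outer reply and its attribute list from debug output."""
    replies = []
    current = None
    for line in log_text.splitlines():
        m = SENDING_RE.match(line)
        if m:
            current = OuterReply(code=m.group(1), pkt_id=int(m.group(2)))
            replies.append(current)
            continue
        if current is None:
            continue
        am = ATTR_RE.match(line)
        if am:
            current.attrs[am.group(1)] = am.group(2).strip().strip('"')
        else:
            current = None  # attribute listing ends at the first non-indented line
    return replies


def vlan_attrs_in(reply):
    """Subset of the reply's attributes that drive VLAN assignment."""
    return {k: v for k, v in reply.attrs.items() if k in VLAN_ATTRS}


def diagnose(log_text):
    """Return (ok, detail); ok is True only if the last Access-Accept has all three."""
    replies = parse_outer_replies(log_text)
    accepts = [r for r in replies if r.code == "Access-Accept"]
    challenge_ids = [r.pkt_id for r in replies
                     if r.code == "Access-Challenge" and vlan_attrs_in(r)]
    if not accepts:
        return False, "no Access-Accept seen; authentication never completed"
    final = accepts[-1]
    present = vlan_attrs_in(final)
    missing = sorted(VLAN_ATTRS - set(present))
    if missing:
        return False, (f"Access-Accept id {final.pkt_id} lacks {missing}; "
                       f"VLAN attributes appeared only in challenges {challenge_ids}")
    return True, f"Access-Accept id {final.pkt_id} assigns VLAN {present['Tunnel-Private-Group-Id']}"


# Constructed sample mirroring the post: VLAN attributes in the first challenge only.
SAMPLE_BROKEN = """\
Sending Access-Challenge of id 22 to 192.168.100.5 port 5001
        Framed-Protocol = PPP
        Tunnel-Private-Group-Id:0 = "2"
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Type:0 = VLAN
        EAP-Message = 0x010200061920
        State = 0xa88eb0cba88ca91516c2ad39391ee6f1
Finished request 0.
Sending Access-Accept of id 32 to 192.168.100.5 port 5001
        MS-MPPE-Recv-Key = 0x3fc9ad8e
        EAP-Message = 0x030b0004
        User-Name = "toto"
Finished request 10.
"""

# Constructed sample of the desired outcome: attributes present in the Access-Accept.
SAMPLE_FIXED = """\
Sending Access-Accept of id 32 to 192.168.100.5 port 5001
        Tunnel-Private-Group-Id:0 = "2"
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Type:0 = VLAN
        EAP-Message = 0x030b0004
        User-Name = "toto"
Finished request 10.
"""

if __name__ == "__main__":
    for name, sample in (("broken", SAMPLE_BROKEN), ("fixed", SAMPLE_FIXED)):
        ok, detail = diagnose(sample)
        print(f"{name}: {'OK' if ok else 'NOT OK'} - {detail}")
```

To use it on a real run, pipe the output of `radiusd -X` into a file and pass its contents to `diagnose()`; only the "Sending ..." blocks are read, so the rest of the debug chatter is ignored.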
