Perl/Peap-MSChapV2 Issues

Adam W. Sewell awsewell at catawba.edu
Fri Mar 20 14:24:15 CET 2009


I removed the DEFAULT Auth-Type = Perl since you said it wasn't used.

I removed the update control from the authorize in inner-tunnel.

Here's the new log. Thanks for the help.

Ready to process requests.
rad_recv: Accounting-Request packet from host 192.168.240.78 port 3083, 
id=11, length=101
        Acct-Status-Type = Stop
        Acct-Session-Id = "00000005"
        User-Name = "testUser"
        NAS-IP-Address = 192.168.240.78
        NAS-Port = 4
        Calling-Station-Id = "00-16-D3-30-E5-74"
        Acct-Delay-Time = 0
        Acct-Session-Time = 72
        Acct-Authentic = RADIUS
        Acct-Terminate-Cause = Lost-Carrier
+- entering group preacct
++[preprocess] returns ok
rlm_acct_unique: Hashing 'NAS-Port = 4,Client-IP-Address = 
192.168.240.78,NAS-IP-Address = 192.168.240.78,Acct-Session-Id = 
"00000005",User-Name = "testUser"'
rlm_acct_unique: Acct-Unique-Session-ID = "4675a10eb3ec92c2".
++[acct_unique] returns ok
++[files] returns noop
+- entering group accounting
        expand: 
/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d -> 
/var/log/radius/radacct/192.168.240.78/detail-20090320
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d 
expands to /var/log/radius/radacct/192.168.240.78/detail-20090320
        expand: %t -> Fri Mar 20 07:52:25 2009
++[detail] returns ok
++[unix] returns ok
        expand: /var/log/radius/radutmp -> /var/log/radius/radutmp
        expand: %{User-Name} -> testUser
++[radutmp] returns ok
        expand: %{User-Name} -> testUser
 attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated
Sending Accounting-Response of id 11 to 192.168.240.78 port 3083
Finished request 0.
Cleaning up request 0 ID 11 with timestamp +3
Going to the next request
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.240.78 port 3085, 
id=235, length=152
        Message-Authenticator = 0x7d2d05eba9f44b4f560221d152a604d6
        User-Name = "testUser"
        NAS-IP-Address = 192.168.240.78
        NAS-Port = 4
        NAS-Port-Type = Ethernet
        Calling-Station-Id = "00-16-D3-30-E5-74"
        EAP-Message = 0x0201000d016c6a61636b736f6e
        Framed-MTU = 1000
        Called-Station-Id = "0001F4-B6-1B-80\0004"
        NAS-Identifier = "HOKDORM_01953_M48"
        NAS-Port-Id = "fe.0.4"
+- entering group authorize
++[preprocess] returns ok
++[mschap] returns noop
  rlm_eap: EAP packet type response id 1 length 13
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 235 to 192.168.240.78 port 3085
        EAP-Message = 0x010200061920
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x01bfa13001bdb807fc4539ef1278734e
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.240.78 port 3085, 
id=236, length=249
        Message-Authenticator = 0xae6d806c5e45d7aa21bbaee13239c841
        User-Name = "testUser"
        State = 0x01bfa13001bdb807fc4539ef1278734e
        NAS-IP-Address = 192.168.240.78
        NAS-Port = 4
        NAS-Port-Type = Ethernet
        Calling-Station-Id = "00-16-D3-30-E5-74"
        Called-Station-Id = "00-01-F4-B6-1B-80"
        Framed-MTU = 1000
        EAP-Message = 
0x0202005c190016030100510100004d030149c3987c0e37eb6c0bac727f1287e3f6cd86
2647f846d214e820432669caf44800002600390038003500160013000a00330032002f00
050004001500120009001400110008000600030100
        NAS-Identifier = "HOKDORM_01953_M48"
        NAS-Port-Id = "fe.0.4"
+- entering group authorize
++[preprocess] returns ok
++[mschap] returns noop
  rlm_eap: EAP packet type response id 2 length 92
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
    (other): before/accept initialization
    TLS_accept: before/accept initialization
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0051], ClientHello
    TLS_accept: SSLv3 read client hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
    TLS_accept: SSLv3 write server hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 085e], Certificate
    TLS_accept: SSLv3 write certificate A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange
    TLS_accept: SSLv3 write key exchange A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
    TLS_accept: SSLv3 write server done A
    TLS_accept: SSLv3 flush data
    TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
  eaptls_process returned 13
  rlm_eap_peap: EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 236 to 192.168.240.78 port 3085
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x01bfa13000bcb807fc4539ef1278734e
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.240.78 port 3085, 
id=237, length=163
        Message-Authenticator = 0x36564054cf14369701daca7e3be846a9
        User-Name = "testUser"
        State = 0x01bfa13000bcb807fc4539ef1278734e
        NAS-IP-Address = 192.168.240.78
        NAS-Port = 4
        NAS-Port-Type = Ethernet
        Calling-Station-Id = "00-16-D3-30-E5-74"
        Called-Station-Id = "00-01-F4-B6-1B-80"
        Framed-MTU = 1000
        EAP-Message = 0x020300061900
        NAS-Identifier = "HOKDORM_01953_M48"
        NAS-Port-Id = "fe.0.4"
+- entering group authorize
++[preprocess] returns ok
++[mschap] returns noop
  rlm_eap: EAP packet type response id 3 length 6
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake fragment handler
  eaptls_verify returned 1
  eaptls_process returned 13
  rlm_eap_peap: EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 237 to 192.168.240.78 port 3085
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x01bfa13003bbb807fc4539ef1278734e
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.240.78 port 3085, 
id=238, length=163
        Message-Authenticator = 0xcd1123700762639172681128396a1141
        User-Name = "testUser"
        State = 0x01bfa13003bbb807fc4539ef1278734e
        NAS-IP-Address = 192.168.240.78
        NAS-Port = 4
        NAS-Port-Type = Ethernet
        Calling-Station-Id = "00-16-D3-30-E5-74"
        Called-Station-Id = "00-01-F4-B6-1B-80"
        Framed-MTU = 1000
        EAP-Message = 0x020400061900
        NAS-Identifier = "HOKDORM_01953_M48"
        NAS-Port-Id = "fe.0.4"
+- entering group authorize
++[preprocess] returns ok
++[mschap] returns noop
  rlm_eap: EAP packet type response id 4 length 6
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake fragment handler
  eaptls_verify returned 1
  eaptls_process returned 13
  rlm_eap_peap: EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 238 to 192.168.240.78 port 3085
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x01bfa13002bab807fc4539ef1278734e
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.240.78 port 3085, 
id=239, length=361
        Message-Authenticator = 0x09003c2770b7ebd8489a9b994c20f74b
        User-Name = "testUser"
        State = 0x01bfa13002bab807fc4539ef1278734e
        NAS-IP-Address = 192.168.240.78
        NAS-Port = 4
        NAS-Port-Type = Ethernet
        Calling-Station-Id = "00-16-D3-30-E5-74"
        Called-Station-Id = "00-01-F4-B6-1B-80"
        Framed-MTU = 1000
        EAP-Message = 
0x020500cc190016030100861000008200806b94c23fdb8d8035ecc8259084476867386a
afa76130f1ada15ee84f0d62dba7467b19f8f1968cd2223a67cc5814c1723850f3c0b4ea
e6b1808ce8dfb5bb2c585f326c9197fd2e872cd2f650e04a688906592f54be046332fcf6
4a071fafdea6f44932c9f0caac54e8b4c8dc39a50ae6faec29e9f81cb4089a636c7612dc
da771403010001011603010030167b64a37c9d69319b82fb4f49b144db14bf1097443c63
09e41d38b7545438f60a0dc100e140b1660bcecb0984ff086e
        NAS-Identifier = "HOKDORM_01953_M48"
        NAS-Port-Id = "fe.0.4"
+- entering group authorize
++[preprocess] returns ok
++[mschap] returns noop
  rlm_eap: EAP packet type response id 5 length 204
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
    TLS_accept: SSLv3 read client key exchange A
  rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished
    TLS_accept: SSLv3 read finished A
  rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001]
    TLS_accept: SSLv3 write change cipher spec A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished
    TLS_accept: SSLv3 write finished A
    TLS_accept: SSLv3 flush data
    (other): SSL negotiation finished successfully
SSL Connection Established
  eaptls_process returned 13
  rlm_eap_peap: EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 239 to 192.168.240.78 port 3085
        EAP-Message = 
0x010600411900140301000101160301003031553e3d100736927b572c87a4a544ac2e5c
13e28672736daeb20c6a7633ff9d91f9440db93fafb1e0fcf2a42c2b401a
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x01bfa13005b9b807fc4539ef1278734e
Finished request 5.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 192.168.240.78 port 3085, 
id=240, length=163
        Message-Authenticator = 0xb9721f691bfe0d3af8faf21a0ff630aa
        User-Name = "testUser"
        State = 0x01bfa13005b9b807fc4539ef1278734e
        NAS-IP-Address = 192.168.240.78
        NAS-Port = 4
        NAS-Port-Type = Ethernet
        Calling-Station-Id = "00-16-D3-30-E5-74"
        Called-Station-Id = "00-01-F4-B6-1B-80"
        Framed-MTU = 1000
        EAP-Message = 0x020600061900
        NAS-Identifier = "HOKDORM_01953_M48"
        NAS-Port-Id = "fe.0.4"
+- entering group authorize
++[preprocess] returns ok
++[mschap] returns noop
  rlm_eap: EAP packet type response id 6 length 6
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake is finished
  eaptls_verify returned 3
  eaptls_process returned 3
  rlm_eap_peap: EAPTLS_SUCCESS
++[eap] returns handled
Sending Access-Challenge of id 240 to 192.168.240.78 port 3085
        EAP-Message = 
0x0107002b190017030100207d2e96536e28ad72eb3ca57c8a2bcf688cb96b50806c7eba
642545b13c390577
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x01bfa13004b8b807fc4539ef1278734e
Finished request 6.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 192.168.240.78 port 3085, 
id=241, length=237
        Message-Authenticator = 0x3ad17cc6959f8c49d02162344986a841
        User-Name = "testUser"
        State = 0x01bfa13004b8b807fc4539ef1278734e
        NAS-IP-Address = 192.168.240.78
        NAS-Port = 4
        NAS-Port-Type = Ethernet
        Calling-Station-Id = "00-16-D3-30-E5-74"
        Called-Station-Id = "00-01-F4-B6-1B-80"
        Framed-MTU = 1000
        EAP-Message = 
0x0207005019001703010020eeb76cf08fd4f2dd75225fce25e025a088b4349d3653ed4f
e2df729676e6f7c01703010020de00409ede5e7e5a8d11a17d3ffc1e1fb2756068f3acc9
d77fa86efcff9de378
        NAS-Identifier = "HOKDORM_01953_M48"
        NAS-Port-Id = "fe.0.4"
+- entering group authorize
++[preprocess] returns ok
++[mschap] returns noop
  rlm_eap: EAP packet type response id 7 length 80
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_peap: Identity - testUser
  PEAP: Got tunneled identity of testUser
  PEAP: Setting default EAP type for tunneled EAP session.
  PEAP: Setting User-Name to testUser
+- entering group authorize
++[mschap] returns noop
  rlm_eap: EAP packet type response id 7 length 13
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
perl_pool: item 0x8191728 asigned new request. Handled so far: 1
found interpetator at address 0x8191728
rlm_perl: Added pair User-Name = testUser
rlm_perl: Added pair EAP-Message = 0x0207000d016c6a61636b736f6e
rlm_perl: Added pair EAP-Type = Identity
rlm_perl: Added pair FreeRADIUS-Proxied-To = 127.0.0.1
rlm_perl: Added pair Filter-Id = Enterasys:version=1:policy=CCP_Student
rlm_perl: Added pair Cleartext-Password = password09
rlm_perl: Added pair Auth-Type = EAP
rlm_perl: Added pair EAP-Type = MS-CHAP-V2
perl_pool total/active/spare [64/0/64]
Unreserve perl at address 0x8191728
++[perl] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: EAP Identity
  rlm_eap: processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
  PEAP: Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 241 to 192.168.240.78 port 3085
        EAP-Message = 
0x0108004b19001703010040e31225a17d30228bb7726cc44bf263d914f7579e06b0a286
4f97ce5e3d9219571a383a062a61d4e397ed58fd314ba1245ed182935ac989ed833b4b2d
6d67eda8
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x01bfa13007b7b807fc4539ef1278734e
Finished request 7.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 192.168.240.78 port 3085, 
id=242, length=301
        Message-Authenticator = 0x82d26d1f2e916f292d1e74c07e2673fd
        User-Name = "testUser"
        State = 0x01bfa13007b7b807fc4539ef1278734e
        NAS-IP-Address = 192.168.240.78
        NAS-Port = 4
        NAS-Port-Type = Ethernet
        Calling-Station-Id = "00-16-D3-30-E5-74"
        Called-Station-Id = "00-01-F4-B6-1B-80"
        Framed-MTU = 1000
        EAP-Message = 
0x02080090190017030100203509abf8d3006800cf8fd548e2463dd1db3971dd04eaabf2
265fc3b7a0a1499c1703010060f4771096b5bd8385dabd3a1bd741da9eab1606c411c739
9a6677799722d86be4e087574bdd32d9a136518bd8cf5bca394bfb5ebce00ffc341ccbcf
9ffa0a41a2eb6fe7789095ba937b75779b21c743e3aede20f2ef1fafa5ee4aa0b7017c0e
ad
        NAS-Identifier = "HOKDORM_01953_M48"
        NAS-Port-Id = "fe.0.4"
+- entering group authorize
++[preprocess] returns ok
++[mschap] returns noop
  rlm_eap: EAP packet type response id 8 length 144
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_peap: EAP type mschapv2
  PEAP: Setting User-Name to testUser
+- entering group authorize
++[mschap] returns noop
  rlm_eap: EAP packet type response id 8 length 67
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
perl_pool: item 0x83bd3c0 asigned new request. Handled so far: 1
found interpetator at address 0x83bd3c0
rlm_perl: Added pair User-Name = testUser
rlm_perl: Added pair EAP-Message = 
0x020800431a0208003e31d253ad39b9fda0c56ca1ea3593e679c700000000000000005a
3766caadf4442e13e2a263c18c03121055eb446b426c51006c6a61636b736f6e
rlm_perl: Added pair EAP-Type = MS-CHAP-V2
rlm_perl: Added pair State = 0xd36534b3d36d2ee2a528a15b28aae93c
rlm_perl: Added pair FreeRADIUS-Proxied-To = 127.0.0.1
rlm_perl: Added pair Filter-Id = Enterasys:version=1:policy=CCP_Student
rlm_perl: Added pair Cleartext-Password = password09
rlm_perl: Added pair Auth-Type = EAP
perl_pool total/active/spare [64/0/64]
Unreserve perl at address 0x83bd3c0
++[perl] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/mschapv2
  rlm_eap: processing type mschapv2
+- entering group MS-CHAP
  rlm_mschap: Told to do MS-CHAPv2 for testUser with NT-Password
rlm_mschap: adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
MSCHAP Success
++[eap] returns handled
  PEAP: Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 242 to 192.168.240.78 port 3085
        EAP-Message = 
0x0109005b190017030100506e30c2b48acb850cd73aeb0a26b62e4d5fceda76923a125c
d308f84e63d376c0aa97567fc85f9171bcc3ab08744380905298620b8783077b0538c506
22f1b0bc02bb9314c2ec99be670d39dc2e9b79e6
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x01bfa13006b6b807fc4539ef1278734e
Finished request 8.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 192.168.240.78 port 3085, 
id=243, length=237
        Message-Authenticator = 0x77e2252beeafd9a16ab1c8e17a578773
        User-Name = "testUser"
        State = 0x01bfa13006b6b807fc4539ef1278734e
        NAS-IP-Address = 192.168.240.78
        NAS-Port = 4
        NAS-Port-Type = Ethernet
        Calling-Station-Id = "00-16-D3-30-E5-74"
        Called-Station-Id = "00-01-F4-B6-1B-80"
        Framed-MTU = 1000
        EAP-Message = 
0x020900501900170301002078b33b77fa12a265f134bf85941c35d098f428c755efe6f2
82c2ff3c2ec7e4051703010020fe71c1e773492d476502217835e03c5a4f35fb35dba550
32c4b35e10d42d2c0c
        NAS-Identifier = "HOKDORM_01953_M48"
        NAS-Port-Id = "fe.0.4"
+- entering group authorize
++[preprocess] returns ok
++[mschap] returns noop
  rlm_eap: EAP packet type response id 9 length 80
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_peap: EAP type mschapv2
  PEAP: Setting User-Name to testUser
+- entering group authorize
++[mschap] returns noop
  rlm_eap: EAP packet type response id 9 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
perl_pool: item 0x84b6230 asigned new request. Handled so far: 1
found interpetator at address 0x84b6230
rlm_perl: Added pair User-Name = testUser
rlm_perl: Added pair EAP-Message = 0x020900061a03
rlm_perl: Added pair EAP-Type = MS-CHAP-V2
rlm_perl: Added pair State = 0xd36534b3d26c2ee2a528a15b28aae93c
rlm_perl: Added pair FreeRADIUS-Proxied-To = 127.0.0.1
rlm_perl: Added pair Filter-Id = Enterasys:version=1:policy=CCP_Student
rlm_perl: Added pair Cleartext-Password = password09
rlm_perl: Added pair Auth-Type = EAP
perl_pool total/active/spare [64/0/64]
Unreserve perl at address 0x84b6230
++[perl] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/mschapv2
  rlm_eap: processing type mschapv2
  rlm_eap: Freeing handler
++[eap] returns ok
Login OK: [testUser] (from client DORMTEST2_M80 port 0 via TLS tunnel)
  PEAP: Tunneled authentication was successful.
  rlm_eap_peap: SUCCESS
++[eap] returns handled
Sending Access-Challenge of id 243 to 192.168.240.78 port 3085
        EAP-Message = 
0x010a002b19001703010020884606f22ab4302ddb6a5c5f4e37fdc5e31c04cff4a19a90
fb889231c0d13d15
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x01bfa13009b5b807fc4539ef1278734e
Finished request 9.
Going to the next request
Waking up in 4.6 seconds.
rad_recv: Access-Request packet from host 192.168.240.78 port 3085, 
id=244, length=237
        Message-Authenticator = 0xd6e7fd50aff83fb7860432e00ee61b91
        User-Name = "testUser"
        State = 0x01bfa13009b5b807fc4539ef1278734e
        NAS-IP-Address = 192.168.240.78
        NAS-Port = 4
        NAS-Port-Type = Ethernet
        Calling-Station-Id = "00-16-D3-30-E5-74"
        Called-Station-Id = "00-01-F4-B6-1B-80"
        Framed-MTU = 1000
        EAP-Message = 
0x020a005019001703010020ed5d8078eeac6585f770e9723882e7dfab5001c2ef6c0554
96f8c24475ee9443170301002072f87cbf1d487ab533b305badcd983e1969071c0a4d57e
df1b228d940d336a9a
        NAS-Identifier = "HOKDORM_01953_M48"
        NAS-Port-Id = "fe.0.4"
+- entering group authorize
++[preprocess] returns ok
++[mschap] returns noop
  rlm_eap: EAP packet type response id 10 length 80
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_peap: Received EAP-TLV response.
  rlm_eap_peap: Success
  rlm_eap: Freeing handler
++[eap] returns ok
Login OK: [testUser] (from client DORMTEST2_M80 port 4 cli 
00-16-D3-30-E5-74)
+- entering group post-auth
++[exec] returns noop
Sending Access-Accept of id 244 to 192.168.240.78 port 3085
        MS-MPPE-Recv-Key = 
0xc19c41b6b90a8a2fd163fd01b2063947b0d92633fd05fdce97f314dd267e05c6
        MS-MPPE-Send-Key = 
0x4a11b9ee8d9de1506569176d11bf97823ba21771a97e79fea82e427acad442a2
        EAP-Message = 0x030a0004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "testUser"
Finished request 10.
Going to the next request
Waking up in 4.6 seconds.
rad_recv: Accounting-Request packet from host 192.168.240.78 port 3086, 
id=12, length=89
        Acct-Status-Type = Start
        User-Name = "testUser"
        NAS-IP-Address = 192.168.240.78
        NAS-Port = 4
        Calling-Station-Id = "00-16-D3-30-E5-74"
        Acct-Delay-Time = 0
        Acct-Session-Id = "00000006"
        Acct-Authentic = RADIUS
+- entering group preacct
++[preprocess] returns ok
rlm_acct_unique: Hashing 'NAS-Port = 4,Client-IP-Address = 
192.168.240.78,NAS-IP-Address = 192.168.240.78,Acct-Session-Id = 
"00000006",User-Name = "testUser"'
rlm_acct_unique: Acct-Unique-Session-ID = "761ab26e01bff75f".
++[acct_unique] returns ok
++[files] returns noop
+- entering group accounting
        expand: 
/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d -> 
/var/log/radius/radacct/192.168.240.78/detail-20090320
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d 
expands to /var/log/radius/radacct/192.168.240.78/detail-20090320
        expand: %t -> Fri Mar 20 07:52:41 2009
++[detail] returns ok
++[unix] returns ok
        expand: /var/log/radius/radutmp -> /var/log/radius/radutmp
        expand: %{User-Name} -> testUser
++[radutmp] returns ok
        expand: %{User-Name} -> testUser
 attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated
Sending Accounting-Response of id 12 to 192.168.240.78 port 3086
Finished request 11.
Cleaning up request 11 ID 12 with timestamp +19
Going to the next request
Waking up in 4.6 seconds.

-----Original Message-----
From: tnt at kalik.net [mailto:tnt at kalik.net] 
Sent: Thursday, March 19, 2009 6:14 PM
To: FreeRadius users mailing list
Subject: RE: Perl/Peap-MSChapV2 Issues

>Ok, I've made a little progress. The perl script is now being called
>correctly and returning the correct data. There seems to be something
>else now.
>

Yes, there is something else.

>I added DEFAULT Auth-Type = Perl Fall-Through = 1 to users, I think
>that's what you were wanting.

Fine. Only you haven't listed files in inner-tunnel, so this is never
used.

>
>
>Inner-tunnel authorize
>------------------------------
>Authorize {
>
>	Mschap
>	Suffix

>	Update control {
>		Proxy-To-Realm := LOCAL
>	}

Remove that.

>	Eap {
>		Ok=return
>	}
>	Perl
>	Expiration
>	Logintime
>	Pap
>}
>
..
>perl_pool: item 0x8192020 asigned new request. Handled so far: 1
>found interpetator at address 0x8192020
>rlm_perl: Added pair User-Name = testUser
>rlm_perl: Added pair EAP-Message = 0x0207000d016c6a61636b736f6e
>rlm_perl: Added pair EAP-Type = Identity
>rlm_perl: Added pair FreeRADIUS-Proxied-To = 127.0.0.1
>rlm_perl: Added pair Filter-Id = Enterasys:version=1:policy=CCP_Student
>rlm_perl: Added pair Cleartext-Password = password09
>rlm_perl: Added pair Proxy-To-Realm = LOCAL
>rlm_perl: Added pair EAP-Type = MS-CHAP-V2
>perl_pool total/active/spare [64/0/64]
>Unreserve perl at address 0x8192020
>++[perl] returns ok
>++[expiration] returns noop
>++[logintime] returns noop
>rlm_pap: No clear-text password in the request.  Not performing PAP.
>++[pap] returns noop
>auth: type Local

This is breaking EAP. Remove forcing Auth-Type Local.

Ivan Kalik
Kalik Informatika ISP
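
A checker for the symptom diagnosed in this thread, added here as an example (it is not part of the original messages or of FreeRADIUS): it scans `radiusd -X` output for an authorize pass in which `eap` returned ok/updated but the `auth: type` finally chosen is not EAP. The function name and the two sample logs, constructed from line shapes quoted above with the password replaced by a placeholder, are assumptions.

```python
import re
from collections import namedtuple

# Line shapes taken from the radiusd -X output quoted in this thread.
GROUP = re.compile(r"^\+- entering group (\S+)")
EAP_RESULT = re.compile(r"^\+\+\[eap\] returns (\w+)")
PERL_PAIR = re.compile(r"^rlm_perl: Added pair ([\w-]+) = (.*)$")
AUTH_TYPE = re.compile(r'^auth: type "?([\w-]+)"?')

# Attributes that influence where the request goes after authorize.
ROUTING_ATTRS = {"Auth-Type", "Proxy-To-Realm"}

Finding = namedtuple("Finding", "line auth_type routing_pairs")

# Constructed sample: inner-tunnel pass from the failing run.
SAMPLE_BROKEN = """\
+- entering group authorize
++[mschap] returns noop
++[eap] returns updated
rlm_perl: Added pair Cleartext-Password = <redacted>
rlm_perl: Added pair Proxy-To-Realm = LOCAL
rlm_perl: Added pair EAP-Type = MS-CHAP-V2
++[perl] returns ok
++[pap] returns noop
auth: type Local
"""

# Constructed sample: the same pass after the config change.
SAMPLE_FIXED = """\
+- entering group authorize
++[mschap] returns noop
++[eap] returns updated
rlm_perl: Added pair Auth-Type = EAP
++[perl] returns ok
++[pap] returns noop
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
++[eap] returns handled
"""


def find_eap_auth_type_conflicts(debug_text):
    """Return a Finding for every authorize pass where the eap module
    claimed the request but a different Auth-Type was selected."""
    findings = []
    in_authorize = False
    eap_claimed = False
    routing_pairs = []
    for lineno, raw in enumerate(debug_text.splitlines(), 1):
        line = raw.strip()  # debug lines are indented inconsistently
        m = GROUP.match(line)
        if m:
            in_authorize = m.group(1) == "authorize"
            if in_authorize:
                # New pass (outer request or tunneled inner request).
                eap_claimed, routing_pairs = False, []
            continue
        if not in_authorize:
            continue
        m = EAP_RESULT.match(line)
        if m:
            eap_claimed = m.group(1) in ("ok", "updated")
            continue
        m = PERL_PAIR.match(line)
        if m and m.group(1) in ROUTING_ATTRS:
            routing_pairs.append((m.group(1), m.group(2)))
            continue
        m = AUTH_TYPE.match(line)
        if m:
            if eap_claimed and m.group(1).upper() != "EAP":
                findings.append(
                    Finding(lineno, m.group(1), tuple(routing_pairs)))
            in_authorize = False  # authorize is over once a type is picked
    return findings


if __name__ == "__main__":
    for name, text in (("broken", SAMPLE_BROKEN), ("fixed", SAMPLE_FIXED)):
        hits = find_eap_auth_type_conflicts(text)
        print(name, "->", hits if hits else "no conflict")
```
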
