Authentication with eap/mschapv2

Stefan Hotz stefhotz at yahoo.de
Thu Sep 17 16:09:49 CEST 2009


Hello 

I would like to authenticate my Windows XP wireless users with freeradius against an AD. A test with the local ntlm_auth against the AD worked fine, as did radtest with a local user in the users file.

It seems to me that the problem is somewhere here:

Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
rlm_eap_mschapv2: Invalid response type 4
[eap] Handler failed in EAP/mschapv2
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.

I have read in the archive that "Code 4 is MS-CHAP failure. It means that the client told the server it didn't like the previous packet".

But I have no idea what the server does not like.
The whole debug output is below.
Any help is greatly appreciated.

regards

stefan


FreeRADIUS Version 2.1.0, for host i486-pc-linux-gnu, built on Sep  2 2009 at 13:59:26
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors. 
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A 
PARTICULAR PURPOSE. 
You may redistribute copies of FreeRADIUS under the terms of the 
GNU General Public License v2. 
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/sql_log
including configuration file /etc/freeradius/modules/ldap
including configuration file /etc/freeradius/modules/logintime
including configuration file /etc/freeradius/modules/ippool
including configuration file /etc/freeradius/modules/preprocess
including configuration file /etc/freeradius/modules/expr
including configuration file /etc/freeradius/modules/chap
including configuration file /etc/freeradius/modules/detail
including configuration file /etc/freeradius/modules/policy
including configuration file /etc/freeradius/modules/smbpasswd
including configuration file /etc/freeradius/modules/etc_group
including configuration file /etc/freeradius/modules/attr_filter
including configuration file /etc/freeradius/modules/detail.log
including configuration file /etc/freeradius/modules/always
including configuration file /etc/freeradius/modules/passwd
including configuration file /etc/freeradius/modules/counter
including configuration file /etc/freeradius/modules/realm
including configuration file /etc/freeradius/modules/mac2vlan
including configuration file /etc/freeradius/modules/digest
including configuration file /etc/freeradius/modules/files
including configuration file /etc/freeradius/modules/sradutmp
including configuration file /etc/freeradius/modules/checkval
including configuration file /etc/freeradius/modules/radutmp
including configuration file /etc/freeradius/modules/inner-eap
including configuration file /etc/freeradius/modules/unix
including configuration file /etc/freeradius/modules/detail.example.com
including configuration file /etc/freeradius/modules/acct_unique
including configuration file /etc/freeradius/modules/attr_rewrite
including configuration file /etc/freeradius/modules/mac2ip
including configuration file /etc/freeradius/modules/wimax
including configuration file /etc/freeradius/modules/pap
including configuration file /etc/freeradius/modules/echo
including configuration file /etc/freeradius/modules/expiration
including configuration file /etc/freeradius/modules/krb5
including configuration file /etc/freeradius/modules/pam
including configuration file /etc/freeradius/modules/linelog
including configuration file /etc/freeradius/modules/exec
including configuration file /etc/freeradius/modules/mschap
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/default
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
group = freerad
user = freerad
including dictionary file /etc/freeradius/dictionary
main {
    prefix = "/usr"
    localstatedir = "/var"
    logdir = "/var/log/freeradius"
    libdir = "/usr/lib/freeradius"
    radacctdir = "/var/log/freeradius/radacct"
    hostname_lookups = no
    max_request_time = 30
    cleanup_delay = 5
    max_requests = 1024
    allow_core_dumps = no
    pidfile = "/var/run/freeradius/freeradius.pid"
    checkrad = "/usr/sbin/checkrad"
    debug_level = 0
    proxy_requests = yes
 log {
    stripped_names = no
    auth = no
    auth_badpass = no
    auth_goodpass = no
 }
 security {
    max_attributes = 200
    reject_delay = 1
    status_server = yes
 }
}
 client localhost {
    ipaddr = 127.0.0.1
    require_message_authenticator = no
    secret = "testing123-1"
    shortname = "localhost"
    nastype = "other"
 }
 client 10.0.0.1 {
    require_message_authenticator = no
    secret = "testing123-1"
    shortname = "wireless"
    nastype = "others"
 }
radiusd: #### Loading Realms and Home Servers ####
 proxy server {
    retry_delay = 5
    retry_count = 3
    default_fallback = no
    dead_time = 120
    wake_all_if_all_dead = no
 }
 home_server localhost {
    ipaddr = 127.0.0.1
    port = 1812
    type = "auth"
    secret = "testing123"
    response_window = 20
    max_outstanding = 65536
    zombie_period = 40
    status_check = "status-server"
    ping_interval = 30
    check_interval = 30
    num_answers_to_alive = 3
    num_pings_to_alive = 3
    revive_interval = 120
    status_check_timeout = 4
 }
 home_server_pool my_auth_failover {
    type = fail-over
    home_server = localhost
 }
 realm example.com {
    auth_pool = my_auth_failover
 }
 realm LOCAL {
 }
radiusd: #### Instantiating modules ####
 instantiate {
 Module: Linked to module rlm_exec
 Module: Instantiating exec
  exec {
    wait = no
    input_pairs = "request"
    shell_escape = yes
  }
 Module: Linked to module rlm_expr
 Module: Instantiating expr
 Module: Linked to module rlm_expiration
 Module: Instantiating expiration
  expiration {
    reply-message = "Password Has Expired  "
  }
 Module: Linked to module rlm_logintime
 Module: Instantiating logintime
  logintime {
    reply-message = "You are calling outside your allowed timespan  "
    minimum-timeout = 60
  }
 }
radiusd: #### Loading Virtual Servers ####
server inner-tunnel {
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_pap
 Module: Instantiating pap
  pap {
    encryption_scheme = "auto"
    auto_header = no
  }
 Module: Linked to module rlm_chap
 Module: Instantiating chap
 Module: Linked to module rlm_mschap
 Module: Instantiating mschap
  mschap {
    use_mppe = no
    require_encryption = yes
    require_strong = yes
    with_ntdomain_hack = yes
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-mydomain:-mydomain} --username=%{mschap:User-Name:-None} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
  }
 Module: Linked to module rlm_unix
 Module: Instantiating unix
  unix {
    radwtmp = "/var/log/freeradius/radwtmp"
  }
 Module: Linked to module rlm_eap
 Module: Instantiating eap
  eap {
    default_eap_type = "peap"
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    max_sessions = 2048
  }
 Module: Linked to sub-module rlm_eap_tls
 Module: Instantiating eap-tls
   tls {
    rsa_key_exchange = no
    dh_key_exchange = yes
    rsa_key_length = 512
    dh_key_length = 512
    verify_depth = 0
    pem_file_type = yes
    private_key_file = "/etc/freeradius/certs/demoCA/nzzwire01-0.key"
    certificate_file = "/etc/freeradius/certs/demoCA/nzzwire01-0.crt"
    CA_file = "/etc/freeradius/certs/demoCA/CA_cert.crt"
    private_key_password = "WireKey*!4"
    dh_file = "/etc/freeradius/certs/dh"
    random_file = "/etc/freeradius/certs/random"
    fragment_size = 1024
    include_length = yes
    check_crl = no
    cipher_list = "DEFAULT"
    cache {
    enable = no
    lifetime = 24
    max_entries = 255
    }
   }
 Module: Linked to sub-module rlm_eap_peap
 Module: Instantiating eap-peap
   peap {
    default_eap_type = "mschapv2"
    copy_request_to_tunnel = yes
    use_tunneled_reply = no
    proxy_tunneled_request_as_eap = no
    virtual_server = "inner-tunnel"
   }
 Module: Linked to sub-module rlm_eap_mschapv2
 Module: Instantiating eap-mschapv2
   mschapv2 {
    with_ntdomain_hack = no
   }
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_realm
 Module: Instantiating suffix
  realm suffix {
    format = "suffix"
    delimiter = "@"
    ignore_default = no
    ignore_null = no
  }
 Module: Linked to module rlm_files
 Module: Instantiating files
  files {
    usersfile = "/etc/freeradius/users"
    acctusersfile = "/etc/freeradius/acct_users"
    preproxy_usersfile = "/etc/freeradius/preproxy_users"
    compat = "no"
  }
 Module: Checking session {...} for more modules to load
 Module: Linked to module rlm_radutmp
 Module: Instantiating radutmp
  radutmp {
    filename = "/var/log/freeradius/radutmp"
    username = "%{User-Name}"
    case_sensitive = yes
    check_with_nas = yes
    perm = 384
    callerid = yes
  }
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 Module: Linked to module rlm_attr_filter
 Module: Instantiating attr_filter.access_reject
  attr_filter attr_filter.access_reject {
    attrsfile = "/etc/freeradius/attrs.access_reject"
    key = "%{User-Name}"
  }
 }
}
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_preprocess
 Module: Instantiating preprocess
  preprocess {
    huntgroups = "/etc/freeradius/huntgroups"
    hints = "/etc/freeradius/hints"
    with_ascend_hack = no
    ascend_channels_per_line = 23
    with_ntdomain_hack = no
    with_specialix_jetstream_hack = no
    with_cisco_vsa_hack = no
    with_alvarion_vsa_hack = no
  }
 Module: Checking preacct {...} for more modules to load
 Module: Linked to module rlm_acct_unique
 Module: Instantiating acct_unique
  acct_unique {
    key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
  }
 Module: Checking accounting {...} for more modules to load
 Module: Linked to module rlm_detail
 Module: Instantiating detail
  detail {
    detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
    header = "%t"
    detailperm = 384
    dirperm = 493
    locking = no
    log_packet_header = no
  }
 Module: Instantiating attr_filter.accounting_response
  attr_filter attr_filter.accounting_response {
    attrsfile = "/etc/freeradius/attrs.accounting_response"
    key = "%{User-Name}"
  }
 Module: Checking session {...} for more modules to load
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 }
radiusd: #### Opening IP addresses and Ports ####
listen {
    type = "auth"
    ipaddr = *
    port = 0
}
listen {
    type = "acct"
    ipaddr = *
    port = 0
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 10.0.0.1 port 1645, id=104, length=145
    User-Name = "mydomain\\user"
    Framed-MTU = 1400
    Called-Station-Id = "000d.2868.4801"
    Calling-Station-Id = "000e.3560.3e95"
    Service-Type = Login-User
    Message-Authenticator = 0xa1f051e8488f5a50cb044187a8c4c674
    EAP-Message = 0x02010010015a4830315c532e486f747a
    NAS-Port-Type = Wireless-802.11
    NAS-Port = 4392
    NAS-IP-Address = 10.0.0.1
    NAS-Identifier = "wireless"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "mydomain\user", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 16
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 104 to 10.0.0.1 port 1645
    EAP-Message = 0x010200061920
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x80e9682e80eb716d23cf4280d3865bd8
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.0.1 port 1645, id=105, length=253
    User-Name = "mydomain\\user"
    Framed-MTU = 1400
    Called-Station-Id = "000d.2868.4801"
    Calling-Station-Id = "000e.3560.3e95"
    Service-Type = Login-User
    Message-Authenticator = 0x8ea63d676026bf116dc956f454e8088e
    EAP-Message = 0x0202006a1900160301005f0100005b03014ab1f239fed58a9540ea7eeff0e2d184bfde52a76c671ae71e9ecf769581c7ff00003400390038003500160013000a00330032002f006600050004006500640063006200610060001500120009001400110008000600030100
    NAS-Port-Type = Wireless-802.11
    NAS-Port = 4392
    State = 0x80e9682e80eb716d23cf4280d3865bd8
    NAS-IP-Address = 10.0.0.1
    NAS-Identifier = "wireless"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "mydomain\user", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 106
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7 
[peap] Done initial handshake
[peap]     (other): before/accept initialization 
[peap]     TLS_accept: before/accept initialization 
[peap] <<< TLS 1.0 Handshake [length 005f], ClientHello  
[peap]     TLS_accept: SSLv3 read client hello A 
[peap] >>> TLS 1.0 Handshake [length 002a], ServerHello  
[peap]     TLS_accept: SSLv3 write server hello A 
[peap] >>> TLS 1.0 Handshake [length 05ce], Certificate  
[peap]     TLS_accept: SSLv3 write certificate A 
[peap] >>> TLS 1.0 Handshake [length 010d], ServerKeyExchange  
[peap]     TLS_accept: SSLv3 write key exchange A 
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone  
[peap]     TLS_accept: SSLv3 write server done A 
[peap]     TLS_accept: SSLv3 flush data 
[peap]     TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase 
In SSL Accept mode  
[peap] eaptls_process returned 13 
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 105 to 10.0.0.1 port 1645
    EAP-Message = 0x86f842010d041f161d4f70656e53534c2047656e657261746564204365727469666963617465301d0603551d0e04160414c93199967c5bdf132d1d5ab3fa15ac9b72ecc78530760603551d23046f306d8014727ea255965d8fbf177009121c46c0ca5c761743a152a450304e310b3009060355040613026368310b3009060355040813027a68310f300d060355040713067a7572696368310c300a060355040a13036e7a7a31133011060355040b130a696e666f726d6174696b820100300d06092a864886f70d0101040500038181002f9130e3625335befa4741b20897377a22f325d6436e1c36f9be24facaf7d1eb54deaa81edb224429c0854f0f6
    EAP-Message = 0x13027a68310f300d06035504
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x80e9682e81ea716d23cf4280d3865bd8
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.0.1 port 1645, id=106, length=153
    User-Name = "mydomain\\user"
    Framed-MTU = 1400
    Called-Station-Id = "000d.2868.4801"
    Calling-Station-Id = "000e.3560.3e95"
    Service-Type = Login-User
    Message-Authenticator = 0x918316a7a500e443230e4bbc47d5ad7d
    EAP-Message = 0x020300061900
    NAS-Port-Type = Wireless-802.11
    NAS-Port = 4392
    State = 0x80e9682e81ea716d23cf4280d3865bd8
    NAS-IP-Address = 10.0.0.1
    NAS-Identifier = "wireless"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "mydomain\user", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1 
[peap] eaptls_process returned 13 
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 106 to 10.0.0.1 port 1645
    EAP-Message = 0x1fee35da981a6e3f4939e5c3e0187867094c41b1e6bf6da839f737f42dfefea18aa18718509de0791f15edde5316030100040e000000
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x80e9682e82ed716d23cf4280d3865bd8
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.0.1 port 1645, id=107, length=287
    User-Name = "mydomain\\user"
    Framed-MTU = 1400
    Called-Station-Id = "000d.2868.4801"
    Calling-Station-Id = "000e.3560.3e95"
    Service-Type = Login-User
    Message-Authenticator = 0xf6e713150b71eaf618f12fde46e3bcbb
    EAP-Message = 0x0204008c190016030100461000004200401c3ab7dc1a753b6ae3020d96d1d144cadf21b5f3422a6783f77bc954b33441514b12044ddacd7ca955d4e1c23c8fc697df9f9e4cdd9361aca2ed8f9ac3f1e04314030100010116030100309180e1b3bc25f45e673fbe76685a95ecc6440b1b0309c47624f75142ae6c9ada63fa12674301b56444c21b450c6b32e7
    NAS-Port-Type = Wireless-802.11
    NAS-Port = 4392
    State = 0x80e9682e82ed716d23cf4280d3865bd8
    NAS-IP-Address = 10.0.0.1
    NAS-Identifier = "wireless"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "mydomain\user", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 4 length 140
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7 
[peap] Done initial handshake
[peap] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange  
[peap]     TLS_accept: SSLv3 read client key exchange A 
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]  
[peap] <<< TLS 1.0 Handshake [length 0010], Finished  
[peap]     TLS_accept: SSLv3 read finished A 
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]  
[peap]     TLS_accept: SSLv3 write change cipher spec A 
[peap] >>> TLS 1.0 Handshake [length 0010], Finished  
[peap]     TLS_accept: SSLv3 write finished A 
[peap]     TLS_accept: SSLv3 flush data 
[peap]     (other): SSL negotiation finished successfully 
SSL Connection Established 
[peap] eaptls_process returned 13 
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 107 to 10.0.0.1 port 1645
    EAP-Message = 0x010500411900140301000101160301003020196b841f13a063342315f0272e8781d4be5a2e7147e5bdbbfbdc21aeef3d4ea2affdacf672abbd8534b15150719e00
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x80e9682e83ec716d23cf4280d3865bd8
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.0.1 port 1645, id=108, length=153
    User-Name = "mydomain\\user"
    Framed-MTU = 1400
    Called-Station-Id = "000d.2868.4801"
    Calling-Station-Id = "000e.3560.3e95"
    Service-Type = Login-User
    Message-Authenticator = 0x4e257a44e0eb615236e7e6132d5d661f
    EAP-Message = 0x020500061900
    NAS-Port-Type = Wireless-802.11
    NAS-Port = 4392
    State = 0x80e9682e83ec716d23cf4280d3865bd8
    NAS-IP-Address = 10.0.0.1
    NAS-Identifier = "wireless"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "mydomain\user", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 5 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3 
[peap] eaptls_process returned 3 
[peap] EAPTLS_SUCCESS
++[eap] returns handled
Sending Access-Challenge of id 108 to 10.0.0.1 port 1645
    EAP-Message = 0x0106002b190017030100204ac0995a7016dc6e2823fe58aa1a8ff6714e685167aa9168e2a18516a34ce6d6
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x80e9682e84ef716d23cf4280d3865bd8
Finished request 4.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.0.0.1 port 1645, id=109, length=243
    User-Name = "mydomain\\user"
    Framed-MTU = 1400
    Called-Station-Id = "000d.2868.4801"
    Calling-Station-Id = "000e.3560.3e95"
    Service-Type = Login-User
    Message-Authenticator = 0xa1c6ce6def0c9de02466b5c65e1cf9c3
    EAP-Message = 0x0206006019001703010020d89c686f3a414d7446d857dee8506108223b5dc794ab421d80fb05f03f0a2bd21703010030de672b9ad28edfa510afb0379d769393b37e8de8f1cc4e4f7e9153bc4b7c4b9ccae6f4b26cc5a1bf7fcdc31537a79ea0
    NAS-Port-Type = Wireless-802.11
    NAS-Port = 4392
    State = 0x80e9682e84ef716d23cf4280d3865bd8
    NAS-IP-Address = 10.0.0.1
    NAS-Identifier = "wireless"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "mydomain\user", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 6 length 96
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7 
[peap] Done initial handshake
[peap] eaptls_process returned 7 
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Identity - mydomain\user
[peap] Got tunnled request
    EAP-Message = 0x02060010017a6830315c732e686f747a
server (null) {
  PEAP: Got tunneled identity of mydomain\user
  PEAP: Setting default EAP type for tunneled EAP session.
  PEAP: Setting User-Name to mydomain\user
Sending tunneled request
    EAP-Message = 0x02060010017a6830315c732e686f747a
    FreeRADIUS-Proxied-To = 127.0.0.1
    User-Name = "mydomain\\user"
    Framed-MTU = 1400
    Called-Station-Id = "000d.2868.4801"
    Calling-Station-Id = "000e.3560.3e95"
    Service-Type = Login-User
    NAS-Port-Type = Wireless-802.11
    NAS-Port = 4392
    NAS-IP-Address = 10.0.0.1
    NAS-Identifier = "wireless"
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "mydomain\user", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 6 length 16
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
    EAP-Message = 0x010700251a0107002010c508956d066adc8e3bc9b92127fb2fe27a6830315c732e686f747a
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x03371cd203300629664a8ed6dcdcbe2d
[peap] Got tunneled reply RADIUS code 11
    EAP-Message = 0x010700251a0107002010c508956d066adc8e3bc9b92127fb2fe27a6830315c732e686f747a
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x03371cd203300629664a8ed6dcdcbe2d
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 109 to 10.0.0.1 port 1645
    EAP-Message = 0x0107004b19001703010040fd04cc1b4a2605a649d63355aabdeb2632f6f349527cb4013d00d87573592aab6137e23b1f600379195c551950397cce371207f6be612863a7984b38637b9992
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x80e9682e85ee716d23cf4280d3865bd8
Finished request 5.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.0.0.1 port 1645, id=110, length=291
    User-Name = "mydomain\\user"
    Framed-MTU = 1400
    Called-Station-Id = "000d.2868.4801"
    Calling-Station-Id = "000e.3560.3e95"
    Service-Type = Login-User
    Message-Authenticator = 0x1cd29e39402a6e840e8f6556bf46928e
    EAP-Message = 0x0207009019001703010020bd76d0b1af16c027e5a9da101b14ee7fe6ff2cf97814650047851242be007a711703010060c32b500bc499db805ab72b291f00d4005f04d993d16bb7061e2d52b47c7d9556b3c7c11b69878df2bb9d162d0785d085987181a73a81d9315139e4662efa7b54369921d174a6047bb7746897a46c93a795a8ebc3c4856481f9e1323ad8bcbdb5
    NAS-Port-Type = Wireless-802.11
    NAS-Port = 4392
    State = 0x80e9682e85ee716d23cf4280d3865bd8
    NAS-IP-Address = 10.0.0.1
    NAS-Identifier = "wireless"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "mydomain\user", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 7 length 144
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7 
[peap] Done initial handshake
[peap] eaptls_process returned 7 
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] EAP type mschapv2
[peap] Got tunnled request
    EAP-Message = 0x020700461a0207004131f57076f6190b1451606d6ed9d3c3b80f0000000000000000758dee0f5cf4b7ea3cd150fa32ff165723887bae940074c4007a6830315c732e686f747a
server (null) {
  PEAP: Setting User-Name to mydomain\user
Sending tunneled request
    EAP-Message = 0x020700461a0207004131f57076f6190b1451606d6ed9d3c3b80f0000000000000000758dee0f5cf4b7ea3cd150fa32ff165723887bae940074c4007a6830315c732e686f747a
    FreeRADIUS-Proxied-To = 127.0.0.1
    User-Name = "mydomain\\user"
    State = 0x03371cd203300629664a8ed6dcdcbe2d
    Framed-MTU = 1400
    Called-Station-Id = "000d.2868.4801"
    Calling-Station-Id = "000e.3560.3e95"
    Service-Type = Login-User
    NAS-Port-Type = Wireless-802.11
    NAS-Port = 4392
    NAS-IP-Address = 10.0.0.1
    NAS-Identifier = "wireless"
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "mydomain\user", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 7 length 70
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for user with NT-Password
    expand: --domain=%{mschap:NT-mydomain:-mydomain} -> --domain=mydomain
    expand: --username=%{mschap:User-Name:-None} -> --username=user
[mschap]  mschap2: c5
    expand: --challenge=%{mschap:Challenge:-00} -> --challenge=8660dea0f174464c
    expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=758dee0f5cf4b7ea3cd150fa32ff165723887bae940074c4
Exec-Program output: NT_KEY: B9C1923227672CF3D5079723D78E41A0 
Exec-Program-Wait: plaintext: NT_KEY: B9C1923227672CF3D5079723D78E41A0 
Exec-Program: returned: 0
++[mschap] returns ok
MSCHAP Success 
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
    EAP-Message = 0x010800331a0307002e533d32423538443738374433374635314433313846413736343432333539463034384645433535353044
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x03371cd2023f0629664a8ed6dcdcbe2d
[peap] Got tunneled reply RADIUS code 11
    EAP-Message = 0x010800331a0307002e533d32423538443738374433374635314433313846413736343432333539463034384645433535353044
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x03371cd2023f0629664a8ed6dcdcbe2d
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 110 to 10.0.0.1 port 1645
    EAP-Message = 0x0108005b1900170301005055895bdec32accf23e83a028b4dacbd15c004660b5f7894904db99814756478b5e75b0d7784be8499937b31e7b49ac566dea2f9ffcfec48f52c6187290e8531f7f1f1227f27d7b589aea4033a7d24ea9
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x80e9682e86e1716d23cf4280d3865bd8
Finished request 6.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.0.0.1 port 1645, id=111, length=227
    User-Name = "mydomain\\user"
    Framed-MTU = 1400
    Called-Station-Id = "000d.2868.4801"
    Calling-Station-Id = "000e.3560.3e95"
    Service-Type = Login-User
    Message-Authenticator = 0xca25c9fefffe68fb16b7540330f886cd
    EAP-Message = 0x0208005019001703010020218fcc3ddf31542a1f4561375cb7b54f876cad08360a35bbee7cffcc512cd1a1170301002029173c496b16779ef3bb3d5172702d36c240bd8357def389fac4eb3212046f6e
    NAS-Port-Type = Wireless-802.11
    NAS-Port = 4392
    State = 0x80e9682e86e1716d23cf4280d3865bd8
    NAS-IP-Address = 10.0.0.1
    NAS-Identifier = "wireless"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "mydomain\user", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 8 length 80
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7 
[peap] Done initial handshake
[peap] eaptls_process returned 7 
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] EAP type mschapv2
[peap] Got tunnled request
    EAP-Message = 0x020800061a04
server (null) {
  PEAP: Setting User-Name to mydomain\user
Sending tunneled request
    EAP-Message = 0x020800061a04
    FreeRADIUS-Proxied-To = 127.0.0.1
    User-Name = "mydomain\\user"
    State = 0x03371cd2023f0629664a8ed6dcdcbe2d
    Framed-MTU = 1400
    Called-Station-Id = "000d.2868.4801"
    Calling-Station-Id = "000e.3560.3e95"
    Service-Type = Login-User
    NAS-Port-Type = Wireless-802.11
    NAS-Port = 4392
    NAS-IP-Address = 10.0.0.1
    NAS-Identifier = "wireless"
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "mydomain\user", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 8 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
rlm_eap_mschapv2: Invalid response type 4
[eap] Handler failed in EAP/mschapv2
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
} # server inner-tunnel
[peap] Got tunneled reply code 3
    EAP-Message = 0x04080004
    Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code 3
    EAP-Message = 0x04080004
    Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] returns handled
Sending Access-Challenge of id 111 to 10.0.0.1 port 1645
    EAP-Message = 0x0109002b19001703010020b12908003d5c6d7d90cd3130cf111d70753d81ca7757744970195793cf356978
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x80e9682e87e0716d23cf4280d3865bd8
Finished request 7.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 10.0.0.1 port 1645, id=112, length=227
    User-Name = "mydomain\\user"
    Framed-MTU = 1400
    Called-Station-Id = "000d.2868.4801"
    Calling-Station-Id = "000e.3560.3e95"
    Service-Type = Login-User
    Message-Authenticator = 0x508935028611f6b0a47361317bf28b8f
    EAP-Message = 0x02090050190017030100203ce39908b6bbd121e3b74f1b47e4df5e0a3b29c6bad8add51bdfad7e96ecb35917030100208618b9c909461c0afd54c4187f4fc76076ec42ed2d702e7cdd3e3099dc3b0f6b
    NAS-Port-Type = Wireless-802.11
    NAS-Port = 4392
    State = 0x80e9682e87e0716d23cf4280d3865bd8
    NAS-IP-Address = 10.0.0.1
    NAS-Identifier = "wireless"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "mydomain\user", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 9 length 80
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7 
[peap] Done initial handshake
[peap] eaptls_process returned 7 
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Received EAP-TLV response.
[peap]  Had sent TLV failure.  User was rejected earlier in this session.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
    expand: %{User-Name} -> mydomain\user
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 8 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 8
Sending Access-Reject of id 112 to 10.0.0.1 port 1645
    EAP-Message = 0x04090004
    Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.4 seconds.