Configuring FreeRADIUS to use ntlm_auth for MS-CHAP

Pedro Alves pedrojmalves at gmail.com
Fri Apr 30 03:42:01 CEST 2010


Hello Again.

Using JRadiusSimulator to test, I receive "Sending Access-Accept" :)

But when I use a client AP Cisco Aironet 1121, only users from "files" can
connect; users on AD don't.

This is the radiusd -X output:

rad_recv: Access-Request packet from host 10.1.3.17 port 1645, id=103,
length=121
        User-Name = "radius"
        Framed-MTU = 1400
        Called-Station-Id = "0016.9df4.c3d0"
        Calling-Station-Id = "001c.bf72.f652"
        Service-Type = Login-User
        Message-Authenticator = 0x5421f97a6f252cbb7b15c33e50e083c9
        EAP-Message = 0x0214000b01726164697573
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 333
        NAS-IP-Address = 10.1.3.17
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "radius", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 20 length 11
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 103 to 10.1.3.17 port 1645
        EAP-Message = 0x011500061920
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xac9d3931ac8820751e3f7dd68458a60f
Finished request 142.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.1.3.17 port 1645, id=104,
length=208
        User-Name = "radius"
        Framed-MTU = 1400
        Called-Station-Id = "0016.9df4.c3d0"
        Calling-Station-Id = "001c.bf72.f652"
        Service-Type = Login-User
        Message-Authenticator = 0xfe9d4d7736eb25ec342eba47caef7bc2
        EAP-Message =
0x0215005019800000004616030100410100003d03014bd97bb8c5e84e785ab0eda2044b31ad
36f279237dff6efb4d76d51fc135801b00001600040005000a00090064006200030006001300
1200630100
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 333
        State = 0xac9d3931ac8820751e3f7dd68458a60f
        NAS-IP-Address = 10.1.3.17
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "radius", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 21 length 80
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 70
[peap] Length Included
[peap] eaptls_verify returned 11 
[peap]     (other): before/accept initialization 
[peap]     TLS_accept: before/accept initialization 
[peap] <<< TLS 1.0 Handshake [length 0041], ClientHello  
[peap]     TLS_accept: SSLv3 read client hello A 
[peap] >>> TLS 1.0 Handshake [length 002a], ServerHello  
[peap]     TLS_accept: SSLv3 write server hello A 
[peap] >>> TLS 1.0 Handshake [length 0881], Certificate  
[peap]     TLS_accept: SSLv3 write certificate A 
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone  
[peap]     TLS_accept: SSLv3 write server done A 
[peap]     TLS_accept: SSLv3 flush data 
[peap]     TLS_accept: Need to read more data: SSLv3 read client certificate
A
In SSL Handshake Phase 
In SSL Accept mode  
[peap] eaptls_process returned 13 
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 104 to 10.1.3.17 port 1645
        EAP-Message =
0x0116040019c0000008be160301002a0200002603014bd97bc3d689df8189bf1b82478e8b10
b0cdc460dca827895a49c151220d46de0000040016030108810b00087d00087a0003b6308203
b23082029aa003020102020101300d06092a864886f70d0101040500308199310b3009060355
040613025054310f300d060355040813064c6973626f613112301006035504071309416c6672
616769646531153013060355040a130c53756d6f6c2b436f6d70616c3121301f06092a864886
f70d01090116126473694073756d6f6c636f6d70616c2e7074312b3029060355040313225375
6d6f6c2b436f6d70616c20436572746966696361746520417574
        EAP-Message =
0x686f72697479301e170d3130303432393130323835355a170d313330343238313032383535
5a308185310b3009060355040613025054310f300d060355040813064c6973626f6131153013
060355040a130c53756d6f6c2b436f6d70616c312b30290603550403132253756d6f6c2b436f
6d70616c20436572746966696361746520417574686f726974793121301f06092a864886f70d
01090116126473694073756d6f6c636f6d70616c2e707430820122300d06092a864886f70d01
010105000382010f003082010a0282010100aead30e6e578a9a3df511d9eea6702ab01f8d0f0
225bc6f044cdda41dc28c39ef7746ba8790d4b86cbe29fc27bb9
        EAP-Message =
0x37d171818aa3d8e572af5cca3816a1dbea5a10945323349656c68f7eb947f99cd7db260fe8
4f6d8d5ee453fb228c58cceb0b592def5adb50053d4cebf1edbc4d0a44d49b21ba9dbc3e38b9
5846ba82c0c2b88b132a39f2f80dbe78e1d983577648aab8846a141969fe1b435f07c881611a
434f3bd398b4dea8b1809d46951e9ab9680f04fbc5c65cbde43961850e4cbf87941919ed3614
f87e4f20d38da1cad832f76578fbb920048506e2ac8351d6ed9a41fca5e1028d8fcd4ac768a9
6b6cbf1082c62a17aa16d8b8879c0905c67990d86f0203010001a317301530130603551d2504
0c300a06082b06010505070301300d06092a864886f70d010104
        EAP-Message =
0x05000382010100202023fad2fc1181f0f1a8213c9cfe74c61a505191ec8bcb9172987acc3b
53ca9d4c701f4f373be7185568d82285915d4ae5a1079bbaa2b27e64151c680835ad967b80e3
662c4c632b5e8d888783d2b4f514d67a214ebd674fc324a55656c8e3f3e865d08053f35de1a2
8829a6655c5b58c2832c7dd5cfdaa82bf7d6e25307132388d5508e3918bc5bbf0865a8d32e54
9a5678dd2192f4ec0b81da138d59fdb460bd2e7b09648eb226fd0b2433d532206a71dad3cb81
f8205813f7da224921a1718abe53d444fc9eeffa3a08cb59d3114ab207cc3f505cf3c2b3e067
324eb4679fb4857d7a49bc4f494e15bb16b653db09ec29dfe8ec
        EAP-Message = 0xaf4576c2b0070a32f5800004
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xac9d3931ad8b20751e3f7dd68458a60f
Finished request 143.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.1.3.17 port 1645, id=105,
length=134
        User-Name = "radius"
        Framed-MTU = 1400
        Called-Station-Id = "0016.9df4.c3d0"
        Calling-Station-Id = "001c.bf72.f652"
        Service-Type = Login-User
        Message-Authenticator = 0x9afdd3efabb3c2c22f2e620b2b6a45e3
        EAP-Message = 0x021600061900
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 333
        State = 0xac9d3931ad8b20751e3f7dd68458a60f
        NAS-IP-Address = 10.1.3.17
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "radius", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 22 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1 
[peap] eaptls_process returned 13 
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 105 to 10.1.3.17 port 1645
        EAP-Message =
0x011703fc1940be308204ba308203a2a003020102020900e676cf69665132ea300d06092a86
4886f70d0101050500308199310b3009060355040613025054310f300d060355040813064c69
73626f613112301006035504071309416c6672616769646531153013060355040a130c53756d
6f6c2b436f6d70616c3121301f06092a864886f70d01090116126473694073756d6f6c636f6d
70616c2e7074312b30290603550403132253756d6f6c2b436f6d70616c204365727469666963
61746520417574686f72697479301e170d3130303432393130323835355a170d313330343238
3130323835355a308199310b3009060355040613025054310f30
        EAP-Message =
0x0d060355040813064c6973626f613112301006035504071309416c66726167696465311530
13060355040a130c53756d6f6c2b436f6d70616c3121301f06092a864886f70d010901161264
73694073756d6f6c636f6d70616c2e7074312b30290603550403132253756d6f6c2b436f6d70
616c20436572746966696361746520417574686f7269747930820122300d06092a864886f70d
01010105000382010f003082010a0282010100b24bbffe31302f4ad0b6b3d14d25043993513a
6afe0052f53368486e882204788a5c1e7ada8e06a7fd2d664c984bb236dce5b1345a51cd20bb
899cf7ec7e045bb40ad4ad13f8feaf194a33e160f961acea0ac2
        EAP-Message =
0x9536cfd418e0a931badb0aa0ccb440d9207e7772e9e310b64df5dc0f3aeba600a74a9d6de7
601ccb89003b676d359ba939d836bb45d3f34e4936a4631ca1b8d33481cf99e872f6ddbdff5c
31ba80129a20b4c8c19d10bdd009ddf9359017d12652135a0c4c51a718c1d940903de92cfb9c
cb9f97d3a969471527f2e6ea36269acbded706c93317f2cf2c0b0dd3e1206624c9973e839d27
7e1c59abaec63e132bd2d909df6a134754a37f004b3d0203010001a38201013081fe301d0603
551d0e0416041425f59b62bf9b4f44e8823fd2248371807b17ff903081ce0603551d230481c6
3081c3801425f59b62bf9b4f44e8823fd2248371807b17ff90a1
        EAP-Message =
0x819fa4819c308199310b3009060355040613025054310f300d060355040813064c6973626f
613112301006035504071309416c6672616769646531153013060355040a130c53756d6f6c2b
436f6d70616c3121301f06092a864886f70d01090116126473694073756d6f6c636f6d70616c
2e7074312b30290603550403132253756d6f6c2b436f6d70616c204365727469666963617465
20417574686f72697479820900e676cf69665132ea300c0603551d13040530030101ff300d06
092a864886f70d010105050003820101008ebc829a120fb51c2610d99da0f4f67a3630d58830
4df593e3493ff80e94e24e524e43b46d3a5cf8b6adf5c54f3c10
        EAP-Message = 0xbb37209851f7c861
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xac9d3931ae8a20751e3f7dd68458a60f
Finished request 144.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.1.3.17 port 1645, id=106,
length=134
        User-Name = "radius"
        Framed-MTU = 1400
        Called-Station-Id = "0016.9df4.c3d0"
        Calling-Station-Id = "001c.bf72.f652"
        Service-Type = Login-User
        Message-Authenticator = 0xcc667a485f75d999ee9ca1a1a4d3009f
        EAP-Message = 0x021700061900
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 333
        State = 0xac9d3931ae8a20751e3f7dd68458a60f
        NAS-IP-Address = 10.1.3.17
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "radius", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 23 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1 
[peap] eaptls_process returned 13 
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 106 to 10.1.3.17 port 1645
        EAP-Message =
0x011800d819002f5a83c923534ec2db772cc3ba7177a11bad2ff8c8cb6ee2a62c77ecfdc796
fb35ec7dcc1a3322a76637b2c7d0d2e719a667fabc8033d27214105e5edae46e97a692e4dc65
026a83907bbaf87e18a5027206612b229b0efc65e3f8be783efb2cc3513222abdf137eb6aa7b
2a857ec7b12276b947e05dba00c8d4a881b72a3418d935a5d041a1dbc983d07be4afa5153389
e82f579ee35ea6c5b1e5b31f5e62a1e28d0d23b99fb88ce6384fd7e8533736c3eaf7a5f643f1
8ec93c0c0732e76932667f049f70fc9e4def16030100040e000000
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xac9d3931af8520751e3f7dd68458a60f
Finished request 145.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.1.3.17 port 1645, id=107,
length=450
        User-Name = "radius"
        Framed-MTU = 1400
        Called-Station-Id = "0016.9df4.c3d0"
        Calling-Station-Id = "001c.bf72.f652"
        Service-Type = Login-User
        Message-Authenticator = 0x504485daa93505822f5226f8336c24c1
        EAP-Message =
0x0218014019800000013616030101061000010201000f11893a2a0af5ff119c9aeaf905f745
2ab17e795ff97718a7331a15b262a28985bd6cec5854eb16d2a1df910f3ed31bb4966a8c9efd
ed0b5ebe9e17803cbc9a0bded32a9720626fe58ef3e5acfe5aa29b2184f4872ab522ca32c4eb
a335742ff20a63c90b52dea3dfba65d0b0407a1040fc59524ef8f5df22775968869da2fe47a7
66f792950eee8b81a61e29b38a4cce55d776aece337c2794e56d3bb395a5619f489553a234f4
43ab9bb2afaedc6dc9a454168e5285ad07b04a82564f34ebe150115a7bb038d8fe90d54d9f3d
9bf48caa31bc4f4a0476a7d82f9380024538e6c6bdc1f4d60130
        EAP-Message =
0x27b542fba0cfe08d72e2606c3c67bfb30320ac0133c9f4b7140301000101160301002082ee
41684920bb00277f9676240c2eda7234060fa769c08f7be5046cb4114b4d
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 333
        State = 0xac9d3931af8520751e3f7dd68458a60f
        NAS-IP-Address = 10.1.3.17
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "radius", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 24 length 253
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 310
[peap] Length Included
[peap] eaptls_verify returned 11 
[peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange  
[peap]     TLS_accept: SSLv3 read client key exchange A 
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]  
[peap] <<< TLS 1.0 Handshake [length 0010], Finished  
[peap]     TLS_accept: SSLv3 read finished A 
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]  
[peap]     TLS_accept: SSLv3 write change cipher spec A 
[peap] >>> TLS 1.0 Handshake [length 0010], Finished  
[peap]     TLS_accept: SSLv3 write finished A 
[peap]     TLS_accept: SSLv3 flush data 
[peap]     (other): SSL negotiation finished successfully 
SSL Connection Established 
[peap] eaptls_process returned 13 
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 107 to 10.1.3.17 port 1645
        EAP-Message =
0x0119003119001403010001011603010020620e595ee40aed5c5827c1a95eb2f49bdbd90c99
8731155dcc38ad25392abb11
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xac9d3931a88420751e3f7dd68458a60f
Finished request 146.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.1.3.17 port 1645, id=108,
length=134
        User-Name = "radius"
        Framed-MTU = 1400
        Called-Station-Id = "0016.9df4.c3d0"
        Calling-Station-Id = "001c.bf72.f652"
        Service-Type = Login-User
        Message-Authenticator = 0x7023048b235562b398e0d7673adc9c37
        EAP-Message = 0x021900061900
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 333
        State = 0xac9d3931a88420751e3f7dd68458a60f
        NAS-IP-Address = 10.1.3.17
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "radius", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 25 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3 
[peap] eaptls_process returned 3 
[peap] EAPTLS_SUCCESS
++[eap] returns handled
Sending Access-Challenge of id 108 to 10.1.3.17 port 1645
        EAP-Message =
0x011a002019001703010015b3c0657eb22ecfe39f483c96b6d825dd2ae546aa88
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xac9d3931a98720751e3f7dd68458a60f
Finished request 147.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.1.3.17 port 1645, id=109,
length=162
        User-Name = "radius"
        Framed-MTU = 1400
        Called-Station-Id = "0016.9df4.c3d0"
        Calling-Station-Id = "001c.bf72.f652"
        Service-Type = Login-User
        Message-Authenticator = 0x9d9d8018fcf0ca698b3221bdb5074960
        EAP-Message =
0x021a002219001703010017a6900bd1d2f519aa0a543ab128c4179ec45369a3b2d332
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 333
        State = 0xac9d3931a98720751e3f7dd68458a60f
        NAS-IP-Address = 10.1.3.17
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "radius", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 26 length 34
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7 
[peap] Done initial handshake
[peap] eaptls_process returned 7 
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Identity - radius
[peap] Got tunneled request
        EAP-Message = 0x021a000b01726164697573
server  {
  PEAP: Got tunneled identity of radius
  PEAP: Setting default EAP type for tunneled EAP session.
  PEAP: Setting User-Name to radius
Sending tunneled request
        EAP-Message = 0x021a000b01726164697573
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "radius"
server inner-tunnel {
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "radius", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 26 length 11
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
        EAP-Message =
0x011b00201a011b001b10104069986f899325db5507f732c9a84d726164697573
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xf2895040f2924a11970822f6475488c4
[peap] Got tunneled reply RADIUS code 11
        EAP-Message =
0x011b00201a011b001b10104069986f899325db5507f732c9a84d726164697573
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xf2895040f2924a11970822f6475488c4
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 109 to 10.1.3.17 port 1645
        EAP-Message =
0x011b00371900170301002c47364676fd9f5f038e2a853553cd5bf9641c40b4027bf9288d54
93f40de0ce78d96664845c9d1b6d299ce2c8
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xac9d3931aa8620751e3f7dd68458a60f
Finished request 148.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.1.3.17 port 1645, id=110,
length=216
        User-Name = "radius"
        Framed-MTU = 1400
        Called-Station-Id = "0016.9df4.c3d0"
        Calling-Station-Id = "001c.bf72.f652"
        Service-Type = Login-User
        Message-Authenticator = 0x45e1406c4831f33a22bb8334777278de
        EAP-Message =
0x021b00581900170301004d7f244c122bfed197958b6eed9c2d9409b4ab78e3926597e8ee81
d5224c980b78bcd27c6a70ba2c28ad9e2db574e2d2dd9b8f57e68ae15f3ea2256d1a77907d29
b22dfc99484303a45fd6af169c
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 333
        State = 0xac9d3931aa8620751e3f7dd68458a60f
        NAS-IP-Address = 10.1.3.17
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "radius", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 27 length 88
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7 
[peap] Done initial handshake
[peap] eaptls_process returned 7 
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] EAP type mschapv2
[peap] Got tunneled request
        EAP-Message =
0x021b00411a021b003c31cd2f712e07f9dfe9f598c4709e20991f00000000000000003e5f3c
c91a9b6a17d93fb3fe2df5fe3ca9bb11e445388c4900726164697573
server  {
  PEAP: Setting User-Name to radius
Sending tunneled request
        EAP-Message =
0x021b00411a021b003c31cd2f712e07f9dfe9f598c4709e20991f00000000000000003e5f3c
c91a9b6a17d93fb3fe2df5fe3ca9bb11e445388c4900726164697573
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "radius"
        State = 0xf2895040f2924a11970822f6475488c4
server inner-tunnel {
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "radius", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 27 length 65
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] Told to do MS-CHAPv2 for radius with NT-Password
[mschap]        expand: --username=%{mschap:User-Name:-None} ->
--username=radius
[mschap] No NT-Domain was found in the User-Name.
[mschap]        expand: %{mschap:NT-Domain} -> 
[mschap]        ... expanding second conditional
[mschap]        expand: --domain=%{%{mschap:NT-Domain}:-domain} ->
--domain=domain
[mschap]  mschap2: 10
[mschap]        expand: --challenge=%{mschap:Challenge:-00} ->
--challenge=f8ee793b104b9514
[mschap]        expand: --nt-response=%{mschap:NT-Response:-00} ->
--nt-response=3e5f3cc91a9b6a17d93fb3fe2df5fe3ca9bb11e445388c49
Exec-Program output: NT_KEY: 46AA6F75892B0C742D6F219B7DE53841 
Exec-Program-Wait: plaintext: NT_KEY: 46AA6F75892B0C742D6F219B7DE53841 
Exec-Program: returned: 0
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
MSCHAP Success 
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
        EAP-Message =
0x011c00331a031b002e533d3537343234373641383630373337373030443645313134443939
3143374137323538434136333633
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xf2895040f3954a11970822f6475488c4
[peap] Got tunneled reply RADIUS code 11
        EAP-Message =
0x011c00331a031b002e533d3537343234373641383630373337373030443645313134443939
3143374137323538434136333633
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xf2895040f3954a11970822f6475488c4
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 110 to 10.1.3.17 port 1645
        EAP-Message =
0x011c004a1900170301003faca645f76e5aff8c761515bd9d8c3213f7e06d164a58508ec372
6451efcaa894181735f73811912c526d93579a32e2887690f78fb267de6af44993815d126a
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xac9d3931ab8120751e3f7dd68458a60f
Finished request 149.
Going to the next request
Waking up in 4.7 seconds.


-----Original Message-----
From: freeradius-users-bounces+pedrojmalves=gmail.com at lists.freeradius.org
[mailto:freeradius-users-bounces+pedrojmalves=gmail.com at lists.freeradius.org
] On Behalf Of Alan DeKok
Sent: Wednesday, 28 April 2010 20:59
To: FreeRadius users mailing list
Subject: Re: Configuring FreeRADIUS to use ntlm_auth for MS-CHAP

Pedro Alves wrote:
> This is the test with AD user:
> 
> AP#test aaa group radius userad userpass new-code  
> Trying to authenticate with Servergroup radius
> User rejected
> 
> rad_recv: Access-Request packet from host xx.xx.xx.xx port 1645, id=175,
> length=52
>         User-Password = "userpass"
>         User-Name = "userad"
>         NAS-IP-Address = xx.xx.xx.xx

  So... you're not doing MS-CHAP.

  Why is this message useful?

  Again... the Active Directory howto you were pointed to *documents*
this.  Go read it and follow the steps.  If you don't follow the
documentation, you probably won't be able to solve the problem.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
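As an added worked example (not code from the original message or from FreeRADIUS), this Python script decodes the two tunneled EAP-MSCHAPv2 packets shown in the inner-tunnel section of the debug output above and reproduces the --username, --challenge and --nt-response values that rlm_mschap hands to ntlm_auth. The two hex strings are copied from the log; the field layout and the 8-byte ChallengeHash come from RFC 2759, and the literal --domain=domain in the log is the module's fallback when the user name carries no NT-Domain.

```python
# Decode the PEAP inner-tunnel EAP-MSCHAPv2 exchange from the radiusd -X output
# and derive the values rlm_mschap passes to ntlm_auth. Added example, not
# FreeRADIUS code; the two packets below are copied from the log.
import hashlib
from dataclasses import dataclass

# "[peap] Got tunneled reply" (server -> supplicant): MS-CHAPv2 Challenge, id 0x1b
CHALLENGE_HEX = "011b00201a011b001b10104069986f899325db5507f732c9a84d726164697573"
# "[peap] Got tunneled request" (supplicant -> server): MS-CHAPv2 Response, id 0x1b
RESPONSE_HEX = ("021b00411a021b003c31cd2f712e07f9dfe9f598c4709e20991f0000000000000000"
                "3e5f3cc91a9b6a17d93fb3fe2df5fe3ca9bb11e445388c4900726164697573")

EAP_TYPE_MSCHAPV2 = 26
OP_CHALLENGE, OP_RESPONSE = 1, 2


@dataclass
class MsChapV2Packet:
    eap_code: int
    eap_id: int
    opcode: int
    ms_id: int
    value: bytes   # opcode-specific Value field (Value-Size bytes long)
    name: str      # trailing Name field


def parse_eap_mschapv2(hex_str: str) -> MsChapV2Packet:
    """Parse an EAP packet (RFC 3748 header) carrying an EAP-MSCHAPv2 payload."""
    if hex_str.startswith("0x"):
        hex_str = hex_str[2:]
    pkt = bytes.fromhex(hex_str)
    eap_code, eap_id, eap_len = pkt[0], pkt[1], int.from_bytes(pkt[2:4], "big")
    if eap_len != len(pkt):
        raise ValueError(f"EAP length {eap_len} != {len(pkt)} bytes present")
    if pkt[4] != EAP_TYPE_MSCHAPV2:
        raise ValueError(f"EAP type {pkt[4]} is not MS-CHAPv2")
    opcode, ms_id, ms_len = pkt[5], pkt[6], int.from_bytes(pkt[7:9], "big")
    if ms_len != eap_len - 5:           # MS-Length counts from the OpCode onward
        raise ValueError("MS-CHAPv2 length does not cover the rest of the packet")
    value_size = pkt[9]
    value = pkt[10:10 + value_size]
    name = pkt[10 + value_size:].decode("ascii")
    return MsChapV2Packet(eap_code, eap_id, opcode, ms_id, value, name)


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    """RFC 2759 ChallengeHash(): the 8-byte challenge rlm_mschap exposes as
    %{mschap:Challenge} and passes to ntlm_auth as --challenge."""
    return hashlib.sha1(peer_challenge + auth_challenge + username.encode("ascii")).digest()[:8]


def ntlm_auth_args(challenge_hex: str, response_hex: str) -> dict:
    """Return the --username/--challenge/--nt-response values for one exchange."""
    chal = parse_eap_mschapv2(challenge_hex)
    resp = parse_eap_mschapv2(response_hex)
    if chal.opcode != OP_CHALLENGE or resp.opcode != OP_RESPONSE:
        raise ValueError("expected a Challenge followed by a Response")
    if chal.ms_id != resp.ms_id:
        raise ValueError("Response does not answer this Challenge (id mismatch)")
    auth_challenge = chal.value           # 16 bytes chosen by the server
    peer_challenge = resp.value[0:16]     # 16 bytes chosen by the supplicant
    nt_response = resp.value[24:48]       # 24 bytes, after 8 reserved bytes
    # rlm_mschap strips a DOMAIN\ prefix before hashing; none is present here,
    # which is why the log shows "No NT-Domain" and the fallback --domain=domain.
    user = resp.name.split("\\")[-1]
    return {
        "username": user,
        "challenge": challenge_hash(peer_challenge, auth_challenge, user).hex(),
        "nt-response": nt_response.hex(),
    }


if __name__ == "__main__":
    for key, val in ntlm_auth_args(CHALLENGE_HEX, RESPONSE_HEX).items():
        print(f"--{key}={val}")
```

The --nt-response value must equal the one in the "[mschap] expand" lines of the log; the computed --challenge can be compared with the logged f8ee793b104b9514 to confirm the packets were paired correctly.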