Freeradius problem, EAP-TTLS works fine, EAP-PEAP does not
Jean-Yves Avenard
jyavenard at gmail.com
Mon Aug 30 16:25:45 CEST 2010
Hi
On 27 August 2010 23:06, Alan DeKok <aland at deployingradius.com> wrote:
> Jean-Yves Avenard wrote:
>> You seem to miss the point that the issue occurs *only* with Win 7
>> clients. All other clients are fine.
>
> I don't really care which client it is. All that matters is:
>
> a) what data is in the packet
>
> b) what you configure the server to do with that data
>
>
> You have posted output from (a). That's nice. You *also* need (as I
> said already) to configure the server for (b).
Okay.
As requested.
Here is the log from the Win 7 client, when it is configured in
Advanced Settings -> 802.1X Settings -> Specify authentication mode:
user authentication.
I've preceded each line with > so if, like me, you are using gmail, it's
easier to skip through.
> rad_recv: Access-Request packet from host 192.168.0.20 port 65513, id=103, length=177
> User-Name = "jean-yves.avenard"
> NAS-IP-Address = 192.168.0.20
> NAS-Port = 0
> Called-Station-Id = "00-1C-B3-AD-13-5F:HYDRIX-TEST"
> Calling-Station-Id = "C4-46-19-25-31-52"
> Framed-MTU = 1400
> NAS-Port-Type = Wireless-802.11
> Connect-Info = "CONNECT 0Mbps 802.11"
> EAP-Message = 0x02d40016016a65616e2d797665732e6176656e617264
> Message-Authenticator = 0xd617293cc36f9d2934e4364c48696da2
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = "jean-yves.avenard", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 212 length 22
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] returns updated
> ++[unix] returns updated
> ++[files] returns noop
> rlm_opendirectory: The host 192.168.0.20 does not have an access group.
> rlm_opendirectory: User <jean-yves.avenard> is authorized.
> ++[opendirectory] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] Found existing Auth-Type, not changing it.
> ++[pap] returns noop
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] EAP Identity
> [eap] processing type tls
> [tls] Initiate
> [tls] Start returned 1
> ++[eap] returns handled
> Sending Access-Challenge of id 103 to 192.168.0.20 port 65513
> EAP-Message = 0x01d500061920
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x56ebca49563ed3c34eaeaec5306add89
> Finished request 0.
> Going to the next request
> Waking up in 4.9 seconds.
> rad_recv: Access-Request packet from host 192.168.0.20 port 65513, id=104, length=304
> User-Name = "jean-yves.avenard"
> NAS-IP-Address = 192.168.0.20
> NAS-Port = 0
> Called-Station-Id = "00-1C-B3-AD-13-5F:HYDRIX-TEST"
> Calling-Station-Id = "C4-46-19-25-31-52"
> Framed-MTU = 1400
> NAS-Port-Type = Wireless-802.11
> Connect-Info = "CONNECT 0Mbps 802.11"
> EAP-Message = 0x02d5008319800000007916030100740100007003014c7bbc6f1988ef8942fd2a91e0d171c08e57e6f23dbce06bfb570dc2a39ee7b2000018002f00350005000ac013c014c009c00a00320038001300040100002fff010001000000001600140000116a65616e2d797665732e6176656e617264000a0006000400170018000b00020100
> State = 0x56ebca49563ed3c34eaeaec5306add89
> Message-Authenticator = 0xdc87572842154eda0af298bfad361a81
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = "jean-yves.avenard", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 213 length 131
> [eap] Continuing tunnel setup.
> ++[eap] returns ok
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/peap
> [eap] processing type peap
> [peap] processing EAP-TLS
> TLS Length 121
> [peap] Length Included
> [peap] eaptls_verify returned 11
> [peap] (other): before/accept initialization
> [peap] TLS_accept: before/accept initialization
> [peap] <<< TLS 1.0 Handshake [length 0074], ClientHello
> [peap] TLS_accept: SSLv3 read client hello A
> [peap] >>> TLS 1.0 Handshake [length 002a], ServerHello
> [peap] TLS_accept: SSLv3 write server hello A
> [peap] >>> TLS 1.0 Handshake [length 068a], Certificate
> [peap] TLS_accept: SSLv3 write certificate A
> [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
> [peap] TLS_accept: SSLv3 write server done A
> [peap] TLS_accept: SSLv3 flush data
> [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A
> In SSL Handshake Phase
> In SSL Accept mode
> [peap] eaptls_process returned 13
> [peap] EAPTLS_HANDLED
> ++[eap] returns handled
> Sending Access-Challenge of id 104 to 192.168.0.20 port 65513
> EAP-Message = 0x756966617820536563757265
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x56ebca49573dd3c34eaeaec5306add89
> Finished request 1.
> Going to the next request
> Waking up in 4.9 seconds.
> rad_recv: Access-Request packet from host 192.168.0.20 port 65513, id=105, length=179
> User-Name = "jean-yves.avenard"
> NAS-IP-Address = 192.168.0.20
> NAS-Port = 0
> Called-Station-Id = "00-1C-B3-AD-13-5F:HYDRIX-TEST"
> Calling-Station-Id = "C4-46-19-25-31-52"
> Framed-MTU = 1400
> NAS-Port-Type = Wireless-802.11
> Connect-Info = "CONNECT 0Mbps 802.11"
> EAP-Message = 0x02d600061900
> State = 0x56ebca49573dd3c34eaeaec5306add89
> Message-Authenticator = 0xba5d2001604fd40f63be2a0066f39618
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = "jean-yves.avenard", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 214 length 6
> [eap] Continuing tunnel setup.
> ++[eap] returns ok
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/peap
> [eap] processing type peap
> [peap] processing EAP-TLS
> [peap] Received TLS ACK
> [peap] ACK handshake fragment handler
> [peap] eaptls_verify returned 1
> [peap] eaptls_process returned 13
> [peap] EAPTLS_HANDLED
> ++[eap] returns handled
> Sending Access-Challenge of id 105 to 192.168.0.20 port 65513
> EAP-Message = 0x01d702d7190020436572746966696361746520417574686f72697479301e170d3938303832323136343135315a170d3138303832323136343135315a304e310b30090603550406130255533110300e060355040a130745717569666178312d302b060355040b1324457175696661782053656375726520436572746966696361746520417574686f7269747930819f300d06092a864886f70d010101050003818d0030818902818100c15db158670862eea09a2d1f086d911468980a1efeda046f13846221c3d17cce9f05e0b801f04e34ece28a950464acf16b535f05b3cb6780bf42028efedd0109ece100144ffcfbf00cdd43ba5b2be11f80709915
> EAP-Message = 0x16041448e668f92bd2b295d747d82320104f3398909fd4300c0603551d13040530030101ff301a06092a864886f67d074100040d300b1b0556332e3063030206c0300d06092a864886f70d01010505000381810058ce29eafcf7deb5ce02b917b585d1b9e3e095cc25310d00a6926e7fb692639e5095d19a6fe411de63856e98eea8ff5ac8d355b2667157dec021eb3d2aa72349010486427bfcee7fa21652b56767d340db3b2658b228773dae147761d6fa2a6627a00dfaa7735cea70f1942165445ffafcef2968a9a28779ef79ef4fac07773816030100040e000000
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x56ebca49543cd3c34eaeaec5306add89
> Finished request 2.
> Going to the next request
> Waking up in 4.9 seconds.
> rad_recv: Access-Request packet from host 192.168.0.20 port 65513, id=106, length=381
> User-Name = "jean-yves.avenard"
> NAS-IP-Address = 192.168.0.20
> NAS-Port = 0
> Called-Station-Id = "00-1C-B3-AD-13-5F:HYDRIX-TEST"
> Calling-Station-Id = "C4-46-19-25-31-52"
> Framed-MTU = 1400
> NAS-Port-Type = Wireless-802.11
> Connect-Info = "CONNECT 0Mbps 802.11"
> EAP-Message = 0x02d700d01980000000c61603010086100000820080c6238de17d3505d52f67e05190dda102bac42ce3dda3f1160dc48fdf0f030dc3bd75a41e8ba6fd4345b6d97d6213f2e8e6395d0e762ac64543d790409d7b050d898adbc615a1efd4a7a4280e782d9d1b63d4ba3c56ad0c6350564d937cfcbc2896901cf4908f615daff21b72cf0b6d15dc6076af070c1a42f4f9c060c279df24140301000101160301003008a5f1ed66228073f1e8d76de392579a7b1dd1743f79c127b429f1022eb9ed92d457ca0541ec88dd5443b24612555521
> State = 0x56ebca49543cd3c34eaeaec5306add89
> Message-Authenticator = 0xa844fe6f8705aa634490d82244ca6717
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = "jean-yves.avenard", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 215 length 208
> [eap] Continuing tunnel setup.
> ++[eap] returns ok
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/peap
> [eap] processing type peap
> [peap] processing EAP-TLS
> TLS Length 198
> [peap] Length Included
> [peap] eaptls_verify returned 11
> [peap] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
> [peap] TLS_accept: SSLv3 read client key exchange A
> [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
> [peap] <<< TLS 1.0 Handshake [length 0010], Finished
> [peap] TLS_accept: SSLv3 read finished A
> [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
> [peap] TLS_accept: SSLv3 write change cipher spec A
> [peap] >>> TLS 1.0 Handshake [length 0010], Finished
> [peap] TLS_accept: SSLv3 write finished A
> [peap] TLS_accept: SSLv3 flush data
> [peap] (other): SSL negotiation finished successfully
> SSL Connection Established
> [peap] eaptls_process returned 13
> [peap] EAPTLS_HANDLED
> ++[eap] returns handled
> Sending Access-Challenge of id 106 to 192.168.0.20 port 65513
> EAP-Message = 0x01d8004119001403010001011603010030871e1d85c5e7a6f2dc2b24b6f380deb7162c192558a035576389cb6516c5c1b554cf47031c40173be061ca8c37a86476
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x56ebca495533d3c34eaeaec5306add89
> Finished request 3.
> Going to the next request
> Waking up in 4.9 seconds.
> rad_recv: Access-Request packet from host 192.168.0.20 port 65513, id=107, length=179
> User-Name = "jean-yves.avenard"
> NAS-IP-Address = 192.168.0.20
> NAS-Port = 0
> Called-Station-Id = "00-1C-B3-AD-13-5F:HYDRIX-TEST"
> Calling-Station-Id = "C4-46-19-25-31-52"
> Framed-MTU = 1400
> NAS-Port-Type = Wireless-802.11
> Connect-Info = "CONNECT 0Mbps 802.11"
> EAP-Message = 0x02d800061900
> State = 0x56ebca495533d3c34eaeaec5306add89
> Message-Authenticator = 0x58d3f7836001e4de5c66b0f0690293fc
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = "jean-yves.avenard", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 216 length 6
> [eap] Continuing tunnel setup.
> ++[eap] returns ok
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/peap
> [eap] processing type peap
> [peap] processing EAP-TLS
> [peap] Received TLS ACK
> [peap] ACK handshake is finished
> [peap] eaptls_verify returned 3
> [peap] eaptls_process returned 3
> [peap] EAPTLS_SUCCESS
> ++[eap] returns handled
> Sending Access-Challenge of id 107 to 192.168.0.20 port 65513
> EAP-Message = 0x01d9002b190017030100201558a359dbf74ae6fc65f62583f774446eb7b95973a80ed47ccc32b5510dc40c
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x56ebca495232d3c34eaeaec5306add89
> Finished request 4.
> Going to the next request
> Waking up in 4.9 seconds.
> rad_recv: Access-Request packet from host 192.168.0.20 port 65513, id=108, length=232
> User-Name = "jean-yves.avenard"
> NAS-IP-Address = 192.168.0.20
> NAS-Port = 0
> Called-Station-Id = "00-1C-B3-AD-13-5F:HYDRIX-TEST"
> Calling-Station-Id = "C4-46-19-25-31-52"
> Framed-MTU = 1400
> NAS-Port-Type = Wireless-802.11
> Connect-Info = "CONNECT 0Mbps 802.11"
> EAP-Message = 0x02d9003b190017030100308c7db30e12a98adde5eea9d84f120dddd6423d6524e2292cc307630e7548484a7bf50c77624ed1615fb9d458a6b4b93e
> State = 0x56ebca495232d3c34eaeaec5306add89
> Message-Authenticator = 0x43696038a9644d24ae76625f007a23d8
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = "jean-yves.avenard", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 217 length 59
> [eap] Continuing tunnel setup.
> ++[eap] returns ok
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/peap
> [eap] processing type peap
> [peap] processing EAP-TLS
> [peap] eaptls_verify returned 7
> [peap] Done initial handshake
> [peap] eaptls_process returned 7
> [peap] EAPTLS_OK
> [peap] Session established. Decoding tunneled attributes.
> [peap] Identity - jean-yves.avenard
> [peap] Got tunneled request
> EAP-Message = 0x02d90016016a65616e2d797665732e6176656e617264
> server {
> PEAP: Got tunneled identity of jean-yves.avenard
> PEAP: Setting default EAP type for tunneled EAP session.
> PEAP: Setting User-Name to jean-yves.avenard
> Sending tunneled request
> EAP-Message = 0x02d90016016a65616e2d797665732e6176656e617264
> FreeRADIUS-Proxied-To = 127.0.0.1
> User-Name = "jean-yves.avenard"
> server inner-tunnel {
> +- entering group authorize {...}
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[unix] returns updated
> [suffix] No '@' in User-Name = "jean-yves.avenard", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> ++[control] returns noop
> [eap] EAP packet type response id 217 length 22
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] returns updated
> ++[files] returns noop
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] Found existing Auth-Type, not changing it.
> ++[pap] returns noop
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] EAP Identity
> [eap] processing type mschapv2
> rlm_eap_mschapv2: Issuing Challenge
> ++[eap] returns handled
> } # server inner-tunnel
> [peap] Got tunneled reply code 11
> EAP-Message = 0x01da002b1a01da00261043ab8b6696518e3d977d7e43cfbbe4556a65616e2d797665732e6176656e617264
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x4fa813f74f7209c552ff372f4aeadb16
> [peap] Got tunneled reply RADIUS code 11
> EAP-Message = 0x01da002b1a01da00261043ab8b6696518e3d977d7e43cfbbe4556a65616e2d797665732e6176656e617264
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x4fa813f74f7209c552ff372f4aeadb16
> [peap] Got tunneled Access-Challenge
> ++[eap] returns handled
> Sending Access-Challenge of id 108 to 192.168.0.20 port 65513
> EAP-Message = 0x01da004b19001703010040fe03996117bf5d58930069397a6f4274e1fe6de21db623b4da95c09b068614931d91f318dab53ffe9da4f6f7f2b51e946241a04ea19b98858ae5f8719ede8c41
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x56ebca495331d3c34eaeaec5306add89
> Finished request 5.
> Going to the next request
> Waking up in 4.9 seconds.
> rad_recv: Access-Request packet from host 192.168.0.20 port 65513, id=109, length=280
> User-Name = "jean-yves.avenard"
> NAS-IP-Address = 192.168.0.20
> NAS-Port = 0
> Called-Station-Id = "00-1C-B3-AD-13-5F:HYDRIX-TEST"
> Calling-Station-Id = "C4-46-19-25-31-52"
> Framed-MTU = 1400
> NAS-Port-Type = Wireless-802.11
> Connect-Info = "CONNECT 0Mbps 802.11"
> EAP-Message = 0x02da006b190017030100606a6800fadb31147345321c0441ded410513b8acbff36d2111ec021f0ce54e3ce36806865010d19b9b86a8309b0feccfa44db665feb586e4ca932fb0dd79cd61fc8600f6ac45ddd775ea4de0d3815f737d4469bfb1de8108d97db27c1609e1c30
> State = 0x56ebca495331d3c34eaeaec5306add89
> Message-Authenticator = 0xf90ce475234bb39e5904bf9f3fcbee00
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = "jean-yves.avenard", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 218 length 107
> [eap] Continuing tunnel setup.
> ++[eap] returns ok
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/peap
> [eap] processing type peap
> [peap] processing EAP-TLS
> [peap] eaptls_verify returned 7
> [peap] Done initial handshake
> [peap] eaptls_process returned 7
> [peap] EAPTLS_OK
> [peap] Session established. Decoding tunneled attributes.
> [peap] EAP type mschapv2
> [peap] Got tunneled request
> EAP-Message = 0x02da004c1a02da004731371b44b1d34d564423fd33a0a766298f0000000000000000dc783dfb319f1434f2ef4ddb10101167ad0f145d457b9283006a65616e2d797665732e6176656e617264
> server {
> PEAP: Setting User-Name to jean-yves.avenard
> Sending tunneled request
> EAP-Message = 0x02da004c1a02da004731371b44b1d34d564423fd33a0a766298f0000000000000000dc783dfb319f1434f2ef4ddb10101167ad0f145d457b9283006a65616e2d797665732e6176656e617264
> FreeRADIUS-Proxied-To = 127.0.0.1
> User-Name = "jean-yves.avenard"
> State = 0x4fa813f74f7209c552ff372f4aeadb16
> server inner-tunnel {
> +- entering group authorize {...}
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[unix] returns updated
> [suffix] No '@' in User-Name = "jean-yves.avenard", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> ++[control] returns noop
> [eap] EAP packet type response id 218 length 76
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] returns updated
> ++[files] returns noop
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] Found existing Auth-Type, not changing it.
> ++[pap] returns noop
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/mschapv2
> [eap] processing type mschapv2
> [mschapv2] +- entering group MS-CHAP {...}
> [mschap] No Cleartext-Password configured. Cannot create LM-Password.
> [mschap] No Cleartext-Password configured. Cannot create NT-Password.
> [mschap] No NT-Password configured. Trying OpenDirectory Authentication.
> [mschap] OD username_string = jean-yves.avenard, OD shortUserName=jean-yves.avenard (length = 17)
> [mschap] dsDoDirNodeAuth returns stepbuff: S=E8966B7B7AFD6594A863C42AA12032861CE2F8345616e2298f0000?I0??"????????? (len=40)
> ++[mschap] returns ok
> MSCHAP Success
> ++[eap] returns handled
> } # server inner-tunnel
> [peap] Got tunneled reply code 11
> EAP-Message = 0x01db00331a03da002e533d45383936364237423741464436353934413836334334324141313230333238363143453246383334
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x4fa813f74e7309c552ff372f4aeadb16
> [peap] Got tunneled reply RADIUS code 11
> EAP-Message = 0x01db00331a03da002e533d45383936364237423741464436353934413836334334324141313230333238363143453246383334
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x4fa813f74e7309c552ff372f4aeadb16
> [peap] Got tunneled Access-Challenge
> ++[eap] returns handled
> Sending Access-Challenge of id 109 to 192.168.0.20 port 65513
> EAP-Message = 0x01db005b19001703010050af77e16588bd1a0669684b744b7386bbccdca1d8a0c554b94ce6fa65b3e404b652546af93c89b1779e6ed50ca043c0fc675638201f09f07336e1f5890ccc375ca6b0a82585461517f3efa7d0607be02c
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x56ebca495030d3c34eaeaec5306add89
> Finished request 6.
> Going to the next request
> Waking up in 4.9 seconds.
> rad_recv: Access-Request packet from host 192.168.0.20 port 65513, id=110, length=216
> User-Name = "jean-yves.avenard"
> NAS-IP-Address = 192.168.0.20
> NAS-Port = 0
> Called-Station-Id = "00-1C-B3-AD-13-5F:HYDRIX-TEST"
> Calling-Station-Id = "C4-46-19-25-31-52"
> Framed-MTU = 1400
> NAS-Port-Type = Wireless-802.11
> Connect-Info = "CONNECT 0Mbps 802.11"
> EAP-Message = 0x02db002b19001703010020a698915f58535a61ac9e89cd7d8b67c249930e37a6dc9f3ac6a24cc17a496c05
> State = 0x56ebca495030d3c34eaeaec5306add89
> Message-Authenticator = 0x1d75c784913c112a990a8338c6569695
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = "jean-yves.avenard", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 219 length 43
> [eap] Continuing tunnel setup.
> ++[eap] returns ok
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/peap
> [eap] processing type peap
> [peap] processing EAP-TLS
> [peap] eaptls_verify returned 7
> [peap] Done initial handshake
> [peap] eaptls_process returned 7
> [peap] EAPTLS_OK
> [peap] Session established. Decoding tunneled attributes.
> [peap] EAP type mschapv2
> [peap] Got tunneled request
> EAP-Message = 0x02db00061a03
> server {
> PEAP: Setting User-Name to jean-yves.avenard
> Sending tunneled request
> EAP-Message = 0x02db00061a03
> FreeRADIUS-Proxied-To = 127.0.0.1
> User-Name = "jean-yves.avenard"
> State = 0x4fa813f74e7309c552ff372f4aeadb16
> server inner-tunnel {
> +- entering group authorize {...}
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[unix] returns updated
> [suffix] No '@' in User-Name = "jean-yves.avenard", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> ++[control] returns noop
> [eap] EAP packet type response id 219 length 6
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] returns updated
> ++[files] returns noop
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] Found existing Auth-Type, not changing it.
> ++[pap] returns noop
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/mschapv2
> [eap] processing type mschapv2
> [eap] Freeing handler
> ++[eap] returns ok
> } # server inner-tunnel
> [peap] Got tunneled reply code 2
> EAP-Message = 0x03db0004
> Message-Authenticator = 0x00000000000000000000000000000000
> User-Name = "jean-yves.avenard"
> [peap] Got tunneled reply RADIUS code 2
> EAP-Message = 0x03db0004
> Message-Authenticator = 0x00000000000000000000000000000000
> User-Name = "jean-yves.avenard"
> [peap] Tunneled authentication was successful.
> [peap] SUCCESS
> ++[eap] returns handled
> Sending Access-Challenge of id 110 to 192.168.0.20 port 65513
> EAP-Message = 0x01dc002b190017030100203e47a88e8ae2f4b63f9dd0d78a10db0b899d41f2966124be7a8e31aca594282a
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x56ebca495137d3c34eaeaec5306add89
> Finished request 7.
> Going to the next request
> Waking up in 4.9 seconds.
> rad_recv: Access-Request packet from host 192.168.0.20 port 65513, id=111, length=216
> User-Name = "jean-yves.avenard"
> NAS-IP-Address = 192.168.0.20
> NAS-Port = 0
> Called-Station-Id = "00-1C-B3-AD-13-5F:HYDRIX-TEST"
> Calling-Station-Id = "C4-46-19-25-31-52"
> Framed-MTU = 1400
> NAS-Port-Type = Wireless-802.11
> Connect-Info = "CONNECT 0Mbps 802.11"
> EAP-Message = 0x02dc002b19001703010020bbb1b1cb33d1827663c63b0f1e128d63d8b06d4658eb690c80d4916c8dc1646a
> State = 0x56ebca495137d3c34eaeaec5306add89
> Message-Authenticator = 0x57111afa6e1374748e54800df1147e8a
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = "jean-yves.avenard", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 220 length 43
> [eap] Continuing tunnel setup.
> ++[eap] returns ok
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/peap
> [eap] processing type peap
> [peap] processing EAP-TLS
> [peap] eaptls_verify returned 7
> [peap] Done initial handshake
> [peap] eaptls_process returned 7
> [peap] EAPTLS_OK
> [peap] Session established. Decoding tunneled attributes.
> [peap] Received EAP-TLV response.
> [peap] Success
> [eap] Freeing handler
> ++[eap] returns ok
> +- entering group post-auth {...}
> ++[exec] returns noop
> Sending Access-Accept of id 111 to 192.168.0.20 port 65513
> MS-MPPE-Recv-Key = 0x6b7c57469ccfdccfa399fc3d20b47021bb81c6f71d05ed2d2f085306f06ce8a1
> MS-MPPE-Send-Key = 0xe1d0265f9a991b9030206da68cf419b6fd84d3fb9e4e2d9345402fe9eba57440
> EAP-Message = 0x03dc0004
> Message-Authenticator = 0x00000000000000000000000000000000
> User-Name = "jean-yves.avenard"
> Finished request 8.
> Going to the next request
> Waking up in 4.9 seconds.
> Cleaning up request 0 ID 103 with timestamp +28
> Cleaning up request 1 ID 104 with timestamp +28
> Cleaning up request 2 ID 105 with timestamp +28
> Cleaning up request 3 ID 106 with timestamp +28
> Cleaning up request 4 ID 107 with timestamp +28
> Cleaning up request 5 ID 108 with timestamp +28
> Cleaning up request 6 ID 109 with timestamp +28
> Cleaning up request 7 ID 110 with timestamp +28
> Cleaning up request 8 ID 111 with timestamp +28
> Ready to process requests.
This is from a Win 7 client using the default configuration settings, that
is, just username / password, and the authentication is PEAP:MSCHAPv2:
> rad_recv: Access-Request packet from host 192.168.0.20 port 65513, id=112, length=163
> User-Name = "host/ramon"
> NAS-IP-Address = 192.168.0.20
> NAS-Port = 0
> Called-Station-Id = "00-1C-B3-AD-13-5F:HYDRIX-TEST"
> Calling-Station-Id = "C4-46-19-25-31-52"
> Framed-MTU = 1400
> NAS-Port-Type = Wireless-802.11
> Connect-Info = "CONNECT 0Mbps 802.11"
> EAP-Message = 0x0272000f01686f73742f72616d6f6e
> Message-Authenticator = 0xafc736013ac7d55d3093782b7d03d604
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = "host/ramon", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 114 length 15
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] returns updated
> ++[unix] returns notfound
> ++[files] returns noop
> rlm_opendirectory: The host 192.168.0.20 does not have an access group.
> rlm_opendirectory: Could not get the user's uuid.
> ++[opendirectory] returns notfound
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
> ++[pap] returns noop
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] EAP Identity
> [eap] processing type tls
> [tls] Initiate
> [tls] Start returned 1
> ++[eap] returns handled
> Sending Access-Challenge of id 112 to 192.168.0.20 port 65513
> EAP-Message = 0x017300061920
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x2901333729722a271ee22a85a9879908
> Finished request 9.
> Going to the next request
> Waking up in 4.9 seconds.
> rad_recv: Access-Request packet from host 192.168.0.20 port 65513, id=113, length=285
> User-Name = "host/ramon"
> NAS-IP-Address = 192.168.0.20
> NAS-Port = 0
> Called-Station-Id = "00-1C-B3-AD-13-5F:HYDRIX-TEST"
> Calling-Station-Id = "C4-46-19-25-31-52"
> Framed-MTU = 1400
> NAS-Port-Type = Wireless-802.11
> Connect-Info = "CONNECT 0Mbps 802.11"
> EAP-Message = 0x0273007719800000006d16030100680100006403014c7bbde9787032bb1126f5fce5f22fd277f962afa64bce2d5bf8407c4319fc04000018002f00350005000ac013c014c009c00a003200380013000401000023ff010001000000000a000800000572616d6f6e000a0006000400170018000b00020100
> State = 0x2901333729722a271ee22a85a9879908
> Message-Authenticator = 0xd82e921b4c981a07c773647fc0786b91
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = "host/ramon", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 115 length 119
> [eap] Continuing tunnel setup.
> ++[eap] returns ok
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/peap
> [eap] processing type peap
> [peap] processing EAP-TLS
> TLS Length 109
> [peap] Length Included
> [peap] eaptls_verify returned 11
> [peap] (other): before/accept initialization
> [peap] TLS_accept: before/accept initialization
> [peap] <<< TLS 1.0 Handshake [length 0068], ClientHello
> [peap] TLS_accept: SSLv3 read client hello A
> [peap] >>> TLS 1.0 Handshake [length 002a], ServerHello
> [peap] TLS_accept: SSLv3 write server hello A
> [peap] >>> TLS 1.0 Handshake [length 068a], Certificate
> [peap] TLS_accept: SSLv3 write certificate A
> [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
> [peap] TLS_accept: SSLv3 write server done A
> [peap] TLS_accept: SSLv3 flush data
> [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A
> In SSL Handshake Phase
> In SSL Accept mode
> [peap] eaptls_process returned 13
> [peap] EAPTLS_HANDLED
> ++[eap] returns handled
> Sending Access-Challenge of id 113 to 192.168.0.20 port 65513
> EAP-Message = 0x0174040019c0000006c7160301002a0200002603014c7bbde9f613a30decd1cdeac197e2ec339769a8d7bcb28291d2ac2e12e6971300002f00160301068a0b00068600068300035930820355308202bea003020102020310adba300d06092a864886f70d0101050500304e310b30090603550406130255533110300e060355040a130745717569666178312d302b060355040b1324457175696661782053656375726520436572746966696361746520417574686f72697479301e170d3130303431333134353235365a170d3132303631333039353833315a3081df3129302706035504051320746c43354c615a425030302f657a714b566677455a63
> EAP-Message = 0x756966617820536563757265
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x2901333728752a271ee22a85a9879908
> Finished request 10.
> Going to the next request
> Waking up in 4.9 seconds.
> rad_recv: Access-Request packet from host 192.168.0.20 port 65513, id=114, length=172
> User-Name = "host/ramon"
> NAS-IP-Address = 192.168.0.20
> NAS-Port = 0
> Called-Station-Id = "00-1C-B3-AD-13-5F:HYDRIX-TEST"
> Calling-Station-Id = "C4-46-19-25-31-52"
> Framed-MTU = 1400
> NAS-Port-Type = Wireless-802.11
> Connect-Info = "CONNECT 0Mbps 802.11"
> EAP-Message = 0x027400061900
> State = 0x2901333728752a271ee22a85a9879908
> Message-Authenticator = 0x90c632ba5132116016e8d8feb31e52fe
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = "host/ramon", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 116 length 6
> [eap] Continuing tunnel setup.
> ++[eap] returns ok
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/peap
> [eap] processing type peap
> [peap] processing EAP-TLS
> [peap] Received TLS ACK
> [peap] ACK handshake fragment handler
> [peap] eaptls_verify returned 1
> [peap] eaptls_process returned 13
> [peap] EAPTLS_HANDLED
> ++[eap] returns handled
> Sending Access-Challenge of id 114 to 192.168.0.20 port 65513
> EAP-Message = 0x579316f10f976ab7c268231ccc4d5930ac511e3baf2bd6ee63457bc5d95f50d2e3500f3a88e7bf14fde0c7b90203010001a38201093082010530700603551d1f046930673065a063a061a45f305d310b30090603550406130255533110300e060355040a130745717569666178312d302b060355040b1324457175696661782053656375726520436572746966696361746520417574686f72697479310d300b0603550403130443524c31301a0603551d1004133011810f32303138303832323136343135315a300b0603551d0f040403020106301f0603551d2304183016801448e668f92bd2b295d747d82320104f3398909fd4301d0603551d0e04
> EAP-Message = 0x16041448e668f92bd2b295d747d82320104f3398909fd4300c0603551d13040530030101ff301a06092a864886f67d074100040d300b1b0556332e3063030206c0300d06092a864886f70d01010505000381810058ce29eafcf7deb5ce02b917b585d1b9e3e095cc25310d00a6926e7fb692639e5095d19a6fe411de63856e98eea8ff5ac8d355b2667157dec021eb3d2aa72349010486427bfcee7fa21652b56767d340db3b2658b228773dae147761d6fa2a6627a00dfaa7735cea70f1942165445ffafcef2968a9a28779ef79ef4fac07773816030100040e000000
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x290133372b742a271ee22a85a9879908
> Finished request 11.
> Going to the next request
> Waking up in 4.9 seconds.
> rad_recv: Access-Request packet from host 192.168.0.20 port 65513, id=115, length=374
> User-Name = "host/ramon"
> NAS-IP-Address = 192.168.0.20
> NAS-Port = 0
> Called-Station-Id = "00-1C-B3-AD-13-5F:HYDRIX-TEST"
> Calling-Station-Id = "C4-46-19-25-31-52"
> Framed-MTU = 1400
> NAS-Port-Type = Wireless-802.11
> Connect-Info = "CONNECT 0Mbps 802.11"
> EAP-Message = 0x027500d01980000000c61603010086100000820080c92305f633ebb13d1146dac01d43c19047e5326b42434518e7daf6b6623a19eb1cd877ea3efc03f68c6e2614e424aa04bfc5f953155573bc9ce818f3d2c890a0986847a5ef8733880fb1451c8ba1b4b36120c346e9e9050d6eb253a78a737fd68aca89bf2f45fa6572741c52ff660419e9117178a9109ccf7bc8764a62b64277140301000101160301003073f845987a3f1b2b628142eed10e04383a69c24f9d047c9b032610d8757b0747ee669a44da75dee822ffd2a21e838ef2
> State = 0x290133372b742a271ee22a85a9879908
> Message-Authenticator = 0x9bb5cc74512ad0bdceaaaf921164c7a8
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = "host/ramon", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 117 length 208
> [eap] Continuing tunnel setup.
> ++[eap] returns ok
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/peap
> [eap] processing type peap
> [peap] processing EAP-TLS
> TLS Length 198
> [peap] Length Included
> [peap] eaptls_verify returned 11
> [peap] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
> [peap] TLS_accept: SSLv3 read client key exchange A
> [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
> [peap] <<< TLS 1.0 Handshake [length 0010], Finished
> [peap] TLS_accept: SSLv3 read finished A
> [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
> [peap] TLS_accept: SSLv3 write change cipher spec A
> [peap] >>> TLS 1.0 Handshake [length 0010], Finished
> [peap] TLS_accept: SSLv3 write finished A
> [peap] TLS_accept: SSLv3 flush data
> [peap] (other): SSL negotiation finished successfully
> SSL Connection Established
> [peap] eaptls_process returned 13
> [peap] EAPTLS_HANDLED
> ++[eap] returns handled
> Sending Access-Challenge of id 115 to 192.168.0.20 port 65513
> EAP-Message = 0x0176004119001403010001011603010030614cc88b6f7fd4b02100d31466fed38c2cfe56fa4efb2ce43875c82841816c33f1e706863ce88f5c5af738f47c5e1fa0
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x290133372a772a271ee22a85a9879908
> Finished request 12.
> Going to the next request
> Waking up in 4.9 seconds.
> rad_recv: Access-Request packet from host 192.168.0.20 port 65513, id=116, length=172
> User-Name = "host/ramon"
> NAS-IP-Address = 192.168.0.20
> NAS-Port = 0
> Called-Station-Id = "00-1C-B3-AD-13-5F:HYDRIX-TEST"
> Calling-Station-Id = "C4-46-19-25-31-52"
> Framed-MTU = 1400
> NAS-Port-Type = Wireless-802.11
> Connect-Info = "CONNECT 0Mbps 802.11"
> EAP-Message = 0x027600061900
> State = 0x290133372a772a271ee22a85a9879908
> Message-Authenticator = 0xca39a76697f59adcaa15916a78e16ed2
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = "host/ramon", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 118 length 6
> [eap] Continuing tunnel setup.
> ++[eap] returns ok
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/peap
> [eap] processing type peap
> [peap] processing EAP-TLS
> [peap] Received TLS ACK
> [peap] ACK handshake is finished
> [peap] eaptls_verify returned 3
> [peap] eaptls_process returned 3
> [peap] EAPTLS_SUCCESS
> ++[eap] returns handled
> Sending Access-Challenge of id 116 to 192.168.0.20 port 65513
> EAP-Message = 0x0177002b19001703010020c3009d54f21929eb7ee0043e7771df5f0a7cbf6ebd66def03565bb4aaa4cb41b
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x290133372d762a271ee22a85a9879908
> Finished request 13.
> Going to the next request
> Waking up in 4.9 seconds.
> rad_recv: Access-Request packet from host 192.168.0.20 port 65513, id=117, length=209
> User-Name = "host/ramon"
> NAS-IP-Address = 192.168.0.20
> NAS-Port = 0
> Called-Station-Id = "00-1C-B3-AD-13-5F:HYDRIX-TEST"
> Calling-Station-Id = "C4-46-19-25-31-52"
> Framed-MTU = 1400
> NAS-Port-Type = Wireless-802.11
> Connect-Info = "CONNECT 0Mbps 802.11"
> EAP-Message = 0x0277002b190017030100201dd6103b6d0f86c6ac33fe86888f5a13b10970a1ef222f1e83ce55a94db4d942
> State = 0x290133372d762a271ee22a85a9879908
> Message-Authenticator = 0xf6428db91fea81a03c903f8278eff0d5
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = "host/ramon", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 119 length 43
> [eap] Continuing tunnel setup.
> ++[eap] returns ok
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/peap
> [eap] processing type peap
> [peap] processing EAP-TLS
> [peap] eaptls_verify returned 7
> [peap] Done initial handshake
> [peap] eaptls_process returned 7
> [peap] EAPTLS_OK
> [peap] Session established. Decoding tunneled attributes.
> [peap] Identity - host/ramon
> [peap] Got tunneled request
> EAP-Message = 0x0277000f01686f73742f72616d6f6e
> server {
> PEAP: Got tunneled identity of host/ramon
> PEAP: Setting default EAP type for tunneled EAP session.
> PEAP: Setting User-Name to host/ramon
> Sending tunneled request
> EAP-Message = 0x0277000f01686f73742f72616d6f6e
> FreeRADIUS-Proxied-To = 127.0.0.1
> User-Name = "host/ramon"
> server inner-tunnel {
> +- entering group authorize {...}
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[unix] returns notfound
> [suffix] No '@' in User-Name = "host/ramon", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> ++[control] returns noop
> [eap] EAP packet type response id 119 length 15
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] returns updated
> ++[files] returns noop
> ++[expiration] returns noop
> ++[logintime] returns noop
> ++[pap] returns noop
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] EAP Identity
> [eap] processing type mschapv2
> rlm_eap_mschapv2: Issuing Challenge
> ++[eap] returns handled
> } # server inner-tunnel
> [peap] Got tunneled reply code 11
> EAP-Message = 0x017800241a0178001f107ea40ec7760d14474dee0b4e6b9d640c686f73742f72616d6f6e
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0xfbc0fc99fbb8e6c1acf79e9f2cef3e77
> [peap] Got tunneled reply RADIUS code 11
> EAP-Message = 0x017800241a0178001f107ea40ec7760d14474dee0b4e6b9d640c686f73742f72616d6f6e
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0xfbc0fc99fbb8e6c1acf79e9f2cef3e77
> [peap] Got tunneled Access-Challenge
> ++[eap] returns handled
> Sending Access-Challenge of id 117 to 192.168.0.20 port 65513
> EAP-Message = 0x0178004b190017030100403251f76d20afd9bd1be50ca770e4ef315fcdfa3f286f641d8b2749d8d76da28e8e70a4806aa2896c655c5546437e2c2060ac44ca854f654f8f54c2d99e35fbbf
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x290133372c792a271ee22a85a9879908
> Finished request 14.
> Going to the next request
> Waking up in 4.9 seconds.
> rad_recv: Access-Request packet from host 192.168.0.20 port 65513, id=118, length=273
> User-Name = "host/ramon"
> NAS-IP-Address = 192.168.0.20
> NAS-Port = 0
> Called-Station-Id = "00-1C-B3-AD-13-5F:HYDRIX-TEST"
> Calling-Station-Id = "C4-46-19-25-31-52"
> Framed-MTU = 1400
> NAS-Port-Type = Wireless-802.11
> Connect-Info = "CONNECT 0Mbps 802.11"
> EAP-Message = 0x0278006b190017030100608c8234cfe2ebd7ca29c77661768564cafeaff5313f126a180cf96473c6f51f73ab881585286f454f4f1ed6a8600f1b593ca21d6a787532921d6579661db9d2387e25bf325b263313892981bfb3128d7b30389ebd7ecd5abf3c6051142047e407
> State = 0x290133372c792a271ee22a85a9879908
> Message-Authenticator = 0x6f9193d476c9b00a3e44db300044fe8d
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = "host/ramon", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 120 length 107
> [eap] Continuing tunnel setup.
> ++[eap] returns ok
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/peap
> [eap] processing type peap
> [peap] processing EAP-TLS
> [peap] eaptls_verify returned 7
> [peap] Done initial handshake
> [peap] eaptls_process returned 7
> [peap] EAPTLS_OK
> [peap] Session established. Decoding tunneled attributes.
> [peap] EAP type mschapv2
> [peap] Got tunneled request
> EAP-Message = 0x027800451a0278004031d1cf5a51ae82bba33c59afaccdbe4563000000000000000000000000000000000000000000000000000000000000000000686f73742f72616d6f6e
> server {
> PEAP: Setting User-Name to host/ramon
> Sending tunneled request
> EAP-Message = 0x027800451a0278004031d1cf5a51ae82bba33c59afaccdbe4563000000000000000000000000000000000000000000000000000000000000000000686f73742f72616d6f6e
> FreeRADIUS-Proxied-To = 127.0.0.1
> User-Name = "host/ramon"
> State = 0xfbc0fc99fbb8e6c1acf79e9f2cef3e77
> server inner-tunnel {
> +- entering group authorize {...}
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[unix] returns notfound
> [suffix] No '@' in User-Name = "host/ramon", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> ++[control] returns noop
> [eap] EAP packet type response id 120 length 69
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] returns updated
> ++[files] returns noop
> ++[expiration] returns noop
> ++[logintime] returns noop
> ++[pap] returns noop
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/mschapv2
> [eap] processing type mschapv2
> [mschapv2] +- entering group MS-CHAP {...}
> [mschap] No Cleartext-Password configured. Cannot create LM-Password.
> [mschap] No Cleartext-Password configured. Cannot create NT-Password.
> [mschap] No NT-Password configured. Trying OpenDirectory Authentication.
> rlm_mschap: getUserNodeRef(): dsGetRecordList() status = 0, recCount=0
> [mschap] od_mschap_auth: getUserNodeRef() failed
> ++[mschap] returns fail
> [eap] Freeing handler
> ++[eap] returns reject
> Failed to authenticate the user.
> } # server inner-tunnel
> [peap] Got tunneled reply code 3
> EAP-Message = 0x04780004
> Message-Authenticator = 0x00000000000000000000000000000000
> [peap] Got tunneled reply RADIUS code 3
> EAP-Message = 0x04780004
> Message-Authenticator = 0x00000000000000000000000000000000
> [peap] Tunneled authentication was rejected.
> [peap] FAILURE
> ++[eap] returns handled
> Sending Access-Challenge of id 118 to 192.168.0.20 port 65513
> EAP-Message = 0x0179002b190017030100201d0da92cec780afeb07d044ae3bec2d0bbae6f756cb641bf7afb941c603d3bfb
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x290133372f782a271ee22a85a9879908
> Finished request 15.
> Going to the next request
> Waking up in 4.9 seconds.
> rad_recv: Access-Request packet from host 192.168.0.20 port 65513, id=119, length=209
> User-Name = "host/ramon"
> NAS-IP-Address = 192.168.0.20
> NAS-Port = 0
> Called-Station-Id = "00-1C-B3-AD-13-5F:HYDRIX-TEST"
> Calling-Station-Id = "C4-46-19-25-31-52"
> Framed-MTU = 1400
> NAS-Port-Type = Wireless-802.11
> Connect-Info = "CONNECT 0Mbps 802.11"
> EAP-Message = 0x0279002b19001703010020c105223815949c87f20ddf78237c265be8030e828d278b2f87db880eadcd2bf8
> State = 0x290133372f782a271ee22a85a9879908
> Message-Authenticator = 0xe5350e69dd68ba1c0ab8e39eaed51b5e
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = "host/ramon", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 121 length 43
> [eap] Continuing tunnel setup.
> ++[eap] returns ok
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/peap
> [eap] processing type peap
> [peap] processing EAP-TLS
> [peap] eaptls_verify returned 7
> [peap] Done initial handshake
> [peap] eaptls_process returned 7
> [peap] EAPTLS_OK
> [peap] Session established. Decoding tunneled attributes.
> [peap] Received EAP-TLV response.
> [peap] Had sent TLV failure. User was rejected earlier in this session.
> [eap] Handler failed in EAP/peap
> [eap] Failed in EAP select
> ++[eap] returns invalid
> Failed to authenticate the user.
> Using Post-Auth-Type Reject
> +- entering group REJECT {...}
> [attr_filter.access_reject] expand: %{User-Name} -> host/ramon
> attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] returns updated
> Delaying reject of request 16 for 1 seconds
> Going to the next request
> Waking up in 0.9 seconds.
> Sending delayed reject for request 16
> Sending Access-Reject of id 119 to 192.168.0.20 port 65513
> EAP-Message = 0x04790004
> Message-Authenticator = 0x00000000000000000000000000000000
> Waking up in 3.9 seconds.
> Cleaning up request 9 ID 112 with timestamp +418
> Cleaning up request 10 ID 113 with timestamp +418
> Cleaning up request 11 ID 114 with timestamp +418
> Cleaning up request 12 ID 115 with timestamp +418
> Cleaning up request 13 ID 116 with timestamp +418
> Cleaning up request 14 ID 117 with timestamp +418
> Cleaning up request 15 ID 118 with timestamp +418
> Waking up in 1.0 seconds.
> Cleaning up request 16 ID 119 with timestamp +418
> Ready to process requests.
>
> Unfortunately, the OpenDirectory module does not take any
> configuration. This means that you will need to edit the "User-Name"
> attribute *before* it is used by the opendirectory module.
>
> So... what *should* the User-Name look like? This is for you to decide.
I'm not sure I follow what you're saying here...
I am only interested at this stage in the user name, not the computer
name as part of the "User-Name".
If you could point me to directions on how to configure the server for
(b), it would be greatly appreciated.
Kind regards
Jean-Yves
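One way to act on the quoted advice (change User-Name before the directory lookup sees it), as an added example that is not part of this thread and not FreeRADIUS's stock configuration: a FreeRADIUS 2.x unlang fragment for the inner-tunnel virtual server that appears in the log. It assumes the stock module order the log shows; the regex, the choice between rejecting and rewriting, and the placement are illustrative assumptions, and which policy fits the site is the administrator's decision.

```unlang
#  Added example, not from the thread or the FreeRADIUS distribution.
#  sites-enabled/inner-tunnel: only the authorize section is shown; the
#  other sections stay as shipped.
server inner-tunnel {
    authorize {
        chap
        mschap
        unix
        suffix

        #  Windows presents the machine account as "host/<computername>"
        #  when it authenticates the computer rather than the user.  There
        #  is no such user record in OpenDirectory, so the inner MS-CHAPv2
        #  lookup in the log ("getUserNodeRef() failed") can only fail.
        #
        #  Option A: refuse machine authentication explicitly, so the
        #  reject is deliberate and visible in radiusd -X output instead
        #  of surfacing as a failed directory lookup.
        if (User-Name =~ /^host\//) {
            reject
        }

        #  Option B (use instead of A): strip the prefix so the lookup is
        #  done on the bare name.  Only sensible if the directory really
        #  has a user record by that name; the capture is %{1}.
        #if (User-Name =~ /^host\/(.+)$/) {
        #    update request {
        #        User-Name := "%{1}"
        #    }
        #}

        #  Stock 2.x inner-tunnel order continues unchanged from here;
        #  "update control" is the [control] line seen in the log.
        update control {
            Proxy-To-Realm := LOCAL
        }
        eap {
            ok = return
        }
        files
        expiration
        logintime
        pap
    }
}
```

The same `if` block placed in the outer virtual server's authorize section, ahead of the `opendirectory` entry, is what the quoted advice about editing User-Name "before it is used by the opendirectory module" refers to; a directory lookup on a machine name is the point of failure, and keeping the check early avoids it in both servers.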