Facing MSCHAPv2 errors
Bhanu Vegesna
bhanu.vegesna at gmail.com
Tue Oct 12 12:18:59 CEST 2010
Hi All,
Please find below the complete server dump. I am facing some MSCHAPv2 errors.
My setup is with local users files. Can you please help me in resolving the
issues?
rad_recv: Access-Request packet from host 192.168.1.225 port 1812, id=30,
length=65
User-Name = "ctc"
NAS-IP-Address = 192.168.1.225
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020a000801637463
Message-Authenticator = 0x8619073533db3cd0ddeb56ce1822da9f
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[eap] EAP packet type response id 10 length 8
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication
may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 30 to 192.168.1.225 port 1812
EAP-Message = 0x010b00061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x31e9dd0431e2c4ed979caadd4b7fe761
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 30 with timestamp +5
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.1.225 port 1812, id=31,
length=65
User-Name = "ctc"
NAS-IP-Address = 192.168.1.225
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020d000801637463
Message-Authenticator = 0x3daea945933e3b0ef11e27cb1e17b548
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[eap] EAP packet type response id 13 length 8
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication
may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 31 to 192.168.1.225 port 1812
EAP-Message = 0x010e00061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0592eaef059cf3f26e32a90a78f08b93
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.225 port 1812, id=32,
length=187
User-Name = "ctc"
NAS-IP-Address = 192.168.1.225
NAS-Port-Type = Wireless-802.11
State = 0x0592eaef059cf3f26e32a90a78f08b93
EAP-Message =
0x020e007019800000006616030100610100005d03014cb424696a5b618d15d8430c16c42c1ae8dfd99f406eac38508a26405123c9d400003600390038003500160013000a00330032002f0007006600050004006300620061001500120009006500640060001400110008000600030100
Message-Authenticator = 0x854bee3b67e4c64a4ae4855f5aa7606f
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[eap] EAP packet type response id 14 length 112
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 102
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 0061], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 002a], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 02e3], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 018d], ServerKeyExchange
[peap] TLS_accept: SSLv3 write key exchange A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client certificate
A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 32 to 192.168.1.225 port 1812
EAP-Message = 0xe2bcd0d1f54c65294ede9c2e
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0592eaef049df3f26e32a90a78f08b93
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.225 port 1812, id=33,
length=81
User-Name = "ctc"
NAS-IP-Address = 192.168.1.225
NAS-Port-Type = Wireless-802.11
State = 0x0592eaef049df3f26e32a90a78f08b93
EAP-Message = 0x020f00061900
Message-Authenticator = 0x7a647b4f8c583fafe9877035ac44b488
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[eap] EAP packet type response id 15 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 33 to 192.168.1.225 port 1812
EAP-Message =
0x011000c21900061298473bfa3edf593c1f757c3cedfc001c5e7f32245ba23b4abf3a8348339300588584b783ee84c159d0cee3d64507e20080886112bc2c4052e2a070718307e7eb0b584998a4c06c585d11c8764f6026b715a631c15c7569898b596abb40196dee281f53df6de23b712cdd20940835182c61cdf28fe0237b96b64da92d44616214b1b11007e6144b05929579e138957685801e9d7a31b416db3fc41e6e0461853308f4cc7a1d7d6b9bd66dd67737eedf6a5f16030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0592eaef0782f3f26e32a90a78f08b93
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.225 port 1812, id=34,
length=283
User-Name = "ctc"
NAS-IP-Address = 192.168.1.225
NAS-Port-Type = Wireless-802.11
State = 0x0592eaef0782f3f26e32a90a78f08b93
EAP-Message =
0x021000d01980000000c616030100861000008200804d7a87dfa4bc3dfe580bfb1975b4092b051e2d12a0fb60dc7bb5f6f52d023c69174fca627013cabb64ba726700d855bc0e82fb374a8dd80f53a8908cf4e1f1b5a12119eed763132242818d8f0d1c9c64e10f3315a89a0ea81d6fe621a4d560c2410164803ad24231ad143249931cbb282b7c5bdf746dfeefbd142377e74d751414030100010116030100303746ccf8800106b03c3a9c0e631af338b7fa61b84dd8990e6589edd28ae8fd7800e2be1f5987743d1296928b7a1afe03
Message-Authenticator = 0x427829e4fced10fd250e94933f83f3bf
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[eap] EAP packet type response id 16 length 208
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 198
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
[peap] TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap] TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 write finished A
[peap] TLS_accept: SSLv3 flush data
[peap] (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 34 to 192.168.1.225 port 1812
EAP-Message =
0x0111004119001403010001011603010030e1bfe6c5f3644d41a581a4cf68165ab2f8af3bf19fcc7f4afe227776e9d8b9052fa1cfccc9d628b558d11246d5422f2b
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0592eaef0683f3f26e32a90a78f08b93
Finished request 4.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 192.168.1.225 port 1812, id=35,
length=81
User-Name = "ctc"
NAS-IP-Address = 192.168.1.225
NAS-Port-Type = Wireless-802.11
State = 0x0592eaef0683f3f26e32a90a78f08b93
EAP-Message = 0x021100061900
Message-Authenticator = 0x7fe6a72bc495b4bb0259d663fd843b23
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[eap] EAP packet type response id 17 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
++[eap] returns handled
Sending Access-Challenge of id 35 to 192.168.1.225 port 1812
EAP-Message =
0x0112002b190017030100202b1bf52fc85ed7e7cb678fe08745237c4720fad5597f289aa4a115fbc0e1de91
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0592eaef0180f3f26e32a90a78f08b93
Finished request 5.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 192.168.1.225 port 1812, id=36,
length=155
User-Name = "ctc"
NAS-IP-Address = 192.168.1.225
NAS-Port-Type = Wireless-802.11
State = 0x0592eaef0180f3f26e32a90a78f08b93
EAP-Message =
0x02120050190017030100202838541640a936d238183ad162d36122e47fee60fb5611f34191ef8666f7107a1703010020659553682dc050f325783e499974d17ad3e4d4645d6706cb4545cdeea4ebeef3
Message-Authenticator = 0x05137589fd1f344d82046b17c65b4c5a
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[eap] EAP packet type response id 18 length 80
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Identity - ctc
[peap] Got tunneled request
EAP-Message = 0x0212000801637463
server {
PEAP: Got tunneled identity of ctc
PEAP: Setting default EAP type for tunneled EAP session.
PEAP: Setting User-Name to ctc
Sending tunneled request
EAP-Message = 0x0212000801637463
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "ctc"
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[control] returns noop
[eap] EAP packet type response id 18 length 8
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
EAP-Message =
0x0113001d1a01130018107f5953c57504dfb4e738ab8850e3189e637463
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x45c4c38d45d7d9aca82c004c4020e30c
[peap] Got tunneled reply RADIUS code 11
EAP-Message =
0x0113001d1a01130018107f5953c57504dfb4e738ab8850e3189e637463
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x45c4c38d45d7d9aca82c004c4020e30c
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 36 to 192.168.1.225 port 1812
EAP-Message =
0x0113003b19001703010030c502a17459c1df87c914d120795b43e58f931927e1d98fec9dc6b3a616ebf6bfe291d7815f67b3bf6ecd1c8dca8288a3
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0592eaef0081f3f26e32a90a78f08b93
Finished request 6.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 192.168.1.225 port 1812, id=37,
length=203
User-Name = "ctc"
NAS-IP-Address = 192.168.1.225
NAS-Port-Type = Wireless-802.11
State = 0x0592eaef0081f3f26e32a90a78f08b93
EAP-Message =
0x02130080190017030100202bd5e425a8b8c27f0ed175d03cfc2b636b73cef4935b1a3ae7a0ee198315330e1703010050e137ac521ede7b4d9b5cab90e1a55134aecd8a030e81251b5953ed5a35053015501ec66e9dfefd97c1feef0208b4eafe312f1062874217272143210177dcbb241448fcc867973edc6cdc2a9687a893ab
Message-Authenticator = 0xb5d69cbc6b213a5a007885c1725a47e5
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[eap] EAP packet type response id 19 length 128
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] EAP type mschapv2
[peap] Got tunneled request
EAP-Message =
0x0213003e1a0213003931f2ced11e011c01cdaa5c3be3d4dd3b6c00000000000000003b69010be7c7034733e2601cf7616467d33075c4aa62733f00637463
server {
PEAP: Setting User-Name to ctc
Sending tunneled request
EAP-Message =
0x0213003e1a0213003931f2ced11e011c01cdaa5c3be3d4dd3b6c00000000000000003b69010be7c7034733e2601cf7616467d33075c4aa62733f00637463
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "ctc"
State = 0x45c4c38d45d7d9aca82c004c4020e30c
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[control] returns noop
[eap] EAP packet type response id 19 length 62
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for ctc with NT-Password
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
} # server inner-tunnel
[peap] Got tunneled reply code 3
MS-CHAP-Error = "\023E=691 R=1"
EAP-Message = 0x04130004
Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code 3
MS-CHAP-Error = "\023E=691 R=1"
EAP-Message = 0x04130004
Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] returns handled
Sending Access-Challenge of id 37 to 192.168.1.225 port 1812
EAP-Message =
0x0114002b19001703010020b4a3a6faa307f943267cf71f698cc9b917cc5d430a4b8aac632c19fa5a3d3f32
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0592eaef0386f3f26e32a90a78f08b93
Finished request 7.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 192.168.1.225 port 1812, id=38,
length=155
User-Name = "ctc"
NAS-IP-Address = 192.168.1.225
NAS-Port-Type = Wireless-802.11
State = 0x0592eaef0386f3f26e32a90a78f08b93
EAP-Message =
0x0214005019001703010020394df60d43869f97f778161a3f55a8a2949614abc592ecb4fb6f0a5f081a77e0170301002047e097a428103d4872d14e7d1b08a46322486d5520997a850b8c1c4b2a139d8a
Message-Authenticator = 0x9d0178b358e3af2393f8c89e6be815b1
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[eap] EAP packet type response id 20 length 80
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Received EAP-TLV response.
[peap] The users session was previously rejected: returning reject (again.)
[peap] *** This means you need to read the PREVIOUS messages in the debug
output
[peap] *** to find out the reason why the user was rejected.
[peap] *** Look for "reject" or "fail". Those earlier messages will tell
you.
[peap] *** what went wrong, and how to fix the problem.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> ctc
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 8 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 8
Sending Access-Reject of id 38 to 192.168.1.225 port 1812
EAP-Message = 0x04140004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.8 seconds.
Cleaning up request 1 ID 31 with timestamp +33
Cleaning up request 2 ID 32 with timestamp +33
Cleaning up request 3 ID 33 with timestamp +33
Waking up in 0.1 seconds.
Cleaning up request 4 ID 34 with timestamp +33
Cleaning up request 5 ID 35 with timestamp +33
Cleaning up request 6 ID 36 with timestamp +33
Cleaning up request 7 ID 37 with timestamp +33
Waking up in 1.0 seconds.
Cleaning up request 8 ID 38 with timestamp +33
Ready to process requests.
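An added example, not part of the original post and not FreeRADIUS code: a small Python triage script that does what the debug output itself advises, namely finding the earliest "reject" or "fail" and the messages the rejecting module logged before it. The sample lines are copied from the inner-tunnel portion of the log above; the function names and the wording of the hint are assumptions of this example.

```python
import re

# Constructed sample: lines copied from the inner-tunnel part of the debug output above.
SAMPLE = """\
server inner-tunnel {
+- entering group authorize {...}
++[mschap] returns noop
++[eap] returns updated
++[files] returns noop
++[pap] returns noop
+- entering group authenticate {...}
[eap] processing type mschapv2
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for ctc with NT-Password
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
++[eap] returns reject
} # server inner-tunnel
[peap] Tunneled authentication was rejected.
"""

SERVER_OPEN = re.compile(r"^server (\S+) \{$")
RETURNS = re.compile(r"^\++\[([\w.]+)\] returns (\w+)$")
MODULE_MSG = re.compile(r"^\[([\w.]+)\]\s+(.*)$")
DIAGNOSTIC = re.compile(r"FAILED|WARNING|No \S+-Password")

def first_reject(debug_text):
    """Find the first module that returned reject/fail/invalid, the virtual
    server it ran in, what it logged, and the module results seen before it."""
    server, results, messages = "default", {}, {}
    for line in map(str.strip, debug_text.splitlines()):
        if m := SERVER_OPEN.match(line):
            server, results, messages = m.group(1), {}, {}
        elif m := RETURNS.match(line):
            module, rcode = m.groups()
            if rcode in ("reject", "fail", "invalid"):
                return {"server": server, "module": module, "rcode": rcode,
                        "reasons": messages.get(module, []), "earlier": results}
            results[module] = rcode
        elif (m := MODULE_MSG.match(line)) and DIAGNOSTIC.search(m.group(2)):
            messages.setdefault(m.group(1), []).append(m.group(2))
    return None

def explain(hit):
    """Heuristic hint (an assumption of this example) for a missing-password reject."""
    if hit["module"] == "mschap" and any("-Password" in r for r in hit["reasons"]):
        fed = [m for m, rc in hit["earlier"].items() if rc == "ok"]
        return (f"{hit['server']}: mschap had no NT-Password or Cleartext-Password; "
                f"authorize modules that returned ok: {fed or 'none'}")
    return f"{hit['server']}: {hit['module']} returned {hit['rcode']}"

if __name__ == "__main__":
    print(explain(first_reject(SAMPLE)))
```

On this log it points at `mschap` inside `inner-tunnel`, where `files` returned noop and the module logged that no Cleartext-Password or NT/LM-Password was available for user ctc.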