AD authentication issue with machine authentication
Cannady, Mike
mike.cannady at htcinc.net
Tue Oct 19 23:37:38 CEST 2010
I'm having a problem with XP (and windows 7) machine authentication from
a Procurve switch (802.1x and eap-radius) and the supplicant using PEAP
to an AD domain. The FreeRadius version is 2.1.7.
My configuration works for the following style authentication requests:
jmctest at htc.com
horry\jmctest
but doesn't work for the machine login of the following form:
host/pcname.htc.com
From the output of "radiusd -X", it thinks the domain is "htc" and the
authentication fails since there is no "htc" domain (there is a
"htc.com"). I verified that the "HTC" domain doesn't work using
ntlm_auth. "horry" and "htc.com" do work.
Our AD (2003) setup has the domain name as "htc.com". The pre-windows
2000 domain name is "HORRY".
As a test, I changed the mschap ntlm_auth "--domain" parameter from
"--domain=%{mschap:NT-Domain}" to "--domain=HORRY" and it worked in all
three cases. I'm not comfortable with this fix.
How can I make the "htc" one work without hard-coding the HORRY domain?
If the mschap module would have returned the full domain name, I
wouldn't have this problem.
Thanks for any assistance!
My smb.conf file:
[global]
workgroup = HORRY
server string = Samba Server Version %v
log file = /var/log/samba/log.%m
max log size = 50
security = ads
realm = HTC.COM
load printers = yes
cups options = raw
[homes]
comment = Home Directories
browseable = no
writable = yes
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
guest ok = no
writable = no
printable = yes
My krb5.conf file:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = HTC.COM
dns_lookup_realm = false
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes
[realms]
HTC.COM = {
admin_server = htcaddc01.htc.com:749
default_domain = htc.com
}
[domain_realm]
.htc.com = HTC.COM
htc.com = HTC.COM
htc = HTC.COM
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
pkinit = {
allow_pkinit = false
}
Radiusd -x output:
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/ntlm_auth
including configuration file /etc/raddb/modules/krb5
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/ldap
including configuration file
/etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/cui
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/inner-tunnel
including configuration file /etc/raddb/sites-enabled/control-socket
group = radiusd
user = radiusd
including dictionary file /etc/raddb/dictionary
main {
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/radius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
pidfile = "/var/run/radiusd/radiusd.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = yes
auth_badpass = yes
auth_goodpass = yes
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "testing123"
response_window = 20
max_outstanding = 65536
require_message_authenticator = no
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
realm HORRY {
}
realm htc.com {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "testing123"
nastype = "other"
}
client 172.24.8.101 {
require_message_authenticator = no
secret = "thisisasecret"
shortname = "LocalHostETH0"
}
client 172.21.17.59 {
require_message_authenticator = no
secret = "thisisasecret"
shortname = "MikeDeskSwitch"
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_expr
Module: Instantiating expr
Module: Linked to module rlm_expiration
Module: Instantiating expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating logintime
logintime {
reply-message = "You are calling outside your allowed timespan
"
minimum-timeout = 60
}
}
radiusd: #### Loading Virtual Servers ####
server inner-tunnel {
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating pap
pap {
encryption_scheme = "auto"
auto_header = no
}
Module: Linked to module rlm_chap
Module: Instantiating chap
Module: Linked to module rlm_mschap
Module: Instantiating mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
--domain=%{mschap:NT-Domain} --username=%{mschap:User-Name}
--challenge=%{mschap:Challenge:-00}
--nt-response=%{mschap:NT-Response:-00}"
}
Module: Linked to module rlm_unix
Module: Instantiating unix
unix {
radwtmp = "/var/log/radius/radwtmp"
}
Module: Instantiating ntlm_auth
exec ntlm_auth {
wait = yes
program = "/usr/bin/ntlm_auth --request-nt-key --domain=htc.com
--username=%{mschap:User-Name} --password=%{User-Password}"
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_eap
Module: Instantiating eap
eap {
default_eap_type = "md5"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 2048
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
pem_file_type = yes
private_key_file = "/etc/raddb/certs/server.pem"
certificate_file = "/etc/raddb/certs/server.pem"
CA_file = "/etc/raddb/certs/ca.pem"
private_key_password = "whatever"
dh_file = "/etc/raddb/certs/dh"
random_file = "/etc/raddb/certs/random"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
make_cert_command = "/etc/raddb/certs/bootstrap"
cache {
enable = no
lifetime = 24
max_entries = 255
}
}
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_realm
Module: Instantiating suffix
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = yes
}
Module: Instantiating ntdomain
realm ntdomain {
format = "prefix"
delimiter = "\"
ignore_default = no
ignore_null = yes
}
Module: Linked to module rlm_files
Module: Instantiating files
files {
usersfile = "/etc/raddb/users"
acctusersfile = "/etc/raddb/acct_users"
preproxy_usersfile = "/etc/raddb/preproxy_users"
compat = "no"
}
Module: Checking session {...} for more modules to load
Module: Linked to module rlm_radutmp
Module: Instantiating radutmp
radutmp {
filename = "/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Linked to module rlm_attr_filter
Module: Instantiating attr_filter.access_reject
attr_filter attr_filter.access_reject {
attrsfile = "/etc/raddb/attrs.access_reject"
key = "%{User-Name}"
}
} # modules
} # server
server {
modules {
Module: Checking authenticate {...} for more modules to load
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating preprocess
preprocess {
huntgroups = "/etc/raddb/huntgroups"
hints = "/etc/raddb/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating detail
detail {
detailfile =
"/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Instantiating attr_filter.accounting_response
attr_filter attr_filter.accounting_response {
attrsfile = "/etc/raddb/attrs.accounting_response"
key = "%{User-Name}"
}
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
} # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
listen {
type = "control"
listen {
socket = "/var/run/radiusd/radiusd.sock"
}
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /var/run/radiusd/radiusd.sock
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 172.21.17.59 port 1025, id=44,
length=251
Framed-MTU = 1480
NAS-IP-Address = 172.21.17.59
NAS-Identifier = "BareFtComs_BO_HP2"
User-Name = "host/IS-MCANNADY-L.htc.com"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 17
NAS-Port-Type = Ethernet
NAS-Port-Id = "17"
Called-Station-Id = "00-14-c2-25-f9-00"
Calling-Station-Id = "00-1e-e5-87-61-d6"
Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "221"
EAP-Message =
0x0201001f01686f73742f49532d4d43414e4e4144592d4c2e6874632e636f6d
Message-Authenticator = 0x0f9937d73fb2934ff54cf78a7ddb611d
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "host/IS-MCANNADY-L.htc.com", skipping
NULL due to config.
++[suffix] returns noop
[ntdomain] No '\' in User-Name = "host/IS-MCANNADY-L.htc.com", skipping
NULL due to config.
++[ntdomain] returns noop
[eap] EAP packet type response id 1 length 31
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 171
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 44 to 172.21.17.59 port 1025
Framed-Protocol = PPP
Framed-Compression = Van-Jacobson-TCP-IP
EAP-Message = 0x010200160410994fcad22261d405da18727f5688f5b5
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x29be35a429bc31776aa21593a54d8f6e
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.21.17.59 port 1025, id=45,
length=244
Framed-MTU = 1480
NAS-IP-Address = 172.21.17.59
NAS-Identifier = "BareFtComs_BO_HP2"
User-Name = "host/IS-MCANNADY-L.htc.com"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 17
NAS-Port-Type = Ethernet
NAS-Port-Id = "17"
Called-Station-Id = "00-14-c2-25-f9-00"
Calling-Station-Id = "00-1e-e5-87-61-d6"
Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "221"
State = 0x29be35a429bc31776aa21593a54d8f6e
EAP-Message = 0x020200060319
Message-Authenticator = 0xc1df97187bc217466fbb7ec9427803d5
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "host/IS-MCANNADY-L.htc.com", skipping
NULL due to config.
++[suffix] returns noop
[ntdomain] No '\' in User-Name = "host/IS-MCANNADY-L.htc.com", skipping
NULL due to config.
++[ntdomain] returns noop
[eap] EAP packet type response id 2 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 171
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/peap
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 45 to 172.21.17.59 port 1025
Framed-Protocol = PPP
Framed-Compression = Van-Jacobson-TCP-IP
EAP-Message = 0x010300061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x29be35a428bd2c776aa21593a54d8f6e
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.21.17.59 port 1025, id=46,
length=325
Framed-MTU = 1480
NAS-IP-Address = 172.21.17.59
NAS-Identifier = "BareFtComs_BO_HP2"
User-Name = "host/IS-MCANNADY-L.htc.com"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 17
NAS-Port-Type = Ethernet
NAS-Port-Id = "17"
Called-Station-Id = "00-14-c2-25-f9-00"
Calling-Station-Id = "00-1e-e5-87-61-d6"
Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "221"
State = 0x29be35a428bd2c776aa21593a54d8f6e
EAP-Message =
0x0203005719800000004d16030100480100004403014cbe046105f5f2421a34386c77b6
32020675b50cf26e04e2f79b5d451d701f5300
001600040005000a0009006400620003000600130012006301000005ff01000100
Message-Authenticator = 0x244ca5136f7b517770eae24421b83cbd
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "host/IS-MCANNADY-L.htc.com", skipping
NULL due to config.
++[suffix] returns noop
[ntdomain] No '\' in User-Name = "host/IS-MCANNADY-L.htc.com", skipping
NULL due to config.
++[ntdomain] returns noop
[eap] EAP packet type response id 3 length 87
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 77
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 0048], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 0031], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 085e], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client
certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 46 to 172.21.17.59 port 1025
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x29be35a42bba2c776aa21593a54d8f6e
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.21.17.59 port 1025, id=47,
length=244
Framed-MTU = 1480
NAS-IP-Address = 172.21.17.59
NAS-Identifier = "BareFtComs_BO_HP2"
User-Name = "host/IS-MCANNADY-L.htc.com"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 17
NAS-Port-Type = Ethernet
NAS-Port-Id = "17"
Called-Station-Id = "00-14-c2-25-f9-00"
Calling-Station-Id = "00-1e-e5-87-61-d6"
Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "221"
State = 0x29be35a42bba2c776aa21593a54d8f6e
EAP-Message = 0x020400061900
Message-Authenticator = 0x33cf19aacee3d06143712441a4ecf162
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "host/IS-MCANNADY-L.htc.com", skipping
NULL due to config.
++[suffix] returns noop
[ntdomain] No '\' in User-Name = "host/IS-MCANNADY-L.htc.com", skipping
NULL due to config.
++[ntdomain] returns noop
[eap] EAP packet type response id 4 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 47 to 172.21.17.59 port 1025
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x29be35a42abb2c776aa21593a54d8f6e
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.21.17.59 port 1025, id=48,
length=244
Framed-MTU = 1480
NAS-IP-Address = 172.21.17.59
NAS-Identifier = "BareFtComs_BO_HP2"
User-Name = "host/IS-MCANNADY-L.htc.com"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 17
NAS-Port-Type = Ethernet
NAS-Port-Id = "17"
Called-Station-Id = "00-14-c2-25-f9-00"
Calling-Station-Id = "00-1e-e5-87-61-d6"
Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "221"
State = 0x29be35a42abb2c776aa21593a54d8f6e
EAP-Message = 0x020500061900
Message-Authenticator = 0x03a0e65b83c6778a88ce8d82850c0ee0
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "host/IS-MCANNADY-L.htc.com", skipping
NULL due to config.
++[suffix] returns noop
[ntdomain] No '\' in User-Name = "host/IS-MCANNADY-L.htc.com", skipping
NULL due to config.
++[ntdomain] returns noop
[eap] EAP packet type response id 5 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 48 to 172.21.17.59 port 1025
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x29be35a42db82c776aa21593a54d8f6e
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.21.17.59 port 1025, id=49,
length=560
Framed-MTU = 1480
NAS-IP-Address = 172.21.17.59
NAS-Identifier = "BareFtComs_BO_HP2"
User-Name = "host/IS-MCANNADY-L.htc.com"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 17
NAS-Port-Type = Ethernet
NAS-Port-Id = "17"
Called-Station-Id = "00-14-c2-25-f9-00"
Calling-Station-Id = "00-1e-e5-87-61-d6"
Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "221"
State = 0x29be35a42db82c776aa21593a54d8f6e
Message-Authenticator = 0x7562cd533469cc7e3454a807126c7757
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "host/IS-MCANNADY-L.htc.com", skipping
NULL due to config.
++[suffix] returns noop
[ntdomain] No '\' in User-Name = "host/IS-MCANNADY-L.htc.com", skipping
NULL due to config.
++[ntdomain] returns noop
[eap] EAP packet type response id 6 length 253
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 310
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange
[peap] TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap] TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 write finished A
[peap] TLS_accept: SSLv3 flush data
[peap] (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 49 to 172.21.17.59 port 1025
EAP-Message =
0x01070031190014030100010116030100204fc8145013c734a36979325c3d0404a31fed
3079fd89de557c2651934ee8f103
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x29be35a42cb92c776aa21593a54d8f6e
Finished request 5.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.21.17.59 port 1025, id=50,
length=244
Framed-MTU = 1480
NAS-IP-Address = 172.21.17.59
NAS-Identifier = "BareFtComs_BO_HP2"
User-Name = "host/IS-MCANNADY-L.htc.com"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 17
NAS-Port-Type = Ethernet
NAS-Port-Id = "17"
Called-Station-Id = "00-14-c2-25-f9-00"
Calling-Station-Id = "00-1e-e5-87-61-d6"
Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "221"
State = 0x29be35a42cb92c776aa21593a54d8f6e
EAP-Message = 0x020700061900
Message-Authenticator = 0xf1636cb76cd28098587cbf6ced6a92ae
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "host/IS-MCANNADY-L.htc.com", skipping
NULL due to config.
++[suffix] returns noop
[ntdomain] No '\' in User-Name = "host/IS-MCANNADY-L.htc.com", skipping
NULL due to config.
++[ntdomain] returns noop
[eap] EAP packet type response id 7 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
++[eap] returns handled
Sending Access-Challenge of id 50 to 172.21.17.59 port 1025
EAP-Message =
0x01080020190017030100156482e5906cba353c9abf3a4b646082b4d75974cd48
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x29be35a42fb62c776aa21593a54d8f6e
Finished request 6.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.21.17.59 port 1025, id=51,
length=292
Framed-MTU = 1480
NAS-IP-Address = 172.21.17.59
NAS-Identifier = "BareFtComs_BO_HP2"
User-Name = "host/IS-MCANNADY-L.htc.com"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 17
NAS-Port-Type = Ethernet
NAS-Port-Id = "17"
Called-Station-Id = "00-14-c2-25-f9-00"
Calling-Station-Id = "00-1e-e5-87-61-d6"
Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "221"
State = 0x29be35a42fb62c776aa21593a54d8f6e
EAP-Message =
0x020800361900170301002bec85cc7cdc603d78049eb88fbed7da736628173316308e2e
4ef5a9aa5855f5b97511a2182324f467ab1bdb
Message-Authenticator = 0x55e15d853fc0ee308bec4cbbef2a1aa7
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "host/IS-MCANNADY-L.htc.com", skipping
NULL due to config.
++[suffix] returns noop
[ntdomain] No '\' in User-Name = "host/IS-MCANNADY-L.htc.com", skipping
NULL due to config.
++[ntdomain] returns noop
[eap] EAP packet type response id 8 length 54
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Identity - host/IS-MCANNADY-L.htc.com
[peap] Got tunneled request
EAP-Message =
0x0208001f01686f73742f49532d4d43414e4e4144592d4c2e6874632e636f6d
server {
PEAP: Got tunneled identity of host/IS-MCANNADY-L.htc.com
PEAP: Setting default EAP type for tunneled EAP session.
PEAP: Setting User-Name to host/IS-MCANNADY-L.htc.com
Sending tunneled request
EAP-Message =
0x0208001f01686f73742f49532d4d43414e4e4144592d4c2e6874632e636f6d
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "host/IS-MCANNADY-L.htc.com"
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "host/IS-MCANNADY-L.htc.com", skipping
NULL due to config.
++[suffix] returns noop
[ntdomain] No '\' in User-Name = "host/IS-MCANNADY-L.htc.com", skipping
NULL due to config.
++[ntdomain] returns noop
++[control] returns noop
[eap] EAP packet type response id 8 length 31
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
EAP-Message =
0x010900341a0109002f10b63a43c6b16bc4276a3f62fdd54ea58b686f73742f49532d4d
43414e4e4144592d4c2e6874632e636f6d
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa67b01cba6721b6f289ad37074bdf4d3
[peap] Got tunneled reply RADIUS code 11
EAP-Message =
0x010900341a0109002f10b63a43c6b16bc4276a3f62fdd54ea58b686f73742f49532d4d
43414e4e4144592d4c2e6874632e636f6d
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa67b01cba6721b6f289ad37074bdf4d3
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 51 to 172.21.17.59 port 1025
EAP-Message =
0x0109004b190017030100400c3efceaeceed14785f589ebae969a62f2a6b99e8d01f960
9b6cc661619ba3fcd48729c257e8ae05e16aa8
7f28a4e53b094e816084b7316397258d746c133a82
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x29be35a42eb72c776aa21593a54d8f6e
Finished request 7.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.21.17.59 port 1025, id=52,
length=346
Framed-MTU = 1480
NAS-IP-Address = 172.21.17.59
NAS-Identifier = "BareFtComs_BO_HP2"
User-Name = "host/IS-MCANNADY-L.htc.com"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 17
NAS-Port-Type = Ethernet
NAS-Port-Id = "17"
Called-Station-Id = "00-14-c2-25-f9-00"
Calling-Station-Id = "00-1e-e5-87-61-d6"
Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "221"
State = 0x29be35a42eb72c776aa21593a54d8f6e
EAP-Message =
0x0209006c1900170301006167a4215a3dbc1305e25e143c01edb40ff92b9284464a0698
cf478e307f2b2a38d394d32012e5293d19ec02
8427a45ed21394e7492741809b6a91f5f4ab87c08d5389bf9b787a9eade9e5d122da9256
b8bedec42e52c003b70fb743e8ba7d318f6d
Message-Authenticator = 0xc384357caf39604b6cdcf7ca09233a2c
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "host/IS-MCANNADY-L.htc.com", skipping
NULL due to config.
++[suffix] returns noop
[ntdomain] No '\' in User-Name = "host/IS-MCANNADY-L.htc.com", skipping
NULL due to config.
++[ntdomain] returns noop
[eap] EAP packet type response id 9 length 108
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] EAP type mschapv2
[peap] Got tunneled request
EAP-Message =
0x020900551a02090050312448ca723266ded3fa1704b03d55766a00000000000000002e
7c3d2146332065d255b7f853aecb601d00e050
82badb1000686f73742f49532d4d43414e4e4144592d4c2e6874632e636f6d
server {
PEAP: Setting User-Name to host/IS-MCANNADY-L.htc.com
Sending tunneled request
EAP-Message =
0x020900551a02090050312448ca723266ded3fa1704b03d55766a00000000000000002e
7c3d2146332065d255b7f853aecb601d00e050
82badb1000686f73742f49532d4d43414e4e4144592d4c2e6874632e636f6d
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "host/IS-MCANNADY-L.htc.com"
State = 0xa67b01cba6721b6f289ad37074bdf4d3
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "host/IS-MCANNADY-L.htc.com", skipping
NULL due to config.
++[suffix] returns noop
[ntdomain] No '\' in User-Name = "host/IS-MCANNADY-L.htc.com", skipping
NULL due to config.
++[ntdomain] returns noop
++[control] returns noop
[eap] EAP packet type response id 9 length 85
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] Told to do MS-CHAPv2 for host/IS-MCANNADY-L.htc.com with
NT-Password
[mschap] expand: --domain=%{mschap:NT-Domain} -> --domain=htc
[mschap] expand: --username=%{mschap:User-Name} ->
--username=IS-MCANNADY-L$
[mschap] mschap2: b6
[mschap] expand: --challenge=%{mschap:Challenge:-00} ->
--challenge=11e08bdff9a35b3f
[mschap] expand: --nt-response=%{mschap:NT-Response:-00} ->
--nt-response=2e7c3d2146332065d255b7f853aecb601d00e05082badb10
Exec-Program output: Logon failure (0xc000006d)
Exec-Program-Wait: plaintext: Logon failure (0xc000006d)
Exec-Program: returned: 1
[mschap] External script failed.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
Login incorrect: [host/IS-MCANNADY-L.htc.com/<via Auth-Type = EAP>]
(from client MikeDeskSwitch port 0 via TLS tunnel)
} # server inner-tunnel
[peap] Got tunneled reply code 3
MS-CHAP-Error = "\tE=691 R=1"
EAP-Message = 0x04090004
Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code 3
MS-CHAP-Error = "\tE=691 R=1"
EAP-Message = 0x04090004
Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] returns handled
Sending Access-Challenge of id 52 to 172.21.17.59 port 1025
EAP-Message =
0x010a00261900170301001b3533c7101e632bc436b65822b9b7bb11e5d9f923547accf9
5234e0
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x29be35a421b42c776aa21593a54d8f6e
Finished request 8.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.21.17.59 port 1025, id=53,
length=276
Framed-MTU = 1480
NAS-IP-Address = 172.21.17.59
NAS-Identifier = "BareFtComs_BO_HP2"
User-Name = "host/IS-MCANNADY-L.htc.com"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 17
NAS-Port-Type = Ethernet
NAS-Port-Id = "17"
Called-Station-Id = "00-14-c2-25-f9-00"
Calling-Station-Id = "00-1e-e5-87-61-d6"
Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "221"
State = 0x29be35a421b42c776aa21593a54d8f6e
EAP-Message =
0x020a00261900170301001bb9ad6307193ba51867e2ddc8c1bf3bff13a3e96d71fcce70
12c592
Message-Authenticator = 0xd7b1be5082f5a55d993d5de076606a4c
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "host/IS-MCANNADY-L.htc.com", skipping
NULL due to config.
++[suffix] returns noop
[ntdomain] No '\' in User-Name = "host/IS-MCANNADY-L.htc.com", skipping
NULL due to config.
++[ntdomain] returns noop
[eap] EAP packet type response id 10 length 38
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Received EAP-TLV response.
[peap] Had sent TLV failure. User was rejected earlier in this
session.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect: [host/IS-MCANNADY-L.htc.com/<via Auth-Type = EAP>]
(from client MikeDeskSwitch port 17 cli 00-1e-e5-87-61-d6)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} ->
host/IS-MCANNADY-L.htc.com
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 9 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 9
Sending Access-Reject of id 53 to 172.21.17.59 port 1025
EAP-Message = 0x040a0004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.8 seconds.
Cleaning up request 0 ID 44 with timestamp +110
Cleaning up request 1 ID 45 with timestamp +110
Cleaning up request 2 ID 46 with timestamp +110
Cleaning up request 3 ID 47 with timestamp +110
Cleaning up request 4 ID 48 with timestamp +110
Cleaning up request 5 ID 49 with timestamp +110
Cleaning up request 6 ID 50 with timestamp +110
Cleaning up request 7 ID 51 with timestamp +110
Cleaning up request 8 ID 52 with timestamp +110
Waking up in 1.0 seconds.
Cleaning up request 9 ID 53 with timestamp +110
Ready to process requests.
[root at htcRadius1 etc]#
Mike Cannady
Information Services
Horry Telephone Cooperative (HTC)
Phone: (843)369-8212
Fax..: (843)369-7195
Pager: (843)828-5899
Email: Mike.Cannady at htcinc.net
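Added example, not part of the original post: a small parser for the "radiusd -X" lines above that recovers the arguments rlm_mschap handed to ntlm_auth and flags a logon failure where the expanded --domain is not a domain AD knows. The sample lines are copied from this post's debug output; the function names and the KNOWN_DOMAINS list (built from the poster's statement that "horry" and "htc.com" work with ntlm_auth) are assumptions of the example.

```python
import re

# Lines copied from the "radiusd -X" output in this post, mail wrapping included.
SAMPLE = """\
[mschap] Told to do MS-CHAPv2 for host/IS-MCANNADY-L.htc.com with
NT-Password
[mschap] expand: --domain=%{mschap:NT-Domain} -> --domain=htc
[mschap] expand: --username=%{mschap:User-Name} ->
--username=IS-MCANNADY-L$
Exec-Program output: Logon failure (0xc000006d)
[mschap] FAILED: MS-CHAP2-Response is incorrect
"""
# Domains the post reports as working with ntlm_auth (list name is an assumption).
KNOWN_DOMAINS = ("HORRY", "htc.com")
EXPAND = re.compile(r"\[mschap\] expand: --([\w-]+)=\S+ -> --\1=(\S*)")
TOLD = re.compile(r"\[mschap\] Told to do MS-CHAPv2 for (\S+)")

def unwrap(text):
    """Rejoin expansions that were wrapped after the '->' arrow."""
    out, pending = [], ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = line + " " if line.endswith("->") else ""
        if not pending:
            out.append(line)
    return out

def ntlm_auth_attempts(text):
    """One dict per MS-CHAPv2 attempt: identity, expanded ntlm_auth args, result."""
    attempts = []
    for line in unwrap(text):
        if m := TOLD.match(line):
            attempts.append({"identity": m.group(1), "args": {}, "result": None})
        elif attempts and (m := EXPAND.match(line)):
            attempts[-1]["args"][m.group(1)] = m.group(2)
        elif attempts and line.startswith("Exec-Program output:"):
            attempts[-1]["result"] = line.split(":", 1)[1].strip()
    return attempts

def diagnose(attempt, known_domains=KNOWN_DOMAINS):
    """Explain a logon failure whose expanded --domain is not a known AD domain."""
    domain = attempt["args"].get("domain", "")
    failed = "failure" in (attempt["result"] or "").lower()
    if not failed or domain.lower() in {d.lower() for d in known_domains}:
        return None
    ident = attempt["identity"]
    dns = ident.split(".", 1)[1] if ident.lower().startswith("host/") and "." in ident else ""
    first_label = bool(dns) and dns.split(".")[0].lower() == domain.lower()
    hint = f"only the first label of {dns}, " if first_label else ""
    return f"{ident}: --domain={domain} is {hint}not a known domain"
```

Calling diagnose() on each entry returned by ntlm_auth_attempts() for a saved debug log shows which identities expand to an unusable --domain value.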