Logging ntlm authentication

Sion mleasd at gmail.com
Mon Sep 6 14:46:16 CEST 2010


On Mon, Sep 6, 2010 at 12:54 PM, Alan DeKok <aland at deployingradius.com> wrote:
> Sion wrote:
>> I've also tried outer.reply, but I'm still not seeing it show up in my logs.
>
>  <sigh>  And the debug log says... ?

rad_recv: Access-Request packet from host 192.168.196.13 port 32768,
id=113, length=175
        User-Name = "cc0086"
        Calling-Station-Id = "00-1B-77-94-57-72"
        Called-Station-Id = "00-0B-85-6D-BA-C0:eduroam"
        NAS-Port = 29
        NAS-IP-Address = 192.168.196.13
        NAS-Identifier = "llwacA105"
        Airespace-Wlan-Id = 2
        Service-Type = Framed-User
        Framed-MTU = 1300
        NAS-Port-Type = Wireless-802.11
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "115"
        EAP-Message = 0x0203000b01636330303836
        Message-Authenticator = 0xfad76efcaaae1711153d00e8b66be682
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "cc0086", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 11
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 113 to 192.168.196.13 port 32768
        EAP-Message = 0x010400061920
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xcd901d8ccd9404e11d6b7c064faf8b1f
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.196.13 port 32768,
id=114, length=297
        User-Name = "cc0086"
        Calling-Station-Id = "00-1B-77-94-57-72"
        Called-Station-Id = "00-0B-85-6D-BA-C0:eduroam"
        NAS-Port = 29
        NAS-IP-Address = 192.168.196.13
        NAS-Identifier = "llwacA105"
        Airespace-Wlan-Id = 2
        Service-Type = Framed-User
        Framed-MTU = 1300
        NAS-Port-Type = Wireless-802.11
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "115"
        EAP-Message =
0x0204007319800000006916030100640100006003014c84aaed46f925dbf010684571f2a65f8665099d1535eb4dafd7b34ccf5c382c000018002f00350005000ac013c014c009c00a00320038001300040100001f0000000b0009000006636330303836000a0006000400170018000b00020100
        State = 0xcd901d8ccd9404e11d6b7c064faf8b1f
        Message-Authenticator = 0x723f90602e22add50d84204eb9c29fbb
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "cc0086", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 4 length 115
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 105
[peap] Length Included
[peap] eaptls_verify returned 11
[peap]     (other): before/accept initialization
[peap]     TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 0064], ClientHello
[peap]     TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 002a], ServerHello
[peap]     TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 06e5], Certificate
[peap]     TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap]     TLS_accept: SSLv3 write server done A
[peap]     TLS_accept: SSLv3 flush data
[peap]     TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 114 to 192.168.196.13 port 32768
        EAP-Message =
0x0105040019c000000722160301002a0200002603014c84aaeabbefb79f979e0bc448a7508f277b89b07cd68280544ad5af8234c25d00002f0016030106e50b0006e10006de0003c1308203bd30820326a0030201020210571735f114d0297747dec8e1dc855028300d06092a864886f70d01010505003081c4310b3009060355040613025a41311530130603550408130c5765737465726e204361706531123010060355040713094361706520546f776e311d301b060355040a131454686177746520436f6e73756c74696e6720636331283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e311930
        EAP-Message = 0x323d4fe9cf449ea6dc0def99
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xcd901d8ccc9504e11d6b7c064faf8b1f
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.196.13 port 32768,
id=115, length=188
        User-Name = "cc0086"
        Calling-Station-Id = "00-1B-77-94-57-72"
        Called-Station-Id = "00-0B-85-6D-BA-C0:eduroam"
        NAS-Port = 29
        NAS-IP-Address = 192.168.196.13
        NAS-Identifier = "llwacA105"
        Airespace-Wlan-Id = 2
        Service-Type = Framed-User
        Framed-MTU = 1300
        NAS-Port-Type = Wireless-802.11
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "115"
        EAP-Message = 0x020500061900
        State = 0xcd901d8ccc9504e11d6b7c064faf8b1f
        Message-Authenticator = 0x5f2a4775f7523e28fdc4a11f71f87c46
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "cc0086", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 5 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 115 to 192.168.196.13 port 32768
        EAP-Message =
0x18283bd1e340289a5a3cd5b5e7201b8bcaa4ab8de951d9e24c2c59a9dab9b2751bf642f2efc7f218f989bca3ff8a232e704716030100040e000000
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xcd901d8ccf9604e11d6b7c064faf8b1f
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.196.13 port 32768,
id=116, length=390
        User-Name = "cc0086"
        Calling-Station-Id = "00-1B-77-94-57-72"
        Called-Station-Id = "00-0B-85-6D-BA-C0:eduroam"
        NAS-Port = 29
        NAS-IP-Address = 192.168.196.13
        NAS-Identifier = "llwacA105"
        Airespace-Wlan-Id = 2
        Service-Type = Framed-User
        Framed-MTU = 1300
        NAS-Port-Type = Wireless-802.11
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "115"
        EAP-Message =
0x020600d01980000000c6160301008610000082008093cef56e526dc8b390fac8cbe14d42b058bdf1f449a9c84ef8963a17f673c87c266231e2452377abf4b62f47ab87f21c08ff5b37c978df65dc2d650b92b646fa2df83fc87d60a05d0fb12cd632408c95849f19eeea78037685018463ed491c1f61a26590b03639a4edf5be80083b938ad3141c54f34e93ffda247cc27d68e16f14030100010116030100309a8e34a5520a23ef7fffa50009c9fa90a1c38b3e7515b2650b2f2b2a77570063ace6d5bc2d931992283c5f0bf3ff33d0
        State = 0xcd901d8ccf9604e11d6b7c064faf8b1f
        Message-Authenticator = 0xac104a34afffac97df350e54c4175593
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "cc0086", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 6 length 208
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 198
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
[peap]     TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap]     TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap]     TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap]     TLS_accept: SSLv3 write finished A
[peap]     TLS_accept: SSLv3 flush data
[peap]     (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 116 to 192.168.196.13 port 32768
        EAP-Message =
0x010700411900140301000101160301003044a5568519b90fc4f025402fba4d748c554186ad5fe16e5222b5a6697cc48c24961ce6376c7b771c9b6a337e0d47700a
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xcd901d8cce9704e11d6b7c064faf8b1f
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.196.13 port 32768,
id=117, length=188
        User-Name = "cc0086"
        Calling-Station-Id = "00-1B-77-94-57-72"
        Called-Station-Id = "00-0B-85-6D-BA-C0:eduroam"
        NAS-Port = 29
        NAS-IP-Address = 192.168.196.13
        NAS-Identifier = "llwacA105"
        Airespace-Wlan-Id = 2
        Service-Type = Framed-User
        Framed-MTU = 1300
        NAS-Port-Type = Wireless-802.11
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "115"
        EAP-Message = 0x020700061900
        State = 0xcd901d8cce9704e11d6b7c064faf8b1f
        Message-Authenticator = 0xf2deda649560b5cdfc1b28b03cb37304
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "cc0086", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 7 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
++[eap] returns handled
Sending Access-Challenge of id 117 to 192.168.196.13 port 32768
        EAP-Message =
0x0108002b19001703010020aa320f1d031012a0ec51ec99585bc62c72a3bb786e053e80aed6daa644ec2cae
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xcd901d8cc99804e11d6b7c064faf8b1f
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.196.13 port 32768,
id=118, length=225
        User-Name = "cc0086"
        Calling-Station-Id = "00-1B-77-94-57-72"
        Called-Station-Id = "00-0B-85-6D-BA-C0:eduroam"
        NAS-Port = 29
        NAS-IP-Address = 192.168.196.13
        NAS-Identifier = "llwacA105"
        Airespace-Wlan-Id = 2
        Service-Type = Framed-User
        Framed-MTU = 1300
        NAS-Port-Type = Wireless-802.11
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "115"
        EAP-Message =
0x0208002b19001703010020c2e8be5361c10411cadf5f701b6de7446814f8b7903ac77bbda1c316b4c1109c
        State = 0xcd901d8cc99804e11d6b7c064faf8b1f
        Message-Authenticator = 0xcf4cacaadd8e256aa927a8a06156d459
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "cc0086", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 8 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Identity - cc0086
[peap] Got tunneled request
        EAP-Message = 0x0208000b01636330303836
server  {
  PEAP: Got tunneled identity of cc0086
  PEAP: Setting default EAP type for tunneled EAP session.
  PEAP: Setting User-Name to cc0086
Sending tunneled request
        EAP-Message = 0x0208000b01636330303836
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "cc0086"
        Calling-Station-Id = "00-1B-77-94-57-72"
        Called-Station-Id = "00-0B-85-6D-BA-C0:eduroam"
        NAS-Port = 29
        NAS-IP-Address = 192.168.196.13
        NAS-Identifier = "llwacA105"
        Airespace-Wlan-Id = 2
        Service-Type = Framed-User
        Framed-MTU = 1300
        NAS-Port-Type = Wireless-802.11
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "115"
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "cc0086", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 8 length 11
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group EAP {...}
        expand: %{reply:MS-CHAP-Error} ->
++[outer.control] returns reject
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
        EAP-Message =
0x010900201a0109001b10bb9e7492a6bc73d959be9d902d7078bc636330303836
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x30652915306c3399cd1bddd466afcc03
[peap] Got tunneled reply RADIUS code 11
        EAP-Message =
0x010900201a0109001b10bb9e7492a6bc73d959be9d902d7078bc636330303836
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x30652915306c3399cd1bddd466afcc03
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 118 to 192.168.196.13 port 32768
        EAP-Message =
0x0109004b190017030100401213bdb66fec8786c2ab048f0d729335d1a60bb7acea3150fa728d019f3fcd9a3f1464c301eb2437265a3daed8380523c6befa216915bc6b7843be09551a6038
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xcd901d8cc89904e11d6b7c064faf8b1f
Finished request 5.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.196.13 port 32768,
id=119, length=289
        User-Name = "cc0086"
        Calling-Station-Id = "00-1B-77-94-57-72"
        Called-Station-Id = "00-0B-85-6D-BA-C0:eduroam"
        NAS-Port = 29
        NAS-IP-Address = 192.168.196.13
        NAS-Identifier = "llwacA105"
        Airespace-Wlan-Id = 2
        Service-Type = Framed-User
        Framed-MTU = 1300
        NAS-Port-Type = Wireless-802.11
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "115"
        EAP-Message =
0x0209006b190017030100606a82d39c737d6a30e594e2c787d1073c23a24c3d5f1db005caaf72f2416199902efc72ca3c0ef4443030910f7523fd335b79600d5cfdf952a7da1b1ab9e06dcead14e078053d7337c8ebe9b7caa440c1052a78c903d0ff4cfe5e3595274d8060
        State = 0xcd901d8cc89904e11d6b7c064faf8b1f
        Message-Authenticator = 0xdf7b0162c26571a79f0b2a6670c7c289
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "cc0086", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 9 length 107
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] EAP type mschapv2
[peap] Got tunneled request
        EAP-Message =
0x020900411a0209003c31378805df2ace774051ee17d8f0bfe5670000000000000000b2be976261221bc6be689240cbfd3adba42fd0aa01d3e83800636330303836
server  {
  PEAP: Setting User-Name to cc0086
Sending tunneled request
        EAP-Message =
0x020900411a0209003c31378805df2ace774051ee17d8f0bfe5670000000000000000b2be976261221bc6be689240cbfd3adba42fd0aa01d3e83800636330303836
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "cc0086"
        State = 0x30652915306c3399cd1bddd466afcc03
        Calling-Station-Id = "00-1B-77-94-57-72"
        Called-Station-Id = "00-0B-85-6D-BA-C0:eduroam"
        NAS-Port = 29
        NAS-IP-Address = 192.168.196.13
        NAS-Identifier = "llwacA105"
        Airespace-Wlan-Id = 2
        Service-Type = Framed-User
        Framed-MTU = 1300
        NAS-Port-Type = Wireless-802.11
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "115"
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "cc0086", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 9 length 65
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group EAP {...}
        expand: %{reply:MS-CHAP-Error} ->
++[outer.control] returns reject
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] Told to do MS-CHAPv2 for cc0086 with NT-Password
[mschap]        expand: %{Stripped-User-Name} ->
[mschap] WARNING: Deprecated conditional expansion ":-".  See "man
unlang" for details
[mschap]        expand: %{User-Name:-None} -> cc0086
[mschap]        expand:
--username=%{%{Stripped-User-Name}:-%{User-Name:-None}} ->
--username=cc0086
[mschap]  mschap2: bb
[mschap]        expand: --challenge=%{mschap:Challenge:-00} ->
--challenge=3b6854cde18f868d
[mschap]        expand: --nt-response=%{mschap:NT-Response:-00} ->
--nt-response=b2be976261221bc6be689240cbfd3adba42fd0aa01d3e838
Exec-Program output: Logon failure (0xc000006d)
Exec-Program-Wait: plaintext: Logon failure (0xc000006d)
Exec-Program: returned: 1
[mschap] External script failed.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
} # server inner-tunnel
[peap] Got tunneled reply code 3
        MS-CHAP-Error = "\tE=691 R=1"
        EAP-Message = 0x04090004
        Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code 3
        MS-CHAP-Error = "\tE=691 R=1"
        EAP-Message = 0x04090004
        Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] returns handled
Sending Access-Challenge of id 119 to 192.168.196.13 port 32768
        EAP-Message =
0x010a002b190017030100200887b3d6f1a7645507824e43d00bcec006de93ac841e5e28c531d69324a9e9b2
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xcd901d8ccb9a04e11d6b7c064faf8b1f
Finished request 6.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 192.168.196.13 port 32768,
id=120, length=225
        User-Name = "cc0086"
        Calling-Station-Id = "00-1B-77-94-57-72"
        Called-Station-Id = "00-0B-85-6D-BA-C0:eduroam"
        NAS-Port = 29
        NAS-IP-Address = 192.168.196.13
        NAS-Identifier = "llwacA105"
        Airespace-Wlan-Id = 2
        Service-Type = Framed-User
        Framed-MTU = 1300
        NAS-Port-Type = Wireless-802.11
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "115"
        EAP-Message =
0x020a002b190017030100208fbe14e5d82d8325e5e12f19bfd63620fb14f4082357311d9bedba574eb14dca
        State = 0xcd901d8ccb9a04e11d6b7c064faf8b1f
        Message-Authenticator = 0xe0d14b40638deb9cb37b71ea21685c5e
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "cc0086", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 10 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Received EAP-TLV response.
[peap]  Had sent TLV failure.  User was rejected earlier in this session.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> cc0086
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
[testlinelog]   expand: /var/log/radius/testlinelog ->
/var/log/radius/testlinelog
[testlinelog]   expand: %S      %{reply:Packet-Type}    %{User-Name}
 %{Calling-Station-Id}   %{Called-Station-Id}    %{NAS-Identifier}
  %{Packet-Src-IP-Address}        %{reply:Reply-Message}
%{reply:MS-CHAP-Error}  %{MS-CHAP-Error}%{reply:Tunnel-Type}
%{reply:Tunnel-Private-Group-Id} -> 2010-09-06 09:48:42
Access-Reject    cc0086  00-1B-77-94-57-72
00-0B-85-6D-BA-C0:eduroam      llwacA105        192.168.196.13
++[testlinelog] returns ok
Delaying reject of request 7 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 7
Sending Access-Reject of id 120 to 192.168.196.13 port 32768
        EAP-Message = 0x040a0004
        Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.7 seconds.


>
>  Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>



