username at realm append to realm\username

Vikash Gounder coolvixs at gmail.com
Thu Dec 15 23:00:03 CET 2011


Hi,

I have managed to setup freeradius to authenticate against AD without any
issues using ntlm_auth.

I would also like to allow users with username at example.com.au to be able to
login and authenticate against AD as well.

Currently I'm facing issues with it.

Example of error log:

Found Auth-Type = MSCHAP
+- entering group MS-CHAP {...}
[mschap] Told to do MS-CHAPv2 for user at example.com.au with NT-Password
[mschap]        expand: --username=%{mschap:User-Name} -> --username=
user at example.com.au
[mschap] No NT-Domain was found in the User-Name.
[mschap]        expand: --domain=%{mschap:NT-Domain} -> --domain=
[mschap]  mschap2: 9e
[mschap]        expand: --challenge=%{mschap:Challenge:-00} ->
--challenge=a4ffc08d2167e1a1
[mschap]        expand: --nt-response=%{mschap:NT-Response:-00} ->
--nt-response=3c208f5fdd84f5bb38f23d5b932e3bfc98d024c0d53a65a4

my AD is setup like this:

example.com.au -> top level
staff.example.com.au -> sub branches with staff profile
student.example.com.au -> sub branches with student profile

Samba is binded to the top level example.com.au

normally sending the username as staff\user works fine via and if logged in
on windows domain via Windows OS.

How can i allow for user at example.com.au to also authenticate AD vi
ntlm_auth or is it possible to strip the domain and append the domain\user.

I did go through all the documentation and mailinglist and wiki but could
not get it running.

Would greatly appreciate someones help.


Thanks
Vikash:

here is the complete log:
FreeRADIUS Version 2.1.7, for host x86_64-redhat-linux-gnu, built on Mar 31
2010 at 00:14:28
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/ntlm_auth
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/ldap
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/cui
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/ORIG-ldap
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/OLD_mschap
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/control-socket
including configuration file /etc/raddb/sites-enabled/inner-tunnel
including configuration file /etc/raddb/sites-enabled/default
group = radiusd
user = radiusd
including dictionary file /etc/raddb/dictionary
main {
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/radius"
libdir = "/usr/lib64/freeradius"
radacctdir = "/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
pidfile = "/var/run/radiusd/radiusd.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
 log {
stripped_names = yes
auth = yes
auth_badpass = yes
auth_goodpass = yes
 }
 security {
max_attributes = 200
reject_delay = 1
status_server = yes
 }
}
radiusd: #### Loading Realms and Home Servers ####
 proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
 }
 home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "testing123"
response_window = 20
max_outstanding = 65536
require_message_authenticator = no
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
irt = 2
mrt = 16
mrc = 5
mrd = 30
 }
 home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
 }
 realm example.com {
auth_pool = my_auth_failover
 }
 realm LOCAL {
 }
 realm example.com.au {
authhost = LOCAL
accthost = LOCAL
 }
radiusd: #### Loading Clients ####
 client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "testing123"
nastype = "other"
 }
 client xx.xx.xx.x {
require_message_authenticator = no
secret = "xxxxxxxxx"
shortname = "eduraom-test"
nastype = "other"
 }
radiusd: #### Instantiating modules ####
 instantiate {
 Module: Linked to module rlm_exec
 Module: Instantiating exec
  exec {
wait = no
input_pairs = "request"
shell_escape = yes
  }
 Module: Linked to module rlm_expr
 Module: Instantiating expr
 Module: Linked to module rlm_expiration
 Module: Instantiating expiration
  expiration {
reply-message = "Password Has Expired  "
  }
 Module: Linked to module rlm_logintime
 Module: Instantiating logintime
  logintime {
reply-message = "You are calling outside your allowed timespan  "
minimum-timeout = 60
  }
 }
radiusd: #### Loading Virtual Servers ####
server inner-tunnel {
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_pap
 Module: Instantiating pap
  pap {
encryption_scheme = "auto"
auto_header = no
  }
 Module: Instantiating ntlm_auth
  exec ntlm_auth {
wait = yes
program = "/usr/bin/ntlm_auth --request-nt-key --domain=%{realm}
--username=%{mschap:User-Name} --password=%{User-Password}"
input_pairs = "request"
shell_escape = yes
  }
 Module: Linked to module rlm_chap
 Module: Instantiating chap
 Module: Linked to module rlm_mschap
 Module: Instantiating mschap
  mschap {
use_mppe = yes
require_encryption = yes
require_strong = yes
with_ntdomain_hack = yes
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
--username=%{mschap:User-Name} --domain=%{mschap:NT-Domain}
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
  }
 Module: Linked to module rlm_eap
 Module: Instantiating eap
  eap {
default_eap_type = "ttls"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 2048
  }
 Module: Linked to sub-module rlm_eap_md5
 Module: Instantiating eap-md5
 Module: Linked to sub-module rlm_eap_leap
 Module: Instantiating eap-leap
 Module: Linked to sub-module rlm_eap_gtc
 Module: Instantiating eap-gtc
   gtc {
challenge = "Password: "
auth_type = "PAP"
   }
 Module: Linked to sub-module rlm_eap_tls
 Module: Instantiating eap-tls
   tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
pem_file_type = yes
private_key_file = "/etc/raddb/certs/server.pem"
certificate_file = "/etc/raddb/certs/server.pem"
CA_file = "/etc/raddb/certs/ca.pem"
private_key_password = "whatever"
dh_file = "/etc/raddb/certs/dh"
random_file = "/dev/urandom"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
make_cert_command = "/etc/raddb/certs/bootstrap"
    cache {
enable = no
lifetime = 24
max_entries = 255
    }
   }
 Module: Linked to sub-module rlm_eap_ttls
 Module: Instantiating eap-ttls
   ttls {
default_eap_type = "mschapv2"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
virtual_server = "inner-tunnel"
include_length = yes
   }
 Module: Linked to sub-module rlm_eap_peap
 Module: Instantiating eap-peap
   peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
   }
 Module: Linked to sub-module rlm_eap_mschapv2
 Module: Instantiating eap-mschapv2
   mschapv2 {
with_ntdomain_hack = no
   }
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_realm
 Module: Instantiating suffix
  realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = yes
  }
 Module: Checking session {...} for more modules to load
 Module: Linked to module rlm_radutmp
 Module: Instantiating radutmp
  radutmp {
filename = "/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
  }
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 Module: Linked to module rlm_attr_filter
 Module: Instantiating attr_filter.access_reject
  attr_filter attr_filter.access_reject {
attrsfile = "/etc/raddb/attrs.access_reject"
key = "%{User-Name}"
  }
 } # modules
} # server
server {
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_preprocess
 Module: Instantiating preprocess
  preprocess {
huntgroups = "/etc/raddb/huntgroups"
hints = "/etc/raddb/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
  }
 Module: Checking preacct {...} for more modules to load
 Module: Linked to module rlm_acct_unique
 Module: Instantiating acct_unique
  acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address,
NAS-Port"
  }
 Module: Linked to module rlm_files
 Module: Instantiating files
  files {
usersfile = "/etc/raddb/users"
acctusersfile = "/etc/raddb/acct_users"
preproxy_usersfile = "/etc/raddb/preproxy_users"
compat = "no"
  }
 Module: Checking accounting {...} for more modules to load
 Module: Linked to module rlm_detail
 Module: Instantiating detail
  detail {
detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
  }
 Module: Linked to module rlm_unix
 Module: Instantiating unix
  unix {
radwtmp = "/var/log/radius/radwtmp"
  }
 Module: Instantiating attr_filter.accounting_response
  attr_filter attr_filter.accounting_response {
attrsfile = "/etc/raddb/attrs.accounting_response"
key = "%{User-Name}"
  }
 Module: Checking session {...} for more modules to load
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 } # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
listen {
type = "control"
 listen {
socket = "/var/run/radiusd/radiusd.sock"
 }
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /var/run/radiusd/radiusd.sock
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 10.38.0.3 port 32769, id=178,
length=259
User-Name = "user at example.com.au"
Calling-Station-Id = "d0-23-db-e8-b6-01"
Called-Station-Id = "e8-ba-70-9c-a3-d0:eduraom-test"
NAS-Port = 1
Cisco-AVPair = "audit-session-id=0a2600030000afdc4eea6929"
NAS-IP-Address = 10.38.0.3
NAS-Identifier = "MAKWLC5508-1"
Airespace-Wlan-Id = 4
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "19"
EAP-Message = 0x0201001901756c64617074657374406163752e6564752e6175
Message-Authenticator = 0xa6b74ce27715f3c6314f30ce435d689f
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[eap] EAP packet type response id 1 length 25
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication
may fail because of this.
++[pap] returns noop
++? if (!control:Auth-Type)
? Evaluating !(control:Auth-Type) -> FALSE
++? if (!control:Auth-Type) -> FALSE
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 178 to 10.38.0.3 port 32769
EAP-Message = 0x010200061520
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x255f8b13255d9ea7b896c4c3b04c6f97
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.38.0.3 port 32769, id=179,
length=404
User-Name = "user at example.com.au"
Calling-Station-Id = "d0-23-db-e8-b6-01"
Called-Station-Id = "e8-ba-70-9c-a3-d0:eduraom-test"
NAS-Port = 1
Cisco-AVPair = "audit-session-id=0a2600030000afdc4eea6929"
NAS-IP-Address = 10.38.0.3
NAS-Identifier = "MAKWLC5508-1"
Airespace-Wlan-Id = 4
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "19"
EAP-Message =
0x0202009815800000008e16030100890100008503014eea692751ed1acdf3e116c9c0875f917e2ff6fb38ff3a9c355b5e337125011700004a00ffc024c023c00ac009c007c008c028c027c014c013c011c012c026c025c02ac029c004c005c002c003c00ec00fc00cc00d003d003c002f000500040035000a0067006b00330039001601000012000a00080006001700180019000b00020100
State = 0x255f8b13255d9ea7b896c4c3b04c6f97
Message-Authenticator = 0xc8ca528a26e8648e1aa38c1c6f22a0ad
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[eap] EAP packet type response id 2 length 152
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
  TLS Length 142
[ttls] Length Included
[ttls] eaptls_verify returned 11
[ttls]     (other): before/accept initialization
[ttls]     TLS_accept: before/accept initialization
[ttls] <<< TLS 1.0 Handshake [length 0089], ClientHello
[ttls]     TLS_accept: SSLv3 read client hello A
[ttls] >>> TLS 1.0 Handshake [length 0031], ServerHello
[ttls]     TLS_accept: SSLv3 write server hello A
[ttls] >>> TLS 1.0 Handshake [length 085e], Certificate
[ttls]     TLS_accept: SSLv3 write certificate A
[ttls] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[ttls]     TLS_accept: SSLv3 write server done A
[ttls]     TLS_accept: SSLv3 flush data
[ttls]     TLS_accept: Need to read more data: SSLv3 read client
certificate A
In SSL Handshake Phase
In SSL Accept mode
[ttls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 179 to 10.38.0.3 port 32769
EAP-Message =
0x0103040015c0000008a216030100310200002d03014eea692667acccd592e9309a5faf894898300061d01624253fdef50f6653aae200002f000005ff01000100160301085e0b00085a0008570003a6308203a23082028aa003020102020101300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c65204365727469666963617465204175
EAP-Message =
0x74686f72697479301e170d3131313231333232313734335a170d3132313231323232313734335a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100cfaf7a058431841af986f84a83a6e673588926ad79a0dc4f630c715ce96960ef1af4035780e923173ebdba24f8ea251743b18594812b4b
EAP-Message =
0x5369e973914dc50bf34df150e89c1bfb5dfec4f4617f6742d314720d609e517df7b2fea7bc96846799a226ce2c6f82df891bbb21b66c442fff03fc6f0f48014dc87f5a8425687abc8c1df0f80dadbb186ca7de4404c8afb5d5557bcc4085c57a6f010cb6ee7bb881f861e1c3ae008718b06b5650dccba392b9246d9518882e000cd0faa51966eecd626d139f592761bb19650880a0155bbe60a6d0f96db2c442500396a4dc010fdccdf0672b26c058af42cd1a1eb06018f9e0de40d92f213a0456d1419e0735a274f10203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d01010405000382010100aa8c
EAP-Message =
0x4b7401fcb2014b7866e9cacd1aa6d41d2dc309245b37a14ef930eda5bd254a378af0645c4b093f67373023562708492d000d4a8e726549e4df4bb207d23f648d97b10bf9194a73cc60a72958f7b9c3af24ac839b182ae6c9f3af8ace9e5b90a63190f6159de91d2d0314d87c8f14c33d2d484162000f130e512b57aac1d87855c1d8f00cbf3667ced34398d76f87bdc47d26a0402947e709e2bb870fb6987feff928160eb7f6d2960281680ca8a962ce77e7d445b1126523ac65113778149699af0bb9102597dceebbbb7837c6486165854f75ae3d9df3a495ca5ecc9ab6cd95c1bef4d8fe17b23b076b9c0647464c763f770d1b1d8a56791f2e1362de
EAP-Message = 0x010004ab308204a73082038f
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x255f8b13245c9ea7b896c4c3b04c6f97
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.38.0.3 port 32769, id=180,
length=258
User-Name = "user at example.com.au"
Calling-Station-Id = "d0-23-db-e8-b6-01"
Called-Station-Id = "e8-ba-70-9c-a3-d0:eduraom-test"
NAS-Port = 1
Cisco-AVPair = "audit-session-id=0a2600030000afdc4eea6929"
NAS-IP-Address = 10.38.0.3
NAS-Identifier = "MAKWLC5508-1"
Airespace-Wlan-Id = 4
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "19"
EAP-Message = 0x020300061500
State = 0x255f8b13245c9ea7b896c4c3b04c6f97
Message-Authenticator = 0xddac83b5c84460996555e7b43e235788
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[eap] EAP packet type response id 3 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] Received TLS ACK
[ttls] ACK handshake fragment handler
[ttls] eaptls_verify returned 1
[ttls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 180 to 10.38.0.3 port 32769
EAP-Message =
0x0104040015c0000008a2a00302010202090081954b05fc420019300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3131313231333232313734335a170d3132313231323232313734335a308193310b3009060355040613024652310f300d06035504081306526164
EAP-Message =
0x6975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100cc940f2715240f984bef0113058fb77c9c9dd5f325f8f14cc112fe8f0b367fb7e7005e20a86a0e37582884d6aeb2fdf7407bd049914a2fec7b3380698e2bddf2f3fb18418b8bd9a2601abebf02b7aa9e333bbc1802a323b213613fb99fdfe4e278bcd08a
EAP-Message =
0xbd2e65104fe99747c4446fc48bba500d8c7ede55fc5eaaa96c081a4114e76c53a378da060a61bbcdc8c71594bd26a6d373eb0de9c866af04b216ceffc93cc0e1b492b6ce447960a7b9f7488cea39d1df6771e8ed963853b12bf886b4337c40d934e259ea98bb71cbb9c3fcf6fb5fe86c0a7b25298b54d62350a2a8b740c431b7e221032cdf3f309dc628e076ba2d531292a021cd5673f009bc4b2ebd0203010001a381fb3081f8301d0603551d0e04160414ae4906d1a02877e55de58a7df11f79583bd463a33081c80603551d230481c03081bd8014ae4906d1a02877e55de58a7df11f79583bd463a3a18199a48196308193310b3009060355040613
EAP-Message =
0x024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747982090081954b05fc420019300c0603551d13040530030101ff300d06092a864886f70d010105050003820101007a6c684dd06db01bdbd75cae83074bda777c20e8be9a1be1bd56bd2b3d8c950803c003b37fc7554cb10a1122dbead4a23ba9ff6bdbeea1afef17b5a8e565a1d855277c2baebb94
EAP-Message = 0x1f57f0f52a672be403901059
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x255f8b13275b9ea7b896c4c3b04c6f97
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.38.0.3 port 32769, id=181,
length=258
User-Name = "user at example.com.au"
Calling-Station-Id = "d0-23-db-e8-b6-01"
Called-Station-Id = "e8-ba-70-9c-a3-d0:eduraom-test"
NAS-Port = 1
Cisco-AVPair = "audit-session-id=0a2600030000afdc4eea6929"
NAS-IP-Address = 10.38.0.3
NAS-Identifier = "MAKWLC5508-1"
Airespace-Wlan-Id = 4
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "19"
EAP-Message = 0x020400061500
State = 0x255f8b13275b9ea7b896c4c3b04c6f97
Message-Authenticator = 0xfc99a254f9326c2e5935b07dd2be7e6c
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[eap] EAP packet type response id 4 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] Received TLS ACK
[ttls] ACK handshake fragment handler
[ttls] eaptls_verify returned 1
[ttls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 181 to 10.38.0.3 port 32769
EAP-Message =
0x010500c01580000008a2f93ffa21693b555e0ae5383ec5b742022c77860ffe184ee9a72c4b2e2ee19fc6999842d4fa3aa95f0701342b79e8ba09b404f50be7380f7355f11a2996a99fd0dfa756aa053fcbbc0584de34623f24affe35f9ce6ce1bb9c6324191ea71d5c0ae6886fd376847ce845e7e690c438d55e00f86ade7da9f69572f13e1bece372ddc945061caaca04e5d934db3b7304ea3236a3523c54ee4858a4020dfc66da3f0966bdffd05310a63706d02e2d8616030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x255f8b13265a9ea7b896c4c3b04c6f97
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.38.0.3 port 32769, id=182,
length=590
User-Name = "user at example.com.au"
Calling-Station-Id = "d0-23-db-e8-b6-01"
Called-Station-Id = "e8-ba-70-9c-a3-d0:eduraom-test"
NAS-Port = 1
Cisco-AVPair = "audit-session-id=0a2600030000afdc4eea6929"
NAS-IP-Address = 10.38.0.3
NAS-Identifier = "MAKWLC5508-1"
Airespace-Wlan-Id = 4
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "19"
EAP-Message =
0x0205015015800000014616030101061000010201005eb0e7366af459216883bcfe66c782c2cadb93471f57894edd91701438fa5ef036269d8bc464da118bfe77f46b3ea25b8b082793b94e85e4c234cf0621f144fb785c1c691f2f55ceca405237cee5cb24e65c39694704bf16322243bfb8b6abd72a8f5c2e38de6d8d9336d0be223614f1536896c0c33e896099c10997b253b5999a8288649b1962aea6d4d02a25aaaceb9b9494fe7fc67647911b4330ec9f990d3ea555b9b79555e8b3d65d7e12bd73798a8283fcc7d954e8ae88d225cc0e44b9192ce06c9a9fb7ed89e16ae4f8d12fe4f1f8de0b5e60cf09c82455e58e301107dfa5c6b70ff22cd8
EAP-Message =
0xfc36bb4e4d9d45b2e78903cdfd098985d2e83430cd67fb941403010001011603010030be9deb372366b2a588d43e9845b2964b1a3fd1fea139f310addbc39c768cf77eba9b10ad9d403319e6a8d2721b50b94d
State = 0x255f8b13265a9ea7b896c4c3b04c6f97
Message-Authenticator = 0xb5a83699ac11acbfbe8ad5c6a4c85065
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[eap] EAP packet type response id 5 length 253
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
  TLS Length 326
[ttls] Length Included
[ttls] eaptls_verify returned 11
[ttls] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange
[ttls]     TLS_accept: SSLv3 read client key exchange A
[ttls] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[ttls] <<< TLS 1.0 Handshake [length 0010], Finished
[ttls]     TLS_accept: SSLv3 read finished A
[ttls] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[ttls]     TLS_accept: SSLv3 write change cipher spec A
[ttls] >>> TLS 1.0 Handshake [length 0010], Finished
[ttls]     TLS_accept: SSLv3 write finished A
[ttls]     TLS_accept: SSLv3 flush data
[ttls]     (other): SSL negotiation finished successfully
SSL Connection Established
[ttls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 182 to 10.38.0.3 port 32769
EAP-Message =
0x0106004515800000003b14030100010116030100307dd7611e8f7882f4503eb58c834cbc158b60f906df5f1a34f29ec7b5eca23d080918129b5c2b822f2f6090433486eac2
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x255f8b1321599ea7b896c4c3b04c6f97
Finished request 4.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.38.0.3 port 32769, id=183,
length=411
User-Name = "user at example.com.au"
Calling-Station-Id = "d0-23-db-e8-b6-01"
Called-Station-Id = "e8-ba-70-9c-a3-d0:eduraom-test"
NAS-Port = 1
Cisco-AVPair = "audit-session-id=0a2600030000afdc4eea6929"
NAS-IP-Address = 10.38.0.3
NAS-Identifier = "MAKWLC5508-1"
Airespace-Wlan-Id = 4
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "19"
EAP-Message =
0x0206009f158000000095170301009019a583666c2057ca5e6f9adb0f78e8264ff1e75fd11f0dde18ebfebec8ac135505ea649eb64ca0584b490f034e83136fce991af2f542bc71a1271674a60630161d2d863641c42c8f0cb1efe46733b7618119f2cd5dfbbadc2ed5ee55980bff1646c1e8be19117b9d0859b010fe4467daae591b3db2d824670889726294a4e6544a8c92176d21754fbc3a8c62c700097a
State = 0x255f8b1321599ea7b896c4c3b04c6f97
Message-Authenticator = 0xe625583ae40d6922617196d1c2b56a0c
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[eap] EAP packet type response id 6 length 159
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
  TLS Length 149
[ttls] Length Included
[ttls] eaptls_verify returned 11
[ttls] eaptls_process returned 7
[ttls] Session established.  Proceeding to decode tunneled attributes.
[ttls] Got tunneled request
User-Name = "user at example.com.au"
MS-CHAP-Challenge = 0x6ff7b6dd4a5155fa5d41b7b76dd50084
MS-CHAP2-Response =
0xda005b945c000516c50eaa0ae012e61fafcc0000000000000000ae2f8133e1b834293ee0a3c6bfe522d7928cf57b97ef589d
FreeRADIUS-Proxied-To = 127.0.0.1
[ttls] Sending tunneled request
User-Name = "user at example.com.au"
MS-CHAP-Challenge = 0x6ff7b6dd4a5155fa5d41b7b76dd50084
MS-CHAP2-Response =
0xda005b945c000516c50eaa0ae012e61fafcc0000000000000000ae2f8133e1b834293ee0a3c6bfe522d7928cf57b97ef589d
FreeRADIUS-Proxied-To = 127.0.0.1
Calling-Station-Id = "d0-23-db-e8-b6-01"
Called-Station-Id = "e8-ba-70-9c-a3-d0:eduraom-test"
NAS-Port = 1
Cisco-AVPair = "audit-session-id=0a2600030000afdc4eea6929"
NAS-IP-Address = 10.38.0.3
NAS-Identifier = "MAKWLC5508-1"
Airespace-Wlan-Id = 4
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "19"
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
++[mschap] returns ok
[suffix] Looking up realm "example.com.au" for User-Name = "
user at example.com.au"
[suffix] Found realm "example.com.au"
[suffix] Adding Stripped-User-Name = "user"
[suffix] Adding Realm = "example.com.au"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
++[control] returns ok
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
++? if (!control:Auth-Type)
? Evaluating !(control:Auth-Type) -> FALSE
++? if (!control:Auth-Type) -> FALSE
Found Auth-Type = MSCHAP
+- entering group MS-CHAP {...}
[mschap] Told to do MS-CHAPv2 for user at example.com.au with NT-Password
[mschap] expand: --username=%{mschap:User-Name} -> --username=
user at example.com.au
[mschap] No NT-Domain was found in the User-Name.
[mschap] expand: --domain=%{mschap:NT-Domain} -> --domain=
[mschap]  mschap2: 6f
[mschap] expand: --challenge=%{mschap:Challenge:-00} ->
--challenge=d1b8a20829fffe33
[mschap] expand: --nt-response=%{mschap:NT-Response:-00} ->
--nt-response=ae2f8133e1b834293ee0a3c6bfe522d7928cf57b97ef589d
Exec-Program output: No such user (0xc0000064)
Exec-Program-Wait: plaintext: No such user (0xc0000064)
Exec-Program: returned: 1
[mschap] External script failed.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
Failed to authenticate the user.
Login incorrect: [user/<via Auth-Type = mschap>] (from client eduraom-test
port 1 cli d0-23-db-e8-b6-01 via TLS tunnel)
} # server inner-tunnel
[ttls] Got tunneled reply code 3
MS-CHAP-Error = "\332E=691 R=1"
[ttls] Got tunneled Access-Reject
[eap] Handler failed in EAP/ttls
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect: [user at example.com.au/<via Auth-Type = EAP>] (from client
eduraom-test port 1 cli d0-23-db-e8-b6-01)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> user at example.com.au
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 5 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 5
Sending Access-Reject of id 183 to 10.38.0.3 port 32769
EAP-Message = 0x04060004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.8 seconds.
Cleaning up request 0 ID 178 with timestamp +21
Cleaning up request 1 ID 179 with timestamp +21
Cleaning up request 2 ID 180 with timestamp +21
Cleaning up request 3 ID 181 with timestamp +21
Cleaning up request 4 ID 182 with timestamp +21
Waking up in 1.0 seconds.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20111216/ad0d2633/attachment.html>


More information about the Freeradius-Users mailing list