802.1x on Active Directory: no errors in debug but auth fails
Domenico Viggiani
dviggiani at tiscali.it
Mon Feb 7 12:08:12 CET 2011
Hi,
I'm trying to setup Freeradius2 (2.1.7-7) on Red Hat 5.5 to authenticate
Windows 802.1x clients on the LAN by Active Directory. Network switches are
HP Procurve 2610.
I followed:
http://deployingradius.com/documents/configuration/active_directory.html
tutorial without any difficulty but PC is unable to authenticate even if I'm
not able to see any error in "radiusd -X" output:
#####################################################################
FreeRADIUS Version 2.1.7, for host i386-redhat-linux-gnu, built on Dec 30
2009 at 13:47:58
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/cui
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/ntlm_auth
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/inner-tunnel
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/control-socket
group = radiusd
user = radiusd
including dictionary file /etc/raddb/dictionary
main {
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/radius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
pidfile = "/var/run/radiusd/radiusd.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "testing123"
response_window = 20
max_outstanding = 65536
require_message_authenticator = no
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "testing123"
nastype = "other"
}
client sw-test {
require_message_authenticator = no
secret = "thankyou"
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_expr
Module: Instantiating expr
Module: Linked to module rlm_expiration
Module: Instantiating expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating logintime
logintime {
reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60
}
}
radiusd: #### Loading Virtual Servers ####
server inner-tunnel {
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating pap
pap {
encryption_scheme = "auto"
auto_header = no
}
Module: Linked to module rlm_chap
Module: Instantiating chap
Module: Linked to module rlm_mschap
Module: Instantiating mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
--username=%{mschap:User-Name:-None}
--domain=%{%{mschap:NT-Domain}:-PITAGORA}
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}
Module: Linked to module rlm_unix
Module: Instantiating unix
unix {
radwtmp = "/var/log/radius/radwtmp"
}
Module: Linked to module rlm_eap
Module: Instantiating eap
eap {
default_eap_type = "md5"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 2048
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
pem_file_type = yes
private_key_file = "/etc/raddb/certs/server.pem"
certificate_file = "/etc/raddb/certs/server.pem"
CA_file = "/etc/raddb/certs/ca.pem"
private_key_password = "whatever"
dh_file = "/etc/raddb/certs/dh"
random_file = "/etc/raddb/certs/random"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
make_cert_command = "/etc/raddb/certs/bootstrap"
cache {
enable = no
lifetime = 24
max_entries = 255
}
}
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
}
Module: Instantiating ntlm_auth
exec ntlm_auth {
wait = yes
program = "/usr/bin/ntlm_auth --request-nt-key --domain=PITAGORA
--username=%{mschap:User-Name} --password=%{User-Password}"
input_pairs = "request"
shell_escape = yes
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_realm
Module: Instantiating suffix
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Linked to module rlm_files
Module: Instantiating files
files {
usersfile = "/etc/raddb/users"
acctusersfile = "/etc/raddb/acct_users"
preproxy_usersfile = "/etc/raddb/preproxy_users"
compat = "no"
}
Module: Checking session {...} for more modules to load
Module: Linked to module rlm_radutmp
Module: Instantiating radutmp
radutmp {
filename = "/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Linked to module rlm_attr_filter
Module: Instantiating attr_filter.access_reject
attr_filter attr_filter.access_reject {
attrsfile = "/etc/raddb/attrs.access_reject"
key = "%{User-Name}"
}
} # modules
} # server
server {
modules {
Module: Checking authenticate {...} for more modules to load
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating preprocess
preprocess {
huntgroups = "/etc/raddb/huntgroups"
hints = "/etc/raddb/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating detail
detail {
detailfile =
"/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Instantiating attr_filter.accounting_response
attr_filter attr_filter.accounting_response {
attrsfile = "/etc/raddb/attrs.accounting_response"
key = "%{User-Name}"
}
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
} # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
listen {
type = "control"
listen {
socket = "/var/run/radiusd/radiusd.sock"
}
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /var/run/radiusd/radiusd.sock
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 10.63.1.207 port 1025, id=46,
length=242
Framed-MTU = 1480
NAS-IP-Address = 10.63.1.207
NAS-Identifier = "sw-test"
User-Name = "PITAGORA\\testuser"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 3
NAS-Port-Type = Ethernet
NAS-Port-Id = "3"
Called-Station-Id = "00-12-79-ca-9d-80"
Calling-Station-Id = "00-02-3f-31-7e-5d"
Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "6"
EAP-Message =
0x020100210150495441474f52415c6769616e6672616e636f2e63617264696c6c6f
Message-Authenticator = 0x23fccd425e446ea9cb372d952782d4ba
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "PITAGORA\testuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 33
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 172
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication
may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 46 to 10.63.1.207 port 1025
Framed-Protocol = PPP
Framed-Compression = Van-Jacobson-TCP-IP
EAP-Message = 0x0102001604100ad511f05f27d9673a2f4aa87ec6f29b
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xc2330ef2c2310a9b10e022abbe73f133
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.63.1.207 port 1025, id=47,
length=233
Framed-MTU = 1480
NAS-IP-Address = 10.63.1.207
NAS-Identifier = "sw-test"
User-Name = "PITAGORA\\testuser"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 3
NAS-Port-Type = Ethernet
NAS-Port-Id = "3"
Called-Station-Id = "00-12-79-ca-9d-80"
Calling-Station-Id = "00-02-3f-31-7e-5d"
Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "6"
State = 0xc2330ef2c2310a9b10e022abbe73f133
EAP-Message = 0x020200060319
Message-Authenticator = 0x1433cd9351165311cf6481b2598a2900
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "PITAGORA\testuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 172
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication
may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/peap
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 47 to 10.63.1.207 port 1025
Framed-Protocol = PPP
Framed-Compression = Van-Jacobson-TCP-IP
EAP-Message = 0x010300061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xc2330ef2c330179b10e022abbe73f133
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.63.1.207 port 1025, id=48,
length=314
Framed-MTU = 1480
NAS-IP-Address = 10.63.1.207
NAS-Identifier = "sw-test"
User-Name = "PITAGORA\\testuser"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 3
NAS-Port-Type = Ethernet
NAS-Port-Id = "3"
Called-Station-Id = "00-12-79-ca-9d-80"
Calling-Station-Id = "00-02-3f-31-7e-5d"
Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "6"
State = 0xc2330ef2c330179b10e022abbe73f133
EAP-Message =
0x0203005719800000004d16030100480100004403014d4fd13cf2eeeab2afebcd0bac01461a
f387fed3654bc64abb3342e273f4cab700001600040005000a00090064006200030006001300
12006301000005ff01000100
Message-Authenticator = 0x04a5713d3acefa6a14589feb04cf1fe5
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "PITAGORA\testuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 87
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 77
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 0048], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 0031], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 085e], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client certificate
A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 48 to 10.63.1.207 port 1025
EAP-Message =
0x0104040019c0000008a216030100310200002d03014d4fd13cc78072b7ad2723a076a86ca1
dcc8644ef4fd8c062bd543bda538c7fc000004000005ff01000100160301085e0b00085a0008
570003a6308203a23082028aa003020102020101300d06092a864886f70d0101040500308193
310b3009060355040613024652310f300d060355040813065261646975733112301006035504
071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e312030
1e06092a864886f70d010901161161646d696e406578616d706c652e636f6d31263024060355
0403131d4578616d706c65204365727469666963617465204175
EAP-Message =
0x74686f72697479301e170d3131303230343134333331345a170d3132303230343134333331
345a307c310b3009060355040613024652310f300d0603550408130652616469757331153013
060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c6520
5365727665722043657274696669636174653120301e06092a864886f70d010901161161646d
696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f00
3082010a0282010100ea55617b68e9f5afb5bda1ccdc3a6bdab724c33edcb047875e2e035dc5
7e07efe2becbdde3f8c77445f0cb61da0a7360e8eabc52c2e909
EAP-Message =
0x982ce71d51aed0cad56be3067d0583d34a62dc33d1265ffada76166d572ce71551697e5395
e0bca3b197ae0003a9afe9c89c55c6a935e267beecb1a28d17a044c932761b9dc28799bcfd92
50ec5f9ed92ee00383e591823bae32f15e1bf33728817b26c51712099afb931166ff2c40d266
e9dbfb6ed6d516bf55c957f49713981e48c578bd0d9450c10bce8173173837d408212e49c386
2f84a2d6ead9b894e2bcdc76f20ac3c9221fe60038fda32c3f3f9e085f721dc1bf87617d1378
4a7c5faec678798a42a173af0203010001a317301530130603551d25040c300a06082b060105
05070301300d06092a864886f70d01010405000382010100bfb1
EAP-Message =
0x34afa9e780cce028160fdbf6426edcd838712aa615cda0542ce21e7b51b72a2a11a5f35740
e1b37f604ad87f825888490576ac0adefb5cde9b49be770f8889a776b1e3c1fcec196080fbc1
f7005961dd91ba29f7a4f79714a43c6a198da71b59d9d74bb644d33df3c762597d635d3fb79b
e17cbd95ae7a8fe74cbb4cbf44ad0d6f6a322923f161e48382b2546cc97ff0b608424cfbcd60
91483f08831dc63bb6352d124f66a37b8bbd9ee2f16442c123462dee541f0cd5a77f011a7c60
77134aad0bfabebafde4d4bbeb721fb0e3a10725260e9584a3e621286a7ed7cb7f00668b87e9
37a54805e4fe0b09993b30693725b0f85f187e5fc6626aa62984
EAP-Message = 0x8f0004ab308204a73082038f
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xc2330ef2c037179b10e022abbe73f133
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.63.1.207 port 1025, id=49,
length=233
Framed-MTU = 1480
NAS-IP-Address = 10.63.1.207
NAS-Identifier = "sw-test"
User-Name = "PITAGORA\\testuser"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 3
NAS-Port-Type = Ethernet
NAS-Port-Id = "3"
Called-Station-Id = "00-12-79-ca-9d-80"
Calling-Station-Id = "00-02-3f-31-7e-5d"
Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "6"
State = 0xc2330ef2c037179b10e022abbe73f133
EAP-Message = 0x020400061900
Message-Authenticator = 0x03ea01b263bdcbb60dcbc6ca9e56f829
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "PITAGORA\testuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 4 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 49 to 10.63.1.207 port 1025
EAP-Message =
0x010503fc1940a003020102020900cbfbb3c6e6eac293300d06092a864886f70d0101050500
308193310b3009060355040613024652310f300d060355040813065261646975733112301006
035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e
3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d31263024
0603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e
170d3131303230343134333331345a170d3132303230343134333331345a308193310b300906
0355040613024652310f300d0603550408130652616469757331
EAP-Message =
0x12301006035504071309536f6d65776865726531153013060355040a130c4578616d706c65
20496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f
6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72
69747930820122300d06092a864886f70d01010105000382010f003082010a0282010100f09f
04293b15c3fbc1cd487f7e8c2672e6ed9b3f2076497505fcbca6ae04bb1a28a3f71836569feb
0f993d069adf937a3c85171558868dee233085f11f2f749efaa2dd25693d4c8bb36b4c49ecae
5c61d949db07a3520fc38f13908254be3b2d9b75357e130b60b3
EAP-Message =
0x154e657206dfdc54bce402c1786dee6934211b4c40fa5976c6def1794d0b239a509cdf7beb
96bb560fa7ffb595626676db99d8d46ad9baa14beb797bbeb2a40bd823e31515dcf97843f821
43780c76238000bacc252381e46118aba2048529df1de0a840bf3bf649104b0800bd1d2f4bc9
08421cccdc648783d3392045c90a0e3fe023e2d66afa9d1e9dfd130bf99a5437511bf7606629
e90203010001a381fb3081f8301d0603551d0e041604142fad8e1834baf2c00ff7a992e1ac5f
f2a59c840a3081c80603551d230481c03081bd80142fad8e1834baf2c00ff7a992e1ac5ff2a5
9c840aa18199a48196308193310b300906035504061302465231
EAP-Message =
0x0f300d060355040813065261646975733112301006035504071309536f6d65776865726531
153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d01090116
1161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c652043
6572746966696361746520417574686f72697479820900cbfbb3c6e6eac293300c0603551d13
040530030101ff300d06092a864886f70d01010505000382010100324abb2820dac845e24553
75ecb04b30eaa4430dd010afea712210be69f74e194e4a06eeb2fffc584ef62549b0751eeb80
5f64ac9f6a3e31c5703dc7e0d53b670215dd7731c9cc2ca45bde
EAP-Message = 0x50458bff45c56032
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xc2330ef2c136179b10e022abbe73f133
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.63.1.207 port 1025, id=50,
length=233
Framed-MTU = 1480
NAS-IP-Address = 10.63.1.207
NAS-Identifier = "sw-test"
User-Name = "PITAGORA\\testuser"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 3
NAS-Port-Type = Ethernet
NAS-Port-Id = "3"
Called-Station-Id = "00-12-79-ca-9d-80"
Calling-Station-Id = "00-02-3f-31-7e-5d"
Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "6"
State = 0xc2330ef2c136179b10e022abbe73f133
EAP-Message = 0x020500061900
Message-Authenticator = 0x737833619f69c6a5a575256d21bd42d6
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "PITAGORA\testuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 5 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 50 to 10.63.1.207 port 1025
EAP-Message =
0x010600bc1900ddb966ad449ebce7845bd0ae07480e65bea3e8ea663b5e63a7611dcaf8a7c0
846188c452db0cf8e0ef66c0e43f953dd2ed2b8e87682cd1315c717c80e4fab9855f30cd20ea
93f250fb30d75fff92212902209b8debc5f3083e50740f5fa92e24c053893f86f3688e113ef1
1c609f6536860396bb10842f6345d4c4abbea751aa0655f7a2def230abcefa504fac484df327
65271397e546271e2dbd4f8bfa26c5d83d7c74df6f01440a6a2f4f9816030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xc2330ef2c635179b10e022abbe73f133
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.63.1.207 port 1025, id=51,
length=549
Framed-MTU = 1480
NAS-IP-Address = 10.63.1.207
NAS-Identifier = "sw-test"
User-Name = "PITAGORA\\testuser"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 3
NAS-Port-Type = Ethernet
NAS-Port-Id = "3"
Called-Station-Id = "00-12-79-ca-9d-80"
Calling-Station-Id = "00-02-3f-31-7e-5d"
Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "6"
State = 0xc2330ef2c635179b10e022abbe73f133
EAP-Message =
0x02060140198000000136160301010610000102010013a4a5cfa0977e0775057b68fa525204
043b1eb0bc219d09f048fe6d63e032aa3ac386d0383ebddbb468498ab5efb55714eaddc7681b
7ecd1eb9c6561a094cc52aed59125ce5ff1150671baec79edc87eec83138fbe4ce3a64f49fd9
e76554acdae5a127cbd4164b568c60c20a682220e3cb9dc68b46a455cccaa247a609f01a134c
8f1fd66975dad840ff3c7b040defd618918c73da49f561a857a3177682e27fc67c940261251d
9d8c725eb70e45eaaf79fc898f9f8efa8162011d0bca0212b4aff0ea8ca6e3b3796e490a84e7
efbf0d8db98c70c9e2d70dae38ba5ed6411e2a946fb9aae29033
EAP-Message =
0x465b5a926f959280200fe13d2dae18498f78c53798248f9914030100010116030100207dc5
1c2e15af596e0698dd6108a1aa3d0fcea328015ba5354de641c979dc2020
Message-Authenticator = 0x16550f99a63143672ac90b00dbd3114b
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "PITAGORA\testuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 6 length 253
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 310
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange
[peap] TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap] TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 write finished A
[peap] TLS_accept: SSLv3 flush data
[peap] (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 51 to 10.63.1.207 port 1025
EAP-Message =
0x01070031190014030100010116030100205ade2f3e33e8685e52df75423f2473025edd9c2f
cf68c03232281c39f616dca1
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xc2330ef2c734179b10e022abbe73f133
Finished request 5.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.63.1.207 port 1025, id=52,
length=233
Framed-MTU = 1480
NAS-IP-Address = 10.63.1.207
NAS-Identifier = "sw-test"
User-Name = "PITAGORA\\testuser"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 3
NAS-Port-Type = Ethernet
NAS-Port-Id = "3"
Called-Station-Id = "00-12-79-ca-9d-80"
Calling-Station-Id = "00-02-3f-31-7e-5d"
Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "6"
State = 0xc2330ef2c734179b10e022abbe73f133
EAP-Message = 0x020700061900
Message-Authenticator = 0x26998eddde82022fa49c43d7b4ebb76a
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "PITAGORA\testuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 7 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
++[eap] returns handled
Sending Access-Challenge of id 52 to 10.63.1.207 port 1025
EAP-Message =
0x01080020190017030100154b7b5dd4c4f406c163805dec8c21607a8babdad020
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xc2330ef2c43b179b10e022abbe73f133
Finished request 6.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.63.1.207 port 1025, id=53,
length=283
Framed-MTU = 1480
NAS-IP-Address = 10.63.1.207
NAS-Identifier = "sw-test"
User-Name = "PITAGORA\\testuser"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 3
NAS-Port-Type = Ethernet
NAS-Port-Id = "3"
Called-Station-Id = "00-12-79-ca-9d-80"
Calling-Station-Id = "00-02-3f-31-7e-5d"
Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "6"
State = 0xc2330ef2c43b179b10e022abbe73f133
EAP-Message =
0x020800381900170301002d089df87f8e1e5987ef1792c8925e1194dc3b9a7d372f23a69484
fb4dffcfac64811aae3e366003e7f13d79d7a3
Message-Authenticator = 0xa585cf547907140181f7b8426dca155e
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "PITAGORA\testuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 8 length 56
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Identity - PITAGORA\testuser
[peap] Got tunneled request
EAP-Message =
0x020800210150495441474f52415c6769616e6672616e636f2e63617264696c6c6f
server {
PEAP: Got tunneled identity of PITAGORA\testuser
PEAP: Setting default EAP type for tunneled EAP session.
PEAP: Setting User-Name to PITAGORA\testuser
Sending tunneled request
EAP-Message =
0x020800210150495441474f52415c6769616e6672616e636f2e63617264696c6c6f
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "PITAGORA\\testuser"
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "PITAGORA\testuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 8 length 33
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
EAP-Message =
0x010900361a010900311014d6c9e2f9cb4a58554df2cb29adb0a950495441474f52415c6769
616e6672616e636f2e63617264696c6c6f
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x37523e80375b245973dcd634f3fc6f7a
[peap] Got tunneled reply RADIUS code 11
EAP-Message =
0x010900361a010900311014d6c9e2f9cb4a58554df2cb29adb0a950495441474f52415c6769
616e6672616e636f2e63617264696c6c6f
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x37523e80375b245973dcd634f3fc6f7a
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 53 to 10.63.1.207 port 1025
EAP-Message =
0x0109004d190017030100429b5f32184f610613f00b1cce946385098a8eff56bfd4be135578
680f6b0dff1f5ed1ac0d1678088067a3ab3d5e9242114e5e7a0d7290bdf6ad92bf5d4efb6816
cffb
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xc2330ef2c53a179b10e022abbe73f133
Finished request 7.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.63.1.207 port 1025, id=54,
length=337
Framed-MTU = 1480
NAS-IP-Address = 10.63.1.207
NAS-Identifier = "sw-test"
User-Name = "PITAGORA\\testuser"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 3
NAS-Port-Type = Ethernet
NAS-Port-Id = "3"
Called-Station-Id = "00-12-79-ca-9d-80"
Calling-Station-Id = "00-02-3f-31-7e-5d"
Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "6"
State = 0xc2330ef2c53a179b10e022abbe73f133
EAP-Message =
0x0209006e19001703010063f8651686a818b10b399c346b7e7d55f1ed23cd3c68c02aab5143
e156b46c87f3b06be3a6546fbdc9fe76ae1250c4900db2a0a246a229176bfc8ecfc564d274dc
fde0c6f1b4c6856045202ac081856d1788e1728ef297877b9f889710a290ec845bdf45
Message-Authenticator = 0xa10bdae95be3fb4f160fea338874c85a
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "PITAGORA\testuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 9 length 110
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] EAP type mschapv2
[peap] Got tunneled request
EAP-Message =
0x020900571a02090052318b237fb97c62ee51a148a9f160c34b6c000000000000000070e882
9b2758fcac1999a7165374bbef5f406c32951a8d1c0050495441474f52415c6769616e667261
6e636f2e63617264696c6c6f
server {
PEAP: Setting User-Name to PITAGORA\testuser
Sending tunneled request
EAP-Message =
0x020900571a02090052318b237fb97c62ee51a148a9f160c34b6c000000000000000070e882
9b2758fcac1999a7165374bbef5f406c32951a8d1c0050495441474f52415c6769616e667261
6e636f2e63617264696c6c6f
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "PITAGORA\\testuser"
State = 0x37523e80375b245973dcd634f3fc6f7a
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "PITAGORA\testuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 9 length 87
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] Told to do MS-CHAPv2 for testuser with NT-Password
[mschap] expand: --username=%{mschap:User-Name:-None} ->
--username=testuser
[mschap] expand: %{mschap:NT-Domain} -> PITAGORA
[mschap] expand: --domain=%{%{mschap:NT-Domain}:-PITAGORA} ->
--domain=PITAGORA
[mschap] mschap2: 14
[mschap] expand: --challenge=%{mschap:Challenge:-00} ->
--challenge=fb9a84f7a072a61e
[mschap] expand: --nt-response=%{mschap:NT-Response:-00} ->
--nt-response=70e8829b2758fcac1999a7165374bbef5f406c32951a8d1c
Exec-Program output: NT_KEY: 5E93A783937468FDED71B619F0781AD4
Exec-Program-Wait: plaintext: NT_KEY: 5E93A783937468FDED71B619F0781AD4
Exec-Program: returned: 0
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
MSCHAP Success
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
EAP-Message =
0x010a00331a0309002e533d4341303635413435333430423234384542433237433546463731
3133303545423545354633383131
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x37523e803658245973dcd634f3fc6f7a
[peap] Got tunneled reply RADIUS code 11
EAP-Message =
0x010a00331a0309002e533d4341303635413435333430423234384542433237433546463731
3133303545423545354633383131
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x37523e803658245973dcd634f3fc6f7a
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 54 to 10.63.1.207 port 1025
EAP-Message =
0x010a004a1900170301003f89859944848beaa1a1150d04b44af7343d3f0867517b48dcfa7c
1a3a38468e2c7f73a4a6d760ee589d34d3ae808c8fe81be20e246f39c054d1efa38ae39490
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xc2330ef2ca39179b10e022abbe73f133
Finished request 8.
Going to the next request
Waking up in 4.8 seconds.
Cleaning up request 0 ID 46 with timestamp +31
Cleaning up request 1 ID 47 with timestamp +31
Cleaning up request 2 ID 48 with timestamp +31
Cleaning up request 3 ID 49 with timestamp +31
Cleaning up request 4 ID 50 with timestamp +31
Cleaning up request 5 ID 51 with timestamp +31
Cleaning up request 6 ID 52 with timestamp +31
Cleaning up request 7 ID 53 with timestamp +31
Cleaning up request 8 ID 54 with timestamp +31
Ready to process requests.
############################################################################
###########
Any help?
Thanks in advance
--
DV
More information about the Freeradius-Users
mailing list