TTLS-MSCHAPv2 works but PEAP-MSCHAPv2 doesn't (FreeRADIUS 2.1.3)

Alan Buxey A.L.M.Buxey at lboro.ac.uk
Thu Feb 24 10:09:37 CET 2011


Quick answer. Your eduroam inner tunnel virtual server isn't handling it ... No auth method found. Mschap noop.


Alan



----- Reply message -----
From: "Wenche Backman" <Wenche.Backman at csc.fi>
Date: Thu, Feb 24, 2011 08:14
Subject: TTLS-MSCHAPv2 works but PEAP-MSCHAPv2 doesn't (FreeRADIUS 2.1.3)
To: "freeradius-users at lists.freeradius.org" <freeradius-users at lists.freeradius.org>

Hi,

I have a FreeRADIUS server for configuration testing purposes, and on this server TTLS-MSCHAPv2 works fine but PEAP-MSCHAPv2 fails. PEAP-MSCHAPv2 fails both with the Windows XP client and the NetworkManager included in Ubuntu 8.04 LTS. The output from radius -X is shown below. The configuration files are attached. I'd appreciate it if someone could take a look at this and check where the problem might be.

Regards,

Wenche Backman

PEAP-MSCHAPv2 failure (this one from Ubuntu 8.04 LTS, the output from WinXP is the same):

Ready to process requests
rad_recv: Access-Request packet from host 193.166.6.179 port 2048, id=0, length=137
        User-Name = "du at mytest.fi"
        NAS-IP-Address = 193.166.6.179
        Called-Station-Id = "000d0b6cd027"
        Calling-Station-Id = "001de01a9a47"
        NAS-Identifier = "000d0b6cd027"
        NAS-Port = 7
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x02000011016475406d79746573742e6669
        Message-Authenticator = 0xb613072b66070df9b35799b65683a666
server eduroam {
+- entering group authorize {...}
[auth_log]      expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/193.166.6.179/auth-detail-20110222
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/193.166.6.179/auth-detail-20110222
[auth_log]      expand: %t -> Tue Feb 22 12:17:12 2011
++[auth_log] returns ok
[suffix] Looking up realm "mytest.fi" for User-Name = "du at mytest.fi"
[suffix] Found realm "mytest.fi"
[suffix] Adding Realm = "mytest.fi"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 0 length 17
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
} # server eduroam
Sending Access-Challenge of id 0 to 193.166.6.179 port 2048
        EAP-Message = 0x010100061920
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xb667f4e0b666ed0567b6ebba8e637a5c
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 193.166.6.179 port 2048, id=0, length=231
Cleaning up request 0 ID 0 with timestamp +107
        User-Name = "du at mytest.fi"
        NAS-IP-Address = 193.166.6.179
        Called-Station-Id = "000d0b6cd027"
        Calling-Station-Id = "001de01a9a47"
        NAS-Identifier = "000d0b6cd027"
        NAS-Port = 7
        Framed-MTU = 1400
        State = 0xb667f4e0b666ed0567b6ebba8e637a5c
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x0201005d190016030100520100004e03014d638d2813d992579c034f3369d4734a02fcc8603b1297948e5ee5d6950eb9ae00002600390038003500160013000a00330032002f0005000400150012000900140011000800060003020100
        Message-Authenticator = 0x7aaf685db9bfc8a730e04e61846a8ba4
server eduroam {
+- entering group authorize {...}
[auth_log]      expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/193.166.6.179/auth-detail-20110222
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/193.166.6.179/auth-detail-20110222
[auth_log]      expand: %t -> Tue Feb 22 12:17:12 2011
++[auth_log] returns ok
[suffix] Looking up realm "mytest.fi" for User-Name = "du at mytest.fi"
[suffix] Found realm "mytest.fi"
[suffix] Adding Realm = "mytest.fi"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 1 length 93
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap]     (other): before/accept initialization
[peap]     TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 0052], ClientHello
[peap]     TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 002a], ServerHello
[peap]     TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 085e], Certificate
[peap]     TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange
[peap]     TLS_accept: SSLv3 write key exchange A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap]     TLS_accept: SSLv3 write server done A
[peap]     TLS_accept: SSLv3 flush data
[peap]     TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
} # server eduroam
Sending Access-Challenge of id 0 to 193.166.6.179 port 2048
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xb667f4e0b765ed0567b6ebba8e637a5c
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 193.166.6.179 port 2048, id=0, length=144
Cleaning up request 1 ID 0 with timestamp +107
        User-Name = "du at mytest.fi"
        NAS-IP-Address = 193.166.6.179
        Called-Station-Id = "000d0b6cd027"
        Calling-Station-Id = "001de01a9a47"
        NAS-Identifier = "000d0b6cd027"
        NAS-Port = 7
        Framed-MTU = 1400
        State = 0xb667f4e0b765ed0567b6ebba8e637a5c
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x020200061900
        Message-Authenticator = 0xf24d59a32f188207dee0c313a901bfb3
server eduroam {
+- entering group authorize {...}
[auth_log]      expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/193.166.6.179/auth-detail-20110222
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/193.166.6.179/auth-detail-20110222
[auth_log]      expand: %t -> Tue Feb 22 12:17:12 2011
++[auth_log] returns ok
[suffix] Looking up realm "mytest.fi" for User-Name = "du at mytest.fi"
[suffix] Found realm "mytest.fi"
[suffix] Adding Realm = "mytest.fi"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 2 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
} # server eduroam
Sending Access-Challenge of id 0 to 193.166.6.179 port 2048
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xb667f4e0b464ed0567b6ebba8e637a5c
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 193.166.6.179 port 2048, id=0, length=144
Cleaning up request 2 ID 0 with timestamp +107
        User-Name = "du at mytest.fi"
        NAS-IP-Address = 193.166.6.179
        Called-Station-Id = "000d0b6cd027"
        Calling-Station-Id = "001de01a9a47"
        NAS-Identifier = "000d0b6cd027"
        NAS-Port = 7
        Framed-MTU = 1400
        State = 0xb667f4e0b464ed0567b6ebba8e637a5c
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x020300061900
        Message-Authenticator = 0xb8250ec4167cfca1229cd8fed99c2ebe
server eduroam {
+- entering group authorize {...}
[auth_log]      expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/193.166.6.179/auth-detail-20110222
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/193.166.6.179/auth-detail-20110222
[auth_log]      expand: %t -> Tue Feb 22 12:17:12 2011
++[auth_log] returns ok
[suffix] Looking up realm "mytest.fi" for User-Name = "du at mytest.fi"
[suffix] Found realm "mytest.fi"
[suffix] Adding Realm = "mytest.fi"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 3 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
} # server eduroam
Sending Access-Challenge of id 0 to 193.166.6.179 port 2048
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xb667f4e0b563ed0567b6ebba8e637a5c
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 193.166.6.179 port 2048, id=0, length=342
Cleaning up request 3 ID 0 with timestamp +107
        User-Name = "du at mytest.fi"
        NAS-IP-Address = 193.166.6.179
        Called-Station-Id = "000d0b6cd027"
        Calling-Station-Id = "001de01a9a47"
        NAS-Identifier = "000d0b6cd027"
        NAS-Port = 7
        Framed-MTU = 1400
        State = 0xb667f4e0b563ed0567b6ebba8e637a5c
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x020400cc1900160301008610000082008086f0298b073e157e853a830e045a18b40f17a02efbe131d943518b00817f8a72a2be1b64d1208657beea1cff038418106c6beda352e34d9950e7b9c397932bd7cb8f722ff87b819edfea5910676e1e898ec4c071c6cdedab5b8c8980dbd752c9f74bbf5818cc35900515d0a97a4b6139b94e24c2b0aa1aa7ca282e205952121e140301000101160301003053d0e5fbe8ed7e32c5d7318f3baf834371d7ccc760d9a0fb0b2320f9707c9acf7f218bcb8c70a8b51e88bbdc2274aec8
        Message-Authenticator = 0x7b92c60ebe961910947ed53e0f3deced
server eduroam {
+- entering group authorize {...}
[auth_log]      expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/193.166.6.179/auth-detail-20110222
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/193.166.6.179/auth-detail-20110222
[auth_log]      expand: %t -> Tue Feb 22 12:17:12 2011
++[auth_log] returns ok
[suffix] Looking up realm "mytest.fi" for User-Name = "du at mytest.fi"
[suffix] Found realm "mytest.fi"
[suffix] Adding Realm = "mytest.fi"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 4 length 204
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
[peap]     TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap]     TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap]     TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap]     TLS_accept: SSLv3 write finished A
[peap]     TLS_accept: SSLv3 flush data
[peap]     (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
} # server eduroam
Sending Access-Challenge of id 0 to 193.166.6.179 port 2048
        EAP-Message = 0x01050041190014030100010116030100305a7b9877876923768d3f6b8ddffb2a49d7c701b35c74a0c803a5c99b9b632fcb4eeb6ef635de4e8994feef3c84f828ff
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xb667f4e0b262ed0567b6ebba8e637a5c
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 193.166.6.179 port 2048, id=0, length=144
Cleaning up request 4 ID 0 with timestamp +107
        User-Name = "du at mytest.fi"
        NAS-IP-Address = 193.166.6.179
        Called-Station-Id = "000d0b6cd027"
        Calling-Station-Id = "001de01a9a47"
        NAS-Identifier = "000d0b6cd027"
        NAS-Port = 7
        Framed-MTU = 1400
        State = 0xb667f4e0b262ed0567b6ebba8e637a5c
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x020500061900
        Message-Authenticator = 0xc5648cb005eb7be3dcd512844c73fc53
server eduroam {
+- entering group authorize {...}
[auth_log]      expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/193.166.6.179/auth-detail-20110222
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/193.166.6.179/auth-detail-20110222
[auth_log]      expand: %t -> Tue Feb 22 12:17:12 2011
++[auth_log] returns ok
[suffix] Looking up realm "mytest.fi" for User-Name = "du at mytest.fi"
[suffix] Found realm "mytest.fi"
[suffix] Adding Realm = "mytest.fi"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 5 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
++[eap] returns handled
} # server eduroam
Sending Access-Challenge of id 0 to 193.166.6.179 port 2048
        EAP-Message = 0x0106002b190017030100204911606b54a92f837428b80e62f8fd2eaa9def9e14ca28d915ccc4e1718e421e
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xb667f4e0b361ed0567b6ebba8e637a5c
Finished request 5.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 193.166.6.179 port 2048, id=0, length=234
Cleaning up request 5 ID 0 with timestamp +107
        User-Name = "du at mytest.fi"
        NAS-IP-Address = 193.166.6.179
        Called-Station-Id = "000d0b6cd027"
        Calling-Station-Id = "001de01a9a47"
        NAS-Identifier = "000d0b6cd027"
        NAS-Port = 7
        Framed-MTU = 1400
        State = 0xb667f4e0b361ed0567b6ebba8e637a5c
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x020600601900170301002084f81dbeee164be0d004166b849fec7362852574d78846dad2b62b39b08cf6a51703010030825c7db26910cfcc090ad6f9edf862db3bf8a16401564750eb0bcf77857da0fdb7de955192557ac83755357f816949b9
        Message-Authenticator = 0xa9e56e06a53d4769e832e0f8cee70a4d
server eduroam {
+- entering group authorize {...}
[auth_log]      expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/193.166.6.179/auth-detail-20110222
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/193.166.6.179/auth-detail-20110222
[auth_log]      expand: %t -> Tue Feb 22 12:17:12 2011
++[auth_log] returns ok
[suffix] Looking up realm "mytest.fi" for User-Name = "du at mytest.fi"
[suffix] Found realm "mytest.fi"
[suffix] Adding Realm = "mytest.fi"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 6 length 96
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Identity - du at mytest.fi
[peap] Got tunneled request
        EAP-Message = 0x02060011016475406d79746573742e6669
server eduroam {
  PEAP: Got tunneled identity of du at mytest.fi
  PEAP: Setting default EAP type for tunneled EAP session.
  PEAP: Setting User-Name to du at mytest.fi
Sending tunneled request
        EAP-Message = 0x02060011016475406d79746573742e6669
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "du at mytest.fi"
        NAS-IP-Address = 193.166.6.179
        Called-Station-Id = "000d0b6cd027"
        Calling-Station-Id = "001de01a9a47"
        NAS-Identifier = "000d0b6cd027"
        NAS-Port = 7
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
server eduroam-inner-tunnel {
+- entering group authorize {...}
[auth_log]      expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/193.166.6.179/auth-detail-20110222
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/193.166.6.179/auth-detail-20110222
[auth_log]      expand: %t -> Tue Feb 22 12:17:12 2011
++[auth_log] returns ok
[files] users: Matched entry du at mytest.fi at line 206
++[files] returns ok
++[mschap] returns noop
[pap] Normalizing NT-Password from hex encoding
[pap] No clear-text password in the request.  Not performing PAP.
++[pap] returns noop
No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Failed to authenticate the user.
} # server eduroam-inner-tunnel
[peap] Got tunneled reply code 3
[peap] Got tunneled reply RADIUS code 3
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] returns handled
} # server eduroam
Sending Access-Challenge of id 0 to 193.166.6.179 port 2048
        EAP-Message = 0x0107003b19001703010030998319d6fd8e167dc17373bdbd74ff90ed3b3565f1eeec9f48a3fabf8022e8a3f0d84d04fed1507c2be2696c67f0591b
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xb667f4e0b060ed0567b6ebba8e637a5c
Finished request 6.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 193.166.6.179 port 2048, id=0, length=234
Cleaning up request 6 ID 0 with timestamp +107
        User-Name = "du at mytest.fi"
        NAS-IP-Address = 193.166.6.179
        Called-Station-Id = "000d0b6cd027"
        Calling-Station-Id = "001de01a9a47"
        NAS-Identifier = "000d0b6cd027"
        NAS-Port = 7
        Framed-MTU = 1400
        State = 0xb667f4e0b060ed0567b6ebba8e637a5c
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x02070060190017030100206a2891cc8d712812216d36fc9a6aafafcfa02faf5c3746b46c8b5bd3fec306071703010030bb13eb9f3a5a8808db75cf59c22d50994ae45e0ecc1f7b91c3e00de1e70e8e45a98adbe3b2d7a7e15547c50362d7fdda
        Message-Authenticator = 0x534b7bb55532f1fde1e5c3205e83ecae
server eduroam {
+- entering group authorize {...}
[auth_log]      expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/193.166.6.179/auth-detail-20110222
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/193.166.6.179/auth-detail-20110222
[auth_log]      expand: %t -> Tue Feb 22 12:17:12 2011
++[auth_log] returns ok
[suffix] Looking up realm "mytest.fi" for User-Name = "du at mytest.fi"
[suffix] Found realm "mytest.fi"
[suffix] Adding Realm = "mytest.fi"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 7 length 96
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Received EAP-TLV response.
[peap]  Had sent TLV failure.  User was rejected earlier in this session.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
} # server eduroam
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[reply_log]     expand: /var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d -> /var/log/radius/radacct/193.166.6.179/reply-detail-20110222
[reply_log] /var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to /var/log/radius/radacct/193.166.6.179/reply-detail-20110222
[reply_log]     expand: %t -> Tue Feb 22 12:17:12 2011
++[reply_log] returns ok
Delaying reject of request 7 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 7
Sending Access-Reject of id 0 to 193.166.6.179 port 2048
        EAP-Message = 0x04070004
        Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 4.9 seconds.
Cleaning up request 7 ID 0 with timestamp +107
Ready to process requests.


Wenche Backman
Tietoliikenneasiantuntija
CSC - Tieteen tietotekniikan keskus Oy
PL 405, 02101 Espoo
(09) 457 2737, Wenche.Backman at csc.fi

Ms. Wenche Backman
Data Communications Specialist
CSC - IT Center for Science Ltd.
P.O. BOX 405, FI-02101 Espoo, Finland
+358 9 457 2737, Wenche.Backman at csc.fi
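
Added example (not part of the original thread, and not FreeRADIUS code): a small Python triage script that walks FreeRADIUS debug output, tracks which virtual server is active, and reports the point the reply at the top describes, where the inner tunnel's authorize section ends without any module setting Auth-Type. The sample is an excerpt of the log quoted above; the name find_unhandled and the reading that an EAP-Message with no eap module in authorize explains the reject are assumptions of this example.

```python
import re

# Excerpt of the debug output quoted above (tunneled part of request 6).
SAMPLE = """\
[peap] Got tunneled request
        EAP-Message = 0x02060011016475406d79746573742e6669
server eduroam {
  PEAP: Got tunneled identity of du at mytest.fi
Sending tunneled request
        EAP-Message = 0x02060011016475406d79746573742e6669
        User-Name = "du at mytest.fi"
server eduroam-inner-tunnel {
+- entering group authorize {...}
++[auth_log] returns ok
[files] users: Matched entry du at mytest.fi at line 206
++[files] returns ok
++[mschap] returns noop
[pap] No clear-text password in the request.  Not performing PAP.
++[pap] returns noop
No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Failed to authenticate the user.
} # server eduroam-inner-tunnel
[peap] Tunneled authentication was rejected.
"""

SERVER_OPEN = re.compile(r"^server (\S+) \{$")
SERVER_CLOSE = re.compile(r"^\} # server (\S+)$")
GROUP = re.compile(r"^\+- entering group (\S+)")
MODULE_RET = re.compile(r"^\++\[(\w+)\] returns (\w+)$")
ATTR = re.compile(r"^\s+([A-Za-z0-9-]+) = ")
NO_METHOD = "No authenticate method (Auth-Type) configuration found"


def find_unhandled(log_text):
    """Return one finding per request that a virtual server rejected
    because nothing in its authorize section set Auth-Type."""
    stack, pending, findings = [], set(), []
    for raw in log_text.splitlines():
        line = raw.rstrip()
        if line.startswith(("rad_recv:", "Sending ")):
            pending = set()              # a fresh attribute list follows
            if line.startswith("rad_recv:"):
                stack = []               # new outer request: drop stale nesting
            continue
        m = ATTR.match(line)
        if m:
            pending.add(m.group(1))
            continue
        m = SERVER_OPEN.match(line)
        if m:
            stack.append({"server": m.group(1), "group": None,
                          "attrs": set(pending), "modules": {}})
            continue
        m = SERVER_CLOSE.match(line)
        if m:
            # The log can open a server twice; unwind to the matching name.
            while stack and stack.pop()["server"] != m.group(1):
                pass
            continue
        if not stack:
            continue
        frame = stack[-1]
        m = GROUP.match(line)
        if m:
            frame["group"] = m.group(1)
            continue
        m = MODULE_RET.match(line)
        if m and frame["group"]:
            frame["modules"].setdefault(frame["group"], []).append(m.groups())
            continue
        if line.startswith(NO_METHOD):
            ran = frame["modules"].get("authorize", [])
            # Assumption: an EAP-Message needs an eap module in authorize.
            eap_missing = ("EAP-Message" in frame["attrs"]
                           and "eap" not in [name for name, _ in ran])
            findings.append({"server": frame["server"], "authorize": ran,
                             "eap_message_unhandled": eap_missing})
    return findings


if __name__ == "__main__":
    for f in find_unhandled(SAMPLE):
        print(f["server"], f["authorize"], f["eap_message_unhandled"])
```
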
