FW: Problem with PEAP MS-ChapV2 against AD

Graham, Robert rgraham at mem-ins.com
Thu Jan 13 23:45:31 CET 2011


I am testing the new version of FreeRADIUS (v2.1.10) on a CentOS 5
server with Samba 3.4.3 installed.  The ultimate goal is to do 802.1x
port authentication (Vista machines) for wired connections and
authenticate the users against Windows 2008 R2 AD.  I configured Samba
and joined it to the domain, and configured FreeRADIUS per the
instructions on the Wiki.  Testing against AD was successful, so I
configured FreeRADIUS to use EAP-PEAP, generated my own certificates and
ran into problems when testing it out.

When I generated the certificates, I created the server key and server
CSR with openssl.  I signed the CSR with a Windows CA (adding the
XP extensions) and then converted the DER format to PEM using openssl.  I
verified that the certificate did have the Extended Key Attributes:

[root@radius mycerts]# openssl x509 -text -noout -in radius2.pem shows:


            X509v3 Extended Key Usage:
                TLS Web Server Authentication

When I try to authenticate, I did not see any errors, but the end of
the debug output shows:

WARNING:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
WARNING: !! EAP session for state 0x17d5444b10dc5de2 did not finish!
WARNING: !! Please read
http://wiki.freeradius.org/Certificate_Compatibility
WARNING:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Ready to process requests.

I regenerated the certificates with the same results.  Does anyone have
a clue what is happening?  Here is the debug output:

rad_recv: Access-Request packet from host 172.16.1.2 port 1645, id=177,
length=112
        User-Name = "MEM\\test1"
        Service-Type = Framed-User
        Framed-MTU = 1500
        NAS-IP-Address = 172.16.1.2
        NAS-Port = 2
        Calling-Station-Id = "00-1B-78-4E-00-12"
        EAP-Message = 0x02010010014d454d5c7267726168616d
        Message-Authenticator = 0xe1910a3453bca0c7c905bfc2e5cd5aec
# Executing section authorize from file
/usr//etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "MEM\test1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 16
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry DEFAULT at line 53
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /usr//etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 177 to 172.16.1.2 port 1645
        Service-Type = Framed-User
        Framed-Protocol = PPP
        EAP-Message = 0x010200061920
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x17d5444b17d75de2f7dce27aee56b663
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.16.1.2 port 1645, id=178,
length=236
        User-Name = "MEM\\test1"
        Service-Type = Framed-User
        Framed-MTU = 1500
        NAS-IP-Address = 172.16.1.2
        NAS-Port = 2
        Calling-Station-Id = "00-1B-78-4E-00-12"
        State = 0x17d5444b17d75de2f7dce27aee56b663
        EAP-Message =
0x0202007a198000000070160301006b0100006703014d2f6a09730b74f908bd8b719705
896b0b5eb2fe01f3fa3e0c26d38bcffa7361000018002f00350005000ac009c00ac013c0
1400320038001300040100002600000010000e00000b6d656d5c7267726168616d000a00
080006001700180019000b00020100
        Message-Authenticator = 0x63e3265e98a3bb083f39d950ae2ade9f
# Executing section authorize from file
/usr//etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "MEM\test1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 122
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr//etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 112
[peap] Length Included
[peap] eaptls_verify returned 11
[peap]     (other): before/accept initialization
[peap]     TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 006b], ClientHello
[peap]     TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 002a], ServerHello
[peap]     TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 084e], Certificate
[peap]     TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap]     TLS_accept: SSLv3 write server done A
[peap]     TLS_accept: SSLv3 flush data
[peap]     TLS_accept: Need to read more data: SSLv3 read client
certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 178 to 172.16.1.2 port 1645
        EAP-Message =
0x0103040019c00000088b160301002a0200002603014d2f698b6d3788f388aa9228162c
3f76d3fe9a63fe494c39669259b60b9de8ad00002f00160301084e0b00084a0008470004
af308204ab30820393a003020102020a23987bed000000000009300d06092a864886f70d
0101050500304f31133011060a0992268993f22c6401191603636f6d31173015060a0992
268993f22c64011916076d656d2d696e73311f301d060355040313166d656d2d696e732d
4d454d2d4c41422d4443332d4341301e170d3131303131333138313134385a170d313230
3131333138323134385a308190310b30090603550406130255533111300f060355040813
084d
        EAP-Message =
0x6973736f7572693111300f06035504071308436f6c756d626961310c300a060355040a
13034d454d310b3009060355040b13024953311b3019060355040313127261646975732e
6d656d2d696e732e636f6d3123302106092a864886f70d01090116147365637572697479
406d656d2d696e732e636f6d305c300d06092a864886f70d0101010500034b0030480241
00f36a27a2cafae70e6ba4a457802e352b6cb99976513c47cad6ec7585eedc5a565e736d
bbc5377935dc2143414ee3620b1657503df4f5658c6d4549b322db5a090203010001a382
020d30820209301d0603551d0e04160414787066c86e7a89d1c0bc0df2d001a9de5a7590
a630
        EAP-Message =
0x1f0603551d2304183016801477292debc77ac57e073627dba3229e6faf5b76103081d8
0603551d1f0481d03081cd3081caa081c7a081c48681c16c6461703a2f2f2f434e3d6d65
6d2d696e732d4d454d2d4c41422d4443332d43412c434e3d6d656d2d6c61622d6463332c
434e3d4344502c434e3d5075626c69632532304b657925323053657276696365732c434e
3d53657276696365732c434e3d436f6e66696775726174696f6e2c44433d6d656d2d696e
732c44433d636f6d3f63657274696669636174655265766f636174696f6e4c6973743f62
6173653f6f626a656374436c6173733d63524c446973747269627574696f6e506f696e74
3081
        EAP-Message =
0xc806082b060105050701010481bb3081b83081b506082b060105050730028681a86c64
61703a2f2f2f434e3d6d656d2d696e732d4d454d2d4c41422d4443332d43412c434e3d41
49412c434e3d5075626c69632532304b657925323053657276696365732c434e3d536572
76696365732c434e3d436f6e66696775726174696f6e2c44433d6d656d2d696e732c4443
3d636f6d3f634143657274696669636174653f626173653f6f626a656374436c6173733d
63657274696669636174696f6e417574686f72697479300c0603551d130101ff04023000
30130603551d25040c300a06082b06010505070301300d06092a864886f70d0101050500
0382
        EAP-Message = 0x0101003a8b2d68ea968ca3eb
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x17d5444b16d65de2f7dce27aee56b663
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.16.1.2 port 1645, id=179,
length=120
        User-Name = "MEM\\test1"
        Service-Type = Framed-User
        Framed-MTU = 1500
        NAS-IP-Address = 172.16.1.2
        NAS-Port = 2
        Calling-Station-Id = "00-1B-78-4E-00-12"
        State = 0x17d5444b16d65de2f7dce27aee56b663
        EAP-Message = 0x020300061900
        Message-Authenticator = 0x1a2ddd0cffc8a6eeb4bd5af56a73316f
# Executing section authorize from file
/usr//etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "MEM\test1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr//etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 179 to 172.16.1.2 port 1645
        EAP-Message =
0x010403fc19407aa413407a16a4e2e344994d020646636e4b03b012a0a7011631e0a917
fd491b2ad6795c8e210fbeb759e66ace486020b3c2da8778d05bf6b04431547da91e04bc
304cc957f8782b5a6a903608da92903dc7bef79579d77e65b65ab8984156d8a6997219b9
0bbd75db4b432c48d3c97430916cc47a76bc095daedc0f0749f05f51bce08543a2192b78
7f15a208d6a2db4009df5079cf20e7986548032df3b55d36428bceae20295f7b7db4b745
18a92058f72016204e226e158f3b1150dcfca79b3f831954b7917f3b52f22e831506b0f0
3d8970e4be34e73ce4edbfe2b52917939b0a1b3026467291a722f3fafa13ec7ad395d76c
7ee0
        EAP-Message =
0x0003923082038e30820276a00302010202101d65a3c4272ba9ae4000af16adf133e830
0d06092a864886f70d0101050500304f31133011060a0992268993f22c6401191603636f
6d31173015060a0992268993f22c64011916076d656d2d696e73311f301d060355040313
166d656d2d696e732d4d454d2d4c41422d4443332d4341301e170d313031303134303035
3434315a170d3335313031343031303433395a304f31133011060a0992268993f22c6401
191603636f6d31173015060a0992268993f22c64011916076d656d2d696e73311f301d06
0355040313166d656d2d696e732d4d454d2d4c41422d4443332d434130820122300d0609
2a86
        EAP-Message =
0x4886f70d01010105000382010f003082010a0282010100dec78b70f45103e5f3d835b4
d757320e0442c0ce223a37d5148087d0d9cac90f1244fab1b4d6e57bf0f04a9df770d973
d1a35379bd1448159880adb6c059d7bc48c19790b784e0cb0519f73605687435a943a99f
063e36eb4584535c35a7f3d6f4900c54712280080bb229245b8a7f9ec39047ed0e1a906f
632f97d4b75c6369817f85479e6cb009bb5be487ecd7b2186c818efd595b13faafbe0385
5adf655cdf70f23fbc7ddb63c8ea3466ae027252fccb877bc9adebfc4d637faf3f55366c
4fa53cab5dde9edfc1dead59b4b56479ec52fdb91cc8a282ebc2529d41f3088c3858e80b
1628
        EAP-Message =
0x708eda94966f51a236d785f13193e252ea7279b5bd6c2ee4553b0203010001a3663064
301306092b060104018237140204061e0400430041300b0603551d0f040403020186300f
0603551d130101ff040530030101ff301d0603551d0e0416041477292debc77ac57e0736
27dba3229e6faf5b7610301006092b06010401823715010403020100300d06092a864886
f70d010105050003820101004ed045d54a6ec8362174cc3b70e9617f31fcec9951c61f8c
f8e850fed2b86207295690201a1cbb174870927fa6c847289688da1a0b33ee935c9d2b57
83547de88e1b42e1f04aa001fe2af230e35da26b6cfe17ae58b5e4a875c53d7249380777
82df
        EAP-Message = 0x6c3bec718651f019
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x17d5444b15d15de2f7dce27aee56b663
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.16.1.2 port 1645, id=180,
length=120
        User-Name = "MEM\\test1"
        Service-Type = Framed-User
        Framed-MTU = 1500
        NAS-IP-Address = 172.16.1.2
        NAS-Port = 2
        Calling-Station-Id = "00-1B-78-4E-00-12"
        State = 0x17d5444b15d15de2f7dce27aee56b663
        EAP-Message = 0x020400061900
        Message-Authenticator = 0x952d481043dda4da8eca2b39ffd30fcb
# Executing section authorize from file
/usr//etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "MEM\test1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 4 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr//etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 180 to 172.16.1.2 port 1645
        EAP-Message =
0x010500a519002b3a66c8e8526d8ca3c9e036f7c21295735cffc7cca62e8d1da2526a65
a9f79a69c80e259b2ac75781bf6c6f80ec149a46dd773307ecdfc2346ecd140ae08475e2
bbf8d4cc45677d0c0821e9f3b3001899691830b151c99665a689a177a97682fb1a740da6
bf92d05b83f293bc3d3ce00dea49df7eb6d39032dc5e4ad50419e189e57751e10cb9939b
43a4c39b945fa0fd57f05dc01c16030100040e000000
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x17d5444b14d05de2f7dce27aee56b663
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.16.1.2 port 1645, id=181,
length=258
        User-Name = "MEM\\test1"
        Service-Type = Framed-User
        Framed-MTU = 1500
        NAS-IP-Address = 172.16.1.2
        NAS-Port = 2
        Calling-Station-Id = "00-1B-78-4E-00-12"
        State = 0x17d5444b14d05de2f7dce27aee56b663
        EAP-Message =
0x02050090198000000086160301004610000042004019a92f516c2ed12eed5c4b4f4de6
3dbd4200f5c6293ff30e2565451f3775ffcbb01d71c341ac94d80926258517db6c5e7512
05e76bdc724f025dc43e441288b51403010001011603010030b7b8c1cc4e21a2c6fd1e52
308e75c347510b2336a38c4ace61bde40495ac3bc86b53995adf75e9c428d63028edb075
4b
        Message-Authenticator = 0x502b16df4abdeec82fb8a4031b883444
# Executing section authorize from file
/usr//etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "MEM\test1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 5 length 144
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr//etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 134
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange
[peap]     TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap]     TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap]     TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap]     TLS_accept: SSLv3 write finished A
[peap]     TLS_accept: SSLv3 flush data
[peap]     (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 181 to 172.16.1.2 port 1645
        EAP-Message =
0x0106004119001403010001011603010030740816e4b8e4c191780d546c1443a25171c6
2261bb4bbd7fa91dd713403f86418f33de753f3af5259f8ad46ed0d64abf
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x17d5444b13d35de2f7dce27aee56b663
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.16.1.2 port 1645, id=182,
length=120
        User-Name = "MEM\\test1"
        Service-Type = Framed-User
        Framed-MTU = 1500
        NAS-IP-Address = 172.16.1.2
        NAS-Port = 2
        Calling-Station-Id = "00-1B-78-4E-00-12"
        State = 0x17d5444b13d35de2f7dce27aee56b663
        EAP-Message = 0x020600061900
        Message-Authenticator = 0x01334a4b91706f8128e35f10f6c74e0d
# Executing section authorize from file
/usr//etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "MEM\test1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 6 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr//etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state TUNNEL ESTABLISHED
++[eap] returns handled
Sending Access-Challenge of id 182 to 172.16.1.2 port 1645
        EAP-Message =
0x0107002b190017030100201437bd7da4e0d7dccb3f7880d51fa1881eae5c67aad13229
4e712cd80416cfbb
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x17d5444b12d25de2f7dce27aee56b663
Finished request 5.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.16.1.2 port 1645, id=183,
length=173
        User-Name = "MEM\\test1"
        Service-Type = Framed-User
        Framed-MTU = 1500
        NAS-IP-Address = 172.16.1.2
        NAS-Port = 2
        Calling-Station-Id = "00-1B-78-4E-00-12"
        State = 0x17d5444b12d25de2f7dce27aee56b663
        EAP-Message =
0x0207003b1900170301003076edeff553f5cb4d13a2ed7029ba397c77cf9d64c3d4712d
1fc345d3d0dfdd1cec8ba1521e7800fab983b4b9c28068bb
        Message-Authenticator = 0xea354eec0fbb47ee4a142b0d6920754e
# Executing section authorize from file
/usr//etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "MEM\test1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 7 length 59
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr//etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state WAITING FOR INNER IDENTITY
[peap] Identity - MEM\test1
[peap] Got inner identity 'MEM\test1'
[peap] Setting default EAP type for tunneled EAP session.
[peap] Got tunneled request
        EAP-Message = 0x02070010014d454d5c7267726168616d
server  {
  PEAP: Setting User-Name to MEM\test1
Sending tunneled request
        EAP-Message = 0x02070010014d454d5c7267726168616d
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "MEM\\test1"
server inner-tunnel {
# Executing section authorize from file
/usr//etc/raddb/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "MEM\test1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 7 length 16
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /usr//etc/raddb/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
        EAP-Message =
0x010800251a0108002010a088cefe33e2d8f8c4b799ed59c5fb0d4d454d5c7267726168
616d
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xc0c1c1a1c0c9db106b079f71f54582b1
[peap] Got tunneled reply RADIUS code 11
        EAP-Message =
0x010800251a0108002010a088cefe33e2d8f8c4b799ed59c5fb0d4d454d5c7267726168
616d
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xc0c1c1a1c0c9db106b079f71f54582b1
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 183 to 172.16.1.2 port 1645
        EAP-Message =
0x0108004b190017030100402047ac117f1fb44413571911d8cc5218a52dcd31033604e2
4e1884e44ef4d3a56b0540d56451fbbcaa3dc0ba6856c560b31b06642fa27235651d8869
8617735b
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x17d5444b11dd5de2f7dce27aee56b663
Finished request 6.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.16.1.2 port 1645, id=184,
length=221
        User-Name = "MEM\\test1"
        Service-Type = Framed-User
        Framed-MTU = 1500
        NAS-IP-Address = 172.16.1.2
        NAS-Port = 2
        Calling-Station-Id = "00-1B-78-4E-00-12"
        State = 0x17d5444b11dd5de2f7dce27aee56b663
        EAP-Message =
0x0208006b19001703010060ed7d3f594ba21455ac85cb59be5680cbec08cd20c7e2ac70
5c3d5289aadb43318fded2bc16e793b1fe21206e81054dece94dc95f6a5402014a10a21c
4f09d86a069d624832465c2ed89040cda57f84cb0298184274cec6eeb88a17f0198a0594
        Message-Authenticator = 0x4c97f3f00ebaf2a9bd5a748646064d04
# Executing section authorize from file
/usr//etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "MEM\test1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 8 length 107
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr//etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
        EAP-Message =
0x020800461a020800413139db069aec3a1482eaf5437cc12dc36200000000000000002f
f233ba94c6cc0ff8b204e09e8217c1f93dd23f6a175caa004d454d5c7267726168616d
server  {
  PEAP: Setting User-Name to MEM\test1
Sending tunneled request
        EAP-Message =
0x020800461a020800413139db069aec3a1482eaf5437cc12dc36200000000000000002f
f233ba94c6cc0ff8b204e09e8217c1f93dd23f6a175caa004d454d5c7267726168616d
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "MEM\\test1"
        State = 0xc0c1c1a1c0c9db106b079f71f54582b1
server inner-tunnel {
# Executing section authorize from file
/usr//etc/raddb/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "MEM\test1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 8 length 70
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /usr//etc/raddb/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file
/usr//etc/raddb/sites-enabled/inner-tunnel
[mschapv2] +- entering group MS-CHAP {...}
[mschap] Creating challenge hash with username: test1
[mschap] Told to do MS-CHAPv2 for test1 with NT-Password
[mschap]        expand: --username=%{mschap:User-Name:-None} ->
--username=test1
[mschap]        expand: %{mschap:NT-Domain} -> MEM
[mschap]        expand: --domain=%{%{mschap:NT-Domain}:-MEM} ->
--domain=MEM
[mschap]  mschap2: a0
[mschap] Creating challenge hash with username: test1
[mschap]        expand: --challenge=%{mschap:Challenge:-00} ->
--challenge=101d5affa80deb2a
[mschap]        expand: --nt-response=%{mschap:NT-Response:-00} ->
--nt-response=2ff233ba94c6cc0ff8b204e09e8217c1f93dd23f6a175caa
Exec-Program output: NT_KEY: D17434B7303CD6FA2ABE17CDB536D69D
Exec-Program-Wait: plaintext: NT_KEY: D17434B7303CD6FA2ABE17CDB536D69D
Exec-Program: returned: 0
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
MSCHAP Success
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
        EAP-Message =
0x010900331a0308002e533d363836324644434335413636363431333041383135354636
43454332414535354530433031354133
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xc0c1c1a1c1c8db106b079f71f54582b1
[peap] Got tunneled reply RADIUS code 11
        EAP-Message =
0x010900331a0308002e533d363836324644434335413636363431333041383135354636
43454332414535354530433031354133
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xc0c1c1a1c1c8db106b079f71f54582b1
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 184 to 172.16.1.2 port 1645
        EAP-Message =
0x0109005b190017030100503ab95bfb4fc74f8bdbc39c6a332f01e8238c1548c1d905ed
c81dc513033f398190f455a6a164b10035f08c1b0eef983b1174dc9136c66507a8209a06
f26adf1ed27f08e7c1f157ae925b63dc1d3452f0
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x17d5444b10dc5de2f7dce27aee56b663
Finished request 7.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 177 with timestamp +72
Cleaning up request 1 ID 178 with timestamp +72
Cleaning up request 2 ID 179 with timestamp +72
Cleaning up request 3 ID 180 with timestamp +72
Cleaning up request 4 ID 181 with timestamp +72
Cleaning up request 5 ID 182 with timestamp +72
Cleaning up request 6 ID 183 with timestamp +72
Cleaning up request 7 ID 184 with timestamp +72
WARNING:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
WARNING: !! EAP session for state 0x17d5444b10dc5de2 did not finish!
WARNING: !! Please read
http://wiki.freeradius.org/Certificate_Compatibility
WARNING:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
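Added example, not code from the original post or from the FreeRADIUS project: a small Python parser for the radiusd -X output format shown above. It links each Access-Request to the Access-Challenge that preceded it through the RADIUS State attribute, decodes the EAP-Message header (code, id, type, EAP-TLS flags and the TLS record type that follows), and lists conversations that ended without an Access-Accept or Access-Reject, which is what the "EAP session ... did not finish" warning reports. SAMPLE_LOG is a constructed, condensed log; the regular expressions match the line shapes in the debug output above but are otherwise assumptions about the 2.1.x log format, and the State-prefix key is assumed to be the 8 bytes the warning prints.

```python
# Added example, not code from the original post or the FreeRADIUS project: group
# radiusd -X output into EAP conversations via the State attribute and report the
# ones that never reached an Access-Accept or Access-Reject.
import re

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 25: "PEAP", 26: "MSCHAPv2"}
TLS_CONTENT = {0x14: "ChangeCipherSpec", 0x15: "Alert", 0x16: "Handshake", 0x17: "ApplicationData"}
RECV = re.compile(r"^rad_recv: (Access-Request) packet from host \S+ port \d+, id=(\d+)")
SEND = re.compile(r"^Sending (Access-\w+) of id (\d+) to ")
ATTR = re.compile(r"^\s+([\w-]+) =\s*(.*)$")       # indented "Name = value" lines
HEXCONT = re.compile(r"^[0-9a-fx]+$")               # wrapped continuation of a long hex value
NOTE = re.compile(r"^(\[peap\] Peap state |\[peap\] <<< |\[peap\] >>> |MSCHAP )")

# Constructed, condensed sample in the radiusd -X line format (not a real capture).
SAMPLE_LOG = r"""
rad_recv: Access-Request packet from host 172.16.1.2 port 1645, id=177,
        User-Name = "MEM\\test1"
        EAP-Message = 0x0201000e014d454d5c7465737431
Sending Access-Challenge of id 177 to 172.16.1.2 port 1645
        EAP-Message = 0x010200061920
        State = 0x17d5444b17d75de2f7dce27aee56b663
rad_recv: Access-Request packet from host 172.16.1.2 port 1645, id=184,
        State = 0x17d5444b17d75de2f7dce27aee56b663
        EAP-Message =
0x0208001519800000000b1703010006
a1b2c3d4e5f6
[peap] Peap state phase2
MSCHAP Success
[peap] Got tunneled request
        EAP-Message = 0x020800461a0208004131
Sending Access-Challenge of id 184 to 172.16.1.2 port 1645
        EAP-Message = 0x0109000d19001703010002eeff
        State = 0x17d5444b10dc5de2f7dce27aee56b663
rad_recv: Access-Request packet from host 172.16.1.2 port 1645, id=190,
        User-Name = "MEM\\test2"
        EAP-Message = 0x0201000e014d454d5c7465737432
Sending Access-Accept of id 190 to 172.16.1.2 port 1645
        EAP-Message = 0x03010004
"""

def decode_eap(hex_message):
    """Decode the RFC 3748 EAP header; for PEAP (type 25) also the EAP-TLS flags byte."""
    data = bytes.fromhex(hex_message[2:] if hex_message.startswith("0x") else hex_message)
    info = {"code": EAP_CODES.get(data[0], data[0]), "id": data[1], "length": int.from_bytes(data[2:4], "big")}
    if len(data) > 4:
        info["type"] = EAP_TYPES.get(data[4], data[4])
    if len(data) > 5 and data[4] == 25:
        flags = data[5]   # L (length included), M (more fragments), S (PEAP start) bits
        info.update(length_included=bool(flags & 0x80), more_fragments=bool(flags & 0x40), start=bool(flags & 0x20))
        payload = data[10:] if flags & 0x80 else data[6:]   # skip the 4-byte TLS length when L is set
        if payload:
            info["tls_record"] = TLS_CONTENT.get(payload[0], payload[0])
    return info

def parse_packets(log_text):
    """Yield received and sent packets with their outer attributes and notable processing lines."""
    packet, attr = {"kind": None, "attrs": {}, "notes": []}, None   # attr: name whose value wraps
    for line in log_text.splitlines():
        line = line.rstrip()
        m = RECV.match(line) or SEND.match(line)
        if m:
            if packet["kind"]:
                yield packet
            packet, attr = {"kind": m.group(1), "id": int(m.group(2)), "attrs": {}, "notes": []}, None
        elif (m := ATTR.match(line)):
            name, value = m.groups()
            attr = None if name in packet["attrs"] else name   # tunneled copies repeat names; keep the outer
            if attr:
                packet["attrs"][name] = value
        elif attr and HEXCONT.match(line.strip()):
            packet["attrs"][attr] += line.strip()
        else:
            attr = None
            if NOTE.match(line):
                packet["notes"].append(line)
    if packet["kind"]:
        yield packet

def track_sessions(log_text):
    """Group packets into conversations keyed by the 8-byte State prefix the warning prints."""
    sessions, by_state, current = [], {}, None
    for pkt in parse_packets(log_text):
        attrs, state = pkt["attrs"], pkt["attrs"].get("State")
        if pkt["kind"] == "Access-Request":
            current = by_state.get(state)
            if current is None:   # no or unknown State: a new conversation starts here
                current = {"key": None, "round_trips": 0, "outcome": None, "steps": [], "last_eap": None}
                sessions.append(current)
            current["round_trips"] += 1
            current["steps"] += pkt["notes"]
        elif current is None:
            continue              # reply to a request we never saw
        elif pkt["kind"] == "Access-Challenge" and state:
            by_state[state] = current   # the next request must echo this State
            current["key"] = state[:18]
        elif pkt["kind"] != "Access-Challenge":
            current["outcome"] = pkt["kind"]   # Access-Accept or Access-Reject
        if "EAP-Message" in attrs:
            current["last_eap"] = decode_eap(attrs["EAP-Message"])
    return sessions

def unfinished(log_text):
    return [s for s in track_sessions(log_text) if s["outcome"] is None]
```

Run against the full debug output above, the same bookkeeping shows one conversation whose last server packet was the Access-Challenge of id 184 (the PEAP request carrying the inner MS-CHAPv2 success) with no further Access-Request echoing its State: the tunnelled authentication succeeded and the supplicant then went silent, which is the situation the certificate-compatibility warning points at.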
