Error: User-Name is not the same as MS-CHAP name
Robert Mc Cready
robert-mccready at cspi.qc.ca
Tue May 10 17:08:47 CEST 2011
Here it is:
FreeRADIUS Debugging Output
This colorized output was produced by an automated tool from Network RADIUS
--------------------------------------------------------------------------------
Packet 0
--------------------------------------------------------------------------------
rad_recv: Access-Request packet from host 10.220.30.5 port 29002, id=171, length=177
User-Name = "CAD08862\\ldapuser"
NAS-IP-Address = 10.220.30.5
NAS-Port = 0
Called-Station-Id = "58-16-26-AA-F7-B1:WIRELESS"
Calling-Station-Id = "00-16-EA-C5-78-9C"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11g"
EAP-Message = 0x020b00150143414430383836325c54656368524d43
Message-Authenticator = 0x0a731b00ed8632709fd7a0cd73425aac
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "CAD08862\ldapuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 11 length 21
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 171 to 10.220.30.5 port 29002
EAP-Message = 0x010c00160410b6e7676fb05991e0012286fb7d646c1e
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa5fe4130a5f2453a08d7b8b3e893ab3f
Finished request 229.
Going to the next request
Waking up in 4.9 seconds.
Packet 1
--------------------------------------------------------------------------------
rad_recv: Access-Request packet from host 10.220.30.5 port 29002, id=172, length=180
User-Name = "CAD08862\\ldapuser"
NAS-IP-Address = 10.220.30.5
NAS-Port = 0
Called-Station-Id = "58-16-26-AA-F7-B1:WIRELESS"
Calling-Station-Id = "00-16-EA-C5-78-9C"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11g"
EAP-Message = 0x020c00060319
State = 0xa5fe4130a5f2453a08d7b8b3e893ab3f
Message-Authenticator = 0xa70f38635c3dc90b94a63ba069f76ebb
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "CAD08862\ldapuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 12 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/peap
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 172 to 10.220.30.5 port 29002
EAP-Message = 0x010d00061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa5fe4130a4f3583a08d7b8b3e893ab3f
Finished request 230.
Going to the next request
Waking up in 4.9 seconds.
Packet 2
--------------------------------------------------------------------------------
rad_recv: Access-Request packet from host 10.220.30.5 port 29002, id=173, length=254
User-Name = "CAD08862\\ldapuser"
NAS-IP-Address = 10.220.30.5
NAS-Port = 0
Called-Station-Id = "58-16-26-AA-F7-B1:WIRELESS"
Calling-Station-Id = "00-16-EA-C5-78-9C"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11g"
EAP-Message = 0x020d005019800000004616030100410100003d03014dc932cb ...
State = 0xa5fe4130a4f3583a08d7b8b3e893ab3f
Message-Authenticator = 0x2e2e0708c73b34e905daee695ee8032a
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "CAD08862\ldapuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 13 length 80
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 70
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 0041], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 002a], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 085e], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 173 to 10.220.30.5 port 29002
EAP-Message = 0x010e040019c00000089b160301002a0200002603014dc932cb ...
EAP-Message = 0x301e170d3131303531303131343933315a170d313230353039 ...
EAP-Message = 0x247a871d8a28fca6ca77871f75158cb881bc154162482826dd ...
EAP-Message = 0x3ca0d3dd2e4fe050819da932da5eb9b05a8732cdbfae1ecd97 ...
EAP-Message = 0xa73082038fa0030201020209
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa5fe4130a7f0583a08d7b8b3e893ab3f
Finished request 231.
Going to the next request
Waking up in 4.9 seconds.
Packet 3
--------------------------------------------------------------------------------
rad_recv: Access-Request packet from host 10.220.30.5 port 29002, id=174, length=180
User-Name = "CAD08862\\ldapuser"
NAS-IP-Address = 10.220.30.5
NAS-Port = 0
Called-Station-Id = "58-16-26-AA-F7-B1:WIRELESS"
Calling-Station-Id = "00-16-EA-C5-78-9C"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11g"
EAP-Message = 0x020e00061900
State = 0xa5fe4130a7f0583a08d7b8b3e893ab3f
Message-Authenticator = 0x299e7d9bc6c1576d75b2dc575bb8d131
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "CAD08862\ldapuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 14 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 174 to 10.220.30.5 port 29002
EAP-Message = 0x010f03fc194000ae4924c977166296300d06092a864886f70d ...
EAP-Message = 0x071309536f6d65776865726531153013060355040a130c4578 ...
EAP-Message = 0x9f6d4aba6ff7e424f8e3053ecd0d88e8e2b8441d43588d5519 ...
EAP-Message = 0x0813065261646975733112301006035504071309536f6d6577 ...
EAP-Message = 0x912aa6d3291cd0dc
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa5fe4130a6f1583a08d7b8b3e893ab3f
Finished request 232.
Going to the next request
Waking up in 4.9 seconds.
Packet 4
--------------------------------------------------------------------------------
rad_recv: Access-Request packet from host 10.220.30.5 port 29002, id=175, length=180
User-Name = "CAD08862\\ldapuser"
NAS-IP-Address = 10.220.30.5
NAS-Port = 0
Called-Station-Id = "58-16-26-AA-F7-B1:WIRELESS"
Calling-Station-Id = "00-16-EA-C5-78-9C"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11g"
EAP-Message = 0x020f00061900
State = 0xa5fe4130a6f1583a08d7b8b3e893ab3f
Message-Authenticator = 0x21deff950681e5b9ed5d0b915238df63
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "CAD08862\ldapuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 15 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 175 to 10.220.30.5 port 29002
EAP-Message = 0x011000b519000dd9a5fde73f897737b0f264443de17265d729 ...
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa5fe4130a1ee583a08d7b8b3e893ab3f
Finished request 233.
Going to the next request
Waking up in 4.9 seconds.
Packet 5
--------------------------------------------------------------------------------
rad_recv: Access-Request packet from host 10.220.30.5 port 29002, id=176, length=496
User-Name = "CAD08862\\ldapuser"
NAS-IP-Address = 10.220.30.5
NAS-Port = 0
Called-Station-Id = "58-16-26-AA-F7-B1:WIRELESS"
Calling-Station-Id = "00-16-EA-C5-78-9C"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11g"
EAP-Message = 0x0210014019800000013616030101061000010201000cd623d8 ...
EAP-Message = 0x7e97ab57b201610cb97da732dc3ea2fa8d945c59af7f5d6e14 ...
State = 0xa5fe4130a1ee583a08d7b8b3e893ab3f
Message-Authenticator = 0x9b6a444a93ad642167d08affdee03b15
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "CAD08862\ldapuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 16 length 253
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 310
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange
[peap] TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap] TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 write finished A
[peap] TLS_accept: SSLv3 flush data
[peap] (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 176 to 10.220.30.5 port 29002
EAP-Message = 0x01110031190014030100010116030100208a615f5002c2f168 ...
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa5fe4130a0ef583a08d7b8b3e893ab3f
Finished request 234.
Going to the next request
Waking up in 4.8 seconds.
Packet 6
--------------------------------------------------------------------------------
rad_recv: Access-Request packet from host 10.220.30.5 port 29002, id=177, length=180
User-Name = "CAD08862\\ldapuser"
NAS-IP-Address = 10.220.30.5
NAS-Port = 0
Called-Station-Id = "58-16-26-AA-F7-B1:WIRELESS"
Calling-Station-Id = "00-16-EA-C5-78-9C"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11g"
EAP-Message = 0x021100061900
State = 0xa5fe4130a0ef583a08d7b8b3e893ab3f
Message-Authenticator = 0x40f129dcea3d601dbd5f744da4c406c3
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "CAD08862\ldapuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 17 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state TUNNEL ESTABLISHED
++[eap] returns handled
Sending Access-Challenge of id 177 to 10.220.30.5 port 29002
EAP-Message = 0x011200201900170301001586534e83dd452d3c59548f8ad4e9 ...
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa5fe4130a3ec583a08d7b8b3e893ab3f
Finished request 235.
Going to the next request
Waking up in 4.8 seconds.
Packet 7
--------------------------------------------------------------------------------
rad_recv: Access-Request packet from host 10.220.30.5 port 29002, id=178, length=218
User-Name = "CAD08862\\ldapuser"
NAS-IP-Address = 10.220.30.5
NAS-Port = 0
Called-Station-Id = "58-16-26-AA-F7-B1:WIRELESS"
Calling-Station-Id = "00-16-EA-C5-78-9C"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11g"
EAP-Message = 0x0212002c19001703010021a58a75cc4381a250bba38251cd2c ...
State = 0xa5fe4130a3ec583a08d7b8b3e893ab3f
Message-Authenticator = 0x265a6aa891e196ddbd3280a30cfb3e0f
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "CAD08862\ldapuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 18 length 44
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state WAITING FOR INNER IDENTITY
[peap] Identity - CAD08862\ldapuser
[peap] Got inner identity 'CAD08862\ldapuser'
[peap] Setting default EAP type for tunneled EAP session.
[peap] Got tunneled request
EAP-Message = 0x021200150143414430383836325c54656368524d43
server {
PEAP: Setting User-Name to CAD08862\ldapuser
Sending tunneled request
EAP-Message = 0x021200150143414430383836325c54656368524d43
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "CAD08862\\ldapuser"
server inner-tunnel {
# Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
+- entering group authorize {...}
++? if (User-Name !~ /^host\//)
? Evaluating (User-Name !~ /^host\//) -> TRUE
++? if (User-Name !~ /^host\//) -> TRUE
++- entering if (User-Name !~ /^host\//) {...}
+++[control] returns notfound
++- if (User-Name !~ /^host\//) returns notfound
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "CAD08862\ldapuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[copy.user-name] expand: %{User-Name} -> CAD08862\ldapuser
copy.user-name: Added attribute Stripped-User-Name with value 'CAD08862\ldapuser'
++[copy.user-name] returns ok
[remove-domain-name] expand: (.nw2.test.local) -> (.nw2.test.local)
remove-domain-name: Does not match: Stripped-User-Name = CAD08862\ldapuser
++[remove-domain-name] returns ok
[add-dollar-sign] expand: ^(host/.*) -> ^(host/.*)
add-dollar-sign: Does not match: Stripped-User-Name = CAD08862\ldapuser
++[add-dollar-sign] returns ok
[strip-realm-name] expand: ^(.*[\/]+) -> ^(.*[\/]+)
strip-realm-name: Changed value for attribute Stripped-User-Name from 'CAD08862\ldapuser' to 'ldapuser'
++[strip-realm-name] returns ok
[ntdomain] Looking up realm "CAD08862" for User-Name = "CAD08862\ldapuser"
[ntdomain] No such realm "CAD08862"
++[ntdomain] returns noop
++[control] returns noop
[eap] EAP packet type response id 18 length 21
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[ldap] performing user authorization for CAD08862\ldapuser
[ldap] expand: %{Stripped-User-Name} -> ldapuser
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=ldapuser)
[ldap] expand: o=test -> o=test
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in o=test, with filter (uid=ldapuser)
[ldap] Added the eDirectory password 1234567 in check items as Cleartext-Password
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
[ldap] user CAD08862\ldapuser authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
EAP-Message = 0x0113002a1a0113002510cf908a1b7ebf4d936c15f1224e9ed3 ...
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xb1d14868b1c252824a02ce38607236ef
[peap] Got tunneled reply RADIUS code 11
EAP-Message = 0x0113002a1a0113002510cf908a1b7ebf4d936c15f1224e9ed3 ...
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xb1d14868b1c252824a02ce38607236ef
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 178 to 10.220.30.5 port 29002
EAP-Message = 0x011300411900170301003636791f38ba2c2c44f57b5e62c92e ...
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa5fe4130a2ed583a08d7b8b3e893ab3f
Finished request 236.
Going to the next request
Waking up in 4.8 seconds.
Packet 8
--------------------------------------------------------------------------------
rad_recv: Access-Request packet from host 10.220.30.5 port 29002, id=179, length=263
User-Name = "CAD08862\\ldapuser"
NAS-IP-Address = 10.220.30.5
NAS-Port = 0
Called-Station-Id = "58-16-26-AA-F7-B1:WIRELESS"
Calling-Station-Id = "00-16-EA-C5-78-9C"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11g"
EAP-Message = 0x021300591900170301004ebc0a4c73422ad0f2958deff363d6 ...
State = 0xa5fe4130a2ed583a08d7b8b3e893ab3f
Message-Authenticator = 0x7db4139bac8a822e9a923f4758080856
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "CAD08862\ldapuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 19 length 89
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
EAP-Message = 0x021300421a0213003d315d7829b8f975c70fa9a07456cb5f19 ...
server {
PEAP: Setting User-Name to CAD08862\ldapuser
Sending tunneled request
EAP-Message = 0x021300421a0213003d315d7829b8f975c70fa9a07456cb5f19 ...
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "CAD08862\\ldapuser"
State = 0xb1d14868b1c252824a02ce38607236ef
server inner-tunnel {
# Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
+- entering group authorize {...}
++? if (User-Name !~ /^host\//)
? Evaluating (User-Name !~ /^host\//) -> TRUE
++? if (User-Name !~ /^host\//) -> TRUE
++- entering if (User-Name !~ /^host\//) {...}
+++[control] returns notfound
++- if (User-Name !~ /^host\//) returns notfound
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "CAD08862\ldapuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[copy.user-name] expand: %{User-Name} -> CAD08862\ldapuser
copy.user-name: Added attribute Stripped-User-Name with value 'CAD08862\ldapuser'
++[copy.user-name] returns ok
[remove-domain-name] expand: (.nw2.test.local) -> (.nw2.test.local)
remove-domain-name: Does not match: Stripped-User-Name = CAD08862\ldapuser
++[remove-domain-name] returns ok
[add-dollar-sign] expand: ^(host/.*) -> ^(host/.*)
add-dollar-sign: Does not match: Stripped-User-Name = CAD08862\ldapuser
++[add-dollar-sign] returns ok
[strip-realm-name] expand: ^(.*[\/]+) -> ^(.*[\/]+)
strip-realm-name: Changed value for attribute Stripped-User-Name from 'CAD08862\ldapuser' to 'ldapuser'
++[strip-realm-name] returns ok
[ntdomain] Looking up realm "CAD08862" for User-Name = "CAD08862\ldapuser"
[ntdomain] No such realm "CAD08862"
++[ntdomain] returns noop
++[control] returns noop
[eap] EAP packet type response id 19 length 66
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[ldap] performing user authorization for CAD08862\ldapuser
[ldap] expand: %{Stripped-User-Name} -> ldapuser
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=ldapuser)
[ldap] expand: o=test -> o=test
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in o=test, with filter (uid=ldapuser)
[ldap] Added the eDirectory password 1234567 in check items as Cleartext-Password
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
[ldap] user CAD08862\ldapuser authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
[mschapv2] +- entering group MS-CHAP {...}
[mschap] ERROR: User-Name (CAD08862\ldapuser) is not the same as MS-CHAP Name (ldapuser) from EAP-MSCHAPv2
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
} # server inner-tunnel
[peap] Got tunneled reply code 3
EAP-Message = 0x04130004
Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code 3
EAP-Message = 0x04130004
Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] returns handled
Sending Access-Challenge of id 179 to 10.220.30.5 port 29002
EAP-Message = 0x011400261900170301001b042d951bea675042a05ce3fed5c1 ...
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa5fe4130adea583a08d7b8b3e893ab3f
Finished request 237.
Going to the next request
Waking up in 4.8 seconds.
Packet 9
--------------------------------------------------------------------------------
rad_recv: Access-Request packet from host 10.220.30.5 port 29002, id=180, length=212
User-Name = "CAD08862\\ldapuser"
NAS-IP-Address = 10.220.30.5
NAS-Port = 0
Called-Station-Id = "58-16-26-AA-F7-B1:WIRELESS"
Calling-Station-Id = "00-16-EA-C5-78-9C"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11g"
EAP-Message = 0x021400261900170301001b7a27bfb0b0524f3a9afbf1b1f407 ...
State = 0xa5fe4130adea583a08d7b8b3e893ab3f
Message-Authenticator = 0xe8c786bb73038b5f6172a3637d73a61d
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "CAD08862\ldapuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 20 length 38
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state send tlv failure
[peap] Received EAP-TLV response.
[peap] The users session was previously rejected: returning reject (again.)
[peap] *** This means you need to read the PREVIOUS messages in the debug output
[peap] *** to find out the reason why the user was rejected.
[peap] *** Look for "reject" or "fail". Those earlier messages will tell you.
[peap] *** what went wrong, and how to fix the problem.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> CAD08862\ldapuser
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 238 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 238
Sending Access-Reject of id 180 to 10.220.30.5 port 29002
EAP-Message = 0x04140004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.8 seconds.
Cleaning up request 229 ID 171 with timestamp +857
Cleaning up request 230 ID 172 with timestamp +857
Cleaning up request 231 ID 173 with timestamp +857
Cleaning up request 232 ID 174 with timestamp +857
Cleaning up request 233 ID 175 with timestamp +857
Cleaning up request 234 ID 176 with timestamp +857
Cleaning up request 235 ID 177 with timestamp +857
Cleaning up request 236 ID 178 with timestamp +857
Cleaning up request 237 ID 179 with timestamp +857
Waking up in 1.0 seconds.
---------------------------------------------------------------------------
On 05/10/2011 03:35 PM, Robert Mc Cready wrote:
> If the User-Name is being rewritten it is not intentional.
>
> Now, I reinstalled from scratch, saved the default configuration, joined the
> server to the domain, modified clients.conf, attr_rewrite, ldap, mschap and
> inner-tunnel and ran diff. I can see in the debug output of the server that
> User-Name = "CAD08862\\ldapuser" but I don't know what I am doing wrong.
>
> http://www.cspi.qc.ca/sinfrmc/windowsxp2.htm
I presume there's a debug at this URL, but I have no reachability to it
from where I am (tried from a couple of different source networks):
17 Vlan1999.icore1.MTT-Montreal.as6453.net (216.6.115.54) 90.786 ms 90.770 ms 90.740 ms
18 Vlan50.icore1.MTT-Montreal.as6453.net (206.82.135.10) 90.800 ms 90.918 ms 91.056 ms
19 tge-1-3.ar1.mtl2.mtotelecom.net (64.254.224.165) 91.241 ms 90.598 ms 90.634 ms
20 tge-1-2.ar1.mtrlpq07.mtotelecom.net (64.254.224.198) 79.405 ms 79.282 ms 79.230 ms
21 * * *
22 * * *
23 * * *
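The EAP-Message values in the debug output above are the raw EAP packets that the surrounding log lines describe: the EAP-NAK asking for PEAP, the PEAP Start, the ClientHello fragment behind "TLS Length 70" and "[length 0041]", the ServerHello fragment with both the L and M flags set, the EAP-MSCHAPv2 challenge and response inside the tunnel, and the EAP-Failure of the inner Access-Reject. The decoder below is an added example written for this page; it is not FreeRADIUS code and was not part of the original post. It reads the fixed-size header fields of those values (copied from the log; the long ones are truncated there, so only their headers are decoded), builds an EAP Identity response matching the User-Name shown in the log (a constructed sample, since the Identity bytes are not reused from the log), reproduces the POSIX regex of the inner-tunnel strip-realm-name rule in Python syntax, and performs the User-Name versus MS-CHAP Name comparison that the "[mschap] ERROR" line reports. Dictionary keys, function names and the LOG_MESSAGES labels are my own choices.

```python
"""Decode EAP-Message values from the FreeRADIUS debug output above.

Added example for this page, not FreeRADIUS code and not part of the original post.
Only fixed-size header fields are read, because radiusd -X truncates long values ('...').
"""
import re

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "TLS", 25: "PEAP", 26: "MSCHAPv2"}
TLS_CONTENT = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
HANDSHAKE = {1: "ClientHello", 2: "ServerHello", 11: "Certificate", 14: "ServerHelloDone",
             16: "ClientKeyExchange", 20: "Finished"}
MSCHAPV2_OPCODES = {1: "Challenge", 2: "Response", 3: "Success", 4: "Failure"}


def decode_eap(hexstr):
    """Parse one EAP-Message value ("0x..." as printed by radiusd -X) into a dict."""
    data = bytes.fromhex(hexstr.strip().removeprefix("0x").rstrip("."))
    code, ident, length = data[0], data[1], int.from_bytes(data[2:4], "big")
    out = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (3, 4) or len(data) < 5:          # Success/Failure carry no Type byte
        return out
    eap_type, body = data[4], data[5:]
    out["type"] = EAP_TYPES.get(eap_type, eap_type)
    if eap_type == 1:                            # Identity: the NAI as raw bytes
        out["identity"] = body.decode("latin-1")
    elif eap_type == 3:                          # Nak: the types the peer will accept
        out["desired_types"] = [EAP_TYPES.get(t, t) for t in body]
    elif eap_type == 4:                          # MD5-Challenge: Value-Size, Value, Name
        out["value_size"] = body[0]
    elif eap_type == 25:                         # PEAP: Flags, optional TLS length, TLS records
        flags = body[0]
        out["flags"] = {"L": bool(flags & 0x80), "M": bool(flags & 0x40),
                        "S": bool(flags & 0x20), "version": flags & 0x07}
        rec = body[1:]
        if flags & 0x80:                         # L set: 4-byte length of the whole TLS message
            out["tls_message_length"] = int.from_bytes(body[1:5], "big")
            rec = body[5:]
        if len(rec) >= 5:                        # TLS record header: type, version, length
            out["tls_record"] = {"content": TLS_CONTENT.get(rec[0], rec[0]),
                                 "version": (rec[1], rec[2]),
                                 "length": int.from_bytes(rec[3:5], "big")}
            if rec[0] == 22 and len(rec) >= 9:   # plaintext handshake: msg type + 3-byte length
                out["handshake"] = {"type": HANDSHAKE.get(rec[5], rec[5]),
                                    "length": int.from_bytes(rec[6:9], "big")}
    elif eap_type == 26:                         # EAP-MSCHAPv2: OpCode, MS-CHAPv2-ID, MS-Length
        opcode, ms_len = body[0], int.from_bytes(body[2:4], "big")
        out["mschapv2"] = {"opcode": MSCHAPV2_OPCODES.get(opcode, opcode),
                           "id": body[1], "ms_length": ms_len}
        if opcode in (1, 2):                     # Challenge/Response: Value-Size, Value, Name
            out["mschapv2"]["value_size"] = body[4]
            # The Name that rlm_mschap compares against User-Name is whatever MS-Length
            # leaves after OpCode(1) + ID(1) + MS-Length(2) + Value-Size(1) + Value.
            out["mschapv2"]["name_length"] = ms_len - 5 - body[4]
    return out


def identity_response(ident, name):
    """Build an EAP Identity response; a constructed sample, not copied from the log."""
    payload = b"\x01" + name.encode()
    return "0x" + (bytes([2, ident]) + (4 + len(payload)).to_bytes(2, "big") + payload).hex()


# The inner-tunnel strip-realm-name rule in the log uses the POSIX regex ^(.*[\/]+),
# where a backslash inside [...] is literal; this is the same class in Python syntax.
STRIP_REALM = re.compile(r"^(.*[\\/]+)")


def strip_realm(name):
    """Drop everything up to the last backslash or slash, as strip-realm-name did."""
    return STRIP_REALM.sub("", name, count=1)


def mschap_name_check(user_name, mschap_name):
    """The comparison behind the '[mschap] ERROR' line: the two names must be identical.

    'after_strip' shows that the only difference is the DOMAIN\\ prefix that the inner
    tunnel had already removed from Stripped-User-Name, but not from User-Name.
    """
    return {"exact": user_name == mschap_name,
            "after_strip": strip_realm(user_name) == strip_realm(mschap_name)}


# EAP-Message values copied from the debug output above (the truncated ones keep only
# their first bytes, which is enough for the headers decoded here).
LOG_MESSAGES = {
    "md5_challenge": "0x010c00160410b6e7676fb05991e0012286fb7d646c1e",
    "nak_for_peap": "0x020c00060319",
    "peap_start": "0x010d00061920",
    "client_hello_frag": "0x020d005019800000004616030100410100003d03014dc932cb",
    "server_hello_frag": "0x010e040019c00000089b160301002a0200002603014dc932cb",
    "mschapv2_challenge": "0x0113002a1a0113002510cf908a1b7ebf4d936c15f1224e9ed3",
    "mschapv2_response": "0x021300421a0213003d315d7829b8f975c70fa9a07456cb5f19",
    "inner_eap_failure": "0x04130004",
}

if __name__ == "__main__":
    for label, msg in LOG_MESSAGES.items():
        print(f"{label:20s} {decode_eap(msg)}")
    print(decode_eap(identity_response(11, "CAD08862\\ldapuser")))
    print(mschap_name_check("CAD08862\\ldapuser", "ldapuser"))
```

Running it reproduces the numbers the log reports in prose (length 80 and "TLS Length 70" for the ClientHello fragment, the 0x41-byte handshake record, a 1024-byte ServerHello fragment with more to follow) and shows that mschap_name_check("CAD08862\\ldapuser", "ldapuser") is exact=False, after_strip=True: the two identities the client sent differ only by the domain prefix, which is what the inner-tunnel rewrite removed from Stripped-User-Name while User-Name kept it.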