Error: User-Name is not the same as MS-CHAP name
Francois Gaudreault
fgaudreault at inverse.ca
Sat May 28 19:33:46 CEST 2011
Hi,
Here is the complete debug log:
rad_recv: Access-Request packet from host 10.220.30.5 port 29010,
id=194, length=179
User-Name = "STIC08862\\TechRMC"
NAS-IP-Address = 10.220.30.5
NAS-Port = 0
Called-Station-Id = "58-16-26-AA-F7-A1:AVAYA-RESEAU"
Calling-Station-Id = "00-16-EA-C5-78-9C"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11a"
EAP-Message = 0x02000016015354494330383836325c54656368524d43
Message-Authenticator = 0xfa084ddf06908a03fe823772e3df038e
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
[suffix] No '@' in User-Name = "STIC08862\TechRMC", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] Looking up realm "STIC08862" for User-Name = "STIC08862\TechRMC"
[ntdomain] No such realm "STIC08862"
++[ntdomain] returns noop
++? if ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/)
expand: %{User-Name} -> STIC08862\TechRMC
? Evaluating ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/) -> FALSE
++? if ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/) -> FALSE
++[preprocess] returns ok
[eap] EAP packet type response id 0 length 22
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[ldap] performing user authorization for STIC08862\TechRMC
[ldap] expand: (uid=%{mschap:User-Name}) -> (uid=TechRMC)
[ldap] expand: o=CSPI -> o=CSPI
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in o=CSPI, with filter (uid=TechRMC)
[ldap] Added the eDirectory password 1234567 in check items as
Cleartext-Password
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
[ldap] user STIC08862\TechRMC authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 194 to 10.220.30.5 port 29010
EAP-Message = 0x010100061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x309c14c6309d0dd14b00d913c56dbe3f
Finished request 78.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.220.30.5 port 29010,
id=195, length=255
User-Name = "STIC08862\\TechRMC"
NAS-IP-Address = 10.220.30.5
NAS-Port = 0
Called-Station-Id = "58-16-26-AA-F7-A1:AVAYA-RESEAU"
Calling-Station-Id = "00-16-EA-C5-78-9C"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11a"
EAP-Message =
0x0201005019800000004616030100410100003d03014de118d0fb7ad90b86758750890c116038cb55d9c09e4f2b4228a03e019e3d4200001600040005000a000900640062000300060013001200630100
State = 0x309c14c6309d0dd14b00d913c56dbe3f
Message-Authenticator = 0xbb36f856b12e7151d07b7f62bb8ac4d1
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
[suffix] No '@' in User-Name = "STIC08862\TechRMC", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] Looking up realm "STIC08862" for User-Name = "STIC08862\TechRMC"
[ntdomain] No such realm "STIC08862"
++[ntdomain] returns noop
++? if ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/)
expand: %{User-Name} -> STIC08862\TechRMC
? Evaluating ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/) -> FALSE
++? if ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/) -> FALSE
++[preprocess] returns ok
[eap] EAP packet type response id 1 length 80
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 70
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 0041], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 002a], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 085e], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client
certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 195 to 10.220.30.5 port 29010
EAP-Message =
0x0102040019c00000089b160301002a0200002603014de118cc589bf7890a69fb3f645cbd3f8fb8e69b0de774081f186249cbb1fab400000400160301085e0b00085a0008570003a6308203a23082028aa003020102020101300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479
EAP-Message =
0x301e170d3131303532363131323630315a170d3132303532353131323630315a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100abc6704165a82539a0386d451ff1ef7af0b77a030e0ece6ae83f509f03075fc22f4314bed080131a3f4ce4836d78b9f839e787dcf28407ebe4b4976a23b8
EAP-Message =
EAP-Message =
EAP-Message = 0xa73082038fa0030201020209
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x309c14c6319e0dd14b00d913c56dbe3f
Finished request 79.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.220.30.5 port 29010,
id=196, length=181
User-Name = "STIC08862\\TechRMC"
NAS-IP-Address = 10.220.30.5
NAS-Port = 0
Called-Station-Id = "58-16-26-AA-F7-A1:AVAYA-RESEAU"
Calling-Station-Id = "00-16-EA-C5-78-9C"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11a"
EAP-Message = 0x020200061900
State = 0x309c14c6319e0dd14b00d913c56dbe3f
Message-Authenticator = 0xa462f5cd5ac6dd277077e9011fbf9c14
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
[suffix] No '@' in User-Name = "STIC08862\TechRMC", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] Looking up realm "STIC08862" for User-Name = "STIC08862\TechRMC"
[ntdomain] No such realm "STIC08862"
++[ntdomain] returns noop
++? if ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/)
expand: %{User-Name} -> STIC08862\TechRMC
? Evaluating ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/) -> FALSE
++? if ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/) -> FALSE
++[preprocess] returns ok
[eap] EAP packet type response id 2 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 196 to 10.220.30.5 port 29010
EAP-Message =
EAP-Message =
0x071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100bc17ac5d732962b1d8b9930162674dbc7ed2c21a022847f8d0bbf631b90c4598a9f450824c1335d535b1a3bc06344b72429484af7f8a7470f387f9b3314ca14b85328e7ed7c94f40f821bc5b69b1828a4eb5ca30e4cb30668c7b8dada3769f20a61fa244d158eb43fa343001a80195
EAP-Message =
0xb1b11e518865a45a3b1f8116ffc29a79de5bc4f72c54e53632a1c49f84aa523b39519bfdac4cf067f0bff3455f17f44c8e40b04b06ad175fcf5fcc9d88e047d95a35ee4581d243207a1c94f32aaa6ba8c59883944f8d2721493a52f0d18aa594cbaead171926e6a1f992b67ab93854a34f3d421cbe875e2909aafde2eb5bed79d233a20fa21fb9e378497d273e8f6ca14d0203010001a381fb3081f8301d0603551d0e04160414c4c3cc2ea4d081bbce0c80d92996e92cda9390dc3081c80603551d230481c03081bd8014c4c3cc2ea4d081bbce0c80d92996e92cda9390dca18199a48196308193310b3009060355040613024652310f300d06035504
EAP-Message =
EAP-Message = 0x3deb8931d600ea5e
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x309c14c6329f0dd14b00d913c56dbe3f
Finished request 80.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.220.30.5 port 29010,
id=197, length=181
User-Name = "STIC08862\\TechRMC"
NAS-IP-Address = 10.220.30.5
NAS-Port = 0
Called-Station-Id = "58-16-26-AA-F7-A1:AVAYA-RESEAU"
Calling-Station-Id = "00-16-EA-C5-78-9C"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11a"
EAP-Message = 0x020300061900
State = 0x309c14c6329f0dd14b00d913c56dbe3f
Message-Authenticator = 0xa5deb369fab7a8ab117e3a2d3a1bd99a
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
[suffix] No '@' in User-Name = "STIC08862\TechRMC", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] Looking up realm "STIC08862" for User-Name = "STIC08862\TechRMC"
[ntdomain] No such realm "STIC08862"
++[ntdomain] returns noop
++? if ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/)
expand: %{User-Name} -> STIC08862\TechRMC
? Evaluating ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/) -> FALSE
++? if ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/) -> FALSE
++[preprocess] returns ok
[eap] EAP packet type response id 3 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 197 to 10.220.30.5 port 29010
EAP-Message =
0x010400b519001c077a0c37c0021ebd5901d8710b97ad0f8565cbe4081f184c4f48d79500d781c789cd7e4fcb9ef1c0d85e8c0e2f79b33d98067a79636b7b18c212c6fa065393ead60ccbd66b1ee55415965798592390475c38b8f1d81a8372e7e1aafcb6563a44f0be0cb173c485b071d8f18a6d6c978b2a17fc24579a3a00c360a6b43efefc2ec4f0d73ab140ec5e5d9b591a5b29b0d3a7a096774771c16065b46160051a8d1e88f6aa261516030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x309c14c633980dd14b00d913c56dbe3f
Finished request 81.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.220.30.5 port 29010,
id=198, length=497
User-Name = "STIC08862\\TechRMC"
NAS-IP-Address = 10.220.30.5
NAS-Port = 0
Called-Station-Id = "58-16-26-AA-F7-A1:AVAYA-RESEAU"
Calling-Station-Id = "00-16-EA-C5-78-9C"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11a"
EAP-Message =
EAP-Message =
0x2a59234d25f162d9c012c90c1b564c40f7a244ceb74fdbba1403010001011603010020105e724ee5343bc59dc34a12d5f6ae80cb30ee64b5e06ec66e794571315cee97
State = 0x309c14c633980dd14b00d913c56dbe3f
Message-Authenticator = 0xa808596aff58e89c835ba408d22c8576
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
[suffix] No '@' in User-Name = "STIC08862\TechRMC", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] Looking up realm "STIC08862" for User-Name = "STIC08862\TechRMC"
[ntdomain] No such realm "STIC08862"
++[ntdomain] returns noop
++? if ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/)
expand: %{User-Name} -> STIC08862\TechRMC
? Evaluating ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/) -> FALSE
++? if ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/) -> FALSE
++[preprocess] returns ok
[eap] EAP packet type response id 4 length 253
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 310
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange
[peap] TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap] TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 write finished A
[peap] TLS_accept: SSLv3 flush data
[peap] (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 198 to 10.220.30.5 port 29010
EAP-Message =
0x0105003119001403010001011603010020a7b524514b3cddffd4a8160f9eb6cc6a58975c324fe0d9ad042931b8bffb2bbd
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x309c14c634990dd14b00d913c56dbe3f
Finished request 82.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.220.30.5 port 29010,
id=199, length=181
User-Name = "STIC08862\\TechRMC"
NAS-IP-Address = 10.220.30.5
NAS-Port = 0
Called-Station-Id = "58-16-26-AA-F7-A1:AVAYA-RESEAU"
Calling-Station-Id = "00-16-EA-C5-78-9C"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11a"
EAP-Message = 0x020500061900
State = 0x309c14c634990dd14b00d913c56dbe3f
Message-Authenticator = 0xfbb387ec4960fce18fa01d5ff1c5e01e
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
[suffix] No '@' in User-Name = "STIC08862\TechRMC", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] Looking up realm "STIC08862" for User-Name = "STIC08862\TechRMC"
[ntdomain] No such realm "STIC08862"
++[ntdomain] returns noop
++? if ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/)
expand: %{User-Name} -> STIC08862\TechRMC
? Evaluating ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/) -> FALSE
++? if ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/) -> FALSE
++[preprocess] returns ok
[eap] EAP packet type response id 5 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state TUNNEL ESTABLISHED
++[eap] returns handled
Sending Access-Challenge of id 199 to 10.220.30.5 port 29010
EAP-Message =
0x010600201900170301001571c76260985f4c2cdee93f9c926ad4e44dbc5089bd
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x309c14c6359a0dd14b00d913c56dbe3f
Finished request 83.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.220.30.5 port 29010,
id=200, length=220
User-Name = "STIC08862\\TechRMC"
NAS-IP-Address = 10.220.30.5
NAS-Port = 0
Called-Station-Id = "58-16-26-AA-F7-A1:AVAYA-RESEAU"
Calling-Station-Id = "00-16-EA-C5-78-9C"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11a"
EAP-Message =
0x0206002d1900170301002265afc9d83fb63b3df1fa050064293a1d5724034b497cd6917712aed52e33e5c50a93
State = 0x309c14c6359a0dd14b00d913c56dbe3f
Message-Authenticator = 0x1d9a3ba6178e12c05cfd06e7b2a2c601
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
[suffix] No '@' in User-Name = "STIC08862\TechRMC", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] Looking up realm "STIC08862" for User-Name = "STIC08862\TechRMC"
[ntdomain] No such realm "STIC08862"
++[ntdomain] returns noop
++? if ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/)
expand: %{User-Name} -> STIC08862\TechRMC
? Evaluating ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/) -> FALSE
++? if ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/) -> FALSE
++[preprocess] returns ok
[eap] EAP packet type response id 6 length 45
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state WAITING FOR INNER IDENTITY
[peap] Identity - STIC08862\TechRMC
[peap] Got inner identity 'STIC08862\TechRMC'
[peap] Setting default EAP type for tunneled EAP session.
[peap] Got tunneled request
EAP-Message = 0x02060016015354494330383836325c54656368524d43
server {
PEAP: Setting User-Name to STIC08862\TechRMC
Sending tunneled request
EAP-Message = 0x02060016015354494330383836325c54656368524d43
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "STIC08862\\TechRMC"
server inner-tunnel {
# Executing section authorize from file
/etc/raddb/sites-enabled/inner-tunnel
+- entering group authorize {...}
[suffix] No '@' in User-Name = "STIC08862\TechRMC", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] Looking up realm "STIC08862" for User-Name = "STIC08862\TechRMC"
[ntdomain] No such realm "STIC08862"
++[ntdomain] returns noop
++? if ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/)
expand: %{User-Name} -> STIC08862\TechRMC
? Evaluating ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/) -> FALSE
++? if ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/) -> FALSE
[eap] EAP packet type response id 6 length 22
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[ldap] performing user authorization for STIC08862\TechRMC
[ldap] expand: (uid=%{mschap:User-Name}) -> (uid=TechRMC)
[ldap] expand: o=CSPI -> o=CSPI
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in o=CSPI, with filter (uid=TechRMC)
[ldap] Added the eDirectory password 1234567 in check items as
Cleartext-Password
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
[ldap] user STIC08862\TechRMC authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++? if (User-Name !~ /^host\/.*nw2.cspi.qc.ca$/)
? Evaluating (User-Name !~ /^host\/.*nw2.cspi.qc.ca$/) -> TRUE
++? if (User-Name !~ /^host\/.*nw2.cspi.qc.ca$/) -> TRUE
++- entering if (User-Name !~ /^host\/.*nw2.cspi.qc.ca$/) {...}
+++[control] returns ok
++- if (User-Name !~ /^host\/.*nw2.cspi.qc.ca$/) returns ok
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
EAP-Message =
0x0107002b1a010700261012b5c4c3a3dbd6a23fe3af6f3db81bc15354494330383836325c54656368524d43
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x510e2245510938eb25e1ac3222e20688
[peap] Got tunneled reply RADIUS code 11
EAP-Message =
0x0107002b1a010700261012b5c4c3a3dbd6a23fe3af6f3db81bc15354494330383836325c54656368524d43
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x510e2245510938eb25e1ac3222e20688
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 200 to 10.220.30.5 port 29010
EAP-Message =
0x0107004219001703010037421203ab26df0308676a4f2cb9e0fa8ff6e390152e6e971e94d31eda95d20b849007bca062f718e1d559e79b10a5b6a188768b6fe1907c
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x309c14c6369b0dd14b00d913c56dbe3f
Finished request 84.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.220.30.5 port 29010,
id=201, length=264
User-Name = "STIC08862\\TechRMC"
NAS-IP-Address = 10.220.30.5
NAS-Port = 0
Called-Station-Id = "58-16-26-AA-F7-A1:AVAYA-RESEAU"
Calling-Station-Id = "00-16-EA-C5-78-9C"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11a"
EAP-Message =
0x020700591900170301004eb1f256aa2e900c41ef37f9d0933df166344a6edbc9356301e0fdc15cb87b6cbe03f6b07e54ccfd7fca446c7ce6cca1a742794be48c57b8e2ac735d7b2a2b38fe4483984103fc270b54d6c691b4c2
State = 0x309c14c6369b0dd14b00d913c56dbe3f
Message-Authenticator = 0x8d693684ec5593182b54ce7c3d5e7d8f
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
[suffix] No '@' in User-Name = "STIC08862\TechRMC", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] Looking up realm "STIC08862" for User-Name = "STIC08862\TechRMC"
[ntdomain] No such realm "STIC08862"
++[ntdomain] returns noop
++? if ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/)
expand: %{User-Name} -> STIC08862\TechRMC
? Evaluating ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/) -> FALSE
++? if ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/) -> FALSE
++[preprocess] returns ok
[eap] EAP packet type response id 7 length 89
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
EAP-Message =
0x020700421a0207003d3187ddf68b18fb1dce4cdd5b001c06abc000000000000000009a7812e4d4a1f425347de951e68fac50054fd8ff32d403fa0054656368524d43
server {
PEAP: Setting User-Name to STIC08862\TechRMC
Sending tunneled request
EAP-Message =
0x020700421a0207003d3187ddf68b18fb1dce4cdd5b001c06abc000000000000000009a7812e4d4a1f425347de951e68fac50054fd8ff32d403fa0054656368524d43
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "STIC08862\\TechRMC"
State = 0x510e2245510938eb25e1ac3222e20688
server inner-tunnel {
# Executing section authorize from file
/etc/raddb/sites-enabled/inner-tunnel
+- entering group authorize {...}
[suffix] No '@' in User-Name = "STIC08862\TechRMC", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] Looking up realm "STIC08862" for User-Name = "STIC08862\TechRMC"
[ntdomain] No such realm "STIC08862"
++[ntdomain] returns noop
++? if ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/)
expand: %{User-Name} -> STIC08862\TechRMC
? Evaluating ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/) -> FALSE
++? if ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/) -> FALSE
[eap] EAP packet type response id 7 length 66
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[ldap] performing user authorization for STIC08862\TechRMC
[ldap] expand: (uid=%{mschap:User-Name}) -> (uid=TechRMC)
[ldap] expand: o=CSPI -> o=CSPI
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in o=CSPI, with filter (uid=TechRMC)
[ldap] Added the eDirectory password 1234567 in check items as
Cleartext-Password
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
[ldap] user STIC08862\TechRMC authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++? if (User-Name !~ /^host\/.*nw2.cspi.qc.ca$/)
? Evaluating (User-Name !~ /^host\/.*nw2.cspi.qc.ca$/) -> TRUE
++? if (User-Name !~ /^host\/.*nw2.cspi.qc.ca$/) -> TRUE
++- entering if (User-Name !~ /^host\/.*nw2.cspi.qc.ca$/) {...}
+++[control] returns ok
++- if (User-Name !~ /^host\/.*nw2.cspi.qc.ca$/) returns ok
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file
/etc/raddb/sites-enabled/inner-tunnel
[mschapv2] +- entering group MS-CHAP {...}
[mschap] ERROR: User-Name (STIC08862\TechRMC) is not the same as MS-CHAP
Name (TechRMC) from EAP-MSCHAPv2
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
} # server inner-tunnel
[peap] Got tunneled reply code 3
EAP-Message = 0x04070004
Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code 3
EAP-Message = 0x04070004
Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] returns handled
Sending Access-Challenge of id 201 to 10.220.30.5 port 29010
EAP-Message =
0x010800261900170301001bd9addceecce69a0bbcafd532787f06f03515b539bbb8c598213707
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x309c14c637940dd14b00d913c56dbe3f
Finished request 85.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.220.30.5 port 29010,
id=202, length=213
User-Name = "STIC08862\\TechRMC"
NAS-IP-Address = 10.220.30.5
NAS-Port = 0
Called-Station-Id = "58-16-26-AA-F7-A1:AVAYA-RESEAU"
Calling-Station-Id = "00-16-EA-C5-78-9C"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11a"
EAP-Message =
0x020800261900170301001b5d49f3ad65771949521891ede66912ccf09cfa17c7d6a9965f229e
State = 0x309c14c637940dd14b00d913c56dbe3f
Message-Authenticator = 0xf8e78209cd1bbc051781ce0db38fb367
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
[suffix] No '@' in User-Name = "STIC08862\TechRMC", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] Looking up realm "STIC08862" for User-Name = "STIC08862\TechRMC"
[ntdomain] No such realm "STIC08862"
++[ntdomain] returns noop
++? if ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/)
expand: %{User-Name} -> STIC08862\TechRMC
? Evaluating ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/) -> FALSE
++? if ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/) -> FALSE
++[preprocess] returns ok
[eap] EAP packet type response id 8 length 38
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state send tlv failure
[peap] Received EAP-TLV response.
[peap] The users session was previously rejected: returning reject
(again.)
[peap] *** This means you need to read the PREVIOUS messages in the
debug output
[peap] *** to find out the reason why the user was rejected.
[peap] *** Look for "reject" or "fail". Those earlier messages will
tell you.
[peap] *** what went wrong, and how to fix the problem.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> STIC08862\TechRMC
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 86 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 86
Sending Access-Reject of id 202 to 10.220.30.5 port 29010
EAP-Message = 0x04080004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.7 seconds.
On 11-05-28 10:32 AM, Francois Gaudreault wrote:
> Hi Phil, and Alan,
>
> I will get you the debug output for Windows XP SP3 boxes (likely Monday).
>
> I will summarise what we have. Basically, this is a setup where the
> client is using eDirectory to authorize the users using the rlm_ldap
> module. On the Windows boxes, it is configured to do PEAP using
> MSCHAPv2. When we send a host credential (i.e.
> host/mycomputer.domain.tld) it will pass the authorization and during
> the authentication phase, it will use ntlm_auth to ensure that the
> machine is a member of the domain. That part is working fine, the
> mschap module does its job. For the users, they have Windows 7 and
> Windows XP. Windows 7 appears to be working without problems since
> the username is sent without the computer name as the domain prefix.
> The problem comes with the Windows XP boxes. If we let Windows send
> the credentials automatically (when Novell logs in), the LDAP
> authorization will work properly, but the authentication will fail
> even if the Cleartext-Password attribute is set by the LDAP module.
> It will throw that MS-CHAP error. We also ensure that everything that
> comes from something that is not matching host/something will use
> MS-CHAP-NTLM-Auth = No. The only way to make Windows XP work is to
> disable the "automatically send username" thing and only send the
> username without the domain name. However, the user experience will
> definitely be terrible.
>
> The NAS Client is an Avaya Access Point.
>
> Thanks for your feedback, guys; it is appreciated. I will get you the
> debug information and the sites configuration as soon as I can.
>
> Have a nice weekend.
>
--
Francois Gaudreault, ing. jr
fgaudreault at inverse.ca :: +1.514.447.4918 (x130) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
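As an added example (not code from this thread, from Inverse, or from FreeRADIUS), the script below parses `radiusd -X` output of the kind pasted above and classifies the reject. It tracks which virtual server each line ran in (`server inner-tunnel {` ... `} # server inner-tunnel`), collects every User-Name, the uid that `%{mschap:User-Name}` expanded to in the ldap module, and the `[mschap] ERROR` line, and then checks whether the MS-CHAP name is exactly the User-Name with its `DOMAIN\` prefix removed. The sample log is a constructed, abridged excerpt of the post's own output with the e-mail-wrapped error line re-joined; `strip_nt_domain` reproduces only what the log itself shows the xlat doing (TechRMC from STIC08862\TechRMC), and all function names are my own.

```python
"""Triage helper for FreeRADIUS 2.x debug output (radiusd -X). Added example."""
import re

# Constructed sample: abridged from the post's debug output, one failing EAP round.
SAMPLE_LOG = r'''
rad_recv: Access-Request packet from host 10.220.30.5 port 29010, id=201, length=264
User-Name = "STIC08862\\TechRMC"
[peap] Peap state phase2
[peap] EAP type mschapv2
server {
PEAP: Setting User-Name to STIC08862\TechRMC
Sending tunneled request
User-Name = "STIC08862\\TechRMC"
server inner-tunnel {
[ldap] expand: (uid=%{mschap:User-Name}) -> (uid=TechRMC)
[ldap] user STIC08862\TechRMC authorized to use remote access
[eap] processing type mschapv2
[mschap] ERROR: User-Name (STIC08862\TechRMC) is not the same as MS-CHAP Name (TechRMC) from EAP-MSCHAPv2
++[mschap] returns reject
Failed to authenticate the user.
} # server inner-tunnel
[peap] Tunneled authentication was rejected.
Sending Access-Reject of id 202 to 10.220.30.5 port 29010
'''

USER_NAME_RE = re.compile(r'^\s*User-Name = "(.*)"$')
SERVER_OPEN_RE = re.compile(r'^server (\S+) \{$')        # 'server {' (no name) is ignored
SERVER_CLOSE_RE = re.compile(r'^\} # server (\S+)$')
MSCHAP_ERR_RE = re.compile(
    r'\[mschap\] ERROR: User-Name \((.*?)\) is not the same as MS-CHAP Name \((.*?)\)')
LDAP_XLAT_RE = re.compile(r'\[ldap\] expand: \(uid=%\{mschap:User-Name\}\) -> \(uid=(.*?)\)')
REJECT_RE = re.compile(r'^Sending Access-Reject of id (\d+) to (\S+) port \d+')


def strip_nt_domain(name):
    """User part of DOMAIN\\user; names without a backslash (plain users,
    host/fqdn machine accounts) come back unchanged. Mirrors what the log
    shows %{mschap:User-Name} producing: TechRMC from STIC08862\\TechRMC."""
    _, sep, user = name.partition('\\')
    return user if sep else name


def unescape_radius_string(value):
    """radiusd prints attribute string values with each backslash doubled."""
    return value.replace('\\\\', '\\')


def parse_debug(text):
    """One pass over the log: the virtual server each line ran in, every
    User-Name seen, the ldap uid, the mschap name error and the final reject."""
    servers = ['default']  # stack: 'server X {' pushes, '} # server X' pops
    report = {'user_names': [], 'ldap_uid': None, 'mschap_user_name': None,
              'mschap_name': None, 'reject_server': None,
              'access_reject_id': None, 'nas': None}
    for line in text.splitlines():
        line = line.rstrip()
        if (m := SERVER_OPEN_RE.match(line)):
            servers.append(m.group(1))
        elif (m := SERVER_CLOSE_RE.match(line)) and len(servers) > 1:
            servers.pop()
        elif (m := USER_NAME_RE.match(line)):
            report['user_names'].append((servers[-1], unescape_radius_string(m.group(1))))
        elif (m := LDAP_XLAT_RE.search(line)):
            report['ldap_uid'] = m.group(1)
        elif (m := MSCHAP_ERR_RE.search(line)):
            report['mschap_user_name'], report['mschap_name'] = m.group(1), m.group(2)
            report['reject_server'] = servers[-1]
        elif (m := REJECT_RE.match(line)):
            report['access_reject_id'] = int(m.group(1))
            report['nas'] = m.group(2)
    return report


def diagnose(report):
    """Classify the failure. The case worth recognising: a DOMAIN\\user
    User-Name paired with an MS-CHAPv2 response computed for the bare user."""
    full, short = report['mschap_user_name'], report['mschap_name']
    if short is None:
        return 'no-mschap-name-mismatch'
    if full != short and strip_nt_domain(full) == short:
        return 'nt-domain-prefix-mismatch'
    return 'mschap-name-mismatch'


def summarize(text):
    report = parse_debug(text)
    verdict = diagnose(report)
    why = {
        'nt-domain-prefix-mismatch': 'User-Name %r has an NT domain prefix; the EAP-MSCHAPv2 '
            'response names %r; ldap already used the stripped uid=%s, mschap compared the '
            'full name' % (report['mschap_user_name'], report['mschap_name'], report['ldap_uid']),
        'mschap-name-mismatch': 'User-Name and MS-CHAP Name differ by more than a DOMAIN\\ prefix',
        'no-mschap-name-mismatch': 'no [mschap] name-mismatch error in this log',
    }[verdict]
    return {'verdict': verdict, 'rejected_in': report['reject_server'],
            'access_reject_id': report['access_reject_id'], 'nas': report['nas'], 'why': why}


if __name__ == '__main__':
    for key, value in summarize(SAMPLE_LOG).items():
        print(f'{key}: {value}')
```

Run it on a saved `radiusd -X` capture and it reports the verdict, the virtual server the reject came from (here `inner-tunnel`) and the NAS that received the Access-Reject. The verdict it flags for this log is the one the post shows: rlm_ldap looked up `uid=TechRMC` after stripping the prefix, while the mschap comparison used the full `STIC08862\TechRMC`. The mschap module's `with_ntdomain_hack` option is the FreeRADIUS setting documented for exactly this `DOMAIN\user` form and is the first thing to check when this verdict comes up.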