Configuring FreeRADIUS to use ntlm_auth for MS-CHAP
Martin Ubank
Martin.Ubank at uwe.ac.uk
Fri Oct 14 17:13:12 CEST 2011
Here's the full output from 'radiusd -X':
rad_recv: Access-Request packet from host 127.0.0.1 port 46518, id=0, length=130
User-Name = "USERNAME"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x0200001001656475726f616d74657374
Message-Authenticator = 0x19af91fa38ff062679ec1d03996186f1
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "USERNAME", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 0 length 16
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 1
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 0 to 127.0.0.1 port 46518
EAP-Message = 0x010100160410e3c3e67208c265aca07beb7e7865d463
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xd51fc6e5d51ec2fc226b361c74f28d1a
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 46518, id=1, length=138
User-Name = "USERNAME"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020100060319
State = 0xd51fc6e5d51ec2fc226b361c74f28d1a
Message-Authenticator = 0xd31570627564c5a11fb8b9203e310ce1
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "USERNAME", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 1
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/peap
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 1 to 127.0.0.1 port 46518
EAP-Message = 0x010200061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xd51fc6e5d41ddffc226b361c74f28d1a
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 46518, id=2, length=254
User-Name = "USERNAME"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x0202007a198000000070160301006b0100006703014e96960ad361f23dc096d265af71ceffd445b4d9ae042b0c7c42b6b3846d4bee00003a00390038008800870035008400160013000a00330032009a009900450044002f00960041000500040015001200090014001100080006000300ff0100000400230000
State = 0xd51fc6e5d41ddffc226b361c74f28d1a
Message-Authenticator = 0x7b23ec62a31e205a2a7ec5c7f9740229
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "USERNAME", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 122
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 112
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 006b], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 0035], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 0824], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange
[peap] TLS_accept: SSLv3 write key exchange A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 2 to 127.0.0.1 port 46518
EAP-Message = 0x0103040019c000000a7e16030100350200003103014e96960af25becfff944c864c255fad5a356b511aa59ced9de668370811edd2c000039000009ff010001000023000016030108240b00082000081d00038d3082038930820271a003020102020103300d06092a864886f70d0101050500308188310b300906035504061302554b311730150603550408130e556e69746564204b696e67646f6d311830160603550407130f57657374206f6620456e676c616e64310c300a060355040a13035557453121301f06092a864886f70d01090116126974732d756e6978407577652e61632e756b311530130603550403130c5557452c2042726973746f6c
EAP-Message = 0x301e170d3131303932373132313430385a170d3132303932363132313430385a306e310b300906035504061302554b311730150603550408130e556e69746564204b696e67646f6d310c300a060355040a1303555745311530130603550403130c5557452c2042726973746f6c3121301f06092a864886f70d01090116126974732d756e6978407577652e61632e756b30820122300d06092a864886f70d01010105000382010f003082010a0282010100abf8e76947fb730e676e7fe3abb28d7841bcf4766c2075580efe855329fa8c5be97b8853ed81a68a4511d890c0380cbb3fa419cccd2acd229841419fa9f08150accb9626c1ce469762a6b266
EAP-Message = 0xc50a3e8ce93a479982c31431a437fea310ce65ee129f121f47f97cd245d3144fdd154cb91a31ec2939b97a8147246d0553894b2da551783a081b7feb8eef899252668f49b0c63724ee2b6637a0494941c83399085a1408795d835ef1842b7b02b12029a785fa5cd2c0759287c39a14029cb5a2b261432c40267cecc5486ae333bf8d30eaaeddb87cffdf147429a54895f952468d51f32f56add55bed711dd29afd5d74b82952085a5c01a00aa196c2435d7e21910203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d01010505000382010100c5c2bf0108071d7d83a9a6fa3e0adb71ccf140eb3a3270
EAP-Message = 0x8b7c50da65d38a5b8d8faf512930b9f6a37c20fd24e12f83045d53774f324ca59f7dbf38c91a5db93d3daa9317bcf59ce91ee6a358fea314ebc167315ca81e6e276a28653dd2c4040777244a743040abec0b68267e6f3d5cbc09b69f9f6907800780171915d3c4e29cf5bd83e9b880871f6331219ed7b902d4831f29049a734ec7920582dc99c0d9fe2a650e563c5f0c4e50c36148e7e8b001530c461da58ac7c21920db5e8cfa11ccc807e807a2b754cf3c3323b5181e0cdc4e58b88d69dca1cd67f84cc2034c777965ff6e59b9ed1ab408d1f8b00f3b208fcc33047e3a46605b40fe70efc10490d500048a308204863082036ea003020102020900ea
EAP-Message = 0x76843bb94e48ff300d06092a
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xd51fc6e5d71cdffc226b361c74f28d1a
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 46518, id=3, length=138
User-Name = "USERNAME"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020300061900
State = 0xd51fc6e5d71cdffc226b361c74f28d1a
Message-Authenticator = 0xeac8d730967a7a82475dc0a22d887533
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "USERNAME", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 3 to 127.0.0.1 port 46518
EAP-Message = 0x010403fc1940864886f70d0101050500308188310b300906035504061302554b311730150603550408130e556e69746564204b696e67646f6d311830160603550407130f57657374206f6620456e676c616e64310c300a060355040a13035557453121301f06092a864886f70d01090116126974732d756e6978407577652e61632e756b311530130603550403130c5557452c2042726973746f6c301e170d3131303932373132303134395a170d3132303932363132303134395a308188310b300906035504061302554b311730150603550408130e556e69746564204b696e67646f6d311830160603550407130f57657374206f6620456e676c616e
EAP-Message = 0x64310c300a060355040a13035557453121301f06092a864886f70d01090116126974732d756e6978407577652e61632e756b311530130603550403130c5557452c2042726973746f6c30820122300d06092a864886f70d01010105000382010f003082010a0282010100eca974c9469bb2b9038c9cec00bb4710b72a5158ac68aced1f90f5af352d65068848d7187b033dbc40dc216ae01b1c0f9b37a26342cfbb1d2a544f263a1e79b3934c9895c10c797cb41b67ae18ca2ae955f2ff442f477cf9084d38b43b16a12bf18401ab2cd3d28bc5528f77a231339e20ef7f5cb0b9cec2eeecc41ea475698418883a9d55011ac7959606e44437163e650c2d
EAP-Message = 0x15038f9e7d0de2a28657871a47b516daf92b5920988ae0d0eda22f45a41c6b51c94e66b2d1c7c8388d35849f20ca99668862b2de96c0020e91e20b1049c122eafa7de46af7b3ff79ef88a0c4c81e2ab0aabd2861fd271b056a9a3445d83a3699e7dd5a61bcbf9f1cf5676179650203010001a381f03081ed301d0603551d0e04160414832a671a41ae7fd38f7d2a867d3caf4258a634133081bd0603551d230481b53081b28014832a671a41ae7fd38f7d2a867d3caf4258a63413a1818ea4818b308188310b300906035504061302554b311730150603550408130e556e69746564204b696e67646f6d311830160603550407130f57657374206f6620
EAP-Message = 0x456e676c616e64310c300a060355040a13035557453121301f06092a864886f70d01090116126974732d756e6978407577652e61632e756b311530130603550403130c5557452c2042726973746f6c820900ea76843bb94e48ff300c0603551d13040530030101ff300d06092a864886f70d010105050003820101007748eea59b2bd6a4d042a17c13f6a67f94d7de57b9df69dd50473ef15d71362d7394558cfc9b54fc48572f4cb62d3d88802d0be516d230730c2e4e6aceeaebb0098bfd2851141f3d366ece305dfee9eb5f3599e4f60f87925c294e214f576818be4db619a976343323c56ac9b4b32eef0c1c62749cba3d6bb0c36b1105ea4e570a
EAP-Message = 0x9236e20dee7f5d17
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xd51fc6e5d61bdffc226b361c74f28d1a
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 46518, id=4, length=138
User-Name = "USERNAME"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020400061900
State = 0xd51fc6e5d61bdffc226b361c74f28d1a
Message-Authenticator = 0x462ba6d707d88db45403966796b77aae
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "USERNAME", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 4 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 4 to 127.0.0.1 port 46518
EAP-Message = 0x01050298190014f24598cc95e56c2df962cf71babff85382b7162f2583c6d0a28ddf9c25b2092388203879c714a8a11b81be2c6634e462905275ad295e874bbd16614231809d913af8d79c9a3a181ae25754adec324ac9caa93299ffa779bea8ba68d03772b5d350b07012458bcc0c565c46d7d651b8c47c16bbd34842160301020d0c0002090080d11460db9abf91f947d88e633cd4e9801540e222c95cce59f1dfbcafa31699ef9e0a5cc17142ca4cf26add8a3125af5b3e671f86dcd93acd5c90610362a99f81da008eb1af2830c5019f42bb6fc709000481512754b92235c8b9b950a31a8a66b8c4212ee376d79271ed2c5c611dd8629961e904dc
EAP-Message = 0xa746dfc00b07d867f1cf2300010200809acc0ffd2632f9bd6395fc75fcce6532c87fb8a72104774d5a30e09aee6647ccd17c9b1a8d8e7fb1ee681202b869040b90a5b92f743483956a7c0ab1d0e6793a9fe24b1e412766db333b2955144d7a37f4d7387421ee4edf206d9fce49bb1e855270d0c8e18f9ecae79f836aff647120715bc033b723b3b66c4ec7e346cba30701007246ace4b95fb4e321e49c08e373f86ebf6aee6921fb0bd7b6da516f55614b006f69a275899c538cc150d44aab98d20fd628a62b83a31c269ac46970a4f83a2c1465027b5e653392f3ed802ba74e361a6687b4664f743b5d8fcb8554987db224d147519c09f5eabca4051b
EAP-Message = 0x8337529fd094e68c5c78268fd43410af0f1f9f416c06dbc5e243057665b49f117bf74812d67c7c6dbe45c32dc490d2fd652d0f37fdd788ae15950dfb530f4ce72464ba58923a0653c13df28248b3bf89e05853950f56c1008a31d2fe679c91066597c8c595763fa7a3fbd646186bfe548aab39f9376b5421b12964d4f92c85ebed27359eb43db6bdc7e68c6e95452a0f876700143416030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xd51fc6e5d11adffc226b361c74f28d1a
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 46518, id=5, length=340
User-Name = "USERNAME"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020500d01980000000c616030100861000008200805acce1c3b4c2a661c04cabe6fc26f48d4ed47fa45c3df4cb1c7c198f7c9b28d95b7d585f79b7cd9c26c7af3f3c7ba9e83b0a37080d3e4e4ff3546172818cc481b603ce2b263fa1498313f5de4b7a44bd8cbea28c311e1e00bd247f1b96ae5484c793807e128ab22ea20af058d351b40025e4325585af1afa450135fc530c23c01403010001011603010030524764251831c4f454d5f934ca8f4cbcfd9a1989b40a91517a7abd51792d649083fadb08e6f89c7d3af7c2c0b15f7445
State = 0xd51fc6e5d11adffc226b361c74f28d1a
Message-Authenticator = 0xadda94034436b0ff221189c2f4be6eb4
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "USERNAME", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 5 length 208
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 198
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
[peap] TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 Handshake [length 00aa]???
[peap] TLS_accept: SSLv3 write session ticket A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap] TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 write finished A
[peap] TLS_accept: SSLv3 flush data
[peap] (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 5 to 127.0.0.1 port 46518
EAP-Message = 0x010600f0190016030100aa040000a60000000000a0cc8d70c52047f8b3e2dd5eefa0c6b68d481713110eb10c139a032c9ccd16342bf0bacdba48a21cf380436517e2bf9f38cc9fc56b5bc36ebb97838a7973a5b544716c3e17ea3f50d274da7a2b9fa370521419dfe016961a232f312861f6cfedf1853882db6d9da6d47f95b823935675a40a37f8c3a96a5a41abbd79cf0bb245769988ed24af435f6a1574077885f47c7dac0152caa18a44b3924694afbba260fd1403010001011603010030979402d9cc8285d5b3b688a55259b7d425d77f8cd866491751234dfc0f00fbf507399d0ed2d17862747152c72bdeb1a5
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xd51fc6e5d019dffc226b361c74f28d1a
Finished request 5.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 46518, id=6, length=138
User-Name = "USERNAME"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020600061900
State = 0xd51fc6e5d019dffc226b361c74f28d1a
Message-Authenticator = 0xa8d2d0aa1f4e696f304941c4d6aea9c5
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "USERNAME", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 6 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
++[eap] returns handled
Sending Access-Challenge of id 6 to 127.0.0.1 port 46518
EAP-Message = 0x0107002b19001703010020fde5e4f975c631461bf812654c521bf751cbd50328326c22c4314b1dc22b5981
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xd51fc6e5d318dffc226b361c74f28d1a
Finished request 6.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 46518, id=7, length=228
User-Name = "USERNAME"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020700601900170301002082ca809e8b71e1737e6f283824f1fc57f516b406a52edcde740635aff970657a1703010030db98915cf59fb0fbd86b01c9c93f2f071441050e4cb24444dc1750d86c0048ad2630960eee387a8b9e917906d101a5e5
State = 0xd51fc6e5d318dffc226b361c74f28d1a
Message-Authenticator = 0x9fd3dfdc80fadb9dae243e30fd904c67
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "USERNAME", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 7 length 96
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Identity - USERNAME
[peap] Got tunneled request
EAP-Message = 0x0207001001656475726f616d74657374
server {
PEAP: Got tunneled identity of USERNAME
PEAP: Setting default EAP type for tunneled EAP session.
PEAP: Setting User-Name to USERNAME
Sending tunneled request
EAP-Message = 0x0207001001656475726f616d74657374
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "USERNAME"
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "USERNAME", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 7 length 16
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry DEFAULT at line 1
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
EAP-Message = 0x010800251a0108002010753b806a5a6af658f2d316d30c12ecc1656475726f616d74657374
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xf52c5994f52443b388bfb7acfc0b1196
[peap] Got tunneled reply RADIUS code 11
EAP-Message = 0x010800251a0108002010753b806a5a6af658f2d316d30c12ecc1656475726f616d74657374
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xf52c5994f52443b388bfb7acfc0b1196
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 7 to 127.0.0.1 port 46518
EAP-Message = 0x0108004b19001703010040bebe64dc1329ef2740f8e42c59e1120733b64c36c16a9475d047b551a74dfc12c69cbb404408eab8f872620679d76339d572e88b33e38a385546ae0b37847a85
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xd51fc6e5d217dffc226b361c74f28d1a
Finished request 7.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 46518, id=8, length=276
User-Name = "USERNAME"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x0208009019001703010020ee50e7ff63126c0c1bd3205c1b5329263a41d41fe547b9c71e7fff5021f0990217030100608d63c97a880115c98a6c4912eef2cc8e592bf71ef659f8f13327695b6d066a45c194cb99e0e351e1533c5d6a4b4a80a9137ea22d7fc5dda4b8afbe2e08da5246c1edaea83f2d550a0ed20eab76d634f48076a74b99e3e38db6647e67adbc4390
State = 0xd51fc6e5d217dffc226b361c74f28d1a
Message-Authenticator = 0xe7ced67503caf2dc1389e6b832ec8252
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "USERNAME", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 8 length 144
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] EAP type mschapv2
[peap] Got tunneled request
EAP-Message = 0x020800461a020800413140c4b30b46c9ec6da33aad308ce5eb96000000000000000027fce3051abca58436d4737a54e109bf7485f073cf95b00900656475726f616d74657374
server {
PEAP: Setting User-Name to USERNAME
Sending tunneled request
EAP-Message = 0x020800461a020800413140c4b30b46c9ec6da33aad308ce5eb96000000000000000027fce3051abca58436d4737a54e109bf7485f073cf95b00900656475726f616d74657374
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "USERNAME"
State = 0xf52c5994f52443b388bfb7acfc0b1196
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "USERNAME", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 8 length 70
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry DEFAULT at line 1
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for USERNAME with NT-Password
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
} # server inner-tunnel
[peap] Got tunneled reply code 3
MS-CHAP-Error = "\010E=691 R=1"
EAP-Message = 0x04080004
Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code 3
MS-CHAP-Error = "\010E=691 R=1"
EAP-Message = 0x04080004
Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] returns handled
Sending Access-Challenge of id 8 to 127.0.0.1 port 46518
EAP-Message = 0x0109002b190017030100208c4e2f1cf1bae28345164884c2d88d6076154baf708a8d14257705571de8bdc2
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xd51fc6e5dd16dffc226b361c74f28d1a
Finished request 8.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 46518, id=9, length=212
User-Name = "USERNAME"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x0209005019001703010020d9cfaefa5e285c9f5f3f69feb289acf8d93c592efca5a111d9de338781b85fb917030100201d132513a9b552a9e5e7f85cb6c0158ad889b9367619656d3dd80a869ef4cd11
State = 0xd51fc6e5dd16dffc226b361c74f28d1a
Message-Authenticator = 0x05a869fff5928f065bcf99af65e0681f
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "USERNAME", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 9 length 80
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Received EAP-TLV response.
[peap] The users session was previously rejected: returning reject (again.)
[peap] *** This means you need to read the PREVIOUS messages in the debug output
[peap] *** to find out the reason why the user was rejected.
[peap] *** Look for "reject" or "fail". Those earlier messages will tell you.
[peap] *** what went wrong, and how to fix the problem.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> USERNAME
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 9 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 9
Sending Access-Reject of id 9 to 127.0.0.1 port 46518
EAP-Message = 0x04090004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.
Cleaning up request 0 ID 0 with timestamp +111
Cleaning up request 1 ID 1 with timestamp +111
Cleaning up request 2 ID 2 with timestamp +111
Cleaning up request 3 ID 3 with timestamp +111
Cleaning up request 4 ID 4 with timestamp +111
Cleaning up request 5 ID 5 with timestamp +111
Cleaning up request 6 ID 6 with timestamp +111
Cleaning up request 7 ID 7 with timestamp +111
Cleaning up request 8 ID 8 with timestamp +111
Waking up in 1.0 seconds.
Cleaning up request 9 ID 9 with timestamp +111
Ready to process requests.
From: freeradius-users-bounces+martin.ubank=uwe.ac.uk at lists.freeradius.org [mailto:freeradius-users-bounces+martin.ubank=uwe.ac.uk at lists.freeradius.org] On Behalf Of Arran Cudbard-Bell
Sent: 14 October 2011 16:04
To: FreeRadius users mailing list
Subject: Re: Configuring FreeRADIUS to use ntlm_auth for MS-CHAP
I can see from the 'radiusd -X' output that FreeRadius is not using MS-CHAP correctly:
<snip>
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for USERNAME with NT-Password
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
<snip>
You just snipped away the useful information in the log... Please include the full debug log for the EAP round where this message is produced.
Arran Cudbard-Bell
a.cudbardb at freeradius.org<mailto:a.cudbardb at freeradius.org>
Betelwiki, Betelwiki, Betelwiki.... http://wiki.freeradius.org/ !
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20111014/84f65874/attachment.html>
More information about the Freeradius-Users
mailing list