cisco WAP/FreeRadius/OpenLDAP

Matt Arguin matt.arguin at currensee.com
Thu Oct 27 19:31:00 CEST 2011


Hi All,
  Having trouble setting up my RADIUS (FreeRADIUS Version 2.1.7) to
auth to my OpenLDAP server (openldap-2.3.43-12.el5_6.7) on CentOS 5.5.

I am trying to configure EAP-TLS and think I am pretty close.  I am
currently wondering if possibly I have an incorrect mapping in the
ldap.attrs file (it is completely default right now).  Running
'radiusd -X' I do see some errors such as:

rlm_ldap: performing search in dc=currensee,dc=com, with filter (uid=anonymous)
rlm_ldap: object not found
[ldap] search failed

but later down the path of the session it looks like things are going
OK, seeing a bunch of EAP challenges and it expanding the username
and stuff being put into the inner-tunnel.  However, in the end:

rlm_ldap: performing search in dc=currensee,dc=com, with filter (uid=marguin2)
[ldap] checking if remote access for marguin2 is allowed by uid
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure
that the user is configured correctly?

My LDAP attribute for password is userPassword and I have tried
changing the values in the ldap.attrs to match this but that did not
help.  Here is the full output of the run of radiusd in debug mode.
Any insight is appreciated:

Ready to process requests.
rad_recv: Access-Request packet from host 192.168.10.31 port 1645,
id=181, length=132
        User-Name = "anonymous"
        Framed-MTU = 1400
        Called-Station-Id = "64a0.e729.b890"
        Calling-Station-Id = "1c65.9d32.fb68"
        Service-Type = Login-User
        Message-Authenticator = 0x247be03937ef0698a7ad23d2f86aa54b
        EAP-Message = 0x0202000e01616e6f6e796d6f7573
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 799
        NAS-Port-Id = "799"
        NAS-IP-Address = 192.168.10.31
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 14
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[ldap] performing user authorization for anonymous
[ldap]  expand: %{Stripped-User-Name} ->
[ldap]  expand: %{User-Name} -> anonymous
[ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=anonymous)
[ldap]  expand: dc=currensee,dc=com -> dc=currensee,dc=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap.local.currensee.com:389, authentication 0
rlm_ldap: bind as
cn=radius,ou=Services,dc=currensee,dc=com/c17ad5805204465ab39d11e0381272c5
to ldap.local.currensee.com:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=currensee,dc=com, with filter (uid=anonymous)
rlm_ldap: object not found
[ldap] search failed
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
[eap] EAP packet type response id 2 length 14
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
Found Auth-Type = EAP
Found Auth-Type = EAP
Warning:  Found 2 auth-types on request for user 'anonymous'
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 181 to 192.168.10.31 port 1645
        EAP-Message = 0x010300061920
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x12d3382012d02152159f345e3e0c333a
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.10.31 port 1645,
id=182, length=228
        User-Name = "anonymous"
        Framed-MTU = 1400
        Called-Station-Id = "64a0.e729.b890"
        Calling-Station-Id = "1c65.9d32.fb68"
        Service-Type = Login-User
        Message-Authenticator = 0x07f8f2c72439114d5efd54762efa740b
        EAP-Message =
0x0203005c190016030100510100004d03014ea9917e4e0fee76b71533a74710796e73ac02e494439b92a5338ee6d1f1bcd900002600390038003500160013000a00330032002f00050004001500120009001400110008000600030100
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 799
        NAS-Port-Id = "799"
        State = 0x12d3382012d02152159f345e3e0c333a
        NAS-IP-Address = 192.168.10.31
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 92
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap]     (other): before/accept initialization
[peap]     TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 0051], ClientHello
[peap]     TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 002a], ServerHello
[peap]     TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 06cd], Certificate
[peap]     TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 018d], ServerKeyExchange
[peap]     TLS_accept: SSLv3 write key exchange A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap]     TLS_accept: SSLv3 write server done A
[peap]     TLS_accept: SSLv3 flush data
[peap]     TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 182 to 192.168.10.31 port 1645
        EAP-Message =
0x7a47e5d66048731d7458d9ae1ebe0508aa349d4fa74dd0c077cdca1fb2af2868d309e938cd6222f3c6737116ff656e10bbb175b76e2aa83c35efc2b0655f3bf669cabbad375d98d89c84f9d30b5887ac5225685c5bee55176ce2fe890203010001300d06092a864886f70d01010405000381810023558f75bca5500a1b7ca225f46cd98622ef05c01cc43e000dcae1cd19b8d8fcf7c53d2dff7c6403781839d0dd4a0bffb4eec337967c32665ee5f11720e09760c222e2fc6a029b0d4eb33c45614d21a6fb55cb6f01df47958d97578160057f0d23aa685539931ad0229522218b7d7c31f9fb1b8e94a9b88d6e8bc4f410a9701400041a308204163082
        EAP-Message =
0x037fa003020102020900d869d83ec24831ce300d06092a864886f70d01010405003081b931183016060355040a130f43757272656e7365652c20496e632e31143012060355040b130b456e67696e656572696e673121301f06092a864886f70d0109011612726f6f744063757272656e7365652e636f6d310f300d06035504071306426f73746f6e311630140603550408130d4d617373616368757365747473310b3009060355040613025553312e302c060355040313254c6f63616c2043757272656e73656520436572746966696361746520417574686f72697479301e170d3130303432363138323634325a170d3230303432353138323634325a
        EAP-Message = 0x3081b931183016060355040a
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x12d3382013d72152159f345e3e0c333a
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.10.31 port 1645,
id=183, length=142
        User-Name = "anonymous"
        Framed-MTU = 1400
        Called-Station-Id = "64a0.e729.b890"
        Calling-Station-Id = "1c65.9d32.fb68"
        Service-Type = Login-User
        Message-Authenticator = 0xfb2f68eee2f87814bcac62b0feb517d1
        EAP-Message = 0x020400061900
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 799
        NAS-Port-Id = "799"
        State = 0x12d3382013d72152159f345e3e0c333a
        NAS-IP-Address = 192.168.10.31
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 4 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 183 to 192.168.10.31 port 1645
        EAP-Message =
0x010503fc1940130f43757272656e7365652c20496e632e31143012060355040b130b456e67696e656572696e673121301f06092a864886f70d0109011612726f6f744063757272656e7365652e636f6d310f300d06035504071306426f73746f6e311630140603550408130d4d617373616368757365747473310b3009060355040613025553312e302c060355040313254c6f63616c2043757272656e73656520436572746966696361746520417574686f7269747930819f300d06092a864886f70d010101050003818d0030818902818100d6e8fe8f9e3905fcd63f0c9f3b9eded323e8b7a1e47ef23d8d53a29572e41656e189ccd616664ad52ea7
        EAP-Message = 0x9a37bae7ab57131e
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x12d3382010d62152159f345e3e0c333a
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.10.31 port 1645,
id=184, length=142
        User-Name = "anonymous"
        Framed-MTU = 1400
        Called-Station-Id = "64a0.e729.b890"
        Calling-Station-Id = "1c65.9d32.fb68"
        Service-Type = Login-User
        Message-Authenticator = 0x1fd77cc584bc1051b7d9fe58107c4c3a
        EAP-Message = 0x020500061900
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 799
        NAS-Port-Id = "799"
        State = 0x12d3382010d62152159f345e3e0c333a
        NAS-IP-Address = 192.168.10.31
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 5 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 184 to 192.168.10.31 port 1645
        EAP-Message =
0x010600b6190020da5b4f45515a10838c069b4f306c799dcae80fde0c7eecec68db12a3eaa188db7dcbf50200806bb73ce9d989ce3e074cef9ed67d06dfb226f888a3f8799c5df1c4bf4f652a966eac1ea47e789967cf2657c8a245141794ee18ee29c0ff4f3b3634573b90285e23472af4b29d2e75cac5db910ddac31d258f7f5e3bf8bafe20fe7c46c70bda90a2f67eef82eeff0e907606354f10dff1e2b6ce1cac104de8a8ec6c73cdec574616030100040e000000
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x12d3382011d52152159f345e3e0c333a
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.10.31 port 1645,
id=185, length=340
        User-Name = "anonymous"
        Framed-MTU = 1400
        Called-Station-Id = "64a0.e729.b890"
        Calling-Station-Id = "1c65.9d32.fb68"
        Service-Type = Login-User
        Message-Authenticator = 0x60c232952342a311ee2bc93a26e4ce71
        EAP-Message =
0x020600cc19001603010086100000820080a52906e4cab72051f10862c9b4e9db68968fa1c00ebc4f8c074fa28048ae720918e3e6dde2c7aecddddd342e1f5c6649fa27b48b6960a42370a44bb8ed450c95c35db9878c8e37bf4766de7da741e152ac923353122eba5812448d68414c59de2b16bb02ff0251b80feabf15ef38a54bfd78cda06c8ccee4cfa6088c8803d7361403010001011603010030c557f553edafc375c220d8b101de0f084b5177c27a77c54fb0d465a68e47620529713ff626312a53bf1e06d3ac1ca073
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 799
        NAS-Port-Id = "799"
        State = 0x12d3382011d52152159f345e3e0c333a
        NAS-IP-Address = 192.168.10.31
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 6 length 204
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
[peap]     TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap]     TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap]     TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap]     TLS_accept: SSLv3 write finished A
[peap]     TLS_accept: SSLv3 flush data
[peap]     (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 185 to 192.168.10.31 port 1645
        EAP-Message =
0x0107004119001403010001011603010030ffe92683dad17988140bd1cded5144fa14720bb91cb28e33292d07a24deb1ef51839a5b0531e269e6f31be133887341b
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x12d3382016d42152159f345e3e0c333a
Finished request 4.
Going to the next request
Waking up in 1.2 seconds.
rad_recv: Access-Request packet from host 192.168.10.31 port 1645,
id=186, length=142
        User-Name = "anonymous"
        Framed-MTU = 1400
        Called-Station-Id = "64a0.e729.b890"
        Calling-Station-Id = "1c65.9d32.fb68"
        Service-Type = Login-User
        Message-Authenticator = 0xef4b9bafcba2b7293142633bf00f1a52
        EAP-Message = 0x020700061900
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 799
        NAS-Port-Id = "799"
        State = 0x12d3382016d42152159f345e3e0c333a
        NAS-IP-Address = 192.168.10.31
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 7 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
++[eap] returns handled
Sending Access-Challenge of id 186 to 192.168.10.31 port 1645
        EAP-Message =
0x0108002b190017030100203572669053841178aa51d4dea859b4aa66a10fe9dcce996c6d9e0bf40953d2a4
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x12d3382017db2152159f345e3e0c333a
Finished request 5.
Going to the next request
Waking up in 1.2 seconds.
rad_recv: Access-Request packet from host 192.168.10.31 port 1645,
id=187, length=216
        User-Name = "anonymous"
        Framed-MTU = 1400
        Called-Station-Id = "64a0.e729.b890"
        Calling-Station-Id = "1c65.9d32.fb68"
        Service-Type = Login-User
        Message-Authenticator = 0x82af7372ebc34d1c5a983c695666352f
        EAP-Message =
0x0208005019001703010020381428016e79c1a921ad7bdf022e84bc4a9c4d00aef5e18e9da6abc10d096e501703010020fcac01f3ed169b5b12acb63a0c071b20a1dd48091f06a95457a478078cacbc42
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 799
        NAS-Port-Id = "799"
        State = 0x12d3382017db2152159f345e3e0c333a
        NAS-IP-Address = 192.168.10.31
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 8 length 80
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Identity - marguin2
[peap] Got tunneled request
        EAP-Message = 0x0208000d016d61726775696e32
server  {
  PEAP: Got tunneled identity of marguin2
  PEAP: Setting default EAP type for tunneled EAP session.
  PEAP: Setting User-Name to marguin2
Sending tunneled request
        EAP-Message = 0x0208000d016d61726775696e32
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "marguin2"
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns updated
[suffix] No '@' in User-Name = "marguin2", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 8 length 13
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[ldap] performing user authorization for marguin2
[ldap]  expand: %{Stripped-User-Name} ->
[ldap]  expand: %{User-Name} -> marguin2
[ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=marguin2)
[ldap]  expand: dc=currensee,dc=com -> dc=currensee,dc=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=currensee,dc=com, with filter (uid=marguin2)
[ldap] checking if remote access for marguin2 is allowed by uid
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure
that the user is configured correctly?
[ldap] user marguin2 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
        EAP-Message =
0x010900221a0109001d105c038f58bcb3c4fc977d39febd11f16c6d61726775696e32
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xa2676f99a26e75640cc52013c4080612
[peap] Got tunneled reply RADIUS code 11
        EAP-Message =
0x010900221a0109001d105c038f58bcb3c4fc977d39febd11f16c6d61726775696e32
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xa2676f99a26e75640cc52013c4080612
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 187 to 192.168.10.31 port 1645
        EAP-Message =
0x0109004b190017030100407c0dcc2b6be749d2d560495f41a01c6ba27e65a9f3e1facf816a8486e3ebc9be251742e5134b24c41a4e3a1727748ce3ddec39e39c97c21d4de46155f44fe292
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x12d3382014da2152159f345e3e0c333a
Finished request 6.
Going to the next request
Waking up in 0.2 seconds.
Cleaning up request 0 ID 181 with timestamp +1285
Cleaning up request 1 ID 182 with timestamp +1285
Cleaning up request 2 ID 183 with timestamp +1285
Cleaning up request 3 ID 184 with timestamp +1285
Waking up in 3.6 seconds.
rad_recv: Access-Request packet from host 192.168.10.31 port 1645,
id=188, length=216
        User-Name = "anonymous"
        Framed-MTU = 1400
        Called-Station-Id = "64a0.e729.b890"
        Calling-Station-Id = "1c65.9d32.fb68"
        Service-Type = Login-User
        Message-Authenticator = 0xba68c91d8ff9a8fc3d4b81978503d6a8
        EAP-Message =
0x020900501900170301002038ddef970c4b5de2408e15dcf170380e2dae20f5b4906ca0b83ab09955f3adb31703010020c662bb01f949917629bbf706a765e7289242c9ac1bf7977e086d474a0c535275
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 799
        NAS-Port-Id = "799"
        State = 0x12d3382014da2152159f345e3e0c333a
        NAS-IP-Address = 192.168.10.31
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 9 length 80
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] EAP type nak
[peap] Got tunneled request
        EAP-Message = 0x020900060306
server  {
  PEAP: Setting User-Name to marguin2
Sending tunneled request
        EAP-Message = 0x020900060306
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "marguin2"
        State = 0xa2676f99a26e75640cc52013c4080612
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns updated
[suffix] No '@' in User-Name = "marguin2", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 9 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[ldap] performing user authorization for marguin2
[ldap]  expand: %{Stripped-User-Name} ->
[ldap]  expand: %{User-Name} -> marguin2
[ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=marguin2)
[ldap]  expand: dc=currensee,dc=com -> dc=currensee,dc=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=currensee,dc=com, with filter (uid=marguin2)
[ldap] checking if remote access for marguin2 is allowed by uid
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure
that the user is configured correctly?
[ldap] user marguin2 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/gtc
[eap] processing type gtc
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
        EAP-Message = 0x010a000f0650617373776f72643a20
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xa2676f99a36d69640cc52013c4080612
[peap] Got tunneled reply RADIUS code 11
        EAP-Message = 0x010a000f0650617373776f72643a20
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xa2676f99a36d69640cc52013c4080612
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 188 to 192.168.10.31 port 1645
        EAP-Message =
0x010a002b19001703010020ba7c2227f17381def4ec6006850ae086b0697cdfc41e97ee94d231ccdd551274
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x12d3382015d92152159f345e3e0c333a
Finished request 7.
Going to the next request
Waking up in 2.4 seconds.
rad_recv: Access-Request packet from host 192.168.10.31 port 1645,
id=189, length=216
        User-Name = "anonymous"
        Framed-MTU = 1400
        Called-Station-Id = "64a0.e729.b890"
        Calling-Station-Id = "1c65.9d32.fb68"
        Service-Type = Login-User
        Message-Authenticator = 0x4f5e68f91a36294046965c597972916c
        EAP-Message =
0x020a005019001703010020a4743668f0e6f04dc75a186b4547d127fe87d9ac737598ed00d339bd31eef34a1703010020c4266d8d1399b82aaf4d2dc72f527108219aa6f977d6481102df32ac0c4d6eff
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 799
        NAS-Port-Id = "799"
        State = 0x12d3382015d92152159f345e3e0c333a
        NAS-IP-Address = 192.168.10.31
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 10 length 80
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] EAP type gtc
[peap] Got tunneled request
        EAP-Message = 0x020a000d06723061646b696c6c
server  {
  PEAP: Setting User-Name to marguin2
Sending tunneled request
        EAP-Message = 0x020a000d06723061646b696c6c
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "marguin2"
        State = 0xa2676f99a36d69640cc52013c4080612
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns updated
[suffix] No '@' in User-Name = "marguin2", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 10 length 13
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[ldap] performing user authorization for marguin2
[ldap]  expand: %{Stripped-User-Name} ->
[ldap]  expand: %{User-Name} -> marguin2
[ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=marguin2)
[ldap]  expand: dc=currensee,dc=com -> dc=currensee,dc=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=currensee,dc=com, with filter (uid=marguin2)
[ldap] checking if remote access for marguin2 is allowed by uid
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure
that the user is configured correctly?
[ldap] user marguin2 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/gtc
[eap] processing type gtc
[gtc] +- entering group PAP {...}
[pap] login attempt with password "r0adkill"
[pap] Using CRYPT encryption.
[pap] Passwords don't match
++[pap] returns reject
[eap] Handler failed in EAP/gtc
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
} # server inner-tunnel
[peap] Got tunneled reply code 3
        EAP-Message = 0x040a0004
        Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code 3
        EAP-Message = 0x040a0004
        Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] returns handled
Sending Access-Challenge of id 189 to 192.168.10.31 port 1645
        EAP-Message =
0x010b002b19001703010020bc3ae32e4fe71200cc035272d73d69789a34f8e7c790f035bee17b0980cdf04b
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x12d338201ad82152159f345e3e0c333a
Finished request 8.
Going to the next request
Waking up in 0.8 seconds.
Cleaning up request 4 ID 185 with timestamp +1288
Cleaning up request 5 ID 186 with timestamp +1288
Waking up in 1.0 seconds.
rad_recv: Access-Request packet from host 192.168.10.31 port 1645,
id=190, length=216
        User-Name = "anonymous"
        Framed-MTU = 1400
        Called-Station-Id = "64a0.e729.b890"
        Calling-Station-Id = "1c65.9d32.fb68"
        Service-Type = Login-User
        Message-Authenticator = 0x1688d578dda01e85e46ea3f9a3f33deb
        EAP-Message =
0x020b00501900170301002018a1fc697e05b342b2d81cc8e159577636727020200da90ecd9fc5a854639bd6170301002077d6f24b102100d28f33456f2390219e2ea88229cff0fe978b9df68ac5c60918
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 799
        NAS-Port-Id = "799"
        State = 0x12d338201ad82152159f345e3e0c333a
        NAS-IP-Address = 192.168.10.31
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 11 length 80
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Received EAP-TLV response.
[peap]  Had sent TLV failure.  User was rejected earlier in this session.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> anonymous
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 9 for 1 seconds
Going to the next request
Waking up in 0.2 seconds.
Cleaning up request 6 ID 187 with timestamp +1289
Waking up in 0.7 seconds.
Sending delayed reject for request 9
Sending Access-Reject of id 190 to 192.168.10.31 port 1645
        EAP-Message = 0x040b0004
        Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 0.8 seconds.
Cleaning up request 7 ID 188 with timestamp +1291
Waking up in 1.5 seconds.
Cleaning up request 8 ID 189 with timestamp +1293
Waking up in 2.6 seconds.
Cleaning up request 9 ID 190 with timestamp +1294
Ready to process requests.



-- 
Matthew Arguin
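The PEAP inner-tunnel exchange in the trace above, decoded by an added Python helper that is not part of the original post or of FreeRADIUS; it assumes only the EAP header layout (code, id, 16-bit length, type) and the "[peap] Got tunneled ..." line format radiusd -X prints. It shows the inner client NAKing the MSCHAPv2 challenge in favour of GTC, after which the password reaches the pap module in clear text, which is why the "no known good password" warning matters.

```python
"""Decode the EAP-Message attributes in a FreeRADIUS `radiusd -X` trace.

Added example; not part of the original post or of FreeRADIUS.  Assumes
only the RFC 3748 EAP header (code, id, 16-bit length, type) and the
"[peap] Got tunneled ..." debug lines seen in the trace above.
"""
import re

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 6: "GTC", 13: "TLS", 25: "PEAP", 26: "MSCHAPv2"}
RADIUS_CODES = {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}


def decode_eap(hexstr):
    """Decode one EAP packet given as the 0x... hex string radiusd prints."""
    raw = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    if len(raw) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, ident = raw[0], raw[1]
    length = int.from_bytes(raw[2:4], "big")
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    # Long EAP-TLS records are split over several EAP-Message attributes and
    # only the first piece carries the header, so flag anything partial.
    pkt["fragment"] = length != len(raw)
    if code in (1, 2) and len(raw) >= 5:
        eap_type = raw[4]
        pkt["type"] = EAP_TYPES.get(eap_type, eap_type)
        data = raw[5:length]
        if eap_type == 3:                      # Nak: data lists the wanted type(s)
            pkt["wants"] = [EAP_TYPES.get(b, b) for b in data]
        elif eap_type == 1 or (eap_type == 6 and code == 1):
            pkt["text"] = data.decode("ascii", "replace")   # identity / GTC prompt
        elif eap_type == 6:
            # A GTC Response is the user's password in clear text inside the
            # TLS tunnel; radiusd -X prints it, so a tool should not echo it.
            pkt["secret_len"] = len(data)
        else:
            pkt["data_len"] = len(data)
    return pkt


def tunneled_exchange(trace):
    """Return the decoded EAP packets that crossed the PEAP inner tunnel."""
    # radiusd wraps long attributes onto the next line; re-join them first
    trace = re.sub(r"EAP-Message =\n\s*(0x)", r"EAP-Message = \1", trace)
    exchange, pending = [], None
    for line in trace.splitlines():
        s = line.strip()
        m = re.match(r"\[peap\] Got tunneled reply code (\d+)$", s)
        if s == "[peap] Got tunneled request":
            pending = {"direction": "client->server"}
        elif m:   # the duplicate "reply RADIUS code" line is deliberately skipped
            rc = int(m.group(1))
            pending = {"direction": "server->client",
                       "radius": RADIUS_CODES.get(rc, rc)}
        elif pending is not None and s.startswith("EAP-Message = 0x"):
            pkt = decode_eap(s.split("= ", 1)[1])
            pkt.update(pending)
            exchange.append(pkt)
            pending = None
    return exchange


def summarize(exchange):
    """One human-readable line per tunneled packet (passwords never shown)."""
    out = []
    for p in exchange:
        desc = f"{p['direction']}: {p['code']} id={p['id']}"
        for key in ("radius", "type", "wants", "text", "secret_len"):
            if key in p:
                desc += f" {key}={p[key]!r}"
        out.append(desc)
    return out


# Constructed sample: the inner-tunnel lines copied from the trace above,
# including one attribute wrapped onto the next line as radiusd prints it.
SAMPLE_TRACE = """\
[peap] Got tunneled request
        EAP-Message = 0x0208000d016d61726775696e32
[peap] Got tunneled reply code 11
        EAP-Message =
0x010900221a0109001d105c038f58bcb3c4fc977d39febd11f16c6d61726775696e32
[peap] Got tunneled reply RADIUS code 11
        EAP-Message =
0x010900221a0109001d105c038f58bcb3c4fc977d39febd11f16c6d61726775696e32
[peap] Got tunneled request
        EAP-Message = 0x020900060306
[peap] Got tunneled reply code 11
        EAP-Message = 0x010a000f0650617373776f72643a20
[peap] Got tunneled request
        EAP-Message = 0x020a000d06723061646b696c6c
[peap] Got tunneled reply code 3
        EAP-Message = 0x040a0004
"""

if __name__ == "__main__":
    for line in summarize(tunneled_exchange(SAMPLE_TRACE)):
        print(line)
```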