PEAP Authentication Problems with Windows Users

Jacob Dawson dawson at vt.edu
Tue Sep 6 17:07:10 CEST 2011


Anyone have any thoughts on where I need to poke at this thing?  I'm about at the limits of my ability to figure out what's going wrong.

- Jacob

On 29 Aug 2011, at 17:28, Jacob Dawson wrote:

> We're having an odd problem here, and I just can't pin down quite where to look to fix it.  We use PEAP-MSCHAPv2 for authentication of our windows domain users on wireless.  This is accomplished by terminating the TLS conversation at FreeRADIUS and sending along the MSCHAP conversation to an IAS server. We've tested this in the past, and it's worked fine, and we're doing a modified form of this in production, and it's working fine, but I've lately been unable to get it to work in our pre-production 2.1.11 environment.  What's particularly odd is that it's only affecting the Windows clients.  My OS X client doing PEAP with the same credentials is happy.
> 
> What we're doing in production, which continues to work, is this:
> We terminate TLS at FreeRADIUS.  This allows us to manage the wireless service certificate there, keeps the IAS operators from having to keep up with it.
> We proxy the MSCHAP conversation to our OpenRADIUS server (which is also running and interacting with TACACS).
> OpenRADIUS proxies the CHAP stuff to IAS.  It may be tinkering with the MSCHAP fields from IAS to make them more compatible (basically changing out the secrets because it's standing in the middle).
> Successful authentication then percolates back through the chain and the user is happy.
> 
> In pre-production, it looks like this:
> Request comes in from Windows client, is recognized to be a Domain authentication request, gets proxied to an FR virtual server.
> Said virtual server gets it, processes the TLS and terminates it, and proxies the MSCHAP conversation to IAS.
> IAS does its MSCHAP thing, accepts the user.
> Access-Accept percolates back up through the chain.  We send an access challenge, the user sends an Access request, and FR says the user said something weird, so it's rejecting them.
> 
> Request comes in from non-windows client, is recognized to be Domain authentication request, gets proxied to an FR virtual server
> Said virtual server gets it, processes the TLS and terminates it, and proxies the MSCHAP conversation to IAS.
> IAS does its MSCHAP thing, accepts the user.
> Access-Accept percolates back up through the chain.  We send an access challenge, the user sends an Access request, and FR says everything's fine, user gets Access-Accept.
> 
> Thoughts on where I need to look?  I can't parse out what's happening to cause a response to be invalid for Windows users but not for, say, Mac users.  Our initial guess here is that the Windows clients are looking at the MPPE keys, and are unhappy about them, whereas the Mac clients are not, though we suspect neither set of clients requires them.
> 
> Posting relevant bits of debug output below.
> 
> Thanks much,
> Jacob M. Dawson
> 
> ---------
> 
> Pre-production failure:
> rad_recv: Access-Request packet from host 198.82.171.153 port 32768, id=138, length=293
> 	User-Name = "HOKIES\\dawson"
> 	Calling-Station-Id = "00-1d-e0-90-5f-db"
> 	Called-Station-Id = "00-21-55-4d-c4-40:CNS-Test"
> 	NAS-Port = 29
> 	NAS-IP-Address = 198.82.171.153
> 	NAS-Identifier = "cas-6509-3.wsm8b"
> 	Airespace-Wlan-Id = 17
> 	Service-Type = Framed-User
> 	Framed-MTU = 1300
> 	NAS-Port-Type = Wireless-802.11
> 	Tunnel-Type:0 = VLAN
> 	Tunnel-Medium-Type:0 = IEEE-802
> 	Tunnel-Private-Group-Id:0 = "1381"
> 	EAP-Message = 0x020b005f19001703010054bdd79574acfa8744908880dfa66a9e861f5fff5d2b3b7e387679b867704afa60476df6cc1ac0f30d92a4dc753cebb4bc4e71f4e0bc4db75534ab2403ec993619f05ad02497597deaa193debe78641e14b4718e84
> 	State = 0x5b4a8e485341972bae816e794759d3ea
> 	Message-Authenticator = 0xc234d7f3f04c9d023687fd78e4d5c9da
> (75) # Executing section authorize from file /usr/local/freeradius-2.1.11/etc/raddb/sites-enabled/default
> (75)   group authorize {
> (75)  - entering group authorize {...}
> (75)    policy split_username_prefix {
> (75)   - entering policy split_username_prefix {...}
> (75)    ? if (request:User-Name =~ /^([a-z]+)[\\\/]+([-a-z0-9_.]+)$/i)
> (75) ? Evaluating (request:User-Name =~ /^([a-z]+)[\\\/]+([-a-z0-9_.]+)$/i) -> TRUE
> (75)    ? if (request:User-Name =~ /^([a-z]+)[\\\/]+([-a-z0-9_.]+)$/i) -> TRUE
> (75)     if (request:User-Name =~ /^([a-z]+)[\\\/]+([-a-z0-9_.]+)$/i) {
> (75)    - entering if (request:User-Name =~ /^([a-z]+)[\\\/]+([-a-z0-9_.]+)$/i) {...}
> (75)     update request {
> (75) 	expand: %{2} -> dawson
> (75) 	expand: %{1} -> HOKIES
> (75)     } # update request = notfound
> (75)     [updated] = updated
> (75)    - if (request:User-Name =~ /^([a-z]+)[\\\/]+([-a-z0-9_.]+)$/i) returns updated
> (75)     ... skipping else for request 75: Preceding "if" was taken
> (75)   - policy split_username_prefix returns updated
> (75)    policy split_username_suffix {
> (75)   - entering policy split_username_suffix {...}
> (75)    ? if (request:User-Name =~ /^([^@]*)@([-[:alnum:]]+\.[-[:alnum:].]+)$/i)
> (75) ? Evaluating (request:User-Name =~ /^([^@]*)@([-[:alnum:]]+\.[-[:alnum:].]+)$/i) -> FALSE
> (75)    ? if (request:User-Name =~ /^([^@]*)@([-[:alnum:]]+\.[-[:alnum:].]+)$/i) -> FALSE
> (75)     else else {
> (75)    - entering else else {...}
> (75)     [noop] = noop
> (75)    - else else returns noop
> (75)   - policy split_username_suffix returns noop
> (75)   [preprocess] = ok
> (75) auth_log : 	expand: /usr/local/freeradius-2.1.11/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /usr/local/freeradius-2.1.11/var/log/radius/radacct/198.82.171.153/auth-detail-20110823
> (75) auth_log : /usr/local/freeradius-2.1.11/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/freeradius-2.1.11/var/log/radius/radacct/198.82.171.153/auth-detail-20110823
> (75) auth_log : 	expand: %t -> Tue Aug 23 10:40:16 2011
> (75)   [auth_log] = ok
> rlm_perl: Added pair NAS-Port-Type = Wireless-802.11
> rlm_perl: Added pair Service-Type = Framed-User
> rlm_perl: Added pair Tunnel-Type = VLAN
> rlm_perl: Added pair State = 0x5b4a8e485341972bae816e794759d3ea
> rlm_perl: Added pair Called-Station-Id = 00-21-55-4d-c4-40:CNS-Test
> rlm_perl: Added pair Message-Authenticator = 0xc234d7f3f04c9d023687fd78e4d5c9da
> rlm_perl: Added pair Airespace-Wlan-Id = 17
> rlm_perl: Added pair Stripped-User-Domain = HOKIES
> rlm_perl: Added pair NAS-IP-Address = 198.82.171.153
> rlm_perl: Added pair Tunnel-Private-Group-Id = 1381
> rlm_perl: Added pair Tunnel-Medium-Type = IEEE-802
> rlm_perl: Added pair Calling-Station-Id = 00-1d-e0-90-5f-db
> rlm_perl: Added pair User-Name = HOKIES\\dawson
> rlm_perl: Added pair NAS-Identifier = cas-6509-3.wsm8b
> rlm_perl: Added pair EAP-Message = 0x020b005f19001703010054bdd79574acfa8744908880dfa66a9e861f5fff5d2b3b7e387679b867704afa60476df6cc1ac0f30d92a4dc753cebb4bc4e71f4e0bc4db75534ab2403ec993619f05ad02497597deaa193debe78641e14b4718e84
> rlm_perl: Added pair Stripped-User-Name = dawson
> rlm_perl: Added pair NAS-Port = 29
> rlm_perl: Added pair Framed-MTU = 1300
> (75)   [perl] = noop
> (75)   ? if ("%{Stripped-User-Domain}" != "HOKIES")
> (75) 	expand: %{Stripped-User-Domain} -> HOKIES
> (75) ? Evaluating ("%{Stripped-User-Domain}" != "HOKIES") -> FALSE
> (75)   ? if ("%{Stripped-User-Domain}" != "HOKIES") -> FALSE
> (75) eap : EAP packet type response id 11 length 95
> (75) eap : Continuing tunnel setup.
> (75)   [eap] = ok
> (75) Found Auth-Type = ?
> (75) # Executing group from file /usr/local/freeradius-2.1.11/etc/raddb/sites-enabled/default
> (75)   group authenticate {
> (75)  - entering group authenticate {...}
> (75) eap : Request found, released from the list
> (75) eap : EAP/peap
> (75) eap : processing type peap
> (75) peap : processing EAP-TLS
> (75) peap : eaptls_verify returned 7 
> (75) peap : Done initial handshake
> (75) peap : eaptls_process returned 7 
> (75) peap : FR_TLS_OK
> (75) peap : Session established.  Decoding tunneled attributes.
> (75) peap : Peap state phase2
> (75) peap : EAP type mschapv2
> (75) peap : Got tunneled request
> 	EAP-Message = 0x020b00481a020b004331bf4d439d3028cbdba8fff532c04f1cf60000000000000000bee44f94acbe708a682535adc0505e56a87462580576d06600484f4b4945535c646177736f6e
> server  {
> (75) peap : Setting User-Name to HOKIES\dawson
> Sending tunneled request
> 	EAP-Message = 0x020b00481a020b004331bf4d439d3028cbdba8fff532c04f1cf60000000000000000bee44f94acbe708a682535adc0505e56a87462580576d06600484f4b4945535c646177736f6e
> 	FreeRADIUS-Proxied-To = 127.0.0.1
> 	User-Name = "HOKIES\\dawson"
> 	State = 0x21ebcfee21e0d5ab22fbf5cfb29bfd25
> 	NAS-Port-Type = Wireless-802.11
> 	Service-Type = Framed-User
> 	Tunnel-Type:0 = VLAN
> 	Called-Station-Id = "00-21-55-4d-c4-40:CNS-Test"
> 	NAS-IP-Address = 198.82.171.153
> 	Tunnel-Private-Group-Id:0 = "1381"
> 	Tunnel-Medium-Type:0 = IEEE-802
> 	Calling-Station-Id = "00-1d-e0-90-5f-db"
> 	NAS-Identifier = "cas-6509-3.wsm8b"
> 	NAS-Port = 29
> 	Framed-MTU = 1300
> server proxy-inner-tunnel {
> (75) # Executing section authorize from file /usr/local/freeradius-2.1.11/etc/raddb/sites-enabled/proxy-inner-tunnel
> (75)   group authorize {
> (75)  - entering group authorize {...}
> (75)   ? if ("%{User-Name}" =~ /^(host\/.*)$/)
> (75) 	expand: %{User-Name} -> HOKIES\dawson
> (75) ? Evaluating ("%{User-Name}" =~ /^(host\/.*)$/) -> FALSE
> (75)   ? if ("%{User-Name}" =~ /^(host\/.*)$/) -> FALSE
> (75)    else else {
> (75)   - entering else else {...}
> (75)    update control {
> (75)    } # update control = notfound
> (75)   - else else returns notfound
> } # server proxy-inner-tunnel
> (75) peap : Got tunneled reply code 0
>  PEAP: Calling authenticate in order to initiate tunneled EAP session.
> (75) # Executing group from file /usr/local/freeradius-2.1.11/etc/raddb/sites-enabled/proxy-inner-tunnel
> (75)   group authenticate {
> (75)  - entering group authenticate {...}
> (75) eap : Request found, released from the list
> (75) eap : EAP/mschapv2
> (75) eap : processing type mschapv2
> rlm_eap_mschapv2: cancelling authentication and letting it be proxied
> (75) eap :   Not-EAP proxy set.  Not composing EAP
> (75)   [eap] = handled
>  PEAP: Tunneled authentication will be proxied to DomainUser
>  PEAP: Remembering to do EAP-MS-CHAP-V2 post-proxy.
> (75) eap :   Tunneled session will be proxied.  Not doing EAP.
> (75)   [eap] = handled
> (75)   WARNING: Empty pre-proxy section.  Using default return values.
> Sending Access-Request of id 161 to 198.82.160.219 port 1812
> 	User-Name = "HOKIES\\dawson"
> 	NAS-Port-Type = Wireless-802.11
> 	Service-Type = Framed-User
> 	Tunnel-Type:0 = VLAN
> 	Called-Station-Id = "00-21-55-4d-c4-40:CNS-Test"
> 	NAS-IP-Address = 198.82.171.153
> 	Tunnel-Private-Group-Id:0 = "1381"
> 	Tunnel-Medium-Type:0 = IEEE-802
> 	Calling-Station-Id = "00-1d-e0-90-5f-db"
> 	NAS-Identifier = "cas-6509-3.wsm8b"
> 	NAS-Port = 29
> 	Framed-MTU = 1300
> 	MS-CHAP-Challenge = 0xd3827513a357a99d4eb9a5c87a716418
> 	MS-CHAP2-Response = 0x0b4fbf4d439d3028cbdba8fff532c04f1cf60000000000000000bee44f94acbe708a682535adc0505e56a87462580576d066
> 	Proxy-State = 0x313338
> (75) Proxying request to home server 198.82.160.219 port 1812
> Sending Access-Request of id 161 to 198.82.160.219 port 1812
> 	User-Name = "HOKIES\\dawson"
> 	NAS-Port-Type = Wireless-802.11
> 	Service-Type = Framed-User
> 	Tunnel-Type:0 = VLAN
> 	Called-Station-Id = "00-21-55-4d-c4-40:CNS-Test"
> 	NAS-IP-Address = 198.82.171.153
> 	Tunnel-Private-Group-Id:0 = "1381"
> 	Tunnel-Medium-Type:0 = IEEE-802
> 	Calling-Station-Id = "00-1d-e0-90-5f-db"
> 	NAS-Identifier = "cas-6509-3.wsm8b"
> 	NAS-Port = 29
> 	Framed-MTU = 1300
> 	MS-CHAP-Challenge = 0xd3827513a357a99d4eb9a5c87a716418
> 	MS-CHAP2-Response = 0x0b4fbf4d439d3028cbdba8fff532c04f1cf60000000000000000bee44f94acbe708a682535adc0505e56a87462580576d066
> 	Proxy-State = 0x313338
> Waking up in 0.2 seconds.
> rad_recv: Access-Accept packet from host 198.82.160.219 port 1812, id=161, length=219
> DEBUG: Compare b472204 to calculated digest f796ca40, secret temporaryS3CR3T
> 	Proxy-State = 0x313338
> 	Framed-Protocol = PPP
> 	Service-Type = Framed-User
> 	Class = 0x6538078a000001370001c652a0db01cc5476fe414ece0000000000004586
> 	MS-MPPE-Recv-Key = 0x7208bb9a9555b125d123303ac3db12a1
> 	MS-MPPE-Send-Key = 0x0cd6218a695a558ade111bcd7b05cfc2
> 	MS-CHAP2-Success = 0x0b533d32434230433038364541464632333233453842414534314643443231333130453939354641454134
> 	MS-CHAP-Domain = "\013HOKIES"
> (75) # Executing section post-proxy from file /usr/local/freeradius-2.1.11/etc/raddb/sites-enabled/default
> (75)   group post-proxy {
> (75)  - entering group post-proxy {...}
> (75) eap : Doing post-proxy callback
> (75) eap : Passing reply from proxy back into the tunnel.
> server proxy-inner-tunnel {
> (75) eap : Passing reply back for EAP-MS-CHAP-V2
> (75) # Executing section post-proxy from file /usr/local/freeradius-2.1.11/etc/raddb/sites-enabled/proxy-inner-tunnel
> (75)   group post-proxy {
> (75)  - entering group post-proxy {...}
> (75)   [eap] = noop
> (75)   WARNING: Empty post-auth section.  Using default return values.
> } # server proxy-inner-tunnel
> (75) eap : Final reply from tunneled session code 2
> 	Proxy-State = 0x313338
> 	Framed-Protocol = PPP
> 	Service-Type = Framed-User
> 	Class = 0x6538078a000001370001c652a0db01cc5476fe414ece0000000000004586
> 	MS-MPPE-Recv-Key = 0x7208bb9a9555b125d123303ac3db12a1
> 	MS-MPPE-Send-Key = 0x0cd6218a695a558ade111bcd7b05cfc2
> 	MS-CHAP2-Success = 0x0b533d32434230433038364541464632333233453842414534314643443231333130453939354641454134
> 	MS-CHAP-Domain = "\013HOKIES"
> (75) eap : Got reply 2
> (75) eap : Got tunneled reply RADIUS code 2
> 	Proxy-State = 0x313338
> 	Framed-Protocol = PPP
> 	Service-Type = Framed-User
> 	Class = 0x6538078a000001370001c652a0db01cc5476fe414ece0000000000004586
> 	MS-MPPE-Recv-Key = 0x7208bb9a9555b125d123303ac3db12a1
> 	MS-MPPE-Send-Key = 0x0cd6218a695a558ade111bcd7b05cfc2
> 	MS-CHAP2-Success = 0x0b533d32434230433038364541464632333233453842414534314643443231333130453939354641454134
> 	MS-CHAP-Domain = "\013HOKIES"
> (75) eap : Tunneled authentication was successful.
> (75) eap : SUCCESS
> (75) eap : Reply was handled
> (75)   [eap] = ok
> (75) Found Auth-Type = ?
> (75) Found Auth-Type = ?
> (75) Warning:  Found 2 auth-types on request for user 'HOKIES\dawson'
> (75) Auth-Type = Accept, accepting the user
> (75) Login OK: [HOKIES\\dawson] (from client 198.82.171.153 port 29 cli 00-1d-e0-90-5f-db)
> (75) # Executing section post-auth from file /usr/local/freeradius-2.1.11/etc/raddb/sites-enabled/default
> (75)   group post-auth {
> (75)  - entering group post-auth {...}
> (75)   [exec] = noop
> Sending Access-Challenge of id 138 to 198.82.171.153 port 32768
> 	EAP-Message = 0x010c00261900170301001b0167b434a0313cb3f29b20e1f731efe3d173083c964cda1451135a
> 	Message-Authenticator = 0x00000000000000000000000000000000
> 	State = 0x5b4a8e485246972bae816e794759d3ea
> (75) Finished request 75.
> Waking up in 0.2 seconds.
> rad_recv: Access-Request packet from host 198.82.171.153 port 32768, id=139, length=236
> 	User-Name = "HOKIES\\dawson"
> 	Calling-Station-Id = "00-1d-e0-90-5f-db"
> 	Called-Station-Id = "00-21-55-4d-c4-40:CNS-Test"
> 	NAS-Port = 29
> 	NAS-IP-Address = 198.82.171.153
> 	NAS-Identifier = "cas-6509-3.wsm8b"
> 	Airespace-Wlan-Id = 17
> 	Service-Type = Framed-User
> 	Framed-MTU = 1300
> 	NAS-Port-Type = Wireless-802.11
> 	Tunnel-Type:0 = VLAN
> 	Tunnel-Medium-Type:0 = IEEE-802
> 	Tunnel-Private-Group-Id:0 = "1381"
> 	EAP-Message = 0x020c00261900170301001b00dae368dd150e9d42e0c8888cb128e6ecc520b887a849a8a1d743
> 	State = 0x5b4a8e485246972bae816e794759d3ea
> 	Message-Authenticator = 0x26b42d72271f1819599977a28920622f
> (76) # Executing section authorize from file /usr/local/freeradius-2.1.11/etc/raddb/sites-enabled/default
> (76)   group authorize {
> (76)  - entering group authorize {...}
> (76)    policy split_username_prefix {
> (76)   - entering policy split_username_prefix {...}
> (76)    ? if (request:User-Name =~ /^([a-z]+)[\\\/]+([-a-z0-9_.]+)$/i)
> (76) ? Evaluating (request:User-Name =~ /^([a-z]+)[\\\/]+([-a-z0-9_.]+)$/i) -> TRUE
> (76)    ? if (request:User-Name =~ /^([a-z]+)[\\\/]+([-a-z0-9_.]+)$/i) -> TRUE
> (76)     if (request:User-Name =~ /^([a-z]+)[\\\/]+([-a-z0-9_.]+)$/i) {
> (76)    - entering if (request:User-Name =~ /^([a-z]+)[\\\/]+([-a-z0-9_.]+)$/i) {...}
> (76)     update request {
> (76) 	expand: %{2} -> dawson
> (76) 	expand: %{1} -> HOKIES
> (76)     } # update request = notfound
> (76)     [updated] = updated
> (76)    - if (request:User-Name =~ /^([a-z]+)[\\\/]+([-a-z0-9_.]+)$/i) returns updated
> (76)     ... skipping else for request 76: Preceding "if" was taken
> (76)   - policy split_username_prefix returns updated
> (76)    policy split_username_suffix {
> (76)   - entering policy split_username_suffix {...}
> (76)    ? if (request:User-Name =~ /^([^@]*)@([-[:alnum:]]+\.[-[:alnum:].]+)$/i)
> (76) ? Evaluating (request:User-Name =~ /^([^@]*)@([-[:alnum:]]+\.[-[:alnum:].]+)$/i) -> FALSE
> (76)    ? if (request:User-Name =~ /^([^@]*)@([-[:alnum:]]+\.[-[:alnum:].]+)$/i) -> FALSE
> (76)     else else {
> (76)    - entering else else {...}
> (76)     [noop] = noop
> (76)    - else else returns noop
> (76)   - policy split_username_suffix returns noop
> (76)   [preprocess] = ok
> (76) auth_log : 	expand: /usr/local/freeradius-2.1.11/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /usr/local/freeradius-2.1.11/var/log/radius/radacct/198.82.171.153/auth-detail-20110823
> (76) auth_log : /usr/local/freeradius-2.1.11/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/freeradius-2.1.11/var/log/radius/radacct/198.82.171.153/auth-detail-20110823
> (76) auth_log : 	expand: %t -> Tue Aug 23 10:40:16 2011
> (76)   [auth_log] = ok
> rlm_perl: Added pair NAS-Port-Type = Wireless-802.11
> rlm_perl: Added pair Service-Type = Framed-User
> rlm_perl: Added pair Tunnel-Type = VLAN
> rlm_perl: Added pair State = 0x5b4a8e485246972bae816e794759d3ea
> rlm_perl: Added pair Called-Station-Id = 00-21-55-4d-c4-40:CNS-Test
> rlm_perl: Added pair Message-Authenticator = 0x26b42d72271f1819599977a28920622f
> rlm_perl: Added pair Airespace-Wlan-Id = 17
> rlm_perl: Added pair Stripped-User-Domain = HOKIES
> rlm_perl: Added pair NAS-IP-Address = 198.82.171.153
> rlm_perl: Added pair Tunnel-Private-Group-Id = 1381
> rlm_perl: Added pair Tunnel-Medium-Type = IEEE-802
> rlm_perl: Added pair Calling-Station-Id = 00-1d-e0-90-5f-db
> rlm_perl: Added pair User-Name = HOKIES\\dawson
> rlm_perl: Added pair NAS-Identifier = cas-6509-3.wsm8b
> rlm_perl: Added pair EAP-Message = 0x020c00261900170301001b00dae368dd150e9d42e0c8888cb128e6ecc520b887a849a8a1d743
> rlm_perl: Added pair Stripped-User-Name = dawson
> rlm_perl: Added pair NAS-Port = 29
> rlm_perl: Added pair Framed-MTU = 1300
> (76)   [perl] = noop
> (76)   ? if ("%{Stripped-User-Domain}" != "HOKIES")
> (76) 	expand: %{Stripped-User-Domain} -> HOKIES
> (76) ? Evaluating ("%{Stripped-User-Domain}" != "HOKIES") -> FALSE
> (76)   ? if ("%{Stripped-User-Domain}" != "HOKIES") -> FALSE
> (76) eap : EAP packet type response id 12 length 38
> (76) eap : Continuing tunnel setup.
> (76)   [eap] = ok
> (76) Found Auth-Type = ?
> (76) # Executing group from file /usr/local/freeradius-2.1.11/etc/raddb/sites-enabled/default
> (76)   group authenticate {
> (76)  - entering group authenticate {...}
> (76) eap : Request found, released from the list
> (76) eap : EAP/peap
> (76) eap : processing type peap
> (76) peap : processing EAP-TLS
> (76) peap : eaptls_verify returned 7 
> (76) peap : Done initial handshake
> (76) peap : eaptls_process returned 7 
> (76) peap : FR_TLS_OK
> (76) peap : Session established.  Decoding tunneled attributes.
> (76) peap : Peap state send tlv success
> (76) peap : Received EAP-TLV response.
> (76) peap : Client rejected our response.  The password is probably incorrect.
> (76) peap : We sent a success, but received something weird in return.
> (76) eap : Handler failed in EAP/peap
> (76) eap : Failed in EAP select
> (76)   [eap] = invalid
> (76) Failed to authenticate the user.
> (76) Login incorrect: [HOKIES\\dawson] (from client 198.82.171.153 port 29 cli 00-1d-e0-90-5f-db)
> (76) Using Post-Auth-Type Reject
> (76) # Executing group from file /usr/local/freeradius-2.1.11/etc/raddb/sites-enabled/default
> (76)   group REJECT {
> (76)  - entering group REJECT {...}
> (76) attr_filter.access_reject : 	expand: %{User-Name} -> HOKIES\dawson
> attr_filter: Matched entry DEFAULT at line 11
> (76)   [attr_filter.access_reject] = updated
> (76) Finished request 76.
> Waking up in 0.2 seconds.
> Waking up in 0.6 seconds.
> (76) Sending delayed reject
> Sending Access-Reject of id 139 to 198.82.171.153 port 32768
> 	EAP-Message = 0x040c0004
> 	Message-Authenticator = 0x00000000000000000000000000000000
> 
> -----
> 
> Production Success:
> Waking up in 4.9 seconds.
> 	User-Name = "HOKIES\\dawson"
> 	Calling-Station-Id = "00-1d-e0-90-5f-db"
> 	Called-Station-Id = "00-21-55-4d-c4-40:CNS-Test"
> 	NAS-Port = 29
> 	NAS-IP-Address = 198.82.171.153
> 	NAS-Identifier = "cas-6509-3.wsm8b"
> 	Airespace-Wlan-Id = 17
> 	Service-Type = Framed-User
> 	Framed-MTU = 1300
> 	NAS-Port-Type = Wireless-802.11
> 	Tunnel-Type:0 = VLAN
> 	Tunnel-Medium-Type:0 = IEEE-802
> 	Tunnel-Private-Group-Id:0 = "1381"
> 	EAP-Message = 0x020a005f1900170301005499a000fc4d08b0c067d3251047d61b836767466160c386b38d37d4b6c39b07ce3b09c85590c8a923419e6f0ae464ac472050214b71b4d641e06f8a439348319233d622cd7900f8f172726407b0010bcb54c6a1d6
> 	State = 0x764462057e4e7bc59f1c525ed4400d40
> 	Message-Authenticator = 0xd9566738adb17439ce7d7568c8bc8264
> +- entering group authorize
> ++[mschap] returns noop
>  rlm_eap: EAP packet type response id 10 length 95
>  rlm_eap: Continuing tunnel setup.
> ++[eap] returns ok
>  rad_check_password:  Found Auth-Type EAP
> auth: type "EAP"
> +- entering group EAP
>  rlm_eap: Request found, released from the list
>  rlm_eap: EAP/peap
>  rlm_eap: processing type peap
>  rlm_eap_peap: Authenticate
>  rlm_eap_tls: processing TLS
>  eaptls_verify returned 7 
>  rlm_eap_tls: Done initial handshake
>  eaptls_process returned 7 
>  rlm_eap_peap: EAPTLS_OK
>  rlm_eap_peap: Session established.  Decoding tunneled attributes.
>  rlm_eap_peap: EAP type mschapv2
>  PEAP: Setting User-Name to HOKIES\dawson
> +- entering group authorize
> ++? if ("%{User-Name}" =~ /^(host\/.*)$/)
> 	expand: %{User-Name} -> HOKIES\dawson
> ? Evaluating ("%{User-Name}" =~ /^(host\/.*)$/) -> FALSE
> ++? if ("%{User-Name}" =~ /^(host\/.*)$/) -> FALSE
> ++- entering else else
> +++[control] returns notfound
> ++- else else returns notfound
>  PEAP: Calling authenticate in order to initiate tunneled EAP session.
> +- entering group authenticate
>  rlm_eap: Request found, released from the list
>  rlm_eap: EAP/mschapv2
>  rlm_eap: processing type mschapv2
>  Not-EAP proxy set.  Not composing EAP
> ++[eap] returns handled
>  PEAP: Tunneled authentication will be proxied to openradius
>  PEAP: Remembering to do EAP-MS-CHAP-V2 post-proxy.
>  Tunneled session will be proxied.  Not doing EAP.
> ++[eap] returns handled
> +- entering group pre-proxy
>    preproxy_users: Matched entry DEFAULT at line 1
> ++[files] returns ok
> 	User-Name = "HOKIES\\dawson"
> 	Calling-Station-Id = "00-1d-e0-90-5f-db"
> 	Called-Station-Id = "00-21-55-4d-c4-40:CNS-Test"
> 	NAS-Port = 29
> 	NAS-IP-Address := 198.82.247.103
> 	NAS-Identifier = "cas-6509-3.wsm8b"
> 	Airespace-Wlan-Id = 17
> 	Service-Type := Framed-User
> 	Framed-MTU = 1300
> 	NAS-Port-Type := Wireless-802.11
> 	Tunnel-Type:0 = VLAN
> 	Tunnel-Medium-Type:0 = IEEE-802
> 	Tunnel-Private-Group-Id:0 = "1381"
> 	MS-CHAP-Challenge = 0x20760eb105e545d6a131f324c1d30464
> 	MS-CHAP2-Response = 0x0a4f84e590f059f31dc3ca5b621b238582190000000000000000385984c78f91f816edb8f1b279838a0a890bdd6573bac9f7
> 	Proxy-State = 0x323433
> Proxying request 9 to home server 198.82.247.67 port 1812
> 	User-Name = "HOKIES\\dawson"
> 	Calling-Station-Id = "00-1d-e0-90-5f-db"
> 	Called-Station-Id = "00-21-55-4d-c4-40:CNS-Test"
> 	NAS-Port = 29
> 	NAS-IP-Address := 198.82.247.103
> 	NAS-Identifier = "cas-6509-3.wsm8b"
> 	Airespace-Wlan-Id = 17
> 	Service-Type := Framed-User
> 	Framed-MTU = 1300
> 	NAS-Port-Type := Wireless-802.11
> 	Tunnel-Type:0 = VLAN
> 	Tunnel-Medium-Type:0 = IEEE-802
> 	Tunnel-Private-Group-Id:0 = "1381"
> 	MS-CHAP-Challenge = 0x20760eb105e545d6a131f324c1d30464
> 	MS-CHAP2-Response = 0x0a4f84e590f059f31dc3ca5b621b238582190000000000000000385984c78f91f816edb8f1b279838a0a890bdd6573bac9f7
> 	Proxy-State = 0x323433
> Going to the next request
> Waking up in 0.9 seconds.
> 	Framed-Protocol = PPP
> 	Service-Type = Framed-User
> 	MS-MPPE-Recv-Key = 0xe32365fe45921738025084f44fd7822a
> 	MS-MPPE-Send-Key = 0xf65c13fbcd70a80768ea868ec27085ff
> 	MS-CHAP2-Success = 0x0a533d46333146313034313438374339373131303542344546363341364339333146344135424141383434
> 	MS-CHAP-Domain = "\nHOKIES"
> +- entering group post-proxy
>  rlm_eap: Doing post-proxy callback
>  PEAP: Passing reply from proxy back into the tunnel.
>  PEAP: Passing reply back for EAP-MS-CHAP-V2
> +- entering group post-proxy
>  rlm_eap: Doing post-proxy callback
>  rlm_eap_mschapv2: Passing reply from proxy back into the tunnel 0x1cd469a0 2.
>  rlm_eap_mschapv2: Authentication succeeded.
> MSCHAP Success 
> ++[eap] returns ok
> PEAP: Got reply 11
>  PEAP: Got tunneled Access-Challenge
>  PEAP: Reply was handled
> ++[eap] returns ok
> 	EAP-Message = 0x010b004a1900170301003f084cf62c48fb9b9e951aa3801c9a88bbe2078c7a667df320929296299bdff2863bf8572a744dac5d9409953cda9855feca24aa24b8205677fbf3f7e3767f36
> 	Message-Authenticator = 0x00000000000000000000000000000000
> 	State = 0x764462057f4f7bc59f1c525ed4400d40
> Finished request 9.
> Going to the next request
> Waking up in 4.9 seconds.
> 	User-Name = "HOKIES\\dawson"
> 	Calling-Station-Id = "00-1d-e0-90-5f-db"
> 	Called-Station-Id = "00-21-55-4d-c4-40:CNS-Test"
> 	NAS-Port = 29
> 	NAS-IP-Address = 198.82.171.153
> 	NAS-Identifier = "cas-6509-3.wsm8b"
> 	Airespace-Wlan-Id = 17
> 	Service-Type = Framed-User
> 	Framed-MTU = 1300
> 	NAS-Port-Type = Wireless-802.11
> 	Tunnel-Type:0 = VLAN
> 	Tunnel-Medium-Type:0 = IEEE-802
> 	Tunnel-Private-Group-Id:0 = "1381"
> 	EAP-Message = 0x020b001d19001703010012091d2f1089b72dd14c76daf331c2dc4de167
> 	State = 0x764462057f4f7bc59f1c525ed4400d40
> 	Message-Authenticator = 0xee39bc3d804727c33f69fc7d8172d2bf
> +- entering group authorize
> ++[mschap] returns noop
>  rlm_eap: EAP packet type response id 11 length 29
>  rlm_eap: Continuing tunnel setup.
> ++[eap] returns ok
>  rad_check_password:  Found Auth-Type EAP
> auth: type "EAP"
> +- entering group EAP
>  rlm_eap: Request found, released from the list
>  rlm_eap: EAP/peap
>  rlm_eap: processing type peap
>  rlm_eap_peap: Authenticate
>  rlm_eap_tls: processing TLS
>  eaptls_verify returned 7 
>  rlm_eap_tls: Done initial handshake
>  eaptls_process returned 7 
>  rlm_eap_peap: EAPTLS_OK
>  rlm_eap_peap: Session established.  Decoding tunneled attributes.
>  rlm_eap_peap: EAP type mschapv2
>  PEAP: Setting User-Name to HOKIES\dawson
> +- entering group authorize
> ++? if ("%{User-Name}" =~ /^(host\/.*)$/)
> 	expand: %{User-Name} -> HOKIES\dawson
> ? Evaluating ("%{User-Name}" =~ /^(host\/.*)$/) -> FALSE
> ++? if ("%{User-Name}" =~ /^(host\/.*)$/) -> FALSE
> ++- entering else else
> +++[control] returns notfound
> ++- else else returns notfound
>  PEAP: Calling authenticate in order to initiate tunneled EAP session.
> +- entering group authenticate
>  rlm_eap: Request found, released from the list
>  rlm_eap: EAP/mschapv2
>  rlm_eap: processing type mschapv2
>  rlm_eap: Freeing handler
> ++[eap] returns ok
>  PEAP: Tunneled authentication was successful.
>  rlm_eap_peap: SUCCESS
> ++[eap] returns handled
> 	EAP-Message = 0x010c00261900170301001badffc5c8196273037ffc5ae8b421cb5a11d4cdbf3d67e521a2dd10
> 	Message-Authenticator = 0x00000000000000000000000000000000
> 	State = 0x764462057c487bc59f1c525ed4400d40
> Finished request 10.
> Going to the next request
> Waking up in 4.9 seconds.
> 	User-Name = "HOKIES\\dawson"
> 	Calling-Station-Id = "00-1d-e0-90-5f-db"
> 	Called-Station-Id = "00-21-55-4d-c4-40:CNS-Test"
> 	NAS-Port = 29
> 	NAS-IP-Address = 198.82.171.153
> 	NAS-Identifier = "cas-6509-3.wsm8b"
> 	Airespace-Wlan-Id = 17
> 	Service-Type = Framed-User
> 	Framed-MTU = 1300
> 	NAS-Port-Type = Wireless-802.11
> 	Tunnel-Type:0 = VLAN
> 	Tunnel-Medium-Type:0 = IEEE-802
> 	Tunnel-Private-Group-Id:0 = "1381"
> 	EAP-Message = 0x020c00261900170301001be252b19386182f2a3d9b6255f0b51007da074f90f732568c1dfbb8
> 	State = 0x764462057c487bc59f1c525ed4400d40
> 	Message-Authenticator = 0xc04ab29e63cd60e30bfd3fed2ba3be09
> +- entering group authorize
> ++[mschap] returns noop
>  rlm_eap: EAP packet type response id 12 length 38
>  rlm_eap: Continuing tunnel setup.
> ++[eap] returns ok
>  rad_check_password:  Found Auth-Type EAP
> auth: type "EAP"
> +- entering group EAP
>  rlm_eap: Request found, released from the list
>  rlm_eap: EAP/peap
>  rlm_eap: processing type peap
>  rlm_eap_peap: Authenticate
>  rlm_eap_tls: processing TLS
>  eaptls_verify returned 7 
>  rlm_eap_tls: Done initial handshake
>  eaptls_process returned 7 
>  rlm_eap_peap: EAPTLS_OK
>  rlm_eap_peap: Session established.  Decoding tunneled attributes.
>  rlm_eap_peap: Received EAP-TLV response.
>  rlm_eap_peap: Success
>  rlm_eap: Freeing handler
> ++[eap] returns ok
> perl_pool: item 0x17a6e7a0 asigned new request. Handled so far: 1
> found interpetator at address 0x17a6e7a0
> rlm_perl: no serial number; assuming non-TLS authentication
> rlm_perl: Added pair NAS-Port-Type = Wireless-802.11
> rlm_perl: Added pair Service-Type = Framed-User
> rlm_perl: Added pair Tunnel-Type = VLAN
> rlm_perl: Added pair State = 0x764462057c487bc59f1c525ed4400d40
> rlm_perl: Added pair Called-Station-Id = 00-21-55-4d-c4-40:CNS-Test
> rlm_perl: Added pair Message-Authenticator = 0xc04ab29e63cd60e30bfd3fed2ba3be09
> rlm_perl: Added pair Airespace-Wlan-Id = 17
> rlm_perl: Added pair EAP-Type = PEAP
> rlm_perl: Added pair NAS-IP-Address = 198.82.171.153
> rlm_perl: Added pair Tunnel-Private-Group-Id = 1381
> rlm_perl: Added pair Tunnel-Medium-Type = IEEE-802
> rlm_perl: Added pair Calling-Station-Id = 00-1d-e0-90-5f-db
> rlm_perl: Added pair User-Name = HOKIES\\dawson
> rlm_perl: Added pair NAS-Identifier = cas-6509-3.wsm8b
> rlm_perl: Added pair EAP-Message = 0x020c00261900170301001be252b19386182f2a3d9b6255f0b51007da074f90f732568c1dfbb8
> rlm_perl: Added pair NAS-Port = 29
> rlm_perl: Added pair Framed-MTU = 1300
> rlm_perl: Added pair User-Name = HOKIES\\dawson
> rlm_perl: Added pair MS-MPPE-Recv-Key = 0x4e3e827b7fb173dbe293fadd607586b838cd55ae5261090fd483569509a070de
> rlm_perl: Added pair EAP-Message = 0x030c0004
> rlm_perl: Added pair MS-MPPE-Send-Key = 0xb43ef9e36d44d66d205184ee8ca81f0f14e3a52cd254bd27268c7c99f58a18b0
> rlm_perl: Added pair Message-Authenticator = 0x00000000000000000000000000000000
> rlm_perl: Added pair Auth-Type = EAP
> perl_pool total/active/spare [32/0/32]
> Unreserve perl at address 0x17a6e7a0
> ++[perl] returns ok
> Login OK: [HOKIES\\\\dawson/<via Auth-Type = EAP>] (from client cas-6509-3.wsm8b port 29 cli 00-1d-e0-90-5f-db)
> 	User-Name = "HOKIES\\\\dawson"
> 	MS-MPPE-Recv-Key = 0x4e3e827b7fb173dbe293fadd607586b838cd55ae5261090fd483569509a070de
> 	EAP-Message = 0x030c0004
> 	MS-MPPE-Send-Key = 0xb43ef9e36d44d66d205184ee8ca81f0f14e3a52cd254bd27268c7c99f58a18b0
> 	Message-Authenticator = 0x00000000000000000000000000000000
> Finished request 11.
> Going to the next request
> Waking up in 4.9 seconds.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
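The hex payloads in the debug output above can be read without guessing at them. The following is an added example, not code from the post or from FreeRADIUS: decoders for the tunneled EAP-MSCHAPv2 Response, the MS-CHAP2-Success attribute the home server returned, and the outer PEAP/TLS record headers, with the sample values copied from the two traces.

```python
"""Decoders for the EAP-MSCHAPv2 / PEAP payloads radiusd prints as EAP-Message.
Added example, not code from the post or from FreeRADIUS; layouts follow RFC 3748,
draft-kamath-pppext-eap-mschapv2 (EAP type 26) and RFC 2548 2.3.3 (MS-CHAP2-Success)."""
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
MSCHAPV2_OPCODES = {1: "Challenge", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_PEAP, EAP_TYPE_MSCHAPV2 = 25, 26

# Values copied from the traces in the post (pre-production unless noted).
TUNNELED_RESPONSE = "0x020b00481a020b004331bf4d439d3028cbdba8fff532c04f1cf60000000000000000bee44f94acbe708a682535adc0505e56a87462580576d06600484f4b4945535c646177736f6e"
INNER_ACCEPT_SUCCESS = "0x0b533d32434230433038364541464632333233453842414534314643443231333130453939354641454134"
PREPROD_CHALLENGE_AFTER_ACCEPT = "0x010c00261900170301001b0167b434a0313cb3f29b20e1f731efe3d173083c964cda1451135a"
PROD_CHALLENGE_AFTER_ACCEPT = "0x010b004a1900170301003f084cf62c48fb9b9e951aa3801c9a88bbe2078c7a667df320929296299bdff2863bf8572a744dac5d9409953cda9855feca24aa24b8205677fbf3f7e3767f36"


def _unhex(hexstr):
    """Accept the 0x-prefixed form radiusd prints."""
    hexstr = hexstr.strip()
    return bytes.fromhex(hexstr[2:] if hexstr.lower().startswith("0x") else hexstr)


def _eap_header(data):
    if len(data) < 4:
        raise ValueError("EAP header truncated")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError(f"EAP length field {length} != {len(data)} bytes present")
    return {"code": EAP_CODES.get(code, code), "id": ident, "length": length}


def parse_peap_outer(hexstr):
    """Outer EAP-Message: EAP header, PEAP flags and the TLS record header.
    The record body is ciphertext, so only its length is recoverable."""
    data = _unhex(hexstr)
    out = _eap_header(data)
    if out["code"] in ("Success", "Failure") or len(data) < 6:
        return out  # bare EAP Success/Failure carries no type octet
    out["type"], out["flags"] = data[4], data[5]
    if out["type"] != EAP_TYPE_PEAP:
        return out
    offset = 6 + (4 if out["flags"] & 0x80 else 0)  # L bit: 4-byte TLS length
    if len(data) >= offset + 5:
        ctype, major, minor, rec_len = struct.unpack("!BBBH", data[offset:offset + 5])
        out.update(tls_content_type=ctype, tls_version=f"{major}.{minor}",
                   tls_record_len=rec_len)
    return out


def parse_eap_mschapv2(hexstr):
    """Inner (tunneled) EAP-Message carrying EAP type 26."""
    data = _unhex(hexstr)
    out = _eap_header(data)
    if out["code"] in ("Success", "Failure") or len(data) < 6:
        return out
    out["type"] = data[4]
    if out["type"] != EAP_TYPE_MSCHAPV2:
        return out
    opcode = data[5]
    out["opcode"] = MSCHAPV2_OPCODES.get(opcode, opcode)
    if opcode == 2:  # Response: MS-ID, MS-Length, Value-Size, 49-byte Value, Name
        ms_id, ms_len, value_size = struct.unpack("!BHB", data[6:10])
        if ms_len != out["length"] - 5 or value_size != 49:
            raise ValueError("malformed MS-CHAPv2 Response")
        value = data[10:59]
        out.update(mschap_id=ms_id, peer_challenge=value[:16].hex(),
                   reserved=value[16:24].hex(), nt_response=value[24:48].hex(),
                   flags=value[48], name=data[59:].decode("latin-1"))
    elif opcode in (3, 4) and len(data) > 6:  # Success/Failure Request + message
        ms_id, _ms_len = struct.unpack("!BH", data[6:9])
        out.update(mschap_id=ms_id, message=data[9:].decode("latin-1"))
    # opcode 3 with nothing after it is the client's Success Response (its ack)
    return out


def parse_ms_chap2_success(hexstr):
    """RADIUS MS-CHAP2-Success: Ident octet, then 'S=' + 40 hex digits of the
    authenticator response the supplicant verifies before it trusts the server."""
    data = _unhex(hexstr)
    text = data[1:].decode("latin-1")
    auth = text[2:42]
    if not text.startswith("S=") or len(auth) != 40 \
            or any(c not in "0123456789ABCDEF" for c in auth):
        raise ValueError("not an MS-CHAP2-Success string")
    return {"mschap_id": data[0], "authenticator_response": auth,
            "message": text[42:].strip()}


def success_matches_response(response_hex, success_hex):
    """The Success relayed into the tunnel must carry the same Ident as the
    MS-CHAPv2 Response the client sent, or the supplicant discards it."""
    response = parse_eap_mschapv2(response_hex)
    success = parse_ms_chap2_success(success_hex)
    return response.get("opcode") == "Response" \
        and response["mschap_id"] == success["mschap_id"]


if __name__ == "__main__":  # decode the values taken from the traces
    print(parse_eap_mschapv2(TUNNELED_RESPONSE), parse_ms_chap2_success(INNER_ACCEPT_SUCCESS))
    print(parse_peap_outer(PREPROD_CHALLENGE_AFTER_ACCEPT), parse_peap_outer(PROD_CHALLENGE_AFTER_ACCEPT))
```

On the trace values, the pre-production server's first challenge after the proxied Access-Accept carries a 27-byte TLS record, the same size as the final TLV result in production, while production first sends a 63-byte record (the step at which its debug shows "MSCHAP Success" being passed back into the tunnel) and only sends the TLV result after the client's acknowledgement.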