LDAP-FreeRadius-Cisco Switch-802.1x Fails.
Wassim Zaarour
wassim.zaarour at navlink.com
Fri Apr 20 06:46:23 CEST 2012
Thanks Alan, it worked like a charm!!
But it worked using TTLS/PAP. Now, Windows OS natively supports PEAP, and
when I tried it with TTLS/PEAP it didn't authenticate and gave the
following debug:
I guess from the below what's important is this section:
.
.
.
[eap] processing type mschapv2
[mschapv2] # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Creating challenge hash with username: pk
[mschap] Told to do MS-CHAPv2 for pk with NT-Password
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
.
.
.
Is there a way to configure radius to accept TTLS/PEAP and authenticate
with LDAP?
Below the full debug log.
rad_recv: Access-Request packet from host 192.168.1.8 port 1645, id=232, length=139
NAS-IP-Address = 192.168.1.8
NAS-Port = 50023
NAS-Port-Type = Ethernet
User-Name = "host/Lap-Top"
Called-Station-Id = "00-15-F9-F8-4E-97"
Calling-Station-Id = "00-1A-80-3F-F6-A1"
Service-Type = Framed-User
Framed-MTU = 1500
EAP-Message = 0x0200001101686f73742f4c61702d546f70
Message-Authenticator = 0x393e8f392e9902b158ed1424675efc19
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "host/Lap-Top", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 0 length 17
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[ldap] performing user authorization for host/Lap-Top
[ldap] expand: %{Stripped-User-Name} ->
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> host/Lap-Top
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=host/Lap-Top)
[ldap] expand: o=navbey.com, dc=navbey,dc=com -> o=navbey.com, dc=navbey,dc=com
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] attempting LDAP reconnection
[ldap] (re)connect to 192.168.1.40:389, authentication 0
[ldap] bind as /Hayalla5 to 192.168.1.40:389
[ldap] waiting for bind result ...
[ldap] Bind was successful
[ldap] performing search in o=navbey.com, dc=navbey,dc=com, with filter (uid=host/Lap-Top)
[ldap] object not found
[ldap] search failed
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 232 to 192.168.1.8 port 1645
EAP-Message = 0x010100160410fccd1139019e6857ddd78da6b684af3c
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xd99dee93d99ceace8e5305bc8fdf726b
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.8 port 1645, id=233, length=146
NAS-IP-Address = 192.168.1.8
NAS-Port = 50023
NAS-Port-Type = Ethernet
User-Name = "host/Lap-Top"
Called-Station-Id = "00-15-F9-F8-4E-97"
Calling-Station-Id = "00-1A-80-3F-F6-A1"
Service-Type = Framed-User
Framed-MTU = 1500
State = 0xd99dee93d99ceace8e5305bc8fdf726b
EAP-Message = 0x020100060319
Message-Authenticator = 0x80eabf367e08a9bd587fcbf4d36a0003
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "host/Lap-Top", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[ldap] performing user authorization for host/Lap-Top
[ldap] expand: %{Stripped-User-Name} ->
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> host/Lap-Top
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=host/Lap-Top)
[ldap] expand: o=navbey.com, dc=navbey,dc=com -> o=navbey.com, dc=navbey,dc=com
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in o=navbey.com, dc=navbey,dc=com, with filter (uid=host/Lap-Top)
[ldap] object not found
[ldap] search failed
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/peap
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 233 to 192.168.1.8 port 1645
EAP-Message = 0x010200061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xd99dee93d89ff7ce8e5305bc8fdf726b
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.8 port 1645, id=234, length=261
NAS-IP-Address = 192.168.1.8
NAS-Port = 50023
NAS-Port-Type = Ethernet
User-Name = "host/Lap-Top"
Called-Station-Id = "00-15-F9-F8-4E-97"
Calling-Station-Id = "00-1A-80-3F-F6-A1"
Service-Type = Framed-User
Framed-MTU = 1500
State = 0xd99dee93d89ff7ce8e5305bc8fdf726b
Message-Authenticator = 0xe4a963411850e8b5b37ab847329b06c6
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "host/Lap-Top", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 121
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 111
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 006a], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 0031], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 085e], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 234 to 192.168.1.8 port 1645
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xd99dee93db9ef7ce8e5305bc8fdf726b
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.8 port 1645, id=235, length=146
NAS-IP-Address = 192.168.1.8
NAS-Port = 50023
NAS-Port-Type = Ethernet
User-Name = "host/Lap-Top"
Called-Station-Id = "00-15-F9-F8-4E-97"
Calling-Station-Id = "00-1A-80-3F-F6-A1"
Service-Type = Framed-User
Framed-MTU = 1500
State = 0xd99dee93db9ef7ce8e5305bc8fdf726b
EAP-Message = 0x020300061900
Message-Authenticator = 0xbae3ed10c923140fa6dfcfb1231cd7bf
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "host/Lap-Top", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 235 to 192.168.1.8 port 1645
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xd99dee93da99f7ce8e5305bc8fdf726b
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.8 port 1645, id=236, length=146
NAS-IP-Address = 192.168.1.8
NAS-Port = 50023
NAS-Port-Type = Ethernet
User-Name = "host/Lap-Top"
Called-Station-Id = "00-15-F9-F8-4E-97"
Calling-Station-Id = "00-1A-80-3F-F6-A1"
Service-Type = Framed-User
Framed-MTU = 1500
State = 0xd99dee93da99f7ce8e5305bc8fdf726b
EAP-Message = 0x020400061900
Message-Authenticator = 0xe12b82e1fc8c5ed35f4f3591f8f09111
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "host/Lap-Top", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 4 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 236 to 192.168.1.8 port 1645
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xd99dee93dd98f7ce8e5305bc8fdf726b
Finished request 4.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 192.168.1.8 port 1645, id=237, length=157
NAS-IP-Address = 192.168.1.8
NAS-Port = 50023
NAS-Port-Type = Ethernet
User-Name = "host/Lap-Top"
Called-Station-Id = "00-15-F9-F8-4E-97"
Calling-Station-Id = "00-1A-80-3F-F6-A1"
Service-Type = Framed-User
Framed-MTU = 1500
State = 0xd99dee93dd98f7ce8e5305bc8fdf726b
EAP-Message = 0x0205001119800000000715030100020230
Message-Authenticator = 0x5ce3a9de35758d1c75450df5daaf1374
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "host/Lap-Top", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 5 length 17
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 7
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert read:fatal:unknown CA
TLS_accept: failed in SSLv3 read client certificate A
rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
SSL: SSL_read failed inside of TLS (-1), TLS session fails.
TLS receive handshake failed during operation
[peap] eaptls_process returned 4
[peap] EAPTLS_OTHERS
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> host/Lap-Top
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 5 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 5
Sending Access-Reject of id 237 to 192.168.1.8 port 1645
EAP-Message = 0x04050004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.6 seconds.
Cleaning up request 0 ID 232 with timestamp +33
Cleaning up request 1 ID 233 with timestamp +33
Cleaning up request 2 ID 234 with timestamp +33
Cleaning up request 3 ID 235 with timestamp +34
Cleaning up request 4 ID 236 with timestamp +34
Waking up in 1.2 seconds.
Cleaning up request 5 ID 237 with timestamp +34
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.1.8 port 1645, id=238, length=119
NAS-IP-Address = 192.168.1.8
NAS-Port = 50023
NAS-Port-Type = Ethernet
User-Name = "pk"
Called-Station-Id = "00-15-F9-F8-4E-97"
Calling-Station-Id = "00-1A-80-3F-F6-A1"
Service-Type = Framed-User
Framed-MTU = 1500
EAP-Message = 0x0200000701706b
Message-Authenticator = 0x8172bc6808678b8cc0050e18f292be5b
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "pk", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 0 length 7
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[ldap] performing user authorization for pk
[ldap] expand: %{Stripped-User-Name} ->
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> pk
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=pk)
[ldap] expand: o=navbey.com, dc=navbey,dc=com -> o=navbey.com, dc=navbey,dc=com
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in o=navbey.com, dc=navbey,dc=com, with filter (uid=pk)
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
[ldap] user pk authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 238 to 192.168.1.8 port 1645
EAP-Message = 0x0101001604105907cf652b105257755a0a71aead1043
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xdf66a7f2df67a38e0e7c49ccf0790122
Finished request 6.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.8 port 1645, id=239, length=136
NAS-IP-Address = 192.168.1.8
NAS-Port = 50023
NAS-Port-Type = Ethernet
User-Name = "pk"
Called-Station-Id = "00-15-F9-F8-4E-97"
Calling-Station-Id = "00-1A-80-3F-F6-A1"
Service-Type = Framed-User
Framed-MTU = 1500
State = 0xdf66a7f2df67a38e0e7c49ccf0790122
EAP-Message = 0x020100060319
Message-Authenticator = 0x9e38985bc9352abd749655cef48fcabb
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "pk", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[ldap] performing user authorization for pk
[ldap] expand: %{Stripped-User-Name} ->
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> pk
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=pk)
[ldap] expand: o=navbey.com, dc=navbey,dc=com -> o=navbey.com, dc=navbey,dc=com
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in o=navbey.com, dc=navbey,dc=com, with filter (uid=pk)
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
[ldap] user pk authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/peap
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 239 to 192.168.1.8 port 1645
EAP-Message = 0x010200061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xdf66a7f2de64be8e0e7c49ccf0790122
Finished request 7.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.8 port 1645, id=240, length=246
NAS-IP-Address = 192.168.1.8
NAS-Port = 50023
NAS-Port-Type = Ethernet
User-Name = "pk"
Called-Station-Id = "00-15-F9-F8-4E-97"
Calling-Station-Id = "00-1A-80-3F-F6-A1"
Service-Type = Framed-User
Framed-MTU = 1500
State = 0xdf66a7f2de64be8e0e7c49ccf0790122
Message-Authenticator = 0x83714ddb4c574e351f7e9852ebdf8365
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "pk", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 116
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 106
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 0065], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 0031], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 085e], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 240 to 192.168.1.8 port 1645
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xdf66a7f2dd65be8e0e7c49ccf0790122
Finished request 8.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.8 port 1645, id=241, length=136
NAS-IP-Address = 192.168.1.8
NAS-Port = 50023
NAS-Port-Type = Ethernet
User-Name = "pk"
Called-Station-Id = "00-15-F9-F8-4E-97"
Calling-Station-Id = "00-1A-80-3F-F6-A1"
Service-Type = Framed-User
Framed-MTU = 1500
State = 0xdf66a7f2dd65be8e0e7c49ccf0790122
EAP-Message = 0x020300061900
Message-Authenticator = 0x6d071271e3593761fab43b275fc890cf
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "pk", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 241 to 192.168.1.8 port 1645
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xdf66a7f2dc62be8e0e7c49ccf0790122
Finished request 9.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.8 port 1645, id=242, length=136
NAS-IP-Address = 192.168.1.8
NAS-Port = 50023
NAS-Port-Type = Ethernet
User-Name = "pk"
Called-Station-Id = "00-15-F9-F8-4E-97"
Calling-Station-Id = "00-1A-80-3F-F6-A1"
Service-Type = Framed-User
Framed-MTU = 1500
State = 0xdf66a7f2dc62be8e0e7c49ccf0790122
EAP-Message = 0x020400061900
Message-Authenticator = 0x406d4a98563e0a8815fc113633dc3e8a
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "pk", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 4 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 242 to 192.168.1.8 port 1645
EAP-Message =
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xdf66a7f2db63be8e0e7c49ccf0790122
Finished request 10.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 192.168.1.8 port 1645, id=243,
length=468
NAS-IP-Address = 192.168.1.8
NAS-Port = 50023
NAS-Port-Type = Ethernet
User-Name = "pk"
Called-Station-Id = "00-15-F9-F8-4E-97"
Calling-Station-Id = "00-1A-80-3F-F6-A1"
Service-Type = Framed-User
Framed-MTU = 1500
State = 0xdf66a7f2db63be8e0e7c49ccf0790122
EAP-Message =
EAP-Message =
0xd35111c89e339e4eb688cec3322076273345f6fd6c1060c51403010001011603010030260
8671e3f152141c25ed7c1fd386d33f3c6c2616d85f988fe98201fd0e76195009450561f33db
115953
d9cc0e0c6aad
Message-Authenticator = 0xeddc39b94b6c9df9fa14274a3bd8d18c
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "pk", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 5 length 253
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 326
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange
[peap] TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap] TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 write finished A
[peap] TLS_accept: SSLv3 flush data
[peap] (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 243 to 192.168.1.8 port 1645
EAP-Message =
0x010600411900140301000101160301003054457c3f14edfe37c380b20c93886c1ff0b063a
823224547618117156a0e9bdc597726c7d28ae5d8de455329b1dca06b
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xdf66a7f2da60be8e0e7c49ccf0790122
Finished request 11.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 192.168.1.8 port 1645, id=244,
length=136
NAS-IP-Address = 192.168.1.8
NAS-Port = 50023
NAS-Port-Type = Ethernet
User-Name = "pk"
Called-Station-Id = "00-15-F9-F8-4E-97"
Calling-Station-Id = "00-1A-80-3F-F6-A1"
Service-Type = Framed-User
Framed-MTU = 1500
State = 0xdf66a7f2da60be8e0e7c49ccf0790122
EAP-Message = 0x020600061900
Message-Authenticator = 0x90ac28f0fcfd4d8b13135d7b4f586f9d
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "pk", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 6 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state TUNNEL ESTABLISHED
++[eap] returns handled
Sending Access-Challenge of id 244 to 192.168.1.8 port 1645
EAP-Message =
0x0107002b19001703010020ef133c0aa7b038aca4ed631f4b2195d48ef9178b0563bcfa3bb
a8e9949cfed99
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xdf66a7f2d961be8e0e7c49ccf0790122
Finished request 12.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 192.168.1.8 port 1645, id=245,
length=173
NAS-IP-Address = 192.168.1.8
NAS-Port = 50023
NAS-Port-Type = Ethernet
User-Name = "pk"
Called-Station-Id = "00-15-F9-F8-4E-97"
Calling-Station-Id = "00-1A-80-3F-F6-A1"
Service-Type = Framed-User
Framed-MTU = 1500
State = 0xdf66a7f2d961be8e0e7c49ccf0790122
EAP-Message =
0x0207002b190017030100207a7bde6894f97bb470bde13772156dcb004886d42b2d42e6313
4dea574c74e6d
Message-Authenticator = 0x4b4eecc47353757ee17f773ad9151172
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "pk", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 7 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state WAITING FOR INNER IDENTITY
[peap] Identity - pk
[peap] Got inner identity 'pk'
[peap] Setting default EAP type for tunneled EAP session.
[peap] Got tunneled request
EAP-Message = 0x0207000701706b
server {
PEAP: Setting User-Name to pk
Sending tunneled request
EAP-Message = 0x0207000701706b
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "pk"
server inner-tunnel {
# Executing section authorize from file
/etc/raddb/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "pk", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 7 length 7
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[ldap] performing user authorization for pk
[ldap] expand: %{Stripped-User-Name} ->
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> pk
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=pk)
[ldap] expand: o=navbey.com, dc=navbey,dc=com -> o=navbey.com,
dc=navbey,dc=com
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in o=navbey.com, dc=navbey,dc=com, with filter
(uid=pk)
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that
the user is configured correctly?
[ldap] user pk authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
EAP-Message = 0x0108001c1a0108001710e3de4c1bb91f06762905e9b9836d9b85706b
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xcfa04815cfa85281f6375487a35aa0b0
[peap] Got tunneled reply RADIUS code 11
EAP-Message = 0x0108001c1a0108001710e3de4c1bb91f06762905e9b9836d9b85706b
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xcfa04815cfa85281f6375487a35aa0b0
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 245 to 192.168.1.8 port 1645
EAP-Message =
0x0108003b19001703010030f42bf53d46e5731b25dc206513c583ac3c3f439bde0a89c3c8d
00aefc27a0b56ce72596f7e08f227542c95bc96cbb520
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xdf66a7f2d86ebe8e0e7c49ccf0790122
Finished request 13.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 192.168.1.8 port 1645, id=246,
length=221
NAS-IP-Address = 192.168.1.8
NAS-Port = 50023
NAS-Port-Type = Ethernet
User-Name = "pk"
Called-Station-Id = "00-15-F9-F8-4E-97"
Calling-Station-Id = "00-1A-80-3F-F6-A1"
Service-Type = Framed-User
Framed-MTU = 1500
State = 0xdf66a7f2d86ebe8e0e7c49ccf0790122
EAP-Message =
0x0208005b1900170301005066c6dfd96844df1f54b9abd2cb5769f2ab008a7117dd2ba5c82
3dde826c56926114583d0721d7abf1eae649c62b3925c5dbaac9771b10b03d03b35615f53e7
6e20ca
99343df8e9867526f5826bcb5245
Message-Authenticator = 0x7b7a7a7f5055b2806626ed1c0e64a965
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "pk", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 8 length 91
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
EAP-Message =
0x0208003d1a02080038313441fe526c301512427b1f00e3121ca4000000000000000092d46
9509e834a4e7da586c7e3d50e367c01b7309d1b777d00706b
server {
PEAP: Setting User-Name to pk
Sending tunneled request
EAP-Message =
0x0208003d1a02080038313441fe526c301512427b1f00e3121ca4000000000000000092d46
9509e834a4e7da586c7e3d50e367c01b7309d1b777d00706b
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "pk"
State = 0xcfa04815cfa85281f6375487a35aa0b0
server inner-tunnel {
# Executing section authorize from file
/etc/raddb/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "pk", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 8 length 61
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[ldap] performing user authorization for pk
[ldap] expand: %{Stripped-User-Name} ->
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> pk
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=pk)
[ldap] expand: o=navbey.com, dc=navbey,dc=com -> o=navbey.com,
dc=navbey,dc=com
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in o=navbey.com, dc=navbey,dc=com, with filter
(uid=pk)
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that
the user is configured correctly?
[ldap] user pk authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file
/etc/raddb/sites-enabled/inner-tunnel
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Creating challenge hash with username: pk
[mschap] Told to do MS-CHAPv2 for pk with NT-Password
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
} # server inner-tunnel
[peap] Got tunneled reply code 3
MS-CHAP-Error = "\010E=691 R=1"
EAP-Message = 0x04080004
Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code 3
MS-CHAP-Error = "\010E=691 R=1"
EAP-Message = 0x04080004
Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] returns handled
Sending Access-Challenge of id 246 to 192.168.1.8 port 1645
EAP-Message =
0x0109002b190017030100209b7b6546ac7dd0c6de4ab8352452dc4d5e0ef2a8fa9e346d035
d54f42f5e5617
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xdf66a7f2d76fbe8e0e7c49ccf0790122
Finished request 14.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 192.168.1.8 port 1645, id=247,
length=173
NAS-IP-Address = 192.168.1.8
NAS-Port = 50023
NAS-Port-Type = Ethernet
User-Name = "pk"
Called-Station-Id = "00-15-F9-F8-4E-97"
Calling-Station-Id = "00-1A-80-3F-F6-A1"
Service-Type = Framed-User
Framed-MTU = 1500
State = 0xdf66a7f2d76fbe8e0e7c49ccf0790122
EAP-Message =
0x0209002b19001703010020fdaefbe1bb82e8c918f2aea95051b6bcec4ded07a5388605472
7c83dd0233c9c
Message-Authenticator = 0xeb10297e4e0ef47e8c1e7ba7c083ca48
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "pk", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 9 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state send tlv failure
[peap] Received EAP-TLV response.
[peap] The users session was previously rejected: returning reject
(again.)
[peap] *** This means you need to read the PREVIOUS messages in the debug
output
[peap] *** to find out the reason why the user was rejected.
[peap] *** Look for "reject" or "fail". Those earlier messages will tell
you.
[peap] *** what went wrong, and how to fix the problem.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> pk
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 15 for 1 seconds
Going to the next request
On 4/19/12 6:53 PM, "alan buxey" <A.L.M.Buxey at lboro.ac.uk> wrote:
>hi,
>
>quick look seems to show that you don't have a suitable authorise
>section in the inner tunnel.
>
>the tunnel gets started...your client rejects the default md5
>the server sent - and EAP-TTLS gets done...the username/password
>gets sent but has nothing to go against.... so I suggest
>you add
>
>'ldap' to the inner-tunnel virtual server (in same way that ldap and
>LDAP are defined in default server...)
>
>alan
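As an added example that is not part of the thread: a small Python triage helper that scans a FreeRADIUS 2.x radiusd -X log for the markers seen in the inner-tunnel section above (no "known good" password from rlm_ldap, rlm_mschap unable to build NT-Password, modules returning reject) and names the cause. The sample lines are copied from this page's log; the ldap.attrmap and sambaNTPassword names in the advice text assume the FreeRADIUS 2.x LDAP attribute-map layout.

```python
# Triage a FreeRADIUS 2.x "radiusd -X" log for the PEAP/MSCHAPv2 failure on this page.
import re
from dataclasses import dataclass, field

# Constructed sample: marker lines copied from the inner-tunnel section of the log.
SAMPLE_DEBUG = """\
WARNING: No "known good" password was found in LDAP. Are you sure that
the user is configured correctly?
++[ldap] returns ok
[eap] processing type mschapv2
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
++[mschap] returns reject
++[eap] returns reject
[peap] Tunneled authentication was rejected.
"""

INNER_TYPE = re.compile(r"^\[eap\] processing type (\w+)")
RETURNS = re.compile(r"^\+\+\[([\w.]+)\] returns (\w+)")
NO_KNOWN_GOOD = 'No "known good" password was found in LDAP'
NO_NT_HASH = "[mschap] FAILED: No NT/LM-Password"
TUNNEL_TYPES = {"peap", "ttls", "tls"}  # outer methods, not the inner one

ADVICE = {  # ldap.attrmap / sambaNTPassword names below assume the 2.x layout
    "MSCHAPV2_NO_NT_HASH": "EAP-MSCHAPv2 is checked against the NT hash, so the "
    "inner tunnel needs NT-Password (or Cleartext-Password) as a control attribute; "
    "rlm_ldap returned neither. Map an NT-hash attribute such as sambaNTPassword in "
    "ldap.attrmap, or keep TTLS/PAP, where the password itself reaches LDAP.",
    "MSCHAPV2_BAD_RESPONSE": "An NT hash was available; the password sent was wrong.",
}

@dataclass
class Diagnosis:
    inner_method: "str | None" = None     # EAP type run inside the tunnel
    known_good_password: bool = True      # False once rlm_ldap warns it found none
    nt_hash_missing: bool = False         # rlm_mschap had no NT-Password to use
    rejecting_modules: list = field(default_factory=list)

    def root_cause(self) -> "str | None":
        if self.inner_method == "mschapv2" and self.nt_hash_missing:
            return "MSCHAPV2_NO_NT_HASH"
        if "mschap" in self.rejecting_modules:
            return "MSCHAPV2_BAD_RESPONSE"
        return None  # nothing rejected, or a cause this script does not classify

def triage(debug_text: str) -> Diagnosis:
    d = Diagnosis()
    for raw in debug_text.splitlines():
        line = raw.strip()
        m = INNER_TYPE.match(line)
        if m and m.group(1) not in TUNNEL_TYPES:
            d.inner_method = m.group(1)
        if NO_KNOWN_GOOD in line:
            d.known_good_password = False
        if line.startswith(NO_NT_HASH):
            d.nt_hash_missing = True
        m = RETURNS.match(line)
        if m and m.group(2) == "reject":
            d.rejecting_modules.append(m.group(1))
    return d
```

Run it over the full debug output rather than the sample to confirm the same cause, then check ADVICE[triage(log).root_cause()].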