computer authentication

Dan Letkeman danletkeman at gmail.com
Fri Dec 7 17:34:19 CET 2012


Hello,

I'm having some trouble with my setup and I am not sure where things have
gone wrong.  I don't think there is anything wrong with the freeradius
server or the switch setup.

My goal is to get computer authentication working, and from what I
understand from this post it should just work with the default setup with
only two modifications:

See the post from Phil Mayers

http://freeradius.1045715.n5.nabble.com/PEAP-with-Machine-auth-td4939666.html



Here is my debug log:

rad_recv: Access-Request packet from host 10.11.200.73 port 1645, id=236,
length=158
        User-Name = "host/DAN01"
        Service-Type = Framed-User
        Framed-MTU = 1500
        Called-Station-Id = "9C-AF-CA-F4-40-10"
        Calling-Station-Id = "64-31-50-7D-72-DE"
        EAP-Message = 0x0201000f01686f73742f44414e3031
        Message-Authenticator = 0xd542a2a3a3407e6908953cd7dca08817
        NAS-Port-Type = Ethernet
        NAS-Port = 50016
        NAS-Port-Id = "GigabitEthernet0/16"
        NAS-IP-Address = 10.11.200.73
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "host/DAN01", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 15
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication
may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 236 to 10.11.200.73 port 1645
        EAP-Message = 0x010200160410dda0857597b1b9c5d2114f6c83f2606d
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x01794096017b44e4c1b393ed153b7774
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.11.200.73 port 1645, id=237,
length=167
        User-Name = "host/DAN01"
        Service-Type = Framed-User
        Framed-MTU = 1500
        Called-Station-Id = "9C-AF-CA-F4-40-10"
        Calling-Station-Id = "64-31-50-7D-72-DE"
        EAP-Message = 0x020200060319
        Message-Authenticator = 0x36c72a6e152d0376c4c2e898ed25103b
        NAS-Port-Type = Ethernet
        NAS-Port = 50016
        NAS-Port-Id = "GigabitEthernet0/16"
        State = 0x01794096017b44e4c1b393ed153b7774
        NAS-IP-Address = 10.11.200.73
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "host/DAN01", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication
may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/peap
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 237 to 10.11.200.73 port 1645
        EAP-Message = 0x010300061920
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x01794096007a59e4c1b393ed153b7774
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.11.200.73 port 1645, id=238,
length=266
        User-Name = "host/DAN01"
        Service-Type = Framed-User
        Framed-MTU = 1500
        Called-Station-Id = "9C-AF-CA-F4-40-10"
        Calling-Station-Id = "64-31-50-7D-72-DE"
        EAP-Message =
0x0203006919800000005f160301005a01000056030150c2020ad42f8473aaa4763bfe5559b68809e4731258d02a19bd5a83025e02fc000018002f00350005000ac013c014c009c00a003200380013000401000015ff01000100000a0006000400170018000b00020100
        Message-Authenticator = 0x0a4d04f9f52dbc7c000f26f2b9046e3d
        NAS-Port-Type = Ethernet
        NAS-Port = 50016
        NAS-Port-Id = "GigabitEthernet0/16"
        State = 0x01794096007a59e4c1b393ed153b7774
        NAS-IP-Address = 10.11.200.73
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "host/DAN01", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 105
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 95
[peap] Length Included
[peap] eaptls_verify returned 11
[peap]     (other): before/accept initialization
[peap]     TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 005a], ClientHello
[peap]     TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 0031], ServerHello
[peap]     TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 085e], Certificate
[peap]     TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap]     TLS_accept: SSLv3 write server done A
[peap]     TLS_accept: SSLv3 flush data
[peap]     TLS_accept: Need to read more data: SSLv3 read client
certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 238 to 10.11.200.73 port 1645
        EAP-Message =
0x0104040019c0000008a216030100310200002d030150c1ad7788786b10acec0131f1a69bc414f87718bb71685367e6e6a53ec0a1e600002f000005ff01000100160301085e0b00085a0008570003a6308203a23082028aa003020102020101300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c65204365727469666963617465204175
        EAP-Message =
0x74686f72697479301e170d3132313230363138333330375a170d3133303230343138333330375a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100badff6cb7179506abce81b22c0c12ce92f128d1fc2ffd51b159010f8bd9aa0352e9eb68fa01ede9d61214a39d78d2972b5406699eae304
        EAP-Message =
0xf861c78b2469007a3a0faeca30c4dd0c107a661f63e949e4ddfb4ffd28045199bd58e642837569ffa14e8521d161b0940802b3ad216b021a30c322814659bc1d6224205d65000c39c6edcea942e8c06965e1b9f6fb7f1654191940a392c2ef81a11d25fb73ce358bd6eadca1ef0e15f8572c232a04ec1629f0e727021ced7bd079d72cdb2d86bcc8ffdf334842f089ab15936eb7ba0cffcc0e9b37a37a216f0ed402d7200f210a7352cb339affdae7e5b6ba90f4108b22a3b1b713057809817b46cc6733fe03884dfb9f895552203bf1e1e403cf1f663a831936d41c25b9514f360416020b0fdb33a3b573396f3ae552c08799d85a40efb32cda9d1e60
        EAP-Message = 0xa00004ab308204a73082038f
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x01794096037d59e4c1b393ed153b7774
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.11.200.73 port 1645, id=239,
length=167
        User-Name = "host/DAN01"
        Service-Type = Framed-User
        Framed-MTU = 1500
        Called-Station-Id = "9C-AF-CA-F4-40-10"
        Calling-Station-Id = "64-31-50-7D-72-DE"
        EAP-Message = 0x020400061900
        Message-Authenticator = 0x57fa2f2fa8a12654c84ef47f24b9300c
        NAS-Port-Type = Ethernet
        NAS-Port = 50016
        NAS-Port-Id = "GigabitEthernet0/16"
        State = 0x01794096037d59e4c1b393ed153b7774
        NAS-IP-Address = 10.11.200.73
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "host/DAN01", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 4 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 239 to 10.11.200.73 port 1645
        EAP-Message = 0x1e707bf177e925d2
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x01794096027c59e4c1b393ed153b7774
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.11.200.73 port 1645, id=240,
length=167
        User-Name = "host/DAN01"
        Service-Type = Framed-User
        Framed-MTU = 1500
        Called-Station-Id = "9C-AF-CA-F4-40-10"
        Calling-Station-Id = "64-31-50-7D-72-DE"
        EAP-Message = 0x020500061900
        Message-Authenticator = 0xbb0a37ac80ac127d37623ac19d8cb7d7
        NAS-Port-Type = Ethernet
        NAS-Port = 50016
        NAS-Port-Id = "GigabitEthernet0/16"
        State = 0x01794096027c59e4c1b393ed153b7774
        NAS-IP-Address = 10.11.200.73
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "host/DAN01", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 5 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 240 to 10.11.200.73 port 1645
        EAP-Message =
0x010600bc1900c35695b88d735375e6daf6e9fd7517c11036a05a4e769075fda1f4931e91e5a98d20c5f13886c0502b7e5fadd8851996d4cf5f418695e9e485411c391758f37c7ee4a00cf3f5eeebec0deb2bbfdfbdcc9a7df103311f69d7e81dba31d00cc887f1c93b24bc2bd77affe2451277fb4df09d82bbe43269c1b591503e03c5f678db04a77d6a42e55816b412aedf69c2b379d07157c74d5efe0b1ff411a138624d54324d91438a42c0d71567a80f1316030100040e000000
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x01794096057f59e4c1b393ed153b7774
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.11.200.73 port 1645, id=241,
length=499
        User-Name = "host/DAN01"
        Service-Type = Framed-User
        Framed-MTU = 1500
        Called-Station-Id = "9C-AF-CA-F4-40-10"
        Calling-Station-Id = "64-31-50-7D-72-DE"
        EAP-Message =
0x5a1cade40955c92b534083c6292fd0bac23cb7bb5bb1d90f14030100010116030100307e72a5c4189bf36cac8747ffabc198bd4f5d400baf2bb5cb001a022908448a37cf7ddea27654ff7fc282934932a55ffa
        Message-Authenticator = 0x11d9f6622d3f3949df452fd64e4e7a03
        NAS-Port-Type = Ethernet
        NAS-Port = 50016
        NAS-Port-Id = "GigabitEthernet0/16"
        State = 0x01794096057f59e4c1b393ed153b7774
        NAS-IP-Address = 10.11.200.73
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "host/DAN01", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 6 length 253
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 326
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange
[peap]     TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap]     TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap]     TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap]     TLS_accept: SSLv3 write finished A
[peap]     TLS_accept: SSLv3 flush data
[peap]     (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 241 to 10.11.200.73 port 1645
        EAP-Message =
0x010700411900140301000101160301003088525279f0a666be9158b77193e0cb5d44491d1d577a8862254f5ef9f6dba07116b5e566e39572ba0e981cbd85b7bbc5
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x01794096047e59e4c1b393ed153b7774
Finished request 5.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.11.200.73 port 1645, id=242,
length=167
        User-Name = "host/DAN01"
        Service-Type = Framed-User
        Framed-MTU = 1500
        Called-Station-Id = "9C-AF-CA-F4-40-10"
        Calling-Station-Id = "64-31-50-7D-72-DE"
        EAP-Message = 0x020700061900
        Message-Authenticator = 0x211323fa12841ee03e548aa79f457385
        NAS-Port-Type = Ethernet
        NAS-Port = 50016
        NAS-Port-Id = "GigabitEthernet0/16"
        State = 0x01794096047e59e4c1b393ed153b7774
        NAS-IP-Address = 10.11.200.73
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "host/DAN01", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 7 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state TUNNEL ESTABLISHED
++[eap] returns handled
Sending Access-Challenge of id 242 to 10.11.200.73 port 1645
        EAP-Message =
0x0108002b19001703010020ac4efbfa7535f97705d24f884cbcff69c35d3995a8cf49f9f54b5839d5fbbc70
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x01794096077159e4c1b393ed153b7774
Finished request 6.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.11.200.73 port 1645, id=243,
length=204
        User-Name = "host/DAN01"
        Service-Type = Framed-User
        Framed-MTU = 1500
        Called-Station-Id = "9C-AF-CA-F4-40-10"
        Calling-Station-Id = "64-31-50-7D-72-DE"
        EAP-Message =
0x0208002b190017030100207a18e0fc66bc4e107ff7c3add2fd502f7c9de5a24918f020cd08237c80606225
        Message-Authenticator = 0x58eb948731c85961f83971425c7f49d0
        NAS-Port-Type = Ethernet
        NAS-Port = 50016
        NAS-Port-Id = "GigabitEthernet0/16"
        State = 0x01794096077159e4c1b393ed153b7774
        NAS-IP-Address = 10.11.200.73
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "host/DAN01", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 8 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state WAITING FOR INNER IDENTITY
[peap] Identity - host/DAN01
[peap] Got inner identity 'host/DAN01'
[peap] Setting default EAP type for tunneled EAP session.
[peap] Got tunneled request
        EAP-Message = 0x0208000f01686f73742f44414e3031
server  {
[peap] Setting User-Name to host/DAN01
Sending tunneled request
        EAP-Message = 0x0208000f01686f73742f44414e3031
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "host/DAN01"
server inner-tunnel {
# Executing section authorize from file
/etc/raddb/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "host/DAN01", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 8 length 15
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
        EAP-Message =
0x010900241a0109001f1030afe7e31b9243b22b1edc4da600654f686f73742f44414e3031
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xf36f0859f36612161ae524fe7d89d60e
[peap] Got tunneled reply RADIUS code 11
        EAP-Message =
0x010900241a0109001f1030afe7e31b9243b22b1edc4da600654f686f73742f44414e3031
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xf36f0859f36612161ae524fe7d89d60e
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 243 to 10.11.200.73 port 1645
        EAP-Message =
0x0109004b190017030100406378cb7289eb8c26ab103a27d7ddd562178502ee511763eb4dcdd2148b2e2828f04def0d118c5f79480070084a5d6d20db5e2d378185c951aefa1db0ed8373f8
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x01794096067059e4c1b393ed153b7774
Finished request 7.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.11.200.73 port 1645, id=244,
length=268
        User-Name = "host/DAN01"
        Service-Type = Framed-User
        Framed-MTU = 1500
        Called-Station-Id = "9C-AF-CA-F4-40-10"
        Calling-Station-Id = "64-31-50-7D-72-DE"
        EAP-Message =
0x0209006b190017030100602ba93efbbefd59197061b3c1cfe8a8c3ed52c8c3bb04d8407d3a8a194ff63d304de6151122e5f2ee830478996fd21f1b386795640464bd68df45b537168ea55a5733946cd255eab36e80551b6b1e1e77b43b075925fd7722f626a31be711402d
        Message-Authenticator = 0xcc8e1ecd017ffb90d560f6c53e4646e3
        NAS-Port-Type = Ethernet
        NAS-Port = 50016
        NAS-Port-Id = "GigabitEthernet0/16"
        State = 0x01794096067059e4c1b393ed153b7774
        NAS-IP-Address = 10.11.200.73
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "host/DAN01", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 9 length 107
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
        EAP-Message =
0x020900451a0209004031efe81adb9299be4739da1763d1702e44000000000000000000000000000000000000000000000000000000000000000000686f73742f44414e3031
server  {
[peap] Setting User-Name to host/DAN01
Sending tunneled request
        EAP-Message =
0x020900451a0209004031efe81adb9299be4739da1763d1702e44000000000000000000000000000000000000000000000000000000000000000000686f73742f44414e3031
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "host/DAN01"
        State = 0xf36f0859f36612161ae524fe7d89d60e
server inner-tunnel {
# Executing section authorize from file
/etc/raddb/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "host/DAN01", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 9 length 69
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Creating challenge hash with username: host/DAN01
[mschap] Told to do MS-CHAPv2 for host/DAN01 with NT-Password
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
} # server inner-tunnel
[peap] Got tunneled reply code 3
        MS-CHAP-Error = "\tE=691 R=1"
        EAP-Message = 0x04090004
        Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code 3
        MS-CHAP-Error = "\tE=691 R=1"
        EAP-Message = 0x04090004
        Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] returns handled
Sending Access-Challenge of id 244 to 10.11.200.73 port 1645
        EAP-Message =
0x010a002b19001703010020b18b2f6ba2a15eb8ccf6796e5f1978974c30c0ab7e60faef3aab29c75ebfa183
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x01794096097359e4c1b393ed153b7774
Finished request 8.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.11.200.73 port 1645, id=245,
length=204
        User-Name = "host/DAN01"
        Service-Type = Framed-User
        Framed-MTU = 1500
        Called-Station-Id = "9C-AF-CA-F4-40-10"
        Calling-Station-Id = "64-31-50-7D-72-DE"
        EAP-Message =
0x020a002b19001703010020da286d0d7cd1b91d931d0059695ecf9ed2f5640c0975ae5ec20d8b34d2cc599a
        Message-Authenticator = 0xc4e84370ab6a69e7ccecf9b8f70ec4e0
        NAS-Port-Type = Ethernet
        NAS-Port = 50016
        NAS-Port-Id = "GigabitEthernet0/16"
        State = 0x01794096097359e4c1b393ed153b7774
        NAS-IP-Address = 10.11.200.73
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "host/DAN01", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 10 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state send tlv failure
[peap] Received EAP-TLV response.
[peap]  The users session was previously rejected: returning reject (again.)
[peap]  *** This means you need to read the PREVIOUS messages in the debug
output
[peap]  *** to find out the reason why the user was rejected.
[peap]  *** Look for "reject" or "fail".  Those earlier messages will tell
you.
[peap]  *** what went wrong, and how to fix the problem.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> host/DAN01
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 9 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 9
Sending Access-Reject of id 245 to 10.11.200.73 port 1645
        EAP-Message = 0x040a0004
        Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.8 seconds.
Cleaning up request 0 ID 236 with timestamp +39
Cleaning up request 1 ID 237 with timestamp +39
Cleaning up request 2 ID 238 with timestamp +39
Cleaning up request 3 ID 239 with timestamp +39
Cleaning up request 4 ID 240 with timestamp +39
Cleaning up request 5 ID 241 with timestamp +39
Cleaning up request 6 ID 242 with timestamp +39
Cleaning up request 7 ID 243 with timestamp +39
Cleaning up request 8 ID 244 with timestamp +39
Waking up in 1.0 seconds.
Cleaning up request 9 ID 245 with timestamp +39
Ready to process requests.
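
The debug output above advises reading back to the first "reject" or "fail" instead of the final Access-Reject. The following Python script is an added example (not part of the original post and not FreeRADIUS code) that does this triage over `radiusd -X` output; the sample lines are abridged from the log above, and the names `Finding`, `findings` and `root_cause` are hypothetical.

```python
import re
from dataclasses import dataclass

# Line shapes taken from the FreeRADIUS debug output shown in this post.
RECV = re.compile(r"^rad_recv: \S+ packet from host \S+ port \d+, id=(\d+)")
USER = re.compile(r'^\s+User-Name = "([^"]*)"')
ENTER = re.compile(r"^server (\S+) \{")        # e.g. "server inner-tunnel {"
LEAVE = re.compile(r"^\} # server \S+")
MODULE = re.compile(r"^\[([\w.]+)\]\s+(FAILED.*)")
RETURNS = re.compile(r"^\++\[([\w.]+)\] returns (reject|fail|invalid)\b")

# Abridged sample built from requests id=244 and id=245 in the log above.
SAMPLE = """\
rad_recv: Access-Request packet from host 10.11.200.73 port 1645, id=244,
length=268
        User-Name = "host/DAN01"
++[eap] returns ok
server inner-tunnel {
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
++[eap] returns reject
} # server inner-tunnel
[peap] Tunneled authentication was rejected.
++[eap] returns handled
Sending Access-Challenge of id 244 to 10.11.200.73 port 1645
rad_recv: Access-Request packet from host 10.11.200.73 port 1645, id=245,
length=204
        User-Name = "host/DAN01"
[peap]  The users session was previously rejected: returning reject (again.)
[eap] Handler failed in EAP/peap
++[eap] returns invalid
Sending Access-Reject of id 245 to 10.11.200.73 port 1645
"""


@dataclass
class Finding:
    request_id: int   # RADIUS packet id from the rad_recv line
    user: str         # outer User-Name of that request
    server: str       # virtual server in effect, or "outer"
    module: str       # module that logged the failure
    message: str      # FAILED text or "returns <code>"


def findings(log: str) -> list:
    """Return every failure indicator in log order, tagged with its context."""
    out = []
    req_id, user, servers = None, "", []
    for line in log.splitlines():
        if m := RECV.match(line):
            # New request: reset per-request state.
            req_id, user, servers = int(m.group(1)), "", []
        elif req_id is None:
            continue  # startup noise before the first packet
        elif (m := USER.match(line)) and not user:
            user = m.group(1)
        elif m := ENTER.match(line):
            servers.append(m.group(1))
        elif LEAVE.match(line):
            if servers:
                servers.pop()
        elif m := (MODULE.match(line) or RETURNS.match(line)):
            server = servers[-1] if servers else "outer"
            msg = m.group(2) if m.re is MODULE else "returns " + m.group(2)
            out.append(Finding(req_id, user, server, m.group(1), msg))
    return out


def root_cause(log: str):
    """Earliest explicit FAILED line, else earliest failing return code."""
    found = findings(log)
    explicit = [f for f in found if f.message.startswith("FAILED")]
    return (explicit or found or [None])[0]


if __name__ == "__main__":
    cause = root_cause(SAMPLE)
    print(f"id={cause.request_id} user={cause.user} server={cause.server} "
          f"[{cause.module}] {cause.message}")
```

On the sample it points at the `[mschap]` line inside `inner-tunnel` for request 244, not the `returns invalid` on request 245 that immediately precedes the Access-Reject.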