No EAP Start, assuming it's an on-going EAP conversation
dvmp
dvmpbox at gmail.com
Tue Nov 6 23:59:45 CET 2012
>> Here follows all the radiusd -X output from startup:
> That doesn't help, either.
> You need to post the FULL LOGS from WHEN IT FAILS.
> I have no idea why this is a difficult concept.
Hello Alan, here are the FULL LOGS from WHEN IT FAILS:
Ready to process requests.
rad_recv: Access-Request packet from host ip_AP_cisco port 1645, id=167,
length=167
User-Name = "DOMAIN\\userADaccount"
Framed-MTU = 1400
Called-Station-Id = "003a.994b.fd40"
Calling-Station-Id = "e02a.8255.86ba"
Service-Type = Login-User
Message-Authenticator = 0xbe734e6d92fd8666df3d4be010ee9302
EAP-Message = 0x020200190153554d4f4c434f4d50414c5c5343313031383536
NAS-Port-Type = Wireless-802.11
NAS-Port = 33391
NAS-Port-Id = "33391"
NAS-IP-Address = ip_AP_cisco
NAS-Identifier = "SC_APSI01"
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "DOMAIN\userADaccount", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 25
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[sql] expand: %{User-Name} -> DOMAIN\userADaccount
[sql] sql_set_user escaped user --> 'DOMAIN\userADaccount'
rlm_sql (sql): Reserving sql socket id: 0
[sql] expand: SELECT id, username, attribute, value, op FROM
radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
-> SELECT id, username, attribute, value, op FROM radcheck
WHERE username = 'DOMAIN=5CuserADaccount' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE
username = '%{SQL-User-Name}' ORDER BY priority -> SELECT
groupname FROM radusergroup WHERE username =
'DOMAIN=5CuserADaccount' ORDER BY priority
rlm_sql (sql): Released sql socket id: 0
[sql] User DOMAIN\userADaccount not found
++[sql] returns notfound
++? if (ok)
? Evaluating (ok) -> FALSE
++? if (ok) -> FALSE
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 167 to ip_AP_cisco port 1645
EAP-Message = 0x010300061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x2bebcbfd2be8d2392b8b84ab35544cf2
Finished request 380.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host ip_AP_cisco port 1645, id=168,
length=265
User-Name = "DOMAIN\\userADaccount"
Framed-MTU = 1400
Called-Station-Id = "003a.994b.fd40"
Calling-Station-Id = "e02a.8255.86ba"
Service-Type = Login-User
Message-Authenticator = 0xe9675777fbc46a829f9242cb4a9c570e
EAP-Message =
0x0203006919800000005f160301005a01000056030150917f3c269f39337bdde42e0cd4e09c
18a51faeeeaf74407f2fb85e72af0d9d000018002f00350005000ac013c014c009c00a003200
380013000401000015ff01000100000a0006000400170018000b00020100
NAS-Port-Type = Wireless-802.11
NAS-Port = 33391
NAS-Port-Id = "33391"
State = 0x2bebcbfd2be8d2392b8b84ab35544cf2
NAS-IP-Address = ip_AP_cisco
NAS-Identifier = "SC_APSI01"
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "DOMAIN\userADaccount", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 105
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 95
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 005a], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 002a], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 0791], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client certificate
A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 168 to ip_AP_cisco port 1645
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x2bebcbfd2aefd2392b8b84ab35544cf2
Finished request 381.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host ip_AP_cisco port 1645, id=169,
length=166
User-Name = "DOMAIN\\userADaccount"
Framed-MTU = 1400
Called-Station-Id = "003a.994b.fd40"
Calling-Station-Id = "e02a.8255.86ba"
Service-Type = Login-User
Message-Authenticator = 0xe9ee7fe2259ec0eb41eca800cfefc9b3
EAP-Message = 0x020400061900
NAS-Port-Type = Wireless-802.11
NAS-Port = 33391
NAS-Port-Id = "33391"
State = 0x2bebcbfd2aefd2392b8b84ab35544cf2
NAS-IP-Address = ip_AP_cisco
NAS-Identifier = "SC_APSI01"
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "DOMAIN\userADaccount", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 4 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 169 to ip_AP_cisco port 1645
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x2bebcbfd29eed2392b8b84ab35544cf2
Finished request 382.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host ip_AP_cisco port 1645, id=170,
length=368
User-Name = "DOMAIN\\userADaccount"
Framed-MTU = 1400
Called-Station-Id = "003a.994b.fd40"
Calling-Station-Id = "e02a.8255.86ba"
Service-Type = Login-User
Message-Authenticator = 0x51c7051a6df98542134d7a4cad9364c4
EAP-Message =
0x020500d01980000000c6160301008610000082008091af4c6faa831c1fc81bb03e5ff94cf2
3e731941943dea2dfcd35b81a308a7c067baa9e9aa2957c246de00432cba628cd7539865ae4d
372b66f4fa0933bd45a5bb8714024a62af0dbc76093ab5f21462a4ca1a591749ef832ae95a34
da7324b770200ff87137821260203bae545c6420fe45a1182f2b15b6be59d3a0c4843ae91403
010001011603010030bde7b5b5b80bee6457a448f8b308cecaedcfafa9d9bae2b308a8f981bb
dd6f3282870b56282593d4f354cef83cd99d77
NAS-Port-Type = Wireless-802.11
NAS-Port = 33391
NAS-Port-Id = "33391"
State = 0x2bebcbfd29eed2392b8b84ab35544cf2
NAS-IP-Address = ip_AP_cisco
NAS-Identifier = "SC_APSI01"
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "DOMAIN\userADaccount", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 5 length 208
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 198
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
[peap] TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap] TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 write finished A
[peap] TLS_accept: SSLv3 flush data
[peap] (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 170 to ip_AP_cisco port 1645
EAP-Message =
0x01060041190014030100010116030100305ec9a3d4315420edbdc6c028395219fd94158e26
a45115351bf193c7038c04f670986dabb7b1c41f8ce9144e68757914
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x2bebcbfd28edd2392b8b84ab35544cf2
Finished request 383.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host ip_AP_cisco port 1645, id=171,
length=166
User-Name = "DOMAIN\\userADaccount"
Framed-MTU = 1400
Called-Station-Id = "003a.994b.fd40"
Calling-Station-Id = "e02a.8255.86ba"
Service-Type = Login-User
Message-Authenticator = 0xfe8482b3d38145735b0f520c17cc1691
EAP-Message = 0x020600061900
NAS-Port-Type = Wireless-802.11
NAS-Port = 33391
NAS-Port-Id = "33391"
State = 0x2bebcbfd28edd2392b8b84ab35544cf2
NAS-IP-Address = ip_AP_cisco
NAS-Identifier = "SC_APSI01"
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "DOMAIN\userADaccount", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 6 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
++[eap] returns handled
Sending Access-Challenge of id 171 to ip_AP_cisco port 1645
EAP-Message =
0x0107002b1900170301002061a42fd36d3a766b798f27c976cddafc206068a3c819ff6eb651
d15eed5b0f3f
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x2bebcbfd2fecd2392b8b84ab35544cf2
Finished request 384.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host ip_AP_cisco port 1645, id=172,
length=219
User-Name = "DOMAIN\\userADaccount"
Framed-MTU = 1400
Called-Station-Id = "003a.994b.fd40"
Calling-Station-Id = "e02a.8255.86ba"
Service-Type = Login-User
Message-Authenticator = 0xe3de5f32cf757439798596452a62f220
EAP-Message =
0x0207003b19001703010030c6a7e446886971749bd33a49dce1a8c66f7dc40acf7ea5e96ae5
3ef63b52e0839fc9ddde75f6e7db43fb5973b885005e
NAS-Port-Type = Wireless-802.11
NAS-Port = 33391
NAS-Port-Id = "33391"
State = 0x2bebcbfd2fecd2392b8b84ab35544cf2
NAS-IP-Address = ip_AP_cisco
NAS-Identifier = "SC_APSI01"
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "DOMAIN\userADaccount", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 7 length 59
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Identity - DOMAIN\userADaccount
[peap] Got tunneled request
EAP-Message = 0x020700190153554d4f4c434f4d50414c5c5343313031383536
server {
PEAP: Got tunneled identity of DOMAIN\userADaccount
PEAP: Setting default EAP type for tunneled EAP session.
PEAP: Setting User-Name to DOMAIN\userADaccount
Sending tunneled request
EAP-Message = 0x020700190153554d4f4c434f4d50414c5c5343313031383536
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "DOMAIN\\userADaccount"
server inner-tunnel {
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "DOMAIN\userADaccount", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 7 length 25
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[sql] expand: %{User-Name} -> DOMAIN\userADaccount
[sql] sql_set_user escaped user --> 'DOMAIN\userADaccount'
rlm_sql (sql): Reserving sql socket id: 4
[sql] expand: SELECT id, username, attribute, value, op FROM
radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
-> SELECT id, username, attribute, value, op FROM radcheck
WHERE username = 'DOMAIN=5CuserADaccount' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE
username = '%{SQL-User-Name}' ORDER BY priority -> SELECT
groupname FROM radusergroup WHERE username =
'DOMAIN=5CuserADaccount' ORDER BY priority
rlm_sql (sql): Released sql socket id: 4
[sql] User DOMAIN\userADaccount not found
++[sql] returns notfound
++? if (ok)
? Evaluating (ok) -> FALSE
++? if (ok) -> FALSE
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
EAP-Message =
0x0108002e1a0108002910fcadce522673bc246f119f7426a0a16e53554d4f4c434f4d50414c
5c5343313031383536
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xc282d9b6c28ac325c2d75d655a3b20bb
[peap] Got tunneled reply RADIUS code 11
EAP-Message =
0x0108002e1a0108002910fcadce522673bc246f119f7426a0a16e53554d4f4c434f4d50414c
5c5343313031383536
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xc282d9b6c28ac325c2d75d655a3b20bb
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 172 to ip_AP_cisco port 1645
EAP-Message =
0x0108004b190017030100406d42040665bd9d04f2b78a1eb2be3610727e48b2e3516c0299bd
b36241946ef288f565f1b18c6368b4028478ffdd39bc74f57de8d3f9b201b5b1064f0b198bf5
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x2bebcbfd2ee3d2392b8b84ab35544cf2
Finished request 385.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host ip_AP_cisco port 1645, id=173,
length=267
User-Name = "DOMAIN\\userADaccount"
Framed-MTU = 1400
Called-Station-Id = "003a.994b.fd40"
Calling-Station-Id = "e02a.8255.86ba"
Service-Type = Login-User
Message-Authenticator = 0xd311903f2735fc06f2d6884aee5b1656
EAP-Message =
0x0208006b19001703010060989c617a4d75a71675d49b93798de03e0f756947618713174213
b3d5adace82bdd184ba506f1973dd881a8940bf0b36a33d406da7324fc84e71a3240d8773e16
c053b7ff734d9b1946a89cd876010c8a5f318d55f08536fe1bdb185df7f013e6
NAS-Port-Type = Wireless-802.11
NAS-Port = 33391
NAS-Port-Id = "33391"
State = 0x2bebcbfd2ee3d2392b8b84ab35544cf2
NAS-IP-Address = ip_AP_cisco
NAS-Identifier = "SC_APSI01"
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "DOMAIN\userADaccount", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 8 length 107
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] EAP type mschapv2
[peap] Got tunneled request
EAP-Message =
0x0208004f1a0208004a319afcbf0d90146863dcce62e55cbf6b2600000000000000003213a6
67f5405fe084a9e7291e326e0f0c68ce28482c998a0053554d4f4c434f4d50414c5c53433130
31383536
server {
PEAP: Setting User-Name to DOMAIN\userADaccount
Sending tunneled request
EAP-Message =
0x0208004f1a0208004a319afcbf0d90146863dcce62e55cbf6b2600000000000000003213a6
67f5405fe084a9e7291e326e0f0c68ce28482c998a0053554d4f4c434f4d50414c5c53433130
31383536
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "DOMAIN\\userADaccount"
State = 0xc282d9b6c28ac325c2d75d655a3b20bb
server inner-tunnel {
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "DOMAIN\userADaccount", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 8 length 79
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[sql] expand: %{User-Name} -> DOMAIN\userADaccount
[sql] sql_set_user escaped user --> 'DOMAIN\userADaccount'
rlm_sql (sql): Reserving sql socket id: 3
[sql] expand: SELECT id, username, attribute, value, op FROM
radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
-> SELECT id, username, attribute, value, op FROM radcheck
WHERE username = 'DOMAIN=5CuserADaccount' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE
username = '%{SQL-User-Name}' ORDER BY priority -> SELECT
groupname FROM radusergroup WHERE username =
'DOMAIN=5CuserADaccount' ORDER BY priority
rlm_sql (sql): Released sql socket id: 3
[sql] User DOMAIN\userADaccount not found
++[sql] returns notfound
++? if (ok)
? Evaluating (ok) -> FALSE
++? if (ok) -> FALSE
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] Told to do MS-CHAPv2 for userADaccount with NT-Password
[mschap] expand: %{mschap:NT-Domain} -> DOMAIN
[mschap] expand: --domain=%{%{mschap:NT-Domain}:-DOMAIN} ->
--domain=DOMAIN
[mschap] expand: %{Stripped-User-Name} ->
[mschap] ... expanding second conditional
[mschap] WARNING: Deprecated conditional expansion ":-". See "man unlang"
for details
[mschap] expand: %{User-Name:-None} -> DOMAIN\userADaccount
[mschap] expand:
--username=%{%{Stripped-User-Name}:-%{User-Name:-None}} ->
--username=DOMAIN\userADaccount
[mschap] mschap2: fc
[mschap] expand: --challenge=%{mschap:Challenge:-00} ->
--challenge=6aa1a18a77be8437
[mschap] expand: --nt-response=%{mschap:NT-Response:-00} ->
--nt-response=3213a667f5405fe084a9e7291e326e0f0c68ce28482c998a
Exec-Program output: NT_KEY: 56F8FF72C1E6DB98E25A86F7E98A3C53
Exec-Program-Wait: plaintext: NT_KEY: 56F8FF72C1E6DB98E25A86F7E98A3C53
Exec-Program: returned: 0
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
MSCHAP Success
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
EAP-Message =
0x010900331a0308002e533d4436464245433343433334343334373542443835343334333432
3745313831384243414639333030
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xc282d9b6c38bc325c2d75d655a3b20bb
[peap] Got tunneled reply RADIUS code 11
EAP-Message =
0x010900331a0308002e533d4436464245433343433334343334373542443835343334333432
3745313831384243414639333030
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xc282d9b6c38bc325c2d75d655a3b20bb
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 173 to ip_AP_cisco port 1645
EAP-Message =
0x0109005b190017030100505317a8177c77666155012c3211bf6b1c09ef17d29e1bb1fdcf91
ae82bf7dc5baae0e670350b67151aefb6bc5e1f18861cd55c6cdb04a829d8d59349be4ae0f68
a1ccd3f6714ea7a663b7c98ff3904cf9
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x2bebcbfd2de2d2392b8b84ab35544cf2
Finished request 386.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host ip_AP_cisco port 1645, id=174,
length=167
User-Name = "DOMAIN\\userADaccount"
Framed-MTU = 1400
Called-Station-Id = "003a.994b.fd40"
Calling-Station-Id = "e02a.8255.86ba"
Service-Type = Login-User
Message-Authenticator = 0xbfbafd91f0c8db0b664454958ff46920
EAP-Message = 0x020200190153554d4f4c434f4d50414c5c5343313031383536
NAS-Port-Type = Wireless-802.11
NAS-Port = 33392
NAS-Port-Id = "33392"
NAS-IP-Address = ip_AP_cisco
NAS-Identifier = "SC_APSI01"
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "DOMAIN\userADaccount", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 25
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[sql] expand: %{User-Name} -> DOMAIN\userADaccount
[sql] sql_set_user escaped user --> 'DOMAIN\userADaccount'
rlm_sql (sql): Reserving sql socket id: 2
[sql] expand: SELECT id, username, attribute, value, op FROM
radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
-> SELECT id, username, attribute, value, op FROM radcheck
WHERE username = 'DOMAIN=5CuserADaccount' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE
username = '%{SQL-User-Name}' ORDER BY priority -> SELECT
groupname FROM radusergroup WHERE username =
'DOMAIN=5CuserADaccount' ORDER BY priority
rlm_sql (sql): Released sql socket id: 2
[sql] User DOMAIN\userADaccount not found
++[sql] returns notfound
++? if (ok)
? Evaluating (ok) -> FALSE
++? if (ok) -> FALSE
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 174 to ip_AP_cisco port 1645
EAP-Message = 0x010300061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xf9273f5cf924268144e0f611590a6390
Finished request 387.
Going to the next request
Waking up in 2.5 seconds.
rad_recv: Access-Request packet from host ip_AP_cisco port 1645, id=175,
length=265
User-Name = "DOMAIN\\userADaccount"
Framed-MTU = 1400
Called-Station-Id = "003a.994b.fd40"
Calling-Station-Id = "e02a.8255.86ba"
Service-Type = Login-User
Message-Authenticator = 0x654642a79ad18d4f9b0b43b0b5ff6b49
EAP-Message =
0x0203006919800000005f160301005a01000056030150917f3e21eb8628177ee842a7970a30
5073e5097d4247271e936867232502aa000018002f00350005000ac013c014c009c00a003200
380013000401000015ff01000100000a0006000400170018000b00020100
NAS-Port-Type = Wireless-802.11
NAS-Port = 33392
NAS-Port-Id = "33392"
State = 0xf9273f5cf924268144e0f611590a6390
NAS-IP-Address = ip_AP_cisco
NAS-Identifier = "SC_APSI01"
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "DOMAIN\userADaccount", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 105
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 95
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 005a], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 002a], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 0791], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client certificate
A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 175 to ip_AP_cisco port 1645
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xf9273f5cf823268144e0f611590a6390
Finished request 388.
Going to the next request
Waking up in 2.5 seconds.
rad_recv: Access-Request packet from host ip_AP_cisco port 1645, id=176,
length=166
User-Name = "DOMAIN\\userADaccount"
Framed-MTU = 1400
Called-Station-Id = "003a.994b.fd40"
Calling-Station-Id = "e02a.8255.86ba"
Service-Type = Login-User
Message-Authenticator = 0xb9efc78ddc56b5697c3c806970efcccb
EAP-Message = 0x020400061900
NAS-Port-Type = Wireless-802.11
NAS-Port = 33392
NAS-Port-Id = "33392"
State = 0xf9273f5cf823268144e0f611590a6390
NAS-IP-Address = ip_AP_cisco
NAS-Identifier = "SC_APSI01"
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "DOMAIN\userADaccount", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 4 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 176 to ip_AP_cisco port 1645
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xf9273f5cfb22268144e0f611590a6390
Finished request 389.
Going to the next request
Waking up in 2.4 seconds.
rad_recv: Access-Request packet from host ip_AP_cisco port 1645, id=177,
length=368
User-Name = "DOMAIN\\userADaccount"
Framed-MTU = 1400
Called-Station-Id = "003a.994b.fd40"
Calling-Station-Id = "e02a.8255.86ba"
Service-Type = Login-User
Message-Authenticator = 0x4f560baf11832d1a5d0d5b2d35375199
EAP-Message =
0x020500d01980000000c61603010086100000820080b4e23df0bfeb70abedd7ab35ccce316b
e7924e118e44403bd076df506ee79eb284639660b5c1f3cd7e2479b45d18944c79b70a193e43
98b7b92c9803e4f8366694528dbe1bd1ed59effdc1d8af7b5edc532b98c024389f4b6fb8ff82
813d9ef41b720cf9fb01d5a1705a0b0e325f312637d6c0bfec72db4a5c315fbff59da6ee1403
010001011603010030015784c05b51b9b8accc4f80602a9c32259b10e88c619b7c51cd2aec2d
91f49457fe314e35831d3affa91bd3a6dd41a7
NAS-Port-Type = Wireless-802.11
NAS-Port = 33392
NAS-Port-Id = "33392"
State = 0xf9273f5cfb22268144e0f611590a6390
NAS-IP-Address = ip_AP_cisco
NAS-Identifier = "SC_APSI01"
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "DOMAIN\userADaccount", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 5 length 208
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 198
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
[peap] TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap] TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 write finished A
[peap] TLS_accept: SSLv3 flush data
[peap] (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 177 to ip_AP_cisco port 1645
EAP-Message =
0x01060041190014030100010116030100304e5b08197c4a7a7d3f8147d32c699a0f3b58be1f
122a2bc4a7b19a429ee64b0e97c279728180cbb966bc73523c1a22cf
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xf9273f5cfa21268144e0f611590a6390
Finished request 390.
Going to the next request
Waking up in 2.4 seconds.
rad_recv: Access-Request packet from host ip_AP_cisco port 1645, id=178,
length=166
User-Name = "DOMAIN\\userADaccount"
Framed-MTU = 1400
Called-Station-Id = "003a.994b.fd40"
Calling-Station-Id = "e02a.8255.86ba"
Service-Type = Login-User
Message-Authenticator = 0xd32f574e1096954528e1958f06a538be
EAP-Message = 0x020600061900
NAS-Port-Type = Wireless-802.11
NAS-Port = 33392
NAS-Port-Id = "33392"
State = 0xf9273f5cfa21268144e0f611590a6390
NAS-IP-Address = ip_AP_cisco
NAS-Identifier = "SC_APSI01"
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "DOMAIN\userADaccount", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 6 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
++[eap] returns handled
Sending Access-Challenge of id 178 to ip_AP_cisco port 1645
EAP-Message =
0x0107002b1900170301002016e05c3a7c54b262bc4ef127d51d1bd9fb01a1da703100ee3f2a
12d8a22be1f6
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xf9273f5cfd20268144e0f611590a6390
Finished request 391.
Going to the next request
Waking up in 2.4 seconds.
rad_recv: Access-Request packet from host ip_AP_cisco port 1645, id=179,
length=219
User-Name = "DOMAIN\\userADaccount"
Framed-MTU = 1400
Called-Station-Id = "003a.994b.fd40"
Calling-Station-Id = "e02a.8255.86ba"
Service-Type = Login-User
Message-Authenticator = 0xc7634ddb6b0a8e14ee1cb9b14b5148b9
EAP-Message =
0x0207003b19001703010030c84fb828e6fd4d888488a6e21767c8671bc5e7d560156e18bafc
2f455241ed32b713ce0cceb5c8db4a67fa407f094b26
NAS-Port-Type = Wireless-802.11
NAS-Port = 33392
NAS-Port-Id = "33392"
State = 0xf9273f5cfd20268144e0f611590a6390
NAS-IP-Address = ip_AP_cisco
NAS-Identifier = "SC_APSI01"
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "DOMAIN\userADaccount", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 7 length 59
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Identity - DOMAIN\userADaccount
[peap] Got tunneled request
EAP-Message = 0x020700190153554d4f4c434f4d50414c5c5343313031383536
server {
PEAP: Got tunneled identity of DOMAIN\userADaccount
PEAP: Setting default EAP type for tunneled EAP session.
PEAP: Setting User-Name to DOMAIN\userADaccount
Sending tunneled request
EAP-Message = 0x020700190153554d4f4c434f4d50414c5c5343313031383536
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "DOMAIN\\userADaccount"
server inner-tunnel {
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "DOMAIN\userADaccount", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 7 length 25
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[sql] expand: %{User-Name} -> DOMAIN\userADaccount
[sql] sql_set_user escaped user --> 'DOMAIN\userADaccount'
rlm_sql (sql): Reserving sql socket id: 1
[sql] expand: SELECT id, username, attribute, value, op FROM
radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
-> SELECT id, username, attribute, value, op FROM radcheck
WHERE username = 'DOMAIN=5CuserADaccount' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE
username = '%{SQL-User-Name}' ORDER BY priority -> SELECT
groupname FROM radusergroup WHERE username =
'DOMAIN=5CuserADaccount' ORDER BY priority
rlm_sql (sql): Released sql socket id: 1
[sql] User DOMAIN\userADaccount not found
++[sql] returns notfound
++? if (ok)
? Evaluating (ok) -> FALSE
++? if (ok) -> FALSE
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
EAP-Message =
0x0108002e1a01080029103e012c895c707cfdb101ee68490e0bc753554d4f4c434f4d50414c
5c5343313031383536
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xf27c6434f2747e5953b4425059470cef
[peap] Got tunneled reply RADIUS code 11
EAP-Message =
0x0108002e1a01080029103e012c895c707cfdb101ee68490e0bc753554d4f4c434f4d50414c
5c5343313031383536
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xf27c6434f2747e5953b4425059470cef
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 179 to ip_AP_cisco port 1645
EAP-Message =
0x0108004b1900170301004057de040d203c3cc762a15223cbb44c524ae68b650240d40c5b0a
a5577592f5d13d774a67022677016666a1fd8e4f6e667e2b0170e76de2a0321999d3965a323d
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xf9273f5cfc2f268144e0f611590a6390
Finished request 392.
Going to the next request
Waking up in 2.4 seconds.
rad_recv: Access-Request packet from host ip_AP_cisco port 1645, id=180,
length=267
User-Name = "DOMAIN\\userADaccount"
Framed-MTU = 1400
Called-Station-Id = "003a.994b.fd40"
Calling-Station-Id = "e02a.8255.86ba"
Service-Type = Login-User
Message-Authenticator = 0x2310c60f37236cf885df903d9e417627
EAP-Message =
0x0208006b19001703010060fe540af30166803c2194908bec8c0f99f59304e2cc130549ce9c
284f30df439a93ed9c024feae41899750f970fc23047e637b25c81a7c6fef32537b0d3a6e8ee
7e279294982d2caede51bd341db026c2090297cf56845d8fcf7ef1bb8388951b
NAS-Port-Type = Wireless-802.11
NAS-Port = 33392
NAS-Port-Id = "33392"
State = 0xf9273f5cfc2f268144e0f611590a6390
NAS-IP-Address = ip_AP_cisco
NAS-Identifier = "SC_APSI01"
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "DOMAIN\userADaccount", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 8 length 107
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] EAP type mschapv2
[peap] Got tunneled request
EAP-Message =
0x0208004f1a0208004a3159b3a0b6d49a89138f04f52abeb1f362000000000000000084a503
90b18fcd9f48bfdfd54cac709dc182cbc0937830e80053554d4f4c434f4d50414c5c53433130
31383536
server {
PEAP: Setting User-Name to DOMAIN\userADaccount
Sending tunneled request
EAP-Message =
0x0208004f1a0208004a3159b3a0b6d49a89138f04f52abeb1f362000000000000000084a503
90b18fcd9f48bfdfd54cac709dc182cbc0937830e80053554d4f4c434f4d50414c5c53433130
31383536
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "DOMAIN\\userADaccount"
State = 0xf27c6434f2747e5953b4425059470cef
server inner-tunnel {
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "DOMAIN\userADaccount", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 8 length 79
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[sql] expand: %{User-Name} -> DOMAIN\userADaccount
[sql] sql_set_user escaped user --> 'DOMAIN\userADaccount'
rlm_sql (sql): Reserving sql socket id: 0
[sql] expand: SELECT id, username, attribute, value, op FROM
radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
-> SELECT id, username, attribute, value, op FROM radcheck
WHERE username = 'DOMAIN=5CuserADaccount' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE
username = '%{SQL-User-Name}' ORDER BY priority -> SELECT
groupname FROM radusergroup WHERE username =
'DOMAIN=5CuserADaccount' ORDER BY priority
rlm_sql (sql): Released sql socket id: 0
[sql] User DOMAIN\userADaccount not found
++[sql] returns notfound
++? if (ok)
? Evaluating (ok) -> FALSE
++? if (ok) -> FALSE
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] Told to do MS-CHAPv2 for userADaccount with NT-Password
[mschap] expand: %{mschap:NT-Domain} -> DOMAIN
[mschap] expand: --domain=%{%{mschap:NT-Domain}:-DOMAIN} ->
--domain=DOMAIN
[mschap] expand: %{Stripped-User-Name} ->
[mschap] ... expanding second conditional
[mschap] WARNING: Deprecated conditional expansion ":-". See "man unlang"
for details
[mschap] expand: %{User-Name:-None} -> DOMAIN\userADaccount
[mschap] expand:
--username=%{%{Stripped-User-Name}:-%{User-Name:-None}} ->
--username=DOMAIN\userADaccount
[mschap] mschap2: 3e
[mschap] expand: --challenge=%{mschap:Challenge:-00} ->
--challenge=b439b68a07408f48
[mschap] expand: --nt-response=%{mschap:NT-Response:-00} ->
--nt-response=84a50390b18fcd9f48bfdfd54cac709dc182cbc0937830e8
Exec-Program output: NT_KEY: 56F8FF72C1E6DB98E25A86F7E98A3C53
Exec-Program-Wait: plaintext: NT_KEY: 56F8FF72C1E6DB98E25A86F7E98A3C53
Exec-Program: returned: 0
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
MSCHAP Success
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
EAP-Message =
0x010900331a0308002e533d3732364234443430444634413838334346394336374342353743
4431414437373839303931373839
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xf27c6434f3757e5953b4425059470cef
[peap] Got tunneled reply RADIUS code 11
EAP-Message =
0x010900331a0308002e533d3732364234443430444634413838334346394336374342353743
4431414437373839303931373839
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xf27c6434f3757e5953b4425059470cef
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 180 to ip_AP_cisco port 1645
EAP-Message =
0x0109005b190017030100502f79f75d930239412dc6c2abfbbed6c6930ef8ed21bedee2d972
9a2a1c987a285ddfd23ef4379fa1e6bf44ffa1eb1d08f8a24c50606ba462b9cbdf8c68923e52
72a032112af4c2f1af939b470d00b30b
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xf9273f5cff2e268144e0f611590a6390
Finished request 393.
Going to the next request
Waking up in 2.4 seconds.