radlogin works, mobile device not

Mihajlo Joksimovic mihajlo.joksimovic at adfinis-sygroup.ch
Tue Sep 11 14:42:23 CEST 2012


No, there are no other lines before that one.

I cannot update, because Univention UCS 2.4 is based on lenny and FR 2.2
depends on newer packages from squeeze. I already tried that.

Well, radlogin worked even when unix in default was active. But after I
#-ed everything with unix I could log in. After the login the information
for accepting the certificate comes up. But after a click to accept it, the
login screen comes up another time.

Output from -X:
rad_recv: Access-Request packet from host 10.119.12.2 port 1332, id=74,
length=197
    Message-Authenticator = 0xb8f705a6d721830c471b297ff86bc1da
    Service-Type = Framed-User
    User-Name = "nadine.bosshard"
    Framed-MTU = 1488
    Called-Station-Id = "204E7FE98EF3:TCSVO-Intern"
    Calling-Station-Id = "9803D861E85C"
    NAS-Identifier = "aptcsvo02"
    NAS-Port-Type = Wireless-802.11
    Connect-Info = "CONNECT 54Mbps 802.11g"
    EAP-Message = 0x02000014016e6164696e652e626f737368617264
    NAS-IP-Address = 10.119.12.2
    NAS-Port = 1
    NAS-Port-Id = "STA port # 1"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "nadine.bosshard", looking up realm
NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: EAP packet type response id 0 length 20
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
rlm_ldap: - authorize
rlm_ldap: performing user authorization for nadine.bosshard
WARNING: Deprecated conditional expansion ":-".  See "man unlang" for
details
    expand:
(&(objectClass=sambaSamAccount)(!(shadowExpire=1))(uid=%{Stripped-User-Name:-%{User-Name}}))
-> (&(objectClass=sambaSamAccount)(!(shadowExpire=1))(uid=nadine.bosshard))
    expand: dc=tcsvo,dc=local -> dc=tcsvo,dc=local
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: starting TLS
rlm_ldap: bind as cn=admin,dc=tcsvo,dc=local/pPWSrf5 to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=tcsvo,dc=local, with filter
(&(objectClass=sambaSamAccount)(!(shadowExpire=1))(uid=nadine.bosshard))
rlm_ldap: checking if remote access for nadine.bosshard is allowed by uid
rlm_ldap: No default NMAS login sequence
rlm_ldap: looking for check items in directory...
rlm_ldap: LDAP attribute userPassword as RADIUS attribute
Cleartext-Password == "{crypt}$1$QWzPnrgt$zDhDp8t6inQRkVyuvb6en/"
rlm_ldap: LDAP attribute sambaNtPassword as RADIUS attribute NT-Password
== 0x4431393433313746304145303337384139434535423745394230313835334233
rlm_ldap: LDAP attribute sambaLmPassword as RADIUS attribute LM-Password
== 0x3944443632393938313730333033343036463342414634373331353033384646
rlm_ldap: looking for reply items in directory...
rlm_ldap: user nadine.bosshard authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Normalizing NT-Password from hex encoding
rlm_pap: Normalizing LM-Password from hex encoding
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: EAP Identity
  rlm_eap: processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 74 to 10.119.12.2 port 1332
    EAP-Message = 0x010100160410ce5ed62bba0b994eed20635dd85199a8
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x16b4654516b5618cb11aad47c413c7ca
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.119.12.2 port 1332, id=75,
length=201
    Message-Authenticator = 0x4ba48fcb53c68cc0e385d0d12cfad5fc
    Service-Type = Framed-User
    User-Name = "nadine.bosshard"
    Framed-MTU = 1488
    State = 0x16b4654516b5618cb11aad47c413c7ca
    Called-Station-Id = "204E7FE98EF3:TCSVO-Intern"
    Calling-Station-Id = "9803D861E85C"
    NAS-Identifier = "aptcsvo02"
    NAS-Port-Type = Wireless-802.11
    Connect-Info = "CONNECT 54Mbps 802.11g"
    EAP-Message = 0x020100060319
    NAS-IP-Address = 10.119.12.2
    NAS-Port = 1
    NAS-Port-Id = "STA port # 1"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "nadine.bosshard", looking up realm
NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: EAP packet type response id 1 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
rlm_ldap: - authorize
rlm_ldap: performing user authorization for nadine.bosshard
WARNING: Deprecated conditional expansion ":-".  See "man unlang" for
details
    expand:
(&(objectClass=sambaSamAccount)(!(shadowExpire=1))(uid=%{Stripped-User-Name:-%{User-Name}}))
-> (&(objectClass=sambaSamAccount)(!(shadowExpire=1))(uid=nadine.bosshard))
    expand: dc=tcsvo,dc=local -> dc=tcsvo,dc=local
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=tcsvo,dc=local, with filter
(&(objectClass=sambaSamAccount)(!(shadowExpire=1))(uid=nadine.bosshard))
rlm_ldap: checking if remote access for nadine.bosshard is allowed by uid
rlm_ldap: No default NMAS login sequence
rlm_ldap: looking for check items in directory...
rlm_ldap: LDAP attribute userPassword as RADIUS attribute
Cleartext-Password == "{crypt}$1$QWzPnrgt$zDhDp8t6inQRkVyuvb6en/"
rlm_ldap: LDAP attribute sambaNtPassword as RADIUS attribute NT-Password
== 0x4431393433313746304145303337384139434535423745394230313835334233
rlm_ldap: LDAP attribute sambaLmPassword as RADIUS attribute LM-Password
== 0x3944443632393938313730333033343036463342414634373331353033384646
rlm_ldap: looking for reply items in directory...
rlm_ldap: user nadine.bosshard authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Normalizing NT-Password from hex encoding
rlm_pap: Normalizing LM-Password from hex encoding
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP NAK
 rlm_eap: EAP-NAK asked for EAP-Type/peap
  rlm_eap: processing type tls
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 75 to 10.119.12.2 port 1332
    EAP-Message = 0x010200061920
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x16b4654517b67c8cb11aad47c413c7ca
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.119.12.2 port 1332, id=76,
length=323
    Message-Authenticator = 0x32ce24190f3bd9a7fe8b5bfcba1fc4dc
    Service-Type = Framed-User
    User-Name = "nadine.bosshard"
    Framed-MTU = 1488
    State = 0x16b4654517b67c8cb11aad47c413c7ca
    Called-Station-Id = "204E7FE98EF3:TCSVO-Intern"
    Calling-Station-Id = "9803D861E85C"
    NAS-Identifier = "aptcsvo02"
    NAS-Port-Type = Wireless-802.11
    Connect-Info = "CONNECT 54Mbps 802.11g"
    EAP-Message =
0x0202008019800000007616030100710100006d0301504f2f339bf42035c99689e4b9f5f239952eeccfc90cde3694f18e32a18a204e00003200ffc00ac009c007c008c014c013c011c012c004c005c002c003c00ec00fc00cc00d002f000500040035000a00330039001601000012000a00080006001700180019000b00020100
    NAS-IP-Address = 10.119.12.2
    NAS-Port = 1
    NAS-Port-Id = "STA port # 1"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "nadine.bosshard", looking up realm
NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: EAP packet type response id 2 length 128
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  TLS Length 118
rlm_eap_tls:  Length Included
  eaptls_verify returned 11
    (other): before/accept initialization
    TLS_accept: before/accept initialization
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0071], ClientHello 
    TLS_accept: SSLv3 read client hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0051], ServerHello 
    TLS_accept: SSLv3 write server hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0ac9], Certificate 
    TLS_accept: SSLv3 write certificate A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone 
    TLS_accept: SSLv3 write server done A
    TLS_accept: SSLv3 flush data
    TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode 
  eaptls_process returned 13
  rlm_eap_peap: EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 76 to 10.119.12.2 port 1332
    EAP-Message =
0x3000301d0603551d0e04160414d60b8a292f824ee8593ead12079908a996fa25ce308201040603551d230481fc3081f980141894cd73cc0286f2e6b0ab65777f605667044a3ca181d5a481d23081cf310b3009060355040613024348311430120603550408130b537769747a65726c616e64311330110603550407130a566f6c6b65747377696c312a3028060355040a142154435320536572766963652043656e7465722053656b74696f6e205afc72696368311b3019060355040b131254435320536572766963652043656e746572312c302a06035504031323556e6976656e74696f6e20436f72706f726174652053657276657220526f6f742043
    EAP-Message = 0x41311e301c06092a864886f7
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x16b4654514b77c8cb11aad47c413c7ca
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.119.12.2 port 1332, id=77,
length=201
    Message-Authenticator = 0xc5cd91f31beec31485c1a018cca1a538
    Service-Type = Framed-User
    User-Name = "nadine.bosshard"
    Framed-MTU = 1488
    State = 0x16b4654514b77c8cb11aad47c413c7ca
    Called-Station-Id = "204E7FE98EF3:TCSVO-Intern"
    Calling-Station-Id = "9803D861E85C"
    NAS-Identifier = "aptcsvo02"
    NAS-Port-Type = Wireless-802.11
    Connect-Info = "CONNECT 54Mbps 802.11g"
    EAP-Message = 0x020300061900
    NAS-IP-Address = 10.119.12.2
    NAS-Port = 1
    NAS-Port-Id = "STA port # 1"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "nadine.bosshard", looking up realm
NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: EAP packet type response id 3 length 6
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake fragment handler
  eaptls_verify returned 1
  eaptls_process returned 13
  rlm_eap_peap: EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 77 to 10.119.12.2 port 1332
    EAP-Message =
0x010403fc19400d010901160f73736c40746373766f2e6c6f63616c820900de6d547bd0d02bb7300d06092a864886f70d0101050500038201010070b8aa764d29097af2190422c618f6c5a4753df81c1ff392cb1b379de862bd338b414b5fdcdc7b8ed053df5224ec2e4e85babe4adac4a490fd663627c211c837819ae267f4d9125d19e04fc82ac089a9ab9c3a7f01be2f54ff64381d8f233dd0f4e1070221a6d9751e3f5c5f4a4d3a81c2784377ac37056e3472e64770818f741f39659163dfb5b72e44cba594acb1fc8549bbd3ca2a42eed1741fedd1fd784f88270182168861461bf8e395f33544d1d6950ccb5bd39bf31e06c7a95e3134dba44f7a
    EAP-Message =
0x00f72b04cb086681c2fca1497fd8842e6453e9c305971535d8ec031581b1a37c97199ed6295c692c91515b121b459421b4d320429da9eebf9fa46692560005f7308205f3308204dba003020102020900de6d547bd0d02bb7300d06092a864886f70d01010505003081cf310b3009060355040613024348311430120603550408130b537769747a65726c616e64311330110603550407130a566f6c6b65747377696c312a3028060355040a142154435320536572766963652043656e7465722053656b74696f6e205afc72696368311b3019060355040b131254435320536572766963652043656e746572312c302a06035504031323556e6976656e74
    EAP-Message = 0xcbfcc9fde3fc1e69
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x16b4654515b07c8cb11aad47c413c7ca
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.119.12.2 port 1332, id=78,
length=201
    Message-Authenticator = 0xe1657a312df473007ae4e66e5386abba
    Service-Type = Framed-User
    User-Name = "nadine.bosshard"
    Framed-MTU = 1488
    State = 0x16b4654515b07c8cb11aad47c413c7ca
    Called-Station-Id = "204E7FE98EF3:TCSVO-Intern"
    Calling-Station-Id = "9803D861E85C"
    NAS-Identifier = "aptcsvo02"
    NAS-Port-Type = Wireless-802.11
    Connect-Info = "CONNECT 54Mbps 802.11g"
    EAP-Message = 0x020400061900
    NAS-IP-Address = 10.119.12.2
    NAS-Port = 1
    NAS-Port-Id = "STA port # 1"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "nadine.bosshard", looking up realm
NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: EAP packet type response id 4 length 6
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake fragment handler
  eaptls_verify returned 1
  eaptls_process returned 13
  rlm_eap_peap: EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 78 to 10.119.12.2 port 1332
    EAP-Message =
0xb65a905d7bab8419a963ea7f069d0c618070bb107ffd9c291baf3f3908a4fbbf9a8ca172e1f39301934bdf17939a65b9c794b7162169b2c5bceb6aaf48fa715a584c6eea1e0dd916030100040e000000
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x16b4654512b17c8cb11aad47c413c7ca
Finished request 4.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.119.12.2 port 1332, id=79,
length=403
    Message-Authenticator = 0xf76ea41848db75155a999de19b0b8ab8
    Service-Type = Framed-User
    User-Name = "nadine.bosshard"
    Framed-MTU = 1488
    State = 0x16b4654512b17c8cb11aad47c413c7ca
    Called-Station-Id = "204E7FE98EF3:TCSVO-Intern"
    Calling-Station-Id = "9803D861E85C"
    NAS-Identifier = "aptcsvo02"
    NAS-Port-Type = Wireless-802.11
    Connect-Info = "CONNECT 54Mbps 802.11g"
    EAP-Message =
0x020500d01980000000c61603010086100000820080a9fa249e85b6565a5675f299fd98e7f2db6767a944b7691b5b42e738a2034e254510fa33eaa56734c708cf596d81b193ea6a1947769cb63f83fac6c2d71dd434985b3a115e8a90a68349d2dd7cca49d3cec3f32fa190b21111949bf1829bfe7dbe5bd1ac6a1c37544a1b04d81ad98f89e0806aeb827a955deefc1bdf0b60e82e1403010001011603010030341c5ed324da181fd43d39d7ed41f23724e32cb3e2e55a57da946c5691257bb74199385181f308e2e6450489745d04c9
    NAS-IP-Address = 10.119.12.2
    NAS-Port = 1
    NAS-Port-Id = "STA port # 1"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "nadine.bosshard", looking up realm
NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: EAP packet type response id 5 length 208
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  TLS Length 198
rlm_eap_tls:  Length Included
  eaptls_verify returned 11
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange 
    TLS_accept: SSLv3 read client key exchange A
  rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001] 
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished 
    TLS_accept: SSLv3 read finished A
  rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001] 
    TLS_accept: SSLv3 write change cipher spec A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished 
    TLS_accept: SSLv3 write finished A
    TLS_accept: SSLv3 flush data
    (other): SSL negotiation finished successfully
SSL Connection Established
  eaptls_process returned 13
  rlm_eap_peap: EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 79 to 10.119.12.2 port 1332
    EAP-Message =
0x0106004119001403010001011603010030b213aaedf5b207d7f89aa93d1379c29e85c4c32f1927ca9318dcd335398921d3014d7ef185c94ecc6167c183f3178c37
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x16b4654513b27c8cb11aad47c413c7ca
Finished request 5.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.119.12.2 port 1332, id=80,
length=201
    Message-Authenticator = 0xa7658f5b5828f25d72267be5a62ee3d9
    Service-Type = Framed-User
    User-Name = "nadine.bosshard"
    Framed-MTU = 1488
    State = 0x16b4654513b27c8cb11aad47c413c7ca
    Called-Station-Id = "204E7FE98EF3:TCSVO-Intern"
    Calling-Station-Id = "9803D861E85C"
    NAS-Identifier = "aptcsvo02"
    NAS-Port-Type = Wireless-802.11
    Connect-Info = "CONNECT 54Mbps 802.11g"
    EAP-Message = 0x020600061900
    NAS-IP-Address = 10.119.12.2
    NAS-Port = 1
    NAS-Port-Id = "STA port # 1"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "nadine.bosshard", looking up realm
NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: EAP packet type response id 6 length 6
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake is finished
  eaptls_verify returned 3
  eaptls_process returned 3
  rlm_eap_peap: EAPTLS_SUCCESS
++[eap] returns handled
Sending Access-Challenge of id 80 to 10.119.12.2 port 1332
    EAP-Message =
0x0107002b1900170301002076cff579edcc27200d5c7a2da8010742e440dcfec3cbf4a4586062522b8feee8
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x16b4654510b37c8cb11aad47c413c7ca
Finished request 6.
Going to the next request
Waking up in 1.2 seconds.
rad_recv: Access-Request packet from host 10.119.12.2 port 1332, id=81,
length=254
    Message-Authenticator = 0xe19f6b601971918ae28622d4e1023915
    Service-Type = Framed-User
    User-Name = "nadine.bosshard"
    Framed-MTU = 1488
    State = 0x16b4654510b37c8cb11aad47c413c7ca
    Called-Station-Id = "204E7FE98EF3:TCSVO-Intern"
    Calling-Station-Id = "9803D861E85C"
    NAS-Identifier = "aptcsvo02"
    NAS-Port-Type = Wireless-802.11
    Connect-Info = "CONNECT 54Mbps 802.11g"
    EAP-Message =
0x0207003b19001703010030a363428512dd817485942d2771ad4bc57cfd522bbca80127738d56ba90b901fdc460d220b30b1e326ed6ef5392338784
    NAS-IP-Address = 10.119.12.2
    NAS-Port = 1
    NAS-Port-Id = "STA port # 1"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "nadine.bosshard", looking up realm
NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: EAP packet type response id 7 length 59
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_peap: Identity - nadine.bosshard
  PEAP: Got tunneled EAP-Message
    EAP-Message = 0x02070014016e6164696e652e626f737368617264
  PEAP: Got tunneled identity of nadine.bosshard
  PEAP: Setting default EAP type for tunneled EAP session.
  PEAP: Setting User-Name to nadine.bosshard
  PEAP: Sending tunneled request
    EAP-Message = 0x02070014016e6164696e652e626f737368617264
    FreeRADIUS-Proxied-To = 127.0.0.1
    User-Name = "nadine.bosshard"
server inner-tunnel {
+- entering group authorize
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "nadine.bosshard", looking up realm
NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
  rlm_eap: Request is supposed to be proxied to Realm LOCAL.  Not doing EAP.
++[eap] returns noop
++[files] returns noop
rlm_ldap: - authorize
rlm_ldap: performing user authorization for nadine.bosshard
WARNING: Deprecated conditional expansion ":-".  See "man unlang" for
details
    expand:
(&(objectClass=sambaSamAccount)(!(shadowExpire=1))(uid=%{Stripped-User-Name:-%{User-Name}}))
-> (&(objectClass=sambaSamAccount)(!(shadowExpire=1))(uid=nadine.bosshard))
    expand: dc=tcsvo,dc=local -> dc=tcsvo,dc=local
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=tcsvo,dc=local, with filter
(&(objectClass=sambaSamAccount)(!(shadowExpire=1))(uid=nadine.bosshard))
rlm_ldap: checking if remote access for nadine.bosshard is allowed by uid
rlm_ldap: No default NMAS login sequence
rlm_ldap: looking for check items in directory...
rlm_ldap: LDAP attribute userPassword as RADIUS attribute
Cleartext-Password == "{crypt}$1$QWzPnrgt$zDhDp8t6inQRkVyuvb6en/"
rlm_ldap: LDAP attribute sambaNtPassword as RADIUS attribute NT-Password
== 0x4431393433313746304145303337384139434535423745394230313835334233
rlm_ldap: LDAP attribute sambaLmPassword as RADIUS attribute LM-Password
== 0x3944443632393938313730333033343036463342414634373331353033384646
rlm_ldap: looking for reply items in directory...
rlm_ldap: user nadine.bosshard authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Normalizing NT-Password from hex encoding
rlm_pap: Normalizing LM-Password from hex encoding
rlm_pap: No clear-text password in the request.  Not performing PAP.
++[pap] returns noop
  WARNING: You set Proxy-To-Realm = LOCAL, but the realm does not
exist!  Cancelling invalid proxy request.
auth: type Local
auth: No User-Password or CHAP-Password attribute in the request
auth: Failed to validate the user.
Login incorrect: [nadine.bosshard/<no User-Password attribute>] (from
client aptcsvo02 port 0 via TLS tunnel)
} # server inner-tunnel
  PEAP: Got tunneled reply RADIUS code 3
  PEAP: Processing from tunneled session code 0x15a7cd0 3
  PEAP: Tunneled authentication was rejected.
  rlm_eap_peap: FAILURE
++[eap] returns handled
Sending Access-Challenge of id 81 to 10.119.12.2 port 1332
    EAP-Message =
0x0108002b19001703010020fd01c27653428a0b4c1b91a8c8a72745376f00967edad64c2942c892ce583c95
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x16b4654511bc7c8cb11aad47c413c7ca
Finished request 7.
Going to the next request
Waking up in 1.2 seconds.
rad_recv: Access-Request packet from host 10.119.12.2 port 1332, id=82,
length=238
    Message-Authenticator = 0xf77a7553970336997c53b0f4dd243710
    Service-Type = Framed-User
    User-Name = "nadine.bosshard"
    Framed-MTU = 1488
    State = 0x16b4654511bc7c8cb11aad47c413c7ca
    Called-Station-Id = "204E7FE98EF3:TCSVO-Intern"
    Calling-Station-Id = "9803D861E85C"
    NAS-Identifier = "aptcsvo02"
    NAS-Port-Type = Wireless-802.11
    Connect-Info = "CONNECT 54Mbps 802.11g"
    EAP-Message =
0x0208002b1900170301002025cb1272fcd8494d630037f0c267cf2b860f7edfeeb4b730993de53c79e20735
    NAS-IP-Address = 10.119.12.2
    NAS-Port = 1
    NAS-Port-Id = "STA port # 1"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "nadine.bosshard", looking up realm
NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: EAP packet type response id 8 length 43
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_peap: Received EAP-TLV response.
  rlm_eap_peap:  Had sent TLV failure.  User was rejected earlier in
this session.
 rlm_eap: Handler failed in EAP/peap
  rlm_eap: Failed in EAP select
++[eap] returns invalid
auth: Failed to validate the user.
Login incorrect: [nadine.bosshard/<via Auth-Type = EAP>] (from client
aptcsvo02 port 1 cli 9803D861E85C)
  Found Post-Auth-Type Reject
+- entering group REJECT
    expand: %{User-Name} -> nadine.bosshard
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 8 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 10.119.12.2 port 1332, id=82,
length=238
Waiting to send Access-Reject to client aptcsvo02 port 1332 - ID: 82
Sending delayed reject for request 8
Sending Access-Reject of id 82 to 10.119.12.2 port 1332
    EAP-Message = 0x04080004
    Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 0.1 seconds.
Cleaning up request 0 ID 74 with timestamp +313
Cleaning up request 1 ID 75 with timestamp +313
Cleaning up request 2 ID 76 with timestamp +313
Cleaning up request 3 ID 77 with timestamp +313
Cleaning up request 4 ID 78 with timestamp +313
Cleaning up request 5 ID 79 with timestamp +313
Waking up in 3.6 seconds.
Cleaning up request 6 ID 80 with timestamp +317
Cleaning up request 7 ID 81 with timestamp +317
Waking up in 1.0 seconds.
Cleaning up request 8 ID 82 with timestamp +317
Ready to process requests.

Thanks for the help.



On 09/11/2012 11:06 AM, Fajar A. Nugraha wrote:
> On Tue, Sep 11, 2012 at 3:54 PM, Mihajlo Joksimovic
> <mihajlo.joksimovic at adfinis-sygroup.ch> wrote:
>
>> IPhone test:
>> rad_recv: Access-Request packet from host 10.119.12.2 port 1318, id=21,
>> length=197
>>     Message-Authenticator = 0x24691ccd1f2040d828405d72ef7189ec
>>
>>     Service-Type = Framed-User
>>     User-Name = "nadine.bosshard"
>>     Framed-MTU = 1488
>>     Called-Station-Id = "204E7FE98EF3:TCSVO-Intern"
>>     Calling-Station-Id = "9803D861E85C"
>>     NAS-Identifier = "aptcsvo02"
>>     NAS-Port-Type = Wireless-802.11
>>     Connect-Info = "CONNECT 54Mbps 802.11g"
>>     EAP-Message = 0x02000014016e6164696e652e626f737368617264
>>     NAS-IP-Address = 10.119.12.2
>>     NAS-Port = 1
>>     NAS-Port-Id = "STA port # 1"
>> +- entering group authorize
>> ++[preprocess] returns ok
>> ++[chap] returns noop
>> ++[mschap] returns noop
>>     rlm_realm: No '@' in User-Name = "nadine.bosshard", looking up realm
>> NULL
>>     rlm_realm: No such realm "NULL"
>> ++[suffix] returns noop
>>   rlm_eap: EAP packet type response id 0 length 20
>>   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
> There should be other lines before that. Like the ones that says it's
> using inner-tunnel?
>
>
>> rlm_unix: [nadine.bosshard]: invalid shell [/bin/false]
>> ++[unix] returns reject
> Did you read that line? You have "unix" in authorize section of inner
> tunnel. And user nadine.bosshard is not allowed to login to the system
> (invalid shell). FR does the right thing. Comment-out that line in
> inner tunnel.
>
> Your radlogin test succeeded because you don't have "unix" in the authorize
> section of the default virtual server.
>
>
> See how important complete debug logs are?
>
> ... and seriously, upgrade. There are many known bugs fixed since
> 2.0.x. And if you can edit the configuration freely by hand, you
> should be able to upgrade.
>

-- 
Adfinis SyGroup AG
Mihajlo Joksimovic, System Engineer

Güterstrasse 86 | CH-4053 Basel
Tel. 061 333 80 33
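As an added example (not code from this thread or from FreeRADIUS), a small Python triage script that walks radiusd -X output like the log above, tracks whether each line belongs to the default server or to a `server inner-tunnel { ... }` block, and reports every failing module or password check together with the diagnostic lines that preceded it. The regexes assume the FreeRADIUS 2.x line shapes seen on this page, and the sample is a constructed excerpt of requests 81 and 82.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Line shapes of FreeRADIUS 2.x "radiusd -X" output, as in the log above.
RAD_RECV = re.compile(r"^rad_recv: ")
SERVER_OPEN = re.compile(r"^server (\S+) \{")
SERVER_CLOSE = re.compile(r"^\} # server (\S+)")
GROUP_ENTER = re.compile(r"^\+- entering group (\S+)")
MODULE_RET = re.compile(r"^\+\+\[([\w.]+)\] returns (\w+)")
LOGIN_BAD = re.compile(r"^Login incorrect: \[([^/\]]+)/([^\]]*)\]")
# Diagnostic lines worth showing next to a failure.
HINT = re.compile(r"WARNING|Not doing EAP|No User-Password|Failed to validate|"
                  r"invalid shell|Handler failed|rejected earlier")
FAIL_CODES = {"reject", "invalid", "fail", "userlock", "notfound"}

@dataclass
class Failure:
    server: str   # virtual server: "default" or e.g. "inner-tunnel"
    group: str    # authorize / authenticate / ... being processed
    where: str    # module name, or "auth" for the core password check
    detail: str   # module return code, or user and reason from "Login incorrect"
    hints: List[str] = field(default_factory=list)

def triage(debug_output: str, window: int = 4) -> List[Failure]:
    """Return every failure in order, each with the last `window` diagnostic
    lines that preceded it within the same virtual server and request.
    In the PEAP log above the first failure is the real one: the outer
    '++[eap] returns invalid' only echoes the inner-tunnel rejection."""
    server, group = "default", "?"
    hints: List[str] = []
    failures: List[Failure] = []
    for raw in debug_output.splitlines():
        line = raw.strip()
        if RAD_RECV.match(line):
            group, hints = "?", []          # new packet: fresh context
            continue
        if m := SERVER_OPEN.match(line):
            server, hints = m.group(1), []  # entering the tunneled request
            continue
        if SERVER_CLOSE.match(line):
            server, hints = "default", []   # back to the outer request
            continue
        if m := GROUP_ENTER.match(line):
            group = m.group(1)
            continue
        if HINT.search(line):
            hints = (hints + [line])[-window:]
        if m := MODULE_RET.match(line):
            module, rcode = m.groups()
            if rcode in FAIL_CODES:
                failures.append(Failure(server, group, module, rcode, list(hints)))
            continue
        if m := LOGIN_BAD.match(line):
            user, reason = m.groups()
            failures.append(Failure(server, group, "auth", f"{user} {reason}", list(hints)))
    return failures

# Constructed excerpt of requests 81 and 82 from the log above, not the full output.
SAMPLE = """\
rad_recv: Access-Request packet from host 10.119.12.2 port 1332, id=81, length=254
+- entering group authorize
++[eap] returns ok
+- entering group authenticate
server inner-tunnel {
+- entering group authorize
  rlm_eap: Request is supposed to be proxied to Realm LOCAL.  Not doing EAP.
++[eap] returns noop
++[ldap] returns ok
  WARNING: You set Proxy-To-Realm = LOCAL, but the realm does not exist!  Cancelling invalid proxy request.
auth: No User-Password or CHAP-Password attribute in the request
auth: Failed to validate the user.
Login incorrect: [nadine.bosshard/<no User-Password attribute>] (from client aptcsvo02 port 0 via TLS tunnel)
} # server inner-tunnel
++[eap] returns handled
rad_recv: Access-Request packet from host 10.119.12.2 port 1332, id=82, length=238
+- entering group authenticate
  rlm_eap_peap:  Had sent TLV failure.  User was rejected earlier in this session.
 rlm_eap: Handler failed in EAP/peap
++[eap] returns invalid
auth: Failed to validate the user.
Login incorrect: [nadine.bosshard/<via Auth-Type = EAP>] (from client aptcsvo02 port 1 cli 9803D861E85C)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"[{f.server}/{f.group}] {f.where}: {f.detail}")
        for h in f.hints:
            print("   ", h)
```

Run against the full -X output it points at the inner-tunnel password check as the first failure, with the "Not doing EAP" and Proxy-To-Realm warning lines as its context.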
