Need help: login incorrect with FR 2.2.1

Wang, Yu ywang10 at fsu.edu
Thu May 16 21:09:58 CEST 2013


Hello,

I upgraded FR from 2.1.10 to 2.2.1. Everything went well except that about 25% of our wireless users cannot authenticate after the upgrade. The backend authentication server is Active Directory and we use ntlm_auth from winbind to pass the MSCHAPv2 response from FR to AD. After upgrading FR, I also restarted winbindd, smbd, and nmbd. For the users who cannot authenticate, I found that resetting the password would resolve the issue. However, we have over 50,000 users. Our helpdesk would be overwhelmed helping 13k users change their password. So I had to roll back to 2.1.10, and the users I know who cannot authenticate with 2.2.1 were able to authenticate again with 2.1.10 without changing their password.

Here is radiusd -X for one user's failed authentication. On the AD Event Log it shows error 0xC000006A:

An incorrect password was supplied.

And on radius side, it shows Login incorrect (mschap_ad: External script says Logon failure (0xc000006d)).

What changes in the new code could affect mschap handling? Or what should I do to make 2.2.1 work without forcing users to reset their password?

Thanks for your help. If you need more information, please let me know and I'll post them.

Yu Wang
Network Architect
FSU

======================radiusd -X =====================================

rad_recv: Access-Request packet from host 192.168.255.233 port 32846, id=112, length=343
        User-Name = "myusername"
        NAS-IP-Address = 192.168.255.200
        NAS-IPv6-Address = ::1
        NAS-Port = 0
        NAS-Identifier = "192.168.255.233"
        NAS-Port-Type = Wireless-802.11
        Calling-Station-Id = "8C58779F3105"
        Called-Station-Id = "000B860E2A80"
        Service-Type = Login-User
        Framed-MTU = 1100
        EAP-Message = 0x020a006b190017030100608bfce27df6c312388e67d06a84921c88cbeb2729d13da08d98f6cd46cab227836f576e262c5543a0cfc8aaaac88dc02450477cac6b06a3c816ac01090b848190401617a0a19eb2b79a1e49fd687087b02918d5e588764ab0f07c03d9eecf9f80
        State = 0x5858357f50522cd58c1225ecc15d6edb
        Aruba-Essid-Name = "FSUSecure"
        Aruba-Location-Id = "wg-a105-4012-Rm.wlan.fsu.edu"
        Aruba-AP-Group = "wlan"
        Aruba-Device-Type = "iPhone"
        Message-Authenticator = 0x245bb0a5f3165db6d047fb13cfb41042
server virtual.dot1x_1814 {
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/virtual.dot1x_1814
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "myusername", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "myusername"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 10 length 107
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/virtual.dot1x_1814
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
        EAP-Message = 0x020a00411a020a003c31c8a5f4da7f3f5fee24c0f8c2a0ad12390000000000000000d1ec3781f44920bf27bd2445d0d4db58c2f199c141667c0100616d61313263
server virtual.dot1x_1814 {
[peap] Setting User-Name to myusername
Sending tunneled request
        EAP-Message = 0x020a00411a020a003c31c8a5f4da7f3f5fee24c0f8c2a0ad12390000000000000000d1ec3781f44920bf27bd2445d0d4db58c2f199c141667c0100616d61313263
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "myusername"
        State = 0x9e97c83a9e9dd2677d1fae1010f8f18d
server virtual.dot1x_1814_inner_tunnel {
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/virtual.dot1x_1814_inner_tunnel
+- entering group authorize {...}
++? if ((outer.request:EAP-Message) )
?? Evaluating (outer.request:EAP-Message) -> TRUE
++? if ((outer.request:EAP-Message) ) -> TRUE
++- entering if ((outer.request:EAP-Message) ) {...}
        expand: %{request:User-Name} -> myusername
+++[outer.request] returns notfound
        expand: %{request:User-Name} -> myusername
+++[reply] returns notfound
++- if ((outer.request:EAP-Message) ) returns notfound
++? if ("%{request:User-Name}" =~ /(^host\/)([A-Za-z0-9]+[A-Za-z0-9-]*)(\.fsu\.edu)*$/i)
        expand: %{request:User-Name} -> myusername
? Evaluating ("%{request:User-Name}" =~ /(^host\/)([A-Za-z0-9]+[A-Za-z0-9-]*)(\.fsu\.edu)*$/i) -> FALSE
++? if ("%{request:User-Name}" =~ /(^host\/)([A-Za-z0-9]+[A-Za-z0-9-]*)(\.fsu\.edu)*$/i) -> FALSE
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "myusername", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "myusername"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
++? if (( outer.request:EAP-Message) && Realm != "%{config:local.MY.realm}" )
?? Evaluating (outer.request:EAP-Message) -> TRUE
        expand: local.MY.realm -> local.MY.realm
WARNING: No such configuration item local.MY.realm
        expand: %{config:local.MY.realm} ->
? Evaluating (Realm != "%{config:local.MY.realm}" ) -> TRUE
++? if (( outer.request:EAP-Message) && Realm != "%{config:local.MY.realm}" ) -> TRUE
++- entering if (( outer.request:EAP-Message) && Realm != "%{config:local.MY.realm}" ) {...}
        expand: Realm is '%{Realm}' on Inside -> Realm is 'NULL' on Inside
+++[outer.reply] returns ok
++- if (( outer.request:EAP-Message) && Realm != "%{config:local.MY.realm}" ) returns ok
[eap] EAP packet type response id 10 length 65
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry DEFAULT at line 8
++[files] returns ok
++? if ("%{request:User-Name}" =~ /(^host\/)([A-Za-z0-9]+[A-Za-z0-9-]*)(\.fsu\.edu)*$/i)
        expand: %{request:User-Name} -> myusername
? Evaluating ("%{request:User-Name}" =~ /(^host\/)([A-Za-z0-9]+[A-Za-z0-9-]*)(\.fsu\.edu)*$/i) -> FALSE
++? if ("%{request:User-Name}" =~ /(^host\/)([A-Za-z0-9]+[A-Za-z0-9-]*)(\.fsu\.edu)*$/i) -> FALSE
++- entering else else {...}
[ldap-mds] performing user authorization for myusername
[ldap-mds] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
[ldap-mds]      expand: (&(uid=%{Stripped-User-Name:-%{User-Name}})(!(uid=lib-guest*))) -> (&(uid=myusername)(!(uid=lib-guest*)))
[ldap-mds]      expand: dc=fsu,dc=edu -> dc=fsu,dc=edu
  [ldap-mds] ldap_get_conn: Checking Id: 0
  [ldap-mds] ldap_get_conn: Got Id: 0
  [ldap-mds] performing search in dc=fsu,dc=edu, with filter (&(uid=myusername)(!(uid=lib-guest*)))
[ldap-mds] looking for check items in directory...
  [ldap-mds] ntPassword -> NT-Password == 0x4444333431333443313741333642433142444136383333324232323239443431
[ldap-mds] looking for reply items in directory...
  [ldap-mds] employeeStatus -> My-Local-employeeStatus = "Active"
  [ldap-mds] ldap_release_conn: Release Id: 0
+++[ldap-mds] returns ok
++- else else returns ok
rlm_perl: RAD_REQUEST: User-Name = myusername
rlm_perl: RAD_REQUEST: EAP-Message = 0x020a00411a020a003c31c8a5f4da7f3f5fee24c0f8c2a0ad12390000000000000000d1ec3781f44920bf27bd2445d0d4db58c2f199c141667c0100616d61313263
rlm_perl: RAD_REQUEST: Realm = NULL
rlm_perl: RAD_REQUEST: EAP-Type = MS-CHAP-V2
rlm_perl: RAD_REQUEST: Stripped-User-Name = myusername
rlm_perl: RAD_REQUEST: State = 0x9e97c83a9e9dd2677d1fae1010f8f18d
rlm_perl: RAD_REQUEST: FreeRADIUS-Proxied-To = 127.0.0.1
rlm_perl: Assign myusername to VLAN employee2b.
rlm_perl: Added pair User-Name = myusername
rlm_perl: Added pair EAP-Message = 0x020a00411a020a003c31c8a5f4da7f3f5fee24c0f8c2a0ad12390000000000000000d1ec3781f44920bf27bd2445d0d4db58c2f199c141667c0100616d61313263
rlm_perl: Added pair Realm = NULL
rlm_perl: Added pair EAP-Type = MS-CHAP-V2
rlm_perl: Added pair Stripped-User-Name = myusername
rlm_perl: Added pair State = 0x9e97c83a9e9dd2677d1fae1010f8f18d
rlm_perl: Added pair FreeRADIUS-Proxied-To = 127.0.0.1
rlm_perl: Added pair User-Name = myusername
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair Tunnel-Medium-Type = IEEE-802
rlm_perl: Added pair Tunnel-Type = VLAN
rlm_perl: Added pair My-Local-employeeStatus = Active
rlm_perl: Added pair Tunnel-Private-Group-Id = employee2b
rlm_perl: Added pair NT-Password = 0x4444333431333443313741333642433142444136383333324232323239443431
rlm_perl: Added pair Ldap-UserDn = uid=myusername,dc=users,dc=fsu,dc=edu
rlm_perl: Added pair Auth-Type = EAP
++[perl_dot1x] returns updated
        expand: %{Realm} -> NULL
++- entering switch %{Realm} {...}
+++- switch %{Realm} returns updated
++- group authorize returns updated
++[expiration] returns noop
++[logintime] returns noop
[pap] Normalizing NT-Password from hex encoding
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/virtual.dot1x_1814_inner_tunnel
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file /usr/local/etc/raddb/sites-enabled/virtual.dot1x_1814_inner_tunnel
[mschapv2] +- entering group MS-CHAP {...}
[mschap_ad] Found NT-Password
[mschap_ad] Creating challenge hash with username: myusername
[mschap_ad] Client is using MS-CHAPv2 for myusername, we need NT-Password
[mschap_ad] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
[mschap_ad]     expand: --username=%{Stripped-User-Name:-%{User-Name:-None}} -> --username=myusername
[mschap_ad] No NT-Domain was found in the User-Name.
[mschap_ad]     expand: %{mschap:NT-Domain} ->
[mschap_ad]     ... expanding second conditional
[mschap_ad]     expand: --domain=%{%{mschap:NT-Domain}:-FSU} -> --domain=FSU
[mschap_ad] Creating challenge hash with username: myusername
[mschap_ad]     expand: --challenge=%{mschap:Challenge:-00} -> --challenge=671fda289ab79035
[mschap_ad]     expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=d1ec3781f44920bf27bd2445d0d4db58c2f199c141667c01
Exec output: Logon failure (0xc000006d)
Exec plaintext: Logon failure (0xc000006d)
[mschap_ad] Exec: program returned: 1
[mschap_ad] External script failed.
[mschap_ad] FAILED: MS-CHAP2-Response is incorrect
++[mschap_ad] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
Login incorrect (mschap_ad: External script says Logon failure (0xc000006d)): [myusername] (from client aruba233 port 0 via TLS tunnel)
Using Post-Auth-Type REJECT
# Executing group from file /usr/local/etc/raddb/sites-enabled/virtual.dot1x_1814_inner_tunnel
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> myusername
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
} # server virtual.dot1x_1814_inner_tunnel
[peap] Got tunneled reply code 3
        EAP-Message = 0x040a0004
        Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code 3
        EAP-Message = 0x040a0004
        Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] returns handled
} # server virtual.dot1x_1814
Sending Access-Challenge of id 112 to 192.168.255.233 port 32846
        Reply-Message = "Realm is 'NULL' on Inside"
        EAP-Message = 0x010b002b19001703010020c717f8462edd4b081a4cab8c17a2a77939f2b7ed8f45477fa43ca7ae59cdded3
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x5858357f51532cd58c1225ecc15d6edb
Finished request 91419.
Going to the next request

========================================================================================
rad_recv: Access-Request packet from host 192.168.255.233 port 32846, id=185, length=343
        User-Name = "myusername"
        NAS-IP-Address = 192.168.255.200
        NAS-IPv6-Address = ::1
        NAS-Port = 0
        NAS-Identifier = "192.168.255.233"
        NAS-Port-Type = Wireless-802.11
        Calling-Station-Id = "8C58779F3105"
        Called-Station-Id = "000B860E2A80"
        Service-Type = Login-User
        Framed-MTU = 1100
        EAP-Message = 0x020a006b190017030100601fa8cfb41d8a736603cccfac039a1e796b70c551d0229a7054620a3569e504875e69eb4f348dc1db446dc778c0c797ce8df3680674d1cf083167c839473737483bbf4564cbca6a2ab0e045bdc7549f45664c3aca1497463410664e0ae91cee39
        State = 0xcbac7161c3a6687448dbbe7553b6baed
        Aruba-Essid-Name = "FSUSecure"
        Aruba-Location-Id = "wg-a105-4012-Rm.wlan.fsu.edu"
        Aruba-AP-Group = "wlan"
        Aruba-Device-Type = "iPhone"
        Message-Authenticator = 0x5eebfb60034622676aaa614c5dec1ec8
server virtual.dot1x_1814 {
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/virtual.dot1x_1814
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "myusername", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "myusername"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 10 length 107
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/virtual.dot1x_1814
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
        EAP-Message = 0x020a00411a020a003c3167b550c58cc6458a22569f9b3d545f240000000000000000b27cc6b8b53cd52cefd00805875b297ede8772635050987500616d61313263
server virtual.dot1x_1814 {
[peap] Setting User-Name to myusername
Sending tunneled request
        EAP-Message = 0x020a00411a020a003c3167b550c58cc6458a22569f9b3d545f240000000000000000b27cc6b8b53cd52cefd00805875b297ede8772635050987500616d61313263
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "myusername"
        State = 0xa7e44290a7ee58094f4ed0f3925b59a6
server virtual.dot1x_1814_inner_tunnel {
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/virtual.dot1x_1814_inner_tunnel
+- entering group authorize {...}
++? if ((outer.request:EAP-Message) )
?? Evaluating (outer.request:EAP-Message) -> TRUE
++? if ((outer.request:EAP-Message) ) -> TRUE
++- entering if ((outer.request:EAP-Message) ) {...}
        expand: %{request:User-Name} -> myusername
+++[outer.request] returns notfound
        expand: %{request:User-Name} -> myusername
+++[reply] returns notfound
++- if ((outer.request:EAP-Message) ) returns notfound
++? if ("%{request:User-Name}" =~ /(^host\/)([A-Za-z0-9]+[A-Za-z0-9-]*)(\.fsu\.edu)*$/i)
        expand: %{request:User-Name} -> myusername
? Evaluating ("%{request:User-Name}" =~ /(^host\/)([A-Za-z0-9]+[A-Za-z0-9-]*)(\.fsu\.edu)*$/i) -> FALSE
++? if ("%{request:User-Name}" =~ /(^host\/)([A-Za-z0-9]+[A-Za-z0-9-]*)(\.fsu\.edu)*$/i) -> FALSE
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "myusername", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "myusername"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
++? if (( outer.request:EAP-Message) && Realm != "%{config:local.MY.realm}" )
?? Evaluating (outer.request:EAP-Message) -> TRUE
        expand: local.MY.realm -> local.MY.realm
WARNING: No such configuration item local.MY.realm
        expand: %{config:local.MY.realm} ->
? Evaluating (Realm != "%{config:local.MY.realm}" ) -> TRUE
++? if (( outer.request:EAP-Message) && Realm != "%{config:local.MY.realm}" ) -> TRUE
++- entering if (( outer.request:EAP-Message) && Realm != "%{config:local.MY.realm}" ) {...}
        expand: Realm is '%{Realm}' on Inside -> Realm is 'NULL' on Inside
+++[outer.reply] returns ok
++- if (( outer.request:EAP-Message) && Realm != "%{config:local.MY.realm}" ) returns ok
[eap] EAP packet type response id 10 length 65
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry DEFAULT at line 8
++[files] returns ok
++? if ("%{request:User-Name}" =~ /(^host\/)([A-Za-z0-9]+[A-Za-z0-9-]*)(\.fsu\.edu)*$/i)
        expand: %{request:User-Name} -> myusername
? Evaluating ("%{request:User-Name}" =~ /(^host\/)([A-Za-z0-9]+[A-Za-z0-9-]*)(\.fsu\.edu)*$/i) -> FALSE
++? if ("%{request:User-Name}" =~ /(^host\/)([A-Za-z0-9]+[A-Za-z0-9-]*)(\.fsu\.edu)*$/i) -> FALSE
++- entering else else {...}
[ldap-mds] performing user authorization for myusername
[ldap-mds] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
[ldap-mds]      expand: (&(uid=%{Stripped-User-Name:-%{User-Name}})(!(uid=lib-guest*))) -> (&(uid=myusername)(!(uid=lib-guest*)))
[ldap-mds]      expand: dc=fsu,dc=edu -> dc=fsu,dc=edu
  [ldap-mds] ldap_get_conn: Checking Id: 0
  [ldap-mds] ldap_get_conn: Got Id: 0
  [ldap-mds] performing search in dc=fsu,dc=edu, with filter (&(uid=myusername)(!(uid=lib-guest*)))
[ldap-mds] looking for check items in directory...
  [ldap-mds] ntPassword -> NT-Password == 0x4444333431333443313741333642433142444136383333324232323239443431
[ldap-mds] looking for reply items in directory...
  [ldap-mds] employeeStatus -> My-Local-employeeStatus = "Active"
  [ldap-mds] ldap_release_conn: Release Id: 0
+++[ldap-mds] returns ok
++- else else returns ok
rlm_perl: RAD_REQUEST: User-Name = myusername
rlm_perl: RAD_REQUEST: EAP-Message = 0x020a00411a020a003c3167b550c58cc6458a22569f9b3d545f240000000000000000b27cc6b8b53cd52cefd00805875b297ede8772635050987500616d61313263
rlm_perl: RAD_REQUEST: Realm = NULL
rlm_perl: RAD_REQUEST: EAP-Type = MS-CHAP-V2
rlm_perl: RAD_REQUEST: Stripped-User-Name = myusername
rlm_perl: RAD_REQUEST: State = 0xa7e44290a7ee58094f4ed0f3925b59a6
rlm_perl: RAD_REQUEST: FreeRADIUS-Proxied-To = 127.0.0.1
rlm_perl: Assign myusername to VLAN employee2b.
rlm_perl: Added pair User-Name = myusername
rlm_perl: Added pair EAP-Message = 0x020a00411a020a003c3167b550c58cc6458a22569f9b3d545f240000000000000000b27cc6b8b53cd52cefd00805875b297ede8772635050987500616d61313263
rlm_perl: Added pair Realm = NULL
rlm_perl: Added pair EAP-Type = MS-CHAP-V2
rlm_perl: Added pair Stripped-User-Name = myusername
rlm_perl: Added pair State = 0xa7e44290a7ee58094f4ed0f3925b59a6
rlm_perl: Added pair FreeRADIUS-Proxied-To = 127.0.0.1
rlm_perl: Added pair User-Name = myusername
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair Tunnel-Medium-Type = IEEE-802
rlm_perl: Added pair Tunnel-Type = VLAN
rlm_perl: Added pair My-Local-employeeStatus = Active
rlm_perl: Added pair Tunnel-Private-Group-Id = employee2b
rlm_perl: Added pair NT-Password = 0x4444333431333443313741333642433142444136383333324232323239443431
rlm_perl: Added pair Ldap-UserDn = uid=myusername,dc=users,dc=fsu,dc=edu
rlm_perl: Added pair Auth-Type = EAP
++[perl_dot1x] returns updated
        expand: %{Realm} -> NULL
++- entering switch %{Realm} {...}
+++- switch %{Realm} returns updated
++- group authorize returns updated
++[expiration] returns noop
++[logintime] returns noop
[pap] Normalizing NT-Password from hex encoding
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/virtual.dot1x_1814_inner_tunnel
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file /usr/local/etc/raddb/sites-enabled/virtual.dot1x_1814_inner_tunnel
[mschapv2] +- entering group MS-CHAP {...}
[mschap_ad] Found NT-Password
[mschap_ad] Creating challenge hash with username: myusername
[mschap_ad] Client is using MS-CHAPv2 for myusername, we need NT-Password
[mschap_ad] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
[mschap_ad]     expand: --username=%{Stripped-User-Name:-%{User-Name:-None}} -> --username=myusername
[mschap_ad] No NT-Domain was found in the User-Name.
[mschap_ad]     expand: %{mschap:NT-Domain} ->
[mschap_ad]     ... expanding second conditional
[mschap_ad]     expand: --domain=%{%{mschap:NT-Domain}:-FSU} -> --domain=FSU
[mschap_ad] Creating challenge hash with username: myusername
[mschap_ad]     expand: --challenge=%{mschap:Challenge:-00} -> --challenge=c8b28e6460a5a132
[mschap_ad]     expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=b27cc6b8b53cd52cefd00805875b297ede87726350509875
Exec output: Logon failure (0xc000006d)
Exec plaintext: Logon failure (0xc000006d)
[mschap_ad] Exec: program returned: 1
[mschap_ad] External script failed.
[mschap_ad] FAILED: MS-CHAP2-Response is incorrect
++[mschap_ad] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
Login incorrect (mschap_ad: External script says Logon failure (0xc000006d)): [myusername] (from client aruba233 port 0 via TLS tunnel)
Using Post-Auth-Type REJECT
# Executing group from file /usr/local/etc/raddb/sites-enabled/virtual.dot1x_1814_inner_tunnel
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> myusername
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
} # server virtual.dot1x_1814_inner_tunnel
[peap] Got tunneled reply code 3
        EAP-Message = 0x040a0004
        Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code 3
        EAP-Message = 0x040a0004
        Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] returns handled
} # server virtual.dot1x_1814
Sending Access-Challenge of id 185 to 192.168.255.233 port 32846
        Reply-Message = "Realm is 'NULL' on Inside"
        EAP-Message = 0x010b002b19001703010020e64116a3874fb2f1731c248a0424a0ea316a859f4831ed7585f3ac3fe11ed5e1
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xcbac7161c2a7687448dbbe7553b6baed
Finished request 91531.
Going to the next request

====================end of radiusd -X =======================================
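As an added illustration (not part of the original post or of FreeRADIUS itself), the following decodes a tunneled EAP-MSCHAPv2 Response of the kind shown in the debug output above and derives the 8-byte challenge hash that rlm_mschap hands to ntlm_auth as --challenge=. The sample packet is constructed: it reuses the peer challenge and NT-Response visible in the first tunneled request, with the name "myusername" as redacted in the post; the authenticator (server) challenge does not appear in the log, so a placeholder is used.

```python
import hashlib
import struct
from dataclasses import dataclass

# EAP header (RFC 3748) followed by the MS-CHAPv2 Response packet (RFC 2759).
EAP_RESPONSE = 2
EAP_TYPE_MSCHAPV2 = 26
MSCHAPV2_RESPONSE = 2
VALUE_SIZE = 49  # 16 peer challenge + 8 reserved + 24 NT-Response + 1 flags


@dataclass
class MsChapV2Response:
    eap_id: int
    peer_challenge: bytes
    nt_response: bytes
    name: str


def parse_eap_mschapv2_response(data: bytes) -> MsChapV2Response:
    """Decode one tunneled EAP-Message as printed by radiusd -X."""
    code, eap_id, length, eap_type = struct.unpack("!BBHB", data[:5])
    if code != EAP_RESPONSE or eap_type != EAP_TYPE_MSCHAPV2 or length != len(data):
        raise ValueError("not an EAP Response of type MS-CHAPv2")
    opcode, ms_id, ms_len, value_size = struct.unpack("!BBHB", data[5:10])
    # MS-Length runs from OpCode to the end: EAP length minus the 5-byte EAP header.
    if (opcode, ms_id, ms_len, value_size) != (MSCHAPV2_RESPONSE, eap_id, length - 5, VALUE_SIZE):
        raise ValueError("not an MS-CHAPv2 Response")
    body = data[10:]
    peer_challenge, reserved = body[:16], body[16:24]
    nt_response, flags, name = body[24:48], body[48], body[49:]
    if reserved != bytes(8) or flags != 0:
        raise ValueError("reserved bytes and flags must be zero")
    return MsChapV2Response(eap_id, peer_challenge, nt_response, name.decode("ascii"))


def build_eap_mschapv2_response(eap_id, peer_challenge, nt_response, name):
    """Inverse of the parser; used here only to construct the sample packet."""
    value = peer_challenge + bytes(8) + nt_response + b"\x00" + name.encode("ascii")
    ms_len = 5 + len(value)
    return (struct.pack("!BBHB", EAP_RESPONSE, eap_id, 5 + ms_len, EAP_TYPE_MSCHAPV2)
            + struct.pack("!BBHB", MSCHAPV2_RESPONSE, eap_id, ms_len, VALUE_SIZE) + value)


def challenge_hash(peer_challenge, authenticator_challenge, username):
    """RFC 2759 s8.2 ChallengeHash: SHA1(PeerChallenge|AuthenticatorChallenge|UserName)[:8]."""
    return hashlib.sha1(peer_challenge + authenticator_challenge + username.encode("ascii")).digest()[:8]


# Constructed sample (see lead-in); SAMPLE_AUTH_CHALLENGE is a placeholder, not the real one.
SAMPLE_PEER_CHALLENGE = bytes.fromhex("c8a5f4da7f3f5fee24c0f8c2a0ad1239")
SAMPLE_NT_RESPONSE = bytes.fromhex("d1ec3781f44920bf27bd2445d0d4db58c2f199c141667c01")
SAMPLE_AUTH_CHALLENGE = bytes(range(16))
SAMPLE_PACKET = build_eap_mschapv2_response(10, SAMPLE_PEER_CHALLENGE, SAMPLE_NT_RESPONSE, "myusername")


def ntlm_auth_args(packet, authenticator_challenge, username=None):
    """The --challenge / --nt-response values rlm_mschap passes to ntlm_auth.

    `username` defaults to the name the client put in the Response packet, which is
    what the client hashed. Any other spelling (case, domain prefix) yields a different
    8-byte challenge, so the DC rejects a correct NT-Response as a wrong password.
    """
    r = parse_eap_mschapv2_response(packet)
    name = r.name if username is None else username
    return {"--challenge": challenge_hash(r.peer_challenge, authenticator_challenge, name).hex(),
            "--nt-response": r.nt_response.hex()}
```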