802.1x radius request reject.

sampath jayashantha esampathj at gmail.com
Wed Feb 12 08:11:04 CET 2014


Hi,

I have created a user and added a node to that user. But I'm getting the
Access-Reject packet below. :( Any clue?


rad_recv: Access-Request packet from host 192.168.13.45 port 1812, id=199,
length=152
        NAS-IP-Address = 192.168.13.45
        NAS-Port = 50004
        Cisco-NAS-Port = "FastEthernet0/4"
        NAS-Port-Type = Ethernet
        User-Name = "sampath"
        Called-Station-Id = "00-0A-B7-BC-5A-84"
        Calling-Station-Id = "78-45-C4-B5-AC-41"
        Service-Type = Framed-User
        Framed-MTU = 1500
        EAP-Message = 0x0200000c0173616d70617468
        Message-Authenticator = 0xe791fd6ef5be4d1bbc964ebf48dcdefa
server packetfence {
# Executing section authorize from file
/usr/local/pf/raddb/sites-enabled/packetfence
+- entering group authorize {...}
[suffix] No '@' in User-Name = "sampath", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[preprocess] returns ok
[eap] EAP packet type response id 0 length 12
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
rlm_perl: Added pair NAS-Port-Type = Ethernet
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair Calling-Station-Id = 78-45-C4-B5-AC-41
rlm_perl: Added pair Called-Station-Id = 00-0A-B7-BC-5A-84
rlm_perl: Added pair Cisco-NAS-Port = FastEthernet0/4
rlm_perl: Added pair Message-Authenticator =
0xe791fd6ef5be4d1bbc964ebf48dcdefa
rlm_perl: Added pair User-Name = sampath
rlm_perl: Added pair EAP-Message = 0x0200000c0173616d70617468
rlm_perl: Added pair EAP-Type = Identity
rlm_perl: Added pair NAS-IP-Address = 192.168.13.45
rlm_perl: Added pair NAS-Port = 50004
rlm_perl: Added pair Framed-MTU = 1500
rlm_perl: Added pair Auth-Type = EAP
++[packetfence] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/pf/raddb/sites-enabled/packetfence
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
} # server packetfence
Sending Access-Challenge of id 199 to 192.168.13.45 port 1812
        EAP-Message = 0x010100061920
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x3cbd15d33cbc0cb31e5b71f340264f3a
Finished request 54.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.13.45 port 1812, id=200,
length=279
        NAS-IP-Address = 192.168.13.45
        NAS-Port = 50004
        Cisco-NAS-Port = "FastEthernet0/4"
        NAS-Port-Type = Ethernet
        User-Name = "sampath"
        Called-Station-Id = "00-0A-B7-BC-5A-84"
        Calling-Station-Id = "78-45-C4-B5-AC-41"
        Service-Type = Framed-User
        Framed-MTU = 1500
        State = 0x3cbd15d33cbc0cb31e5b71f340264f3a
        EAP-Message =
0x0201007919800000006f160301006a01000066030152fb07ded3e51b3a9c9aa55b0ba6f46016c14e1644de4fbd07186f436a4f3b4e000018002f00
350005000ac013c014c009c00a003200380013000401000025ff010001000000000c000a00000773616d70617468000a0006000400170018000b00020100
        Message-Authenticator = 0x6aafb4e647c1076bc2b718e2181f6671
server packetfence {
# Executing section authorize from file
/usr/local/pf/raddb/sites-enabled/packetfence
+- entering group authorize {...}
[suffix] No '@' in User-Name = "sampath", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[preprocess] returns ok
[eap] EAP packet type response id 1 length 121
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/pf/raddb/sites-enabled/packetfence
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 111
[peap] Length Included
[peap] eaptls_verify returned 11
[peap]     (other): before/accept initialization
[peap]     TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 006a], ClientHello
[peap]     TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 0031], ServerHello
[peap]     TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 049b], Certificate
[peap]     TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap]     TLS_accept: SSLv3 write server done A
[peap]     TLS_accept: SSLv3 flush data
[peap]     TLS_accept: Need to read more data: SSLv3 read client
certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
} # server packetfence
Sending Access-Challenge of id 200 to 192.168.13.45 port 1812
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x3cbd15d33dbf0cb31e5b71f340264f3a
Finished request 55.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.13.45 port 1812, id=201,
length=164
        NAS-IP-Address = 192.168.13.45
        NAS-Port = 50004
        Cisco-NAS-Port = "FastEthernet0/4"
        NAS-Port-Type = Ethernet
        User-Name = "sampath"
        Called-Station-Id = "00-0A-B7-BC-5A-84"
        Calling-Station-Id = "78-45-C4-B5-AC-41"
        Service-Type = Framed-User
        Framed-MTU = 1500
        State = 0x3cbd15d33dbf0cb31e5b71f340264f3a
        EAP-Message = 0x020200061900
        Message-Authenticator = 0x353191b59561f9f1fe76fed6e28ef8a9
server packetfence {
# Executing section authorize from file
/usr/local/pf/raddb/sites-enabled/packetfence
+- entering group authorize {...}
[suffix] No '@' in User-Name = "sampath", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[preprocess] returns ok
[eap] EAP packet type response id 2 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/pf/raddb/sites-enabled/packetfence
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
} # server packetfence
Sending Access-Challenge of id 201 to 192.168.13.45 port 1812
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x3cbd15d33ebe0cb31e5b71f340264f3a
Finished request 56.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.13.45 port 1812, id=202,
length=496
        NAS-IP-Address = 192.168.13.45
        NAS-Port = 50004
        Cisco-NAS-Port = "FastEthernet0/4"
        NAS-Port-Type = Ethernet
        User-Name = "sampath"
        Called-Station-Id = "00-0A-B7-BC-5A-84"
        Calling-Station-Id = "78-45-C4-B5-AC-41"
        Service-Type = Framed-User
        Framed-MTU = 1500
        State = 0x3cbd15d33ebe0cb31e5b71f340264f3a
        Message-Authenticator = 0x69c90a78fea5c6b936dbe253ccf88a43
server packetfence {
# Executing section authorize from file
/usr/local/pf/raddb/sites-enabled/packetfence
+- entering group authorize {...}
[suffix] No '@' in User-Name = "sampath", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[preprocess] returns ok
[eap] EAP packet type response id 3 length 253
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/pf/raddb/sites-enabled/packetfence
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 326
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange
[peap]     TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap]     TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap]     TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap]     TLS_accept: SSLv3 write finished A
[peap]     TLS_accept: SSLv3 flush data
[peap]     (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
} # server packetfence
Sending Access-Challenge of id 202 to 192.168.13.45 port 1812
        EAP-Message =
0x01040041190014030100010116030100302d72e9da629993e710a01375e44f3ff6c496bc91aafe3b5efea86d1af805a7b9a01238efc53d2efc31a7
ff63472088bf
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x3cbd15d33fb90cb31e5b71f340264f3a
Finished request 57.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 192.168.13.45 port 1812, id=203,
length=164
        NAS-IP-Address = 192.168.13.45
        NAS-Port = 50004
        Cisco-NAS-Port = "FastEthernet0/4"
        NAS-Port-Type = Ethernet
        User-Name = "sampath"
        Called-Station-Id = "00-0A-B7-BC-5A-84"
        Calling-Station-Id = "78-45-C4-B5-AC-41"
        Service-Type = Framed-User
        Framed-MTU = 1500
        State = 0x3cbd15d33fb90cb31e5b71f340264f3a
        EAP-Message = 0x020400061900
        Message-Authenticator = 0x3c84ad083e4e9d0a8240786169b376cf
server packetfence {
# Executing section authorize from file
/usr/local/pf/raddb/sites-enabled/packetfence
+- entering group authorize {...}
[suffix] No '@' in User-Name = "sampath", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[preprocess] returns ok
[eap] EAP packet type response id 4 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/pf/raddb/sites-enabled/packetfence
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state TUNNEL ESTABLISHED
++[eap] returns handled
} # server packetfence
Sending Access-Challenge of id 203 to 192.168.13.45 port 1812
        EAP-Message =
0x0105002b19001703010020233ca5ac7fdbf4aee3541cb39f7899bb7e74ea734215947f14d822d238425e59
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x3cbd15d338b80cb31e5b71f340264f3a
Finished request 58.
Going to the next request
Waking up in 4.3 seconds.
rad_recv: Access-Request packet from host 192.168.13.45 port 1812, id=204,
length=201
        NAS-IP-Address = 192.168.13.45
        NAS-Port = 50004
        Cisco-NAS-Port = "FastEthernet0/4"
        NAS-Port-Type = Ethernet
        User-Name = "sampath"
        Called-Station-Id = "00-0A-B7-BC-5A-84"
        Calling-Station-Id = "78-45-C4-B5-AC-41"
        Service-Type = Framed-User
        Framed-MTU = 1500
        State = 0x3cbd15d338b80cb31e5b71f340264f3a
        EAP-Message =
0x0205002b19001703010020738e4cb80e9a4f1f0d240d62bd1cecdd81e2ceef1fcd8a736f92a620ab1e6827
        Message-Authenticator = 0x4d5068c89b9e99b0fcac71687069f264
server packetfence {
# Executing section authorize from file
/usr/local/pf/raddb/sites-enabled/packetfence
+- entering group authorize {...}
[suffix] No '@' in User-Name = "sampath", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[preprocess] returns ok
[eap] EAP packet type response id 5 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/pf/raddb/sites-enabled/packetfence
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state WAITING FOR INNER IDENTITY
[peap] Identity - sampath
[peap] Got inner identity 'sampath'
[peap] Setting default EAP type for tunneled EAP session.
[peap] Got tunneled request
        EAP-Message = 0x0205000c0173616d70617468
server packetfence {
[peap] Setting User-Name to sampath
Sending tunneled request
        EAP-Message = 0x0205000c0173616d70617468
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "sampath"
        NAS-IP-Address = 192.168.13.45
        NAS-Port = 50004
        Cisco-NAS-Port = "FastEthernet0/4"
        NAS-Port-Type = Ethernet
        Called-Station-Id = "00-0A-B7-BC-5A-84"
        Calling-Station-Id = "78-45-C4-B5-AC-41"
        Service-Type = Framed-User
        Framed-MTU = 1500
server packetfence-tunnel {
# Executing section authorize from file
/usr/local/pf/raddb/sites-enabled/packetfence-tunnel
+- entering group authorize {...}
[suffix] No '@' in User-Name = "sampath", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] No '\' in User-Name = "sampath", looking up realm NULL
[ntdomain] No such realm "NULL"
++[ntdomain] returns noop
[eap] EAP packet type response id 5 length 12
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = EAP
# Executing group from file
/usr/local/pf/raddb/sites-enabled/packetfence-tunnel
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server packetfence-tunnel
[peap] Got tunneled reply code 11
        EAP-Message =
0x010600211a0106001c103c9631cb9240941b8ff7cb26b01cdccd73616d70617468
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xb763a09fb765baae8b5ff4f7e1e703c3
[peap] Got tunneled reply RADIUS code 11
        EAP-Message =
0x010600211a0106001c103c9631cb9240941b8ff7cb26b01cdccd73616d70617468
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xb763a09fb765baae8b5ff4f7e1e703c3
[peap] Got tunneled Access-Challenge
++[eap] returns handled
} # server packetfence
Sending Access-Challenge of id 204 to 192.168.13.45 port 1812
        EAP-Message =
0x0106004b190017030100407ea62a6842f0b519ec0bf48a630b60f7e9f84151bee10b16cba686cd23951470367e059996c25fe5f9ab0312a3af8e05
222bd031372641bbc939adbacd345ea6
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x3cbd15d339bb0cb31e5b71f340264f3a
Finished request 59.
Going to the next request
Waking up in 3.0 seconds.
rad_recv: Access-Request packet from host 192.168.13.45 port 1812, id=205,
length=265
        NAS-IP-Address = 192.168.13.45
        NAS-Port = 50004
        Cisco-NAS-Port = "FastEthernet0/4"
        NAS-Port-Type = Ethernet
        User-Name = "sampath"
        Called-Station-Id = "00-0A-B7-BC-5A-84"
        Calling-Station-Id = "78-45-C4-B5-AC-41"
        Service-Type = Framed-User
        Framed-MTU = 1500
        State = 0x3cbd15d339bb0cb31e5b71f340264f3a
        EAP-Message =
0x0206006b190017030100605c575006ef74492c6d35cf856541302dd4f1fb1272c048206638ab77315df28a5585a4cbd8fe6b9accf1e03d27ac3c2c
64d8052b1d08f12dcc61829dbddd05acb0dff7a2427b7fb0f096fe68defb30cecd74a4b9321c185184166c83c77f60a7
        Message-Authenticator = 0xdaa88d9bc6343059a93a80ca449d11ae
server packetfence {
# Executing section authorize from file
/usr/local/pf/raddb/sites-enabled/packetfence
+- entering group authorize {...}
[suffix] No '@' in User-Name = "sampath", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[preprocess] returns ok
[eap] EAP packet type response id 6 length 107
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/pf/raddb/sites-enabled/packetfence
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
        EAP-Message =
0x020600421a0206003d31e3766c4f25bb1e54194b8e8fc97544ed0000000000000000fead0628b2da8557a51d90b546624ef9f4ee5e1bdf2eec4400
73616d70617468
server packetfence {
[peap] Setting User-Name to sampath
Sending tunneled request
        EAP-Message =
0x020600421a0206003d31e3766c4f25bb1e54194b8e8fc97544ed0000000000000000fead0628b2da8557a51d90b546624ef9f4ee5e1bdf2eec4400
73616d70617468
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "sampath"
        State = 0xb763a09fb765baae8b5ff4f7e1e703c3
        NAS-IP-Address = 192.168.13.45
        NAS-Port = 50004
        Cisco-NAS-Port = "FastEthernet0/4"
        NAS-Port-Type = Ethernet
        Called-Station-Id = "00-0A-B7-BC-5A-84"
        Calling-Station-Id = "78-45-C4-B5-AC-41"
        Service-Type = Framed-User
        Framed-MTU = 1500
server packetfence-tunnel {
# Executing section authorize from file
/usr/local/pf/raddb/sites-enabled/packetfence-tunnel
+- entering group authorize {...}
[suffix] No '@' in User-Name = "sampath", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] No '\' in User-Name = "sampath", looking up realm NULL
[ntdomain] No such realm "NULL"
++[ntdomain] returns noop
[eap] EAP packet type response id 6 length 66
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = EAP
# Executing group from file
/usr/local/pf/raddb/sites-enabled/packetfence-tunnel
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file
/usr/local/pf/raddb/sites-enabled/packetfence-tunnel
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Creating challenge hash with username: sampath
[mschap] Client is using MS-CHAPv2 for sampath, we need NT-Password
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
Login incorrect: [sampath] (from client 192.168.13.45 port 50004 cli
78-45-C4-B5-AC-41 via TLS tunnel)
} # server packetfence-tunnel
[peap] Got tunneled reply code 3
        MS-CHAP-Error = "\006E=691 R=1"
        EAP-Message = 0x04060004
        Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code 3
        MS-CHAP-Error = "\006E=691 R=1"
        EAP-Message = 0x04060004
        Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] returns handled
} # server packetfence
Sending Access-Challenge of id 205 to 192.168.13.45 port 1812
        EAP-Message =
0x0107002b190017030100204facc5d6c6a20c7d1d8da40959527f726dbb84e495fd0ebc71ea913fc79b2b12
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x3cbd15d33aba0cb31e5b71f340264f3a
Finished request 60.
Going to the next request
Waking up in 2.2 seconds.
rad_recv: Access-Request packet from host 192.168.13.45 port 1812, id=206,
length=201
        NAS-IP-Address = 192.168.13.45
        NAS-Port = 50004
        Cisco-NAS-Port = "FastEthernet0/4"
        NAS-Port-Type = Ethernet
        User-Name = "sampath"
        Called-Station-Id = "00-0A-B7-BC-5A-84"
        Calling-Station-Id = "78-45-C4-B5-AC-41"
        Service-Type = Framed-User
        Framed-MTU = 1500
        State = 0x3cbd15d33aba0cb31e5b71f340264f3a
        EAP-Message =
0x0207002b19001703010020e803f872cda2fc4834ed5079ccedbc963ca3580ad74aada3ce4f6ef81e932f3a
        Message-Authenticator = 0x2b593816dc1b145744204630a7a77fee
server packetfence {
# Executing section authorize from file
/usr/local/pf/raddb/sites-enabled/packetfence
+- entering group authorize {...}
[suffix] No '@' in User-Name = "sampath", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[preprocess] returns ok
[eap] EAP packet type response id 7 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/pf/raddb/sites-enabled/packetfence
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state send tlv failure
[peap] Received EAP-TLV response.
[peap]  The users session was previously rejected: returning reject (again.)
[peap]  *** This means you need to read the PREVIOUS messages in the debug
output
[peap]  *** to find out the reason why the user was rejected.
[peap]  *** Look for "reject" or "fail".  Those earlier messages will tell
you.
[peap]  *** what went wrong, and how to fix the problem.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect: [sampath] (from client 192.168.13.45 port 50004 cli
78-45-C4-B5-AC-41)
} # server packetfence
Using Post-Auth-Type REJECT
# Executing group from file /usr/local/pf/raddb/sites-enabled/packetfence
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> sampath
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 61 for 1 seconds
Going to the next request
Waking up in 0.4 seconds.
Cleaning up request 54 ID 199 with timestamp +2742
Cleaning up request 55 ID 200 with timestamp +2742
Cleaning up request 56 ID 201 with timestamp +2742
Cleaning up request 57 ID 202 with timestamp +2742
Waking up in 0.4 seconds.
Sending delayed reject for request 61
Sending Access-Reject of id 206 to 192.168.13.45 port 1812
        EAP-Message = 0x04070004
        Message-Authenticator = 0x00000000000000000000000000000000
Cleaning up request 58 ID 203 with timestamp +2743
Waking up in 1.2 seconds.
Cleaning up request 59 ID 204 with timestamp +2744
Waking up in 0.8 seconds.
Cleaning up request 60 ID 205 with timestamp +2745
Waking up in 2.7 seconds.
Cleaning up request 61 ID 206 with timestamp +2747
Ready to process requests.


Regards,
Sampath Jayashantha
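
The debug output above advises reading back to the first "reject" or "fail" to find why the user was rejected. The following Python sketch is an added example, not part of the original post and not FreeRADIUS or PacketFence code; it automates that triage on an excerpt of the log. The function names `first_reject` and `mschap_error` are hypothetical, and the error-code names are the ones RFC 2759 defines for the MS-CHAPv2 Failure packet.

```python
import re

# Excerpt of the `radiusd -X` output posted above (lines copied from the log,
# TLS handshake and attribute dumps left out).
SAMPLE_DEBUG = r"""
server packetfence {
++[suffix] returns noop
++[eap] returns ok
[peap] Peap state phase2
[peap] EAP type mschapv2
server packetfence {
[peap] Setting User-Name to sampath
server packetfence-tunnel {
++[eap] returns updated
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Creating challenge hash with username: sampath
[mschap] Client is using MS-CHAPv2 for sampath, we need NT-Password
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
} # server packetfence-tunnel
[peap] Got tunneled reply code 3
        MS-CHAP-Error = "\006E=691 R=1"
[peap] Tunneled authentication was rejected.
++[eap] returns handled
} # server packetfence
"""

SERVER_OPEN = re.compile(r"^server ([\w-]+) \{$")
SERVER_CLOSE = re.compile(r"^\} # server ([\w-]+)$")
MODULE_RESULT = re.compile(r"^\++\[([\w.]+)\] returns (\w+)$")
MODULE_MSG = re.compile(r"^\[([\w.]+)\]\s+(.*)$")
REASON = re.compile(r"FAILED|configured")
MSCHAP_ERROR = re.compile(r'MS-CHAP-Error = ".*?E=(\d+) R=([01])')

# Failure codes defined for the MS-CHAPv2 Failure packet in RFC 2759.
MSCHAP_CODES = {
    646: "ERROR_RESTRICTED_LOGON_HOURS",
    647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED",
    649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE",
    709: "ERROR_CHANGING_PASSWORD",
}


def first_reject(debug_text):
    """Return the first module that returned reject, the virtual server it
    ran in, and the failure messages it logged just before; None if absent."""
    servers = []    # stack of open "server NAME {" blocks
    messages = {}   # module -> messages logged since its last result line
    for raw in debug_text.splitlines():
        line = raw.strip()
        if m := SERVER_OPEN.match(line):
            servers.append(m[1])
        elif m := SERVER_CLOSE.match(line):
            # The log can open the same server twice; close back to the first.
            if m[1] in servers:
                del servers[servers.index(m[1]):]
        elif m := MODULE_RESULT.match(line):
            logged = messages.pop(m[1], [])
            if m[2] == "reject":
                return {
                    "module": m[1],
                    "server": servers[-1] if servers else None,
                    "reasons": [msg for msg in logged if REASON.search(msg)],
                }
        elif m := MODULE_MSG.match(line):
            messages.setdefault(m[1], []).append(m[2])
    return None


def mschap_error(debug_text):
    """Decode the first MS-CHAP-Error attribute: (code, name, retry_allowed)."""
    m = MSCHAP_ERROR.search(debug_text)
    if not m:
        return None
    code = int(m[1])
    return code, MSCHAP_CODES.get(code, "unknown"), m[2] == "1"
```
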