MSCHAP Machine/User Authentication with Windows
Tynan Young
tynany at gmail.com
Mon May 11 09:18:06 CEST 2015
Hi,
I've searched high and low for answers/a solution on this and haven't
had much luck, so I'm hoping someone on this list might be able to
help.
I have a near default freeradius3 setup using NTLM to authenticate our
PEAP MSCHAP wireless clients. Non-windows machines work fine (mac,
phones etc), but I'm having difficulty getting Windows 7/8
authenticated using machine authentication or user authentication.
Essentially I'm seeing the below error:
Auth: Invalid user: [DOMAIN\\user]
or
Auth: Invalid user: [host\\MACHINE-NAME]
Successful authentications (from a mac) look like this:
Auth: Login OK: [user]
Running "ntlm_auth --request-nt-key --username=domain\\user" returns
NT_STATUS_OK
The only real configuration changes I've made are in the mschap mod,
having tried both of the following:
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-TESTDOMAIN} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
Below is a debug of a windows 8 wireless client attempting to
authenticate. First it tries machine authentication, then it tries
user authentication.
Any help would be greatly appreciated.
Cheers
Ready to process requests.
Received Access-Request Id 211 from 172.17.6.253:32985 to
192.168.254.181:1812 length 240
User-Name = 'host/win81-ops.in.testdomain'
NAS-IP-Address = 172.17.6.253
NAS-Port = 0
NAS-Identifier = 'wirelesscontroller'
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = '5C514FFA8C73'
Called-Station-Id = '000B869A9037'
Service-Type = Framed-User
Framed-MTU = 1100
EAP-Message = 0x0201002001686f73742f77696e38312d6f70732e696e2e667265736876696577
Aruba-Essid-Name = 'bandit'
Aruba-Location-Id = 'ap1'
Aruba-AP-Group = 'syd'
Aruba-Device-Type = 'Windows'
Message-Authenticator = 0xb1632e4c77e27f16f9cdd51c91aa5ee9
(0) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(0) authorize {
(0) filter_username filter_username {
(0) if (User-Name != "%{tolower:%{User-Name}}")
(0) EXPAND %{tolower:%{User-Name}}
(0) --> host/win81-ops.in.testdomain
(0) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(0) if (User-Name =~ / /)
(0) if (User-Name =~ / /) -> FALSE
(0) if (User-Name =~ /@.*@/ )
(0) if (User-Name =~ /@.*@/ ) -> FALSE
(0) if (User-Name =~ /\\.\\./ )
(0) if (User-Name =~ /\\.\\./ ) -> FALSE
(0) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
(0) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE
(0) if (User-Name =~ /\\.$/)
(0) if (User-Name =~ /\\.$/) -> FALSE
(0) if (User-Name =~ /@\\./)
(0) if (User-Name =~ /@\\./) -> FALSE
(0) } # filter_username filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix : No '@' in User-Name = "host/win81-ops.in.testdomain",
looking up realm NULL
(0) suffix : No such realm "NULL"
(0) [suffix] = noop
(0) eap : EAP packet type response id 1 length 32
(0) eap : EAP-Identity reply, returning 'ok' so we can short-circuit
the rest of authorize
(0) [eap] = ok
(0) } # authorize = ok
(0) Found Auth-Type = EAP
(0) # Executing group from file /etc/freeradius/sites-enabled/default
(0) authenticate {
(0) eap : Peer sent Identity (1)
(0) eap : Calling eap_peap to process EAP data
(0) eap_peap : Flushing SSL sessions (of #0)
(0) eap_peap : Initiate
(0) eap_peap : Start returned 1
(0) eap : New EAP session, adding 'State' attribute to reply 0xaf7aab12af78b29f
(0) [eap] = handled
(0) } # authenticate = handled
Sending Access-Challenge Id 211 from 192.168.254.181:1812 to 172.17.6.253:32985
EAP-Message = 0x010200061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xaf7aab12af78b29f91f28722b6106031
(0) Finished request
Waking up in 0.3 seconds.
Received Access-Request Id 203 from 172.17.6.253:32985 to
192.168.254.181:1812 length 344
User-Name = 'host/win81-ops.in.testdomain'
NAS-IP-Address = 172.17.6.253
NAS-Port = 0
NAS-Identifier = 'wirelesscontroller'
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = '5C514FFA8C73'
Called-Station-Id = '000B869A9037'
Service-Type = Framed-User
Framed-MTU = 1100
EAP-Message = 0x0202007619800000006c16030100670100006303015550523bf4af127e5fe0dfcfc8c5a896e7cfc31a2a7746ab87d162af997a04a5000018c014c0130035002fc00ac00900380032000a00130005000401000022ff01000100000500050100000000000a0006000400170018000b0002010000230000
State = 0xaf7aab12af78b29f91f28722b6106031
Aruba-Essid-Name = 'bandit'
Aruba-Location-Id = 'ap1'
Aruba-AP-Group = 'syd'
Aruba-Device-Type = 'Windows'
Message-Authenticator = 0xa9f4a8b97958f630a9984c92c0fcc7bd
(1) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(1) authorize {
(1) filter_username filter_username {
(1) if (User-Name != "%{tolower:%{User-Name}}")
(1) EXPAND %{tolower:%{User-Name}}
(1) --> host/win81-ops.in.testdomain
(1) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(1) if (User-Name =~ / /)
(1) if (User-Name =~ / /) -> FALSE
(1) if (User-Name =~ /@.*@/ )
(1) if (User-Name =~ /@.*@/ ) -> FALSE
(1) if (User-Name =~ /\\.\\./ )
(1) if (User-Name =~ /\\.\\./ ) -> FALSE
(1) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
(1) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE
(1) if (User-Name =~ /\\.$/)
(1) if (User-Name =~ /\\.$/) -> FALSE
(1) if (User-Name =~ /@\\./)
(1) if (User-Name =~ /@\\./) -> FALSE
(1) } # filter_username filter_username = notfound
(1) [preprocess] = ok
(1) [chap] = noop
(1) [mschap] = noop
(1) [digest] = noop
(1) suffix : No '@' in User-Name = "host/win81-ops.in.testdomain",
looking up realm NULL
(1) suffix : No such realm "NULL"
(1) [suffix] = noop
(1) eap : EAP packet type response id 2 length 118
(1) eap : Continuing tunnel setup.
(1) [eap] = ok
(1) } # authorize = ok
(1) Found Auth-Type = EAP
(1) # Executing group from file /etc/freeradius/sites-enabled/default
(1) authenticate {
(1) eap : Expiring EAP session with state 0xaf7aab12af78b29f
(1) eap : Finished EAP session with state 0xaf7aab12af78b29f
(1) eap : Previous EAP request found for state 0xaf7aab12af78b29f,
released from the list
(1) eap : Peer sent PEAP (25)
(1) eap : EAP PEAP (25)
(1) eap : Calling eap_peap to process EAP data
(1) eap_peap : processing EAP-TLS
TLS Length 108
(1) eap_peap : Length Included
(1) eap_peap : eaptls_verify returned 11
(1) eap_peap : (other): before/accept initialization
(1) eap_peap : TLS_accept: before/accept initialization
(1) eap_peap : <<< TLS 1.0 Handshake [length 0067], ClientHello
(1) eap_peap : TLS_accept: SSLv3 read client hello A
(1) eap_peap : >>> TLS 1.0 Handshake [length 0059], ServerHello
(1) eap_peap : TLS_accept: SSLv3 write server hello A
(1) eap_peap : >>> TLS 1.0 Handshake [length 0c61], Certificate
(1) eap_peap : TLS_accept: SSLv3 write certificate A
(1) eap_peap : >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange
(1) eap_peap : TLS_accept: SSLv3 write key exchange A
(1) eap_peap : >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
(1) eap_peap : TLS_accept: SSLv3 write server done A
(1) eap_peap : TLS_accept: SSLv3 flush data
(1) eap_peap : TLS_accept: Need to read more data: SSLv3 read
client certificate A
In SSL Handshake Phase
In SSL Accept mode
(1) eap_peap : eaptls_process returned 13
(1) eap_peap : FR_TLS_HANDLED
(1) eap : New EAP session, adding 'State' attribute to reply 0xaf7aab12ae79b29f
(1) [eap] = handled
(1) } # authenticate = handled
Sending Access-Challenge Id 203 from 192.168.254.181:1812 to 172.17.6.253:32985
EAP-Message = 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
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xaf7aab12ae79b29f91f28722b6106031
(1) Finished request
Waking up in 0.3 seconds.
Received Access-Request Id 213 from 172.17.6.253:32985 to
192.168.254.181:1812 length 232
User-Name = 'host/win81-ops.in.testdomain'
NAS-IP-Address = 172.17.6.253
NAS-Port = 0
NAS-Identifier = 'wirelesscontroller'
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = '5C514FFA8C73'
Called-Station-Id = '000B869A9037'
Service-Type = Framed-User
Framed-MTU = 1100
EAP-Message = 0x020300061900
State = 0xaf7aab12ae79b29f91f28722b6106031
Aruba-Essid-Name = 'bandit'
Aruba-Location-Id = 'ap1'
Aruba-AP-Group = 'syd'
Aruba-Device-Type = 'Windows'
Message-Authenticator = 0x78dd3eaf48cf6c7dbaa005633cb99020
(2) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(2) authorize {
(2) filter_username filter_username {
(2) if (User-Name != "%{tolower:%{User-Name}}")
(2) EXPAND %{tolower:%{User-Name}}
(2) --> host/win81-ops.in.testdomain
(2) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(2) if (User-Name =~ / /)
(2) if (User-Name =~ / /) -> FALSE
(2) if (User-Name =~ /@.*@/ )
(2) if (User-Name =~ /@.*@/ ) -> FALSE
(2) if (User-Name =~ /\\.\\./ )
(2) if (User-Name =~ /\\.\\./ ) -> FALSE
(2) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
(2) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE
(2) if (User-Name =~ /\\.$/)
(2) if (User-Name =~ /\\.$/) -> FALSE
(2) if (User-Name =~ /@\\./)
(2) if (User-Name =~ /@\\./) -> FALSE
(2) } # filter_username filter_username = notfound
(2) [preprocess] = ok
(2) [chap] = noop
(2) [mschap] = noop
(2) [digest] = noop
(2) suffix : No '@' in User-Name = "host/win81-ops.in.testdomain",
looking up realm NULL
(2) suffix : No such realm "NULL"
(2) [suffix] = noop
(2) eap : EAP packet type response id 3 length 6
(2) eap : Continuing tunnel setup.
(2) [eap] = ok
(2) } # authorize = ok
(2) Found Auth-Type = EAP
(2) # Executing group from file /etc/freeradius/sites-enabled/default
(2) authenticate {
(2) eap : Expiring EAP session with state 0xaf7aab12ae79b29f
(2) eap : Finished EAP session with state 0xaf7aab12ae79b29f
(2) eap : Previous EAP request found for state 0xaf7aab12ae79b29f,
released from the list
(2) eap : Peer sent PEAP (25)
(2) eap : EAP PEAP (25)
(2) eap : Calling eap_peap to process EAP data
(2) eap_peap : processing EAP-TLS
(2) eap_peap : Received TLS ACK
(2) eap_peap : Received TLS ACK
(2) eap_peap : ACK handshake fragment handler
(2) eap_peap : eaptls_verify returned 1
(2) eap_peap : eaptls_process returned 13
(2) eap_peap : FR_TLS_HANDLED
(2) eap : New EAP session, adding 'State' attribute to reply 0xaf7aab12ad7eb29f
(2) [eap] = handled
(2) } # authenticate = handled
Sending Access-Challenge Id 213 from 192.168.254.181:1812 to 172.17.6.253:32985
EAP-Message = 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
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xaf7aab12ad7eb29f91f28722b6106031
(2) Finished request
Waking up in 0.3 seconds.
Received Access-Request Id 212 from 172.17.6.253:32985 to
192.168.254.181:1812 length 232
User-Name = 'host/win81-ops.in.testdomain'
NAS-IP-Address = 172.17.6.253
NAS-Port = 0
NAS-Identifier = 'wirelesscontroller'
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = '5C514FFA8C73'
Called-Station-Id = '000B869A9037'
Service-Type = Framed-User
Framed-MTU = 1100
EAP-Message = 0x020400061900
State = 0xaf7aab12ad7eb29f91f28722b6106031
Aruba-Essid-Name = 'bandit'
Aruba-Location-Id = 'ap1'
Aruba-AP-Group = 'syd'
Aruba-Device-Type = 'Windows'
Message-Authenticator = 0x318c68ac9fd3cec956e3ad0fe6630868
(3) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(3) authorize {
(3) filter_username filter_username {
(3) if (User-Name != "%{tolower:%{User-Name}}")
(3) EXPAND %{tolower:%{User-Name}}
(3) --> host/win81-ops.in.testdomain
(3) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(3) if (User-Name =~ / /)
(3) if (User-Name =~ / /) -> FALSE
(3) if (User-Name =~ /@.*@/ )
(3) if (User-Name =~ /@.*@/ ) -> FALSE
(3) if (User-Name =~ /\\.\\./ )
(3) if (User-Name =~ /\\.\\./ ) -> FALSE
(3) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
(3) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE
(3) if (User-Name =~ /\\.$/)
(3) if (User-Name =~ /\\.$/) -> FALSE
(3) if (User-Name =~ /@\\./)
(3) if (User-Name =~ /@\\./) -> FALSE
(3) } # filter_username filter_username = notfound
(3) [preprocess] = ok
(3) [chap] = noop
(3) [mschap] = noop
(3) [digest] = noop
(3) suffix : No '@' in User-Name = "host/win81-ops.in.testdomain",
looking up realm NULL
(3) suffix : No such realm "NULL"
(3) [suffix] = noop
(3) eap : EAP packet type response id 4 length 6
(3) eap : Continuing tunnel setup.
(3) [eap] = ok
(3) } # authorize = ok
(3) Found Auth-Type = EAP
(3) # Executing group from file /etc/freeradius/sites-enabled/default
(3) authenticate {
(3) eap : Expiring EAP session with state 0xaf7aab12ad7eb29f
(3) eap : Finished EAP session with state 0xaf7aab12ad7eb29f
(3) eap : Previous EAP request found for state 0xaf7aab12ad7eb29f,
released from the list
(3) eap : Peer sent PEAP (25)
(3) eap : EAP PEAP (25)
(3) eap : Calling eap_peap to process EAP data
(3) eap_peap : processing EAP-TLS
(3) eap_peap : Received TLS ACK
(3) eap_peap : Received TLS ACK
(3) eap_peap : ACK handshake fragment handler
(3) eap_peap : eaptls_verify returned 1
(3) eap_peap : eaptls_process returned 13
(3) eap_peap : FR_TLS_HANDLED
(3) eap : New EAP session, adding 'State' attribute to reply 0xaf7aab12ac7fb29f
(3) [eap] = handled
(3) } # authenticate = handled
Sending Access-Challenge Id 212 from 192.168.254.181:1812 to 172.17.6.253:32985
EAP-Message = 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
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xaf7aab12ac7fb29f91f28722b6106031
(3) Finished request
Waking up in 0.3 seconds.
Received Access-Request Id 215 from 172.17.6.253:32985 to
192.168.254.181:1812 length 232
User-Name = 'host/win81-ops.in.testdomain'
NAS-IP-Address = 172.17.6.253
NAS-Port = 0
NAS-Identifier = 'wirelesscontroller'
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = '5C514FFA8C73'
Called-Station-Id = '000B869A9037'
Service-Type = Framed-User
Framed-MTU = 1100
EAP-Message = 0x020500061900
State = 0xaf7aab12ac7fb29f91f28722b6106031
Aruba-Essid-Name = 'bandit'
Aruba-Location-Id = 'ap1'
Aruba-AP-Group = 'syd'
Aruba-Device-Type = 'Windows'
Message-Authenticator = 0xa1f200dd5a90136447ce1b37b4b067f6
(4) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(4) authorize {
(4) filter_username filter_username {
(4) if (User-Name != "%{tolower:%{User-Name}}")
(4) EXPAND %{tolower:%{User-Name}}
(4) --> host/win81-ops.in.testdomain
(4) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(4) if (User-Name =~ / /)
(4) if (User-Name =~ / /) -> FALSE
(4) if (User-Name =~ /@.*@/ )
(4) if (User-Name =~ /@.*@/ ) -> FALSE
(4) if (User-Name =~ /\\.\\./ )
(4) if (User-Name =~ /\\.\\./ ) -> FALSE
(4) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
(4) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE
(4) if (User-Name =~ /\\.$/)
(4) if (User-Name =~ /\\.$/) -> FALSE
(4) if (User-Name =~ /@\\./)
(4) if (User-Name =~ /@\\./) -> FALSE
(4) } # filter_username filter_username = notfound
(4) [preprocess] = ok
(4) [chap] = noop
(4) [mschap] = noop
(4) [digest] = noop
(4) suffix : No '@' in User-Name = "host/win81-ops.in.testdomain",
looking up realm NULL
(4) suffix : No such realm "NULL"
(4) [suffix] = noop
(4) eap : EAP packet type response id 5 length 6
(4) eap : Continuing tunnel setup.
(4) [eap] = ok
(4) } # authorize = ok
(4) Found Auth-Type = EAP
(4) # Executing group from file /etc/freeradius/sites-enabled/default
(4) authenticate {
(4) eap : Expiring EAP session with state 0xaf7aab12ac7fb29f
(4) eap : Finished EAP session with state 0xaf7aab12ac7fb29f
(4) eap : Previous EAP request found for state 0xaf7aab12ac7fb29f,
released from the list
(4) eap : Peer sent PEAP (25)
(4) eap : EAP PEAP (25)
(4) eap : Calling eap_peap to process EAP data
(4) eap_peap : processing EAP-TLS
(4) eap_peap : Received TLS ACK
(4) eap_peap : Received TLS ACK
(4) eap_peap : ACK handshake fragment handler
(4) eap_peap : eaptls_verify returned 1
(4) eap_peap : eaptls_process returned 13
(4) eap_peap : FR_TLS_HANDLED
(4) eap : New EAP session, adding 'State' attribute to reply 0xaf7aab12ab7cb29f
(4) [eap] = handled
(4) } # authenticate = handled
Sending Access-Challenge Id 215 from 192.168.254.181:1812 to 172.17.6.253:32985
EAP-Message = 0x0106027d19003a0603551d1f04333031302fa02da02b8629687474703a2f2f63726c2e67656f74727573742e636f6d2f63726c732f73656375726563612e63726c304e0603551d200447304530430604551d2000303b303906082b06010505070201162d68747470733a2f2f7777772e67656f74727573742e636f6d2f7265736f75726365732f7265706f7369746f7279300d06092a864886f70d01010505000381810076e1126e4e4b1612863006b28108cff008c7c7717e66eec2edd43b1ffff0f0c84ed64338b0b9307d18d05583a26acb36119ce84866a36d7fb813d447fe8b5a5c73fcaed91b321938ab973414aa96d2eba31c140849b6bbe591ef8336eb1d566fcadabc736390e47f7b3e22cb3d07ed5f38749ce303504ea1af98ee61f2843f12160301014b0c0001470300174104897a41b10d790abe7d33a7bae7191df884039b23026439f474763fa6cb936641097d6e73ce79a5d3ee3b2dfa1b6742cbcfb4d94a2af4c9fb6f756ba052b43beb01009562f546db63c6a53f98650f9c9d234c62b3baccfd8e26d7b9d6c78e6e3a07a30382f753afb96cb8ec266b728877907a1c97f6c7948f7e9fa2ef2b571fbeb92748fee46d52b20070b28559f1f20027269f02be9d63f5756b166ceaa06afa8c13fcd38c8a4133c0288c9ed1fa2aa55e92d8a3cf16fa192847ce5bbb08ab2fdad640d11
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xaf7aab12ab7cb29f91f28722b6106031
(4) Finished request
Waking up in 0.3 seconds.
Received Access-Request Id 216 from 172.17.6.253:32985 to
192.168.254.181:1812 length 370
User-Name = 'host/win81-ops.in.testdomain'
NAS-IP-Address = 172.17.6.253
NAS-Port = 0
NAS-Identifier = 'wirelesscontroller'
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = '5C514FFA8C73'
Called-Station-Id = '000B869A9037'
Service-Type = Framed-User
Framed-MTU = 1100
EAP-Message = 0x020600901980000000861603010046100000424104d85d873dea9326b04b69add1a56edb8644246c919b8f460725f22d19b7bfbf30fe22e7d993c960b2ffeebbd155bb316e63ba7796287a737a52d0367b3ab5eb5614030100010116030100306bf7326dd2963bc5094534034ea75caccf46011de517912c4d0c91d510ef3644496711ac075146320a47c686b17ee94c
State = 0xaf7aab12ab7cb29f91f28722b6106031
Aruba-Essid-Name = 'bandit'
Aruba-Location-Id = 'ap1'
Aruba-AP-Group = 'syd'
Aruba-Device-Type = 'Windows'
Message-Authenticator = 0x3d5c9d2133066c4b3420ff366a49e175
(5) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(5) authorize {
(5) filter_username filter_username {
(5) if (User-Name != "%{tolower:%{User-Name}}")
(5) EXPAND %{tolower:%{User-Name}}
(5) --> host/win81-ops.in.testdomain
(5) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(5) if (User-Name =~ / /)
(5) if (User-Name =~ / /) -> FALSE
(5) if (User-Name =~ /@.*@/ )
(5) if (User-Name =~ /@.*@/ ) -> FALSE
(5) if (User-Name =~ /\\.\\./ )
(5) if (User-Name =~ /\\.\\./ ) -> FALSE
(5) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
(5) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE
(5) if (User-Name =~ /\\.$/)
(5) if (User-Name =~ /\\.$/) -> FALSE
(5) if (User-Name =~ /@\\./)
(5) if (User-Name =~ /@\\./) -> FALSE
(5) } # filter_username filter_username = notfound
(5) [preprocess] = ok
(5) [chap] = noop
(5) [mschap] = noop
(5) [digest] = noop
(5) suffix : No '@' in User-Name = "host/win81-ops.in.testdomain",
looking up realm NULL
(5) suffix : No such realm "NULL"
(5) [suffix] = noop
(5) eap : EAP packet type response id 6 length 144
(5) eap : Continuing tunnel setup.
(5) [eap] = ok
(5) } # authorize = ok
(5) Found Auth-Type = EAP
(5) # Executing group from file /etc/freeradius/sites-enabled/default
(5) authenticate {
(5) eap : Expiring EAP session with state 0xaf7aab12ab7cb29f
(5) eap : Finished EAP session with state 0xaf7aab12ab7cb29f
(5) eap : Previous EAP request found for state 0xaf7aab12ab7cb29f,
released from the list
(5) eap : Peer sent PEAP (25)
(5) eap : EAP PEAP (25)
(5) eap : Calling eap_peap to process EAP data
(5) eap_peap : processing EAP-TLS
TLS Length 134
(5) eap_peap : Length Included
(5) eap_peap : eaptls_verify returned 11
(5) eap_peap : <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange
(5) eap_peap : TLS_accept: SSLv3 read client key exchange A
(5) eap_peap : <<< TLS 1.0 ChangeCipherSpec [length 0001]
(5) eap_peap : <<< TLS 1.0 Handshake [length 0010], Finished
(5) eap_peap : TLS_accept: SSLv3 read finished A
(5) eap_peap : >>> TLS 1.0 ChangeCipherSpec [length 0001]
(5) eap_peap : TLS_accept: SSLv3 write change cipher spec A
(5) eap_peap : >>> TLS 1.0 Handshake [length 0010], Finished
(5) eap_peap : TLS_accept: SSLv3 write finished A
(5) eap_peap : TLS_accept: SSLv3 flush data
SSL: adding session
41db36e17b59817fcc7a5d510c0ab6febebd2f0dfc04701386f3dad95265c63d to
cache
(5) eap_peap : (other): SSL negotiation finished successfully
SSL Connection Established
(5) eap_peap : eaptls_process returned 13
(5) eap_peap : FR_TLS_HANDLED
(5) eap : New EAP session, adding 'State' attribute to reply 0xaf7aab12aa7db29f
(5) [eap] = handled
(5) } # authenticate = handled
Sending Access-Challenge Id 216 from 192.168.254.181:1812 to 172.17.6.253:32985
EAP-Message = 0x0107004119001403010001011603010030904c13f5aa90bc06c6a9e4a9a9fe076ac1facca994920e0028b62392ef0d62e3dffb6d45d1198e88cbe9b9ce70df1d39
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xaf7aab12aa7db29f91f28722b6106031
(5) Finished request
Waking up in 0.2 seconds.
Waking up in 4.6 seconds.
Received Access-Request Id 218 from 172.17.6.253:32985 to
192.168.254.181:1812 length 232
User-Name = 'host/win81-ops.in.testdomain'
NAS-IP-Address = 172.17.6.253
NAS-Port = 0
NAS-Identifier = 'wirelesscontroller'
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = '5C514FFA8C73'
Called-Station-Id = '000B869A9037'
Service-Type = Framed-User
Framed-MTU = 1100
EAP-Message = 0x020700061900
State = 0xaf7aab12aa7db29f91f28722b6106031
Aruba-Essid-Name = 'bandit'
Aruba-Location-Id = 'ap1'
Aruba-AP-Group = 'syd'
Aruba-Device-Type = 'Windows'
Message-Authenticator = 0x870a84bb1fdef1e9e576bb097297dafc
(6) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(6) authorize {
(6) filter_username filter_username {
(6) if (User-Name != "%{tolower:%{User-Name}}")
(6) EXPAND %{tolower:%{User-Name}}
(6) --> host/win81-ops.in.testdomain
(6) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(6) if (User-Name =~ / /)
(6) if (User-Name =~ / /) -> FALSE
(6) if (User-Name =~ /@.*@/ )
(6) if (User-Name =~ /@.*@/ ) -> FALSE
(6) if (User-Name =~ /\\.\\./ )
(6) if (User-Name =~ /\\.\\./ ) -> FALSE
(6) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
(6) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE
(6) if (User-Name =~ /\\.$/)
(6) if (User-Name =~ /\\.$/) -> FALSE
(6) if (User-Name =~ /@\\./)
(6) if (User-Name =~ /@\\./) -> FALSE
(6) } # filter_username filter_username = notfound
(6) [preprocess] = ok
(6) [chap] = noop
(6) [mschap] = noop
(6) [digest] = noop
(6) suffix : No '@' in User-Name = "host/win81-ops.in.testdomain",
looking up realm NULL
(6) suffix : No such realm "NULL"
(6) [suffix] = noop
(6) eap : EAP packet type response id 7 length 6
(6) eap : Continuing tunnel setup.
(6) [eap] = ok
(6) } # authorize = ok
(6) Found Auth-Type = EAP
(6) # Executing group from file /etc/freeradius/sites-enabled/default
(6) authenticate {
(6) eap : Expiring EAP session with state 0xaf7aab12aa7db29f
(6) eap : Finished EAP session with state 0xaf7aab12aa7db29f
(6) eap : Previous EAP request found for state 0xaf7aab12aa7db29f,
released from the list
(6) eap : Peer sent PEAP (25)
(6) eap : EAP PEAP (25)
(6) eap : Calling eap_peap to process EAP data
(6) eap_peap : processing EAP-TLS
(6) eap_peap : Received TLS ACK
(6) eap_peap : Received TLS ACK
(6) eap_peap : ACK handshake is finished
(6) eap_peap : eaptls_verify returned 3
(6) eap_peap : eaptls_process returned 3
(6) eap_peap : FR_TLS_SUCCESS
(6) eap_peap : Session established. Decoding tunneled attributes.
(6) eap_peap : Peap state TUNNEL ESTABLISHED
(6) eap : New EAP session, adding 'State' attribute to reply 0xaf7aab12a972b29f
(6) [eap] = handled
(6) } # authenticate = handled
Sending Access-Challenge Id 218 from 192.168.254.181:1812 to 172.17.6.253:32985
EAP-Message = 0x0108002b19001703010020f022350972cbaf550411b0a05e940de89489d54aaa26eea60fa42c528e37b598
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xaf7aab12a972b29f91f28722b6106031
(6) Finished request
Waking up in 0.3 seconds.
Received Access-Request Id 219 from 172.17.6.253:32985 to
192.168.254.181:1812 length 301
User-Name = 'host/win81-ops.in.testdomain'
NAS-IP-Address = 172.17.6.253
NAS-Port = 0
NAS-Identifier = 'wirelesscontroller'
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = '5C514FFA8C73'
Called-Station-Id = '000B869A9037'
Service-Type = Framed-User
Framed-MTU = 1100
EAP-Message = 0x0208004b190017030100401450d110896340dd1527e3b736b40db579761481d7c7bd8df6f8a8bafe346ae902d6eca6adb3ce318e7f8a82345ed565cb364dbaf6fea0c3ea2fe03f596781b8
State = 0xaf7aab12a972b29f91f28722b6106031
Aruba-Essid-Name = 'bandit'
Aruba-Location-Id = 'ap1'
Aruba-AP-Group = 'syd'
Aruba-Device-Type = 'Windows'
Message-Authenticator = 0x81748904e69029b5c562279f77a1fa9a
(7) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(7) authorize {
(7) filter_username filter_username {
(7) if (User-Name != "%{tolower:%{User-Name}}")
(7) EXPAND %{tolower:%{User-Name}}
(7) --> host/win81-ops.in.testdomain
(7) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(7) if (User-Name =~ / /)
(7) if (User-Name =~ / /) -> FALSE
(7) if (User-Name =~ /@.*@/ )
(7) if (User-Name =~ /@.*@/ ) -> FALSE
(7) if (User-Name =~ /\\.\\./ )
(7) if (User-Name =~ /\\.\\./ ) -> FALSE
(7) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
(7) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE
(7) if (User-Name =~ /\\.$/)
(7) if (User-Name =~ /\\.$/) -> FALSE
(7) if (User-Name =~ /@\\./)
(7) if (User-Name =~ /@\\./) -> FALSE
(7) } # filter_username filter_username = notfound
(7) [preprocess] = ok
(7) [chap] = noop
(7) [mschap] = noop
(7) [digest] = noop
(7) suffix : No '@' in User-Name = "host/win81-ops.in.testdomain",
looking up realm NULL
(7) suffix : No such realm "NULL"
(7) [suffix] = noop
(7) eap : EAP packet type response id 8 length 75
(7) eap : Continuing tunnel setup.
(7) [eap] = ok
(7) } # authorize = ok
(7) Found Auth-Type = EAP
(7) # Executing group from file /etc/freeradius/sites-enabled/default
(7) authenticate {
(7) eap : Expiring EAP session with state 0xaf7aab12a972b29f
(7) eap : Finished EAP session with state 0xaf7aab12a972b29f
(7) eap : Previous EAP request found for state 0xaf7aab12a972b29f,
released from the list
(7) eap : Peer sent PEAP (25)
(7) eap : EAP PEAP (25)
(7) eap : Calling eap_peap to process EAP data
(7) eap_peap : processing EAP-TLS
(7) eap_peap : eaptls_verify returned 7
(7) eap_peap : Done initial handshake
(7) eap_peap : eaptls_process returned 7
(7) eap_peap : FR_TLS_OK
(7) eap_peap : Session established. Decoding tunneled attributes.
(7) eap_peap : Peap state WAITING FOR INNER IDENTITY
(7) eap_peap : Identity - host/win81-ops.in.testdomain
(7) eap_peap : Got inner identity 'host/win81-ops.in.testdomain'
(7) eap_peap : Setting default EAP type for tunneled EAP session.
(7) eap_peap : Got tunneled request
EAP-Message = 0x0208002001686f73742f77696e38312d6f70732e696e2e667265736876696577
server default {
(7) eap_peap : Setting User-Name to host/win81-ops.in.testdomain
Sending tunneled request
EAP-Message = 0x0208002001686f73742f77696e38312d6f70732e696e2e667265736876696577
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = 'host/win81-ops.in.testdomain'
server inner-tunnel {
(7) # Executing section authorize from file
/etc/freeradius/sites-enabled/inner-tunnel
(7) authorize {
(7) [chap] = noop
(7) [mschap] = noop
(7) suffix : No '@' in User-Name = "host/win81-ops.in.testdomain",
looking up realm NULL
(7) suffix : No such realm "NULL"
(7) [suffix] = noop
(7) ntdomain : No '\' in User-Name = "host/win81-ops.in.testdomain",
looking up realm NULL
(7) ntdomain : No such realm "NULL"
(7) [ntdomain] = noop
(7) update control {
(7) Proxy-To-Realm := 'LOCAL'
(7) } # update control = noop
(7) eap : EAP packet type response id 8 length 32
(7) eap : EAP-Identity reply, returning 'ok' so we can short-circuit
the rest of authorize
(7) [eap] = ok
(7) } # authorize = ok
(7) Found Auth-Type = EAP
(7) # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
(7) authenticate {
(7) eap : Peer sent Identity (1)
(7) eap : Calling eap_mschapv2 to process EAP data
(7) eap_mschapv2 : Issuing Challenge
(7) eap : New EAP session, adding 'State' attribute to reply 0xdf4bb440df42ae97
(7) [eap] = handled
(7) } # authenticate = handled
} # server inner-tunnel
(7) eap_peap : Got tunneled reply code 11
EAP-Message = 0x010900351a0109003010ec2d3f9c331be8cc8f308fb3e36354f7686f73742f77696e38312d6f70732e696e2e667265736876696577
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xdf4bb440df42ae976131f6adcea1c414
(7) eap_peap : Got tunneled reply RADIUS code 11
EAP-Message = 0x010900351a0109003010ec2d3f9c331be8cc8f308fb3e36354f7686f73742f77696e38312d6f70732e696e2e667265736876696577
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xdf4bb440df42ae976131f6adcea1c414
(7) eap_peap : Got tunneled Access-Challenge
(7) eap : New EAP session, adding 'State' attribute to reply 0xaf7aab12a873b29f
(7) [eap] = handled
(7) } # authenticate = handled
Sending Access-Challenge Id 219 from 192.168.254.181:1812 to 172.17.6.253:32985
EAP-Message = 0x0109005b1900170301005026e15c112b330ea70a897a62e1e776e56a8cfc3542db91a040be524e2ecd90127236545cd0d513ea877cdd23c887e844dd5fc775bd5cb9fc5aeb0e0d08ee6646e96621abff9801bf0b83f07219a91189
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xaf7aab12a873b29f91f28722b6106031
(7) Finished request
Waking up in 0.3 seconds.
Received Access-Request Id 217 from 172.17.6.253:32985 to
192.168.254.181:1812 length 349
User-Name = 'host/win81-ops.in.testdomain'
NAS-IP-Address = 172.17.6.253
NAS-Port = 0
NAS-Identifier = 'wirelesscontroller'
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = '5C514FFA8C73'
Called-Station-Id = '000B869A9037'
Service-Type = Framed-User
Framed-MTU = 1100
EAP-Message = 0x0209007b19001703010070c28751119ce4f468f4da5543f53dfa82dc9fb4ec3663880ebc4225065cf9de7314a32afc8093225d3fc12d012659cc234ee541504d9fde5d06fa80dfe83e331aa6527744476fd0f2aed8b4596f0efd388f1b20164aba971c8de1654bc68e9b63b89c741d4067a43f254bc083a03ea937
State = 0xaf7aab12a873b29f91f28722b6106031
Aruba-Essid-Name = 'bandit'
Aruba-Location-Id = 'ap1'
Aruba-AP-Group = 'syd'
Aruba-Device-Type = 'Windows'
Message-Authenticator = 0x60c7b813e29d7f613e573fca00dadb1f
(8) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(8) authorize {
(8) filter_username filter_username {
(8) if (User-Name != "%{tolower:%{User-Name}}")
(8) EXPAND %{tolower:%{User-Name}}
(8) --> host/win81-ops.in.testdomain
(8) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(8) if (User-Name =~ / /)
(8) if (User-Name =~ / /) -> FALSE
(8) if (User-Name =~ /@.*@/ )
(8) if (User-Name =~ /@.*@/ ) -> FALSE
(8) if (User-Name =~ /\\.\\./ )
(8) if (User-Name =~ /\\.\\./ ) -> FALSE
(8) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
(8) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE
(8) if (User-Name =~ /\\.$/)
(8) if (User-Name =~ /\\.$/) -> FALSE
(8) if (User-Name =~ /@\\./)
(8) if (User-Name =~ /@\\./) -> FALSE
(8) } # filter_username filter_username = notfound
(8) [preprocess] = ok
(8) [chap] = noop
(8) [mschap] = noop
(8) [digest] = noop
(8) suffix : No '@' in User-Name = "host/win81-ops.in.testdomain",
looking up realm NULL
(8) suffix : No such realm "NULL"
(8) [suffix] = noop
(8) eap : EAP packet type response id 9 length 123
(8) eap : Continuing tunnel setup.
(8) [eap] = ok
(8) } # authorize = ok
(8) Found Auth-Type = EAP
(8) # Executing group from file /etc/freeradius/sites-enabled/default
(8) authenticate {
(8) eap : Expiring EAP session with state 0xdf4bb440df42ae97
(8) eap : Finished EAP session with state 0xaf7aab12a873b29f
(8) eap : Previous EAP request found for state 0xaf7aab12a873b29f,
released from the list
(8) eap : Peer sent PEAP (25)
(8) eap : EAP PEAP (25)
(8) eap : Calling eap_peap to process EAP data
(8) eap_peap : processing EAP-TLS
(8) eap_peap : eaptls_verify returned 7
(8) eap_peap : Done initial handshake
(8) eap_peap : eaptls_process returned 7
(8) eap_peap : FR_TLS_OK
(8) eap_peap : Session established. Decoding tunneled attributes.
(8) eap_peap : Peap state phase2
(8) eap_peap : EAP type MSCHAPv2 (26)
(8) eap_peap : Got tunneled request
EAP-Message = 0x020900561a020900513145439c4e90869e9f6ceab1d1297c6d380000000000000000d0dd725641db826ddf168b4b2144c203e6d3280c10fec22900686f73742f77696e38312d6f70732e696e2e667265736876696577
server default {
(8) eap_peap : Setting User-Name to host/win81-ops.in.testdomain
Sending tunneled request
EAP-Message = 0x020900561a020900513145439c4e90869e9f6ceab1d1297c6d380000000000000000d0dd725641db826ddf168b4b2144c203e6d3280c10fec22900686f73742f77696e38312d6f70732e696e2e667265736876696577
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = 'host/win81-ops.in.testdomain'
State = 0xdf4bb440df42ae976131f6adcea1c414
server inner-tunnel {
(8) # Executing section authorize from file
/etc/freeradius/sites-enabled/inner-tunnel
(8) authorize {
(8) [chap] = noop
(8) [mschap] = noop
(8) suffix : No '@' in User-Name = "host/win81-ops.in.testdomain",
looking up realm NULL
(8) suffix : No such realm "NULL"
(8) [suffix] = noop
(8) ntdomain : No '\' in User-Name = "host/win81-ops.in.testdomain",
looking up realm NULL
(8) ntdomain : No such realm "NULL"
(8) [ntdomain] = noop
(8) update control {
(8) Proxy-To-Realm := 'LOCAL'
(8) } # update control = noop
(8) eap : EAP packet type response id 9 length 86
(8) eap : No EAP Start, assuming it's an on-going EAP conversation
(8) [eap] = updated
(8) [files] = noop
(8) [expiration] = noop
(8) [logintime] = noop
(8) [pap] = noop
(8) } # authorize = updated
(8) Found Auth-Type = EAP
(8) # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
(8) authenticate {
(8) eap : Expiring EAP session with state 0xdf4bb440df42ae97
(8) eap : Finished EAP session with state 0xdf4bb440df42ae97
(8) eap : Previous EAP request found for state 0xdf4bb440df42ae97,
released from the list
(8) eap : Peer sent MSCHAPv2 (26)
(8) eap : EAP MSCHAPv2 (26)
(8) eap : Calling eap_mschapv2 to process EAP data
(8) eap_mschapv2 : # Executing group from file
/etc/freeradius/sites-enabled/inner-tunnel
(8) eap_mschapv2 : Auth-Type MS-CHAP {
(8) mschap : Creating challenge hash with username: host/win81-ops.in.testdomain
(8) mschap : Client is using MS-CHAPv2
(8) mschap : Executing: /usr/bin/ntlm_auth --request-nt-key
--username=%{mschap:User-Name:-None}
--domain=%{%{mschap:NT-Domain}:-TESTDOMAIN}
--challenge=%{mschap:Challenge:-00}
--nt-response=%{mschap:NT-Response:-00}
(8) mschap : EXPAND --username=%{mschap:User-Name:-None}
(8) mschap : --> --username=win81-ops$
(8) mschap : EXPAND --domain=%{%{mschap:NT-Domain}:-TESTDOMAIN}
(8) mschap : --> --domain=in
(8) mschap : Creating challenge hash with username: host/win81-ops.in.testdomain
(8) mschap : EXPAND --challenge=%{mschap:Challenge:-00}
(8) mschap : --> --challenge=4d7bb6f00f0d7a38
(8) mschap : EXPAND --nt-response=%{mschap:NT-Response:-00}
(8) mschap : -->
--nt-response=d0dd725641db826ddf168b4b2144c203e6d3280c10fec229
(8) ERROR: mschap : Program returned code (1) and output 'Logon
failure (0xc000006d)'
(8) mschap : External script failed.
(8) ERROR: mschap : External script says: Logon failure (0xc000006d)
(8) ERROR: mschap : MS-CHAP2-Response is incorrect
(8) [mschap] = reject
(8) } # Auth-Type MS-CHAP = reject
(8) eap : Freeing handler
(8) [eap] = reject
(8) } # authenticate = reject
(8) Failed to authenticate the user.
(8) Login incorrect (mschap: Program returned code (1) and output
'Logon failure (0xc000006d)'): [host/win81-ops.in.testdomain] (from
client ap1-38-wlsclt-00 port 0 via TLS tunnel)
(8) Using Post-Auth-Type Reject
(8) # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
(8) Post-Auth-Type REJECT {
(8) attr_filter.access_reject : EXPAND %{User-Name}
(8) attr_filter.access_reject : --> host/win81-ops.in.testdomain
(8) attr_filter.access_reject : Matched entry DEFAULT at line 11
(8) [attr_filter.access_reject] = updated
(8) } # Post-Auth-Type REJECT = updated
} # server inner-tunnel
(8) eap_peap : Got tunneled reply code 3
MS-CHAP-Error = '\tE=691 R=1'
EAP-Message = 0x04090004
Message-Authenticator = 0x00000000000000000000000000000000
(8) eap_peap : Got tunneled reply RADIUS code 3
MS-CHAP-Error = '\tE=691 R=1'
EAP-Message = 0x04090004
Message-Authenticator = 0x00000000000000000000000000000000
(8) eap_peap : Tunneled authentication was rejected.
(8) eap_peap : FAILURE
(8) eap : New EAP session, adding 'State' attribute to reply 0xaf7aab12a770b29f
(8) [eap] = handled
(8) } # authenticate = handled
Sending Access-Challenge Id 217 from 192.168.254.181:1812 to 172.17.6.253:32985
EAP-Message = 0x010a002b190017030100200b738039b4f535481dff197a39ee81927b772fac96781dd6e727a46a1fce1378
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xaf7aab12a770b29f91f28722b6106031
(8) Finished request
Waking up in 0.3 seconds.
Received Access-Request Id 220 from 172.17.6.253:32985 to
192.168.254.181:1812 length 269
User-Name = 'host/win81-ops.in.testdomain'
NAS-IP-Address = 172.17.6.253
NAS-Port = 0
NAS-Identifier = 'wirelesscontroller'
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = '5C514FFA8C73'
Called-Station-Id = '000B869A9037'
Service-Type = Framed-User
Framed-MTU = 1100
EAP-Message = 0x020a002b19001703010020544957a4f102082595db7a5beab83a5e39c5618bc043779c4640f13519373571
State = 0xaf7aab12a770b29f91f28722b6106031
Aruba-Essid-Name = 'bandit'
Aruba-Location-Id = 'ap1'
Aruba-AP-Group = 'syd'
Aruba-Device-Type = 'Windows'
Message-Authenticator = 0x567dfee464244ff803f97a5369736c65
(9) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(9) authorize {
(9) filter_username filter_username {
(9) if (User-Name != "%{tolower:%{User-Name}}")
(9) EXPAND %{tolower:%{User-Name}}
(9) --> host/win81-ops.in.testdomain
(9) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(9) if (User-Name =~ / /)
(9) if (User-Name =~ / /) -> FALSE
(9) if (User-Name =~ /@.*@/ )
(9) if (User-Name =~ /@.*@/ ) -> FALSE
(9) if (User-Name =~ /\\.\\./ )
(9) if (User-Name =~ /\\.\\./ ) -> FALSE
(9) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
(9) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE
(9) if (User-Name =~ /\\.$/)
(9) if (User-Name =~ /\\.$/) -> FALSE
(9) if (User-Name =~ /@\\./)
(9) if (User-Name =~ /@\\./) -> FALSE
(9) } # filter_username filter_username = notfound
(9) [preprocess] = ok
(9) [chap] = noop
(9) [mschap] = noop
(9) [digest] = noop
(9) suffix : No '@' in User-Name = "host/win81-ops.in.testdomain",
looking up realm NULL
(9) suffix : No such realm "NULL"
(9) [suffix] = noop
(9) eap : EAP packet type response id 10 length 43
(9) eap : Continuing tunnel setup.
(9) [eap] = ok
(9) } # authorize = ok
(9) Found Auth-Type = EAP
(9) # Executing group from file /etc/freeradius/sites-enabled/default
(9) authenticate {
(9) eap : Expiring EAP session with state 0xaf7aab12a770b29f
(9) eap : Finished EAP session with state 0xaf7aab12a770b29f
(9) eap : Previous EAP request found for state 0xaf7aab12a770b29f,
released from the list
(9) eap : Peer sent PEAP (25)
(9) eap : EAP PEAP (25)
(9) eap : Calling eap_peap to process EAP data
(9) eap_peap : processing EAP-TLS
(9) eap_peap : eaptls_verify returned 7
(9) eap_peap : Done initial handshake
(9) eap_peap : eaptls_process returned 7
(9) eap_peap : FR_TLS_OK
(9) eap_peap : Session established. Decoding tunneled attributes.
(9) eap_peap : Peap state send tlv failure
(9) eap_peap : Received EAP-TLV response.
(9) eap_peap : The users session was previously rejected: returning
reject (again.)
(9) eap_peap : *** This means you need to read the PREVIOUS messages
in the debug output
(9) eap_peap : *** to find out the reason why the user was rejected.
(9) eap_peap : *** Look for "reject" or "fail". Those earlier
messages will tell you.
(9) eap_peap : *** what went wrong, and how to fix the problem.
SSL: Removing session
41db36e17b59817fcc7a5d510c0ab6febebd2f0dfc04701386f3dad95265c63d from
the cache
(9) ERROR: eap : Failed continuing EAP PEAP (25) session. EAP sub-module failed
(9) eap : Failed in EAP select
(9) [eap] = invalid
(9) } # authenticate = invalid
(9) Failed to authenticate the user.
(9) Login incorrect (eap: Failed continuing EAP PEAP (25) session. EAP
sub-module failed): [host/win81-ops.in.testdomain] (from client
ap1-38-wlsclt-00 port 0 cli 5C514FFA8C73)
(9) Using Post-Auth-Type Reject
(9) # Executing group from file /etc/freeradius/sites-enabled/default
(9) Post-Auth-Type REJECT {
(9) attr_filter.access_reject : EXPAND %{User-Name}
(9) attr_filter.access_reject : --> host/win81-ops.in.testdomain
(9) attr_filter.access_reject : Matched entry DEFAULT at line 11
(9) [attr_filter.access_reject] = updated
(9) eap : Reply already contained an EAP-Message, not inserting EAP-Failure
(9) [eap] = noop
(9) remove_reply_message_if_eap remove_reply_message_if_eap {
(9) if (reply:EAP-Message && reply:Reply-Message)
(9) if (reply:EAP-Message && reply:Reply-Message) -> FALSE
(9) else else {
(9) [noop] = noop
(9) } # else else = noop
(9) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop
(9) } # Post-Auth-Type REJECT = updated
(9) Delaying response for 1 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(9) Sending delayed response
Sending Access-Reject Id 220 from 192.168.254.181:1812 to 172.17.6.253:32985
EAP-Message = 0x040a0004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 2.5 seconds.
(0) Cleaning up request packet ID 211 with timestamp +5
(1) Cleaning up request packet ID 203 with timestamp +5
(2) Cleaning up request packet ID 213 with timestamp +5
(3) Cleaning up request packet ID 212 with timestamp +5
(4) Cleaning up request packet ID 215 with timestamp +5
(5) Cleaning up request packet ID 216 with timestamp +5
Waking up in 1.4 seconds.
(6) Cleaning up request packet ID 218 with timestamp +7
(7) Cleaning up request packet ID 219 with timestamp +7
(8) Cleaning up request packet ID 217 with timestamp +7
(9) Cleaning up request packet ID 220 with timestamp +7
Ready to process requests.
Received Access-Request Id 221 from 172.17.6.253:32985 to
192.168.254.181:1812 length 218
User-Name = 'TESTDOMAIN\\testuser'
NAS-IP-Address = 172.17.6.253
NAS-Port = 0
NAS-Identifier = 'wirelesscontroller'
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = '5C514FFA8C73'
Called-Station-Id = '000B869A9037'
Service-Type = Framed-User
Framed-MTU = 1100
EAP-Message = 0x02010015014652455348564945575c74796e616e79
Aruba-Essid-Name = 'bandit'
Aruba-Location-Id = 'ap1'
Aruba-AP-Group = 'syd'
Aruba-Device-Type = 'Windows'
Message-Authenticator = 0xdd9875a4f200bb105676cc44bbc1990a
(10) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(10) authorize {
(10) filter_username filter_username {
(10) if (User-Name != "%{tolower:%{User-Name}}")
(10) EXPAND %{tolower:%{User-Name}}
(10) --> testdomain\\testuser
(10) if (User-Name != "%{tolower:%{User-Name}}") -> TRUE
(10) if (User-Name != "%{tolower:%{User-Name}}") {
(10) [reject] = reject
(10) } # if (User-Name != "%{tolower:%{User-Name}}") = reject
(10) } # filter_username filter_username = reject
(10) } # authorize = reject
(10) Invalid user: [TESTDOMAIN\\testuser] (from client
ap1-38-wlsclt-00 port 0 cli 5C514FFA8C73)
(10) Using Post-Auth-Type Reject
(10) # Executing group from file /etc/freeradius/sites-enabled/default
(10) Post-Auth-Type REJECT {
(10) attr_filter.access_reject : EXPAND %{User-Name}
(10) attr_filter.access_reject : --> TESTDOMAIN\\testuser
(10) attr_filter.access_reject : Matched entry DEFAULT at line 11
(10) [attr_filter.access_reject] = updated
(10) eap : Request was previously rejected, inserting EAP-Failure
(10) [eap] = updated
(10) remove_reply_message_if_eap remove_reply_message_if_eap {
(10) if (reply:EAP-Message && reply:Reply-Message)
(10) if (reply:EAP-Message && reply:Reply-Message) -> FALSE
(10) else else {
(10) [noop] = noop
(10) } # else else = noop
(10) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop
(10) } # Post-Auth-Type REJECT = updated
(10) Delaying response for 1 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(10) Sending delayed response
Sending Access-Reject Id 221 from 192.168.254.181:1812 to 172.17.6.253:32985
EAP-Message = 0x04010004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.
(10) Cleaning up request packet ID 221 with timestamp +12
Ready to process requests.
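As an added example (not code from the original post or from FreeRADIUS itself), here is a Python emulation of the two outer-tunnel decisions visible in the trace: the filter_username checks that reject TESTDOMAIN\testuser, and the username/NT-Domain split that turns host/win81-ops.in.testdomain into --username=win81-ops$ --domain=in. The split is modelled on the EXPAND lines in the trace, not on rlm_mschap's source, and the sample names are constructed.

```python
import re

# Emulation of the filter_username policy exactly as the trace lists its
# conditions, in the same order. Returns the rcode the trace prints.
def filter_username(user_name):
    # 1. User-Name != tolower(User-Name): mixed/upper case is rejected
    if user_name != user_name.lower():
        return "reject"
    # 2. embedded space
    if re.search(r" ", user_name):
        return "reject"
    # 3. more than one '@'
    if re.search(r"@.*@", user_name):
        return "reject"
    # 4. consecutive dots
    if re.search(r"\.\.", user_name):
        return "reject"
    # 5. '@' present but realm is not "label.label"
    if "@" in user_name and not re.search(r"@(.+)\.(.+)$", user_name):
        return "reject"
    # 6. trailing dot
    if re.search(r"\.$", user_name):
        return "reject"
    # 7. '@' directly followed by a dot
    if re.search(r"@\.", user_name):
        return "reject"
    return "notfound"


# Emulation of the mschap:User-Name / mschap:NT-Domain expansion the trace
# shows for a "host/<machine>.<dns labels>" identity. It reproduces the
# observed "--username=win81-ops$ --domain=in"; it is an assumption that
# rlm_mschap behaves this way for every host/ identity.
def mschap_split_host_identity(user_name):
    if not user_name.startswith("host/"):
        raise ValueError("not a host/ identity")
    labels = user_name[len("host/"):].split(".")
    machine = labels[0] + "$"                 # machine accounts are "<name>$"
    nt_domain = labels[1] if len(labels) > 1 else None  # first label after the host
    return machine, nt_domain


if __name__ == "__main__":
    for name in ("host/win81-ops.in.testdomain", "TESTDOMAIN\\testuser"):
        print(name, "->", filter_username(name))
    print(mschap_split_host_identity("host/win81-ops.in.testdomain"))
```

Running it reproduces the trace: the lower-case host/ identity passes filter_username and is split into win81-ops$ in domain "in", while the DOMAIN\user form is rejected on the very first (case) check before any authentication happens.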