Yet Another PEAP-MSCHAPV2 problem
Alex Moen
alexm at ndtel.com
Tue Sep 22 00:02:05 CEST 2015
First of all, thanks for the input, Matthew! It is really nice to get
good feedback from knowledgeable people!
On 09/21/2015 04:39 PM, Matthew Newton wrote:
> On Mon, Sep 21, 2015 at 04:18:32PM -0500, Alex Moen wrote:
>> I have multiple directories on that server. My basedn was too
>> broad, and I was getting an answer from a different directory tree
>> than I thought.
>
> OK.
>
>> Now I just have to figure out why I can't authenticate. I know one
>> of the differences between the "branches" of the directory tree, is
>> that the incorrect one is using Crypt passwords, and the correct one
>> is using SSHA passwords. Seems that the SSHA passwords are not
>> working while the Crypt passwords do.
>
> It's impossible to authenticate MSCHAP with Crypt or SSHA.
>
> Your first e-mail had this:
>
>> (29) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
>> (29) ldap: --> (uid=alexm)
>> (29) ldap: Performing search in "o=ndtc" with filter "(uid=alexm)", scope "sub"
>> (29) ldap: Waiting for search result...
>> (29) ldap: User object found at DN "uid=alexm,ou=ndtcadministration,o=ndtc"
>> (29) ldap: Processing user attributes
>
> So it must have been getting a plain text password.
>
> The next e-mail had:
>
>> # debio at ndtel.com, ndtel, ndtc
>> dn: uid=debio at ndtel.com,ou=ndtel,o=ndtc
>> uid: debio at ndtel.com
> ...
>> sambaLMPassword: B15F999EA3OBFUSCATED!NOTHING2SEE
>> sambaAcctFlags: [U]
>> sambaNTPassword: 6F005855B7OBFUSCATED!NOTHING2SEE
> ...
>> userPassword:: e1NTSEF9cEkwUUOBFUSCATED!NOTHING2SEERWJ5VFlLTVkyUzk=
>
> so there you've got userPassword (I presume plaintext)
Nope. It's definitely an SSHA. Her password is not 50 characters long.
But it would definitely explain why it's not working, if SSHA
passwords won't work.
> and sambaNTPassword, which is NTLM and can be used for MSCHAPv2.
> Nothing else will work.
>
> What does the debug output look like now? What attribute is the
> ldap module looking for to get the password? Is there a NTLM or
> plaintext password in the record you are using?
>
> Matthew
>
Yes, there are NTLM passwords on the accounts I want to use, since they
are the same authentication mechanism used for our Samba server...
So, I have switched (in the /etc/raddb/mods-available/ldap file) from:
control:Password-With-Header += 'userPassword'
to:
control:Password-With-Header += 'sambaNTPassword'
It did not help; here's the debug:
(0) Received Access-Request Id 141 from 192.168.255.112:51351 to 192.168.255.5:1812 length 195
(0) User-Name = "alexm at ndtel.com"
(0) NAS-IP-Address = 192.168.255.112
(0) NAS-Identifier = "0418d620086c"
(0) NAS-Port = 0
(0) Called-Station-Id = "0E-18-D6-22-08-6C:NDTC Corporate 11x"
(0) Calling-Station-Id = "C4-85-08-F5-2C-10"
(0) Framed-MTU = 1400
(0) NAS-Port-Type = Wireless-802.11
(0) Connect-Info = "CONNECT 0Mbps 802.11b"
(0) EAP-Message = 0x0253001401616c65786d406e6474656c2e636f6d
(0) Message-Authenticator = 0x7799e9c43e42407c6ab8c899513dd40e
(0) # Executing section authorize from file /etc/raddb/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (!&User-Name) {
(0) if (!&User-Name) -> FALSE
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@.*@/ ) {
(0) if (&User-Name =~ /@.*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /@\./) {
(0) if (&User-Name =~ /@\./) -> FALSE
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: Looking up realm "ndtel.com" for User-Name = "alexm at ndtel.com"
(0) suffix: Found realm "ndtel.com"
(0) suffix: Adding Stripped-User-Name = "alexm"
(0) suffix: Adding Realm = "ndtel.com"
(0) suffix: Authentication realm is LOCAL
(0) [suffix] = ok
(0) eap: Peer sent EAP Response (code 2) ID 83 length 20
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(0) [eap] = ok
(0) } # authorize = ok
(0) Found Auth-Type = EAP
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0) authenticate {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_peap to process data
(0) eap_peap: Initiating new EAP-TLS session
(0) eap_peap: Flushing SSL sessions (of #0)
(0) eap_peap: [eaptls start] = request
(0) eap: Sending EAP Request (code 1) ID 84 length 6
(0) eap: EAP session adding &reply:State = 0x2b5395752b078cc5
(0) [eap] = handled
(0) } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) Post-Auth-Type sub-section not found. Ignoring.
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0) Sent Access-Challenge Id 141 from 192.168.255.5:1812 to 192.168.255.112:51351 length 0
(0) EAP-Message = 0x015400061920
(0) Message-Authenticator = 0x00000000000000000000000000000000
(0) State = 0x2b5395752b078cc5b4eb6d412c1f1224
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 142 from 192.168.255.112:51351 to 192.168.255.5:1812 length 332
(1) User-Name = "alexm at ndtel.com"
(1) NAS-IP-Address = 192.168.255.112
(1) NAS-Identifier = "0418d620086c"
(1) NAS-Port = 0
(1) Called-Station-Id = "0E-18-D6-22-08-6C:NDTC Corporate 11x"
(1) Calling-Station-Id = "C4-85-08-F5-2C-10"
(1) Framed-MTU = 1400
(1) NAS-Port-Type = Wireless-802.11
(1) Connect-Info = "CONNECT 0Mbps 802.11b"
(1) EAP-Message = 0x0254008b198000000081160301007c01000078030156007d08a87d8597598082bbaa005c4251db39a4722c74d60048d33bc90bdeb820c73e063cc970e85b38f61e11652d3c96ba288807dc179deb631decc5b033fe790018c014c013c00ac0090035002f00380032000a00130005000401000017000a00
(1) State = 0x2b5395752b078cc5b4eb6d412c1f1224
(1) Message-Authenticator = 0x2c232cd9435e251a02a7ca3233707200
(1) session-state: No cached attributes
(1) # Executing section authorize from file /etc/raddb/sites-enabled/default
(1) authorize {
(1) policy filter_username {
(1) if (!&User-Name) {
(1) if (!&User-Name) -> FALSE
(1) if (&User-Name =~ / /) {
(1) if (&User-Name =~ / /) -> FALSE
(1) if (&User-Name =~ /@.*@/ ) {
(1) if (&User-Name =~ /@.*@/ ) -> FALSE
(1) if (&User-Name =~ /\.\./ ) {
(1) if (&User-Name =~ /\.\./ ) -> FALSE
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(1) if (&User-Name =~ /\.$/) {
(1) if (&User-Name =~ /\.$/) -> FALSE
(1) if (&User-Name =~ /@\./) {
(1) if (&User-Name =~ /@\./) -> FALSE
(1) } # policy filter_username = notfound
(1) [preprocess] = ok
(1) [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: Looking up realm "ndtel.com" for User-Name = "alexm at ndtel.com"
(1) suffix: Found realm "ndtel.com"
(1) suffix: Adding Stripped-User-Name = "alexm"
(1) suffix: Adding Realm = "ndtel.com"
(1) suffix: Authentication realm is LOCAL
(1) [suffix] = ok
(1) eap: Peer sent EAP Response (code 2) ID 84 length 139
(1) eap: Continuing tunnel setup
(1) [eap] = ok
(1) } # authorize = ok
(1) Found Auth-Type = EAP
(1) # Executing group from file /etc/raddb/sites-enabled/default
(1) authenticate {
(1) eap: Expiring EAP session with state 0x2b5395752b078cc5
(1) eap: Finished EAP session with state 0x2b5395752b078cc5
(1) eap: Previous EAP request found for state 0x2b5395752b078cc5, released from the list
(1) eap: Peer sent packet with method EAP PEAP (25)
(1) eap: Calling submodule eap_peap to process data
(1) eap_peap: Continuing EAP-TLS
(1) eap_peap: Peer indicated complete TLS record size will be 129 bytes
(1) eap_peap: Got complete TLS record (129 bytes)
(1) eap_peap: [eaptls verify] = length included
(1) eap_peap: (other): before/accept initialization
(1) eap_peap: TLS_accept: before/accept initialization
(1) eap_peap: <<< TLS 1.0 Handshake [length 007c], ClientHello
(1) eap_peap: TLS_accept: SSLv3 read client hello A
(1) eap_peap: >>> TLS 1.0 Handshake [length 0059], ServerHello
(1) eap_peap: TLS_accept: SSLv3 write server hello A
(1) eap_peap: >>> TLS 1.0 Handshake [length 08b0], Certificate
(1) eap_peap: TLS_accept: SSLv3 write certificate A
(1) eap_peap: >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange
(1) eap_peap: TLS_accept: SSLv3 write key exchange A
(1) eap_peap: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
(1) eap_peap: TLS_accept: SSLv3 write server done A
(1) eap_peap: TLS_accept: SSLv3 flush data
(1) eap_peap: TLS_accept: Need to read more data: SSLv3 read client certificate A
(1) eap_peap: TLS_accept: Need to read more data: SSLv3 read client certificate A
(1) eap_peap: In SSL Handshake Phase
(1) eap_peap: In SSL Accept mode
(1) eap_peap: [eaptls process] = handled
(1) eap: Sending EAP Request (code 1) ID 85 length 1004
(1) eap: EAP session adding &reply:State = 0x2b5395752a068cc5
(1) [eap] = handled
(1) } # authenticate = handled
(1) Using Post-Auth-Type Challenge
(1) Post-Auth-Type sub-section not found. Ignoring.
(1) # Executing group from file /etc/raddb/sites-enabled/default
(1) Sent Access-Challenge Id 142 from 192.168.255.5:1812 to 192.168.255.112:51351 length 0
(1) EAP-Message = 0x015503ec19c000000a6c160301005902000055030156007d07f4135b60d176b1cbdd312b383a5726641da87c3bfa65bbe5520a425a2007a1e52adb07eb9959c70ab0dfdede48fbecbfec67e300869caa54803c88e4aac01400000dff01000100000b00040300010216030108b00b0008ac0008a90003d0
(1) Message-Authenticator = 0x00000000000000000000000000000000
(1) State = 0x2b5395752a068cc5b4eb6d412c1f1224
(1) Finished request
Waking up in 4.9 seconds.
(2) Received Access-Request Id 143 from 192.168.255.112:51351 to 192.168.255.5:1812 length 199
(2) User-Name = "alexm at ndtel.com"
(2) NAS-IP-Address = 192.168.255.112
(2) NAS-Identifier = "0418d620086c"
(2) NAS-Port = 0
(2) Called-Station-Id = "0E-18-D6-22-08-6C:NDTC Corporate 11x"
(2) Calling-Station-Id = "C4-85-08-F5-2C-10"
(2) Framed-MTU = 1400
(2) NAS-Port-Type = Wireless-802.11
(2) Connect-Info = "CONNECT 0Mbps 802.11b"
(2) EAP-Message = 0x025500061900
(2) State = 0x2b5395752a068cc5b4eb6d412c1f1224
(2) Message-Authenticator = 0x5f5bd3c85ca4a8a951f2f756feef1fa4
(2) session-state: No cached attributes
(2) # Executing section authorize from file /etc/raddb/sites-enabled/default
(2) authorize {
(2) policy filter_username {
(2) if (!&User-Name) {
(2) if (!&User-Name) -> FALSE
(2) if (&User-Name =~ / /) {
(2) if (&User-Name =~ / /) -> FALSE
(2) if (&User-Name =~ /@.*@/ ) {
(2) if (&User-Name =~ /@.*@/ ) -> FALSE
(2) if (&User-Name =~ /\.\./ ) {
(2) if (&User-Name =~ /\.\./ ) -> FALSE
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(2) if (&User-Name =~ /\.$/) {
(2) if (&User-Name =~ /\.$/) -> FALSE
(2) if (&User-Name =~ /@\./) {
(2) if (&User-Name =~ /@\./) -> FALSE
(2) } # policy filter_username = notfound
(2) [preprocess] = ok
(2) [digest] = noop
(2) suffix: Checking for suffix after "@"
(2) suffix: Looking up realm "ndtel.com" for User-Name = "alexm at ndtel.com"
(2) suffix: Found realm "ndtel.com"
(2) suffix: Adding Stripped-User-Name = "alexm"
(2) suffix: Adding Realm = "ndtel.com"
(2) suffix: Authentication realm is LOCAL
(2) [suffix] = ok
(2) eap: Peer sent EAP Response (code 2) ID 85 length 6
(2) eap: Continuing tunnel setup
(2) [eap] = ok
(2) } # authorize = ok
(2) Found Auth-Type = EAP
(2) # Executing group from file /etc/raddb/sites-enabled/default
(2) authenticate {
(2) eap: Expiring EAP session with state 0x2b5395752a068cc5
(2) eap: Finished EAP session with state 0x2b5395752a068cc5
(2) eap: Previous EAP request found for state 0x2b5395752a068cc5, released from the list
(2) eap: Peer sent packet with method EAP PEAP (25)
(2) eap: Calling submodule eap_peap to process data
(2) eap_peap: Continuing EAP-TLS
(2) eap_peap: Peer ACKed our handshake fragment
(2) eap_peap: [eaptls verify] = request
(2) eap_peap: [eaptls process] = handled
(2) eap: Sending EAP Request (code 1) ID 86 length 1000
(2) eap: EAP session adding &reply:State = 0x2b53957529058cc5
(2) [eap] = handled
(2) } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) Post-Auth-Type sub-section not found. Ignoring.
(2) # Executing group from file /etc/raddb/sites-enabled/default
(2) Sent Access-Challenge Id 143 from 192.168.255.5:1812 to 192.168.255.112:51351 length 0
(2) EAP-Message = 0x015603e81940cb266556c619c5b2efa5b201a6104aeffbbebb8cfd465f6a691bd7b1d49fb2d61b1273cc603b2a22bbabcde5c31eabc6bbff16f1a1e487f5daded9fe6ffc9dfacbdac64c43825dee4e2a378bcc2859de84c80339fd6dedd41a13450004d3308204cf308203b7a0030201020209008be4d1
(2) Message-Authenticator = 0x00000000000000000000000000000000
(2) State = 0x2b53957529058cc5b4eb6d412c1f1224
(2) Finished request
Waking up in 4.9 seconds.
(3) Received Access-Request Id 144 from 192.168.255.112:51351 to 192.168.255.5:1812 length 199
(3) User-Name = "alexm at ndtel.com"
(3) NAS-IP-Address = 192.168.255.112
(3) NAS-Identifier = "0418d620086c"
(3) NAS-Port = 0
(3) Called-Station-Id = "0E-18-D6-22-08-6C:NDTC Corporate 11x"
(3) Calling-Station-Id = "C4-85-08-F5-2C-10"
(3) Framed-MTU = 1400
(3) NAS-Port-Type = Wireless-802.11
(3) Connect-Info = "CONNECT 0Mbps 802.11b"
(3) EAP-Message = 0x025600061900
(3) State = 0x2b53957529058cc5b4eb6d412c1f1224
(3) Message-Authenticator = 0xd3e01d5515d908d68255faec3260845a
(3) session-state: No cached attributes
(3) # Executing section authorize from file /etc/raddb/sites-enabled/default
(3) authorize {
(3) policy filter_username {
(3) if (!&User-Name) {
(3) if (!&User-Name) -> FALSE
(3) if (&User-Name =~ / /) {
(3) if (&User-Name =~ / /) -> FALSE
(3) if (&User-Name =~ /@.*@/ ) {
(3) if (&User-Name =~ /@.*@/ ) -> FALSE
(3) if (&User-Name =~ /\.\./ ) {
(3) if (&User-Name =~ /\.\./ ) -> FALSE
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(3) if (&User-Name =~ /\.$/) {
(3) if (&User-Name =~ /\.$/) -> FALSE
(3) if (&User-Name =~ /@\./) {
(3) if (&User-Name =~ /@\./) -> FALSE
(3) } # policy filter_username = notfound
(3) [preprocess] = ok
(3) [digest] = noop
(3) suffix: Checking for suffix after "@"
(3) suffix: Looking up realm "ndtel.com" for User-Name = "alexm at ndtel.com"
(3) suffix: Found realm "ndtel.com"
(3) suffix: Adding Stripped-User-Name = "alexm"
(3) suffix: Adding Realm = "ndtel.com"
(3) suffix: Authentication realm is LOCAL
(3) [suffix] = ok
(3) eap: Peer sent EAP Response (code 2) ID 86 length 6
(3) eap: Continuing tunnel setup
(3) [eap] = ok
(3) } # authorize = ok
(3) Found Auth-Type = EAP
(3) # Executing group from file /etc/raddb/sites-enabled/default
(3) authenticate {
(3) eap: Expiring EAP session with state 0x2b53957529058cc5
(3) eap: Finished EAP session with state 0x2b53957529058cc5
(3) eap: Previous EAP request found for state 0x2b53957529058cc5, released from the list
(3) eap: Peer sent packet with method EAP PEAP (25)
(3) eap: Calling submodule eap_peap to process data
(3) eap_peap: Continuing EAP-TLS
(3) eap_peap: Peer ACKed our handshake fragment
(3) eap_peap: [eaptls verify] = request
(3) eap_peap: [eaptls process] = handled
(3) eap: Sending EAP Request (code 1) ID 87 length 686
(3) eap: EAP session adding &reply:State = 0x2b53957528048cc5
(3) [eap] = handled
(3) } # authenticate = handled
(3) Using Post-Auth-Type Challenge
(3) Post-Auth-Type sub-section not found. Ignoring.
(3) # Executing group from file /etc/raddb/sites-enabled/default
(3) Sent Access-Challenge Id 144 from 192.168.255.5:1812 to 192.168.255.112:51351 length 0
(3) EAP-Message = 0x015702ae19000101ff30360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e6f72672f6578616d706c655f63612e63726c300d06092a864886f70d01010505000382010100b707329146869fa84ff08f2d837b56ab01c7cf46e55fb12e73f7b6ca691d156b9074
(3) Message-Authenticator = 0x00000000000000000000000000000000
(3) State = 0x2b53957528048cc5b4eb6d412c1f1224
(3) Finished request
Waking up in 4.9 seconds.
(4) Received Access-Request Id 145 from 192.168.255.112:51351 to 192.168.255.5:1812 length 337
(4) User-Name = "alexm at ndtel.com"
(4) NAS-IP-Address = 192.168.255.112
(4) NAS-Identifier = "0418d620086c"
(4) NAS-Port = 0
(4) Called-Station-Id = "0E-18-D6-22-08-6C:NDTC Corporate 11x"
(4) Calling-Station-Id = "C4-85-08-F5-2C-10"
(4) Framed-MTU = 1400
(4) NAS-Port-Type = Wireless-802.11
(4) Connect-Info = "CONNECT 0Mbps 802.11b"
(4) EAP-Message = 0x02570090198000000086160301004610000042410455ca43a7135c4be04545956605bef0fc43060d7b6424b1a3a8695208df444e7bc01db682e6ac08edf16c67d3b65177079ad1b1ea38a836e644c5e62aea16c70b1403010001011603010030aba63c661b4e12a06cc03e8e8f1ffacecbf16db600a91b
(4) State = 0x2b53957528048cc5b4eb6d412c1f1224
(4) Message-Authenticator = 0x0cc3c5467a3f3f16ee6cba2fcb75eb36
(4) session-state: No cached attributes
(4) # Executing section authorize from file /etc/raddb/sites-enabled/default
(4) authorize {
(4) policy filter_username {
(4) if (!&User-Name) {
(4) if (!&User-Name) -> FALSE
(4) if (&User-Name =~ / /) {
(4) if (&User-Name =~ / /) -> FALSE
(4) if (&User-Name =~ /@.*@/ ) {
(4) if (&User-Name =~ /@.*@/ ) -> FALSE
(4) if (&User-Name =~ /\.\./ ) {
(4) if (&User-Name =~ /\.\./ ) -> FALSE
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(4) if (&User-Name =~ /\.$/) {
(4) if (&User-Name =~ /\.$/) -> FALSE
(4) if (&User-Name =~ /@\./) {
(4) if (&User-Name =~ /@\./) -> FALSE
(4) } # policy filter_username = notfound
(4) [preprocess] = ok
(4) [digest] = noop
(4) suffix: Checking for suffix after "@"
(4) suffix: Looking up realm "ndtel.com" for User-Name = "alexm at ndtel.com"
(4) suffix: Found realm "ndtel.com"
(4) suffix: Adding Stripped-User-Name = "alexm"
(4) suffix: Adding Realm = "ndtel.com"
(4) suffix: Authentication realm is LOCAL
(4) [suffix] = ok
(4) eap: Peer sent EAP Response (code 2) ID 87 length 144
(4) eap: Continuing tunnel setup
(4) [eap] = ok
(4) } # authorize = ok
(4) Found Auth-Type = EAP
(4) # Executing group from file /etc/raddb/sites-enabled/default
(4) authenticate {
(4) eap: Expiring EAP session with state 0x2b53957528048cc5
(4) eap: Finished EAP session with state 0x2b53957528048cc5
(4) eap: Previous EAP request found for state 0x2b53957528048cc5, released from the list
(4) eap: Peer sent packet with method EAP PEAP (25)
(4) eap: Calling submodule eap_peap to process data
(4) eap_peap: Continuing EAP-TLS
(4) eap_peap: Peer indicated complete TLS record size will be 134 bytes
(4) eap_peap: Got complete TLS record (134 bytes)
(4) eap_peap: [eaptls verify] = length included
(4) eap_peap: <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange
(4) eap_peap: TLS_accept: SSLv3 read client key exchange A
(4) eap_peap: <<< TLS 1.0 ChangeCipherSpec [length 0001]
(4) eap_peap: <<< TLS 1.0 Handshake [length 0010], Finished
(4) eap_peap: TLS_accept: SSLv3 read finished A
(4) eap_peap: >>> TLS 1.0 ChangeCipherSpec [length 0001]
(4) eap_peap: TLS_accept: SSLv3 write change cipher spec A
(4) eap_peap: >>> TLS 1.0 Handshake [length 0010], Finished
(4) eap_peap: TLS_accept: SSLv3 write finished A
(4) eap_peap: TLS_accept: SSLv3 flush data
(4) eap_peap: (other): SSL negotiation finished successfully
(4) eap_peap: SSL Connection Established
(4) eap_peap: [eaptls process] = handled
(4) eap: Sending EAP Request (code 1) ID 88 length 65
(4) eap: EAP session adding &reply:State = 0x2b5395752f0b8cc5
(4) [eap] = handled
(4) } # authenticate = handled
(4) Using Post-Auth-Type Challenge
(4) Post-Auth-Type sub-section not found. Ignoring.
(4) # Executing group from file /etc/raddb/sites-enabled/default
(4) Sent Access-Challenge Id 145 from 192.168.255.5:1812 to 192.168.255.112:51351 length 0
(4) EAP-Message = 0x0158004119001403010001011603010030a4cd503e6da77ff57e0056cb61bdcedf2749156a5e0e09557d2ef58df6677e67ddb4d3b38925d566b0f7e8cba57ff8f8
(4) Message-Authenticator = 0x00000000000000000000000000000000
(4) State = 0x2b5395752f0b8cc5b4eb6d412c1f1224
(4) Finished request
Waking up in 4.9 seconds.
(5) Received Access-Request Id 146 from 192.168.255.112:51351 to 192.168.255.5:1812 length 199
(5) User-Name = "alexm at ndtel.com"
(5) NAS-IP-Address = 192.168.255.112
(5) NAS-Identifier = "0418d620086c"
(5) NAS-Port = 0
(5) Called-Station-Id = "0E-18-D6-22-08-6C:NDTC Corporate 11x"
(5) Calling-Station-Id = "C4-85-08-F5-2C-10"
(5) Framed-MTU = 1400
(5) NAS-Port-Type = Wireless-802.11
(5) Connect-Info = "CONNECT 0Mbps 802.11b"
(5) EAP-Message = 0x025800061900
(5) State = 0x2b5395752f0b8cc5b4eb6d412c1f1224
(5) Message-Authenticator = 0x2698bbfc6ee24f44a45e0ec60b8c97bb
(5) session-state: No cached attributes
(5) # Executing section authorize from file /etc/raddb/sites-enabled/default
(5) authorize {
(5) policy filter_username {
(5) if (!&User-Name) {
(5) if (!&User-Name) -> FALSE
(5) if (&User-Name =~ / /) {
(5) if (&User-Name =~ / /) -> FALSE
(5) if (&User-Name =~ /@.*@/ ) {
(5) if (&User-Name =~ /@.*@/ ) -> FALSE
(5) if (&User-Name =~ /\.\./ ) {
(5) if (&User-Name =~ /\.\./ ) -> FALSE
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(5) if (&User-Name =~ /\.$/) {
(5) if (&User-Name =~ /\.$/) -> FALSE
(5) if (&User-Name =~ /@\./) {
(5) if (&User-Name =~ /@\./) -> FALSE
(5) } # policy filter_username = notfound
(5) [preprocess] = ok
(5) [digest] = noop
(5) suffix: Checking for suffix after "@"
(5) suffix: Looking up realm "ndtel.com" for User-Name = "alexm at ndtel.com"
(5) suffix: Found realm "ndtel.com"
(5) suffix: Adding Stripped-User-Name = "alexm"
(5) suffix: Adding Realm = "ndtel.com"
(5) suffix: Authentication realm is LOCAL
(5) [suffix] = ok
(5) eap: Peer sent EAP Response (code 2) ID 88 length 6
(5) eap: Continuing tunnel setup
(5) [eap] = ok
(5) } # authorize = ok
(5) Found Auth-Type = EAP
(5) # Executing group from file /etc/raddb/sites-enabled/default
(5) authenticate {
(5) eap: Expiring EAP session with state 0x2b5395752f0b8cc5
(5) eap: Finished EAP session with state 0x2b5395752f0b8cc5
(5) eap: Previous EAP request found for state 0x2b5395752f0b8cc5, released from the list
(5) eap: Peer sent packet with method EAP PEAP (25)
(5) eap: Calling submodule eap_peap to process data
(5) eap_peap: Continuing EAP-TLS
(5) eap_peap: Peer ACKed our handshake fragment. handshake is finished
(5) eap_peap: [eaptls verify] = success
(5) eap_peap: [eaptls process] = success
(5) eap_peap: Session established. Decoding tunneled attributes
(5) eap_peap: PEAP state TUNNEL ESTABLISHED
(5) eap: Sending EAP Request (code 1) ID 89 length 43
(5) eap: EAP session adding &reply:State = 0x2b5395752e0a8cc5
(5) [eap] = handled
(5) } # authenticate = handled
(5) Using Post-Auth-Type Challenge
(5) Post-Auth-Type sub-section not found. Ignoring.
(5) # Executing group from file /etc/raddb/sites-enabled/default
(5) Sent Access-Challenge Id 146 from 192.168.255.5:1812 to 192.168.255.112:51351 length 0
(5) EAP-Message = 0x0159002b1900170301002034aef62f575a790ac3ba19862d79f445a223065a3811dbcab04e90397978bafc
(5) Message-Authenticator = 0x00000000000000000000000000000000
(5) State = 0x2b5395752e0a8cc5b4eb6d412c1f1224
(5) Finished request
Waking up in 4.9 seconds.
(6) Received Access-Request Id 147 from 192.168.255.112:51351 to 192.168.255.5:1812 length 252
(6) User-Name = "alexm at ndtel.com"
(6) NAS-IP-Address = 192.168.255.112
(6) NAS-Identifier = "0418d620086c"
(6) NAS-Port = 0
(6) Called-Station-Id = "0E-18-D6-22-08-6C:NDTC Corporate 11x"
(6) Calling-Station-Id = "C4-85-08-F5-2C-10"
(6) Framed-MTU = 1400
(6) NAS-Port-Type = Wireless-802.11
(6) Connect-Info = "CONNECT 0Mbps 802.11b"
(6) EAP-Message = 0x0259003b19001703010030fa3bbb6faacd50c65acef4cceeda0df4a2477dbaf0d9ca50b4b2adbb2903ffd890689831552546f43061e6f54622e538
(6) State = 0x2b5395752e0a8cc5b4eb6d412c1f1224
(6) Message-Authenticator = 0x4f72249e337a17d25b4f292f9ea9d8f2
(6) session-state: No cached attributes
(6) # Executing section authorize from file /etc/raddb/sites-enabled/default
(6) authorize {
(6) policy filter_username {
(6) if (!&User-Name) {
(6) if (!&User-Name) -> FALSE
(6) if (&User-Name =~ / /) {
(6) if (&User-Name =~ / /) -> FALSE
(6) if (&User-Name =~ /@.*@/ ) {
(6) if (&User-Name =~ /@.*@/ ) -> FALSE
(6) if (&User-Name =~ /\.\./ ) {
(6) if (&User-Name =~ /\.\./ ) -> FALSE
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(6) if (&User-Name =~ /\.$/) {
(6) if (&User-Name =~ /\.$/) -> FALSE
(6) if (&User-Name =~ /@\./) {
(6) if (&User-Name =~ /@\./) -> FALSE
(6) } # policy filter_username = notfound
(6) [preprocess] = ok
(6) [digest] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: Looking up realm "ndtel.com" for User-Name = "alexm at ndtel.com"
(6) suffix: Found realm "ndtel.com"
(6) suffix: Adding Stripped-User-Name = "alexm"
(6) suffix: Adding Realm = "ndtel.com"
(6) suffix: Authentication realm is LOCAL
(6) [suffix] = ok
(6) eap: Peer sent EAP Response (code 2) ID 89 length 59
(6) eap: Continuing tunnel setup
(6) [eap] = ok
(6) } # authorize = ok
(6) Found Auth-Type = EAP
(6) # Executing group from file /etc/raddb/sites-enabled/default
(6) authenticate {
(6) eap: Expiring EAP session with state 0x2b5395752e0a8cc5
(6) eap: Finished EAP session with state 0x2b5395752e0a8cc5
(6) eap: Previous EAP request found for state 0x2b5395752e0a8cc5, released from the list
(6) eap: Peer sent packet with method EAP PEAP (25)
(6) eap: Calling submodule eap_peap to process data
(6) eap_peap: Continuing EAP-TLS
(6) eap_peap: [eaptls verify] = ok
(6) eap_peap: Done initial handshake
(6) eap_peap: [eaptls process] = ok
(6) eap_peap: Session established. Decoding tunneled attributes
(6) eap_peap: PEAP state WAITING FOR INNER IDENTITY
(6) eap_peap: Identity - alexm at ndtel.com
(6) eap_peap: Got inner identity 'alexm at ndtel.com'
(6) eap_peap: Setting default EAP type for tunneled EAP session
(6) eap_peap: Got tunneled request
(6) eap_peap: EAP-Message = 0x0259001401616c65786d406e6474656c2e636f6d
(6) eap_peap: Setting User-Name to alexm at ndtel.com
(6) eap_peap: Sending tunneled request to inner-tunnel
(6) eap_peap: EAP-Message = 0x0259001401616c65786d406e6474656c2e636f6d
(6) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(6) eap_peap: User-Name = "alexm at ndtel.com"
(6) Virtual server inner-tunnel received request
(6) EAP-Message = 0x0259001401616c65786d406e6474656c2e636f6d
(6) FreeRADIUS-Proxied-To = 127.0.0.1
(6) User-Name = "alexm at ndtel.com"
(6) server inner-tunnel {
(6) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
(6) authorize {
(6) [mschap] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: Looking up realm "ndtel.com" for User-Name = "alexm at ndtel.com"
(6) suffix: Found realm "ndtel.com"
(6) suffix: Adding Stripped-User-Name = "alexm"
(6) suffix: Adding Realm = "ndtel.com"
(6) suffix: Authentication realm is LOCAL
(6) [suffix] = ok
(6) update control {
(6) &Proxy-To-Realm := LOCAL
(6) } # update control = noop
(6) eap: Peer sent EAP Response (code 2) ID 89 length 20
(6) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(6) [eap] = ok
(6) } # authorize = ok
(6) Found Auth-Type = EAP
(6) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(6) authenticate {
(6) eap: Peer sent packet with method EAP Identity (1)
(6) eap: Calling submodule eap_mschapv2 to process data
(6) eap_mschapv2: Issuing Challenge
(6) eap: Sending EAP Request (code 1) ID 90 length 42
(6) eap: EAP session adding &reply:State = 0xf624fb83f67ee10e
(6) [eap] = handled
(6) } # authenticate = handled
(6) } # server inner-tunnel
(6) Virtual server sending reply
(6) EAP-Message = 0x015a002a1a015a002510f20c2d72f97808a7a844122e0208f35d667265657261646975732d332e302e39
(6) Message-Authenticator = 0x00000000000000000000000000000000
(6) State = 0xf624fb83f67ee10e1d676a0188257602
(6) eap_peap: Got tunneled reply code 11
(6) eap_peap: EAP-Message = 0x015a002a1a015a002510f20c2d72f97808a7a844122e0208f35d667265657261646975732d332e302e39
(6) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(6) eap_peap: State = 0xf624fb83f67ee10e1d676a0188257602
(6) eap_peap: Got tunneled reply RADIUS code 11
(6) eap_peap: EAP-Message = 0x015a002a1a015a002510f20c2d72f97808a7a844122e0208f35d667265657261646975732d332e302e39
(6) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(6) eap_peap: State = 0xf624fb83f67ee10e1d676a0188257602
(6) eap_peap: Got tunneled Access-Challenge
(6) eap: Sending EAP Request (code 1) ID 90 length 75
(6) eap: EAP session adding &reply:State = 0x2b5395752d098cc5
(6) [eap] = handled
(6) } # authenticate = handled
(6) Using Post-Auth-Type Challenge
(6) Post-Auth-Type sub-section not found. Ignoring.
(6) # Executing group from file /etc/raddb/sites-enabled/default
(6) Sent Access-Challenge Id 147 from 192.168.255.5:1812 to 192.168.255.112:51351 length 0
(6) EAP-Message = 0x015a004b190017030100401d3547312c7cd75375fc325fcd9b61cc8eaca97275259a317e33860f55923efa11fa6d01c8c671c4c6176ea78896e58d84aad593d17d8372c598c413faba6c1e
(6) Message-Authenticator = 0x00000000000000000000000000000000
(6) State = 0x2b5395752d098cc5b4eb6d412c1f1224
(6) Finished request
Waking up in 4.9 seconds.
(7) Received Access-Request Id 148 from 192.168.255.112:51351 to 192.168.255.5:1812 length 300
(7) User-Name = "alexm at ndtel.com"
(7) NAS-IP-Address = 192.168.255.112
(7) NAS-Identifier = "0418d620086c"
(7) NAS-Port = 0
(7) Called-Station-Id = "0E-18-D6-22-08-6C:NDTC Corporate 11x"
(7) Calling-Station-Id = "C4-85-08-F5-2C-10"
(7) Framed-MTU = 1400
(7) NAS-Port-Type = Wireless-802.11
(7) Connect-Info = "CONNECT 0Mbps 802.11b"
(7) EAP-Message = 0x025a006b19001703010060fb9cfd910dffbfe36a6c35d00b8a8f8eed0f3538749e722a1c8dcac3c6872a80380a472698c8503b7b97317016615ec22f2a3b39c99aeffd620ed4d8f86405908c7ed2345a349b00eaef972b79b5bc5b5cff84b7c76aecd76d1ed5879055965b
(7) State = 0x2b5395752d098cc5b4eb6d412c1f1224
(7) Message-Authenticator = 0xa36d8b1e8ea7282f6ba40ef571f556e6
(7) session-state: No cached attributes
(7) # Executing section authorize from file /etc/raddb/sites-enabled/default
(7) authorize {
(7) policy filter_username {
(7) if (!&User-Name) {
(7) if (!&User-Name) -> FALSE
(7) if (&User-Name =~ / /) {
(7) if (&User-Name =~ / /) -> FALSE
(7) if (&User-Name =~ /@.*@/ ) {
(7) if (&User-Name =~ /@.*@/ ) -> FALSE
(7) if (&User-Name =~ /\.\./ ) {
(7) if (&User-Name =~ /\.\./ ) -> FALSE
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(7) if (&User-Name =~ /\.$/) {
(7) if (&User-Name =~ /\.$/) -> FALSE
(7) if (&User-Name =~ /@\./) {
(7) if (&User-Name =~ /@\./) -> FALSE
(7) } # policy filter_username = notfound
(7) [preprocess] = ok
(7) [digest] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: Looking up realm "ndtel.com" for User-Name = "alexm at ndtel.com"
(7) suffix: Found realm "ndtel.com"
(7) suffix: Adding Stripped-User-Name = "alexm"
(7) suffix: Adding Realm = "ndtel.com"
(7) suffix: Authentication realm is LOCAL
(7) [suffix] = ok
(7) eap: Peer sent EAP Response (code 2) ID 90 length 107
(7) eap: Continuing tunnel setup
(7) [eap] = ok
(7) } # authorize = ok
(7) Found Auth-Type = EAP
(7) # Executing group from file /etc/raddb/sites-enabled/default
(7) authenticate {
(7) eap: Expiring EAP session with state 0xf624fb83f67ee10e
(7) eap: Finished EAP session with state 0x2b5395752d098cc5
(7) eap: Previous EAP request found for state 0x2b5395752d098cc5, released from the list
(7) eap: Peer sent packet with method EAP PEAP (25)
(7) eap: Calling submodule eap_peap to process data
(7) eap_peap: Continuing EAP-TLS
(7) eap_peap: [eaptls verify] = ok
(7) eap_peap: Done initial handshake
(7) eap_peap: [eaptls process] = ok
(7) eap_peap: Session established. Decoding tunneled attributes
(7) eap_peap: PEAP state phase2
(7) eap_peap: EAP method MSCHAPv2 (26)
(7) eap_peap: Got tunneled request
(7) eap_peap: EAP-Message =
0x025a004a1a025a004531c17f260aff8f5a75e22e9ed3383b33f2000000000000000063b3c01788f9019f61200d41d77ccc45c4623596563de07e00616c65786d406e6474656c2e636f6d
(7) eap_peap: Setting User-Name to alexm at ndtel.com
(7) eap_peap: Sending tunneled request to inner-tunnel
(7) eap_peap: EAP-Message =
0x025a004a1a025a004531c17f260aff8f5a75e22e9ed3383b33f2000000000000000063b3c01788f9019f61200d41d77ccc45c4623596563de07e00616c65786d406e6474656c2e636f6d
(7) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(7) eap_peap: User-Name = "alexm at ndtel.com"
(7) eap_peap: State = 0xf624fb83f67ee10e1d676a0188257602
(7) Virtual server inner-tunnel received request
(7) EAP-Message =
0x025a004a1a025a004531c17f260aff8f5a75e22e9ed3383b33f2000000000000000063b3c01788f9019f61200d41d77ccc45c4623596563de07e00616c65786d406e6474656c2e636f6d
(7) FreeRADIUS-Proxied-To = 127.0.0.1
(7) User-Name = "alexm at ndtel.com"
(7) State = 0xf624fb83f67ee10e1d676a0188257602
(7) server inner-tunnel {
(7) session-state: No cached attributes
(7) # Executing section authorize from file
/etc/raddb/sites-enabled/inner-tunnel
(7) authorize {
(7) [mschap] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: Looking up realm "ndtel.com" for User-Name = "alexm at ndtel.com"
(7) suffix: Found realm "ndtel.com"
(7) suffix: Adding Stripped-User-Name = "alexm"
(7) suffix: Adding Realm = "ndtel.com"
(7) suffix: Authentication realm is LOCAL
(7) [suffix] = ok
(7) update control {
(7) &Proxy-To-Realm := LOCAL
(7) } # update control = noop
(7) eap: Peer sent EAP Response (code 2) ID 90 length 74
(7) eap: No EAP Start, assuming it's an on-going EAP conversation
(7) [eap] = updated
rlm_ldap (ldap): Reserved connection (0)
(7) ldap: EXPAND (uid=%{User-Name})
(7) ldap: --> (uid=alexm at ndtel.com)
(7) ldap: Performing search in "ou=ndtel,o=ndtc" with filter
"(uid=alexm at ndtel.com)", scope "sub"
(7) ldap: Waiting for search result...
(7) ldap: User object found at DN "uid=alexm at ndtel.com,ou=ndtel,o=ndtc"
(7) ldap: Processing user attributes
(7) ldap: control:Password-With-Header +=
'CF1189B22D7E43F062F8E1A4AE1B8418'
rlm_ldap (ldap): Released connection (0)
rlm_ldap (ldap): 0 of 5 connections in use. Need more spares
rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending
slots used
rlm_ldap (ldap): Connecting to ldap://66.163.129.140:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(7) [ldap] = updated
(7) [expiration] = noop
(7) [logintime] = noop
(7) pap: No {...} in Password-With-Header, re-writing to Cleartext-Password
(7) pap: Removing &control:Password-With-Header
(7) pap: WARNING: Auth-Type already set. Not setting to PAP
(7) [pap] = noop
(7) } # authorize = updated
(7) Found Auth-Type = EAP
(7) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(7) authenticate {
(7) eap: Expiring EAP session with state 0xf624fb83f67ee10e
(7) eap: Finished EAP session with state 0xf624fb83f67ee10e
(7) eap: Previous EAP request found for state 0xf624fb83f67ee10e,
released from the list
(7) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(7) eap: Calling submodule eap_mschapv2 to process data
(7) eap_mschapv2: # Executing group from file
/etc/raddb/sites-enabled/inner-tunnel
(7) eap_mschapv2: Auth-Type MS-CHAP {
(7) mschap: Found Cleartext-Password, hashing to create NT-Password
(7) mschap: Found Cleartext-Password, hashing to create LM-Password
(7) mschap: Creating challenge hash with username: alexm at ndtel.com
(7) mschap: Client is using MS-CHAPv2
(7) mschap: ERROR: MS-CHAP2-Response is incorrect
(7) [mschap] = reject
(7) } # Auth-Type MS-CHAP = reject
(7) MSCHAP-Error: ZE=691 R=1
(7) Could not parse new challenge from MS-CHAP-Error: 2
(7) ERROR: MSCHAP Failure
(7) eap: Sending EAP Request (code 1) ID 91 length 18
(7) eap: EAP session adding &reply:State = 0xf624fb83f77fe10e
(7) [eap] = handled
(7) } # authenticate = handled
(7) } # server inner-tunnel
(7) Virtual server sending reply
(7) EAP-Message = 0x015b00121a045a000d453d36393120523d31
(7) Message-Authenticator = 0x00000000000000000000000000000000
(7) State = 0xf624fb83f77fe10e1d676a0188257602
(7) eap_peap: Got tunneled reply code 11
(7) eap_peap: EAP-Message = 0x015b00121a045a000d453d36393120523d31
(7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(7) eap_peap: State = 0xf624fb83f77fe10e1d676a0188257602
(7) eap_peap: Got tunneled reply RADIUS code 11
(7) eap_peap: EAP-Message = 0x015b00121a045a000d453d36393120523d31
(7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(7) eap_peap: State = 0xf624fb83f77fe10e1d676a0188257602
(7) eap_peap: Got tunneled Access-Challenge
(7) eap: Sending EAP Request (code 1) ID 91 length 59
(7) eap: EAP session adding &reply:State = 0x2b5395752c088cc5
(7) [eap] = handled
(7) } # authenticate = handled
(7) Using Post-Auth-Type Challenge
(7) Post-Auth-Type sub-section not found. Ignoring.
(7) # Executing group from file /etc/raddb/sites-enabled/default
(7) Sent Access-Challenge Id 148 from 192.168.255.5:1812 to
192.168.255.112:51351 length 0
(7) EAP-Message =
0x015b003b19001703010030c12e30aa61c15629dac014d387dadd7ccaa4f9a143aec072484f5f5c2258d6a8e949dbb905ab5b7ddd126b0e2b0d6a5e
(7) Message-Authenticator = 0x00000000000000000000000000000000
(7) State = 0x2b5395752c088cc5b4eb6d412c1f1224
(7) Finished request
Waking up in 4.9 seconds.
(0) <done>: Cleaning up request packet ID 141 with timestamp +27
(1) <done>: Cleaning up request packet ID 142 with timestamp +27
(2) <done>: Cleaning up request packet ID 143 with timestamp +27
(3) <done>: Cleaning up request packet ID 144 with timestamp +27
(4) <done>: Cleaning up request packet ID 145 with timestamp +27
(5) <done>: Cleaning up request packet ID 146 with timestamp +27
(6) <done>: Cleaning up request packet ID 147 with timestamp +27
(7) <done>: Cleaning up request packet ID 148 with timestamp +27
Ready to process requests