Unable to authenticate a user
TOURE Amidou Florian
amidoufloriantoure at yahoo.fr
Wed May 11 21:07:44 CEST 2016
Hi all, I'm using a NAC solution which is PacketFence and I want to authenticate an Active Directory user, but I got these 3 specific errors, please I need help:

(16) mschap: ERROR: Program returned code (1) and output 'Logon failure (0xc000006d)'
(16) mschap: External script failed
(16) mschap: ERROR: External script says: Logon failure (0xc000006d)
(16) mschap: ERROR: MS-CHAP2-Response is incorrect
And this is my full radius debug file:

FreeRADIUS-Proxied-To = 127.0.0.1
(21) User-Name = "Administrateur"
(21) State = 0x42fe33fd42f7296034bd9bd88f2ca30f
(21) Service-Type = Framed-User
(21) Framed-MTU = 1500
(21) Calling-Station-Id := "00:40:d0:67:d0:b1"
(21) Cisco-AVPair = "audit-session-id=C0A801050000003200BCDD37"
(21) NAS-Port-Type = Ethernet
(21) NAS-Port = 50003
(21) NAS-Port-Id = "FastEthernet0/3"
(21) NAS-IP-Address = 192.168.1.5
(21) Called-Station-Id := "ec:44:76:87:f0:83"
(21) Event-Timestamp = "May 10 2016 16:57:28 CEST"
(21) WARNING: Outer and inner identities are the same. User privacy is compromised.
(21) server packetfence-tunnel {
(21) session-state: No cached attributes
(21) # Executing section authorize from file /usr/local/pf/raddb//sites-enabled/packetfence-tunnel
(21) authorize {
(21) policy filter_username {
(21) if (&User-Name) {
(21) if (&User-Name) -> TRUE
(21) if (&User-Name) {
(21) if (&User-Name =~ / /) {
(21) if (&User-Name =~ / /) -> FALSE
(21) if (&User-Name =~ /@[^@]*@/ ) {
(21) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(21) if (&User-Name =~ /\.\./ ) {
(21) if (&User-Name =~ /\.\./ ) -> FALSE
(21) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(21) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(21) if (&User-Name =~ /\.$/) {
(21) if (&User-Name =~ /\.$/) -> FALSE
(21) if (&User-Name =~ /@\./) {
(21) if (&User-Name =~ /@\./) -> FALSE
(21) } # if (&User-Name) = notfound
(21) } # policy filter_username = notfound
(21) [mschap] = noop
(21) suffix: Checking for suffix after "@"
(21) suffix: No '@' in User-Name = "Administrateur", skipping NULL due to config.
(21) [suffix] = noop
(21) ntdomain: Checking for prefix before "\"
(21) ntdomain: No '\' in User-Name = "Administrateur", looking up realm NULL
(21) ntdomain: No such realm "NULL"
(21) [ntdomain] = noop
(21) update control {
(21) &Proxy-To-Realm := LOCAL
(21) } # update control = noop
(21) eap: Peer sent EAP Response (code 2) ID 9 length 73
(21) eap: No EAP Start, assuming it's an on-going EAP conversation
(21) [eap] = updated
(21) policy rewrite_called_station_id {
(21) if ((&Called-Station-Id) && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i)) {
(21) if ((&Called-Station-Id) && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i)) -> TRUE
(21) if ((&Called-Station-Id) && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i)) {
(21) update request {
(21) &Called-Station-Id !* ANY
(21) EXPAND %{tolower:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(21) --> ec:44:76:87:f0:83
(21) &Called-Station-Id := ec:44:76:87:f0:83
(21) } # update request = noop
(21) if ("%{8}") {
(21) EXPAND %{8}
(21) -->
(21) if ("%{8}") -> FALSE
(21) elsif ( (Colubris-AVPair) && "%{Colubris-AVPair}" =~ /^ssid=(.*)$/i) {
(21) elsif ( (Colubris-AVPair) && "%{Colubris-AVPair}" =~ /^ssid=(.*)$/i) -> FALSE
(21) elsif (Aruba-Essid-Name) {
(21) elsif (Aruba-Essid-Name) -> FALSE
(21) elsif ( (Cisco-AVPair) && "%{Cisco-AVPair}" =~ /^ssid=(.*)$/i) {
(21) EXPAND %{Cisco-AVPair}
(21) --> audit-session-id=C0A801050000003200BCDD37
(21) elsif ( (Cisco-AVPair) && "%{Cisco-AVPair}" =~ /^ssid=(.*)$/i) -> FALSE
(21) [updated] = updated
(21) } # if ((&Called-Station-Id) && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i)) = updated
(21) ... skipping else for request 21: Preceding "if" was taken
(21) } # policy rewrite_called_station_id = updated
(21) [pap] = noop
(21) } # authorize = updated
(21) Found Auth-Type = eap
(21) # Executing group from file /usr/local/pf/raddb//sites-enabled/packetfence-tunnel
(21) authenticate {
(21) eap: Expiring EAP session with state 0x42fe33fd42f72960
(21) eap: Finished EAP session with state 0x42fe33fd42f72960
(21) eap: Previous EAP request found for state 0x42fe33fd42f72960, released from the list
(21) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(21) eap: Calling submodule eap_mschapv2 to process data
(21) eap_mschapv2: # Executing group from file /usr/local/pf/raddb//sites-enabled/packetfence-tunnel
(21) eap_mschapv2: Auth-Type MS-CHAP {
(21) packetfence: $RAD_REQUEST{'User-Name'} = &request:User-Name -> 'Administrateur'
(21) packetfence: $RAD_REQUEST{'NAS-IP-Address'} = &request:NAS-IP-Address -> '192.168.1.5'
(21) packetfence: $RAD_REQUEST{'NAS-Port'} = &request:NAS-Port -> '50003'
(21) packetfence: $RAD_REQUEST{'Service-Type'} = &request:Service-Type -> 'Framed-User'
(21) packetfence: $RAD_REQUEST{'Framed-MTU'} = &request:Framed-MTU -> '1500'
(21) packetfence: $RAD_REQUEST{'State'} = &request:State -> '0x42fe33fd42f7296034bd9bd88f2ca30f'
(21) packetfence: $RAD_REQUEST{'Called-Station-Id'} = &request:Called-Station-Id -> 'ec:44:76:87:f0:83'
(21) packetfence: $RAD_REQUEST{'Calling-Station-Id'} = &request:Calling-Station-Id -> '00:40:d0:67:d0:b1'
(21) packetfence: $RAD_REQUEST{'NAS-Port-Type'} = &request:NAS-Port-Type -> 'Ethernet'
(21) packetfence: $RAD_REQUEST{'Event-Timestamp'} = &request:Event-Timestamp -> 'May 10 2016 16:57:28 CEST'
(21) packetfence: $RAD_REQUEST{'EAP-Message'} = &request:EAP-Message -> '0x020900491a0209004431eb4ca34aee1ad514b736c229c9e0798a0000000000000000fa1cb5436a574339be984a38670c37bd8554f4e5afe4a1410041646d696e697374726174657572'
(21) packetfence: $RAD_REQUEST{'NAS-Port-Id'} = &request:NAS-Port-Id -> 'FastEthernet0/3'
(21) packetfence: $RAD_REQUEST{'Cisco-AVPair'} = &request:Cisco-AVPair -> 'audit-session-id=C0A801050000003200BCDD37'
(21) packetfence: $RAD_REQUEST{'FreeRADIUS-Proxied-To'} = &request:FreeRADIUS-Proxied-To -> '127.0.0.1'
(21) packetfence: $RAD_REQUEST{'MS-CHAP-Challenge'} = &request:MS-CHAP-Challenge -> '0xc3bbd40002f9ff77a7078554def335eb'
(21) packetfence: $RAD_REQUEST{'MS-CHAP2-Response'} = &request:MS-CHAP2-Response -> '0x0964eb4ca34aee1ad514b736c229c9e0798a0000000000000000fa1cb5436a574339be984a38670c37bd8554f4e5afe4a141'
(21) packetfence: $RAD_REQUEST{'EAP-Type'} = &request:EAP-Type -> 'MSCHAPv2'
(21) packetfence: $RAD_REQUEST{'MS-CHAP-User-Name'} = &request:MS-CHAP-User-Name -> 'Administrateur'
(21) packetfence: $RAD_CHECK{'Auth-Type'} = &control:Auth-Type -> 'eap'
(21) packetfence: $RAD_CHECK{'Proxy-To-Realm'} = &control:Proxy-To-Realm -> 'LOCAL'
(21) packetfence: $RAD_CONFIG{'Auth-Type'} = &control:Auth-Type -> 'eap'
(21) packetfence: $RAD_CONFIG{'Proxy-To-Realm'} = &control:Proxy-To-Realm -> 'LOCAL'
(21) packetfence: &request:NAS-Port-Type = $RAD_REQUEST{'NAS-Port-Type'} -> 'Ethernet'
(21) packetfence: &request:Service-Type = $RAD_REQUEST{'Service-Type'} -> 'Framed-User'
(21) packetfence: &request:Called-Station-Id = $RAD_REQUEST{'Called-Station-Id'} -> 'ec:44:76:87:f0:83'
(21) packetfence: &request:State = $RAD_REQUEST{'State'} -> '0x42fe33fd42f7296034bd9bd88f2ca30f'
(21) packetfence: &request:FreeRADIUS-Proxied-To = $RAD_REQUEST{'FreeRADIUS-Proxied-To'} -> '127.0.0.1'
(21) packetfence: &request:EAP-Type = $RAD_REQUEST{'EAP-Type'} -> 'MSCHAPv2'
(21) packetfence: &request:NAS-IP-Address = $RAD_REQUEST{'NAS-IP-Address'} -> '192.168.1.5'
(21) packetfence: &request:NAS-Port-Id = $RAD_REQUEST{'NAS-Port-Id'} -> 'FastEthernet0/3'
(21) packetfence: &request:Calling-Station-Id = $RAD_REQUEST{'Calling-Station-Id'} -> '00:40:d0:67:d0:b1'
(21) packetfence: &request:MS-CHAP-User-Name = $RAD_REQUEST{'MS-CHAP-User-Name'} -> 'Administrateur'
(21) packetfence: &request:MS-CHAP-Challenge = $RAD_REQUEST{'MS-CHAP-Challenge'} -> '0xc3bbd40002f9ff77a7078554def335eb'
(21) packetfence: &request:Cisco-AVPair = $RAD_REQUEST{'Cisco-AVPair'} -> 'audit-session-id=C0A801050000003200BCDD37'
(21) packetfence: &request:User-Name = $RAD_REQUEST{'User-Name'} -> 'Administrateur'
(21) packetfence: &request:Event-Timestamp = $RAD_REQUEST{'Event-Timestamp'} -> 'May 10 2016 16:57:28 CEST'
(21) packetfence: &request:EAP-Message = $RAD_REQUEST{'EAP-Message'} -> '0x020900491a0209004431eb4ca34aee1ad514b736c229c9e0798a0000000000000000fa1cb5436a574339be984a38670c37bd8554f4e5afe4a1410041646d696e697374726174657572'
(21) packetfence: &request:MS-CHAP2-Response = $RAD_REQUEST{'MS-CHAP2-Response'} -> '0x0964eb4ca34aee1ad514b736c229c9e0798a0000000000000000fa1cb5436a574339be984a38670c37bd8554f4e5afe4a141'
(21) packetfence: &request:NAS-Port = $RAD_REQUEST{'NAS-Port'} -> '50003'
(21) packetfence: &request:Framed-MTU = $RAD_REQUEST{'Framed-MTU'} -> '1500'
(21) packetfence: &control:Auth-Type = $RAD_CHECK{'Auth-Type'} -> 'eap'
(21) packetfence: &control:Proxy-To-Realm = $RAD_CHECK{'Proxy-To-Realm'} -> 'LOCAL'
(21) [packetfence] = noop
(21) if (PacketFence-Domain) {
(21) if (PacketFence-Domain) -> FALSE
(21) else {
(21) mschap: Creating challenge hash with username: Administrateur
(21) mschap: Client is using MS-CHAPv2
(21) mschap: Executing: /usr/local/pf/bin/ntlm_auth_wrapper -- --request-nt-key --username=%{%{Stripped-User-Name}:-%{mschap:User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}:
(21) mschap: EXPAND --username=%{%{Stripped-User-Name}:-%{mschap:User-Name:-None}}
(21) mschap: --> --username=Administrateur
(21) mschap: Creating challenge hash with username: Administrateur
(21) mschap: EXPAND --challenge=%{mschap:Challenge:-00}
(21) mschap: --> --challenge=c330d9e5a3d1ecdf
(21) mschap: EXPAND --nt-response=%{mschap:NT-Response:-00}
(21) mschap: --> --nt-response=fa1cb5436a574339be984a38670c37bd8554f4e5afe4a141
(21) mschap: ERROR: Abnormal child exit: No error
(21) mschap: External script failed
(21) mschap: ERROR: External script says: Logon failure (0xc000006d)
(21) mschap: ERROR: MS-CHAP2-Response is incorrect
(21) [mschap] = reject
(21) } # else = reject
(21) } # Auth-Type MS-CHAP = reject
(21) eap: Sending EAP Failure (code 4) ID 9 length 4
(21) eap: Freeing handler
(21) [eap] = reject
(21) } # authenticate = reject
(21) Failed to authenticate the user
(21) Login incorrect (mschap: Abnormal child exit: No error): [Administrateur] (from client 192.168.1.5 port 50003 cli 00:40:d0:67:d0:b1 via TLS tunnel)
(21) Using Post-Auth-Type Reject
(21) # Executing group from file /usr/local/pf/raddb//sites-enabled/packetfence-tunnel
(21) Post-Auth-Type REJECT {
(21) policy request-timing {
(21) if (control:PacketFence-Request-Time != 0) {
(21) ERROR: Failed retrieving values required to evaluate condition
(21) } # policy request-timing = noop
(21) sql_reject: EXPAND type.reject.query
(21) sql_reject: --> type.reject.query
(21) sql_reject: Using query template 'query'
rlm_sql (sql): Reserved connection (6)
(21) sql_reject: EXPAND %{User-Name}
(21) sql_reject: --> Administrateur
(21) sql_reject: SQL-User-Name set to 'Administrateur'
(21) sql_reject: EXPAND INSERT INTO radius_audit_log ( mac, ip, computer_name, user_name, stripped_user_name, realm, event_type, switch_id, switch_mac, switch_ip_address, radius_source_ip_address, called_station_id, calling_station_id, nas_port_type, ssid, nas_port_id, ifindex, nas_port, connection_type, nas_ip_address, nas_identifier, auth_status, reason, auth_type, eap_type, role, node_status, profile, source, auto_reg, is_phone, pf_domain, uuid, radius_request, radius_reply, request_time) VALUES ( '%{request:Calling-Station-Id}', '%{request:Framed-IP-Address}', '%{%{control:PacketFence-Computer-Name}:-N/A}', '%{request:User-Name}', '%{request:Stripped-User-Name}', '%{request:Realm}', 'Radius-Access-Request', '%{%{control:PacketFence-Switch-Id}:-N/A}', '%{%{control:PacketFence-Switch-Mac}:-N/A}', '%{%{control:PacketFence-Switch-Ip-Address}:-N/A}', '%{Packet-Src-IP-Address}', '%{request:Called-Station-Id}', '%{request:Calling-Station-Id}', '%{request:NAS-Port-Type}', '%{request:Called-Station-SSID}', '%{request:NAS-Port-Id}', '%{%{control:PacketFence-IfIndex}:-N/A}', '%{request:NAS-Port}', '%{%{control:PacketFence-Connection-Type}:-N/A}', '%{request:NAS-IP-Address}', '%{request:NAS-Identifier}', 'Reject', '%{request:Module-Failure-Message}', '%{control:Auth-Type}', '%{request:EAP-Type}', '%{%{control:PacketFence-Role}:-N/A}', '%{%{control:PacketFence-Status}:-N/A}', '%{%{control:PacketFence-Profile}:-N/A}', '%{%{control:PacketFence-Source}:-N/A}', '%{%{control:PacketFence-AutoReg}:-N/A}', '%{%{control:PacketFence-IsPhone}:-N/A}', '%{request:PacketFence-Domain}', '', '%{pairs:&request:[*]}','%{pairs:&reply:[*]}', '%{%{control:PacketFence-Request-Time}:-N/A}')
(21) sql_reject: --> INSERT INTO radius_audit_log ( mac, ip, computer_name, user_name, stripped_user_name, realm, event_type, switch_id, switch_mac, switch_ip_address, radius_source_ip_address, called_station_id, calling_station_id, nas_port_type, ssid, nas_port_id, ifindex, nas_port, connection_type, nas_ip_address, nas_identifier, auth_status, reason, auth_type, eap_type, role, node_status, profile, source, auto_reg, is_phone, pf_domain, uuid, radius_request, radius_reply, request_time) VALUES ( '00:40:d0:67:d0:b1', '', 'N/A', 'Administrateur', '', '', 'Radius-Access-Request', 'N/A', 'N/A', 'N/A', '192.168.1.5', 'ec:44:76:87:f0:83', '00:40:d0:67:d0:b1', 'Ethernet', '', 'FastEthernet0/3', 'N/A', '50003', 'N/A', '192.168.1.5', '', 'Reject', 'mschap: Abnormal child exit: No error', 'eap', 'MSCHAPv2', 'N/A', 'N/A', 'N/A', 'N/A', 'N/A', 'N/A', '', '', 'NAS-Port-Type =3D Ethernet=2C Service-Type =3D Framed-User=2C Called-Station-Id =3D =22ec:44:76:87:f0:83=22=2C State =3D 0x42fe33fd42f7296034bd9bd88f2ca30f=2C FreeRADIUS-Proxied-To =3D 127.0.0.1=2C EAP-Type =3D MSCHAPv2=2C NAS-IP-Address =3D 192.168.1.5=2C NAS-Port-Id =3D =22FastEthernet0/3=22=2C Calling-Station-Id =3D =2200:40:d0:67:d0:b1=22=2C MS-CHAP-User-Name =3D =22Administrateur=22=2C MS-CHAP-Challenge =3D 0xc3bbd40002f9ff77a7078554def335eb=2C Cisco-AVPair =3D =22audit-session-id=3DC0A801050000003200BCDD37=22=2C User-Name =3D =22Administrateur=22=2C Event-Timestamp =3D =22May 10 2016 16:57:28 CEST=22=2C EAP-Message =3D 0x020900491a0209004431eb4ca34aee1ad514b736c229c9e0798a0000000000000000fa1cb5436a574339be984a38670c37bd8554f4e5afe4a1410041646d696e697374726174657572=2C MS-CHAP2-Response =3D 0x0964eb4ca34aee1ad514b736c229c9e0798a0000000000000000fa1cb5436a574339be984a38670c37bd8554f4e5afe4a141=2C NAS-Port =3D 50003=2C Framed-MTU =3D 1500=2C Module-Failure-Message =3D =22mschap: Abnormal child exit: No error=22=2C Module-Failure-Message =3D =22mschap: External script says: Logon failure =280xc000006d=29=22=2C Module-Failure-Message =3D =22mschap: MS-CHAP2-Response is incorrect=22=2C Module-Failure-Message =3D =22Failed retrieving values required to evaluate condition=22=2C SQL-User-Name =3D =22Administrateur=22','MS-CHAP-Error =3D =22=5CtE=3D691 R=3D0 C=3D45ea37e23aa1e0bb6635a42ede246a62 V=3D3 M=3DAuthentication failed=22=2C EAP-Message =3D 0x04090004=2C Message-Authenticator =3D 0x00000000000000000000000000000000', 'N/A')
(21) sql_reject: Executing query: INSERT INTO radius_audit_log ( mac, ip, computer_name, user_name, stripped_user_name, realm, event_type, switch_id, switch_mac, switch_ip_address, radius_source_ip_address, called_station_id, calling_station_id, nas_port_type, ssid, nas_port_id, ifindex, nas_port, connection_type, nas_ip_address, nas_identifier, auth_status, reason, auth_type, eap_type, role, node_status, profile, source, auto_reg, is_phone, pf_domain, uuid, radius_request, radius_reply, request_time) VALUES ( '00:40:d0:67:d0:b1', '', 'N/A', 'Administrateur', '', '', 'Radius-Access-Request', 'N/A', 'N/A', 'N/A', '192.168.1.5', 'ec:44:76:87:f0:83', '00:40:d0:67:d0:b1', 'Ethernet', '', 'FastEthernet0/3', 'N/A', '50003', 'N/A', '192.168.1.5', '', 'Reject', 'mschap: Abnormal child exit: No error', 'eap', 'MSCHAPv2', 'N/A', 'N/A', 'N/A', 'N/A', 'N/A', 'N/A', '', '', 'NAS-Port-Type =3D Ethernet=2C Service-Type =3D Framed-User=2C Called-Station-Id =3D =22ec:44:76:87:f0:83=22=2C State =3D 0x42fe33fd42f7296034bd9bd88f2ca30f=2C FreeRADIUS-Proxied-To =3D 127.0.0.1=2C EAP-Type =3D MSCHAPv2=2C NAS-IP-Address =3D 192.168.1.5=2C NAS-Port-Id =3D =22FastEthernet0/3=22=2C Calling-Station-Id =3D =2200:40:d0:67:d0:b1=22=2C MS-CHAP-User-Name =3D =22Administrateur=22=2C MS-CHAP-Challenge =3D 0xc3bbd40002f9ff77a7078554def335eb=2C Cisco-AVPair =3D =22audit-session-id=3DC0A801050000003200BCDD37=22=2C User-Name =3D =22Administrateur=22=2C Event-Timestamp =3D =22May 10 2016 16:57:28 CEST=22=2C EAP-Message =3D 0x020900491a0209004431eb4ca34aee1ad514b736c229c9e0798a0000000000000000fa1cb5436a574339be984a38670c37bd8554f4e5afe4a1410041646d696e697374726174657572=2C MS-CHAP2-Response =3D 0x0964eb4ca34aee1ad514b736c229c9e0798a0000000000000000fa1cb5436a574339be984a38670c37bd8554f4e5afe4a141=2C NAS-Port =3D 50003=2C Framed-MTU =3D 1500=2C Module-Failure-Message =3D =22mschap: Abnormal child exit: No error=22=2C Module-Failure-Message =3D =22mschap: External script says: Logon failure =280xc000006d=29=22=2C Module-Failure-Message =3D =22mschap: MS-CHAP2-Response is incorrect=22=2C Module-Failure-Message =3D =22Failed retrieving values required to evaluate condition=22=2C SQL-User-Name =3D =22Administrateur=22','MS-CHAP-Error =3D =22=5CtE=3D691 R=3D0 C=3D45ea37e23aa1e0bb6635a42ede246a62 V=3D3 M=3DAuthentication failed=22=2C EAP-Message =3D 0x04090004=2C Message-Authenticator =3D 0x00000000000000000000000000000000', 'N/A')
(21) sql_reject: SQL query returned: success
(21) sql_reject: 1 record(s) updated
rlm_sql (sql): Released connection (6)
rlm_sql (sql): Need 1 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (8), 1 of 62 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'pf' on Localhost via UNIX socket, server version 5.1.73, protocol version 10
(21) [sql_reject] = ok
(21) attr_filter.access_reject: EXPAND %{User-Name}
(21) attr_filter.access_reject: --> Administrateur
(21) attr_filter.access_reject: Matched entry DEFAULT at line 11
(21) [attr_filter.access_reject] = updated
(21) update outer.session-state {
(21) &Module-Failure-Message := &request:Module-Failure-Message -> 'mschap: Abnormal child exit: No error'
(21) } # update outer.session-state = noop
(21) } # Post-Auth-Type REJECT = updated
(21) } # server packetfence-tunnel
(21) Virtual server sending reply
(21) MS-CHAP-Error = "\tE=691 R=0 C=45ea37e23aa1e0bb6635a42ede246a62 V=3 M=Authentication failed"
(21) EAP-Message = 0x04090004
(21) Message-Authenticator = 0x00000000000000000000000000000000
(21) eap_peap: Got tunneled reply code 3
(21) eap_peap: MS-CHAP-Error = "\tE=691 R=0 C=45ea37e23aa1e0bb6635a42ede246a62 V=3 M=Authentication failed"
(21) eap_peap: EAP-Message = 0x04090004
(21) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(21) eap_peap: Got tunneled reply RADIUS code 3
(21) eap_peap: MS-CHAP-Error = "\tE=691 R=0 C=45ea37e23aa1e0bb6635a42ede246a62 V=3 M=Authentication failed"
(21) eap_peap: EAP-Message = 0x04090004
(21) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(21) eap_peap: Tunneled authentication was rejected
(21) eap_peap: FAILURE
(21) eap: Sending EAP Request (code 1) ID 10 length 43
(21) eap: EAP session adding &reply:State = 0x951d7ff092176631
(21) [eap] = handled
(21) } # authenticate = handled
(21) Using Post-Auth-Type Challenge
(21) Post-Auth-Type sub-section not found. Ignoring.
(21) # Executing group from file /usr/local/pf/raddb//sites-enabled/packetfence
(21) session-state: Saving cached attributes
(21) Module-Failure-Message := "mschap: Abnormal child exit: No error"
(21) Sent Access-Challenge Id 232 from 192.168.10.1:1812 to 192.168.1.5:1645 length 0
(21) EAP-Message = 0x010a002b190017030100201ed3bed6b95fc062e4214f5873237f64dd93b7c3d63baf0b3d3f4768bb2e1c53
(21) Message-Authenticator = 0x00000000000000000000000000000000
(21) State = 0x951d7ff092176631b7716540afc4a8a1
(21) Finished request
Waking up in 4.8 seconds.
(22) Received Access-Request Id 233 from 192.168.1.5:1645 to 192.168.10.1:1812 length 251
(22) User-Name = "Administrateur"
(22) Service-Type = Framed-User
(22) Framed-MTU = 1500
(22) Called-Station-Id = "EC-44-76-87-F0-83"
(22) Calling-Station-Id = "00-40-D0-67-D0-B1"
(22) EAP-Message = 0x020a002b190017030100208dd4569e8656380cf464c8a46b0823720880d6c90e1207ec982375a8254bc4ff
(22) Message-Authenticator = 0xaae91e23d504d18abb24df64cae111ce
(22) Cisco-AVPair = "audit-session-id=C0A801050000003200BCDD37"
(22) NAS-Port-Type = Ethernet
(22) NAS-Port = 50003
(22) NAS-Port-Id = "FastEthernet0/3"
(22) State = 0x951d7ff092176631b7716540afc4a8a1
(22) NAS-IP-Address = 192.168.1.5
(22) Restoring &session-state
(22) &session-state:Module-Failure-Message := "mschap: Abnormal child exit: No error"
(22) # Executing section authorize from file /usr/local/pf/raddb//sites-enabled/packetfence
(22) authorize {
(22) update {
(22) EXPAND %{Packet-Src-IP-Address}
(22) --> 192.168.1.5
(22) &request:FreeRADIUS-Client-IP-Address := 192.168.1.5
(22) &control:PacketFence-RPC-Server = 127.0.0.1
(22) &control:PacketFence-RPC-Port = 7070
(22) &control:PacketFence-RPC-User =
(22) &control:PacketFence-RPC-Pass =
(22) &control:PacketFence-RPC-Proto = http
(22) EXPAND %l
(22) --> 1462892248
(22) &control:Tmp-Integer-0 := 1462892248
(22) &control:PacketFence-Request-Time := 0
(22) } # update = noop
(22) policy rewrite_calling_station_id {
(22) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(22) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(22) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(22) update request {
(22) EXPAND %{tolower:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(22) --> 00:40:d0:67:d0:b1
(22) &Calling-Station-Id := 00:40:d0:67:d0:b1
(22) } # update request = noop
(22) [updated] = updated
(22) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(22) ... skipping else for request 22: Preceding "if" was taken
(22) } # policy rewrite_calling_station_id = updated
(22) policy rewrite_called_station_id {
(22) if ((&Called-Station-Id) && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i)) {
(22) if ((&Called-Station-Id) && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i)) -> TRUE
(22) if ((&Called-Station-Id) && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i)) {
(22) update request {
(22) &Called-Station-Id !* ANY
(22) EXPAND %{tolower:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(22) --> ec:44:76:87:f0:83
(22) &Called-Station-Id := ec:44:76:87:f0:83
(22) } # update request = noop
(22) if ("%{8}") {
(22) EXPAND %{8}
(22) -->
(22) if ("%{8}") -> FALSE
(22) elsif ( (Colubris-AVPair) && "%{Colubris-AVPair}" =~ /^ssid=(.*)$/i) {
(22) elsif ( (Colubris-AVPair) && "%{Colubris-AVPair}" =~ /^ssid=(.*)$/i) -> FALSE
(22) elsif (Aruba-Essid-Name) {
(22) elsif (Aruba-Essid-Name) -> FALSE
(22) elsif ( (Cisco-AVPair) && "%{Cisco-AVPair}" =~ /^ssid=(.*)$/i) {
(22) EXPAND %{Cisco-AVPair}
(22) --> audit-session-id=C0A801050000003200BCDD37
(22) elsif ( (Cisco-AVPair) && "%{Cisco-AVPair}" =~ /^ssid=(.*)$/i) -> FALSE
(22) [updated] = updated
(22) } # if ((&Called-Station-Id) && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i)) = updated
(22) ... skipping else for request 22: Preceding "if" was taken
(22) } # policy rewrite_called_station_id = updated
(22) policy filter_username {
(22) if (&User-Name) {
(22) if (&User-Name) -> TRUE
(22) if (&User-Name) {
(22) if (&User-Name =~ / /) {
(22) if (&User-Name =~ / /) -> FALSE
(22) if (&User-Name =~ /@[^@]*@/ ) {
(22) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(22) if (&User-Name =~ /\.\./ ) {
(22) if (&User-Name =~ /\.\./ ) -> FALSE
(22) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(22) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(22) if (&User-Name =~ /\.$/) {
(22) if (&User-Name =~ /\.$/) -> FALSE
(22) if (&User-Name =~ /@\./) {
(22) if (&User-Name =~ /@\./) -> FALSE
(22) } # if (&User-Name) = updated
(22) } # policy filter_username = updated
(22) policy filter_password {
(22) if (&User-Password && (&User-Password != "%{string:User-Password}")) {
(22) if (&User-Password && (&User-Password != "%{string:User-Password}")) -> FALSE
(22) } # policy filter_password = updated
(22) [preprocess] = ok
(22) suffix: Checking for suffix after "@"
(22) suffix: No '@' in User-Name = "Administrateur", skipping NULL due to config.
(22) [suffix] = noop
(22) ntdomain: Checking for prefix before "\"
(22) ntdomain: No '\' in User-Name = "Administrateur", looking up realm NULL
(22) ntdomain: No such realm "NULL"
(22) [ntdomain] = noop
(22) eap: Peer sent EAP Response (code 2) ID 10 length 43
(22) eap: Continuing tunnel setup
(22) [eap] = ok
(22) } # authorize = ok
(22) Found Auth-Type = eap
(22) # Executing group from file /usr/local/pf/raddb//sites-enabled/packetfence
(22) authenticate {
(22) eap: Expiring EAP session with state 0x951d7ff092176631
(22) eap: Finished EAP session with state 0x951d7ff092176631
(22) eap: Previous EAP request found for state 0x951d7ff092176631, released from the list
(22) eap: Peer sent packet with method EAP PEAP (25)
(22) eap: Calling submodule eap_peap to process data
(22) eap_peap: Continuing EAP-TLS
(22) eap_peap: [eaptls verify] = ok
(22) eap_peap: Done initial handshake
(22) eap_peap: [eaptls process] = ok
(22) eap_peap: Session established. Decoding tunneled attributes
(22) eap_peap: PEAP state send tlv failure
(22) eap_peap: Received EAP-TLV response
(22) eap_peap: The users session was previously rejected: returning reject (again.)
(22) eap_peap: This means you need to read the PREVIOUS messages in the debug output
(22) eap_peap: to find out the reason why the user was rejected
(22) eap_peap: Look for "reject" or "fail". Those earlier messages will tell you
(22) eap_peap: what went wrong, and how to fix the problem
(22) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed
(22) eap: Sending EAP Failure (code 4) ID 10 length 4
(22) eap: Failed in EAP select
(22) [eap] = invalid
(22) } # authenticate = invalid
(22) Failed to authenticate the user
(22) Login incorrect (eap: Failed continuing EAP PEAP (25) session. EAP sub-module failed): [Administrateur] (from client 192.168.1.5 port 50003 cli 00:40:d0:67:d0:b1)
(22) Using Post-Auth-Type Reject
(22) # Executing group from file /usr/local/pf/raddb//sites-enabled/packetfence
(22) Post-Auth-Type REJECT {
(22) if (! EAP-Type || (EAP-Type != TTLS && EAP-Type != PEAP) ) {
(22) if (! EAP-Type || (EAP-Type != TTLS && EAP-Type != PEAP) ) -> FALSE
(22) attr_filter.access_reject: EXPAND %{User-Name}
(22) attr_filter.access_reject: --> Administrateur
(22) attr_filter.access_reject: Matched entry DEFAULT at line 11
(22) [attr_filter.access_reject] = updated
(22) attr_filter.packetfence_post_auth: EXPAND %{User-Name}
(22) attr_filter.packetfence_post_auth: --> Administrateur
(22) attr_filter.packetfence_post_auth: Matched entry DEFAULT at line 10
(22) [attr_filter.packetfence_post_auth] = updated
(22) [eap] = noop
(22) policy remove_reply_message_if_eap {
(22) if (&reply:EAP-Message && &reply:Reply-Message) {
(22) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(22) else {
(22) [noop] = noop
(22) } # else = noop
(22) } # policy remove_reply_message_if_eap = noop
(22) linelog: EXPAND messages.%{%{reply:Packet-Type}:-default}
(22) linelog: --> messages.Access-Reject
(22) linelog: EXPAND %t : [mac:%{Calling-Station-Id}] Rejected user: %{User-Name}
(22) linelog: --> Tue May 10 16:57:28 2016 : [mac:00:40:d0:67:d0:b1] Rejected user: Administrateur
(22) linelog: EXPAND /usr/local/pf/logs/radius.log
(22) linelog: --> /usr/local/pf/logs/radius.log
(22) [linelog] = ok
(22) } # Post-Auth-Type REJECT = updated
(22) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(22) Sending delayed response
(22) Sent Access-Reject Id 233 from 192.168.10.1:1812 to 192.168.1.5:1645 length 44
(22) EAP-Message = 0x040a0004
(22) Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.7 seconds.
(14) Cleaning up request packet ID 225 with timestamp +160
(15) Cleaning up request packet ID 226 with timestamp +160
(16) Cleaning up request packet ID 227 with timestamp +160
(17) Cleaning up request packet ID 228 with timestamp +160
(18) Cleaning up request packet ID 229 with timestamp +160
(19) Cleaning up request packet ID 230 with timestamp +160
(20) Cleaning up request packet ID 231 with timestamp +160
Waking up in 0.1 seconds.
(21) Cleaning up request packet ID 232 with timestamp +160
(22) Cleaning up request packet ID 233 with timestamp +160
Ready to process requests
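As an added example (not code from the original post, nor from PacketFence or FreeRADIUS), the following Python script cross-checks the values quoted in the debug output above: it parses the MS-CHAP2-Response attribute and the EAP-Message per RFC 2548 and RFC 2759, recomputes the --challenge and --nt-response that rlm_mschap expanded on the ntlm_auth command line, and so tells whether the RADIUS side is internally consistent before one goes looking at winbind and Active Directory for the 0xc000006d logon failure. The constants are copied from the log; everything else is assumed.

```python
"""Cross-check the MS-CHAPv2 material quoted in the debug output above.

Recomputes the --challenge and --nt-response that rlm_mschap expanded into the
ntlm_auth command line from the MS-CHAP-Challenge and MS-CHAP2-Response
attributes (RFC 2548 layout, RFC 2759 challenge hash) and checks that the
response inside EAP-Message is the same one. When all of it agrees, the RADIUS
side is consistent and Logon failure (0xc000006d) must be chased in winbind/AD.
"""
import hashlib
from dataclasses import dataclass

# Constructed from the values quoted in the debug output above.
MS_CHAP_CHALLENGE = "0xc3bbd40002f9ff77a7078554def335eb"
MS_CHAP2_RESPONSE = ("0x0964eb4ca34aee1ad514b736c229c9e0798a0000000000000000"
                     "fa1cb5436a574339be984a38670c37bd8554f4e5afe4a141")
EAP_MESSAGE = ("0x020900491a0209004431eb4ca34aee1ad514b736c229c9e0798a"
               "0000000000000000fa1cb5436a574339be984a38670c37bd8554f4e5afe4a141"
               "0041646d696e697374726174657572")


def unhex(s: str) -> bytes:
    return bytes.fromhex(s[2:] if s.startswith("0x") else s)


@dataclass
class MsChap2Response:
    ident: int
    flags: int
    peer_challenge: bytes  # 16 bytes
    nt_response: bytes     # 24 bytes


def parse_ms_chap2_response(attr_hex: str) -> MsChap2Response:
    """RFC 2548 MS-CHAP2-Response: Ident(1) Flags(1) Peer-Challenge(16) Reserved(8) Response(24)."""
    raw = unhex(attr_hex)
    if len(raw) != 50:
        raise ValueError(f"MS-CHAP2-Response must be 50 bytes, got {len(raw)}")
    if any(raw[18:26]):
        raise ValueError("reserved field is not zero")
    return MsChap2Response(raw[0], raw[1], raw[2:18], raw[26:50])


def parse_eap_mschapv2_response(eap_hex: str) -> tuple[MsChap2Response, str]:
    """EAP Response (code 2), type 26, OpCode 2: the embedded response plus the Name field."""
    raw = unhex(eap_hex)
    code, length, eap_type = raw[0], int.from_bytes(raw[2:4], "big"), raw[4]
    if (code, eap_type, length) != (2, 26, len(raw)):
        raise ValueError("not a well-formed EAP Response of type MSCHAPv2")
    opcode, ms_id, ms_length, value_size = raw[5], raw[6], int.from_bytes(raw[7:9], "big"), raw[9]
    if opcode != 2 or value_size != 49 or ms_length != length - 5:
        raise ValueError("not a well-formed EAP-MSCHAPv2 Response packet")
    value = raw[10:59]  # Peer-Challenge(16) Reserved(8) NT-Response(24) Flags(1)
    name = raw[59:].decode("ascii")
    return MsChap2Response(ms_id, value[48], value[0:16], value[24:48]), name


def challenge_hash(peer_challenge: bytes, authenticator_challenge: bytes, username: str) -> bytes:
    """RFC 2759 section 8.2: first 8 bytes of SHA1(PeerChallenge | AuthenticatorChallenge | UserName)."""
    return hashlib.sha1(peer_challenge + authenticator_challenge + username.encode("ascii")).digest()[:8]


def ntlm_auth_arguments(challenge_hex: str, response_hex: str, username: str) -> dict[str, str]:
    """Recompute the three values rlm_mschap expands into the ntlm_auth command line."""
    bare_user = username.rsplit("\\", 1)[-1]  # rlm_mschap hashes the name without a DOMAIN\ prefix
    resp = parse_ms_chap2_response(response_hex)
    return {
        "--username": bare_user,
        "--challenge": challenge_hash(resp.peer_challenge, unhex(challenge_hex), bare_user).hex(),
        "--nt-response": resp.nt_response.hex(),
    }


def radius_side_consistent(challenge_hex: str, response_hex: str, eap_hex: str,
                           expanded_challenge: str, expanded_nt_response: str) -> bool:
    """True when EAP-Message, MS-CHAP2-Response and the two ntlm_auth EXPAND lines all agree."""
    inner, name = parse_eap_mschapv2_response(eap_hex)
    attr = parse_ms_chap2_response(response_hex)
    if (inner.peer_challenge, inner.nt_response) != (attr.peer_challenge, attr.nt_response):
        return False
    args = ntlm_auth_arguments(challenge_hex, response_hex, name)
    return (args["--challenge"], args["--nt-response"]) == (expanded_challenge, expanded_nt_response)


if __name__ == "__main__":
    ok = radius_side_consistent(MS_CHAP_CHALLENGE, MS_CHAP2_RESPONSE, EAP_MESSAGE,
                                "c330d9e5a3d1ecdf", "fa1cb5436a574339be984a38670c37bd8554f4e5afe4a141")
    print("RADIUS side consistent:", ok)
```

A True result means the challenge hash and NT-Response that reached ntlm_auth are exactly what the supplicant sent, so the reject comes from the ntlm_auth/winbind/domain step (wrong credentials, wrong domain, or a machine that is not properly joined), not from attribute handling in FreeRADIUS.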