Stripping the domain from the username

Stuart Ramdeen stuart at crossover.solutions
Mon Jan 13 00:42:48 CET 2020


Hi Alan

Thank you for your reply. I have made the change you suggested and (in
my novice view) there now appears to be more progress than before.

I completely appreciate that it's an old build, but it was included
with an older version of macOS Server and I'm trying to get things
working before I attempt to update anything. It relies on an Apple
module 'opendirectory', which is responsible for querying the
directory service running on the Mac server, and so I don't want to
change anything yet until I can get things going. I certainly take
your point on board though and will look to update to 2.2.10 as soon
as possible.

Here is the latest debug output after making the change you suggested.
If I am interpreting this correctly, the 'radiustest at example.co.uk'
username is being stripped and passed to the directory server during
request 0:

[opendirectory] User radiustest exists in OD
[opendirectory] User radiustest is a member of the RADUIS SACL

but by the time it gets to request 6 it is using the full username
rather than the portion before the @:

[mschap] Creating challenge hash with username: radiustest at example.co.uk
[mschap] Client is using MS-CHAPv2 for radiustest at example.co.uk, we
need NT-Password
[mschap] Using OpenDirectory to authenticate
[mschap] Unable to find record radiustest at example.co.uk in OD
[mschap] Authentication failed for radiustest at example.co.uk
++[mschap] = fail

At this point the directory server is seeing a request for
radiustest at example.co.uk and rejecting it because of course the
username in that format does not exist. Do I need to change anything
so that the mschap module is creating the challenge hash with
'radiustest' rather than 'radiustest at example.co.uk', or am I barking
up the wrong tree?


rad_recv: Access-Request packet from host 192.168.236.45 port 1814,
id=139, length=238
User-Name = "radiustest at example.co.uk"
NAS-IP-Address = 192.168.236.28
NAS-Port = 0
NAS-Identifier = "192.168.236.26"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "109ADDC49B75"
Called-Station-Id = "001A1E04AB58"
Service-Type = Framed-User
Framed-MTU = 1100
EAP-Message = 0x02010022017261646975737465737440676f73682e63616d64656e2e7363682e756b
Aruba-Essid-Name = "school"
Aruba-Location-Id = "ICT-TEST"
Aruba-AP-Group = "test"
Aruba-Device-Type = "Apple"
Message-Authenticator = 0x2577b12b1827b2d1f2a6a2b4f41b74c5
Proxy-State = 0x3635
# Executing section authorize from file
/Library/Server/radius/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] Looking up realm "example.co.uk" for User-Name =
"radiustest at example.co.uk"
[suffix] Found realm "example.co.uk"
[suffix] Adding Stripped-User-Name = "radiustest"
[suffix] Adding Realm = "example.co.uk"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 1 length 34
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
[opendirectory] The host 192.168.236.45 does not have an access group.
[opendirectory] User radiustest exists in OD
[opendirectory] User radiustest is a member of the RADUIS SACL
++[opendirectory] = ok
++[expiration] = noop
++[logintime] = noop
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /Library/Server/radius/raddb/sites-enabled/default
+group authenticate {
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 139 to 192.168.236.45 port 1814
EAP-Message = 0x010200061520
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa2d10e0fa2d31bd8fb902e08f9c31ec3
Proxy-State = 0x3635
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.236.45 port 1814,
id=140, length=353
User-Name = "radiustest at example.co.uk"
NAS-IP-Address = 192.168.236.28
NAS-Port = 0
NAS-Identifier = "192.168.236.26"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "109ADDC49B75"
Called-Station-Id = "001A1E04AB58"
Service-Type = Framed-User
Framed-MTU = 1100
EAP-Message = 0x0202008315800000007916030100740100007003015e1baa8d3cb0084332627d1fd466f39541f629dc3248b4d4771d23ad28bd3a1800002800ffc024c023c00ac009c008c028c027c014c013c012003d003c0035002f000ac007c011000500040100001f000a00080006001700180019000b0002010000050005010000000000120000
Aruba-Essid-Name = "school"
Aruba-Location-Id = "ICT-TEST"
Aruba-AP-Group = "test"
Aruba-Device-Type = "Apple"
Message-Authenticator = 0x9e28ec7582c40e3e92a115082a8f054a
Proxy-State = 0x3636
State = 0xa2d10e0fa2d31bd8fb902e08f9c31ec3
# Executing section authorize from file
/Library/Server/radius/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] Looking up realm "example.co.uk" for User-Name =
"radiustest at example.co.uk"
[suffix] Found realm "example.co.uk"
[suffix] Adding Stripped-User-Name = "radiustest"
[suffix] Adding Realm = "example.co.uk"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 2 length 131
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /Library/Server/radius/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
  TLS Length 121
[ttls] Length Included
[ttls] eaptls_verify returned 11
[ttls]     (other): before/accept initialization
[ttls]     TLS_accept: before/accept initialization
[ttls] <<< TLS 1.0 Handshake [length 0074], ClientHello
[ttls]     TLS_accept: SSLv3 read client hello A
[ttls] >>> TLS 1.0 Handshake [length 0039], ServerHello
[ttls]     TLS_accept: SSLv3 write server hello A
[ttls] >>> TLS 1.0 Handshake [length 0665], Certificate
[ttls]     TLS_accept: SSLv3 write certificate A
[ttls] >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange
[ttls]     TLS_accept: SSLv3 write key exchange A
[ttls] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[ttls]     TLS_accept: SSLv3 write server done A
[ttls]     TLS_accept: SSLv3 flush data
[ttls]     TLS_accept: SSLv3 read client certificate A
[ttls]     TLS_accept: Need to read more data: SSLv3 read client key exchange A
[ttls]     TLS_accept: Need to read more data: SSLv3 read client key exchange A
In SSL Handshake Phase
In SSL Accept mode
[ttls] eaptls_process returned 13
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 140 to 192.168.236.45 port 1814
EAP-Message = 0xe5797635ce17913c9960ba6d82aa46e460bc0abe7384d06d5499d42939f2c72e706e8dbc9cac22dc315f5539af9662461f1f85a5dbd5a892f0ec10c3578ef8c1bf5d2d8150df94eb034146ec458654dd1740c1707f86bb4203a549b9d0d98ab19788238717c1140842ae944d4c2dc50ddf1d4adf6d61d932f892495a264a8b87629bb0a7d76f1b7187a2118200032c3082032830820210a003020102020101300b06092a864886f70d01010b302e311f301d06035504030c16706574657270616e2e676f73682e696e7465726e616c310b3009060355040613024742301e170d3134303832373132313431355a170d3334303832323132313431355a30
EAP-Message = 0x2e311f301d06035504030c16
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa2d10e0fa3d21bd8fb902e08f9c31ec3
Proxy-State = 0x3636
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.236.45 port 1814,
id=141, length=228
User-Name = "radiustest at example.co.uk"
NAS-IP-Address = 192.168.236.28
NAS-Port = 0
NAS-Identifier = "192.168.236.26"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "109ADDC49B75"
Called-Station-Id = "001A1E04AB58"
Service-Type = Framed-User
Framed-MTU = 1100
EAP-Message = 0x020300061500
Aruba-Essid-Name = "school"
Aruba-Location-Id = "ICT-TEST"
Aruba-AP-Group = "test"
Aruba-Device-Type = "Apple"
Message-Authenticator = 0xe4c9628a13844ea439eb4d01e968ed8c
Proxy-State = 0x3637
State = 0xa2d10e0fa3d21bd8fb902e08f9c31ec3
# Executing section authorize from file
/Library/Server/radius/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] Looking up realm "example.co.uk" for User-Name =
"radiustest at example.co.uk"
[suffix] Found realm "example.co.uk"
[suffix] Adding Stripped-User-Name = "radiustest"
[suffix] Adding Realm = "example.co.uk"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 3 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /Library/Server/radius/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] Received TLS ACK
[ttls] ACK handshake fragment handler
[ttls] eaptls_verify returned 1
[ttls] eaptls_process returned 13
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 141 to 192.168.236.45 port 1814
EAP-Message = 0x6bc8be0bf5a6db8e5df2c928
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa2d10e0fa0d51bd8fb902e08f9c31ec3
Proxy-State = 0x3637
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.236.45 port 1814,
id=142, length=228
User-Name = "radiustest at example.co.uk"
NAS-IP-Address = 192.168.236.28
NAS-Port = 0
NAS-Identifier = "192.168.236.26"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "109ADDC49B75"
Called-Station-Id = "001A1E04AB58"
Service-Type = Framed-User
Framed-MTU = 1100
EAP-Message = 0x020400061500
Aruba-Essid-Name = "school"
Aruba-Location-Id = "ICT-TEST"
Aruba-AP-Group = "test"
Aruba-Device-Type = "Apple"
Message-Authenticator = 0x5721d8a0eb68e0f1a13a0125c7c3a987
Proxy-State = 0x3639
State = 0xa2d10e0fa0d51bd8fb902e08f9c31ec3
# Executing section authorize from file
/Library/Server/radius/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] Looking up realm "example.co.uk" for User-Name =
"radiustest at example.co.uk"
[suffix] Found realm "example.co.uk"
[suffix] Adding Stripped-User-Name = "radiustest"
[suffix] Adding Realm = "example.co.uk"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 4 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /Library/Server/radius/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] Received TLS ACK
[ttls] ACK handshake fragment handler
[ttls] eaptls_verify returned 1
[ttls] eaptls_process returned 13
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 142 to 192.168.236.45 port 1814
EAP-Message = 0x0105001f1580000008014456b73978ff61a3af0ca4ba16030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa2d10e0fa1d41bd8fb902e08f9c31ec3
Proxy-State = 0x3639
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.236.45 port 1814,
id=143, length=366
User-Name = "radiustest at example.co.uk"
NAS-IP-Address = 192.168.236.28
NAS-Port = 0
NAS-Identifier = "192.168.236.26"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "109ADDC49B75"
Called-Station-Id = "001A1E04AB58"
Service-Type = Framed-User
Framed-MTU = 1100
EAP-Message = 0x020500901580000000861603010046100000424104210a608054c8ddd857c4896c9107fbe88964d18caf4ad086cee42cda06ea5d685038f7ca5521bfa175227cca875345b6c9e0c6445a4e4f23d362eab64360d9e41403010001011603010030941a8535af0b548685d350fc4433c7ef5cad07647d29bd43f42191382861f4391c2f9198dfe9f4e8863ef7c875ce53a5
Aruba-Essid-Name = "school"
Aruba-Location-Id = "ICT-TEST"
Aruba-AP-Group = "test"
Aruba-Device-Type = "Apple"
Message-Authenticator = 0x3038ce0ef15655a7fe33028aaa671617
Proxy-State = 0x3730
State = 0xa2d10e0fa1d41bd8fb902e08f9c31ec3
# Executing section authorize from file
/Library/Server/radius/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] Looking up realm "example.co.uk" for User-Name =
"radiustest at example.co.uk"
[suffix] Found realm "example.co.uk"
[suffix] Adding Stripped-User-Name = "radiustest"
[suffix] Adding Realm = "example.co.uk"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 5 length 144
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /Library/Server/radius/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
  TLS Length 134
[ttls] Length Included
[ttls] eaptls_verify returned 11
[ttls] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange
[ttls]     TLS_accept: SSLv3 read client key exchange A
[ttls] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[ttls] <<< TLS 1.0 Handshake [length 0010], Finished
[ttls]     TLS_accept: SSLv3 read finished A
[ttls] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[ttls]     TLS_accept: SSLv3 write change cipher spec A
[ttls] >>> TLS 1.0 Handshake [length 0010], Finished
[ttls]     TLS_accept: SSLv3 write finished A
[ttls]     TLS_accept: SSLv3 flush data
[ttls]     (other): SSL negotiation finished successfully
SSL Connection Established
[ttls] eaptls_process returned 13
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 143 to 192.168.236.45 port 1814
EAP-Message = 0x0106004515800000003b140301000101160301003002a2021500d744536bcfcf1b18ab41d9b3dbdeb95b34c6589d07ed092183aeb8f4ce37bcc6bd820084049674e9820ccb
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa2d10e0fa6d71bd8fb902e08f9c31ec3
Proxy-State = 0x3730
Finished request 4.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 192.168.236.45 port 1814,
id=144, length=317
User-Name = "radiustest at example.co.uk"
NAS-IP-Address = 192.168.236.28
NAS-Port = 0
NAS-Identifier = "192.168.236.26"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "109ADDC49B75"
Called-Station-Id = "001A1E04AB58"
Service-Type = Framed-User
Framed-MTU = 1100
EAP-Message = 0x0206005f158000000055170301005005b067f60adac124a184ecc57e6ecc32a8221bbb603ee5924bb79b3ff765334f5cc0c61e0bdd250711ce7888313e6aa003d960b2b9f6843f1a3a94e5e21b7421540dd7f1d2336dc9cbe0bbf664ca1a08
Aruba-Essid-Name = "school"
Aruba-Location-Id = "ICT-TEST"
Aruba-AP-Group = "test"
Aruba-Device-Type = "Apple"
Message-Authenticator = 0x20dd42545594cfbe970274ddab52a1d6
Proxy-State = 0x3731
State = 0xa2d10e0fa6d71bd8fb902e08f9c31ec3
# Executing section authorize from file
/Library/Server/radius/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] Looking up realm "example.co.uk" for User-Name =
"radiustest at example.co.uk"
[suffix] Found realm "example.co.uk"
[suffix] Adding Stripped-User-Name = "radiustest"
[suffix] Adding Realm = "example.co.uk"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 6 length 95
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /Library/Server/radius/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
  TLS Length 85
[ttls] Length Included
[ttls] eaptls_verify returned 11
[ttls] eaptls_process returned 7
[ttls] Session established.  Proceeding to decode tunneled attributes.
[ttls] Got tunneled request
EAP-Message = 0x02000022017261646975737465737440676f73682e63616d64656e2e7363682e756b
FreeRADIUS-Proxied-To = 127.0.0.1
[ttls] Got tunneled identity of radiustest at example.co.uk
[ttls] Setting default EAP type for tunneled EAP session.
[ttls] Sending tunneled request
EAP-Message = 0x02000022017261646975737465737440676f73682e63616d64656e2e7363682e756b
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "radiustest at example.co.uk"
server inner-tunnel {
# Executing section authorize from file
/Library/Server/radius/raddb/sites-enabled/inner-tunnel
+group authorize {
++[chap] = noop
++[mschap] = noop
[suffix] Looking up realm "example.co.uk" for User-Name =
"radiustest at example.co.uk"
[suffix] Found realm "example.co.uk"
[suffix] Adding Stripped-User-Name = "radiustest"
[suffix] Adding Realm = "example.co.uk"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
++update control {
++} # update control = noop
[eap] EAP packet type response id 0 length 34
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
++[expiration] = noop
++[logintime] = noop
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file
/Library/Server/radius/raddb/sites-enabled/inner-tunnel
+group authenticate {
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] = handled
+} # group authenticate = handled
} # server inner-tunnel
[ttls] Got tunneled reply code Access-Challenge
EAP-Message = 0x010100371a0101003210006815de0f512aa5e084a9c577c5aef27261646975737465737440676f73682e63616d64656e2e7363682e756b
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x6d27f3ae6d26e9777944e6ecebb16dd4
[ttls] Got tunneled Access-Challenge
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 144 to 192.168.236.45 port 1814
EAP-Message = 0x0107009415800000008a17030100201e23f0c8900a7e96509629eb6ee466d25f4ad0e738cf60f9715db3766bd3435a1703010060712a160f13ed9d92772dee8895efb7918e93bd920ee8204bc2d5c89a30a08551f9e4a480fcc024f50ca4d16cb7dd0cf5594e88ffcfe0415d46c1d79c317675af2fcc8a32a1eb0e1686adf3c006ed894e174e4eefb10dd7d158fcf8a2c9bb736a
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa2d10e0fa7d61bd8fb902e08f9c31ec3
Proxy-State = 0x3731
Finished request 5.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 192.168.236.45 port 1814,
id=145, length=365
User-Name = "radiustest at example.co.uk"
NAS-IP-Address = 192.168.236.28
NAS-Port = 0
NAS-Identifier = "192.168.236.26"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "109ADDC49B75"
Called-Station-Id = "001A1E04AB58"
Service-Type = Framed-User
Framed-MTU = 1100
EAP-Message = 0x0207008f1580000000851703010080271f7fdade241a0c58e453a885367d4a60ed1ff1569ac5ae6157a339509575b444fb0cd29369a63bc9b2c148cb3e9a8b8806c557ac9be0955c149262709898b4eff18819206df5f98590494f9c4ad8824d6d586540d365f00ab52f6c82604a4f8e4188ca3733a3fbfe70121824006bdd47a2fed015d775560c16e6c8e39de6a2
Aruba-Essid-Name = "school"
Aruba-Location-Id = "ICT-TEST"
Aruba-AP-Group = "test"
Aruba-Device-Type = "Apple"
Message-Authenticator = 0xb5e0114d038530bdd5213c43186c635c
Proxy-State = 0x3732
State = 0xa2d10e0fa7d61bd8fb902e08f9c31ec3
# Executing section authorize from file
/Library/Server/radius/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] Looking up realm "example.co.uk" for User-Name =
"radiustest at example.co.uk"
[suffix] Found realm "example.co.uk"
[suffix] Adding Stripped-User-Name = "radiustest"
[suffix] Adding Realm = "example.co.uk"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 7 length 143
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /Library/Server/radius/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
  TLS Length 133
[ttls] Length Included
[ttls] eaptls_verify returned 11
[ttls] eaptls_process returned 7
[ttls] Session established.  Proceeding to decode tunneled attributes.
[ttls] Got tunneled request
EAP-Message = 0x020100581a0201005331a8ee034419131e7f9fddd19a5a0ba426000000000000000077e94ca004cea6e84942642ad7a244ac8bba9b32193bbfd1007261646975737465737440676f73682e63616d64656e2e7363682e756b
FreeRADIUS-Proxied-To = 127.0.0.1
[ttls] Sending tunneled request
EAP-Message = 0x020100581a0201005331a8ee034419131e7f9fddd19a5a0ba426000000000000000077e94ca004cea6e84942642ad7a244ac8bba9b32193bbfd1007261646975737465737440676f73682e63616d64656e2e7363682e756b
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "radiustest at example.co.uk"
State = 0x6d27f3ae6d26e9777944e6ecebb16dd4
server inner-tunnel {
# Executing section authorize from file
/Library/Server/radius/raddb/sites-enabled/inner-tunnel
+group authorize {
++[chap] = noop
++[mschap] = noop
[suffix] Looking up realm "example.co.uk" for User-Name =
"radiustest at example.co.uk"
[suffix] Found realm "example.co.uk"
[suffix] Adding Stripped-User-Name = "radiustest"
[suffix] Adding Realm = "example.co.uk"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
++update control {
++} # update control = noop
[eap] EAP packet type response id 1 length 88
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
++[expiration] = noop
++[logintime] = noop
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file
/Library/Server/radius/raddb/sites-enabled/inner-tunnel
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file
/Library/Server/radius/raddb/sites-enabled/inner-tunnel
[mschapv2] +group MS-CHAP {
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Creating challenge hash with username: radiustest at example.co.uk
[mschap] Client is using MS-CHAPv2 for radiustest at example.co.uk, we
need NT-Password
[mschap] Using OpenDirectory to authenticate
[mschap] Unable to find record radiustest at example.co.uk in OD
[mschap] Authentication failed for radiustest at example.co.uk
++[mschap] = fail
+} # group MS-CHAP = fail
[eap] Freeing handler
++[eap] = reject
+} # group authenticate = reject
Failed to authenticate the user.
Login incorrect: [radiustest at example.co.uk/<via Auth-Type = EAP>]
(from client clearpass port 0 via TLS tunnel)
Using Post-Auth-Type Reject
# Executing group from file
/Library/Server/radius/raddb/sites-enabled/inner-tunnel
+group REJECT {
[attr_filter.access_reject] expand: %{User-Name} -> radiustest at example.co.uk
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
} # server inner-tunnel
[ttls] Got tunneled reply code Access-Reject
MS-CHAP-Error = "\001E=691 R=1"
EAP-Message = 0x04010004
Message-Authenticator = 0x00000000000000000000000000000000
[ttls] Got tunneled Access-Reject
[eap] Handler failed in EAP/ttls
rlm_eap_ttls: Freeing handler for user radiustest at example.co.uk
[eap] Failed in EAP select
++[eap] = invalid
+} # group authenticate = invalid
Failed to authenticate the user.
Login incorrect: [radiustest at example.co.uk/<via Auth-Type = EAP>]
(from client clearpass port 0 cli 109ADDC49B75)
Using Post-Auth-Type Reject
# Executing group from file /Library/Server/radius/raddb/sites-enabled/default
+group REJECT {
++? if ("%{EAP-Message}")
expand: %{EAP-Message} ->
0x0207008f1580000000851703010080271f7fdade241a0c58e453a885367d4a60ed1ff1569ac5ae6157a339509575b444fb0cd29369a63bc9b2c148cb3e9a8b8806c557ac9be0955c149262709898b4eff18819206df5f98590494f9c4ad8824d6d586540d365f00ab52f6c82604a4f8e4188ca3733a3fbfe70121824006bdd47a2fed015d775560c16e6c8e39de6a2
? Evaluating ("%{EAP-Message}") -> TRUE
++? if ("%{EAP-Message}") -> TRUE
++if ("%{EAP-Message}") {
+++update reply {
expand: %{Message-Authenticator} -> 0xb5e0114d038530bdd5213c43186c635c
+++} # update reply = noop
++} # if ("%{EAP-Message}") = noop
[attr_filter.access_reject] expand: %{User-Name} -> radiustest at example.co.uk
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
Delaying reject of request 6 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 6
Sending Access-Reject of id 145 to 192.168.236.45 port 1814
EAP-Message = 0x04070004
Message-Authenticator = 0x00000000000000000000000000000000
Proxy-State = 0x3732
Waking up in 3.8 seconds.


Thank you
Stuart

-- 
Crossover Solutions Ltd
Pound House, 62A Highgate High Street, London, N6 5HX
www.crossover.solutions <http://crossover.solutions> • 020 3637 4655

Registered in England and Wales No: 9593204  Registered address as stated



Members of the Apple Consultants Network 
<https://consultants.apple.com/uk/988258>


Please submit new support 
requests to support at crossover.solutions 
<mailto:support at crossover.solutions>
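As an added diagnostic (example code written for this page, not from the original post or from FreeRADIUS), the script below parses a FreeRADIUS 2.x debug log such as the one above and reports, request by request, whether the modules that consult the directory used the suffix module's Stripped-User-Name or the full User-Name. The sample log is constructed and abridged; the module line formats are the ones visible in the log above, and the "user at host" form is the list archive's rewriting of addresses.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed, abridged sample in the shape of the log above; the "user at host"
# form is how list archives rewrite addresses, and normalize() undoes it.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 192.0.2.45 port 1814, id=139, length=238
    User-Name = "radiustest at example.co.uk"
[suffix] Adding Stripped-User-Name = "radiustest"
[opendirectory] User radiustest exists in OD
Finished request 0.
rad_recv: Access-Request packet from host 192.0.2.45 port 1814, id=145, length=365
    User-Name = "radiustest at example.co.uk"
[suffix] Adding Stripped-User-Name = "radiustest"
[suffix] Adding Stripped-User-Name = "radiustest"
[mschap] Creating challenge hash with username: radiustest at example.co.uk
[mschap] Unable to find record radiustest at example.co.uk in OD
"""

RE_REQ_START = re.compile(r"^rad_recv: Access-Request packet")
RE_USER_NAME = re.compile(r'^User-Name = "([^"]+)"')
RE_STRIPPED = re.compile(r'^\[suffix\] Adding Stripped-User-Name = "([^"]+)"')
# Lines on which a directory-backed module reveals the identity it looked up.
RE_LOOKUPS = [
    ("opendirectory", re.compile(r"^\[opendirectory\] User (\S+) exists in OD")),
    ("mschap", re.compile(r"^\[mschap\] Creating challenge hash with username: (\S+)")),
    ("mschap", re.compile(r"^\[mschap\] Unable to find record (\S+) in OD")),
]


def normalize(line: str) -> str:
    """Drop indentation and turn archive-mangled 'user at host' back into user@host."""
    return re.sub(r"(\S) at ([\w-]+\.)", r"\1@\2", line.strip())


@dataclass
class RequestTrace:
    index: int
    user_name: Optional[str] = None
    stripped: Optional[str] = None
    lookups: List[Tuple[str, str]] = field(default_factory=list)

    def mismatches(self) -> List[Tuple[str, str]]:
        """Distinct lookups that used a name other than Stripped-User-Name."""
        if self.stripped is None:
            return []
        return list(dict.fromkeys(l for l in self.lookups if l[1] != self.stripped))


def parse_debug_log(text: str) -> List[RequestTrace]:
    """Split the log at each rad_recv and record which identity every module used."""
    requests: List[RequestTrace] = []
    current: Optional[RequestTrace] = None
    for raw in text.splitlines():
        line = normalize(raw)
        if RE_REQ_START.match(line):
            current = RequestTrace(index=len(requests))
            requests.append(current)
        if current is None:
            continue
        if current.user_name is None and (m := RE_USER_NAME.match(line)):
            current.user_name = m.group(1)
        if m := RE_STRIPPED.match(line):
            current.stripped = m.group(1)
        for module, pattern in RE_LOOKUPS:
            if m := pattern.match(line):
                current.lookups.append((module, m.group(1)))
    return requests


def report(requests: List[RequestTrace]) -> str:
    """One line per request; MISMATCH names every module that ignored the stripped name."""
    out = []
    for r in requests:
        bad = r.mismatches()
        detail = "ok" if not bad else "MISMATCH " + ", ".join(f"{m} used {n!r}" for m, n in bad)
        out.append(f"request {r.index} stripped={r.stripped!r}: {detail}")
    return "\n".join(out)
```

Run it over a full `radiusd -X` capture pasted from the archive to see, per request, which module fell back to the full User-Name after suffix had already added Stripped-User-Name.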







More information about the Freeradius-Users mailing list