Ms chap error freeradius


Hi @ALL.

Not sure if we have a bug, but I have been trying to get AD authentication via LDAP working for more than 4 days. I read a lot of documentation and tested a lot of things.
I have the following:
If I try to log in via "radtest -x test testpwd 127.0.0.1:18120 0 testing123" on the Linux console, everything works via LDAP. If I try this over the 802.1X access point, it doesn't work.
If I try the same with a user defined in "users", like bob Cleartext-Password := "hello", over the access point, it works fine.
Something goes wrong with the password if I use PEAP:

via console with domain User over inner-tunnel:
(1) Received Access-Request Id 7 from 127.0.0.1:48026 to 127.0.0.1:18120 length 74
(1) User-Name = «test»
(1) User-Password = «password»
(1) NAS-IP-Address = 192.168.8.27
(1) NAS-Port = 0
(1) Message-Authenticator = 0xc7c247ef109fb66332c18aab75068b33
(1) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel-domain
(1) authorize {
(1) [files] = noop
(1) [mschap] = noop
(1) suffix: Checking for suffix after «@»
(1) suffix: No ‘@’ in User-Name = «test», looking up realm NULL
(1) suffix: No such realm «NULL»
(1) [suffix] = noop
(1) update control {
(1) Proxy-To-Realm := LOCAL
(1) } # update control = noop
(1) eap: No EAP-Message, not doing EAP
(1) [eap] = noop
(1) [expiration] = noop
(1) [logintime] = noop
rlm_ldap (ldap_domain): Reserved connection (0)
(1) ldap_domain: EXPAND (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})
(1) ldap_domain: --> (sAMAccountName=test)
(1) ldap_domain: Performing search in «cn=Users,dc=domain,dc=local» with filter «(sAMAccountName=test)», scope «sub»
(1) ldap_domain: Waiting for search result…
(1) ldap_domain: User object found at DN «CN=Test TEST,CN=Users,DC=domain,DC=local»
(1) ldap_domain: Processing user attributes
(1) ldap_domain: WARNING: No «known good» password added. Ensure the admin user has permission to read the password attribute
(1) ldap_domain: WARNING: PAP authentication will NOT work with Active Directory (if that is what you were trying to configure)
rlm_ldap (ldap_domain): Released connection (0)
rlm_ldap (ldap_domain): Need 5 more connections to reach 10 spares
rlm_ldap (ldap_domain): Opening additional connection (5), 1 of 27 pending slots used
rlm_ldap (ldap_domain): Connecting to ldap://dc.domain.local:389
rlm_ldap (ldap_domain): Waiting for bind result…
rlm_ldap (ldap_domain): Bind successful
(1) [ldap_domain] = ok
(1) if ((ok || updated) && User-Password) {
(1) if ((ok || updated) && User-Password) -> TRUE
(1) if ((ok || updated) && User-Password) {
(1) update {
(1) control:Auth-Type := LDAP
(1) } # update = noop
(1) } # if ((ok || updated) && User-Password) = noop
(1) [pap] = noop
(1) if (User-Password) {
(1) if (User-Password) -> TRUE
(1) if (User-Password) {
(1) update control {
(1) Auth-Type := LDAP
(1) } # update control = noop
(1) } # if (User-Password) = noop
(1) } # authorize = ok
(1) Found Auth-Type = LDAP
(1) # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel-domain
(1) Auth-Type LDAP {
rlm_ldap (ldap_domain): Reserved connection (1)
(1) ldap_domain: Login attempt by «test»
(1) ldap_domain: Using user DN from request «CN=Test TEST,CN=Users,DC=domain,DC=local»
(1) ldap_domain: Waiting for bind result…
(1) ldap_domain: Bind successful
(1) ldap_domain: Bind as user «CN=Test TEST,CN=Users,DC=domain,DC=local» was successful
rlm_ldap (ldap_domain): Released connection (1)
(1) [ldap_domain] = ok
(1) } # Auth-Type LDAP = ok
(1) Sent Access-Accept Id 7 from 127.0.0.1:18120 to 127.0.0.1:48026 length 0
(1) Finished request
Waking up in 0.3 seconds.
(0) Cleaning up request packet ID 130 with timestamp +4
Waking up in 4.6 seconds.
(1) Cleaning up request packet ID 7 with timestamp +9
Ready to process requests

via AccessPoint with domain User:
(2) Received Access-Request Id 42 from 192.168.2.250:3072 to 192.168.8.27:1812 length 178
(2) User-Name = «test»
(2) Service-Type = Framed-User
(2) NAS-IP-Address = 192.168.2.250
(2) NAS-Port = 10
(2) NAS-Port-Id = «10»
(2) Called-Station-Id = «0E-0B-6B-2F-12-67:domain 8021X»
(2) Calling-Station-Id = «B8-E8-56-41-2C-2A»
(2) Connect-Info = «CONNECT 54 Mbps 802.11g»
(2) NAS-Identifier = «AP-domain01»
(2) NAS-Port-Type = Wireless-802.11
(2) Framed-MTU = 1500
(2) EAP-Message = 0x020100090174657374
(2) Message-Authenticator = 0x83d8e6487c3977ae8116026c26702525
(2) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/domain
(2) authorize {
(2) [files] = noop
(2) [preprocess] = ok
(2) suffix: Checking for suffix after «@»
(2) suffix: No ‘@’ in User-Name = «test», looking up realm NULL
(2) suffix: No such realm «NULL»
(2) [suffix] = noop
(2) eap: Peer sent EAP Response (code 2) ID 1 length 9
(2) eap: EAP-Identity reply, returning ‘ok’ so we can short-circuit the rest of authorize
(2) [eap] = ok
(2) } # authorize = ok
(2) Found Auth-Type = EAP
(2) # Executing group from file /usr/local/etc/raddb/sites-enabled/domain
(2) authenticate {
(2) eap: Peer sent packet with method EAP Identity (1)
(2) eap: Calling submodule eap_peap to process data
(2) eap_peap: Initiating new EAP-TLS session
(2) eap_peap: [eaptls start] = request
(2) eap: Sending EAP Request (code 1) ID 2 length 6
(2) eap: EAP session adding &reply:State = 0x714e61bf714c78fd
(2) [eap] = handled
(2) } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) Post-Auth-Type sub-section not found. Ignoring.
(2) Sent Access-Challenge Id 42 from 192.168.8.27:1812 to 192.168.2.250:3072 length 0
(2) EAP-Message = 0x010200061920
(2) Message-Authenticator = 0x00000000000000000000000000000000
(2) State = 0x714e61bf714c78fd13de40933f3a43c8
(2) Finished request
Waking up in 4.9 seconds.
(3) Received Access-Request Id 58 from 192.168.2.250:3072 to 192.168.8.27:1812 length 339
(3) User-Name = «test»
(3) Service-Type = Framed-User
(3) NAS-IP-Address = 192.168.2.250
(3) NAS-Port = 10
(3) NAS-Port-Id = «10»
(3) State = 0x714e61bf714c78fd13de40933f3a43c8
(3) Called-Station-Id = «0E-0B-6B-2F-12-67:domain 8021X»
(3) Calling-Station-Id = «B8-E8-56-41-2C-2A»
(3) Connect-Info = «CONNECT 54 Mbps 802.11g»
(3) NAS-Identifier = «AP-domain01»
(3) NAS-Port-Type = Wireless-802.11
(3) Framed-MTU = 1500
(3) EAP-Message = 0x0202009819800000008e160301008901000085030156162f87a13e4465c695b7754a35671de87e37f1c9c068c51ee0c258d39cc34f00004a00ffc024c023c00ac009c008c028c027c014c013c012c026c025c005c004c003c02ac029c00fc00ec00d006b0067003900330016003d003c0035002f000ac0
(3) Message-Authenticator = 0x1b3f4a72c416640c87d6f902d0effe2e
(3) session-state: No cached attributes
(3) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/domain
(3) authorize {
(3) [files] = noop
(3) [preprocess] = ok
(3) suffix: Checking for suffix after «@»
(3) suffix: No ‘@’ in User-Name = «test», looking up realm NULL
(3) suffix: No such realm «NULL»
(3) [suffix] = noop
(3) eap: Peer sent EAP Response (code 2) ID 2 length 152
(3) eap: Continuing tunnel setup
(3) [eap] = ok
(3) } # authorize = ok
(3) Found Auth-Type = EAP
(3) # Executing group from file /usr/local/etc/raddb/sites-enabled/domain
(3) authenticate {
(3) eap: Expiring EAP session with state 0x714e61bf714c78fd
(3) eap: Finished EAP session with state 0x714e61bf714c78fd
(3) eap: Previous EAP request found for state 0x714e61bf714c78fd, released from the list
(3) eap: Peer sent packet with method EAP PEAP (25)
(3) eap: Calling submodule eap_peap to process data
(3) eap_peap: Continuing EAP-TLS
(3) eap_peap: Peer indicated complete TLS record size will be 142 bytes
(3) eap_peap: Got complete TLS record (142 bytes)
(3) eap_peap: [eaptls verify] = length included
(3) eap_peap: (other): before/accept initialization
(3) eap_peap: TLS_accept: before/accept initialization
(3) eap_peap: <<< TLS 1.0 Handshake [length 0089], ClientHello
(3) eap_peap: TLS_accept: SSLv3 read client hello A
(3) eap_peap: >>> TLS 1.0 Handshake [length 0039], ServerHello
(3) eap_peap: TLS_accept: SSLv3 write server hello A
(3) eap_peap: >>> TLS 1.0 Handshake [length 0964], Certificate
(3) eap_peap: TLS_accept: SSLv3 write certificate A
(3) eap_peap: >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange
(3) eap_peap: TLS_accept: SSLv3 write key exchange A
(3) eap_peap: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
(3) eap_peap: TLS_accept: SSLv3 write server done A
(3) eap_peap: TLS_accept: SSLv3 flush data
(3) eap_peap: TLS_accept: Need to read more data: SSLv3 read client certificate A
(3) eap_peap: TLS_accept: Need to read more data: SSLv3 read client certificate A
(3) eap_peap: In SSL Handshake Phase
(3) eap_peap: In SSL Accept mode
(3) eap_peap: [eaptls process] = handled
(3) eap: Sending EAP Request (code 1) ID 3 length 1004
(3) eap: EAP session adding &reply:State = 0x714e61bf704d78fd
(3) [eap] = handled
(3) } # authenticate = handled
(3) Using Post-Auth-Type Challenge
(3) Post-Auth-Type sub-section not found. Ignoring.
(3) Sent Access-Challenge Id 58 from 192.168.8.27:1812 to 192.168.2.250:3072 length 0
(3) EAP-Message = 0x010303ec19c000000b00160301003902000035030194873ddf6cee275a11fcde492d5ae2b8261f83dd50ed9063133a31be2e3d24b500c01400000dff01000100000b00040300010216030109640b00096000095d0005a7308205a33082048ba0030201020213720000003379461d9f383b20c900010000
(3) Message-Authenticator = 0x00000000000000000000000000000000
(3) State = 0x714e61bf704d78fd13de40933f3a43c8
(3) Finished request
Waking up in 4.9 seconds.
(4) Received Access-Request Id 46 from 192.168.2.250:3072 to 192.168.8.27:1812 length 193
(4) User-Name = «test»
(4) Service-Type = Framed-User
(4) NAS-IP-Address = 192.168.2.250
(4) NAS-Port = 10
(4) NAS-Port-Id = «10»
(4) State = 0x714e61bf704d78fd13de40933f3a43c8
(4) Called-Station-Id = «0E-0B-6B-2F-12-67:domain 8021X»
(4) Calling-Station-Id = «B8-E8-56-41-2C-2A»
(4) Connect-Info = «CONNECT 54 Mbps 802.11g»
(4) NAS-Identifier = «AP-domain01»
(4) NAS-Port-Type = Wireless-802.11
(4) Framed-MTU = 1500
(4) EAP-Message = 0x020300061900
(4) Message-Authenticator = 0xe7c2576faeb3228ae2d056b77bc6cce8
(4) session-state: No cached attributes
(4) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/domain
(4) authorize {
(4) [files] = noop
(4) [preprocess] = ok
(4) suffix: Checking for suffix after «@»
(4) suffix: No ‘@’ in User-Name = «test», looking up realm NULL
(4) suffix: No such realm «NULL»
(4) [suffix] = noop
(4) eap: Peer sent EAP Response (code 2) ID 3 length 6
(4) eap: Continuing tunnel setup
(4) [eap] = ok
(4) } # authorize = ok
(4) Found Auth-Type = EAP
(4) # Executing group from file /usr/local/etc/raddb/sites-enabled/domain
(4) authenticate {
(4) eap: Expiring EAP session with state 0x714e61bf704d78fd
(4) eap: Finished EAP session with state 0x714e61bf704d78fd
(4) eap: Previous EAP request found for state 0x714e61bf704d78fd, released from the list
(4) eap: Peer sent packet with method EAP PEAP (25)
(4) eap: Calling submodule eap_peap to process data
(4) eap_peap: Continuing EAP-TLS
(4) eap_peap: Peer ACKed our handshake fragment
(4) eap_peap: [eaptls verify] = request
(4) eap_peap: [eaptls process] = handled
(4) eap: Sending EAP Request (code 1) ID 4 length 1000
(4) eap: EAP session adding &reply:State = 0x714e61bf734a78fd
(4) [eap] = handled
(4) } # authenticate = handled
(4) Using Post-Auth-Type Challenge
(4) Post-Auth-Type sub-section not found. Ignoring.
(4) Sent Access-Challenge Id 46 from 192.168.8.27:1812 to 192.168.2.250:3072 length 0
(4) EAP-Message = 0x010403e81940b53081b206082b060105050730028681a56c6461703a2f2f2f434e3d6e656465636f253230476d624825323043412c434e3d4149412c434e3d5075626c69632532304b657925323053657276696365732c434e3d53657276696365732c434e3d436f6e66696775726174696f6e2c44433d
(4) Message-Authenticator = 0x00000000000000000000000000000000
(4) State = 0x714e61bf734a78fd13de40933f3a43c8
(4) Finished request
Waking up in 4.9 seconds.
(2) Cleaning up request packet ID 42 with timestamp +151
(3) Cleaning up request packet ID 58 with timestamp +151
(4) Cleaning up request packet ID 46 with timestamp +151
Ready to process requests
(5) Received Access-Request Id 216 from 192.168.2.250:3072 to 192.168.8.27:1812 length 193
(5) User-Name = «test»
(5) Service-Type = Framed-User
(5) NAS-IP-Address = 192.168.2.250
(5) NAS-Port = 10
(5) NAS-Port-Id = «10»
(5) State = 0x714e61bf734a78fd13de40933f3a43c8
(5) Called-Station-Id = «0E-0B-6B-2F-12-67:domain 8021X»
(5) Calling-Station-Id = «B8-E8-56-41-2C-2A»
(5) Connect-Info = «CONNECT 54 Mbps 802.11g»
(5) NAS-Identifier = «AP-domain01»
(5) NAS-Port-Type = Wireless-802.11
(5) Framed-MTU = 1500
(5) EAP-Message = 0x020400061900
(5) Message-Authenticator = 0xdf4b4a18dbd046ae4568ed5b900675ca
(5) session-state: No cached attributes
(5) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/domain
(5) authorize {
(5) [files] = noop
(5) [preprocess] = ok
(5) suffix: Checking for suffix after «@»
(5) suffix: No ‘@’ in User-Name = «test», looking up realm NULL
(5) suffix: No such realm «NULL»
(5) [suffix] = noop
(5) eap: Peer sent EAP Response (code 2) ID 4 length 6
(5) eap: Continuing tunnel setup
(5) [eap] = ok
(5) } # authorize = ok
(5) Found Auth-Type = EAP
(5) # Executing group from file /usr/local/etc/raddb/sites-enabled/domain
(5) authenticate {
(5) eap: Expiring EAP session with state 0x714e61bf734a78fd
(5) eap: Finished EAP session with state 0x714e61bf734a78fd
(5) eap: Previous EAP request found for state 0x714e61bf734a78fd, released from the list
(5) eap: Peer sent packet with method EAP PEAP (25)
(5) eap: Calling submodule eap_peap to process data
(5) eap_peap: Continuing EAP-TLS
(5) eap_peap: Peer ACKed our handshake fragment
(5) eap_peap: [eaptls verify] = request
(5) eap_peap: [eaptls process] = handled
(5) eap: Sending EAP Request (code 1) ID 5 length 834
(5) eap: EAP session adding &reply:State = 0x714e61bf724b78fd
(5) [eap] = handled
(5) } # authenticate = handled
(5) Using Post-Auth-Type Challenge
(5) Post-Auth-Type sub-section not found. Ignoring.
(5) Sent Access-Challenge Id 216 from 192.168.8.27:1812 to 192.168.2.250:3072 length 0
(5) EAP-Message = 0x01050342190068d99b627f3ca6561e6c1dcd0e8bb529b85d2515a36c2ba6f906ee9a223e619decfff2f24ef8674307735d591964d50ac988776a55970203010001a3819130818e301306092b060104018237140204061e0400430041300e0603551d0f0101ff040403020186300f0603551d130101ff04
(5) Message-Authenticator = 0x00000000000000000000000000000000
(5) State = 0x714e61bf724b78fd13de40933f3a43c8
(5) Finished request
Waking up in 4.9 seconds.
(6) Received Access-Request Id 228 from 192.168.2.250:3072 to 192.168.8.27:1812 length 331
(6) User-Name = «test»
(6) Service-Type = Framed-User
(6) NAS-IP-Address = 192.168.2.250
(6) NAS-Port = 10
(6) NAS-Port-Id = «10»
(6) State = 0x714e61bf724b78fd13de40933f3a43c8
(6) Called-Station-Id = «0E-0B-6B-2F-12-67:domain 8021X»
(6) Calling-Station-Id = «B8-E8-56-41-2C-2A»
(6) Connect-Info = «CONNECT 54 Mbps 802.11g»
(6) NAS-Identifier = «AP-domain01»
(6) NAS-Port-Type = Wireless-802.11
(6) Framed-MTU = 1500
(6) EAP-Message = 0x0205009019800000008616030100461000004241041ddb75e112e6a51620e1d90e79faf858ba440ee51859f6f36dbb3d61474b8fc891e7a246f576a1aef8372b95f81c96af01b2ba44e938f2dde2e5fa57032812201403010001011603010030680540b7b149e993c9f964d5e0a79cda35934c4c8e292f
(6) Message-Authenticator = 0x96295d1faa87d10973b6fe400102f545
(6) session-state: No cached attributes
(6) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/domain
(6) authorize {
(6) [files] = noop
(6) [preprocess] = ok
(6) suffix: Checking for suffix after «@»
(6) suffix: No ‘@’ in User-Name = «test», looking up realm NULL
(6) suffix: No such realm «NULL»
(6) [suffix] = noop
(6) eap: Peer sent EAP Response (code 2) ID 5 length 144
(6) eap: Continuing tunnel setup
(6) [eap] = ok
(6) } # authorize = ok
(6) Found Auth-Type = EAP
(6) # Executing group from file /usr/local/etc/raddb/sites-enabled/domain
(6) authenticate {
(6) eap: Expiring EAP session with state 0x714e61bf724b78fd
(6) eap: Finished EAP session with state 0x714e61bf724b78fd
(6) eap: Previous EAP request found for state 0x714e61bf724b78fd, released from the list
(6) eap: Peer sent packet with method EAP PEAP (25)
(6) eap: Calling submodule eap_peap to process data
(6) eap_peap: Continuing EAP-TLS
(6) eap_peap: Peer indicated complete TLS record size will be 134 bytes
(6) eap_peap: Got complete TLS record (134 bytes)
(6) eap_peap: [eaptls verify] = length included
(6) eap_peap: <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange
(6) eap_peap: TLS_accept: SSLv3 read client key exchange A
(6) eap_peap: <<< TLS 1.0 ChangeCipherSpec length 0001
(6) eap_peap: <<< TLS 1.0 Handshake [length 0010], Finished
(6) eap_peap: TLS_accept: SSLv3 read finished A
(6) eap_peap: >>> TLS 1.0 ChangeCipherSpec length 0001
(6) eap_peap: TLS_accept: SSLv3 write change cipher spec A
(6) eap_peap: >>> TLS 1.0 Handshake [length 0010], Finished
(6) eap_peap: TLS_accept: SSLv3 write finished A
(6) eap_peap: TLS_accept: SSLv3 flush data
(6) eap_peap: (other): SSL negotiation finished successfully
(6) eap_peap: SSL Connection Established
(6) eap_peap: [eaptls process] = handled
(6) eap: Sending EAP Request (code 1) ID 6 length 65
(6) eap: EAP session adding &reply:State = 0x714e61bf754878fd
(6) [eap] = handled
(6) } # authenticate = handled
(6) Using Post-Auth-Type Challenge
(6) Post-Auth-Type sub-section not found. Ignoring.
(6) Sent Access-Challenge Id 228 from 192.168.8.27:1812 to 192.168.2.250:3072 length 0
(6) EAP-Message = 0x01060041190014030100010116030100301b8a91b9523361e58c472a6f4bedc223a3780b77e80492846d5f574cd2db238cdd236645e7e78ed7e706e2dd3aecd6a2
(6) Message-Authenticator = 0x00000000000000000000000000000000
(6) State = 0x714e61bf754878fd13de40933f3a43c8
(6) Finished request
Waking up in 4.8 seconds.
(7) Received Access-Request Id 77 from 192.168.2.250:3072 to 192.168.8.27:1812 length 193
(7) User-Name = «test»
(7) Service-Type = Framed-User
(7) NAS-IP-Address = 192.168.2.250
(7) NAS-Port = 10
(7) NAS-Port-Id = «10»
(7) State = 0x714e61bf754878fd13de40933f3a43c8
(7) Called-Station-Id = «0E-0B-6B-2F-12-67:domain 8021X»
(7) Calling-Station-Id = «B8-E8-56-41-2C-2A»
(7) Connect-Info = «CONNECT 54 Mbps 802.11g»
(7) NAS-Identifier = «AP-domain01»
(7) NAS-Port-Type = Wireless-802.11
(7) Framed-MTU = 1500
(7) EAP-Message = 0x020600061900
(7) Message-Authenticator = 0xaabe36b47f3a6a409dd2ec806970d983
(7) session-state: No cached attributes
(7) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/domain
(7) authorize {
(7) [files] = noop
(7) [preprocess] = ok
(7) suffix: Checking for suffix after «@»
(7) suffix: No ‘@’ in User-Name = «test», looking up realm NULL
(7) suffix: No such realm «NULL»
(7) [suffix] = noop
(7) eap: Peer sent EAP Response (code 2) ID 6 length 6
(7) eap: Continuing tunnel setup
(7) [eap] = ok
(7) } # authorize = ok
(7) Found Auth-Type = EAP
(7) # Executing group from file /usr/local/etc/raddb/sites-enabled/domain
(7) authenticate {
(7) eap: Expiring EAP session with state 0x714e61bf754878fd
(7) eap: Finished EAP session with state 0x714e61bf754878fd
(7) eap: Previous EAP request found for state 0x714e61bf754878fd, released from the list
(7) eap: Peer sent packet with method EAP PEAP (25)
(7) eap: Calling submodule eap_peap to process data
(7) eap_peap: Continuing EAP-TLS
(7) eap_peap: Peer ACKed our handshake fragment. handshake is finished
(7) eap_peap: [eaptls verify] = success
(7) eap_peap: [eaptls process] = success
(7) eap_peap: Session established. Decoding tunneled attributes
(7) eap_peap: PEAP state TUNNEL ESTABLISHED
(7) eap: Sending EAP Request (code 1) ID 7 length 43
(7) eap: EAP session adding &reply:State = 0x714e61bf744978fd
(7) [eap] = handled
(7) } # authenticate = handled
(7) Using Post-Auth-Type Challenge
(7) Post-Auth-Type sub-section not found. Ignoring.
(7) Sent Access-Challenge Id 77 from 192.168.8.27:1812 to 192.168.2.250:3072 length 0
(7) EAP-Message = 0x0107002b19001703010020a6135f04ae6dffd42c8ef419d75113ac720759219e31f74d4247b6b610e9a071
(7) Message-Authenticator = 0x00000000000000000000000000000000
(7) State = 0x714e61bf744978fd13de40933f3a43c8
(7) Finished request
Waking up in 4.8 seconds.
(8) Received Access-Request Id 86 from 192.168.2.250:3072 to 192.168.8.27:1812 length 230
(8) User-Name = «test»
(8) Service-Type = Framed-User
(8) NAS-IP-Address = 192.168.2.250
(8) NAS-Port = 10
(8) NAS-Port-Id = «10»
(8) State = 0x714e61bf744978fd13de40933f3a43c8
(8) Called-Station-Id = «0E-0B-6B-2F-12-67:domain 8021X»
(8) Calling-Station-Id = «B8-E8-56-41-2C-2A»
(8) Connect-Info = «CONNECT 54 Mbps 802.11g»
(8) NAS-Identifier = «AP-domain01»
(8) NAS-Port-Type = Wireless-802.11
(8) Framed-MTU = 1500
(8) EAP-Message = 0x0207002b19001703010020aa7e796b21bdc47f3c2b751c50ffbf8aaaafc3ad47a3a4a6dab850e706bf7227
(8) Message-Authenticator = 0xb0ef481a7beafe09a46383286750ead8
(8) session-state: No cached attributes
(8) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/domain
(8) authorize {
(8) [files] = noop
(8) [preprocess] = ok
(8) suffix: Checking for suffix after «@»
(8) suffix: No ‘@’ in User-Name = «test», looking up realm NULL
(8) suffix: No such realm «NULL»
(8) [suffix] = noop
(8) eap: Peer sent EAP Response (code 2) ID 7 length 43
(8) eap: Continuing tunnel setup
(8) [eap] = ok
(8) } # authorize = ok
(8) Found Auth-Type = EAP
(8) # Executing group from file /usr/local/etc/raddb/sites-enabled/domain
(8) authenticate {
(8) eap: Expiring EAP session with state 0x714e61bf744978fd
(8) eap: Finished EAP session with state 0x714e61bf744978fd
(8) eap: Previous EAP request found for state 0x714e61bf744978fd, released from the list
(8) eap: Peer sent packet with method EAP PEAP (25)
(8) eap: Calling submodule eap_peap to process data
(8) eap_peap: Continuing EAP-TLS
(8) eap_peap: [eaptls verify] = ok
(8) eap_peap: Done initial handshake
(8) eap_peap: [eaptls process] = ok
(8) eap_peap: Session established. Decoding tunneled attributes
(8) eap_peap: PEAP state WAITING FOR INNER IDENTITY
(8) eap_peap: Identity - test
(8) eap_peap: Got inner identity ‘test’
(8) eap_peap: Setting default EAP type for tunneled EAP session
(8) eap_peap: Got tunneled request
(8) eap_peap: EAP-Message = 0x020700090174657374
(8) eap_peap: Setting User-Name to test
(8) eap_peap: Sending tunneled request to inner-tunnel
(8) eap_peap: EAP-Message = 0x020700090174657374
(8) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(8) eap_peap: User-Name = «test»
(8) Virtual server inner-tunnel received request
(8) EAP-Message = 0x020700090174657374
(8) FreeRADIUS-Proxied-To = 127.0.0.1
(8) User-Name = «test»
(8) server inner-tunnel {
(8) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel-domain
(8) authorize {
(8) [files] = noop
(8) [mschap] = noop
(8) suffix: Checking for suffix after «@»
(8) suffix: No ‘@’ in User-Name = «test», looking up realm NULL
(8) suffix: No such realm «NULL»
(8) [suffix] = noop
(8) update control {
(8) Proxy-To-Realm := LOCAL
(8) } # update control = noop
(8) eap: Peer sent EAP Response (code 2) ID 7 length 9
(8) eap: EAP-Identity reply, returning ‘ok’ so we can short-circuit the rest of authorize
(8) [eap] = ok
(8) } # authorize = ok
(8) Found Auth-Type = EAP
(8) # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel-domain
(8) authenticate {
(8) eap: Peer sent packet with method EAP Identity (1)
(8) eap: Calling submodule eap_mschapv2 to process data
(8) eap_mschapv2: Issuing Challenge
(8) eap: Sending EAP Request (code 1) ID 8 length 43
(8) eap: EAP session adding &reply:State = 0xbd1845cebd105fc4
(8) [eap] = handled
(8) } # authenticate = handled
(8) } # server inner-tunnel
(8) Virtual server sending reply
(8) EAP-Message = 0x0108002b1a0108002610ba684a0833e561a9e780eedf9829518f667265657261646975732d332e302e3131
(8) Message-Authenticator = 0x00000000000000000000000000000000
(8) State = 0xbd1845cebd105fc4a22a1c51082d7ecf
(8) eap_peap: Got tunneled reply code 11
(8) eap_peap: EAP-Message = 0x0108002b1a0108002610ba684a0833e561a9e780eedf9829518f667265657261646975732d332e302e3131
(8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(8) eap_peap: State = 0xbd1845cebd105fc4a22a1c51082d7ecf
(8) eap_peap: Got tunneled reply RADIUS code 11
(8) eap_peap: EAP-Message = 0x0108002b1a0108002610ba684a0833e561a9e780eedf9829518f667265657261646975732d332e302e3131
(8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(8) eap_peap: State = 0xbd1845cebd105fc4a22a1c51082d7ecf
(8) eap_peap: Got tunneled Access-Challenge
(8) eap: Sending EAP Request (code 1) ID 8 length 75
(8) eap: EAP session adding &reply:State = 0x714e61bf774678fd
(8) [eap] = handled
(8) } # authenticate = handled
(8) Using Post-Auth-Type Challenge
(8) Post-Auth-Type sub-section not found. Ignoring.
(8) Sent Access-Challenge Id 86 from 192.168.8.27:1812 to 192.168.2.250:3072 length 0
(8) EAP-Message = 0x0108004b19001703010040c6831d9a1c5c30c64d40563c5fa21ee3cc103adbb4e99517563c9e67d781aefdd941ba0f19bc124976046e7471792eec1d4771c20abf67b78282a152634eed5e
(8) Message-Authenticator = 0x00000000000000000000000000000000
(8) State = 0x714e61bf774678fd13de40933f3a43c8
(8) Finished request
Waking up in 4.8 seconds.
(5) Cleaning up request packet ID 216 with timestamp +181
(6) Cleaning up request packet ID 228 with timestamp +181
(7) Cleaning up request packet ID 77 with timestamp +181
(8) Cleaning up request packet ID 86 with timestamp +181
Ready to process requests
(9) Received Access-Request Id 14 from 192.168.2.250:3072 to 192.168.8.27:1812 length 278
(9) User-Name = «test»
(9) Service-Type = Framed-User
(9) NAS-IP-Address = 192.168.2.250
(9) NAS-Port = 10
(9) NAS-Port-Id = «10»
(9) State = 0x714e61bf774678fd13de40933f3a43c8
(9) Called-Station-Id = «0E-0B-6B-2F-12-67:domain 8021X»
(9) Calling-Station-Id = «B8-E8-56-41-2C-2A»
(9) Connect-Info = «CONNECT 54 Mbps 802.11g»
(9) NAS-Identifier = «AP-domain01»
(9) NAS-Port-Type = Wireless-802.11
(9) Framed-MTU = 1500
(9) EAP-Message = 0x0208005b1900170301005041a588e579c1a63e94555d08bea2166f123e059dea3d7f8a17bcbfd8e4f4a54c876ceee7b33a4a101a4afd0dc078e77a3c8163b76b6c9e9567e6954214f5e1ec01cdafcd013db92c58ae136658519d20
(9) Message-Authenticator = 0xac0b3e273dede594c80988c13eaafd54
(9) session-state: No cached attributes
(9) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/domain
(9) authorize {
(9) [files] = noop
(9) [preprocess] = ok
(9) suffix: Checking for suffix after «@»
(9) suffix: No ‘@’ in User-Name = «test», looking up realm NULL
(9) suffix: No such realm «NULL»
(9) [suffix] = noop
(9) eap: Peer sent EAP Response (code 2) ID 8 length 91
(9) eap: Continuing tunnel setup
(9) [eap] = ok
(9) } # authorize = ok
(9) Found Auth-Type = EAP
(9) # Executing group from file /usr/local/etc/raddb/sites-enabled/domain
(9) authenticate {
(9) eap: Expiring EAP session with state 0xbd1845cebd105fc4
(9) eap: Finished EAP session with state 0x714e61bf774678fd
(9) eap: Previous EAP request found for state 0x714e61bf774678fd, released from the list
(9) eap: Peer sent packet with method EAP PEAP (25)
(9) eap: Calling submodule eap_peap to process data
(9) eap_peap: Continuing EAP-TLS
(9) eap_peap: [eaptls verify] = ok
(9) eap_peap: Done initial handshake
(9) eap_peap: [eaptls process] = ok
(9) eap_peap: Session established. Decoding tunneled attributes
(9) eap_peap: PEAP state phase2
(9) eap_peap: EAP method MSCHAPv2 (26)
(9) eap_peap: Got tunneled request
(9) eap_peap: EAP-Message = 0x0208003f1a0208003a316670e0343c5cde7c22158c2f3b1e05bd0000000000000000e36cbc3c625721798db23c5fc199979df656a52246010d310074657374
(9) eap_peap: Setting User-Name to test
(9) eap_peap: Sending tunneled request to inner-tunnel
(9) eap_peap: EAP-Message = 0x0208003f1a0208003a316670e0343c5cde7c22158c2f3b1e05bd0000000000000000e36cbc3c625721798db23c5fc199979df656a52246010d310074657374
(9) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(9) eap_peap: User-Name = «test»
(9) eap_peap: State = 0xbd1845cebd105fc4a22a1c51082d7ecf
(9) Virtual server inner-tunnel received request
(9) EAP-Message = 0x0208003f1a0208003a316670e0343c5cde7c22158c2f3b1e05bd0000000000000000e36cbc3c625721798db23c5fc199979df656a52246010d310074657374
(9) FreeRADIUS-Proxied-To = 127.0.0.1
(9) User-Name = «test»
(9) State = 0xbd1845cebd105fc4a22a1c51082d7ecf
(9) server inner-tunnel {
(9) session-state: No cached attributes
(9) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel-domain
(9) authorize {
(9) [files] = noop
(9) [mschap] = noop
(9) suffix: Checking for suffix after «@»
(9) suffix: No ‘@’ in User-Name = «test», looking up realm NULL
(9) suffix: No such realm «NULL»
(9) [suffix] = noop
(9) update control {
(9) Proxy-To-Realm := LOCAL
(9) } # update control = noop
(9) eap: Peer sent EAP Response (code 2) ID 8 length 63
(9) eap: No EAP Start, assuming it’s an on-going EAP conversation
(9) [eap] = updated
(9) [expiration] = noop
(9) [logintime] = noop
rlm_ldap (ldap_domain): Closing connection (2): Hit idle_timeout, was idle for 211 seconds
rlm_ldap (ldap_domain): Closing connection (3): Hit idle_timeout, was idle for 211 seconds
rlm_ldap (ldap_domain): Closing connection (4): Hit idle_timeout, was idle for 211 seconds
rlm_ldap (ldap_domain): Closing connection (0): Hit idle_timeout, was idle for 202 seconds
rlm_ldap (ldap_domain): You probably need to lower «min»
rlm_ldap (ldap_domain): Closing connection (5): Hit idle_timeout, was idle for 202 seconds
rlm_ldap (ldap_domain): You probably need to lower «min»
rlm_ldap (ldap_domain): Closing connection (1): Hit idle_timeout, was idle for 202 seconds
rlm_ldap (ldap_domain): You probably need to lower «min»
rlm_ldap (ldap_domain): 0 of 0 connections in use. You may need to increase «spare»
rlm_ldap (ldap_domain): Opening additional connection (6), 1 of 32 pending slots used
rlm_ldap (ldap_domain): Connecting to ldap://dc.domain.local:389
rlm_ldap (ldap_domain): Waiting for bind result…
rlm_ldap (ldap_domain): Bind successful
rlm_ldap (ldap_domain): Reserved connection (6)
(9) ldap_domain: EXPAND (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})
(9) ldap_domain: --> (sAMAccountName=test)
(9) ldap_domain: Performing search in «cn=Users,dc=domain,dc=local» with filter «(sAMAccountName=test)», scope «sub»
(9) ldap_domain: Waiting for search result…
(9) ldap_domain: User object found at DN «CN=Test TEST,CN=Users,DC=domain,DC=local»
(9) ldap_domain: Processing user attributes
(9) ldap_domain: WARNING: No «known good» password added. Ensure the admin user has permission to read the password attribute
(9) ldap_domain: WARNING: PAP authentication will NOT work with Active Directory (if that is what you were trying to configure)
rlm_ldap (ldap_domain): Released connection (6)
rlm_ldap (ldap_domain): Need 2 more connections to reach 10 spares
rlm_ldap (ldap_domain): Opening additional connection (7), 1 of 31 pending slots used
rlm_ldap (ldap_domain): Connecting to ldap://dc.domain.local:389
rlm_ldap (ldap_domain): Waiting for bind result…
rlm_ldap (ldap_domain): Bind successful
(9) [ldap_domain] = ok
(9) if ((ok || updated) && User-Password) {
(9) if ((ok || updated) && User-Password) -> FALSE
(9) [pap] = noop
(9) if (User-Password) {
(9) if (User-Password) -> FALSE
(9) } # authorize = updated
(9) Found Auth-Type = EAP
(9) # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel-domain
(9) authenticate {
(9) eap: Expiring EAP session with state 0xbd1845cebd105fc4
(9) eap: Finished EAP session with state 0xbd1845cebd105fc4
(9) eap: Previous EAP request found for state 0xbd1845cebd105fc4, released from the list
(9) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(9) eap: Calling submodule eap_mschapv2 to process data
(9) eap_mschapv2: # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel-domain
(9) eap_mschapv2: Auth-Type MS-CHAP {
(9) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password
(9) mschap: WARNING: No Cleartext-Password configured. Cannot create LM-Password
(9) mschap: Creating challenge hash with username: test
(9) mschap: Client is using MS-CHAPv2
(9) mschap: ERROR: FAILED: No NT/LM-Password. Cannot perform authentication
(9) mschap: ERROR: MS-CHAP2-Response is incorrect
(9) [mschap] = reject
(9) } # Auth-Type MS-CHAP = reject
(9) eap: Sending EAP Failure (code 4) ID 8 length 4
(9) eap: Freeing handler
(9) [eap] = reject
(9) } # authenticate = reject
(9) Failed to authenticate the user
(9) Using Post-Auth-Type Reject
(9) Post-Auth-Type sub-section not found. Ignoring.
(9) } # server inner-tunnel
(9) Virtual server sending reply
(9) MS-CHAP-Error = «10E=691 R=1 C=12a7b91273b8d4ea014f8d6353762c6f V=3 M=Authentication failed»
(9) EAP-Message = 0x04080004
(9) Message-Authenticator = 0x00000000000000000000000000000000
(9) eap_peap: Got tunneled reply code 3
(9) eap_peap: MS-CHAP-Error = «10E=691 R=1 C=12a7b91273b8d4ea014f8d6353762c6f V=3 M=Authentication failed»
(9) eap_peap: EAP-Message = 0x04080004
(9) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(9) eap_peap: Got tunneled reply RADIUS code 3
(9) eap_peap: MS-CHAP-Error = «10E=691 R=1 C=12a7b91273b8d4ea014f8d6353762c6f V=3 M=Authentication failed»
(9) eap_peap: EAP-Message = 0x04080004
(9) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(9) eap_peap: Tunneled authentication was rejected
(9) eap_peap: FAILURE
(9) eap: Sending EAP Request (code 1) ID 9 length 43
(9) eap: EAP session adding &reply:State = 0x714e61bf764778fd
(9) [eap] = handled
(9) } # authenticate = handled
(9) Using Post-Auth-Type Challenge
(9) Post-Auth-Type sub-section not found. Ignoring.
(9) Sent Access-Challenge Id 14 from 192.168.8.27:1812 to 192.168.2.250:3072 length 0
(9) EAP-Message = 0x0109002b19001703010020b8c28870cb31e457ad24447c2dad4915f836138d395b9e74200fe48a71906242
(9) Message-Authenticator = 0x00000000000000000000000000000000
(9) State = 0x714e61bf764778fd13de40933f3a43c8
(9) Finished request
Waking up in 4.9 seconds.
(10) Received Access-Request Id 10 from 192.168.2.250:3072 to 192.168.8.27:1812 length 230
(10) User-Name = «test»
(10) Service-Type = Framed-User
(10) NAS-IP-Address = 192.168.2.250
(10) NAS-Port = 10
(10) NAS-Port-Id = «10»
(10) State = 0x714e61bf764778fd13de40933f3a43c8
(10) Called-Station-Id = «0E-0B-6B-2F-12-67:domain 8021X»
(10) Calling-Station-Id = «B8-E8-56-41-2C-2A»
(10) Connect-Info = «CONNECT 54 Mbps 802.11g»
(10) NAS-Identifier = «AP-domain01»
(10) NAS-Port-Type = Wireless-802.11
(10) Framed-MTU = 1500
(10) EAP-Message = 0x0209002b190017030100209f64c67a9a32761683b0d21eb6f28bfb8a42fa0a50d6ef3dfbf3815d7511e4a1
(10) Message-Authenticator = 0x26f3267a7372bfa1b0f71a27ccba5c9f
(10) session-state: No cached attributes
(10) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/domain
(10) authorize {
(10) [files] = noop
(10) [preprocess] = ok
(10) suffix: Checking for suffix after «@»
(10) suffix: No ‘@’ in User-Name = «test», looking up realm NULL
(10) suffix: No such realm «NULL»
(10) [suffix] = noop
(10) eap: Peer sent EAP Response (code 2) ID 9 length 43
(10) eap: Continuing tunnel setup
(10) [eap] = ok
(10) } # authorize = ok
(10) Found Auth-Type = EAP
(10) # Executing group from file /usr/local/etc/raddb/sites-enabled/domain
(10) authenticate {
(10) eap: Expiring EAP session with state 0x714e61bf764778fd
(10) eap: Finished EAP session with state 0x714e61bf764778fd
(10) eap: Previous EAP request found for state 0x714e61bf764778fd, released from the list
(10) eap: Peer sent packet with method EAP PEAP (25)
(10) eap: Calling submodule eap_peap to process data
(10) eap_peap: Continuing EAP-TLS
(10) eap_peap: [eaptls verify] = ok
(10) eap_peap: Done initial handshake
(10) eap_peap: [eaptls process] = ok
(10) eap_peap: Session established. Decoding tunneled attributes
(10) eap_peap: PEAP state send tlv failure
(10) eap_peap: Received EAP-TLV response
(10) eap_peap: The users session was previously rejected: returning reject (again.)
(10) eap_peap: This means you need to read the PREVIOUS messages in the debug output
(10) eap_peap: to find out the reason why the user was rejected
(10) eap_peap: Look for «reject» or «fail». Those earlier messages will tell you
(10) eap_peap: what went wrong, and how to fix the problem
(10) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed
(10) eap: Sending EAP Failure (code 4) ID 9 length 4
(10) eap: Failed in EAP select
(10) [eap] = invalid
(10) } # authenticate = invalid
(10) Failed to authenticate the user
(10) Using Post-Auth-Type Reject
(10) Post-Auth-Type sub-section not found. Ignoring.
(10) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(10) Sending delayed response
(10) Sent Access-Reject Id 10 from 192.168.8.27:1812 to 192.168.2.250:3072 length 44
(10) EAP-Message = 0x04090004
(10) Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.
(9) Cleaning up request packet ID 14 with timestamp +211
(10) Cleaning up request packet ID 10 with timestamp +211
Ready to process requests

default site:

server default {

listen {
    type = auth
    ipaddr = *
    port = 0
#   clients = per_socket_clients

    limit {
        max_connections = 0
        lifetime = 0
        idle_timeout = 30
    }
}

listen {
    ipaddr = *
    port = 0
    type = acct
#   interface = eth0
#   clients = per_socket_clients

    limit {
        idle_timeout = 0
        lifetime = 0
        max_connections = 0
    }
}

authorize {
    files
    preprocess
    suffix
    eap {
        ok = return
    }
    expiration
    logintime

}

authenticate {
    eap
}

preacct {
}

accounting {
    detail
    sql_domain
}

session {
    radutmp
    sql_domain
}

post-auth {
}

pre-proxy {
}

post-proxy {
}

}

inner-tunnel site:
server inner-tunnel {

listen {
    ipaddr = 127.0.0.1
    port = 18120
    type = auth
}

authorize {
    files
    mschap
    suffix
    update control {
        Proxy-To-Realm := LOCAL
    }
    eap {
        ok = return
    }
    expiration
    logintime
    ldap_domain
    if ((ok || updated) && User-Password) {
        update {
            control:Auth-Type := ldap
        }
    }
    pap
    if (User-Password) {
        update control {
            Auth-Type := ldap
        }
    }
}

authenticate {
    Auth-Type PAP {
        #ldap_domain
        pap
    }
    Auth-Type CHAP {
        chap
    }
    Auth-Type MS-CHAP {
        mschap
    }
    Auth-Type LDAP {
        ldap_domain
    }
    ldap_domain
    eap
}

session {
    radutmp
}

post-auth {
}

pre-proxy {
}

post-proxy {
}

}

eap configuration:

eap {
default_eap_type = peap
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = ${max_requests}
md5 {
}

leap {
}

gtc {
    auth_type = PAP
}

tls-config tls-common {
    private_key_password = whatever
    private_key_file = ${certdir}/nedeco/aaa.nedeco.local.key
    certificate_file = ${certdir}/nedeco/aaa.nedeco.local.pem
    ca_file = ${cadir}/nedeco/nedeco_CA.pem
    dh_file = ${certdir}/dh
    random_file = /dev/urandom
    ca_path = ${cadir}
    cipher_list = "DEFAULT"
    ecdh_curve = "prime256v1"
    cache {
        enable = no
        lifetime = 24 # hours
        max_entries = 255
    }

    verify {
    }

    ocsp {
        enable = no
        override_cert_url = yes
        url = "http://127.0.0.1/ocsp/"
    }
}

tls {
    tls = tls-common
}

ttls {
}


peap {
    tls = tls-common
    default_eap_type = mschapv2
    copy_request_to_tunnel = no
    use_tunneled_reply = no
    proxy_tunneled_request_as_eap = no
    virtual_server = "inner-tunnel"
}

mschapv2 {
}

}

the chap configuration:

chap {
# no configuration
}

the mschap configuration:

mschap {
use_mppe = yes
require_encryption = yes
require_strong = yes
with_ntdomain_hack = yes

pool {
    start = ${thread[pool].start_servers}
    min = ${thread[pool].min_spare_servers}
    max = ${thread[pool].max_servers}
    spare = ${thread[pool].max_spare_servers}
    uses = 0
    retry_delay = 30
    lifetime = 86400
    cleanup_interval = 300
    idle_timeout = 600
}

passchange {
}

retry_msg = "Re-enter (or reset) the password"

}

ldap configuration:

ldap ldap_domain {
server = 'dc.domain.local'
port = 389
identity = 'cn=Administrator,cn=Users,dc=domain,dc=local'
password = password
base_dn = 'cn=Users,dc=domain,dc=local'

sasl {
    realm = 'domain.local'
}


update {
    control:Password-With-Header    += 'userPassword'
    control:NT-Password     := 'ntPassword'
    control:            += 'radiusControlAttribute'
    request:            += 'radiusRequestAttribute'
    reply:              += 'radiusReplyAttribute'
}

edir_autz = yes

user {
    base_dn = "${..base_dn}"
    filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"

    sasl {
    }

    scope = 'sub'

}


group {
    base_dn = "${..base_dn}"
    filter = '(objectClass=posixGroup)'
    membership_attribute = 'memberOf'
}


profile {
}


client {
    base_dn = "${..base_dn}"
    filter = '(objectClass=radiusClient)'

    attribute {
        ipaddr              = 'radiusClientIdentifier'
        secret              = 'radiusClientSecret'
    }
}


accounting {
    reference = "%{tolower:type.%{Acct-Status-Type}}"

    type {
        start {
            update {
                description := "Online at %S"
            }
        }

        interim-update {
            update {
                description := "Last seen at %S"
            }
        }

        stop {
            update {
                description := "Offline at %S"
            }
        }
    }
}


post-auth {
    update {
        description := "Authenticated at %S"
    }
}

options {
    chase_referrals = yes
    rebind = yes
    res_timeout = 10
    srv_timelimit = 3
    net_timeout = 1
    idle = 60
    probes = 3
    interval = 3
    ldap_debug = 0x0028
}

tls {
    start_tls = yes
    require_cert    = 'never'
}

pool {
    start = ${thread[pool].start_servers}
    min = ${thread[pool].min_spare_servers}
    max = ${thread[pool].max_servers}
    spare = ${thread[pool].max_spare_servers}
    uses = 0
    retry_delay = 30
    lifetime = 0
    idle_timeout = 60
}

}

radius Version: radiusd: FreeRADIUS Version 3.0.11 (git #7a659a2), for host x86_64-unknown-linux-gnu, built on Oct 7 2015 at 15:23:07

with user bob over console:

(0) Received Access-Request Id 213 from 127.0.0.1:45282 to 127.0.0.1:18120 length 73
(0) User-Name = «bob»
(0) User-Password = «hello»
(0) NAS-IP-Address = 192.168.8.27
(0) NAS-Port = 0
(0) Message-Authenticator = 0xbed4902174d4f8ff5f36492af1ae51de
(0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel-domain
(0) authorize {
(0) files: users: Matched entry bob at line 69
(0) [files] = ok
(0) [mschap] = noop
(0) suffix: Checking for suffix after «@»
(0) suffix: No ‘@’ in User-Name = «bob», looking up realm NULL
(0) suffix: No such realm «NULL»
(0) [suffix] = noop
(0) update control {
(0) Proxy-To-Realm := LOCAL
(0) } # update control = noop
(0) eap: No EAP-Message, not doing EAP
(0) [eap] = noop
(0) [expiration] = noop
(0) [logintime] = noop
rlm_ldap (ldap_domain): Reserved connection (0)
(0) ldap_domain: EXPAND (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})
(0) ldap_domain: --> (sAMAccountName=bob)
(0) ldap_domain: Performing search in «cn=Users,dc=domain,dc=local» with filter «(sAMAccountName=bob)», scope «sub»
(0) ldap_domain: Waiting for search result…
(0) ldap_domain: Search returned no results
rlm_ldap (ldap_domain): Released connection (0)
rlm_ldap (ldap_domain): Need 5 more connections to reach 10 spares
rlm_ldap (ldap_domain): Opening additional connection (5), 1 of 27 pending slots used
rlm_ldap (ldap_domain): Connecting to ldap://dc.domain.local:389
rlm_ldap (ldap_domain): Waiting for bind result…
rlm_ldap (ldap_domain): Bind successful
(0) [ldap_domain] = notfound
(0) if ((ok || updated) && User-Password) {
(0) if ((ok || updated) && User-Password) -> FALSE
(0) [pap] = updated
(0) if (User-Password) {
(0) if (User-Password) -> TRUE
(0) if (User-Password) {
(0) update control {
(0) Auth-Type := LDAP
(0) } # update control = noop
(0) } # if (User-Password) = noop
(0) } # authorize = updated
(0) Found Auth-Type = LDAP
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel-domain
(0) Auth-Type LDAP {
rlm_ldap (ldap_domain): Reserved connection (1)
(0) ldap_domain: Login attempt by «bob»
(0) ldap_domain: EXPAND (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})
(0) ldap_domain: --> (sAMAccountName=bob)
(0) ldap_domain: Performing search in «cn=Users,dc=domain,dc=local» with filter «(sAMAccountName=bob)», scope «sub»
(0) ldap_domain: Waiting for search result…
(0) ldap_domain: Search returned no results
rlm_ldap (ldap_domain): Released connection (1)
(0) [ldap_domain] = notfound
(0) } # Auth-Type LDAP = notfound
(0) Failed to authenticate the user
(0) Using Post-Auth-Type Reject
(0) Post-Auth-Type sub-section not found. Ignoring.
(0) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(0) Sending delayed response
(0) Sent Access-Reject Id 213 from 127.0.0.1:18120 to 127.0.0.1:45282 length 20
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 213 with timestamp +5
Ready to process requests

with user bob over AccessPoint:

(1) Received Access-Request Id 155 from 192.168.2.250:3072 to 192.168.8.27:1812 length 176
(1) User-Name = «bob»
(1) Service-Type = Framed-User
(1) NAS-IP-Address = 192.168.2.250
(1) NAS-Port = 10
(1) NAS-Port-Id = «10»
(1) Called-Station-Id = «0E-0B-6B-2F-12-67:domain 8021X»
(1) Calling-Station-Id = «B8-E8-56-41-2C-2A»
(1) Connect-Info = «CONNECT 54 Mbps 802.11g»
(1) NAS-Identifier = «AP-domain01»
(1) NAS-Port-Type = Wireless-802.11
(1) Framed-MTU = 1500
(1) EAP-Message = 0x0201000801626f62
(1) Message-Authenticator = 0x4680895a204b3df7d15d82558ff9e6ea
(1) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/domain
(1) authorize {
(1) files: users: Matched entry bob at line 69
(1) [files] = ok
(1) [preprocess] = ok
(1) suffix: Checking for suffix after «@»
(1) suffix: No ‘@’ in User-Name = «bob», looking up realm NULL
(1) suffix: No such realm «NULL»
(1) [suffix] = noop
(1) eap: Peer sent EAP Response (code 2) ID 1 length 8
(1) eap: EAP-Identity reply, returning ‘ok’ so we can short-circuit the rest of authorize
(1) [eap] = ok
(1) } # authorize = ok
(1) Found Auth-Type = EAP
(1) # Executing group from file /usr/local/etc/raddb/sites-enabled/domain
(1) authenticate {
(1) eap: Peer sent packet with method EAP Identity (1)
(1) eap: Calling submodule eap_peap to process data
(1) eap_peap: Initiating new EAP-TLS session
(1) eap_peap: [eaptls start] = request
(1) eap: Sending EAP Request (code 1) ID 2 length 6
(1) eap: EAP session adding &reply:State = 0x7322fa167320e364
(1) [eap] = handled
(1) } # authenticate = handled
(1) Using Post-Auth-Type Challenge
(1) Post-Auth-Type sub-section not found. Ignoring.
(1) Sent Access-Challenge Id 155 from 192.168.8.27:1812 to 192.168.2.250:3072 length 0
(1) EAP-Message = 0x010200061920
(1) Message-Authenticator = 0x00000000000000000000000000000000
(1) State = 0x7322fa167320e3641bb25e163c98a49d
(1) Finished request
Waking up in 4.9 seconds.
(2) Received Access-Request Id 219 from 192.168.2.250:3072 to 192.168.8.27:1812 length 338
(2) User-Name = «bob»
(2) Service-Type = Framed-User
(2) NAS-IP-Address = 192.168.2.250
(2) NAS-Port = 10
(2) NAS-Port-Id = «10»
(2) State = 0x7322fa167320e3641bb25e163c98a49d
(2) Called-Station-Id = «0E-0B-6B-2F-12-67:domain 8021X»
(2) Calling-Station-Id = «B8-E8-56-41-2C-2A»
(2) Connect-Info = «CONNECT 54 Mbps 802.11g»
(2) NAS-Identifier = «AP-domain01»
(2) NAS-Port-Type = Wireless-802.11
(2) Framed-MTU = 1500
(2) EAP-Message = 0x0202009819800000008e1603010089010000850301561634f097408b8f9058fa38f1f34ce4854696e71aebecb3ae3cd9850b14d4cc00004a00ffc024c023c00ac009c008c028c027c014c013c012c026c025c005c004c003c02ac029c00fc00ec00d006b0067003900330016003d003c0035002f000ac0
(2) Message-Authenticator = 0x5309b752e9ed063e669ba97b7c937db8
(2) session-state: No cached attributes
(2) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/domain
(2) authorize {
(2) files: users: Matched entry bob at line 69
(2) [files] = ok
(2) [preprocess] = ok
(2) suffix: Checking for suffix after «@»
(2) suffix: No ‘@’ in User-Name = «bob», looking up realm NULL
(2) suffix: No such realm «NULL»
(2) [suffix] = noop
(2) eap: Peer sent EAP Response (code 2) ID 2 length 152
(2) eap: Continuing tunnel setup
(2) [eap] = ok
(2) } # authorize = ok
(2) Found Auth-Type = EAP
(2) # Executing group from file /usr/local/etc/raddb/sites-enabled/domain
(2) authenticate {
(2) eap: Expiring EAP session with state 0x7322fa167320e364
(2) eap: Finished EAP session with state 0x7322fa167320e364
(2) eap: Previous EAP request found for state 0x7322fa167320e364, released from the list
(2) eap: Peer sent packet with method EAP PEAP (25)
(2) eap: Calling submodule eap_peap to process data
(2) eap_peap: Continuing EAP-TLS
(2) eap_peap: Peer indicated complete TLS record size will be 142 bytes
(2) eap_peap: Got complete TLS record (142 bytes)
(2) eap_peap: [eaptls verify] = length included
(2) eap_peap: (other): before/accept initialization
(2) eap_peap: TLS_accept: before/accept initialization
(2) eap_peap: <<< TLS 1.0 Handshake [length 0089], ClientHello
(2) eap_peap: TLS_accept: SSLv3 read client hello A
(2) eap_peap: >>> TLS 1.0 Handshake [length 0039], ServerHello
(2) eap_peap: TLS_accept: SSLv3 write server hello A
(2) eap_peap: >>> TLS 1.0 Handshake [length 0964], Certificate
(2) eap_peap: TLS_accept: SSLv3 write certificate A
(2) eap_peap: >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange
(2) eap_peap: TLS_accept: SSLv3 write key exchange A
(2) eap_peap: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
(2) eap_peap: TLS_accept: SSLv3 write server done A
(2) eap_peap: TLS_accept: SSLv3 flush data
(2) eap_peap: TLS_accept: Need to read more data: SSLv3 read client certificate A
(2) eap_peap: TLS_accept: Need to read more data: SSLv3 read client certificate A
(2) eap_peap: In SSL Handshake Phase
(2) eap_peap: In SSL Accept mode
(2) eap_peap: [eaptls process] = handled
(2) eap: Sending EAP Request (code 1) ID 3 length 1004
(2) eap: EAP session adding &reply:State = 0x7322fa167221e364
(2) [eap] = handled
(2) } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) Post-Auth-Type sub-section not found. Ignoring.
(2) Sent Access-Challenge Id 219 from 192.168.8.27:1812 to 192.168.2.250:3072 length 0
(2) EAP-Message = 0x010303ec19c000000b001603010039020000350301da2dfe903d7c37a7634c8742deb0c9de5ef2b5d7f4c0d4d8d1697deec243cc5600c01400000dff01000100000b00040300010216030109640b00096000095d0005a7308205a33082048ba0030201020213720000003379461d9f383b20c900010000
(2) Message-Authenticator = 0x00000000000000000000000000000000
(2) State = 0x7322fa167221e3641bb25e163c98a49d
(2) Finished request
Waking up in 4.9 seconds.
(1) Cleaning up request packet ID 155 with timestamp +61
(2) Cleaning up request packet ID 219 with timestamp +61
Ready to process requests
(3) Received Access-Request Id 54 from 192.168.2.250:3072 to 192.168.8.27:1812 length 192
(3) User-Name = «bob»
(3) Service-Type = Framed-User
(3) NAS-IP-Address = 192.168.2.250
(3) NAS-Port = 10
(3) NAS-Port-Id = «10»
(3) State = 0x7322fa167221e3641bb25e163c98a49d
(3) Called-Station-Id = «0E-0B-6B-2F-12-67:domain 8021X»
(3) Calling-Station-Id = «B8-E8-56-41-2C-2A»
(3) Connect-Info = «CONNECT 54 Mbps 802.11g»
(3) NAS-Identifier = «AP-domain01»
(3) NAS-Port-Type = Wireless-802.11
(3) Framed-MTU = 1500
(3) EAP-Message = 0x020300061900
(3) Message-Authenticator = 0xa70b8b8371dc21e4a3352e99bad8a487
(3) session-state: No cached attributes
(3) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/domain
(3) authorize {
(3) files: users: Matched entry bob at line 69
(3) [files] = ok
(3) [preprocess] = ok
(3) suffix: Checking for suffix after «@»
(3) suffix: No ‘@’ in User-Name = «bob», looking up realm NULL
(3) suffix: No such realm «NULL»
(3) [suffix] = noop
(3) eap: Peer sent EAP Response (code 2) ID 3 length 6
(3) eap: Continuing tunnel setup
(3) [eap] = ok
(3) } # authorize = ok
(3) Found Auth-Type = EAP
(3) # Executing group from file /usr/local/etc/raddb/sites-enabled/domain
(3) authenticate {
(3) eap: Expiring EAP session with state 0x7322fa167221e364
(3) eap: Finished EAP session with state 0x7322fa167221e364
(3) eap: Previous EAP request found for state 0x7322fa167221e364, released from the list
(3) eap: Peer sent packet with method EAP PEAP (25)
(3) eap: Calling submodule eap_peap to process data
(3) eap_peap: Continuing EAP-TLS
(3) eap_peap: Peer ACKed our handshake fragment
(3) eap_peap: [eaptls verify] = request
(3) eap_peap: [eaptls process] = handled
(3) eap: Sending EAP Request (code 1) ID 4 length 1000
(3) eap: EAP session adding &reply:State = 0x7322fa167126e364
(3) [eap] = handled
(3) } # authenticate = handled
(3) Using Post-Auth-Type Challenge
(3) Post-Auth-Type sub-section not found. Ignoring.
(3) Sent Access-Challenge Id 54 from 192.168.8.27:1812 to 192.168.2.250:3072 length 0
(3) EAP-Message = 0x010403e81940b53081b206082b060105050730028681a56c6461703a2f2f2f434e3d6e656465636f253230476d624825323043412c434e3d4149412c434e3d5075626c69632532304b657925323053657276696365732c434e3d53657276696365732c434e3d436f6e66696775726174696f6e2c44433d
(3) Message-Authenticator = 0x00000000000000000000000000000000
(3) State = 0x7322fa167126e3641bb25e163c98a49d
(3) Finished request
Waking up in 4.9 seconds.
(4) Received Access-Request Id 29 from 192.168.2.250:3072 to 192.168.8.27:1812 length 192
(4) User-Name = «bob»
(4) Service-Type = Framed-User
(4) NAS-IP-Address = 192.168.2.250
(4) NAS-Port = 10
(4) NAS-Port-Id = «10»
(4) State = 0x7322fa167126e3641bb25e163c98a49d
(4) Called-Station-Id = «0E-0B-6B-2F-12-67:domain 8021X»
(4) Calling-Station-Id = «B8-E8-56-41-2C-2A»
(4) Connect-Info = «CONNECT 54 Mbps 802.11g»
(4) NAS-Identifier = «AP-domain01»
(4) NAS-Port-Type = Wireless-802.11
(4) Framed-MTU = 1500
(4) EAP-Message = 0x020400061900
(4) Message-Authenticator = 0x841ce2c1c9b797b25c3aff5bba5e059d
(4) session-state: No cached attributes
(4) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/domain
(4) authorize {
(4) files: users: Matched entry bob at line 69
(4) [files] = ok
(4) [preprocess] = ok
(4) suffix: Checking for suffix after «@»
(4) suffix: No ‘@’ in User-Name = «bob», looking up realm NULL
(4) suffix: No such realm «NULL»
(4) [suffix] = noop
(4) eap: Peer sent EAP Response (code 2) ID 4 length 6
(4) eap: Continuing tunnel setup
(4) [eap] = ok
(4) } # authorize = ok
(4) Found Auth-Type = EAP
(4) # Executing group from file /usr/local/etc/raddb/sites-enabled/domain
(4) authenticate {
(4) eap: Expiring EAP session with state 0x7322fa167126e364
(4) eap: Finished EAP session with state 0x7322fa167126e364
(4) eap: Previous EAP request found for state 0x7322fa167126e364, released from the list
(4) eap: Peer sent packet with method EAP PEAP (25)
(4) eap: Calling submodule eap_peap to process data
(4) eap_peap: Continuing EAP-TLS
(4) eap_peap: Peer ACKed our handshake fragment
(4) eap_peap: [eaptls verify] = request
(4) eap_peap: [eaptls process] = handled
(4) eap: Sending EAP Request (code 1) ID 5 length 834
(4) eap: EAP session adding &reply:State = 0x7322fa167027e364
(4) [eap] = handled
(4) } # authenticate = handled
(4) Using Post-Auth-Type Challenge
(4) Post-Auth-Type sub-section not found. Ignoring.
(4) Sent Access-Challenge Id 29 from 192.168.8.27:1812 to 192.168.2.250:3072 length 0
(4) EAP-Message = 0x01050342190068d99b627f3ca6561e6c1dcd0e8bb529b85d2515a36c2ba6f906ee9a223e619decfff2f24ef8674307735d591964d50ac988776a55970203010001a3819130818e301306092b060104018237140204061e0400430041300e0603551d0f0101ff040403020186300f0603551d130101ff04
(4) Message-Authenticator = 0x00000000000000000000000000000000
(4) State = 0x7322fa167027e3641bb25e163c98a49d
(4) Finished request
Waking up in 4.9 seconds.
(5) Received Access-Request Id 215 from 192.168.2.250:3072 to 192.168.8.27:1812 length 330
(5) User-Name = «bob»
(5) Service-Type = Framed-User
(5) NAS-IP-Address = 192.168.2.250
(5) NAS-Port = 10
(5) NAS-Port-Id = «10»
(5) State = 0x7322fa167027e3641bb25e163c98a49d
(5) Called-Station-Id = «0E-0B-6B-2F-12-67:domain 8021X»
(5) Calling-Station-Id = «B8-E8-56-41-2C-2A»
(5) Connect-Info = «CONNECT 54 Mbps 802.11g»
(5) NAS-Identifier = «AP-domain01»
(5) NAS-Port-Type = Wireless-802.11
(5) Framed-MTU = 1500
(5) EAP-Message = 0x0205009019800000008616030100461000004241048075a5ca05d012d0fd77b0f9e1664c5ce577eda72a1368e0a8e78fd9072b0a6e04ce9f7f3cb1339ca9fd58bdc40e0afce833807f1c4035e532e91d07e8d45fdb1403010001011603010030bff39ef9cf9a0400269ae5fd8888ba5c4940b72599bca5
(5) Message-Authenticator = 0xfaa49416d762fdf0846428951f176829
(5) session-state: No cached attributes
(5) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/domain
(5) authorize {
(5) files: users: Matched entry bob at line 69
(5) [files] = ok
(5) [preprocess] = ok
(5) suffix: Checking for suffix after «@»
(5) suffix: No ‘@’ in User-Name = «bob», looking up realm NULL
(5) suffix: No such realm «NULL»
(5) [suffix] = noop
(5) eap: Peer sent EAP Response (code 2) ID 5 length 144
(5) eap: Continuing tunnel setup
(5) [eap] = ok
(5) } # authorize = ok
(5) Found Auth-Type = EAP
(5) # Executing group from file /usr/local/etc/raddb/sites-enabled/domain
(5) authenticate {
(5) eap: Expiring EAP session with state 0x7322fa167027e364
(5) eap: Finished EAP session with state 0x7322fa167027e364
(5) eap: Previous EAP request found for state 0x7322fa167027e364, released from the list
(5) eap: Peer sent packet with method EAP PEAP (25)
(5) eap: Calling submodule eap_peap to process data
(5) eap_peap: Continuing EAP-TLS
(5) eap_peap: Peer indicated complete TLS record size will be 134 bytes
(5) eap_peap: Got complete TLS record (134 bytes)
(5) eap_peap: [eaptls verify] = length included
(5) eap_peap: <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange
(5) eap_peap: TLS_accept: SSLv3 read client key exchange A
(5) eap_peap: <<< TLS 1.0 ChangeCipherSpec length 0001 eap_peap: <<< TLS 1.0 Handshake [length 0010], Finished
(5) eap_peap: TLS_accept: SSLv3 read finished A
(5) eap_peap: >>> TLS 1.0 ChangeCipherSpec length 0001 eap_peap: TLS_accept: SSLv3 write change cipher spec A
(5) eap_peap: >>> TLS 1.0 Handshake [length 0010], Finished
(5) eap_peap: TLS_accept: SSLv3 write finished A
(5) eap_peap: TLS_accept: SSLv3 flush data
(5) eap_peap: (other): SSL negotiation finished successfully
(5) eap_peap: SSL Connection Established
(5) eap_peap: [eaptls process] = handled
(5) eap: Sending EAP Request (code 1) ID 6 length 65
(5) eap: EAP session adding &reply:State = 0x7322fa167724e364
(5) [eap] = handled
(5) } # authenticate = handled
(5) Using Post-Auth-Type Challenge
(5) Post-Auth-Type sub-section not found. Ignoring.
(5) Sent Access-Challenge Id 215 from 192.168.8.27:1812 to 192.168.2.250:3072 length 0
(5) EAP-Message = 0x010600411900140301000101160301003055bf61e75ec8b42df54cc0a1eab6dd5e274dd8db872c3a18e2616a373eda384dcffbfa8de45423ccb8890ee689f1f4cb
(5) Message-Authenticator = 0x00000000000000000000000000000000
(5) State = 0x7322fa167724e3641bb25e163c98a49d
(5) Finished request
Waking up in 4.8 seconds.
(6) Received Access-Request Id 116 from 192.168.2.250:3072 to 192.168.8.27:1812 length 192
(6) User-Name = «bob»
(6) Service-Type = Framed-User
(6) NAS-IP-Address = 192.168.2.250
(6) NAS-Port = 10
(6) NAS-Port-Id = «10»
(6) State = 0x7322fa167724e3641bb25e163c98a49d
(6) Called-Station-Id = «0E-0B-6B-2F-12-67:domain 8021X»
(6) Calling-Station-Id = «B8-E8-56-41-2C-2A»
(6) Connect-Info = «CONNECT 54 Mbps 802.11g»
(6) NAS-Identifier = «AP-domain01»
(6) NAS-Port-Type = Wireless-802.11
(6) Framed-MTU = 1500
(6) EAP-Message = 0x020600061900
(6) Message-Authenticator = 0xb468a031e9e011addea02301e58313cb
(6) session-state: No cached attributes
(6) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/domain
(6) authorize {
(6) files: users: Matched entry bob at line 69
(6) [files] = ok
(6) [preprocess] = ok
(6) suffix: Checking for suffix after «@»
(6) suffix: No ‘@’ in User-Name = «bob», looking up realm NULL
(6) suffix: No such realm «NULL»
(6) [suffix] = noop
(6) eap: Peer sent EAP Response (code 2) ID 6 length 6
(6) eap: Continuing tunnel setup
(6) [eap] = ok
(6) } # authorize = ok
(6) Found Auth-Type = EAP
(6) # Executing group from file /usr/local/etc/raddb/sites-enabled/domain
(6) authenticate {
(6) eap: Expiring EAP session with state 0x7322fa167724e364
(6) eap: Finished EAP session with state 0x7322fa167724e364
(6) eap: Previous EAP request found for state 0x7322fa167724e364, released from the list
(6) eap: Peer sent packet with method EAP PEAP (25)
(6) eap: Calling submodule eap_peap to process data
(6) eap_peap: Continuing EAP-TLS
(6) eap_peap: Peer ACKed our handshake fragment. handshake is finished
(6) eap_peap: [eaptls verify] = success
(6) eap_peap: [eaptls process] = success
(6) eap_peap: Session established. Decoding tunneled attributes
(6) eap_peap: PEAP state TUNNEL ESTABLISHED
(6) eap: Sending EAP Request (code 1) ID 7 length 43
(6) eap: EAP session adding &reply:State = 0x7322fa167625e364
(6) [eap] = handled
(6) } # authenticate = handled
(6) Using Post-Auth-Type Challenge
(6) Post-Auth-Type sub-section not found. Ignoring.
(6) Sent Access-Challenge Id 116 from 192.168.8.27:1812 to 192.168.2.250:3072 length 0
(6) EAP-Message = 0x0107002b19001703010020ba0b3d2b7d949cf1727c708a6c6ac8606201ef325b4408284fbf4115ccf1e60c
(6) Message-Authenticator = 0x00000000000000000000000000000000
(6) State = 0x7322fa167625e3641bb25e163c98a49d
(6) Finished request
Waking up in 4.8 seconds.
(7) Received Access-Request Id 108 from 192.168.2.250:3072 to 192.168.8.27:1812 length 229
(7) User-Name = «bob»
(7) Service-Type = Framed-User
(7) NAS-IP-Address = 192.168.2.250
(7) NAS-Port = 10
(7) NAS-Port-Id = «10»
(7) State = 0x7322fa167625e3641bb25e163c98a49d
(7) Called-Station-Id = «0E-0B-6B-2F-12-67:domain 8021X»
(7) Calling-Station-Id = «B8-E8-56-41-2C-2A»
(7) Connect-Info = «CONNECT 54 Mbps 802.11g»
(7) NAS-Identifier = «AP-domain01»
(7) NAS-Port-Type = Wireless-802.11
(7) Framed-MTU = 1500
(7) EAP-Message = 0x0207002b190017030100205db45e564856f45f7af7cc0f3ec2e54ef3aab9a99f6cb2d9944b2c53980f0bde
(7) Message-Authenticator = 0xd2092e590023b1e9af89a2d5f9927801
(7) session-state: No cached attributes
(7) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/domain
(7) authorize {
(7) files: users: Matched entry bob at line 69
(7) [files] = ok
(7) [preprocess] = ok
(7) suffix: Checking for suffix after «@»
(7) suffix: No ‘@’ in User-Name = «bob», looking up realm NULL
(7) suffix: No such realm «NULL»
(7) [suffix] = noop
(7) eap: Peer sent EAP Response (code 2) ID 7 length 43
(7) eap: Continuing tunnel setup
(7) [eap] = ok
(7) } # authorize = ok
(7) Found Auth-Type = EAP
(7) # Executing group from file /usr/local/etc/raddb/sites-enabled/domain
(7) authenticate {
(7) eap: Expiring EAP session with state 0x7322fa167625e364
(7) eap: Finished EAP session with state 0x7322fa167625e364
(7) eap: Previous EAP request found for state 0x7322fa167625e364, released from the list
(7) eap: Peer sent packet with method EAP PEAP (25)
(7) eap: Calling submodule eap_peap to process data
(7) eap_peap: Continuing EAP-TLS
(7) eap_peap: [eaptls verify] = ok
(7) eap_peap: Done initial handshake
(7) eap_peap: [eaptls process] = ok
(7) eap_peap: Session established. Decoding tunneled attributes
(7) eap_peap: PEAP state WAITING FOR INNER IDENTITY
(7) eap_peap: Identity — bob
(7) eap_peap: Got inner identity ‘bob’
(7) eap_peap: Setting default EAP type for tunneled EAP session
(7) eap_peap: Got tunneled request
(7) eap_peap: EAP-Message = 0x0207000801626f62
(7) eap_peap: Setting User-Name to bob
(7) eap_peap: Sending tunneled request to inner-tunnel
(7) eap_peap: EAP-Message = 0x0207000801626f62
(7) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(7) eap_peap: User-Name = «bob»
(7) Virtual server inner-tunnel received request
(7) EAP-Message = 0x0207000801626f62
(7) FreeRADIUS-Proxied-To = 127.0.0.1
(7) User-Name = «bob»
(7) server inner-tunnel {
(7) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel-domain
(7) authorize {
(7) files: users: Matched entry bob at line 69
(7) [files] = ok
(7) [mschap] = noop
(7) suffix: Checking for suffix after «@»
(7) suffix: No ‘@’ in User-Name = «bob», looking up realm NULL
(7) suffix: No such realm «NULL»
(7) [suffix] = noop
(7) update control {
(7) Proxy-To-Realm := LOCAL
(7) } # update control = noop
(7) eap: Peer sent EAP Response (code 2) ID 7 length 8
(7) eap: EAP-Identity reply, returning ‘ok’ so we can short-circuit the rest of authorize
(7) [eap] = ok
(7) } # authorize = ok
(7) Found Auth-Type = EAP
(7) # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel-domain
(7) authenticate {
(7) eap: Peer sent packet with method EAP Identity (1)
(7) eap: Calling submodule eap_mschapv2 to process data
(7) eap_mschapv2: Issuing Challenge
(7) eap: Sending EAP Request (code 1) ID 8 length 43
(7) eap: EAP session adding &reply:State = 0xa0773c37a07f2697
(7) [eap] = handled
(7) } # authenticate = handled
(7) } # server inner-tunnel
(7) Virtual server sending reply
(7) EAP-Message = 0x0108002b1a0108002610499c5c634fd1c53afcf63e2a20dc0dbd667265657261646975732d332e302e3131
(7) Message-Authenticator = 0x00000000000000000000000000000000
(7) State = 0xa0773c37a07f269794c91e639bc0d99c
(7) eap_peap: Got tunneled reply code 11
(7) eap_peap: EAP-Message = 0x0108002b1a0108002610499c5c634fd1c53afcf63e2a20dc0dbd667265657261646975732d332e302e3131
(7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(7) eap_peap: State = 0xa0773c37a07f269794c91e639bc0d99c
(7) eap_peap: Got tunneled reply RADIUS code 11
(7) eap_peap: EAP-Message = 0x0108002b1a0108002610499c5c634fd1c53afcf63e2a20dc0dbd667265657261646975732d332e302e3131
(7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(7) eap_peap: State = 0xa0773c37a07f269794c91e639bc0d99c
(7) eap_peap: Got tunneled Access-Challenge
(7) eap: Sending EAP Request (code 1) ID 8 length 75
(7) eap: EAP session adding &reply:State = 0x7322fa16752ae364
(7) [eap] = handled
(7) } # authenticate = handled
(7) Using Post-Auth-Type Challenge
(7) Post-Auth-Type sub-section not found. Ignoring.
(7) Sent Access-Challenge Id 108 from 192.168.8.27:1812 to 192.168.2.250:3072 length 0
(7) EAP-Message = 0x0108004b19001703010040d8e4f8be725dc18720efdaf547282b5b876c26c5fdbea8c05f380bf87ea452cdf6938d2793528a14f784d70ad64f66ebcb6998cae0cdb2ec340b208caf7adddc
(7) Message-Authenticator = 0x00000000000000000000000000000000
(7) State = 0x7322fa16752ae3641bb25e163c98a49d
(7) Finished request
Waking up in 4.8 seconds.
(8) Received Access-Request Id 50 from 192.168.2.250:3072 to 192.168.8.27:1812 length 277
(8) User-Name = «bob»
(8) Service-Type = Framed-User
(8) NAS-IP-Address = 192.168.2.250
(8) NAS-Port = 10
(8) NAS-Port-Id = «10»
(8) State = 0x7322fa16752ae3641bb25e163c98a49d
(8) Called-Station-Id = «0E-0B-6B-2F-12-67:domain 8021X»
(8) Calling-Station-Id = «B8-E8-56-41-2C-2A»
(8) Connect-Info = «CONNECT 54 Mbps 802.11g»
(8) NAS-Identifier = «AP-domain01»
(8) NAS-Port-Type = Wireless-802.11
(8) Framed-MTU = 1500
(8) EAP-Message = 0x0208005b1900170301005035d828d77a9cd3611fc5b79937ff5a2749a2d013a332137a52fe3a206717cde550258b9914956f0b2f88dd7f4491d6d52e7b97a1fd99e59010b7e346d7692d768748d8d8efb3995a7d8d58863b0e3c9f
(8) Message-Authenticator = 0x27a3860baf38d3fd1d0e7f85c85a398e
(8) session-state: No cached attributes
(8) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/domain
(8) authorize {
(8) files: users: Matched entry bob at line 69
(8) [files] = ok
(8) [preprocess] = ok
(8) suffix: Checking for suffix after «@»
(8) suffix: No ‘@’ in User-Name = «bob», looking up realm NULL
(8) suffix: No such realm «NULL»
(8) [suffix] = noop
(8) eap: Peer sent EAP Response (code 2) ID 8 length 91
(8) eap: Continuing tunnel setup
(8) [eap] = ok
(8) } # authorize = ok
(8) Found Auth-Type = EAP
(8) # Executing group from file /usr/local/etc/raddb/sites-enabled/domain
(8) authenticate {
(8) eap: Expiring EAP session with state 0xa0773c37a07f2697
(8) eap: Finished EAP session with state 0x7322fa16752ae364
(8) eap: Previous EAP request found for state 0x7322fa16752ae364, released from the list
(8) eap: Peer sent packet with method EAP PEAP (25)
(8) eap: Calling submodule eap_peap to process data
(8) eap_peap: Continuing EAP-TLS
(8) eap_peap: [eaptls verify] = ok
(8) eap_peap: Done initial handshake
(8) eap_peap: [eaptls process] = ok
(8) eap_peap: Session established. Decoding tunneled attributes
(8) eap_peap: PEAP state phase2
(8) eap_peap: EAP method MSCHAPv2 (26)
(8) eap_peap: Got tunneled request
(8) eap_peap: EAP-Message = 0x0208003e1a02080039318c4c5187cb6d3acc25374e1a666c6ebd00000000000000005c626c4605277cd81e771f53707290714956dfed703aa31a00626f62
(8) eap_peap: Setting User-Name to bob
(8) eap_peap: Sending tunneled request to inner-tunnel
(8) eap_peap: EAP-Message = 0x0208003e1a02080039318c4c5187cb6d3acc25374e1a666c6ebd00000000000000005c626c4605277cd81e771f53707290714956dfed703aa31a00626f62
(8) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(8) eap_peap: User-Name = «bob»
(8) eap_peap: State = 0xa0773c37a07f269794c91e639bc0d99c
(8) Virtual server inner-tunnel received request
(8) EAP-Message = 0x0208003e1a02080039318c4c5187cb6d3acc25374e1a666c6ebd00000000000000005c626c4605277cd81e771f53707290714956dfed703aa31a00626f62
(8) FreeRADIUS-Proxied-To = 127.0.0.1
(8) User-Name = «bob»
(8) State = 0xa0773c37a07f269794c91e639bc0d99c
(8) server inner-tunnel {
(8) session-state: No cached attributes
(8) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel-domain
(8) authorize {
(8) files: users: Matched entry bob at line 69
(8) [files] = ok
(8) [mschap] = noop
(8) suffix: Checking for suffix after «@»
(8) suffix: No ‘@’ in User-Name = «bob», looking up realm NULL
(8) suffix: No such realm «NULL»
(8) [suffix] = noop
(8) update control {
(8) Proxy-To-Realm := LOCAL
(8) } # update control = noop
(8) eap: Peer sent EAP Response (code 2) ID 8 length 62
(8) eap: No EAP Start, assuming it’s an on-going EAP conversation
(8) [eap] = updated
(8) [expiration] = noop
(8) [logintime] = noop
rlm_ldap (ldap_domain): Closing connection (2): Hit idle_timeout, was idle for 90 seconds
rlm_ldap (ldap_domain): Closing connection (3): Hit idle_timeout, was idle for 90 seconds
rlm_ldap (ldap_domain): Closing connection (4): Hit idle_timeout, was idle for 90 seconds
rlm_ldap (ldap_domain): Closing connection (0): Hit idle_timeout, was idle for 85 seconds
rlm_ldap (ldap_domain): You probably need to lower «min»
rlm_ldap (ldap_domain): Closing connection (5): Hit idle_timeout, was idle for 85 seconds
rlm_ldap (ldap_domain): You probably need to lower «min»
rlm_ldap (ldap_domain): Closing connection (1): Hit idle_timeout, was idle for 85 seconds
rlm_ldap (ldap_domain): You probably need to lower «min»
rlm_ldap (ldap_domain): 0 of 0 connections in use. You may need to increase «spare»
rlm_ldap (ldap_domain): Opening additional connection (6), 1 of 32 pending slots used
rlm_ldap (ldap_domain): Connecting to ldap://dc.domain.local:389
rlm_ldap (ldap_domain): Waiting for bind result…
rlm_ldap (ldap_domain): Bind successful
rlm_ldap (ldap_domain): Reserved connection (6)
(8) ldap_domain: EXPAND (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})
(8) ldap_domain: —> (sAMAccountName=bob)
(8) ldap_domain: Performing search in «cn=Users,dc=domain,dc=local» with filter «(sAMAccountName=bob)», scope «sub»
(8) ldap_domain: Waiting for search result…
(8) ldap_domain: Search returned no results
rlm_ldap (ldap_domain): Released connection (6)
rlm_ldap (ldap_domain): Need 2 more connections to reach 10 spares
rlm_ldap (ldap_domain): Opening additional connection (7), 1 of 31 pending slots used
rlm_ldap (ldap_domain): Connecting to ldap://dc.domain.local:389
rlm_ldap (ldap_domain): Waiting for bind result…
rlm_ldap (ldap_domain): Bind successful
(8) [ldap_domain] = notfound
(8) if ((ok || updated) && User-Password) {
(8) if ((ok || updated) && User-Password) -> FALSE
(8) pap: WARNING: Auth-Type already set. Not setting to PAP
(8) [pap] = noop
(8) if (User-Password) {
(8) if (User-Password) -> FALSE
(8) } # authorize = updated
(8) Found Auth-Type = EAP
(8) # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel-domain
(8) authenticate {
(8) eap: Expiring EAP session with state 0xa0773c37a07f2697
(8) eap: Finished EAP session with state 0xa0773c37a07f2697
(8) eap: Previous EAP request found for state 0xa0773c37a07f2697, released from the list
(8) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(8) eap: Calling submodule eap_mschapv2 to process data
(8) eap_mschapv2: # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel-domain
(8) eap_mschapv2: Auth-Type MS-CHAP {
(8) mschap: Found Cleartext-Password, hashing to create NT-Password
(8) mschap: Found Cleartext-Password, hashing to create LM-Password
(8) mschap: Creating challenge hash with username: bob
(8) mschap: Client is using MS-CHAPv2
(8) mschap: Adding MS-CHAPv2 MPPE keys
(8) [mschap] = ok
(8) } # Auth-Type MS-CHAP = ok
(8) MSCHAP Success
(8) eap: Sending EAP Request (code 1) ID 9 length 51
(8) eap: EAP session adding &reply:State = 0xa0773c37a17e2697
(8) [eap] = handled
(8) } # authenticate = handled
(8) } # server inner-tunnel
(8) Virtual server sending reply
(8) EAP-Message = 0x010900331a0308002e533d41303037313532323444323837324439434432334437363345354535313444393146323441424646
(8) Message-Authenticator = 0x00000000000000000000000000000000
(8) State = 0xa0773c37a17e269794c91e639bc0d99c
(8) eap_peap: Got tunneled reply code 11
(8) eap_peap: EAP-Message = 0x010900331a0308002e533d41303037313532323444323837324439434432334437363345354535313444393146323441424646
(8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(8) eap_peap: State = 0xa0773c37a17e269794c91e639bc0d99c
(8) eap_peap: Got tunneled reply RADIUS code 11
(8) eap_peap: EAP-Message = 0x010900331a0308002e533d41303037313532323444323837324439434432334437363345354535313444393146323441424646
(8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(8) eap_peap: State = 0xa0773c37a17e269794c91e639bc0d99c
(8) eap_peap: Got tunneled Access-Challenge
(8) eap: Sending EAP Request (code 1) ID 9 length 91
(8) eap: EAP session adding &reply:State = 0x7322fa16742be364
(8) [eap] = handled
(8) } # authenticate = handled
(8) Using Post-Auth-Type Challenge
(8) Post-Auth-Type sub-section not found. Ignoring.
(8) Sent Access-Challenge Id 50 from 192.168.8.27:1812 to 192.168.2.250:3072 length 0
(8) EAP-Message = 0x0109005b19001703010050859ea345fa5ac6b144a9e42ed8bff28f0b2320a237ac8370d029cb70f52d482a0d76da88b813e4df36252cb6397300ec8d8d78b8622e934b5283b40ee5a8abe75b64b6667666fd21f0cac5fcc60f98ed
(8) Message-Authenticator = 0x00000000000000000000000000000000
(8) State = 0x7322fa16742be3641bb25e163c98a49d
(8) Finished request
Waking up in 4.7 seconds.
(9) Received Access-Request Id 168 from 192.168.2.250:3072 to 192.168.8.27:1812 length 229
(9) User-Name = «bob»
(9) Service-Type = Framed-User
(9) NAS-IP-Address = 192.168.2.250
(9) NAS-Port = 10
(9) NAS-Port-Id = «10»
(9) State = 0x7322fa16742be3641bb25e163c98a49d
(9) Called-Station-Id = «0E-0B-6B-2F-12-67:domain 8021X»
(9) Calling-Station-Id = «B8-E8-56-41-2C-2A»
(9) Connect-Info = «CONNECT 54 Mbps 802.11g»
(9) NAS-Identifier = «AP-domain01»
(9) NAS-Port-Type = Wireless-802.11
(9) Framed-MTU = 1500
(9) EAP-Message = 0x0209002b19001703010020ef0b01a2e1a2ce59b84fcd3a36f6101ad280a2da6de9e3034ee1142fd2c2d87b
(9) Message-Authenticator = 0xcbef8a5238f2450a86714781617cb91e
(9) session-state: No cached attributes
(9) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/domain
(9) authorize {
(9) files: users: Matched entry bob at line 69
(9) [files] = ok
(9) [preprocess] = ok
(9) suffix: Checking for suffix after «@»
(9) suffix: No ‘@’ in User-Name = «bob», looking up realm NULL
(9) suffix: No such realm «NULL»
(9) [suffix] = noop
(9) eap: Peer sent EAP Response (code 2) ID 9 length 43
(9) eap: Continuing tunnel setup
(9) [eap] = ok
(9) } # authorize = ok
(9) Found Auth-Type = EAP
(9) # Executing group from file /usr/local/etc/raddb/sites-enabled/domain
(9) authenticate {
(9) eap: Expiring EAP session with state 0xa0773c37a17e2697
(9) eap: Finished EAP session with state 0x7322fa16742be364
(9) eap: Previous EAP request found for state 0x7322fa16742be364, released from the list
(9) eap: Peer sent packet with method EAP PEAP (25)
(9) eap: Calling submodule eap_peap to process data
(9) eap_peap: Continuing EAP-TLS
(9) eap_peap: [eaptls verify] = ok
(9) eap_peap: Done initial handshake
(9) eap_peap: [eaptls process] = ok
(9) eap_peap: Session established. Decoding tunneled attributes
(9) eap_peap: PEAP state phase2
(9) eap_peap: EAP method MSCHAPv2 (26)
(9) eap_peap: Got tunneled request
(9) eap_peap: EAP-Message = 0x020900061a03
(9) eap_peap: Setting User-Name to bob
(9) eap_peap: Sending tunneled request to inner-tunnel
(9) eap_peap: EAP-Message = 0x020900061a03
(9) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(9) eap_peap: User-Name = «bob»
(9) eap_peap: State = 0xa0773c37a17e269794c91e639bc0d99c
(9) Virtual server inner-tunnel received request
(9) EAP-Message = 0x020900061a03
(9) FreeRADIUS-Proxied-To = 127.0.0.1
(9) User-Name = «bob»
(9) State = 0xa0773c37a17e269794c91e639bc0d99c
(9) server inner-tunnel {
(9) session-state: No cached attributes
(9) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel-domain
(9) authorize {
(9) files: users: Matched entry bob at line 69
(9) [files] = ok
(9) [mschap] = noop
(9) suffix: Checking for suffix after «@»
(9) suffix: No ‘@’ in User-Name = «bob», looking up realm NULL
(9) suffix: No such realm «NULL»
(9) [suffix] = noop
(9) update control {
(9) Proxy-To-Realm := LOCAL
(9) } # update control = noop
(9) eap: Peer sent EAP Response (code 2) ID 9 length 6
(9) eap: No EAP Start, assuming it’s an on-going EAP conversation
(9) [eap] = updated
(9) [expiration] = noop
(9) [logintime] = noop
rlm_ldap (ldap_domain): Reserved connection (6)
(9) ldap_domain: EXPAND (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})
(9) ldap_domain: —> (sAMAccountName=bob)
(9) ldap_domain: Performing search in «cn=Users,dc=domain,dc=local» with filter «(sAMAccountName=bob)», scope «sub»
(9) ldap_domain: Waiting for search result…
(9) ldap_domain: Search returned no results
rlm_ldap (ldap_domain): Released connection (6)
(9) [ldap_domain] = notfound
(9) if ((ok || updated) && User-Password) {
(9) if ((ok || updated) && User-Password) -> FALSE
(9) pap: WARNING: Auth-Type already set. Not setting to PAP
(9) [pap] = noop
(9) if (User-Password) {
(9) if (User-Password) -> FALSE
(9) } # authorize = updated
(9) Found Auth-Type = EAP
(9) # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel-domain
(9) authenticate {
(9) eap: Expiring EAP session with state 0xa0773c37a17e2697
(9) eap: Finished EAP session with state 0xa0773c37a17e2697
(9) eap: Previous EAP request found for state 0xa0773c37a17e2697, released from the list
(9) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(9) eap: Calling submodule eap_mschapv2 to process data
(9) eap: Sending EAP Success (code 3) ID 9 length 4
(9) eap: Freeing handler
(9) [eap] = ok
(9) } # authenticate = ok
(9) } # server inner-tunnel
(9) Virtual server sending reply
(9) MS-MPPE-Encryption-Policy = Encryption-Required
(9) MS-MPPE-Encryption-Types = 4
(9) MS-MPPE-Send-Key = 0xc40f7d178a19b383691a863644016790
(9) MS-MPPE-Recv-Key = 0x1f490d8645a1a87f762bc38738f37149
(9) EAP-Message = 0x03090004
(9) Message-Authenticator = 0x00000000000000000000000000000000
(9) User-Name = «bob»
(9) eap_peap: Got tunneled reply code 2
(9) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Required
(9) eap_peap: MS-MPPE-Encryption-Types = 4
(9) eap_peap: MS-MPPE-Send-Key = 0xc40f7d178a19b383691a863644016790
(9) eap_peap: MS-MPPE-Recv-Key = 0x1f490d8645a1a87f762bc38738f37149
(9) eap_peap: EAP-Message = 0x03090004
(9) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(9) eap_peap: User-Name = «bob»
(9) eap_peap: Got tunneled reply RADIUS code 2
(9) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Required
(9) eap_peap: MS-MPPE-Encryption-Types = 4
(9) eap_peap: MS-MPPE-Send-Key = 0xc40f7d178a19b383691a863644016790
(9) eap_peap: MS-MPPE-Recv-Key = 0x1f490d8645a1a87f762bc38738f37149
(9) eap_peap: EAP-Message = 0x03090004
(9) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(9) eap_peap: User-Name = «bob»
(9) eap_peap: Tunneled authentication was successful
(9) eap_peap: SUCCESS
(9) eap: Sending EAP Request (code 1) ID 10 length 43
(9) eap: EAP session adding &reply:State = 0x7322fa167b28e364
(9) [eap] = handled
(9) } # authenticate = handled
(9) Using Post-Auth-Type Challenge
(9) Post-Auth-Type sub-section not found. Ignoring.
(9) Sent Access-Challenge Id 168 from 192.168.8.27:1812 to 192.168.2.250:3072 length 0
(9) EAP-Message = 0x010a002b190017030100209ebe5c178129e763273f16ddd56f3f5e123f6a27587c42e7e480f2874b2985ac
(9) Message-Authenticator = 0x00000000000000000000000000000000
(9) State = 0x7322fa167b28e3641bb25e163c98a49d
(9) Finished request
Waking up in 4.7 seconds.
(10) Received Access-Request Id 89 from 192.168.2.250:3072 to 192.168.8.27:1812 length 229
(10) User-Name = «bob»
(10) Service-Type = Framed-User
(10) NAS-IP-Address = 192.168.2.250
(10) NAS-Port = 10
(10) NAS-Port-Id = «10»
(10) State = 0x7322fa167b28e3641bb25e163c98a49d
(10) Called-Station-Id = «0E-0B-6B-2F-12-67:domain 8021X»
(10) Calling-Station-Id = «B8-E8-56-41-2C-2A»
(10) Connect-Info = «CONNECT 54 Mbps 802.11g»
(10) NAS-Identifier = «AP-domain01»
(10) NAS-Port-Type = Wireless-802.11
(10) Framed-MTU = 1500
(10) EAP-Message = 0x020a002b19001703010020ae6a94676019ad167b393353926209ead29be3185de748899304ff6a50957c1a
(10) Message-Authenticator = 0x64a847e3ae161cf68eccda80a2f11f16
(10) session-state: No cached attributes
(10) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/domain
(10) authorize {
(10) files: users: Matched entry bob at line 69
(10) [files] = ok
(10) [preprocess] = ok
(10) suffix: Checking for suffix after «@»
(10) suffix: No ‘@’ in User-Name = «bob», looking up realm NULL
(10) suffix: No such realm «NULL»
(10) [suffix] = noop
(10) eap: Peer sent EAP Response (code 2) ID 10 length 43
(10) eap: Continuing tunnel setup
(10) [eap] = ok
(10) } # authorize = ok
(10) Found Auth-Type = EAP
(10) # Executing group from file /usr/local/etc/raddb/sites-enabled/domain
(10) authenticate {
(10) eap: Expiring EAP session with state 0x7322fa167b28e364
(10) eap: Finished EAP session with state 0x7322fa167b28e364
(10) eap: Previous EAP request found for state 0x7322fa167b28e364, released from the list
(10) eap: Peer sent packet with method EAP PEAP (25)
(10) eap: Calling submodule eap_peap to process data
(10) eap_peap: Continuing EAP-TLS
(10) eap_peap: [eaptls verify] = ok
(10) eap_peap: Done initial handshake
(10) eap_peap: [eaptls process] = ok
(10) eap_peap: Session established. Decoding tunneled attributes
(10) eap_peap: PEAP state send tlv success
(10) eap_peap: Received EAP-TLV response
(10) eap_peap: Success
(10) eap: Sending EAP Success (code 3) ID 10 length 4
(10) eap: Freeing handler
(10) [eap] = ok
(10) } # authenticate = ok
(10) Sent Access-Accept Id 89 from 192.168.8.27:1812 to 192.168.2.250:3072 length 0
(10) MS-MPPE-Recv-Key = 0xa16bc44cb5331571c4f3d362fd38e1bb11a2670822b415e53eb7ebbc67c2cb93
(10) MS-MPPE-Send-Key = 0xbd2081385181a9a51170b7fa40bfd3b32e396b6e7d46f9b5369a38d64be27cc8
(10) EAP-Message = 0x030a0004
(10) Message-Authenticator = 0x00000000000000000000000000000000
(10) User-Name = «bob»
(10) Finished request
Waking up in 4.7 seconds.
(3) Cleaning up request packet ID 54 with timestamp +90
(4) Cleaning up request packet ID 29 with timestamp +90
Waking up in 0.1 seconds.
(5) Cleaning up request packet ID 215 with timestamp +90
(6) Cleaning up request packet ID 116 with timestamp +90
(7) Cleaning up request packet ID 108 with timestamp +90
(8) Cleaning up request packet ID 50 with timestamp +90
(9) Cleaning up request packet ID 168 with timestamp +90
(10) Cleaning up request packet ID 89 with timestamp +90
Ready to process requests

I think that everything goes wrong with encrypting/decrypting the domain user password, or no User-Password is given after EAP, or something else. I tried a lot of stuff, but nothing works.

users configuration

bob Cleartext-Password := «hello»

DEFAULT Framed-Protocol == PPP
Framed-Protocol = PPP,
Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT Hint == «CSLIP»
Framed-Protocol = SLIP,
Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT Hint == «SLIP»
Framed-Protocol = SLIP

Messages:

(7) ldap_nedeco: Processing user attributes
(7) ldap_nedeco: WARNING: No «known good» password added. Ensure the admin user has permission to read the password attribute
(7) ldap_nedeco: WARNING: PAP authentication will NOT work with Active Directory (if that is what you were trying to configure)
rlm_ldap (ldap_nedeco): Released connection (0)
..
(7) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password
(7) mschap: WARNING: No Cleartext-Password configured. Cannot create LM-Password
(7) mschap: Creating challenge hash with username: test
(7) mschap: Client is using MS-CHAPv2
(7) mschap: ERROR: FAILED: No NT/LM-Password. Cannot perform authentication
(7) mschap: ERROR: MS-CHAP2-Response is incorrect
..
(8) eap_peap: Received EAP-TLV response
(8) eap_peap: The users session was previously rejected: returning reject (again.)
(8) eap_peap: This means you need to read the PREVIOUS messages in the debug output
(8) eap_peap: to find out the reason why the user was rejected
(8) eap_peap: Look for «reject» or «fail». Those earlier messages will tell you
(8) eap_peap: what went wrong, and how to fix the problem
(8) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed
..

Any idea?
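The eap_peap lines quoted above tell the reader to look for the earlier «reject» or «fail» messages to find out why a PEAP session was rejected. As an added example, not part of the original post and not FreeRADIUS code, the following Python script does that mechanically: it groups `radiusd -X` output by request number, records the last packet type sent for each request, keeps the WARNING/ERROR lines, and attaches a short explanation to the failure signatures that appear in the messages above. The sample log is constructed from those messages (with straight quotes), and the request numbers and outcomes in it are constructed as well.

```python
"""Per-request triage of FreeRADIUS debug output (radiusd -X).

Added example, not code from the original post or from FreeRADIUS. It
groups "(N) ..." lines by request number, records the last packet type
sent for each request, keeps WARNING/ERROR lines, and attaches a short
explanation to the failure signatures seen in the post above.
"""
import re
from collections import OrderedDict

REQ_RE = re.compile(r'^\((\d+)\)\s+(.*)$')
SENT_RE = re.compile(r'^Sent (Access-(?:Accept|Reject|Challenge)) Id \d+')
USER_RE = re.compile(r'^User-Name = [«"]([^»"]+)[»"]')
PROBLEM_RE = re.compile(r'\b(?:WARNING|ERROR)\b')

# Substrings of the messages quoted in the post, with the explanation a
# reviewer would attach to each one.
SIGNATURES = [
    ("known good",
     "ldap found the user but could read no password attribute; Active "
     "Directory never returns one, so MS-CHAPv2 cannot be checked from LDAP "
     "alone (the FreeRADIUS mschap module's ntlm_auth option exists for this case)"),
    ("No NT/LM-Password",
     "mschap needs NT-Password or Cleartext-Password and this request had neither"),
    ("previously rejected",
     "follow-on reject of an earlier failure in the same EAP conversation"),
]


def triage(lines):
    """Return an OrderedDict {request_no: info} in order of first appearance.

    info = {"user": str|None, "outcome": str|None, "problems": [line], "hints": [str]}
    """
    reqs = OrderedDict()
    for raw in lines:
        m = REQ_RE.match(raw.strip())
        if not m:
            continue  # pool messages, "Waking up ..." etc. carry no request number
        rid, body = int(m.group(1)), m.group(2)
        info = reqs.setdefault(rid, {"user": None, "outcome": None,
                                     "problems": [], "hints": []})
        um = USER_RE.match(body)
        if um and info["user"] is None:
            info["user"] = um.group(1)
        sm = SENT_RE.match(body)
        if sm:
            info["outcome"] = sm.group(1)  # last "Sent ..." line wins
        if PROBLEM_RE.search(body):
            info["problems"].append(body)
        for needle, hint in SIGNATURES:
            if needle in body and hint not in info["hints"]:
                info["hints"].append(hint)
    return reqs


def explain_rejects(reqs):
    """Map each rejected request to the hints of that request and of every
    earlier request for the same user: one PEAP login spans several RADIUS
    exchanges, and the real cause is usually in an earlier one."""
    explained = {}
    for rid, info in reqs.items():
        if info["outcome"] != "Access-Reject":
            continue
        hints = []
        for prev_id, prev in reqs.items():
            if prev_id <= rid and prev["user"] == info["user"]:
                for h in prev["hints"]:
                    if h not in hints:
                        hints.append(h)
        explained[rid] = hints
    return explained


# Constructed sample, modelled on the messages quoted in the post (straight quotes).
SAMPLE_LOG = """\
(7) Received Access-Request Id 108 from 192.168.2.250:3072 to 192.168.8.27:1812 length 229
(7) User-Name = "test"
(7) ldap_domain: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute
(7) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password
(7) mschap: ERROR: FAILED: No NT/LM-Password. Cannot perform authentication
(7) mschap: ERROR: MS-CHAP2-Response is incorrect
(7) Sent Access-Challenge Id 108 from 192.168.8.27:1812 to 192.168.2.250:3072 length 0
Waking up in 4.8 seconds.
(8) Received Access-Request Id 50 from 192.168.2.250:3072 to 192.168.8.27:1812 length 277
(8) User-Name = "test"
(8) eap_peap: The users session was previously rejected: returning reject (again.)
(8) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed
(8) Sent Access-Reject Id 50 from 192.168.8.27:1812 to 192.168.2.250:3072 length 0
(9) Received Access-Request Id 89 from 192.168.2.250:3072 to 192.168.8.27:1812 length 229
(9) User-Name = "bob"
(9) Sent Access-Accept Id 89 from 192.168.8.27:1812 to 192.168.2.250:3072 length 0
"""

if __name__ == "__main__":
    reqs = triage(SAMPLE_LOG.splitlines())
    for rid, info in reqs.items():
        print(f"({rid}) user={info['user']} outcome={info['outcome']} "
              f"problems={len(info['problems'])}")
    for rid, hints in explain_rejects(reqs).items():
        print(f"({rid}) rejected because:")
        for h in hints:
            print("   -", h)
```

Run against the real debug output with `python3 triage.py < radiusd.log` after replacing the sample with `sys.stdin`; the point is that the reject in request 8 is explained by the «No NT/LM-Password» error in request 7, which in turn follows from the ldap warning that no password attribute could be read from Active Directory.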

Setting up Freeradius with MsCHAPv2

I need to test WPA-EAP support on a device. The device supports WPA-EAP with PEAP/TTLS MsCHAPv2. I have configured the router, but it needs a RADIUS server.

I took my laptop, installed freeradius, went to Google and suddenly realised that there is no decent manual for setting this thing up (specifically with the named authentication method). I did find a good manual on how to get TLS going, but that is not quite what I need.

The almighty anon surely knows where a manual is. Throw me a link.

If it is just for testing, there is a free «cloud» solution: http://cloudessa.com/products/cloudessa-radius-service/

Coming back to this topic: I cannot set things up so that phones connect to the network through radius. It says connecting, then connected, then it drops and tries to connect again. Tested on android only. It did connect to one router after all, but there was no internet. I am worn out looking for manuals, I have been banging my head against this problem for a month already. Is there anyone here who has implemented this?

What exactly? Mine works. My setup: samba4 as the LDAP server, freeradius as the radius server itself. Wi-fi access points: unifi or whatever they are called. Radius is configured there. Windows+Linux+Android all connect successfully.

Can you give me an article where this might be described? I did it the simple way: installed freeradius, put the users in the users file, put the wi-fi access point in the config, in the router specified my radius port and secret as required. In general I did everything as the manuals say, compared the peap protocols there one to one, but the phone does not connect to the wi-fi. I cannot even find where to look at the logs; I found some, but there is not a word in them about the connection attempt. If the firewall is enabled on the wi-fi access point, can it still talk normally to the radius server?

On another wi-fi access point it says authentication check error.

No idea about the firewall and such things; watch the traffic with tcpdump to see whether your access points reach you or not. I cannot give you the article because I did not save it, and besides I did ldap, not the users file.

You can check from the console:

At the end it gives an error; Google points to samba and to a file access error, but I do not use it, so where do I need to look?

radtest -t mschap test test123 localhost 0 testing123
Sending Access-Request of id 80 to 127.0.0.1 port 1812
User-Name = «test»
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
Message-Authenticator = 0x00000000000000000000000000000000
MS-CHAP-Challenge = 0x28d8716706d86e4d
MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000ceb1083a96ad1c063830db50be525455d8a22d2038b6ba15
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, length=38
MS-CHAP-Error = «00E=691 R=1»

sudo radtest -t mschap test test123 localhost 0 testing123

Sending Access-Request of id 80 to 127.0.0.1 port 1812

Message-Authenticator = 0x00000000000000000000000000000000
MS-CHAP-Challenge = 0x28d8716706d86e4d

rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, length=38

MS-CHAP-Error = «00E=691 R=1»

Well, that means user authentication does not work for you. Check the radius server settings.

Found where the problem is. In the file /etc/freeradius/radiusd.conf there are these lines:

# IP address on which to listen.
# Allowed values are:
# dotted quad (1.2.3.4)
# hostname (radius.example.com)
# wildcard (*)
ipaddr = *

Instead of these lines you need to specify the server address. This is not described anywhere; the same with the port, I changed the asterisk to 1812. Complete nonsense (( So much time because of such crap.

Hm. Funny. 🙂 Well, great!

And is it possible, by means of freeradius, to restrict access for everything and everyone except, say, allowed MAC addresses?

And is it possible, by means of freeradius, to restrict access for everything and everyone except, say, allowed MAC addresses?

Yes, I think it is possible. Only you will need to configure dhcp correctly, and you need the right, expensive switches. And as for wi-fi, I think you would need expensive access points there too.

It makes no difference whether the wi-fi is expensive or cheap, they send the MAC address in some format anyway. I found articles, if anyone needs them, here:

there ( http://wiki.freeradius.org/guide/Mac Auth) it describes how to convert the different MAC address formats to one standard. Good topic, because even if some outsider learns the password he still will not be able to connect.
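The format conversion the post refers to is the crux of a MAC allowlist: a NAS may send the same client MAC as «B8-E8-56-41-2C-2A», «b8:e8:56:41:2c:2a», «b8e8.5641.2c2a» or «B8E856412C2A», and the Called-Station-Id in the first post even carries the SSID after the MAC («0E-0B-6B-2F-12-67:domain 8021X»). The following Python is an added example, not code from the thread or from the FreeRADIUS wiki page it links to: it normalises those spellings to one canonical form, splits off the SSID, and checks the result against a constructed allowlist.

```python
"""Normalising Calling-Station-Id / Called-Station-Id before a MAC allowlist check.

Added example, not code from the thread or from the FreeRADIUS wiki page it
links to. NAS devices send the client MAC in several spellings; a comparison
only works after converting them to one canonical form. The allowlist below
is constructed for the example.
"""
import re

# Accepts the common NAS spellings and an optional ":SSID" suffix such as the
# Called-Station-Id "0E-0B-6B-2F-12-67:domain 8021X" in the first post.
STATION_RE = re.compile(
    r'^(?P<mac>[0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5}'   # aa-bb-cc-dd-ee-ff, aa:bb:cc:dd:ee:ff
    r'|[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}'     # aabb.ccdd.eeff
    r'|[0-9A-Fa-f]{12})'                                   # aabbccddeeff
    r'(?::(?P<ssid>.*))?$'
)

# Constructed allowlist in canonical form (lower case, colon separated).
ALLOWED_MACS = {"b8:e8:56:41:2c:2a", "00:11:22:33:44:55"}


def parse_station_id(value):
    """Return (canonical_mac, ssid_or_None); (None, None) if no MAC is present."""
    m = STATION_RE.match(value.strip())
    if not m:
        return None, None
    digits = re.sub(r'[-:.]', '', m.group('mac')).lower()
    mac = ':'.join(digits[i:i + 2] for i in range(0, 12, 2))
    return mac, m.group('ssid')


def mac_allowed(calling_station_id, allowlist=ALLOWED_MACS):
    """True only if the normalised MAC is in the allowlist.

    A MAC is trivially spoofable, as the reply further down points out, so
    this is a weak extra filter on top of real authentication, never a
    replacement for it."""
    mac, _ = parse_station_id(calling_station_id)
    return mac is not None and mac in allowlist


def decide(request):
    """Policy over the RADIUS attributes of one request (a dict of
    attribute name -> value): returns ("accept"|"reject", ssid_for_logging)."""
    calling = request.get("Calling-Station-Id", "")
    called = request.get("Called-Station-Id", "")
    _, ssid = parse_station_id(called)
    return ("accept" if mac_allowed(calling) else "reject"), ssid


if __name__ == "__main__":
    # Constructed request modelled on the attributes in the first post.
    req = {"Calling-Station-Id": "B8-E8-56-41-2C-2A",
           "Called-Station-Id": "0E-0B-6B-2F-12-67:domain 8021X"}
    print(decide(req))
```

The canonical form is chosen once and applied to both the allowlist and the incoming attribute; without that step a list maintained in one spelling silently rejects every client whose access point uses another.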

без разницы дорогой вай фай или дешевый

Эм. Смотри, к примеру тебе нужно организовать доступ в локальную сеть через wi-fi, чтобы твои wi-fi устройства были членами одного LAN домена, в таком случае, тебе необходимо их перекидывать из недоверенного VLAN, в доверенный, после того как они пройдут аутотентификацию на radius сервере. Я об этом. Или, же, тебе надо, чтобы в зависимости от той группы, членом которой является учётная запись в LDAP, у тебя wi-fi точка назначала нужный VLAN. А то, чем занимаешься ты — пустое занятие же. Или я чего-то не понял? MAC подделывать же не трудно, совсем.

Если у тебя левый чел узнает пароль, он подключится к твоей точке, и просканирует все MAC адреса в две секунды. Это во-первых. Во-вторых, в твоём случае, тебе придётся руками сопровождать базу данных MAC, что в современном мире, где одни мобильные гаджеты приходят на смену другим гаджетам раз в пол года — не представляется хоть сколько-нибудь ценным занятием.

У меня небольшая группа пользователей будет которая вафлей пользуется, поэтому сопровозждать таблицу мак будет совсем нетрудно.Телефоны я надеюсь они редко менять будут.Всё что я хотел что бы левый чел придя с ноутом или своим гаджетом не мог подцепиться по вафле даже зная логин пароль, так как мака его не будет в базе. Да мак подделывать не трудно, но ты же не знаешь на какой его подделать надо)

У меня небольшая группа пользователей будет которая вафлей пользуется, поэтому сопровозждать таблицу мак будет совсем нетрудно.Телефоны я надеюсь они редко менять будут.

Я тоже раньше ТОЧНО так же думал. В итоге, для гостей, и своих пользователей, которым нужен только Интернет, я впилил captive portal + wpa2-personal + ldap, на вот, специально для тебя я сделал снимок экрана, сколько у меня сейчас маков болтается в портале (это за полтора года накопилось. ): http://i.imgur.com/EUWML9v.png уж извини, не стал ещё более уменьшать, чтобы тебе показать весь список.

Мануала у тебя опять же нет на эту куню да?)

Ну я просто взял, pfSense, на точках доступа везде настроил WPA2 с единым паролем, в качестве шлюза указал pfSense, забросил это дело в VLAN, на pfSense сделал dhcp сервер, и настроил captive portal, и настроил ldap аутотентификацию по группе wi-fi. И всё в общем то. Приходит свой сотрудник с мобильным телефоном: и просит Интернет. — Идёт получает добро от своего начальника отдела, далее: он вносится в группу wi-fi, ему настраивается точка доступа, то есть в целом он может и даже случайно узнать пароль от wpa2, но на практике, они и этого не знают особо. Затем, он открывает браузер, и там страница аутотентификации, там он вводит свои логин+пароль из LDAP, и всё (один раз за всю жизнь моб. устройства), его mac попадает в белый список, а в лог заносится, кому принадлежит мак+ip.

В dhcp сервере, стоит долгоиграющая аренда ip адреса. Так что в случае проблем, я в конце месяца, просто беру, и строю netflow отчёты по нужному мне ip, и выдаю звездюлей (а такие случаи уже были!), когда люди начинают борзеть, и качать сотни гигов! Как узнать ip: надо в pfSense найти: mac+user, затем на dhcp найти пару: mac+ip. Ну и потом через nfseen построить нужный отчёт. Всё. Даже в консоль не надо никуда входить, всё можно сделать через webGUI.

С теми кому нужна локальная сеть на ноуте: я просто через freeradius настраиваю точку доступа с WPA2-enterprise, и они становятся членами лок. сети. — А там уже вступают в силу привычные инструменты учёта: корпоративные прокси и т.д. — Однако, win 8.1, почему-то дурит, и раз в две недели забывает логин/пароль от точки. Почему — пока не знаю.

Ну и вестимо, всё это гавнище я виртуализовал.

А гостевого доступа нет? Клиенты если приходят чтоб не скучать в инет зайти могут?

и еще средствами freeradius что нибудь из этого можно сделать если его донастроить. -Узнать ip по логину -контролировать обьем трафика -мож даже контролировать посещенный ресурс.

или он не сможет эту инфу забирать?

Нет, не могут. Сейчас в общем то у всех есть 3G. Так что большой необходимости в этом не вижу. Но в целом, не сложно и это реализовать, конечно, достаточно поднять ещё один SSID, с названием Free.

Я боюсь, что эту инфу, он сможет получать только от умных устройств доступа (я тебе как раз и писал про дорогие свитчи, и дорогие точки доступа). Однако, есть и бюджетные модели, которые кое-чего в этом плане умеют.

Я с телефонов подключиться могу , а с ноутов нет .Сначала запрашивает логин пароль, после этого запрашивает почему-то доменимя пользователя и ключ. В курсе что может быть?

Рискну предположить, что у тебя криво настроен freeradius, и он сперва ищет в локальной базе, а потом начинает искать в ldap.

ldap я не настраивал, в файлах /etc/freeradius/sites-available/default и /etc/freeradius/sites-available/inner-tunnel все что связано с ldap закоментированно, в файле /etc/freeradius/radiusd.config про ldap упоминаний нет. Там ведь можно без сертификатов буки подключить?

Damn, I don't know it that deeply, and I don't remember anymore. I set up Freeradius+samba4 and configured the whole thing with MSCHAP. Entered it on the access points, and everything worked for me, without much difficulty. Though I'll repeat that Windows 8 acts up for me and periodically forgets the login/password for the access point.

Source: forum.lissyara.su


Given: an existing domain controller (DC) on Windows Server 2012 R2 with a populated Active Directory (AD) user directory.

Task: bring up a free RADIUS server and configure it to authenticate users against that AD.

The back story is that the original task was not RADIUS but a Captive Portal (which I will write about in another article) that will authorise (show a login/password page) and control users connecting to the corporate WiFi.

pfSense 2.3 was chosen as the free ready-made Captive Portal solution, and for third-party (including domain) user authorisation it needs a RADIUS server.

The article is more of a log of the actions and mistakes of a hardened Windows admin, so don't judge it harshly: this is a note for unix newbies by a unix newbie.

The free FreeRADIUS version 3 was chosen as the RADIUS server.

FreeBSD 10.3 was chosen as its operating system.

Let's assume FreeBSD 10.3 is already installed.

FreeBSD distribution: FreeBSD/releases/amd64/amd64/ISO-IMAGES/10.3/

Let's set, for example, the following initial data:

Let the name of the PC with FreeBSD and RADIUS be: FreeRADIUS-AO
Its IP: 192.168.10.30

IP of the pfSense PC: 192.168.10.12

IP of the DCs (domain controllers): 192.168.10.4 and 192.168.0.4

Domain: corp.domain.net

Log in to the FreeRADIUS-AO machine and switch to superuser mode (root, su).

If it is more convenient to work from Windows, you can connect with the PuTTY ssh client.
For convenience, install the MC (Midnight Commander) file manager right away:

# pkg install mc

It can be started without pseudo-graphics with the command:

# mc -a

Since logging in to the machine directly as root through that same PuTTY is not recommended, log in as another user, for example admin, who must first be added to the special wheel group. Add him like this:

# pw groupmod wheel -m admin

# pw groupshow wheel

Switching to the superuser (root):

$ su

Point the time servers at the CORP.DOMAIN.NET domain controllers,

where dc1.corp.domain.net and dc2.corp.domain.net are the domain controller names.

Our domain controller addresses must be configured correctly in /etc/resolv.conf:

nameserver 192.168.10.4
nameserver 192.168.0.4
search corp.domain.net

In /etc/hosts write the names:

127.0.0.1 localhost
192.168.10.30 freeradius-ao.corp.domain.net freeradius-ao

Check what is already installed, which packages are present:

# pkg info

Check whether there are package updates:

# pkg update
# pkg upgrade

The main source followed for installation and configuration is the official manual from the FreeRADIUS developers: wiki.freeradius.org/guide/FreeRADIUS-Active-Directory-Integration-HOWTO

Install the Samba package (version 4.4), which is needed for domain user authorisation:

# pkg install net/samba44

Accompanying packages will be installed as well.

Here it is worth noting where the configuration files and logs are located.

Samba contains the components that will be needed later to work with AD:

  • winbind, a service (a daemon in FreeBSD terms) that links the linux machine to the domain controller.
  • ntlm_auth, a utility that uses the winbind service for NTLM requests. It lets user credentials (login and password) be checked on the domain controller and returns either a successful check result or error messages.

To view samba's build options, run:

# smbd -b

Its output:

Build environment:
   Built by:    root@101amd64-quarterly-job-14
   Built on:    Thu Jul 28 15:46:26 UTC 2016
   Built using: cc
   Build host:  FreeBSD 101amd64-quarterly-job-14 10.1-RELEASE-p37 FreeBSD 10.1-RELEASE-p37 amd64
   SRCDIR:      /wrkdirs/usr/ports/net/samba44/work/samba-4.4.5/source3
   BUILDDIR:    /wrkdirs/usr/ports/net/samba44/work/samba-4.4.5/source3

Paths:
   SBINDIR:         /usr/local/sbin
   BINDIR:          /usr/local/bin
   CONFIGFILE:      /usr/local/etc/smb4.conf
   LOGFILEBASE:     /var/log/samba4
   LMHOSTSFILE:     /usr/local/etc/lmhosts
   LIBDIR:          /usr/local/lib/samba4
   MODULESDIR:      /usr/local/lib/shared-modules
   SHLIBEXT:        so
   LOCKDIR:         /var/db/samba4
   STATEDIR:        /var/db/samba4
   CACHEDIR:        /var/db/samba4
   PIDDIR:          /var/run/samba4
   SMB_PASSWD_FILE: /var/db/samba4/private/smbpasswd
   PRIVATE_DIR:     /var/db/samba4/private

System Headers:
   HAVE_SYS_ACL_H
   HAVE_SYS_CAPABILITY_H
   HAVE_SYS_CDEFS_H

Headers:
   HAVE_AIO_H

UTMP Options:
   HAVE_UTMPX_H

HAVE_* Defines:
   HAVE_ACL
   HAVE_ACL_EVERYONE
   HAVE_ACL_GET_FILE
   HAVE_ACL_GET_PERM_NP

--with Options:
   WITH_ADS
   WITH_AUTOMOUNT
   WITH_DNS_UPDATES
   WITH_PAM
   WITH_PAM_MODULES
   WITH_PTHREADPOOL
   WITH_QUOTAS
   WITH_SENDFILE
   WITH_SYSLOG
   WITH_WINBIND

Build Options:
   AD_DC_BUILD_IS_ENABLED
   BROKEN_NISPLUS_INCLUDE_FILES
   BSD_STYLE_STATVFS

Cluster support features:
   NONE

Type sizes:
   sizeof(char):         1
   sizeof(int):          4
   sizeof(long):         8
   sizeof(long long):    8
   sizeof(uint8_t):      1
   sizeof(uint16_t):     2
   sizeof(uint32_t):     4
   sizeof(short):        2
   sizeof(void*):        8
   sizeof(size_t):       8
   sizeof(off_t):        8
   sizeof(ino_t):        4
   sizeof(dev_t):        4

Builtin modules:
   vfs_default vfs_posixacl auth_domain auth_builtin auth_sam auth_winbind pdb_smbpasswd pdb_tdbsam pdb_wbc_sam auth_unix auth_wbc nss_info_template idmap_tdb idmap_passdb idmap_nss pdb_samba_dsdb auth_samba4 vfs_dfs_samba4 pdb_ldapsam idmap_ldap

Now Samba needs to be configured with our addresses and domains.

Create the configuration file at /usr/local/etc/smb4.conf:

# vi /usr/local/etc/smb4.conf

Add the following settings (they may vary by situation; in the various manuals online everyone writes their own variant, this is a kind of consolidated result of my analysis of the options):

[global]
# workgroup: the workgroup name
# realm: the full domain name
# Write these parameters in upper case (capital letters)
workgroup = CORP
realm = CORP.DOMAIN.NET

# server string: the server comment that clients will see, for example in Explorer
server string = Radius Samba Server

# Authorisation type
# These two options are responsible for authorisation through AD
# In this mode Samba works as a member of the AD domain
security = ads
encrypt passwords = yes

# hosts allow: allow access only from the listed subnets
# List of networks allowed to connect to the server
# hosts allow = 192.168.0. 127.

# log file: the log file
log file = /var/log/samba4/log.%m

# max log size: the maximum log size (in kilobytes?)
max log size = 500

# Forbid nmbd from making DNS queries
dns proxy = no

socket options = TCP_NODELAY

# samba may "want" to become a domain controller;
# to keep it from doing that, set the following parameters
domain master = no
local master = no
preferred master = no
os level = 0
domain logons = no

# Disable printer support
load printers = no
show add printer wizard = no
printcap name = /dev/null
disable spoolss = yes

# Character sets
# display charset = koi8-r
# unix charset = koi8-r
dos charset = cp866

# Parameters for mapping AD users with winbind
# Set the identifier ranges for the virtual users
idmap config * : range = 10000-20000
idmap config * : backend = tdb

# Also leave these parameters on
winbind enum groups = yes
winbind enum users = yes

# The next setting you will have to choose yourself.
# If no, domain\name is used
# If yes, just the name is used
# Although the AD setup page for FreeRadius suggests "no"
winbind use default domain = yes

# If automatic renewal of the Kerberos ticket by the pam_winbind.so
# module is needed, uncomment this
# winbind refresh tickets = yes

#== Share Definitions =============

[homes]
   comment = Home Directories
   browseable = no
   writable = yes

To check the Samba configuration for errors, run:

# testparm

Edit the configuration file /etc/nsswitch.conf (add a reference to winbind for group, passwd, services and protocols).

In /etc/rc.conf add enabling of the services:

samba_enable="YES"
winbindd_enable="YES"

Now the machine can be joined to the domain:

# net join -U Administrator

where Administrator is the domain administrator's name.

It will ask for the domain administrator password; enter it, and the result should be:

Using short domain name -- CORP
Joined 'FREERADIUS-AO' to dns domain 'corp.domain.net'

Note: to leave the domain, if needed: net ads leave -U Administrator

If you get the message:

Failed to leave domain: failed to leave realm: No such file or directory

then the machine is already out of the domain (for example, the administrator deleted it on the domain controller itself).

Reboot:

# reboot

(don't forget to reboot and restart the services whenever settings and configuration files are changed)

Check the domain membership status with:

# net ads testjoin

If you get the message:

kerberos_kinit_password FREERADIUS-AO$@CORP.DOMAIN.NET failed: Client not found in Kerberos database
Join to domain is not valid: Improperly formed account name

it means the machine is not in the domain.

If everything is fine, you should get:

Join is OK

Start samba:

# samba

Start winbind:

# winbindd

Check the status of the connection to the domain:

# wbinfo -p

If you get the message:

Ping to winbindd failed
could not ping winbindd!

then the winbind service is not running and must be started with the command above.

Test the ntlm_auth authorisation utility by trying to log in as some domain user:

# ntlm_auth --request-nt-key --domain=corp.domain.net --username=test1

It will ask for the password; enter it, and it will show the status NT_STATUS_OK: Success (0x0)

If you get the message:

could not obtain winbind separator!
Reading winbind reply failed! (0x01)
:  (0x0)

then the winbind service is not running and must be started with # winbindd.

If the message is:

NT_STATUS_USER_SESSION_DELETED: User session deleted (0xc0000203)

then you may have forgotten to join the machine to the domain.

Now install FreeRADIUS (the latest version as of this article is 3.0.11):

# pkg install freeradius3

Add the client that will use the RADIUS server to the configuration file /usr/local/etc/raddb/clients.conf (in our case it is the pfSense machine):

client 192.168.10.12 {
        secret  = XXXpfSenseXXX
        ipaddr = 192.168.10.12
        shortname = 192.168.10.12
}

where XXXpfSenseXXX is the secret code word you invent for exchanges with the RADIUS server.

Also check the client localhost section, so that the server can talk to itself:

client localhost {
        ipaddr = 127.0.0.1
        secret  = testing123
…

Now configure RADIUS to work with ntlm_auth.

(source: wiki.freeradius.org/guide/NTLM-Auth-with-PAP-HOWTO)

Adjust the configuration file /usr/local/etc/raddb/mods-available/ntlm_auth. In it, set the correct path to the ntlm_auth utility and the domain (optional). Example:

program = "/usr/local/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --password=%{User-Password}"

Also create the file /usr/local/etc/raddb/policy.d/ntlm_auth with the following content:

ntlm_auth.authorize {
    if (!control:Auth-Type && User-Password) {
        update control {
            Auth-Type := ntlm_auth
        }
    }
}

Next, add the following to the file /usr/local/etc/raddb/sites-enabled/default (find the corresponding sections, and also comment out the pap module):

authorize {
    …
    ntlm_auth
    # pap
}

authenticate {
    Auth-Type ntlm_auth {
        ntlm_auth
    }
    …
}

Now add enabling of radiusd to the rc.conf file mentioned earlier:

# echo 'radiusd_enable="YES"' >> /etc/rc.conf

(either with this command or by hand)

The RADIUS configuration files can be checked for correctness with:

# radiusd -X

Errors will be highlighted.

Possible warnings during the check:

[/usr/local/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay"      found in filter list for realm "DEFAULT".
[/usr/local/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec"         found in filter list for realm "DEFAULT".
Ignoring "sql" (see raddb/mods-available/README.rst)
Ignoring "ldap" (see raddb/mods-available/README.rst)

If you got the message:

Failed binding to auth address 127.0.0.1 port 18120 bound to server inner-tunnel: Address already in use
/usr/local/etc/raddb/sites-enabled/inner-tunnel[33]: Error binding to port for 127.0.0.1 port 18120

it means radiusd is already running, and to validate the configuration it must first be stopped with:

# service radiusd stop

Start RADIUS:

# service radiusd start

Now the connectivity and operation of the RADIUS server can be tested with:

# radtest test1 testpass localhost 1218 testing123

where

test1 is the user login
testpass is the user password
localhost is the machine where RADIUS is located (here, a request to itself)
1218 is the default port
testing123 is the default secret word for the localhost client

If there is no connectivity or RADIUS is not running, the request will be sent in an endless loop:

After starting, the variant with the user rejected:

Example of a successful response:

Possible errors: Access-Reject:

admin@FreeRADIUS-AO:/# radtest test1 testpass localhost 0 testing123
Sent Access-Request Id 169 from 0.0.0.0:40117 to 127.0.0.1:1812 length 89
        User-Name = "test1"
        User-Password = "testpass"
        NAS-IP-Address = 192.168.10.30
        NAS-Port = 0
        Message-Authenticator = 0x00
        Cleartext-Password = "testpass"
Received Access-Reject Id 169 from 127.0.0.1:1812 to 0.0.0.0:0 length 20
(0) -: Expected Access-Accept got Access-Reject

If the answer is Reject although everything was entered correctly, turn on RADIUS debug mode and see at which stage the problem is.

Starting RADIUS in debug mode:

# service radiusd stop
# service radiusd debug

Without leaving debug mode, run the radtest command and watch the logs.

Example of a log with an error:

If the test passes on the RADIUS server itself, you can try the test on the pfSense machine (provided the freeradius module is installed there; otherwise it can only be checked through pfSense itself):

# radtest test1 testpass 192.168.10.30 0 XXXpfSenseXXX

The result should be the answer: Access-Accept

Next, configure the mschap protocol (if required).

In the configuration file /usr/local/etc/raddb/mods-available/mschap the ntlm_auth line must be adjusted (set the path to the ntlm_auth utility, set the correct domain (specifying the domain is optional), and change the user-name request parameters if they differ).

Here you may have to experiment with the variants:

ntlm_auth = "/usr/local/bin/ntlm_auth --request-nt-key --domain=corp.domain.net --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"

Or like this:

ntlm_auth = "/usr/local/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"

Or like this:

ntlm_auth = "/usr/local/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"

In the configuration file /usr/local/etc/raddb/mods-available/eap the option

default_eap_type = md5

must be changed: replace md5 with peap, giving:

default_eap_type = peap

Also uncomment the line

random_file = /dev/urandom

Now the RADIUS server can be tested:

# radtest -t mschap test1 testpass localhost 0 testing123

The answers will be the same as described earlier.

Possible errors: error 691:

admin@FreeRADIUS-AO:/# radtest -t mschap test1 testpass localhost 0 testing123
Sent Access-Request Id 191 from 0.0.0.0:13388 to 127.0.0.1:1812 length 145
        User-Name = "test1"
        MS-CHAP-Password = "testpass"
        NAS-IP-Address = 192.168.10.30
        NAS-Port = 0
        Message-Authenticator = 0x00
        Cleartext-Password = "testpass"
        MS-CHAP-Challenge = 0x343cf762608b18eb
        MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000c5d3be2d767350eccce93ac4f1dc4bb7c32558c8d9bd1508
Received Access-Reject Id 191 from 127.0.0.1:1812 to 0.0.0.0:0 length 61
        MS-CHAP-Error = "00E=691 R=1 C=0dca59ab2eb746b8 V=2"
(0) -: Expected Access-Accept got Access-Reject

Other error variants:

MS-CHAP2-Response is incorrect mschap = reject

mschap: ERROR: Program returned code (1) and output 'Logon failure (0xc000006d)'

Again, turn on debugging and look at the logs.
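To see what the third ntlm_auth variant actually hands to the utility, here is an added Python model of the xlat expansion (not FreeRADIUS code). It runs over the MS-CHAPv1 request from the radtest -t mschap listing above, a constructed MS-CHAPv2 request such as a PEAP inner tunnel carries, and the plain User-Password request from the forum thread further down; the sample values of the v2 request, the Attrs alias and the helper names are this example's own.

```python
"""Model of the xlat expansion behind the third ntlm_auth variant above: what FreeRADIUS
hands to /usr/local/bin/ntlm_auth for a given request. Added example, not FreeRADIUS code;
the %{mschap:...} semantics are reproduced here from the module's documented behaviour:
  %{mschap:User-Name}   -> User-Name with any leading "DOMAIN\\" removed
  %{mschap:Challenge}   -> MS-CHAP-Challenge (v1) or the 8-byte MS-CHAPv2 challenge hash
  %{mschap:NT-Response} -> the 24-byte NT-Response inside MS-CHAP-Response / MS-CHAP2-Response
  %{...:-00}            -> the literal fallback "00" when the attribute is absent (a PAP request)
"""
import hashlib
from typing import Dict, List, Optional

Attrs = Dict[str, object]   # attribute name -> str or bytes, as the request carries them


def mschap_user_name(user_name: str) -> str:
    # Only the part after "DOMAIN\" is used; a "user@realm" name is passed through unchanged
    return user_name.split("\\", 1)[1] if "\\" in user_name else user_name


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, user_name: str) -> bytes:
    # RFC 2759 section 8.2: first 8 bytes of SHA1(PeerChallenge | AuthenticatorChallenge | UserName)
    return hashlib.sha1(peer_challenge + auth_challenge + user_name.encode()).digest()[:8]


def mschap_challenge(attrs: Attrs) -> Optional[bytes]:
    auth_challenge = attrs.get("MS-CHAP-Challenge")
    if auth_challenge is None:
        return None
    if "MS-CHAP2-Response" in attrs:
        # v2 layout: ident(1) flags(1) peer-challenge(16) reserved(8) nt-response(24)
        peer_challenge = attrs["MS-CHAP2-Response"][2:18]
        return challenge_hash(peer_challenge, auth_challenge, mschap_user_name(attrs["User-Name"]))
    if "MS-CHAP-Response" in attrs:
        return auth_challenge          # v1: the NAS's 8-byte challenge is used as-is
    return None


def mschap_nt_response(attrs: Attrs) -> Optional[bytes]:
    # v1 layout: ident(1) flags(1) lm-response(24) nt-response(24); both layouts are 50 bytes
    resp = attrs.get("MS-CHAP2-Response", attrs.get("MS-CHAP-Response"))
    return resp[26:50] if isinstance(resp, bytes) and len(resp) == 50 else None


def ntlm_auth_argv(attrs: Attrs) -> List[str]:
    challenge, nt_response = mschap_challenge(attrs), mschap_nt_response(attrs)
    return [
        "/usr/local/bin/ntlm_auth", "--request-nt-key",
        f"--username={mschap_user_name(attrs['User-Name'])}",
        f"--challenge={challenge.hex() if challenge else '00'}",
        f"--nt-response={nt_response.hex() if nt_response else '00'}",
    ]


# Sample 1: the MS-CHAPv1 request that radtest -t mschap sent in the listing above
V1_REQUEST: Attrs = {
    "User-Name": "test1",
    "MS-CHAP-Challenge": bytes.fromhex("343cf762608b18eb"),
    "MS-CHAP-Response": bytes.fromhex(
        "0001" + "00" * 24 + "c5d3be2d767350eccce93ac4f1dc4bb7c32558c8d9bd1508"),
}
# Sample 2: a constructed MS-CHAPv2 request (what a PEAP inner tunnel carries); values are made up
V2_REQUEST: Attrs = {
    "User-Name": "CORP\\test1",
    "MS-CHAP-Challenge": bytes.fromhex("00112233445566778899aabbccddeeff"),
    "MS-CHAP2-Response": bytes([0x01, 0x00]) + bytes(range(16)) + bytes(8) + bytes.fromhex("aa" * 24),
}
# Sample 3: what the PIX in the forum thread further down sent, PAP only (no MS-CHAP attributes)
PAP_REQUEST: Attrs = {"User-Name": "ldap", "User-Password": "ssss"}

if __name__ == "__main__":
    for name, req in (("v1", V1_REQUEST), ("v2", V2_REQUEST), ("pap", PAP_REQUEST)):
        print(name, " ".join(ntlm_auth_argv(req)))
```

For the PAP request both fallbacks expand to 00, which is the command line behind the 'Logon failure (0xc000006d)' output: ntlm_auth is asked to verify a response that was never computed.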

If all tests pass, you can try hooking the RADIUS server up to the Captive Portal on the pfSense server, as planned in the original task.

Problems not yet investigated at this point:

1) the winbind service did not start automatically; possibly the startup parameters are wrong.

2) login is refused if the name is given together with the domain, for example test1@corp.domain.net (Reject is always returned). The user-name template in the ntlm_auth connection setup probably needs looking into.

Also, for the sake of checking, unsuccessful attempts were made to lower the security level on the domain controller and allow the NTLMv1 protocol.

These are the check actions that were taken:

1. On the domain controller, in the registry under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RemoteAccess\Policy, a DWORD value "Enable NTLMv2 Compatibility" was created with the value 1.

2. Through the secpol.msc snap-in (Run - secpol.msc), in Security Options, in the "Network security: LAN Manager authentication level" setting "Send LM & NTLM Response" was allowed, and in the "Minimum session security for NTLM SSP" setting "Require 128-bit encryption" was turned off.



Sorryxs

Freeradius mschap confusion.

There is a problem with mschap auth.
No problems with the domain: radtest -t mschap user pass ip port testarg passes with flying colours. A local root was created, which also passes authorisation on the server. A Cisco pix 515e is hooked up; with the radius's local root it passes fine, but a domain account gets reject. In debug mode the output is this:

Code:

rad_recv: Access-Request packet from host 172.21.1.120 port 1025, id=111, length=62
        User-Name = "ldap"
        User-Password = "passwd"
        NAS-IP-Address = 172.21.1.120
        NAS-Port = 93
        NAS-Port-Type = Virtual
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "ldap", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] No '' in User-Name = "ldap", looking up realm NULL
[ntdomain] No such realm "NULL"
++[ntdomain] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry DEFAULT at line 209
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = MSCHAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group MS-CHAP {...}
[mschap] ERROR: You set 'Auth-Type = MS-CHAP' for a request that does not contain any MS-CHAP attributes!
++[mschap] returns reject
Failed to authenticate the user.
Using Post-Auth-Type REJECT
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> ldap
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 5 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 5
Sending Access-Reject of id 111 to 172.21.1.120 port 1025
Waking up in 4.9 seconds.
Cleaning up request 5 ID 111 with timestamp +115
Ready to process requests.

I don't understand which attributes it wants?
And why do all the manuals say to specify Default auth-type = mschap; maybe it needs more parameters specified?
thanks

Last edited by f_andrey 2013-10-18 13:32:53, edited 1 time in total.

Reason: To the author: please choose the appropriate forum section.



Re: Freeradius mschap confusion.

dlyni » 2013-10-22 8:31:24

Here is the log with ROOT:

rad_recv: Access-Request packet from host 172.21.1.179 port 49716, id=9, length=44
User-Name = 'root'
User-Password = 'root'
(1) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(1) authorize {
(1) [preprocess] = ok
(1) auth_log : expand: "/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" -> '/var/log/radacct/172.21.1.179/auth-detail-20131022'
(1) auth_log : /var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radacct/172.21.1.179/auth-detail-20131022
(1) auth_log : expand: "%t" -> 'Tue Oct 22 16:29:14 2013'
(1) [auth_log] = ok
(1) [chap] = noop
(1) [mschap] = noop
(1) ntdomain : No '\' in User-Name = "root", looking up realm NULL
(1) ntdomain : No such realm "NULL"
(1) [ntdomain] = noop
(1) eap : No EAP-Message, not doing EAP
(1) [eap] = noop
(1) files : users: Matched entry root at line 100
(1) [files] = ok
(1) [expiration] = noop
(1) [logintime] = noop
(1) [pap] = updated
(1) } # authorize = updated
(1) Found Auth-Type = PAP
(1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(1) Auth-Type PAP {
(1) pap : login attempt with password "root"
(1) pap : Using clear text password "root"
(1) pap : User authenticated successfully
(1) [pap] = ok
(1) } # Auth-Type PAP = ok
(1) Login OK: [root] (from client network1 port 0)
(1) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
(1) post-auth {
(1) [exec] = noop
(1) remove_reply_message_if_eap remove_reply_message_if_eap {
(1) ? if (reply:EAP-Message && reply:Reply-Message)
(1) ? if (reply:EAP-Message && reply:Reply-Message) -> FALSE
(1) else else {
(1) [noop] = noop
(1) } # else else = noop
(1) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop
(1) } # post-auth = noop
Sending Access-Accept of id 9 from 172.21.1.208 port 1812 to 172.21.1.179 port 49716
(1) Finished request 1.
Waking up in 0.3 seconds.
Waking up in 4.6 seconds.
(1) Cleaning up request packet ID 9 with timestamp +183
Ready to process requests.


Re: Freeradius mschap confusion.

Guest » 2013-10-22 10:11:08

/usr/local/etc/raddb/sites-enabled/default
in one case:
(1) files : users: Matched entry root at line 100
in the other case:
[files] users: Matched entry DEFAULT at line 209

and further on,
in one case:
Found Auth-Type = MSCHAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group MS-CHAP {...}

in the other case:
(1) Found Auth-Type = PAP
(1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(1) Auth-Type PAP {

I hope nothing needs explaining; it is all obvious.


Re: Freeradius mschap confusion.

dlyni » 2013-10-23 3:03:56

All that is clear: root is written in the users config, and at [216] of that same config DEFAULT Auth-Type = mschap is specified.
I do the check, i.e. the request, with NTRadPing, and also with the Pix 515 (the radiusd -X output is the same).
root, as you showed, goes through PAP.
Next we enter an AD user (it can be anything as well); the output is this:
rad_recv: Access-Request packet from host 172.21.1.179 port 50608, id=34, length=44
User-Name = 'ldap'
User-Password = 'ssss'
(4) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(4) authorize {
(4) [preprocess] = ok
(4) auth_log : expand: "/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" -> '/var/log/radacct/172.21.1.179/auth-detail-20131023'
(4) auth_log : /var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radacct/172.21.1.179/auth-detail-20131023
(4) auth_log : expand: "%t" -> 'Wed Oct 23 10:51:43 2013'
(4) [auth_log] = ok
(4) [chap] = noop
(4) [mschap] = noop
(4) ntdomain : No '\' in User-Name = "ldap", looking up realm NULL
(4) ntdomain : No such realm "NULL"
(4) [ntdomain] = noop
(4) eap : No EAP-Message, not doing EAP
(4) [eap] = noop
(4) files : users: Matched entry DEFAULT at line 216
(4) [files] = ok
(4) [expiration] = noop
(4) [logintime] = noop
(4) WARNING: pap : No "known good" password found for the user. Not setting Auth-Type.
(4) WARNING: pap : Authentication will fail unless a "known good" password is available.
(4) [pap] = noop
(4) } # authorize = ok
(4) Found Auth-Type = MSCHAP
(4) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(4) Auth-Type mschap {
(4) ERROR: mschap : You set 'Auth-Type = MS-CHAP' for a request that does not contain any MS-CHAP attributes!
(4) [mschap] = reject
(4) } # Auth-Type mschap = reject
(4) Failed to authenticate the user.
(4) Login incorrect (mschap: You set 'Auth-Type = MS-CHAP' for a request that does not contain any MS-CHAP attributes!): [ldap] (from client network1 port 0)
(4) Using Post-Auth-Type Reject
(4) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(4) Post-Auth-Type REJECT {
(4) attr_filter.access_reject : expand: "%{User-Name}" -> 'ldap'
(4) attr_filter.access_reject : Matched entry DEFAULT at line 11
(4) [attr_filter.access_reject] = updated
(4) } # Post-Auth-Type REJECT = updated
(4) Finished request 4.
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(4) Sending delayed reject
Sending Access-Reject of id 34 from 172.21.1.208 port 1812 to 172.21.1.179 port 50608
Waking up in 4.9 seconds.
(4) Cleaning up request packet ID 34 with timestamp +61

From which I personally conclude that PAP did not pass (clearly, there is no such user there), then the entry «DEFAULT Auth-Type = mschap» kicked in, and right here:
(4) Found Auth-Type = MSCHAP
(4) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(4) Auth-Type mschap {
(4) ERROR: mschap : You set ‘Auth-Type = MS-CHAP’ for a request that does not contain any MS-CHAP attributes!
i.e. the NAS does not send the attributes RADIUS needs in order to send a CHALLENGE, i.e. the NAS has no idea about MS-CHAP;
it just sent whatever it had: User-Name = ‘ldap’ User-Password = ‘ssss’ and that's it. Or is the problem actually somewhere else? Thanks.


Guest

passer-by

Re: Freeradius mschap confusion.

Guest » 2013-10-23 8:25:03

i.e. the NAS does not send the attributes RADIUS needs in order to send a CHALLENGE, i.e. the NAS has no idea about MS-CHAP,

Yes, that's all correct, I had forgotten about that:
the NAS must be able to send the chap/chap-ms attributes to the RADIUS server;
if it cannot do that, then RADIUS cannot help in any way.
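As an added example (not code from this thread or from FreeRADIUS), a small Python diagnostic that reads the request dump from radiusd -X output, lists which Auth-Types the packet can actually support, and shows why a forced `DEFAULT Auth-Type = mschap` is rejected for a request that only carries User-Password. The per-Auth-Type attribute table and the two sample dumps are constructed here.

```python
import re

# Attributes an Access-Request must carry for each FreeRADIUS Auth-Type to be
# able to work at all. MS-CHAP uses the Microsoft vendor attributes (RFC 2548).
AUTH_TYPE_REQUIREMENTS = {
    "PAP": [{"User-Password"}],
    "CHAP": [{"CHAP-Password"}],
    "MS-CHAP": [{"MS-CHAP-Challenge", "MS-CHAP-Response"},
                {"MS-CHAP-Challenge", "MS-CHAP2-Response"}],
    "EAP": [{"EAP-Message"}],
}

# Matches "(4) User-Name = 'ldap'" or "User-Name = 'ldap'"; module/section lines do not match.
ATTR_LINE = re.compile(r"^\s*(?:\(\d+\)\s*)?([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.+)$")


def parse_request_attributes(debug_text):
    """Return {name: value} for the attributes printed before the authorize section."""
    attrs = {}
    for line in debug_text.splitlines():
        if "# Executing section" in line:  # the request dump is over
            break
        m = ATTR_LINE.match(line)
        if m:
            attrs[m.group(1)] = m.group(2).strip()
    return attrs


def supported_auth_types(attrs):
    """Auth-Types whose required attributes are all present in the request."""
    names = set(attrs)
    return [t for t, alts in AUTH_TYPE_REQUIREMENTS.items()
            if any(req <= names for req in alts)]


def check_forced_auth_type(debug_text, forced):
    """Predict whether forcing 'Auth-Type = <forced>' (e.g. a users DEFAULT entry)
    can succeed for this request, and which attributes the NAS would have to send."""
    attrs = parse_request_attributes(debug_text)
    auth_type = forced.upper().replace("MSCHAP", "MS-CHAP")
    missing = [sorted(req - set(attrs)) for req in AUTH_TYPE_REQUIREMENTS.get(auth_type, [])]
    return {"attributes": sorted(attrs), "supported": supported_auth_types(attrs),
            "forced": auth_type, "ok": auth_type in supported_auth_types(attrs),
            "missing_alternatives": missing}


# Constructed radiusd -X excerpts: the thread's PAP-only request, and one with MS-CHAPv2 attributes.
PAP_ONLY_REQUEST = """rad_recv: Access-Request packet from host 172.21.1.179 port 50608, id=34, length=44
User-Name = 'ldap'
User-Password = 'ssss'
(4) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
"""
MSCHAP_REQUEST = """rad_recv: Access-Request packet from host 172.21.1.179 port 50609, id=35, length=118
User-Name = 'ldap'
MS-CHAP-Challenge = 0x00112233445566778899aabbccddeeff
MS-CHAP2-Response = 0x01000102030405060708090a0b0c0d0e0f
(5) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
"""
```

For the PAP-only dump the result reports `supported == ["PAP"]` and `ok == False`, which is exactly the situation behind the "does not contain any MS-CHAP attributes" rejection above.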

