Mschap error ms chap2 response is incorrect

Issue type

• Questions about the server or its usage should be posted to the users
  mailing list http://freeradius.org/list/users.html.
• Remote security exploits MUST be sent to security@freeradius.org.
• Defect — Crash or memory corruption.
• Defect — Non compliance with a standards document, or incorrect API
  usage.
• Defect — Unexpected behaviour (obvious or verified by project
  member).
• Feature request.

See here
https://github.com/FreeRADIUS/freeradius-server/blob/v4.0.x/doc/bugs
for debugging instructions.

NOTE: PATCHES GO IN PULL REQUESTS. IF YOU SUBMIT A DIFF HERE, THE
DEVELOPMENT TEAM WILL HUNT YOU DOWN AND BEAT YOU OVER THE HEAD WITH YOUR
OWN KEYBOARD.
Defect/Feature description

We are using freeradius-server-3.0.11 and we have two different
wireless controller — Cisco WLC and Extricom. Configuration is done
for well-known network «eduroam» — we are using PEAP/MSCHAP, passwords
are in the LDAP backend.

If the clients are connecting to cisco WLC, everything
is always working fine. Problem is that if the clients are connecting
to extricom switches, we have random problems with authentication —
sometimes the auth is successfull, sometimes not (for the same client and
the same configuration). This occurs on different clients — not related to
one device.

For example, sometimes the client is connected for first try, sometimes
must repeat the connection for more times. In radius log, if the auth
fails, I can see this:

mschap: MS-CHAP2-Response is incorrect

I would like to ask, if is it possible to say if the problem is
on the extricom switches or freeradius side.

I am sending two debug logs from freeradius — both are for the same user
and the extricom switch — one successfull and one failed.
How to reproduce issue

Try to auth more times — sometimes it failed.
Output of [radiusd|freeradius] -X showing issue occurring

Accept:
Server was built with:
accounting : yes
authentication : yes
ascend-binary-attributes : yes
coa : yes
control-socket : yes
detail : yes
dhcp : yes
dynamic-clients : yes
osfc2 : no
proxy : yes
regex-pcre : no
regex-posix : yes
regex-posix-extended : yes
session-management : yes
stats : yes
tcp : yes
threads : yes
tls : yes
unlang : yes
vmps : yes
developer : no
Server core libs:
freeradius-server : 3.0.11
talloc : 2.0.*
ssl : 1.0.1t release
Endianness:
little
Compilation flags:
cppflags : -D_FORTIFY_SOURCE=2
cflags : -I/opt/src/freeradius-server-3.0.11 -I/opt/src/freeradius-server-3.0.11/src -include /opt/src/freeradius-server-3.0.11/src/freeradius-devel/autoconf.h -include /opt/src/freeradius-server-3.0.11/src/freeradius-devel/build.h -include /opt/src/freeradius-server-3.0.11/src/freeradius-devel/features.h -include /opt/src/freeradius-server-3.0.11/src/freeradius-devel/radpaths.h -fno-strict-aliasing -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -O2 -Wall -std=c99 -D_GNU_SOURCE -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5 -DNDEBUG -DIS_MODULE=1
ldflags : -Wl,-z,relro
libs : -lcrypto -lssl -ltalloc -lcap -lnsl -lresolv -ldl -lpthread -lreadline

Copyright (C) 1999-2016 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting — reading configuration files …
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including dictionary file /etc/freeradius/dictionary
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/mods-enabled/
including configuration file /etc/freeradius/mods-enabled/replicate
including configuration file /etc/freeradius/mods-enabled/echo
including configuration file /etc/freeradius/mods-enabled/cache_eap
including configuration file /etc/freeradius/mods-enabled/sradutmp
including configuration file /etc/freeradius/mods-enabled/dynamic_clients
including configuration file /etc/freeradius/mods-enabled/ldap
including configuration file /etc/freeradius/mods-enabled/detail
including configuration file /etc/freeradius/mods-enabled/logintime
including configuration file /etc/freeradius/mods-enabled/mschap
including configuration file /etc/freeradius/mods-enabled/files
including configuration file /etc/freeradius/mods-enabled/passwd
including configuration file /etc/freeradius/mods-enabled/ntlm_auth
including configuration file /etc/freeradius/mods-enabled/eap
including configuration file /etc/freeradius/mods-enabled/attr_filter
including configuration file /etc/freeradius/mods-enabled/utf8
including configuration file /etc/freeradius/mods-enabled/always
including configuration file /etc/freeradius/mods-enabled/preprocess
including configuration file /etc/freeradius/mods-enabled/unix
including configuration file /etc/freeradius/mods-enabled/expiration
including configuration file /etc/freeradius/mods-enabled/unpack
including configuration file /etc/freeradius/mods-enabled/linelog
including configuration file /etc/freeradius/mods-enabled/detail.log
including configuration file /etc/freeradius/mods-enabled/pap
including configuration file /etc/freeradius/mods-enabled/realm
including configuration file /etc/freeradius/mods-enabled/soh
including configuration file /etc/freeradius/mods-enabled/chap
including configuration file /etc/freeradius/mods-enabled/exec
including configuration file /etc/freeradius/mods-enabled/radutmp
including configuration file /etc/freeradius/mods-enabled/expr
including configuration file /etc/freeradius/mods-enabled/digest
including files in directory /etc/freeradius/policy.d/
including configuration file /etc/freeradius/policy.d/filter
including configuration file /etc/freeradius/policy.d/operator-name
including configuration file /etc/freeradius/policy.d/accounting
including configuration file /etc/freeradius/policy.d/canonicalization
including configuration file /etc/freeradius/policy.d/eap
including configuration file /etc/freeradius/policy.d/debug
including configuration file /etc/freeradius/policy.d/control
including configuration file /etc/freeradius/policy.d/abfab-tr
including configuration file /etc/freeradius/policy.d/cui
including configuration file /etc/freeradius/policy.d/dhcp
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/default
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
main {
security {
user = «freerad»
group = «freerad»
allow_core_dumps = no
}
name = «freeradius»
prefix = «/usr»
localstatedir = «/var»
logdir = «/var/log/freeradius»
run_dir = «/var/run/freeradius»
}
main {
name = «freeradius»
prefix = «/usr»
localstatedir = «/var»
sbindir = «/usr/sbin»
logdir = «/var/log/freeradius»
run_dir = «/var/run/freeradius»
libdir = «/usr/lib/freeradius»
radacctdir = «/var/log/freeradius/radacct»
hostname_lookups = no
max_request_time = 30
cleanup_delay = 10
max_requests = 16384
pidfile = «/var/run/freeradius/freeradius.pid»
checkrad = «/usr/sbin/checkrad»
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = yes
auth_badpass = no
auth_goodpass = no
colourise = yes
msg_denied = «You are already logged in — access denied»
}
resources {
}
security {
max_attributes = 200
reject_delay = 1.000000
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = «auth»
secret = <<< secret >>>
response_window = 20.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = «status-server»
ping_interval = 30
check_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 120
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
realm LOCAL {
}
realm NULL {
virtual_server = auth-reject
}
realm cvut.cz {
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = <<< secret >>>
nas_type = «other»
proto = «_»
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client localhost_ipv6 {
ipv6addr = ::1
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client briza.civ.cvut.cz {
ipaddr = 10.31.235.140
require_message_authenticator = no
secret = <<< secret >>>
shortname = «briza»
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 10.31.235.50 {
require_message_authenticator = no
secret = <<< secret >>>
shortname = «WLC4402»
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
No ‘ipaddr’ or ‘ipv4addr’ or ‘ipv6addr’ field found in client 10.31.235.50. Please fix your configuration
Support for old-style clients will be removed in a future release
client 10.31.235.22 {
require_message_authenticator = no
secret = <<< secret >>>
shortname = «WLC5520»
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
No ‘ipaddr’ or ‘ipv4addr’ or ‘ipv6addr’ field found in client 10.31.235.22. Please fix your configuration
Support for old-style clients will be removed in a future release
client 10.31.140.192/28 {
require_message_authenticator = no
secret = <<< secret >>>
shortname = «fsv-controlers»
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
No ‘ipaddr’ or ‘ipv4addr’ or ‘ipv6addr’ field found in client 10.31.140.192/28. Please fix your configuration
Support for old-style clients will be removed in a future release
client 10.31.144.0/28 {
require_message_authenticator = no
secret = <<< secret >>>
shortname = «fsv-controlers»
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
No ‘ipaddr’ or ‘ipv4addr’ or ‘ipv6addr’ field found in client 10.31.144.0/28. Please fix your configuration
Support for old-style clients will be removed in a future release
client 10.31.140.62 {
require_message_authenticator = no
secret = <<< secret >>>
shortname = «fsv-test»
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
No ‘ipaddr’ or ‘ipv4addr’ or ‘ipv6addr’ field found in client 10.31.140.62. Please fix your configuration
Support for old-style clients will be removed in a future release
client 10.31.67.6 {
require_message_authenticator = no
secret = <<< secret >>>
shortname = «service-muvs»
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
No ‘ipaddr’ or ‘ipv4addr’ or ‘ipv6addr’ field found in client 10.31.67.6. Please fix your configuration
Support for old-style clients will be removed in a future release
client 10.31.62.2 {
require_message_authenticator = no
secret = <<< secret >>>
shortname = «ap-muvs»
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
No ‘ipaddr’ or ‘ipv4addr’ or ‘ipv6addr’ field found in client 10.31.62.2. Please fix your configuration
Support for old-style clients will be removed in a future release
client 10.31.155.1 {
require_message_authenticator = no
secret = <<< secret >>>
shortname = «josef»
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
No ‘ipaddr’ or ‘ipv4addr’ or ‘ipv6addr’ field found in client 10.31.155.1. Please fix your configuration
Support for old-style clients will be removed in a future release
client 10.31.252.42 {
require_message_authenticator = no
secret = <<< secret >>>
shortname = «josef»
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
No ‘ipaddr’ or ‘ipv4addr’ or ‘ipv6addr’ field found in client 10.31.252.42. Please fix your configuration
Support for old-style clients will be removed in a future release
client 10.31.155.254 {
require_message_authenticator = no
secret = <<< secret >>>
shortname = «josef»
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
No ‘ipaddr’ or ‘ipv4addr’ or ‘ipv6addr’ field found in client 10.31.155.254. Please fix your configuration
Support for old-style clients will be removed in a future release
client 10.31.155.251 {
require_message_authenticator = no
secret = <<< secret >>>
shortname = «josef»
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
No ‘ipaddr’ or ‘ipv4addr’ or ‘ipv6addr’ field found in client 10.31.155.251. Please fix your configuration
Support for old-style clients will be removed in a future release
client 10.31.155.252 {
require_message_authenticator = no
secret = <<< secret >>>
shortname = «josef»
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
No ‘ipaddr’ or ‘ipv4addr’ or ‘ipv6addr’ field found in client 10.31.155.252. Please fix your configuration
Support for old-style clients will be removed in a future release
client 10.31.155.237 {
require_message_authenticator = no
secret = <<< secret >>>
shortname = «josef»
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
No ‘ipaddr’ or ‘ipv4addr’ or ‘ipv6addr’ field found in client 10.31.155.237. Please fix your configuration
Support for old-style clients will be removed in a future release
client 10.31.252.5 {
require_message_authenticator = no
secret = <<< secret >>>
shortname = «ap-zokl2»
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
No ‘ipaddr’ or ‘ipv4addr’ or ‘ipv6addr’ field found in client 10.31.252.5. Please fix your configuration
Support for old-style clients will be removed in a future release
client 10.31.32.129 {
require_message_authenticator = no
secret = <<< secret >>>
shortname = «mksuz-ruckus»
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
No ‘ipaddr’ or ‘ipv4addr’ or ‘ipv6addr’ field found in client 10.31.32.129. Please fix your configuration
Support for old-style clients will be removed in a future release
client 195.113.233.246 {
require_message_authenticator = no
secret = <<< secret >>>
shortname = «ermon»
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
No ‘ipaddr’ or ‘ipv4addr’ or ‘ipv6addr’ field found in client 195.113.233.246. Please fix your configuration
Support for old-style clients will be removed in a future release
client 10.31.235.106 {
require_message_authenticator = no
secret = <<< secret >>>
shortname = «nagios-civ»
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
No ‘ipaddr’ or ‘ipv4addr’ or ‘ipv6addr’ field found in client 10.31.235.106. Please fix your configuration
Support for old-style clients will be removed in a future release
client 10.31.3.195 {
require_message_authenticator = no
secret = <<< secret >>>
shortname = «prtg-is»
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
No ‘ipaddr’ or ‘ipv4addr’ or ‘ipv6addr’ field found in client 10.31.3.195. Please fix your configuration
Support for old-style clients will be removed in a future release
Debugger not attached

Creating Auth-Type = PAP

Creating Auth-Type = CHAP

Creating Auth-Type = MS-CHAP

Creating Auth-Type = digest

Creating Auth-Type = eap

Creating Auth-Type = LDAP

radiusd: #### Instantiating modules ####
modules {

Loaded module rlm_replicate

Loading module «replicate» from file /etc/freeradius/mods-enabled/replicate

Loaded module rlm_exec

Loading module «echo» from file /etc/freeradius/mods-enabled/echo

exec echo {
wait = yes
program = «/bin/echo %{User-Name}»
input_pairs = «request»
output_pairs = «reply»
shell_escape = yes
}

Loaded module rlm_cache

Loading module «cache_eap» from file /etc/freeradius/mods-enabled/cache_eap

cache cache_eap {
driver = «rlm_cache_rbtree»
key = «%{%{control:State}:-%{%{reply:State}:-%{State}}}»
ttl = 15
max_entries = 0
epoch = 0
add_stats = no
}

Loaded module rlm_radutmp

Loading module «sradutmp» from file /etc/freeradius/mods-enabled/sradutmp

radutmp sradutmp {
filename = «/var/log/freeradius/sradutmp»
username = «%{User-Name}»
case_sensitive = yes
check_with_nas = yes
permissions = 420
caller_id = no
}

Loaded module rlm_dynamic_clients

Loading module «dynamic_clients» from file /etc/freeradius/mods-enabled/dynamic_clients

Loaded module rlm_ldap

Loading module «ldap» from file /etc/freeradius/mods-enabled/ldap

ldap {
server = «ldaps://hades.xx.local.cz»
identity = «CN=svc-vic-shibboleth,OU=VIC,OU=MEMBER,DC=ms,DC=cvut,DC=cz»
password = <<< secret >>>
sasl {
}
user {
scope = «sub»
access_positive = yes
sasl {
}
}
group {
filter = «(objectClass=posixGroup)»
scope = «sub»
name_attribute = «cn»
membership_attribute = «memberOf»
cacheable_name = no
cacheable_dn = no
}
client {
filter = «(objectClass=radiusClient)»
scope = «sub»
base_dn = «OU=IDM,DC=ms,DC=cvut,DC=cz»
}
profile {
}
options {
ldap_debug = 40
chase_referrals = yes
rebind = yes
net_timeout = 1
res_timeout = 10
srv_timelimit = 3
idle = 60
probes = 3
interval = 3
}
tls {
ca_file = «/etc/freeradius/certs/tcs-ca-bundle.pem»
start_tls = no
require_cert = «allow»
}
}
Creating attribute LDAP-Group

Loaded module rlm_detail

Loading module «detail» from file /etc/freeradius/mods-enabled/detail

detail {
filename = «/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d»
header = «%t»
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}

Loaded module rlm_logintime

Loading module «logintime» from file /etc/freeradius/mods-enabled/logintime

logintime {
minimum_timeout = 60
}

Loaded module rlm_mschap

Loading module «mschap» from file /etc/freeradius/mods-enabled/mschap

mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
passchange {
}
allow_retry = yes
}

Loaded module rlm_files

Loading module «files» from file /etc/freeradius/mods-enabled/files

files {
filename = «/etc/freeradius/mods-config/files/authorize»
acctusersfile = «/etc/freeradius/mods-config/files/accounting»
preproxy_usersfile = «/etc/freeradius/mods-config/files/pre-proxy»
}

Loaded module rlm_passwd

Loading module «etc_passwd» from file /etc/freeradius/mods-enabled/passwd

passwd etc_passwd {
filename = «/etc/passwd»
format = «_User-Name:Crypt-Password:»
delimiter = «:»
ignore_nislike = no
ignore_empty = yes
allow_multiple_keys = no
hash_size = 100
}

Loading module «ntlm_auth» from file /etc/freeradius/mods-enabled/ntlm_auth

exec ntlm_auth {
wait = yes
program = «/path/to/ntlm_auth —request-nt-key —domain=MYDOMAIN —username=%{mschap:User-Name} —password=%{User-Password}»
shell_escape = yes
}

Loaded module rlm_eap

Loading module «eap» from file /etc/freeradius/mods-enabled/eap

eap {
default_eap_type = «md5»
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 16384
}

Loaded module rlm_attr_filter

Loading module «attr_filter.post-proxy» from file /etc/freeradius/mods-enabled/attr_filter

attr_filter attr_filter.post-proxy {
filename = «/etc/freeradius/mods-config/attr_filter/post-proxy»
key = «%{Realm}»
relaxed = no
}

Loading module «attr_filter.pre-proxy» from file /etc/freeradius/mods-enabled/attr_filter

attr_filter attr_filter.pre-proxy {
filename = «/etc/freeradius/mods-config/attr_filter/pre-proxy»
key = «%{Realm}»
relaxed = no
}

Loading module «attr_filter.access_reject» from file /etc/freeradius/mods-enabled/attr_filter

attr_filter attr_filter.access_reject {
filename = «/etc/freeradius/mods-config/attr_filter/access_reject»
key = «%{User-Name}»
relaxed = no
}

Loading module «attr_filter.access_challenge» from file /etc/freeradius/mods-enabled/attr_filter

attr_filter attr_filter.access_challenge {
filename = «/etc/freeradius/mods-config/attr_filter/access_challenge»
key = «%{User-Name}»
relaxed = no
}

Loading module «attr_filter.accounting_response» from file /etc/freeradius/mods-enabled/attr_filter

attr_filter attr_filter.accounting_response {
filename = «/etc/freeradius/mods-config/attr_filter/accounting_response»
key = «%{User-Name}»
relaxed = no
}

Loaded module rlm_utf8

Loading module «utf8» from file /etc/freeradius/mods-enabled/utf8

Loaded module rlm_always

Loading module «reject» from file /etc/freeradius/mods-enabled/always

always reject {
rcode = «reject»
simulcount = 0
mpp = no
}

Loading module «fail» from file /etc/freeradius/mods-enabled/always

always fail {
rcode = «fail»
simulcount = 0
mpp = no
}

Loading module «ok» from file /etc/freeradius/mods-enabled/always

always ok {
rcode = «ok»
simulcount = 0
mpp = no
}

Loading module «handled» from file /etc/freeradius/mods-enabled/always

always handled {
rcode = «handled»
simulcount = 0
mpp = no
}

Loading module «invalid» from file /etc/freeradius/mods-enabled/always

always invalid {
rcode = «invalid»
simulcount = 0
mpp = no
}

Loading module «userlock» from file /etc/freeradius/mods-enabled/always

always userlock {
rcode = «userlock»
simulcount = 0
mpp = no
}

Loading module «notfound» from file /etc/freeradius/mods-enabled/always

always notfound {
rcode = «notfound»
simulcount = 0
mpp = no
}

Loading module «noop» from file /etc/freeradius/mods-enabled/always

always noop {
rcode = «noop»
simulcount = 0
mpp = no
}

Loading module «updated» from file /etc/freeradius/mods-enabled/always

always updated {
rcode = «updated»
simulcount = 0
mpp = no
}

Loaded module rlm_preprocess

Loading module «preprocess» from file /etc/freeradius/mods-enabled/preprocess

preprocess {
huntgroups = «/etc/freeradius/mods-config/preprocess/huntgroups»
hints = «/etc/freeradius/mods-config/preprocess/hints»
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}

Loaded module rlm_unix

Loading module «unix» from file /etc/freeradius/mods-enabled/unix

unix {
radwtmp = «/var/log/freeradius/radwtmp»
}
Creating attribute Unix-Group

Loaded module rlm_expiration

Loading module «expiration» from file /etc/freeradius/mods-enabled/expiration

Loaded module rlm_unpack

Loading module «unpack» from file /etc/freeradius/mods-enabled/unpack

Loaded module rlm_linelog

Loading module «linelog» from file /etc/freeradius/mods-enabled/linelog

linelog {
filename = «/var/log/freeradius/linelog»
escape_filenames = no
syslog_severity = «info»
permissions = 384
format = «This is a log message for %{User-Name}»
reference = «messages.%{%{reply:Packet-Type}:-default}»
}

Loading module «log_accounting» from file /etc/freeradius/mods-enabled/linelog

linelog log_accounting {
filename = «/var/log/freeradius/linelog-accounting»
escape_filenames = no
syslog_severity = «info»
permissions = 384
format = «»
reference = «Accounting-Request.%{%{Acct-Status-Type}:-unknown}»
}

Loading module «auth_log» from file /etc/freeradius/mods-enabled/detail.log

detail auth_log {
filename = «/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d»
header = «%t»
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}

Loading module «reply_log» from file /etc/freeradius/mods-enabled/detail.log

detail reply_log {
filename = «/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d»
header = «%t»
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}

Loading module «pre_proxy_log» from file /etc/freeradius/mods-enabled/detail.log

detail pre_proxy_log {
filename = «/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d»
header = «%t»
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}

Loading module «post_proxy_log» from file /etc/freeradius/mods-enabled/detail.log

detail post_proxy_log {
filename = «/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d»
header = «%t»
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}

Loaded module rlm_pap

Loading module «pap» from file /etc/freeradius/mods-enabled/pap

pap {
normalise = yes
}

Loaded module rlm_realm

Loading module «IPASS» from file /etc/freeradius/mods-enabled/realm

realm IPASS {
format = «prefix»
delimiter = «/»
ignore_default = no
ignore_null = no
}

Loading module «suffix» from file /etc/freeradius/mods-enabled/realm

realm suffix {
format = «suffix»
delimiter = «@»
ignore_default = no
ignore_null = no
}

Loading module «realmpercent» from file /etc/freeradius/mods-enabled/realm

realm realmpercent {
format = «suffix»
delimiter = «%»
ignore_default = no
ignore_null = no
}

Loading module «ntdomain» from file /etc/freeradius/mods-enabled/realm

realm ntdomain {
format = «prefix»
delimiter = «»
ignore_default = no
ignore_null = no
}

Loaded module rlm_soh

Loading module «soh» from file /etc/freeradius/mods-enabled/soh

soh {
dhcp = yes
}

Loaded module rlm_chap

Loading module «chap» from file /etc/freeradius/mods-enabled/chap

Loading module «exec» from file /etc/freeradius/mods-enabled/exec

exec {
wait = no
input_pairs = «request»
shell_escape = yes
timeout = 10
}

Loading module «radutmp» from file /etc/freeradius/mods-enabled/radutmp

radutmp {
filename = «/var/log/freeradius/radutmp»
username = «%{User-Name}»
case_sensitive = yes
check_with_nas = yes
permissions = 384
caller_id = yes
}

Loaded module rlm_expr

Loading module «expr» from file /etc/freeradius/mods-enabled/expr

expr {
safe_characters = «@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ»
}

Loaded module rlm_digest

Loading module «digest» from file /etc/freeradius/mods-enabled/digest

instantiate {
}

Instantiating module «cache_eap» from file /etc/freeradius/mods-enabled/cache_eap

rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked

Instantiating module «ldap» from file /etc/freeradius/mods-enabled/ldap

rlm_ldap: libldap vendor: OpenLDAP, version: 20440
accounting {
reference = «%{tolower:type.%{Acct-Status-Type}}»
}
post-auth {
reference = «.»
}
rlm_ldap (ldap): Initialising connection pool
pool {
start = 5
min = 3
max = 32
spare = 10
uses = 0
lifetime = 0
cleanup_interval = 30
idle_timeout = 60
retry_delay = 30
spread = no
}
rlm_ldap (ldap): Opening additional connection (0), 1 of 32 pending slots used
rlm_ldap (ldap): Connecting to ldaps://hades.xx.local.cz:636
rlm_ldap (ldap): Waiting for bind result…
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Opening additional connection (1), 1 of 31 pending slots used
rlm_ldap (ldap): Connecting to ldaps://hades.xx.local.cz:636
rlm_ldap (ldap): Waiting for bind result…
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Opening additional connection (2), 1 of 30 pending slots used
rlm_ldap (ldap): Connecting to ldaps://hades.xx.local.cz:636
rlm_ldap (ldap): Waiting for bind result…
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Opening additional connection (3), 1 of 29 pending slots used
rlm_ldap (ldap): Connecting to ldaps://hades.xx.local.cz:636
rlm_ldap (ldap): Waiting for bind result…
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Opening additional connection (4), 1 of 28 pending slots used
rlm_ldap (ldap): Connecting to ldaps://hades.xx.local.cz:636
rlm_ldap (ldap): Waiting for bind result…
rlm_ldap (ldap): Bind successful

Instantiating module «detail» from file /etc/freeradius/mods-enabled/detail

Instantiating module «logintime» from file /etc/freeradius/mods-enabled/logintime

Instantiating module «mschap» from file /etc/freeradius/mods-enabled/mschap

rlm_mschap (mschap): using internal authentication

Instantiating module «files» from file /etc/freeradius/mods-enabled/files

reading pairlist file /etc/freeradius/mods-config/files/authorize
reading pairlist file /etc/freeradius/mods-config/files/accounting
reading pairlist file /etc/freeradius/mods-config/files/pre-proxy

Instantiating module «etc_passwd» from file /etc/freeradius/mods-enabled/passwd

rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no

Instantiating module «eap» from file /etc/freeradius/mods-enabled/eap

Linked to sub-module rlm_eap_md5

Linked to sub-module rlm_eap_leap

Linked to sub-module rlm_eap_gtc

gtc {
challenge = «Password: «
auth_type = «PAP»
}

Linked to sub-module rlm_eap_tls

tls {
tls = «tls-common»
}
tls-config tls-common {
verify_depth = 0
ca_path = «/etc/freeradius/certs»
pem_file_type = yes
private_key_file = «/etc/freeradius/certs/radius2.civ.cvut.cz.pem.key»
certificate_file = «/etc/freeradius/certs/radius2.civ.cvut.cz.pem.crt»
dh_file = «/etc/freeradius/certs/dh»
fragment_size = 1024
include_length = yes
auto_chain = yes
check_crl = no
check_all_crl = no
cipher_list = «DEFAULT»
ecdh_curve = «prime256v1»
cache {
enable = yes
lifetime = 24
max_entries = 255
}
verify {
skip_if_ocsp_ok = no
}
ocsp {
enable = no
override_cert_url = yes
url = «http://127.0.0.1/ocsp/»
use_nonce = yes
timeout = 0
softfail = no
}
}

Linked to sub-module rlm_eap_ttls

ttls {
tls = «tls-common»
default_eap_type = «md5»
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = «inner-tunnel»
include_length = yes
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation

Linked to sub-module rlm_eap_peap

peap {
tls = «tls-common»
default_eap_type = «mschapv2»
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = «inner-tunnel»
soh = no
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation

Linked to sub-module rlm_eap_mschapv2

mschapv2 {
with_ntdomain_hack = no
send_error = no
}

Instantiating module «attr_filter.post-proxy» from file /etc/freeradius/mods-enabled/attr_filter

reading pairlist file /etc/freeradius/mods-config/attr_filter/post-proxy

Instantiating module «attr_filter.pre-proxy» from file /etc/freeradius/mods-enabled/attr_filter

reading pairlist file /etc/freeradius/mods-config/attr_filter/pre-proxy

Instantiating module «attr_filter.access_reject» from file /etc/freeradius/mods-enabled/attr_filter

reading pairlist file /etc/freeradius/mods-config/attr_filter/access_reject
[/etc/freeradius/mods-config/attr_filter/access_reject]:11 Check item «FreeRADIUS-Response-Delay» found in filter list for realm «DEFAULT».
[/etc/freeradius/mods-config/attr_filter/access_reject]:11 Check item «FreeRADIUS-Response-Delay-USec» found in filter list for realm «DEFAULT».

Instantiating module «attr_filter.access_challenge» from file /etc/freeradius/mods-enabled/attr_filter

reading pairlist file /etc/freeradius/mods-config/attr_filter/access_challenge

Instantiating module «attr_filter.accounting_response» from file /etc/freeradius/mods-enabled/attr_filter

reading pairlist file /etc/freeradius/mods-config/attr_filter/accounting_response

Instantiating module «reject» from file /etc/freeradius/mods-enabled/always

Instantiating module «fail» from file /etc/freeradius/mods-enabled/always

Instantiating module «ok» from file /etc/freeradius/mods-enabled/always

Instantiating module «handled» from file /etc/freeradius/mods-enabled/always

Instantiating module «invalid» from file /etc/freeradius/mods-enabled/always

Instantiating module «userlock» from file /etc/freeradius/mods-enabled/always

Instantiating module «notfound» from file /etc/freeradius/mods-enabled/always

Instantiating module «noop» from file /etc/freeradius/mods-enabled/always

Instantiating module «updated» from file /etc/freeradius/mods-enabled/always

Instantiating module «preprocess» from file /etc/freeradius/mods-enabled/preprocess

reading pairlist file /etc/freeradius/mods-config/preprocess/huntgroups
reading pairlist file /etc/freeradius/mods-config/preprocess/hints

Instantiating module «expiration» from file /etc/freeradius/mods-enabled/expiration

Instantiating module «linelog» from file /etc/freeradius/mods-enabled/linelog

Instantiating module «log_accounting» from file /etc/freeradius/mods-enabled/linelog

Instantiating module «auth_log» from file /etc/freeradius/mods-enabled/detail.log

rlm_detail (auth_log): ‘User-Password’ suppressed, will not appear in detail output

Instantiating module «reply_log» from file /etc/freeradius/mods-enabled/detail.log

Instantiating module «pre_proxy_log» from file /etc/freeradius/mods-enabled/detail.log

Instantiating module «post_proxy_log» from file /etc/freeradius/mods-enabled/detail.log

Instantiating module «pap» from file /etc/freeradius/mods-enabled/pap

Instantiating module «IPASS» from file /etc/freeradius/mods-enabled/realm

Instantiating module «suffix» from file /etc/freeradius/mods-enabled/realm

Instantiating module «realmpercent» from file /etc/freeradius/mods-enabled/realm

Instantiating module «ntdomain» from file /etc/freeradius/mods-enabled/realm

} # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/freeradius/radiusd.conf
} # server
server default { # from file /etc/freeradius/sites-enabled/default

Loading authenticate {…}

Loading authorize {…}

Ignoring «sql» (see raddb/mods-available/README.rst)

Loading preacct {…}

Loading accounting {…}

Loading post-proxy {…}

Loading post-auth {…}

} # server default
server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel

Loading authenticate {…}

Loading authorize {…}

Loading session {…}

Loading post-proxy {…}

Loading post-auth {…}

} # server inner-tunnel
radiusd: #### Opening IP addresses and Ports ####
listen {
type = «auth»
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = «acct»
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = «auth»
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = «acct»
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = «auth»
ipaddr = 127.0.0.1
port = 18120
}
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on proxy address * port 40231
Listening on proxy address :: port 53502
Ready to process requests

(155) Received Access-Request Id 66 from 10.31.140.199:37208 to 10.31.235.128:1812 length 219
(155) User-Name = «ivancpet@cvut.cz»
(155) Acct-Multi-Session-Id = «Octopus 48:51:B7:6E:98:DA 0x2084d»
(155) Acct-Session-Id = «Octopus 48:51:B7:6E:98:DA 0xdbb4b»
(155) NAS-IP-Address = 10.31.140.199
(155) NAS-Port-Type = Wireless-802.11
(155) NAS-Port = 88
(155) Called-Station-Id = «00-13-A6-24-FC-C1:eduroam»
(155) Calling-Station-Id = «48-51-B7-6E-98-DA»
(155) Framed-MTU = 1400
(155) EAP-Message = 0x02000015016976616e6370657440637675742e637a
(155) Message-Authenticator = 0x30626bf185ad61fa6148eaa15c093783
(155) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(155) authorize {
(155) policy filter_username {
(155) if (&User-Name) {
(155) if (&User-Name) -> TRUE
(155) if (&User-Name) {
(155) if (&User-Name =~ / /) {
(155) if (&User-Name =~ / /) -> FALSE
(155) if (&User-Name =~ /@[^@]@/ ) {
(155) if (&User-Name =~ /@[^@]@/ ) -> FALSE
(155) if (&User-Name =~ /../ ) {
(155) if (&User-Name =~ /../ ) -> FALSE
(155) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+).(.+)$/)) {
(155) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+).(.+)$/)) -> FALSE
(155) if (&User-Name =~ /.$/) {
(155) if (&User-Name =~ /.$/) -> FALSE
(155) if (&User-Name =~ /@./) {
(155) if (&User-Name =~ /@./) -> FALSE
(155) } # if (&User-Name) = notfound
(155) } # policy filter_username = notfound
(155) [preprocess] = ok
(155) [chap] = noop
(155) [mschap] = noop
(155) [digest] = noop
(155) suffix: Checking for suffix after «@»
(155) suffix: Looking up realm «cvut.cz» for User-Name = «ivancpet@cvut.cz»
(155) suffix: Found realm «cvut.cz»
(155) suffix: Adding Stripped-User-Name = «ivancpet»
(155) suffix: Adding Realm = «cvut.cz»
(155) suffix: Authentication realm is LOCAL
(155) [suffix] = ok
(155) eap: Peer sent EAP Response (code 2) ID 0 length 21
(155) eap: EAP-Identity reply, returning ‘ok’ so we can short-circuit the rest of authorize
(155) [eap] = ok
(155) } # authorize = ok
(155) Found Auth-Type = eap
(155) # Executing group from file /etc/freeradius/sites-enabled/default
(155) authenticate {
(155) eap: Peer sent packet with method EAP Identity (1)
(155) eap: Calling submodule eap_md5 to process data
(155) eap_md5: Issuing MD5 Challenge
(155) eap: Sending EAP Request (code 1) ID 1 length 22
(155) eap: EAP session adding &reply:State = 0xe2275d04e2265953
(155) [eap] = handled
(155) } # authenticate = handled
(155) Using Post-Auth-Type Challenge
(155) Post-Auth-Type sub-section not found. Ignoring.
(155) # Executing group from file /etc/freeradius/sites-enabled/default
(155) Sent Access-Challenge Id 66 from 10.31.235.128:1812 to 10.31.140.199:37208 length 0
(155) EAP-Message = 0x0101001604101eeb532e4e163e36d6a2a492ebbb4cab
(155) Message-Authenticator = 0x00000000000000000000000000000000
(155) State = 0xe2275d04e2265953c0b9cfa459a01fd0
(155) Finished request
Waking up in 1.5 seconds.
(156) Received Access-Request Id 67 from 10.31.140.199:37208 to 10.31.235.128:1812 length 222
(156) User-Name = «ivancpet@cvut.cz»
(156) Acct-Multi-Session-Id = «Octopus 48:51:B7:6E:98:DA 0x2084d»
(156) Acct-Session-Id = «Octopus 48:51:B7:6E:98:DA 0xdbb4b»
(156) NAS-IP-Address = 10.31.140.199
(156) NAS-Port-Type = Wireless-802.11
(156) NAS-Port = 88
(156) Called-Station-Id = «00-13-A6-24-FC-C1:eduroam»
(156) Calling-Station-Id = «48-51-B7-6E-98-DA»
(156) Framed-MTU = 1400
(156) EAP-Message = 0x020100060319
(156) Message-Authenticator = 0xc689d2b3fba5bb21b78f965da7b68b11
(156) State = 0xe2275d04e2265953c0b9cfa459a01fd0
(156) session-state: No cached attributes
(156) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(156) authorize {
(156) policy filter_username {
(156) if (&User-Name) {
(156) if (&User-Name) -> TRUE
(156) if (&User-Name) {
(156) if (&User-Name =~ / /) {
(156) if (&User-Name =~ / /) -> FALSE
(156) if (&User-Name =~ /@[^@]@/ ) {
(156) if (&User-Name =~ /@[^@]@/ ) -> FALSE
(156) if (&User-Name =~ /../ ) {
(156) if (&User-Name =~ /../ ) -> FALSE
(156) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+).(.+)$/)) {
(156) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+).(.+)$/)) -> FALSE
(156) if (&User-Name =~ /.$/) {
(156) if (&User-Name =~ /.$/) -> FALSE
(156) if (&User-Name =~ /@./) {
(156) if (&User-Name =~ /@./) -> FALSE
(156) } # if (&User-Name) = notfound
(156) } # policy filter_username = notfound
(156) [preprocess] = ok
(156) [chap] = noop
(156) [mschap] = noop
(156) [digest] = noop
(156) suffix: Checking for suffix after «@»
(156) suffix: Looking up realm «cvut.cz» for User-Name = «ivancpet@cvut.cz»
(156) suffix: Found realm «cvut.cz»
(156) suffix: Adding Stripped-User-Name = «ivancpet»
(156) suffix: Adding Realm = «cvut.cz»
(156) suffix: Authentication realm is LOCAL
(156) [suffix] = ok
(156) eap: Peer sent EAP Response (code 2) ID 1 length 6
(156) eap: No EAP Start, assuming it’s an on-going EAP conversation
(156) [eap] = updated
(156) [files] = noop
rlm_ldap (ldap): Reserved connection (3)
(156) ldap: EXPAND (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})
(156) ldap: —> (sAMAccountName=ivancpet)
(156) ldap: Performing search in «OU=test,DC=xx,DC=local,DC=cz» with filter «(sAMAccountName=ivancpet)», scope «sub»
(156) ldap: Waiting for search result…
(156) ldap: User object found at DN «CN=ivancpet,OU=I,OU=test,DC=xx,DC=local,DC=cz»
(156) ldap: Processing user attributes
(156) ldap: control:Cleartext-Password := ‘netapp12’
rlm_ldap (ldap): Released connection (3)
rlm_ldap (ldap): Need 1 more connections to reach 10 spares
rlm_ldap (ldap): Opening additional connection (9), 1 of 23 pending slots used
rlm_ldap (ldap): Connecting to ldaps://hades.xx.local.cz:636
rlm_ldap (ldap): Waiting for bind result…
rlm_ldap (ldap): Bind successful
(156) [ldap] = updated
(156) [expiration] = noop
(156) [logintime] = noop
(156) pap: WARNING: Auth-Type already set. Not setting to PAP
(156) [pap] = noop
(156) } # authorize = updated
(156) Found Auth-Type = eap
(156) # Executing group from file /etc/freeradius/sites-enabled/default
(156) authenticate {
(156) eap: Expiring EAP session with state 0xdb38e7e4d83cfe50
(156) eap: Finished EAP session with state 0xe2275d04e2265953
(156) eap: Previous EAP request found for state 0xe2275d04e2265953, released from the list
(156) eap: Peer sent packet with method EAP NAK (3)
(156) eap: Found mutually acceptable type PEAP (25)
(156) eap: Calling submodule eap_peap to process data
(156) eap_peap: Initiating new EAP-TLS session
(156) eap_peap: [eaptls start] = request
(156) eap: Sending EAP Request (code 1) ID 2 length 6
(156) eap: EAP session adding &reply:State = 0xe2275d04e3254453
(156) [eap] = handled
(156) } # authenticate = handled
(156) Using Post-Auth-Type Challenge
(156) Post-Auth-Type sub-section not found. Ignoring.
(156) # Executing group from file /etc/freeradius/sites-enabled/default
(156) Sent Access-Challenge Id 67 from 10.31.235.128:1812 to 10.31.140.199:37208 length 0
(156) EAP-Message = 0x010200061920
(156) Message-Authenticator = 0x00000000000000000000000000000000
(156) State = 0xe2275d04e3254453c0b9cfa459a01fd0
(156) Finished request
Waking up in 1.4 seconds.
(157) Received Access-Request Id 68 from 10.31.140.199:37208 to 10.31.235.128:1812 length 398
(157) User-Name = «ivancpet@cvut.cz»
(157) Acct-Multi-Session-Id = «Octopus 48:51:B7:6E:98:DA 0x2084d»
(157) Acct-Session-Id = «Octopus 48:51:B7:6E:98:DA 0xdbb4b»
(157) NAS-IP-Address = 10.31.140.199
(157) NAS-Port-Type = Wireless-802.11
(157) NAS-Port = 88
(157) Called-Station-Id = «00-13-A6-24-FC-C1:eduroam»
(157) Calling-Station-Id = «48-51-B7-6E-98-DA»
(157) Framed-MTU = 1400
(157) EAP-Message = 0x020200b61980000000ac16030300a7010000a303035811f6573e148116ccc52f888f490df5fa6686a3b19e19d659ee5ce70f42a18200003cc02cc02bc030c02f009f009ec024c023c028c027c00ac009c014c01300390033009d009c003d003c0035002f000a006a004000380032001300050004010000
(157) Message-Authenticator = 0xe36a22e4de33a65760293836986626ca
(157) State = 0xe2275d04e3254453c0b9cfa459a01fd0
(157) session-state: No cached attributes
(157) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(157) authorize {
(157) policy filter_username {
(157) if (&User-Name) {
(157) if (&User-Name) -> TRUE
(157) if (&User-Name) {
(157) if (&User-Name =~ / /) {
(157) if (&User-Name =~ / /) -> FALSE
(157) if (&User-Name =~ /@[^@]@/ ) {
(157) if (&User-Name =~ /@[^@]@/ ) -> FALSE
(157) if (&User-Name =~ /../ ) {
(157) if (&User-Name =~ /../ ) -> FALSE
(157) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+).(.+)$/)) {
(157) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+).(.+)$/)) -> FALSE
(157) if (&User-Name =~ /.$/) {
(157) if (&User-Name =~ /.$/) -> FALSE
(157) if (&User-Name =~ /@./) {
(157) if (&User-Name =~ /@./) -> FALSE
(157) } # if (&User-Name) = notfound
(157) } # policy filter_username = notfound
(157) [preprocess] = ok
(157) [chap] = noop
(157) [mschap] = noop
(157) [digest] = noop
(157) suffix: Checking for suffix after «@»
(157) suffix: Looking up realm «cvut.cz» for User-Name = «ivancpet@cvut.cz»
(157) suffix: Found realm «cvut.cz»
(157) suffix: Adding Stripped-User-Name = «ivancpet»
(157) suffix: Adding Realm = «cvut.cz»
(157) suffix: Authentication realm is LOCAL
(157) [suffix] = ok
(157) eap: Peer sent EAP Response (code 2) ID 2 length 182
(157) eap: Continuing tunnel setup
(157) [eap] = ok
(157) } # authorize = ok
(157) Found Auth-Type = eap
(157) # Executing group from file /etc/freeradius/sites-enabled/default
(157) authenticate {
(157) eap: Expiring EAP session with state 0xdb38e7e4d83cfe50
(157) eap: Finished EAP session with state 0xe2275d04e3254453
(157) eap: Previous EAP request found for state 0xe2275d04e3254453, released from the list
(157) eap: Peer sent packet with method EAP PEAP (25)
(157) eap: Calling submodule eap_peap to process data
(157) eap_peap: Continuing EAP-TLS
(157) eap_peap: Peer indicated complete TLS record size will be 172 bytes
(157) eap_peap: Got complete TLS record (172 bytes)
(157) eap_peap: [eaptls verify] = length included
(157) eap_peap: (other): before/accept initialization
(157) eap_peap: TLS_accept: before/accept initialization
(157) eap_peap: <<< recv TLS 1.2 length 00a7 eap_peap: TLS_accept: unknown state
(157) eap_peap: >>> send TLS 1.2 length 0059 eap_peap: TLS_accept: unknown state
(157) eap_peap: >>> send TLS 1.2 length 0577 eap_peap: TLS_accept: unknown state
(157) eap_peap: >>> send TLS 1.2 length 014d eap_peap: TLS_accept: unknown state
(157) eap_peap: >>> send TLS 1.2 length 0004 eap_peap: TLS_accept: unknown state
(157) eap_peap: TLS_accept: unknown state
(157) eap_peap: TLS_accept: Need to read more data: unknown state
(157) eap_peap: TLS_accept: Need to read more data: unknown state
(157) eap_peap: In SSL Handshake Phase
(157) eap_peap: In SSL Accept mode
(157) eap_peap: [eaptls process] = handled
(157) eap: Sending EAP Request (code 1) ID 3 length 1004
(157) eap: EAP session adding &reply:State = 0xe2275d04e0244453
(157) [eap] = handled
(157) } # authenticate = handled
(157) Using Post-Auth-Type Challenge
(157) Post-Auth-Type sub-section not found. Ignoring.
(157) # Executing group from file /etc/freeradius/sites-enabled/default
(157) Sent Access-Challenge Id 68 from 10.31.235.128:1812 to 10.31.140.199:37208 length 0
(157) EAP-Message = 0x010303ec19c00000073516030300590200005503039d241a3e03111d56e75bd5dc42b1afbc187e454eec8a0f3978dcab5c0e56488f20a76d2d024af5aaf57c6fd1184df22dd20c053afbff976913a3925081ddc054c4c03000000dff01000100000b00040300010216030305770b00057300057000056d
(157) Message-Authenticator = 0x00000000000000000000000000000000
(157) State = 0xe2275d04e0244453c0b9cfa459a01fd0
(157) Finished request
Waking up in 1.4 seconds.
(158) Received Access-Request Id 69 from 10.31.140.199:37208 to 10.31.235.128:1812 length 222
(158) User-Name = «ivancpet@cvut.cz»
(158) Acct-Multi-Session-Id = «Octopus 48:51:B7:6E:98:DA 0x2084d»
(158) Acct-Session-Id = «Octopus 48:51:B7:6E:98:DA 0xdbb4b»
(158) NAS-IP-Address = 10.31.140.199
(158) NAS-Port-Type = Wireless-802.11
(158) NAS-Port = 88
(158) Called-Station-Id = «00-13-A6-24-FC-C1:eduroam»
(158) Calling-Station-Id = «48-51-B7-6E-98-DA»
(158) Framed-MTU = 1400
(158) EAP-Message = 0x020300061900
(158) Message-Authenticator = 0x269beca41401ed021a1820763c70b6ca
(158) State = 0xe2275d04e0244453c0b9cfa459a01fd0
(158) session-state: No cached attributes
(158) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(158) authorize {
(158) policy filter_username {
(158) if (&User-Name) {
(158) if (&User-Name) -> TRUE
(158) if (&User-Name) {
(158) if (&User-Name =~ / /) {
(158) if (&User-Name =~ / /) -> FALSE
(158) if (&User-Name =~ /@[^@]@/ ) {
(158) if (&User-Name =~ /@[^@]@/ ) -> FALSE
(158) if (&User-Name =~ /../ ) {
(158) if (&User-Name =~ /../ ) -> FALSE
(158) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+).(.+)$/)) {
(158) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+).(.+)$/)) -> FALSE
(158) if (&User-Name =~ /.$/) {
(158) if (&User-Name =~ /.$/) -> FALSE
(158) if (&User-Name =~ /@./) {
(158) if (&User-Name =~ /@./) -> FALSE
(158) } # if (&User-Name) = notfound
(158) } # policy filter_username = notfound
(158) [preprocess] = ok
(158) [chap] = noop
(158) [mschap] = noop
(158) [digest] = noop
(158) suffix: Checking for suffix after «@»
(158) suffix: Looking up realm «cvut.cz» for User-Name = «ivancpet@cvut.cz»
(158) suffix: Found realm «cvut.cz»
(158) suffix: Adding Stripped-User-Name = «ivancpet»
(158) suffix: Adding Realm = «cvut.cz»
(158) suffix: Authentication realm is LOCAL
(158) [suffix] = ok
(158) eap: Peer sent EAP Response (code 2) ID 3 length 6
(158) eap: Continuing tunnel setup
(158) [eap] = ok
(158) } # authorize = ok
(158) Found Auth-Type = eap
(158) # Executing group from file /etc/freeradius/sites-enabled/default
(158) authenticate {
(158) eap: Expiring EAP session with state 0xdb38e7e4d83cfe50
(158) eap: Finished EAP session with state 0xe2275d04e0244453
(158) eap: Previous EAP request found for state 0xe2275d04e0244453, released from the list
(158) eap: Peer sent packet with method EAP PEAP (25)
(158) eap: Calling submodule eap_peap to process data
(158) eap_peap: Continuing EAP-TLS
(158) eap_peap: Peer ACKed our handshake fragment
(158) eap_peap: [eaptls verify] = request
(158) eap_peap: [eaptls process] = handled
(158) eap: Sending EAP Request (code 1) ID 4 length 857
(158) eap: EAP session adding &reply:State = 0xe2275d04e1234453
(158) [eap] = handled
(158) } # authenticate = handled
(158) Using Post-Auth-Type Challenge
(158) Post-Auth-Type sub-section not found. Ignoring.
(158) # Executing group from file /etc/freeradius/sites-enabled/default
(158) Sent Access-Challenge Id 69 from 10.31.235.128:1812 to 10.31.140.199:37208 length 0
(158) EAP-Message = 0x0104035919006572742e636f6d2f544552454e4153534c4341332e63726c304c0603551d2004453043303706096086480186fd6c0101302a302806082b06010505070201161c68747470733a2f2f7777772e64696769636572742e636f6d2f4350533008060667810c010202306e06082b060105050701
(158) Message-Authenticator = 0x00000000000000000000000000000000
(158) State = 0xe2275d04e1234453c0b9cfa459a01fd0
(158) Finished request
Waking up in 1.4 seconds.
(159) Received Access-Request Id 70 from 10.31.140.199:37208 to 10.31.235.128:1812 length 352
(159) User-Name = «ivancpet@cvut.cz»
(159) Acct-Multi-Session-Id = «Octopus 48:51:B7:6E:98:DA 0x2084d»
(159) Acct-Session-Id = «Octopus 48:51:B7:6E:98:DA 0xdbb4b»
(159) NAS-IP-Address = 10.31.140.199
(159) NAS-Port-Type = Wireless-802.11
(159) NAS-Port = 88
(159) Called-Station-Id = «00-13-A6-24-FC-C1:eduroam»
(159) Calling-Station-Id = «48-51-B7-6E-98-DA»
(159) Framed-MTU = 1400
(159) EAP-Message = 0x0204008819800000007e160303004610000042410410f2bf300dd7692c961d084c19f678399c9f18ce00c8efa4b359a38dbf502335b0e7608c118ebc0a25285d312ef2b12e75dbfd71364b63dccbe8b21b39ab6757140303000101160303002800000000000000009d44f31e02f70da2e3f5352cd479be
(159) Message-Authenticator = 0x0da22f2a1740a6f4c71440234bc5f233
(159) State = 0xe2275d04e1234453c0b9cfa459a01fd0
(159) session-state: No cached attributes
(159) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(159) authorize {
(159) policy filter_username {
(159) if (&User-Name) {
(159) if (&User-Name) -> TRUE
(159) if (&User-Name) {
(159) if (&User-Name =~ / /) {
(159) if (&User-Name =~ / /) -> FALSE
(159) if (&User-Name =~ /@[^@]@/ ) {
(159) if (&User-Name =~ /@[^@]@/ ) -> FALSE
(159) if (&User-Name =~ /../ ) {
(159) if (&User-Name =~ /../ ) -> FALSE
(159) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+).(.+)$/)) {
(159) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+).(.+)$/)) -> FALSE
(159) if (&User-Name =~ /.$/) {
(159) if (&User-Name =~ /.$/) -> FALSE
(159) if (&User-Name =~ /@./) {
(159) if (&User-Name =~ /@./) -> FALSE
(159) } # if (&User-Name) = notfound
(159) } # policy filter_username = notfound
(159) [preprocess] = ok
(159) [chap] = noop
(159) [mschap] = noop
(159) [digest] = noop
(159) suffix: Checking for suffix after «@»
(159) suffix: Looking up realm «cvut.cz» for User-Name = «ivancpet@cvut.cz»
(159) suffix: Found realm «cvut.cz»
(159) suffix: Adding Stripped-User-Name = «ivancpet»
(159) suffix: Adding Realm = «cvut.cz»
(159) suffix: Authentication realm is LOCAL
(159) [suffix] = ok
(159) eap: Peer sent EAP Response (code 2) ID 4 length 136
(159) eap: Continuing tunnel setup
(159) [eap] = ok
(159) } # authorize = ok
(159) Found Auth-Type = eap
(159) # Executing group from file /etc/freeradius/sites-enabled/default
(159) authenticate {
(159) eap: Expiring EAP session with state 0xdb38e7e4d83cfe50
(159) eap: Finished EAP session with state 0xe2275d04e1234453
(159) eap: Previous EAP request found for state 0xe2275d04e1234453, released from the list
(159) eap: Peer sent packet with method EAP PEAP (25)
(159) eap: Calling submodule eap_peap to process data
(159) eap_peap: Continuing EAP-TLS
(159) eap_peap: Peer indicated complete TLS record size will be 126 bytes
(159) eap_peap: Got complete TLS record (126 bytes)
(159) eap_peap: [eaptls verify] = length included
(159) eap_peap: <<< recv TLS 1.2 length 0046 eap_peap: TLS_accept: unknown state
(159) eap_peap: TLS_accept: unknown state
(159) eap_peap: <<< recv TLS 1.2 length 0001 eap_peap: <<< recv TLS 1.2 length 0010 eap_peap: TLS_accept: unknown state
(159) eap_peap: >>> send TLS 1.2 length 0001 eap_peap: TLS_accept: unknown state
(159) eap_peap: >>> send TLS 1.2 length 0010 eap_peap: TLS_accept: unknown state
(159) eap_peap: TLS_accept: unknown state
(159) eap_peap: (other): SSL negotiation finished successfully
(159) eap_peap: SSL Connection Established
(159) eap_peap: [eaptls process] = handled
(159) eap: Sending EAP Request (code 1) ID 5 length 57
(159) eap: EAP session adding &reply:State = 0xe2275d04e6224453
(159) [eap] = handled
(159) } # authenticate = handled
(159) Using Post-Auth-Type Challenge
(159) Post-Auth-Type sub-section not found. Ignoring.
(159) # Executing group from file /etc/freeradius/sites-enabled/default
(159) Sent Access-Challenge Id 70 from 10.31.235.128:1812 to 10.31.140.199:37208 length 0
(159) EAP-Message = 0x0105003919001403030001011603030028ff54c3eaf06ce1925cccd1e40b1c576fe8195b8fc5c0f378dbf976a7bd74fa48cdf093185ea69a3e
(159) Message-Authenticator = 0x00000000000000000000000000000000
(159) State = 0xe2275d04e6224453c0b9cfa459a01fd0
(159) Finished request
Waking up in 1.4 seconds.
(160) Received Access-Request Id 71 from 10.31.140.199:37208 to 10.31.235.128:1812 length 222
(160) User-Name = «ivancpet@cvut.cz»
(160) Acct-Multi-Session-Id = «Octopus 48:51:B7:6E:98:DA 0x2084d»
(160) Acct-Session-Id = «Octopus 48:51:B7:6E:98:DA 0xdbb4b»
(160) NAS-IP-Address = 10.31.140.199
(160) NAS-Port-Type = Wireless-802.11
(160) NAS-Port = 88
(160) Called-Station-Id = «00-13-A6-24-FC-C1:eduroam»
(160) Calling-Station-Id = «48-51-B7-6E-98-DA»
(160) Framed-MTU = 1400
(160) EAP-Message = 0x020500061900
(160) Message-Authenticator = 0x86719879090d29dd58b03e6280f5f2c4
(160) State = 0xe2275d04e6224453c0b9cfa459a01fd0
(160) session-state: No cached attributes
(160) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(160) authorize {
(160) policy filter_username {
(160) if (&User-Name) {
(160) if (&User-Name) -> TRUE
(160) if (&User-Name) {
(160) if (&User-Name =~ / /) {
(160) if (&User-Name =~ / /) -> FALSE
(160) if (&User-Name =~ /@[^@]*@/ ) {
(1

Mschap error ms chap2 response is incorrect

Tue May 11, 2021 10:59 am

Hi everyone, is mirkortik compatible to be a client of an external Radius server?

I just sing up with jumpcloud.com but cannot get mikrotik to athenticate to their radius server

I have my local radius server and have no issues connecting to it

tried to search on the internet but all the guides talk about the local server but not the cloud one

Re: external Radius server and mikrotik .

Tue May 11, 2021 11:11 am

What are you trying to use the radius client for? Hotspot, PPP, Local Auth etc?

Provide an /export (or at least /radius export and config of the service you want using it) so we can help.

Personally I connect all our mikrotiks to a ‘cloud hosted’ Radius server in a different country for ppp auth without issue. Most likely — it is a configuration issue on either your mikrotik or radius server.

Re: external Radius server and mikrotik .

Tue May 11, 2021 11:32 am

What are you trying to use the radius client for? Hotspot, PPP, Local Auth etc?

Provide an /export (or at least /radius export and config of the service you want using it) so we can help.

Personally I connect all our mikrotiks to a ‘cloud hosted’ Radius server in a different country for ppp auth without issue. Most likely — it is a configuration issue on either your mikrotik or radius server.

/radius
add address=18.182.131.248 secret=»sjsdfsdf$cEdfdsfgsdfsdltPGfsdfssdfdsfdsmsdfqfWr232wr3″
service=login,ipsec timeout=600ms

requests 1,2 — timeouts 1, 2 etc

I tried to use of of the testing tools on wondows and tested authentications of users and it works fine but how do I connect to that radius server via mikotik?

I have ikvev2 server but even for local authentication to mikrotik if that worked i would be happy

Looks like it’s a connectivity issue?? I disabled all the firewall rules and same issues

Re: external Radius server and mikrotik .

Tue May 11, 2021 1:32 pm

It works fine against FreeRADIUS.

It could be the RADIUS server does not support the required authentication methods — the JumpCloud documentation says «JumpCloud RaaS servers offer both EAP-TTLS/PAP and PEAP (MSCHAPv2) for authentication», it doesn’t indicate if it responds to requests with unsupported authentication methods or silently ignores them.

Since RouterOS v6.43 the login service uses MS-CHAPv2, note this is not the same as PEAP (more correctly PEAPv0/EAP-MSCHAPv2).

Re: external Radius server and mikrotik .

Wed May 12, 2021 12:38 am

are you using foxpass?

Re: external Radius server and mikrotik .

Wed May 12, 2021 5:36 am

are you using foxpass?

No I am using Radiator on a cloud hosted Dedicated Server in a different country from most of my routers.

You can run debug radius log to get the packets being sent and any received to really drill down into the problem (And do the same level on the cloud end) this way you can see if its even being received or if its an auth problem etc.

Re: external Radius server and mikrotik .

Wed May 12, 2021 10:02 am

600ms timeout ?
Perhaps as a test increase this slightly ?
I’m aware that 600ms is like eternity but still .

Apart from that, give JumpCall a call/mail and simply ask them ? «Do you guys reply to my radius-client with even if I would me making a invalid request?»
I mean, you have the shared-secret that is correct, I would assume the remote AAA-platform would reply with SOMETHING.

If you make requests with an invalid preshared key offcourse I can imagine the remote platform remains silent.

Also, perhaps try a simple pre-shared key, perhaps there is some bug in RouterOS with such a long key or chars used.

you are sure your IP is not passed by some CGNAT gateway on its way out ? Basically JumpCloud has your correct public IP ?

Re: external Radius server and mikrotik .

Wed May 12, 2021 11:23 am

Re: external Radius server and mikrotik .

Fri Jul 08, 2022 12:21 pm

/interface wireless security-profiles
add authentication-types=wpa2-eap mode=dynamic-keys name=EAP_AP
supplicant-identity=Mikrotik

You need to set EAP Method=passthrough
Just now test login to mikrotik AP using RADIUS from jumpcloud

What are you trying to use the radius client for? Hotspot, PPP, Local Auth etc?

Provide an /export (or at least /radius export and config of the service you want using it) so we can help.

Personally I connect all our mikrotiks to a ‘cloud hosted’ Radius server in a different country for ppp auth without issue. Most likely — it is a configuration issue on either your mikrotik or radius server.

/radius
add address=18.182.131.248 secret=»sjsdfsdf$cEdfdsfgsdfsdltPGfsdfssdfdsfdsmsdfqfWr232wr3″
service=login,ipsec timeout=600ms

requests 1,2 — timeouts 1, 2 etc

I tried to use of of the testing tools on wondows and tested authentications of users and it works fine but how do I connect to that radius server via mikotik?

I have ikvev2 server but even for local authentication to mikrotik if that worked i would be happy

Looks like it’s a connectivity issue?? I disabled all the firewall rules and same issues

Источник

mschap: ERROR: FAILED: No NT/LM-Password. Cannot perform authentication #1314

Not sure if we have a bug, but i tried to get an AD authentication about ldap more then 4 days. I read a lot of documentation and testet a lot of stuff.
i have the following:
If i try to login via «radtest -x test testpwd 127.0.0.1:18120 0 testing123» on the linux console, everything is working via ldap. If i try this over the 802.1X AccessPoint, it doesn’t work.
If i try the same with a defined user in users like «bob Cleartext-Password := «hello»» over the accessPoint, it works fine.
Anything goes wrong with the password if we i use peap:

via console with domain User over inner-tunnel:
(1) Received Access-Request Id 7 from 127.0.0.1:48026 to 127.0.0.1:18120 length 74
(1) User-Name = «test»
(1) User-Password = «password»
(1) NAS-IP-Address = 192.168.8.27
(1) NAS-Port = 0
(1) Message-Authenticator = 0xc7c247ef109fb66332c18aab75068b33
(1) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel-domain
(1) authorize <
(1) [files] = noop
(1) [mschap] = noop
(1) suffix: Checking for suffix after «@»
(1) suffix: No ‘@’ in User-Name = «test», looking up realm NULL
(1) suffix: No such realm «NULL»
(1) [suffix] = noop
(1) update control <
(1) Proxy-To-Realm := LOCAL
(1) > # update control = noop
(1) eap: No EAP-Message, not doing EAP
(1) [eap] = noop
(1) [expiration] = noop
(1) [logintime] = noop
rlm_ldap (ldap_domain): Reserved connection (0)
(1) ldap_domain: EXPAND (sAMAccountName=%<%:-%>)
(1) ldap_domain: —> (sAMAccountName=test)
(1) ldap_domain: Performing search in «cn=Users,dc=domain,dc=local» with filter «(sAMAccountName=test)», scope «sub»
(1) ldap_domain: Waiting for search result.
(1) ldap_domain: User object found at DN «CN=Test TEST,CN=Users,DC=domain,DC=local»
(1) ldap_domain: Processing user attributes
(1) ldap_domain: WARNING: No «known good» password added. Ensure the admin user has permission to read the password attribute
(1) ldap_domain: WARNING: PAP authentication will NOT work with Active Directory (if that is what you were trying to configure)
rlm_ldap (ldap_domain): Released connection (0)
rlm_ldap (ldap_domain): Need 5 more connections to reach 10 spares
rlm_ldap (ldap_domain): Opening additional connection (5), 1 of 27 pending slots used
rlm_ldap (ldap_domain): Connecting to ldap://dc.domain.local:389
rlm_ldap (ldap_domain): Waiting for bind result.
rlm_ldap (ldap_domain): Bind successful
(1) [ldap_domain] = ok
(1) if ((ok || updated) && User-Password) <
(1) if ((ok || updated) && User-Password) -> TRUE
(1) if ((ok || updated) && User-Password) <
(1) update <
(1) control:Auth-Type := LDAP
(1) > # update = noop
(1) > # if ((ok || updated) && User-Password) = noop
(1) [pap] = noop
(1) if (User-Password) <
(1) if (User-Password) -> TRUE
(1) if (User-Password) <
(1) update control <
(1) Auth-Type := LDAP
(1) > # update control = noop
(1) > # if (User-Password) = noop
(1) > # authorize = ok
(1) Found Auth-Type = LDAP
(1) # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel-domain
(1) Auth-Type LDAP <
rlm_ldap (ldap_domain): Reserved connection (1)
(1) ldap_domain: Login attempt by «test»
(1) ldap_domain: Using user DN from request «CN=Test TEST,CN=Users,DC=domain,DC=local»
(1) ldap_domain: Waiting for bind result.
(1) ldap_domain: Bind successful
(1) ldap_domain: Bind as user «CN=Test TEST,CN=Users,DC=domain,DC=local» was successful
rlm_ldap (ldap_domain): Released connection (1)
(1) [ldap_domain] = ok
(1) > # Auth-Type LDAP = ok
(1) Sent Access-Accept Id 7 from 127.0.0.1:18120 to 127.0.0.1:48026 length 0
(1) Finished request
Waking up in 0.3 seconds.
(0) Cleaning up request packet ID 130 with timestamp +4
Waking up in 4.6 seconds.
(1) Cleaning up request packet ID 7 with timestamp +9
Ready to process requests

via AccessPoint with domain User:
(2) Received Access-Request Id 42 from 192.168.2.250:3072 to 192.168.8.27:1812 length 178
(2) User-Name = «test»
(2) Service-Type = Framed-User
(2) NAS-IP-Address = 192.168.2.250
(2) NAS-Port = 10
(2) NAS-Port-Id = «10»
(2) Called-Station-Id = «0E-0B-6B-2F-12-67:domain 8021X»
(2) Calling-Station-Id = «B8-E8-56-41-2C-2A»
(2) Connect-Info = «CONNECT 54 Mbps 802.11g»
(2) NAS-Identifier = «AP-domain01»
(2) NAS-Port-Type = Wireless-802.11
(2) Framed-MTU = 1500
(2) EAP-Message = 0x020100090174657374
(2) Message-Authenticator = 0x83d8e6487c3977ae8116026c26702525
(2) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/domain
(2) authorize <
(2) [files] = noop
(2) [preprocess] = ok
(2) suffix: Checking for suffix after «@»
(2) suffix: No ‘@’ in User-Name = «test», looking up realm NULL
(2) suffix: No such realm «NULL»
(2) [suffix] = noop
(2) eap: Peer sent EAP Response (code 2) ID 1 length 9
(2) eap: EAP-Identity reply, returning ‘ok’ so we can short-circuit the rest of authorize
(2) [eap] = ok
(2) > # authorize = ok
(2) Found Auth-Type = EAP
(2) # Executing group from file /usr/local/etc/raddb/sites-enabled/domain
(2) authenticate <
(2) eap: Peer sent packet with method EAP Identity (1)
(2) eap: Calling submodule eap_peap to process data
(2) eap_peap: Initiating new EAP-TLS session
(2) eap_peap: [eaptls start] = request
(2) eap: Sending EAP Request (code 1) ID 2 length 6
(2) eap: EAP session adding &reply:State = 0x714e61bf714c78fd
(2) [eap] = handled
(2) > # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) Post-Auth-Type sub-section not found. Ignoring.
(2) Sent Access-Challenge Id 42 from 192.168.8.27:1812 to 192.168.2.250:3072 length 0
(2) EAP-Message = 0x010200061920
(2) Message-Authenticator = 0x00000000000000000000000000000000
(2) State = 0x714e61bf714c78fd13de40933f3a43c8
(2) Finished request
Waking up in 4.9 seconds.
(3) Received Access-Request Id 58 from 192.168.2.250:3072 to 192.168.8.27:1812 length 339
(3) User-Name = «test»
(3) Service-Type = Framed-User
(3) NAS-IP-Address = 192.168.2.250
(3) NAS-Port = 10
(3) NAS-Port-Id = «10»
(3) State = 0x714e61bf714c78fd13de40933f3a43c8
(3) Called-Station-Id = «0E-0B-6B-2F-12-67:domain 8021X»
(3) Calling-Station-Id = «B8-E8-56-41-2C-2A»
(3) Connect-Info = «CONNECT 54 Mbps 802.11g»
(3) NAS-Identifier = «AP-domain01»
(3) NAS-Port-Type = Wireless-802.11
(3) Framed-MTU = 1500
(3) EAP-Message = 0x0202009819800000008e160301008901000085030156162f87a13e4465c695b7754a35671de87e37f1c9c068c51ee0c258d39cc34f00004a00ffc024c023c00ac009c008c028c027c014c013c012c026c025c005c004c003c02ac029c00fc00ec00d006b0067003900330016003d003c0035002f000ac0
(3) Message-Authenticator = 0x1b3f4a72c416640c87d6f902d0effe2e
(3) session-state: No cached attributes
(3) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/domain
(3) authorize <
(3) [files] = noop
(3) [preprocess] = ok
(3) suffix: Checking for suffix after «@»
(3) suffix: No ‘@’ in User-Name = «test», looking up realm NULL
(3) suffix: No such realm «NULL»
(3) [suffix] = noop
(3) eap: Peer sent EAP Response (code 2) ID 2 length 152
(3) eap: Continuing tunnel setup
(3) [eap] = ok
(3) > # authorize = ok
(3) Found Auth-Type = EAP
(3) # Executing group from file /usr/local/etc/raddb/sites-enabled/domain
(3) authenticate <
(3) eap: Expiring EAP session with state 0x714e61bf714c78fd
(3) eap: Finished EAP session with state 0x714e61bf714c78fd
(3) eap: Previous EAP request found for state 0x714e61bf714c78fd, released from the list
(3) eap: Peer sent packet with method EAP PEAP (25)
(3) eap: Calling submodule eap_peap to process data
(3) eap_peap: Continuing EAP-TLS
(3) eap_peap: Peer indicated complete TLS record size will be 142 bytes
(3) eap_peap: Got complete TLS record (142 bytes)
(3) eap_peap: [eaptls verify] = length included
(3) eap_peap: (other): before/accept initialization
(3) eap_peap: TLS_accept: before/accept initialization
(3) eap_peap: >> TLS 1.0 Handshake [length 0039], ServerHello
(3) eap_peap: TLS_accept: SSLv3 write server hello A
(3) eap_peap: >>> TLS 1.0 Handshake [length 0964], Certificate
(3) eap_peap: TLS_accept: SSLv3 write certificate A
(3) eap_peap: >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange
(3) eap_peap: TLS_accept: SSLv3 write key exchange A
(3) eap_peap: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
(3) eap_peap: TLS_accept: SSLv3 write server done A
(3) eap_peap: TLS_accept: SSLv3 flush data
(3) eap_peap: TLS_accept: Need to read more data: SSLv3 read client certificate A
(3) eap_peap: TLS_accept: Need to read more data: SSLv3 read client certificate A
(3) eap_peap: In SSL Handshake Phase
(3) eap_peap: In SSL Accept mode
(3) eap_peap: [eaptls process] = handled
(3) eap: Sending EAP Request (code 1) ID 3 length 1004
(3) eap: EAP session adding &reply:State = 0x714e61bf704d78fd
(3) [eap] = handled
(3) > # authenticate = handled
(3) Using Post-Auth-Type Challenge
(3) Post-Auth-Type sub-section not found. Ignoring.
(3) Sent Access-Challenge Id 58 from 192.168.8.27:1812 to 192.168.2.250:3072 length 0
(3) EAP-Message = 0x010303ec19c000000b00160301003902000035030194873ddf6cee275a11fcde492d5ae2b8261f83dd50ed9063133a31be2e3d24b500c01400000dff01000100000b00040300010216030109640b00096000095d0005a7308205a33082048ba0030201020213720000003379461d9f383b20c900010000
(3) Message-Authenticator = 0x00000000000000000000000000000000
(3) State = 0x714e61bf704d78fd13de40933f3a43c8
(3) Finished request
Waking up in 4.9 seconds.
(4) Received Access-Request Id 46 from 192.168.2.250:3072 to 192.168.8.27:1812 length 193
(4) User-Name = «test»
(4) Service-Type = Framed-User
(4) NAS-IP-Address = 192.168.2.250
(4) NAS-Port = 10
(4) NAS-Port-Id = «10»
(4) State = 0x714e61bf704d78fd13de40933f3a43c8
(4) Called-Station-Id = «0E-0B-6B-2F-12-67:domain 8021X»
(4) Calling-Station-Id = «B8-E8-56-41-2C-2A»
(4) Connect-Info = «CONNECT 54 Mbps 802.11g»
(4) NAS-Identifier = «AP-domain01»
(4) NAS-Port-Type = Wireless-802.11
(4) Framed-MTU = 1500
(4) EAP-Message = 0x020300061900
(4) Message-Authenticator = 0xe7c2576faeb3228ae2d056b77bc6cce8
(4) session-state: No cached attributes
(4) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/domain
(4) authorize <
(4) [files] = noop
(4) [preprocess] = ok
(4) suffix: Checking for suffix after «@»
(4) suffix: No ‘@’ in User-Name = «test», looking up realm NULL
(4) suffix: No such realm «NULL»
(4) [suffix] = noop
(4) eap: Peer sent EAP Response (code 2) ID 3 length 6
(4) eap: Continuing tunnel setup
(4) [eap] = ok
(4) > # authorize = ok
(4) Found Auth-Type = EAP
(4) # Executing group from file /usr/local/etc/raddb/sites-enabled/domain
(4) authenticate <
(4) eap: Expiring EAP session with state 0x714e61bf704d78fd
(4) eap: Finished EAP session with state 0x714e61bf704d78fd
(4) eap: Previous EAP request found for state 0x714e61bf704d78fd, released from the list
(4) eap: Peer sent packet with method EAP PEAP (25)
(4) eap: Calling submodule eap_peap to process data
(4) eap_peap: Continuing EAP-TLS
(4) eap_peap: Peer ACKed our handshake fragment
(4) eap_peap: [eaptls verify] = request
(4) eap_peap: [eaptls process] = handled
(4) eap: Sending EAP Request (code 1) ID 4 length 1000
(4) eap: EAP session adding &reply:State = 0x714e61bf734a78fd
(4) [eap] = handled
(4) > # authenticate = handled
(4) Using Post-Auth-Type Challenge
(4) Post-Auth-Type sub-section not found. Ignoring.
(4) Sent Access-Challenge Id 46 from 192.168.8.27:1812 to 192.168.2.250:3072 length 0
(4) EAP-Message = 0x010403e81940b53081b206082b060105050730028681a56c6461703a2f2f2f434e3d6e656465636f253230476d624825323043412c434e3d4149412c434e3d5075626c69632532304b657925323053657276696365732c434e3d53657276696365732c434e3d436f6e66696775726174696f6e2c44433d
(4) Message-Authenticator = 0x00000000000000000000000000000000
(4) State = 0x714e61bf734a78fd13de40933f3a43c8
(4) Finished request
Waking up in 4.9 seconds.
(2) Cleaning up request packet ID 42 with timestamp +151
(3) Cleaning up request packet ID 58 with timestamp +151
(4) Cleaning up request packet ID 46 with timestamp +151
Ready to process requests
(5) Received Access-Request Id 216 from 192.168.2.250:3072 to 192.168.8.27:1812 length 193
(5) User-Name = «test»
(5) Service-Type = Framed-User
(5) NAS-IP-Address = 192.168.2.250
(5) NAS-Port = 10
(5) NAS-Port-Id = «10»
(5) State = 0x714e61bf734a78fd13de40933f3a43c8
(5) Called-Station-Id = «0E-0B-6B-2F-12-67:domain 8021X»
(5) Calling-Station-Id = «B8-E8-56-41-2C-2A»
(5) Connect-Info = «CONNECT 54 Mbps 802.11g»
(5) NAS-Identifier = «AP-domain01»
(5) NAS-Port-Type = Wireless-802.11
(5) Framed-MTU = 1500
(5) EAP-Message = 0x020400061900
(5) Message-Authenticator = 0xdf4b4a18dbd046ae4568ed5b900675ca
(5) session-state: No cached attributes
(5) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/domain
(5) authorize <
(5) [files] = noop
(5) [preprocess] = ok
(5) suffix: Checking for suffix after «@»
(5) suffix: No ‘@’ in User-Name = «test», looking up realm NULL
(5) suffix: No such realm «NULL»
(5) [suffix] = noop
(5) eap: Peer sent EAP Response (code 2) ID 4 length 6
(5) eap: Continuing tunnel setup
(5) [eap] = ok
(5) > # authorize = ok
(5) Found Auth-Type = EAP
(5) # Executing group from file /usr/local/etc/raddb/sites-enabled/domain
(5) authenticate <
(5) eap: Expiring EAP session with state 0x714e61bf734a78fd
(5) eap: Finished EAP session with state 0x714e61bf734a78fd
(5) eap: Previous EAP request found for state 0x714e61bf734a78fd, released from the list
(5) eap: Peer sent packet with method EAP PEAP (25)
(5) eap: Calling submodule eap_peap to process data
(5) eap_peap: Continuing EAP-TLS
(5) eap_peap: Peer ACKed our handshake fragment
(5) eap_peap: [eaptls verify] = request
(5) eap_peap: [eaptls process] = handled
(5) eap: Sending EAP Request (code 1) ID 5 length 834
(5) eap: EAP session adding &reply:State = 0x714e61bf724b78fd
(5) [eap] = handled
(5) > # authenticate = handled
(5) Using Post-Auth-Type Challenge
(5) Post-Auth-Type sub-section not found. Ignoring.
(5) Sent Access-Challenge Id 216 from 192.168.8.27:1812 to 192.168.2.250:3072 length 0
(5) EAP-Message = 0x01050342190068d99b627f3ca6561e6c1dcd0e8bb529b85d2515a36c2ba6f906ee9a223e619decfff2f24ef8674307735d591964d50ac988776a55970203010001a3819130818e301306092b060104018237140204061e0400430041300e0603551d0f0101ff040403020186300f0603551d130101ff04
(5) Message-Authenticator = 0x00000000000000000000000000000000
(5) State = 0x714e61bf724b78fd13de40933f3a43c8
(5) Finished request
Waking up in 4.9 seconds.
(6) Received Access-Request Id 228 from 192.168.2.250:3072 to 192.168.8.27:1812 length 331
(6) User-Name = «test»
(6) Service-Type = Framed-User
(6) NAS-IP-Address = 192.168.2.250
(6) NAS-Port = 10
(6) NAS-Port-Id = «10»
(6) State = 0x714e61bf724b78fd13de40933f3a43c8
(6) Called-Station-Id = «0E-0B-6B-2F-12-67:domain 8021X»
(6) Calling-Station-Id = «B8-E8-56-41-2C-2A»
(6) Connect-Info = «CONNECT 54 Mbps 802.11g»
(6) NAS-Identifier = «AP-domain01»
(6) NAS-Port-Type = Wireless-802.11
(6) Framed-MTU = 1500
(6) EAP-Message = 0x0205009019800000008616030100461000004241041ddb75e112e6a51620e1d90e79faf858ba440ee51859f6f36dbb3d61474b8fc891e7a246f576a1aef8372b95f81c96af01b2ba44e938f2dde2e5fa57032812201403010001011603010030680540b7b149e993c9f964d5e0a79cda35934c4c8e292f
(6) Message-Authenticator = 0x96295d1faa87d10973b6fe400102f545
(6) session-state: No cached attributes
(6) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/domain
(6) authorize <
(6) [files] = noop
(6) [preprocess] = ok
(6) suffix: Checking for suffix after «@»
(6) suffix: No ‘@’ in User-Name = «test», looking up realm NULL
(6) suffix: No such realm «NULL»
(6) [suffix] = noop
(6) eap: Peer sent EAP Response (code 2) ID 5 length 144
(6) eap: Continuing tunnel setup
(6) [eap] = ok
(6) > # authorize = ok
(6) Found Auth-Type = EAP
(6) # Executing group from file /usr/local/etc/raddb/sites-enabled/domain
(6) authenticate <
(6) eap: Expiring EAP session with state 0x714e61bf724b78fd
(6) eap: Finished EAP session with state 0x714e61bf724b78fd
(6) eap: Previous EAP request found for state 0x714e61bf724b78fd, released from the list
(6) eap: Peer sent packet with method EAP PEAP (25)
(6) eap: Calling submodule eap_peap to process data
(6) eap_peap: Continuing EAP-TLS
(6) eap_peap: Peer indicated complete TLS record size will be 134 bytes
(6) eap_peap: Got complete TLS record (134 bytes)
(6) eap_peap: [eaptls verify] = length included
(6) eap_peap: >> TLS 1.0 ChangeCipherSpec length 0001 eap_peap: TLS_accept: SSLv3 write change cipher spec A
(6) eap_peap: >>> TLS 1.0 Handshake [length 0010], Finished
(6) eap_peap: TLS_accept: SSLv3 write finished A
(6) eap_peap: TLS_accept: SSLv3 flush data
(6) eap_peap: (other): SSL negotiation finished successfully
(6) eap_peap: SSL Connection Established
(6) eap_peap: [eaptls process] = handled
(6) eap: Sending EAP Request (code 1) ID 6 length 65
(6) eap: EAP session adding &reply:State = 0x714e61bf754878fd
(6) [eap] = handled
(6) > # authenticate = handled
(6) Using Post-Auth-Type Challenge
(6) Post-Auth-Type sub-section not found. Ignoring.
(6) Sent Access-Challenge Id 228 from 192.168.8.27:1812 to 192.168.2.250:3072 length 0
(6) EAP-Message = 0x01060041190014030100010116030100301b8a91b9523361e58c472a6f4bedc223a3780b77e80492846d5f574cd2db238cdd236645e7e78ed7e706e2dd3aecd6a2
(6) Message-Authenticator = 0x00000000000000000000000000000000
(6) State = 0x714e61bf754878fd13de40933f3a43c8
(6) Finished request
Waking up in 4.8 seconds.
(7) Received Access-Request Id 77 from 192.168.2.250:3072 to 192.168.8.27:1812 length 193
(7) User-Name = «test»
(7) Service-Type = Framed-User
(7) NAS-IP-Address = 192.168.2.250
(7) NAS-Port = 10
(7) NAS-Port-Id = «10»
(7) State = 0x714e61bf754878fd13de40933f3a43c8
(7) Called-Station-Id = «0E-0B-6B-2F-12-67:domain 8021X»
(7) Calling-Station-Id = «B8-E8-56-41-2C-2A»
(7) Connect-Info = «CONNECT 54 Mbps 802.11g»
(7) NAS-Identifier = «AP-domain01»
(7) NAS-Port-Type = Wireless-802.11
(7) Framed-MTU = 1500
(7) EAP-Message = 0x020600061900
(7) Message-Authenticator = 0xaabe36b47f3a6a409dd2ec806970d983
(7) session-state: No cached attributes
(7) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/domain
(7) authorize <
(7) [files] = noop
(7) [preprocess] = ok
(7) suffix: Checking for suffix after «@»
(7) suffix: No ‘@’ in User-Name = «test», looking up realm NULL
(7) suffix: No such realm «NULL»
(7) [suffix] = noop
(7) eap: Peer sent EAP Response (code 2) ID 6 length 6
(7) eap: Continuing tunnel setup
(7) [eap] = ok
(7) > # authorize = ok
(7) Found Auth-Type = EAP
(7) # Executing group from file /usr/local/etc/raddb/sites-enabled/domain
(7) authenticate <
(7) eap: Expiring EAP session with state 0x714e61bf754878fd
(7) eap: Finished EAP session with state 0x714e61bf754878fd
(7) eap: Previous EAP request found for state 0x714e61bf754878fd, released from the list
(7) eap: Peer sent packet with method EAP PEAP (25)
(7) eap: Calling submodule eap_peap to process data
(7) eap_peap: Continuing EAP-TLS
(7) eap_peap: Peer ACKed our handshake fragment. handshake is finished
(7) eap_peap: [eaptls verify] = success
(7) eap_peap: [eaptls process] = success
(7) eap_peap: Session established. Decoding tunneled attributes
(7) eap_peap: PEAP state TUNNEL ESTABLISHED
(7) eap: Sending EAP Request (code 1) ID 7 length 43
(7) eap: EAP session adding &reply:State = 0x714e61bf744978fd
(7) [eap] = handled
(7) > # authenticate = handled
(7) Using Post-Auth-Type Challenge
(7) Post-Auth-Type sub-section not found. Ignoring.
(7) Sent Access-Challenge Id 77 from 192.168.8.27:1812 to 192.168.2.250:3072 length 0
(7) EAP-Message = 0x0107002b19001703010020a6135f04ae6dffd42c8ef419d75113ac720759219e31f74d4247b6b610e9a071
(7) Message-Authenticator = 0x00000000000000000000000000000000
(7) State = 0x714e61bf744978fd13de40933f3a43c8
(7) Finished request
Waking up in 4.8 seconds.
(8) Received Access-Request Id 86 from 192.168.2.250:3072 to 192.168.8.27:1812 length 230
(8) User-Name = «test»
(8) Service-Type = Framed-User
(8) NAS-IP-Address = 192.168.2.250
(8) NAS-Port = 10
(8) NAS-Port-Id = «10»
(8) State = 0x714e61bf744978fd13de40933f3a43c8
(8) Called-Station-Id = «0E-0B-6B-2F-12-67:domain 8021X»
(8) Calling-Station-Id = «B8-E8-56-41-2C-2A»
(8) Connect-Info = «CONNECT 54 Mbps 802.11g»
(8) NAS-Identifier = «AP-domain01»
(8) NAS-Port-Type = Wireless-802.11
(8) Framed-MTU = 1500
(8) EAP-Message = 0x0207002b19001703010020aa7e796b21bdc47f3c2b751c50ffbf8aaaafc3ad47a3a4a6dab850e706bf7227
(8) Message-Authenticator = 0xb0ef481a7beafe09a46383286750ead8
(8) session-state: No cached attributes
(8) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/domain
(8) authorize <
(8) [files] = noop
(8) [preprocess] = ok
(8) suffix: Checking for suffix after «@»
(8) suffix: No ‘@’ in User-Name = «test», looking up realm NULL
(8) suffix: No such realm «NULL»
(8) [suffix] = noop
(8) eap: Peer sent EAP Response (code 2) ID 7 length 43
(8) eap: Continuing tunnel setup
(8) [eap] = ok
(8) > # authorize = ok
(8) Found Auth-Type = EAP
(8) # Executing group from file /usr/local/etc/raddb/sites-enabled/domain
(8) authenticate <
(8) eap: Expiring EAP session with state 0x714e61bf744978fd
(8) eap: Finished EAP session with state 0x714e61bf744978fd
(8) eap: Previous EAP request found for state 0x714e61bf744978fd, released from the list
(8) eap: Peer sent packet with method EAP PEAP (25)
(8) eap: Calling submodule eap_peap to process data
(8) eap_peap: Continuing EAP-TLS
(8) eap_peap: [eaptls verify] = ok
(8) eap_peap: Done initial handshake
(8) eap_peap: [eaptls process] = ok
(8) eap_peap: Session established. Decoding tunneled attributes
(8) eap_peap: PEAP state WAITING FOR INNER IDENTITY
(8) eap_peap: Identity — test
(8) eap_peap: Got inner identity ‘test’
(8) eap_peap: Setting default EAP type for tunneled EAP session
(8) eap_peap: Got tunneled request
(8) eap_peap: EAP-Message = 0x020700090174657374
(8) eap_peap: Setting User-Name to test
(8) eap_peap: Sending tunneled request to inner-tunnel
(8) eap_peap: EAP-Message = 0x020700090174657374
(8) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(8) eap_peap: User-Name = «test»
(8) Virtual server inner-tunnel received request
(8) EAP-Message = 0x020700090174657374
(8) FreeRADIUS-Proxied-To = 127.0.0.1
(8) User-Name = «test»
(8) server inner-tunnel <
(8) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel-domain
(8) authorize <
(8) [files] = noop
(8) [mschap] = noop
(8) suffix: Checking for suffix after «@»
(8) suffix: No ‘@’ in User-Name = «test», looking up realm NULL
(8) suffix: No such realm «NULL»
(8) [suffix] = noop
(8) update control <
(8) Proxy-To-Realm := LOCAL
(8) > # update control = noop
(8) eap: Peer sent EAP Response (code 2) ID 7 length 9
(8) eap: EAP-Identity reply, returning ‘ok’ so we can short-circuit the rest of authorize
(8) [eap] = ok
(8) > # authorize = ok
(8) Found Auth-Type = EAP
(8) # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel-domain
(8) authenticate <
(8) eap: Peer sent packet with method EAP Identity (1)
(8) eap: Calling submodule eap_mschapv2 to process data
(8) eap_mschapv2: Issuing Challenge
(8) eap: Sending EAP Request (code 1) ID 8 length 43
(8) eap: EAP session adding &reply:State = 0xbd1845cebd105fc4
(8) [eap] = handled
(8) > # authenticate = handled
(8) > # server inner-tunnel
(8) Virtual server sending reply
(8) EAP-Message = 0x0108002b1a0108002610ba684a0833e561a9e780eedf9829518f667265657261646975732d332e302e3131
(8) Message-Authenticator = 0x00000000000000000000000000000000
(8) State = 0xbd1845cebd105fc4a22a1c51082d7ecf
(8) eap_peap: Got tunneled reply code 11
(8) eap_peap: EAP-Message = 0x0108002b1a0108002610ba684a0833e561a9e780eedf9829518f667265657261646975732d332e302e3131
(8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(8) eap_peap: State = 0xbd1845cebd105fc4a22a1c51082d7ecf
(8) eap_peap: Got tunneled reply RADIUS code 11
(8) eap_peap: EAP-Message = 0x0108002b1a0108002610ba684a0833e561a9e780eedf9829518f667265657261646975732d332e302e3131
(8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(8) eap_peap: State = 0xbd1845cebd105fc4a22a1c51082d7ecf
(8) eap_peap: Got tunneled Access-Challenge
(8) eap: Sending EAP Request (code 1) ID 8 length 75
(8) eap: EAP session adding &reply:State = 0x714e61bf774678fd
(8) [eap] = handled
(8) > # authenticate = handled
(8) Using Post-Auth-Type Challenge
(8) Post-Auth-Type sub-section not found. Ignoring.
(8) Sent Access-Challenge Id 86 from 192.168.8.27:1812 to 192.168.2.250:3072 length 0
(8) EAP-Message = 0x0108004b19001703010040c6831d9a1c5c30c64d40563c5fa21ee3cc103adbb4e99517563c9e67d781aefdd941ba0f19bc124976046e7471792eec1d4771c20abf67b78282a152634eed5e
(8) Message-Authenticator = 0x00000000000000000000000000000000
(8) State = 0x714e61bf774678fd13de40933f3a43c8
(8) Finished request
Waking up in 4.8 seconds.
(5) Cleaning up request packet ID 216 with timestamp +181
(6) Cleaning up request packet ID 228 with timestamp +181
(7) Cleaning up request packet ID 77 with timestamp +181
(8) Cleaning up request packet ID 86 with timestamp +181
Ready to process requests
(9) Received Access-Request Id 14 from 192.168.2.250:3072 to 192.168.8.27:1812 length 278
(9) User-Name = «test»
(9) Service-Type = Framed-User
(9) NAS-IP-Address = 192.168.2.250
(9) NAS-Port = 10
(9) NAS-Port-Id = «10»
(9) State = 0x714e61bf774678fd13de40933f3a43c8
(9) Called-Station-Id = «0E-0B-6B-2F-12-67:domain 8021X»
(9) Calling-Station-Id = «B8-E8-56-41-2C-2A»
(9) Connect-Info = «CONNECT 54 Mbps 802.11g»
(9) NAS-Identifier = «AP-domain01»
(9) NAS-Port-Type = Wireless-802.11
(9) Framed-MTU = 1500
(9) EAP-Message = 0x0208005b1900170301005041a588e579c1a63e94555d08bea2166f123e059dea3d7f8a17bcbfd8e4f4a54c876ceee7b33a4a101a4afd0dc078e77a3c8163b76b6c9e9567e6954214f5e1ec01cdafcd013db92c58ae136658519d20
(9) Message-Authenticator = 0xac0b3e273dede594c80988c13eaafd54
(9) session-state: No cached attributes
(9) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/domain
(9) authorize <
(9) [files] = noop
(9) [preprocess] = ok
(9) suffix: Checking for suffix after «@»
(9) suffix: No ‘@’ in User-Name = «test», looking up realm NULL
(9) suffix: No such realm «NULL»
(9) [suffix] = noop
(9) eap: Peer sent EAP Response (code 2) ID 8 length 91
(9) eap: Continuing tunnel setup
(9) [eap] = ok
(9) > # authorize = ok
(9) Found Auth-Type = EAP
(9) # Executing group from file /usr/local/etc/raddb/sites-enabled/domain
(9) authenticate <
(9) eap: Expiring EAP session with state 0xbd1845cebd105fc4
(9) eap: Finished EAP session with state 0x714e61bf774678fd
(9) eap: Previous EAP request found for state 0x714e61bf774678fd, released from the list
(9) eap: Peer sent packet with method EAP PEAP (25)
(9) eap: Calling submodule eap_peap to process data
(9) eap_peap: Continuing EAP-TLS
(9) eap_peap: [eaptls verify] = ok
(9) eap_peap: Done initial handshake
(9) eap_peap: [eaptls process] = ok
(9) eap_peap: Session established. Decoding tunneled attributes
(9) eap_peap: PEAP state phase2
(9) eap_peap: EAP method MSCHAPv2 (26)
(9) eap_peap: Got tunneled request
(9) eap_peap: EAP-Message = 0x0208003f1a0208003a316670e0343c5cde7c22158c2f3b1e05bd0000000000000000e36cbc3c625721798db23c5fc199979df656a52246010d310074657374
(9) eap_peap: Setting User-Name to test
(9) eap_peap: Sending tunneled request to inner-tunnel
(9) eap_peap: EAP-Message = 0x0208003f1a0208003a316670e0343c5cde7c22158c2f3b1e05bd0000000000000000e36cbc3c625721798db23c5fc199979df656a52246010d310074657374
(9) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(9) eap_peap: User-Name = «test»
(9) eap_peap: State = 0xbd1845cebd105fc4a22a1c51082d7ecf
(9) Virtual server inner-tunnel received request
(9) EAP-Message = 0x0208003f1a0208003a316670e0343c5cde7c22158c2f3b1e05bd0000000000000000e36cbc3c625721798db23c5fc199979df656a52246010d310074657374
(9) FreeRADIUS-Proxied-To = 127.0.0.1
(9) User-Name = «test»
(9) State = 0xbd1845cebd105fc4a22a1c51082d7ecf
(9) server inner-tunnel <
(9) session-state: No cached attributes
(9) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel-domain
(9) authorize <
(9) [files] = noop
(9) [mschap] = noop
(9) suffix: Checking for suffix after «@»
(9) suffix: No ‘@’ in User-Name = «test», looking up realm NULL
(9) suffix: No such realm «NULL»
(9) [suffix] = noop
(9) update control <
(9) Proxy-To-Realm := LOCAL
(9) > # update control = noop
(9) eap: Peer sent EAP Response (code 2) ID 8 length 63
(9) eap: No EAP Start, assuming it’s an on-going EAP conversation
(9) [eap] = updated
(9) [expiration] = noop
(9) [logintime] = noop
rlm_ldap (ldap_domain): Closing connection (2): Hit idle_timeout, was idle for 211 seconds
rlm_ldap (ldap_domain): Closing connection (3): Hit idle_timeout, was idle for 211 seconds
rlm_ldap (ldap_domain): Closing connection (4): Hit idle_timeout, was idle for 211 seconds
rlm_ldap (ldap_domain): Closing connection (0): Hit idle_timeout, was idle for 202 seconds
rlm_ldap (ldap_domain): You probably need to lower «min»
rlm_ldap (ldap_domain): Closing connection (5): Hit idle_timeout, was idle for 202 seconds
rlm_ldap (ldap_domain): You probably need to lower «min»
rlm_ldap (ldap_domain): Closing connection (1): Hit idle_timeout, was idle for 202 seconds
rlm_ldap (ldap_domain): You probably need to lower «min»
rlm_ldap (ldap_domain): 0 of 0 connections in use. You may need to increase «spare»
rlm_ldap (ldap_domain): Opening additional connection (6), 1 of 32 pending slots used
rlm_ldap (ldap_domain): Connecting to ldap://dc.domain.local:389
rlm_ldap (ldap_domain): Waiting for bind result.
rlm_ldap (ldap_domain): Bind successful
rlm_ldap (ldap_domain): Reserved connection (6)
(9) ldap_domain: EXPAND (sAMAccountName=%<%:-%>)
(9) ldap_domain: —> (sAMAccountName=test)
(9) ldap_domain: Performing search in «cn=Users,dc=domain,dc=local» with filter «(sAMAccountName=test)», scope «sub»
(9) ldap_domain: Waiting for search result.
(9) ldap_domain: User object found at DN «CN=Test TEST,CN=Users,DC=domain,DC=local»
(9) ldap_domain: Processing user attributes
(9) ldap_domain: WARNING: No «known good» password added. Ensure the admin user has permission to read the password attribute
(9) ldap_domain: WARNING: PAP authentication will NOT work with Active Directory (if that is what you were trying to configure)
rlm_ldap (ldap_domain): Released connection (6)
rlm_ldap (ldap_domain): Need 2 more connections to reach 10 spares
rlm_ldap (ldap_domain): Opening additional connection (7), 1 of 31 pending slots used
rlm_ldap (ldap_domain): Connecting to ldap://dc.domain.local:389
rlm_ldap (ldap_domain): Waiting for bind result.
rlm_ldap (ldap_domain): Bind successful
(9) [ldap_domain] = ok
(9) if ((ok || updated) && User-Password) <
(9) if ((ok || updated) && User-Password) -> FALSE
(9) [pap] = noop
(9) if (User-Password) <
(9) if (User-Password) -> FALSE
(9) > # authorize = updated
(9) Found Auth-Type = EAP
(9) # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel-domain
(9) authenticate <
(9) eap: Expiring EAP session with state 0xbd1845cebd105fc4
(9) eap: Finished EAP session with state 0xbd1845cebd105fc4
(9) eap: Previous EAP request found for state 0xbd1845cebd105fc4, released from the list
(9) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(9) eap: Calling submodule eap_mschapv2 to process data
(9) eap_mschapv2: # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel-domain
(9) eap_mschapv2: Auth-Type MS-CHAP <
(9) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password
(9) mschap: WARNING: No Cleartext-Password configured. Cannot create LM-Password
(9) mschap: Creating challenge hash with username: test
(9) mschap: Client is using MS-CHAPv2
(9) mschap: ERROR: FAILED: No NT/LM-Password. Cannot perform authentication
(9) mschap: ERROR: MS-CHAP2-Response is incorrect
(9) [mschap] = reject
(9) > # Auth-Type MS-CHAP = reject
(9) eap: Sending EAP Failure (code 4) ID 8 length 4
(9) eap: Freeing handler
(9) [eap] = reject
(9) > # authenticate = reject
(9) Failed to authenticate the user
(9) Using Post-Auth-Type Reject
(9) Post-Auth-Type sub-section not found. Ignoring.
(9) > # server inner-tunnel
(9) Virtual server sending reply
(9) MS-CHAP-Error = «10E=691 R=1 C=12a7b91273b8d4ea014f8d6353762c6f V=3 M=Authentication failed»
(9) EAP-Message = 0x04080004
(9) Message-Authenticator = 0x00000000000000000000000000000000
(9) eap_peap: Got tunneled reply code 3
(9) eap_peap: MS-CHAP-Error = «10E=691 R=1 C=12a7b91273b8d4ea014f8d6353762c6f V=3 M=Authentication failed»
(9) eap_peap: EAP-Message = 0x04080004
(9) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(9) eap_peap: Got tunneled reply RADIUS code 3
(9) eap_peap: MS-CHAP-Error = «10E=691 R=1 C=12a7b91273b8d4ea014f8d6353762c6f V=3 M=Authentication failed»
(9) eap_peap: EAP-Message = 0x04080004
(9) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(9) eap_peap: Tunneled authentication was rejected
(9) eap_peap: FAILURE
(9) eap: Sending EAP Request (code 1) ID 9 length 43
(9) eap: EAP session adding &reply:State = 0x714e61bf764778fd
(9) [eap] = handled
(9) > # authenticate = handled
(9) Using Post-Auth-Type Challenge
(9) Post-Auth-Type sub-section not found. Ignoring.
(9) Sent Access-Challenge Id 14 from 192.168.8.27:1812 to 192.168.2.250:3072 length 0
(9) EAP-Message = 0x0109002b19001703010020b8c28870cb31e457ad24447c2dad4915f836138d395b9e74200fe48a71906242
(9) Message-Authenticator = 0x00000000000000000000000000000000
(9) State = 0x714e61bf764778fd13de40933f3a43c8
(9) Finished request
Waking up in 4.9 seconds.
(10) Received Access-Request Id 10 from 192.168.2.250:3072 to 192.168.8.27:1812 length 230
(10) User-Name = «test»
(10) Service-Type = Framed-User
(10) NAS-IP-Address = 192.168.2.250
(10) NAS-Port = 10
(10) NAS-Port-Id = «10»
(10) State = 0x714e61bf764778fd13de40933f3a43c8
(10) Called-Station-Id = «0E-0B-6B-2F-12-67:domain 8021X»
(10) Calling-Station-Id = «B8-E8-56-41-2C-2A»
(10) Connect-Info = «CONNECT 54 Mbps 802.11g»
(10) NAS-Identifier = «AP-domain01»
(10) NAS-Port-Type = Wireless-802.11
(10) Framed-MTU = 1500
(10) EAP-Message = 0x0209002b190017030100209f64c67a9a32761683b0d21eb6f28bfb8a42fa0a50d6ef3dfbf3815d7511e4a1
(10) Message-Authenticator = 0x26f3267a7372bfa1b0f71a27ccba5c9f
(10) session-state: No cached attributes
(10) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/domain
(10) authorize <
(10) [files] = noop
(10) [preprocess] = ok
(10) suffix: Checking for suffix after «@»
(10) suffix: No ‘@’ in User-Name = «test», looking up realm NULL
(10) suffix: No such realm «NULL»
(10) [suffix] = noop
(10) eap: Peer sent EAP Response (code 2) ID 9 length 43
(10) eap: Continuing tunnel setup
(10) [eap] = ok
(10) > # authorize = ok
(10) Found Auth-Type = EAP
(10) # Executing group from file /usr/local/etc/raddb/sites-enabled/domain
(10) authenticate <
(10) eap: Expiring EAP session with state 0x714e61bf764778fd
(10) eap: Finished EAP session with state 0x714e61bf764778fd
(10) eap: Previous EAP request found for state 0x714e61bf764778fd, released from the list
(10) eap: Peer sent packet with method EAP PEAP (25)
(10) eap: Calling submodule eap_peap to process data
(10) eap_peap: Continuing EAP-TLS
(10) eap_peap: [eaptls verify] = ok
(10) eap_peap: Done initial handshake
(10) eap_peap: [eaptls process] = ok
(10) eap_peap: Session established. Decoding tunneled attributes
(10) eap_peap: PEAP state send tlv failure
(10) eap_peap: Received EAP-TLV response
(10) eap_peap: The users session was previously rejected: returning reject (again.)
(10) eap_peap: This means you need to read the PREVIOUS messages in the debug output
(10) eap_peap: to find out the reason why the user was rejected
(10) eap_peap: Look for «reject» or «fail». Those earlier messages will tell you
(10) eap_peap: what went wrong, and how to fix the problem
(10) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed
(10) eap: Sending EAP Failure (code 4) ID 9 length 4
(10) eap: Failed in EAP select
(10) [eap] = invalid
(10) > # authenticate = invalid
(10) Failed to authenticate the user
(10) Using Post-Auth-Type Reject
(10) Post-Auth-Type sub-section not found. Ignoring.
(10) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(10) Sending delayed response
(10) Sent Access-Reject Id 10 from 192.168.8.27:1812 to 192.168.2.250:3072 length 44
(10) EAP-Message = 0x04090004
(10) Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.
(9) Cleaning up request packet ID 14 with timestamp +211
(10) Cleaning up request packet ID 10 with timestamp +211
Ready to process requests

inner-tunnel site:
server inner-tunnel <

eap <
default_eap_type = peap
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = $
md5 <
>

the chap configuration:

chap <
# no configuration
>

the mschap configuration

mschap <
use_mppe = yes
require_encryption = yes
require_strong = yes
with_ntdomain_hack = yes
pool <
start = $min = $max = $spare = $uses = 0
retry_delay = 30
lifetime = 86400
cleanup_interval = 300
idle_timeout = 600
>

ldap ldap_domain <
server = ‘dc.domain.local’
port = 389
identity = ‘cn=Administrator,cn=Users,dc=domain,dc=local’
password = password
base_dn = ‘cn=Users,dc=domain,dc=local’

radius Version: radiusd: FreeRADIUS Version 3.0.11 (git #7a659a2), for host x86_64-unknown-linux-gnu, built on Oct 7 2015 at 15:23:07

with user bob over console:

(0) Received Access-Request Id 213 from 127.0.0.1:45282 to 127.0.0.1:18120 length 73
(0) User-Name = «bob»
(0) User-Password = «hello»
(0) NAS-IP-Address = 192.168.8.27
(0) NAS-Port = 0
(0) Message-Authenticator = 0xbed4902174d4f8ff5f36492af1ae51de
(0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel-domain
(0) authorize <
(0) files: users: Matched entry bob at line 69
(0) [files] = ok
(0) [mschap] = noop
(0) suffix: Checking for suffix after «@»
(0) suffix: No ‘@’ in User-Name = «bob», looking up realm NULL
(0) suffix: No such realm «NULL»
(0) [suffix] = noop
(0) update control <
(0) Proxy-To-Realm := LOCAL
(0) > # update control = noop
(0) eap: No EAP-Message, not doing EAP
(0) [eap] = noop
(0) [expiration] = noop
(0) [logintime] = noop
rlm_ldap (ldap_domain): Reserved connection (0)
(0) ldap_domain: EXPAND (sAMAccountName=%<%:-%>)
(0) ldap_domain: —> (sAMAccountName=bob)
(0) ldap_domain: Performing search in «cn=Users,dc=domain,dc=local» with filter «(sAMAccountName=bob)», scope «sub»
(0) ldap_domain: Waiting for search result.
(0) ldap_domain: Search returned no results
rlm_ldap (ldap_domain): Released connection (0)
rlm_ldap (ldap_domain): Need 5 more connections to reach 10 spares
rlm_ldap (ldap_domain): Opening additional connection (5), 1 of 27 pending slots used
rlm_ldap (ldap_domain): Connecting to ldap://dc.domain.local:389
rlm_ldap (ldap_domain): Waiting for bind result.
rlm_ldap (ldap_domain): Bind successful
(0) [ldap_domain] = notfound
(0) if ((ok || updated) && User-Password) <
(0) if ((ok || updated) && User-Password) -> FALSE
(0) [pap] = updated
(0) if (User-Password) <
(0) if (User-Password) -> TRUE
(0) if (User-Password) <
(0) update control <
(0) Auth-Type := LDAP
(0) > # update control = noop
(0) > # if (User-Password) = noop
(0) > # authorize = updated
(0) Found Auth-Type = LDAP
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel-domain
(0) Auth-Type LDAP <
rlm_ldap (ldap_domain): Reserved connection (1)
(0) ldap_domain: Login attempt by «bob»
(0) ldap_domain: EXPAND (sAMAccountName=%<%:-%>)
(0) ldap_domain: —> (sAMAccountName=bob)
(0) ldap_domain: Performing search in «cn=Users,dc=domain,dc=local» with filter «(sAMAccountName=bob)», scope «sub»
(0) ldap_domain: Waiting for search result.
(0) ldap_domain: Search returned no results
rlm_ldap (ldap_domain): Released connection (1)
(0) [ldap_domain] = notfound
(0) > # Auth-Type LDAP = notfound
(0) Failed to authenticate the user
(0) Using Post-Auth-Type Reject
(0) Post-Auth-Type sub-section not found. Ignoring.
(0) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(0) Sending delayed response
(0) Sent Access-Reject Id 213 from 127.0.0.1:18120 to 127.0.0.1:45282 length 20
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 213 with timestamp +5
Ready to process requests

with user bob over AccessPoint:

(1) Received Access-Request Id 155 from 192.168.2.250:3072 to 192.168.8.27:1812 length 176
(1) User-Name = «bob»
(1) Service-Type = Framed-User
(1) NAS-IP-Address = 192.168.2.250
(1) NAS-Port = 10
(1) NAS-Port-Id = «10»
(1) Called-Station-Id = «0E-0B-6B-2F-12-67:domain 8021X»
(1) Calling-Station-Id = «B8-E8-56-41-2C-2A»
(1) Connect-Info = «CONNECT 54 Mbps 802.11g»
(1) NAS-Identifier = «AP-domain01»
(1) NAS-Port-Type = Wireless-802.11
(1) Framed-MTU = 1500
(1) EAP-Message = 0x0201000801626f62
(1) Message-Authenticator = 0x4680895a204b3df7d15d82558ff9e6ea
(1) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/domain
(1) authorize <
(1) files: users: Matched entry bob at line 69
(1) [files] = ok
(1) [preprocess] = ok
(1) suffix: Checking for suffix after «@»
(1) suffix: No ‘@’ in User-Name = «bob», looking up realm NULL
(1) suffix: No such realm «NULL»
(1) [suffix] = noop
(1) eap: Peer sent EAP Response (code 2) ID 1 length 8
(1) eap: EAP-Identity reply, returning ‘ok’ so we can short-circuit the rest of authorize
(1) [eap] = ok
(1) > # authorize = ok
(1) Found Auth-Type = EAP
(1) # Executing group from file /usr/local/etc/raddb/sites-enabled/domain
(1) authenticate <
(1) eap: Peer sent packet with method EAP Identity (1)
(1) eap: Calling submodule eap_peap to process data
(1) eap_peap: Initiating new EAP-TLS session
(1) eap_peap: [eaptls start] = request
(1) eap: Sending EAP Request (code 1) ID 2 length 6
(1) eap: EAP session adding &reply:State = 0x7322fa167320e364
(1) [eap] = handled
(1) > # authenticate = handled
(1) Using Post-Auth-Type Challenge
(1) Post-Auth-Type sub-section not found. Ignoring.
(1) Sent Access-Challenge Id 155 from 192.168.8.27:1812 to 192.168.2.250:3072 length 0
(1) EAP-Message = 0x010200061920
(1) Message-Authenticator = 0x00000000000000000000000000000000
(1) State = 0x7322fa167320e3641bb25e163c98a49d
(1) Finished request
Waking up in 4.9 seconds.
(2) Received Access-Request Id 219 from 192.168.2.250:3072 to 192.168.8.27:1812 length 338
(2) User-Name = «bob»
(2) Service-Type = Framed-User
(2) NAS-IP-Address = 192.168.2.250
(2) NAS-Port = 10
(2) NAS-Port-Id = «10»
(2) State = 0x7322fa167320e3641bb25e163c98a49d
(2) Called-Station-Id = «0E-0B-6B-2F-12-67:domain 8021X»
(2) Calling-Station-Id = «B8-E8-56-41-2C-2A»
(2) Connect-Info = «CONNECT 54 Mbps 802.11g»
(2) NAS-Identifier = «AP-domain01»
(2) NAS-Port-Type = Wireless-802.11
(2) Framed-MTU = 1500
(2) EAP-Message = 0x0202009819800000008e1603010089010000850301561634f097408b8f9058fa38f1f34ce4854696e71aebecb3ae3cd9850b14d4cc00004a00ffc024c023c00ac009c008c028c027c014c013c012c026c025c005c004c003c02ac029c00fc00ec00d006b0067003900330016003d003c0035002f000ac0
(2) Message-Authenticator = 0x5309b752e9ed063e669ba97b7c937db8
(2) session-state: No cached attributes
(2) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/domain
(2) authorize <
(2) files: users: Matched entry bob at line 69
(2) [files] = ok
(2) [preprocess] = ok
(2) suffix: Checking for suffix after «@»
(2) suffix: No ‘@’ in User-Name = «bob», looking up realm NULL
(2) suffix: No such realm «NULL»
(2) [suffix] = noop
(2) eap: Peer sent EAP Response (code 2) ID 2 length 152
(2) eap: Continuing tunnel setup
(2) [eap] = ok
(2) > # authorize = ok
(2) Found Auth-Type = EAP
(2) # Executing group from file /usr/local/etc/raddb/sites-enabled/domain
(2) authenticate <
(2) eap: Expiring EAP session with state 0x7322fa167320e364
(2) eap: Finished EAP session with state 0x7322fa167320e364
(2) eap: Previous EAP request found for state 0x7322fa167320e364, released from the list
(2) eap: Peer sent packet with method EAP PEAP (25)
(2) eap: Calling submodule eap_peap to process data
(2) eap_peap: Continuing EAP-TLS
(2) eap_peap: Peer indicated complete TLS record size will be 142 bytes
(2) eap_peap: Got complete TLS record (142 bytes)
(2) eap_peap: [eaptls verify] = length included
(2) eap_peap: (other): before/accept initialization
(2) eap_peap: TLS_accept: before/accept initialization
(2) eap_peap: >> TLS 1.0 Handshake [length 0039], ServerHello
(2) eap_peap: TLS_accept: SSLv3 write server hello A
(2) eap_peap: >>> TLS 1.0 Handshake [length 0964], Certificate
(2) eap_peap: TLS_accept: SSLv3 write certificate A
(2) eap_peap: >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange
(2) eap_peap: TLS_accept: SSLv3 write key exchange A
(2) eap_peap: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
(2) eap_peap: TLS_accept: SSLv3 write server done A
(2) eap_peap: TLS_accept: SSLv3 flush data
(2) eap_peap: TLS_accept: Need to read more data: SSLv3 read client certificate A
(2) eap_peap: TLS_accept: Need to read more data: SSLv3 read client certificate A
(2) eap_peap: In SSL Handshake Phase
(2) eap_peap: In SSL Accept mode
(2) eap_peap: [eaptls process] = handled
(2) eap: Sending EAP Request (code 1) ID 3 length 1004
(2) eap: EAP session adding &reply:State = 0x7322fa167221e364
(2) [eap] = handled
(2) > # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) Post-Auth-Type sub-section not found. Ignoring.
(2) Sent Access-Challenge Id 219 from 192.168.8.27:1812 to 192.168.2.250:3072 length 0
(2) EAP-Message = 0x010303ec19c000000b001603010039020000350301da2dfe903d7c37a7634c8742deb0c9de5ef2b5d7f4c0d4d8d1697deec243cc5600c01400000dff01000100000b00040300010216030109640b00096000095d0005a7308205a33082048ba0030201020213720000003379461d9f383b20c900010000
(2) Message-Authenticator = 0x00000000000000000000000000000000
(2) State = 0x7322fa167221e3641bb25e163c98a49d
(2) Finished request
Waking up in 4.9 seconds.
(1) Cleaning up request packet ID 155 with timestamp +61
(2) Cleaning up request packet ID 219 with timestamp +61
Ready to process requests
(3) Received Access-Request Id 54 from 192.168.2.250:3072 to 192.168.8.27:1812 length 192
(3) User-Name = «bob»
(3) Service-Type = Framed-User
(3) NAS-IP-Address = 192.168.2.250
(3) NAS-Port = 10
(3) NAS-Port-Id = «10»
(3) State = 0x7322fa167221e3641bb25e163c98a49d
(3) Called-Station-Id = «0E-0B-6B-2F-12-67:domain 8021X»
(3) Calling-Station-Id = «B8-E8-56-41-2C-2A»
(3) Connect-Info = «CONNECT 54 Mbps 802.11g»
(3) NAS-Identifier = «AP-domain01»
(3) NAS-Port-Type = Wireless-802.11
(3) Framed-MTU = 1500
(3) EAP-Message = 0x020300061900
(3) Message-Authenticator = 0xa70b8b8371dc21e4a3352e99bad8a487
(3) session-state: No cached attributes
(3) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/domain
(3) authorize <
(3) files: users: Matched entry bob at line 69
(3) [files] = ok
(3) [preprocess] = ok
(3) suffix: Checking for suffix after «@»
(3) suffix: No ‘@’ in User-Name = «bob», looking up realm NULL
(3) suffix: No such realm «NULL»
(3) [suffix] = noop
(3) eap: Peer sent EAP Response (code 2) ID 3 length 6
(3) eap: Continuing tunnel setup
(3) [eap] = ok
(3) > # authorize = ok
(3) Found Auth-Type = EAP
(3) # Executing group from file /usr/local/etc/raddb/sites-enabled/domain
(3) authenticate <
(3) eap: Expiring EAP session with state 0x7322fa167221e364
(3) eap: Finished EAP session with state 0x7322fa167221e364
(3) eap: Previous EAP request found for state 0x7322fa167221e364, released from the list
(3) eap: Peer sent packet with method EAP PEAP (25)
(3) eap: Calling submodule eap_peap to process data
(3) eap_peap: Continuing EAP-TLS
(3) eap_peap: Peer ACKed our handshake fragment
(3) eap_peap: [eaptls verify] = request
(3) eap_peap: [eaptls process] = handled
(3) eap: Sending EAP Request (code 1) ID 4 length 1000
(3) eap: EAP session adding &reply:State = 0x7322fa167126e364
(3) [eap] = handled
(3) > # authenticate = handled
(3) Using Post-Auth-Type Challenge
(3) Post-Auth-Type sub-section not found. Ignoring.
(3) Sent Access-Challenge Id 54 from 192.168.8.27:1812 to 192.168.2.250:3072 length 0
(3) EAP-Message = 0x010403e81940b53081b206082b060105050730028681a56c6461703a2f2f2f434e3d6e656465636f253230476d624825323043412c434e3d4149412c434e3d5075626c69632532304b657925323053657276696365732c434e3d53657276696365732c434e3d436f6e66696775726174696f6e2c44433d
(3) Message-Authenticator = 0x00000000000000000000000000000000
(3) State = 0x7322fa167126e3641bb25e163c98a49d
(3) Finished request
Waking up in 4.9 seconds.
(4) Received Access-Request Id 29 from 192.168.2.250:3072 to 192.168.8.27:1812 length 192
(4) User-Name = «bob»
(4) Service-Type = Framed-User
(4) NAS-IP-Address = 192.168.2.250
(4) NAS-Port = 10
(4) NAS-Port-Id = «10»
(4) State = 0x7322fa167126e3641bb25e163c98a49d
(4) Called-Station-Id = «0E-0B-6B-2F-12-67:domain 8021X»
(4) Calling-Station-Id = «B8-E8-56-41-2C-2A»
(4) Connect-Info = «CONNECT 54 Mbps 802.11g»
(4) NAS-Identifier = «AP-domain01»
(4) NAS-Port-Type = Wireless-802.11
(4) Framed-MTU = 1500
(4) EAP-Message = 0x020400061900
(4) Message-Authenticator = 0x841ce2c1c9b797b25c3aff5bba5e059d
(4) session-state: No cached attributes
(4) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/domain
(4) authorize <
(4) files: users: Matched entry bob at line 69
(4) [files] = ok
(4) [preprocess] = ok
(4) suffix: Checking for suffix after «@»
(4) suffix: No ‘@’ in User-Name = «bob», looking up realm NULL
(4) suffix: No such realm «NULL»
(4) [suffix] = noop
(4) eap: Peer sent EAP Response (code 2) ID 4 length 6
(4) eap: Continuing tunnel setup
(4) [eap] = ok
(4) > # authorize = ok
(4) Found Auth-Type = EAP
(4) # Executing group from file /usr/local/etc/raddb/sites-enabled/domain
(4) authenticate <
(4) eap: Expiring EAP session with state 0x7322fa167126e364
(4) eap: Finished EAP session with state 0x7322fa167126e364
(4) eap: Previous EAP request found for state 0x7322fa167126e364, released from the list
(4) eap: Peer sent packet with method EAP PEAP (25)
(4) eap: Calling submodule eap_peap to process data
(4) eap_peap: Continuing EAP-TLS
(4) eap_peap: Peer ACKed our handshake fragment
(4) eap_peap: [eaptls verify] = request
(4) eap_peap: [eaptls process] = handled
(4) eap: Sending EAP Request (code 1) ID 5 length 834
(4) eap: EAP session adding &reply:State = 0x7322fa167027e364
(4) [eap] = handled
(4) > # authenticate = handled
(4) Using Post-Auth-Type Challenge
(4) Post-Auth-Type sub-section not found. Ignoring.
(4) Sent Access-Challenge Id 29 from 192.168.8.27:1812 to 192.168.2.250:3072 length 0
(4) EAP-Message = 0x01050342190068d99b627f3ca6561e6c1dcd0e8bb529b85d2515a36c2ba6f906ee9a223e619decfff2f24ef8674307735d591964d50ac988776a55970203010001a3819130818e301306092b060104018237140204061e0400430041300e0603551d0f0101ff040403020186300f0603551d130101ff04
(4) Message-Authenticator = 0x00000000000000000000000000000000
(4) State = 0x7322fa167027e3641bb25e163c98a49d
(4) Finished request
Waking up in 4.9 seconds.
(5) Received Access-Request Id 215 from 192.168.2.250:3072 to 192.168.8.27:1812 length 330
(5) User-Name = «bob»
(5) Service-Type = Framed-User
(5) NAS-IP-Address = 192.168.2.250
(5) NAS-Port = 10
(5) NAS-Port-Id = «10»
(5) State = 0x7322fa167027e3641bb25e163c98a49d
(5) Called-Station-Id = «0E-0B-6B-2F-12-67:domain 8021X»
(5) Calling-Station-Id = «B8-E8-56-41-2C-2A»
(5) Connect-Info = «CONNECT 54 Mbps 802.11g»
(5) NAS-Identifier = «AP-domain01»
(5) NAS-Port-Type = Wireless-802.11
(5) Framed-MTU = 1500
(5) EAP-Message = 0x0205009019800000008616030100461000004241048075a5ca05d012d0fd77b0f9e1664c5ce577eda72a1368e0a8e78fd9072b0a6e04ce9f7f3cb1339ca9fd58bdc40e0afce833807f1c4035e532e91d07e8d45fdb1403010001011603010030bff39ef9cf9a0400269ae5fd8888ba5c4940b72599bca5
(5) Message-Authenticator = 0xfaa49416d762fdf0846428951f176829
(5) session-state: No cached attributes
(5) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/domain
(5) authorize <
(5) files: users: Matched entry bob at line 69
(5) [files] = ok
(5) [preprocess] = ok
(5) suffix: Checking for suffix after «@»
(5) suffix: No ‘@’ in User-Name = «bob», looking up realm NULL
(5) suffix: No such realm «NULL»
(5) [suffix] = noop
(5) eap: Peer sent EAP Response (code 2) ID 5 length 144
(5) eap: Continuing tunnel setup
(5) [eap] = ok
(5) > # authorize = ok
(5) Found Auth-Type = EAP
(5) # Executing group from file /usr/local/etc/raddb/sites-enabled/domain
(5) authenticate <
(5) eap: Expiring EAP session with state 0x7322fa167027e364
(5) eap: Finished EAP session with state 0x7322fa167027e364
(5) eap: Previous EAP request found for state 0x7322fa167027e364, released from the list
(5) eap: Peer sent packet with method EAP PEAP (25)
(5) eap: Calling submodule eap_peap to process data
(5) eap_peap: Continuing EAP-TLS
(5) eap_peap: Peer indicated complete TLS record size will be 134 bytes
(5) eap_peap: Got complete TLS record (134 bytes)
(5) eap_peap: [eaptls verify] = length included
(5) eap_peap: >> TLS 1.0 ChangeCipherSpec length 0001 eap_peap: TLS_accept: SSLv3 write change cipher spec A
(5) eap_peap: >>> TLS 1.0 Handshake [length 0010], Finished
(5) eap_peap: TLS_accept: SSLv3 write finished A
(5) eap_peap: TLS_accept: SSLv3 flush data
(5) eap_peap: (other): SSL negotiation finished successfully
(5) eap_peap: SSL Connection Established
(5) eap_peap: [eaptls process] = handled
(5) eap: Sending EAP Request (code 1) ID 6 length 65
(5) eap: EAP session adding &reply:State = 0x7322fa167724e364
(5) [eap] = handled
(5) > # authenticate = handled
(5) Using Post-Auth-Type Challenge
(5) Post-Auth-Type sub-section not found. Ignoring.
(5) Sent Access-Challenge Id 215 from 192.168.8.27:1812 to 192.168.2.250:3072 length 0
(5) EAP-Message = 0x010600411900140301000101160301003055bf61e75ec8b42df54cc0a1eab6dd5e274dd8db872c3a18e2616a373eda384dcffbfa8de45423ccb8890ee689f1f4cb
(5) Message-Authenticator = 0x00000000000000000000000000000000
(5) State = 0x7322fa167724e3641bb25e163c98a49d
(5) Finished request
Waking up in 4.8 seconds.
(6) Received Access-Request Id 116 from 192.168.2.250:3072 to 192.168.8.27:1812 length 192
(6) User-Name = «bob»
(6) Service-Type = Framed-User
(6) NAS-IP-Address = 192.168.2.250
(6) NAS-Port = 10
(6) NAS-Port-Id = «10»
(6) State = 0x7322fa167724e3641bb25e163c98a49d
(6) Called-Station-Id = «0E-0B-6B-2F-12-67:domain 8021X»
(6) Calling-Station-Id = «B8-E8-56-41-2C-2A»
(6) Connect-Info = «CONNECT 54 Mbps 802.11g»
(6) NAS-Identifier = «AP-domain01»
(6) NAS-Port-Type = Wireless-802.11
(6) Framed-MTU = 1500
(6) EAP-Message = 0x020600061900
(6) Message-Authenticator = 0xb468a031e9e011addea02301e58313cb
(6) session-state: No cached attributes
(6) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/domain
(6) authorize <
(6) files: users: Matched entry bob at line 69
(6) [files] = ok
(6) [preprocess] = ok
(6) suffix: Checking for suffix after «@»
(6) suffix: No ‘@’ in User-Name = «bob», looking up realm NULL
(6) suffix: No such realm «NULL»
(6) [suffix] = noop
(6) eap: Peer sent EAP Response (code 2) ID 6 length 6
(6) eap: Continuing tunnel setup
(6) [eap] = ok
(6) > # authorize = ok
(6) Found Auth-Type = EAP
(6) # Executing group from file /usr/local/etc/raddb/sites-enabled/domain
(6) authenticate <
(6) eap: Expiring EAP session with state 0x7322fa167724e364
(6) eap: Finished EAP session with state 0x7322fa167724e364
(6) eap: Previous EAP request found for state 0x7322fa167724e364, released from the list
(6) eap: Peer sent packet with method EAP PEAP (25)
(6) eap: Calling submodule eap_peap to process data
(6) eap_peap: Continuing EAP-TLS
(6) eap_peap: Peer ACKed our handshake fragment. handshake is finished
(6) eap_peap: [eaptls verify] = success
(6) eap_peap: [eaptls process] = success
(6) eap_peap: Session established. Decoding tunneled attributes
(6) eap_peap: PEAP state TUNNEL ESTABLISHED
(6) eap: Sending EAP Request (code 1) ID 7 length 43
(6) eap: EAP session adding &reply:State = 0x7322fa167625e364
(6) [eap] = handled
(6) > # authenticate = handled
(6) Using Post-Auth-Type Challenge
(6) Post-Auth-Type sub-section not found. Ignoring.
(6) Sent Access-Challenge Id 116 from 192.168.8.27:1812 to 192.168.2.250:3072 length 0
(6) EAP-Message = 0x0107002b19001703010020ba0b3d2b7d949cf1727c708a6c6ac8606201ef325b4408284fbf4115ccf1e60c
(6) Message-Authenticator = 0x00000000000000000000000000000000
(6) State = 0x7322fa167625e3641bb25e163c98a49d
(6) Finished request
Waking up in 4.8 seconds.
(7) Received Access-Request Id 108 from 192.168.2.250:3072 to 192.168.8.27:1812 length 229
(7) User-Name = «bob»
(7) Service-Type = Framed-User
(7) NAS-IP-Address = 192.168.2.250
(7) NAS-Port = 10
(7) NAS-Port-Id = «10»
(7) State = 0x7322fa167625e3641bb25e163c98a49d
(7) Called-Station-Id = «0E-0B-6B-2F-12-67:domain 8021X»
(7) Calling-Station-Id = «B8-E8-56-41-2C-2A»
(7) Connect-Info = «CONNECT 54 Mbps 802.11g»
(7) NAS-Identifier = «AP-domain01»
(7) NAS-Port-Type = Wireless-802.11
(7) Framed-MTU = 1500
(7) EAP-Message = 0x0207002b190017030100205db45e564856f45f7af7cc0f3ec2e54ef3aab9a99f6cb2d9944b2c53980f0bde
(7) Message-Authenticator = 0xd2092e590023b1e9af89a2d5f9927801
(7) session-state: No cached attributes
(7) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/domain
(7) authorize <
(7) files: users: Matched entry bob at line 69
(7) [files] = ok
(7) [preprocess] = ok
(7) suffix: Checking for suffix after «@»
(7) suffix: No ‘@’ in User-Name = «bob», looking up realm NULL
(7) suffix: No such realm «NULL»
(7) [suffix] = noop
(7) eap: Peer sent EAP Response (code 2) ID 7 length 43
(7) eap: Continuing tunnel setup
(7) [eap] = ok
(7) > # authorize = ok
(7) Found Auth-Type = EAP
(7) # Executing group from file /usr/local/etc/raddb/sites-enabled/domain
(7) authenticate <
(7) eap: Expiring EAP session with state 0x7322fa167625e364
(7) eap: Finished EAP session with state 0x7322fa167625e364
(7) eap: Previous EAP request found for state 0x7322fa167625e364, released from the list
(7) eap: Peer sent packet with method EAP PEAP (25)
(7) eap: Calling submodule eap_peap to process data
(7) eap_peap: Continuing EAP-TLS
(7) eap_peap: [eaptls verify] = ok
(7) eap_peap: Done initial handshake
(7) eap_peap: [eaptls process] = ok
(7) eap_peap: Session established. Decoding tunneled attributes
(7) eap_peap: PEAP state WAITING FOR INNER IDENTITY
(7) eap_peap: Identity — bob
(7) eap_peap: Got inner identity ‘bob’
(7) eap_peap: Setting default EAP type for tunneled EAP session
(7) eap_peap: Got tunneled request
(7) eap_peap: EAP-Message = 0x0207000801626f62
(7) eap_peap: Setting User-Name to bob
(7) eap_peap: Sending tunneled request to inner-tunnel
(7) eap_peap: EAP-Message = 0x0207000801626f62
(7) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(7) eap_peap: User-Name = «bob»
(7) Virtual server inner-tunnel received request
(7) EAP-Message = 0x0207000801626f62
(7) FreeRADIUS-Proxied-To = 127.0.0.1
(7) User-Name = «bob»
(7) server inner-tunnel <
(7) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel-domain
(7) authorize <
(7) files: users: Matched entry bob at line 69
(7) [files] = ok
(7) [mschap] = noop
(7) suffix: Checking for suffix after «@»
(7) suffix: No ‘@’ in User-Name = «bob», looking up realm NULL
(7) suffix: No such realm «NULL»
(7) [suffix] = noop
(7) update control <
(7) Proxy-To-Realm := LOCAL
(7) > # update control = noop
(7) eap: Peer sent EAP Response (code 2) ID 7 length 8
(7) eap: EAP-Identity reply, returning ‘ok’ so we can short-circuit the rest of authorize
(7) [eap] = ok
(7) > # authorize = ok
(7) Found Auth-Type = EAP
(7) # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel-domain
(7) authenticate <
(7) eap: Peer sent packet with method EAP Identity (1)
(7) eap: Calling submodule eap_mschapv2 to process data
(7) eap_mschapv2: Issuing Challenge
(7) eap: Sending EAP Request (code 1) ID 8 length 43
(7) eap: EAP session adding &reply:State = 0xa0773c37a07f2697
(7) [eap] = handled
(7) > # authenticate = handled
(7) > # server inner-tunnel
(7) Virtual server sending reply
(7) EAP-Message = 0x0108002b1a0108002610499c5c634fd1c53afcf63e2a20dc0dbd667265657261646975732d332e302e3131
(7) Message-Authenticator = 0x00000000000000000000000000000000
(7) State = 0xa0773c37a07f269794c91e639bc0d99c
(7) eap_peap: Got tunneled reply code 11
(7) eap_peap: EAP-Message = 0x0108002b1a0108002610499c5c634fd1c53afcf63e2a20dc0dbd667265657261646975732d332e302e3131
(7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(7) eap_peap: State = 0xa0773c37a07f269794c91e639bc0d99c
(7) eap_peap: Got tunneled reply RADIUS code 11
(7) eap_peap: EAP-Message = 0x0108002b1a0108002610499c5c634fd1c53afcf63e2a20dc0dbd667265657261646975732d332e302e3131
(7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(7) eap_peap: State = 0xa0773c37a07f269794c91e639bc0d99c
(7) eap_peap: Got tunneled Access-Challenge
(7) eap: Sending EAP Request (code 1) ID 8 length 75
(7) eap: EAP session adding &reply:State = 0x7322fa16752ae364
(7) [eap] = handled
(7) > # authenticate = handled
(7) Using Post-Auth-Type Challenge
(7) Post-Auth-Type sub-section not found. Ignoring.
(7) Sent Access-Challenge Id 108 from 192.168.8.27:1812 to 192.168.2.250:3072 length 0
(7) EAP-Message = 0x0108004b19001703010040d8e4f8be725dc18720efdaf547282b5b876c26c5fdbea8c05f380bf87ea452cdf6938d2793528a14f784d70ad64f66ebcb6998cae0cdb2ec340b208caf7adddc
(7) Message-Authenticator = 0x00000000000000000000000000000000
(7) State = 0x7322fa16752ae3641bb25e163c98a49d
(7) Finished request
Waking up in 4.8 seconds.
(8) Received Access-Request Id 50 from 192.168.2.250:3072 to 192.168.8.27:1812 length 277
(8) User-Name = «bob»
(8) Service-Type = Framed-User
(8) NAS-IP-Address = 192.168.2.250
(8) NAS-Port = 10
(8) NAS-Port-Id = «10»
(8) State = 0x7322fa16752ae3641bb25e163c98a49d
(8) Called-Station-Id = «0E-0B-6B-2F-12-67:domain 8021X»
(8) Calling-Station-Id = «B8-E8-56-41-2C-2A»
(8) Connect-Info = «CONNECT 54 Mbps 802.11g»
(8) NAS-Identifier = «AP-domain01»
(8) NAS-Port-Type = Wireless-802.11
(8) Framed-MTU = 1500
(8) EAP-Message = 0x0208005b1900170301005035d828d77a9cd3611fc5b79937ff5a2749a2d013a332137a52fe3a206717cde550258b9914956f0b2f88dd7f4491d6d52e7b97a1fd99e59010b7e346d7692d768748d8d8efb3995a7d8d58863b0e3c9f
(8) Message-Authenticator = 0x27a3860baf38d3fd1d0e7f85c85a398e
(8) session-state: No cached attributes
(8) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/domain
(8) authorize <
(8) files: users: Matched entry bob at line 69
(8) [files] = ok
(8) [preprocess] = ok
(8) suffix: Checking for suffix after «@»
(8) suffix: No ‘@’ in User-Name = «bob», looking up realm NULL
(8) suffix: No such realm «NULL»
(8) [suffix] = noop
(8) eap: Peer sent EAP Response (code 2) ID 8 length 91
(8) eap: Continuing tunnel setup
(8) [eap] = ok
(8) > # authorize = ok
(8) Found Auth-Type = EAP
(8) # Executing group from file /usr/local/etc/raddb/sites-enabled/domain
(8) authenticate <
(8) eap: Expiring EAP session with state 0xa0773c37a07f2697
(8) eap: Finished EAP session with state 0x7322fa16752ae364
(8) eap: Previous EAP request found for state 0x7322fa16752ae364, released from the list
(8) eap: Peer sent packet with method EAP PEAP (25)
(8) eap: Calling submodule eap_peap to process data
(8) eap_peap: Continuing EAP-TLS
(8) eap_peap: [eaptls verify] = ok
(8) eap_peap: Done initial handshake
(8) eap_peap: [eaptls process] = ok
(8) eap_peap: Session established. Decoding tunneled attributes
(8) eap_peap: PEAP state phase2
(8) eap_peap: EAP method MSCHAPv2 (26)
(8) eap_peap: Got tunneled request
(8) eap_peap: EAP-Message = 0x0208003e1a02080039318c4c5187cb6d3acc25374e1a666c6ebd00000000000000005c626c4605277cd81e771f53707290714956dfed703aa31a00626f62
(8) eap_peap: Setting User-Name to bob
(8) eap_peap: Sending tunneled request to inner-tunnel
(8) eap_peap: EAP-Message = 0x0208003e1a02080039318c4c5187cb6d3acc25374e1a666c6ebd00000000000000005c626c4605277cd81e771f53707290714956dfed703aa31a00626f62
(8) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(8) eap_peap: User-Name = «bob»
(8) eap_peap: State = 0xa0773c37a07f269794c91e639bc0d99c
(8) Virtual server inner-tunnel received request
(8) EAP-Message = 0x0208003e1a02080039318c4c5187cb6d3acc25374e1a666c6ebd00000000000000005c626c4605277cd81e771f53707290714956dfed703aa31a00626f62
(8) FreeRADIUS-Proxied-To = 127.0.0.1
(8) User-Name = «bob»
(8) State = 0xa0773c37a07f269794c91e639bc0d99c
(8) server inner-tunnel <
(8) session-state: No cached attributes
(8) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel-domain
(8) authorize <
(8) files: users: Matched entry bob at line 69
(8) [files] = ok
(8) [mschap] = noop
(8) suffix: Checking for suffix after «@»
(8) suffix: No ‘@’ in User-Name = «bob», looking up realm NULL
(8) suffix: No such realm «NULL»
(8) [suffix] = noop
(8) update control <
(8) Proxy-To-Realm := LOCAL
(8) > # update control = noop
(8) eap: Peer sent EAP Response (code 2) ID 8 length 62
(8) eap: No EAP Start, assuming it’s an on-going EAP conversation
(8) [eap] = updated
(8) [expiration] = noop
(8) [logintime] = noop
rlm_ldap (ldap_domain): Closing connection (2): Hit idle_timeout, was idle for 90 seconds
rlm_ldap (ldap_domain): Closing connection (3): Hit idle_timeout, was idle for 90 seconds
rlm_ldap (ldap_domain): Closing connection (4): Hit idle_timeout, was idle for 90 seconds
rlm_ldap (ldap_domain): Closing connection (0): Hit idle_timeout, was idle for 85 seconds
rlm_ldap (ldap_domain): You probably need to lower «min»
rlm_ldap (ldap_domain): Closing connection (5): Hit idle_timeout, was idle for 85 seconds
rlm_ldap (ldap_domain): You probably need to lower «min»
rlm_ldap (ldap_domain): Closing connection (1): Hit idle_timeout, was idle for 85 seconds
rlm_ldap (ldap_domain): You probably need to lower «min»
rlm_ldap (ldap_domain): 0 of 0 connections in use. You may need to increase «spare»
rlm_ldap (ldap_domain): Opening additional connection (6), 1 of 32 pending slots used
rlm_ldap (ldap_domain): Connecting to ldap://dc.domain.local:389
rlm_ldap (ldap_domain): Waiting for bind result.
rlm_ldap (ldap_domain): Bind successful
rlm_ldap (ldap_domain): Reserved connection (6)
(8) ldap_domain: EXPAND (sAMAccountName=%<%:-%>)
(8) ldap_domain: —> (sAMAccountName=bob)
(8) ldap_domain: Performing search in «cn=Users,dc=domain,dc=local» with filter «(sAMAccountName=bob)», scope «sub»
(8) ldap_domain: Waiting for search result.
(8) ldap_domain: Search returned no results
rlm_ldap (ldap_domain): Released connection (6)
rlm_ldap (ldap_domain): Need 2 more connections to reach 10 spares
rlm_ldap (ldap_domain): Opening additional connection (7), 1 of 31 pending slots used
rlm_ldap (ldap_domain): Connecting to ldap://dc.domain.local:389
rlm_ldap (ldap_domain): Waiting for bind result.
rlm_ldap (ldap_domain): Bind successful
(8) [ldap_domain] = notfound
(8) if ((ok || updated) && User-Password) <
(8) if ((ok || updated) && User-Password) -> FALSE
(8) pap: WARNING: Auth-Type already set. Not setting to PAP
(8) [pap] = noop
(8) if (User-Password) <
(8) if (User-Password) -> FALSE
(8) > # authorize = updated
(8) Found Auth-Type = EAP
(8) # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel-domain
(8) authenticate <
(8) eap: Expiring EAP session with state 0xa0773c37a07f2697
(8) eap: Finished EAP session with state 0xa0773c37a07f2697
(8) eap: Previous EAP request found for state 0xa0773c37a07f2697, released from the list
(8) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(8) eap: Calling submodule eap_mschapv2 to process data
(8) eap_mschapv2: # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel-domain
(8) eap_mschapv2: Auth-Type MS-CHAP <
(8) mschap: Found Cleartext-Password, hashing to create NT-Password
(8) mschap: Found Cleartext-Password, hashing to create LM-Password
(8) mschap: Creating challenge hash with username: bob
(8) mschap: Client is using MS-CHAPv2
(8) mschap: Adding MS-CHAPv2 MPPE keys
(8) [mschap] = ok
(8) > # Auth-Type MS-CHAP = ok
(8) MSCHAP Success
(8) eap: Sending EAP Request (code 1) ID 9 length 51
(8) eap: EAP session adding &reply:State = 0xa0773c37a17e2697
(8) [eap] = handled
(8) > # authenticate = handled
(8) > # server inner-tunnel
(8) Virtual server sending reply
(8) EAP-Message = 0x010900331a0308002e533d41303037313532323444323837324439434432334437363345354535313444393146323441424646
(8) Message-Authenticator = 0x00000000000000000000000000000000
(8) State = 0xa0773c37a17e269794c91e639bc0d99c
(8) eap_peap: Got tunneled reply code 11
(8) eap_peap: EAP-Message = 0x010900331a0308002e533d41303037313532323444323837324439434432334437363345354535313444393146323441424646
(8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(8) eap_peap: State = 0xa0773c37a17e269794c91e639bc0d99c
(8) eap_peap: Got tunneled reply RADIUS code 11
(8) eap_peap: EAP-Message = 0x010900331a0308002e533d41303037313532323444323837324439434432334437363345354535313444393146323441424646
(8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(8) eap_peap: State = 0xa0773c37a17e269794c91e639bc0d99c
(8) eap_peap: Got tunneled Access-Challenge
(8) eap: Sending EAP Request (code 1) ID 9 length 91
(8) eap: EAP session adding &reply:State = 0x7322fa16742be364
(8) [eap] = handled
(8) > # authenticate = handled
(8) Using Post-Auth-Type Challenge
(8) Post-Auth-Type sub-section not found. Ignoring.
(8) Sent Access-Challenge Id 50 from 192.168.8.27:1812 to 192.168.2.250:3072 length 0
(8) EAP-Message = 0x0109005b19001703010050859ea345fa5ac6b144a9e42ed8bff28f0b2320a237ac8370d029cb70f52d482a0d76da88b813e4df36252cb6397300ec8d8d78b8622e934b5283b40ee5a8abe75b64b6667666fd21f0cac5fcc60f98ed
(8) Message-Authenticator = 0x00000000000000000000000000000000
(8) State = 0x7322fa16742be3641bb25e163c98a49d
(8) Finished request
Waking up in 4.7 seconds.
(9) Received Access-Request Id 168 from 192.168.2.250:3072 to 192.168.8.27:1812 length 229
(9) User-Name = «bob»
(9) Service-Type = Framed-User
(9) NAS-IP-Address = 192.168.2.250
(9) NAS-Port = 10
(9) NAS-Port-Id = «10»
(9) State = 0x7322fa16742be3641bb25e163c98a49d
(9) Called-Station-Id = «0E-0B-6B-2F-12-67:domain 8021X»
(9) Calling-Station-Id = «B8-E8-56-41-2C-2A»
(9) Connect-Info = «CONNECT 54 Mbps 802.11g»
(9) NAS-Identifier = «AP-domain01»
(9) NAS-Port-Type = Wireless-802.11
(9) Framed-MTU = 1500
(9) EAP-Message = 0x0209002b19001703010020ef0b01a2e1a2ce59b84fcd3a36f6101ad280a2da6de9e3034ee1142fd2c2d87b
(9) Message-Authenticator = 0xcbef8a5238f2450a86714781617cb91e
(9) session-state: No cached attributes
(9) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/domain
(9) authorize <
(9) files: users: Matched entry bob at line 69
(9) [files] = ok
(9) [preprocess] = ok
(9) suffix: Checking for suffix after «@»
(9) suffix: No ‘@’ in User-Name = «bob», looking up realm NULL
(9) suffix: No such realm «NULL»
(9) [suffix] = noop
(9) eap: Peer sent EAP Response (code 2) ID 9 length 43
(9) eap: Continuing tunnel setup
(9) [eap] = ok
(9) > # authorize = ok
(9) Found Auth-Type = EAP
(9) # Executing group from file /usr/local/etc/raddb/sites-enabled/domain
(9) authenticate <
(9) eap: Expiring EAP session with state 0xa0773c37a17e2697
(9) eap: Finished EAP session with state 0x7322fa16742be364
(9) eap: Previous EAP request found for state 0x7322fa16742be364, released from the list
(9) eap: Peer sent packet with method EAP PEAP (25)
(9) eap: Calling submodule eap_peap to process data
(9) eap_peap: Continuing EAP-TLS
(9) eap_peap: [eaptls verify] = ok
(9) eap_peap: Done initial handshake
(9) eap_peap: [eaptls process] = ok
(9) eap_peap: Session established. Decoding tunneled attributes
(9) eap_peap: PEAP state phase2
(9) eap_peap: EAP method MSCHAPv2 (26)
(9) eap_peap: Got tunneled request
(9) eap_peap: EAP-Message = 0x020900061a03
(9) eap_peap: Setting User-Name to bob
(9) eap_peap: Sending tunneled request to inner-tunnel
(9) eap_peap: EAP-Message = 0x020900061a03
(9) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(9) eap_peap: User-Name = «bob»
(9) eap_peap: State = 0xa0773c37a17e269794c91e639bc0d99c
(9) Virtual server inner-tunnel received request
(9) EAP-Message = 0x020900061a03
(9) FreeRADIUS-Proxied-To = 127.0.0.1
(9) User-Name = «bob»
(9) State = 0xa0773c37a17e269794c91e639bc0d99c
(9) server inner-tunnel <
(9) session-state: No cached attributes
(9) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel-domain
(9) authorize <
(9) files: users: Matched entry bob at line 69
(9) [files] = ok
(9) [mschap] = noop
(9) suffix: Checking for suffix after «@»
(9) suffix: No ‘@’ in User-Name = «bob», looking up realm NULL
(9) suffix: No such realm «NULL»
(9) [suffix] = noop
(9) update control <
(9) Proxy-To-Realm := LOCAL
(9) > # update control = noop
(9) eap: Peer sent EAP Response (code 2) ID 9 length 6
(9) eap: No EAP Start, assuming it’s an on-going EAP conversation
(9) [eap] = updated
(9) [expiration] = noop
(9) [logintime] = noop
rlm_ldap (ldap_domain): Reserved connection (6)
(9) ldap_domain: EXPAND (sAMAccountName=%<%:-%>)
(9) ldap_domain: —> (sAMAccountName=bob)
(9) ldap_domain: Performing search in «cn=Users,dc=domain,dc=local» with filter «(sAMAccountName=bob)», scope «sub»
(9) ldap_domain: Waiting for search result.
(9) ldap_domain: Search returned no results
rlm_ldap (ldap_domain): Released connection (6)
(9) [ldap_domain] = notfound
(9) if ((ok || updated) && User-Password) <
(9) if ((ok || updated) && User-Password) -> FALSE
(9) pap: WARNING: Auth-Type already set. Not setting to PAP
(9) [pap] = noop
(9) if (User-Password) <
(9) if (User-Password) -> FALSE
(9) > # authorize = updated
(9) Found Auth-Type = EAP
(9) # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel-domain
(9) authenticate <
(9) eap: Expiring EAP session with state 0xa0773c37a17e2697
(9) eap: Finished EAP session with state 0xa0773c37a17e2697
(9) eap: Previous EAP request found for state 0xa0773c37a17e2697, released from the list
(9) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(9) eap: Calling submodule eap_mschapv2 to process data
(9) eap: Sending EAP Success (code 3) ID 9 length 4
(9) eap: Freeing handler
(9) [eap] = ok
(9) > # authenticate = ok
(9) > # server inner-tunnel
(9) Virtual server sending reply
(9) MS-MPPE-Encryption-Policy = Encryption-Required
(9) MS-MPPE-Encryption-Types = 4
(9) MS-MPPE-Send-Key = 0xc40f7d178a19b383691a863644016790
(9) MS-MPPE-Recv-Key = 0x1f490d8645a1a87f762bc38738f37149
(9) EAP-Message = 0x03090004
(9) Message-Authenticator = 0x00000000000000000000000000000000
(9) User-Name = «bob»
(9) eap_peap: Got tunneled reply code 2
(9) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Required
(9) eap_peap: MS-MPPE-Encryption-Types = 4
(9) eap_peap: MS-MPPE-Send-Key = 0xc40f7d178a19b383691a863644016790
(9) eap_peap: MS-MPPE-Recv-Key = 0x1f490d8645a1a87f762bc38738f37149
(9) eap_peap: EAP-Message = 0x03090004
(9) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(9) eap_peap: User-Name = «bob»
(9) eap_peap: Got tunneled reply RADIUS code 2
(9) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Required
(9) eap_peap: MS-MPPE-Encryption-Types = 4
(9) eap_peap: MS-MPPE-Send-Key = 0xc40f7d178a19b383691a863644016790
(9) eap_peap: MS-MPPE-Recv-Key = 0x1f490d8645a1a87f762bc38738f37149
(9) eap_peap: EAP-Message = 0x03090004
(9) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(9) eap_peap: User-Name = «bob»
(9) eap_peap: Tunneled authentication was successful
(9) eap_peap: SUCCESS
(9) eap: Sending EAP Request (code 1) ID 10 length 43
(9) eap: EAP session adding &reply:State = 0x7322fa167b28e364
(9) [eap] = handled
(9) > # authenticate = handled
(9) Using Post-Auth-Type Challenge
(9) Post-Auth-Type sub-section not found. Ignoring.
(9) Sent Access-Challenge Id 168 from 192.168.8.27:1812 to 192.168.2.250:3072 length 0
(9) EAP-Message = 0x010a002b190017030100209ebe5c178129e763273f16ddd56f3f5e123f6a27587c42e7e480f2874b2985ac
(9) Message-Authenticator = 0x00000000000000000000000000000000
(9) State = 0x7322fa167b28e3641bb25e163c98a49d
(9) Finished request
Waking up in 4.7 seconds.
(10) Received Access-Request Id 89 from 192.168.2.250:3072 to 192.168.8.27:1812 length 229
(10) User-Name = «bob»
(10) Service-Type = Framed-User
(10) NAS-IP-Address = 192.168.2.250
(10) NAS-Port = 10
(10) NAS-Port-Id = «10»
(10) State = 0x7322fa167b28e3641bb25e163c98a49d
(10) Called-Station-Id = «0E-0B-6B-2F-12-67:domain 8021X»
(10) Calling-Station-Id = «B8-E8-56-41-2C-2A»
(10) Connect-Info = «CONNECT 54 Mbps 802.11g»
(10) NAS-Identifier = «AP-domain01»
(10) NAS-Port-Type = Wireless-802.11
(10) Framed-MTU = 1500
(10) EAP-Message = 0x020a002b19001703010020ae6a94676019ad167b393353926209ead29be3185de748899304ff6a50957c1a
(10) Message-Authenticator = 0x64a847e3ae161cf68eccda80a2f11f16
(10) session-state: No cached attributes
(10) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/domain
(10) authorize <
(10) files: users: Matched entry bob at line 69
(10) [files] = ok
(10) [preprocess] = ok
(10) suffix: Checking for suffix after «@»
(10) suffix: No ‘@’ in User-Name = «bob», looking up realm NULL
(10) suffix: No such realm «NULL»
(10) [suffix] = noop
(10) eap: Peer sent EAP Response (code 2) ID 10 length 43
(10) eap: Continuing tunnel setup
(10) [eap] = ok
(10) > # authorize = ok
(10) Found Auth-Type = EAP
(10) # Executing group from file /usr/local/etc/raddb/sites-enabled/domain
(10) authenticate <
(10) eap: Expiring EAP session with state 0x7322fa167b28e364
(10) eap: Finished EAP session with state 0x7322fa167b28e364
(10) eap: Previous EAP request found for state 0x7322fa167b28e364, released from the list
(10) eap: Peer sent packet with method EAP PEAP (25)
(10) eap: Calling submodule eap_peap to process data
(10) eap_peap: Continuing EAP-TLS
(10) eap_peap: [eaptls verify] = ok
(10) eap_peap: Done initial handshake
(10) eap_peap: [eaptls process] = ok
(10) eap_peap: Session established. Decoding tunneled attributes
(10) eap_peap: PEAP state send tlv success
(10) eap_peap: Received EAP-TLV response
(10) eap_peap: Success
(10) eap: Sending EAP Success (code 3) ID 10 length 4
(10) eap: Freeing handler
(10) [eap] = ok
(10) > # authenticate = ok
(10) Sent Access-Accept Id 89 from 192.168.8.27:1812 to 192.168.2.250:3072 length 0
(10) MS-MPPE-Recv-Key = 0xa16bc44cb5331571c4f3d362fd38e1bb11a2670822b415e53eb7ebbc67c2cb93
(10) MS-MPPE-Send-Key = 0xbd2081385181a9a51170b7fa40bfd3b32e396b6e7d46f9b5369a38d64be27cc8
(10) EAP-Message = 0x030a0004
(10) Message-Authenticator = 0x00000000000000000000000000000000
(10) User-Name = «bob»
(10) Finished request
Waking up in 4.7 seconds.
(3) Cleaning up request packet ID 54 with timestamp +90
(4) Cleaning up request packet ID 29 with timestamp +90
Waking up in 0.1 seconds.
(5) Cleaning up request packet ID 215 with timestamp +90
(6) Cleaning up request packet ID 116 with timestamp +90
(7) Cleaning up request packet ID 108 with timestamp +90
(8) Cleaning up request packet ID 50 with timestamp +90
(9) Cleaning up request packet ID 168 with timestamp +90
(10) Cleaning up request packet ID 89 with timestamp +90
Ready to process requests

I think that everything goes wrong with encrypt/decrypt the Domain User password or no User-Password is given after eap or something else. I tried a lot of stuff, but nothing works.

bob Cleartext-Password := «hello»

DEFAULT Framed-Protocol == PPP
Framed-Protocol = PPP,
Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT Hint == «CSLIP»
Framed-Protocol = SLIP,
Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT Hint == «SLIP»
Framed-Protocol = SLIP

(7) ldap_nedeco: Processing user attributes
(7) ldap_nedeco: WARNING: No «known good» password added. Ensure the admin user has permission to read the password attribute
(7) ldap_nedeco: WARNING: PAP authentication will NOT work with Active Directory (if that is what you were trying to configure)
rlm_ldap (ldap_nedeco): Released connection (0)
..
(7) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password
(7) mschap: WARNING: No Cleartext-Password configured. Cannot create LM-Password
(7) mschap: Creating challenge hash with username: test
(7) mschap: Client is using MS-CHAPv2
(7) mschap: ERROR: FAILED: No NT/LM-Password. Cannot perform authentication
(7) mschap: ERROR: MS-CHAP2-Response is incorrect
..
(8) eap_peap: Received EAP-TLV response
(8) eap_peap: The users session was previously rejected: returning reject (again.)
(8) eap_peap: This means you need to read the PREVIOUS messages in the debug output
(8) eap_peap: to find out the reason why the user was rejected
(8) eap_peap: Look for «reject» or «fail». Those earlier messages will tell you
(8) eap_peap: what went wrong, and how to fix the problem
(8) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed
..

Источник

Hello All,

I am working on setting up authentication into an Acme Packet Net-Net 3820 (SBC) via RADIUS. The accounting side of things is working just fine with no issues. The authentication side of things is another matter. I can see from a packet capture that the access-request
messages are in fact getting to the RADIUS server at which point the RADIUS server starts communicating with the domain controllers. I then see the chain of communication going back to the RADIUS and then finally back to the SBC. The problem is the response
I get back is always an access-reject message with a reason code of 16 (Authentication failed due to a user credentials mismatch. Either the user name provided does not match an existing user account or the password was incorrect). This is confirmed by looking
at the security event logs where I can see events 4625 and 6273. See the events below (Note: The names and IPs have been changed to protect the innocent):

Event ID: 6273
******************************************************************************
Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
Security ID:
NULL SID
Account Name:
real_username
Account Domain:
real_domain
Fully Qualified Account Name:
real_domainreal_username

Client Machine:
Security ID:
NULL SID
Account Name:
—
Fully Qualified Account Name:
—
OS-Version:
—
Called Station Identifier:
—
Calling Station Identifier:
—

NAS:
NAS IPv4 Address:
10.0.0.10
NAS IPv6 Address:
—
NAS Identifier:
radius1.real_domain
NAS Port-Type:
—
NAS Port:
101451540

RADIUS Client:
Client Friendly Name:
sbc1mgmt
Client IP Address:
10.0.0.10

Authentication Details:
Connection Request Policy Name:
SBC Authentication
Network Policy Name:
—
Authentication Provider:
Windows
Authentication Server:
RADIUS1.real_domain
Authentication Type:
MS-CHAPv2
EAP Type:
—
Account Session Identifier:
—
Logging Results:
Accounting information was written to the SQL data store and the local log file.
Reason Code:
16
Reason:
Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.
******************************************************************************

Event ID: 4625
******************************************************************************
An account failed to log on.

Subject:
Security ID:
SYSTEM
Account Name:
RADIUS1$
Account Domain:
REAL_DOMAIN
Logon ID:
0x3E7

Logon Type: 3

Account For Which Logon Failed:
Security ID:
NULL SID
Account Name:
real_username
Account Domain:
REAL_DOMAIN

Failure Information:
Failure Reason:
Unknown user name or bad password.
Status:
0xC000006D
Sub Status:
0xC000006A

Process Information:
Caller Process ID:
0x2cc
Caller Process Name:
C:WindowsSystem32svchost.exe

Network Information:
Workstation Name:

Source Network Address:
—
Source Port:
—

Detailed Authentication Information:
Logon Process:
IAS
Authentication Package:
MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Transited Services:
—
Package Name (NTLM only):
—
Key Length:
0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
— Transited services indicate which intermediate services have participated in this logon request.
— Package name indicates which sub-protocol was used among the NTLM protocols.
— Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
******************************************************************************

So at first glance it would seem that the issue is merely a case of an invalid username or mismatched password. This is further confirmed in the packet capture where I can see the MSCHAPv2 response has an error code of 691 (Access denied because username or
password, or both, are not valid on the domain). The thing is I know I am using a valid username and I have tried many usernames including new ones I created just for troubleshooting. I don’t know how many times I have reset the password in an attempt to ensure
it is not a mismatch password. I have even made sure to use passwords that are fairly short and contain only letters to ensure there was no terminal encoding issues (we connect to the SBC via SSH clients). I have also done this same thing with the shared secret
used during communication between the SBC and the RADIUS server. I have tried prefixing the username with the domain name at login (though I don’t think that should be necessary). I have also tried using the full UPN of the user to login. I have tried several
RADIUS testing clients (NTRadPing, RadiusTest, etc.), but they either don’t support MSCHAPv2 or only support EAP-MSCHAPv2. I have even created my own client using PHP’s PECL RADIUS module. Still it always seems to fail with the MSCHAPv2 authentication with
an error code of 691. Does anyone have any ideas as to why I always get an invalid username or bad password response when I have done everything possible to ensure that is not the case?

Here are the specs for our RADIUS configuration:

The only other things of note to consider is the fact that in the events above you can see that the Security ID is «NULL SID». Now I know this is common especially among failed logons but given that this issue is stating an invalid username or
bad password, perhaps it matters in this case. Also, this server has been rebuilt using the same computer account in Active Directory. I do not know if it would have worked before the rebuild. Essentially we built this server and only got as far as authorizing
the server to the domain and adding SQL when we decided to separate out the SQL role onto another server. Rather than uninstalling SQL we just rebuilt the machine. However, before reinstalling Windows I did do a reset on the computer account. I don’t think
this should matter but thought I would point it out if there is some weird quirk where reusing the same SID of a previously authorized NPS server would cause an issue.

All in all it is a fairly basic setup and hopefully I have provided enough information for someone to get an idea of what might be going on. I hope this was the right forum to post this too, I figured there would be a higher number of RADIUS experts here than
any of the other categories. Apologies if my understanding of this seems a bit basic, after all, when it comes to RADIUS servers I guess you could say I’m the new guy here.

Модератор: SLEDopit

rad_recv: Access-Request packet from host 127.0.0.1 port 56882, id=53, length=148
        Service-Type = Framed-User
        Framed-Protocol = PPP
        User-Name = "user1"
        MS-CHAP-Challenge = 0x70558a5f04f775f367995743de9a2c0d
        MS-CHAP2-Response = 0x3900d1e4fe5f18710ab0d39c8b2b9de8a63b000000000000000084455fb01e77df9aca7c602ac9
b0de1b7b2e56c413d7f06c
        Calling-Station-Id = "192.168.146.1"
        NAS-IP-Address = 127.0.1.1
        NAS-Port = 0
+- entering group authorize
++[preprocess] returns ok
  rlm_mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
++[mschap] returns ok
  rad_check_password:  Found Auth-Type mschap
auth: type "MSCHAP"
+- entering group authenticate
  rlm_mschap: No Cleartext-Password configured.  Cannot create LM-Password.
  rlm_mschap: No Cleartext-Password configured.  Cannot create NT-Password.
  rlm_mschap: Told to do MS-CHAPv2 for user1 with NT-Password
  rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform authentication.
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
auth: Failed to validate the user.
Login incorrect: [user1/<via Auth-Type = mschap>] (from client localhost port 0 cli 192.168.146.1)
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 53 to 127.0.0.1 port 56882
        MS-CHAP-Error = "9E=691 R=1"
Waking up in 4.9 seconds.
Cleaning up request 0 ID 53 with timestamp +8
Ready to process requests.

select * from radcheck;
+-----+----------+----------------------+----+-----------------------+
| id  | UserName | Attribute            | op | Value                 |
+-----+----------+----------------------+----+-----------------------+
|  1  | user123  | Password-With-Header | := | {cleartext}secret1234 |
+-----+----------+----------------------+----+-----------------------+

You need neither enable the ntlm_auth row in /etc/raddb/mods-available/mschap nor set ntlm auth = yes in your smb.conf. As MSCHAPv2 doesn’t seem to support NTLMv2, you do need to set the following in your smb.conf:

ntlm auth = mschapv2-and-ntlmv2-only

To quote the smb.conf manpage:

”Only allow NTLMv1 when the client promises that it is providing MSCHAPv2 authentication (such as the ntlm_auth tool).”

However, with modern Sambas and recent versions of Freeradius you don’t need to enable ntlm_auth explicitly, because Freeradius 3.0.8 and newer ones can talk to Winbind directly. Just remember to give it read permissions for Winbind’s pipe! Eg. on Debian one could run setfacl -m u:freerad:rx /var/lib/samba/winbindd_privileged/.

All in all, all the changes to the mschap module config that I did to recieve Access-Accept from radtest -t mschap testaccount mypass 127.0.0.1 0 testing123 on a Debian Buster box running Samba as an AD DC and Freeradius are in the following diff:

diff --git a/freeradius/3.0/mods-available/mschap b/freeradius/3.0/mods-available/mschap
index d7efcb1..e297ed4 100644
--- a/freeradius/3.0/mods-available/mschap
+++ b/freeradius/3.0/mods-available/mschap
@@ -21,12 +21,12 @@ mschap {
        # if mppe is enabled require_encryption makes
        # encryption moderate
        #
-#      require_encryption = yes
+       require_encryption = yes

        # require_strong always requires 128 bit key
        # encryption
        #
-#      require_strong = yes
+       require_strong = yes

        # The module can perform authentication itself, OR
        # use a Windows Domain Controller.  This configuration
@@ -81,8 +81,8 @@ mschap {
        # or later to be installed. Make sure that ntlm_auth above is
        # commented out.
        #
-#      winbind_username = "%{mschap:User-Name}"
-#      winbind_domain = "%{mschap:NT-Domain}"
+       winbind_username = "%{mschap:User-Name}"
+       winbind_domain = "%{%{mschap:NT-Domain}:-MYDOMAIN}"

        # When using single sign-on with a winbind connection and the
        # client uses a different casing for the username than the
@@ -91,7 +91,7 @@ mschap {
        # user in the correct casing in the backend, and retry
        # authentication with that username.
        #
-#      winbind_retry_with_normalised_username = no
+       winbind_retry_with_normalised_username = yes

        #
        #  Information for the winbind connection pool.  The configuration

(Please note that winbind_retry_with_normalised_username is probably irrelevant in this testing context.)

MYDOMAIN is the domain name in the classic NT4-form, not in the Kerberos-like DOMAIN.TLD form. Even if you’re not running Freeradius straight on the DC, the actual mschap module config of Freeradius should still be the same, as long as the server has joined the domain properly. If the DC is Windows, then there is obviously no smb.conf, but the ability to use NTLMv1 is dependent of the domain functional level and whether the user belongs to a protected user group.

Note that if MSCHAPv2 is going to be used for Wi-Fi authentication, it should only be used inside mutually authenticated tunnels to guard against fake access points. For the EAP types, see Wikipedia and for a summary of client restrictions, see the second answer in Why would you use EAP-TTLS instead of PEAP?