Sorry for the question, but do you have a sample radius.conf to publish for us?

Because I tried to configure this, but I always have the error below:

 PEAP: Got tunneled reply RADIUS code 3
        Service-Type = Login-User
        MS-CHAP-Error = "8E=691 R=1"
        EAP-Message = 0x04380004
        Message-Authenticator = 0x00000000000000000000000000000000
  PEAP: Processing from tunneled session code 0x817f5c8 3
        Service-Type = Login-User
        MS-CHAP-Error = "8E=691 R=1"
        EAP-Message = 0x04380004
        Message-Authenticator = 0x00000000000000000000000000000000
  PEAP: Tunneled authentication was rejected.
  rlm_eap_peap: FAILURE



Debug file:

Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/radius/etc/raddb/proxy.conf
Config: including file: /usr/local/radius/etc/raddb/clients.conf
Config: including file: /usr/local/radius/etc/raddb/snmp.conf
Config: including file: /usr/local/radius/etc/raddb/eap.conf
main: prefix = "/usr/local/radius"
main: localstatedir = "/usr/local/radius/var"
main: logdir = "/usr/local/radius/var/log/radius"
main: libdir = "/usr/local/radius/lib"
main: radacctdir = "/usr/local/radius/var/log/radius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/usr/local/radius/var/log/radius/radius.log"
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = "/usr/local/radius/var/run/radiusd/radiusd.pid"
main: user = "(null)"
main: group = "(null)"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/local/radius/sbin/checkrad"
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = yes
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/radius/lib
Module: Loaded PAP
pap: encryption_scheme = "clear"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = yes
mschap: require_strong = yes
mschap: with_ntdomain_hack = no
mschap: passwd = "(null)"
mschap: authtype = "MS-CHAP"
mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded LDAP
ldap: server = "localhost"
ldap: port = 389
ldap: net_timeout = 1
ldap: timeout = 4
ldap: timelimit = 3
ldap: identity = "cn=admin,dc=testdomain,dc=com"
ldap: tls_mode = no
ldap: start_tls = no
ldap: tls_cacertfile = "(null)"
ldap: tls_cacertdir = "(null)"
ldap: tls_certfile = "(null)"
ldap: tls_keyfile = "(null)"
ldap: tls_randfile = "(null)"
ldap: tls_require_cert = "allow"
ldap: password = "xtopazio"
ldap: basedn = "dc=testdomain,dc=com"
ldap: filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
ldap: base_filter = "(objectclass=radiusprofile)"
ldap: default_profile = "(null)"
ldap: profile_attribute = "radiusProfileDn"
ldap: password_header = "{CRYPT}"
ldap: password_attribute = "userPassword"
ldap: access_attr = "(null)"
ldap: groupname_attribute = "cn"
ldap: groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
ldap: groupmembership_attribute = "radiusGroupName"
ldap: dictionary_mapping = "/usr/local/radius/etc/raddb/ldap.attrmap"
ldap: ldap_debug = 0
ldap: ldap_connections_number = 5
ldap: compare_check_items = no
ldap: access_attr_used_for_allow = yes
ldap: do_xlat = yes
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: reading ldap<->radius mappings from file /usr/local/radius/etc/raddb/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
conns: 0x814cfe8
Module: Instantiated ldap (ldap)
Module: Loaded eap
eap: default_eap_type = "peap"
eap: timer_expire = 60
eap: ignore_unknown_eap_types = yes
eap: cisco_accounting_username_bug = no
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = "(null)"
tls: pem_file_type = yes
tls: private_key_file = "/usr/local/openssl/ssl/misc/cert-srv.pem"
tls: certificate_file = "/usr/local/openssl/ssl/misc/cert-srv.pem"
tls: CA_file = "/usr/local/openssl/ssl/misc/root.pem"
tls: private_key_password = "whatever"
tls: dh_file = "/usr/local/openssl/ssl/misc/dh"
tls: random_file = "/usr/local/openssl/ssl/misc/random"
tls: fragment_size = 1024
tls: include_length = yes
tls: check_crl = no
tls: check_cert_cn = "(null)"
rlm_eap: Loaded and initialized type tls
peap: default_eap_type = "mschapv2"
peap: copy_request_to_tunnel = no
peap: use_tunneled_reply = no
peap: proxy_tunneled_request_as_eap = yes
rlm_eap: Loaded and initialized type peap
mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = "/usr/local/radius/etc/raddb/huntgroups"
preprocess: hints = "/usr/local/radius/etc/raddb/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded realm
realm: format = "suffix"
realm: delimiter = "@"
realm: ignore_default = no
realm: ignore_null = no
Module: Instantiated realm (suffix)
Listening on authentication *:1812
Listening on accounting *:1813
Listening on proxy *:1814
Ready to process requests.
rad_recv: Access-Request packet from host 172.22.2.32:1237, id=254, length=86
User-Name = "israel"
EAP-Message = 0x0232000b0169737261656c
NAS-IP-Address = 172.22.2.32
Service-Type = Login-User
Calling-Station-Id = "0.0.0.0"
NAS-Port-Type = Ethernet
Message-Authenticator = 0x538884dd87995e9d15ae98534ab66abe
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
rlm_eap: EAP packet type response id 50 length 11
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for israel
radius_xlat: '(uid=israel)'
radius_xlat: 'dc=testdomain,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as cn=admin,dc=testdomain,dc=com/xtopazio to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=testdomain,dc=com, with filter (uid=israel)
rlm_ldap: Added password 79/amk9cWxbpM in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding ntPassword as NT-Password, value 6C4C4EB68A4C6082AB37166A9E967273 & op=21
rlm_ldap: Adding lmPassword as LM-Password, value 24C4A2B160D56070C187B8085FE1D9DF & op=21
rlm_ldap: Adding radiusAuthType as Auth-Type, value PEAP & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding radiusServiceType as Service-Type, value login & op=11
rlm_ldap: user israel authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 0
modcall: group authorize returns updated for request 0
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
modcall[authenticate]: module "eap" returns handled for request 0
modcall: group authenticate returns handled for request 0
Sending Access-Challenge of id 254 to 172.22.2.32:1237
Service-Type = Login-User
EAP-Message = 0x013300061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa54c60f332d5157356d99e31c44b321e
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 172.22.2.32:1238, id=44, length=173
User-Name = "israel"
EAP-Message = 0x0233005019800000004616030100410100003d030141e6d4792b0ae33065691a3feeb3e20d05197228315e4655918f04dda89920a500001600040005000a000900640062000300060013001200630100
NAS-IP-Address = 172.22.2.32
Service-Type = Login-User
Calling-Station-Id = "0.0.0.0"
NAS-Port-Type = Ethernet
State = 0xa54c60f332d5157356d99e31c44b321e
Message-Authenticator = 0xb55e3fd5ac22f6961123f40472b01220
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
modcall[authorize]: module "preprocess" returns ok for request 1
rlm_eap: EAP packet type response id 51 length 80
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 1
rlm_ldap: - authorize
rlm_ldap: performing user authorization for israel
radius_xlat: '(uid=israel)'
radius_xlat: 'dc=testdomain,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=testdomain,dc=com, with filter (uid=israel)
rlm_ldap: Added password 79/amk9cWxbpM in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding ntPassword as NT-Password, value 6C4C4EB68A4C6082AB37166A9E967273 & op=21
rlm_ldap: Adding lmPassword as LM-Password, value 24C4A2B160D56070C187B8085FE1D9DF & op=21
rlm_ldap: Adding radiusAuthType as Auth-Type, value PEAP & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding radiusServiceType as Service-Type, value login & op=11
rlm_ldap: user israel authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 1
modcall: group authorize returns updated for request 1
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
eaptls_verify returned 11
(other): before/accept initialization
TLS_accept: before/accept initialization
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello
TLS_accept: SSLv3 read client hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
TLS_accept: SSLv3 write server hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 06c7], Certificate
TLS_accept: SSLv3 write certificate A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
TLS_accept: SSLv3 write server done A
TLS_accept: SSLv3 flush data
TLS_accept:error in SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
modcall[authenticate]: module "eap" returns handled for request 1
modcall: group authenticate returns handled for request 1
Sending Access-Challenge of id 44 to 172.22.2.32:1238
Service-Type = Login-User
EAP-Message = 0x0313105175616e74697a6154657374653243413121301f06092a864886f70d010901161269737261656c40746f70617a696f2e636f6d301e170d3034313132333034343731365a170d3039313132323034343731365a3081ac310b3009060355040613024252311a30180603550408131152696f204772616e646520646f2053756c311230100603550407130943616d706f20426f6d311d301b060355040a13145175616e74697a61536572766572546573746532310b3009060355040b13024954311e301c0603550403131564627261646975732e7175616e74697a612e636f6d3121301f06092a864886f70d010901161269737261656c40746f70
EAP-Message = 0x657374653243413121301f06092a864886f70d010901
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xe88fda72bb08291884a0f9b01c9cf8fb
Finished request 1
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 172.22.2.32:1239, id=47, length=99
User-Name = "israel"
EAP-Message = 0x023400061900
NAS-IP-Address = 172.22.2.32
Service-Type = Login-User
Calling-Station-Id = "0.0.0.0"
NAS-Port-Type = Ethernet
State = 0xe88fda72bb08291884a0f9b01c9cf8fb
Message-Authenticator = 0xc38c20e66dd66fd20e419d4e9b800ad6
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
modcall[authorize]: module "preprocess" returns ok for request 2
rlm_eap: EAP packet type response id 52 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 2
rlm_ldap: - authorize
rlm_ldap: performing user authorization for israel
radius_xlat: '(uid=israel)'
radius_xlat: 'dc=testdomain,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=testdomain,dc=com, with filter (uid=israel)
rlm_ldap: Added password 79/amk9cWxbpM in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding ntPassword as NT-Password, value 6C4C4EB68A4C6082AB37166A9E967273 & op=21
rlm_ldap: Adding lmPassword as LM-Password, value 24C4A2B160D56070C187B8085FE1D9DF & op=21
rlm_ldap: Adding radiusAuthType as Auth-Type, value PEAP & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding radiusServiceType as Service-Type, value login & op=11
rlm_ldap: user israel authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 2
modcall: group authorize returns updated for request 2
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake fragment handler
eaptls_verify returned 1
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
modcall[authenticate]: module "eap" returns handled for request 2
modcall: group authenticate returns handled for request 2
Sending Access-Challenge of id 47 to 172.22.2.32:1239
Service-Type = Login-User
EAP-Message = 0xaf62b200ad99c84ceadaf853a2b5f45994c506dba20fea366fb2240725f0507ef34d75677a2ab714b88d16030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x039d3e0d38fc9d62fc60df041f2098f2
Finished request 2
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 172.22.2.32:1240, id=65, length=285
User-Name = "israel"
EAP-Message = 0x023500c01980000000b616030100861000008200800dbd328618fcb44d916ddab3f84f208fa02d4095139707dc4355dc6028c6c0b5cb195b45c14fcd525234d6f9fb0747a4e45cac8bdb04a8a0edd7a149a7027bab7f27ba1aa2a79aaef50c4c93598f64a56351a92df2b4a2a2c2d6268d9fd14cf33c1cec059938d8f926e7c8a9a725f13e1137567fa1fd7da76aa38ee50660912314030100010116030100204086278646ecb495a5dc4c35c5952aa9a8c6ab1e04a2acc07e3bd535ae347a5a
NAS-IP-Address = 172.22.2.32
Service-Type = Login-User
Calling-Station-Id = "0.0.0.0"
NAS-Port-Type = Ethernet
State = 0x039d3e0d38fc9d62fc60df041f2098f2
Message-Authenticator = 0x94760a0da98dd58c0ae7c0da28d595de
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 3
modcall[authorize]: module "preprocess" returns ok for request 3
rlm_eap: EAP packet type response id 53 length 192
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 3
rlm_ldap: - authorize
rlm_ldap: performing user authorization for israel
radius_xlat: '(uid=israel)'
radius_xlat: 'dc=testdomain,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=testdomain,dc=com, with filter (uid=israel)
rlm_ldap: Added password 79/amk9cWxbpM in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding ntPassword as NT-Password, value 6C4C4EB68A4C6082AB37166A9E967273 & op=21
rlm_ldap: Adding lmPassword as LM-Password, value 24C4A2B160D56070C187B8085FE1D9DF & op=21
rlm_ldap: Adding radiusAuthType as Auth-Type, value PEAP & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding radiusServiceType as Service-Type, value login & op=11
rlm_ldap: user israel authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 3
modcall: group authorize returns updated for request 3
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 3
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
eaptls_verify returned 11
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
TLS_accept: SSLv3 read client key exchange A
rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 read finished A
rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001]
TLS_accept: SSLv3 write change cipher spec A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 write finished A
TLS_accept: SSLv3 flush data
(other): SSL negotiation finished successfully
SSL Connection Established
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
modcall[authenticate]: module "eap" returns handled for request 3
modcall: group authenticate returns handled for request 3
Sending Access-Challenge of id 65 to 172.22.2.32:1240
Service-Type = Login-User
EAP-Message = 0x0136003119001403010001011603010020c67c10e9b83c4303ebbd7cb85e8ca4b92c69a7ee42250b20dabc3baa8c2c93dc
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x8a1139fcb4f0449037d7122da0c266ac
Finished request 3
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 172.22.2.32:1241, id=79, length=99
User-Name = "israel"
EAP-Message = 0x023600061900
NAS-IP-Address = 172.22.2.32
Service-Type = Login-User
Calling-Station-Id = "0.0.0.0"
NAS-Port-Type = Ethernet
State = 0x8a1139fcb4f0449037d7122da0c266ac
Message-Authenticator = 0x3006d883e837a859b05411182f5ba41d
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
modcall[authorize]: module "preprocess" returns ok for request 4
rlm_eap: EAP packet type response id 54 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 4
rlm_ldap: - authorize
rlm_ldap: performing user authorization for israel
radius_xlat: '(uid=israel)'
radius_xlat: 'dc=testdomain,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=testdomain,dc=com, with filter (uid=israel)
rlm_ldap: Added password 79/amk9cWxbpM in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding ntPassword as NT-Password, value 6C4C4EB68A4C6082AB37166A9E967273 & op=21
rlm_ldap: Adding lmPassword as LM-Password, value 24C4A2B160D56070C187B8085FE1D9DF & op=21
rlm_ldap: Adding radiusAuthType as Auth-Type, value PEAP & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding radiusServiceType as Service-Type, value login & op=11
rlm_ldap: user israel authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 4
modcall: group authorize returns updated for request 4
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 4
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake is finished
eaptls_verify returned 3
eaptls_process returned 3
rlm_eap_peap: EAPTLS_SUCCESS
modcall[authenticate]: module "eap" returns handled for request 4
modcall: group authenticate returns handled for request 4
Sending Access-Challenge of id 79 to 172.22.2.32:1241
Service-Type = Login-User
EAP-Message = 0x013700201900170301001514911454f60f1c2ef87c12055b0e97c3ce93e422a6
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xd0d2def6e43eba69a30a199d6ad3960c
Finished request 4
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 172.22.2.32:1242, id=81, length=127
User-Name = "israel"
EAP-Message = 0x0237002219001703010017eb16ca428f1ea7fa77fe36dde246827077b20c2d9a8b21
NAS-IP-Address = 172.22.2.32
Service-Type = Login-User
Calling-Station-Id = "0.0.0.0"
NAS-Port-Type = Ethernet
State = 0xd0d2def6e43eba69a30a199d6ad3960c
Message-Authenticator = 0x72f4a9b2dc813e3190af52cade5cd549
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
modcall[authorize]: module "preprocess" returns ok for request 5
rlm_eap: EAP packet type response id 55 length 34
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 5
rlm_ldap: - authorize
rlm_ldap: performing user authorization for israel
radius_xlat: '(uid=israel)'
radius_xlat: 'dc=testdomain,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=testdomain,dc=com, with filter (uid=israel)
rlm_ldap: Added password 79/amk9cWxbpM in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding ntPassword as NT-Password, value 6C4C4EB68A4C6082AB37166A9E967273 & op=21
rlm_ldap: Adding lmPassword as LM-Password, value 24C4A2B160D56070C187B8085FE1D9DF & op=21
rlm_ldap: Adding radiusAuthType as Auth-Type, value PEAP & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding radiusServiceType as Service-Type, value login & op=11
rlm_ldap: user israel authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 5
modcall: group authorize returns updated for request 5
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 5
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: Identity - israel
rlm_eap_peap: Tunneled data is valid.
PEAP: Got tunneled EAP-Message
EAP-Message = 0x0237000b0169737261656c
PEAP: Got tunneled identity of israel
PEAP: Setting default EAP type for tunneled EAP session.
PEAP: Setting User-Name to israel
PEAP: Sending tunneled request
EAP-Message = 0x0237000b0169737261656c
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "israel"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
modcall[authorize]: module "preprocess" returns ok for request 5
rlm_eap: EAP packet type response id 55 length 11
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 5
rlm_ldap: - authorize
rlm_ldap: performing user authorization for israel
radius_xlat: '(uid=israel)'
radius_xlat: 'dc=testdomain,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=testdomain,dc=com, with filter (uid=israel)
rlm_ldap: Added password 79/amk9cWxbpM in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding ntPassword as NT-Password, value 6C4C4EB68A4C6082AB37166A9E967273 & op=21
rlm_ldap: Adding lmPassword as LM-Password, value 24C4A2B160D56070C187B8085FE1D9DF & op=21
rlm_ldap: Adding radiusAuthType as Auth-Type, value PEAP & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding radiusServiceType as Service-Type, value login & op=11
rlm_ldap: user israel authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 5
modcall: group authorize returns updated for request 5
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 5
rlm_eap: EAP Identity
rlm_eap: processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
modcall[authenticate]: module "eap" returns handled for request 5
modcall: group authenticate returns handled for request 5
PEAP: Got tunneled reply RADIUS code 11
Service-Type = Login-User
EAP-Message = 0x013800201a0138001b1090401350673c3a38b6a5c0e466512e6169737261656c
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x6e47be67f27de2502cd61fc55e3fd1d8
PEAP: Processing from tunneled session code 0x81858e0 11
Service-Type = Login-User
EAP-Message = 0x013800201a0138001b1090401350673c3a38b6a5c0e466512e6169737261656c
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x6e47be67f27de2502cd61fc55e3fd1d8
PEAP: Got tunneled Access-Challenge
modcall[authenticate]: module "eap" returns handled for request 5
modcall: group authenticate returns handled for request 5
Sending Access-Challenge of id 81 to 172.22.2.32:1242
Service-Type = Login-User
EAP-Message = 0x013800371900170301002c17943940505f668cbcf7661d95d2c7649c8951cba1f89f26466cef31868cf9162191b030ea99fba789ee8ac0
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x9dceba4f210b35c1bcb2da65bceffdb3
Finished request 5
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 172.22.2.32:1243, id=87, length=181
User-Name = "israel"
EAP-Message = 0x023800581900170301004dc4f4be62451c4dbe778f5894da1ec11fb42bf7edbe4b1c39c6b517cf8e4f131cc6d2094f2c35ff3fe8f657a163dbb8e178784ff6fd0af5fc382cea41b1f5f2be094843102eeea76ed3ed83a871
NAS-IP-Address = 172.22.2.32
Service-Type = Login-User
Calling-Station-Id = "0.0.0.0"
NAS-Port-Type = Ethernet
State = 0x9dceba4f210b35c1bcb2da65bceffdb3
Message-Authenticator = 0xc9513f1f83c9e66797a8f80f841d7276
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 6
modcall[authorize]: module "preprocess" returns ok for request 6
rlm_eap: EAP packet type response id 56 length 88
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 6
rlm_ldap: - authorize
rlm_ldap: performing user authorization for israel
radius_xlat: '(uid=israel)'
radius_xlat: 'dc=testdomain,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=testdomain,dc=com, with filter (uid=israel)
rlm_ldap: Added password 79/amk9cWxbpM in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding ntPassword as NT-Password, value 6C4C4EB68A4C6082AB37166A9E967273 & op=21
rlm_ldap: Adding lmPassword as LM-Password, value 24C4A2B160D56070C187B8085FE1D9DF & op=21
rlm_ldap: Adding radiusAuthType as Auth-Type, value PEAP & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding radiusServiceType as Service-Type, value login & op=11
rlm_ldap: user israel authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 6
modcall: group authorize returns updated for request 6
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: EAP type mschapv2
rlm_eap_peap: Tunneled data is valid.
PEAP: Got tunneled EAP-Message
EAP-Message = 0x023800411a0238003c31b2d515e772772b769e0af58620ce6ebb0000000000000000b3118f98668f157ef2a162edec964622b973e22006893da50069737261656c
PEAP: Setting User-Name to israel
PEAP: Adding old state with 6e 47
PEAP: Sending tunneled request
EAP-Message = 0x023800411a0238003c31b2d515e772772b769e0af58620ce6ebb0000000000000000b3118f98668f157ef2a162edec964622b973e22006893da50069737261656c
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "israel"
State = 0x6e47be67f27de2502cd61fc55e3fd1d8
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 6
modcall[authorize]: module "preprocess" returns ok for request 6
rlm_eap: EAP packet type response id 56 length 65
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 6
rlm_ldap: - authorize
rlm_ldap: performing user authorization for israel
radius_xlat: '(uid=israel)'
radius_xlat: 'dc=testdomain,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=testdomain,dc=com, with filter (uid=israel)
rlm_ldap: Added password 79/amk9cWxbpM in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding ntPassword as NT-Password, value 6C4C4EB68A4C6082AB37166A9E967273 & op=21
rlm_ldap: Adding lmPassword as LM-Password, value 24C4A2B160D56070C187B8085FE1D9DF & op=21
rlm_ldap: Adding radiusAuthType as Auth-Type, value PEAP & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding radiusServiceType as Service-Type, value login & op=11
rlm_ldap: user israel authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 6
modcall: group authorize returns updated for request 6
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
rlm_eap: Request found, released from the list
rlm_eap: EAP/mschapv2
rlm_eap: processing type mschapv2
Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 6
rlm_mschap: Found LM-Password
rlm_mschap: Found NT-Password
rlm_mschap: Told to do MS-CHAPv2 for israel with NT-Password
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
modcall[authenticate]: module "mschap" returns reject for request 6
modcall: group Auth-Type returns reject for request 6
rlm_eap: Freeing handler
modcall[authenticate]: module "eap" returns reject for request 6
modcall: group authenticate returns reject for request 6
auth: Failed to validate the user.
PEAP: Got tunneled reply RADIUS code 3
Service-Type = Login-User
MS-CHAP-Error = "8E=691 R=1"
EAP-Message = 0x04380004
Message-Authenticator = 0x00000000000000000000000000000000
PEAP: Processing from tunneled session code 0x817f5c8 3
Service-Type = Login-User
MS-CHAP-Error = "8E=691 R=1"
EAP-Message = 0x04380004
Message-Authenticator = 0x00000000000000000000000000000000
PEAP: Tunneled authentication was rejected.
rlm_eap_peap: FAILURE
modcall[authenticate]: module "eap" returns handled for request 6
modcall: group authenticate returns handled for request 6
Sending Access-Challenge of id 87 to 172.22.2.32:1243
Service-Type = Login-User
EAP-Message = 0x013900261900170301001b9c431e0aef70813662d2cf5a13dad4266b857b5f90a55aa89bc9cd
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x659f1d947efe324a2ffa43bc885c3798
Finished request 6
Going to the next request
--- Walking the entire request list ---
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 172.22.2.32:1244, id=91, length=131
User-Name = "israel"
EAP-Message = 0x023900261900170301001ba42ef347d0efb20392c168d99200aec35a7025f3bea24e50263882
NAS-IP-Address = 172.22.2.32
Service-Type = Login-User
Calling-Station-Id = "0.0.0.0"
NAS-Port-Type = Ethernet
State = 0x659f1d947efe324a2ffa43bc885c3798
Message-Authenticator = 0x4c614c3398a4c5e0e050864d6e7bdf94
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 7
modcall[authorize]: module "preprocess" returns ok for request 7
rlm_eap: EAP packet type response id 57 length 38
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 7
rlm_ldap: - authorize
rlm_ldap: performing user authorization for israel
radius_xlat: '(uid=israel)'
radius_xlat: 'dc=testdomain,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=testdomain,dc=com, with filter (uid=israel)
rlm_ldap: Added password 79/amk9cWxbpM in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding ntPassword as NT-Password, value 6C4C4EB68A4C6082AB37166A9E967273 & op=21
rlm_ldap: Adding lmPassword as LM-Password, value 24C4A2B160D56070C187B8085FE1D9DF & op=21
rlm_ldap: Adding radiusAuthType as Auth-Type, value PEAP & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding radiusServiceType as Service-Type, value login & op=11
rlm_ldap: user israel authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 7
modcall: group authorize returns updated for request 7
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 7
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: Received EAP-TLV response.
rlm_eap_peap: Tunneled data is valid.
rlm_eap_peap: Had sent TLV failure, rejecting.
rlm_eap: Handler failed in EAP/peap
rlm_eap: Failed in EAP select
modcall[authenticate]: module "eap" returns invalid for request 7
modcall: group authenticate returns invalid for request 7
auth: Failed to validate the user.
Delaying request 7 for 1 seconds
Finished request 7
Going to the next request
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 172.22.2.32:1244, id=91, length=131
Sending Access-Reject of id 91 to 172.22.2.32:1244
EAP-Message = 0x04390004
Message-Authenticator = 0x00000000000000000000000000000000
--- Walking the entire request list ---
Waking up in 2 seconds...




Radius.conf

prefix = /usr/local/radius
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = ${prefix}/var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct

confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd

log_file = ${logdir}/radius.log

libdir = ${exec_prefix}/lib

pidfile = ${run_dir}/radiusd.pid


max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = *
port = 0
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log_stripped_names = no
log_auth = no
log_auth_badpass = no
log_auth_goodpass = no
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
security {
        max_attributes = 200
        reject_delay = 1
        status_server = no
}

proxy_requests  = yes
$INCLUDE  ${confdir}/proxy.conf
$INCLUDE  ${confdir}/clients.conf
snmp    = no
$INCLUDE  ${confdir}/snmp.conf

modules {
        # PAP module to authenticate users based on their stored password
        #
        #  Supports multiple encryption schemes
        #  clear: Clear text
        #  crypt: Unix crypt
        #    md5: MD5 encryption
        #   sha1: SHA1 encryption.
        #  DEFAULT: crypt
        pap {
                encryption_scheme = clear
#               encryption_scheme = crypt
        }

        # CHAP module
        #
        #  To authenticate requests containing a CHAP-Password attribute.
        #
        chap {
                authtype = CHAP
        }
$INCLUDE ${confdir}/eap.conf

#
# This module supports MS-CHAP and MS-CHAPv2 authentication.
# It also enforces the SMB-Account-Ctrl attribute.
#
mschap {
authtype = MS-CHAP
use_mppe = yes
# #use_mppe = yes
require_encryption = yes
# #require_encryption = yes
require_strong = yes
# #require_strong = yes
with_ntdomain_hack = no
#with_ntdomain_hack = yes
#ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
#ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}
ldap {
server = localhost
#server = "ldap.your.domain"
identity = cn=admin,dc=testdomain,dc=com
# identity = "cn=admin,o=My Org,c=UA"
password = teste
# password = mypass
basedn = dc=testdomain,dc=com
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
#filter = "(uid=%u)"
base_filter = "(objectclass=radiusprofile)"


                # set this to 'yes' to use TLS encrypted connections
                # to the LDAP database by using the StartTLS extended
                # operation.
                # The StartTLS operation is supposed to be used with normal
                # ldap connections instead of using ldaps (port 636) connections
                start_tls = no
                tls_mode = no

                # tls_cacertfile        = /path/to/cacert.pem
                # tls_cacertdir         = /path/to/ca/dir/
                # tls_certfile          = /path/to/radius.crt
                # tls_keyfile           = /path/to/radius.key
                # tls_randfile          = /path/to/rnd
                # tls_require_cert      = "demand"

                # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
                # profile_attribute = "radiusProfileDn"
                profile_attribute = "radiusProfileDn"
                ####access_attr = "dialupAccess"

                # Mapping of RADIUS dictionary attributes to LDAP
                # directory attributes.
                dictionary_mapping = ${raddbdir}/ldap.attrmap

                ####ldap_cache_timeout = 120
                ####ldap_cache_size = 0

                ####ldap_connections_number = 5

#
# NOTICE: The password_header directive is NOT case insensitive
#
#password_header = "{clear}"
password_header = "{CRYPT}"
#
# The server can usually figure this out on its own, and pull
# the correct User-Password or NT-Password from the database.
#
# Note that NT-Passwords MUST be stored as a 32-digit hex
# string, and MUST start off with "0x", such as:
#
# 0x000102030405060708090a0b0c0d0e0f
#
# Without the leading "0x", NT-Passwords will not work.
# This goes for NT-Passwords stored in SQL, too.
#
password_attribute = userPassword
# groupname_attribute = cn
#groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
groupmembership_attribute = radiusGroupName
timeout = 4
timelimit = 3
net_timeout = 1
###compare_check_items = yes
compare_check_items = no
do_xlat = yes
#access_attr_used_for_allow = yes
}


        realm IPASS {
                format = prefix
                delimiter = "/"
                ignore_default = no
                ignore_null = no
        }

        #  '[EMAIL PROTECTED]'
        #
        realm suffix {
                format = suffix
                delimiter = "@"
                ignore_default = no
                ignore_null = no
        }

        #  'username%realm'
        #
        realm realmpercent {
                format = suffix
                delimiter = "%"
                ignore_default = no
                ignore_null = no
        }

        #
        #  'domain\user'
        #
        realm ntdomain {
                format = prefix
                delimiter = "\\"
                ignore_default = no
                ignore_null = no
        }       

        preprocess {
                huntgroups = ${confdir}/huntgroups
                hints = ${confdir}/hints

                with_ntdomain_hack = no
                with_specialix_jetstream_hack = no
                with_cisco_vsa_hack = no
        }

        # Livingston-style 'users' file
        files {
                usersfile = ${confdir}/users
                acctusersfile = ${confdir}/acct_users
                compat = no
        }

acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
}


        # The "always" module is here for debugging purposes. Each
        # instance simply returns the same result, always, without
        # doing anything.
        always fail {
                rcode = fail
        }
        always reject {
                rcode = reject
        }
        always ok {
                rcode = ok
                simulcount = 0
                mpp = no
        }

}
authorize {
        preprocess
        #chap
        #mschap
        #suffix
#       ntdomain
        eap
        #files
#       sql
#       etc_smbpasswd
        ldap
#       daily
#       checkval
}

authenticate {
        Auth-Type PAP {
                pap
        }

        Auth-Type CHAP {
                chap
        }

        #
        #  MSCHAP authentication.
        Auth-Type MS-CHAP {
                mschap
        }
#       digest
#       pam
        #unix
        Auth-Type LDAP {
                ldap
        }

        eap
}
#
preacct {
        preprocess
        acct_unique
#       IPASS
        suffix
#       ntdomain

        #files
}
#       eap
#}



eap.conf

#
#  Whatever you do, do NOT set 'Auth-Type := EAP'.  The server
#  is smart enough to figure this out on its own.  The most
#  common side effect of setting 'Auth-Type := EAP' is that the
#  users then cannot use ANY other authentication method.
#
#       $Id: eap.conf,v 1.4 2004/04/15 18:34:41 aland Exp $
#
        eap {
                default_eap_type = peap

                timer_expire     = 60
                ignore_unknown_eap_types = yes
                cisco_accounting_username_bug = no

                tls {
                        private_key_password = whatever
                        private_key_file = /usr/local/openssl/ssl/misc/cert-srv.pem
                        certificate_file = /usr/local/openssl/ssl/misc/cert-srv.pem
                        CA_file = /usr/local/openssl/ssl/misc/root.pem
                        dh_file = /usr/local/openssl/ssl/misc/dh
                        random_file = /usr/local/openssl/ssl/misc/random
                        fragment_size = 1024
                        include_length = yes
                #       check_crl = yes
               #       check_cert_cn = %{User-Name}
                }
                 peap {
                        default_eap_type = mschapv2
                }
                mschapv2 {
                }
        }







Willey Kurt D wrote:
yes

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Israel
Fabio Alves
Sent: Thursday, January 13, 2005 1:19 PM
To: freeradius-users@lists.freeradius.org
Subject: Re: LDAP, PEAP, Active Directory issue

Hi,

I have a question about the problem below.

If in LDAP (openldap) we provide the ntpassword (with samba), will it work to authenticate Windows XP users with PEAP + mschapv2?

Thanks.

Ron Wahler wrote:

You could still encrypt the passwords in the ldap database; it just has
to be a two-way hash so you can get the password in the clear.

Ron.

Ron Wahler
http://www.positive-logic.net

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Christopher Price
Sent: Thursday, January 13, 2005 8:58 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: LDAP, PEAP, Active Directory issue

I am having the same problem. When you use an EAP type (like PEAP), a
hash of the password is sent to the radius server. The radius server is
able to deal with this if it has the password (such as in a mysql DB or
local file). The password can be hashed and compared with the hash that
was received from the client (WinXP PC in your case). If you use LDAP,
you must supply a cleartext password (usually over SSL) in order to
perform PAP authentication. Since you are sending the hash of the
password to the LDAP server it cannot bind. The only solution that I
have found is to store cleartext passwords in the LDAP DB, but this
would defeat the purpose of authentication because then anyone could
view passwords stored on the LDAP server. I hope this explanation helps
(at least it wasn't filled with WTF's and RTFM's like some responses).
:)



[EMAIL PROTECTED] 1/13/2005 9:07:17 AM >>>

On Thu, 13 Jan 2005 10:06:15 -0500, Alan DeKok <[EMAIL PROTECTED]> wrote:

AJ Grinnell <[EMAIL PROTECTED]> wrote:

Ok, I have peap working with the users file and with mysql, and I have
radius working with ldap also. But I can not get a user to
authenticate against ldap using peap.

The server does not authenticate against LDAP for any EAP type. See
my previous message to you on this topic.

I have seen that you can't use eap and ldap,

You already asked this question, and I already answered it. If you
don't remember, read the list archives.

but peap and ldap should work from what I have read.

PEAP is a type of EAP.

the debug that I am seeing is very long, so I have included the part
where I am seeing an obvious error.

The part where it says it doesn't have a password?

rlm_mschap: No User-Password configured. Cannot create LM-Password.
rlm_mschap: No User-Password configured. Cannot create NT-Password.
rlm_mschap: Told to do MS-CHAPv2 for agrinnell with NT-Password
rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform authentication.

You haven't told the server what the user's password is.  How the
heck do you expect it to authenticate anyone?

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



I'm sorry, I have not seen any replies that you may have given me. The server has been told what the user's password is when they log in over the wireless; Windows XP asks for a username and password, both of which are in active directory. I can authenticate against the users file and a mysql database in the same fashion, why would ldap not work? Again, I'm sorry if this is a basic question.



-- Israel Alves - Gerente de Infraestrutura Quantiza Systems - 55(51) 598-2343
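
Added example (not part of the original message and not FreeRADIUS code): a Python decoder for three values from the debug output at the top of this message, namely the tunneled EAP-Message, the MS-CHAP-Error string and the NT-Password line logged by rlm_ldap. The function names are hypothetical; the packet layout is the EAP-MSCHAPv2 Response format, the error codes are those of RFC 2759, and the format check is the one stated in the radiusd.conf comment ("0x" followed by 32 hex digits).

```python
import re
import struct

# Added example. Inputs are copied from the debug output in this message.
EAP_HEX = (
    "023800411a" "0238003c31"  # EAP header + type, MS-CHAPv2 header
    "b2d515e772772b769e0af58620ce6ebb"  # Peer-Challenge (16 bytes)
    "0000000000000000"  # Reserved (8 bytes)
    "b3118f98668f157ef2a162edec964622b973e22006893da5"  # NT-Response (24)
    "00" "69737261656c"  # Flags, Name
)
MSCHAP_ERROR = "8E=691 R=1"
LDAP_LINE = ("rlm_ldap: Adding ntPassword as NT-Password, "
             "value 6C4C4EB68A4C6082AB37166A9E967273 & op=21")

# Failure codes listed in RFC 2759, section 6.
ERROR_NAMES = {646: "ERROR_RESTRICTED_LOGON_HOURS", 647: "ERROR_ACCT_DISABLED",
               648: "ERROR_PASSWD_EXPIRED", 649: "ERROR_NO_DIALIN_PERMISSION",
               691: "ERROR_AUTHENTICATION_FAILURE",
               709: "ERROR_CHANGING_PASSWORD"}


def parse_mschapv2_response(hex_str):
    """Split an EAP-MSCHAPv2 Response packet into its fields."""
    pkt = bytes.fromhex(hex_str)
    if len(pkt) < 59:  # 5 EAP + 5 MS-CHAPv2 header + 49 value bytes
        raise ValueError("too short for an EAP-MSCHAPv2 Response")
    code, eap_id, length, eap_type = struct.unpack("!BBHB", pkt[:5])
    opcode, ms_id, ms_len, value_size = struct.unpack("!BBHB", pkt[5:10])
    if (code, eap_type, opcode) != (2, 26, 2):
        raise ValueError("not an EAP-Response carrying MS-CHAPv2 Response")
    if length != len(pkt) or ms_len != length - 5 or value_size != 49:
        raise ValueError("inconsistent length fields")
    value = pkt[10:59]
    return {
        "eap_id": eap_id,
        "mschap_id": ms_id,
        "peer_challenge": value[:16],
        "reserved_is_zero": value[16:24] == bytes(8),
        "nt_response": value[24:48],
        "flags": value[48],
        "name": pkt[59:].decode("ascii", "replace"),
    }


def parse_mschap_error(text):
    """Decode the logged MS-CHAP-Error: one ident byte, then E= and R=."""
    m = re.fullmatch(r"(.)E=(\d+) R=([01])(?: .*)?", text, re.S)
    if not m:
        raise ValueError("unrecognised MS-CHAP-Error string")
    code = int(m.group(2))
    return {"ident": ord(m.group(1)), "code": code,
            "name": ERROR_NAMES.get(code, "unknown"),
            "retry_allowed": m.group(3) == "1"}


def nt_password_from_log(line):
    """Return (value, True if it is '0x' followed by 32 hex digits)."""
    m = re.search(r"NT-Password, value (\S+)", line)
    if not m:
        raise ValueError("no NT-Password value in line")
    value = m.group(1)
    return value, re.fullmatch(r"0x[0-9A-Fa-f]{32}", value) is not None
```

The leading "8" in the logged MS-CHAP-Error is the ident byte 0x38 (56), the same value as the MS-CHAPv2-ID in the decoded response, and `nt_password_from_log(LDAP_LINE)` reports that the value read from the directory carries no `0x` prefix.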
