Point ntlm_auth to your samba install; like:

ntlm_auth = "/your/install/location/samba/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Israel Fabio Alves
Sent: Thursday, January 13, 2005 2:25 PM
To: freeradius-users@lists.freeradius.org
Subject: Re: LDAP, PEAP, Active Directory issue

Sorry for the question, but do you have a sample radius.conf to publish for us? Because I tried to configure this, but I always have the error below:

PEAP: Got tunneled reply RADIUS code 3
        Service-Type = Login-User
        MS-CHAP-Error = "8E=691 R=1"
        EAP-Message = 0x04380004
        Message-Authenticator = 0x00000000000000000000000000000000
PEAP: Processing from tunneled session code 0x817f5c8 3
        Service-Type = Login-User
        MS-CHAP-Error = "8E=691 R=1"
        EAP-Message = 0x04380004
        Message-Authenticator = 0x00000000000000000000000000000000
PEAP: Tunneled authentication was rejected.
rlm_eap_peap: FAILURE

Debug file:

Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/radius/etc/raddb/proxy.conf
Config: including file: /usr/local/radius/etc/raddb/clients.conf
Config: including file: /usr/local/radius/etc/raddb/snmp.conf
Config: including file: /usr/local/radius/etc/raddb/eap.conf
 main: prefix = "/usr/local/radius"
 main: localstatedir = "/usr/local/radius/var"
 main: logdir = "/usr/local/radius/var/log/radius"
 main: libdir = "/usr/local/radius/lib"
 main: radacctdir = "/usr/local/radius/var/log/radius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/usr/local/radius/var/log/radius/radius.log"
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/usr/local/radius/var/run/radiusd/radiusd.pid"
 main: user = "(null)"
 main: group = "(null)"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/local/radius/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/radius/lib
Module: Loaded PAP
 pap: encryption_scheme = "clear"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = yes
 mschap: require_strong = yes
 mschap: with_ntdomain_hack = no
 mschap: passwd = "(null)"
 mschap: authtype = "MS-CHAP"
 mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded LDAP
 ldap: server = "localhost"
 ldap: port = 389
 ldap: net_timeout = 1
 ldap: timeout = 4
 ldap: timelimit = 3
 ldap: identity = "cn=admin,dc=testdomain,dc=com"
 ldap: tls_mode = no
 ldap: start_tls = no
 ldap: tls_cacertfile = "(null)"
 ldap: tls_cacertdir = "(null)"
 ldap: tls_certfile = "(null)"
 ldap: tls_keyfile = "(null)"
 ldap: tls_randfile = "(null)"
 ldap: tls_require_cert = "allow"
 ldap: password = "xtopazio"
 ldap: basedn = "dc=testdomain,dc=com"
 ldap: filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
 ldap: base_filter = "(objectclass=radiusprofile)"
 ldap: default_profile = "(null)"
 ldap: profile_attribute = "radiusProfileDn"
 ldap: password_header = "{CRYPT}"
 ldap: password_attribute = "userPassword"
 ldap: access_attr = "(null)"
 ldap: groupname_attribute = "cn"
 ldap: groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
 ldap: groupmembership_attribute = "radiusGroupName"
 ldap: dictionary_mapping = "/usr/local/radius/etc/raddb/ldap.attrmap"
 ldap: ldap_debug = 0
 ldap: ldap_connections_number = 5
 ldap: compare_check_items = no
 ldap: access_attr_used_for_allow = yes
 ldap: do_xlat = yes
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: reading ldap<->radius mappings from file /usr/local/radius/etc/raddb/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
conns: 0x814cfe8
Module: Instantiated ldap (ldap)
Module: Loaded eap
 eap: default_eap_type = "peap"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = yes
 eap: cisco_accounting_username_bug = no
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = "(null)"
 tls: pem_file_type = yes
 tls: private_key_file = "/usr/local/openssl/ssl/misc/cert-srv.pem"
 tls: certificate_file = "/usr/local/openssl/ssl/misc/cert-srv.pem"
 tls: CA_file = "/usr/local/openssl/ssl/misc/root.pem"
 tls: private_key_password = "whatever"
 tls: dh_file = "/usr/local/openssl/ssl/misc/dh"
 tls: random_file = "/usr/local/openssl/ssl/misc/random"
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
 tls: check_cert_cn = "(null)"
rlm_eap: Loaded and initialized type tls
 peap: default_eap_type = "mschapv2"
 peap: copy_request_to_tunnel = no
 peap: use_tunneled_reply = no
 peap: proxy_tunneled_request_as_eap = yes
rlm_eap: Loaded and initialized type peap
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = "/usr/local/radius/etc/raddb/huntgroups"
 preprocess: hints = "/usr/local/radius/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded Acct-Unique-Session-Id
 acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded realm
 realm: format = "suffix"
 realm: delimiter = "@"
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix)
Listening on authentication *:1812
Listening on accounting *:1813
Listening on proxy *:1814
Ready to process requests.
rad_recv: Access-Request packet from host 172.22.2.32:1237, id=254, length=86
        User-Name = "israel"
        EAP-Message = 0x0232000b0169737261656c
        NAS-IP-Address = 172.22.2.32
        Service-Type = Login-User
        Calling-Station-Id = "0.0.0.0"
        NAS-Port-Type = Ethernet
        Message-Authenticator = 0x538884dd87995e9d15ae98534ab66abe
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  rlm_eap: EAP packet type response id 50 length 11
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for israel
radius_xlat: '(uid=israel)'
radius_xlat: 'dc=testdomain,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as cn=admin,dc=testdomain,dc=com/xtopazio to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful rlm_ldap: performing search in dc=testdomain,dc=com, with filter (uid=israel) rlm_ldap: Added password 79/amk9cWxbpM in check items rlm_ldap: looking for check items in directory... rlm_ldap: Adding ntPassword as NT-Password, value 6C4C4EB68A4C6082AB37166A9E967273 & op=21 rlm_ldap: Adding lmPassword as LM-Password, value 24C4A2B160D56070C187B8085FE1D9DF & op=21 rlm_ldap: Adding radiusAuthType as Auth-Type, value PEAP & op=21 rlm_ldap: looking for reply items in directory... rlm_ldap: Adding radiusServiceType as Service-Type, value login & op=11 rlm_ldap: user israel authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 0 modcall: group authorize returns updated for request 0 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 0 modcall: group authenticate returns handled for request 0 Sending Access-Challenge of id 254 to 172.22.2.32:1237 Service-Type = Login-User EAP-Message = 0x013300061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa54c60f332d5157356d99e31c44b321e Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... 
rad_recv: Access-Request packet from host 172.22.2.32:1238, id=44, length=173 User-Name = "israel" EAP-Message = 0x0233005019800000004616030100410100003d030141e6d4792b0ae33065691a3feeb3 e20d05197228315e4655918f04dda89920a500001600040005000a000900640062000300 060013001200630100 NAS-IP-Address = 172.22.2.32 Service-Type = Login-User Calling-Station-Id = "0.0.0.0" NAS-Port-Type = Ethernet State = 0xa54c60f332d5157356d99e31c44b321e Message-Authenticator = 0xb55e3fd5ac22f6961123f40472b01220 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module "preprocess" returns ok for request 1 rlm_eap: EAP packet type response id 51 length 80 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 1 rlm_ldap: - authorize rlm_ldap: performing user authorization for israel radius_xlat: '(uid=israel)' radius_xlat: 'dc=testdomain,dc=com' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=testdomain,dc=com, with filter (uid=israel) rlm_ldap: Added password 79/amk9cWxbpM in check items rlm_ldap: looking for check items in directory... rlm_ldap: Adding ntPassword as NT-Password, value 6C4C4EB68A4C6082AB37166A9E967273 & op=21 rlm_ldap: Adding lmPassword as LM-Password, value 24C4A2B160D56070C187B8085FE1D9DF & op=21 rlm_ldap: Adding radiusAuthType as Auth-Type, value PEAP & op=21 rlm_ldap: looking for reply items in directory... 
rlm_ldap: Adding radiusServiceType as Service-Type, value login & op=11 rlm_ldap: user israel authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 1 modcall: group authorize returns updated for request 1 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 1 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 06c7], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone TLS_accept: SSLv3 write server done A TLS_accept: SSLv3 flush data TLS_accept:error in SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 1 modcall: group authenticate returns handled for request 1 Sending Access-Challenge of id 44 to 172.22.2.32:1238 Service-Type = Login-User EAP-Message = 0x0134040a19c000000724160301004a02000046030141e6b3617355afa485e92b58dac0 8b938404bdd0b8b747c1d5434e107dce721020fbca68f16cd3a7aab3a525966132e52352 6f41e7c4fedc9b0782f3c553be708300040016030106c70b0006c30006c00002e8308202 e43082024da003020102020900bdec7848e2ff4368300d06092a864886f70d0101040500 3081a1310b3009060355040613024252311a30180603550408131152696f204772616e64 6520646f2053756c311230100603550407130943616d706f20426f6d3117301506035504 
0a130e5175616e74697a61546573746532310b3009060355040b13024954311930170603 5504 EAP-Message = 0x0313105175616e74697a6154657374653243413121301f06092a864886f70d01090116 1269737261656c40746f70617a696f2e636f6d301e170d3034313132333034343731365a 170d3039313132323034343731365a3081ac310b3009060355040613024252311a301806 03550408131152696f204772616e646520646f2053756c31123010060355040713094361 6d706f20426f6d311d301b060355040a13145175616e74697a6153657276657254657374 6532310b3009060355040b13024954311e301c0603550403131564627261646975732e71 75616e74697a612e636f6d3121301f06092a864886f70d010901161269737261656c4074 6f70 EAP-Message = 0x617a696f2e636f6d30819f300d06092a864886f70d010101050003818d003081890281 8100b1296cd63fa86e61d590d912ca6eb7e2de0cf97eca6f980bddd8012ba36416beedd5 4f99f6bc6c74ac7899253d37b39cb6f25569f5b8cdcf9cd4013ff94b08c99e30a919f26b 9fd0f8fe1e64d33cbec4e5f758ad0c2f43e9a393271d2cb55221df6611bc15b6afa090b2 f5854fd7d0815d67667fe27632ba6a78b7373c07ab6f0203010001a31730153013060355 1d25040c300a06082b06010505070301300d06092a864886f70d01010405000381810067 55175413f7c77ee75f8d0a2c9ecf18eda9d62ab802926a36ab867cc974c3547dfba19c0b 456e EAP-Message = 0x2cc22979e880320b765311e49c2b3258421c3c433b6f3a01a7bd3983406cc4566a7331 097c450d65dc1b2fafdd216a59400baa80623256a94d434ab8febc41313c03c922735a03 08898ed37fcb2209ea492a965229ded1d1f40003d2308203ce30820337a0030201020209 00bdec7848e2ff4366300d06092a864886f70d01010405003081a1310b30090603550406 13024252311a30180603550408131152696f204772616e646520646f2053756c31123010 0603550407130943616d706f20426f6d31173015060355040a130e5175616e74697a6154 6573746532310b3009060355040b1302495431193017060355040313105175616e74697a 6154 EAP-Message = 0x657374653243413121301f06092a864886f70d010901 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe88fda72bb08291884a0f9b01c9cf8fb Finished request 1 Going to the next request Waking up in 6 seconds... 
rad_recv: Access-Request packet from host 172.22.2.32:1239, id=47, length=99 User-Name = "israel" EAP-Message = 0x023400061900 NAS-IP-Address = 172.22.2.32 Service-Type = Login-User Calling-Station-Id = "0.0.0.0" NAS-Port-Type = Ethernet State = 0xe88fda72bb08291884a0f9b01c9cf8fb Message-Authenticator = 0xc38c20e66dd66fd20e419d4e9b800ad6 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 2 modcall[authorize]: module "preprocess" returns ok for request 2 rlm_eap: EAP packet type response id 52 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 2 rlm_ldap: - authorize rlm_ldap: performing user authorization for israel radius_xlat: '(uid=israel)' radius_xlat: 'dc=testdomain,dc=com' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=testdomain,dc=com, with filter (uid=israel) rlm_ldap: Added password 79/amk9cWxbpM in check items rlm_ldap: looking for check items in directory... rlm_ldap: Adding ntPassword as NT-Password, value 6C4C4EB68A4C6082AB37166A9E967273 & op=21 rlm_ldap: Adding lmPassword as LM-Password, value 24C4A2B160D56070C187B8085FE1D9DF & op=21 rlm_ldap: Adding radiusAuthType as Auth-Type, value PEAP & op=21 rlm_ldap: looking for reply items in directory... 
rlm_ldap: Adding radiusServiceType as Service-Type, value login & op=11 rlm_ldap: user israel authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 2 modcall: group authorize returns updated for request 2 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 2 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 2 modcall: group authenticate returns handled for request 2 Sending Access-Challenge of id 47 to 172.22.2.32:1239 Service-Type = Login-User EAP-Message = 0x0135032a1900161269737261656c40746f70617a696f2e636f6d301e170d3034313132 333034343535335a170d3036313132333034343535335a3081a1310b3009060355040613 024252311a30180603550408131152696f204772616e646520646f2053756c3112301006 03550407130943616d706f20426f6d31173015060355040a130e5175616e74697a615465 73746532310b3009060355040b1302495431193017060355040313105175616e74697a61 54657374653243413121301f06092a864886f70d010901161269737261656c40746f7061 7a696f2e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100 a4eb EAP-Message = 0x0b788323fac1be55f0a949db387efe1bd21145041e3c71305eea6b3badc0ee30785aef c4de57696d286e82bfe2f390da1644a9a2a04b1b88c61ad7e8045b9228168fd9d03e36f9 7dc7611b60ca1c4e28f5399a5edb4907cbd94d9bb91c0cd1f023ab26895b30b518fce202 1eba6446776039be2b505994fda98f8ee4d6bd0203010001a382010a30820106301d0603 551d0e041604144793557ca910fc0683f1951572f5adf94ca9881b3081d60603551d2304 81ce3081cb80144793557ca910fc0683f1951572f5adf94ca9881ba181a7a481a43081a1 
310b3009060355040613024252311a30180603550408131152696f204772616e64652064 6f20 EAP-Message = 0x53756c311230100603550407130943616d706f20426f6d31173015060355040a130e51 75616e74697a61546573746532310b3009060355040b1302495431193017060355040313 105175616e74697a6154657374653243413121301f06092a864886f70d01090116126973 7261656c40746f70617a696f2e636f6d820900bdec7848e2ff4366300c0603551d130405 30030101ff300d06092a864886f70d0101040500038181008636cfc31687d813594199d0 42e71f00431907d535adc6ec48c742a02d8638f7d9ec5332190a737e9f14a3a40312dca8 9df48451d681e31202ce5ec61b23e2978e68b0189f910ccdfd2efc3bc0e528061128d4c1 3284 EAP-Message = 0xaf62b200ad99c84ceadaf853a2b5f45994c506dba20fea366fb2240725f0507ef34d75 677a2ab714b88d16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x039d3e0d38fc9d62fc60df041f2098f2 Finished request 2 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 172.22.2.32:1240, id=65, length=285 User-Name = "israel" EAP-Message = 0x023500c01980000000b616030100861000008200800dbd328618fcb44d916ddab3f84f 208fa02d4095139707dc4355dc6028c6c0b5cb195b45c14fcd525234d6f9fb0747a4e45c ac8bdb04a8a0edd7a149a7027bab7f27ba1aa2a79aaef50c4c93598f64a56351a92df2b4 a2a2c2d6268d9fd14cf33c1cec059938d8f926e7c8a9a725f13e1137567fa1fd7da76aa3 8ee50660912314030100010116030100204086278646ecb495a5dc4c35c5952aa9a8c6ab 1e04a2acc07e3bd535ae347a5a NAS-IP-Address = 172.22.2.32 Service-Type = Login-User Calling-Station-Id = "0.0.0.0" NAS-Port-Type = Ethernet State = 0x039d3e0d38fc9d62fc60df041f2098f2 Message-Authenticator = 0x94760a0da98dd58c0ae7c0da28d595de Processing the authorize section of radiusd.conf modcall: entering group authorize for request 3 modcall[authorize]: module "preprocess" returns ok for request 3 rlm_eap: EAP packet type response id 53 length 192 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 3 rlm_ldap: - authorize rlm_ldap: 
performing user authorization for israel radius_xlat: '(uid=israel)' radius_xlat: 'dc=testdomain,dc=com' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=testdomain,dc=com, with filter (uid=israel) rlm_ldap: Added password 79/amk9cWxbpM in check items rlm_ldap: looking for check items in directory... rlm_ldap: Adding ntPassword as NT-Password, value 6C4C4EB68A4C6082AB37166A9E967273 & op=21 rlm_ldap: Adding lmPassword as LM-Password, value 24C4A2B160D56070C187B8085FE1D9DF & op=21 rlm_ldap: Adding radiusAuthType as Auth-Type, value PEAP & op=21 rlm_ldap: looking for reply items in directory... rlm_ldap: Adding radiusServiceType as Service-Type, value login & op=11 rlm_ldap: user israel authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 3 modcall: group authorize returns updated for request 3 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 3 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange TLS_accept: SSLv3 read client key exchange A rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001] rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 read finished A rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001] TLS_accept: SSLv3 write change cipher spec A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 write finished A TLS_accept: SSLv3 flush data (other): SSL negotiation finished successfully SSL Connection Established eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 3 modcall: 
group authenticate returns handled for request 3 Sending Access-Challenge of id 65 to 172.22.2.32:1240 Service-Type = Login-User EAP-Message = 0x0136003119001403010001011603010020c67c10e9b83c4303ebbd7cb85e8ca4b92c69 a7ee42250b20dabc3baa8c2c93dc Message-Authenticator = 0x00000000000000000000000000000000 State = 0x8a1139fcb4f0449037d7122da0c266ac Finished request 3 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 172.22.2.32:1241, id=79, length=99 User-Name = "israel" EAP-Message = 0x023600061900 NAS-IP-Address = 172.22.2.32 Service-Type = Login-User Calling-Station-Id = "0.0.0.0" NAS-Port-Type = Ethernet State = 0x8a1139fcb4f0449037d7122da0c266ac Message-Authenticator = 0x3006d883e837a859b05411182f5ba41d Processing the authorize section of radiusd.conf modcall: entering group authorize for request 4 modcall[authorize]: module "preprocess" returns ok for request 4 rlm_eap: EAP packet type response id 54 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 4 rlm_ldap: - authorize rlm_ldap: performing user authorization for israel radius_xlat: '(uid=israel)' radius_xlat: 'dc=testdomain,dc=com' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=testdomain,dc=com, with filter (uid=israel) rlm_ldap: Added password 79/amk9cWxbpM in check items rlm_ldap: looking for check items in directory... rlm_ldap: Adding ntPassword as NT-Password, value 6C4C4EB68A4C6082AB37166A9E967273 & op=21 rlm_ldap: Adding lmPassword as LM-Password, value 24C4A2B160D56070C187B8085FE1D9DF & op=21 rlm_ldap: Adding radiusAuthType as Auth-Type, value PEAP & op=21 rlm_ldap: looking for reply items in directory... 
rlm_ldap: Adding radiusServiceType as Service-Type, value login & op=11 rlm_ldap: user israel authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 4 modcall: group authorize returns updated for request 4 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 4 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake is finished eaptls_verify returned 3 eaptls_process returned 3 rlm_eap_peap: EAPTLS_SUCCESS modcall[authenticate]: module "eap" returns handled for request 4 modcall: group authenticate returns handled for request 4 Sending Access-Challenge of id 79 to 172.22.2.32:1241 Service-Type = Login-User EAP-Message = 0x013700201900170301001514911454f60f1c2ef87c12055b0e97c3ce93e422a6 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd0d2def6e43eba69a30a199d6ad3960c Finished request 4 Going to the next request Waking up in 6 seconds... 
rad_recv: Access-Request packet from host 172.22.2.32:1242, id=81, length=127 User-Name = "israel" EAP-Message = 0x0237002219001703010017eb16ca428f1ea7fa77fe36dde246827077b20c2d9a8b21 NAS-IP-Address = 172.22.2.32 Service-Type = Login-User Calling-Station-Id = "0.0.0.0" NAS-Port-Type = Ethernet State = 0xd0d2def6e43eba69a30a199d6ad3960c Message-Authenticator = 0x72f4a9b2dc813e3190af52cade5cd549 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 5 modcall[authorize]: module "preprocess" returns ok for request 5 rlm_eap: EAP packet type response id 55 length 34 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 5 rlm_ldap: - authorize rlm_ldap: performing user authorization for israel radius_xlat: '(uid=israel)' radius_xlat: 'dc=testdomain,dc=com' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=testdomain,dc=com, with filter (uid=israel) rlm_ldap: Added password 79/amk9cWxbpM in check items rlm_ldap: looking for check items in directory... rlm_ldap: Adding ntPassword as NT-Password, value 6C4C4EB68A4C6082AB37166A9E967273 & op=21 rlm_ldap: Adding lmPassword as LM-Password, value 24C4A2B160D56070C187B8085FE1D9DF & op=21 rlm_ldap: Adding radiusAuthType as Auth-Type, value PEAP & op=21 rlm_ldap: looking for reply items in directory... 
rlm_ldap: Adding radiusServiceType as Service-Type, value login & op=11 rlm_ldap: user israel authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 5 modcall: group authorize returns updated for request 5 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 5 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Identity - israel rlm_eap_peap: Tunneled data is valid. PEAP: Got tunneled EAP-Message EAP-Message = 0x0237000b0169737261656c PEAP: Got tunneled identity of israel PEAP: Setting default EAP type for tunneled EAP session. PEAP: Setting User-Name to israel PEAP: Sending tunneled request EAP-Message = 0x0237000b0169737261656c FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "israel" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 5 modcall[authorize]: module "preprocess" returns ok for request 5 rlm_eap: EAP packet type response id 55 length 11 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 5 rlm_ldap: - authorize rlm_ldap: performing user authorization for israel radius_xlat: '(uid=israel)' radius_xlat: 'dc=testdomain,dc=com' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=testdomain,dc=com, with filter (uid=israel) rlm_ldap: Added password 79/amk9cWxbpM in check items rlm_ldap: looking for check items in directory... 
rlm_ldap: Adding ntPassword as NT-Password, value 6C4C4EB68A4C6082AB37166A9E967273 & op=21
rlm_ldap: Adding lmPassword as LM-Password, value 24C4A2B160D56070C187B8085FE1D9DF & op=21
rlm_ldap: Adding radiusAuthType as Auth-Type, value PEAP & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding radiusServiceType as Service-Type, value login & op=11
rlm_ldap: user israel authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 5
modcall: group authorize returns updated for request 5
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 5
rlm_eap: EAP Identity
rlm_eap: processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
modcall[authenticate]: module "eap" returns handled for request 5
modcall: group authenticate returns handled for request 5
PEAP: Got tunneled reply RADIUS code 11
        Service-Type = Login-User
        EAP-Message = 0x013800201a0138001b1090401350673c3a38b6a5c0e466512e6169737261656c
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x6e47be67f27de2502cd61fc55e3fd1d8
PEAP: Processing from tunneled session code 0x81858e0 11
        Service-Type = Login-User
        EAP-Message = 0x013800201a0138001b1090401350673c3a38b6a5c0e466512e6169737261656c
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x6e47be67f27de2502cd61fc55e3fd1d8
PEAP: Got tunneled Access-Challenge
modcall[authenticate]: module "eap" returns handled for request 5
modcall: group authenticate returns handled for request 5
Sending Access-Challenge of id 81 to 172.22.2.32:1242
        Service-Type = Login-User
        EAP-Message = 0x013800371900170301002c17943940505f668cbcf7661d95d2c7649c8951cba1f89f26466cef31868cf9162191b030ea99fba789ee8ac0
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x9dceba4f210b35c1bcb2da65bceffdb3
Finished request 5
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 172.22.2.32:1243, id=87, length=181
        User-Name = "israel"
        EAP-Message = 0x023800581900170301004dc4f4be62451c4dbe778f5894da1ec11fb42bf7edbe4b1c39c6b517cf8e4f131cc6d2094f2c35ff3fe8f657a163dbb8e178784ff6fd0af5fc382cea41b1f5f2be094843102eeea76ed3ed83a871
        NAS-IP-Address = 172.22.2.32
        Service-Type = Login-User
        Calling-Station-Id = "0.0.0.0"
        NAS-Port-Type = Ethernet
        State = 0x9dceba4f210b35c1bcb2da65bceffdb3
        Message-Authenticator = 0xc9513f1f83c9e66797a8f80f841d7276
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 6
modcall[authorize]: module "preprocess" returns ok for request 6
rlm_eap: EAP packet type response id 56 length 88
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 6
rlm_ldap: - authorize
rlm_ldap: performing user authorization for israel
radius_xlat: '(uid=israel)'
radius_xlat: 'dc=testdomain,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=testdomain,dc=com, with filter (uid=israel)
rlm_ldap: Added password 79/amk9cWxbpM in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding ntPassword as NT-Password, value 6C4C4EB68A4C6082AB37166A9E967273 & op=21
rlm_ldap: Adding lmPassword as LM-Password, value 24C4A2B160D56070C187B8085FE1D9DF & op=21
rlm_ldap: Adding radiusAuthType as Auth-Type, value PEAP & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding radiusServiceType as Service-Type, value login & op=11
rlm_ldap: user israel authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 6
modcall: group authorize returns updated for request 6
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: EAP type mschapv2
rlm_eap_peap: Tunneled data is valid.
PEAP: Got tunneled EAP-Message
        EAP-Message = 0x023800411a0238003c31b2d515e772772b769e0af58620ce6ebb0000000000000000b3118f98668f157ef2a162edec964622b973e22006893da50069737261656c
PEAP: Setting User-Name to israel
PEAP: Adding old state with 6e 47
PEAP: Sending tunneled request
        EAP-Message = 0x023800411a0238003c31b2d515e772772b769e0af58620ce6ebb0000000000000000b3118f98668f157ef2a162edec964622b973e22006893da50069737261656c
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "israel"
        State = 0x6e47be67f27de2502cd61fc55e3fd1d8
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 6
modcall[authorize]: module "preprocess" returns ok for request 6
rlm_eap: EAP packet type response id 56 length 65
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 6
rlm_ldap: - authorize
rlm_ldap: performing user authorization for israel
radius_xlat: '(uid=israel)'
radius_xlat: 'dc=testdomain,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=testdomain,dc=com, with filter (uid=israel)
rlm_ldap: Added password 79/amk9cWxbpM in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding ntPassword as NT-Password, value 6C4C4EB68A4C6082AB37166A9E967273 & op=21
rlm_ldap: Adding lmPassword as LM-Password, value 24C4A2B160D56070C187B8085FE1D9DF & op=21
rlm_ldap: Adding radiusAuthType as Auth-Type, value PEAP & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding radiusServiceType as Service-Type, value login & op=11
rlm_ldap: user israel authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 6
modcall: group authorize returns updated for request 6
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
rlm_eap: Request found, released from the list
rlm_eap: EAP/mschapv2
rlm_eap: processing type mschapv2
Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 6
rlm_mschap: Found LM-Password
rlm_mschap: Found NT-Password
rlm_mschap: Told to do MS-CHAPv2 for israel with NT-Password
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
modcall[authenticate]: module "mschap" returns reject for request 6
modcall: group Auth-Type returns reject for request 6
rlm_eap: Freeing handler
modcall[authenticate]: module "eap" returns reject for request 6
modcall: group authenticate returns reject for request 6
auth: Failed to validate the user.
PEAP: Got tunneled reply RADIUS code 3
        Service-Type = Login-User
        MS-CHAP-Error = "8E=691 R=1"
        EAP-Message = 0x04380004
        Message-Authenticator = 0x00000000000000000000000000000000
PEAP: Processing from tunneled session code 0x817f5c8 3
        Service-Type = Login-User
        MS-CHAP-Error = "8E=691 R=1"
        EAP-Message = 0x04380004
        Message-Authenticator = 0x00000000000000000000000000000000
PEAP: Tunneled authentication was rejected.
rlm_eap_peap: FAILURE
modcall[authenticate]: module "eap" returns handled for request 6
modcall: group authenticate returns handled for request 6
Sending Access-Challenge of id 87 to 172.22.2.32:1243
        Service-Type = Login-User
        EAP-Message = 0x013900261900170301001b9c431e0aef70813662d2cf5a13dad4266b857b5f90a55aa89bc9cd
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x659f1d947efe324a2ffa43bc885c3798
Finished request 6
Going to the next request
--- Walking the entire request list ---
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 172.22.2.32:1244, id=91, length=131
        User-Name = "israel"
        EAP-Message = 0x023900261900170301001ba42ef347d0efb20392c168d99200aec35a7025f3bea24e50263882
        NAS-IP-Address = 172.22.2.32
        Service-Type = Login-User
        Calling-Station-Id = "0.0.0.0"
        NAS-Port-Type = Ethernet
        State = 0x659f1d947efe324a2ffa43bc885c3798
        Message-Authenticator = 0x4c614c3398a4c5e0e050864d6e7bdf94
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 7
modcall[authorize]: module "preprocess" returns ok for request 7
rlm_eap: EAP packet type response id 57 length 38
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 7
rlm_ldap: - authorize
rlm_ldap: performing user authorization for israel
radius_xlat: '(uid=israel)'
radius_xlat: 'dc=testdomain,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=testdomain,dc=com, with filter (uid=israel)
rlm_ldap: Added password 79/amk9cWxbpM in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding ntPassword as NT-Password, value 6C4C4EB68A4C6082AB37166A9E967273 & op=21
rlm_ldap: Adding lmPassword as LM-Password, value 24C4A2B160D56070C187B8085FE1D9DF & op=21
rlm_ldap: Adding radiusAuthType as Auth-Type, value PEAP & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding radiusServiceType as Service-Type, value login & op=11
rlm_ldap: user israel authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 7
modcall: group authorize returns updated for request 7
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 7
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: Received EAP-TLV response.
rlm_eap_peap: Tunneled data is valid.
rlm_eap_peap: Had sent TLV failure, rejecting.
rlm_eap: Handler failed in EAP/peap
rlm_eap: Failed in EAP select
modcall[authenticate]: module "eap" returns invalid for request 7
modcall: group authenticate returns invalid for request 7
auth: Failed to validate the user.
Delaying request 7 for 1 seconds
Finished request 7
Going to the next request
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 172.22.2.32:1244, id=91, length=131
Sending Access-Reject of id 91 to 172.22.2.32:1244
        EAP-Message = 0x04390004
        Message-Authenticator = 0x00000000000000000000000000000000
--- Walking the entire request list ---
Waking up in 2 seconds...
radiusd.conf:

prefix = /usr/local/radius
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = ${prefix}/var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
libdir = ${exec_prefix}/lib
pidfile = ${run_dir}/radiusd.pid
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = *
port = 0
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log_stripped_names = no
log_auth = no
log_auth_badpass = no
log_auth_goodpass = no
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
security {
	max_attributes = 200
	reject_delay = 1
	status_server = no
}
proxy_requests = yes
$INCLUDE ${confdir}/proxy.conf
$INCLUDE ${confdir}/clients.conf
snmp = no
$INCLUDE ${confdir}/snmp.conf
modules {
	# PAP module to authenticate users based on their stored password
	#
	# Supports multiple encryption schemes
	# clear: Clear text
	# crypt: Unix crypt
	# md5: MD5 encryption
	# sha1: SHA1 encryption.
	# DEFAULT: crypt
	pap {
		encryption_scheme = clear
		# encryption_scheme = crypt
	}
	# CHAP module
	#
	# To authenticate requests containing a CHAP-Password attribute.
	#
	chap {
		authtype = CHAP
	}
	$INCLUDE ${confdir}/eap.conf
	#
	# This module supports MS-CHAP and MS-CHAPv2 authentication.
	# It also enforces the SMB-Account-Ctrl attribute.
	#
	mschap {
		authtype = MS-CHAP
		use_mppe = yes
		#
		#use_mppe = yes
		require_encryption = yes
		#
		#require_encryption = yes
		require_strong = yes
		#
		#require_strong = yes
		with_ntdomain_hack = no
		#with_ntdomain_hack = yes
		#ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
		#ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
	}
	ldap {
		server = localhost
		#server = "ldap.your.domain"
		identity = cn=admin,dc=testdomain,dc=com
		# identity = "cn=admin,o=My Org,c=UA"
		password = teste
		# password = mypass
		basedn = dc=testdomain,dc=com
		filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
		#filter = "(uid=%u)"
		base_filter = "(objectclass=radiusprofile)"
		# set this to 'yes' to use TLS encrypted connections
		# to the LDAP database by using the StartTLS extended
		# operation.
		# The StartTLS operation is supposed to be used with normal
		# ldap connections instead of using ldaps (port 636) connections
		start_tls = no
		tls_mode = no
		# tls_cacertfile = /path/to/cacert.pem
		# tls_cacertdir = /path/to/ca/dir/
		# tls_certfile = /path/to/radius.crt
		# tls_keyfile = /path/to/radius.key
		# tls_randfile = /path/to/rnd
		# tls_require_cert = "demand"
		# default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
		# profile_attribute = "radiusProfileDn"
		profile_attribute = "radiusProfileDn"
		####access_attr = "dialupAccess"
		# Mapping of RADIUS dictionary attributes to LDAP
		# directory attributes.
		dictionary_mapping = ${raddbdir}/ldap.attrmap
		####ldap_cache_timeout = 120
		####ldap_cache_size = 0
		####ldap_connections_number = 5
		#
		# NOTICE: The password_header directive is NOT case insensitive
		#
		#password_header = "{clear}"
		password_header = "{CRYPT}"
		#
		# The server can usually figure this out on its own, and pull
		# the correct User-Password or NT-Password from the database.
		#
		# Note that NT-Passwords MUST be stored as a 32-digit hex
		# string, and MUST start off with "0x", such as:
		#
		# 0x000102030405060708090a0b0c0d0e0f
		#
		# Without the leading "0x", NT-Passwords will not work.
		# This goes for NT-Passwords stored in SQL, too.
		#
		password_attribute = userPassword
		# groupname_attribute = cn
		#groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
		groupmembership_attribute = radiusGroupName
		timeout = 4
		timelimit = 3
		net_timeout = 1
		###compare_check_items = yes
		compare_check_items = no
		do_xlat = yes
		#access_attr_used_for_allow = yes
	}
	realm IPASS {
		format = prefix
		delimiter = "/"
		ignore_default = no
		ignore_null = no
	}
	# '[EMAIL PROTECTED]'
	#
	realm suffix {
		format = suffix
		delimiter = "@"
		ignore_default = no
		ignore_null = no
	}
	# 'username%realm'
	#
	realm realmpercent {
		format = suffix
		delimiter = "%"
		ignore_default = no
		ignore_null = no
	}
	#
	# 'domain\user'
	#
	realm ntdomain {
		format = prefix
		delimiter = "\\"
		ignore_default = no
		ignore_null = no
	}
	preprocess {
		huntgroups = ${confdir}/huntgroups
		hints = ${confdir}/hints
		with_ntdomain_hack = no
		with_specialix_jetstream_hack = no
		with_cisco_vsa_hack = no
	}
	# Livingston-style 'users' file
	files {
		usersfile = ${confdir}/users
		acctusersfile = ${confdir}/acct_users
		compat = no
	}
	acct_unique {
		key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
	}
	# The "always" module is here for debugging purposes. Each
	# instance simply returns the same result, always, without
	# doing anything.
	always fail {
		rcode = fail
	}
	always reject {
		rcode = reject
	}
	always ok {
		rcode = ok
		simulcount = 0
		mpp = no
	}
}
authorize {
	preprocess
	#chap
	#mschap
	#suffix
	# ntdomain
	eap
	#files
	# sql
	# etc_smbpasswd
	ldap
	# daily
	# checkval
}
authenticate {
	Auth-Type PAP {
		pap
	}
	Auth-Type CHAP {
		chap
	}
	#
	# MSCHAP authentication.
	Auth-Type MS-CHAP {
		mschap
	}
	# digest
	# pam
	#unix
	Auth-Type LDAP {
		ldap
	}
	eap
}
# preacct {
	preprocess
	acct_unique
	# IPASS
	suffix
	# ntdomain
	#files
}
# eap
#}

eap.conf:

#
# Whatever you do, do NOT set 'Auth-Type := EAP'. The server
# is smart enough to figure this out on its own. The most
# common side effect of setting 'Auth-Type := EAP' is that the
# users then cannot use ANY other authentication method.
#
# $Id: eap.conf,v 1.4 2004/04/15 18:34:41 aland Exp $
#
eap {
	default_eap_type = peap
	timer_expire = 60
	ignore_unknown_eap_types = yes
	cisco_accounting_username_bug = no
	tls {
		private_key_password = whatever
		private_key_file = /usr/local/openssl/ssl/misc/cert-srv.pem
		certificate_file = /usr/local/openssl/ssl/misc/cert-srv.pem
		CA_file = /usr/local/openssl/ssl/misc/root.pem
		dh_file = /usr/local/openssl/ssl/misc/dh
		random_file = /usr/local/openssl/ssl/misc/random
		fragment_size = 1024
		include_length = yes
		# check_crl = yes
		# check_cert_cn = %{User-Name}
	}
	peap {
		default_eap_type = mschapv2
	}
	mschapv2 {
	}
}

Willey Kurt D wrote:
> yes
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Israel
> Fabio Alves
> Sent: Thursday, January 13, 2005 1:19 PM
> To: freeradius-users@lists.freeradius.org
> Subject: Re: LDAP, PEAP, Active Directory issue
>
> Hi,
>
> I have a question about the problem below.
>
> If in LDAP (openldap) we provide the ntpassword (with samba), will it
> work to authenticate Windows XP users with PEAP + mschapv2?
>
> Thanks.
>
> Ron Wahler wrote:
>
>>You could still encrypt the passwords in the ldap database, it just has
>>to be a two-way hash so you can get the password in the clear.
>>
>>Ron.
>>
>>Ron Wahler
>>http://www.positive-logic.net
>>
>>-----Original Message-----
>>From: [EMAIL PROTECTED]
>>[mailto:[EMAIL PROTECTED] On Behalf Of
>>Christopher Price
>>Sent: Thursday, January 13, 2005 8:58 AM
>>To: freeradius-users@lists.freeradius.org
>>Subject: Re: LDAP, PEAP, Active Directory issue
>>
>>I am having the same problem. When you use an EAP type (like PEAP), a
>>hash of the password is sent to the radius server. The radius server is
>>able to deal with this if it has the password (such as in a mysql DB or
>>local file). The password can be hashed and compared with the hash that
>>was received from the client (WinXP PC in your case). If you use LDAP,
>>you must supply a cleartext password (usually over SSL) in order to
>>perform PAP authentication. Since you are sending the hash of the
>>password to the LDAP server it cannot bind. The only solution that I
>>have found is to store cleartext passwords in the LDAP DB, but this
>>would defeat the purpose of authentication because then anyone could
>>view passwords stored on the LDAP server. I hope this explanation helps
>>(at least it wasn't filled with WTF's and RTFM's like some responses).
>>:)
>>
>>>>>[EMAIL PROTECTED] 1/13/2005 9:07:17 AM >>>
>>
>>On Thu, 13 Jan 2005 10:06:15 -0500, Alan DeKok <[EMAIL PROTECTED]> wrote:
>>
>>>AJ Grinnell <[EMAIL PROTECTED]> wrote:
>>>
>>>>Ok, I have peap working with the users file and with mysql, and I have
>>>>radius working with ldap also. But I can not get a user to
>>>>authenticate against ldap using peap.
>>>
>>>  The server does not authenticate against LDAP for any EAP type. See
>>>my previous message to you on this topic.
>>>
>>>>I have seen that you can't use eap and ldap,
>>>
>>>  You already asked this question, and I already answered it. If you
>>>don't remember, read the list archives.
>>>
>>>>but peap and ldap should work from what I have read.
>>>
>>>  PEAP is a type of EAP.
>>>
>>>>the debug that I am seeing is very long, so I have included the part
>>>>where I am seeing an obvious error.
>>>
>>>  The part where it says it doesn't have a password?
>>>
>>>>rlm_mschap: No User-Password configured. Cannot create LM-Password.
>>>>rlm_mschap: No User-Password configured. Cannot create NT-Password.
>>>>rlm_mschap: Told to do MS-CHAPv2 for agrinnell with NT-Password
>>>>rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
>>>
>>>  You haven't told the server what the user's password is. How the
>>>heck do you expect it to authenticate anyone?
>>>
>>>  Alan DeKok.
>>>
>>>-
>>>List info/subscribe/unsubscribe? See
>>>http://www.freeradius.org/list/users.html
>>
>>I'm sorry, I have not seen any replies that you may have given me. The
>>server has been told what the user's password is when they log in over
>>the wireless, Windows XP asks for a username and password, both of
>>which are in active directory. I can authenticate against the users
>>file and a mysql database in the same fashion, why would ldap not
>>work? Again, I'm sorry if this is a basic question.
>>

--
Israel Alves - Infrastructure Manager
Quantiza Systems - 55(51) 598-2343
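The exchange in the debug output above can be replayed offline. What follows is an added example, not code from this thread or from FreeRADIUS: a small Go program that parses the two tunnelled EAP-MSCHAPv2 packets radiusd logged (the Challenge it sent and the Response the XP supplicant returned) and then performs the RFC 2759 check that rlm_mschap performs once it holds an NT-Password: derive the 8-byte challenge as SHA1(PeerChallenge || AuthenticatorChallenge || UserName), DES-encrypt it under the three 7-byte slices of the zero-padded NT hash, and compare the result with the NT-Response. The packet hex and the ntPassword value are copied from the log; the function names (ParseChallenge, ParseResponse, VerifyNTResponse, CheckLoggedExchange) are mine. Two things it makes concrete: the server needs the NT hash (or the cleartext, from which the NT hash is MD4 of the UTF-16LE password) and nothing else will do, so a {CRYPT} userPassword such as the 79/amk9cWxbpM value in the log can never satisfy MS-CHAPv2 no matter how the bind is done; and the NT hash by itself is enough to produce valid responses, so a debug log that prints it, like this one, has leaked a reusable credential for that account and should be treated like a password.

```go
package main

import (
	"bytes"
	"crypto/des"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
)

// Copied from the debug output above: the tunnelled MS-CHAPv2 Challenge and Response, and rlm_ldap's NT-Password value.
const (
	logChallengeHex = "013800201a0138001b1090401350673c3a38b6a5c0e466512e6169737261656c"
	logResponseHex  = "023800411a0238003c31b2d515e772772b769e0af58620ce6ebb0000000000000000" +
		"b3118f98668f157ef2a162edec964622b973e22006893da50069737261656c"
	logNTHashHex = "6C4C4EB68A4C6082AB37166A9E967273"
)

// mschapValue decodes a hex EAP-MSCHAPv2 packet, checks both headers and
// returns the Value field (of the expected size) and the trailing Name.
func mschapValue(h string, eapCode, opcode, valueSize byte) ([]byte, string, error) {
	n := 10 + int(valueSize)
	p, err := hex.DecodeString(h)
	// EAP: Code(1) Id(1) Length(2) Type(1)=26; MS-CHAPv2: OpCode(1) Id(1) MS-Length(2) Value-Size(1)
	if err != nil || len(p) < n || p[0] != eapCode || p[4] != 26 || p[5] != opcode || p[9] != valueSize ||
		int(p[2])<<8|int(p[3]) != len(p) || int(p[7])<<8|int(p[8]) != len(p)-5 {
		return nil, "", fmt.Errorf("malformed or unexpected EAP-MSCHAPv2 packet: %v", err)
	}
	return p[10:n], string(p[n:]), nil
}

// ParseChallenge returns the 16-byte Authenticator Challenge and server name from an EAP-Request/MSCHAPv2-Challenge.
func ParseChallenge(h string) ([]byte, string, error) {
	return mschapValue(h, 1, 1, 16)
}

// ParseResponse returns Peer-Challenge, NT-Response and Name from an EAP-Response/MSCHAPv2-Response,
// whose 49-byte Value is Peer-Challenge(16) Reserved(8) NT-Response(24) Flags(1).
func ParseResponse(h string) ([]byte, []byte, string, error) {
	v, name, err := mschapValue(h, 2, 2, 49)
	if err != nil {
		return nil, nil, "", err
	}
	return v[0:16], v[24:48], name, nil
}

// challengeHash is RFC 2759 ChallengeHash(): SHA1(Peer || Authenticator || Name)[0:8].
func challengeHash(peer, auth []byte, name string) []byte {
	h := sha1.New()
	h.Write(peer)
	h.Write(auth)
	h.Write([]byte(name))
	return h.Sum(nil)[:8]
}

// desKey56to64 spreads 7 key bytes over 8 (seven key bits per byte, parity bit cleared; crypto/des ignores parity).
func desKey56to64(k []byte) []byte {
	kk := append(append([]byte{0}, k...), 0) // zero neighbours at both ends
	key := make([]byte, 8)
	for i := 0; i < 8; i++ {
		key[i] = (kk[i]<<(8-i) | kk[i+1]>>i) & 0xFE
	}
	return key
}

// ntResponse is RFC 2759 ChallengeResponse(): the 8-byte challenge DES-encrypted
// under each 7-byte slice of the NT hash zero-padded to 21 bytes.
func ntResponse(chal, ntHash []byte) []byte {
	z := make([]byte, 21)
	copy(z, ntHash)
	out := make([]byte, 24)
	for i := 0; i < 3; i++ {
		blk, _ := des.NewCipher(desKey56to64(z[i*7 : i*7+7])) // key is always 8 bytes, cannot fail
		blk.Encrypt(out[i*8:i*8+8], chal)
	}
	return out
}

// VerifyNTResponse is the check rlm_mschap performs with an NT-Password: recompute the
// NT-Response from the stored hash and compare. The cleartext password is never needed.
func VerifyNTResponse(ntHash, authChal, peerChal, ntResp []byte, name string) bool {
	return bytes.Equal(ntResponse(challengeHash(peerChal, authChal, name), ntHash), ntResp)
}

// CheckLoggedExchange replays the server-side check on the exchange from the log.
func CheckLoggedExchange() (bool, error) {
	authChal, _, err1 := ParseChallenge(logChallengeHex)
	peer, ntResp, name, err2 := ParseResponse(logResponseHex)
	if err1 != nil || err2 != nil {
		return false, fmt.Errorf("parse: %v / %v", err1, err2)
	}
	ntHash, _ := hex.DecodeString(logNTHashHex) // 32 hex digits, exactly as rlm_ldap logged it
	return VerifyNTResponse(ntHash, authChal, peer, ntResp, name), nil
}

func main() {
	ok, err := CheckLoggedExchange()
	fmt.Println("logged NT-Response matches stored NT hash:", ok, "error:", err)
}
```

Run it with go run; it prints whether the logged NT-Response is consistent with the logged NT hash for user israel. rlm_mschap's verdict on the same data was "MS-CHAP2-Response is incorrect". If this program agrees, the supplicant answered with a different password than the one behind that hash (or the hash in the directory is stale); if it disagrees, the server was not computing with the value the directory holds, and the storage rules in the ldap module comments (32 hex digits, leading 0x) are the first place to look. The known-answer vectors in RFC 2759 section 9.2 (user "User", password "clientPass") are a good self-check for the DES key expansion before trusting any result.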