Hi,

I tried to configure Windows XP to authenticate with 802.1x using PEAP + MSCHAPV2.

FreeRADIUS 1.0.1 was configured to look up user information in OpenLDAP. On the same computer where FreeRADIUS is installed, I have an OpenLDAP + Samba server "version 2.2.12" that stores the users' passwords in OpenLDAP.

If I configure authentication to use "files", authentication succeeds 100% of the time, but when it is configured to use OpenLDAP I always get the error below:

  PEAP: Got tunneled reply RADIUS code 3
     Service-Type = Login-User
     MS-CHAP-Error = "8E=691 R=1"
     EAP-Message = 0x04380004
     Message-Authenticator = 0x00000000000000000000000000000000
   PEAP: Processing from tunneled session code 0x817f5c8 3
     Service-Type = Login-User
     MS-CHAP-Error = "8E=691 R=1"
     EAP-Message = 0x04380004
     Message-Authenticator = 0x00000000000000000000000000000000
   PEAP: Tunneled authentication was rejected.
   rlm_eap_peap: FAILURE



Debug file:

Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/radius/etc/raddb/proxy.conf
Config: including file: /usr/local/radius/etc/raddb/clients.conf
Config: including file: /usr/local/radius/etc/raddb/snmp.conf
Config: including file: /usr/local/radius/etc/raddb/eap.conf
main: prefix = "/usr/local/radius"
main: localstatedir = "/usr/local/radius/var"
main: logdir = "/usr/local/radius/var/log/radius"
main: libdir = "/usr/local/radius/lib"
main: radacctdir = "/usr/local/radius/var/log/radius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/usr/local/radius/var/log/radius/radius.log"
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = "/usr/local/radius/var/run/radiusd/radiusd.pid"
main: user = "(null)"
main: group = "(null)"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/local/radius/sbin/checkrad"
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = yes
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/radius/lib
Module: Loaded PAP
pap: encryption_scheme = "clear"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = yes
mschap: require_strong = yes
mschap: with_ntdomain_hack = no
mschap: passwd = "(null)"
mschap: authtype = "MS-CHAP"
mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded LDAP
ldap: server = "localhost"
ldap: port = 389
ldap: net_timeout = 1
ldap: timeout = 4
ldap: timelimit = 3
ldap: identity = "cn=admin,dc=testdomain,dc=com"
ldap: tls_mode = no
ldap: start_tls = no
ldap: tls_cacertfile = "(null)"
ldap: tls_cacertdir = "(null)"
ldap: tls_certfile = "(null)"
ldap: tls_keyfile = "(null)"
ldap: tls_randfile = "(null)"
ldap: tls_require_cert = "allow"
ldap: password = "xtopazio"
ldap: basedn = "dc=testdomain,dc=com"
ldap: filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
ldap: base_filter = "(objectclass=radiusprofile)"
ldap: default_profile = "(null)"
ldap: profile_attribute = "radiusProfileDn"
ldap: password_header = "{CRYPT}"
ldap: password_attribute = "userPassword"
ldap: access_attr = "(null)"
ldap: groupname_attribute = "cn"
ldap: groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
ldap: groupmembership_attribute = "radiusGroupName"
ldap: dictionary_mapping = "/usr/local/radius/etc/raddb/ldap.attrmap"
ldap: ldap_debug = 0
ldap: ldap_connections_number = 5
ldap: compare_check_items = no
ldap: access_attr_used_for_allow = yes
ldap: do_xlat = yes
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: reading ldap<->radius mappings from file /usr/local/radius/etc/raddb/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
conns: 0x814cfe8
Module: Instantiated ldap (ldap)
Module: Loaded eap
eap: default_eap_type = "peap"
eap: timer_expire = 60
eap: ignore_unknown_eap_types = yes
eap: cisco_accounting_username_bug = no
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = "(null)"
tls: pem_file_type = yes
tls: private_key_file = "/usr/local/openssl/ssl/misc/cert-srv.pem"
tls: certificate_file = "/usr/local/openssl/ssl/misc/cert-srv.pem"
tls: CA_file = "/usr/local/openssl/ssl/misc/root.pem"
tls: private_key_password = "whatever"
tls: dh_file = "/usr/local/openssl/ssl/misc/dh"
tls: random_file = "/usr/local/openssl/ssl/misc/random"
tls: fragment_size = 1024
tls: include_length = yes
tls: check_crl = no
tls: check_cert_cn = "(null)"
rlm_eap: Loaded and initialized type tls
peap: default_eap_type = "mschapv2"
peap: copy_request_to_tunnel = no
peap: use_tunneled_reply = no
peap: proxy_tunneled_request_as_eap = yes
rlm_eap: Loaded and initialized type peap
mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = "/usr/local/radius/etc/raddb/huntgroups"
preprocess: hints = "/usr/local/radius/etc/raddb/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded realm
realm: format = "suffix"
realm: delimiter = "@"
realm: ignore_default = no
realm: ignore_null = no
Module: Instantiated realm (suffix)
Listening on authentication *:1812
Listening on accounting *:1813
Listening on proxy *:1814
Ready to process requests.
rad_recv: Access-Request packet from host 172.22.2.32:1237, id=254, length=86
User-Name = "israel"
EAP-Message = 0x0232000b0169737261656c
NAS-IP-Address = 172.22.2.32
Service-Type = Login-User
Calling-Station-Id = "0.0.0.0"
NAS-Port-Type = Ethernet
Message-Authenticator = 0x538884dd87995e9d15ae98534ab66abe
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
rlm_eap: EAP packet type response id 50 length 11
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for israel
radius_xlat: '(uid=israel)'
radius_xlat: 'dc=testdomain,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as cn=admin,dc=testdomain,dc=com/xtopazio to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=testdomain,dc=com, with filter (uid=israel)
rlm_ldap: Added password 79/amk9cWxbpM in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding ntPassword as NT-Password, value 6C4C4EB68A4C6082AB37166A9E967273 & op=21
rlm_ldap: Adding lmPassword as LM-Password, value 24C4A2B160D56070C187B8085FE1D9DF & op=21
rlm_ldap: Adding radiusAuthType as Auth-Type, value PEAP & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding radiusServiceType as Service-Type, value login & op=11
rlm_ldap: user israel authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 0
modcall: group authorize returns updated for request 0
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
modcall[authenticate]: module "eap" returns handled for request 0
modcall: group authenticate returns handled for request 0
Sending Access-Challenge of id 254 to 172.22.2.32:1237
Service-Type = Login-User
EAP-Message = 0x013300061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa54c60f332d5157356d99e31c44b321e
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 172.22.2.32:1238, id=44, length=173
User-Name = "israel"
EAP-Message = 0x0233005019800000004616030100410100003d030141e6d4792b0ae33065691a3feeb3e20d05197228315e4655918f04dda89920a500001600040005000a000900640062000300060013001200630100
NAS-IP-Address = 172.22.2.32
Service-Type = Login-User
Calling-Station-Id = "0.0.0.0"
NAS-Port-Type = Ethernet
State = 0xa54c60f332d5157356d99e31c44b321e
Message-Authenticator = 0xb55e3fd5ac22f6961123f40472b01220
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
modcall[authorize]: module "preprocess" returns ok for request 1
rlm_eap: EAP packet type response id 51 length 80
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 1
rlm_ldap: - authorize
rlm_ldap: performing user authorization for israel
radius_xlat: '(uid=israel)'
radius_xlat: 'dc=testdomain,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=testdomain,dc=com, with filter (uid=israel)
rlm_ldap: Added password 79/amk9cWxbpM in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding ntPassword as NT-Password, value 6C4C4EB68A4C6082AB37166A9E967273 & op=21
rlm_ldap: Adding lmPassword as LM-Password, value 24C4A2B160D56070C187B8085FE1D9DF & op=21
rlm_ldap: Adding radiusAuthType as Auth-Type, value PEAP & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding radiusServiceType as Service-Type, value login & op=11
rlm_ldap: user israel authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 1
modcall: group authorize returns updated for request 1
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
eaptls_verify returned 11
(other): before/accept initialization
TLS_accept: before/accept initialization
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello
TLS_accept: SSLv3 read client hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
TLS_accept: SSLv3 write server hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 06c7], Certificate
TLS_accept: SSLv3 write certificate A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
TLS_accept: SSLv3 write server done A
TLS_accept: SSLv3 flush data
TLS_accept:error in SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
modcall[authenticate]: module "eap" returns handled for request 1
modcall: group authenticate returns handled for request 1
Sending Access-Challenge of id 44 to 172.22.2.32:1238
Service-Type = Login-User
EAP-Message = 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
EAP-Message = 0x0313105175616e74697a6154657374653243413121301f06092a864886f70d010901161269737261656c40746f70617a696f2e636f6d301e170d3034313132333034343731365a170d3039313132323034343731365a3081ac310b3009060355040613024252311a30180603550408131152696f204772616e646520646f2053756c311230100603550407130943616d706f20426f6d311d301b060355040a13145175616e74697a61536572766572546573746532310b3009060355040b13024954311e301c0603550403131564627261646975732e7175616e74697a612e636f6d3121301f06092a864886f70d010901161269737261656c40746f70
EAP-Message = 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
EAP-Message = 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
EAP-Message = 0x657374653243413121301f06092a864886f70d010901
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xe88fda72bb08291884a0f9b01c9cf8fb
Finished request 1
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 172.22.2.32:1239, id=47, length=99
User-Name = "israel"
EAP-Message = 0x023400061900
NAS-IP-Address = 172.22.2.32
Service-Type = Login-User
Calling-Station-Id = "0.0.0.0"
NAS-Port-Type = Ethernet
State = 0xe88fda72bb08291884a0f9b01c9cf8fb
Message-Authenticator = 0xc38c20e66dd66fd20e419d4e9b800ad6
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
modcall[authorize]: module "preprocess" returns ok for request 2
rlm_eap: EAP packet type response id 52 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 2
rlm_ldap: - authorize
rlm_ldap: performing user authorization for israel
radius_xlat: '(uid=israel)'
radius_xlat: 'dc=testdomain,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=testdomain,dc=com, with filter (uid=israel)
rlm_ldap: Added password 79/amk9cWxbpM in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding ntPassword as NT-Password, value 6C4C4EB68A4C6082AB37166A9E967273 & op=21
rlm_ldap: Adding lmPassword as LM-Password, value 24C4A2B160D56070C187B8085FE1D9DF & op=21
rlm_ldap: Adding radiusAuthType as Auth-Type, value PEAP & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding radiusServiceType as Service-Type, value login & op=11
rlm_ldap: user israel authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 2
modcall: group authorize returns updated for request 2
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake fragment handler
eaptls_verify returned 1
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
modcall[authenticate]: module "eap" returns handled for request 2
modcall: group authenticate returns handled for request 2
Sending Access-Challenge of id 47 to 172.22.2.32:1239
Service-Type = Login-User
EAP-Message = 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
EAP-Message = 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
EAP-Message = 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
EAP-Message = 0xaf62b200ad99c84ceadaf853a2b5f45994c506dba20fea366fb2240725f0507ef34d75677a2ab714b88d16030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x039d3e0d38fc9d62fc60df041f2098f2
Finished request 2
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 172.22.2.32:1240, id=65, length=285
User-Name = "israel"
EAP-Message = 0x023500c01980000000b616030100861000008200800dbd328618fcb44d916ddab3f84f208fa02d4095139707dc4355dc6028c6c0b5cb195b45c14fcd525234d6f9fb0747a4e45cac8bdb04a8a0edd7a149a7027bab7f27ba1aa2a79aaef50c4c93598f64a56351a92df2b4a2a2c2d6268d9fd14cf33c1cec059938d8f926e7c8a9a725f13e1137567fa1fd7da76aa38ee50660912314030100010116030100204086278646ecb495a5dc4c35c5952aa9a8c6ab1e04a2acc07e3bd535ae347a5a
NAS-IP-Address = 172.22.2.32
Service-Type = Login-User
Calling-Station-Id = "0.0.0.0"
NAS-Port-Type = Ethernet
State = 0x039d3e0d38fc9d62fc60df041f2098f2
Message-Authenticator = 0x94760a0da98dd58c0ae7c0da28d595de
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 3
modcall[authorize]: module "preprocess" returns ok for request 3
rlm_eap: EAP packet type response id 53 length 192
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 3
rlm_ldap: - authorize
rlm_ldap: performing user authorization for israel
radius_xlat: '(uid=israel)'
radius_xlat: 'dc=testdomain,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=testdomain,dc=com, with filter (uid=israel)
rlm_ldap: Added password 79/amk9cWxbpM in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding ntPassword as NT-Password, value 6C4C4EB68A4C6082AB37166A9E967273 & op=21
rlm_ldap: Adding lmPassword as LM-Password, value 24C4A2B160D56070C187B8085FE1D9DF & op=21
rlm_ldap: Adding radiusAuthType as Auth-Type, value PEAP & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding radiusServiceType as Service-Type, value login & op=11
rlm_ldap: user israel authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 3
modcall: group authorize returns updated for request 3
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 3
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
eaptls_verify returned 11
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
TLS_accept: SSLv3 read client key exchange A
rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 read finished A
rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001]
TLS_accept: SSLv3 write change cipher spec A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 write finished A
TLS_accept: SSLv3 flush data
(other): SSL negotiation finished successfully
SSL Connection Established
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
modcall[authenticate]: module "eap" returns handled for request 3
modcall: group authenticate returns handled for request 3
Sending Access-Challenge of id 65 to 172.22.2.32:1240
Service-Type = Login-User
EAP-Message = 0x0136003119001403010001011603010020c67c10e9b83c4303ebbd7cb85e8ca4b92c69a7ee42250b20dabc3baa8c2c93dc
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x8a1139fcb4f0449037d7122da0c266ac
Finished request 3
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 172.22.2.32:1241, id=79, length=99
User-Name = "israel"
EAP-Message = 0x023600061900
NAS-IP-Address = 172.22.2.32
Service-Type = Login-User
Calling-Station-Id = "0.0.0.0"
NAS-Port-Type = Ethernet
State = 0x8a1139fcb4f0449037d7122da0c266ac
Message-Authenticator = 0x3006d883e837a859b05411182f5ba41d
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
modcall[authorize]: module "preprocess" returns ok for request 4
rlm_eap: EAP packet type response id 54 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 4
rlm_ldap: - authorize
rlm_ldap: performing user authorization for israel
radius_xlat: '(uid=israel)'
radius_xlat: 'dc=testdomain,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=testdomain,dc=com, with filter (uid=israel)
rlm_ldap: Added password 79/amk9cWxbpM in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding ntPassword as NT-Password, value 6C4C4EB68A4C6082AB37166A9E967273 & op=21
rlm_ldap: Adding lmPassword as LM-Password, value 24C4A2B160D56070C187B8085FE1D9DF & op=21
rlm_ldap: Adding radiusAuthType as Auth-Type, value PEAP & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding radiusServiceType as Service-Type, value login & op=11
rlm_ldap: user israel authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 4
modcall: group authorize returns updated for request 4
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 4
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake is finished
eaptls_verify returned 3
eaptls_process returned 3
rlm_eap_peap: EAPTLS_SUCCESS
modcall[authenticate]: module "eap" returns handled for request 4
modcall: group authenticate returns handled for request 4
Sending Access-Challenge of id 79 to 172.22.2.32:1241
Service-Type = Login-User
EAP-Message = 0x013700201900170301001514911454f60f1c2ef87c12055b0e97c3ce93e422a6
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xd0d2def6e43eba69a30a199d6ad3960c
Finished request 4
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 172.22.2.32:1242, id=81, length=127
User-Name = "israel"
EAP-Message = 0x0237002219001703010017eb16ca428f1ea7fa77fe36dde246827077b20c2d9a8b21
NAS-IP-Address = 172.22.2.32
Service-Type = Login-User
Calling-Station-Id = "0.0.0.0"
NAS-Port-Type = Ethernet
State = 0xd0d2def6e43eba69a30a199d6ad3960c
Message-Authenticator = 0x72f4a9b2dc813e3190af52cade5cd549
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
modcall[authorize]: module "preprocess" returns ok for request 5
rlm_eap: EAP packet type response id 55 length 34
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 5
rlm_ldap: - authorize
rlm_ldap: performing user authorization for israel
radius_xlat: '(uid=israel)'
radius_xlat: 'dc=testdomain,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=testdomain,dc=com, with filter (uid=israel)
rlm_ldap: Added password 79/amk9cWxbpM in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding ntPassword as NT-Password, value 6C4C4EB68A4C6082AB37166A9E967273 & op=21
rlm_ldap: Adding lmPassword as LM-Password, value 24C4A2B160D56070C187B8085FE1D9DF & op=21
rlm_ldap: Adding radiusAuthType as Auth-Type, value PEAP & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding radiusServiceType as Service-Type, value login & op=11
rlm_ldap: user israel authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 5
modcall: group authorize returns updated for request 5
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 5
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: Identity - israel
rlm_eap_peap: Tunneled data is valid.
PEAP: Got tunneled EAP-Message
EAP-Message = 0x0237000b0169737261656c
PEAP: Got tunneled identity of israel
PEAP: Setting default EAP type for tunneled EAP session.
PEAP: Setting User-Name to israel
PEAP: Sending tunneled request
EAP-Message = 0x0237000b0169737261656c
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "israel"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
modcall[authorize]: module "preprocess" returns ok for request 5
rlm_eap: EAP packet type response id 55 length 11
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 5
rlm_ldap: - authorize
rlm_ldap: performing user authorization for israel
radius_xlat: '(uid=israel)'
radius_xlat: 'dc=testdomain,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=testdomain,dc=com, with filter (uid=israel)
rlm_ldap: Added password 79/amk9cWxbpM in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding ntPassword as NT-Password, value 6C4C4EB68A4C6082AB37166A9E967273 & op=21
rlm_ldap: Adding lmPassword as LM-Password, value 24C4A2B160D56070C187B8085FE1D9DF & op=21
rlm_ldap: Adding radiusAuthType as Auth-Type, value PEAP & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding radiusServiceType as Service-Type, value login & op=11
rlm_ldap: user israel authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 5
modcall: group authorize returns updated for request 5
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 5
rlm_eap: EAP Identity
rlm_eap: processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
modcall[authenticate]: module "eap" returns handled for request 5
modcall: group authenticate returns handled for request 5
PEAP: Got tunneled reply RADIUS code 11
Service-Type = Login-User
EAP-Message = 0x013800201a0138001b1090401350673c3a38b6a5c0e466512e6169737261656c
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x6e47be67f27de2502cd61fc55e3fd1d8
PEAP: Processing from tunneled session code 0x81858e0 11
Service-Type = Login-User
EAP-Message = 0x013800201a0138001b1090401350673c3a38b6a5c0e466512e6169737261656c
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x6e47be67f27de2502cd61fc55e3fd1d8
PEAP: Got tunneled Access-Challenge
modcall[authenticate]: module "eap" returns handled for request 5
modcall: group authenticate returns handled for request 5
Sending Access-Challenge of id 81 to 172.22.2.32:1242
Service-Type = Login-User
EAP-Message = 0x013800371900170301002c17943940505f668cbcf7661d95d2c7649c8951cba1f89f26466cef31868cf9162191b030ea99fba789ee8ac0
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x9dceba4f210b35c1bcb2da65bceffdb3
Finished request 5
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 172.22.2.32:1243, id=87, length=181
User-Name = "israel"
EAP-Message = 0x023800581900170301004dc4f4be62451c4dbe778f5894da1ec11fb42bf7edbe4b1c39c6b517cf8e4f131cc6d2094f2c35ff3fe8f657a163dbb8e178784ff6fd0af5fc382cea41b1f5f2be094843102eeea76ed3ed83a871
NAS-IP-Address = 172.22.2.32
Service-Type = Login-User
Calling-Station-Id = "0.0.0.0"
NAS-Port-Type = Ethernet
State = 0x9dceba4f210b35c1bcb2da65bceffdb3
Message-Authenticator = 0xc9513f1f83c9e66797a8f80f841d7276
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 6
modcall[authorize]: module "preprocess" returns ok for request 6
rlm_eap: EAP packet type response id 56 length 88
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 6
rlm_ldap: - authorize
rlm_ldap: performing user authorization for israel
radius_xlat: '(uid=israel)'
radius_xlat: 'dc=testdomain,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=testdomain,dc=com, with filter (uid=israel)
rlm_ldap: Added password 79/amk9cWxbpM in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding ntPassword as NT-Password, value 6C4C4EB68A4C6082AB37166A9E967273 & op=21
rlm_ldap: Adding lmPassword as LM-Password, value 24C4A2B160D56070C187B8085FE1D9DF & op=21
rlm_ldap: Adding radiusAuthType as Auth-Type, value PEAP & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding radiusServiceType as Service-Type, value login & op=11
rlm_ldap: user israel authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 6
modcall: group authorize returns updated for request 6
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: EAP type mschapv2
rlm_eap_peap: Tunneled data is valid.
PEAP: Got tunneled EAP-Message
EAP-Message = 0x023800411a0238003c31b2d515e772772b769e0af58620ce6ebb0000000000000000b3118f98668f157ef2a162edec964622b973e22006893da50069737261656c
PEAP: Setting User-Name to israel
PEAP: Adding old state with 6e 47
PEAP: Sending tunneled request
EAP-Message = 0x023800411a0238003c31b2d515e772772b769e0af58620ce6ebb0000000000000000b3118f98668f157ef2a162edec964622b973e22006893da50069737261656c
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "israel"
State = 0x6e47be67f27de2502cd61fc55e3fd1d8
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 6
modcall[authorize]: module "preprocess" returns ok for request 6
rlm_eap: EAP packet type response id 56 length 65
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 6
rlm_ldap: - authorize
rlm_ldap: performing user authorization for israel
radius_xlat: '(uid=israel)'
radius_xlat: 'dc=testdomain,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=testdomain,dc=com, with filter (uid=israel)
rlm_ldap: Added password 79/amk9cWxbpM in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding ntPassword as NT-Password, value 6C4C4EB68A4C6082AB37166A9E967273 & op=21
rlm_ldap: Adding lmPassword as LM-Password, value 24C4A2B160D56070C187B8085FE1D9DF & op=21
rlm_ldap: Adding radiusAuthType as Auth-Type, value PEAP & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding radiusServiceType as Service-Type, value login & op=11
rlm_ldap: user israel authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 6
modcall: group authorize returns updated for request 6
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
rlm_eap: Request found, released from the list
rlm_eap: EAP/mschapv2
rlm_eap: processing type mschapv2
Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 6
rlm_mschap: Found LM-Password
rlm_mschap: Found NT-Password
rlm_mschap: Told to do MS-CHAPv2 for israel with NT-Password
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
modcall[authenticate]: module "mschap" returns reject for request 6
modcall: group Auth-Type returns reject for request 6
rlm_eap: Freeing handler
modcall[authenticate]: module "eap" returns reject for request 6
modcall: group authenticate returns reject for request 6
auth: Failed to validate the user.
PEAP: Got tunneled reply RADIUS code 3
Service-Type = Login-User
MS-CHAP-Error = "8E=691 R=1"
EAP-Message = 0x04380004
Message-Authenticator = 0x00000000000000000000000000000000
PEAP: Processing from tunneled session code 0x817f5c8 3
Service-Type = Login-User
MS-CHAP-Error = "8E=691 R=1"
EAP-Message = 0x04380004
Message-Authenticator = 0x00000000000000000000000000000000
PEAP: Tunneled authentication was rejected.
rlm_eap_peap: FAILURE
modcall[authenticate]: module "eap" returns handled for request 6
modcall: group authenticate returns handled for request 6
Sending Access-Challenge of id 87 to 172.22.2.32:1243
Service-Type = Login-User
EAP-Message = 0x013900261900170301001b9c431e0aef70813662d2cf5a13dad4266b857b5f90a55aa89bc9cd
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x659f1d947efe324a2ffa43bc885c3798
Finished request 6
Going to the next request
--- Walking the entire request list ---
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 172.22.2.32:1244, id=91, length=131
User-Name = "israel"
EAP-Message = 0x023900261900170301001ba42ef347d0efb20392c168d99200aec35a7025f3bea24e50263882
NAS-IP-Address = 172.22.2.32
Service-Type = Login-User
Calling-Station-Id = "0.0.0.0"
NAS-Port-Type = Ethernet
State = 0x659f1d947efe324a2ffa43bc885c3798
Message-Authenticator = 0x4c614c3398a4c5e0e050864d6e7bdf94
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 7
modcall[authorize]: module "preprocess" returns ok for request 7
rlm_eap: EAP packet type response id 57 length 38
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 7
rlm_ldap: - authorize
rlm_ldap: performing user authorization for israel
radius_xlat: '(uid=israel)'
radius_xlat: 'dc=testdomain,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=testdomain,dc=com, with filter (uid=israel)
rlm_ldap: Added password 79/amk9cWxbpM in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding ntPassword as NT-Password, value 6C4C4EB68A4C6082AB37166A9E967273 & op=21
rlm_ldap: Adding lmPassword as LM-Password, value 24C4A2B160D56070C187B8085FE1D9DF & op=21
rlm_ldap: Adding radiusAuthType as Auth-Type, value PEAP & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding radiusServiceType as Service-Type, value login & op=11
rlm_ldap: user israel authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 7
modcall: group authorize returns updated for request 7
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 7
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: Received EAP-TLV response.
rlm_eap_peap: Tunneled data is valid.
rlm_eap_peap: Had sent TLV failure, rejecting.
rlm_eap: Handler failed in EAP/peap
rlm_eap: Failed in EAP select
modcall[authenticate]: module "eap" returns invalid for request 7
modcall: group authenticate returns invalid for request 7
auth: Failed to validate the user.
Delaying request 7 for 1 seconds
Finished request 7
Going to the next request
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 172.22.2.32:1244, id=91, length=131
Sending Access-Reject of id 91 to 172.22.2.32:1244
EAP-Message = 0x04390004
Message-Authenticator = 0x00000000000000000000000000000000
--- Walking the entire request list ---
Waking up in 2 seconds...





EAP configuration file:

#
#  Whatever you do, do NOT set 'Auth-Type := EAP'.  The server
#  is smart enough to figure this out on its own.  The most
#  common side effect of setting 'Auth-Type := EAP' is that the
#  users then cannot use ANY other authentication method.
#
#       $Id: eap.conf,v 1.4 2004/04/15 18:34:41 aland Exp $
#
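        eap {
                # Outer method offered to the supplicant: PEAP (a TLS tunnel),
                # with MS-CHAPv2 run inside it (see `peap` below).
                default_eap_type = peap

                timer_expire     = 60
                ignore_unknown_eap_types = yes
                cisco_accounting_username_bug = no

                # TLS identity of the RADIUS server, presented to the supplicant
                # during the PEAP handshake.  The same PEM file holds both the
                # private key and the certificate.
                tls {
                        # NOTE(review): "whatever" is the passphrase the sample
                        # CA scripts use; change it, and do not publish it (this
                        # file went to a public list - treat the key as exposed
                        # and re-issue it).  The passphrase only protects the key
                        # at rest; the PEM file itself must be readable by the
                        # radiusd account alone.
                        private_key_password = whatever
                        # The two paths below were line-wrapped in the posted
                        # copy; radiusd needs each directive on a single line.
                        private_key_file = /usr/local/openssl/ssl/misc/cert-srv.pem
                        certificate_file = /usr/local/openssl/ssl/misc/cert-srv.pem
                        # CA that issued cert-srv.pem.  NOTE(review): the tunnel
                        # protects the inner MS-CHAPv2 exchange only if the
                        # supplicant validates the server certificate against
                        # this root and restricts the accepted server name; an
                        # XP client with "Validate server certificate" switched
                        # off hands its challenge/response - which is crackable
                        # offline - to any access point that speaks PEAP.  That
                        # is a client-side setting and is not visible here.
                        CA_file = /usr/local/openssl/ssl/misc/root.pem
                        dh_file = /usr/local/openssl/ssl/misc/dh
                        random_file = /usr/local/openssl/ssl/misc/random
                        fragment_size = 1024
                        include_length = yes
                        # CRL and CN checks apply to client certificates
                        # (EAP-TLS); PEAP with MS-CHAPv2 does not use them.
                #       check_crl = yes
                #       check_cert_cn = %{User-Name}
                }
                # Inner method run inside the TLS tunnel.  rlm_eap_peap
                # re-injects the tunneled EAP-Message as a fresh request through
                # "authorize" and "authenticate", so the ldap and mschap modules
                # must be reachable from those sections for the inner
                # authentication to succeed.
                peap {
                        default_eap_type = mschapv2
                }
                mschapv2 {
                }
        }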





Radius configuration file:

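prefix = /usr/local/radius
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = ${prefix}/var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct

confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd

log_file = ${logdir}/radius.log

libdir = ${exec_prefix}/lib

pidfile = ${run_dir}/radiusd.pid

# NOTE(review): no `user`/`group` is set, so radiusd keeps whatever identity
# started it.  A network-reachable daemon that also holds the TLS key and the
# LDAP bind password should not stay root; give it its own account, e.g.:
#user = radiusd
#group = radiusd

# Global request handling.  (These directives were collapsed onto a single
# line in the posted copy; one per line is the form radiusd parses.)
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
# Listens on every interface; the only access control is then the client
# list in clients.conf (source address + shared secret).  Bind to the
# specific address the NASes use if this host has more than one.
bind_address = *
port = 0
hostname_lookups = no
# Keep off: a core file would contain the TLS private key, its passphrase
# and the LDAP bind password.
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log_stripped_names = no
# log_auth = yes is cheap and is the only record of who authenticated from
# which NAS; leave the two *pass options off - they write passwords to the log.
log_auth = no
log_auth_badpass = no
log_auth_goodpass = no
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
security {
        max_attributes = 200
        reject_delay = 1
        status_server = no
}

# proxy.conf and clients.conf are not part of the posted copy; the shared
# secret in clients.conf is what authenticates the NAS to this server.
proxy_requests  = yes
$INCLUDE  ${confdir}/proxy.conf
$INCLUDE  ${confdir}/clients.conf
snmp    = no
$INCLUDE  ${confdir}/snmp.conf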

modules {
        # PAP module to authenticate users based on their stored password
        #
        #  Supports multiple encryption schemes
        #  clear: Clear text
        #  crypt: Unix crypt
        #    md5: MD5 encryption
        #   sha1: SHA1 encryption.
        #  DEFAULT: crypt
        #
        #  NOTE(review): the ldap instance below strips "{CRYPT}" from
        #  userPassword and hands the remaining crypt(3) hash over as the
        #  User-Password check item, so with `clear` a PAP request would
        #  compare that hash against the typed password and always fail.
        #  Not exercised by PEAP/MS-CHAPv2, but the two settings should agree
        #  (`crypt` here) before PAP is ever enabled.
        pap {
                encryption_scheme = clear
#               encryption_scheme = crypt
        }

        # CHAP module
        #
        #  To authenticate requests containing a CHAP-Password attribute.
        #  Needs a cleartext password as check item; it cannot work from the
        #  hashed userPassword that ldap supplies.
        #
        chap {
                authtype = CHAP
        }
$INCLUDE ${confdir}/eap.conf

#
# This module supports MS-CHAP and MS-CHAPv2 authentication.
# It also enforces the SMB-Account-Ctrl attribute.
#
# For the PEAP inner method, rlm_eap_mschapv2 dispatches the tunneled
# exchange to the "Auth-Type MS-CHAP" group in "authenticate", and this
# module verifies it against the NT-Password check item that ldap added.
#
mschap {
authtype = MS-CHAP
# MPPE key material is derived and returned; the require_* options then
# refuse a client that would not encrypt (only meaningful where the NAS
# actually uses MPPE).
use_mppe = yes
# #use_mppe = yes
require_encryption = yes
# #require_encryption = yes
require_strong = yes
# #require_strong = yes
# Leave "no" unless the supplicant sends DOMAIN\user while the directory
# stores the bare user name.
with_ntdomain_hack = no
#with_ntdomain_hack = yes
# Alternative to keeping NT hashes where radiusd can read them: let a Samba
# domain member verify the response through ntlm_auth.  Not used here.
#ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
#ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}
#
# Directory lookup, run from "authorize".  Per request it searches `basedn`
# with `filter`, adds userPassword (header stripped) as a check item, then
# maps the attributes listed in ldap.attrmap (ntPassword -> NT-Password,
# lmPassword -> LM-Password, radiusAuthType -> Auth-Type,
# radiusServiceType -> Service-Type, ...) onto check and reply items.
#
# NOTE(review): the user entry carries radiusAuthType = PEAP, which becomes
# an Auth-Type check item.  It is ignored only because the eap module has
# already set Auth-Type := EAP earlier in "authorize", and there is no
# "Auth-Type PEAP" group in "authenticate" for it to select anyway; remove
# the attribute from the directory (eap.conf's header warns against setting
# Auth-Type by hand).
#
ldap {
# Plain LDAP to the local server; acceptable on loopback, but the hashes
# fetched below travel in clear the moment `server` points elsewhere -
# enable start_tls first.
server = localhost
#server = "ldap.your.domain"
# NOTE(review): binds as the directory administrator.  radiusd only needs to
# read user entries plus the password attributes; use a dedicated read-only
# DN whose ACL is limited to those, so that compromise of this host - or of
# this file, which holds the bind password in clear - does not give
# directory-wide write access.  Keep radiusd.conf readable by the radiusd
# account only.  This copy, password included, was posted to a public list:
# rotate the password.
identity = cn=admin,dc=testdomain,dc=com
# identity = "cn=admin,o=My Org,c=UA"
password = teste
# password = mypass
basedn = dc=testdomain,dc=com
# The user name sent by the supplicant is expanded into the search filter.
# (rlm_ldap in the 1.x series escapes LDAP filter metacharacters during this
# expansion - confirm for the exact build in use, since the value is
# attacker-controlled.)
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
#filter = "(uid=%u)"
base_filter = "(objectclass=radiusprofile)"


                # set this to 'yes' to use TLS encrypted connections
                # to the LDAP database by using the StartTLS extended
                # operation.
                # The StartTLS operation is supposed to be used with normal
                # ldap connections instead of using ldaps (port 636) connections
                start_tls = no
                tls_mode = no

                # tls_cacertfile        = /path/to/cacert.pem
                # tls_cacertdir         = /path/to/ca/dir/
                # tls_certfile          = /path/to/radius.crt
                # tls_keyfile           = /path/to/radius.key
                # tls_randfile          = /path/to/rnd
                # tls_require_cert      = "demand"

                # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
                # profile_attribute = "radiusProfileDn"
                profile_attribute = "radiusProfileDn"
                # access_attr is disabled, so every entry matching `filter`
                # is allowed to authenticate; there is no per-user
                # "dialupAccess"-style gate.
                ####access_attr = "dialupAccess"

                # Mapping of RADIUS dictionary attributes to LDAP
                # directory attributes.
                dictionary_mapping = ${raddbdir}/ldap.attrmap

                ####ldap_cache_timeout = 120
                ####ldap_cache_size = 0

                ####ldap_connections_number = 5

#
# NOTICE: The password_header directive is NOT case insensitive
#
#password_header = "{clear}"
# Matches the "{CRYPT}" prefix on userPassword; what remains after the
# prefix (a crypt(3) hash in the posted debug) becomes User-Password.
password_header = "{CRYPT}"
#
# The server can usually figure this out on its own, and pull
# the correct User-Password or NT-Password from the database.
#
# Note that NT-Passwords MUST be stored as a 32-digit hex
# string, and MUST start off with "0x", such as:
#
# 0x000102030405060708090a0b0c0d0e0f
#
# Without the leading "0x", NT-Passwords will not work.
# This goes for NT-Passwords stored in SQL, too.
#
# NOTE(review): the NT-Password/LM-Password check items consumed by
# rlm_mschap come from ntPassword/lmPassword through ldap.attrmap, not from
# this attribute.  The NT hash is password-equivalent for MS-CHAPv2/NTLM:
# restrict read access to those attributes in the directory, and never share
# `radiusd -X` output unredacted - it prints both hashes and the crypt hash
# in clear.  The LM hash is trivially crackable and not needed for
# MS-CHAPv2; stop storing it if the Samba side permits.
# NOTE(review): in the posted debug the inner MS-CHAPv2 response is checked
# against that ntPassword value (delivered without the "0x" prefix the note
# above asks for, yet reported as "Found NT-Password") and rejected, while
# the same user passes via the `files` backend, presumably from a cleartext
# User-Password there.  So first confirm that ntPassword really is the NT
# hash of the password the supplicant sends (e.g. reset it with smbpasswd),
# and try the "0x"-prefixed form if in doubt; radiusd cannot tell a stale
# hash from a wrong password.
password_attribute = userPassword
# groupname_attribute = cn
#groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
groupmembership_attribute = radiusGroupName
# Short timeouts so a slow or dead directory cannot tie up request handlers.
timeout = 4
timelimit = 3
net_timeout = 1
###compare_check_items = yes
# "no": check items fetched from the directory are added to the request but
# not compared by rlm_ldap itself; NT-Password is consumed by rlm_mschap.
compare_check_items = no
do_xlat = yes
#access_attr_used_for_allow = yes
}


        # Realm parsing.  None of these instances is enabled in "authorize"
        # below (all commented out); only `suffix` is used, and only in
        # "preacct".
        realm IPASS {
                format = prefix
                delimiter = "/"
                ignore_default = no
                ignore_null = no
        }

        #  'username@realm'
        #
        realm suffix {
                format = suffix
                delimiter = "@"
                ignore_default = no
                ignore_null = no
        }

        #  'username%realm'
        #
        realm realmpercent {
                format = suffix
                delimiter = "%"
                ignore_default = no
                ignore_null = no
        }

        #
        #  'domain\user'
        #
        realm ntdomain {
                format = prefix
                delimiter = "\\"
                ignore_default = no
                ignore_null = no
        }       

        # Huntgroup/hints processing; runs first in "authorize" and "preacct".
        preprocess {
                huntgroups = ${confdir}/huntgroups
                hints = ${confdir}/hints

                with_ntdomain_hack = no
                with_specialix_jetstream_hack = no
                with_cisco_vsa_hack = no
        }

        # Livingston-style 'users' file
        #  Only consulted when `files` is listed in "authorize"; it is
        #  commented out there, so the directory is the sole user source.
        files {
                usersfile = ${confdir}/users
                acctusersfile = ${confdir}/acct_users
                compat = no
        }

# Builds Acct-Unique-Session-Id from these attributes for accounting.
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
}


        # The "always" module is here for debugging purposes. Each
        # instance simply returns the same result, always, without
        # doing anything.
        always fail {
                rcode = fail
        }
        always reject {
                rcode = reject
        }
        always ok {
                rcode = ok
                simulcount = 0
                mpp = no
        }

}
authorize {
        # Runs on every Access-Request: each round of the outer PEAP/TLS
        # handshake as well as the tunneled inner request that rlm_eap_peap
        # re-injects.
        preprocess
        #chap
        #mschap
        #suffix
#       ntdomain
        # eap sets Auth-Type := EAP for any request carrying EAP-Message and
        # returns "updated"; the modules listed after it still run.
        eap
        #files
#       sql
#       etc_smbpasswd
        # ldap therefore also performs its search on the outer TLS rounds,
        # where the result is never used - harmless, but it multiplies
        # directory traffic per authentication, and 1.x offers no conditional
        # to skip it.  It is required for the inner request: it supplies the
        # NT-Password check item that rlm_mschap verifies against.
        ldap
#       daily
#       checkval
}

authenticate {
        Auth-Type PAP {
                pap
        }

        Auth-Type CHAP {
                chap
        }

        #
        #  MSCHAP authentication.
        #  Also reached for the MS-CHAPv2 carried inside PEAP: rlm_eap_mschapv2
        #  hands the tunneled exchange to this group, where rlm_mschap checks
        #  it against the NT-Password check item that ldap supplied.
        Auth-Type MS-CHAP {
                mschap
        }
#       digest
#       pam
        #unix
        #  Bind-as-user authentication.  NOTE(review): this can only work when
        #  the request carries the cleartext password (PAP); it cannot verify
        #  an MS-CHAPv2 challenge/response and plays no part in the PEAP flow.
        Auth-Type LDAP {
                ldap
        }

        #  Default path for Auth-Type EAP: runs the outer PEAP/TLS handshake
        #  and re-injects the inner method as a tunneled request.
        eap
}
#
preacct {
        preprocess
        acct_unique
#       IPASS
        # NOTE(review): the `suffix` realm module runs here but is commented
        # out in "authorize", so realm handling (Stripped-User-Name, Realm and
        # any proxy decision) differs between authentication and accounting
        # for a user@realm name.  Enable or disable it in both sections
        # consistently.
        suffix
#       ntdomain

        #files
}
#       eap
#}




Thanks for the help,

Israel Alves.


- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
