Hi Guys, I'm trying to use freeradius with peap+mschapv2+ldap+realms.

If I don't use realms, everything works fine. But the problem is that I need to strip off the domain part of the username, because Windows sends TEST\cfra, but I have only cfra in my LDAP. So I did the following:

radiusd.conf:

    realm ntdomain {
        format = prefix
        delimiter = "\\"
    }

and enabled ntdomain under authorisation.

My proxy.conf:

    realm test {
        type = radius
        authhost = LOCAL
        accthost = LOCAL
    }

But when I want to log in, it does not work. It seems like the domain is stripped off correctly for authorisation, but not for authentication. But what could be wrong? Here is the output of radiusd:

Config: including file: ../etc/raddb//radiusd.conf
Config: including file: /usr/local/freeradius2/etc/raddb/proxy.conf
Config: including file: /usr/local/freeradius2/etc/raddb/clients.conf
Config: including file: /usr/local/freeradius2/etc/raddb/snmp.conf
Config: including file: /usr/local/freeradius2/etc/raddb/eap.conf
Config: including file: /usr/local/freeradius2/etc/raddb/sql.conf
Config: including file: /usr/local/freeradius2/etc/raddb/sql/mysql-dialup.conf
FreeRADIUS Version 2.0.0-pre1, for host i686-pc-linux-gnu, built on Aug 16 2007 at 13:45:55
Starting - reading configuration files ...
read_config_files: reading dictionary
main {
  prefix = "/usr/local/freeradius2"
  localstatedir = "/usr/local/freeradius2/var"
  logdir = "/usr/local/freeradius2/var/log/radius"
  libdir = "/usr/local/freeradius2/lib"
  radacctdir = "/usr/local/freeradius2/var/log/radius/radacct"
  hostname_lookups = no
  max_request_time = 30
  cleanup_delay = 5
  max_requests = 1024
  allow_core_dumps = no
  log_stripped_names = no
  log_file = "/usr/local/freeradius2/var/log/radius/radius.log"
  log_auth = no
  log_auth_badpass = no
  log_auth_goodpass = no
  pidfile = "/usr/local/freeradius2/var/run/radiusd/radiusd.pid"
  user = "radiusd"
  group = "radiusd"
  checkrad = "/usr/local/freeradius2/sbin/checkrad"
  debug_level = 0
  proxy_requests = yes
  log {
    syslog_facility = "daemon"
  }
  proxy server {
    retry_delay = 5
    retry_count = 3
    default_fallback = no
    dead_time = 120
    wake_all_if_all_dead = no
  }
  security {
    max_attributes = 200
    reject_delay = 1
    status_server = yes
  }
}
home_server localhost {
  ipaddr = 127.0.0.1 IP address [127.0.0.1]
  port = 1812
  type = "auth"
  secret = "testing123"
  response_window = 20
  max_outstanding = 65536
  zombie_period = 40
  status_check = "status-server"
  ping_check = "none"
  ping_interval = 30
  check_interval = 30
  num_answers_to_alive = 3
  num_pings_to_alive = 3
  revive_interval = 120
  status_check_timeout = 4
}
server_pool my_auth_failover {
  type = my_auth_failover
  home_server = localhost
}
realm example.com {
  auth_pool = my_auth_failover
}
realm LOCAL {
  ldflag = fail_over
}
realm test {
  ldflag = fail_over
}
port = 1812
listen {
  type = "auth"
  ipaddr = *
  port = 0
}
listen {
  type = "acct"
  ipaddr = *
  port = 0
}
client 127.0.0.1 {
  secret = "testing123"
  shortname = "localhost"
  nastype = "other"
}
client 150.150.40.0/16 {
  secret = "ciscotest1"
  shortname = "private-network-1"
  nastype = "cisco"
}
radiusd: entering modules setup
radiusd: Library search path is /usr/local/freeradius2/lib
instantiate {
  Module: Linked to module rlm_exec
  Module: Instantiating exec
  exec {
    wait = yes
    input_pairs = "request"
    shell_escape = yes
  }
rlm_exec: wait=yes but no output defined. Did you mean output=none?
  Module: Linked to module rlm_expr
  Module: Instantiating expr
  Module: Linked to module rlm_expiration
  Module: Instantiating expiration
  expiration {
    reply-message = "Password Has Expired "
  }
  Module: Linked to module rlm_logintime
  Module: Instantiating logintime
  logintime {
    reply-message = "You are calling outside your allowed timespan "
    minimum-timeout = 60
  }
}
modules {
  Module: Instantiating section authenticate
  Module: Linked to module rlm_pap
  Module: Instantiating pap
  pap {
    encryption_scheme = "auto"
    auto_header = no
  }
  Module: Linked to module rlm_chap
  Module: Instantiating chap
  Module: Linked to module rlm_mschap
  Module: Instantiating mschap
  mschap {
    use_mppe = yes
    require_encryption = no
    require_strong = no
    with_ntdomain_hack = no
  }
  Module: Linked to module rlm_unix
  Module: Instantiating unix
  unix {
    radwtmp = "/usr/local/freeradius2/var/log/radius/radwtmp"
  }
  Module: Linked to module rlm_eap
  Module: Instantiating eap
  eap {
    default_eap_type = "peap"
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
  }
  eap: Linked to sub-module rlm_eap_md5
  eap: Instantiating eap-md5
  eap: Linked to sub-module rlm_eap_leap
  eap: Instantiating eap-leap
  eap: Linked to sub-module rlm_eap_gtc
  eap: Instantiating eap-gtc
  gtc {
    challenge = "Password: "
    auth_type = "PAP"
  }
  eap: Linked to sub-module rlm_eap_tls
  eap: Instantiating eap-tls
  tls {
    rsa_key_exchange = no
    dh_key_exchange = yes
    rsa_key_length = 512
    dh_key_length = 512
    verify_depth = 0
    pem_file_type = yes
    private_key_file = "/usr/local/certs/wcsserver.key"
    certificate_file = "/usr/local/certs/wcsserver.pem"
    CA_file = "/usr/local/certs/root.pem"
    private_key_password = "wcs"
    dh_file = "/usr/local/freeradius2/etc/raddb/certs/dh"
    random_file = "/dev/urandom"
    fragment_size = 1024
    include_length = yes
    check_crl = no
    cipher_list = "DEFAULT"
    make_cert_command = "/usr/local/freeradius2/etc/raddb/certs/bootstrap"
  }
rlm_eap_tls: Loading the certificate file as a chain
  eap: Linked to sub-module rlm_eap_ttls
  eap: Instantiating eap-ttls
  ttls {
    default_eap_type = "md5"
    copy_request_to_tunnel = no
    use_tunneled_reply = no
  }
  eap: Linked to sub-module rlm_eap_peap
  eap: Instantiating eap-peap
  peap {
    default_eap_type = "mschapv2"
    copy_request_to_tunnel = no
    use_tunneled_reply = no
    proxy_tunneled_request_as_eap = yes
  }
  eap: Linked to sub-module rlm_eap_mschapv2
  eap: Instantiating eap-mschapv2
  mschapv2 {
    with_ntdomain_hack = no
  }
  Module: Instantiating section authorize
  Module: Linked to module rlm_preprocess
  Module: Instantiating preprocess
  preprocess {
    huntgroups = "/usr/local/freeradius2/etc/raddb/huntgroups"
    hints = "/usr/local/freeradius2/etc/raddb/hints"
    with_ascend_hack = no
    ascend_channels_per_line = 23
    with_ntdomain_hack = no
    with_specialix_jetstream_hack = no
    with_cisco_vsa_hack = no
    with_alvarion_vsa_hack = no
  }
  Module: Linked to module rlm_realm
  Module: Instantiating suffix
  realm suffix {
    format = "suffix"
    delimiter = "@"
    ignore_default = no
    ignore_null = no
  }
  Module: Instantiating ntdomain
  realm ntdomain {
    format = "prefix"
    delimiter = "\"
    ignore_default = no
    ignore_null = no
  }
  Module: Linked to module rlm_files
  Module: Instantiating files
  files {
    usersfile = "/usr/local/freeradius2/etc/raddb/users"
    acctusersfile = "/usr/local/freeradius2/etc/raddb/acct_users"
    preproxy_usersfile = "/usr/local/freeradius2/etc/raddb/preproxy_users"
    compat = "no"
  }
  Module: Linked to module rlm_ldap
  Module: Instantiating ldap
  ldap {
    server = "150.150.40.241"
    port = 389
    password = "secret"
    identity = "cn=Manager,dc=rsel,dc=com"
    net_timeout = 1
    timeout = 4
    timelimit = 3
    tls_mode = no
    start_tls = no
    tls_require_cert = "allow"
    tls {
      start_tls = no
      require_cert = "allow"
    }
    basedn = "dc=rsel,dc=com"
    filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
    base_filter = "(objectclass=radiusprofile)"
    password_attribute = "userPassword"
    auto_header = no
    access_attr_used_for_allow = yes
    groupname_attribute = "cn"
    groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
    dictionary_mapping = "/usr/local/freeradius2/etc/raddb/ldap.attrmap"
    ldap_debug = 0
    ldap_connections_number = 5
    compare_check_items = no
    do_xlat = yes
    set_auth_type = yes
  }
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: Over-riding set_auth_type, as we're not listed in the "authenticate" section.
rlm_ldap: reading ldap<->radius mappings from file /usr/local/freeradius2/etc/raddb/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
conns: 0x9be8488
  Module: Instantiating section preacct
  Module: Linked to module rlm_acct_unique
  Module: Instantiating acct_unique
  acct_unique {
    key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
  }
  Module: Instantiating section accounting
  Module: Linked to module rlm_detail
  Module: Instantiating detail
  detail {
    detailfile = "/usr/local/freeradius2/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
    header = "%t"
    detailperm = 384
    dirperm = 493
    locking = no
    log_packet_header = no
  }
  Module: Linked to module rlm_radutmp
  Module: Instantiating radutmp
  radutmp {
    filename = "/usr/local/freeradius2/var/log/radius/radutmp"
    username = "%{User-Name}"
    case_sensitive = yes
    check_with_nas = yes
    perm = 384
    callerid = yes
  }
  Module: Linked to module rlm_attr_filter
  Module: Instantiating attr_filter.accounting_response
  attr_filter attr_filter.accounting_response {
    attrsfile = "/usr/local/freeradius2/etc/raddb/attrs.accounting_response"
    key = "%{User-Name}"
  }
  Module: Instantiating section session
  Module: Instantiating section post-proxy
  Module: Instantiating section post-auth
  Module: Instantiating attr_filter.access_reject
  attr_filter attr_filter.access_reject {
    attrsfile = "/usr/local/freeradius2/etc/raddb/attrs.access_reject"
    key = "%{User-Name}"
  }
}
Initializing the thread pool...
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.
Nothing to do. Sleeping until we see a request.
  Processing the authorize section of radiusd.conf
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
    rlm_realm: No '@' in User-Name = "anonymous", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
    rlm_realm: No '\' in User-Name = "anonymous", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[ntdomain] returns noop
  rlm_eap: EAP packet type response id 13 length 14
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
rlm_ldap: - authorize
rlm_ldap: performing user authorization for anonymous
radius_xlat: '(uid=anonymous)'
radius_xlat: 'dc=rsel,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 150.150.40.241:389, authentication 0
rlm_ldap: bind as cn=Manager,dc=rsel,dc=com/secret to 150.150.40.241:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=rsel,dc=com, with filter (uid=anonymous)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns notfound
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
+- group authorize returns updated
  rad_check_password: Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
+- entering group authenticate
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
++[eap] returns handled
+- group authenticate returns handled
Finished request 0 state 5
Going to the next request
  Processing the authorize section of radiusd.conf
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
    rlm_realm: No '@' in User-Name = "anonymous", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
    rlm_realm: No '\' in User-Name = "anonymous", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[ntdomain] returns noop
  rlm_eap: EAP packet type response id 14 length 82
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
+- group authorize returns ok
  rad_check_password: Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  rlm_eap_tls: Length Included
  eaptls_verify returned 11
    (other): before/accept initialization
    TLS_accept: before/accept initialization
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0043], ClientHello
    TLS_accept: SSLv3 read client hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
    TLS_accept: SSLv3 write server hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 04e9], Certificate
    TLS_accept: SSLv3 write certificate A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 018d], ServerKeyExchange
    TLS_accept: SSLv3 write key exchange A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
    TLS_accept: SSLv3 write server done A
    TLS_accept: SSLv3 flush data
    TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
  eaptls_process returned 13
  rlm_eap_peap: EAPTLS_HANDLED
++[eap] returns handled
+- group authenticate returns handled
Finished request 1 state 5
Going to the next request
rad_recv: Access-Request packet from host 150.150.40.141 port 32769, id=235, length=160
    User-Name = "anonymous"
    Calling-Station-Id = "00-0C-F1-10-95-48"
    Called-Station-Id = "00-0B-85-82-C3-60:RSEL"
    NAS-Port = 29
    NAS-IP-Address = 150.150.40.141
    NAS-Identifier = "RSEL-WLC"
    Airespace-Wlan-Id = 1
    Service-Type = Framed-User
    Framed-MTU = 1300
    NAS-Port-Type = Wireless-802.11
    EAP-Message = 0x020d000e01616e6f6e796d6f7573
    Message-Authenticator = 0x237df9d6a5ccc4b8a6e7e241372567f7
Sending Access-Challenge of id 235 to 150.150.40.141 port 32769
    EAP-Message = 0x010e00061920
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x7e04413c4ac3982e863e3bc1d40fc3cc
rad_recv: Access-Request packet from host 150.150.40.141 port 32769, id=236, length=246
    User-Name = "anonymous"
    Calling-Station-Id = "00-0C-F1-10-95-48"
    Called-Station-Id = "00-0B-85-82-C3-60:RSEL"
    NAS-Port = 29
    NAS-IP-Address = 150.150.40.141
    NAS-Identifier = "RSEL-WLC"
    Airespace-Wlan-Id = 1
    Service-Type = Framed-User
    Framed-MTU = 1300
    NAS-Port-Type = Wireless-802.11
    EAP-Message = 0x020e005219800000004816030100430100003f030146c57f9e6adfd54e836ecd7108b2d9b0e8b32885ce5fb7dc236fd9502c507a1a00001800390038003300320016001300660035002f000a000500040100
    State = 0x7e04413c4ac3982e863e3bc1d40fc3cc
    Message-Authenticator = 0x1ee566e14988e1656634a8bda1a23970
Sending Access-Challenge of id 236 to 150.150.40.141 port 32769
    EAP-Message = 0xf70d0101050500306d3110300e060355040313075253454c204341310b3009060355040b13024954310b3009060355040b13024954310d300b060355040a13045253454c3111300f060355040713084c616e64736875743110300e0603550408130742617661726961310b3009060355040613024445301e170d3037303830363030303030305a170d3137303830363233353935395a306d3110300e060355040313075253454c204341310b3009060355040b13024954310b3009060355040b13024954310d300b060355040a13045253454c3111300f060355040713084c616e64736875743110300e0603550408130742617661726961310b300906
    EAP-Message = 0x035504061302444530819d300d06092a864886f70d01
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x67538f85548078f113fef01af0d2efc4
rad_recv: Access-Request packet from host 150.150.40.141 port 32769, id=237, length=170
    User-Name = "anonymous"
    Calling-Station-Id = "00-0C-F1-10-95-48"
    Called-Station-Id = "00-0B-85-82-C3-60:RSEL"
    NAS-Port = 29
    NAS-IP-Address = 150.150.40.141
    NAS-Identifier = "RSEL-WLC"
    Airespace-Wlan-Id = 1
    Service-Type = Framed-User
    Framed-MTU = 1300
    NAS-Port-Type = Wireless-802.11
    EAP-Message = 0x020f00061900
    State = 0x67538f85548078f113fef01af0d2efc4
    Message-Authenticator = 0x31cbc446aeb5a95d6e907b59aad4f27a
  Processing the authorize section of radiusd.conf
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
    rlm_realm: No '@' in User-Name = "anonymous", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
    rlm_realm: No '\' in User-Name = "anonymous", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[ntdomain] returns noop
  rlm_eap: EAP packet type response id 15 length 6
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
+- group authorize returns ok
  rad_check_password: Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake fragment handler
  eaptls_verify returned 1
  eaptls_process returned 13
  rlm_eap_peap: EAPTLS_HANDLED
++[eap] returns handled
+- group authenticate returns handled
Finished request 2 state 5
Going to the next request
  Processing the authorize section of radiusd.conf
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
    rlm_realm: No '@' in User-Name = "anonymous", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
    rlm_realm: No '\' in User-Name = "anonymous", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[ntdomain] returns noop
  rlm_eap: EAP packet type response id 16 length 208
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
+- group authorize returns ok
  rad_check_password: Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  rlm_eap_tls: Length Included
  eaptls_verify returned 11
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
    TLS_accept: SSLv3 read client key exchange A
  rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished
    TLS_accept: SSLv3 read finished A
  rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001]
    TLS_accept: SSLv3 write change cipher spec A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished
    TLS_accept: SSLv3 write finished A
    TLS_accept: SSLv3 flush data
    (other): SSL negotiation finished successfully
SSL Connection Established
  eaptls_process returned 13
  rlm_eap_peap: EAPTLS_HANDLED
++[eap] returns handled
+- group authenticate returns handled
Finished request 3 state 5
Going to the next request
  Processing the authorize section of radiusd.conf
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
    rlm_realm: No '@' in User-Name = "anonymous", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
    rlm_realm: No '\' in User-Name = "anonymous", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[ntdomain] returns noop
  rlm_eap: EAP packet type response id 17 length 6
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
+- group authorize returns ok
  rad_check_password: Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake is finished
  eaptls_verify returned 3
  eaptls_process returned 3
  rlm_eap_peap: EAPTLS_SUCCESS
++[eap] returns handled
+- group authenticate returns handled
Finished request 4 state 5
Going to the next request
Sending Access-Challenge of id 237 to 150.150.40.141 port 32769
    EAP-Message = 0xd3a445ed9de2c9f4e79376f2991b4796ecf3ecb27786443b7e99b9e24b27756c03d9123a93a1eb8c091b796e6ce73f66a9700a71f24f7874de816052c4bc1f25b05235abf93c160301018d0c0001890080c7fdf4f2281a88444fb04733e293131bce140e28f08bb104facc9f16bbb0e3a1fc291776b898ec3e41884668163bc9a4f9feb445807c5b473a6c6714446d020935e87a0949c7863829e465c0ff1969384880e68b7f5add98429755464e76d4e239adb1de9dc8c4a376d1b61111dc0309c4e8b1abe76b3449ce313020d34216cb00010200800ea1768aedf982acd3dad43f3b5f6c440327d9656d82e0c0440e87bcc3f690741044f4d196bf4c
    EAP-Message = 0x9687da51560b696339059923f15ebc123fb1008fef0d5d0cb67832e5b51ac8e616d2ba10f34f980525ed587e8da3d42205a72964f12c96bd41c3b586ed93d12108699a5bb86e97b803c67d97225053d6f2f38084cf0f9e7a3e0080a1d348ca67045ab0ceebd35497c5e0a51795a534e4e902a06880f7bbbd288e5f0f502e36d5cfb50863f71253bd6ebc9e8d9208a54b1996cac92fba67886e98750a7867145a5706e41706baa75b32205aaa1f0916d5b519d525e9bcfd0bd447a01db9ebdcb0f821cbc1cbfe1f7facc3aea50cc2ccf5c93a588d69400ba2522f7d16030100040e000000
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0xd613929d0835375b51b0bad22b0859c8
rad_recv: Access-Request packet from host 150.150.40.141 port 32769, id=238, length=372
    User-Name = "anonymous"
    Calling-Station-Id = "00-0C-F1-10-95-48"
    Called-Station-Id = "00-0B-85-82-C3-60:RSEL"
    NAS-Port = 29
    NAS-IP-Address = 150.150.40.141
    NAS-Identifier = "RSEL-WLC"
    Airespace-Wlan-Id = 1
    Service-Type = Framed-User
    Framed-MTU = 1300
    NAS-Port-Type = Wireless-802.11
    EAP-Message = 0x021000d01980000000c6160301008610000082008039724b2d404ca74c3b10364d9cfdb3ae6aad2a2be4250d2bc8af99abec7f0123bbf1868d547d29217c1bb0029a4abbde00940c54686a852e8d76033992c36a886c95302c16ddce802ab4956d578ad648e7b5923aa7ce88a0199db9245531b02b2c1c31bbc3fcc37b461c5e2eebae2fc44235a4723e35d2d86e7feffb26e778111403010001011603010030d16158a87ab639360df086b3c2dff39bd1ce72bbb875734f1d0b485ef8a3fd4b645cccc8c0bb284a561374ec26304714
    State = 0xd613929d0835375b51b0bad22b0859c8
    Message-Authenticator = 0x0f8218941c2ce5d17ecdee9dcc4b2762
Sending Access-Challenge of id 238 to 150.150.40.141 port 32769
    EAP-Message = 0x011100411900140301000101160301003088c0c27a6f51fb7527c91b1b5303922637f4cc60fedecadd80965391e8dba99bf9841f8d0eb24d9371259333eaa767cf
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x3cafbd9fc9bad1cc56e6e3b7680d946f
rad_recv: Access-Request packet from host 150.150.40.141 port 32769, id=239, length=170
    User-Name = "anonymous"
    Calling-Station-Id = "00-0C-F1-10-95-48"
    Called-Station-Id = "00-0B-85-82-C3-60:RSEL"
    NAS-Port = 29
    NAS-IP-Address = 150.150.40.141
    NAS-Identifier = "RSEL-WLC"
    Airespace-Wlan-Id = 1
    Service-Type = Framed-User
    Framed-MTU = 1300
    NAS-Port-Type = Wireless-802.11
    EAP-Message = 0x021100061900
    State = 0x3cafbd9fc9bad1cc56e6e3b7680d946f
    Message-Authenticator = 0x7e13c9b8d0b8083b90ef4f55195383ec
Sending Access-Challenge of id 239 to 150.150.40.141 port 32769
    EAP-Message = 0x0112002b19001703010020a9fce9f01fd333b6acd4e84c383b77d3c463b6847adf1ab77354f677ce6fe62e
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x0eca445faa2dd2b4a2e9097a7d976000
rad_recv: Access-Request packet from host 150.150.40.141 port 32769, id=240, length=207
    User-Name = "anonymous"
    Calling-Station-Id = "00-0C-F1-10-95-48"
    Called-Station-Id = "00-0B-85-82-C3-60:RSEL"
    NAS-Port = 29
    NAS-IP-Address = 150.150.40.141
    NAS-Identifier = "RSEL-WLC"
    Airespac
  Processing the authorize section of radiusd.conf
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
    rlm_realm: No '@' in User-Name = "anonymous", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
    rlm_realm: No '\' in User-Name = "anonymous", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[ntdomain] returns noop
  rlm_eap: EAP packet type response id 18 length 43
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
+- group authorize returns ok
  rad_check_password: Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established. Decoding tunneled attributes.
  rlm_eap_peap: Identity - test\cfra
  rlm_eap_peap: Tunneled data is valid.
  PEAP: Got tunneled identity of test\cfra
  PEAP: Setting default EAP type for tunneled EAP session.
  PEAP: Setting User-Name to test\cfra
  Processing the authorize section of radiusd.conf
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
    rlm_realm: No '@' in User-Name = "test\cfra", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
    rlm_realm: Looking up realm "test" for User-Name = "test\cfra"
    rlm_realm: Found realm "test"
    rlm_realm: Adding Stripped-User-Name = "cfra"
    rlm_realm: Proxying request from user cfra to realm test
    rlm_realm: Adding Realm = "test"
    rlm_realm: Authentication realm is LOCAL.
++[ntdomain] returns noop
  rlm_eap: EAP packet type response id 18 length 14
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
rlm_ldap: - authorize
rlm_ldap: performing user authorization for cfra
radius_xlat: '(uid=cfra)'
radius_xlat: 'dc=rsel,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=rsel,dc=com, with filter (uid=cfra)
rlm_ldap: Added User-Password = cisco12 in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user cfra authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
+- group authorize returns updated
  rad_check_password: Found Auth-Type EAP
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Replacing User-Password in config items with Cleartext-Password.     !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good"            !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
+- entering group authenticate
  rlm_eap: EAP Identity
  rlm_eap: processing type mschapv2
  rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
+- group authenticate returns handled
  PEAP: Got tunneled Access-Challenge
++[eap] returns handled
+- group authenticate returns handled
Finished request 5 state 5
Going to the next request
  Processing the authorize section of radiusd.conf
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
    rlm_realm: No '@' in User-Name = "anonymous", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
    rlm_realm: No '\' in User-Name = "anonymous", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[ntdomain] returns noop
  rlm_eap: EAP packet type response id 19 length 91
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
+- group authorize returns ok
  rad_check_password: Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established. Decoding tunneled attributes.
  rlm_eap_peap: EAP type mschapv2
  rlm_eap_peap: Tunneled data is valid.
  PEAP: Setting User-Name to test\cfra
  PEAP: Adding old state with 13 1f
  Processing the authorize section of radiusd.conf
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
    rlm_realm: No '@' in User-Name = "test\cfra", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
    rlm_realm: Looking up realm "test" for User-Name = "test\cfra"
    rlm_realm: Found realm "test"
    rlm_realm: Adding Stripped-User-Name = "cfra"
    rlm_realm: Proxying request from user cfra to realm test
    rlm_realm: Adding Realm = "test"
    rlm_realm: Authentication realm is LOCAL.
++[ntdomain] returns noop
  rlm_eap: EAP packet type response id 19 length 63
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
rlm_ldap: - authorize
rlm_ldap: performing user authorization for cfra
radius_xlat: '(uid=cfra)'
radius_xlat: 'dc=rsel,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=rsel,dc=com, with filter (uid=cfra)
rlm_ldap: Added User-Password = cisco12 in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user cfra authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
+- group authorize returns updated
  rad_check_password: Found Auth-Type EAP
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Replacing User-Password in config items with Cleartext-Password.     !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good"            !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/mschapv2
  rlm_eap: processing type mschapv2
  Processing the authenticate section of radiusd.conf
+- entering group MS-CHAP
  rlm_mschap: NT Domain delimeter found, should we have enabled with_ntdomain_hack?
  rlm_mschap: Told to do MS-CHAPv2 for test\cfra with NT-Password
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
+- group MS-CHAP returns reject
  rlm_eap: Freeing handler
++[eap] returns reject
+- group authenticate returns reject
auth: Failed to validate the user.
  PEAP: Tunneled authentication was rejected.
  rlm_eap_peap: FAILURE
++[eap] returns handled
+- group authenticate returns handled
Finished request 6 state 5
Going to the next request
  Processing the authorize section of radiusd.conf
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
    rlm_realm: No '@' in User-Name = "anonymous", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
    rlm_realm: No '\' in User-Name = "anonymous", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[ntdomain] returns noop
  rlm_eap: EAP packet type response id 20 length 43
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
+- group authorize returns ok
  rad_check_password: Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established. Decoding tunneled attributes.
  rlm_eap_peap: Received EAP-TLV response.
rlm_eap_peap: Tunneled data is valid.
rlm_eap_peap: Had sent TLV failure. User was rejcted rejected earlier in this session.
rlm_eap: Handler failed in EAP/peap
rlm_eap: Failed in EAP select
++[eap] returns invalid
+- group authenticate returns invalid
auth: Failed to validate the user.
Found Post-Auth-Type Reject
Processing the post-auth section of radiusd.conf
+- entering group REJECT
radius_xlat: 'anonymous'
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
+- group REJECT returns updated
Delaying reject of request 7 for 1 seconds
Going to the next request
Sending delayed reject for request 7
Waking up in 3 seconds...
Cleaning up request 0 ID 235 with timestamp +26
Waking up in 1 seconds...
Cleaning up request 7 ID 242 with timestamp +26
Nothing to do. Sleeping until we see a request.

Would be nice if someone could give me some hints.

Thanks,
Christian
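The debug output above shows where the two halves of the request part company: in the inner (tunneled) authorize pass, rlm_realm finds realm "test", adds Stripped-User-Name = "cfra", and rlm_ldap looks up cfra successfully; but in the authenticate pass rlm_mschap is "Told to do MS-CHAPv2 for test\cfra", i.e. it still works from the unstripped User-Name, and it says so with "NT Domain delimeter found, should we have enabled with_ntdomain_hack?". That matters because MS-CHAPv2 (RFC 2759) binds the NT-Response to the user name through the challenge hash, and a Windows client hashes the bare user name without the domain prefix. If the server hashes "test\cfra" instead, the response cannot match, and the result is exactly the "MS-CHAP2-Response is incorrect" reject seen in the log, even though the password from LDAP is right. The following configuration fragment is an added example, not Christian's own files: it puts the default rlm_mschap setting beside the corrected one and assumes the FreeRADIUS 2.0 layout shown in the post, where module configuration lives in radiusd.conf and the realm definition in proxy.conf.

```text
# Added example configuration (not from the original post).
# Assumes FreeRADIUS 2.0 with modules configured in radiusd.conf.

# radiusd.conf, modules section: realm stripping as already set up in the post.
# Listing "ntdomain" in the authorize section turns "TEST\cfra" into
# Stripped-User-Name = "cfra", which is what rlm_ldap then searches for.
realm ntdomain {
        format    = prefix
        delimiter = "\\"
}

# radiusd.conf, modules section: rlm_mschap, BEFORE.
# With the default, rlm_mschap computes the MS-CHAPv2 challenge hash over the
# full User-Name "test\cfra" and logs
#   "NT Domain delimeter found, should we have enabled with_ntdomain_hack?"
# followed by "FAILED: MS-CHAP2-Response is incorrect".
mschap {
        with_ntdomain_hack = no
}

# radiusd.conf, modules section: rlm_mschap, AFTER.
# rlm_mschap now drops everything up to and including the backslash before
# hashing, so the server-side hash matches the one the Windows client used.
mschap {
        with_ntdomain_hack = yes
}

# proxy.conf: keep the realm local so the stripped request is authenticated
# on this server rather than forwarded.
realm test {
        type     = radius
        authhost = LOCAL
        accthost = LOCAL
}
```

Two things to check after making the change. First, the ntdomain module must run in the inner tunnel's authorize pass (it does in the log above, since the stripping shows up after "PEAP: Setting User-Name to test\cfra"); a realm that is only stripped for the outer "anonymous" identity never reaches rlm_mschap. Second, the "Replacing User-Password in config items with Cleartext-Password" banner is a separate issue from the domain prefix: rlm_mschap needs either a Cleartext-Password or an NT-Password check item to compute the expected response, and the server is currently converting the User-Password that rlm_ldap returned on the fly. That conversion is what lets "Told to do MS-CHAPv2 ... with NT-Password" appear at all, so the reject is not caused by a missing password, but returning the password as Cleartext-Password as the banner asks removes the warning and the dependency on that fallback.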