I trimmed this down some, although I'm sure it could be trimmed a lot
more...

Ready to process requests.
rad_recv: Access-Request packet from host 72.33.52.18:1645, id=158, length=139
User-Name = "DOMAIN\\testuser"
Framed-MTU = 1400
Called-Station-Id = "0012.014d.d511"
Calling-Station-Id = "001f.5bbe.f006"
Service-Type = Login-User
Message-Authenticator = 0x9c667cafd791e54213885defa1c14f5f
EAP-Message = 0x020200140142494f4348454d5c6b77746f62696e
NAS-Port-Type = Wireless-802.11
NAS-Port = 26830
NAS-IP-Address = 72.33.52.18
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "DOMAIN\testuser", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
rlm_realm: Looking up realm "DOMAIN" for User-Name = "DOMAIN\testuser"
rlm_realm: Found realm "DOMAIN"
rlm_realm: Adding Stripped-User-Name = "testuser"
rlm_realm: Proxying request from user testuser to realm DOMAIN
rlm_realm: Adding Realm = "DOMAIN"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "DOMAIN" returns noop for request 0
rlm_eap: EAP packet type response id 2 length 20
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 0
users: Matched entry DEFAULT at line 153
modcall[authorize]: module "files" returns ok for request 0
rlm_opendirectory: The SACL group "com.apple.access_radius" does not exist on this system.
rlm_opendirectory: The host 72.33.52.18 does not have an access group.
rlm_opendirectory: no access control groups, all users allowed.
modcall[authorize]: module "opendirectory" returns ok for request 0
modcall: leaving group authorize (returns updated) for request 0
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
modcall[authenticate]: module "eap" returns handled for request 0
modcall: leaving group authenticate (returns handled) for request 0
Sending Access-Challenge of id 158 to 72.33.52.18 port 1645
EAP-Message = 0x010300061520
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x9ffcbe4309dcfe1624d52b4001437bc6
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 72.33.52.18:1645, id=159, length=143
User-Name = "DOMAIN\\testuser"
Framed-MTU = 1400
Called-Station-Id = "0012.014d.d511"
Calling-Station-Id = "001f.5bbe.f006"
Service-Type = Login-User
Message-Authenticator = 0x2a97d54ce690c33ab793c9d08a60af28
EAP-Message = 0x020300060319
NAS-Port-Type = Wireless-802.11
NAS-Port = 26830
State = 0x9ffcbe4309dcfe1624d52b4001437bc6
NAS-IP-Address = 72.33.52.18
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
modcall[authorize]: module "preprocess" returns ok for request 1
modcall[authorize]: module "chap" returns noop for request 1
modcall[authorize]: module "mschap" returns noop for request 1
rlm_realm: No '@' in User-Name = "DOMAIN\testuser", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 1
rlm_realm: Looking up realm "DOMAIN" for User-Name = "DOMAIN\testuser"
rlm_realm: Found realm "DOMAIN"
rlm_realm: Adding Stripped-User-Name = "testuser"
rlm_realm: Proxying request from user testuser to realm DOMAIN
rlm_realm: Adding Realm = "DOMAIN"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "DOMAIN" returns noop for request 1
rlm_eap: EAP packet type response id 3 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 1
users: Matched entry DEFAULT at line 153
modcall[authorize]: module "files" returns ok for request 1
rlm_opendirectory: The SACL group "com.apple.access_radius" does not exist on this system.
rlm_opendirectory: The host 72.33.52.18 does not have an access group.
rlm_opendirectory: no access control groups, all users allowed.
modcall[authorize]: module "opendirectory" returns ok for request 1
modcall: leaving group authorize (returns updated) for request 1
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
rlm_eap: Request found, released from the list
rlm_eap: EAP NAK
rlm_eap: EAP-NAK asked for EAP-Type/peap
rlm_eap: processing type tls
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
modcall[authenticate]: module "eap" returns handled for request 1
modcall: leaving group authenticate (returns handled) for request 1
Sending Access-Challenge of id 159 to 72.33.52.18 port 1645
EAP-Message = 0x010400061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x28e762b2e07141efde83bdebb85bb2c5
Finished request 1
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 72.33.52.18:1645, id=160, length=295
User-Name = "DOMAIN\\testuser"
Framed-MTU = 1400
Called-Station-Id = "0012.014d.d511"
Calling-Station-Id = "001f.5bbe.f006"
Service-Type = Login-User
Message-Authenticator = 0xdb772428162765ec5ec66a0e883d323c
EAP-Message = 0x0204009e198000000094160301008f0100008b030
NAS-Port-Type = Wireless-802.11
NAS-Port = 26830
State = 0x28e762b2e07141efde83bdebb85bb2c5
NAS-IP-Address = 72.33.52.18
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
modcall[authorize]: module "preprocess" returns ok for request 2
modcall[authorize]: module "chap" returns noop for request 2
modcall[authorize]: module "mschap" returns noop for request 2
rlm_realm: No '@' in User-Name = "DOMAIN\testuser", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 2
rlm_realm: Looking up realm "DOMAIN" for User-Name = "DOMAIN\testuser"
rlm_realm: Found realm "DOMAIN"
rlm_realm: Adding Stripped-User-Name = "testuser"
rlm_realm: Proxying request from user testuser to realm DOMAIN
rlm_realm: Adding Realm = "DOMAIN"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "DOMAIN" returns noop for request 2
rlm_eap: EAP packet type response id 4 length 158
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 2
users: Matched entry DEFAULT at line 153
modcall[authorize]: module "files" returns ok for request 2
rlm_opendirectory: The SACL group "com.apple.access_radius" does not exist on this system.
rlm_opendirectory: The host 72.33.52.18 does not have an access group.
rlm_opendirectory: no access control groups, all users allowed.
modcall[authorize]: module "opendirectory" returns ok for request 2
modcall: leaving group authorize (returns updated) for request 2
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
eaptls_verify returned 11
(other): before/accept initialization
TLS_accept: before/accept initialization
rlm_eap_tls: <<< TLS 1.0 Handshake [length 008f], ClientHello
TLS_accept: SSLv3 read client hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
TLS_accept: SSLv3 write server hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0652], Certificate
TLS_accept: SSLv3 write certificate A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
TLS_accept: SSLv3 write server done A
TLS_accept: SSLv3 flush data
TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
modcall[authenticate]: module "eap" returns handled for request 2
modcall: leaving group authenticate (returns handled) for request 2
Sending Access-Challenge of id 160 to 72.33.52.18 port 1645
EAP-Message = 0x0105040a19c0000006af160301004a020
EAP-Message = 0x0b3009060355040613025553311230100
EAP-Message = 0x5d6e4a169057cacdca0c241f7664b4ee3
EAP-Message = 0x0d06092a864886f70d010105050003818
EAP-Message = 0x20417574686f72697479301e170d3938303832323136
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x6f4f1292aabb7bebdee1f88f31407af8
Finished request 2
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 72.33.52.18:1645, id=161, length=143
User-Name = "DOMAIN\\testuser"
Framed-MTU = 1400
Called-Station-Id = "0012.014d.d511"
Calling-Station-Id = "001f.5bbe.f006"
Service-Type = Login-User
Message-Authenticator = 0x105bbd75eae3037f337d028796f90340
EAP-Message = 0x020500061900
NAS-Port-Type = Wireless-802.11
NAS-Port = 26830
State = 0x6f4f1292aabb7bebdee1f88f31407af8
NAS-IP-Address = 72.33.52.18
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 3
modcall[authorize]: module "preprocess" returns ok for request 3
modcall[authorize]: module "chap" returns noop for request 3
modcall[authorize]: module "mschap" returns noop for request 3
rlm_realm: No '@' in User-Name = "DOMAIN\testuser", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 3
rlm_realm: Looking up realm "DOMAIN" for User-Name = "DOMAIN\testuser"
rlm_realm: Found realm "DOMAIN"
rlm_realm: Adding Stripped-User-Name = "testuser"
rlm_realm: Proxying request from user testuser to realm DOMAIN
rlm_realm: Adding Realm = "DOMAIN"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "DOMAIN" returns noop for request 3
rlm_eap: EAP packet type response id 5 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 3
users: Matched entry DEFAULT at line 153
modcall[authorize]: module "files" returns ok for request 3
rlm_opendirectory: The SACL group "com.apple.access_radius" does not exist on this system.
rlm_opendirectory: The host 72.33.52.18 does not have an access group.
rlm_opendirectory: no access control groups, all users allowed.
modcall[authorize]: module "opendirectory" returns ok for request 3
modcall: leaving group authorize (returns updated) for request 3
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 3
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake fragment handler
eaptls_verify returned 1
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
modcall[authenticate]: module "eap" returns handled for request 3
modcall: leaving group authenticate (returns handled) for request 3
Sending Access-Challenge of id 161 to 72.33.52.18 port 1645
EAP-Message = 0x010602b51900343135315a170d31383038323231363
EAP-Message = 0x0f3a88e7bf14fde0c7b90203010001a382010930820
EAP-Message = 0x0101ff301a06092a864886f67d074100040d300b1b0
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xee3b3812e9ee0e12d7bdb69c59963942
Finished request 3
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 72.33.52.18:1645, id=162, length=345
User-Name = "DOMAIN\\testuser"
Framed-MTU = 1400
Called-Station-Id = "0012.014d.d511"
Calling-Station-Id = "001f.5bbe.f006"
Service-Type = Login-User
Message-Authenticator = 0x859d480da5b4827c223dd8358789478c
EAP-Message = 0x020600d01980000000c6160301008610000082008036
NAS-Port-Type = Wireless-802.11
NAS-Port = 26830
State = 0xee3b3812e9ee0e12d7bdb69c59963942
NAS-IP-Address = 72.33.52.18
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
modcall[authorize]: module "preprocess" returns ok for request 4
modcall[authorize]: module "chap" returns noop for request 4
modcall[authorize]: module "mschap" returns noop for request 4
rlm_realm: No '@' in User-Name = "DOMAIN\testuser", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 4
rlm_realm: Looking up realm "DOMAIN" for User-Name = "DOMAIN\testuser"
rlm_realm: Found realm "DOMAIN"
rlm_realm: Adding Stripped-User-Name = "testuser"
rlm_realm: Proxying request from user testuser to realm DOMAIN
rlm_realm: Adding Realm = "DOMAIN"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "DOMAIN" returns noop for request 4
rlm_eap: EAP packet type response id 6 length 208
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 4
users: Matched entry DEFAULT at line 153
modcall[authorize]: module "files" returns ok for request 4
rlm_opendirectory: The SACL group "com.apple.access_radius" does not exist on this system.
rlm_opendirectory: The host 72.33.52.18 does not have an access group.
rlm_opendirectory: no access control groups, all users allowed.
modcall[authorize]: module "opendirectory" returns ok for request 4
modcall: leaving group authorize (returns updated) for request 4
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 4
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
eaptls_verify returned 11
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
TLS_accept: SSLv3 read client key exchange A
rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 read finished A
rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001]
TLS_accept: SSLv3 write change cipher spec A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 write finished A
TLS_accept: SSLv3 flush data
(other): SSL negotiation finished successfully
SSL Connection Established
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
modcall[authenticate]: module "eap" returns handled for request 4
modcall: leaving group authenticate (returns handled) for request 4
Sending Access-Challenge of id 162 to 72.33.52.18 port 1645
EAP-Message = 0x0107004119001403010001011603010030f3769ba79
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xd002e1d1d12a1423701aa22fd36caecb
Finished request 4
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 72.33.52.18:1645, id=163, length=143
User-Name = "DOMAIN\\testuser"
Framed-MTU = 1400
Called-Station-Id = "0012.014d.d511"
Calling-Station-Id = "001f.5bbe.f006"
Service-Type = Login-User
Message-Authenticator = 0xc7607f7b1b4df6de6d61f3ab291f389f
EAP-Message = 0x020700061900
NAS-Port-Type = Wireless-802.11
NAS-Port = 26830
State = 0xd002e1d1d12a1423701aa22fd36caecb
NAS-IP-Address = 72.33.52.18
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
modcall[authorize]: module "preprocess" returns ok for request 5
modcall[authorize]: module "chap" returns noop for request 5
modcall[authorize]: module "mschap" returns noop for request 5
rlm_realm: No '@' in User-Name = "DOMAIN\testuser", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 5
rlm_realm: Looking up realm "DOMAIN" for User-Name = "DOMAIN\testuser"
rlm_realm: Found realm "DOMAIN"
rlm_realm: Adding Stripped-User-Name = "testuser"
rlm_realm: Proxying request from user testuser to realm DOMAIN
rlm_realm: Adding Realm = "DOMAIN"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "DOMAIN" returns noop for request 5
rlm_eap: EAP packet type response id 7 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 5
users: Matched entry DEFAULT at line 153
modcall[authorize]: module "files" returns ok for request 5
rlm_opendirectory: The SACL group "com.apple.access_radius" does not exist on this system.
rlm_opendirectory: The host 72.33.52.18 does not have an access group.
rlm_opendirectory: no access control groups, all users allowed.
modcall[authorize]: module "opendirectory" returns ok for request 5
modcall: leaving group authorize (returns updated) for request 5
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 5
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake is finished
eaptls_verify returned 3
eaptls_process returned 3
rlm_eap_peap: EAPTLS_SUCCESS
modcall[authenticate]: module "eap" returns handled for request 5
modcall: leaving group authenticate (returns handled) for request 5
Sending Access-Challenge of id 163 to 72.33.52.18 port 1645
EAP-Message = 0x0108002b190017030100204511cb4accee4ad2cbd
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xaf59a14428dc50b51e681cead9795e59
Finished request 5
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 72.33.52.18:1645, id=164, length=196
User-Name = "DOMAIN\\testuser"
Framed-MTU = 1400
Called-Station-Id = "0012.014d.d511"
Calling-Station-Id = "001f.5bbe.f006"
Service-Type = Login-User
Message-Authenticator = 0x3c6cc76368bbd0064007012bd9a56286
EAP-Message = 0x0208003b19001703010030435e58e7bc3f43b1004d
NAS-Port-Type = Wireless-802.11
NAS-Port = 26830
State = 0xaf59a14428dc50b51e681cead9795e59
NAS-IP-Address = 72.33.52.18
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 6
modcall[authorize]: module "preprocess" returns ok for request 6
modcall[authorize]: module "chap" returns noop for request 6
modcall[authorize]: module "mschap" returns noop for request 6
rlm_realm: No '@' in User-Name = "DOMAIN\testuser", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 6
rlm_realm: Looking up realm "DOMAIN" for User-Name = "DOMAIN\testuser"
rlm_realm: Found realm "DOMAIN"
rlm_realm: Adding Stripped-User-Name = "testuser"
rlm_realm: Proxying request from user testuser to realm DOMAIN
rlm_realm: Adding Realm = "DOMAIN"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "DOMAIN" returns noop for request 6
rlm_eap: EAP packet type response id 8 length 59
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 6
users: Matched entry DEFAULT at line 153
modcall[authorize]: module "files" returns ok for request 6
rlm_opendirectory: The SACL group "com.apple.access_radius" does not exist on this system.
rlm_opendirectory: The host 72.33.52.18 does not have an access group.
rlm_opendirectory: no access control groups, all users allowed.
modcall[authorize]: module "opendirectory" returns ok for request 6
modcall: leaving group authorize (returns updated) for request 6
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: Identity - DOMAIN\testuser
rlm_eap_peap: Tunneled data is valid.
PEAP: Got tunneled EAP-Message
EAP-Message = 0x020800140142494f4348454d5c6b77746f62696e
PEAP: Got tunneled identity of DOMAIN\testuser
PEAP: Setting default EAP type for tunneled EAP session.
PEAP: Setting User-Name to DOMAIN\testuser
PEAP: Sending tunneled request
EAP-Message = 0x020800140142494f4348454d5c6b77746f62696e
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "DOMAIN\\testuser"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 6
modcall[authorize]: module "preprocess" returns ok for request 6
modcall[authorize]: module "chap" returns noop for request 6
modcall[authorize]: module "mschap" returns noop for request 6
rlm_realm: No '@' in User-Name = "DOMAIN\testuser", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 6
rlm_realm: Looking up realm "DOMAIN" for User-Name = "DOMAIN\testuser"
rlm_realm: Found realm "DOMAIN"
rlm_realm: Adding Stripped-User-Name = "testuser"
rlm_realm: Proxying request from user testuser to realm DOMAIN
rlm_realm: Adding Realm = "DOMAIN"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "DOMAIN" returns noop for request 6
rlm_eap: EAP packet type response id 8 length 20
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 6
users: Matched entry DEFAULT at line 153
users: Matched entry DEFAULT at line 215
modcall[authorize]: module "files" returns ok for request 6
rlm_opendirectory: The SACL group "com.apple.access_radius" does not exist on this system.
rlm_opendirectory: The host 127.0.0.1 does not have an access group.
rlm_opendirectory: no access control groups, all users allowed.
modcall[authorize]: module "opendirectory" returns ok for request 6
modcall: leaving group authorize (returns updated) for request 6
PEAP: Got tunneled reply RADIUS code 0
PEAP: Calling authenticate in order to initiate tunneled EAP session.
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
rlm_eap: EAP Identity
rlm_eap: processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
modcall[authenticate]: module "eap" returns handled for request 6
modcall: leaving group authenticate (returns handled) for request 6
PEAP: Cancelling proxy to realm DOMAIN2 until the tunneled EAP session has been established
PEAP: Processing from tunneled session code 0x3d1130 11
EAP-Message = 0x010900291a010900241023e844fb299922328bcd9afb85
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x2eccb033105fdb6a479a942749c87c81
PEAP: Got tunneled Access-Challenge
modcall[authenticate]: module "eap" returns handled for request 6
modcall: leaving group authenticate (returns handled) for request 6
Sending Access-Challenge of id 164 to 72.33.52.18 port 1645
EAP-Message = 0x0109004b190017030100407a57237c993df0b86a51e4e9d
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x297dcaf7b8e27012949b741e7450c53d
Finished request 6
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 72.33.52.18:1645, id=165, length=244
User-Name = "DOMAIN\\testuser"
Framed-MTU = 1400
Called-Station-Id = "0012.014d.d511"
Calling-Station-Id = "001f.5bbe.f006"
Service-Type = Login-User
Message-Authenticator = 0x85fc0a7a6f33fd4e6ae3c878b1899924
EAP-Message = 0x0209006b190017030100608ff942023de3a18f37dcdd
NAS-Port-Type = Wireless-802.11
NAS-Port = 26830
State = 0x297dcaf7b8e27012949b741e7450c53d
NAS-IP-Address = 72.33.52.18
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 7
modcall[authorize]: module "preprocess" returns ok for request 7
modcall[authorize]: module "chap" returns noop for request 7
modcall[authorize]: module "mschap" returns noop for request 7
rlm_realm: No '@' in User-Name = "DOMAIN\testuser", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 7
rlm_realm: Looking up realm "DOMAIN" for User-Name = "DOMAIN\testuser"
rlm_realm: Found realm "DOMAIN"
rlm_realm: Adding Stripped-User-Name = "testuser"
rlm_realm: Proxying request from user testuser to realm DOMAIN
rlm_realm: Adding Realm = "DOMAIN"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "DOMAIN" returns noop for request 7
rlm_eap: EAP packet type response id 9 length 107
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 7
users: Matched entry DEFAULT at line 153
modcall[authorize]: module "files" returns ok for request 7
rlm_opendirectory: The SACL group "com.apple.access_radius" does not exist on this system.
rlm_opendirectory: The host 72.33.52.18 does not have an access group.
rlm_opendirectory: no access control groups, all users allowed.
modcall[authorize]: module "opendirectory" returns ok for request 7
modcall: leaving group authorize (returns updated) for request 7
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 7
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: EAP type mschapv2
rlm_eap_peap: Tunneled data is valid.
PEAP: Got tunneled EAP-Message
EAP-Message = 0x0209004a1a02090045314473091d3995ad42145fd87434b
PEAP: Setting User-Name to DOMAIN\testuser
PEAP: Adding old state with 2e cc
PEAP: Sending tunneled request
EAP-Message = 0x0209004a1a02090045314473091d3995ad42145fd87434b
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "DOMAIN\\testuser"
State = 0x2eccb033105fdb6a479a942749c87c81
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 7
modcall[authorize]: module "preprocess" returns ok for request 7
modcall[authorize]: module "chap" returns noop for request 7
modcall[authorize]: module "mschap" returns noop for request 7
rlm_realm: No '@' in User-Name = "DOMAIN\testuser", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 7
rlm_realm: Looking up realm "DOMAIN" for User-Name = "DOMAIN\testuser"
rlm_realm: Found realm "DOMAIN"
rlm_realm: Adding Stripped-User-Name = "testuser"
rlm_realm: Proxying request from user testuser to realm DOMAIN
rlm_realm: Adding Realm = "DOMAIN"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "DOMAIN" returns noop for request 7
rlm_eap: EAP packet type response id 9 length 74
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 7
users: Matched entry DEFAULT at line 153
users: Matched entry DEFAULT at line 215
modcall[authorize]: module "files" returns ok for request 7
rlm_opendirectory: The SACL group "com.apple.access_radius" does not exist on this system.
rlm_opendirectory: The host 127.0.0.1 does not have an access group.
rlm_opendirectory: no access control groups, all users allowed.
modcall[authorize]: module "opendirectory" returns ok for request 7
modcall: leaving group authorize (returns updated) for request 7
PEAP: Got tunneled reply RADIUS code 0
PEAP: Calling authenticate in order to initiate tunneled EAP session.
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 7
rlm_eap: Request found, released from the list
rlm_eap: EAP/mschapv2
rlm_eap: processing type mschapv2
Not-EAP proxy set. Not composing EAP
modcall[authenticate]: module "eap" returns handled for request 7
modcall: leaving group authenticate (returns handled) for request 7
PEAP: Tunneled authentication will be proxied to DOMAIN2
PEAP: Remembering to do EAP-MS-CHAP-V2 post-proxy.
Tunneled session will be proxied. Not doing EAP.
modcall[authenticate]: module "eap" returns handled for request 7
modcall: leaving group authenticate (returns handled) for request 7
Sending Access-Request of id 0 to 128.104.117.22 port 1812
User-Name = "testuser"
NAS-IP-Address = 127.0.0.1
MS-CHAP-Challenge = 0x23e844fb299922328bcd9afb85604ade
MS-CHAP2-Response = 0x09494473091d3995ad42145fd87434bc693200000000
Proxy-State = 0x313635
Waking up in 6 seconds...
rad_recv: Access-Accept packet from host 128.104.117.22:1812, id=0, length=76
MS-CHAP2-Success = 0x09533d46414634414241314436303436383634313932
Proxy-State = 0x313635
Processing the post-proxy section of radiusd.conf
modcall: entering group post-proxy for request 7
PEAP: Passing reply from proxy back into the tunnel.
PEAP: Passing reply back for EAP-MS-CHAP-V2 0x3d2d80 2
Processing the post-proxy section of radiusd.conf
modcall: entering group post-proxy for request 7
rlm_eap_mschapv2: Passing reply from proxy back into the tunnel 0x3d2d80 2.
rlm_eap_mschapv2: Authentication succeeded.
MSCHAP Success
modcall[post-proxy]: module "eap" returns ok for request 7
modcall: leaving group post-proxy (returns ok) for request 7
POST-PROXY 2
POST-AUTH 2
PEAP: Final reply from tunneled session code 11
Proxy-State = 0x313635
EAP-Message = 0x010a00331a0309002e533d46414634414241314436303
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x33ada0ae4018cfd21fc1676f5cde8477
PEAP: Got reply 11
PEAP: Processing from tunneled session code 0x3d2ca0 11
Proxy-State = 0x313635
EAP-Message = 0x010a00331a0309002e533d464146344142413144363
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x33ada0ae4018cfd21fc1676f5cde8477
PEAP: Got tunneled Access-Challenge
PEAP: Reply was handled
modcall[post-proxy]: module "eap" returns ok for request 7
modcall: leaving group post-proxy (returns ok) for request 7
Sending Access-Challenge of id 165 to 72.33.52.18 port 1645
EAP-Message = 0x010a005b19001703010050ab3d27c44ba17259fa4f5a
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x3c06f6d9b33bbb14f5aa5d3120fdc7c6
Finished request 7
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 72.33.52.18:1645, id=166, length=180
User-Name = "DOMAIN\\testuser"
Framed-MTU = 1400
Called-Station-Id = "0012.014d.d511"
Calling-Station-Id = "001f.5bbe.f006"
Service-Type = Login-User
Message-Authenticator = 0xcc902bdbb6da0a2113692c7cbe6f0e22
EAP-Message = 0x020a002b190017030100202fd67124633b5504682f
NAS-Port-Type = Wireless-802.11
NAS-Port = 26830
State = 0x3c06f6d9b33bbb14f5aa5d3120fdc7c6
NAS-IP-Address = 72.33.52.18
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 8
modcall[authorize]: module "preprocess" returns ok for request 8
modcall[authorize]: module "chap" returns noop for request 8
modcall[authorize]: module "mschap" returns noop for request 8
rlm_realm: No '@' in User-Name = "DOMAIN\testuser", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 8
rlm_realm: Looking up realm "DOMAIN" for User-Name = "DOMAIN\testuser"
rlm_realm: Found realm "DOMAIN"
rlm_realm: Adding Stripped-User-Name = "testuser"
rlm_realm: Proxying request from user testuser to realm DOMAIN
rlm_realm: Adding Realm = "DOMAIN"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "DOMAIN" returns noop for request 8
rlm_eap: EAP packet type response id 10 length 43
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 8
users: Matched entry DEFAULT at line 153
modcall[authorize]: module "files" returns ok for request 8
rlm_opendirectory: The SACL group "com.apple.access_radius" does not
exist on this system.
rlm_opendirectory: The host 72.33.52.18 does not have an access group.
rlm_opendirectory: no access control groups, all users allowed.
modcall[authorize]: module "opendirectory" returns ok for request 8
modcall: leaving group authorize (returns updated) for request 8
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 8
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: EAP type mschapv2
rlm_eap_peap: Tunneled data is valid.
PEAP: Got tunneled EAP-Message
EAP-Message = 0x020a00061a03
PEAP: Setting User-Name to DOMAIN\testuser
PEAP: Adding old state with 33 ad
PEAP: Sending tunneled request
EAP-Message = 0x020a00061a03
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "DOMAIN\\testuser"
State = 0x33ada0ae4018cfd21fc1676f5cde8477
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 8
modcall[authorize]: module "preprocess" returns ok for request 8
modcall[authorize]: module "chap" returns noop for request 8
modcall[authorize]: module "mschap" returns noop for request 8
rlm_realm: No '@' in User-Name = "DOMAIN\testuser", looking up
realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 8
rlm_realm: Looking up realm "DOMAIN" for User-Name = "DOMAIN
\testuser"
rlm_realm: Found realm "DOMAIN"
rlm_realm: Adding Stripped-User-Name = "testuser"
rlm_realm: Proxying request from user testuser to realm DOMAIN
rlm_realm: Adding Realm = "DOMAIN"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "DOMAIN" returns noop for request 8
rlm_eap: EAP packet type response id 10 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 8
users: Matched entry DEFAULT at line 153
users: Matched entry DEFAULT at line 215
modcall[authorize]: module "files" returns ok for request 8
rlm_opendirectory: The SACL group "com.apple.access_radius" does not
exist on this system.
rlm_opendirectory: The host 127.0.0.1 does not have an access group.
rlm_opendirectory: no access control groups, all users allowed.
modcall[authorize]: module "opendirectory" returns ok for request 8
modcall: leaving group authorize (returns updated) for request 8
PEAP: Got tunneled reply RADIUS code 0
PEAP: Calling authenticate in order to initiate tunneled EAP session.
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 8
rlm_eap: Request not found in the list
rlm_eap: Either EAP-request timed out OR EAP-response to an unknown
EAP-request
rlm_eap: Failed in handler
modcall[authenticate]: module "eap" returns invalid for request 8
modcall: leaving group authenticate (returns invalid) for request 8
PEAP: Can't handle the return code 4
rlm_eap: Handler failed in EAP/peap
rlm_eap: Failed in EAP select
modcall[authenticate]: module "eap" returns invalid for request 8
modcall: leaving group authenticate (returns invalid) for request 8
auth: Failed to validate the user.
Login incorrect: [testuser] (from client BiochemWireless port 26830
cli 001f.5bbe.f006)
Delaying request 8 for 1 seconds
Finished request 8
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 72.33.52.18:1645, id=166,
length=180
Sending Access-Reject of id 166 to 72.33.52.18 port 1645
EAP-Message = 0x040a0004
Message-Authenticator = 0x00000000000000000000000000000000
--- Walking the entire request list ---
Cleaning up request 0 ID 158 with timestamp 49120210
Cleaning up request 1 ID 159 with timestamp 49120210
Cleaning up request 2 ID 160 with timestamp 49120210
Cleaning up request 3 ID 161 with timestamp 49120210
Cleaning up request 4 ID 162 with timestamp 49120210
Cleaning up request 5 ID 163 with timestamp 49120210
Cleaning up request 6 ID 164 with timestamp 49120210
Cleaning up request 7 ID 165 with timestamp 49120210
Cleaning up request 8 ID 166 with timestamp 49120210
Nothing to do. Sleeping until we see a request.
^C
sh-3.2#
Kerry Tobin
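As an added example (not part of the original post or of FreeRADIUS): a small Python decoder for the EAP-Message values in the debug output above, following the RFC 3748 header layout. The function names are this example's own; the sample values are copied from the log as they appear there, including the ones that are cut short.

```python
import re

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 25: "PEAP", 26: "MS-CHAPv2"}
MSCHAP_OPS = {1: "Challenge", 2: "Response", 3: "Success", 4: "Failure"}

def decode_eap(hex_value):
    """Decode the EAP header (RFC 3748) of one EAP-Message value from a debug log."""
    digits = hex_value[2:] if hex_value.lower().startswith("0x") else hex_value
    # Long values appear cut short in the posted log, sometimes mid-byte.
    raw = bytes.fromhex(digits[:len(digits) - len(digits) % 2])
    if len(raw) < 4:
        raise ValueError("shorter than the 4-byte EAP header")
    length = int.from_bytes(raw[2:4], "big")
    out = {"code": EAP_CODES.get(raw[0], raw[0]), "id": raw[1],
           "length": length, "truncated": len(raw) < length}
    if raw[0] in (1, 2) and len(raw) >= 5:    # only Request/Response carry a Type
        out["type"] = EAP_TYPES.get(raw[4], raw[4])
        if raw[4] == 26 and len(raw) >= 6:    # MS-CHAPv2: next byte is the OpCode
            out["mschap_op"] = MSCHAP_OPS.get(raw[5], raw[5])
        elif raw[4] == 25 and len(raw) >= 6:  # PEAP: flags, optional length, TLS record
            start = 10 if raw[5] & 0x80 else 6    # L flag adds a 4-byte TLS length
            if len(raw) >= start + 5:
                # (content type, protocol version, record length) of the TLS record
                out["tls_record"] = (raw[start], raw[start + 1:start + 3].hex(),
                                     int.from_bytes(raw[start + 3:start + 5], "big"))
    return out

def decode_log(text):
    """Decode every 'EAP-Message = 0x...' line of a debug log, in order."""
    return [decode_eap(v) for v in re.findall(r"EAP-Message = (0x[0-9a-fA-F]+)", text)]

# Values copied from the debug output above, as they appear there.
SAMPLE = """\
EAP-Message = 0x010a00331a0309002e533d464146344142413144363
EAP-Message = 0x010a005b19001703010050ab3d27c44ba17259fa4f5a
EAP-Message = 0x020a002b190017030100202fd67124633b5504682f
EAP-Message = 0x020a00061a03
EAP-Message = 0x040a0004
"""

if __name__ == "__main__":
    for packet in decode_log(SAMPLE):
        print(packet)
```

The decoded lengths (43 and 6) agree with the server's own "rlm_eap: EAP packet type response id 10 length ..." lines, and the last tunneled message before "Request not found in the list" decodes as an MS-CHAPv2 Success response.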
------------------------------
Message: 4
Date: Wed, 05 Nov 2008 16:24:44 +0100
From: <[EMAIL PROTECTED]>
Subject: Re: Freeradius-Users Digest, Vol 43, Issue 17
To: "FreeRadius users mailing list"
<freeradius-users@lists.freeradius.org>
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=ISO-8859-2
OK, I think I'm another step closer now. I made the suggested change
and there was no change in the logs. EAP still was not being done on
the local machine and was failing on the proxy. However, I tried
creating a second domain, set the original domain to go to LOCAL and
the second domain to go to the proxy server. When I do that the proxy
properly authenticates to Open Directory, step one. However,
eventually I get a failure in rlm_eap again.
modcall: entering group authenticate for request 8
rlm_eap: Request not found in the list
rlm_eap: Either EAP-request timed out OR EAP-response to an unknown
EAP-request
rlm_eap: Failed in handler
Am I on to the beginning of a solution by using two domains or do I
need to go back and then change something else?
Can you post both debugs from the server that is terminating eap?
You can start with the request before it decides to proxy (you can
leave out eap-tls tunnel creation).
Ivan Kalik
Kalik Informatika ISP