On Thu, 2009-02-19 at 10:23 -0600, Mike Loosbrock wrote:
> Tomas, it sounds like you want the following behavior:
>
> 1.) machine boots up
> 2.) machine 802.1x authenticates, opening switch port for AD communication
> 3.) user enters credentials into OS login screen
> 4.) machine authenticates user against AD
> 5.) machine does a 802.1x re-auth with the user's credentials
>
> Windows does support this and (surprise) it actually works well.
> Assuming you're using the native Windows 802.1x supplicant and have
> the non-domain case working, you can get the above behavior by
> enabling the following options in the supplicant: (how you do this
> varies a bit across Windows versions)
>
> 'Authenticate as computer when computer information is available'
> 'Automatically use my Windows logon name and password (and domain if any)'

Mike,

Thanks for your mail. I was ticking all the options and seeing what came out in the output; now that you have said it, it all makes sense. I was missing the step where the machine authenticates so that the user can communicate with AD, and then, once the user has logged on, it re-authenticates using the user's credentials. I tried this option and RADIUS does pick it up. This is the radiusd -X dump from when the computer provides host credentials:
rad_recv: Access-Request packet from host 192.168.0.50 port 1024, id=69, length=241
	Framed-MTU = 1480
	NAS-IP-Address = 192.168.0.50
	NAS-Identifier = "HP ProCurve Switch 2824"
	User-Name = "host/PC1.ad.lab.com"
	Service-Type = Framed-User
	Framed-Protocol = PPP
	NAS-Port = 1
	NAS-Port-Type = Ethernet
	NAS-Port-Id = "1"
	Called-Station-Id = "00-11-0a-fe-a9-3f"
	Calling-Station-Id = "00-17-a4-4e-77-47"
	Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex"
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "1"
	EAP-Message = 0x0202001801686f73742f5043312e61642e6c61622e636f6d
	Message-Authenticator = 0x776191bf1a6b8a58e704fcc7f112ed60
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "host/PC1.ad.lab.com", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 24
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 172
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 69 to 192.168.0.50 port 1024
	Framed-Protocol = PPP
	Framed-Compression = Van-Jacobson-TCP-IP
	EAP-Message = 0x010300061920
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x0afa11ec0af9084d66de98b8605bce83
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.0.50 port 1024, id=70, length=315
	Framed-MTU = 1480
	NAS-IP-Address = 192.168.0.50
	NAS-Identifier = "HP ProCurve Switch 2824"
	User-Name = "host/PC1.ad.lab.com"
	Service-Type = Framed-User
	Framed-Protocol = PPP
	NAS-Port = 1
	NAS-Port-Type = Ethernet
	NAS-Port-Id = "1"
	Called-Station-Id = "00-11-0a-fe-a9-3f"
	Calling-Station-Id = "00-17-a4-4e-77-47"
	Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex"
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "1"
	State = 0x0afa11ec0af9084d66de98b8605bce83
	EAP-Message = 0x0203005019800000004616030100410100003d0301499d8a5a7d404fc4ab8f844caf1a6187a856c227b0377058d45002bbdd6e2c1000001600040005000a000900640062000300060013001200630100
	Message-Authenticator = 0x241c09d55aa981883ee4362b927d07de
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "host/PC1.ad.lab.com", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 80
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 70
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 0041], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 002a], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 085e], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 70 to 192.168.0.50 port 1024
	EAP-Message = (elided)
	EAP-Message = (elided)
	EAP-Message = (elided)
	EAP-Message = (elided)
	EAP-Message = 0xa73082038fa0030201020209
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x0afa11ec0bfe084d66de98b8605bce83
Finished request 1.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 192.168.0.50 port 1024, id=71, length=241
	Framed-MTU = 1480
	NAS-IP-Address = 192.168.0.50
	NAS-Identifier = "HP ProCurve Switch 2824"
	User-Name = "host/PC1.ad.lab.com"
	Service-Type = Framed-User
	Framed-Protocol = PPP
	NAS-Port = 1
	NAS-Port-Type = Ethernet
	NAS-Port-Id = "1"
	Called-Station-Id = "00-11-0a-fe-a9-3f"
	Calling-Station-Id = "00-17-a4-4e-77-47"
	Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex"
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "1"
	State = 0x0afa11ec0bfe084d66de98b8605bce83
	EAP-Message = 0x020400061900
	Message-Authenticator = 0x754b846a5d7bac3eca4db244a105c150
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "host/PC1.ad.lab.com", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 4 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 71 to 192.168.0.50 port 1024
	EAP-Message = (elided)
	EAP-Message = (elided)
	EAP-Message = (elided)
	EAP-Message = 0x0813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747982090094a001b5eb25441d300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100699e12dabf9c108ba7200bee0c69f2ff01ac37886fdd207b3ccde9311f7684959ed3dfda0936a2781ac286612ef24d987159c2b28e9d756b53701e15967b73c3f82c8517cbfefa2d3e9ac1275e180c97ccbb
	EAP-Message = 0x5f8391f0cafc40c7
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x0afa11ec08ff084d66de98b8605bce83
Finished request 2.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 192.168.0.50 port 1024, id=72, length=241
	Framed-MTU = 1480
	NAS-IP-Address = 192.168.0.50
	NAS-Identifier = "HP ProCurve Switch 2824"
	User-Name = "host/PC1.ad.lab.com"
	Service-Type = Framed-User
	Framed-Protocol = PPP
	NAS-Port = 1
	NAS-Port-Type = Ethernet
	NAS-Port-Id = "1"
	Called-Station-Id = "00-11-0a-fe-a9-3f"
	Calling-Station-Id = "00-17-a4-4e-77-47"
	Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex"
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "1"
	State = 0x0afa11ec08ff084d66de98b8605bce83
	EAP-Message = 0x020500061900
	Message-Authenticator = 0x7200ea239f30f92d11b58c76655ad4fb
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "host/PC1.ad.lab.com", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 5 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 72 to 192.168.0.50 port 1024
	EAP-Message = 0x010600b51900290a8a1becaa5f95acd275a8b07d4ce8e2b56745877efd21ca5cee0c39bd7e66d625688c05a22f43c49f90c057109d12adf008cfe513d4219f84bcd4e123caf1548e368bff658efb2f8c8c674a2e5ec896136ea044eeef99fd52220ecb2ee8192aeacb6bac2e30b29b670e2532924a6cd60dae38584514d46c38e550a52dd719060d7468bc87833fc6e65fba911ee8610e5ca515ecf58705dee114e2954fced9276ff4e6356f16030100040e000000
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x0afa11ec09fc084d66de98b8605bce83
Finished request 3.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 192.168.0.50 port 1024, id=73, length=557
	Framed-MTU = 1480
	NAS-IP-Address = 192.168.0.50
	NAS-Identifier = "HP ProCurve Switch 2824"
	User-Name = "host/PC1.ad.lab.com"
	Service-Type = Framed-User
	Framed-Protocol = PPP
	NAS-Port = 1
	NAS-Port-Type = Ethernet
	NAS-Port-Id = "1"
	Called-Station-Id = "00-11-0a-fe-a9-3f"
	Calling-Station-Id = "00-17-a4-4e-77-47"
	Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex"
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "1"
	State = 0x0afa11ec09fc084d66de98b8605bce83
	EAP-Message = (elided)
	EAP-Message = 0xef755b865824774bb734b3c2f218a0ad56ae8eab81f7b98d1403010001011603010020c0f20daf8800695c5f253ff3ec26d5626dc59e775f59146cab0c6bc20acca753
	Message-Authenticator = 0x3b50b4e11df88b6c16d59122cd3faaf9
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "host/PC1.ad.lab.com", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 6 length 253
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 310
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange
[peap] TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap] TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 write finished A
[peap] TLS_accept: SSLv3 flush data
[peap] (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 73 to 192.168.0.50 port 1024
	EAP-Message = 0x01070031190014030100010116030100202c741f5c88031ac271a7f0d07e7620d7d88bcd2ec486b8192b2c4819bfbe399d
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x0afa11ec0efd084d66de98b8605bce83
Finished request 4.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 192.168.0.50 port 1024, id=74, length=241
	Framed-MTU = 1480
	NAS-IP-Address = 192.168.0.50
	NAS-Identifier = "HP ProCurve Switch 2824"
	User-Name = "host/PC1.ad.lab.com"
	Service-Type = Framed-User
	Framed-Protocol = PPP
	NAS-Port = 1
	NAS-Port-Type = Ethernet
	NAS-Port-Id = "1"
	Called-Station-Id = "00-11-0a-fe-a9-3f"
	Calling-Station-Id = "00-17-a4-4e-77-47"
	Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex"
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "1"
	State = 0x0afa11ec0efd084d66de98b8605bce83
	EAP-Message = 0x020700061900
	Message-Authenticator = 0x836425394ba770ff12cb284673a5e7f4
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "host/PC1.ad.lab.com", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 7 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
++[eap] returns handled
Sending Access-Challenge of id 74 to 192.168.0.50 port 1024
	EAP-Message = 0x01080020190017030100158ddb5d04f12d39356ecbda6080235bad81d9d8ec7d
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x0afa11ec0ff2084d66de98b8605bce83
Finished request 5.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 192.168.0.50 port 1024, id=75, length=282
	Framed-MTU = 1480
	NAS-IP-Address = 192.168.0.50
	NAS-Identifier = "HP ProCurve Switch 2824"
	User-Name = "host/PC1.ad.lab.com"
	Service-Type = Framed-User
	Framed-Protocol = PPP
	NAS-Port = 1
	NAS-Port-Type = Ethernet
	NAS-Port-Id = "1"
	Called-Station-Id = "00-11-0a-fe-a9-3f"
	Calling-Station-Id = "00-17-a4-4e-77-47"
	Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex"
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "1"
	State = 0x0afa11ec0ff2084d66de98b8605bce83
	EAP-Message = 0x0208002f19001703010024983cfbd91304532cb0b0939d4d772c3e6c3d20d8b69de28f1f3cf4924ea0a7693c322c6b
	Message-Authenticator = 0x7f75ae3a85f1a2bdace3ca4bc5464379
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "host/PC1.ad.lab.com", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 8 length 47
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Identity - host/PC1.ad.lab.com
[peap] Got tunneled request
	EAP-Message = 0x0208001801686f73742f5043312e61642e6c61622e636f6d
server {
  PEAP: Got tunneled identity of host/PC1.ad.lab.com
  PEAP: Setting default EAP type for tunneled EAP session.
  PEAP: Setting User-Name to host/PC1.ad.lab.com
Sending tunneled request
	EAP-Message = 0x0208001801686f73742f5043312e61642e6c61622e636f6d
	FreeRADIUS-Proxied-To = 127.0.0.1
	User-Name = "host/PC1.ad.lab.com"
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "host/PC1.ad.lab.com", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 8 length 24
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
	EAP-Message = 0x0109002d1a0109002810f5213060b5e6a38d27ae3961f3d34ee0686f73742f5043312e61642e6c61622e636f6d
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xb08a8815b08392f63ecb6ffeec36b954
[peap] Got tunneled reply RADIUS code 11
	EAP-Message = 0x0109002d1a0109002810f5213060b5e6a38d27ae3961f3d34ee0686f73742f5043312e61642e6c61622e636f6d
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xb08a8815b08392f63ecb6ffeec36b954
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 75 to 192.168.0.50 port 1024
	EAP-Message = 0x0109004419001703010039f9c7f47443128903a5e5a22ede2d1aaec9668c2fd70d46c81b18a00c363273462985c798989290e6b211f69ff0403f525dafad780de72e1866
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x0afa11ec0cf3084d66de98b8605bce83
Finished request 6.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 192.168.0.50 port 1024, id=76, length=336
	Framed-MTU = 1480
	NAS-IP-Address = 192.168.0.50
	NAS-Identifier = "HP ProCurve Switch 2824"
	User-Name = "host/PC1.ad.lab.com"
	Service-Type = Framed-User
	Framed-Protocol = PPP
	NAS-Port = 1
	NAS-Port-Type = Ethernet
	NAS-Port-Id = "1"
	Called-Station-Id = "00-11-0a-fe-a9-3f"
	Calling-Station-Id = "00-17-a4-4e-77-47"
	Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex"
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "1"
	State = 0x0afa11ec0cf3084d66de98b8605bce83
	EAP-Message = 0x020900651900170301005a1b964fc1f42dc9e5bb99bf5516c1b7c4ce78e5beb05a42e9b322057dae200118db520386410c1c57e55d502731a8ddffcc1c7afca094ae7e096e19937333c547200c1aa9b9ceee4a7bc0620d5f9abe3dcd83f9247522c611cfbc
	Message-Authenticator = 0x2fa9e102cac1e2270c3f4e400ae6843e
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "host/PC1.ad.lab.com", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 9 length 101
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] EAP type mschapv2
[peap] Got tunneled request
	EAP-Message = 0x0209004e1a0209004931a17d769cab8bd37e3959ebc65ebb59660000000000000000559d2b1923d94810ff460021cedd68b8f7781c6897efa07200686f73742f5043312e61642e6c61622e636f6d
server {
  PEAP: Setting User-Name to host/PC1.ad.lab.com
Sending tunneled request
	EAP-Message = 0x0209004e1a0209004931a17d769cab8bd37e3959ebc65ebb59660000000000000000559d2b1923d94810ff460021cedd68b8f7781c6897efa07200686f73742f5043312e61642e6c61622e636f6d
	FreeRADIUS-Proxied-To = 127.0.0.1
	User-Name = "host/PC1.ad.lab.com"
	State = 0xb08a8815b08392f63ecb6ffeec36b954
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "host/PC1.ad.lab.com", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 9 length 78
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for host/PC1.ad.lab.com with NT-Password
[mschap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
[mschap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
[mschap] expand: --username=%{Stripped-User-Name:-%{User-Name:-None}} -> --username=host/PC1.ad.lab.com
[mschap] mschap2: f5
[mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=ef47e24d23623e97
[mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=559d2b1923d94810ff460021cedd68b8f7781c6897efa072
Exec-Program output: Logon failure (0xc000006d)
Exec-Program-Wait: plaintext: Logon failure (0xc000006d)
Exec-Program: returned: 1
[mschap] External script failed.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
} # server inner-tunnel
[peap] Got tunneled reply code 3
	MS-CHAP-Error = "\tE=691 R=1"
	EAP-Message = 0x04090004
	Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code 3
	MS-CHAP-Error = "\tE=691 R=1"
	EAP-Message = 0x04090004
	Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] returns handled
Sending Access-Challenge of id 76 to 192.168.0.50 port 1024
	EAP-Message = 0x010a00261900170301001b0bfeccd328b5dc469dcf83e1b9d348eb615a7ac5bf99afb97bdc16
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x0afa11ec0df0084d66de98b8605bce83
Finished request 7.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 192.168.0.50 port 1024, id=77, length=273
	Framed-MTU = 1480
	NAS-IP-Address = 192.168.0.50
	NAS-Identifier = "HP ProCurve Switch 2824"
	User-Name = "host/PC1.ad.lab.com"
	Service-Type = Framed-User
	Framed-Protocol = PPP
	NAS-Port = 1
	NAS-Port-Type = Ethernet
	NAS-Port-Id = "1"
	Called-Station-Id = "00-11-0a-fe-a9-3f"
	Calling-Station-Id = "00-17-a4-4e-77-47"
	Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex"
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "1"
	State = 0x0afa11ec0df0084d66de98b8605bce83
	EAP-Message = 0x020a00261900170301001b0e5f0e679c59798c9e65fd41ac3a3b0cf1fff77179ba6a12d58168
	Message-Authenticator = 0x82b00465e77de1d0c986cc30f34fd571
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "host/PC1.ad.lab.com", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 10 length 38
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Received EAP-TLV response.
[peap] Had sent TLV failure. User was rejected earlier in this session.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> host/PC1.ad.lab.com
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 8 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 8
Sending Access-Reject of id 77 to 192.168.0.50 port 1024
	EAP-Message = 0x040a0004
	Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.7 seconds.
Cleaning up request 0 ID 69 with timestamp +63
Waking up in 0.1 seconds.
Cleaning up request 1 ID 70 with timestamp +63
Cleaning up request 2 ID 71 with timestamp +63
Cleaning up request 3 ID 72 with timestamp +63
Cleaning up request 4 ID 73 with timestamp +63
Cleaning up request 5 ID 74 with timestamp +63
Cleaning up request 6 ID 75 with timestamp +63
Cleaning up request 7 ID 76 with timestamp +63
Waking up in 0.9 seconds.
Cleaning up request 8 ID 77 with timestamp +63
Ready to process requests.

Do I need to change my modules/mschap config? Currently I have:

ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"

Thanks ever so much for your help!

Regards,
Tomas

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
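Added example (editor's note, not a reply from the thread): the failing step in the dump above is the inner MS-CHAPv2 check, where rlm_mschap runs ntlm_auth with --username=host/PC1.ad.lab.com and gets back "Logon failure (0xc000006d)", which is STATUS_LOGON_FAILURE from the domain controller. No AD account is named host/PC1.ad.lab.com; the computer object's account name is PC1$. The mschap module configuration below shows the posted ntlm_auth line next to a form that hands ntlm_auth the computer account. It assumes a FreeRADIUS build whose rlm_mschap provides the %{mschap:User-Name} expansion (2.1.x and 3.x), a Samba winbind joined to ad.lab.com, and AD as the NetBIOS name of that domain; the group SID in the last comment is a placeholder.

```conf
# raddb/modules/mschap (FreeRADIUS 2.x layout; raddb/mods-available/mschap in 3.x)
mschap {
	# Strip a leading "DOMAIN\" from user names before the MS-CHAP computation
	# (set this when Windows clients send DOMAIN\user).
	with_ntdomain_hack = yes

	# Before (the line from the post). The account name passed to ntlm_auth is
	# the raw EAP identity, so machine authentication sends
	# --username=host/PC1.ad.lab.com. That account does not exist; the computer
	# object is PC1$, the DC answers STATUS_LOGON_FAILURE (0xc000006d), and
	# rlm_mschap reports it as "MS-CHAP2-Response is incorrect" (MS-CHAP-Error E=691).
	#
	# ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"

	# After. %{mschap:User-Name} maps "host/PC1.ad.lab.com" to "PC1$" (and
	# "AD\jdoe" to "jdoe"). --domain=AD is the assumed NetBIOS name for
	# ad.lab.com; omit it to let ntlm_auth use winbind's own domain.
	# The %{%{x}:-y} spelling replaces the deprecated %{x:-y} form that the
	# debug output warns about ("Deprecated conditional expansion").
	# The challenge and NT-Response arguments are unchanged: rlm_mschap derives
	# the 8-byte challenge (ef47e24d23623e97 in the dump) from the name the
	# supplicant put in its MS-CHAPv2 response, and ntlm_auth uses
	# --username/--domain only to locate the NT hash it verifies against.
	ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --domain=AD --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"

	# Optional hardening: once host/ names resolve to computer accounts, every
	# domain-joined machine can open a port. Restrict that to members of a
	# chosen AD group (placeholder SID) so authorization is explicit:
	# ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --require-membership-of=S-1-5-21-<placeholder> --username=%{mschap:User-Name} --domain=AD --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}
```

Two things worth checking after the change. First, a rejected NT-Response for PC1$ now means the hash really did not match (for example, a stale computer account password), whereas 0xc000006d on the host/ name only ever said "no such account". Second, the Certificate handshake message in the dump carries the issuer "Example Certificate Authority" with locality "Somewhere", organization "Example Inc." and e-mail admin@example.com, which is the sample CA generated by raddb/certs in the stock FreeRADIUS configuration. It is intended for testing; before this goes into production, replace it with a certificate the Windows supplicants are configured to validate, since PEAP clients that do not check the server certificate will hand their MS-CHAPv2 responses to any RADIUS server that answers.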