On Fri, Sep 3, 2010 at 12:58 PM, Alan DeKok <al...@deployingradius.com> wrote:
> Sion wrote:
>> That's what I thought, but in my linelog log it shows it being empty.
>
>   The MS-CHAP-Error is in the reply.
>
>> I've tried putting 'linelog' in the post-auth sections of both the
>> default and inner-tunnel virtual servers but no joy. Am I missing
>> something obvious here?
>
>   See the "Post-Auth-Type Reject" block, too.
>

Still no luck I'm afraid. Here's the output of radiusd -X in case it helps:

rad_recv: Access-Request packet from host 192.168.196.13 port 32768, id=9, length=181
	User-Name = "anonymous"
	Calling-Station-Id = "00-1B-77-94-57-72"
	Called-Station-Id = "00-0B-85-6D-BA-C0:eduroam"
	NAS-Port = 29
	NAS-IP-Address = 192.168.196.13
	NAS-Identifier = "llwacA105"
	Airespace-Wlan-Id = 2
	Service-Type = Framed-User
	Framed-MTU = 1300
	NAS-Port-Type = Wireless-802.11
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "115"
	EAP-Message = 0x0205000e01616e6f6e796d6f7573
	Message-Authenticator = 0xe0aee197f906702cbcedda8c6fce7ab1
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 5 length 14
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 9 to 192.168.196.13 port 32768
	EAP-Message = 0x010600061920
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x70163a6b70102318926cb2671448dd5c
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.196.13 port 32768, id=10, length=312 User-Name = "anonymous" Calling-Station-Id = "00-1B-77-94-57-72" Called-Station-Id = "00-0B-85-6D-BA-C0:eduroam" NAS-Port = 29 NAS-IP-Address = 192.168.196.13 NAS-Identifier = "llwacA105" Airespace-Wlan-Id = 2 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "115" EAP-Message = 0x0206007f19800000007516030100700100006c03014c80fc7750fabd6450dcb77c4605cbaab73a3c1e43bf175cfcee437c8275d0e1000018002f00350005000ac013c014c009c00a00320038001300040100002b00000017001500001264617573657268656c706465736b74657374000a0006000400170018000b00020100 State = 0x70163a6b70102318926cb2671448dd5c Message-Authenticator = 0x1b3669861698384d471a2c44b8a9fda0 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 6 length 127 [eap] Continuing tunnel setup. 
++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 117 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 0070], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 002a], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 06e5], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 10 to 192.168.196.13 port 32768 EAP-Message = 0x0107040019c000000722160301002a0200002603014c80fc77269f43ae3e8f7344872f86f6066a22b315bdeaa4d71d1033ca071d7200002f0016030106e50b0006e10006de0003c1308203bd30820326a0030201020210571735f114d0297747dec8e1dc855028300d06092a864886f70d01010505003081c4310b3009060355040613025a41311530130603550408130c5765737465726e204361706531123010060355040713094361706520546f776e311d301b060355040a131454686177746520436f6e73756c74696e6720636331283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e311930 EAP-Message = 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 EAP-Message = 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 EAP-Message = 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 EAP-Message = 0x323d4fe9cf449ea6dc0def99 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x70163a6b71112318926cb2671448dd5c Finished request 1. 
Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.196.13 port 32768, id=11, length=191 User-Name = "anonymous" Calling-Station-Id = "00-1B-77-94-57-72" Called-Station-Id = "00-0B-85-6D-BA-C0:eduroam" NAS-Port = 29 NAS-IP-Address = 192.168.196.13 NAS-Identifier = "llwacA105" Airespace-Wlan-Id = 2 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "115" EAP-Message = 0x020700061900 State = 0x70163a6b71112318926cb2671448dd5c Message-Authenticator = 0x3f0536adc88567e3fa2e7d68e8e685a1 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 7 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 11 to 192.168.196.13 port 32768 EAP-Message = 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 EAP-Message = 0x36303830313030303030305a170d3230313233313233353935395a3081c4310b3009060355040613025a41311530130603550408130c5765737465726e204361706531123010060355040713094361706520546f776e311d301b060355040a131454686177746520436f6e73756c74696e6720636331283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e3119301706035504031310546861777465205365727665722043413126302406092a864886f70d01090116177365727665722d6365727473407468617774652e636f6d30819f300d06092a864886f70d010101050003818d003081890281 EAP-Message = 
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 EAP-Message = 0x18283bd1e340289a5a3cd5b5e7201b8bcaa4ab8de951d9e24c2c59a9dab9b2751bf642f2efc7f218f989bca3ff8a232e704716030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x70163a6b721e2318926cb2671448dd5c Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.196.13 port 32768, id=12, length=393 User-Name = "anonymous" Calling-Station-Id = "00-1B-77-94-57-72" Called-Station-Id = "00-0B-85-6D-BA-C0:eduroam" NAS-Port = 29 NAS-IP-Address = 192.168.196.13 NAS-Identifier = "llwacA105" Airespace-Wlan-Id = 2 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "115" EAP-Message = 0x020800d01980000000c616030100861000008200807f5ca792ca8945089c0a2b67189c4d8de67a35f4e0082ca10d5e39027cd248d3678879a0f9cc4b777993417be8ea1687e656c4e4dea6be0f8f523ef29df4c7f682ad83ddc3bb05f04463a2274720e393a61c5038a66c1b62848a0ae51515d86d21b5b29558ce7bf129764cfcfe38e4e82a6b8c6a67034add9b51844257af2e481403010001011603010030cc3bfd1b203852f6ef64ac8b1cf56dade3f27dd1b4e578c2287f9dec49fff5bf265106af0619f4fc139b7ceab9c7fce9 State = 0x70163a6b721e2318926cb2671448dd5c Message-Authenticator = 0xd3605cae4d3cdfcdb79fb31c4f77efaf +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 8 length 208 [eap] Continuing tunnel setup. 
++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 198 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 12 to 192.168.196.13 port 32768 EAP-Message = 0x01090041190014030100010116030100306d3b466552376c524f9d57acb4ef59fa8a5a82a64f242ad92194e8f1193b8f3fc3d1cbc55ad95dc6a4505a0e370e8389 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x70163a6b731f2318926cb2671448dd5c Finished request 3. Going to the next request Waking up in 4.9 seconds. 
rad_recv: Access-Request packet from host 192.168.196.13 port 32768, id=13, length=191 User-Name = "anonymous" Calling-Station-Id = "00-1B-77-94-57-72" Called-Station-Id = "00-0B-85-6D-BA-C0:eduroam" NAS-Port = 29 NAS-IP-Address = 192.168.196.13 NAS-Identifier = "llwacA105" Airespace-Wlan-Id = 2 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "115" EAP-Message = 0x020900061900 State = 0x70163a6b731f2318926cb2671448dd5c Message-Authenticator = 0x1f53ab50f68ee7219c995d840f27876e +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 9 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS ++[eap] returns handled Sending Access-Challenge of id 13 to 192.168.196.13 port 32768 EAP-Message = 0x010a002b19001703010020d6d3ddbda2e15f5002501e18123dbf29e2f931ccce9e84466e3fcf5c38c4982b Message-Authenticator = 0x00000000000000000000000000000000 State = 0x70163a6b741c2318926cb2671448dd5c Finished request 4. Going to the next request Waking up in 4.9 seconds. 
rad_recv: Access-Request packet from host 192.168.196.13 port 32768, id=14, length=244 User-Name = "anonymous" Calling-Station-Id = "00-1B-77-94-57-72" Called-Station-Id = "00-0B-85-6D-BA-C0:eduroam" NAS-Port = 29 NAS-IP-Address = 192.168.196.13 NAS-Identifier = "llwacA105" Airespace-Wlan-Id = 2 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "115" EAP-Message = 0x020a003b190017030100303767555210c29944d549c0315be418183880d41e3b10753f2347ac68077538c53f95356c3d6e1ccfbbe46691ef85acdd State = 0x70163a6b741c2318926cb2671448dd5c Message-Authenticator = 0x38b94b464c83b45da9b75001bb686fb7 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 10 length 59 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Identity - daUserHelpdeskTest [peap] Got tunneled request EAP-Message = 0x020a00170164615573657248656c706465736b54657374 server { PEAP: Got tunneled identity of daUserHelpdeskTest PEAP: Setting default EAP type for tunneled EAP session. 
PEAP: Setting User-Name to daUserHelpdeskTest Sending tunneled request EAP-Message = 0x020a00170164615573657248656c706465736b54657374 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "daUserHelpdeskTest" Calling-Station-Id = "00-1B-77-94-57-72" Called-Station-Id = "00-0B-85-6D-BA-C0:eduroam" NAS-Port = 29 NAS-IP-Address = 192.168.196.13 NAS-Identifier = "llwacA105" Airespace-Wlan-Id = 2 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "115" server inner-tunnel { +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound [suffix] No '@' in User-Name = "daUserHelpdeskTest", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 10 length 23 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x010b002c1a010b002710acc43b6824a7b4882f1607c4f3f414ac64615573657248656c706465736b54657374 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1e88ea081e83f0086516d1bfc3ff692c [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x010b002c1a010b002710acc43b6824a7b4882f1607c4f3f414ac64615573657248656c706465736b54657374 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1e88ea081e83f0086516d1bfc3ff692c [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 14 to 192.168.196.13 port 32768 EAP-Message = 
0x010b004b190017030100409cbd93fb082834e5312d9e4e7e07b2fadc35f17d03ba94d6b4488d36a02ced807b1c816ed7ecd17c09f0e46b6db0a303330d4cba7a3ebdf7a4488bf7ec9fe660 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x70163a6b751d2318926cb2671448dd5c Finished request 5. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.196.13 port 32768, id=15, length=292 User-Name = "anonymous" Calling-Station-Id = "00-1B-77-94-57-72" Called-Station-Id = "00-0B-85-6D-BA-C0:eduroam" NAS-Port = 29 NAS-IP-Address = 192.168.196.13 NAS-Identifier = "llwacA105" Airespace-Wlan-Id = 2 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "115" EAP-Message = 0x020b006b19001703010060564c96a98610ddca81ab047cf49040cc25bbec1f15e7836a3ff4254b1b43391111bacebf925796803af1497774f5a869381948a58b170923920058e7776cc3a6e4c83132066f73a23e8b0f4106f7b9136f48fc8f7a1b5222bbe64ebc64dae94d State = 0x70163a6b751d2318926cb2671448dd5c Message-Authenticator = 0x8a5a9caddddcc8d8fef955471ac2c224 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 11 length 107 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. 
[peap] EAP type mschapv2
[peap] Got tunneled request
	EAP-Message = 0x020b004d1a020b004831ff6a3ce5d8969159b5028c63dcbdce3a0000000000000000119ada0d77457f3cf74b7aac600d9ac29c970352419456d90064615573657248656c706465736b54657374
server {
  PEAP: Setting User-Name to daUserHelpdeskTest
Sending tunneled request
	EAP-Message = 0x020b004d1a020b004831ff6a3ce5d8969159b5028c63dcbdce3a0000000000000000119ada0d77457f3cf74b7aac600d9ac29c970352419456d90064615573657248656c706465736b54657374
	FreeRADIUS-Proxied-To = 127.0.0.1
	User-Name = "daUserHelpdeskTest"
	State = 0x1e88ea081e83f0086516d1bfc3ff692c
	Calling-Station-Id = "00-1B-77-94-57-72"
	Called-Station-Id = "00-0B-85-6D-BA-C0:eduroam"
	NAS-Port = 29
	NAS-IP-Address = 192.168.196.13
	NAS-Identifier = "llwacA105"
	Airespace-Wlan-Id = 2
	Service-Type = Framed-User
	Framed-MTU = 1300
	NAS-Port-Type = Wireless-802.11
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "115"
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "daUserHelpdeskTest", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 11 length 77
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] Told to do MS-CHAPv2 for daUserHelpdeskTest with NT-Password
[mschap] expand: %{Stripped-User-Name} ->
[mschap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
[mschap] expand: %{User-Name:-None} -> daUserHelpdeskTest
[mschap] expand: --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} -> --username=daUserHelpdeskTest
[mschap] mschap2: ac
[mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=99630d7d1b70ccb6
[mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=119ada0d77457f3cf74b7aac600d9ac29c970352419456d9
Exec-Program output: Logon failure (0xc000006d)
Exec-Program-Wait: plaintext: Logon failure (0xc000006d)
Exec-Program: returned: 1
[mschap] External script failed.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
} # server inner-tunnel
[peap] Got tunneled reply code 3
	MS-CHAP-Error = "\013E=691 R=1"
	EAP-Message = 0x040b0004
	Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code 3
	MS-CHAP-Error = "\013E=691 R=1"
	EAP-Message = 0x040b0004
	Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] returns handled
Sending Access-Challenge of id 15 to 192.168.196.13 port 32768
	EAP-Message = 0x010c002b19001703010020e2ecfa9fe8a4bab6e0d189ee4afc63838d3039becf8c75642a188987d9f7efd4
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x70163a6b761a2318926cb2671448dd5c
Finished request 6.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 192.168.196.13 port 32768, id=16, length=228
	User-Name = "anonymous"
	Calling-Station-Id = "00-1B-77-94-57-72"
	Called-Station-Id = "00-0B-85-6D-BA-C0:eduroam"
	NAS-Port = 29
	NAS-IP-Address = 192.168.196.13
	NAS-Identifier = "llwacA105"
	Airespace-Wlan-Id = 2
	Service-Type = Framed-User
	Framed-MTU = 1300
	NAS-Port-Type = Wireless-802.11
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "115"
	EAP-Message = 0x020c002b19001703010020afeb09438ae8736bd4545752ecc17e1b5de36e4b8ca31c95fa6617432d9080d4
	State = 0x70163a6b761a2318926cb2671448dd5c
	Message-Authenticator = 0x80361a22f6d1ad6492ba21f97229c16c
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 12 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Received EAP-TLV response.
[peap] Had sent TLV failure. User was rejected earlier in this session.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> anonymous
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
[testlinelog] expand: /var/log/radius/testlinelog -> /var/log/radius/testlinelog
[testlinelog] expand: %S %{reply:Packet-Type} %{User-Name} %{Calling-Station-Id} %{Called-Station-Id} %{NAS-Identifier} %{Packet-Src-IP-Address} %{reply:Reply-Message} %{reply:MS-CHAP-Error} %{reply:Tunnel-Type} %{reply:Tunnel-Private-Group-Id} -> 2010-09-03 14:47:35 Access-Reject anonymous 00-1B-77-94-57-72 00-0B-85-6D-BA-C0:eduroam llwacA105 192.168.196.13
++[testlinelog] returns ok
Delaying reject of request 7 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 7
Sending Access-Reject of id 16 to 192.168.196.13 port 32768
	EAP-Message = 0x040c0004
	Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.8 seconds.
Cleaning up request 0 ID 9 with timestamp +14
Cleaning up request 1 ID 10 with timestamp +14
Cleaning up request 2 ID 11 with timestamp +14
Cleaning up request 3 ID 12 with timestamp +14
Cleaning up request 4 ID 13 with timestamp +14
Cleaning up request 5 ID 14 with timestamp +14
Cleaning up request 6 ID 15 with timestamp +14
Waking up in 1.0 seconds.
Cleaning up request 7 ID 16 with timestamp +14
Ready to process requests.

> Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
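
In the debug output above, MS-CHAP-Error appears only in the tunneled (inner) reply, while the outer linelog expansion of %{reply:MS-CHAP-Error} comes out empty. The following is an added example, not part of the original thread and not FreeRADIUS code: a Python script that pulls the inner reject reason out of radiusd -X output and decodes it with the RFC 2759 failure codes. The function names are hypothetical, the sample lines are constructed by trimming the log above, and it assumes one log statement per line, as radiusd prints it.

```python
import re

# Failure codes carried in the E= field of MS-CHAP-Error (RFC 2759).
MSCHAP_ERRORS = {
    646: "ERROR_RESTRICTED_LOGON_HOURS",
    647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED",
    649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE",
    709: "ERROR_CHANGING_PASSWORD",
}

INNER_USER_RE = re.compile(r"PEAP: Setting User-Name to (\S+)")
INNER_REPLY_RE = re.compile(r"\[peap\] Got tunneled reply code (\d+)")
ERROR_ATTR_RE = re.compile(r'MS-CHAP-Error = "((?:[^"\\]|\\.)*)"')


def decode_mschap_error(printed):
    # 'printed' is the attribute value as it appears in the debug log.
    ident = None
    esc = re.match(r"\\([0-7]{3})", printed)
    if esc:  # leading ident octet, non-printable, shown as an octal escape
        ident, printed = int(esc.group(1), 8), printed[esc.end():]
    elif printed and not printed.startswith("E="):
        ident, printed = ord(printed[0]), printed[1:]  # printable ident octet
    code_m = re.match(r"E=(\d+)", printed)
    retry_m = re.search(r"\sR=([01])", printed)
    code = int(code_m.group(1)) if code_m else None
    return {
        "ident": ident,
        "code": code,
        "name": MSCHAP_ERRORS.get(code, "UNKNOWN"),
        "retry_allowed": bool(retry_m and retry_m.group(1) == "1"),
    }


def scan_debug_log(text):
    """Return one record per rejected inner-tunnel reply carrying MS-CHAP-Error."""
    records, inner_user, armed = [], None, False
    for line in text.splitlines():
        m = INNER_USER_RE.search(line)
        if m:
            inner_user = m.group(1)  # identity used inside the PEAP tunnel
            continue
        m = INNER_REPLY_RE.search(line)
        if m:
            # Code 3 is Access-Reject. The "Got tunneled reply RADIUS code"
            # repeat of the same attributes does not match, so no duplicates.
            armed = m.group(1) == "3"
            continue
        m = ERROR_ATTR_RE.search(line)
        if m and armed:
            rec = decode_mschap_error(m.group(1))
            rec["inner_user"] = inner_user
            records.append(rec)
            armed = False
    return records


# Constructed sample: a few lines trimmed from the radiusd -X output above.
SAMPLE = r'''  PEAP: Setting User-Name to daUserHelpdeskTest
[mschap] FAILED: MS-CHAP2-Response is incorrect
[peap] Got tunneled reply code 3
    MS-CHAP-Error = "\013E=691 R=1"
    EAP-Message = 0x040b0004
[peap] Got tunneled reply RADIUS code 3
    MS-CHAP-Error = "\013E=691 R=1"
[peap] Tunneled authentication was rejected.
'''

if __name__ == "__main__":
    for rec in scan_debug_log(SAMPLE):
        print(rec)
```

The leading `\013` is octal for 11, the same MS-CHAPv2 identifier (0x0b) visible in the tunneled EAP-Message bytes of the log.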