Hi,

Here is the complete debug log:

rad_recv: Access-Request packet from host 10.220.30.5 port 29010, id=194, length=179
        User-Name = "STIC08862\\TechRMC"
        NAS-IP-Address = 10.220.30.5
        NAS-Port = 0
        Called-Station-Id = "58-16-26-AA-F7-A1:AVAYA-RESEAU"
        Calling-Station-Id = "00-16-EA-C5-78-9C"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 0Mbps 802.11a"
        EAP-Message = 0x02000016015354494330383836325c54656368524d43
        Message-Authenticator = 0xfa084ddf06908a03fe823772e3df038e
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
[suffix] No '@' in User-Name = "STIC08862\TechRMC", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] Looking up realm "STIC08862" for User-Name = "STIC08862\TechRMC"
[ntdomain] No such realm "STIC08862"
++[ntdomain] returns noop
++? if ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/)
        expand: %{User-Name} -> STIC08862\TechRMC
? Evaluating ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/) -> FALSE
++? if ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/) -> FALSE
++[preprocess] returns ok
[eap] EAP packet type response id 0 length 22
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[ldap] performing user authorization for STIC08862\TechRMC
[ldap]  expand: (uid=%{mschap:User-Name}) -> (uid=TechRMC)
[ldap]  expand: o=CSPI -> o=CSPI
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in o=CSPI, with filter (uid=TechRMC)
[ldap] Added the eDirectory password 1234567 in check items as Cleartext-Password
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
[ldap] user STIC08862\TechRMC authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 194 to 10.220.30.5 port 29010
        EAP-Message = 0x010100061920
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x309c14c6309d0dd14b00d913c56dbe3f
Finished request 78.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.220.30.5 port 29010, id=195, length=255
        User-Name = "STIC08862\\TechRMC"
        NAS-IP-Address = 10.220.30.5
        NAS-Port = 0
        Called-Station-Id = "58-16-26-AA-F7-A1:AVAYA-RESEAU"
        Calling-Station-Id = "00-16-EA-C5-78-9C"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 0Mbps 802.11a"
EAP-Message = 0x0201005019800000004616030100410100003d03014de118d0fb7ad90b86758750890c116038cb55d9c09e4f2b4228a03e019e3d4200001600040005000a000900640062000300060013001200630100
        State = 0x309c14c6309d0dd14b00d913c56dbe3f
        Message-Authenticator = 0xbb36f856b12e7151d07b7f62bb8ac4d1
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
[suffix] No '@' in User-Name = "STIC08862\TechRMC", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] Looking up realm "STIC08862" for User-Name = "STIC08862\TechRMC"
[ntdomain] No such realm "STIC08862"
++[ntdomain] returns noop
++? if ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/)
        expand: %{User-Name} -> STIC08862\TechRMC
? Evaluating ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/) -> FALSE
++? if ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/) -> FALSE
++[preprocess] returns ok
[eap] EAP packet type response id 1 length 80
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 70
[peap] Length Included
[peap] eaptls_verify returned 11
[peap]     (other): before/accept initialization
[peap]     TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 0041], ClientHello
[peap]     TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 002a], ServerHello
[peap]     TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 085e], Certificate
[peap]     TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap]     TLS_accept: SSLv3 write server done A
[peap]     TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 195 to 10.220.30.5 port 29010
        EAP-Message = 0xa73082038fa0030201020209
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x309c14c6319e0dd14b00d913c56dbe3f
Finished request 79.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.220.30.5 port 29010, id=196, length=181
        User-Name = "STIC08862\\TechRMC"
        NAS-IP-Address = 10.220.30.5
        NAS-Port = 0
        Called-Station-Id = "58-16-26-AA-F7-A1:AVAYA-RESEAU"
        Calling-Station-Id = "00-16-EA-C5-78-9C"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 0Mbps 802.11a"
        EAP-Message = 0x020200061900
        State = 0x309c14c6319e0dd14b00d913c56dbe3f
        Message-Authenticator = 0xa462f5cd5ac6dd277077e9011fbf9c14
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
[suffix] No '@' in User-Name = "STIC08862\TechRMC", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] Looking up realm "STIC08862" for User-Name = "STIC08862\TechRMC"
[ntdomain] No such realm "STIC08862"
++[ntdomain] returns noop
++? if ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/)
        expand: %{User-Name} -> STIC08862\TechRMC
? Evaluating ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/) -> FALSE
++? if ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/) -> FALSE
++[preprocess] returns ok
[eap] EAP packet type response id 2 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 196 to 10.220.30.5 port 29010
        EAP-Message = 0x3deb8931d600ea5e
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x309c14c6329f0dd14b00d913c56dbe3f
Finished request 80.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.220.30.5 port 29010, id=197, length=181
        User-Name = "STIC08862\\TechRMC"
        NAS-IP-Address = 10.220.30.5
        NAS-Port = 0
        Called-Station-Id = "58-16-26-AA-F7-A1:AVAYA-RESEAU"
        Calling-Station-Id = "00-16-EA-C5-78-9C"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 0Mbps 802.11a"
        EAP-Message = 0x020300061900
        State = 0x309c14c6329f0dd14b00d913c56dbe3f
        Message-Authenticator = 0xa5deb369fab7a8ab117e3a2d3a1bd99a
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
[suffix] No '@' in User-Name = "STIC08862\TechRMC", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] Looking up realm "STIC08862" for User-Name = "STIC08862\TechRMC"
[ntdomain] No such realm "STIC08862"
++[ntdomain] returns noop
++? if ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/)
        expand: %{User-Name} -> STIC08862\TechRMC
? Evaluating ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/) -> FALSE
++? if ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/) -> FALSE
++[preprocess] returns ok
[eap] EAP packet type response id 3 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 197 to 10.220.30.5 port 29010
EAP-Message = 0x010400b519001c077a0c37c0021ebd5901d8710b97ad0f8565cbe4081f184c4f48d79500d781c789cd7e4fcb9ef1c0d85e8c0e2f79b33d98067a79636b7b18c212c6fa065393ead60ccbd66b1ee55415965798592390475c38b8f1d81a8372e7e1aafcb6563a44f0be0cb173c485b071d8f18a6d6c978b2a17fc24579a3a00c360a6b43efefc2ec4f0d73ab140ec5e5d9b591a5b29b0d3a7a096774771c16065b46160051a8d1e88f6aa261516030100040e000000
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x309c14c633980dd14b00d913c56dbe3f
Finished request 81.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.220.30.5 port 29010, id=198, length=497
        User-Name = "STIC08862\\TechRMC"
        NAS-IP-Address = 10.220.30.5
        NAS-Port = 0
        Called-Station-Id = "58-16-26-AA-F7-A1:AVAYA-RESEAU"
        Calling-Station-Id = "00-16-EA-C5-78-9C"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 0Mbps 802.11a"
EAP-Message = 0x0204014019800000013616030101061000010201000d5a7cfe5681de38952daa49b5a1f72a4406db283c1bdb0dbf56630552caba84d0ddd24cb5782d77a3b91ccbfbecc86a769bce2e367a77d13049c89aca7179224427b950971802c12e803af42ec507f6ded58f3ad883f4e774878bef3537d59d19e0e6697a98120a7cc029be2c20ca05e87ba0beb9376957afba29ab6bff97667ce389d9b8d5530f9456b4b6a77753596a1bd6caff20c5269203b2b6d51e70082f5592c2abb1a17235e2f1ccfe6110ea40a44f4b25b46b56eaae52ec6649d39bf5434b53b996821b1c68159f34d7695c4d0d21d6d138c62f5fa6eb7664bf2ab59facdbab3bf9eac9 EAP-Message = 0x2a59234d25f162d9c012c90c1b564c40f7a244ceb74fdbba1403010001011603010020105e724ee5343bc59dc34a12d5f6ae80cb30ee64b5e06ec66e794571315cee97
        State = 0x309c14c633980dd14b00d913c56dbe3f
        Message-Authenticator = 0xa808596aff58e89c835ba408d22c8576
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
[suffix] No '@' in User-Name = "STIC08862\TechRMC", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] Looking up realm "STIC08862" for User-Name = "STIC08862\TechRMC"
[ntdomain] No such realm "STIC08862"
++[ntdomain] returns noop
++? if ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/)
        expand: %{User-Name} -> STIC08862\TechRMC
? Evaluating ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/) -> FALSE
++? if ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/) -> FALSE
++[preprocess] returns ok
[eap] EAP packet type response id 4 length 253
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 310
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange
[peap]     TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap]     TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap]     TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap]     TLS_accept: SSLv3 write finished A
[peap]     TLS_accept: SSLv3 flush data
[peap]     (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 198 to 10.220.30.5 port 29010
EAP-Message = 0x0105003119001403010001011603010020a7b524514b3cddffd4a8160f9eb6cc6a58975c324fe0d9ad042931b8bffb2bbd
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x309c14c634990dd14b00d913c56dbe3f
Finished request 82.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.220.30.5 port 29010, id=199, length=181
        User-Name = "STIC08862\\TechRMC"
        NAS-IP-Address = 10.220.30.5
        NAS-Port = 0
        Called-Station-Id = "58-16-26-AA-F7-A1:AVAYA-RESEAU"
        Calling-Station-Id = "00-16-EA-C5-78-9C"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 0Mbps 802.11a"
        EAP-Message = 0x020500061900
        State = 0x309c14c634990dd14b00d913c56dbe3f
        Message-Authenticator = 0xfbb387ec4960fce18fa01d5ff1c5e01e
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
[suffix] No '@' in User-Name = "STIC08862\TechRMC", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] Looking up realm "STIC08862" for User-Name = "STIC08862\TechRMC"
[ntdomain] No such realm "STIC08862"
++[ntdomain] returns noop
++? if ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/)
        expand: %{User-Name} -> STIC08862\TechRMC
? Evaluating ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/) -> FALSE
++? if ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/) -> FALSE
++[preprocess] returns ok
[eap] EAP packet type response id 5 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state TUNNEL ESTABLISHED
++[eap] returns handled
Sending Access-Challenge of id 199 to 10.220.30.5 port 29010
EAP-Message = 0x010600201900170301001571c76260985f4c2cdee93f9c926ad4e44dbc5089bd
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x309c14c6359a0dd14b00d913c56dbe3f
Finished request 83.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.220.30.5 port 29010, id=200, length=220
        User-Name = "STIC08862\\TechRMC"
        NAS-IP-Address = 10.220.30.5
        NAS-Port = 0
        Called-Station-Id = "58-16-26-AA-F7-A1:AVAYA-RESEAU"
        Calling-Station-Id = "00-16-EA-C5-78-9C"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 0Mbps 802.11a"
EAP-Message = 0x0206002d1900170301002265afc9d83fb63b3df1fa050064293a1d5724034b497cd6917712aed52e33e5c50a93
        State = 0x309c14c6359a0dd14b00d913c56dbe3f
        Message-Authenticator = 0x1d9a3ba6178e12c05cfd06e7b2a2c601
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
[suffix] No '@' in User-Name = "STIC08862\TechRMC", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] Looking up realm "STIC08862" for User-Name = "STIC08862\TechRMC"
[ntdomain] No such realm "STIC08862"
++[ntdomain] returns noop
++? if ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/)
        expand: %{User-Name} -> STIC08862\TechRMC
? Evaluating ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/) -> FALSE
++? if ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/) -> FALSE
++[preprocess] returns ok
[eap] EAP packet type response id 6 length 45
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state WAITING FOR INNER IDENTITY
[peap] Identity - STIC08862\TechRMC
[peap] Got inner identity 'STIC08862\TechRMC'
[peap] Setting default EAP type for tunneled EAP session.
[peap] Got tunneled request
        EAP-Message = 0x02060016015354494330383836325c54656368524d43
server  {
  PEAP: Setting User-Name to STIC08862\TechRMC
Sending tunneled request
        EAP-Message = 0x02060016015354494330383836325c54656368524d43
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "STIC08862\\TechRMC"
server inner-tunnel {
# Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
+- entering group authorize {...}
[suffix] No '@' in User-Name = "STIC08862\TechRMC", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] Looking up realm "STIC08862" for User-Name = "STIC08862\TechRMC"
[ntdomain] No such realm "STIC08862"
++[ntdomain] returns noop
++? if ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/)
        expand: %{User-Name} -> STIC08862\TechRMC
? Evaluating ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/) -> FALSE
++? if ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/) -> FALSE
[eap] EAP packet type response id 6 length 22
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[ldap] performing user authorization for STIC08862\TechRMC
[ldap]  expand: (uid=%{mschap:User-Name}) -> (uid=TechRMC)
[ldap]  expand: o=CSPI -> o=CSPI
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in o=CSPI, with filter (uid=TechRMC)
[ldap] Added the eDirectory password 1234567 in check items as Cleartext-Password
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
[ldap] user STIC08862\TechRMC authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++? if (User-Name !~ /^host\/.*nw2.cspi.qc.ca$/)
? Evaluating (User-Name !~ /^host\/.*nw2.cspi.qc.ca$/) -> TRUE
++? if (User-Name !~ /^host\/.*nw2.cspi.qc.ca$/) -> TRUE
++- entering if (User-Name !~ /^host\/.*nw2.cspi.qc.ca$/) {...}
+++[control] returns ok
++- if (User-Name !~ /^host\/.*nw2.cspi.qc.ca$/) returns ok
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
EAP-Message = 0x0107002b1a010700261012b5c4c3a3dbd6a23fe3af6f3db81bc15354494330383836325c54656368524d43
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x510e2245510938eb25e1ac3222e20688
[peap] Got tunneled reply RADIUS code 11
EAP-Message = 0x0107002b1a010700261012b5c4c3a3dbd6a23fe3af6f3db81bc15354494330383836325c54656368524d43
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x510e2245510938eb25e1ac3222e20688
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 200 to 10.220.30.5 port 29010
EAP-Message = 0x0107004219001703010037421203ab26df0308676a4f2cb9e0fa8ff6e390152e6e971e94d31eda95d20b849007bca062f718e1d559e79b10a5b6a188768b6fe1907c
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x309c14c6369b0dd14b00d913c56dbe3f
Finished request 84.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.220.30.5 port 29010, id=201, length=264
        User-Name = "STIC08862\\TechRMC"
        NAS-IP-Address = 10.220.30.5
        NAS-Port = 0
        Called-Station-Id = "58-16-26-AA-F7-A1:AVAYA-RESEAU"
        Calling-Station-Id = "00-16-EA-C5-78-9C"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 0Mbps 802.11a"
EAP-Message = 0x020700591900170301004eb1f256aa2e900c41ef37f9d0933df166344a6edbc9356301e0fdc15cb87b6cbe03f6b07e54ccfd7fca446c7ce6cca1a742794be48c57b8e2ac735d7b2a2b38fe4483984103fc270b54d6c691b4c2
        State = 0x309c14c6369b0dd14b00d913c56dbe3f
        Message-Authenticator = 0x8d693684ec5593182b54ce7c3d5e7d8f
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
[suffix] No '@' in User-Name = "STIC08862\TechRMC", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] Looking up realm "STIC08862" for User-Name = "STIC08862\TechRMC"
[ntdomain] No such realm "STIC08862"
++[ntdomain] returns noop
++? if ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/)
        expand: %{User-Name} -> STIC08862\TechRMC
? Evaluating ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/) -> FALSE
++? if ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/) -> FALSE
++[preprocess] returns ok
[eap] EAP packet type response id 7 length 89
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
EAP-Message = 0x020700421a0207003d3187ddf68b18fb1dce4cdd5b001c06abc000000000000000009a7812e4d4a1f425347de951e68fac50054fd8ff32d403fa0054656368524d43
server  {
  PEAP: Setting User-Name to STIC08862\TechRMC
Sending tunneled request
EAP-Message = 0x020700421a0207003d3187ddf68b18fb1dce4cdd5b001c06abc000000000000000009a7812e4d4a1f425347de951e68fac50054fd8ff32d403fa0054656368524d43
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "STIC08862\\TechRMC"
        State = 0x510e2245510938eb25e1ac3222e20688
server inner-tunnel {
# Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
+- entering group authorize {...}
[suffix] No '@' in User-Name = "STIC08862\TechRMC", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] Looking up realm "STIC08862" for User-Name = "STIC08862\TechRMC"
[ntdomain] No such realm "STIC08862"
++[ntdomain] returns noop
++? if ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/)
        expand: %{User-Name} -> STIC08862\TechRMC
? Evaluating ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/) -> FALSE
++? if ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/) -> FALSE
[eap] EAP packet type response id 7 length 66
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[ldap] performing user authorization for STIC08862\TechRMC
[ldap]  expand: (uid=%{mschap:User-Name}) -> (uid=TechRMC)
[ldap]  expand: o=CSPI -> o=CSPI
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in o=CSPI, with filter (uid=TechRMC)
[ldap] Added the eDirectory password 1234567 in check items as Cleartext-Password
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
[ldap] user STIC08862\TechRMC authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++? if (User-Name !~ /^host\/.*nw2.cspi.qc.ca$/)
? Evaluating (User-Name !~ /^host\/.*nw2.cspi.qc.ca$/) -> TRUE
++? if (User-Name !~ /^host\/.*nw2.cspi.qc.ca$/) -> TRUE
++- entering if (User-Name !~ /^host\/.*nw2.cspi.qc.ca$/) {...}
+++[control] returns ok
++- if (User-Name !~ /^host\/.*nw2.cspi.qc.ca$/) returns ok
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
[mschapv2] +- entering group MS-CHAP {...}
[mschap] ERROR: User-Name (STIC08862\TechRMC) is not the same as MS-CHAP Name (TechRMC) from EAP-MSCHAPv2
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
} # server inner-tunnel
[peap] Got tunneled reply code 3
        EAP-Message = 0x04070004
        Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code 3
        EAP-Message = 0x04070004
        Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] returns handled
Sending Access-Challenge of id 201 to 10.220.30.5 port 29010
EAP-Message = 0x010800261900170301001bd9addceecce69a0bbcafd532787f06f03515b539bbb8c598213707
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x309c14c637940dd14b00d913c56dbe3f
Finished request 85.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.220.30.5 port 29010, id=202, length=213
        User-Name = "STIC08862\\TechRMC"
        NAS-IP-Address = 10.220.30.5
        NAS-Port = 0
        Called-Station-Id = "58-16-26-AA-F7-A1:AVAYA-RESEAU"
        Calling-Station-Id = "00-16-EA-C5-78-9C"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 0Mbps 802.11a"
EAP-Message = 0x020800261900170301001b5d49f3ad65771949521891ede66912ccf09cfa17c7d6a9965f229e
        State = 0x309c14c637940dd14b00d913c56dbe3f
        Message-Authenticator = 0xf8e78209cd1bbc051781ce0db38fb367
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
[suffix] No '@' in User-Name = "STIC08862\TechRMC", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] Looking up realm "STIC08862" for User-Name = "STIC08862\TechRMC"
[ntdomain] No such realm "STIC08862"
++[ntdomain] returns noop
++? if ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/)
        expand: %{User-Name} -> STIC08862\TechRMC
? Evaluating ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/) -> FALSE
++? if ("%{User-Name}" =~ /^host\/.*nw2.cspi.qc.ca$/) -> FALSE
++[preprocess] returns ok
[eap] EAP packet type response id 8 length 38
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state send tlv failure
[peap] Received EAP-TLV response.
[peap] The users session was previously rejected: returning reject (again.)
[peap] *** This means you need to read the PREVIOUS messages in the debug output
[peap]  *** to find out the reason why the user was rejected.
[peap] *** Look for "reject" or "fail". Those earlier messages will tell you.
[peap]  *** what went wrong, and how to fix the problem.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> STIC08862\TechRMC
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 86 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 86
Sending Access-Reject of id 202 to 10.220.30.5 port 29010
        EAP-Message = 0x04080004
        Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.7 seconds.

On 11-05-28 10:32 AM, Francois Gaudreault wrote:
Hi Phil, and Alan,

I will get you the debug output for Windows XP SP3 boxes (likely Monday).

I will summarise what we have. Basically, this is a setup where the client is using eDirectory to authorize the users using the rlm_ldap module. On the Windows boxes, it is configured to do PEAP using MSCHAPv2. When we send a host credential (i.e. host/mycomputer.domain.tld) it will pass the authorization and during the authentication phase, it will use ntlm_auth to ensure that the machine is a member of the domain. That part is working fine, the mschap module does its job.

For the users, they have Windows 7s and Windows XPs. Windows 7 appears to be working without problems since the username is sent without the computer name as the domain prefix. The problem comes with the Windows XP boxes. If we let Windows send the credentials automatically (when Novell logs in), the LDAP authorization will work properly, but the authentication will fail even if the Cleartext-Password attribute is set by the LDAP module. It will throw that MS-CHAP error. We also ensure that everything that comes from something that is not matching host/something will use the MS-CHAP-NTLM-Auth = No. The only way to make Windows XP work is to disable the "automatically send username" thing and only send the username without the domain name. However, the user experience will definitely be terrible.

The NAS Client is an Avaya Access Point.

Thanks for your feedback guys, it is appreciated. I will get you the debug information and the sites configuration as soon as I can.

Have a nice weekend.



--
Francois Gaudreault, ing. jr
fgaudrea...@inverse.ca  ::  +1.514.447.4918 (x130) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)
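
The mismatch reported by the `[mschap] ERROR` line can be read directly out of the two tunneled EAP-Message values in the log. The following Python is an added example, not part of either message and not FreeRADIUS code: it decodes the inner EAP-Identity and the EAP-MSCHAPv2 Response and compares the two names. The function names are hypothetical, and `strip_nt_domain` is a simplified stand-in for the `%{mschap:User-Name}` expansion shown in the log.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IDENTITY = 1
EAP_TYPE_MSCHAPV2 = 26
MSCHAPV2_OP_RESPONSE = 2
MSCHAPV2_VALUE_SIZE = 49  # 16 Peer-Challenge + 8 Reserved + 24 NT-Response + 1 Flags

# Both values are taken from the "Got tunneled request" entries in the log above.
INNER_IDENTITY_HEX = "0x02060016015354494330383836325c54656368524d43"
INNER_MSCHAPV2_HEX = (
    "0x02070042"                        # EAP header: Response, id 7, length 0x42
    "1a"                                # EAP type 26 (MS-CHAPv2)
    "0207003d"                          # OpCode 2, MS-CHAPv2-ID 7, MS-Length 0x3d
    "31"                                # Value-Size 49
    "87ddf68b18fb1dce4cdd5b001c06abc0"  # Peer-Challenge
    "0000000000000000"                  # Reserved
    "9a7812e4d4a1f425347de951e68fac50054fd8ff32d403fa"  # NT-Response
    "00"                                # Flags
    "54656368524d43"                    # Name
)


def parse_eap(hex_str):
    """Split one EAP packet into header fields and type-data, checking its length."""
    text = hex_str[2:] if hex_str.lower().startswith("0x") else hex_str
    raw = bytes.fromhex(text)
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError(f"EAP length field {length} != {len(raw)} bytes present")
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "type": None, "data": b""}
    if code in (1, 2):  # only Request/Response carry a type byte
        if length < 5:
            raise ValueError("Request/Response without a type byte")
        pkt["type"], pkt["data"] = raw[4], raw[5:]
    return pkt


def inner_identity(pkt):
    """Return the identity string carried in an EAP-Identity packet."""
    if pkt["type"] != EAP_TYPE_IDENTITY:
        raise ValueError("not an EAP-Identity packet")
    return pkt["data"].decode("utf-8", errors="replace")


def mschapv2_response(pkt):
    """Decode the fields of an EAP-MSCHAPv2 Response packet."""
    if pkt["type"] != EAP_TYPE_MSCHAPV2:
        raise ValueError("not an EAP-MSCHAPv2 packet")
    data = pkt["data"]
    if len(data) < 5 + MSCHAPV2_VALUE_SIZE:
        raise ValueError("EAP-MSCHAPv2 Response is truncated")
    opcode, ms_id, ms_length, value_size = struct.unpack("!BBHB", data[:5])
    if opcode != MSCHAPV2_OP_RESPONSE or value_size != MSCHAPV2_VALUE_SIZE:
        raise ValueError("not an MS-CHAPv2 Response")
    if ms_length != len(data):
        raise ValueError("MS-Length does not match the type-data length")
    value = data[5:5 + MSCHAPV2_VALUE_SIZE]
    return {
        "ms_id": ms_id,
        "peer_challenge": value[:16].hex(),
        "nt_response": value[24:48].hex(),
        "flags": value[48],
        "name": data[5 + MSCHAPV2_VALUE_SIZE:].decode("utf-8", errors="replace"),
    }


def strip_nt_domain(name):
    """Assumption: drop a DOMAIN\\ prefix, as the log's (uid=TechRMC) expansion does."""
    return name.rsplit("\\", 1)[-1]


def diagnose(identity_hex, mschap_hex):
    """Compare the inner identity with the name inside the MS-CHAPv2 response."""
    identity = inner_identity(parse_eap(identity_hex))
    name = mschapv2_response(parse_eap(mschap_hex))["name"]
    return {
        "identity": identity,
        "mschap_name": name,
        "exact_match": identity == name,
        "match_without_domain": strip_nt_domain(identity) == strip_nt_domain(name),
    }


if __name__ == "__main__":
    for key, value in diagnose(INNER_IDENTITY_HEX, INNER_MSCHAPV2_HEX).items():
        print(f"{key}: {value}")
```

Run against the log's values, the identity decodes with the `STIC08862\` prefix while the name inside the MS-CHAPv2 response does not, which is the difference the `[mschap] ERROR` line reports.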
