Anyone have any thoughts on where I need to poke at this thing? I'm about at the limits of my ability to figure out what's going wrong.
- Jacob

On 29 Aug 2011, at 17:28, Jacob Dawson wrote:

> We're having an odd problem here, and I just can't pin down quite where to look to fix it. We use PEAP-MSCHAPv2 for authentication of our Windows domain users on wireless. This is accomplished by terminating the TLS conversation at FreeRADIUS and sending along the MSCHAP conversation to an IAS server. We've tested this in the past, and it's worked fine, and we're doing a modified form of this in production, and it's working fine, but I've lately been unable to get it to work in our pre-production 2.1.11 environment. What's particularly odd is that it's only affecting the Windows clients. My OS X client doing PEAP with the same credentials is happy.
>
> What we're doing in production, which continues to work, is this:
> We terminate TLS at FreeRADIUS. This allows us to manage the wireless service certificate there, keeps the IAS operators from having to keep up with it.
> We proxy the MSCHAP conversation to our OpenRADIUS server (which is also running and interacting with TACACS).
> OpenRADIUS proxies the CHAP stuff to IAS. It may be tinkering with the MSCHAP fields from IAS to make them more compatible (basically changing out the secrets because it's standing in the middle).
> Successful authentication then percolates back through the chain and the user is happy.
>
> In pre-production, it looks like this:
> Request comes in from Windows client, is recognized to be a Domain authentication request, gets proxied to an FR virtual server.
> Said virtual server gets it, processes the TLS and terminates it, and proxies the MSCHAP conversation to IAS.
> IAS does its MSCHAP thing, accepts the user.
> Access-Accept percolates back up through the chain. We send an Access-Challenge, the user sends an Access-Request, and FR says the user said something weird, so it's rejecting them.
>
> Request comes in from non-Windows client, is recognized to be a Domain authentication request, gets proxied to an FR virtual server.
> Said virtual server gets it, processes the TLS and terminates it, and proxies the MSCHAP conversation to IAS.
> IAS does its MSCHAP thing, accepts the user.
> Access-Accept percolates back up through the chain. We send an Access-Challenge, the user sends an Access-Request, and FR says everything's fine, user gets Access-Accept.
>
> Thoughts on where I need to look? I can't parse out what's happening to cause a response to be invalid for Windows users but not for, say, Mac users. Our initial guess here is that the Windows clients are looking at the MPPE keys, and are unhappy about them, whereas the Mac clients are not, though we suspect neither set of clients requires them.
>
> Posting relevant bits of debug output below.
>
> Thanks much,
> Jacob M. Dawson
>
> ---------
>
> Pre-production failure:
> rad_recv: Access-Request packet from host 198.82.171.153 port 32768, id=138, length=293
> User-Name = "HOKIES\\dawson"
> Calling-Station-Id = "00-1d-e0-90-5f-db"
> Called-Station-Id = "00-21-55-4d-c4-40:CNS-Test"
> NAS-Port = 29
> NAS-IP-Address = 198.82.171.153
> NAS-Identifier = "cas-6509-3.wsm8b"
> Airespace-Wlan-Id = 17
> Service-Type = Framed-User
> Framed-MTU = 1300
> NAS-Port-Type = Wireless-802.11
> Tunnel-Type:0 = VLAN
> Tunnel-Medium-Type:0 = IEEE-802
> Tunnel-Private-Group-Id:0 = "1381"
> EAP-Message = 0x020b005f19001703010054bdd79574acfa8744908880dfa66a9e861f5fff5d2b3b7e387679b867704afa60476df6cc1ac0f30d92a4dc753cebb4bc4e71f4e0bc4db75534ab2403ec993619f05ad02497597deaa193debe78641e14b4718e84
> State = 0x5b4a8e485341972bae816e794759d3ea
> Message-Authenticator = 0xc234d7f3f04c9d023687fd78e4d5c9da
> (75) # Executing section authorize from file /usr/local/freeradius-2.1.11/etc/raddb/sites-enabled/default
> (75) group authorize {
> (75) - entering group authorize {...}
> (75) policy split_username_prefix {
> (75) - entering policy split_username_prefix {...}
> (75) ? if (request:User-Name =~ /^([a-z]+)[\\\/]+([-a-z0-9_.]+)$/i)
> (75) ? Evaluating (request:User-Name =~ /^([a-z]+)[\\\/]+([-a-z0-9_.]+)$/i) -> TRUE
> (75) ? if (request:User-Name =~ /^([a-z]+)[\\\/]+([-a-z0-9_.]+)$/i) -> TRUE
> (75) if (request:User-Name =~ /^([a-z]+)[\\\/]+([-a-z0-9_.]+)$/i) {
> (75) - entering if (request:User-Name =~ /^([a-z]+)[\\\/]+([-a-z0-9_.]+)$/i) {...}
> (75) update request {
> (75) expand: %{2} -> dawson
> (75) expand: %{1} -> HOKIES
> (75) } # update request = notfound
> (75) [updated] = updated
> (75) - if (request:User-Name =~ /^([a-z]+)[\\\/]+([-a-z0-9_.]+)$/i) returns updated
> (75) ... skipping else for request 75: Preceding "if" was taken
> (75) - policy split_username_prefix returns updated
> (75) policy split_username_suffix {
> (75) - entering policy split_username_suffix {...}
> (75) ? if (request:User-Name =~ /^([^@]*)@([-[:alnum:]]+\.[-[:alnum:].]+)$/i)
> (75) ? Evaluating (request:User-Name =~ /^([^@]*)@([-[:alnum:]]+\.[-[:alnum:].]+)$/i) -> FALSE
> (75) ? if (request:User-Name =~ /^([^@]*)@([-[:alnum:]]+\.[-[:alnum:].]+)$/i) -> FALSE
> (75) else else {
> (75) - entering else else {...}
> (75) [noop] = noop
> (75) - else else returns noop
> (75) - policy split_username_suffix returns noop
> (75) [preprocess] = ok
> (75) auth_log : expand: /usr/local/freeradius-2.1.11/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /usr/local/freeradius-2.1.11/var/log/radius/radacct/198.82.171.153/auth-detail-20110823
> (75) auth_log : /usr/local/freeradius-2.1.11/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/freeradius-2.1.11/var/log/radius/radacct/198.82.171.153/auth-detail-20110823
> (75) auth_log : expand: %t -> Tue Aug 23 10:40:16 2011
> (75) [auth_log] = ok
> rlm_perl: Added pair NAS-Port-Type = Wireless-802.11
> rlm_perl: Added pair Service-Type = Framed-User
> rlm_perl: Added pair Tunnel-Type = VLAN
> rlm_perl: Added pair State = 0x5b4a8e485341972bae816e794759d3ea
> rlm_perl: Added pair Called-Station-Id = 00-21-55-4d-c4-40:CNS-Test
> rlm_perl: Added pair Message-Authenticator = 0xc234d7f3f04c9d023687fd78e4d5c9da
> rlm_perl: Added pair Airespace-Wlan-Id = 17
> rlm_perl: Added pair Stripped-User-Domain = HOKIES
> rlm_perl: Added pair NAS-IP-Address = 198.82.171.153
> rlm_perl: Added pair Tunnel-Private-Group-Id = 1381
> rlm_perl: Added pair Tunnel-Medium-Type = IEEE-802
> rlm_perl: Added pair Calling-Station-Id = 00-1d-e0-90-5f-db
> rlm_perl: Added pair User-Name = HOKIES\\dawson
> rlm_perl: Added pair NAS-Identifier = cas-6509-3.wsm8b
> rlm_perl: Added pair EAP-Message = 0x020b005f19001703010054bdd79574acfa8744908880dfa66a9e861f5fff5d2b3b7e387679b867704afa60476df6cc1ac0f30d92a4dc753cebb4bc4e71f4e0bc4db75534ab2403ec993619f05ad02497597deaa193debe78641e14b4718e84
> rlm_perl: Added pair Stripped-User-Name = dawson
> rlm_perl: Added pair NAS-Port = 29
> rlm_perl: Added pair Framed-MTU = 1300
> (75) [perl] = noop
> (75) ? if ("%{Stripped-User-Domain}" != "HOKIES")
> (75) expand: %{Stripped-User-Domain} -> HOKIES
> (75) ? Evaluating ("%{Stripped-User-Domain}" != "HOKIES") -> FALSE
> (75) ? if ("%{Stripped-User-Domain}" != "HOKIES") -> FALSE
> (75) eap : EAP packet type response id 11 length 95
> (75) eap : Continuing tunnel setup.
> (75) [eap] = ok
> (75) Found Auth-Type = ?
> (75) # Executing group from file /usr/local/freeradius-2.1.11/etc/raddb/sites-enabled/default
> (75) group authenticate {
> (75) - entering group authenticate {...}
> (75) eap : Request found, released from the list
> (75) eap : EAP/peap
> (75) eap : processing type peap
> (75) peap : processing EAP-TLS
> (75) peap : eaptls_verify returned 7
> (75) peap : Done initial handshake
> (75) peap : eaptls_process returned 7
> (75) peap : FR_TLS_OK
> (75) peap : Session established. Decoding tunneled attributes.
> (75) peap : Peap state phase2
> (75) peap : EAP type mschapv2
> (75) peap : Got tunneled request
> EAP-Message = 0x020b00481a020b004331bf4d439d3028cbdba8fff532c04f1cf60000000000000000bee44f94acbe708a682535adc0505e56a87462580576d06600484f4b4945535c646177736f6e
> server {
> (75) peap : Setting User-Name to HOKIES\dawson
> Sending tunneled request
> EAP-Message = 0x020b00481a020b004331bf4d439d3028cbdba8fff532c04f1cf60000000000000000bee44f94acbe708a682535adc0505e56a87462580576d06600484f4b4945535c646177736f6e
> FreeRADIUS-Proxied-To = 127.0.0.1
> User-Name = "HOKIES\\dawson"
> State = 0x21ebcfee21e0d5ab22fbf5cfb29bfd25
> NAS-Port-Type = Wireless-802.11
> Service-Type = Framed-User
> Tunnel-Type:0 = VLAN
> Called-Station-Id = "00-21-55-4d-c4-40:CNS-Test"
> NAS-IP-Address = 198.82.171.153
> Tunnel-Private-Group-Id:0 = "1381"
> Tunnel-Medium-Type:0 = IEEE-802
> Calling-Station-Id = "00-1d-e0-90-5f-db"
> NAS-Identifier = "cas-6509-3.wsm8b"
> NAS-Port = 29
> Framed-MTU = 1300
> server proxy-inner-tunnel {
> (75) # Executing section authorize from file /usr/local/freeradius-2.1.11/etc/raddb/sites-enabled/proxy-inner-tunnel
> (75) group authorize {
> (75) - entering group authorize {...}
> (75) ? if ("%{User-Name}" =~ /^(host\/.*)$/)
> (75) expand: %{User-Name} -> HOKIES\dawson
> (75) ? Evaluating ("%{User-Name}" =~ /^(host\/.*)$/) -> FALSE
> (75) ? if ("%{User-Name}" =~ /^(host\/.*)$/) -> FALSE
> (75) else else {
> (75) - entering else else {...}
> (75) update control {
> (75) } # update control = notfound
> (75) - else else returns notfound
> } # server proxy-inner-tunnel
> (75) peap : Got tunneled reply code 0
> PEAP: Calling authenticate in order to initiate tunneled EAP session.
> (75) # Executing group from file /usr/local/freeradius-2.1.11/etc/raddb/sites-enabled/proxy-inner-tunnel
> (75) group authenticate {
> (75) - entering group authenticate {...}
> (75) eap : Request found, released from the list
> (75) eap : EAP/mschapv2
> (75) eap : processing type mschapv2
> rlm_eap_mschapv2: cancelling authentication and letting it be proxied
> (75) eap : Not-EAP proxy set. Not composing EAP
> (75) [eap] = handled
> PEAP: Tunneled authentication will be proxied to DomainUser
> PEAP: Remembering to do EAP-MS-CHAP-V2 post-proxy.
> (75) eap : Tunneled session will be proxied. Not doing EAP.
> (75) [eap] = handled
> (75) WARNING: Empty pre-proxy section. Using default return values.
> Sending Access-Request of id 161 to 198.82.160.219 port 1812
> User-Name = "HOKIES\\dawson"
> NAS-Port-Type = Wireless-802.11
> Service-Type = Framed-User
> Tunnel-Type:0 = VLAN
> Called-Station-Id = "00-21-55-4d-c4-40:CNS-Test"
> NAS-IP-Address = 198.82.171.153
> Tunnel-Private-Group-Id:0 = "1381"
> Tunnel-Medium-Type:0 = IEEE-802
> Calling-Station-Id = "00-1d-e0-90-5f-db"
> NAS-Identifier = "cas-6509-3.wsm8b"
> NAS-Port = 29
> Framed-MTU = 1300
> MS-CHAP-Challenge = 0xd3827513a357a99d4eb9a5c87a716418
> MS-CHAP2-Response = 0x0b4fbf4d439d3028cbdba8fff532c04f1cf60000000000000000bee44f94acbe708a682535adc0505e56a87462580576d066
> Proxy-State = 0x313338
> (75) Proxying request to home server 198.82.160.219 port 1812
> Sending Access-Request of id 161 to 198.82.160.219 port 1812
> User-Name = "HOKIES\\dawson"
> NAS-Port-Type = Wireless-802.11
> Service-Type = Framed-User
> Tunnel-Type:0 = VLAN
> Called-Station-Id = "00-21-55-4d-c4-40:CNS-Test"
> NAS-IP-Address = 198.82.171.153
> Tunnel-Private-Group-Id:0 = "1381"
> Tunnel-Medium-Type:0 = IEEE-802
> Calling-Station-Id = "00-1d-e0-90-5f-db"
> NAS-Identifier = "cas-6509-3.wsm8b"
> NAS-Port = 29
> Framed-MTU = 1300
> MS-CHAP-Challenge = 0xd3827513a357a99d4eb9a5c87a716418
> MS-CHAP2-Response = 0x0b4fbf4d439d3028cbdba8fff532c04f1cf60000000000000000bee44f94acbe708a682535adc0505e56a87462580576d066
> Proxy-State = 0x313338
> Waking up in 0.2 seconds.
> rad_recv: Access-Accept packet from host 198.82.160.219 port 1812, id=161, length=219
> DEBUG: Compare b472204 to calculated digest f796ca40, secret temporaryS3CR3T
> Proxy-State = 0x313338
> Framed-Protocol = PPP
> Service-Type = Framed-User
> Class = 0x6538078a000001370001c652a0db01cc5476fe414ece0000000000004586
> MS-MPPE-Recv-Key = 0x7208bb9a9555b125d123303ac3db12a1
> MS-MPPE-Send-Key = 0x0cd6218a695a558ade111bcd7b05cfc2
> MS-CHAP2-Success = 0x0b533d32434230433038364541464632333233453842414534314643443231333130453939354641454134
> MS-CHAP-Domain = "\013HOKIES"
> (75) # Executing section post-proxy from file /usr/local/freeradius-2.1.11/etc/raddb/sites-enabled/default
> (75) group post-proxy {
> (75) - entering group post-proxy {...}
> (75) eap : Doing post-proxy callback
> (75) eap : Passing reply from proxy back into the tunnel.
> server proxy-inner-tunnel {
> (75) eap : Passing reply back for EAP-MS-CHAP-V2
> (75) # Executing section post-proxy from file /usr/local/freeradius-2.1.11/etc/raddb/sites-enabled/proxy-inner-tunnel
> (75) group post-proxy {
> (75) - entering group post-proxy {...}
> (75) [eap] = noop
> (75) WARNING: Empty post-auth section. Using default return values.
> } # server proxy-inner-tunnel
> (75) eap : Final reply from tunneled session code 2
> Proxy-State = 0x313338
> Framed-Protocol = PPP
> Service-Type = Framed-User
> Class = 0x6538078a000001370001c652a0db01cc5476fe414ece0000000000004586
> MS-MPPE-Recv-Key = 0x7208bb9a9555b125d123303ac3db12a1
> MS-MPPE-Send-Key = 0x0cd6218a695a558ade111bcd7b05cfc2
> MS-CHAP2-Success = 0x0b533d32434230433038364541464632333233453842414534314643443231333130453939354641454134
> MS-CHAP-Domain = "\013HOKIES"
> (75) eap : Got reply 2
> (75) eap : Got tunneled reply RADIUS code 2
> Proxy-State = 0x313338
> Framed-Protocol = PPP
> Service-Type = Framed-User
> Class = 0x6538078a000001370001c652a0db01cc5476fe414ece0000000000004586
> MS-MPPE-Recv-Key = 0x7208bb9a9555b125d123303ac3db12a1
> MS-MPPE-Send-Key = 0x0cd6218a695a558ade111bcd7b05cfc2
> MS-CHAP2-Success = 0x0b533d32434230433038364541464632333233453842414534314643443231333130453939354641454134
> MS-CHAP-Domain = "\013HOKIES"
> (75) eap : Tunneled authentication was successful.
> (75) eap : SUCCESS
> (75) eap : Reply was handled
> (75) [eap] = ok
> (75) Found Auth-Type = ?
> (75) Found Auth-Type = ?
> (75) Warning: Found 2 auth-types on request for user 'HOKIES\dawson'
> (75) Auth-Type = Accept, accepting the user
> (75) Login OK: [HOKIES\\dawson] (from client 198.82.171.153 port 29 cli 00-1d-e0-90-5f-db)
> (75) # Executing section post-auth from file /usr/local/freeradius-2.1.11/etc/raddb/sites-enabled/default
> (75) group post-auth {
> (75) - entering group post-auth {...}
> (75) [exec] = noop
> Sending Access-Challenge of id 138 to 198.82.171.153 port 32768
> EAP-Message = 0x010c00261900170301001b0167b434a0313cb3f29b20e1f731efe3d173083c964cda1451135a
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x5b4a8e485246972bae816e794759d3ea
> (75) Finished request 75.
> Waking up in 0.2 seconds.
> rad_recv: Access-Request packet from host 198.82.171.153 port 32768, id=139, length=236
> User-Name = "HOKIES\\dawson"
> Calling-Station-Id = "00-1d-e0-90-5f-db"
> Called-Station-Id = "00-21-55-4d-c4-40:CNS-Test"
> NAS-Port = 29
> NAS-IP-Address = 198.82.171.153
> NAS-Identifier = "cas-6509-3.wsm8b"
> Airespace-Wlan-Id = 17
> Service-Type = Framed-User
> Framed-MTU = 1300
> NAS-Port-Type = Wireless-802.11
> Tunnel-Type:0 = VLAN
> Tunnel-Medium-Type:0 = IEEE-802
> Tunnel-Private-Group-Id:0 = "1381"
> EAP-Message = 0x020c00261900170301001b00dae368dd150e9d42e0c8888cb128e6ecc520b887a849a8a1d743
> State = 0x5b4a8e485246972bae816e794759d3ea
> Message-Authenticator = 0x26b42d72271f1819599977a28920622f
> (76) # Executing section authorize from file /usr/local/freeradius-2.1.11/etc/raddb/sites-enabled/default
> (76) group authorize {
> (76) - entering group authorize {...}
> (76) policy split_username_prefix {
> (76) - entering policy split_username_prefix {...}
> (76) ? if (request:User-Name =~ /^([a-z]+)[\\\/]+([-a-z0-9_.]+)$/i)
> (76) ? Evaluating (request:User-Name =~ /^([a-z]+)[\\\/]+([-a-z0-9_.]+)$/i) -> TRUE
> (76) ? if (request:User-Name =~ /^([a-z]+)[\\\/]+([-a-z0-9_.]+)$/i) -> TRUE
> (76) if (request:User-Name =~ /^([a-z]+)[\\\/]+([-a-z0-9_.]+)$/i) {
> (76) - entering if (request:User-Name =~ /^([a-z]+)[\\\/]+([-a-z0-9_.]+)$/i) {...}
> (76) update request {
> (76) expand: %{2} -> dawson
> (76) expand: %{1} -> HOKIES
> (76) } # update request = notfound
> (76) [updated] = updated
> (76) - if (request:User-Name =~ /^([a-z]+)[\\\/]+([-a-z0-9_.]+)$/i) returns updated
> (76) ... skipping else for request 76: Preceding "if" was taken
> (76) - policy split_username_prefix returns updated
> (76) policy split_username_suffix {
> (76) - entering policy split_username_suffix {...}
> (76) ? if (request:User-Name =~ /^([^@]*)@([-[:alnum:]]+\.[-[:alnum:].]+)$/i)
> (76) ? Evaluating (request:User-Name =~ /^([^@]*)@([-[:alnum:]]+\.[-[:alnum:].]+)$/i) -> FALSE
> (76) ? if (request:User-Name =~ /^([^@]*)@([-[:alnum:]]+\.[-[:alnum:].]+)$/i) -> FALSE
> (76) else else {
> (76) - entering else else {...}
> (76) [noop] = noop
> (76) - else else returns noop
> (76) - policy split_username_suffix returns noop
> (76) [preprocess] = ok
> (76) auth_log : expand: /usr/local/freeradius-2.1.11/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /usr/local/freeradius-2.1.11/var/log/radius/radacct/198.82.171.153/auth-detail-20110823
> (76) auth_log : /usr/local/freeradius-2.1.11/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/freeradius-2.1.11/var/log/radius/radacct/198.82.171.153/auth-detail-20110823
> (76) auth_log : expand: %t -> Tue Aug 23 10:40:16 2011
> (76) [auth_log] = ok
> rlm_perl: Added pair NAS-Port-Type = Wireless-802.11
> rlm_perl: Added pair Service-Type = Framed-User
> rlm_perl: Added pair Tunnel-Type = VLAN
> rlm_perl: Added pair State = 0x5b4a8e485246972bae816e794759d3ea
> rlm_perl: Added pair Called-Station-Id = 00-21-55-4d-c4-40:CNS-Test
> rlm_perl: Added pair Message-Authenticator = 0x26b42d72271f1819599977a28920622f
> rlm_perl: Added pair Airespace-Wlan-Id = 17
> rlm_perl: Added pair Stripped-User-Domain = HOKIES
> rlm_perl: Added pair NAS-IP-Address = 198.82.171.153
> rlm_perl: Added pair Tunnel-Private-Group-Id = 1381
> rlm_perl: Added pair Tunnel-Medium-Type = IEEE-802
> rlm_perl: Added pair Calling-Station-Id = 00-1d-e0-90-5f-db
> rlm_perl: Added pair User-Name = HOKIES\\dawson
> rlm_perl: Added pair NAS-Identifier = cas-6509-3.wsm8b
> rlm_perl: Added pair EAP-Message = 0x020c00261900170301001b00dae368dd150e9d42e0c8888cb128e6ecc520b887a849a8a1d743
> rlm_perl: Added pair Stripped-User-Name = dawson
> rlm_perl: Added pair NAS-Port = 29
> rlm_perl: Added pair Framed-MTU = 1300
> (76) [perl] = noop
> (76) ? if ("%{Stripped-User-Domain}" != "HOKIES")
> (76) expand: %{Stripped-User-Domain} -> HOKIES
> (76) ? Evaluating ("%{Stripped-User-Domain}" != "HOKIES") -> FALSE
> (76) ? if ("%{Stripped-User-Domain}" != "HOKIES") -> FALSE
> (76) eap : EAP packet type response id 12 length 38
> (76) eap : Continuing tunnel setup.
> (76) [eap] = ok
> (76) Found Auth-Type = ?
> (76) # Executing group from file /usr/local/freeradius-2.1.11/etc/raddb/sites-enabled/default
> (76) group authenticate {
> (76) - entering group authenticate {...}
> (76) eap : Request found, released from the list
> (76) eap : EAP/peap
> (76) eap : processing type peap
> (76) peap : processing EAP-TLS
> (76) peap : eaptls_verify returned 7
> (76) peap : Done initial handshake
> (76) peap : eaptls_process returned 7
> (76) peap : FR_TLS_OK
> (76) peap : Session established. Decoding tunneled attributes.
> (76) peap : Peap state send tlv success
> (76) peap : Received EAP-TLV response.
> (76) peap : Client rejected our response. The password is probably incorrect.
> (76) peap : We sent a success, but received something weird in return.
> (76) eap : Handler failed in EAP/peap
> (76) eap : Failed in EAP select
> (76) [eap] = invalid
> (76) Failed to authenticate the user.
> (76) Login incorrect: [HOKIES\\dawson] (from client 198.82.171.153 port 29 cli 00-1d-e0-90-5f-db)
> (76) Using Post-Auth-Type Reject
> (76) # Executing group from file /usr/local/freeradius-2.1.11/etc/raddb/sites-enabled/default
> (76) group REJECT {
> (76) - entering group REJECT {...}
> (76) attr_filter.access_reject : expand: %{User-Name} -> HOKIES\dawson
> attr_filter: Matched entry DEFAULT at line 11
> (76) [attr_filter.access_reject] = updated
> (76) Finished request 76.
> Waking up in 0.2 seconds.
> Waking up in 0.6 seconds.
> (76) Sending delayed reject
> Sending Access-Reject of id 139 to 198.82.171.153 port 32768
> EAP-Message = 0x040c0004
> Message-Authenticator = 0x00000000000000000000000000000000
>
> -----
>
> Production Success:
> Waking up in 4.9 seconds.
> User-Name = "HOKIES\\dawson"
> Calling-Station-Id = "00-1d-e0-90-5f-db"
> Called-Station-Id = "00-21-55-4d-c4-40:CNS-Test"
> NAS-Port = 29
> NAS-IP-Address = 198.82.171.153
> NAS-Identifier = "cas-6509-3.wsm8b"
> Airespace-Wlan-Id = 17
> Service-Type = Framed-User
> Framed-MTU = 1300
> NAS-Port-Type = Wireless-802.11
> Tunnel-Type:0 = VLAN
> Tunnel-Medium-Type:0 = IEEE-802
> Tunnel-Private-Group-Id:0 = "1381"
> EAP-Message = 0x020a005f1900170301005499a000fc4d08b0c067d3251047d61b836767466160c386b38d37d4b6c39b07ce3b09c85590c8a923419e6f0ae464ac472050214b71b4d641e06f8a439348319233d622cd7900f8f172726407b0010bcb54c6a1d6
> State = 0x764462057e4e7bc59f1c525ed4400d40
> Message-Authenticator = 0xd9566738adb17439ce7d7568c8bc8264
> +- entering group authorize
> ++[mschap] returns noop
> rlm_eap: EAP packet type response id 10 length 95
> rlm_eap: Continuing tunnel setup.
> ++[eap] returns ok
> rad_check_password: Found Auth-Type EAP
> auth: type "EAP"
> +- entering group EAP
> rlm_eap: Request found, released from the list
> rlm_eap: EAP/peap
> rlm_eap: processing type peap
> rlm_eap_peap: Authenticate
> rlm_eap_tls: processing TLS
> eaptls_verify returned 7
> rlm_eap_tls: Done initial handshake
> eaptls_process returned 7
> rlm_eap_peap: EAPTLS_OK
> rlm_eap_peap: Session established. Decoding tunneled attributes.
> rlm_eap_peap: EAP type mschapv2
> PEAP: Setting User-Name to HOKIES\dawson
> +- entering group authorize
> ++? if ("%{User-Name}" =~ /^(host\/.*)$/)
> expand: %{User-Name} -> HOKIES\dawson
> ? Evaluating ("%{User-Name}" =~ /^(host\/.*)$/) -> FALSE
> ++? if ("%{User-Name}" =~ /^(host\/.*)$/) -> FALSE
> ++- entering else else
> +++[control] returns notfound
> ++- else else returns notfound
> PEAP: Calling authenticate in order to initiate tunneled EAP session.
> +- entering group authenticate
> rlm_eap: Request found, released from the list
> rlm_eap: EAP/mschapv2
> rlm_eap: processing type mschapv2
> Not-EAP proxy set. Not composing EAP
> ++[eap] returns handled
> PEAP: Tunneled authentication will be proxied to openradius
> PEAP: Remembering to do EAP-MS-CHAP-V2 post-proxy.
> Tunneled session will be proxied. Not doing EAP.
> ++[eap] returns handled
> +- entering group pre-proxy
> preproxy_users: Matched entry DEFAULT at line 1
> ++[files] returns ok
> User-Name = "HOKIES\\dawson"
> Calling-Station-Id = "00-1d-e0-90-5f-db"
> Called-Station-Id = "00-21-55-4d-c4-40:CNS-Test"
> NAS-Port = 29
> NAS-IP-Address := 198.82.247.103
> NAS-Identifier = "cas-6509-3.wsm8b"
> Airespace-Wlan-Id = 17
> Service-Type := Framed-User
> Framed-MTU = 1300
> NAS-Port-Type := Wireless-802.11
> Tunnel-Type:0 = VLAN
> Tunnel-Medium-Type:0 = IEEE-802
> Tunnel-Private-Group-Id:0 = "1381"
> MS-CHAP-Challenge = 0x20760eb105e545d6a131f324c1d30464
> MS-CHAP2-Response = 0x0a4f84e590f059f31dc3ca5b621b238582190000000000000000385984c78f91f816edb8f1b279838a0a890bdd6573bac9f7
> Proxy-State = 0x323433
> Proxying request 9 to home server 198.82.247.67 port 1812
> User-Name = "HOKIES\\dawson"
> Calling-Station-Id = "00-1d-e0-90-5f-db"
> Called-Station-Id = "00-21-55-4d-c4-40:CNS-Test"
> NAS-Port = 29
> NAS-IP-Address := 198.82.247.103
> NAS-Identifier = "cas-6509-3.wsm8b"
> Airespace-Wlan-Id = 17
> Service-Type := Framed-User
> Framed-MTU = 1300
> NAS-Port-Type := Wireless-802.11
> Tunnel-Type:0 = VLAN
> Tunnel-Medium-Type:0 = IEEE-802
> Tunnel-Private-Group-Id:0 = "1381"
> MS-CHAP-Challenge = 0x20760eb105e545d6a131f324c1d30464
> MS-CHAP2-Response = 0x0a4f84e590f059f31dc3ca5b621b238582190000000000000000385984c78f91f816edb8f1b279838a0a890bdd6573bac9f7
> Proxy-State = 0x323433
> Going to the next request
> Waking up in 0.9 seconds.
> Framed-Protocol = PPP
> Service-Type = Framed-User
> MS-MPPE-Recv-Key = 0xe32365fe45921738025084f44fd7822a
> MS-MPPE-Send-Key = 0xf65c13fbcd70a80768ea868ec27085ff
> MS-CHAP2-Success = 0x0a533d46333146313034313438374339373131303542344546363341364339333146344135424141383434
> MS-CHAP-Domain = "\nHOKIES"
> +- entering group post-proxy
> rlm_eap: Doing post-proxy callback
> PEAP: Passing reply from proxy back into the tunnel.
> PEAP: Passing reply back for EAP-MS-CHAP-V2
> +- entering group post-proxy
> rlm_eap: Doing post-proxy callback
> rlm_eap_mschapv2: Passing reply from proxy back into the tunnel 0x1cd469a0 2.
> rlm_eap_mschapv2: Authentication succeeded.
> MSCHAP Success
> ++[eap] returns ok
> PEAP: Got reply 11
> PEAP: Got tunneled Access-Challenge
> PEAP: Reply was handled
> ++[eap] returns ok
> EAP-Message = 0x010b004a1900170301003f084cf62c48fb9b9e951aa3801c9a88bbe2078c7a667df320929296299bdff2863bf8572a744dac5d9409953cda9855feca24aa24b8205677fbf3f7e3767f36
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x764462057f4f7bc59f1c525ed4400d40
> Finished request 9.
> Going to the next request
> Waking up in 4.9 seconds.
> User-Name = "HOKIES\\dawson"
> Calling-Station-Id = "00-1d-e0-90-5f-db"
> Called-Station-Id = "00-21-55-4d-c4-40:CNS-Test"
> NAS-Port = 29
> NAS-IP-Address = 198.82.171.153
> NAS-Identifier = "cas-6509-3.wsm8b"
> Airespace-Wlan-Id = 17
> Service-Type = Framed-User
> Framed-MTU = 1300
> NAS-Port-Type = Wireless-802.11
> Tunnel-Type:0 = VLAN
> Tunnel-Medium-Type:0 = IEEE-802
> Tunnel-Private-Group-Id:0 = "1381"
> EAP-Message = 0x020b001d19001703010012091d2f1089b72dd14c76daf331c2dc4de167
> State = 0x764462057f4f7bc59f1c525ed4400d40
> Message-Authenticator = 0xee39bc3d804727c33f69fc7d8172d2bf
> +- entering group authorize
> ++[mschap] returns noop
> rlm_eap: EAP packet type response id 11 length 29
> rlm_eap: Continuing tunnel setup.
> ++[eap] returns ok
> rad_check_password: Found Auth-Type EAP
> auth: type "EAP"
> +- entering group EAP
> rlm_eap: Request found, released from the list
> rlm_eap: EAP/peap
> rlm_eap: processing type peap
> rlm_eap_peap: Authenticate
> rlm_eap_tls: processing TLS
> eaptls_verify returned 7
> rlm_eap_tls: Done initial handshake
> eaptls_process returned 7
> rlm_eap_peap: EAPTLS_OK
> rlm_eap_peap: Session established. Decoding tunneled attributes.
> rlm_eap_peap: EAP type mschapv2
> PEAP: Setting User-Name to HOKIES\dawson
> +- entering group authorize
> ++? if ("%{User-Name}" =~ /^(host\/.*)$/)
> expand: %{User-Name} -> HOKIES\dawson
> ? Evaluating ("%{User-Name}" =~ /^(host\/.*)$/) -> FALSE
> ++? if ("%{User-Name}" =~ /^(host\/.*)$/) -> FALSE
> ++- entering else else
> +++[control] returns notfound
> ++- else else returns notfound
> PEAP: Calling authenticate in order to initiate tunneled EAP session.
> +- entering group authenticate
> rlm_eap: Request found, released from the list
> rlm_eap: EAP/mschapv2
> rlm_eap: processing type mschapv2
> rlm_eap: Freeing handler
> ++[eap] returns ok
> PEAP: Tunneled authentication was successful.
> rlm_eap_peap: SUCCESS
> ++[eap] returns handled
> EAP-Message = 0x010c00261900170301001badffc5c8196273037ffc5ae8b421cb5a11d4cdbf3d67e521a2dd10
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x764462057c487bc59f1c525ed4400d40
> Finished request 10.
> Going to the next request
> Waking up in 4.9 seconds.
> User-Name = "HOKIES\\dawson"
> Calling-Station-Id = "00-1d-e0-90-5f-db"
> Called-Station-Id = "00-21-55-4d-c4-40:CNS-Test"
> NAS-Port = 29
> NAS-IP-Address = 198.82.171.153
> NAS-Identifier = "cas-6509-3.wsm8b"
> Airespace-Wlan-Id = 17
> Service-Type = Framed-User
> Framed-MTU = 1300
> NAS-Port-Type = Wireless-802.11
> Tunnel-Type:0 = VLAN
> Tunnel-Medium-Type:0 = IEEE-802
> Tunnel-Private-Group-Id:0 = "1381"
> EAP-Message = 0x020c00261900170301001be252b19386182f2a3d9b6255f0b51007da074f90f732568c1dfbb8
> State = 0x764462057c487bc59f1c525ed4400d40
> Message-Authenticator = 0xc04ab29e63cd60e30bfd3fed2ba3be09
> +- entering group authorize
> ++[mschap] returns noop
> rlm_eap: EAP packet type response id 12 length 38
> rlm_eap: Continuing tunnel setup.
> ++[eap] returns ok
> rad_check_password: Found Auth-Type EAP
> auth: type "EAP"
> +- entering group EAP
> rlm_eap: Request found, released from the list
> rlm_eap: EAP/peap
> rlm_eap: processing type peap
> rlm_eap_peap: Authenticate
> rlm_eap_tls: processing TLS
> eaptls_verify returned 7
> rlm_eap_tls: Done initial handshake
> eaptls_process returned 7
> rlm_eap_peap: EAPTLS_OK
> rlm_eap_peap: Session established. Decoding tunneled attributes.
> rlm_eap_peap: Received EAP-TLV response.
> rlm_eap_peap: Success
> rlm_eap: Freeing handler
> ++[eap] returns ok
> perl_pool: item 0x17a6e7a0 asigned new request. Handled so far: 1
> found interpetator at address 0x17a6e7a0
> rlm_perl: no serial number; assuming non-TLS authentication
> rlm_perl: Added pair NAS-Port-Type = Wireless-802.11
> rlm_perl: Added pair Service-Type = Framed-User
> rlm_perl: Added pair Tunnel-Type = VLAN
> rlm_perl: Added pair State = 0x764462057c487bc59f1c525ed4400d40
> rlm_perl: Added pair Called-Station-Id = 00-21-55-4d-c4-40:CNS-Test
> rlm_perl: Added pair Message-Authenticator = 0xc04ab29e63cd60e30bfd3fed2ba3be09
> rlm_perl: Added pair Airespace-Wlan-Id = 17
> rlm_perl: Added pair EAP-Type = PEAP
> rlm_perl: Added pair NAS-IP-Address = 198.82.171.153
> rlm_perl: Added pair Tunnel-Private-Group-Id = 1381
> rlm_perl: Added pair Tunnel-Medium-Type = IEEE-802
> rlm_perl: Added pair Calling-Station-Id = 00-1d-e0-90-5f-db
> rlm_perl: Added pair User-Name = HOKIES\\dawson
> rlm_perl: Added pair NAS-Identifier = cas-6509-3.wsm8b
> rlm_perl: Added pair EAP-Message = 0x020c00261900170301001be252b19386182f2a3d9b6255f0b51007da074f90f732568c1dfbb8
> rlm_perl: Added pair NAS-Port = 29
> rlm_perl: Added pair Framed-MTU = 1300
> rlm_perl: Added pair User-Name = HOKIES\\dawson
> rlm_perl: Added pair MS-MPPE-Recv-Key = 0x4e3e827b7fb173dbe293fadd607586b838cd55ae5261090fd483569509a070de
> rlm_perl: Added pair EAP-Message = 0x030c0004
> rlm_perl: Added pair MS-MPPE-Send-Key = 0xb43ef9e36d44d66d205184ee8ca81f0f14e3a52cd254bd27268c7c99f58a18b0
> rlm_perl: Added pair Message-Authenticator = 0x00000000000000000000000000000000
> rlm_perl: Added pair Auth-Type = EAP
> perl_pool total/active/spare [32/0/32]
> Unreserve perl at address 0x17a6e7a0
> ++[perl] returns ok
> Login OK: [HOKIES\\\\dawson/<via Auth-Type = EAP>] (from client cas-6509-3.wsm8b port 29 cli 00-1d-e0-90-5f-db)
> User-Name = "HOKIES\\\\dawson"
> MS-MPPE-Recv-Key = 0x4e3e827b7fb173dbe293fadd607586b838cd55ae5261090fd483569509a070de
> EAP-Message = 0x030c0004
> MS-MPPE-Send-Key = 0xb43ef9e36d44d66d205184ee8ca81f0f14e3a52cd254bd27268c7c99f58a18b0
> Message-Authenticator = 0x00000000000000000000000000000000
> Finished request 11.
> Going to the next request
> Waking up in 4.9 seconds.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
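Added example, not part of the post and not FreeRADIUS code: the hex blobs in a trace like the one above can be decoded by hand to confirm what actually crossed each hop. The Python below parses the tunneled EAP-MSCHAPv2 Response that PEAP logged for request (75), the MS-CHAP2-Response attribute that was proxied to IAS and the MS-CHAP2-Success attribute IAS returned; checks that the proxied attribute carries the same ident, peer challenge and NT-Response as the EAP packet; and builds the EAP-MSCHAPv2 Success Request (op-code 3, carrying the "S=" authenticator response) that a PEAP server relays to the peer, which the peer verifies and acknowledges before the method can complete. The sample bytes are copied from the pre-production trace; the EAP identifier used for the built packet (12) is an assumption, because the inner identifier is hidden by the TLS tunnel.

```python
"""Decode the MS-CHAPv2 material that appears in a PEAP/MSCHAPv2 debug trace.

Added example, not FreeRADIUS code.  The sample bytes are copied from the
pre-production trace in the post (request 75); the EAP identifier used for
the built Success Request is an assumption, since the inner identifier is
hidden by the TLS tunnel.
"""
import struct

# Inner (tunneled) EAP-Message the PEAP module logged for request (75)
TUNNELED_EAP = bytes.fromhex(
    "020b00481a020b004331bf4d439d3028cbdba8fff532c04f1cf6"
    "0000000000000000bee44f94acbe708a682535adc0505e56a87462580576d066"
    "00484f4b4945535c646177736f6e")
# MS-CHAP2-Response attribute in the Access-Request proxied to IAS
MSCHAP2_RESPONSE = bytes.fromhex(
    "0b4fbf4d439d3028cbdba8fff532c04f1cf60000000000000000"
    "bee44f94acbe708a682535adc0505e56a87462580576d066")
# MS-CHAP2-Success attribute in the Access-Accept that IAS returned
MSCHAP2_SUCCESS = bytes.fromhex(
    "0b533d32434230433038364541464632333233453842414534314643443231"
    "333130453939354641454134")

EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_MSCHAPV2 = 26
OP_RESPONSE, OP_SUCCESS = 2, 3
MSCHAPV2_VALUE_SIZE = 49   # 16 peer challenge + 8 reserved + 24 NT-Response + 1 flags


def parse_eap_mschapv2_response(pkt):
    """Split an EAP-MSCHAPv2 Response (draft-kamath-pppext-eap-mschapv2) into its fields."""
    code, eap_id, length, eap_type = struct.unpack("!BBHB", pkt[:5])
    if code != EAP_RESPONSE or eap_type != EAP_TYPE_MSCHAPV2 or length != len(pkt):
        raise ValueError("not a well-formed EAP-MSCHAPv2 Response")
    opcode, ms_id, ms_len, value_size = struct.unpack("!BBHB", pkt[5:10])
    # MS-Length counts everything from the OpCode onwards
    if opcode != OP_RESPONSE or ms_len != length - 5 or value_size != MSCHAPV2_VALUE_SIZE:
        raise ValueError("unexpected MS-CHAPv2 Response layout")
    value = pkt[10:10 + value_size]
    return {
        "eap_id": eap_id,
        "ms_id": ms_id,
        "peer_challenge": value[:16],
        "reserved": value[16:24],
        "nt_response": value[24:48],
        "flags": value[48],
        "name": pkt[10 + value_size:].decode("ascii"),
    }


def parse_radius_mschap2_response(attr):
    """RFC 2548 MS-CHAP2-Response: Ident, Flags, Peer-Challenge, Reserved, Response."""
    if len(attr) != 50:
        raise ValueError("MS-CHAP2-Response must be 50 octets")
    return {
        "ident": attr[0],
        "flags": attr[1],
        "peer_challenge": attr[2:18],
        "reserved": attr[18:26],
        "nt_response": attr[26:50],
    }


def parse_radius_mschap2_success(attr):
    """RFC 2548 MS-CHAP2-Success: Ident, then 'S=<40 hex digits>' and an optional message."""
    ident, text = attr[0], attr[1:].decode("ascii")
    if not text.startswith("S=") or len(text) < 42:
        raise ValueError("MS-CHAP2-Success must carry S=<40 hex digits>")
    auth_resp = text[2:42]
    int(auth_resp, 16)   # raises ValueError if the authenticator response is not hex
    return {"ident": ident, "authenticator_response": auth_resp, "message": text[42:].strip()}


def check_proxy_consistency(eap_pkt, radius_attr):
    """True when the proxied RADIUS attribute carries exactly the ident, peer challenge and
    NT-Response the peer put in the tunneled EAP packet (the flags byte is not compared)."""
    e = parse_eap_mschapv2_response(eap_pkt)
    r = parse_radius_mschap2_response(radius_attr)
    return (e["ms_id"] == r["ident"]
            and e["peer_challenge"] == r["peer_challenge"]
            and e["nt_response"] == r["nt_response"])


def build_eap_mschapv2_success_request(eap_id, success_attr):
    """Wrap the home server's MS-CHAP2-Success in the EAP-MSCHAPv2 Success Request (OpCode 3)
    that the PEAP server relays to the peer before it can send the EAP-TLV Success.
    The peer checks the 'S=' authenticator response against its own computation and then
    answers with a 6-octet Success Response (code 2, id, length 6, type 26, OpCode 3)."""
    s = parse_radius_mschap2_success(success_attr)   # validates the attribute
    text = success_attr[1:]                           # 'S=...' exactly as returned
    ms_len = 4 + len(text)                            # OpCode, MS-CHAPv2-ID, MS-Length, Message
    return struct.pack("!BBHBBBH", EAP_REQUEST, eap_id, 5 + ms_len, EAP_TYPE_MSCHAPV2,
                       OP_SUCCESS, s["ident"], ms_len) + text


def is_eap_mschapv2_success_response(pkt):
    """The peer's acknowledgement that the authenticator response checked out."""
    return (len(pkt) == 6 and pkt[0] == EAP_RESPONSE and pkt[2:4] == b"\x00\x06"
            and pkt[4] == EAP_TYPE_MSCHAPV2 and pkt[5] == OP_SUCCESS)


if __name__ == "__main__":
    inner = parse_eap_mschapv2_response(TUNNELED_EAP)
    print("tunneled response from", inner["name"], "MS-CHAPv2 id", inner["ms_id"])
    print("proxied attribute consistent:", check_proxy_consistency(TUNNELED_EAP, MSCHAP2_RESPONSE))
    print("authenticator response:", parse_radius_mschap2_success(MSCHAP2_SUCCESS)["authenticator_response"])
    print("success request to relay:", build_eap_mschapv2_success_request(12, MSCHAP2_SUCCESS).hex())
```

The consistency check is the first thing to run when a home server accepts or rejects something the client did not think it sent: a proxy that rewrites any of the three fields (the ident is the usual casualty) makes the home server validate a different response. The built Success Request shows what the peer needs to see in its half of the exchange: the 40-hex-digit authenticator response, which it recomputes from its own NT hash and the two challenges, followed by its 6-octet Success Response.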