Anyone have any thoughts on where I need to poke at this thing?  I'm about at 
the limits of my ability to figure out what's going wrong.

- Jacob

On 29 Aug 2011, at 17:28, Jacob Dawson wrote:

> We're having an odd problem here, and I just can't pin down quite where to 
> look to fix it.  We use PEAP-MSCHAPv2 for authentication of our Windows 
> domain users on wireless.  This is accomplished by terminating the TLS 
> conversation at FreeRADIUS and sending along the MSCHAP conversation to an 
> IAS server. We've tested this in the past, and it's worked fine, and we're 
> doing a modified form of this in production, and it's working fine, but I've 
> lately been unable to get it to work in our pre-production 2.1.11 
> environment.  What's particularly odd is that it's only affecting the Windows 
> clients.  My OS X client doing PEAP with the same credentials is happy.
> 
> What we're doing in production, which continues to work, is this:
> We terminate TLS at FreeRADIUS.  This allows us to manage the wireless 
> service certificate there, keeps the IAS operators from having to keep up 
> with it.
> We proxy the MSCHAP conversation to our OpenRADIUS server (which is also 
> running and interacting with TACACS).
> OpenRADIUS proxies the CHAP stuff to IAS.  It may be tinkering with the 
> MSCHAP fields from IAS to make them more compatible (basically changing out 
> the secrets because it's standing in the middle).
> Successful authentication then percolates back through the chain and the user 
> is happy.
> 
> In pre-production, it looks like this:
> Request comes in from Windows client, is recognized to be a Domain 
> authentication request, gets proxied to an FR virtual server.
> Said virtual server gets it, processes the TLS and terminates it, and proxies 
> the MSCHAP conversation to IAS.
> IAS does its MSCHAP thing, accepts the user.
> Access-Accept percolates back up through the chain.  We send an 
> Access-Challenge, the user sends an Access-Request, and FR says the user said 
> something weird, so it's rejecting them.
> 
> Request comes in from non-Windows client, is recognized to be a Domain 
> authentication request, gets proxied to an FR virtual server.
> Said virtual server gets it, processes the TLS and terminates it, and proxies 
> the MSCHAP conversation to IAS.
> IAS does its MSCHAP thing, accepts the user.
> Access-Accept percolates back up through the chain.  We send an 
> Access-Challenge, the user sends an Access-Request, and FR says everything's 
> fine, user gets Access-Accept.
> 
> Thoughts on where I need to look?  I can't parse out what's happening to 
> cause a response to be invalid for Windows users but not for, say, Mac users. 
> Our initial guess here is that the Windows clients are looking at the MPPE 
> keys, and are unhappy about them, whereas the Mac clients are not, though we 
> suspect neither set of clients requires them.
> 
> Posting relevant bits of debug output below.
> 
> Thanks much,
> Jacob M. Dawson
> 
> ---------
> 
> Pre-production failure:
> rad_recv: Access-Request packet from host 198.82.171.153 port 32768, id=138, 
> length=293
>       User-Name = "HOKIES\\dawson"
>       Calling-Station-Id = "00-1d-e0-90-5f-db"
>       Called-Station-Id = "00-21-55-4d-c4-40:CNS-Test"
>       NAS-Port = 29
>       NAS-IP-Address = 198.82.171.153
>       NAS-Identifier = "cas-6509-3.wsm8b"
>       Airespace-Wlan-Id = 17
>       Service-Type = Framed-User
>       Framed-MTU = 1300
>       NAS-Port-Type = Wireless-802.11
>       Tunnel-Type:0 = VLAN
>       Tunnel-Medium-Type:0 = IEEE-802
>       Tunnel-Private-Group-Id:0 = "1381"
>       EAP-Message = 
> 0x020b005f19001703010054bdd79574acfa8744908880dfa66a9e861f5fff5d2b3b7e387679b867704afa60476df6cc1ac0f30d92a4dc753cebb4bc4e71f4e0bc4db75534ab2403ec993619f05ad02497597deaa193debe78641e14b4718e84
>       State = 0x5b4a8e485341972bae816e794759d3ea
>       Message-Authenticator = 0xc234d7f3f04c9d023687fd78e4d5c9da
> (75) # Executing section authorize from file 
> /usr/local/freeradius-2.1.11/etc/raddb/sites-enabled/default
> (75)   group authorize {
> (75)  - entering group authorize {...}
> (75)    policy split_username_prefix {
> (75)   - entering policy split_username_prefix {...}
> (75)    ? if (request:User-Name =~ /^([a-z]+)[\\\/]+([-a-z0-9_.]+)$/i)
> (75) ? Evaluating (request:User-Name =~ /^([a-z]+)[\\\/]+([-a-z0-9_.]+)$/i) 
> -> TRUE
> (75)    ? if (request:User-Name =~ /^([a-z]+)[\\\/]+([-a-z0-9_.]+)$/i) -> TRUE
> (75)     if (request:User-Name =~ /^([a-z]+)[\\\/]+([-a-z0-9_.]+)$/i) {
> (75)    - entering if (request:User-Name =~ 
> /^([a-z]+)[\\\/]+([-a-z0-9_.]+)$/i) {...}
> (75)     update request {
> (75)  expand: %{2} -> dawson
> (75)  expand: %{1} -> HOKIES
> (75)     } # update request = notfound
> (75)     [updated] = updated
> (75)    - if (request:User-Name =~ /^([a-z]+)[\\\/]+([-a-z0-9_.]+)$/i) 
> returns updated
> (75)     ... skipping else for request 75: Preceding "if" was taken
> (75)   - policy split_username_prefix returns updated
> (75)    policy split_username_suffix {
> (75)   - entering policy split_username_suffix {...}
> (75)    ? if (request:User-Name =~ 
> /^([^@]*)@([-[:alnum:]]+\.[-[:alnum:].]+)$/i)
> (75) ? Evaluating (request:User-Name =~ 
> /^([^@]*)@([-[:alnum:]]+\.[-[:alnum:].]+)$/i) -> FALSE
> (75)    ? if (request:User-Name =~ 
> /^([^@]*)@([-[:alnum:]]+\.[-[:alnum:].]+)$/i) -> FALSE
> (75)     else else {
> (75)    - entering else else {...}
> (75)     [noop] = noop
> (75)    - else else returns noop
> (75)   - policy split_username_suffix returns noop
> (75)   [preprocess] = ok
> (75) auth_log :       expand: 
> /usr/local/freeradius-2.1.11/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
>  -> 
> /usr/local/freeradius-2.1.11/var/log/radius/radacct/198.82.171.153/auth-detail-20110823
> (75) auth_log : 
> /usr/local/freeradius-2.1.11/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
>  expands to 
> /usr/local/freeradius-2.1.11/var/log/radius/radacct/198.82.171.153/auth-detail-20110823
> (75) auth_log :       expand: %t -> Tue Aug 23 10:40:16 2011
> (75)   [auth_log] = ok
> rlm_perl: Added pair NAS-Port-Type = Wireless-802.11
> rlm_perl: Added pair Service-Type = Framed-User
> rlm_perl: Added pair Tunnel-Type = VLAN
> rlm_perl: Added pair State = 0x5b4a8e485341972bae816e794759d3ea
> rlm_perl: Added pair Called-Station-Id = 00-21-55-4d-c4-40:CNS-Test
> rlm_perl: Added pair Message-Authenticator = 
> 0xc234d7f3f04c9d023687fd78e4d5c9da
> rlm_perl: Added pair Airespace-Wlan-Id = 17
> rlm_perl: Added pair Stripped-User-Domain = HOKIES
> rlm_perl: Added pair NAS-IP-Address = 198.82.171.153
> rlm_perl: Added pair Tunnel-Private-Group-Id = 1381
> rlm_perl: Added pair Tunnel-Medium-Type = IEEE-802
> rlm_perl: Added pair Calling-Station-Id = 00-1d-e0-90-5f-db
> rlm_perl: Added pair User-Name = HOKIES\\dawson
> rlm_perl: Added pair NAS-Identifier = cas-6509-3.wsm8b
> rlm_perl: Added pair EAP-Message = 
> 0x020b005f19001703010054bdd79574acfa8744908880dfa66a9e861f5fff5d2b3b7e387679b867704afa60476df6cc1ac0f30d92a4dc753cebb4bc4e71f4e0bc4db75534ab2403ec993619f05ad02497597deaa193debe78641e14b4718e84
> rlm_perl: Added pair Stripped-User-Name = dawson
> rlm_perl: Added pair NAS-Port = 29
> rlm_perl: Added pair Framed-MTU = 1300
> (75)   [perl] = noop
> (75)   ? if ("%{Stripped-User-Domain}" != "HOKIES")
> (75)  expand: %{Stripped-User-Domain} -> HOKIES
> (75) ? Evaluating ("%{Stripped-User-Domain}" != "HOKIES") -> FALSE
> (75)   ? if ("%{Stripped-User-Domain}" != "HOKIES") -> FALSE
> (75) eap : EAP packet type response id 11 length 95
> (75) eap : Continuing tunnel setup.
> (75)   [eap] = ok
> (75) Found Auth-Type = ?
> (75) # Executing group from file 
> /usr/local/freeradius-2.1.11/etc/raddb/sites-enabled/default
> (75)   group authenticate {
> (75)  - entering group authenticate {...}
> (75) eap : Request found, released from the list
> (75) eap : EAP/peap
> (75) eap : processing type peap
> (75) peap : processing EAP-TLS
> (75) peap : eaptls_verify returned 7 
> (75) peap : Done initial handshake
> (75) peap : eaptls_process returned 7 
> (75) peap : FR_TLS_OK
> (75) peap : Session established.  Decoding tunneled attributes.
> (75) peap : Peap state phase2
> (75) peap : EAP type mschapv2
> (75) peap : Got tunneled request
>       EAP-Message = 
> 0x020b00481a020b004331bf4d439d3028cbdba8fff532c04f1cf60000000000000000bee44f94acbe708a682535adc0505e56a87462580576d06600484f4b4945535c646177736f6e
> server  {
> (75) peap : Setting User-Name to HOKIES\dawson
> Sending tunneled request
>       EAP-Message = 
> 0x020b00481a020b004331bf4d439d3028cbdba8fff532c04f1cf60000000000000000bee44f94acbe708a682535adc0505e56a87462580576d06600484f4b4945535c646177736f6e
>       FreeRADIUS-Proxied-To = 127.0.0.1
>       User-Name = "HOKIES\\dawson"
>       State = 0x21ebcfee21e0d5ab22fbf5cfb29bfd25
>       NAS-Port-Type = Wireless-802.11
>       Service-Type = Framed-User
>       Tunnel-Type:0 = VLAN
>       Called-Station-Id = "00-21-55-4d-c4-40:CNS-Test"
>       NAS-IP-Address = 198.82.171.153
>       Tunnel-Private-Group-Id:0 = "1381"
>       Tunnel-Medium-Type:0 = IEEE-802
>       Calling-Station-Id = "00-1d-e0-90-5f-db"
>       NAS-Identifier = "cas-6509-3.wsm8b"
>       NAS-Port = 29
>       Framed-MTU = 1300
> server proxy-inner-tunnel {
> (75) # Executing section authorize from file 
> /usr/local/freeradius-2.1.11/etc/raddb/sites-enabled/proxy-inner-tunnel
> (75)   group authorize {
> (75)  - entering group authorize {...}
> (75)   ? if ("%{User-Name}" =~ /^(host\/.*)$/)
> (75)  expand: %{User-Name} -> HOKIES\dawson
> (75) ? Evaluating ("%{User-Name}" =~ /^(host\/.*)$/) -> FALSE
> (75)   ? if ("%{User-Name}" =~ /^(host\/.*)$/) -> FALSE
> (75)    else else {
> (75)   - entering else else {...}
> (75)    update control {
> (75)    } # update control = notfound
> (75)   - else else returns notfound
> } # server proxy-inner-tunnel
> (75) peap : Got tunneled reply code 0
>  PEAP: Calling authenticate in order to initiate tunneled EAP session.
> (75) # Executing group from file 
> /usr/local/freeradius-2.1.11/etc/raddb/sites-enabled/proxy-inner-tunnel
> (75)   group authenticate {
> (75)  - entering group authenticate {...}
> (75) eap : Request found, released from the list
> (75) eap : EAP/mschapv2
> (75) eap : processing type mschapv2
> rlm_eap_mschapv2: cancelling authentication and letting it be proxied
> (75) eap :   Not-EAP proxy set.  Not composing EAP
> (75)   [eap] = handled
>  PEAP: Tunneled authentication will be proxied to DomainUser
>  PEAP: Remembering to do EAP-MS-CHAP-V2 post-proxy.
> (75) eap :   Tunneled session will be proxied.  Not doing EAP.
> (75)   [eap] = handled
> (75)   WARNING: Empty pre-proxy section.  Using default return values.
> Sending Access-Request of id 161 to 198.82.160.219 port 1812
>       User-Name = "HOKIES\\dawson"
>       NAS-Port-Type = Wireless-802.11
>       Service-Type = Framed-User
>       Tunnel-Type:0 = VLAN
>       Called-Station-Id = "00-21-55-4d-c4-40:CNS-Test"
>       NAS-IP-Address = 198.82.171.153
>       Tunnel-Private-Group-Id:0 = "1381"
>       Tunnel-Medium-Type:0 = IEEE-802
>       Calling-Station-Id = "00-1d-e0-90-5f-db"
>       NAS-Identifier = "cas-6509-3.wsm8b"
>       NAS-Port = 29
>       Framed-MTU = 1300
>       MS-CHAP-Challenge = 0xd3827513a357a99d4eb9a5c87a716418
>       MS-CHAP2-Response = 
> 0x0b4fbf4d439d3028cbdba8fff532c04f1cf60000000000000000bee44f94acbe708a682535adc0505e56a87462580576d066
>       Proxy-State = 0x313338
> (75) Proxying request to home server 198.82.160.219 port 1812
> Sending Access-Request of id 161 to 198.82.160.219 port 1812
>       User-Name = "HOKIES\\dawson"
>       NAS-Port-Type = Wireless-802.11
>       Service-Type = Framed-User
>       Tunnel-Type:0 = VLAN
>       Called-Station-Id = "00-21-55-4d-c4-40:CNS-Test"
>       NAS-IP-Address = 198.82.171.153
>       Tunnel-Private-Group-Id:0 = "1381"
>       Tunnel-Medium-Type:0 = IEEE-802
>       Calling-Station-Id = "00-1d-e0-90-5f-db"
>       NAS-Identifier = "cas-6509-3.wsm8b"
>       NAS-Port = 29
>       Framed-MTU = 1300
>       MS-CHAP-Challenge = 0xd3827513a357a99d4eb9a5c87a716418
>       MS-CHAP2-Response = 
> 0x0b4fbf4d439d3028cbdba8fff532c04f1cf60000000000000000bee44f94acbe708a682535adc0505e56a87462580576d066
>       Proxy-State = 0x313338
> Waking up in 0.2 seconds.
> rad_recv: Access-Accept packet from host 198.82.160.219 port 1812, id=161, 
> length=219
> DEBUG: Compare b472204 to calculated digest f796ca40, secret temporaryS3CR3T
>       Proxy-State = 0x313338
>       Framed-Protocol = PPP
>       Service-Type = Framed-User
>       Class = 0x6538078a000001370001c652a0db01cc5476fe414ece0000000000004586
>       MS-MPPE-Recv-Key = 0x7208bb9a9555b125d123303ac3db12a1
>       MS-MPPE-Send-Key = 0x0cd6218a695a558ade111bcd7b05cfc2
>       MS-CHAP2-Success = 
> 0x0b533d32434230433038364541464632333233453842414534314643443231333130453939354641454134
>       MS-CHAP-Domain = "\013HOKIES"
> (75) # Executing section post-proxy from file 
> /usr/local/freeradius-2.1.11/etc/raddb/sites-enabled/default
> (75)   group post-proxy {
> (75)  - entering group post-proxy {...}
> (75) eap : Doing post-proxy callback
> (75) eap : Passing reply from proxy back into the tunnel.
> server proxy-inner-tunnel {
> (75) eap : Passing reply back for EAP-MS-CHAP-V2
> (75) # Executing section post-proxy from file 
> /usr/local/freeradius-2.1.11/etc/raddb/sites-enabled/proxy-inner-tunnel
> (75)   group post-proxy {
> (75)  - entering group post-proxy {...}
> (75)   [eap] = noop
> (75)   WARNING: Empty post-auth section.  Using default return values.
> } # server proxy-inner-tunnel
> (75) eap : Final reply from tunneled session code 2
>       Proxy-State = 0x313338
>       Framed-Protocol = PPP
>       Service-Type = Framed-User
>       Class = 0x6538078a000001370001c652a0db01cc5476fe414ece0000000000004586
>       MS-MPPE-Recv-Key = 0x7208bb9a9555b125d123303ac3db12a1
>       MS-MPPE-Send-Key = 0x0cd6218a695a558ade111bcd7b05cfc2
>       MS-CHAP2-Success = 
> 0x0b533d32434230433038364541464632333233453842414534314643443231333130453939354641454134
>       MS-CHAP-Domain = "\013HOKIES"
> (75) eap : Got reply 2
> (75) eap : Got tunneled reply RADIUS code 2
>       Proxy-State = 0x313338
>       Framed-Protocol = PPP
>       Service-Type = Framed-User
>       Class = 0x6538078a000001370001c652a0db01cc5476fe414ece0000000000004586
>       MS-MPPE-Recv-Key = 0x7208bb9a9555b125d123303ac3db12a1
>       MS-MPPE-Send-Key = 0x0cd6218a695a558ade111bcd7b05cfc2
>       MS-CHAP2-Success = 
> 0x0b533d32434230433038364541464632333233453842414534314643443231333130453939354641454134
>       MS-CHAP-Domain = "\013HOKIES"
> (75) eap : Tunneled authentication was successful.
> (75) eap : SUCCESS
> (75) eap : Reply was handled
> (75)   [eap] = ok
> (75) Found Auth-Type = ?
> (75) Found Auth-Type = ?
> (75) Warning:  Found 2 auth-types on request for user 'HOKIES\dawson'
> (75) Auth-Type = Accept, accepting the user
> (75) Login OK: [HOKIES\\dawson] (from client 198.82.171.153 port 29 cli 
> 00-1d-e0-90-5f-db)
> (75) # Executing section post-auth from file 
> /usr/local/freeradius-2.1.11/etc/raddb/sites-enabled/default
> (75)   group post-auth {
> (75)  - entering group post-auth {...}
> (75)   [exec] = noop
> Sending Access-Challenge of id 138 to 198.82.171.153 port 32768
>       EAP-Message = 
> 0x010c00261900170301001b0167b434a0313cb3f29b20e1f731efe3d173083c964cda1451135a
>       Message-Authenticator = 0x00000000000000000000000000000000
>       State = 0x5b4a8e485246972bae816e794759d3ea
> (75) Finished request 75.
> Waking up in 0.2 seconds.
> rad_recv: Access-Request packet from host 198.82.171.153 port 32768, id=139, 
> length=236
>       User-Name = "HOKIES\\dawson"
>       Calling-Station-Id = "00-1d-e0-90-5f-db"
>       Called-Station-Id = "00-21-55-4d-c4-40:CNS-Test"
>       NAS-Port = 29
>       NAS-IP-Address = 198.82.171.153
>       NAS-Identifier = "cas-6509-3.wsm8b"
>       Airespace-Wlan-Id = 17
>       Service-Type = Framed-User
>       Framed-MTU = 1300
>       NAS-Port-Type = Wireless-802.11
>       Tunnel-Type:0 = VLAN
>       Tunnel-Medium-Type:0 = IEEE-802
>       Tunnel-Private-Group-Id:0 = "1381"
>       EAP-Message = 
> 0x020c00261900170301001b00dae368dd150e9d42e0c8888cb128e6ecc520b887a849a8a1d743
>       State = 0x5b4a8e485246972bae816e794759d3ea
>       Message-Authenticator = 0x26b42d72271f1819599977a28920622f
> (76) # Executing section authorize from file 
> /usr/local/freeradius-2.1.11/etc/raddb/sites-enabled/default
> (76)   group authorize {
> (76)  - entering group authorize {...}
> (76)    policy split_username_prefix {
> (76)   - entering policy split_username_prefix {...}
> (76)    ? if (request:User-Name =~ /^([a-z]+)[\\\/]+([-a-z0-9_.]+)$/i)
> (76) ? Evaluating (request:User-Name =~ /^([a-z]+)[\\\/]+([-a-z0-9_.]+)$/i) 
> -> TRUE
> (76)    ? if (request:User-Name =~ /^([a-z]+)[\\\/]+([-a-z0-9_.]+)$/i) -> TRUE
> (76)     if (request:User-Name =~ /^([a-z]+)[\\\/]+([-a-z0-9_.]+)$/i) {
> (76)    - entering if (request:User-Name =~ 
> /^([a-z]+)[\\\/]+([-a-z0-9_.]+)$/i) {...}
> (76)     update request {
> (76)  expand: %{2} -> dawson
> (76)  expand: %{1} -> HOKIES
> (76)     } # update request = notfound
> (76)     [updated] = updated
> (76)    - if (request:User-Name =~ /^([a-z]+)[\\\/]+([-a-z0-9_.]+)$/i) 
> returns updated
> (76)     ... skipping else for request 76: Preceding "if" was taken
> (76)   - policy split_username_prefix returns updated
> (76)    policy split_username_suffix {
> (76)   - entering policy split_username_suffix {...}
> (76)    ? if (request:User-Name =~ 
> /^([^@]*)@([-[:alnum:]]+\.[-[:alnum:].]+)$/i)
> (76) ? Evaluating (request:User-Name =~ 
> /^([^@]*)@([-[:alnum:]]+\.[-[:alnum:].]+)$/i) -> FALSE
> (76)    ? if (request:User-Name =~ 
> /^([^@]*)@([-[:alnum:]]+\.[-[:alnum:].]+)$/i) -> FALSE
> (76)     else else {
> (76)    - entering else else {...}
> (76)     [noop] = noop
> (76)    - else else returns noop
> (76)   - policy split_username_suffix returns noop
> (76)   [preprocess] = ok
> (76) auth_log :       expand: 
> /usr/local/freeradius-2.1.11/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
>  -> 
> /usr/local/freeradius-2.1.11/var/log/radius/radacct/198.82.171.153/auth-detail-20110823
> (76) auth_log : 
> /usr/local/freeradius-2.1.11/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
>  expands to 
> /usr/local/freeradius-2.1.11/var/log/radius/radacct/198.82.171.153/auth-detail-20110823
> (76) auth_log :       expand: %t -> Tue Aug 23 10:40:16 2011
> (76)   [auth_log] = ok
> rlm_perl: Added pair NAS-Port-Type = Wireless-802.11
> rlm_perl: Added pair Service-Type = Framed-User
> rlm_perl: Added pair Tunnel-Type = VLAN
> rlm_perl: Added pair State = 0x5b4a8e485246972bae816e794759d3ea
> rlm_perl: Added pair Called-Station-Id = 00-21-55-4d-c4-40:CNS-Test
> rlm_perl: Added pair Message-Authenticator = 
> 0x26b42d72271f1819599977a28920622f
> rlm_perl: Added pair Airespace-Wlan-Id = 17
> rlm_perl: Added pair Stripped-User-Domain = HOKIES
> rlm_perl: Added pair NAS-IP-Address = 198.82.171.153
> rlm_perl: Added pair Tunnel-Private-Group-Id = 1381
> rlm_perl: Added pair Tunnel-Medium-Type = IEEE-802
> rlm_perl: Added pair Calling-Station-Id = 00-1d-e0-90-5f-db
> rlm_perl: Added pair User-Name = HOKIES\\dawson
> rlm_perl: Added pair NAS-Identifier = cas-6509-3.wsm8b
> rlm_perl: Added pair EAP-Message = 
> 0x020c00261900170301001b00dae368dd150e9d42e0c8888cb128e6ecc520b887a849a8a1d743
> rlm_perl: Added pair Stripped-User-Name = dawson
> rlm_perl: Added pair NAS-Port = 29
> rlm_perl: Added pair Framed-MTU = 1300
> (76)   [perl] = noop
> (76)   ? if ("%{Stripped-User-Domain}" != "HOKIES")
> (76)  expand: %{Stripped-User-Domain} -> HOKIES
> (76) ? Evaluating ("%{Stripped-User-Domain}" != "HOKIES") -> FALSE
> (76)   ? if ("%{Stripped-User-Domain}" != "HOKIES") -> FALSE
> (76) eap : EAP packet type response id 12 length 38
> (76) eap : Continuing tunnel setup.
> (76)   [eap] = ok
> (76) Found Auth-Type = ?
> (76) # Executing group from file 
> /usr/local/freeradius-2.1.11/etc/raddb/sites-enabled/default
> (76)   group authenticate {
> (76)  - entering group authenticate {...}
> (76) eap : Request found, released from the list
> (76) eap : EAP/peap
> (76) eap : processing type peap
> (76) peap : processing EAP-TLS
> (76) peap : eaptls_verify returned 7 
> (76) peap : Done initial handshake
> (76) peap : eaptls_process returned 7 
> (76) peap : FR_TLS_OK
> (76) peap : Session established.  Decoding tunneled attributes.
> (76) peap : Peap state send tlv success
> (76) peap : Received EAP-TLV response.
> (76) peap : Client rejected our response.  The password is probably incorrect.
> (76) peap : We sent a success, but received something weird in return.
> (76) eap : Handler failed in EAP/peap
> (76) eap : Failed in EAP select
> (76)   [eap] = invalid
> (76) Failed to authenticate the user.
> (76) Login incorrect: [HOKIES\\dawson] (from client 198.82.171.153 port 29 
> cli 00-1d-e0-90-5f-db)
> (76) Using Post-Auth-Type Reject
> (76) # Executing group from file 
> /usr/local/freeradius-2.1.11/etc/raddb/sites-enabled/default
> (76)   group REJECT {
> (76)  - entering group REJECT {...}
> (76) attr_filter.access_reject :      expand: %{User-Name} -> HOKIES\dawson
> attr_filter: Matched entry DEFAULT at line 11
> (76)   [attr_filter.access_reject] = updated
> (76) Finished request 76.
> Waking up in 0.2 seconds.
> Waking up in 0.6 seconds.
> (76) Sending delayed reject
> Sending Access-Reject of id 139 to 198.82.171.153 port 32768
>       EAP-Message = 0x040c0004
>       Message-Authenticator = 0x00000000000000000000000000000000
> 
> -----
> 
> Production Success:
> Waking up in 4.9 seconds.
>       User-Name = "HOKIES\\dawson"
>       Calling-Station-Id = "00-1d-e0-90-5f-db"
>       Called-Station-Id = "00-21-55-4d-c4-40:CNS-Test"
>       NAS-Port = 29
>       NAS-IP-Address = 198.82.171.153
>       NAS-Identifier = "cas-6509-3.wsm8b"
>       Airespace-Wlan-Id = 17
>       Service-Type = Framed-User
>       Framed-MTU = 1300
>       NAS-Port-Type = Wireless-802.11
>       Tunnel-Type:0 = VLAN
>       Tunnel-Medium-Type:0 = IEEE-802
>       Tunnel-Private-Group-Id:0 = "1381"
>       EAP-Message = 
> 0x020a005f1900170301005499a000fc4d08b0c067d3251047d61b836767466160c386b38d37d4b6c39b07ce3b09c85590c8a923419e6f0ae464ac472050214b71b4d641e06f8a439348319233d622cd7900f8f172726407b0010bcb54c6a1d6
>       State = 0x764462057e4e7bc59f1c525ed4400d40
>       Message-Authenticator = 0xd9566738adb17439ce7d7568c8bc8264
> +- entering group authorize
> ++[mschap] returns noop
>  rlm_eap: EAP packet type response id 10 length 95
>  rlm_eap: Continuing tunnel setup.
> ++[eap] returns ok
>  rad_check_password:  Found Auth-Type EAP
> auth: type "EAP"
> +- entering group EAP
>  rlm_eap: Request found, released from the list
>  rlm_eap: EAP/peap
>  rlm_eap: processing type peap
>  rlm_eap_peap: Authenticate
>  rlm_eap_tls: processing TLS
>  eaptls_verify returned 7 
>  rlm_eap_tls: Done initial handshake
>  eaptls_process returned 7 
>  rlm_eap_peap: EAPTLS_OK
>  rlm_eap_peap: Session established.  Decoding tunneled attributes.
>  rlm_eap_peap: EAP type mschapv2
>  PEAP: Setting User-Name to HOKIES\dawson
> +- entering group authorize
> ++? if ("%{User-Name}" =~ /^(host\/.*)$/)
>       expand: %{User-Name} -> HOKIES\dawson
> ? Evaluating ("%{User-Name}" =~ /^(host\/.*)$/) -> FALSE
> ++? if ("%{User-Name}" =~ /^(host\/.*)$/) -> FALSE
> ++- entering else else
> +++[control] returns notfound
> ++- else else returns notfound
>  PEAP: Calling authenticate in order to initiate tunneled EAP session.
> +- entering group authenticate
>  rlm_eap: Request found, released from the list
>  rlm_eap: EAP/mschapv2
>  rlm_eap: processing type mschapv2
>  Not-EAP proxy set.  Not composing EAP
> ++[eap] returns handled
>  PEAP: Tunneled authentication will be proxied to openradius
>  PEAP: Remembering to do EAP-MS-CHAP-V2 post-proxy.
>  Tunneled session will be proxied.  Not doing EAP.
> ++[eap] returns handled
> +- entering group pre-proxy
>    preproxy_users: Matched entry DEFAULT at line 1
> ++[files] returns ok
>       User-Name = "HOKIES\\dawson"
>       Calling-Station-Id = "00-1d-e0-90-5f-db"
>       Called-Station-Id = "00-21-55-4d-c4-40:CNS-Test"
>       NAS-Port = 29
>       NAS-IP-Address := 198.82.247.103
>       NAS-Identifier = "cas-6509-3.wsm8b"
>       Airespace-Wlan-Id = 17
>       Service-Type := Framed-User
>       Framed-MTU = 1300
>       NAS-Port-Type := Wireless-802.11
>       Tunnel-Type:0 = VLAN
>       Tunnel-Medium-Type:0 = IEEE-802
>       Tunnel-Private-Group-Id:0 = "1381"
>       MS-CHAP-Challenge = 0x20760eb105e545d6a131f324c1d30464
>       MS-CHAP2-Response = 
> 0x0a4f84e590f059f31dc3ca5b621b238582190000000000000000385984c78f91f816edb8f1b279838a0a890bdd6573bac9f7
>       Proxy-State = 0x323433
> Proxying request 9 to home server 198.82.247.67 port 1812
>       User-Name = "HOKIES\\dawson"
>       Calling-Station-Id = "00-1d-e0-90-5f-db"
>       Called-Station-Id = "00-21-55-4d-c4-40:CNS-Test"
>       NAS-Port = 29
>       NAS-IP-Address := 198.82.247.103
>       NAS-Identifier = "cas-6509-3.wsm8b"
>       Airespace-Wlan-Id = 17
>       Service-Type := Framed-User
>       Framed-MTU = 1300
>       NAS-Port-Type := Wireless-802.11
>       Tunnel-Type:0 = VLAN
>       Tunnel-Medium-Type:0 = IEEE-802
>       Tunnel-Private-Group-Id:0 = "1381"
>       MS-CHAP-Challenge = 0x20760eb105e545d6a131f324c1d30464
>       MS-CHAP2-Response = 
> 0x0a4f84e590f059f31dc3ca5b621b238582190000000000000000385984c78f91f816edb8f1b279838a0a890bdd6573bac9f7
>       Proxy-State = 0x323433
> Going to the next request
> Waking up in 0.9 seconds.
>       Framed-Protocol = PPP
>       Service-Type = Framed-User
>       MS-MPPE-Recv-Key = 0xe32365fe45921738025084f44fd7822a
>       MS-MPPE-Send-Key = 0xf65c13fbcd70a80768ea868ec27085ff
>       MS-CHAP2-Success = 
> 0x0a533d46333146313034313438374339373131303542344546363341364339333146344135424141383434
>       MS-CHAP-Domain = "\nHOKIES"
> +- entering group post-proxy
>  rlm_eap: Doing post-proxy callback
>  PEAP: Passing reply from proxy back into the tunnel.
>  PEAP: Passing reply back for EAP-MS-CHAP-V2
> +- entering group post-proxy
>  rlm_eap: Doing post-proxy callback
>  rlm_eap_mschapv2: Passing reply from proxy back into the tunnel 0x1cd469a0 2.
>  rlm_eap_mschapv2: Authentication succeeded.
> MSCHAP Success 
> ++[eap] returns ok
> PEAP: Got reply 11
>  PEAP: Got tunneled Access-Challenge
>  PEAP: Reply was handled
> ++[eap] returns ok
>       EAP-Message = 
> 0x010b004a1900170301003f084cf62c48fb9b9e951aa3801c9a88bbe2078c7a667df320929296299bdff2863bf8572a744dac5d9409953cda9855feca24aa24b8205677fbf3f7e3767f36
>       Message-Authenticator = 0x00000000000000000000000000000000
>       State = 0x764462057f4f7bc59f1c525ed4400d40
> Finished request 9.
> Going to the next request
> Waking up in 4.9 seconds.
>       User-Name = "HOKIES\\dawson"
>       Calling-Station-Id = "00-1d-e0-90-5f-db"
>       Called-Station-Id = "00-21-55-4d-c4-40:CNS-Test"
>       NAS-Port = 29
>       NAS-IP-Address = 198.82.171.153
>       NAS-Identifier = "cas-6509-3.wsm8b"
>       Airespace-Wlan-Id = 17
>       Service-Type = Framed-User
>       Framed-MTU = 1300
>       NAS-Port-Type = Wireless-802.11
>       Tunnel-Type:0 = VLAN
>       Tunnel-Medium-Type:0 = IEEE-802
>       Tunnel-Private-Group-Id:0 = "1381"
>       EAP-Message = 
> 0x020b001d19001703010012091d2f1089b72dd14c76daf331c2dc4de167
>       State = 0x764462057f4f7bc59f1c525ed4400d40
>       Message-Authenticator = 0xee39bc3d804727c33f69fc7d8172d2bf
> +- entering group authorize
> ++[mschap] returns noop
>  rlm_eap: EAP packet type response id 11 length 29
>  rlm_eap: Continuing tunnel setup.
> ++[eap] returns ok
>  rad_check_password:  Found Auth-Type EAP
> auth: type "EAP"
> +- entering group EAP
>  rlm_eap: Request found, released from the list
>  rlm_eap: EAP/peap
>  rlm_eap: processing type peap
>  rlm_eap_peap: Authenticate
>  rlm_eap_tls: processing TLS
>  eaptls_verify returned 7 
>  rlm_eap_tls: Done initial handshake
>  eaptls_process returned 7 
>  rlm_eap_peap: EAPTLS_OK
>  rlm_eap_peap: Session established.  Decoding tunneled attributes.
>  rlm_eap_peap: EAP type mschapv2
>  PEAP: Setting User-Name to HOKIES\dawson
> +- entering group authorize
> ++? if ("%{User-Name}" =~ /^(host\/.*)$/)
>       expand: %{User-Name} -> HOKIES\dawson
> ? Evaluating ("%{User-Name}" =~ /^(host\/.*)$/) -> FALSE
> ++? if ("%{User-Name}" =~ /^(host\/.*)$/) -> FALSE
> ++- entering else else
> +++[control] returns notfound
> ++- else else returns notfound
>  PEAP: Calling authenticate in order to initiate tunneled EAP session.
> +- entering group authenticate
>  rlm_eap: Request found, released from the list
>  rlm_eap: EAP/mschapv2
>  rlm_eap: processing type mschapv2
>  rlm_eap: Freeing handler
> ++[eap] returns ok
>  PEAP: Tunneled authentication was successful.
>  rlm_eap_peap: SUCCESS
> ++[eap] returns handled
>       EAP-Message = 
> 0x010c00261900170301001badffc5c8196273037ffc5ae8b421cb5a11d4cdbf3d67e521a2dd10
>       Message-Authenticator = 0x00000000000000000000000000000000
>       State = 0x764462057c487bc59f1c525ed4400d40
> Finished request 10.
> Going to the next request
> Waking up in 4.9 seconds.
>       User-Name = "HOKIES\\dawson"
>       Calling-Station-Id = "00-1d-e0-90-5f-db"
>       Called-Station-Id = "00-21-55-4d-c4-40:CNS-Test"
>       NAS-Port = 29
>       NAS-IP-Address = 198.82.171.153
>       NAS-Identifier = "cas-6509-3.wsm8b"
>       Airespace-Wlan-Id = 17
>       Service-Type = Framed-User
>       Framed-MTU = 1300
>       NAS-Port-Type = Wireless-802.11
>       Tunnel-Type:0 = VLAN
>       Tunnel-Medium-Type:0 = IEEE-802
>       Tunnel-Private-Group-Id:0 = "1381"
>       EAP-Message = 
> 0x020c00261900170301001be252b19386182f2a3d9b6255f0b51007da074f90f732568c1dfbb8
>       State = 0x764462057c487bc59f1c525ed4400d40
>       Message-Authenticator = 0xc04ab29e63cd60e30bfd3fed2ba3be09
> +- entering group authorize
> ++[mschap] returns noop
>  rlm_eap: EAP packet type response id 12 length 38
>  rlm_eap: Continuing tunnel setup.
> ++[eap] returns ok
>  rad_check_password:  Found Auth-Type EAP
> auth: type "EAP"
> +- entering group EAP
>  rlm_eap: Request found, released from the list
>  rlm_eap: EAP/peap
>  rlm_eap: processing type peap
>  rlm_eap_peap: Authenticate
>  rlm_eap_tls: processing TLS
>  eaptls_verify returned 7 
>  rlm_eap_tls: Done initial handshake
>  eaptls_process returned 7 
>  rlm_eap_peap: EAPTLS_OK
>  rlm_eap_peap: Session established.  Decoding tunneled attributes.
>  rlm_eap_peap: Received EAP-TLV response.
>  rlm_eap_peap: Success
>  rlm_eap: Freeing handler
> ++[eap] returns ok
> perl_pool: item 0x17a6e7a0 asigned new request. Handled so far: 1
> found interpetator at address 0x17a6e7a0
> rlm_perl: no serial number; assuming non-TLS authentication
> rlm_perl: Added pair NAS-Port-Type = Wireless-802.11
> rlm_perl: Added pair Service-Type = Framed-User
> rlm_perl: Added pair Tunnel-Type = VLAN
> rlm_perl: Added pair State = 0x764462057c487bc59f1c525ed4400d40
> rlm_perl: Added pair Called-Station-Id = 00-21-55-4d-c4-40:CNS-Test
> rlm_perl: Added pair Message-Authenticator = 
> 0xc04ab29e63cd60e30bfd3fed2ba3be09
> rlm_perl: Added pair Airespace-Wlan-Id = 17
> rlm_perl: Added pair EAP-Type = PEAP
> rlm_perl: Added pair NAS-IP-Address = 198.82.171.153
> rlm_perl: Added pair Tunnel-Private-Group-Id = 1381
> rlm_perl: Added pair Tunnel-Medium-Type = IEEE-802
> rlm_perl: Added pair Calling-Station-Id = 00-1d-e0-90-5f-db
> rlm_perl: Added pair User-Name = HOKIES\\dawson
> rlm_perl: Added pair NAS-Identifier = cas-6509-3.wsm8b
> rlm_perl: Added pair EAP-Message = 
> 0x020c00261900170301001be252b19386182f2a3d9b6255f0b51007da074f90f732568c1dfbb8
> rlm_perl: Added pair NAS-Port = 29
> rlm_perl: Added pair Framed-MTU = 1300
> rlm_perl: Added pair User-Name = HOKIES\\dawson
> rlm_perl: Added pair MS-MPPE-Recv-Key = 
> 0x4e3e827b7fb173dbe293fadd607586b838cd55ae5261090fd483569509a070de
> rlm_perl: Added pair EAP-Message = 0x030c0004
> rlm_perl: Added pair MS-MPPE-Send-Key = 
> 0xb43ef9e36d44d66d205184ee8ca81f0f14e3a52cd254bd27268c7c99f58a18b0
> rlm_perl: Added pair Message-Authenticator = 
> 0x00000000000000000000000000000000
> rlm_perl: Added pair Auth-Type = EAP
> perl_pool total/active/spare [32/0/32]
> Unreserve perl at address 0x17a6e7a0
> ++[perl] returns ok
> Login OK: [HOKIES\\\\dawson/<via Auth-Type = EAP>] (from client 
> cas-6509-3.wsm8b port 29 cli 00-1d-e0-90-5f-db)
>       User-Name = "HOKIES\\\\dawson"
>       MS-MPPE-Recv-Key = 
> 0x4e3e827b7fb173dbe293fadd607586b838cd55ae5261090fd483569509a070de
>       EAP-Message = 0x030c0004
>       MS-MPPE-Send-Key = 
> 0xb43ef9e36d44d66d205184ee8ca81f0f14e3a52cd254bd27268c7c99f58a18b0
>       Message-Authenticator = 0x00000000000000000000000000000000
> Finished request 11.
> Going to the next request
> Waking up in 4.9 seconds.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
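To see what the Windows supplicant is asked to verify inside the tunnel, the inner MS-CHAPv2 messages from the pre-production debug quoted above can be decoded field by field. This is an added example, not code from the post or from FreeRADIUS; the field layouts come from RFC 2548 and the EAP-MSCHAPv2 draft, and because recomputing the "S=" authenticator response needs the user's NT hash, the block performs only the structural checks (Ident match, digest length, proxied Response identical to the tunneled one).

```python
"""Decode the inner MS-CHAPv2 exchange shown in a FreeRADIUS debug log.

Added example, not code from the post or from FreeRADIUS.  Layouts follow
RFC 2548 (MS-CHAP2-Response, MS-CHAP2-Success) and the EAP-MSCHAPv2 draft
(EAP type 26).  Recomputing the "S=" authenticator response needs the user's
NT hash, so only the structural checks a supplicant makes are done here.
"""
import re

EAP_CODE_RESPONSE = 2
EAP_TYPE_MSCHAPV2 = 26
MSCHAPV2_OPCODE_RESPONSE = 2

# Values copied from the "Pre-production failure" debug output in the post.
PREPROD_EAP_MESSAGE = bytes.fromhex(
    "020b00481a020b004331bf4d439d3028cbdba8fff532c04f1cf6"
    "0000000000000000bee44f94acbe708a682535adc0505e56a874"
    "62580576d06600484f4b4945535c646177736f6e"
)
PREPROD_MSCHAP2_RESPONSE = bytes.fromhex(
    "0b4fbf4d439d3028cbdba8fff532c04f1cf60000000000000000"
    "bee44f94acbe708a682535adc0505e56a87462580576d066"
)
PREPROD_MSCHAP2_SUCCESS = bytes.fromhex(
    "0b533d32434230433038364541464632333233453842414534"
    "314643443231333130453939354641454134"
)


def parse_eap_mschapv2_response(eap: bytes) -> dict:
    """EAP-MSCHAPv2 Response: EAP header(4) Type(1)=26 OpCode(1)=2 MS-Id(1)
    MS-Length(2) Value-Size(1)=49 [Peer-Challenge(16) Reserved(8)
    NT-Response(24) Flags(1)] Name(rest)."""
    code, eap_id, length = eap[0], eap[1], int.from_bytes(eap[2:4], "big")
    if code != EAP_CODE_RESPONSE or length != len(eap):
        raise ValueError("not a well-formed EAP Response")
    if eap[4] != EAP_TYPE_MSCHAPV2 or eap[5] != MSCHAPV2_OPCODE_RESPONSE:
        raise ValueError("not an EAP-MSCHAPv2 Response")
    ms_id, ms_len, value_size = eap[6], int.from_bytes(eap[7:9], "big"), eap[9]
    if ms_len != length - 5 or value_size != 49:
        raise ValueError("bad MS-Length or Value-Size")
    value = eap[10:59]
    return {"eap_id": eap_id, "ms_id": ms_id, "flags": value[48],
            "peer_challenge": value[0:16], "reserved": value[16:24],
            "nt_response": value[24:48], "name": eap[59:].decode("latin-1")}


def parse_mschap2_response(attr: bytes) -> dict:
    """RADIUS MS-CHAP2-Response value: Ident(1) Flags(1) Peer-Challenge(16)
    Reserved(8) NT-Response(24), 50 bytes in all."""
    if len(attr) != 50:
        raise ValueError(f"MS-CHAP2-Response must be 50 bytes, got {len(attr)}")
    return {"ident": attr[0], "flags": attr[1], "peer_challenge": attr[2:18],
            "reserved": attr[18:26], "nt_response": attr[26:50]}


def parse_mschap2_success(attr: bytes) -> dict:
    """RADIUS MS-CHAP2-Success value: Ident(1) then "S=<40 hex digits>",
    which some servers follow with " M=<message>"."""
    if len(attr) < 43:
        raise ValueError(f"MS-CHAP2-Success too short: {len(attr)} bytes")
    match = re.fullmatch(r"S=([0-9A-F]{40})(?: M=.*)?", attr[1:].decode("ascii"))
    if not match:
        raise ValueError(f"unexpected authenticator response string {attr[1:]!r}")
    return {"ident": attr[0], "auth_response": match.group(0)[:42],
            "digest": bytes.fromhex(match.group(1))}


def radius_matches_eap(eap_resp: dict, radius_resp: dict) -> bool:
    """The proxied MS-CHAP2-Response must carry exactly what the supplicant
    sent inside the tunnel, or the home server authenticates something else."""
    return (eap_resp["ms_id"] == radius_resp["ident"]
            and eap_resp["peer_challenge"] == radius_resp["peer_challenge"]
            and eap_resp["nt_response"] == radius_resp["nt_response"])


def success_problems(response: dict, success: dict) -> list:
    """Structural reasons a supplicant would refuse this Success (RFC 2759
    section 4); an empty list means only the digest itself is left to check."""
    problems = []
    if success["ident"] != response["ident"]:
        problems.append(f"Ident mismatch: Response {response['ident']}, "
                        f"Success {success['ident']}")
    if len(success["digest"]) != 20:
        problems.append("authenticator response is not a 20-byte SHA-1 digest")
    if response["reserved"] != bytes(8):
        problems.append("Reserved field of the Response is not all zero")
    return problems


def decode_preprod() -> dict:
    """Run the decoders over the values posted for the failing exchange."""
    eap = parse_eap_mschapv2_response(PREPROD_EAP_MESSAGE)
    resp = parse_mschap2_response(PREPROD_MSCHAP2_RESPONSE)
    succ = parse_mschap2_success(PREPROD_MSCHAP2_SUCCESS)
    return {"name": eap["name"], "ident": resp["ident"],
            "proxied_matches_tunnel": radius_matches_eap(eap, resp),
            "auth_response": succ["auth_response"],
            "problems": success_problems(resp, succ)}
```

Feeding the other hex values from a debug run into the same parsers (the production Success with Ident 0x0a, for instance) shows whether each Success the client sees belongs to the Response it sent.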