Thanks Alan, it worked like a charm!! But it worked using TTLS/PAP, now Windows OS natively supports PEAP, and when I tried it with TTLS/PEAP it didn't authenticate and gave the following debug:
I guess from the below what's important is this section . . .

[eap] processing type mschapv2
[mschapv2] # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Creating challenge hash with username: pk
[mschap] Told to do MS-CHAPv2 for pk with NT-Password
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
. . .

Is there a way to configure radius to accept TTLS/PEAP and authenticate with LDAP? Below the full debug log.

rad_recv: Access-Request packet from host 192.168.1.8 port 1645, id=232, length=139
	NAS-IP-Address = 192.168.1.8
	NAS-Port = 50023
	NAS-Port-Type = Ethernet
	User-Name = "host/Lap-Top"
	Called-Station-Id = "00-15-F9-F8-4E-97"
	Calling-Station-Id = "00-1A-80-3F-F6-A1"
	Service-Type = Framed-User
	Framed-MTU = 1500
	EAP-Message = 0x0200001101686f73742f4c61702d546f70
	Message-Authenticator = 0x393e8f392e9902b158ed1424675efc19
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "host/Lap-Top", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 0 length 17
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[ldap] performing user authorization for host/Lap-Top
[ldap] expand: %{Stripped-User-Name} ->
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> host/Lap-Top
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=host/Lap-Top)
[ldap] expand: o=navbey.com, dc=navbey,dc=com -> o=navbey.com, dc=navbey,dc=com
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] attempting LDAP reconnection
[ldap] (re)connect to 192.168.1.40:389, authentication 0
[ldap] bind as /Hayalla5 to 192.168.1.40:389
[ldap] waiting for bind result ...
[ldap] Bind was successful
[ldap] performing search in o=navbey.com, dc=navbey,dc=com, with filter (uid=host/Lap-Top)
[ldap] object not found
[ldap] search failed
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 232 to 192.168.1.8 port 1645
	EAP-Message = 0x010100160410fccd1139019e6857ddd78da6b684af3c
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xd99dee93d99ceace8e5305bc8fdf726b
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.8 port 1645, id=233, length=146
	NAS-IP-Address = 192.168.1.8
	NAS-Port = 50023
	NAS-Port-Type = Ethernet
	User-Name = "host/Lap-Top"
	Called-Station-Id = "00-15-F9-F8-4E-97"
	Calling-Station-Id = "00-1A-80-3F-F6-A1"
	Service-Type = Framed-User
	Framed-MTU = 1500
	State = 0xd99dee93d99ceace8e5305bc8fdf726b
	EAP-Message = 0x020100060319
	Message-Authenticator = 0x80eabf367e08a9bd587fcbf4d36a0003
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "host/Lap-Top", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[ldap] performing user authorization for host/Lap-Top
[ldap] expand: %{Stripped-User-Name} ->
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> host/Lap-Top
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=host/Lap-Top)
[ldap] expand: o=navbey.com, dc=navbey,dc=com -> o=navbey.com, dc=navbey,dc=com
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in o=navbey.com, dc=navbey,dc=com, with filter (uid=host/Lap-Top)
[ldap] object not found
[ldap] search failed
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/peap
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 233 to 192.168.1.8 port 1645
	EAP-Message = 0x010200061920
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xd99dee93d89ff7ce8e5305bc8fdf726b
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.8 port 1645, id=234, length=261
	NAS-IP-Address = 192.168.1.8
	NAS-Port = 50023
	NAS-Port-Type = Ethernet
	User-Name = "host/Lap-Top"
	Called-Station-Id = "00-15-F9-F8-4E-97"
	Calling-Station-Id = "00-1A-80-3F-F6-A1"
	Service-Type = Framed-User
	Framed-MTU = 1500
	State = 0xd99dee93d89ff7ce8e5305bc8fdf726b
	EAP-Message = 0x0202007919800000006f160301006a0100006603014f90e7644c403354e4e4b15decc0aebb536d3363eb37876a26f4c3f9b77cb88c000018002f00350005000ac013c014c009c00a003200380013000401000025ff010001000000000c000a0000076c61702d746f70000a0006000400170018000b00020100
	Message-Authenticator = 0xe4a963411850e8b5b37ab847329b06c6
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "host/Lap-Top", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 121
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 111
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 006a], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 0031], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 085e], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 234 to 192.168.1.8 port 1645
	EAP-Message = 0x0103040019c0000008a216030100310200002d03014f90e754c928c34ff5dbd357df6597ea5e1d524fde068ccc2df5d94c9206ecde00002f000005ff01000100160301085e0b00085a0008570003a6308203a23082028aa003020102020101300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c65204365727469666963617465204175
	EAP-Message = 0x74686f72697479301e170d3132303431393035323632305a170d3132303631383035323632305a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100d8e5bb5cefd0db1624fbbcbba0a02f4d2b23a12f9f0ea9d1f96dc0ef3a08536f4096b8cb434aac77b625bb7610ea5eafdcba502cc3c094
	EAP-Message = 0xf74c16743d6ec16f4a8104cc5b98ea30fb86287bf0906ed458604e63412a6339c8bf25fd7f627131a6219db5e5d5f56460df027982eb5b1ca3b59a2fd27666fb7016df166162fe720c659f959cb04266ced87b083b6641a431d002b996fdb4c342b0205c9d2d70878caebee08fc19402b6867af343fe3a43a740bc44c66fcf993bc6c9812377983bcee8f5562d0974abc6142d95c3d582403fcf5dd9d5403fca88bb28eaec1cddafe9d23d1d17e804eb15da303e169756418be76cb204ce0c8bcbe428ceb75995cd2b0203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d010105050003820101009e6c
	EAP-Message = 0xc83de144237e09ce61668125af89da7f9d0dc727464fb50a1a8519ba3eed74c9553738541642751ece1617a2f1f567741ce6ce7e2bec8a2dd7871058ec5c440fc9342fa040dff416cddda61f48137d54fcf6725f487093947b9a02697e2ebf41962618b94e2a4453a1b43f1eacd51657b5407400d2404423f719e9b3779d6936d3b739599586f4ee8138bfac0cce760d17db9072576cea1ae391b95968c7ac2563f4f578a0dbee4750ef50e137a2e998ee6d9e7ea5050688e73a971905e1d468a04f8229c7fc1736cf8ee216f942a6a08790e49070f85fad784a5220f2ef9c99b0bd281d6486d5e8f699c843af9d57a10bc1a4a3d57bc470785d8736c7
	EAP-Message = 0x860004ab308204a73082038f
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xd99dee93db9ef7ce8e5305bc8fdf726b
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.8 port 1645, id=235, length=146
	NAS-IP-Address = 192.168.1.8
	NAS-Port = 50023
	NAS-Port-Type = Ethernet
	User-Name = "host/Lap-Top"
	Called-Station-Id = "00-15-F9-F8-4E-97"
	Calling-Station-Id = "00-1A-80-3F-F6-A1"
	Service-Type = Framed-User
	Framed-MTU = 1500
	State = 0xd99dee93db9ef7ce8e5305bc8fdf726b
	EAP-Message = 0x020300061900
	Message-Authenticator = 0xbae3ed10c923140fa6dfcfb1231cd7bf
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "host/Lap-Top", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 235 to 192.168.1.8 port 1645
	EAP-Message = 0x010403fc1940a003020102020900bcccc1285b561d81300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3132303431393035323632305a170d3132303631383035323632305a308193310b3009060355040613024652310f300d0603550408130652616469757331
	EAP-Message = 0x12301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100c2000de5769708aa73a3affa3ae2581583c4882e26f16a18d443e29db8316192c28b219cbb097059526763db5440029da5f07038fb6a904f36e3a41dc25ee2d693730072613aaff090fd98e30623969bc0d43527de8a6e60ecbcfa6672df1f278419f652471cc787
	EAP-Message = 0xc882a134970210e501a5f008bce3abbcd4de1b5c5da2287cf6af098930a2a46f6c4c68f2db00dc8b8289dfb961b00fb1b8cec26b996c69e2f2a4207cf29afc6e1e7a95599782388b5a5b5a10f961d816e101fdf26cf6062274aef2b443a5c60787edcd755a986de269abf78fde55eae7f450bca4434e6495b264e6db1bce418c8a417739b3bd52739f9ac134c2c9ed6b7bbf4ed479cb33690203010001a381fb3081f8301d0603551d0e0416041410d684dcfea11dfdc1bb500b759373530aa6d64b3081c80603551d230481c03081bd801410d684dcfea11dfdc1bb500b759373530aa6d64ba18199a48196308193310b300906035504061302465231
	EAP-Message = 0x0f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479820900bcccc1285b561d81300c0603551d13040530030101ff300d06092a864886f70d010105050003820101002d0d028da27788c0e5d3623cdb4cf11f09216955fe7493bfa233ec62bb45d3cb9dd71d61a95ca6e1ddb8aa2f8b80fbfcea5b8b35776bc61c9acab1408bc31daf3cf0f27d531819b600d3ca
	EAP-Message = 0x7a7c33f4b1017102
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xd99dee93da99f7ce8e5305bc8fdf726b
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.8 port 1645, id=236, length=146
	NAS-IP-Address = 192.168.1.8
	NAS-Port = 50023
	NAS-Port-Type = Ethernet
	User-Name = "host/Lap-Top"
	Called-Station-Id = "00-15-F9-F8-4E-97"
	Calling-Station-Id = "00-1A-80-3F-F6-A1"
	Service-Type = Framed-User
	Framed-MTU = 1500
	State = 0xd99dee93da99f7ce8e5305bc8fdf726b
	EAP-Message = 0x020400061900
	Message-Authenticator = 0xe12b82e1fc8c5ed35f4f3591f8f09111
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "host/Lap-Top", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 4 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 236 to 192.168.1.8 port 1645
	EAP-Message = 0x010500bc1900971b6ff4eedeea77cbd7b846662c36009c223bb1dab20d1956c65d6dfdd68e272a551fae0e5b9066339a0f279041f434256e4aa905eb8dbabc508c2a0771d29cb0810ff8a278d32154413350d24a65e9c3cfb9e15e9057d0dce5f2cbd3d523586b6b7f60bf3a6d92c8772b862711d539a2412abe6a6c4f79816985453331bc5f8661a99c795b6d6a92fd75d73273373be417324e2b8696ff3d6cb180e1619343b8bf9d39a193cf49a3f008a74e16030100040e000000
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xd99dee93dd98f7ce8e5305bc8fdf726b
Finished request 4.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 192.168.1.8 port 1645, id=237, length=157
	NAS-IP-Address = 192.168.1.8
	NAS-Port = 50023
	NAS-Port-Type = Ethernet
	User-Name = "host/Lap-Top"
	Called-Station-Id = "00-15-F9-F8-4E-97"
	Calling-Station-Id = "00-1A-80-3F-F6-A1"
	Service-Type = Framed-User
	Framed-MTU = 1500
	State = 0xd99dee93dd98f7ce8e5305bc8fdf726b
	EAP-Message = 0x0205001119800000000715030100020230
	Message-Authenticator = 0x5ce3a9de35758d1c75450df5daaf1374
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "host/Lap-Top", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 5 length 17
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 7
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert read:fatal:unknown CA
TLS_accept: failed in SSLv3 read client certificate A
rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
SSL: SSL_read failed inside of TLS (-1), TLS session fails.
TLS receive handshake failed during operation
[peap] eaptls_process returned 4
[peap] EAPTLS_OTHERS
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> host/Lap-Top
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 5 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 5
Sending Access-Reject of id 237 to 192.168.1.8 port 1645
	EAP-Message = 0x04050004
	Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.6 seconds.
Cleaning up request 0 ID 232 with timestamp +33
Cleaning up request 1 ID 233 with timestamp +33
Cleaning up request 2 ID 234 with timestamp +33
Cleaning up request 3 ID 235 with timestamp +34
Cleaning up request 4 ID 236 with timestamp +34
Waking up in 1.2 seconds.
Cleaning up request 5 ID 237 with timestamp +34
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.1.8 port 1645, id=238, length=119
	NAS-IP-Address = 192.168.1.8
	NAS-Port = 50023
	NAS-Port-Type = Ethernet
	User-Name = "pk"
	Called-Station-Id = "00-15-F9-F8-4E-97"
	Calling-Station-Id = "00-1A-80-3F-F6-A1"
	Service-Type = Framed-User
	Framed-MTU = 1500
	EAP-Message = 0x0200000701706b
	Message-Authenticator = 0x8172bc6808678b8cc0050e18f292be5b
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "pk", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 0 length 7
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[ldap] performing user authorization for pk
[ldap] expand: %{Stripped-User-Name} ->
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> pk
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=pk)
[ldap] expand: o=navbey.com, dc=navbey,dc=com -> o=navbey.com, dc=navbey,dc=com
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in o=navbey.com, dc=navbey,dc=com, with filter (uid=pk)
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
[ldap] user pk authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 238 to 192.168.1.8 port 1645
	EAP-Message = 0x0101001604105907cf652b105257755a0a71aead1043
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xdf66a7f2df67a38e0e7c49ccf0790122
Finished request 6.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.8 port 1645, id=239, length=136
	NAS-IP-Address = 192.168.1.8
	NAS-Port = 50023
	NAS-Port-Type = Ethernet
	User-Name = "pk"
	Called-Station-Id = "00-15-F9-F8-4E-97"
	Calling-Station-Id = "00-1A-80-3F-F6-A1"
	Service-Type = Framed-User
	Framed-MTU = 1500
	State = 0xdf66a7f2df67a38e0e7c49ccf0790122
	EAP-Message = 0x020100060319
	Message-Authenticator = 0x9e38985bc9352abd749655cef48fcabb
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "pk", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[ldap] performing user authorization for pk
[ldap] expand: %{Stripped-User-Name} ->
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> pk
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=pk)
[ldap] expand: o=navbey.com, dc=navbey,dc=com -> o=navbey.com, dc=navbey,dc=com
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in o=navbey.com, dc=navbey,dc=com, with filter (uid=pk)
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
[ldap] user pk authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/peap
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 239 to 192.168.1.8 port 1645
	EAP-Message = 0x010200061920
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xdf66a7f2de64be8e0e7c49ccf0790122
Finished request 7.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.8 port 1645, id=240, length=246
	NAS-IP-Address = 192.168.1.8
	NAS-Port = 50023
	NAS-Port-Type = Ethernet
	User-Name = "pk"
	Called-Station-Id = "00-15-F9-F8-4E-97"
	Calling-Station-Id = "00-1A-80-3F-F6-A1"
	Service-Type = Framed-User
	Framed-MTU = 1500
	State = 0xdf66a7f2de64be8e0e7c49ccf0790122
	EAP-Message = 0x0202007419800000006a16030100650100006103014f90e7b4d18bbe342796756b5150e422b34b841225b5fbf93254c2ea5f700171000018002f00350005000ac013c014c009c00a003200380013000401000020ff01000100000000070005000002706b000a0006000400170018000b00020100
	Message-Authenticator = 0x83714ddb4c574e351f7e9852ebdf8365
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "pk", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 116
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 106
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 0065], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 0031], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 085e], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 240 to 192.168.1.8 port 1645
	EAP-Message = 0x0103040019c0000008a216030100310200002d03014f90e7a5e170c65318f315262fbacc1b091ef134223260cf2d9000702878462600002f000005ff01000100160301085e0b00085a0008570003a6308203a23082028aa003020102020101300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c65204365727469666963617465204175
	EAP-Message = 0x74686f72697479301e170d3132303431393035323632305a170d3132303631383035323632305a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100d8e5bb5cefd0db1624fbbcbba0a02f4d2b23a12f9f0ea9d1f96dc0ef3a08536f4096b8cb434aac77b625bb7610ea5eafdcba502cc3c094
	EAP-Message = 0xf74c16743d6ec16f4a8104cc5b98ea30fb86287bf0906ed458604e63412a6339c8bf25fd7f627131a6219db5e5d5f56460df027982eb5b1ca3b59a2fd27666fb7016df166162fe720c659f959cb04266ced87b083b6641a431d002b996fdb4c342b0205c9d2d70878caebee08fc19402b6867af343fe3a43a740bc44c66fcf993bc6c9812377983bcee8f5562d0974abc6142d95c3d582403fcf5dd9d5403fca88bb28eaec1cddafe9d23d1d17e804eb15da303e169756418be76cb204ce0c8bcbe428ceb75995cd2b0203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d010105050003820101009e6c
	EAP-Message = 0xc83de144237e09ce61668125af89da7f9d0dc727464fb50a1a8519ba3eed74c9553738541642751ece1617a2f1f567741ce6ce7e2bec8a2dd7871058ec5c440fc9342fa040dff416cddda61f48137d54fcf6725f487093947b9a02697e2ebf41962618b94e2a4453a1b43f1eacd51657b5407400d2404423f719e9b3779d6936d3b739599586f4ee8138bfac0cce760d17db9072576cea1ae391b95968c7ac2563f4f578a0dbee4750ef50e137a2e998ee6d9e7ea5050688e73a971905e1d468a04f8229c7fc1736cf8ee216f942a6a08790e49070f85fad784a5220f2ef9c99b0bd281d6486d5e8f699c843af9d57a10bc1a4a3d57bc470785d8736c7
	EAP-Message = 0x860004ab308204a73082038f
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xdf66a7f2dd65be8e0e7c49ccf0790122
Finished request 8.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.8 port 1645, id=241, length=136
	NAS-IP-Address = 192.168.1.8
	NAS-Port = 50023
	NAS-Port-Type = Ethernet
	User-Name = "pk"
	Called-Station-Id = "00-15-F9-F8-4E-97"
	Calling-Station-Id = "00-1A-80-3F-F6-A1"
	Service-Type = Framed-User
	Framed-MTU = 1500
	State = 0xdf66a7f2dd65be8e0e7c49ccf0790122
	EAP-Message = 0x020300061900
	Message-Authenticator = 0x6d071271e3593761fab43b275fc890cf
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "pk", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 241 to 192.168.1.8 port 1645
	EAP-Message = 0x010403fc1940a003020102020900bcccc1285b561d81300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3132303431393035323632305a170d3132303631383035323632305a308193310b3009060355040613024652310f300d0603550408130652616469757331
	EAP-Message = 0x12301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100c2000de5769708aa73a3affa3ae2581583c4882e26f16a18d443e29db8316192c28b219cbb097059526763db5440029da5f07038fb6a904f36e3a41dc25ee2d693730072613aaff090fd98e30623969bc0d43527de8a6e60ecbcfa6672df1f278419f652471cc787
	EAP-Message = 0xc882a134970210e501a5f008bce3abbcd4de1b5c5da2287cf6af098930a2a46f6c4c68f2db00dc8b8289dfb961b00fb1b8cec26b996c69e2f2a4207cf29afc6e1e7a95599782388b5a5b5a10f961d816e101fdf26cf6062274aef2b443a5c60787edcd755a986de269abf78fde55eae7f450bca4434e6495b264e6db1bce418c8a417739b3bd52739f9ac134c2c9ed6b7bbf4ed479cb33690203010001a381fb3081f8301d0603551d0e0416041410d684dcfea11dfdc1bb500b759373530aa6d64b3081c80603551d230481c03081bd801410d684dcfea11dfdc1bb500b759373530aa6d64ba18199a48196308193310b300906035504061302465231
	EAP-Message = 0x0f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479820900bcccc1285b561d81300c0603551d13040530030101ff300d06092a864886f70d010105050003820101002d0d028da27788c0e5d3623cdb4cf11f09216955fe7493bfa233ec62bb45d3cb9dd71d61a95ca6e1ddb8aa2f8b80fbfcea5b8b35776bc61c9acab1408bc31daf3cf0f27d531819b600d3ca
	EAP-Message = 0x7a7c33f4b1017102
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xdf66a7f2dc62be8e0e7c49ccf0790122
Finished request 9.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.8 port 1645, id=242, length=136
	NAS-IP-Address = 192.168.1.8
	NAS-Port = 50023
	NAS-Port-Type = Ethernet
	User-Name = "pk"
	Called-Station-Id = "00-15-F9-F8-4E-97"
	Calling-Station-Id = "00-1A-80-3F-F6-A1"
	Service-Type = Framed-User
	Framed-MTU = 1500
	State = 0xdf66a7f2dc62be8e0e7c49ccf0790122
	EAP-Message = 0x020400061900
	Message-Authenticator = 0x406d4a98563e0a8815fc113633dc3e8a
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "pk", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 4 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 242 to 192.168.1.8 port 1645
	EAP-Message = 0x010500bc1900971b6ff4eedeea77cbd7b846662c36009c223bb1dab20d1956c65d6dfdd68e272a551fae0e5b9066339a0f279041f434256e4aa905eb8dbabc508c2a0771d29cb0810ff8a278d32154413350d24a65e9c3cfb9e15e9057d0dce5f2cbd3d523586b6b7f60bf3a6d92c8772b862711d539a2412abe6a6c4f79816985453331bc5f8661a99c795b6d6a92fd75d73273373be417324e2b8696ff3d6cb180e1619343b8bf9d39a193cf49a3f008a74e16030100040e000000
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xdf66a7f2db63be8e0e7c49ccf0790122
Finished request 10.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 192.168.1.8 port 1645, id=243, length=468 NAS-IP-Address = 192.168.1.8 NAS-Port = 50023 NAS-Port-Type = Ethernet User-Name = "pk" Called-Station-Id = "00-15-F9-F8-4E-97" Calling-Station-Id = "00-1A-80-3F-F6-A1" Service-Type = Framed-User Framed-MTU = 1500 State = 0xdf66a7f2db63be8e0e7c49ccf0790122 EAP-Message = 0x0205015019800000014616030101061000010201007ca92d4c46976b1b4221150302f3368 a83dc071c73eba660f726d5994829e44d05a151ec815b381e2f1eb51e1d7e81f8ac2a797d58 f37c72 a5d30c39f58e74bf270c9e620ca368a702cea648d9a6c858e1bc8f9be8157e00b757e33e7b1 ea20b39cf66fb4fbedaafc981939713c44fc8b997419eb479dff20f0eccb3079e7751e9153a c83d88bba33099f97c582edbc478 1d7f0639d32724524792b4d70ba65ac425016a23804a6df38154970bd73bc17932b394e1328 8de5e45c576d857438404c58e5db2a2665655983c6ad2be802d7429661f6cc331e4184efa28 9cdfa6fff8cd4b32ffcab948 EAP-Message = 0xd35111c89e339e4eb688cec3322076273345f6fd6c1060c51403010001011603010030260 8671e3f152141c25ed7c1fd386d33f3c6c2616d85f988fe98201fd0e76195009450561f33db 115953 d9cc0e0c6aad Message-Authenticator = 0xeddc39b94b6c9df9fa14274a3bd8d18c # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "pk", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 5 length 253 [eap] Continuing tunnel setup. 
++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 326 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 243 to 192.168.1.8 port 1645 EAP-Message = 0x010600411900140301000101160301003054457c3f14edfe37c380b20c93886c1ff0b063a 823224547618117156a0e9bdc597726c7d28ae5d8de455329b1dca06b Message-Authenticator = 0x00000000000000000000000000000000 State = 0xdf66a7f2da60be8e0e7c49ccf0790122 Finished request 11. Going to the next request Waking up in 4.8 seconds. 
rad_recv: Access-Request packet from host 192.168.1.8 port 1645, id=244, length=136 NAS-IP-Address = 192.168.1.8 NAS-Port = 50023 NAS-Port-Type = Ethernet User-Name = "pk" Called-Station-Id = "00-15-F9-F8-4E-97" Calling-Station-Id = "00-1A-80-3F-F6-A1" Service-Type = Framed-User Framed-MTU = 1500 State = 0xdf66a7f2da60be8e0e7c49ccf0790122 EAP-Message = 0x020600061900 Message-Authenticator = 0x90ac28f0fcfd4d8b13135d7b4f586f9d # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "pk", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 6 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS [peap] Session established. Decoding tunneled attributes. [peap] Peap state TUNNEL ESTABLISHED ++[eap] returns handled Sending Access-Challenge of id 244 to 192.168.1.8 port 1645 EAP-Message = 0x0107002b19001703010020ef133c0aa7b038aca4ed631f4b2195d48ef9178b0563bcfa3bb a8e9949cfed99 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xdf66a7f2d961be8e0e7c49ccf0790122 Finished request 12. Going to the next request Waking up in 4.7 seconds. 
rad_recv: Access-Request packet from host 192.168.1.8 port 1645, id=245, length=173 NAS-IP-Address = 192.168.1.8 NAS-Port = 50023 NAS-Port-Type = Ethernet User-Name = "pk" Called-Station-Id = "00-15-F9-F8-4E-97" Calling-Station-Id = "00-1A-80-3F-F6-A1" Service-Type = Framed-User Framed-MTU = 1500 State = 0xdf66a7f2d961be8e0e7c49ccf0790122 EAP-Message = 0x0207002b190017030100207a7bde6894f97bb470bde13772156dcb004886d42b2d42e6313 4dea574c74e6d Message-Authenticator = 0x4b4eecc47353757ee17f773ad9151172 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "pk", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 7 length 43 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state WAITING FOR INNER IDENTITY [peap] Identity - pk [peap] Got inner identity 'pk' [peap] Setting default EAP type for tunneled EAP session. 
[peap] Got tunneled request
    EAP-Message = 0x0207000701706b
server {
  PEAP: Setting User-Name to pk
Sending tunneled request
    EAP-Message = 0x0207000701706b
    FreeRADIUS-Proxied-To = 127.0.0.1
    User-Name = "pk"
server inner-tunnel {
# Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "pk", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 7 length 7
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[ldap] performing user authorization for pk
[ldap] expand: %{Stripped-User-Name} ->
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> pk
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=pk)
[ldap] expand: o=navbey.com, dc=navbey,dc=com -> o=navbey.com, dc=navbey,dc=com
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in o=navbey.com, dc=navbey,dc=com, with filter (uid=pk)
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
[ldap] user pk authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
    EAP-Message = 0x0108001c1a0108001710e3de4c1bb91f06762905e9b9836d9b85706b
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0xcfa04815cfa85281f6375487a35aa0b0
[peap] Got tunneled reply RADIUS code 11
    EAP-Message = 0x0108001c1a0108001710e3de4c1bb91f06762905e9b9836d9b85706b
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0xcfa04815cfa85281f6375487a35aa0b0
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 245 to 192.168.1.8 port 1645
    EAP-Message = 0x0108003b19001703010030f42bf53d46e5731b25dc206513c583ac3c3f439bde0a89c3c8d00aefc27a0b56ce72596f7e08f227542c95bc96cbb520
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0xdf66a7f2d86ebe8e0e7c49ccf0790122
Finished request 13.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 192.168.1.8 port 1645, id=246, length=221
    NAS-IP-Address = 192.168.1.8
    NAS-Port = 50023
    NAS-Port-Type = Ethernet
    User-Name = "pk"
    Called-Station-Id = "00-15-F9-F8-4E-97"
    Calling-Station-Id = "00-1A-80-3F-F6-A1"
    Service-Type = Framed-User
    Framed-MTU = 1500
    State = 0xdf66a7f2d86ebe8e0e7c49ccf0790122
    EAP-Message = 0x0208005b1900170301005066c6dfd96844df1f54b9abd2cb5769f2ab008a7117dd2ba5c823dde826c56926114583d0721d7abf1eae649c62b3925c5dbaac9771b10b03d03b35615f53e76e20ca99343df8e9867526f5826bcb5245
    Message-Authenticator = 0x7b7a7a7f5055b2806626ed1c0e64a965
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "pk", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 8 length 91
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
    EAP-Message = 0x0208003d1a02080038313441fe526c301512427b1f00e3121ca4000000000000000092d469509e834a4e7da586c7e3d50e367c01b7309d1b777d00706b
server {
  PEAP: Setting User-Name to pk
Sending tunneled request
    EAP-Message = 0x0208003d1a02080038313441fe526c301512427b1f00e3121ca4000000000000000092d469509e834a4e7da586c7e3d50e367c01b7309d1b777d00706b
    FreeRADIUS-Proxied-To = 127.0.0.1
    User-Name = "pk"
    State = 0xcfa04815cfa85281f6375487a35aa0b0
server inner-tunnel {
# Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "pk", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 8 length 61
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[ldap] performing user authorization for pk
[ldap] expand: %{Stripped-User-Name} ->
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> pk
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=pk)
[ldap] expand: o=navbey.com, dc=navbey,dc=com -> o=navbey.com, dc=navbey,dc=com
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in o=navbey.com, dc=navbey,dc=com, with filter (uid=pk)
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
[ldap] user pk authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Creating challenge hash with username: pk
[mschap] Told to do MS-CHAPv2 for pk with NT-Password
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
} # server inner-tunnel
[peap] Got tunneled reply code 3
    MS-CHAP-Error = "\010E=691 R=1"
    EAP-Message = 0x04080004
    Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code 3
    MS-CHAP-Error = "\010E=691 R=1"
    EAP-Message = 0x04080004
    Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] returns handled
Sending Access-Challenge of id 246 to 192.168.1.8 port 1645
    EAP-Message = 0x0109002b190017030100209b7b6546ac7dd0c6de4ab8352452dc4d5e0ef2a8fa9e346d035d54f42f5e5617
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0xdf66a7f2d76fbe8e0e7c49ccf0790122
Finished request 14.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 192.168.1.8 port 1645, id=247, length=173
    NAS-IP-Address = 192.168.1.8
    NAS-Port = 50023
    NAS-Port-Type = Ethernet
    User-Name = "pk"
    Called-Station-Id = "00-15-F9-F8-4E-97"
    Calling-Station-Id = "00-1A-80-3F-F6-A1"
    Service-Type = Framed-User
    Framed-MTU = 1500
    State = 0xdf66a7f2d76fbe8e0e7c49ccf0790122
    EAP-Message = 0x0209002b19001703010020fdaefbe1bb82e8c918f2aea95051b6bcec4ded07a53886054727c83dd0233c9c
    Message-Authenticator = 0xeb10297e4e0ef47e8c1e7ba7c083ca48
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "pk", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 9 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state send tlv failure
[peap] Received EAP-TLV response.
[peap] The users session was previously rejected: returning reject (again.)
[peap] *** This means you need to read the PREVIOUS messages in the debug output
[peap] *** to find out the reason why the user was rejected.
[peap] *** Look for "reject" or "fail". Those earlier messages will tell you.
[peap] *** what went wrong, and how to fix the problem.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> pk
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 15 for 1 seconds
Going to the next request

On 4/19/12 6:53 PM, "alan buxey" <a.l.m.bu...@lboro.ac.uk> wrote:

>hi,
>
>quick look seems to show that you don't have a suitable authorise
>section in the inner tunnel.
>
>the tunnel gets started...your client rejects the default md5
>the server sent - and EAP-TTLS gets done...the username/password
>gets sent but has nothing to go against.... so I suggest
>you add
>
>'ldap' to the inner-tunnel virtual server (in same way that ldap and
>LDAP are defined in default server...)
>
>alan
>-
>List info/subscribe/unsubscribe? See
>http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
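Added example, not code from this thread or from FreeRADIUS itself: the reject in the debug output comes from rlm_mschap finding neither NT-Password nor Cleartext-Password in the inner-tunnel request's control list. TTLS/PAP worked because the ldap module can check a PAP password by binding to the directory as the user; that bind only answers "correct or not" and never hands the password material to the server. PEAP/MSCHAPv2 is different: the server must verify a challenge response computed from the NT hash (MD4 over the UTF-16LE password), so it needs that hash, or a cleartext password to derive it from, before the inner authentication runs. The script below derives NT-Password the way rlm_mschap does and mirrors its decision for the three cases (NT-Password present, Cleartext-Password present, neither). The sample password is constructed; the pure-Python MD4 is included because hashlib's md4 is often unavailable under OpenSSL 3.

```python
"""Why PEAP/MSCHAPv2 rejects when an LDAP bind is the only password source.

Added example, not FreeRADIUS code. It reproduces the password-material
check behind the '[mschap] FAILED: No NT/LM-Password' debug line.
"""
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x: int, s: int) -> int:
    return ((x << s) | (x >> (32 - s))) & MASK32


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). hashlib's md4 is frequently disabled
    under OpenSSL 3 without the legacy provider, hence the reimplementation."""
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    # Padding: 0x80, zeros to 56 mod 64, then the bit length as little-endian u64.
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    order2 = (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)
    order3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(48):
            if i < 16:       # round 1: F = bitwise selection
                f, k, s, t = (b & c) | (~b & d), i, (3, 7, 11, 19)[i % 4], 0
            elif i < 32:     # round 2: G = majority
                f, k, s, t = ((b & c) | (b & d) | (c & d), order2[i - 16],
                              (3, 5, 9, 13)[i % 4], 0x5A827999)
            else:            # round 3: H = parity
                f, k, s, t = b ^ c ^ d, order3[i - 32], (3, 9, 11, 15)[i % 4], 0x6ED9EBA1
            a, b, c, d = d, _rotl((a + f + x[k] + t) & MASK32, s), b, c
        a0, b0, c0, d0 = ((a0 + a) & MASK32, (b0 + b) & MASK32,
                          (c0 + c) & MASK32, (d0 + d) & MASK32)
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_password(password: str) -> bytes:
    """NT-Password as rlm_mschap derives it: MD4 over the UTF-16LE password."""
    return md4(password.encode("utf-16-le"))


def mschap_password_material(control: dict) -> tuple:
    """Mirror rlm_mschap's check. `control` stands in for the request's
    control list, i.e. whatever ldap/files added during authorize.
    Returns (can_authenticate, reason)."""
    if "NT-Password" in control:
        return True, "using NT-Password from the control list"
    if "Cleartext-Password" in control:
        control["NT-Password"] = nt_password(control["Cleartext-Password"]).hex().upper()
        return True, "NT-Password derived from Cleartext-Password"
    # A bind-as-user LDAP check (what makes TTLS/PAP pass) adds neither attribute.
    return False, "No NT/LM-Password. Cannot perform authentication."


if __name__ == "__main__":
    # Constructed sample data: user name from the thread, password invented here.
    sample_password = "Summer2012!"
    scenarios = {
        "inner-tunnel with ldap bind only (the poster's setup)": {},
        "directory returns the NT hash": {
            "NT-Password": nt_password(sample_password).hex().upper()},
        "directory returns the cleartext password": {
            "Cleartext-Password": sample_password},
    }
    for name, control in scenarios.items():
        ok, why = mschap_password_material(dict(control))
        print(f"{name}: {'ok' if ok else 'reject'} ({why})")
```

The consequence for a setup like this one: PEAP/MSCHAPv2 against LDAP only works when the directory stores an NT hash (or cleartext) attribute and the ldap module maps it to NT-Password (or Cleartext-Password) in the inner-tunnel authorize section, with the RADIUS bind account granted read access to that attribute. Because an NT hash is password-equivalent, that read permission should be limited to the RADIUS service account, and the server-to-directory connection protected. If the directory holds only salted hashes such as SSHA, MS-CHAPv2 cannot be verified against it and TTLS/PAP (or EAP-TLS) is the option that matches the data available.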