Hi Folks

I am still having problems with the eduroam authentication to our AD domain. I 
am now getting rejected although the username and password are correct.

Below are the RADIUS logs for the test, and I was wondering if anyone could shed 
some light on my problem.


Thanks

Will Halsall

ap: Finished EAP session with state 0xdecad538decdcfad
(7) eap: Previous EAP request found for state 0xdecad538decdcfad, released from 
the list
(7) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(7) eap: Calling submodule eap_mschapv2 to process data
(7) eap_mschapv2: # Executing group from file 
/usr/local/pf/raddb/sites-enabled/packetfence-tunnel
(7) eap_mschapv2:   Auth-Type MS-CHAP {
(7) packetfence:   $RAD_REQUEST{'User-Name'} = &request:User-Name -> 
'helpd...@farn-ct.ac.uk'
(7) packetfence:   $RAD_REQUEST{'NAS-IP-Address'} = &request:NAS-IP-Address -> 
'127.0.0.1'
(7) packetfence:   $RAD_REQUEST{'Service-Type'} = &request:Service-Type -> 
'Authenticate-Only'
(7) packetfence:   $RAD_REQUEST{'Framed-MTU'} = &request:Framed-MTU -> '1400'
(7) packetfence:   $RAD_REQUEST{'State'} = &request:State -> 
'0xdecad538decdcfad2cf97d0726a24922'
(7) packetfence:   $RAD_REQUEST{'Calling-Station-Id'} = 
&request:Calling-Station-Id -> '02:00:00:00:00:01'
(7) packetfence:   $RAD_REQUEST{'NAS-Identifier'} = &request:NAS-Identifier -> 
'eduroamUK-test'
(7) packetfence:   $RAD_REQUEST{'NAS-Port-Type'} = &request:NAS-Port-Type -> 
'Wireless-802.11'
(7) packetfence:   $RAD_REQUEST{'Event-Timestamp'} = &request:Event-Timestamp 
-> 'May  2 2018 00:06:23 BST'
(7) packetfence:   $RAD_REQUEST{'Connect-Info'} = &request:Connect-Info -> 
'eduroam UK test'
(7) packetfence:   $RAD_REQUEST{'EAP-Message'} = &request:EAP-Message -> 
'0x020700511a0207004c319f14a65ad77f1546d8aca5f2196626db0000000000000000ff9d32e6c1679c7f27c071374f109360595818fb0202de960068656c706465736b406661726e2d63742e61632e756b'
(7) packetfence:   $RAD_REQUEST{'Operator-Name'} = &request:Operator-Name -> 
'1eduroam.uk'
(7) packetfence:   $RAD_REQUEST{'FreeRADIUS-Proxied-To'} = 
&request:FreeRADIUS-Proxied-To -> '127.0.0.1'
(7) packetfence:   $RAD_REQUEST{'MS-CHAP-Challenge'} = 
&request:MS-CHAP-Challenge -> '0xc7f5b2bc7fe7c7b528641a052426ae7a'
(7) packetfence:   $RAD_REQUEST{'MS-CHAP2-Response'} = 
&request:MS-CHAP2-Response -> 
'0x07659f14a65ad77f1546d8aca5f2196626db0000000000000000ff9d32e6c1679c7f27c071374f109360595818fb0202de96'
(7) packetfence:   $RAD_REQUEST{'EAP-Type'} = &request:EAP-Type -> 'MSCHAPv2'
(7) packetfence:   $RAD_REQUEST{'Realm'} = &request:Realm -> 'farn-ct.ac.uk'
(7) packetfence:   $RAD_REQUEST{'MS-CHAP-User-Name'} = 
&request:MS-CHAP-User-Name -> 'helpd...@farn-ct.ac.uk'
(7) packetfence:   $RAD_REQUEST{'PacketFence-Domain'} = 
&request:PacketFence-Domain -> 'RadiusAD'
(7) packetfence:   $RAD_CHECK{'Auth-Type'} = &control:Auth-Type -> 'eap'
(7) packetfence:   $RAD_CHECK{'Proxy-To-Realm'} = &control:Proxy-To-Realm -> 
'LOCAL'
(7) packetfence:   $RAD_CHECK{'Tmp-Integer-2'} = &control:Tmp-Integer-2 -> '0'
(7) packetfence:   $RAD_CONFIG{'Auth-Type'} = &control:Auth-Type -> 'eap'
(7) packetfence:   $RAD_CONFIG{'Proxy-To-Realm'} = &control:Proxy-To-Realm -> 
'LOCAL'
(7) packetfence:   $RAD_CONFIG{'Tmp-Integer-2'} = &control:Tmp-Integer-2 -> '0'
(7) packetfence: &request:NAS-Port-Type = $RAD_REQUEST{'NAS-Port-Type'} -> 
'Wireless-802.11'
(7) packetfence: &request:Service-Type = $RAD_REQUEST{'Service-Type'} -> 
'Authenticate-Only'
(7) packetfence: &request:Operator-Name = $RAD_REQUEST{'Operator-Name'} -> 
'1eduroam.uk'
(7) packetfence: &request:State = $RAD_REQUEST{'State'} -> 
'0xdecad538decdcfad2cf97d0726a24922'
(7) packetfence: &request:FreeRADIUS-Proxied-To = 
$RAD_REQUEST{'FreeRADIUS-Proxied-To'} -> '127.0.0.1'
(7) packetfence: &request:Connect-Info = $RAD_REQUEST{'Connect-Info'} -> 
'eduroam UK test'
(7) packetfence: &request:Realm = $RAD_REQUEST{'Realm'} -> 'farn-ct.ac.uk'
(7) packetfence: &request:EAP-Type = $RAD_REQUEST{'EAP-Type'} -> 'MSCHAPv2'
(7) packetfence: &request:NAS-IP-Address = $RAD_REQUEST{'NAS-IP-Address'} -> 
'127.0.0.1'
(7) packetfence: &request:Calling-Station-Id = 
$RAD_REQUEST{'Calling-Station-Id'} -> '02:00:00:00:00:01'
(7) packetfence: &request:MS-CHAP-User-Name = $RAD_REQUEST{'MS-CHAP-User-Name'} 
-> 'helpd...@farn-ct.ac.uk'
(7) packetfence: &request:MS-CHAP-Challenge = $RAD_REQUEST{'MS-CHAP-Challenge'} 
-> '0xc7f5b2bc7fe7c7b528641a052426ae7a'
(7) packetfence: &request:PacketFence-Domain = 
$RAD_REQUEST{'PacketFence-Domain'} -> 'RadiusAD'
(7) packetfence: &request:User-Name = $RAD_REQUEST{'User-Name'} -> 
'helpd...@farn-ct.ac.uk'
(7) packetfence: &request:NAS-Identifier = $RAD_REQUEST{'NAS-Identifier'} -> 
'eduroamUK-test'
(7) packetfence: &request:Event-Timestamp = $RAD_REQUEST{'Event-Timestamp'} -> 
'May  2 2018 00:06:23 BST'
(7) packetfence: &request:EAP-Message = $RAD_REQUEST{'EAP-Message'} -> 
'0x020700511a0207004c319f14a65ad77f1546d8aca5f2196626db0000000000000000ff9d32e6c1679c7f27c071374f109360595818fb0202de960068656c706465736b406661726e2d63742e61632e756b'
(7) packetfence: &request:MS-CHAP2-Response = $RAD_REQUEST{'MS-CHAP2-Response'} 
-> 
'0x07659f14a65ad77f1546d8aca5f2196626db0000000000000000ff9d32e6c1679c7f27c071374f109360595818fb0202de96'
(7) packetfence: &request:Framed-MTU = $RAD_REQUEST{'Framed-MTU'} -> '1400'
(7) packetfence: &control:Auth-Type = $RAD_CHECK{'Auth-Type'} -> 'eap'
(7) packetfence: &control:Tmp-Integer-2 = $RAD_CHECK{'Tmp-Integer-2'} -> '0'
(7) packetfence: &control:Proxy-To-Realm = $RAD_CHECK{'Proxy-To-Realm'} -> 
'LOCAL'
(7)     [packetfence] = noop
(7)     if (&control:NT-Password && &control:NT-Password != "") {
(7)     if (&control:NT-Password && &control:NT-Password != "")  -> FALSE
(7)     else {
(7)       policy packetfence-mschap-authenticate {
(7)         if (PacketFence-Domain) {
(7)         if (PacketFence-Domain)  -> TRUE
(7)         if (PacketFence-Domain)  {
(7)           if ( "%{User-Name}" =~ /^host\/.*/) {
(7)           EXPAND %{User-Name}
(7)              --> helpd...@farn-ct.ac.uk
(7)           if ( "%{User-Name}" =~ /^host\/.*/)  -> FALSE
(7)           else {
(7) chrooted_mschap: Creating challenge hash with username: 
helpd...@farn-ct.ac.uk
(7) chrooted_mschap: Client is using MS-CHAPv2
(7) chrooted_mschap: Executing: /usr/bin/sudo /usr/sbin/chroot 
/chroots/%{PacketFence-Domain} /usr/local/pf/bin/ntlm_auth_wrapper --          
--request-nt-key --username=%{%{Stripped-User-Name}:-%{mschap:User-Name:-None}} 
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}:
(7) chrooted_mschap: EXPAND /chroots/%{PacketFence-Domain}
(7) chrooted_mschap:    --> /chroots/RadiusAD
(7) chrooted_mschap: EXPAND 
--username=%{%{Stripped-User-Name}:-%{mschap:User-Name:-None}}
(7) chrooted_mschap:    --> 
--username=helpd...@farn-ct.ac.uk
(7) chrooted_mschap: Creating challenge hash with username: 
helpd...@farn-ct.ac.uk
(7) chrooted_mschap: EXPAND --challenge=%{mschap:Challenge:-00}
(7) chrooted_mschap:    --> --challenge=3c45509edd2101f9
(7) chrooted_mschap: EXPAND --nt-response=%{mschap:NT-Response:-00}
(7) chrooted_mschap:    --> 
--nt-response=ff9d32e6c1679c7f27c071374f109360595818fb0202de96
(7) chrooted_mschap: ERROR: Program returned code (1) and output 'Logon failure 
(0xc000006d)'
(7) chrooted_mschap: External script failed
(7) chrooted_mschap: ERROR: External script says: Logon failure (0xc000006d)
(7) chrooted_mschap: ERROR: MS-CHAP2-Response is incorrect
(7)             [chrooted_mschap] = reject
(7)           } # else = reject
(7)         } # if (PacketFence-Domain)  = reject
(7)       } # policy packetfence-mschap-authenticate = reject
(7)     } # else = reject
(7)   } # Auth-Type MS-CHAP = reject
(7) eap: Sending EAP Failure (code 4) ID 7 length 4
(7) eap: Freeing handler
(7)       [eap] = reject
(7)     } # authenticate = reject





_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
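
An added example, not part of the original post or of PacketFence/FreeRADIUS: it splits the EAP-Message from the log above into its EAP-MSCHAPv2 fields and checks whether the `--challenge` and `--nt-response` values handed to `ntlm_auth_wrapper` are the ones the supplicant's packet implies (RFC 2759 ChallengeHash). The function names are hypothetical; the hex values are copied from the log.

```python
import hashlib

# Attribute values copied from the debug log in the post above.
EAP_MESSAGE = bytes.fromhex(
    "020700511a0207004c31"
    "9f14a65ad77f1546d8aca5f2196626db"
    "0000000000000000"
    "ff9d32e6c1679c7f27c071374f109360595818fb0202de96"
    "00"
    "68656c706465736b406661726e2d63742e61632e756b")
MS_CHAP_CHALLENGE = bytes.fromhex("c7f5b2bc7fe7c7b528641a052426ae7a")
# Expansions of --challenge= and --nt-response= logged by chrooted_mschap.
NTLM_AUTH_CHALLENGE = bytes.fromhex("3c45509edd2101f9")
NTLM_AUTH_NT_RESPONSE = bytes.fromhex(
    "ff9d32e6c1679c7f27c071374f109360595818fb0202de96")


def parse_eap_mschapv2_response(pkt: bytes) -> dict:
    """Split an EAP-MSCHAPv2 Response packet into its fields."""
    if len(pkt) < 59:
        raise ValueError("packet too short for an MS-CHAPv2 response")
    code, eap_id, eap_type, opcode = pkt[0], pkt[1], pkt[4], pkt[5]
    if (code, eap_type, opcode) != (2, 26, 2):
        raise ValueError("not an EAP-MSCHAPv2 Response")
    if int.from_bytes(pkt[2:4], "big") != len(pkt) or pkt[9] != 49:
        raise ValueError("length fields do not match the packet")
    value = pkt[10:59]  # Peer-Challenge, Reserved, NT-Response, Flags
    return {"eap_id": eap_id, "peer_challenge": value[:16],
            "reserved": value[16:24], "nt_response": value[24:48],
            "flags": value[48], "name": pkt[59:]}


def challenge_hash(peer: bytes, authenticator: bytes, name: bytes) -> bytes:
    """RFC 2759 ChallengeHash: first 8 octets of SHA1(peer | auth | name)."""
    return hashlib.sha1(peer + authenticator + name).digest()[:8]


def check_log_consistency() -> dict:
    """Compare what the supplicant sent with what ntlm_auth was given."""
    f = parse_eap_mschapv2_response(EAP_MESSAGE)
    computed = challenge_hash(f["peer_challenge"], MS_CHAP_CHALLENGE, f["name"])
    return {"nt_response_matches": f["nt_response"] == NTLM_AUTH_NT_RESPONSE,
            "challenge_matches": computed == NTLM_AUTH_CHALLENGE,
            "name_has_realm": b"@" in f["name"]}


if __name__ == "__main__":
    print(check_log_consistency())
```

When both comparisons come back true, the supplicant's values reached `ntlm_auth` unchanged, which narrows the `0xc000006d` result to how the domain side evaluated them, including the realm-qualified name that `name_has_realm` reports.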
