In a nutshell:

I'm unable to get LEAP to properly authenticate a user with an NT-hashed
password - if I change the password in the database to cleartext, it works
fine.  My users are stored in an openLDAP database with their passwords
stored in two different attributes.  One password attribute is MD5 and the
other is NT-hashed.  As I understand it, the NT-hashed passwords should work
for LEAP:

<from the default radiusd.conf>

  # Cisco LEAP
  #
  #  Cisco LEAP uses the MS-CHAP algorithm (but not
  #  the MS-CHAP attributes) to perform it's authentication.
  #
  #  As a result, LEAP *requires* access to the plain-text
  #  User-Password, or the NT-Password attributes.
  #  'System' authentication is impossible with LEAP.
  #

I'm reading the "or the NT-Password attributes" to mean that the MS-CHAP
algorithm can take the password as either plain-text or NT-hashed.  Others
on this listserv have agreed with me on this.

Unfortunately, this hasn't worked for me yet.  If I change the 'ntpassword'
attribute of one of my LDAP-based users from '8846F7EAEE...' to 'password'
the LEAP connection works properly.  Alternatively, I can leave the
'ntpassword' attribute alone and enter '8846F7EAEE...' as the password from
the LEAP client.  This works too.  So the easy solution would be to just
change the password in our LDAP to clear-text, right?  Probably not a good
idea from a security standpoint...  So I really need to keep these passwords
the way they are - MD5 and NT-hashed.  The problem I'm having is telling the
LEAP/MS-CHAP modules to recognize that the password is NT-hashed and handle
it as such.

I've included a bunch of additional details below for those of you who have
an idea as to how I can resolve this.

Much thanks,

Bryan Woods
Pomona Unified School District
Pomona, California


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~
My setup is configured as such:

1.  server hardware:  quad p3 compaq proliant 5500
2.  server OS:  a slackware-based distro called LUISA from I-Silver
(www.isilver-inc.com).  The kernel is 2.4.21.
3.  freeRADIUS: version 0.9.1 compiled from source.  Relevant sections of
the config file:

RELEVANT SECTIONS OF radiusd.conf
==========================================
 .
 .
 .
modules {
        unix { ... }
        ldap {
                server = "127.0.0.1"
                basedn = "o=PUSD,c=US"
                filter = "(uid=%u)"
                start_tls = no
                dictionary_mapping = /usr/local/etc/raddb/ldap.attrmap
                password_attribute = ntpassword
                timeout = 4
                timelimit = 3
                net_timeout = 1
        }
#
        eap {
                default_eap_type = leap
                leap {
                }
        }
 .
 .
 .
authorize {
  ldap {
        notfound = return
  }
        preprocess
        files
        eap
}
 .
 .
 .

4.  Wireless AP:  Cisco Aironet 1200 running firmware 12.03T

5.  Client: ultimately, we need to use Macintosh iBooks with built-in
AirPort cards and running Mac OS 10.2.8.  I've also tested with a second
slackware-based server (fr 0.8.1) and a Win2k laptop with a Cisco Aironet
350 & Cisco client v5.01.001.


STARTUP OF FREERADIUS 0.9.1
==========================================
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/etc/raddb/port.conf
Config:   including file: /usr/local/etc/raddb/clients.conf
Config:   including file: /usr/local/etc/raddb/snmp.conf
 main: prefix = "/usr/local"
 main: localstatedir = "/usr/local/var"
 main: logdir = "/usr/local/var/log/radius"
 main: libdir = "/usr/local/lib"
 main: radacctdir = "/usr/local/var/log/radius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 1645
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/usr/local/var/log/radius/radius.log"
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/usr/local/var/run/radiusd.pid"
 main: user = "root"
 main: group = "root"
 main: usercollide = no
 main: lower_user = "yes"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/local/sbin/checkrad"
 main: proxy_requests = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
Using deprecated clients file.  Support for this will go away soon.
read_config_files:  reading realms
Using deprecated realms file.  Support for this will go away soon.
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded LDAP
 ldap: server = "127.0.0.1"
 ldap: port = 389
 ldap: net_timeout = 1
 ldap: timeout = 4
 ldap: timelimit = 3
 ldap: identity = ""
 ldap: start_tls = no
 ldap: password = ""
 ldap: basedn = "o=PUSD,c=US"
 ldap: filter = "(uid=%u)"
 ldap: default_profile = "(null)"
 ldap: profile_attribute = "(null)"
 ldap: password_header = "(null)"
 ldap: password_attribute = "ntpassword"
 ldap: access_attr = "(null)"
 ldap: groupname_attribute = "cn"
 ldap: groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
 ldap: groupmembership_attribute = "(null)"
 ldap: dictionary_mapping = "/usr/local/etc/raddb/ldap.attrmap"
 ldap: ldap_debug = 0
 ldap: ldap_connections_number = 5
 ldap: compare_check_items = no
 ldap: access_attr_used_for_allow = yes
conns: (nil)
rlm_ldap: reading ldap<->radius mappings from file /usr/local/etc/raddb/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntpassword mapped to RADIUS NT-Password
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
conns: 0x80fb030
Module: Instantiated ldap (ldap)
Module: Loaded eap
 eap: default_eap_type = "leap"
 eap: timer_expire = 60
rlm_eap: Loaded and initialized the type leap
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups"
 preprocess: hints = "/usr/local/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded files
 files: usersfile = "/usr/local/etc/raddb/users"
 files: acctusersfile = "/usr/local/etc/raddb/acct_users"
 files: preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"
 files: compat = "no"
Module: Instantiated files (files)
Module: Loaded realm
 realm: format = "suffix"
 realm: delimiter = "@"
Module: Instantiated realm (suffix)
Module: Loaded detail
 detail: detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail"
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded System
 unix: cache = no
 unix: passwd = "/etc/passwd"
 unix: shadow = "(null)"
 unix: group = "/etc/group"
 unix: radwtmp = "/usr/local/var/log/radius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded radutmp
 radutmp: filename = "/usr/local/var/log/radius/radutmp"
 radutmp: username = "%{User-Name}"
 radutmp: case_sensitive = yes
 radutmp: check_with_nas = yes
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on IP address *, ports 1645/udp and 1646/udp.
Ready to process requests.



Debug trace #1

=====================
[   linux client    ]
[   10.32.1.94      ]
=====================
    |
    |
    | /|
    |/ |
       |
       |
=====================
[ radius / ldap box ]
[   10.32.1.94      ]
=====================

1.  The linux client is running the same slackware distro as the server
(kernel 2.4.21).  The freeRADIUS packages are 0.8.1 (no radiusd server is
running on this box).

2.  The radius / ldap box (10.32.1.94) is the one described above.

3.  These systems are on two different IP subnets at two different campuses
(not that this should matter.)

The debug trace below shows radtest from the command prompt of the linux
client:

radtest leap_test password 10.32.1.94:1645 0 testing123

RADTEST FROM LINUX HOST 10.1.1.102
==========================================
rad_recv: Access-Request packet from host 10.1.1.102:32994, id=44, length=61
        User-Name = "leap_test"
        User-Password = "password"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0
modcall: entering group authorize
rlm_ldap: - authorize
rlm_ldap: performing user authorization for leap_test
radius_xlat:  '(uid=leap_test)'
radius_xlat:  'o=PUSD,c=US'
ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 127.0.0.1:389, authentication 0
rlm_ldap: bind as / to 127.0.0.1:389
rlm_ldap: waiting for bind result ...
rlm_ldap: performing search in o=PUSD,c=US, with filter (uid=leap_test)
rlm_ldap: Added password password in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding ntpassword as NT-Password, value password & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user leap_test authorized to use remote access
ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok
  modcall[authorize]: module "preprocess" returns ok
  modcall[authorize]: module "files" returns notfound
rlm_eap: EAP-Message not found
  modcall[authorize]: module "eap" returns noop
modcall: group authorize returns ok
  rad_check_password:  Found Auth-Type LDAP
auth: type "LDAP"
modcall: entering group authenticate
rlm_ldap: - authenticate
rlm_ldap: login attempt by "leap_test" with password "password"
rlm_ldap: user DN: uid=leap_test,ou=Fremont_MS-341,o=PUSD,c=US
rlm_ldap: (re)connect to 127.0.0.1:389, authentication 1
rlm_ldap: bind as uid=leap_test,ou=Fremont_MS-341,o=PUSD,c=US/password to 127.0.0.1:389
rlm_ldap: waiting for bind result ...
rlm_ldap: user leap_test authenticated succesfully
  modcall[authenticate]: module "ldap" returns ok
modcall: group authenticate returns ok
Sending Access-Accept of id 44 to 10.1.1.102:32994
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 44 with timestamp 3f954e03
Nothing to do.  Sleeping until we see a request.



Debug trace #2

=====================
[ macintosh client  ]
[   OS 10.2.8       ]
=====================
    |
    |
    | /|
    |/ |
       |
       |
=====================
[cisco aironet 1200 ]
[   10.32.3.253     ]
=====================
    |
    |
    | /|
    |/ |
       |
       |
=====================
[ radius / ldap box ]
[   10.32.1.94      ]
=====================

1.  The macintosh client is an iBook with a built-in airport card.  The
client is running Mac OS 10.2.8 with no special drivers or client software
installed... just the basic out-of-the-box OS.

2.  The Cisco AP _is_ configured properly to handle LEAP.  It points to the
radius / ldap box for its EAP authentication.

3.  The user that I'm authenticating is 'leap_test' with a password of
'password'.

4.  In the debug trace labeled 'WORKS' I have stuck the word 'password'
(clear-text) into the 'ntpassword' LDAP attribute for this user.  This is
the scenario that works, but is not what I want (remember, I need to store
the 'ntpassword' field as an NT-hash).

5.  The last section (labeled 'BREAKS'), shows what happens when I try to
authenticate from the macintosh client without sticking 'password'
(clear-text) into the 'ntpassword' LDAP attribute.  The password is left as
an NT-hash.


LEAP CONNECT FROM MACINTOSH OS 10.2.8 CLIENT - WORKS
==========================================
rad_recv: Access-Request packet from host 10.32.3.253:1060, id=30, length=158
        User-Name = "leap_test"
        Cisco-AVPair = "ssid=tsunami"
        NAS-IP-Address = 10.32.3.253
        Called-Station-Id = "000d653d6940"
        Calling-Station-Id = "0030650d5ce6"
        NAS-Identifier = "AP1200-3d6940"
        NAS-Port = 37
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Service-Type = Login-User
        EAP-Message = 0x0206000e016c6561705f74657374
        Message-Authenticator = 0x44fae6d7ae79fafe7ae10c9c7d9d6699
modcall: entering group authorize
rlm_ldap: - authorize
rlm_ldap: performing user authorization for leap_test
radius_xlat:  '(uid=leap_test)'
radius_xlat:  'o=PUSD,c=US'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=PUSD,c=US, with filter (uid=leap_test)
rlm_ldap: Added password password in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding ntpassword as NT-Password, value password & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user leap_test authorized to use remote access
ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok
  modcall[authorize]: module "preprocess" returns ok
  modcall[authorize]: module "files" returns notfound
  rlm_eap: EAP packet type notification id 6 length 14
  rlm_eap: EAP Start not found
  modcall[authorize]: module "eap" returns updated
modcall: group authorize returns updated
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate
  rlm_eap: EAP packet type notification id 6 length 14
  rlm_eap: EAP Start not found
  rlm_eap: EAP Identity
  rlm_eap: processing type leap
  rlm_eap_leap: Stage 2
  rlm_eap_leap: Issuing AP Challenge
  rlm_eap_leap: Successfully initiated
  modcall[authenticate]: module "eap" returns ok
modcall: group authenticate returns ok
Sending Access-Challenge of id 30 to 10.32.3.253:1060
        EAP-Message = 0x0107001911010008fdfdbec984675f256c6561705f74657374
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xe30b788838bcdea98a38151effe2bea5d24e953fce73df6dc5bafd78b56990fba65d073e
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.32.3.253:1061, id=31, length=223
        User-Name = "leap_test"
        Cisco-AVPair = "ssid=tsunami"
        NAS-IP-Address = 10.32.3.253
        Called-Station-Id = "000d653d6940"
        Calling-Station-Id = "0030650d5ce6"
        NAS-Identifier = "AP1200-3d6940"
        NAS-Port = 37
        Framed-MTU = 1400
        State = 0xe30b788838bcdea98a38151effe2bea5d24e953fce73df6dc5bafd78b56990fba65d073e
        NAS-Port-Type = Wireless-802.11
        Service-Type = Login-User
        EAP-Message = 0x020700291101001883de03d3747fb6b46ce0a748a66e6ee425360941d2fec40d6c6561705f74657374
        Message-Authenticator = 0xcc1cbc2b9a37d879e5553e7a350d07c0
modcall: entering group authorize
rlm_ldap: - authorize
rlm_ldap: performing user authorization for leap_test
radius_xlat:  '(uid=leap_test)'
radius_xlat:  'o=PUSD,c=US'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=PUSD,c=US, with filter (uid=leap_test)
rlm_ldap: Added password password in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding ntpassword as NT-Password, value password & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user leap_test authorized to use remote access
ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok
  modcall[authorize]: module "preprocess" returns ok
  modcall[authorize]: module "files" returns notfound
  rlm_eap: EAP packet type notification id 7 length 41
  rlm_eap: EAP Start not found
  modcall[authorize]: module "eap" returns updated
modcall: group authorize returns updated
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate
  rlm_eap: EAP packet type notification id 7 length 41
  rlm_eap: EAP Start not found
  rlm_eap: Request found, released from the list
  rlm_eap: EAP_TYPE - leap
  rlm_eap: processing type leap
  rlm_eap_leap: Stage 4
  rlm_eap_leap: NtChallengeResponse from AP is valid
  rlm_eap: Underlying EAP-Type set EAP ID to 8
  rlm_eap: Saving LEAP state
  modcall[authenticate]: module "eap" returns ok
modcall: group authenticate returns ok
Sending Access-Challenge of id 31 to 10.32.3.253:1061
        EAP-Message = 0x03080004
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xe30b788838bcdea98a38151effe2bea5d24e953fce73df6dc5bafd78b56990fba65d073e
Finished request 2
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.32.3.253:1062, id=32, length=207
        User-Name = "leap_test"
        Cisco-AVPair = "ssid=tsunami"
        NAS-IP-Address = 10.32.3.253
        Called-Station-Id = "000d653d6940"
        Calling-Station-Id = "0030650d5ce6"
        NAS-Identifier = "AP1200-3d6940"
        NAS-Port = 37
        Framed-MTU = 1400
        State = 0xe30b788838bcdea98a38151effe2bea5d24e953fce73df6dc5bafd78b56990fba65d073e
        NAS-Port-Type = Wireless-802.11
        Service-Type = Login-User
        EAP-Message = 0x0108001911010008ce89432ec37c89fe6c6561705f74657374
        Message-Authenticator = 0x98d6712b4271076d212f901fdc700fa9
modcall: entering group authorize
rlm_ldap: - authorize
rlm_ldap: performing user authorization for leap_test
radius_xlat:  '(uid=leap_test)'
radius_xlat:  'o=PUSD,c=US'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=PUSD,c=US, with filter (uid=leap_test)
rlm_ldap: Added password password in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding ntpassword as NT-Password, value password & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user leap_test authorized to use remote access
ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok
  modcall[authorize]: module "preprocess" returns ok
  modcall[authorize]: module "files" returns notfound
  rlm_eap: EAP packet type identity id 8 length 25
  rlm_eap: EAP Start not found
  modcall[authorize]: module "eap" returns updated
modcall: group authorize returns updated
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate
  rlm_eap: EAP packet type identity id 8 length 25
  rlm_eap: EAP Start not found
  rlm_eap: Request found, released from the list
  rlm_eap: EAP_TYPE - leap
  rlm_eap: processing type leap
  rlm_eap_leap: Stage 6
  rlm_eap: Freeing handler
  modcall[authenticate]: module "eap" returns ok
modcall: group authenticate returns ok
Sending Access-Accept of id 32 to 10.32.3.253:1062
        Cisco-AVPair +=
"leap:session-key=\206m\312\332\033"\035\271Z\nD\014\244\262k\275\001\207\\P
\311p\223]\352\271hN\031\3055\375\351A"
        EAP-Message = 0x0209002911010018f249dd69ba2c27ac7cc2fdf7f92e1dbbc460ccaaba2b08696c6561705f74657374
        Message-Authenticator = 0x00000000000000000000000000000000
Finished request 3
Going to the next request
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 1 ID 30 with timestamp 3f954ed2
Cleaning up request 2 ID 31 with timestamp 3f954ed2
Cleaning up request 3 ID 32 with timestamp 3f954ed2
Nothing to do.  Sleeping until we see a request.


LEAP CONNECT FROM MACINTOSH OS 10.2.8 CLIENT - BREAKS
==========================================
rad_recv: Access-Request packet from host 10.32.3.253:1064, id=34, length=223
        User-Name = "leap_test"
        Cisco-AVPair = "ssid=tsunami"
        NAS-IP-Address = 10.32.3.253
        Called-Station-Id = "000d653d6940"
        Calling-Station-Id = "0030650d5ce6"
        NAS-Identifier = "AP1200-3d6940"
        NAS-Port = 37
        Framed-MTU = 1400
        State = 0xe30b788838bcdea98a38151effe2bea5fb5f953fd3d1c2ff602662ec05e89b80ec1c3355
        NAS-Port-Type = Wireless-802.11
        Service-Type = Login-User
        EAP-Message = 0x020300291101001883de03d3747fb6b46ce0a748a66e6ee425360941d2fec40d6c6561705f74657374
        Message-Authenticator = 0x7341090922e2e21d8f59bf04760a80e6
modcall: entering group authorize
rlm_ldap: - authorize
rlm_ldap: performing user authorization for leap_test
radius_xlat:  '(uid=leap_test)'
radius_xlat:  'o=PUSD,c=US'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=PUSD,c=US, with filter (uid=leap_test)
rlm_ldap: Added password 8846F7EAEE8FB117AD06BDD830B7586C in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding ntpassword as NT-Password, value 8846F7EAEE8FB117AD06BDD830B7586C & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user leap_test authorized to use remote access
ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok
  modcall[authorize]: module "preprocess" returns ok
  modcall[authorize]: module "files" returns notfound
  rlm_eap: EAP packet type notification id 3 length 41
  rlm_eap: EAP Start not found
  modcall[authorize]: module "eap" returns updated
modcall: group authorize returns updated
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate
  rlm_eap: EAP packet type notification id 3 length 41
  rlm_eap: EAP Start not found
  rlm_eap: Request found, released from the list
  rlm_eap: EAP_TYPE - leap
  rlm_eap: processing type leap
  rlm_eap_leap: Stage 4
  rlm_eap_leap: FAILED incorrect NtChallengeResponse from AP
  modcall[authenticate]: module "eap" returns invalid
modcall: group authenticate returns invalid
auth: Failed to validate the user.
Sending Access-Reject of id 34 to 10.32.3.253:1064
        EAP-Message = 0x04030004
        Message-Authenticator = 0x00000000000000000000000000000000
Finished request 1
Going to the next request
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 33 with timestamp 3f955ffb
Cleaning up request 1 ID 34 with timestamp 3f955ffb
Nothing to do.  Sleeping until we see a request.
