Thanks again Allan,
As instructed, I tried changing:
test Auth-Type = Local, Password = "testing"
In my users file to:
test User-Password == "testing", MS-CHAP-Use-NTLM-Auth = No
Unfortunately it didn't work. Users who exist in the Active Directory
backend are still properly authenticated, but local users are rejected.
Here is a radtest output:
houston:/etc/raddb # radtest test testing localhost 43.191.112.164 SECRET
Sending Access-Request of id 128 to 127.0.0.1:1812
User-Name = "test"
User-Password = "testing"
NAS-IP-Address = houston
NAS-Port = 43
Re-sending Access-Request of id 128 to 127.0.0.1:1812
User-Name = "test"
User-Password = "\t\333=\037\212\340M_{\264\rU\263\203n\024"
NAS-IP-Address = houston
NAS-Port = 43
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=128, length=20
Debug output from auth attempt using mschap client at bottom of message:
-----Original Message-----
From: Alan DeKok [mailto:[EMAIL PROTECTED]
Sent: Friday, February 04, 2005 11:00 AM
To: [email protected]
Subject: Re: MSCHAP V2 local
"DeYoung, Brandon" <[EMAIL PROTECTED]> wrote:
> I've tried this and a few other things in the users file.
> test Auth-Type = Local, Password = "testing"
Don't set Auth-Type.
> Authentication against the AD backend works from my clients with mschap v2.
> But my local users still don't work when sent through mschap.
Because the mschap module is calling ntlm_auth.
> Exec-Program: /usr/bin/ntlm_auth --request-nt-key --domain=AM
> --username=test --challenge=4cd9c1a15948bb64
> --nt-response=0f8afe37aac4a6d8c1f42aae8f2c4582f90e8f33e07877cd
> Exec-Program output: Account locked out (0xc0000234)
> Exec-Program-Wait: plaintext: Account locked out (0xc0000234)
> Exec-Program: returned: 1
> rlm_mschap: External script failed.
Hmm... looking at the module source, it could be a little more
forgiving.
In the meantime, try:
#---
test User-Password == "testing", MS-CHAP-Use-NTLM-Auth = No
#---
Alan DeKok.
rad_recv: Access-Request packet from host 43.191.112.162:1979, id=65,
length=146
User-Name = "test"
Cisco-AVPair = "ssid=sdb5-3"
NAS-IP-Address = 43.191.112.162
Called-Station-Id = "00409641c15f"
Calling-Station-Id = "000d28d00217"
NAS-Identifier = "AP350-41c15f"
NAS-Port = 40
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Service-Type = Login-User
EAP-Message = 0x020200090174657374
Message-Authenticator = 0x19f06c74c00e54e8f3af694162b0163e
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "test", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
rlm_realm: No '\' in User-Name = "test", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "ntdomain" returns noop for request 0
rlm_eap: EAP packet type response id 2 length 9
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 0
modcall[authorize]: module "files" returns notfound for request 0
modcall: group authorize returns updated for request 0
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
modcall[authenticate]: module "eap" returns handled for request 0
modcall: group authenticate returns handled for request 0
Sending Access-Challenge of id 65 to 43.191.112.162:1979
EAP-Message = 0x010300061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa2890794a2292655f8bce466af2510a9
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 43.191.112.162:1980, id=66,
length=235
User-Name = "test"
Cisco-AVPair = "ssid=sdb5-3"
NAS-IP-Address = 43.191.112.162
Called-Station-Id = "00409641c15f"
Calling-Station-Id = "000d28d00217"
NAS-Identifier = "AP350-41c15f"
NAS-Port = 40
Framed-MTU = 1400
State = 0xa2890794a2292655f8bce466af2510a9
NAS-Port-Type = Wireless-802.11
Service-Type = Login-User
EAP-Message =
0x0203005019800000004616030100410100003d03014207dbdc7c9bd2370564fe9ce888d5d1
89066284fff49ae679837a07dfb7295500001600040005000a00090064006200030006001300
1200630100
Message-Authenticator = 0x8efa6ecb8cede9d4050eee367d1f3bf5
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
modcall[authorize]: module "preprocess" returns ok for request 1
modcall[authorize]: module "chap" returns noop for request 1
modcall[authorize]: module "mschap" returns noop for request 1
rlm_realm: No '@' in User-Name = "test", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 1
rlm_realm: No '\' in User-Name = "test", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "ntdomain" returns noop for request 1
rlm_eap: EAP packet type response id 3 length 80
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 1
modcall[authorize]: module "files" returns notfound for request 1
modcall: group authorize returns updated for request 1
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
eaptls_verify returned 11
(other): before/accept initialization
TLS_accept: before/accept initialization
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello
TLS_accept: SSLv3 read client hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
TLS_accept: SSLv3 write server hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0637], Certificate
TLS_accept: SSLv3 write certificate A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
TLS_accept: SSLv3 write server done A
TLS_accept: SSLv3 flush data
TLS_accept:error in SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
modcall[authenticate]: module "eap" returns handled for request 1
modcall: group authenticate returns handled for request 1
Sending Access-Challenge of id 66 to 43.191.112.162:1980
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xfb90e1de0b707c58e621ae8f887e37c1
Finished request 1
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 43.191.112.162:1981, id=67,
length=161
User-Name = "test"
Cisco-AVPair = "ssid=sdb5-3"
NAS-IP-Address = 43.191.112.162
Called-Station-Id = "00409641c15f"
Calling-Station-Id = "000d28d00217"
NAS-Identifier = "AP350-41c15f"
NAS-Port = 40
Framed-MTU = 1400
State = 0xfb90e1de0b707c58e621ae8f887e37c1
NAS-Port-Type = Wireless-802.11
Service-Type = Login-User
EAP-Message = 0x020400061900
Message-Authenticator = 0x9c62edf339e55a1d50ff6742423ea1cf
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
modcall[authorize]: module "preprocess" returns ok for request 2
modcall[authorize]: module "chap" returns noop for request 2
modcall[authorize]: module "mschap" returns noop for request 2
rlm_realm: No '@' in User-Name = "test", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 2
rlm_realm: No '\' in User-Name = "test", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "ntdomain" returns noop for request 2
rlm_eap: EAP packet type response id 4 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 2
modcall[authorize]: module "files" returns notfound for request 2
modcall: group authorize returns updated for request 2
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake fragment handler
eaptls_verify returned 1
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
modcall[authenticate]: module "eap" returns handled for request 2
modcall: group authenticate returns handled for request 2
Sending Access-Challenge of id 67 to 43.191.112.162:1981
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x584c7a06fdd77680d9e370be8c53cb21
Finished request 2
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 43.191.112.162:1982, id=68,
length=347
User-Name = "test"
Cisco-AVPair = "ssid=sdb5-3"
NAS-IP-Address = 43.191.112.162
Called-Station-Id = "00409641c15f"
Calling-Station-Id = "000d28d00217"
NAS-Identifier = "AP350-41c15f"
NAS-Port = 40
Framed-MTU = 1400
State = 0x584c7a06fdd77680d9e370be8c53cb21
NAS-Port-Type = Wireless-802.11
Service-Type = Login-User
EAP-Message =
0x020500c01980000000b616030100861000008200805e7312f341414182501e734887abd487
f6492b6a955017f8e0e9ced96233b80638a132ab78588e0f3482ce3bc6c6067d9ca6bc0432d4
6601dae6485e70b9c820a6427cf45114a662214b9da8aa72faaf67551658c534d9f0e8d41b33
c37cda61181d1d16a83b957fe3414c8fb2d2bfac4b14f890a20345cbdb2f68e30045b5211403
01000101160301002058c912fc735ae3124f49fe8fdae719deb321979ffd6b9bcaa9b8cd0b45
2fb0f5
Message-Authenticator = 0x98b895907f709fe26684007a4f41d887
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 3
modcall[authorize]: module "preprocess" returns ok for request 3
modcall[authorize]: module "chap" returns noop for request 3
modcall[authorize]: module "mschap" returns noop for request 3
rlm_realm: No '@' in User-Name = "test", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 3
rlm_realm: No '\' in User-Name = "test", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "ntdomain" returns noop for request 3
rlm_eap: EAP packet type response id 5 length 192
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 3
modcall[authorize]: module "files" returns notfound for request 3
modcall: group authorize returns updated for request 3
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 3
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
eaptls_verify returned 11
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
TLS_accept: SSLv3 read client key exchange A
rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 read finished A
rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001]
TLS_accept: SSLv3 write change cipher spec A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 write finished A
TLS_accept: SSLv3 flush data
(other): SSL negotiation finished successfully
SSL Connection Established
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
modcall[authenticate]: module "eap" returns handled for request 3
modcall: group authenticate returns handled for request 3
Sending Access-Challenge of id 68 to 43.191.112.162:1982
EAP-Message =
0x0106003119001403010001011603010020e14df3f29bc37c49ade69b195ee5fe35204a7988
5da87005cca23727bec4c2c3
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x95e558bf10568d55c821f2b1f05f1734
Finished request 3
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 43.191.112.162:1983, id=69,
length=161
User-Name = "test"
Cisco-AVPair = "ssid=sdb5-3"
NAS-IP-Address = 43.191.112.162
Called-Station-Id = "00409641c15f"
Calling-Station-Id = "000d28d00217"
NAS-Identifier = "AP350-41c15f"
NAS-Port = 40
Framed-MTU = 1400
State = 0x95e558bf10568d55c821f2b1f05f1734
NAS-Port-Type = Wireless-802.11
Service-Type = Login-User
EAP-Message = 0x020600061900
Message-Authenticator = 0x16c3c46aac59973c44622ddf568b68fd
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
modcall[authorize]: module "preprocess" returns ok for request 4
modcall[authorize]: module "chap" returns noop for request 4
modcall[authorize]: module "mschap" returns noop for request 4
rlm_realm: No '@' in User-Name = "test", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 4
rlm_realm: No '\' in User-Name = "test", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "ntdomain" returns noop for request 4
rlm_eap: EAP packet type response id 6 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 4
modcall[authorize]: module "files" returns notfound for request 4
modcall: group authorize returns updated for request 4
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 4
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake is finished
eaptls_verify returned 3
eaptls_process returned 3
rlm_eap_peap: EAPTLS_SUCCESS
modcall[authenticate]: module "eap" returns handled for request 4
modcall: group authenticate returns handled for request 4
Sending Access-Challenge of id 69 to 43.191.112.162:1983
EAP-Message =
0x01070020190017030100159d0fae58fab37a48569ffd1cb131c2f82a943fdaf2
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x80e451161f163716381f2be14f8b7beb
Finished request 4
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 43.191.112.162:1984, id=70,
length=187
User-Name = "test"
Cisco-AVPair = "ssid=sdb5-3"
NAS-IP-Address = 43.191.112.162
Called-Station-Id = "00409641c15f"
Calling-Station-Id = "000d28d00217"
NAS-Identifier = "AP350-41c15f"
NAS-Port = 40
Framed-MTU = 1400
State = 0x80e451161f163716381f2be14f8b7beb
NAS-Port-Type = Wireless-802.11
Service-Type = Login-User
EAP-Message =
0x0207002019001703010015ca1b5180a627a52e494b5a928968495d123c53bd67
Message-Authenticator = 0xfd9f6421c13b5929ce65c90406a5bbf7
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
modcall[authorize]: module "preprocess" returns ok for request 5
modcall[authorize]: module "chap" returns noop for request 5
modcall[authorize]: module "mschap" returns noop for request 5
rlm_realm: No '@' in User-Name = "test", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 5
rlm_realm: No '\' in User-Name = "test", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "ntdomain" returns noop for request 5
rlm_eap: EAP packet type response id 7 length 32
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 5
modcall[authorize]: module "files" returns notfound for request 5
modcall: group authorize returns updated for request 5
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 5
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: Identity - test
rlm_eap_peap: Tunneled data is valid.
PEAP: Got tunneled identity of test
PEAP: Setting default EAP type for tunneled EAP session.
PEAP: Setting User-Name to test
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
modcall[authorize]: module "preprocess" returns ok for request 5
modcall[authorize]: module "chap" returns noop for request 5
modcall[authorize]: module "mschap" returns noop for request 5
rlm_realm: No '@' in User-Name = "test", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 5
rlm_realm: No '\' in User-Name = "test", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "ntdomain" returns noop for request 5
rlm_eap: EAP packet type response id 7 length 9
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 5
modcall[authorize]: module "files" returns notfound for request 5
modcall: group authorize returns updated for request 5
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 5
rlm_eap: EAP Identity
rlm_eap: processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
modcall[authenticate]: module "eap" returns handled for request 5
modcall: group authenticate returns handled for request 5
PEAP: Got tunneled Access-Challenge
modcall[authenticate]: module "eap" returns handled for request 5
modcall: group authenticate returns handled for request 5
Sending Access-Challenge of id 70 to 43.191.112.162:1984
EAP-Message =
0x010800351900170301002a9e5f48864d2b3af13a3d97d61ae7dda5a437faa67efbea825777
a1a47972ccdd96f89824157c56a4a042
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x840ea3fb971fae7268375407f5dacb87
Finished request 5
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 43.191.112.162:1985, id=71,
length=241
User-Name = "test"
Cisco-AVPair = "ssid=sdb5-3"
NAS-IP-Address = 43.191.112.162
Called-Station-Id = "00409641c15f"
Calling-Station-Id = "000d28d00217"
NAS-Identifier = "AP350-41c15f"
NAS-Port = 40
Framed-MTU = 1400
State = 0x840ea3fb971fae7268375407f5dacb87
NAS-Port-Type = Wireless-802.11
Service-Type = Login-User
EAP-Message =
0x020800561900170301004b9b4f0ae40d1e1e015dd76a577c6e09839606d3544853bcf57065
2c60813e413baf68443a44ba98469aeccf1bec53d070c1b665e9cec1c7b62129fdc8738add4c
af6085b1307e6bb6aa296d
Message-Authenticator = 0x0a39135aa8c5f3cfd285cb624fcaf4e0
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 6
modcall[authorize]: module "preprocess" returns ok for request 6
modcall[authorize]: module "chap" returns noop for request 6
modcall[authorize]: module "mschap" returns noop for request 6
rlm_realm: No '@' in User-Name = "test", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 6
rlm_realm: No '\' in User-Name = "test", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "ntdomain" returns noop for request 6
rlm_eap: EAP packet type response id 8 length 86
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 6
modcall[authorize]: module "files" returns notfound for request 6
modcall: group authorize returns updated for request 6
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: EAP type mschapv2
rlm_eap_peap: Tunneled data is valid.
PEAP: Setting User-Name to test
PEAP: Adding old state with 7f 7f
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 6
modcall[authorize]: module "preprocess" returns ok for request 6
modcall[authorize]: module "chap" returns noop for request 6
modcall[authorize]: module "mschap" returns noop for request 6
rlm_realm: No '@' in User-Name = "test", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 6
rlm_realm: No '\' in User-Name = "test", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "ntdomain" returns noop for request 6
rlm_eap: EAP packet type response id 8 length 63
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 6
modcall[authorize]: module "files" returns notfound for request 6
modcall: group authorize returns updated for request 6
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
rlm_eap: Request found, released from the list
rlm_eap: EAP/mschapv2
rlm_eap: processing type mschapv2
Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 6
rlm_mschap: No User-Password configured. Cannot create LM-Password.
rlm_mschap: No User-Password configured. Cannot create NT-Password.
rlm_mschap: Told to do MS-CHAPv2 for test with NT-Password
radius_xlat: Running registered xlat function of module mschap for string
'Challenge'
mschap2: 54
radius_xlat: Running registered xlat function of module mschap for string
'NT-Response'
radius_xlat: '/usr/bin/ntlm_auth --request-nt-key --domain=AM
--username=test --challenge=3bd0073085e4d775
--nt-response=234cecc51ec8ddd4d97b6001868b761e236c27b874cf71fc'
Exec-Program: /usr/bin/ntlm_auth --request-nt-key --domain=AM
--username=test --challenge=3bd0073085e4d775
--nt-response=234cecc51ec8ddd4d97b6001868b761e236c27b874cf71fc
Exec-Program output: Account locked out (0xc0000234)
Exec-Program-Wait: plaintext: Account locked out (0xc0000234)
Exec-Program: returned: 1
rlm_mschap: External script failed.
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
modcall[authenticate]: module "mschap" returns reject for request 6
modcall: group Auth-Type returns reject for request 6
rlm_eap: Freeing handler
modcall[authenticate]: module "eap" returns reject for request 6
modcall: group authenticate returns reject for request 6
auth: Failed to validate the user.
PEAP: Tunneled authentication was rejected.
rlm_eap_peap: FAILURE
modcall[authenticate]: module "eap" returns handled for request 6
modcall: group authenticate returns handled for request 6
Sending Access-Challenge of id 71 to 43.191.112.162:1985
EAP-Message =
0x010900261900170301001b87fe3c9b3b80cafcfb98754097b46ddc8ee714aea2de062722a3
76
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x828c8674f3a7a7370a5da70ff10a6fae
Finished request 6
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 43.191.112.162:1986, id=72,
length=193
User-Name = "test"
Cisco-AVPair = "ssid=sdb5-3"
NAS-IP-Address = 43.191.112.162
Called-Station-Id = "00409641c15f"
Calling-Station-Id = "000d28d00217"
NAS-Identifier = "AP350-41c15f"
NAS-Port = 40
Framed-MTU = 1400
State = 0x828c8674f3a7a7370a5da70ff10a6fae
NAS-Port-Type = Wireless-802.11
Service-Type = Login-User
EAP-Message =
0x020900261900170301001b22ad96a51e593df191149f4daa19e18c5e3a72b0b79a2f84ad7c
9f
Message-Authenticator = 0xa63aa331f7c4b6f94416660666c6f6bd
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 7
modcall[authorize]: module "preprocess" returns ok for request 7
modcall[authorize]: module "chap" returns noop for request 7
modcall[authorize]: module "mschap" returns noop for request 7
rlm_realm: No '@' in User-Name = "test", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 7
rlm_realm: No '\' in User-Name = "test", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "ntdomain" returns noop for request 7
rlm_eap: EAP packet type response id 9 length 38
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 7
modcall[authorize]: module "files" returns notfound for request 7
modcall: group authorize returns updated for request 7
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 7
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: Received EAP-TLV response.
rlm_eap_peap: Tunneled data is valid.
rlm_eap_peap: Had sent TLV failure, rejecting.
rlm_eap: Handler failed in EAP/peap
rlm_eap: Failed in EAP select
modcall[authenticate]: module "eap" returns invalid for request 7
modcall: group authenticate returns invalid for request 7
auth: Failed to validate the user.
Delaying request 7 for 1 seconds
Finished request 7
Going to the next request
Waking up in 6 seconds...
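
Added example (not part of the original thread and not FreeRADIUS code): a small triage script for radiusd debug output like the log above. For each request it reports what the "files" module returned in authorize, whether rlm_mschap ran ntlm_auth, and the NT status that came back. The function names and the sample log are assumptions made for this illustration.

```python
import re

# Constructed sample: request 6 is abridged from the debug output above (the
# challenge/response values are placeholders); request 7 is invented for contrast.
SAMPLE_LOG = '''\
modcall[authorize]: module "mschap" returns noop for request 6
modcall[authorize]: module "files" returns notfound for request 6
rad_check_password: Found Auth-Type EAP
rlm_eap: processing type mschapv2
rlm_mschap: No User-Password configured. Cannot create NT-Password.
Exec-Program: /usr/bin/ntlm_auth --request-nt-key --domain=AM
--username=test --challenge=PLACEHOLDER
--nt-response=PLACEHOLDER
Exec-Program output: Account locked out (0xc0000234)
Exec-Program: returned: 1
rlm_mschap: External script failed.
modcall[authenticate]: module "mschap" returns reject for request 6
Finished request 6
modcall[authorize]: module "files" returns ok for request 7
modcall[authenticate]: module "mschap" returns ok for request 7
Finished request 7
'''

MODCALL = re.compile(r'modcall\[(\w+)\]: module "([^"]+)" returns (\w+) for request (\d+)')
FINISHED = re.compile(r'Finished request (\d+)')
NT_STATUS = re.compile(r'Exec-Program output: (.*?)\s*\((0x[0-9a-fA-F]{8})\)')


def split_requests(log_text):
    """Yield (request_id, lines); 'Finished request N' closes each group.

    Most debug lines carry no request number, so they are attributed to the
    request whose 'Finished' marker follows them.
    """
    buf = []
    for line in log_text.splitlines():
        buf.append(line.strip())
        m = FINISHED.search(line)
        if m:
            yield int(m.group(1)), buf
            buf = []


def triage_request(req_id, lines):
    """Collect the facts that explain an MS-CHAP decision for one request."""
    info = {"request": req_id, "files": set(), "ntlm_auth": False,
            "nt_status": None, "nt_message": None,
            "no_local_password": False, "mschap_result": None}
    for line in lines:
        m = MODCALL.search(line)
        if m:
            section, module, result, _ = m.groups()
            if section == "authorize" and module == "files":
                info["files"].add(result)
            elif section == "authenticate" and module == "mschap":
                info["mschap_result"] = result
            continue
        if line.startswith("rlm_mschap: No User-Password configured"):
            info["no_local_password"] = True
        elif line.startswith("Exec-Program:") and "ntlm_auth" in line:
            info["ntlm_auth"] = True
        else:
            m = NT_STATUS.search(line)
            if m:
                info["nt_message"], info["nt_status"] = m.group(1), m.group(2)
    info["files"] = sorted(info["files"])
    return info


def findings(info):
    """Turn the collected facts into short statements for a rejected request."""
    out = []
    if info["mschap_result"] != "reject":
        return out
    if info["files"] == ["notfound"]:
        out.append("files returned notfound in authorize: no users entry matched")
    if info["no_local_password"]:
        out.append("rlm_mschap had no local User-Password to work with")
    if info["ntlm_auth"]:
        out.append("rlm_mschap ran ntlm_auth, which answered %s (%s)"
                   % (info["nt_status"], info["nt_message"]))
    return out


def triage(log_text):
    return [triage_request(rid, lines) for rid, lines in split_requests(log_text)]


if __name__ == "__main__":
    for info in triage(SAMPLE_LOG):
        print("request", info["request"], "->", findings(info) or "nothing to flag")
```
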