In follow-up to 'FreeRadius 2.0.3 setup help' on Jul 27: we have tested using both the certificate creation scripts and WinCA-signed certificates, with the same result of an Access-Challenge. We have tested with both a Windows XP and a Linux client, again with the same result. We are using Cisco switches. What am I missing? We have provided the debug output and the radius.conf and eap.conf files.
FreeRADIUS Version 2.0.5, for host i386-redhat-linux-gnu, built on Jul 30 2008 at 10:41:14 Copyright (C) 1999-2008 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /etc/raddb/radiusd.conf including configuration file /etc/raddb/proxy.conf including configuration file /etc/raddb/clients.conf including configuration file /etc/raddb/snmp.conf including configuration file /etc/raddb/eap.conf including configuration file /etc/raddb/policy.conf including files in directory /etc/raddb/sites-enabled/ including configuration file /etc/raddb/sites-enabled/inner-tunnel including configuration file /etc/raddb/sites-enabled/default group = root user = root including dictionary file /etc/raddb/dictionary main { prefix = "/usr" localstatedir = "/var" logdir = "/var/log/radius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 allow_core_dumps = no pidfile = "/var/run/radiusd/radiusd.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no } } client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" nastype = "other" } client 10.0.1.9 { require_message_authenticator = no secret = "c3750test" shortname = "switch-man-lan" nastype = "cisco" } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth+acct" secret = "testing123" response_window = 20 max_outstanding = 65536 zombie_period = 40 status_check = "status-server" ping_check = 
"none" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm ads.****.org { authhost = LOCAL accthost = LOCAL } realm **** { authhost = LOCAL accthost = LOCAL } realm LOCAL { } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating exec exec { wait = yes input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating expr Module: Linked to module rlm_expiration Module: Instantiating expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server inner-tunnel { modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating chap Module: Linked to module rlm_mschap Module: Instantiating mschap mschap { use_mppe = no require_encryption = yes require_strong = no with_ntdomain_hack = yes ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=**** --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" } Module: Linked to module rlm_unix Module: Instantiating unix unix { radwtmp = "/var/log/radius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating eap eap { default_eap_type = "peap" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no } Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to 
sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 pem_file_type = yes private_key_file = "/etc/raddb/certs/server.pem" certificate_file = "/etc/raddb/certs/server.pem" CA_file = "/etc/raddb/certs/ca.pem" private_key_password = "cnsradius" dh_file = "/etc/raddb/certs/dh" random_file = "/etc/raddb/certs/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "gtc" copy_request_to_tunnel = yes use_tunneled_reply = no virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_realm Module: Instantiating suffix realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating files files { usersfile = "/etc/raddb/users" acctusersfile = "/etc/raddb/acct_users" preproxy_usersfile = "/etc/raddb/preproxy_users" compat = "no" } Module: Linked to module rlm_ldap Module: Instantiating ldap ldap { server = "cnsad.ads.****.org" port = 3268 password = "3MFmqw_6f" identity = "[EMAIL PROTECTED]" net_timeout = 1 timeout = 4 timelimit = 3 tls_mode = no start_tls = no tls_require_cert = "allow" tls { start_tls = no require_cert = "allow" } basedn = "dc=ads,dc=****,dc=org" filter = "(&(samaccountName=%{mschap:User-Name}))" base_filter = "(objectclass=radiusprofile)" auto_header = no access_attr_used_for_allow = yes groupname_attribute = "cn" groupmembership_filter 
= "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=Gr oupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" groupmembership_attribute = "memberOf" dictionary_mapping = "/etc/raddb/ldap.attrmap" ldap_debug = 0 ldap_connections_number = 5 compare_check_items = no do_xlat = yes set_auth_type = yes } rlm_ldap: Registering ldap_groupcmp for Ldap-Group rlm_ldap: Registering ldap_xlat with xlat_name ldap rlm_ldap: Over-riding set_auth_type, as there is no module ldap listed in the "authenticate" section. rlm_ldap: reading ldap<->radius mappings from file /etc/raddb/ldap.attrmap rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS 
Framed-Compression rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network rlm_ldap: LDAP radiusClass mapped to RADIUS Class rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message conns: 0x9b846b0 Module: Checking session {...} for more modules to load Module: Linked to module rlm_radutmp Module: Instantiating radutmp radutmp { filename = "/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Linked to module rlm_attr_filter Module: Instantiating attr_filter.access_reject attr_filter attr_filter.access_reject { attrsfile = "/etc/raddb/attrs.access_reject" key = "%{User-Name}" } } } server { modules { Module: Checking authenticate {...} for more modules to load 
Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating preprocess preprocess { huntgroups = "/etc/raddb/huntgroups" hints = "/etc/raddb/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating detail detail { detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Instantiating attr_filter.accounting_response attr_filter attr_filter.accounting_response { attrsfile = "/etc/raddb/attrs.accounting_response" key = "%{User-Name}" } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } } radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } main { snmp = no smux_password = "" snmp_write_access = no } Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on proxy address * port 1814 Ready to process requests. 
rad_recv: Access-Request packet from host 10.0.1.9 port 1645, id=143, length=135 User-Name = "bradbrookc" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "00-13-19-EE-6F-03" Calling-Station-Id = "00-12-3F-7F-5C-04" EAP-Message = 0x028a000f016272616462726f6f6b63 Message-Authenticator = 0xb0b894efc68bbcc34ff27f2d91c75d2b NAS-Port-Type = Ethernet NAS-Port = 50103 NAS-IP-Address = 10.0.1.9 +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "bradbrookc", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 138 length 15 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound rlm_ldap: Entering ldap_groupcmp() expand: dc=ads,dc=****,dc=org -> dc=ads,dc=****,dc=org expand: (&(samaccountName=%{mschap:User-Name})) -> (&(samaccountName=bradbrookc)) rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to cnsad.ads.****.org:3268, authentication 0 rlm_ldap: bind as [EMAIL PROTECTED]/3MFmqw_6f to cnsad.ads.****.org:3268 rlm_ldap: waiting for bind result ... 
rlm_ldap: Bind was successful rlm_ldap: performing search in dc=ads,dc=****,dc=org, with filter (&(samaccountName=bradbrookc)) rlm_ldap: ldap_release_conn: Release Id: 0 expand: (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=Gro upOfUniqueNames)(uniquemember=%{Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueName s)(uniquemember=))) rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=ads,dc=****,dc=org, with filter (&(cn=RCNS-Group)(|(&(objectClass=GroupOfNames)(member=))(&(objectClass= GroupOfUniqueNames)(uniquemember=)))) rlm_ldap: object not found or got ambiguous search result rlm_ldap: ldap_release_conn: Release Id: 0 rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in CN=Bradbrooke\, Charles,OU=CNS,OU=SupportGrp,DC=ads,DC=****,DC=org, with filter (objectclass=*) rlm_ldap: performing search in CN=RCNS-Group,OU=CNS,OU=SupportGrp,DC=ads,DC=****,DC=org, with filter (cn=RCNS-Group) rlm_ldap::ldap_groupcmp: User found in group RCNS-Group rlm_ldap: ldap_release_conn: Release Id: 0 users: Matched entry DEFAULT at line 203 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 143 to 10.0.1.9 port 1645 Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Type:0 = VLAN Tunnel-Private-Group-Id:0 = "254" EAP-Message = 0x018b00061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x5cf8051f5c731c7cb75d3413cdb392a6 Finished request 0. Going to the next request Waking up in 4.9 seconds. 
rad_recv: Access-Request packet from host 10.0.1.9 port 1645, id=144, length=231 User-Name = "bradbrookc" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "00-13-19-EE-6F-03" Calling-Station-Id = "00-12-3F-7F-5C-04" EAP-Message = 0x028b005d190016030100520100004e030148a43cc9f896abde9b7d71450c10c37c2be3 0121f136d9348559c14ecffb0ed600002600390038003500160013000a00330032002f00 05000400150012000900140011000800060003020100 Message-Authenticator = 0xbe78ac8d63ad8a6efb21e2118aad45c7 NAS-Port-Type = Ethernet NAS-Port = 50103 State = 0x5cf8051f5c731c7cb75d3413cdb392a6 NAS-IP-Address = 10.0.1.9 +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "bradbrookc", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 139 length 93 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 0052], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 081f], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange TLS_accept: SSLv3 write key exchange A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone TLS_accept: SSLv3 write server done A TLS_accept: SSLv3 flush data TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 
rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 144 to 10.0.1.9 port 1645 EAP-Message = 0x018c040019c000000a8e160301004a02000046030148a43caa449ef77ad477974fbe9b 7b860df9b8e0fbd2b2c5cbd1f00dfa86a30720f5f9c4c259241c6687264f0fafe922821d 99a377f1d49093dfab4d669132e8e7003901160301081f0b00081b00081800038e308203 8a30820272a003020102020101300d06092a864886f70d0101040500308186310b300906 0355040613024341310b30090603550408130241423111300f0603550407130845646d6f 6e746f6e310d300b060355040a13044e494e543120301e06092a864886f70d0109011611 61646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520 4365 EAP-Message = 0x72746966696361746520417574686f72697479301e170d303830383133313833303533 5a170d3039303831333138333035335a3071310b3009060355040613024341310b300906 0355040813024142310d300b060355040a13044e494e54311430120603550403130b636e 7372616469757330323130302e06092a864886f70d0109011621436861726c65732e4272 616462726f6f6b65406e72632d636e72632e67632e636130820122300d06092a864886f7 0d01010105000382010f003082010a0282010100c57ab80d08bdc0ca54b7545f240b4cc0 a2166402a93b8e578a2136da9fd3749df72fddbbc22a6e1b40d1e44631fb755849d5fa46 2cd5 EAP-Message = 0x01835196ab0bd72e7d6e07dabbffc24bfc00f73af318eeeccdb2e5c099af4134e9e543 6e4e06695b66c29957768971327b282e47b2a6faf5020f0dca1bdabaf258059f730843ac 8de91f3fc12d3291d181b19afeed7bf8e8f9b70b0110956582798e330f2809ecbba54109 defc30042f3f5f7ce6da188fc41e3c24e3da978c0d08255384fc1e02075c8ebf180dd79e 2dad38fc6dbb30caf54f96528fafea44506e6740ada51d659b2ac6bed389cce7f1f50782 4f343fe555cba46703e00440cc3d67b2162c87e9b7dba50203010001a317301530130603 551d25040c300a06082b06010505070301300d06092a864886f70d010104050003820101 0083 EAP-Message = 0xc40faab28bad5cc1c60c4dd066cc11beb1b42643d81ad4f0cc2a42f95b013d146fe581 29632e76877f82d87affc875de8b80f3180ccedfa083a1b5c561faea5c3537fcfc7cfe76 90f7b233d48bbb2069197a56cc39d764ebc830c8479c4a9c468922acac9b5e6088f4057b 
f4960d3e4cfbbd949c14e6ce22ea20d91486c3f41f6d8f59ebd6cae90ef68e791e424793 d16cee554857e8fc9e8caf5b68b93fd039ecb8e3dbe62bbcfbf162383a2a8116b12dc744 12768d2d61192fc0462c93cdf00797e97f666ed27b7ce3aaa42f7d6a473767dc8d29dbd9 b723aa0b4ba377b5ca35dcd700c58f7e37ec1610f9fd1c65e4713a8d2e19e4d38e33a100 adf0 EAP-Message = 0x41c300048430820480308203 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x5cf8051f5d741c7cb75d3413cdb392a6 Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.0.1.9 port 1645, id=145, length=144 User-Name = "bradbrookc" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "00-13-19-EE-6F-03" Calling-Station-Id = "00-12-3F-7F-5C-04" EAP-Message = 0x028c00061900 Message-Authenticator = 0xe44235d5f951628eb87fba1604cedccd NAS-Port-Type = Ethernet NAS-Port = 50103 State = 0x5cf8051f5d741c7cb75d3413cdb392a6 NAS-IP-Address = 10.0.1.9 +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "bradbrookc", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 140 length 6 rlm_eap: Continuing tunnel setup. 
++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 145 to 10.0.1.9 port 1645 EAP-Message = 0x018d03fc194068a003020102020900f4b9b2ef3de44dfe300d06092a864886f70d0101 050500308186310b3009060355040613024341310b30090603550408130241423111300f 0603550407130845646d6f6e746f6e310d300b060355040a13044e494e543120301e0609 2a864886f70d010901161161646d696e406578616d706c652e636f6d3126302406035504 03131d4578616d706c6520436572746966696361746520417574686f72697479301e170d 3038303831333138333035335a170d3038303931323138333035335a308186310b300906 0355040613024341310b30090603550408130241423111300f0603550407130845646d6f 6e74 EAP-Message = 0x6f6e310d300b060355040a13044e494e543120301e06092a864886f70d010901161161 646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c652043 6572746966696361746520417574686f7269747930820122300d06092a864886f70d0101 0105000382010f003082010a0282010100d29105b3d7fc51a9c7d98e0b5c177d7905a464 677a17f9fc2858a6143289f73384bfd87de5b4f809b4bfc9d3a18d2822b835c0708151e1 e22ec35cc3f90e03db24fb5b13fe3cb38d821c125db42e615c2d3b647f77123a268eea47 04dfe893242ddff5db3530cce2370975a519e1bd0a221062da59a22ba9066f03d775a489 4daa EAP-Message = 0xdbfc9f026e2aaeeac3c74f9a67439ce416228c3aa71c276c7458621c547a727a67e7a5 387e2ff87c314f4c466478d11399e1201b04d6e482d4047b33f4783a67fa6e54c4b607ce 89b5d5e2f44ff9eed48897cd8c40b49b147ae1b875f2b802bb2509fb410079a8cfbdbb82 3cff3db4adc4b57867900f6510aab632ef0040ad0203010001a381ee3081eb301d060355 1d0e0416041491a79064dca6caafd9eca4feb23ec538946597383081bb0603551d230481 
b33081b0801491a79064dca6caafd9eca4feb23ec53894659738a1818ca4818930818631 0b3009060355040613024341310b30090603550408130241423111300f06035504071308 4564 EAP-Message = 0x6d6f6e746f6e310d300b060355040a13044e494e543120301e06092a864886f70d0109 01161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d70 6c6520436572746966696361746520417574686f72697479820900f4b9b2ef3de44dfe30 0c0603551d13040530030101ff300d06092a864886f70d01010505000382010100bfc74d ef2a575a64195a7339a20f437c1e35472f31468bb932ef2fea64b713c430a45546dac8ac d3f182aeb33b282342fcd96376f02eeddfc9630d61a5db664a99b90aabcda8bf77d14797 dace0dfdb524714b43b6188e7d48b67fed7f03ba88fd275d8dd0b22b2508c62cd0fdc83c 4c82 EAP-Message = 0x153901ede4159d53 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x5cf8051f5e751c7cb75d3413cdb392a6 Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.0.1.9 port 1645, id=146, length=144 User-Name = "bradbrookc" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "00-13-19-EE-6F-03" Calling-Station-Id = "00-12-3F-7F-5C-04" EAP-Message = 0x028d00061900 Message-Authenticator = 0x23e3dd8f009687ee99c8bcbf0fd46215 NAS-Port-Type = Ethernet NAS-Port = 50103 State = 0x5cf8051f5e751c7cb75d3413cdb392a6 NAS-IP-Address = 10.0.1.9 +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "bradbrookc", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 141 length 6 rlm_eap: Continuing tunnel setup. 
++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 146 to 10.0.1.9 port 1645 EAP-Message = 0x018e02a81900e1b75b6faa7c88dad6b3e62540575b9a78c81727403426b6c2421e2dac 4d75ea2e7ca267fdc0b837d7fc638fda3cfd04640368538c5eb68729161be53d3e805e03 20a7ab84e785de8caff26b40fbba358f2dd1a5a072798f948fb2d3fce302a8e06e19829a 5c7a7530b04793b02014fff7742ebb9d493478cd09e0fb8beaca7699694c77492bc11603 01020d0c0002090080afa9699bb948224d23912763c0ba347734b56a9d657c7def80ecf8 a632911af0a8e733d6a9e211fda817981da44b5fb369519cb7ee82f442cb5132b2baf4a0 db056f68adf026afefbb1a7ad74433aeae8203a8dd709b80e935aad155c1d3d1bdb7615d 3f90 EAP-Message = 0xd81bb1b1c6b533da114b242f7ae20de085e7ef7970ec914c4de01b0001020080aee726 6211cfb1b1c2de5229ff1965f4dfd4a5ec4a88bf981a440b81b1e35d35c3ffaaf7ac1c17 c436c8f31150f80374c864ce8902d5fc10b912e5b670c5186b55f34c37b78e091885cc13 2def7465c367f65ef074967db6d73c7b2ac8b6308b2a9bd12432c34ac7b553e1c7b38691 3e2f524a5c7629e199bbc139a95e33a530010025c966932e245809cc99114c9b6006ecf3 45a19e0b3eb075f671d80524eb4796ebc9f4335e20dccbbb1efbab6914afca7276a8b884 01fd7a643511b96d6c37746fa777d93b8e9bd0454ddd30170ddfaa4d38229946ee377caf 3f2e EAP-Message = 0x44c10c17c69d72eecdd4cd86e4370eb90b8670c9fffb2b886aaf4d868b0deb87b50cc9 b1c1940536c65e952c8c43a1f6307331bc5365b9ffd6dbd75ec553ed942587da7733ea7a a0da0f26bcc92e75320ad0d64eb825ff5eb4773eb321ed16294c6c00ac326ad5897f5753 1040743401aa524455a2f9158265537a2ab7ac4b0fa7e5cb29724e433783fbaafd30701a 65604b88312d7e2b5ab8278671235a55bab4f969afd116030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State 
= 0x5cf8051f5f761c7cb75d3413cdb392a6 Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.0.1.9 port 1645, id=147, length=342 User-Name = "bradbrookc" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "00-13-19-EE-6F-03" Calling-Station-Id = "00-12-3F-7F-5C-04" EAP-Message = 0x028e00cc1900160301008610000082008091b63d950e11c91046e3f725dcd7d304492f 57c1dadf1e7495681b43529b362c499841ba71597055f5654c3ca98c27b7e03a177199dd 3057a5d5b21e5e783b4216b943a1ab23387e6cc064a9829979da98770f1b07b55b2e6007 3e842666d6e4af3d4d6ff0ed8beadef6a2e2301f9a0d88a0f6dd6afa3370d1747cc776c4 4c0214030100010116030100300e7f8ffdf9dd3e9051c8572c21adb963d53260c49c98f1 418f7950444848770f7ad731dc389fcefdd65e0914b7c56a16 Message-Authenticator = 0xae09db613bd97099219416d6c598a6a2 NAS-Port-Type = Ethernet NAS-Port = 50103 State = 0x5cf8051f5f761c7cb75d3413cdb392a6 NAS-IP-Address = 10.0.1.9 +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "bradbrookc", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 142 length 204 rlm_eap: Continuing tunnel setup. 
++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange TLS_accept: SSLv3 read client key exchange A rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001] rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 read finished A rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001] TLS_accept: SSLv3 write change cipher spec A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 write finished A TLS_accept: SSLv3 flush data (other): SSL negotiation finished successfully SSL Connection Established eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 147 to 10.0.1.9 port 1645 EAP-Message = 0x018f004119001403010001011603010030bc7b1f21090f1bdaa4abcf797903113688aa 47a3094114ee3d638c1617c37d0ca4f9b1dbec7a967007ecb6c13bffb21d Message-Authenticator = 0x00000000000000000000000000000000 State = 0x5cf8051f58771c7cb75d3413cdb392a6 Finished request 4. Going to the next request Waking up in 4.8 seconds. 
rad_recv: Access-Request packet from host 10.0.1.9 port 1645, id=148, length=144 User-Name = "bradbrookc" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "00-13-19-EE-6F-03" Calling-Station-Id = "00-12-3F-7F-5C-04" EAP-Message = 0x028f00061900 Message-Authenticator = 0x2104a6c0ee38a2bd3fe9b6bb57211e28 NAS-Port-Type = Ethernet NAS-Port = 50103 State = 0x5cf8051f58771c7cb75d3413cdb392a6 NAS-IP-Address = 10.0.1.9 +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "bradbrookc", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 143 length 6 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake is finished eaptls_verify returned 3 eaptls_process returned 3 rlm_eap_peap: EAPTLS_SUCCESS ++[eap] returns handled Sending Access-Challenge of id 148 to 10.0.1.9 port 1645 EAP-Message = 0x0190002b19001703010020e2b7a169db2e1f8d75824f92cfed7c6cadf098286227525b 6627d0963e6dbe34 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x5cf8051f59681c7cb75d3413cdb392a6 Finished request 5. Going to the next request Waking up in 4.8 seconds. 
rad_recv: Access-Request packet from host 10.0.1.9 port 1645, id=149, length=234 User-Name = "bradbrookc" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "00-13-19-EE-6F-03" Calling-Station-Id = "00-12-3F-7F-5C-04" EAP-Message = 0x02900060190017030100207693f88474ff4aaaefd99931f7ffdf4bfc4fdf19d23453e1 916222bb6beb9a0f17030100307d33a13faa21e5f630826e553a455593e65c4c2fb4a10d 88e516a3299d40afd58468e6a62f79618ecfa3b14bc0295a3d Message-Authenticator = 0x4d6137af4ebd3f0f3000bf316473cb6b NAS-Port-Type = Ethernet NAS-Port = 50103 State = 0x5cf8051f59681c7cb75d3413cdb392a6 NAS-IP-Address = 10.0.1.9 +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "bradbrookc", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 144 length 96 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Identity - bradbrookc PEAP: Got tunneled EAP-Message EAP-Message = 0x0290000f016272616462726f6f6b63 PEAP: Got tunneled identity of bradbrookc PEAP: Setting default EAP type for tunneled EAP session. 
PEAP: Setting User-Name to bradbrookc PEAP: Sending tunneled request EAP-Message = 0x0290000f016272616462726f6f6b63 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "bradbrookc" server inner-tunnel { +- entering group authorize ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound rlm_realm: No '@' in User-Name = "bradbrookc", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop ++[control] returns noop rlm_eap: EAP packet type response id 144 length 15 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated rlm_ldap: Entering ldap_groupcmp() expand: dc=ads,dc=****,dc=org -> dc=ads,dc=****,dc=org expand: (&(samaccountName=%{mschap:User-Name})) -> (&(samaccountName=bradbrookc)) rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=ads,dc=****,dc=org, with filter (&(samaccountName=bradbrookc)) rlm_ldap: ldap_release_conn: Release Id: 0 expand: (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=Gro upOfUniqueNames)(uniquemember=%{Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueName s)(uniquemember=))) rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=ads,dc=****,dc=org, with filter (&(cn=RCNS-Group)(|(&(objectClass=GroupOfNames)(member=))(&(objectClass= GroupOfUniqueNames)(uniquemember=)))) rlm_ldap: object not found or got ambiguous search result rlm_ldap: ldap_release_conn: Release Id: 0 rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in CN=Bradbrooke\, Charles,OU=CNS,OU=SupportGrp,DC=ads,DC=****,DC=org, with filter (objectclass=*) rlm_ldap: performing search in CN=RCNS-Group,OU=CNS,OU=SupportGrp,DC=ads,DC=****,DC=org, with filter (cn=RCNS-Group) rlm_ldap::ldap_groupcmp: User found in group RCNS-Group rlm_ldap: ldap_release_conn: Release Id: 0 users: Matched entry DEFAULT 
at line 203 ++[files] returns ok rlm_ldap: - authorize rlm_ldap: performing user authorization for bradbrookc expand: (&(samaccountName=%{mschap:User-Name})) -> (&(samaccountName=bradbrookc)) expand: dc=ads,dc=****,dc=org -> dc=ads,dc=****,dc=org rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=ads,dc=****,dc=org, with filter (&(samaccountName=bradbrookc)) rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? rlm_ldap: user bradbrookc authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: EAP Identity rlm_eap: processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled } # server inner-tunnel PEAP: Got tunneled reply RADIUS code 11 Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Type:0 = VLAN Tunnel-Private-Group-Id:0 = "254" EAP-Message = 0x019100241a0191001f10bca484b2a5e1f5483e9740469841cd066272616462726f6f6b 63 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xdf7495b4dfe58f4948b665ba90c853df PEAP: Processing from tunneled session code 0x9bbaff0 11 Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Type:0 = VLAN Tunnel-Private-Group-Id:0 = "254" EAP-Message = 0x019100241a0191001f10bca484b2a5e1f5483e9740469841cd066272616462726f6f6b 63 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xdf7495b4dfe58f4948b665ba90c853df PEAP: Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 149 to 10.0.1.9 port 1645 EAP-Message = 0x0191004b19001703010040cb9a244436d27cd878af3574f9810e43f9b62173c3ec951e 4b1e9e9fce8f1f718767449092ed5b011ebdf60d1eb89cfdc8a89b0f0f5dcec691a83037 85c87b7f 
Message-Authenticator = 0x00000000000000000000000000000000 State = 0x5cf8051f5a691c7cb75d3413cdb392a6 Finished request 6. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 10.0.1.9 port 1645, id=150, length=282 User-Name = "bradbrookc" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "00-13-19-EE-6F-03" Calling-Station-Id = "00-12-3F-7F-5C-04" EAP-Message = 0x02910090190017030100205e1f6a8f5e21e3242cc251cc76bb1d38a571a67fb9cfc0e9 4d601720d34c508e1703010060b3267c099baeef90e14bdf7b6674745b1c3a2a732413a0 b36843e7dc59239dcb33bec8a8318a33078dbef9f0bd4b0a7f5199be207f42ec01a7ccce 79a125ca8a7cef0a47036e31b6ea76bbcfee284b2273d8eeab6b7aee10f2459459f10b1a 14 Message-Authenticator = 0x936b24e5e67b6078b7f8796275532377 NAS-Port-Type = Ethernet NAS-Port = 50103 State = 0x5cf8051f5a691c7cb75d3413cdb392a6 NAS-IP-Address = 10.0.1.9 +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "bradbrookc", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 145 length 144 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. 
rlm_eap_peap: EAP type mschapv2 PEAP: Got tunneled EAP-Message EAP-Message = 0x029100451a0291004031b03934b274ed47570a4fc25d067bc51d0000000000000000da 0e34697f0cff1a9e0fc5be2411176a21a23fe4c55e03e2006272616462726f6f6b63 PEAP: Setting User-Name to bradbrookc PEAP: Sending tunneled request EAP-Message = 0x029100451a0291004031b03934b274ed47570a4fc25d067bc51d0000000000000000da 0e34697f0cff1a9e0fc5be2411176a21a23fe4c55e03e2006272616462726f6f6b63 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "bradbrookc" State = 0xdf7495b4dfe58f4948b665ba90c853df server inner-tunnel { +- entering group authorize ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound rlm_realm: No '@' in User-Name = "bradbrookc", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop ++[control] returns noop rlm_eap: EAP packet type response id 145 length 69 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated rlm_ldap: Entering ldap_groupcmp() expand: dc=ads,dc=****,dc=org -> dc=ads,dc=****,dc=org expand: (&(samaccountName=%{mschap:User-Name})) -> (&(samaccountName=bradbrookc)) rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=ads,dc=****,dc=org, with filter (&(samaccountName=bradbrookc)) rlm_ldap: ldap_release_conn: Release Id: 0 expand: (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=Gro upOfUniqueNames)(uniquemember=%{Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueName s)(uniquemember=))) rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=ads,dc=****,dc=org, with filter (&(cn=RCNS-Group)(|(&(objectClass=GroupOfNames)(member=))(&(objectClass= GroupOfUniqueNames)(uniquemember=)))) rlm_ldap: object not found or got ambiguous search result rlm_ldap: ldap_release_conn: Release Id: 0 rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 
rlm_ldap: performing search in CN=Bradbrooke\, Charles,OU=CNS,OU=SupportGrp,DC=ads,DC=****,DC=org, with filter (objectclass=*) rlm_ldap: performing search in CN=RCNS-Group,OU=CNS,OU=SupportGrp,DC=ads,DC=****,DC=org, with filter (cn=RCNS-Group) rlm_ldap::ldap_groupcmp: User found in group RCNS-Group rlm_ldap: ldap_release_conn: Release Id: 0 users: Matched entry DEFAULT at line 203 ++[files] returns ok rlm_ldap: - authorize rlm_ldap: performing user authorization for bradbrookc expand: (&(samaccountName=%{mschap:User-Name})) -> (&(samaccountName=bradbrookc)) expand: dc=ads,dc=****,dc=org -> dc=ads,dc=****,dc=org rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=ads,dc=****,dc=org, with filter (&(samaccountName=bradbrookc)) rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? rlm_ldap: user bradbrookc authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/mschapv2 rlm_eap: processing type mschapv2 +- entering group MS-CHAP rlm_mschap: No Cleartext-Password configured. Cannot create LM-Password. rlm_mschap: No Cleartext-Password configured. Cannot create NT-Password. 
rlm_mschap: Told to do MS-CHAPv2 for bradbrookc with NT-Password expand: --username=%{mschap:User-Name} -> --username=bradbrookc mschap2: bc expand: --challenge=%{mschap:Challenge:-00} -> --challenge=8f745c0c9417c51d expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=da0e34697f0cff1a9e0fc5be2411176a21a23fe4c55e03e2 Exec-Program output: NT_KEY: 42207E9FF1BBB532486C8C59D014F7AA Exec-Program-Wait: plaintext: NT_KEY: 42207E9FF1BBB532486C8C59D014F7AA Exec-Program: returned: 0 ++[mschap] returns ok MSCHAP Success ++[eap] returns handled } # server inner-tunnel PEAP: Got tunneled reply RADIUS code 11 Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Type:0 = VLAN Tunnel-Private-Group-Id:0 = "254" EAP-Message = 0x019200331a0391002e533d393344414646324336354533353533383635353131413838 39324537373946334642464230383734 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xdf7495b4dee68f4948b665ba90c853df PEAP: Processing from tunneled session code 0x9bbaff0 11 Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Type:0 = VLAN Tunnel-Private-Group-Id:0 = "254" EAP-Message = 0x019200331a0391002e533d393344414646324336354533353533383635353131413838 39324537373946334642464230383734 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xdf7495b4dee68f4948b665ba90c853df PEAP: Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 150 to 10.0.1.9 port 1645 EAP-Message = 0x0192005b190017030100502648c6639d8e11269cab8d17c667d1fbfd193feeb88cd647 3b7aa7ac33da7112db432c81e25a1e0e5486b2f0989d556f3dc20291a73e4e1c951b7d98 1974aafe78efa247b31f910a7fc8d421a6050163 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x5cf8051f5b6a1c7cb75d3413cdb392a6 Finished request 7. Going to the next request Waking up in 4.7 seconds. 
Cleaning up request 0 ID 143 with timestamp +23 Cleaning up request 1 ID 144 with timestamp +23 Cleaning up request 2 ID 145 with timestamp +23 Cleaning up request 3 ID 146 with timestamp +23 Cleaning up request 4 ID 147 with timestamp +23 Cleaning up request 5 ID 148 with timestamp +23 Cleaning up request 6 ID 149 with timestamp +23 Cleaning up request 7 ID 150 with timestamp +23 Ready to process requests.