I've now enabled ntdomain in sites-available/inner-tunnel and
after that modification, authorization of the Vista user succeeded.
Thank you very much.

I would like to add MAC address authorization. For this purpose
I've added the MAC address to the users file like this:

oreshkin Cleartext-Password := "some_password", Calling-Station-Id == "00-16-EA-8A-DE-38"

However, authorization failed; the result of /usr/local/sbin/radiusd -fX
is provided below.

---------------------------------

Ready to process requests.

rad_recv: Access-Request packet from host 192.168.14.240 port 1072, id=0, 
length=235
        Message-Authenticator = 0xab90b4e8f45b2157028e895bf7f9ffdc
        Service-Type = Framed-User
        User-Name = "csd-notebook\\oreshkin"
        Framed-MTU = 1488
        Called-Station-Id = "00-18-6E-8F-73-40:200901azk71And"
        Calling-Station-Id = "00-16-EA-8A-DE-38"
        NAS-Identifier = "3Com Access Point 7760"
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 54Mbps 802.11g"
        EAP-Message = 0x0200001a016373642d6e6f7465626f6f6b5c6f726573686b696e
        NAS-IP-Address = 192.168.14.240
        NAS-Port = 1
        NAS-Port-Id = "STA port # 1"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "csd-notebook\oreshkin", looking up realm NULL
[suffix] Found realm "DEFAULT"
[suffix] Adding Stripped-User-Name = "csd-notebook\oreshkin"
[suffix] Adding Realm = "DEFAULT"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[ntdomain] Request already proxied.  Ignoring.
++[ntdomain] returns ok
[eap] EAP packet type response id 0 length 26
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 159
[files] users: Matched entry DEFAULT at line 178
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may 
fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 0 to 192.168.14.240 port 1072
        Framed-IP-Address = 255.255.255.254
        Framed-MTU = 576
        Service-Type = Framed-User
        EAP-Message = 0x010100061920
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x1cd845841cd95ccb36bc9cf89bd12b63
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.14.240 port 1072, id=1, 
length=359
        Message-Authenticator = 0xe9dc83dc1457486ee19d0330fcb4e25e
        Service-Type = Framed-User
        User-Name = "csd-notebook\\oreshkin"
        Framed-MTU = 1488
        State = 0x1cd845841cd95ccb36bc9cf89bd12b63
        Called-Station-Id = "00-18-6E-8F-73-40:200901azk71And"
        Calling-Station-Id = "00-16-EA-8A-DE-38"
        NAS-Identifier = "3Com Access Point 7760"
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 54Mbps 802.11g"
        EAP-Message = 
0x0201008419800000007a16030100750100007103014a5b3da7091178c5ce612e30c36477888f6351b2a4ec4d31d47d537d05a18634000018002f00350005000ac009c00ac013c0140032003800130004010000300000001a00180000156373642d6e6f7465626f6f6b5c6f726573686b696e000a00080006001700180019000b00020100
        NAS-IP-Address = 192.168.14.240
        NAS-Port = 1
        NAS-Port-Id = "STA port # 1"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "csd-notebook\oreshkin", looking up realm NULL
[suffix] Found realm "DEFAULT"
[suffix] Adding Stripped-User-Name = "csd-notebook\oreshkin"
[suffix] Adding Realm = "DEFAULT"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[ntdomain] Request already proxied.  Ignoring.
++[ntdomain] returns ok
[eap] EAP packet type response id 1 length 132
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 122
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 0075], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 002a], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 084e], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 1 to 192.168.14.240 port 1072
        EAP-Message = 
0x0102040019c00000088b160301002a0200002603014a5b3d483bb3aa596d4ba334157d9f6cdf6639eaf9a88abe2eb765ab6255c24a00002f00160301084e0b00084a0008470003a6308203a23082028aa003020102020101300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479
        EAP-Message = 
0xf37acb064274e515f88c05490e81fcb594b8678a665ae9d17134a3e3fdb2df801547f84071730fa696eef58f5c1d73841e52aa2c9a4074cf288ef7158e4f3ae68db182c1798f3da6d86bda0a8a9c54de39f2d94d3e0687a8fa46faedcd36bcc64fd9f2cd74055682782684f674d377c0e2457f5ad4efa4ec460c7527c80769a270128e0a6d12cb79d0bb12fe0a1bb81f6c20b98873ac6718cd0d02ebb7de1cdd720360252cc736c2e84bfe1c87a695dcb7e2b4d982f0736305017d65ec72506bed1578f806479bedc2b5bfa83f0e15ccc03bbe908e734351e5843806e9dcb659b98056909aeed953e9e24d7e0e1f8163deb5f4f5076e5c00049b308204
        EAP-Message = 0x973082037fa0030201020201
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x1cd845841dda5ccb36bc9cf89bd12b63
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.14.240 port 1072, id=2, 
length=233
        Message-Authenticator = 0x6e4c448152aff4fd62c9fa4cb4908f2c
        Service-Type = Framed-User
        User-Name = "csd-notebook\\oreshkin"
        Framed-MTU = 1488
        State = 0x1cd845841dda5ccb36bc9cf89bd12b63
        Called-Station-Id = "00-18-6E-8F-73-40:200901azk71And"
        Calling-Station-Id = "00-16-EA-8A-DE-38"
        NAS-Identifier = "3Com Access Point 7760"
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 54Mbps 802.11g"
        EAP-Message = 0x020200061900
        NAS-IP-Address = 192.168.14.240
        NAS-Port = 1
        NAS-Port-Id = "STA port # 1"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "csd-notebook\oreshkin", looking up realm NULL
[suffix] Found realm "DEFAULT"
[suffix] Adding Stripped-User-Name = "csd-notebook\oreshkin"
[suffix] Adding Realm = "DEFAULT"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[ntdomain] Request already proxied.  Ignoring.
++[ntdomain] returns ok
[eap] EAP packet type response id 2 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 2 to 192.168.14.240 port 1072
        EAP-Message = 
0x6865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100a056d1cfe5b95120cfb2ad67638c20cceb3feca1d22665f5d0379648340127cf5ffe26f48f46c04a1132b032d93b7f49417851f2e110fee7b457fbe2f99b47d3389b630dd2f78acf290b4ecb6d43466a19cb17063f1b2a1eefe1e6f34e1b0a20fa92fa17809a58e7120bc1a87db8865230df04775af5e1
        EAP-Message = 0xde231ca42761b9ba
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x1cd845841edb5ccb36bc9cf89bd12b63
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.14.240 port 1072, id=3, 
length=233
        Message-Authenticator = 0x80e476011f2a99d8957c70f5b74469e6
        Service-Type = Framed-User
        User-Name = "csd-notebook\\oreshkin"
        Framed-MTU = 1488
        State = 0x1cd845841edb5ccb36bc9cf89bd12b63
        Called-Station-Id = "00-18-6E-8F-73-40:200901azk71And"
        Calling-Station-Id = "00-16-EA-8A-DE-38"
        NAS-Identifier = "3Com Access Point 7760"
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 54Mbps 802.11g"
        EAP-Message = 0x020300061900
        NAS-IP-Address = 192.168.14.240
        NAS-Port = 1
        NAS-Port-Id = "STA port # 1"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "csd-notebook\oreshkin", looking up realm NULL
[suffix] Found realm "DEFAULT"
[suffix] Adding Stripped-User-Name = "csd-notebook\oreshkin"
[suffix] Adding Realm = "DEFAULT"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[ntdomain] Request already proxied.  Ignoring.
++[ntdomain] returns ok
[eap] EAP packet type response id 3 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 3 to 192.168.14.240 port 1072
        EAP-Message = 
0x010400a51900504fbacfc37f212076882bd7b098391319a08e59fc4d3dee5493579716c999ee20be7eed64f3b465e8ff5b718e9751b2c4ca5d1cd6700ccf0341f6a270aed40707094b7b6c39c78c581fa330b26bfb74042202fde6398f0fa591d0e164f5980d197175a49c7b9769cebfa4eef1f5527383f230b4df20935fa3903e171a05d038c6effefc1bf76e95dd86d637a53fc8ae83bdc13ea56d16030100040e000000
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x1cd845841fdc5ccb36bc9cf89bd12b63
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.14.240 port 1072, id=4, 
length=565
        Message-Authenticator = 0x772a2a7cde5ab90adf1339ea4504e5a4
        Service-Type = Framed-User
        User-Name = "csd-notebook\\oreshkin"
        Framed-MTU = 1488
        State = 0x1cd845841fdc5ccb36bc9cf89bd12b63
        Called-Station-Id = "00-18-6E-8F-73-40:200901azk71And"
        Calling-Station-Id = "00-16-EA-8A-DE-38"
        NAS-Identifier = "3Com Access Point 7760"
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 54Mbps 802.11g"
        EAP-Message = 
0x979f449ded68c732c69107cb0cc5831df7865a7b971f99c91403010001011603010030448cc2e576a615f1026d6e6ca6882439eb3bbfe1802a7c536aae7e8a58dd488073b99646cf5ff348715aff4d7636efff
        NAS-IP-Address = 192.168.14.240
        NAS-Port = 1
        NAS-Port-Id = "STA port # 1"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "csd-notebook\oreshkin", looking up realm NULL
[suffix] Found realm "DEFAULT"
[suffix] Adding Stripped-User-Name = "csd-notebook\oreshkin"
[suffix] Adding Realm = "DEFAULT"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[ntdomain] Request already proxied.  Ignoring.
++[ntdomain] returns ok
[eap] EAP packet type response id 4 length 253
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 326
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange
[peap] TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap] TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 write finished A
[peap] TLS_accept: SSLv3 flush data
[peap] (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 4 to 192.168.14.240 port 1072
        EAP-Message = 
0x01050041190014030100010116030100309b044cc51fa4953a63d076b0bf983a8da597f4a0c74479ca71ebd2d725e0a9175492362068f5b0af5ac669b952d43946
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x1cd8458418dd5ccb36bc9cf89bd12b63
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.14.240 port 1072, id=5, 
length=233
        Message-Authenticator = 0x368d297a7de5efd4ecf20c5609bdeec9
        Service-Type = Framed-User
        User-Name = "csd-notebook\\oreshkin"
        Framed-MTU = 1488
        State = 0x1cd8458418dd5ccb36bc9cf89bd12b63
        Called-Station-Id = "00-18-6E-8F-73-40:200901azk71And"
        Calling-Station-Id = "00-16-EA-8A-DE-38"
        NAS-Identifier = "3Com Access Point 7760"
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 54Mbps 802.11g"
        EAP-Message = 0x020500061900
        NAS-IP-Address = 192.168.14.240
        NAS-Port = 1
        NAS-Port-Id = "STA port # 1"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "csd-notebook\oreshkin", looking up realm NULL
[suffix] Found realm "DEFAULT"
[suffix] Adding Stripped-User-Name = "csd-notebook\oreshkin"
[suffix] Adding Realm = "DEFAULT"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[ntdomain] Request already proxied.  Ignoring.
++[ntdomain] returns ok
[eap] EAP packet type response id 5 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
++[eap] returns handled
Sending Access-Challenge of id 5 to 192.168.14.240 port 1072
        EAP-Message = 
0x0106002b19001703010020c6fb5d7268ec78ef1f9d3671de356278fd67065c9cf012d0c1de36c6afbd70b4
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x1cd8458419de5ccb36bc9cf89bd12b63
Finished request 5.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.14.240 port 1072, id=6, 
length=286
        Message-Authenticator = 0x550e2114fae741954504321d47da07bd
        Service-Type = Framed-User
        User-Name = "csd-notebook\\oreshkin"
        Framed-MTU = 1488
        State = 0x1cd8458419de5ccb36bc9cf89bd12b63
        Called-Station-Id = "00-18-6E-8F-73-40:200901azk71And"
        Calling-Station-Id = "00-16-EA-8A-DE-38"
        NAS-Identifier = "3Com Access Point 7760"
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 54Mbps 802.11g"
        EAP-Message = 
0x0206003b19001703010030805ecc8cfaac3addedb0a50794219e83a270716f48eeb8e60a0c3ab3fed53c5198b105fbb713b908f6f8d93e6d536622
        NAS-IP-Address = 192.168.14.240
        NAS-Port = 1
        NAS-Port-Id = "STA port # 1"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "csd-notebook\oreshkin", looking up realm NULL
[suffix] Found realm "DEFAULT"
[suffix] Adding Stripped-User-Name = "csd-notebook\oreshkin"
[suffix] Adding Realm = "DEFAULT"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[ntdomain] Request already proxied.  Ignoring.
++[ntdomain] returns ok
[eap] EAP packet type response id 6 length 59
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Identity - csd-notebook\oreshkin
[peap] Got tunneled request
        EAP-Message = 0x0206001a016373642d6e6f7465626f6f6b5c6f726573686b696e
server  {
  PEAP: Got tunneled identity of csd-notebook\oreshkin
  PEAP: Setting default EAP type for tunneled EAP session.
  PEAP: Setting User-Name to csd-notebook\oreshkin
Sending tunneled request
        EAP-Message = 0x0206001a016373642d6e6f7465626f6f6b5c6f726573686b696e
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "csd-notebook\\oreshkin"
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[ntdomain] Looking up realm "csd-notebook" for User-Name = 
"csd-notebook\oreshkin"
[ntdomain] Found realm "DEFAULT"
[ntdomain] Adding Stripped-User-Name = "oreshkin"
[ntdomain] Adding Realm = "DEFAULT"
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
++[control] returns ok
[eap] EAP packet type response id 6 length 26
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry DEFAULT at line 159
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
        EAP-Message = 
0x0107002f1a0107002a100251dc4f5cece54da2b8881378dd444c6373642d6e6f7465626f6f6b5c6f726573686b696e
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x86b209f786b51352b3578e7a38b869c7
[peap] Got tunneled reply RADIUS code 11
        EAP-Message = 
0x0107002f1a0107002a100251dc4f5cece54da2b8881378dd444c6373642d6e6f7465626f6f6b5c6f726573686b696e
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x86b209f786b51352b3578e7a38b869c7
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 6 to 192.168.14.240 port 1072
        EAP-Message = 
0x0107004b1900170301004026664765ea523fba2ed015d3248195d02b335d7579ca0921452aaa563aa2c3a3a50bb02aca55a3cb8db677961421a3580157bbdb57a56a1ac143c69282ad8133
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x1cd845841adf5ccb36bc9cf89bd12b63
Finished request 6.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.14.240 port 1072, id=7, 
length=334
        Message-Authenticator = 0x65f839b7d5eac06c3a75e2138584465b
        Service-Type = Framed-User
        User-Name = "csd-notebook\\oreshkin"
        Framed-MTU = 1488
        State = 0x1cd845841adf5ccb36bc9cf89bd12b63
        Called-Station-Id = "00-18-6E-8F-73-40:200901azk71And"
        Calling-Station-Id = "00-16-EA-8A-DE-38"
        NAS-Identifier = "3Com Access Point 7760"
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 54Mbps 802.11g"
        EAP-Message = 
0x0207006b1900170301006009cf68bc35f1789bb629f7cc6d1dc521f8abe45174ee9ec287237f97a3bad789635c92bc033059ac8e946446e7e0b324748de27694f96a2bf214b2d76e6c826eda7b897c26ed974ed4d2dd73c6c6058942661082dbb9d5a4388f32a96d14348c
        NAS-IP-Address = 192.168.14.240
        NAS-Port = 1
        NAS-Port-Id = "STA port # 1"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "csd-notebook\oreshkin", looking up realm NULL
[suffix] Found realm "DEFAULT"
[suffix] Adding Stripped-User-Name = "csd-notebook\oreshkin"
[suffix] Adding Realm = "DEFAULT"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[ntdomain] Request already proxied.  Ignoring.
++[ntdomain] returns ok
[eap] EAP packet type response id 7 length 107
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] EAP type mschapv2
[peap] Got tunneled request
        EAP-Message = 
0x020700431a0207003e31543b42e36c388e9b55a8ddbfeb34b90a0000000000000000e406ca6b04ef491b2ef4d0b1d86507ad62c94c09492ed747006f726573686b696e
server  {
  PEAP: Setting User-Name to csd-notebook\oreshkin
Sending tunneled request
        EAP-Message = 
0x020700431a0207003e31543b42e36c388e9b55a8ddbfeb34b90a0000000000000000e406ca6b04ef491b2ef4d0b1d86507ad62c94c09492ed747006f726573686b696e
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "csd-notebook\\oreshkin"
        State = 0x86b209f786b51352b3578e7a38b869c7
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[ntdomain] Looking up realm "csd-notebook" for User-Name = 
"csd-notebook\oreshkin"
[ntdomain] Found realm "DEFAULT"
[ntdomain] Adding Stripped-User-Name = "oreshkin"
[ntdomain] Adding Realm = "DEFAULT"
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
++[control] returns ok
[eap] EAP packet type response id 7 length 67
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry DEFAULT at line 159
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for oreshkin with NT-Password
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
} # server inner-tunnel
[peap] Got tunneled reply code 3
        MS-CHAP-Error = "\007E=691 R=1"
        EAP-Message = 0x04070004
        Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code 3
        MS-CHAP-Error = "\007E=691 R=1"
        EAP-Message = 0x04070004
        Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] returns handled
Sending Access-Challenge of id 7 to 192.168.14.240 port 1072
        EAP-Message = 
0x0108002b19001703010020f53ff8fc7bf5c304bfca89826b65c7d28c735a30e86689c6af72a02d870916b7
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x1cd845841bd05ccb36bc9cf89bd12b63
Finished request 7.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.14.240 port 1072, id=8, 
length=270
        Message-Authenticator = 0xd5b9303bee9ed637d8fa83cd14602a75
        Service-Type = Framed-User
        User-Name = "csd-notebook\\oreshkin"
        Framed-MTU = 1488
        State = 0x1cd845841bd05ccb36bc9cf89bd12b63
        Called-Station-Id = "00-18-6E-8F-73-40:200901azk71And"
        Calling-Station-Id = "00-16-EA-8A-DE-38"
        NAS-Identifier = "3Com Access Point 7760"
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 54Mbps 802.11g"
        EAP-Message = 
0x0208002b1900170301002054077a731a80335cfc0c20507b5d608c8d3c489203490c87691ccfdcda252bd5
        NAS-IP-Address = 192.168.14.240
        NAS-Port = 1
        NAS-Port-Id = "STA port # 1"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "csd-notebook\oreshkin", looking up realm NULL
[suffix] Found realm "DEFAULT"
[suffix] Adding Stripped-User-Name = "csd-notebook\oreshkin"
[suffix] Adding Realm = "DEFAULT"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[ntdomain] Request already proxied.  Ignoring.
++[ntdomain] returns ok
[eap] EAP packet type response id 8 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Received EAP-TLV response.
[peap]  Had sent TLV failure.  User was rejected earlier in this session.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> csd-notebook\oreshkin
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 8 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 8
Sending Access-Reject of id 8 to 192.168.14.240 port 1072
        EAP-Message = 0x04080004
        Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.

------------------------------------------

What's wrong? Are there any other ways of performing such authorization?

Thanks.



On Mon, 13 Jul 2009, Ivan Kalik wrote:

Date: Mon, 13 Jul 2009 12:08:42 +0100 (BST)
From: Ivan Kalik <[email protected]>
To: Anatoly Oreshkin <[email protected]>
Subject: Re: FreeRadius 2.1.6 + EAP-PEAP issue


I've configured realm DEFAULT in proxy.conf again:

realm DEFAULT {
         type            = radius
         authhost        = LOCAL
         accthost        = LOCAL
}

and deleted realm csd-notebook because csd-notebook is notebook name
rather than domain name.

Also I've disabled suffix in sites-available/inner-tunnel.

But didn't enable ntdomain there (you have enabled it in default virtual
server).

On the other hand, if you configure XP supplicant properly (ie. not to
send Windows logon name) you won't need any of this.

Ivan Kalik
Kalik Informatika ISP
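
Added example, not part of the original messages or of FreeRADIUS: a small Python check that compares the `==` items of the users-file entry quoted above against the attributes the debug output shows in the outer Access-Request and in the tunneled request. The function names are hypothetical and the log is an abridged excerpt of the output above with hex values truncated.

```python
import re

# Users-file entry quoted in the message above.
USERS_ENTRY = ('oreshkin Cleartext-Password := "some_password", '
               'Calling-Station-Id == "00-16-EA-8A-DE-38"')

# Abridged from the radiusd -fX output above (request id=7); hex values truncated.
DEBUG_LOG = r'''
rad_recv: Access-Request packet from host 192.168.14.240 port 1072, id=7,
length=334
        User-Name = "csd-notebook\\oreshkin"
        Calling-Station-Id = "00-16-EA-8A-DE-38"
        EAP-Message =
0x0207006b19
        NAS-Port = 1
+- entering group authorize {...}
[peap] Got tunneled request
        EAP-Message = 0x020700431a
Sending tunneled request
        EAP-Message = 0x020700431a
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "csd-notebook\\oreshkin"
        State = 0x86b209f7
server inner-tunnel {
[ntdomain] Adding Stripped-User-Name = "oreshkin"
[files] users: Matched entry DEFAULT at line 159
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
} # server inner-tunnel
'''

ATTR_LINE = re.compile(r'^\s+([A-Za-z][\w-]*) =\s*(.*)$')
MATCHED = re.compile(r'^\[files\] users: Matched entry (\S+) at line \d+')


def request_checks(entry):
    """Return {attribute: value} for the '==' items, which are compared with the request."""
    _, items = entry.split(None, 1)
    checks = {}
    for item in items.split(','):  # simple split: assumes no comma inside a value
        m = re.match(r'\s*([\w-]+)\s*(:=|==|=)\s*"?([^"]*)"?\s*$', item)
        if m and m.group(2) == '==':
            checks[m.group(1)] = m.group(3)
    return checks


def packets(log, header):
    """Yield the attribute dict printed under each log line that starts with `header`."""
    current = None
    for line in log.splitlines():
        if line.startswith(header):
            if current:
                yield current
            current = {}
        elif current is None or line.startswith('0x'):
            continue  # outside a packet, or a wrapped hex value
        else:
            m = ATTR_LINE.match(line)
            if m:
                current[m.group(1)] = m.group(2).strip().strip('"')
            elif current:  # first non-attribute line ends the packet
                yield current
                current = None
    if current:
        yield current


def diagnose(log, entry):
    checks = request_checks(entry)
    outer = list(packets(log, 'rad_recv: Access-Request'))
    inner = list(packets(log, 'Sending tunneled request'))
    in_tunnel, matched = False, []
    for line in log.splitlines():
        if line.startswith('server inner-tunnel {'):
            in_tunnel = True
        elif line.startswith('} # server inner-tunnel'):
            in_tunnel = False
        elif in_tunnel and MATCHED.match(line):
            matched.append(MATCHED.match(line).group(1))
    return {
        'outer_ok': bool(outer) and all(p.get(a) == v for p in outer for a, v in checks.items()),
        'inner_missing': sorted({a for p in inner for a in checks if a not in p}),
        'inner_matched': matched,
        'no_password': 'No Cleartext-Password configured' in log,
    }


if __name__ == '__main__':
    for key, value in diagnose(DEBUG_LOG, USERS_ENTRY).items():
        print(f'{key}: {value}')
```

On this excerpt it reports Calling-Station-Id present in the outer Access-Request but absent from the tunneled request, where only the DEFAULT entry matched and no Cleartext-Password was found. FreeRADIUS's `copy_request_to_tunnel` option in the `peap` section of eap.conf governs whether outer attributes are copied into the inner request.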

