Greetings!

I did read the "mschap" module file and I did see that in order to use a
cleartext password, I need to set "MS-CHAP-Use-NTLM-Auth := No"; however,
I don't know where to set it.

I tried to set it in the "hints" file like the following. I added it to the
beginning of the file and the rest is just default.

enseo_stb
        MS-CHAP-Use-NTLM-Auth := No

The "enseo_stb" is the username. I do see that it matched the line in
the preprocess in the debug; however, the authentication still failed. I
don't have this user account set in Windows AD. I do have it set in my
users file.

Enseo_stb   Cleartext-Password := "password"

Any advice?? Thank you!!

 

  

Difan Zhao

Network Engineer


www.guest-tek.com <http://www.guest-tek.com/> 

Office: 403-509-1010 ext 3048

Cell: 403-689-7514

 

 


rad_recv: Access-Request packet from host 172.17.254.100 port 1645, id=30, 
length=152
        User-Name = "enseo_stb"
        Service-Type = Framed-User
        Framed-MTU = 1500
        Called-Station-Id = "00-1D-E5-9C-29-05"
        Calling-Station-Id = "00-21-F8-00-24-B3"
        EAP-Message = 0x0202000e01656e73656f5f737462
        Message-Authenticator = 0x8ba26525d2f95b1d79a0c62d87f854de
        NAS-Port-Type = Ethernet
        NAS-Port = 50103
        NAS-Port-Id = "FastEthernet1/0/3"
        NAS-IP-Address = 172.17.254.100
+- entering group authorize {...}
[preprocess]   hints: Matched enseo_stb at 36
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "enseo_stb", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 14
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[files] users: Matched entry enseo_stb at line 34
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
++- entering policy rewrite_calling_station_id {...}
+++? if (request:Calling-Station-Id =~ 
/00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i)
? Evaluating (request:Calling-Station-Id =~ 
/00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i) -> FALSE
+++? if (request:Calling-Station-Id =~ 
/00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i) -> FALSE
+++- entering else else {...}
++++[noop] returns noop
+++- else else returns noop
++- policy rewrite_calling_station_id returns noop
++? if ((Service-Type == 'Call-Check') && (User-Name =~ 
/^%{Calling-Station-ID}$/i))
?? Evaluating (Service-Type == 'Call-Check') -> FALSE
?? Skipping (User-Name =~ /^%{Calling-Station-ID}$/i)
++? if ((Service-Type == 'Call-Check') && (User-Name =~ 
/^%{Calling-Station-ID}$/i)) -> FALSE
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 30 to 172.17.254.100 port 1645
        EAP-Message = 0x010300061920
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xf13fdb9cf13cc2e40d991f43b28399d7
Finished request 1.
Going to the next request
Waking up in 3.9 seconds.
rad_recv: Access-Request packet from host 172.17.254.100 port 1645, id=31, 
length=370
        User-Name = "enseo_stb"
        Service-Type = Framed-User
        Framed-MTU = 1500
        Called-Station-Id = "00-1D-E5-9C-29-05"
        Calling-Station-Id = "00-21-F8-00-24-B3"
        EAP-Message = 
0x020300d6190016030100cb010000c70301386d438ca276cc49f14dfbd77fc35c74edf79c4fb7a13e77365d80e4db3ff4e100005ac014c00a0039003800880087c00fc00500350084c012c00800160013c00dc003000ac013c00900330032009a009900450044c00ec004002f009600410007c011c007c00cc002000500040015001200090014001100080006000301000044000b000403000102000a00340032000100020003000400050006000700080009000a000b000c000d000e000f001000110012001300140015001600170018001900230000
        Message-Authenticator = 0xf22b9ef298b95a509e7aa414d6bda163
        NAS-Port-Type = Ethernet
        NAS-Port = 50103
        NAS-Port-Id = "FastEthernet1/0/3"
        State = 0xf13fdb9cf13cc2e40d991f43b28399d7
        NAS-IP-Address = 172.17.254.100
+- entering group authorize {...}
[preprocess]   hints: Matched enseo_stb at 36
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "enseo_stb", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 214
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap]     (other): before/accept initialization
[peap]     TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 00cb], ClientHello
[peap]     TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 002a], ServerHello
[peap]     TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 0570], Certificate
[peap]     TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 018d], ServerKeyExchange
[peap]     TLS_accept: SSLv3 write key exchange A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap]     TLS_accept: SSLv3 write server done A
[peap]     TLS_accept: SSLv3 flush data
[peap]     TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 31 to 172.17.254.100 port 1645
        EAP-Message = 0x5f7c59c68725c7b7acbbf015
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xf13fdb9cf03bc2e40d991f43b28399d7
Finished request 2.
Going to the next request
Waking up in 3.8 seconds.
rad_recv: Access-Request packet from host 172.17.254.100 port 1645, id=32, 
length=162
        User-Name = "enseo_stb"
        Service-Type = Framed-User
        Framed-MTU = 1500
        Called-Station-Id = "00-1D-E5-9C-29-05"
        Calling-Station-Id = "00-21-F8-00-24-B3"
        EAP-Message = 0x020400061900
        Message-Authenticator = 0x1608b541209c944913895591ee90bff3
        NAS-Port-Type = Ethernet
        NAS-Port = 50103
        NAS-Port-Id = "FastEthernet1/0/3"
        State = 0xf13fdb9cf03bc2e40d991f43b28399d7
        NAS-IP-Address = 172.17.254.100
+- entering group authorize {...}
[preprocess]   hints: Matched enseo_stb at 36
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "enseo_stb", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 4 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 32 to 172.17.254.100 port 1645
        EAP-Message = 
0x4e6574776f726b20456e67696e656572696e67820100300c0603551d13040530030101ff300d06092a864886f70d0101040500038181008136eb3fa3dd3091a1a2294f5cc7f507947de5a8c08cfa439fe6d7360dc342dd44b0c64f9d39806559435c6fd1d803fe9f4bd7b411323cccdd6347659286dee89bb8e3c31fc8d4b0c61a17289036680d06977ffa54468d53153054572cdefd98ff10d4497cebd88423fbd1a93f8b8e2eadbbedf57000e2618c11c115724d746c160301018d0c000189008082f3d2bfbda368fdc7aa04b247120394ecfdd76d1bbbed4153485712c5cd2db1081240badbf5e6b70062aca3583261af7c8b94680094f8eedd4ed5
        EAP-Message = 
0x881ea47c36688c298a722effceef42822e9c63ff861d3c1a5d05c7eacb29db89e666c151585db82ba96f463c20f4cea3585a19831e46f50b49207498938b1af61514320589d4293aee26cc5604366316030100040e000000
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xf13fdb9cf33ac2e40d991f43b28399d7
Finished request 3.
Going to the next request
Waking up in 3.8 seconds.
rad_recv: Access-Request packet from host 172.17.254.100 port 1645, id=33, 
length=360
        User-Name = "enseo_stb"
        Service-Type = Framed-User
        Framed-MTU = 1500
        Called-Station-Id = "00-1D-E5-9C-29-05"
        Calling-Station-Id = "00-21-F8-00-24-B3"
        EAP-Message = 
0x020500cc1900160301008610000082008038f5681145cd0f7ef3bfc1fd75cab2a23e280d74c18c497872e3b98a417cfd7f4c30557f88d11a5dd4734c67b5bed8991d0f93e6ac0cc0afd29b82c439c4652d054adc8a67c308e209f929f786685befc41ca0f13de8bd997f0ca078ee94072a9bd4aed8054765cc2b9ddfd0ebd669b8f9ce2a86a043c5c72fd06dcdc65634bd140301000101160301003021f202942dce4870f7297d226785b7432db88a83ab65dc2fac64b117804cba30d227cc80782c0206c6dda7c694775620
        Message-Authenticator = 0xb4c26f425c6b0cb5f5da57f0f0ed2a1b
        NAS-Port-Type = Ethernet
        NAS-Port = 50103
        NAS-Port-Id = "FastEthernet1/0/3"
        State = 0xf13fdb9cf33ac2e40d991f43b28399d7
        NAS-IP-Address = 172.17.254.100
+- entering group authorize {...}
[preprocess]   hints: Matched enseo_stb at 36
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "enseo_stb", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 5 length 204
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
[peap]     TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap]     TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap]     TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap]     TLS_accept: SSLv3 write finished A
[peap]     TLS_accept: SSLv3 flush data
[peap]     (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 33 to 172.17.254.100 port 1645
        EAP-Message = 
0x0106004119001403010001011603010030de7cff041afd48187c703ba2f6c9eec16e205bf663dad9a281e9a5da225a699afc389b141d8618bf7373322245ed3c10
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xf13fdb9cf239c2e40d991f43b28399d7
Finished request 4.
Going to the next request
Waking up in 3.4 seconds.
rad_recv: Access-Request packet from host 172.17.254.100 port 1645, id=34, 
length=162
        User-Name = "enseo_stb"
        Service-Type = Framed-User
        Framed-MTU = 1500
        Called-Station-Id = "00-1D-E5-9C-29-05"
        Calling-Station-Id = "00-21-F8-00-24-B3"
        EAP-Message = 0x020600061900
        Message-Authenticator = 0x7276b13bff26e5ee7c6941547b8fab6c
        NAS-Port-Type = Ethernet
        NAS-Port = 50103
        NAS-Port-Id = "FastEthernet1/0/3"
        State = 0xf13fdb9cf239c2e40d991f43b28399d7
        NAS-IP-Address = 172.17.254.100
+- entering group authorize {...}
[preprocess]   hints: Matched enseo_stb at 36
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "enseo_stb", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 6 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
++[eap] returns handled
Sending Access-Challenge of id 34 to 172.17.254.100 port 1645
        EAP-Message = 
0x0107002b19001703010020a16a838465fe7ab02400cd3ba33c384f8be3add45ee546fb15847acd5b98ff7d
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xf13fdb9cf538c2e40d991f43b28399d7
Finished request 5.
Going to the next request
Waking up in 3.3 seconds.
rad_recv: Access-Request packet from host 172.17.254.100 port 1645, id=35, 
length=236
        User-Name = "enseo_stb"
        Service-Type = Framed-User
        Framed-MTU = 1500
        Called-Station-Id = "00-1D-E5-9C-29-05"
        Calling-Station-Id = "00-21-F8-00-24-B3"
        EAP-Message = 
0x0207005019001703010020e5b2276a265697048943aadb8c9a9bf20cfbca421587d2b4badb49e44a2bd2ad1703010020abdd13bfd09fdebf360b0e7d2aa98eb6589f7977b007d32361481ffa59c73c67
        Message-Authenticator = 0x0857f2df65db634902f25b620a6641f9
        NAS-Port-Type = Ethernet
        NAS-Port = 50103
        NAS-Port-Id = "FastEthernet1/0/3"
        State = 0xf13fdb9cf538c2e40d991f43b28399d7
        NAS-IP-Address = 172.17.254.100
+- entering group authorize {...}
[preprocess]   hints: Matched enseo_stb at 36
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "enseo_stb", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 7 length 80
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Identity - enseo_stb
[peap] Got tunneled request
        EAP-Message = 0x0207000e01656e73656f5f737462
server  {
  PEAP: Got tunneled identity of enseo_stb
  PEAP: Setting default EAP type for tunneled EAP session.
  PEAP: Setting User-Name to enseo_stb
Sending tunneled request
        EAP-Message = 0x0207000e01656e73656f5f737462
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "enseo_stb"
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "enseo_stb", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 7 length 14
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry enseo_stb at line 34
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
        EAP-Message = 
0x010800231a0108001e10cfc4c67360ee63531d076f5a832be6fe656e73656f5f737462
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xbfae7aa2bfa6609c8d1b7c7d4057ea4d
[peap] Got tunneled reply RADIUS code 11
        EAP-Message = 
0x010800231a0108001e10cfc4c67360ee63531d076f5a832be6fe656e73656f5f737462
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xbfae7aa2bfa6609c8d1b7c7d4057ea4d
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 35 to 172.17.254.100 port 1645
        EAP-Message = 
0x0108004b190017030100405bf7b901ce7d0b6acd122259f6603440892669352933675ff17239de05887425b24ed5c016ef04d1d124f7449f8ff7afe8156c8fe73fba2db2a31127872f64be
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xf13fdb9cf437c2e40d991f43b28399d7
Finished request 6.
Going to the next request
Waking up in 3.3 seconds.
rad_recv: Access-Request packet from host 172.17.254.100 port 1645, id=36, 
length=300
        User-Name = "enseo_stb"
        Service-Type = Framed-User
        Framed-MTU = 1500
        Called-Station-Id = "00-1D-E5-9C-29-05"
        Calling-Station-Id = "00-21-F8-00-24-B3"
        EAP-Message = 
0x020800901900170301002063e3d0217e7a7f69f4a6ee49e9f64d2da607f5c204d797a1d79b276898ae2ff717030100605a1855de63f7b173606862b681aff67dd46ae1a4064888790061e6c262bdd1a3f784378c7fe7ee5583c8e28cdb5f0390b4cda363c51c5a47ca630f49b75731a070353ec04bcf7e3c1c139c6d3f0849a0ab6b1dc5be4ef15b2a8008b87879b46e
        Message-Authenticator = 0x7c7db11b9687b18347d5b3df310b5398
        NAS-Port-Type = Ethernet
        NAS-Port = 50103
        NAS-Port-Id = "FastEthernet1/0/3"
        State = 0xf13fdb9cf437c2e40d991f43b28399d7
        NAS-IP-Address = 172.17.254.100
+- entering group authorize {...}
[preprocess]   hints: Matched enseo_stb at 36
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "enseo_stb", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 8 length 144
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] EAP type mschapv2
[peap] Got tunneled request
        EAP-Message = 
0x020800441a0208003f31ac5277b3f4f1656b6bd430da666da40b0000000000000000d51e8107e092941350494bec1867b087b285ffd5bf2f3a4300656e73656f5f737462
server  {
  PEAP: Setting User-Name to enseo_stb
Sending tunneled request
        EAP-Message = 
0x020800441a0208003f31ac5277b3f4f1656b6bd430da666da40b0000000000000000d51e8107e092941350494bec1867b087b285ffd5bf2f3a4300656e73656f5f737462
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "enseo_stb"
        State = 0xbfae7aa2bfa6609c8d1b7c7d4057ea4d
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "enseo_stb", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 8 length 68
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry enseo_stb at line 34
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] Told to do MS-CHAPv2 for enseo_stb with NT-Password
[mschap] No NT-Domain was found in the User-Name.
[mschap]        expand: --domain=%{mschap:NT-Domain} -> --domain=
[mschap]        expand: --username=%{mschap:User-Name} -> --username=enseo_stb
[mschap]  mschap2: cf
[mschap]        expand: --challenge=%{mschap:Challenge:-00} -> 
--challenge=7e61828ad9b02d32
[mschap]        expand: --nt-response=%{mschap:NT-Response:-00} -> 
--nt-response=d51e8107e092941350494bec1867b087b285ffd5bf2f3a43
Exec-Program output: No such user (0xc0000064)
Exec-Program-Wait: plaintext: No such user (0xc0000064)
Exec-Program: returned: 1
[mschap] External script failed.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
Login incorrect: [enseo_stb/<via Auth-Type = EAP>] (from client switches port 0 
via TLS tunnel)
} # server inner-tunnel
[peap] Got tunneled reply code 3
        MS-CHAP-Error = "\010E=691 R=1"
        EAP-Message = 0x04080004
        Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code 3
        MS-CHAP-Error = "\010E=691 R=1"
        EAP-Message = 0x04080004
        Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] returns handled
Sending Access-Challenge of id 36 to 172.17.254.100 port 1645
        EAP-Message = 
0x0109002b190017030100208bf383d0327980fb513577e7d7f206be0ce9dae4bc35d80d587e2783d6d9a682
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xf13fdb9cf736c2e40d991f43b28399d7
Finished request 7.
Going to the next request
Waking up in 3.3 seconds.
rad_recv: Access-Request packet from host 172.17.254.100 port 1645, id=37, 
length=236
        User-Name = "enseo_stb"
        Service-Type = Framed-User
        Framed-MTU = 1500
        Called-Station-Id = "00-1D-E5-9C-29-05"
        Calling-Station-Id = "00-21-F8-00-24-B3"
        EAP-Message = 
0x02090050190017030100209afe200d4d90d2f10a3521c32bec7190a947b2a5b2d40d2dcc5ec79aea3f2f151703010020ef2dbd7373e2664b41554cf78f206b78fb064cf58b25370b00b06d9d08f3ab07
        Message-Authenticator = 0x087077f7c982e953d1ffc528e3b6bcf9
        NAS-Port-Type = Ethernet
        NAS-Port = 50103
        NAS-Port-Id = "FastEthernet1/0/3"
        State = 0xf13fdb9cf736c2e40d991f43b28399d7
        NAS-IP-Address = 172.17.254.100
+- entering group authorize {...}
[preprocess]   hints: Matched enseo_stb at 36
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "enseo_stb", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 9 length 80
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Received EAP-TLV response.
[peap]  Had sent TLV failure.  User was rejected earlier in this session.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect: [enseo_stb/<via Auth-Type = EAP>] (from client switches port 
50103 cli 00-21-F8-00-24-B3)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> enseo_stb
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 8 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 8
Sending Access-Reject of id 37 to 172.17.254.100 port 1645
        EAP-Message = 0x04090004
        Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 2.3 seconds.
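
The debug output in the post interleaves the outer request with the PEAP `inner-tunnel` virtual server, so it helps to attribute each message to the server that logged it. The script below is an added example, not part of the original post or of FreeRADIUS; the excerpt is constructed from lines in the log above, and `triage`, `exec_without_hints` and the `outer` label are hypothetical names.

```python
import re

# Constructed excerpt: lines taken from the debug output in the post, trimmed
# to the outer request and the PEAP inner tunnel of the failing round.
SAMPLE_LOG = """\
+- entering group authorize {...}
[preprocess]   hints: Matched enseo_stb at 36
++[preprocess] returns ok
++[mschap] returns noop
[files] users: Matched entry enseo_stb at line 34
+- entering group authenticate {...}
server  {
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[files] users: Matched entry enseo_stb at line 34
++[files] returns ok
+- entering group authenticate {...}
[mschap] Told to do MS-CHAPv2 for enseo_stb with NT-Password
Exec-Program output: No such user (0xc0000064)
[mschap] External script failed.
++[mschap] returns reject
} # server inner-tunnel
[peap] Tunneled authentication was rejected.
"""

SERVER_OPEN = re.compile(r"^server\s+([\w.-]+)\s*\{")  # skips the unnamed "server  {"
SERVER_CLOSE = re.compile(r"^\}\s*#\s*server\s+([\w.-]+)")
MODULE_RETURN = re.compile(r"^\++\[([\w.]+)\] returns (\w+)")
EXEC_OUTPUT = re.compile(r"^Exec-Program output:\s*(.*)")


def triage(log_text):
    """Attribute module results and key events to the virtual server that logged them."""
    stack = ["outer"]  # hypothetical label for lines outside any named server block
    report = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := SERVER_OPEN.match(line):
            stack.append(m.group(1))
            continue
        if (m := SERVER_CLOSE.match(line)) and len(stack) > 1 and stack[-1] == m.group(1):
            stack.pop()
            continue
        ctx = report.setdefault(stack[-1], {"modules": [], "hints_matched": False,
                                            "users_matched": False, "exec_output": []})
        if m := MODULE_RETURN.match(line):
            ctx["modules"].append((m.group(1), m.group(2)))
        elif "hints: Matched" in line:
            ctx["hints_matched"] = True
        elif "users: Matched entry" in line:
            ctx["users_matched"] = True
        elif m := EXEC_OUTPUT.match(line):
            ctx["exec_output"].append(m.group(1))
    return report


def exec_without_hints(report):
    """Servers where the external program ran although no hints entry matched there."""
    return sorted(name for name, ctx in report.items()
                  if ctx["exec_output"] and not ctx["hints_matched"])


if __name__ == "__main__":
    print("external program ran without a hints match in:",
          exec_without_hints(triage(SAMPLE_LOG)))
```

On the excerpt it reports that the `hints` match was logged only outside the tunnel, while the `Exec-Program` call that returned `No such user` ran inside `inner-tunnel`, where no `preprocess` result appears.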