On 24/06/10 11:03, Alan DeKok wrote:
> Neil Prockter wrote:
>> I have a working config for PAP with LDAP against AD and a working
>> config for PEAP/MSCHAPv2 with ntlm_auth.
>>
>> I need the server to do both but when I combine the configs one thing or
>> another breaks.
>
> And debug output says... ?
This is a config that works for PAP/LDAP but not PEAP/MSCHAPv2:

Info: FreeRADIUS Version 2.1.8, for host x86_64-pc-linux-gnu, built on Jan 5 2010 at 02:56:18
Info: Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
Info: There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
Info: PARTICULAR PURPOSE.
Info: You may redistribute copies of FreeRADIUS under the terms of the
Info: GNU General Public License v2.
Info: Starting - reading configuration files ...
Debug: including configuration file /etc/freeradius/radiusd.conf
Debug: including configuration file /etc/freeradius/proxy.conf
Debug: including configuration file /etc/freeradius/clients.conf
Debug: including files in directory /etc/freeradius/modules/
Debug: including configuration file /etc/freeradius/modules/exec
Debug: including configuration file /etc/freeradius/modules/radutmp
Debug: including configuration file /etc/freeradius/modules/expiration
Debug: including configuration file /etc/freeradius/modules/files
Debug: including configuration file /etc/freeradius/modules/attr_filter
Debug: including configuration file /etc/freeradius/modules/ippool
Debug: including configuration file /etc/freeradius/modules/etc_group
Debug: including configuration file /etc/freeradius/modules/counter
Debug: including configuration file /etc/freeradius/modules/realm
Debug: including configuration file /etc/freeradius/modules/detail.log
Debug: including configuration file /etc/freeradius/modules/wimax
Debug: including configuration file /etc/freeradius/modules/policy
Debug: including configuration file /etc/freeradius/modules/detail.example.com
Debug: including configuration file /etc/freeradius/modules/linelog
Debug: including configuration file /etc/freeradius/modules/passwd
Debug: including configuration file /etc/freeradius/modules/preprocess
Debug: including configuration file /etc/freeradius/modules/perl
Debug: including configuration file /etc/freeradius/modules/mac2vlan
Debug: including configuration file /etc/freeradius/modules/sql_log
Debug: including configuration file /etc/freeradius/modules/acct_unique
Debug: including configuration file /etc/freeradius/modules/smbpasswd
Debug: including configuration file /etc/freeradius/modules/pap
Debug: including configuration file /etc/freeradius/modules/cui
Debug: including configuration file /etc/freeradius/modules/smsotp
Debug: including configuration file /etc/freeradius/modules/sradutmp
Debug: including configuration file /etc/freeradius/modules/always
Debug: including configuration file /etc/freeradius/modules/inner-eap
Debug: including configuration file /etc/freeradius/modules/attr_rewrite
Debug: including configuration file /etc/freeradius/modules/expr
Debug: including configuration file /etc/freeradius/modules/krb5
Debug: including configuration file /etc/freeradius/modules/chap
Debug: including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login
Debug: including configuration file /etc/freeradius/modules/checkval
Debug: including configuration file /etc/freeradius/modules/otp
Debug: including configuration file /etc/freeradius/modules/digest
Debug: including configuration file /etc/freeradius/modules/ldap
Debug: including configuration file /etc/freeradius/modules/ntlm_auth
Debug: including configuration file /etc/freeradius/modules/mschap
Debug: including configuration file /etc/freeradius/modules/echo
Debug: including configuration file /etc/freeradius/modules/logintime
Debug: including configuration file /etc/freeradius/modules/detail
Debug: including configuration file /etc/freeradius/modules/pam
Debug: including configuration file /etc/freeradius/modules/mac2ip
Debug: including configuration file /etc/freeradius/modules/unix
Debug: including configuration file /etc/freeradius/eap.conf
Debug: including configuration file /etc/freeradius/policy.conf
Debug: including files in directory /etc/freeradius/sites-enabled/
Debug: including configuration file /etc/freeradius/sites-enabled/inner-tunnel
Debug: including configuration file /etc/freeradius/sites-enabled/default
Debug: main {
Debug: 	user = "freerad"
Debug: 	group = "freerad"
Debug: 	allow_core_dumps = no
Debug: }
Debug: including dictionary file /etc/freeradius/dictionary
Debug: main {
Debug: 	prefix = "/usr"
Debug: 	localstatedir = "/var"
Debug: 	logdir = "/var/log/freeradius"
Debug: 	libdir = "/usr/lib/freeradius"
Debug: 	radacctdir = "/var/log/freeradius/radacct"
Debug: 	hostname_lookups = no
Debug: 	max_request_time = 30
Debug: 	cleanup_delay = 5
Debug: 	max_requests = 1024
Debug: 	pidfile = "/var/run/freeradius/freeradius.pid"
Debug: 	checkrad = "/usr/sbin/checkrad"
Debug: 	debug_level = 0
Debug: 	proxy_requests = yes
Debug: 	log {
Debug: 		stripped_names = no
Debug: 		auth = no
Debug: 		auth_badpass = no
Debug: 		auth_goodpass = no
Debug: 	}
Debug: 	security {
Debug: 		max_attributes = 200
Debug: 		reject_delay = 1
Debug: 		status_server = yes
Debug: 	}
Debug: }
Debug: radiusd: #### Loading Realms and Home Servers ####
Debug: proxy server {
Debug: 	retry_delay = 5
Debug: 	retry_count = 3
Debug: 	default_fallback = no
Debug: 	dead_time = 120
Debug: 	wake_all_if_all_dead = no
Debug: }
Debug: home_server localhost {
Debug: 	ipaddr = 127.0.0.1
Debug: 	port = 1812
Debug: 	type = "auth"
Debug: 	secret = "testing123"
Debug: 	response_window = 20
Debug: 	max_outstanding = 65536
Debug: 	require_message_authenticator = no
Debug: 	zombie_period = 40
Debug: 	status_check = "status-server"
Debug: 	ping_interval = 30
Debug: 	check_interval = 30
Debug: 	num_answers_to_alive = 3
Debug: 	num_pings_to_alive = 3
Debug: 	revive_interval = 120
Debug: 	status_check_timeout = 4
Debug: 	irt = 2
Debug: 	mrt = 16
Debug: 	mrc = 5
Debug: 	mrd = 30
Debug: }
Debug: home_server_pool my_auth_failover {
Debug: 	type = fail-over
Debug: 	home_server = localhost
Debug: }
Debug: realm example.com {
Debug: 	auth_pool = my_auth_failover
Debug: }
Debug: realm LOCAL {
Debug: }
Debug: radiusd: #### Loading Clients ####
Debug: client localhost {
Debug: 	ipaddr = 127.0.0.1
Debug: 	require_message_authenticator = no
Debug: 	secret = "testing123"
Debug: 	nastype = "other"
Debug: }
Debug: client wism.net {
Debug: 	require_message_authenticator = no
Debug: 	secret = "police"
Debug: }
Debug: radiusd: #### Instantiating modules ####
Debug: instantiate {
Debug: (Loaded rlm_exec, checking if it's valid)
Debug: Module: Linked to module rlm_exec
Debug: Module: Instantiating exec
Debug: 	exec {
Debug: 		wait = no
Debug: 		input_pairs = "request"
Debug: 		shell_escape = yes
Debug: 	}
Debug: (Loaded rlm_expr, checking if it's valid)
Debug: Module: Linked to module rlm_expr
Debug: Module: Instantiating expr
Debug: (Loaded rlm_expiration, checking if it's valid)
Debug: Module: Linked to module rlm_expiration
Debug: Module: Instantiating expiration
Debug: 	expiration {
Debug: 		reply-message = "Password Has Expired "
Debug: 	}
Debug: (Loaded rlm_logintime, checking if it's valid)
Debug: Module: Linked to module rlm_logintime
Debug: Module: Instantiating logintime
Debug: 	logintime {
Debug: 		reply-message = "You are calling outside your allowed timespan "
Debug: 		minimum-timeout = 60
Debug: 	}
Debug: }
Debug: radiusd: #### Loading Virtual Servers ####
Debug: server inner-tunnel {
Debug: modules {
Debug: Module: Checking authenticate {...} for more modules to load
Debug: (Loaded rlm_pap, checking if it's valid)
Debug: Module: Linked to module rlm_pap
Debug: Module: Instantiating pap
Debug: 	pap {
Debug: 		encryption_scheme = "auto"
Debug: 		auto_header = no
Debug: 	}
Debug: (Loaded rlm_chap, checking if it's valid)
Debug: Module: Linked to module rlm_chap
Debug: Module: Instantiating chap
Debug: (Loaded rlm_mschap, checking if it's valid)
Debug: Module: Linked to module rlm_mschap
Debug: Module: Instantiating mschap
Debug: 	mschap {
Debug: 		use_mppe = yes
Debug: 		require_encryption = no
Debug: 		require_strong = no
Debug: 		with_ntdomain_hack = yes
Debug: 		ntlm_auth = "/usr/local/bin/mschap-ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
Debug: 	}
Debug: (Loaded rlm_unix, checking if it's valid)
Debug: Module: Linked to module rlm_unix
Debug: Module: Instantiating unix
Debug: 	unix {
Debug: 		radwtmp = "/var/log/freeradius/radwtmp"
Debug: 	}
Debug: (Loaded rlm_eap, checking if it's valid)
Debug: Module: Linked to module rlm_eap
Debug: Module: Instantiating eap
Debug: 	eap {
Debug: 		default_eap_type = "md5"
Debug: 		timer_expire = 60
Debug: 		ignore_unknown_eap_types = no
Debug: 		cisco_accounting_username_bug = no
Debug: 		max_sessions = 4096
Debug: 	}
Debug: Module: Linked to sub-module rlm_eap_md5
Debug: Module: Instantiating eap-md5
Debug: Module: Linked to sub-module rlm_eap_leap
Debug: Module: Instantiating eap-leap
Debug: Module: Linked to sub-module rlm_eap_gtc
Debug: Module: Instantiating eap-gtc
Debug: 	gtc {
Debug: 		challenge = "Password: "
Debug: 		auth_type = "PAP"
Debug: 	}
Debug: Module: Linked to sub-module rlm_eap_tls
Debug: Module: Instantiating eap-tls
Debug: 	tls {
Debug: 		rsa_key_exchange = no
Debug: 		dh_key_exchange = yes
Debug: 		rsa_key_length = 512
Debug: 		dh_key_length = 512
Debug: 		verify_depth = 0
Debug: 		pem_file_type = yes
Debug: 		private_key_file = "/etc/freeradius/certs/server.key"
Debug: 		certificate_file = "/etc/freeradius/certs/server.pem"
Debug: 		CA_file = "/etc/freeradius/certs/ca.pem"
Debug: 		private_key_password = "whatever"
Debug: 		dh_file = "/etc/freeradius/certs/dh"
Debug: 		random_file = "/etc/freeradius/certs/random"
Debug: 		fragment_size = 1024
Debug: 		include_length = yes
Debug: 		check_crl = no
Debug: 		cipher_list = "DEFAULT"
Debug: 		make_cert_command = "/etc/freeradius/certs/bootstrap"
Debug: 		cache {
Debug: 			enable = no
Debug: 			lifetime = 24
Debug: 			max_entries = 255
Debug: 		}
Debug: 	}
Debug: Module: Linked to sub-module rlm_eap_ttls
Debug: Module: Instantiating eap-ttls
Debug: 	ttls {
Debug: 		default_eap_type = "md5"
Debug: 		copy_request_to_tunnel = no
Debug: 		use_tunneled_reply = no
Debug: 		virtual_server = "inner-tunnel"
Debug: 		include_length = yes
Debug: 	}
Debug: Module: Linked to sub-module rlm_eap_peap
Debug: Module: Instantiating eap-peap
Debug: 	peap {
Debug: 		default_eap_type = "mschapv2"
Debug: 		copy_request_to_tunnel = no
Debug: 		use_tunneled_reply = no
Debug: 		proxy_tunneled_request_as_eap = yes
Debug: 		virtual_server = "inner-tunnel"
Debug: 	}
Debug: Module: Linked to sub-module rlm_eap_mschapv2
Debug: Module: Instantiating eap-mschapv2
Debug: 	mschapv2 {
Debug: 		with_ntdomain_hack = no
Debug: 	}
Debug: Module: Checking authorize {...} for more modules to load
Debug: (Loaded rlm_realm, checking if it's valid)
Debug: Module: Linked to module rlm_realm
Debug: Module: Instantiating suffix
Debug: 	realm suffix {
Debug: 		format = "suffix"
Debug: 		delimiter = "@"
Debug: 		ignore_default = no
Debug: 		ignore_null = no
Debug: 	}
Debug: (Loaded rlm_files, checking if it's valid)
Debug: Module: Linked to module rlm_files
Debug: Module: Instantiating files
Debug: 	files {
Debug: 		usersfile = "/etc/freeradius/users"
Debug: 		acctusersfile = "/etc/freeradius/acct_users"
Debug: 		preproxy_usersfile = "/etc/freeradius/preproxy_users"
Debug: 		compat = "no"
Debug: 	}
Debug: Module: Checking session {...} for more modules to load
Debug: (Loaded rlm_radutmp, checking if it's valid)
Debug: Module: Linked to module rlm_radutmp
Debug: Module: Instantiating radutmp
Debug: 	radutmp {
Debug: 		filename = "/var/log/freeradius/radutmp"
Debug: 		username = "%{User-Name}"
Debug: 		case_sensitive = yes
Debug: 		check_with_nas = yes
Debug: 		perm = 384
Debug: 		callerid = yes
Debug: 	}
Debug: Module: Checking post-proxy {...} for more modules to load
Debug: Module: Checking post-auth {...} for more modules to load
Debug: (Loaded rlm_attr_filter, checking if it's valid)
Debug: Module: Linked to module rlm_attr_filter
Debug: Module: Instantiating attr_filter.access_reject
Debug: 	attr_filter attr_filter.access_reject {
Debug: 		attrsfile = "/etc/freeradius/attrs.access_reject"
Debug: 		key = "%{User-Name}"
Debug: 	}
Debug: } # modules
Debug: } # server
Debug: server {
Debug: modules {
Debug: Module: Checking authenticate {...} for more modules to load
Debug: (Loaded rlm_ldap, checking if it's valid)
Debug: Module: Linked to module rlm_ldap
Debug: Module: Instantiating ldap
Debug: 	ldap {
Debug: 		server = "ad.net"
Debug: 		port = 389
Debug: 		password = "UNKNOWN"
Debug: 		identity = "cn=UNKNOWN,cn=Users,dc=net"
Debug: 		net_timeout = 1
Debug: 		timeout = 4
Debug: 		timelimit = 3
Debug: 		tls_mode = no
Debug: 		start_tls = no
Debug: 		tls_require_cert = "allow"
Debug: 		tls {
Debug: 			start_tls = no
Debug: 			require_cert = "allow"
Debug: 		}
Debug: 		basedn = "cn=Users,dc=net"
Debug: 		filter = "(cn=%{%{Stripped-User-Name}:-%{User-Name}})"
Debug: 		base_filter = "(objectclass=radiusprofile)"
Debug: 		auto_header = no
Debug: 		access_attr_used_for_allow = yes
Debug: 		groupname_attribute = "cn"
Debug: 		groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
Debug: 		dictionary_mapping = "/etc/freeradius/ldap.attrmap"
Debug: 		ldap_debug = 0
Debug: 		ldap_connections_number = 5
Debug: 		compare_check_items = no
Debug: 		do_xlat = yes
Debug: 		edir_account_policy_check = no
Debug: 		set_auth_type = yes
Debug: 	}
Debug: rlm_ldap: Registering ldap_groupcmp for Ldap-Group
Debug: rlm_ldap: Registering ldap_xlat with xlat_name ldap
Debug: rlm_ldap: reading ldap<->radius mappings from file /etc/freeradius/ldap.attrmap
Debug: rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
Debug: rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
Debug: rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
Debug: rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
Debug: rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
Debug: rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
Debug: rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
Debug: rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
Debug: rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password
Debug: rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password
Debug: rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password
Debug: rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
Debug: rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
Debug: rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
Debug: rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
Debug: rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
Debug: rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
Debug: rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
Debug: rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
Debug: rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
Debug: rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
Debug: rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
Debug: rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
Debug: rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
Debug: rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
Debug: rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
Debug: rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
Debug: rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
Debug: rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
Debug: rlm_ldap: LDAP radiusClass mapped to RADIUS Class
Debug: rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
Debug: rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
Debug: rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
Debug: rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
Debug: rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
Debug: rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
Debug: rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link
Debug: rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network
Debug: rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone
Debug: rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
Debug: rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
Debug: rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
Debug: rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type
Debug: rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type
Debug: rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id
Debug: conns: 0x1663c00
Debug: Module: Checking authorize {...} for more modules to load
Debug: (Loaded rlm_preprocess, checking if it's valid)
Debug: Module: Linked to module rlm_preprocess
Debug: Module: Instantiating preprocess
Debug: 	preprocess {
Debug: 		huntgroups = "/etc/freeradius/huntgroups"
Debug: 		hints = "/etc/freeradius/hints"
Debug: 		with_ascend_hack = no
Debug: 		ascend_channels_per_line = 23
Debug: 		with_ntdomain_hack = no
Debug: 		with_specialix_jetstream_hack = no
Debug: 		with_cisco_vsa_hack = no
Debug: 		with_alvarion_vsa_hack = no
Debug: 	}
Debug: Module: Checking preacct {...} for more modules to load
Debug: (Loaded rlm_acct_unique, checking if it's valid)
Debug: Module: Linked to module rlm_acct_unique
Debug: Module: Instantiating acct_unique
Debug: 	acct_unique {
Debug: 		key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
Debug: 	}
Debug: Module: Checking accounting {...} for more modules to load
Debug: (Loaded rlm_detail, checking if it's valid)
Debug: Module: Linked to module rlm_detail
Debug: Module: Instantiating detail
Debug: 	detail {
Debug: 		detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
Debug: 		header = "%t"
Debug: 		detailperm = 384
Debug: 		dirperm = 493
Debug: 		locking = no
Debug: 		log_packet_header = no
Debug: 	}
Debug: Module: Instantiating attr_filter.accounting_response
Debug: 	attr_filter attr_filter.accounting_response {
Debug: 		attrsfile = "/etc/freeradius/attrs.accounting_response"
Debug: 		key = "%{User-Name}"
Debug: 	}
Debug: Module: Checking session {...} for more modules to load
Debug: Module: Checking post-proxy {...} for more modules to load
Debug: Module: Checking post-auth {...} for more modules to load
Debug: } # modules
Debug: } # server
Debug: radiusd: #### Opening IP addresses and Ports ####
Debug: listen {
Debug: 	type = "auth"
Debug: 	ipaddr = *
Debug: 	port = 0
Debug: }
Debug: listen {
Debug: 	type = "acct"
Debug: 	ipaddr = *
Debug: 	port = 0
Debug: }
Debug: Listening on authentication address * port 1812
Debug: Listening on accounting address * port 1813
Debug: Listening on proxy address * port 1814
Info: Ready to process requests.
rad_recv: Access-Request packet from host WI.SM.IP.AD port 32769, id=228, length=181
	User-Name = "anonymous"
	Calling-Station-Id = "00-de-ad-be-ef-00"
	Called-Station-Id = "00-de-ad-be-ef-00:300s71"
	NAS-Port = 29
	NAS-IP-Address = WI.SM.IP.AD
	NAS-Identifier = "wism"
	Airespace-Wlan-Id = 1
	Service-Type = Framed-User
	Framed-MTU = 1300
	NAS-Port-Type = Wireless-802.11
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "224"
	EAP-Message = 0x0202000e01616e6f6e796d6f7573
	Message-Authenticator = 0x3b9fe0ba7bf891b5ca19f03e42078be3
Info: +- entering group authorize {...}
Info: ++[preprocess] returns ok
Info: ++[chap] returns noop
Info: ++[mschap] returns noop
Info: [suffix] No '@' in User-Name = "anonymous", looking up realm NULL
Info: [suffix] No such realm "NULL"
Info: ++[suffix] returns noop
Info: [eap] EAP packet type response id 2 length 14
Info: [eap] No EAP Start, assuming it's an on-going EAP conversation
Info: ++[eap] returns updated
Info: ++[unix] returns notfound
Info: ++[files] returns noop
Info: [ldap] performing user authorization for anonymous
Info: [ldap] expand: %{Stripped-User-Name} ->
Info: [ldap] ... expanding second conditional
Info: [ldap] expand: %{User-Name} -> anonymous
Info: [ldap] expand: (cn=%{%{Stripped-User-Name}:-%{User-Name}}) -> (cn=anonymous)
Info: [ldap] expand: cn=Users,dc=net -> cn=Users,dc=net
Debug: [ldap] ldap_get_conn: Checking Id: 0
Debug: [ldap] ldap_get_conn: Got Id: 0
Debug: [ldap] attempting LDAP reconnection
Debug: [ldap] (re)connect to ad1.net:389, authentication 0
Debug: [ldap] bind as cn=UNKNOWN,cn=Users,dc=net/UNKNOWN to ad.net:389
Debug: [ldap] waiting for bind result ...
Debug: [ldap] Bind was successful
Debug: [ldap] performing search in cn=Users,dc=net, with filter (cn=anonymous)
Debug: [ldap] object not found
Info: [ldap] search failed
Debug: [ldap] ldap_release_conn: Release Id: 0
Info: ++[ldap] returns notfound
Info: ++[expiration] returns noop
Info: ++[logintime] returns noop
Info: [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
Info: ++[pap] returns noop
Info: Found Auth-Type = EAP
Info: +- entering group authenticate {...}
Info: [eap] EAP Identity
Info: [eap] processing type md5
Debug: rlm_eap_md5: Issuing Challenge
Info: ++[eap] returns handled
Sending Access-Challenge of id 228 to WI.SM.IP.AD port 32769
	EAP-Message = 0x0103001604101efb6c5b449907ded101f79bf4da4ea1
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x65f0ad2d65f3a9e6f4a939a01468bf34
Info: Finished request 0.
Debug: Going to the next request
Debug: Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host WI.SM.IP.AD port 32769, id=229, length=191
	User-Name = "anonymous"
	Calling-Station-Id = "00-de-ad-be-ef-00"
	Called-Station-Id = "00-de-ad-be-ef-00:300s71"
	NAS-Port = 29
	NAS-IP-Address = WI.SM.IP.AD
	NAS-Identifier = "wism-s-7-1"
	Airespace-Wlan-Id = 1
	Service-Type = Framed-User
	Framed-MTU = 1300
	NAS-Port-Type = Wireless-802.11
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "224"
	EAP-Message = 0x020300060319
	State = 0x65f0ad2d65f3a9e6f4a939a01468bf34
	Message-Authenticator = 0x179fef7f379024051186e7de60beed29
Info: +- entering group authorize {...}
Info: ++[preprocess] returns ok
Info: ++[chap] returns noop
Info: ++[mschap] returns noop
Info: [suffix] No '@' in User-Name = "anonymous", looking up realm NULL
Info: [suffix] No such realm "NULL"
Info: ++[suffix] returns noop
Info: [eap] EAP packet type response id 3 length 6
Info: [eap] No EAP Start, assuming it's an on-going EAP conversation
Info: ++[eap] returns updated
Info: ++[unix] returns notfound
Info: ++[files] returns noop
Info: [ldap] performing user authorization for anonymous
Info: [ldap] expand: %{Stripped-User-Name} ->
Info: [ldap] ... expanding second conditional
Info: [ldap] expand: %{User-Name} -> anonymous
Info: [ldap] expand: (cn=%{%{Stripped-User-Name}:-%{User-Name}}) -> (cn=anonymous)
Info: [ldap] expand: cn=Users,dc=net -> cn=Users,dc=net
Debug: [ldap] ldap_get_conn: Checking Id: 0
Debug: [ldap] ldap_get_conn: Got Id: 0
Debug: [ldap] performing search in cn=Users,dc=net, with filter (cn=anonymous)
Debug: [ldap] object not found
Info: [ldap] search failed
Debug: [ldap] ldap_release_conn: Release Id: 0
Info: ++[ldap] returns notfound
Info: ++[expiration] returns noop
Info: ++[logintime] returns noop
Info: [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
Info: ++[pap] returns noop
Info: Found Auth-Type = EAP
Info: +- entering group authenticate {...}
Info: [eap] Request found, released from the list
Info: [eap] EAP NAK
Info: [eap] EAP-NAK asked for EAP-Type/peap
Info: [eap] processing type tls
Info: [tls] Initiate
Info: [tls] Start returned 1
Info: ++[eap] returns handled
Sending Access-Challenge of id 229 to WI.SM.IP.AD port 32769
	EAP-Message = 0x010400061920
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x65f0ad2d64f4b4e6f4a939a01468bf34
Info: Finished request 1.
Debug: Going to the next request
Debug: Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host WI.SM.IP.AD port 32769, id=230, length=296
	User-Name = "anonymous"
	Calling-Station-Id = "00-de-ad-be-ef-00"
	Called-Station-Id = "00-de-ad-be-ef-00:300s71"
	NAS-Port = 29
	NAS-IP-Address = WI.SM.IP.AD
	NAS-Identifier = "wism-s-7-1"
	Airespace-Wlan-Id = 1
	Service-Type = Framed-User
	Framed-MTU = 1300
	NAS-Port-Type = Wireless-802.11
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "224"
	EAP-Message = 0x0204006f19800000006516030100600100005c03014c24d1d07d00bac9bd661d741d6ae192350e5909eef304731ccd40d53c94d014000018002f00350005000ac013c014c009c00a00320038001300040100001b0000000700050000026e70000a0006000400170018000b00020100
	State = 0x65f0ad2d64f4b4e6f4a939a01468bf34
	Message-Authenticator = 0xb9fa17ba1dd694d52f755de2848888af
Info: +- entering group authorize {...}
Info: ++[preprocess] returns ok
Info: ++[chap] returns noop
Info: ++[mschap] returns noop
Info: [suffix] No '@' in User-Name = "anonymous", looking up realm NULL
Info: [suffix] No such realm "NULL"
Info: ++[suffix] returns noop
Info: [eap] EAP packet type response id 4 length 111
Info: [eap] Continuing tunnel setup.
Info: ++[eap] returns ok
Info: Found Auth-Type = EAP
Info: +- entering group authenticate {...}
Info: [eap] Request found, released from the list
Info: [eap] EAP/peap
Info: [eap] processing type peap
Info: [peap] processing EAP-TLS
Debug: TLS Length 101
Info: [peap] Length Included
Info: [peap] eaptls_verify returned 11
Info: [peap] (other): before/accept initialization
Info: [peap] TLS_accept: before/accept initialization
Info: [peap] <<< TLS 1.0 Handshake [length 0060], ClientHello
Info: [peap] TLS_accept: SSLv3 read client hello A
Info: [peap] >>> TLS 1.0 Handshake [length 002a], ServerHello
Info: [peap] TLS_accept: SSLv3 write server hello A
Info: [peap] >>> TLS 1.0 Handshake [length 0cda], Certificate
Info: [peap] TLS_accept: SSLv3 write certificate A
Info: [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
Info: [peap] TLS_accept: SSLv3 write server done A
Info: [peap] TLS_accept: SSLv3 flush data
Info: [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A
Debug: In SSL Handshake Phase
Debug: In SSL Accept mode
Info: [peap] eaptls_process returned 13
Info: [peap] EAPTLS_HANDLED
Info: ++[eap] returns handled
Sending Access-Challenge of id 230 to WI.SM.IP.AD port 32769
	EAP-Message = [fragment elided]
	EAP-Message = [fragment elided]
	EAP-Message = [fragment elided]
	EAP-Message = 0x2e63726c301d0603551d0e04160414c5fc054d4b6b0ba0e21afa6eb952a250d7632aea30090603551d1304023000300e0603551d0f0101ff0404030205a030290603551d250422302006082b0601050507030106082b06010505070302060a2b0601040182370a0303304b0603551d2004443042304006092b06010401a03201143033303106082b060105050702011625687474703a2f2f7777772e676c6f62616c7369676e2e6e65742f7265706f7369746f72792f301106096086480186f84201010404030206c030580603551d110451304f8211656475726f616d2e6c73652e61632e756b820d7273312e6c73652e61632e756b820d7273322e6c
	EAP-Message = 0x73652e61632e756b820d7273
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x65f0ad2d67f5b4e6f4a939a01468bf34
Info: Finished request 2.
Debug: Going to the next request
Debug: Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host WI.SM.IP.AD port 32769, id=231, length=191
	User-Name = "anonymous"
	Calling-Station-Id = "00-de-ad-be-ef-00"
	Called-Station-Id = "00-de-ad-be-ef-00:300s71"
	NAS-Port = 29
	NAS-IP-Address = WI.SM.IP.AD
	NAS-Identifier = "wism-s-7-1"
	Airespace-Wlan-Id = 1
	Service-Type = Framed-User
	Framed-MTU = 1300
	NAS-Port-Type = Wireless-802.11
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "224"
	EAP-Message = 0x020500061900
	State = 0x65f0ad2d67f5b4e6f4a939a01468bf34
	Message-Authenticator = 0xf4969c9017799f7479e44f9583f56894
Info: +- entering group authorize {...}
Info: ++[preprocess] returns ok
Info: ++[chap] returns noop
Info: ++[mschap] returns noop
Info: [suffix] No '@' in User-Name = "anonymous", looking up realm NULL
Info: [suffix] No such realm "NULL"
Info: ++[suffix] returns noop
Info: [eap] EAP packet type response id 5 length 6
Info: [eap] Continuing tunnel setup.
Info: ++[eap] returns ok
Info: Found Auth-Type = EAP
Info: +- entering group authenticate {...}
Info: [eap] Request found, released from the list
Info: [eap] EAP/peap
Info: [eap] processing type peap
Info: [peap] processing EAP-TLS
Info: [peap] Received TLS ACK
Info: [peap] ACK handshake fragment handler
Info: [peap] eaptls_verify returned 1
Info: [peap] eaptls_process returned 13
Info: [peap] EAPTLS_HANDLED
Info: ++[eap] returns handled
Sending Access-Challenge of id 231 to WI.SM.IP.AD port 32769
	EAP-Message = [fragment elided]
	EAP-Message = 0x107d6aeb021036bae51c99ec23ee0cfe6fe7d7e0618c0d36edf250203e987e9ddfd195331895c6ad5dbbfbef7b5d452a1345619550a76400046b308204673082034fa003020102020b04000000000111dfe86c66300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3037303431313132303030305a170d3134303132373131303030305a306a31233021060355040b131a4f7267616e697a6174696f6e2056616c69646174
	EAP-Message = [fragment elided]
	EAP-Message = [fragment elided]
	EAP-Message = 0x6e65742f7265706f
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x65f0ad2d66f6b4e6f4a939a01468bf34
Info: Finished request 3.
Debug: Going to the next request
Debug: Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host WI.SM.IP.AD port 32769, id=232, length=191
	User-Name = "anonymous"
	Calling-Station-Id = "00-de-ad-be-ef-00"
	Called-Station-Id = "00-de-ad-be-ef-00:300s71"
	NAS-Port = 29
	NAS-IP-Address = WI.SM.IP.AD
	NAS-Identifier = "wism-s-7-1"
	Airespace-Wlan-Id = 1
	Service-Type = Framed-User
	Framed-MTU = 1300
	NAS-Port-Type = Wireless-802.11
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "224"
	EAP-Message = 0x020600061900
	State = 0x65f0ad2d66f6b4e6f4a939a01468bf34
	Message-Authenticator = 0xe8d49e3a50281578c82514ef251d91b5
Info: +- entering group authorize {...}
Info: ++[preprocess] returns ok
Info: ++[chap] returns noop
Info: ++[mschap] returns noop
Info: [suffix] No '@' in User-Name = "anonymous", looking up realm NULL
Info: [suffix] No such realm "NULL"
Info: ++[suffix] returns noop
Info: [eap] EAP packet type response id 6 length 6
Info: [eap] Continuing tunnel setup.
Info: ++[eap] returns ok
Info: Found Auth-Type = EAP
Info: +- entering group authenticate {...}
Info: [eap] Request found, released from the list
Info: [eap] EAP/peap
Info: [eap] processing type peap
Info: [peap] processing EAP-TLS
Info: [peap] Received TLS ACK
Info: [peap] ACK handshake fragment handler
Info: [peap] eaptls_verify returned 1
Info: [peap] eaptls_process returned 13
Info: [peap] EAPTLS_HANDLED
Info: ++[eap] returns handled
Sending Access-Challenge of id 232 to WI.SM.IP.AD port 32769
	EAP-Message = [fragment elided]
	EAP-Message = 0x4d7cf25a11877bfad48dd12f55991a5fef1608b13dd23d1ecbb5f05797523a126362b6f2bccde2a69c17ce28e0c60f5aecbf70bd5ae754bef1cfc63d9f5f7adab72e65eac2d3e9c7babe4dcbda33ae559dae14f6320862e189e4342a753c2a05a92b5038bb5986a6845a84c3bd43ba9f1f1505ceb5770dd4dd2f49c8fe58954bbc4e9613001e9cb82777711dc461cbf41e8c33b300670db7b2ac8c3d3adc382f642d00818935d8e2b93117fe3a5fd1000379308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369
	EAP-Message = [fragment elided]
	EAP-Message = [fragment elided]
	EAP-Message = 0xff301d0603551d0e
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x65f0ad2d61f7b4e6f4a939a01468bf34
Info: Finished request 4.
Debug: Going to the next request
Debug: Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host WI.SM.IP.AD port 32769, id=233, length=191
	User-Name = "anonymous"
	Calling-Station-Id = "00-de-ad-be-ef-00"
	Called-Station-Id = "00-de-ad-be-ef-00:300s71"
	NAS-Port = 29
	NAS-IP-Address = WI.SM.IP.AD
	NAS-Identifier = "wism-s-7-1"
	Airespace-Wlan-Id = 1
	Service-Type = Framed-User
	Framed-MTU = 1300
	NAS-Port-Type = Wireless-802.11
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "224"
	EAP-Message = 0x020700061900
	State = 0x65f0ad2d61f7b4e6f4a939a01468bf34
	Message-Authenticator = 0xed02f88c28a03f52688f377358f999c3
Info: +- entering group authorize {...}
Info: ++[preprocess] returns ok
Info: ++[chap] returns noop
Info: ++[mschap] returns noop
Info: [suffix] No '@' in User-Name = "anonymous", looking up realm NULL
Info: [suffix] No such realm "NULL"
Info: ++[suffix] returns noop
Info: [eap] EAP packet type response id 7 length 6
Info: [eap] Continuing tunnel setup.
Info: ++[eap] returns ok
Info: Found Auth-Type = EAP
Info: +- entering group authenticate {...}
Info: [eap] Request found, released from the list
Info: [eap] EAP/peap
Info: [eap] processing type peap
Info: [peap] processing EAP-TLS
Info: [peap] Received TLS ACK
Info: [peap] ACK handshake fragment handler
Info: [peap] eaptls_verify returned 1
Info: [peap] eaptls_process returned 13
Info: [peap] EAPTLS_HANDLED
Info: ++[eap] returns handled
Sending Access-Challenge of id 233 to WI.SM.IP.AD port 32769
        EAP-Message = 0x0108013b190004160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe
        EAP-Message = 0x3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e016030100040e000000
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x65f0ad2d60f8b4e6f4a939a01468bf34
Info: Finished request 5.
Debug: Going to the next request
Debug: Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host WI.SM.IP.AD port 32769, id=234, length=393
        User-Name = "anonymous"
        Calling-Station-Id = "00-de-ad-be-ef-00"
        Called-Station-Id = "00-de-ad-be-ef-00:300s71"
        NAS-Port = 29
        NAS-IP-Address = WI.SM.IP.AD
        NAS-Identifier = "wism-s-7-1"
        Airespace-Wlan-Id = 1
        Service-Type = Framed-User
        Framed-MTU = 1300
        NAS-Port-Type = Wireless-802.11
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "224"
        EAP-Message = 0x020800d01980000000c6160301008610000082008016ef2214088be1cdd7eb700a74658c482c2a64f206405c889bea11be679a688f8e2deefe319300dbddcf5e9251d92d8e231cf7048ea52fe0e2245e13d0c6938f1f66f441f596653f04870273b80424fb4cf836d05ade39a5b22667e0dc5bf3b19da39a7c3fe44ce5ee9be4f17f5e653632c92dc130f05dbfa8164773fa53194014030100010116030100300ae47b27b1177d1659e0878d3bf4f5050f55838c717c41146053493be212d0487d67adcde2edaf024724891ba5005ceb
        State = 0x65f0ad2d60f8b4e6f4a939a01468bf34
        Message-Authenticator = 0x9558017ea83d954d2f4675a7a977c12d
Info: +- entering group authorize {...}
Info: ++[preprocess] returns ok
Info: ++[chap] returns noop
Info: ++[mschap] returns noop
Info: [suffix] No '@' in User-Name = "anonymous", looking up realm NULL
Info: [suffix] No such realm "NULL"
Info: ++[suffix] returns noop
Info: [eap] EAP packet type response id 8 length 208
Info: [eap] Continuing tunnel setup.
Info: ++[eap] returns ok
Info: Found Auth-Type = EAP
Info: +- entering group authenticate {...}
Info: [eap] Request found, released from the list
Info: [eap] EAP/peap
Info: [eap] processing type peap
Info: [peap] processing EAP-TLS
Debug: TLS Length 198
Info: [peap] Length Included
Info: [peap] eaptls_verify returned 11
Info: [peap] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
Info: [peap] TLS_accept: SSLv3 read client key exchange A
Info: [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
Info: [peap] <<< TLS 1.0 Handshake [length 0010], Finished
Info: [peap] TLS_accept: SSLv3 read finished A
Info: [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
Info: [peap] TLS_accept: SSLv3 write change cipher spec A
Info: [peap] >>> TLS 1.0 Handshake [length 0010], Finished
Info: [peap] TLS_accept: SSLv3 write finished A
Info: [peap] TLS_accept: SSLv3 flush data
Info: [peap] (other): SSL negotiation finished successfully
Debug: SSL Connection Established
Info: [peap] eaptls_process returned 13
Info: [peap] EAPTLS_HANDLED
Info: ++[eap] returns handled
Sending Access-Challenge of id 234 to WI.SM.IP.AD port 32769
        EAP-Message = 0x01090041190014030100010116030100308712947469621f0a7daa7cda1509647b52efa024cba3a8f8f28a57041acc7e2f0ce3e17e2ac1fd892c98e39693086987
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x65f0ad2d63f9b4e6f4a939a01468bf34
Info: Finished request 6.
Debug: Going to the next request
Debug: Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host WI.SM.IP.AD port 32769, id=235, length=191
        User-Name = "anonymous"
        Calling-Station-Id = "00-de-ad-be-ef-00"
        Called-Station-Id = "00-de-ad-be-ef-00:300s71"
        NAS-Port = 29
        NAS-IP-Address = WI.SM.IP.AD
        NAS-Identifier = "wism-s-7-1"
        Airespace-Wlan-Id = 1
        Service-Type = Framed-User
        Framed-MTU = 1300
        NAS-Port-Type = Wireless-802.11
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "224"
        EAP-Message = 0x020900061900
        State = 0x65f0ad2d63f9b4e6f4a939a01468bf34
        Message-Authenticator = 0x8c90905c54913a7d02dc49be82d7748d
Info: +- entering group authorize {...}
Info: ++[preprocess] returns ok
Info: ++[chap] returns noop
Info: ++[mschap] returns noop
Info: [suffix] No '@' in User-Name = "anonymous", looking up realm NULL
Info: [suffix] No such realm "NULL"
Info: ++[suffix] returns noop
Info: [eap] EAP packet type response id 9 length 6
Info: [eap] Continuing tunnel setup.
Info: ++[eap] returns ok
Info: Found Auth-Type = EAP
Info: +- entering group authenticate {...}
Info: [eap] Request found, released from the list
Info: [eap] EAP/peap
Info: [eap] processing type peap
Info: [peap] processing EAP-TLS
Info: [peap] Received TLS ACK
Info: [peap] ACK handshake is finished
Info: [peap] eaptls_verify returned 3
Info: [peap] eaptls_process returned 3
Info: [peap] EAPTLS_SUCCESS
Info: ++[eap] returns handled
Sending Access-Challenge of id 235 to WI.SM.IP.AD port 32769
        EAP-Message = 0x010a002b1900170301002034fbfc1f5fed6e9d753ac4f78861a6413a13a95fd0161198ee26e6808ab4052c
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x65f0ad2d62fab4e6f4a939a01468bf34
Info: Finished request 7.
Debug: Going to the next request
Debug: Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host WI.SM.IP.AD port 32769, id=236, length=228
        User-Name = "anonymous"
        Calling-Station-Id = "00-de-ad-be-ef-00"
        Called-Station-Id = "00-de-ad-be-ef-00:300s71"
        NAS-Port = 29
        NAS-IP-Address = WI.SM.IP.AD
        NAS-Identifier = "wism-s-7-1"
        Airespace-Wlan-Id = 1
        Service-Type = Framed-User
        Framed-MTU = 1300
        NAS-Port-Type = Wireless-802.11
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "224"
        EAP-Message = 0x020a002b19001703010020d6176f7b410617c4dfe15778edd548db125e4d05835fcf78d1db8c28f9cc9883
        State = 0x65f0ad2d62fab4e6f4a939a01468bf34
        Message-Authenticator = 0xc7b49dfac47ceb1d898fa94ebfca2f73
Info: +- entering group authorize {...}
Info: ++[preprocess] returns ok
Info: ++[chap] returns noop
Info: ++[mschap] returns noop
Info: [suffix] No '@' in User-Name = "anonymous", looking up realm NULL
Info: [suffix] No such realm "NULL"
Info: ++[suffix] returns noop
Info: [eap] EAP packet type response id 10 length 43
Info: [eap] Continuing tunnel setup.
Info: ++[eap] returns ok
Info: Found Auth-Type = EAP
Info: +- entering group authenticate {...}
Info: [eap] Request found, released from the list
Info: [eap] EAP/peap
Info: [eap] processing type peap
Info: [peap] processing EAP-TLS
Info: [peap] eaptls_verify returned 7
Info: [peap] Done initial handshake
Info: [peap] eaptls_process returned 7
Info: [peap] EAPTLS_OK
Info: [peap] Session established. Decoding tunneled attributes.
PEAP tunnel data in 0000: 01 6e 70
Info: [peap] Identity - np
Info: [peap] Got tunneled request
        EAP-Message = 0x020a0007016e70
server {
Debug: PEAP: Got tunneled identity of np
Debug: PEAP: Setting default EAP type for tunneled EAP session.
Debug: PEAP: Setting User-Name to np
Sending tunneled request
        EAP-Message = 0x020a0007016e70
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "np"
server inner-tunnel {
Info: +- entering group authorize {...}
Info: ++[chap] returns noop
Info: ++[mschap] returns noop
Info: ++[unix] returns notfound
Info: [suffix] No '@' in User-Name = "np", looking up realm NULL
Info: [suffix] No such realm "NULL"
Info: ++[suffix] returns noop
Info: ++[control] returns noop
Info: [eap] EAP packet type response id 10 length 7
Info: [eap] No EAP Start, assuming it's an on-going EAP conversation
Info: ++[eap] returns updated
Info: ++[files] returns noop
Info: ++[expiration] returns noop
Info: ++[logintime] returns noop
Info: ++[pap] returns noop
Info: Found Auth-Type = EAP
Info: +- entering group authenticate {...}
Info: [eap] EAP Identity
Info: [eap] processing type mschapv2
Debug: rlm_eap_mschapv2: Issuing Challenge
Info: ++[eap] returns handled
} # server inner-tunnel
Info: [peap] Got tunneled reply code 11
        EAP-Message = 0x010b001c1a010b001710028ad2ebffffa9625538cea34a3e243a6e70
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xb39c7d1cb397675a0ab86daaede9146a
Info: [peap] Got tunneled reply RADIUS code 11
        EAP-Message = 0x010b001c1a010b001710028ad2ebffffa9625538cea34a3e243a6e70
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xb39c7d1cb397675a0ab86daaede9146a
Info: [peap] Got tunneled Access-Challenge
PEAP tunnel data out 0000: 1a 01 0b 00 17 10 02 8a d2 eb ff ff a9 62 55 38
PEAP tunnel data out 0010: ce a3 4a 3e 24 3a 6e 70
Info: ++[eap] returns handled
Sending Access-Challenge of id 236 to WI.SM.IP.AD port 32769
        EAP-Message = 0x010b003b19001703010030eaa27cae66bfc42920b049aec687d64b1b4723650fc4fb58ee1f1158979cd93c4abfec16d8f27668812c89ea17e12da3
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x65f0ad2d6dfbb4e6f4a939a01468bf34
Info: Finished request 8.
Debug: Going to the next request
Debug: Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host WI.SM.IP.AD port 32769, id=237, length=276
        User-Name = "anonymous"
        Calling-Station-Id = "00-de-ad-be-ef-00"
        Called-Station-Id = "00-de-ad-be-ef-00:300s71"
        NAS-Port = 29
        NAS-IP-Address = WI.SM.IP.AD
        NAS-Identifier = "wism-s-7-1"
        Airespace-Wlan-Id = 1
        Service-Type = Framed-User
        Framed-MTU = 1300
        NAS-Port-Type = Wireless-802.11
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "224"
        EAP-Message = 0x020b005b190017030100508c3e82cfb3e4e5eaa0bf0f51ff541b1bbd13c7457596eefda104cc8f94b266604b7a5918f62b7ffee66b21ff7b1c990c16524efab5a171da3e9afcf675b856ef080c9a9e6d0ec5cb065dddc005074049
        State = 0x65f0ad2d6dfbb4e6f4a939a01468bf34
        Message-Authenticator = 0xb5ccd9d2be70c7df6cf6c778fefb6bd2
Info: +- entering group authorize {...}
Info: ++[preprocess] returns ok
Info: ++[chap] returns noop
Info: ++[mschap] returns noop
Info: [suffix] No '@' in User-Name = "anonymous", looking up realm NULL
Info: [suffix] No such realm "NULL"
Info: ++[suffix] returns noop
Info: [eap] EAP packet type response id 11 length 91
Info: [eap] Continuing tunnel setup.
Info: ++[eap] returns ok
Info: Found Auth-Type = EAP
Info: +- entering group authenticate {...}
Info: [eap] Request found, released from the list
Info: [eap] EAP/peap
Info: [eap] processing type peap
Info: [peap] processing EAP-TLS
Info: [peap] eaptls_verify returned 7
Info: [peap] Done initial handshake
Info: [peap] eaptls_process returned 7
Info: [peap] EAPTLS_OK
Info: [peap] Session established. Decoding tunneled attributes.
PEAP tunnel data in 0000: 1a 02 0b 00 38 31 e3 29 3a 5b fc 38 b6 ff d2 d9
PEAP tunnel data in 0010: 4a 90 e0 ed 79 66 00 00 00 00 00 00 00 00 56 3e
PEAP tunnel data in 0020: 33 2d 28 c1 22 b4 4a 66 0a 02 8d a5 31 b4 c4 8c
PEAP tunnel data in 0030: 6b 0e c7 1c f6 e8 00 6e 70
Info: [peap] EAP type mschapv2
Info: [peap] Got tunneled request
        EAP-Message = 0x020b003d1a020b003831e3293a5bfc38b6ffd2d94a90e0ed79660000000000000000563e332d28c122b44a660a028da531b4c48c6b0ec71cf6e8006e70
server {
Debug: PEAP: Setting User-Name to np
Sending tunneled request
        EAP-Message = 0x020b003d1a020b003831e3293a5bfc38b6ffd2d94a90e0ed79660000000000000000563e332d28c122b44a660a028da531b4c48c6b0ec71cf6e8006e70
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "np"
        State = 0xb39c7d1cb397675a0ab86daaede9146a
server inner-tunnel {
Info: +- entering group authorize {...}
Info: ++[chap] returns noop
Info: ++[mschap] returns noop
Info: ++[unix] returns notfound
Info: [suffix] No '@' in User-Name = "np", looking up realm NULL
Info: [suffix] No such realm "NULL"
Info: ++[suffix] returns noop
Info: ++[control] returns noop
Info: [eap] EAP packet type response id 11 length 61
Info: [eap] No EAP Start, assuming it's an on-going EAP conversation
Info: ++[eap] returns updated
Info: ++[files] returns noop
Info: ++[expiration] returns noop
Info: ++[logintime] returns noop
Info: ++[pap] returns noop
Info: Found Auth-Type = EAP
Info: +- entering group authenticate {...}
Info: [eap] Request found, released from the list
Info: [eap] EAP/mschapv2
Info: [eap] processing type mschapv2
Info: [mschapv2] +- entering group MS-CHAP {...}
Info: [mschap] Told to do MS-CHAPv2 for np with NT-Password
Info: [mschap] expand: %{Stripped-User-Name} ->
Info: [mschap] ... expanding second conditional
Info: [mschap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
Info: [mschap] expand: %{User-Name:-None} -> np
Info: [mschap] expand: --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} -> --username=np
Info: [mschap] mschap2: 02
Info: [mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=e70378161b70bec1
Info: [mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=563e332d28c122b44a660a028da531b4c48c6b0ec71cf6e8
Debug: Exec-Program output: NT_KEY: E92808F4B14A0ABEEBC125A12E908546
Debug: Exec-Program-Wait: plaintext: NT_KEY: E92808F4B14A0ABEEBC125A12E908546
Debug: Exec-Program: returned: 0
Info: [mschap] adding MS-CHAPv2 MPPE keys
Info: ++[mschap] returns ok
Debug: MSCHAP Success
Info: ++[eap] returns handled
} # server inner-tunnel
Info: [peap] Got tunneled reply code 11
        EAP-Message = 0x010c00331a030b002e533d37303232433143333645413945374241383346433837353537363541373131324243373937324132
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xb39c7d1cb290675a0ab86daaede9146a
Info: [peap] Got tunneled reply RADIUS code 11
        EAP-Message = 0x010c00331a030b002e533d37303232433143333645413945374241383346433837353537363541373131324243373937324132
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xb39c7d1cb290675a0ab86daaede9146a
Info: [peap] Got tunneled Access-Challenge
PEAP tunnel data out 0000: 1a 03 0b 00 2e 53 3d 37 30 32 32 43 31 43 33 36
PEAP tunnel data out 0010: 45 41 39 45 37 42 41 38 33 46 43 38 37 35 35 37
PEAP tunnel data out 0020: 36 35 41 37 31 31 32 42 43 37 39 37 32 41 32
Info: ++[eap] returns handled
Sending Access-Challenge of id 237 to WI.SM.IP.AD port 32769
        EAP-Message = 0x010c005b19001703010050b38e016e1d1c4a26834e93a2c9d27528caf14a8686c1052589683f903485d2a27542951f5bbbc2efabcbb4d46866c159feee98b49a134f5effa4fd89fc696c2200726e3f59ff1ef7b8d230ca3f21dc74
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x65f0ad2d6cfcb4e6f4a939a01468bf34
Info: Finished request 9.
Debug: Going to the next request
Debug: Waking up in 4.8 seconds.
Info: Cleaning up request 0 ID 228 with timestamp +39
Info: Cleaning up request 1 ID 229 with timestamp +39
Info: Cleaning up request 2 ID 230 with timestamp +39
Info: Cleaning up request 3 ID 231 with timestamp +39
Info: Cleaning up request 4 ID 232 with timestamp +39
Info: Cleaning up request 5 ID 233 with timestamp +39
Info: Cleaning up request 6 ID 234 with timestamp +39
Info: Cleaning up request 7 ID 235 with timestamp +39
Info: Cleaning up request 8 ID 236 with timestamp +39
Info: Cleaning up request 9 ID 237 with timestamp +39
Info: Ready to process requests.

>
>> Does anyone have such a setup working or know if it is possible/impossible.
>
> It's possible.
>
>> Would it be simpler to use a virtual server for one or the other?
>
> There are already two virtual servers: default, and inner-tunnel. You
> can use those.
>
> Step 1: start with default config
> Step 2: get LDAP to work with PAP
> Step 3: configure "ntlm_auth" for the MSCHAP module.
>
> After that, both will work.
>
> The *usual* cause of problems is that you're forcing Auth-Type. Don't
> do that.
>
> Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
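A small diagnostic for reading a radiusd -X dump like the one above, added here as an example and not part of the thread or of FreeRADIUS: it walks the outer request/reply sequence, records whether the PEAP TLS tunnel came up and whether the inner MS-CHAPv2 check passed, and reports where the conversation stopped. The sample lines are constructed in the shape of the output above; the line formats matched are the ones visible in that output.

```python
import re

# Line shapes taken from the debug output above; everything else is ignored.
SEND_RE = re.compile(r"Sending (Access-\w+) of id (\d+) to ")
INNER_RE = re.compile(r"\[peap\] Got tunneled reply code (\d+)")
MSCHAP_RE = re.compile(r"\+\+\[mschap\] returns (\w+)")
CLEAN_RE = re.compile(r"Cleaning up request \d+ ID (\d+)\b")
TLS_UP = "SSL Connection Established"
RADIUS_CODES = {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}


def summarize(log):
    """Return the outer replies, the tunneled replies and a one-line verdict."""
    replies = []        # (outer request id, reply type), in order
    inner = []          # RADIUS codes the inner-tunnel server returned
    mschap_ok = False   # '++[mschap] returns ok' seen (ntlm_auth accepted it)
    tls_up = False      # PEAP TLS handshake completed
    cleaned = set()     # request ids the server timed out and freed
    for line in log.splitlines():
        if (m := SEND_RE.search(line)):
            replies.append((int(m.group(2)), m.group(1)))
        elif (m := INNER_RE.search(line)):
            inner.append(RADIUS_CODES.get(int(m.group(1)), "code " + m.group(1)))
        elif (m := MSCHAP_RE.search(line)):
            mschap_ok = mschap_ok or m.group(1) == "ok"
        elif (m := CLEAN_RE.search(line)):
            cleaned.add(int(m.group(1)))
        elif TLS_UP in line:
            tls_up = True
    types = [t for _, t in replies]
    if "Access-Accept" in types:
        verdict = "accepted"
    elif "Access-Reject" in types:
        verdict = "rejected"
    elif not replies or replies[-1][0] not in cleaned:
        verdict = "in progress"     # last challenge has not timed out yet
    elif mschap_ok:
        # Inner MS-CHAPv2 succeeded, but the supplicant never answered the
        # EAP-MSCHAPv2 Success packet, so no Access-Accept was ever sent.
        verdict = "stalled after inner MS-CHAPv2 success"
    elif tls_up:
        verdict = "stalled inside the TLS tunnel"
    else:
        verdict = "stalled during TLS handshake"
    return {"replies": replies, "inner": inner, "mschap_ok": mschap_ok,
            "tls_up": tls_up, "verdict": verdict}


# Constructed sample: a few lines in the shape of the dump above.
SAMPLE = """\
Debug: SSL Connection Established
Sending Access-Challenge of id 234 to WI.SM.IP.AD port 32769
Info: ++[mschap] returns ok
Info: [peap] Got tunneled reply code 11
Sending Access-Challenge of id 237 to WI.SM.IP.AD port 32769
Info: Cleaning up request 6 ID 234 with timestamp +39
Info: Cleaning up request 9 ID 237 with timestamp +39
"""

if __name__ == "__main__":
    print(summarize(SAMPLE)["verdict"])
```

Run it against a full radiusd -X capture to see whether a failed client stopped before the tunnel, inside it, or only after the inner credential check had already passed.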