I'm having a problem with XP (and Windows 7) machine authentication from a Procurve switch (802.1x and eap-radius) and the supplicant using PEAP to an AD domain. The FreeRADIUS version is 2.1.7.

My configuration works for the following style authentication requests:

    jmct...@htc.com
    horry\jmctest

but doesn't work for the machine login of the following form:

    host/pcname.htc.com

From the output of "radiusd -X", it thinks the domain is "htc" and the authentication fails since there is no "htc" domain (there is a "htc.com"). I verified that the "HTC" domain doesn't work using ntlm_auth. "horry" and "htc.com" do work.

Our AD (2003) setup has the domain name as "htc.com". The pre-windows 2000 domain name is "HORRY".

As a test, I changed the mschap ntlm_auth "--domain" parameter from "--domain=%{mschap:NT-Domain}" to "--domain=HORRY" and it worked in all three cases. I'm not comfortable with this fix.

How can I make the "htc" one work without hard-coding the HORRY domain? If the mschap module would have returned the full domain name, I wouldn't have this problem.

Thanks for any assistance!

My smb.conf file:

[global]
    workgroup = HORRY
    server string = Samba Server Version %v
    log file = /var/log/samba/log.%m
    max log size = 50
    security = ads
    realm = HTC.COM
    load printers = yes
    cups options = raw

[homes]
    comment = Home Directories
    browseable = no
    writable = yes

[printers]
    comment = All Printers
    path = /var/spool/samba
    browseable = no
    guest ok = no
    writable = no
    printable = yes

My krb5.conf file:

[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

[libdefaults]
    default_realm = HTC.COM
    dns_lookup_realm = false
    dns_lookup_kdc = true
    ticket_lifetime = 24h
    forwardable = yes

[realms]
    HTC.COM = {
        admin_server = htcaddc01.htc.com:749
        default_domain = htc.com
    }

[domain_realm]
    .htc.com = HTC.COM
    htc.com = HTC.COM
    htc = HTC.COM

[appdefaults]
    pam = {
        debug = false
        ticket_lifetime = 36000
        renew_lifetime = 36000
        forwardable = true
        krb4_convert = false
    }
    pkinit = {
        allow_pkinit = false
    }

Radiusd -x output:

including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/ntlm_auth
including configuration file /etc/raddb/modules/krb5
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/ldap
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/cui
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/inner-tunnel
including configuration file /etc/raddb/sites-enabled/control-socket
group = radiusd
user = radiusd
including dictionary file /etc/raddb/dictionary
main {
    prefix = "/usr"
    localstatedir = "/var"
    logdir = "/var/log/radius"
    libdir = "/usr/lib/freeradius"
    radacctdir = "/var/log/radius/radacct"
    hostname_lookups = no
    max_request_time = 30
    cleanup_delay = 5
    max_requests = 1024
    allow_core_dumps = no
    pidfile = "/var/run/radiusd/radiusd.pid"
    checkrad = "/usr/sbin/checkrad"
    debug_level = 0
    proxy_requests = yes
    log {
        stripped_names = no
        auth = yes
        auth_badpass = yes
        auth_goodpass = yes
    }
    security {
        max_attributes = 200
        reject_delay = 1
        status_server = yes
    }
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
    retry_delay = 5
    retry_count = 3
    default_fallback = no
    dead_time = 120
    wake_all_if_all_dead = no
}
home_server localhost {
    ipaddr = 127.0.0.1
    port = 1812
    type = "auth"
    secret = "testing123"
    response_window = 20
    max_outstanding = 65536
    require_message_authenticator = no
    zombie_period = 40
    status_check = "status-server"
    ping_interval = 30
    check_interval = 30
    num_answers_to_alive = 3
    num_pings_to_alive = 3
    revive_interval = 120
    status_check_timeout = 4
    irt = 2
    mrt = 16
    mrc = 5
    mrd = 30
}
home_server_pool my_auth_failover {
    type = fail-over
    home_server = localhost
}
realm example.com {
    auth_pool = my_auth_failover
}
realm LOCAL {
}
realm HORRY {
}
realm htc.com {
}
radiusd: #### Loading Clients ####
client localhost {
    ipaddr = 127.0.0.1
    require_message_authenticator = no
    secret = "testing123"
    nastype = "other"
}
client 172.24.8.101 {
    require_message_authenticator = no
    secret = "thisisasecret"
    shortname = "LocalHostETH0"
}
client 172.21.17.59 {
    require_message_authenticator = no
    secret = "thisisasecret"
    shortname = "MikeDeskSwitch"
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating exec
exec {
    wait = no
    input_pairs = "request"
    shell_escape = yes
}
Module: Linked to module rlm_expr
Module: Instantiating expr
Module: Linked to module rlm_expiration
Module: Instantiating expiration
expiration {
    reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating logintime
logintime {
    reply-message = "You are calling outside your allowed timespan "
    minimum-timeout = 60
}
}
radiusd: #### Loading Virtual Servers ####
server inner-tunnel {
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating pap
pap {
    encryption_scheme = "auto"
    auto_header = no
}
Module: Linked to module rlm_chap
Module: Instantiating chap
Module: Linked to module rlm_mschap
Module: Instantiating mschap
mschap {
    use_mppe = yes
    require_encryption = no
    require_strong = no
    with_ntdomain_hack = yes
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}
Module: Linked to module rlm_unix
Module: Instantiating unix
unix {
    radwtmp = "/var/log/radius/radwtmp"
}
Module: Instantiating ntlm_auth
exec ntlm_auth {
    wait = yes
    program = "/usr/bin/ntlm_auth --request-nt-key --domain=htc.com --username=%{mschap:User-Name} --password=%{User-Password}"
    input_pairs = "request"
    shell_escape = yes
}
Module: Linked to module rlm_eap
Module: Instantiating eap
eap {
    default_eap_type = "md5"
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    max_sessions = 2048
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
    challenge = "Password: "
    auth_type = "PAP"
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
    rsa_key_exchange = no
    dh_key_exchange = yes
    rsa_key_length = 512
    dh_key_length = 512
    verify_depth = 0
    pem_file_type = yes
    private_key_file = "/etc/raddb/certs/server.pem"
    certificate_file = "/etc/raddb/certs/server.pem"
    CA_file = "/etc/raddb/certs/ca.pem"
    private_key_password = "whatever"
    dh_file = "/etc/raddb/certs/dh"
    random_file = "/etc/raddb/certs/random"
    fragment_size = 1024
    include_length = yes
    check_crl = no
    cipher_list = "DEFAULT"
    make_cert_command = "/etc/raddb/certs/bootstrap"
    cache {
        enable = no
        lifetime = 24
        max_entries = 255
    }
}
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
    default_eap_type = "md5"
    copy_request_to_tunnel = no
    use_tunneled_reply = no
    virtual_server = "inner-tunnel"
    include_length = yes
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
    default_eap_type = "mschapv2"
    copy_request_to_tunnel = no
    use_tunneled_reply = no
    proxy_tunneled_request_as_eap = yes
    virtual_server = "inner-tunnel"
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
    with_ntdomain_hack = no
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_realm
Module: Instantiating suffix
realm suffix {
    format = "suffix"
    delimiter = "@"
    ignore_default = no
    ignore_null = yes
}
Module: Instantiating ntdomain
realm ntdomain {
    format = "prefix"
    delimiter = "\"
    ignore_default = no
    ignore_null = yes
}
Module: Linked to module rlm_files
Module: Instantiating files
files {
    usersfile = "/etc/raddb/users"
    acctusersfile = "/etc/raddb/acct_users"
    preproxy_usersfile = "/etc/raddb/preproxy_users"
    compat = "no"
}
Module: Checking session {...} for more modules to load
Module: Linked to module rlm_radutmp
Module: Instantiating radutmp
radutmp {
    filename = "/var/log/radius/radutmp"
    username = "%{User-Name}"
    case_sensitive = yes
    check_with_nas = yes
    perm = 384
    callerid = yes
}
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Linked to module rlm_attr_filter
Module: Instantiating attr_filter.access_reject
attr_filter attr_filter.access_reject {
    attrsfile = "/etc/raddb/attrs.access_reject"
    key = "%{User-Name}"
}
} # modules
} # server
server {
modules {
Module: Checking authenticate {...} for more modules to load
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating preprocess
preprocess {
    huntgroups = "/etc/raddb/huntgroups"
    hints = "/etc/raddb/hints"
    with_ascend_hack = no
    ascend_channels_per_line = 23
    with_ntdomain_hack = no
    with_specialix_jetstream_hack = no
    with_cisco_vsa_hack = no
    with_alvarion_vsa_hack = no
}
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating acct_unique
acct_unique {
    key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating detail
detail {
    detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
    header = "%t"
    detailperm = 384
    dirperm = 493
    locking = no
    log_packet_header = no
}
Module: Instantiating attr_filter.accounting_response
attr_filter attr_filter.accounting_response {
    attrsfile = "/etc/raddb/attrs.accounting_response"
    key = "%{User-Name}"
}
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
} # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
    type = "auth"
    ipaddr = *
    port = 0
}
listen {
    type = "acct"
    ipaddr = *
    port = 0
}
listen {
    type = "control"
    listen {
        socket = "/var/run/radiusd/radiusd.sock"
    }
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /var/run/radiusd/radiusd.sock
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 172.21.17.59 port 1025, id=44, length=251
    Framed-MTU = 1480
    NAS-IP-Address = 172.21.17.59
    NAS-Identifier = "BareFtComs_BO_HP2"
    User-Name = "host/IS-MCANNADY-L.htc.com"
    Service-Type = Framed-User
    Framed-Protocol = PPP
    NAS-Port = 17
    NAS-Port-Type = Ethernet
    NAS-Port-Id = "17"
    Called-Station-Id = "00-14-c2-25-f9-00"
    Calling-Station-Id = "00-1e-e5-87-61-d6"
    Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
    Tunnel-Type:0 = VLAN
    Tunnel-Medium-Type:0 = IEEE-802
    Tunnel-Private-Group-Id:0 = "221"
    EAP-Message = 0x0201001f01686f73742f49532d4d43414e4e4144592d4c2e6874632e636f6d
    Message-Authenticator = 0x0f9937d73fb2934ff54cf78a7ddb611d
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "host/IS-MCANNADY-L.htc.com", skipping NULL due to config.
++[suffix] returns noop
[ntdomain] No '\' in User-Name = "host/IS-MCANNADY-L.htc.com", skipping NULL due to config.
++[ntdomain] returns noop
[eap] EAP packet type response id 1 length 31
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 171
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 44 to 172.21.17.59 port 1025
    Framed-Protocol = PPP
    Framed-Compression = Van-Jacobson-TCP-IP
    EAP-Message = 0x010200160410994fcad22261d405da18727f5688f5b5
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x29be35a429bc31776aa21593a54d8f6e
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.21.17.59 port 1025, id=45, length=244
    Framed-MTU = 1480
    NAS-IP-Address = 172.21.17.59
    NAS-Identifier = "BareFtComs_BO_HP2"
    User-Name = "host/IS-MCANNADY-L.htc.com"
    Service-Type = Framed-User
    Framed-Protocol = PPP
    NAS-Port = 17
    NAS-Port-Type = Ethernet
    NAS-Port-Id = "17"
    Called-Station-Id = "00-14-c2-25-f9-00"
    Calling-Station-Id = "00-1e-e5-87-61-d6"
    Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
    Tunnel-Type:0 = VLAN
    Tunnel-Medium-Type:0 = IEEE-802
    Tunnel-Private-Group-Id:0 = "221"
    State = 0x29be35a429bc31776aa21593a54d8f6e
    EAP-Message = 0x020200060319
    Message-Authenticator = 0xc1df97187bc217466fbb7ec9427803d5
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "host/IS-MCANNADY-L.htc.com", skipping NULL due to config.
++[suffix] returns noop
[ntdomain] No '\' in User-Name = "host/IS-MCANNADY-L.htc.com", skipping NULL due to config.
++[ntdomain] returns noop
[eap] EAP packet type response id 2 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 171
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/peap
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 45 to 172.21.17.59 port 1025
    Framed-Protocol = PPP
    Framed-Compression = Van-Jacobson-TCP-IP
    EAP-Message = 0x010300061920
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x29be35a428bd2c776aa21593a54d8f6e
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.21.17.59 port 1025, id=46, length=325
    Framed-MTU = 1480
    NAS-IP-Address = 172.21.17.59
    NAS-Identifier = "BareFtComs_BO_HP2"
    User-Name = "host/IS-MCANNADY-L.htc.com"
    Service-Type = Framed-User
    Framed-Protocol = PPP
    NAS-Port = 17
    NAS-Port-Type = Ethernet
    NAS-Port-Id = "17"
    Called-Station-Id = "00-14-c2-25-f9-00"
    Calling-Station-Id = "00-1e-e5-87-61-d6"
    Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
    Tunnel-Type:0 = VLAN
    Tunnel-Medium-Type:0 = IEEE-802
    Tunnel-Private-Group-Id:0 = "221"
    State = 0x29be35a428bd2c776aa21593a54d8f6e
    EAP-Message = 0x0203005719800000004d16030100480100004403014cbe046105f5f2421a34386c77b632020675b50cf26e04e2f79b5d451d701f5300001600040005000a0009006400620003000600130012006301000005ff01000100
    Message-Authenticator = 0x244ca5136f7b517770eae24421b83cbd
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "host/IS-MCANNADY-L.htc.com", skipping NULL due to config.
++[suffix] returns noop
[ntdomain] No '\' in User-Name = "host/IS-MCANNADY-L.htc.com", skipping NULL due to config.
++[ntdomain] returns noop
[eap] EAP packet type response id 3 length 87
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 77
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 0048], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 0031], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 085e], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 46 to 172.21.17.59 port 1025
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x29be35a42bba2c776aa21593a54d8f6e
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.21.17.59 port 1025, id=47, length=244
    Framed-MTU = 1480
    NAS-IP-Address = 172.21.17.59
    NAS-Identifier = "BareFtComs_BO_HP2"
    User-Name = "host/IS-MCANNADY-L.htc.com"
    Service-Type = Framed-User
    Framed-Protocol = PPP
    NAS-Port = 17
    NAS-Port-Type = Ethernet
    NAS-Port-Id = "17"
    Called-Station-Id = "00-14-c2-25-f9-00"
    Calling-Station-Id = "00-1e-e5-87-61-d6"
    Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
    Tunnel-Type:0 = VLAN
    Tunnel-Medium-Type:0 = IEEE-802
    Tunnel-Private-Group-Id:0 = "221"
    State = 0x29be35a42bba2c776aa21593a54d8f6e
    EAP-Message = 0x020400061900
    Message-Authenticator = 0x33cf19aacee3d06143712441a4ecf162
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "host/IS-MCANNADY-L.htc.com", skipping NULL due to config.
++[suffix] returns noop
[ntdomain] No '\' in User-Name = "host/IS-MCANNADY-L.htc.com", skipping NULL due to config.
++[ntdomain] returns noop
[eap] EAP packet type response id 4 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 47 to 172.21.17.59 port 1025
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x29be35a42abb2c776aa21593a54d8f6e
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.21.17.59 port 1025, id=48, length=244
    Framed-MTU = 1480
    NAS-IP-Address = 172.21.17.59
    NAS-Identifier = "BareFtComs_BO_HP2"
    User-Name = "host/IS-MCANNADY-L.htc.com"
    Service-Type = Framed-User
    Framed-Protocol = PPP
    NAS-Port = 17
    NAS-Port-Type = Ethernet
    NAS-Port-Id = "17"
    Called-Station-Id = "00-14-c2-25-f9-00"
    Calling-Station-Id = "00-1e-e5-87-61-d6"
    Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
    Tunnel-Type:0 = VLAN
    Tunnel-Medium-Type:0 = IEEE-802
    Tunnel-Private-Group-Id:0 = "221"
    State = 0x29be35a42abb2c776aa21593a54d8f6e
    EAP-Message = 0x020500061900
    Message-Authenticator = 0x03a0e65b83c6778a88ce8d82850c0ee0
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "host/IS-MCANNADY-L.htc.com", skipping NULL due to config.
++[suffix] returns noop
[ntdomain] No '\' in User-Name = "host/IS-MCANNADY-L.htc.com", skipping NULL due to config.
++[ntdomain] returns noop
[eap] EAP packet type response id 5 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 48 to 172.21.17.59 port 1025
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x29be35a42db82c776aa21593a54d8f6e
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.21.17.59 port 1025, id=49, length=560
    Framed-MTU = 1480
    NAS-IP-Address = 172.21.17.59
    NAS-Identifier = "BareFtComs_BO_HP2"
    User-Name = "host/IS-MCANNADY-L.htc.com"
    Service-Type = Framed-User
    Framed-Protocol = PPP
    NAS-Port = 17
    NAS-Port-Type = Ethernet
    NAS-Port-Id = "17"
    Called-Station-Id = "00-14-c2-25-f9-00"
    Calling-Station-Id = "00-1e-e5-87-61-d6"
    Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
    Tunnel-Type:0 = VLAN
    Tunnel-Medium-Type:0 = IEEE-802
    Tunnel-Private-Group-Id:0 = "221"
    State = 0x29be35a42db82c776aa21593a54d8f6e
    Message-Authenticator = 0x7562cd533469cc7e3454a807126c7757
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "host/IS-MCANNADY-L.htc.com", skipping NULL due to config.
++[suffix] returns noop
[ntdomain] No '\' in User-Name = "host/IS-MCANNADY-L.htc.com", skipping NULL due to config.
++[ntdomain] returns noop
[eap] EAP packet type response id 6 length 253
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 310
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange
[peap] TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap] TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 write finished A
[peap] TLS_accept: SSLv3 flush data
[peap] (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 49 to 172.21.17.59 port 1025
    EAP-Message = 0x01070031190014030100010116030100204fc8145013c734a36979325c3d0404a31fed3079fd89de557c2651934ee8f103
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x29be35a42cb92c776aa21593a54d8f6e
Finished request 5.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.21.17.59 port 1025, id=50, length=244
    Framed-MTU = 1480
    NAS-IP-Address = 172.21.17.59
    NAS-Identifier = "BareFtComs_BO_HP2"
    User-Name = "host/IS-MCANNADY-L.htc.com"
    Service-Type = Framed-User
    Framed-Protocol = PPP
    NAS-Port = 17
    NAS-Port-Type = Ethernet
    NAS-Port-Id = "17"
    Called-Station-Id = "00-14-c2-25-f9-00"
    Calling-Station-Id = "00-1e-e5-87-61-d6"
    Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
    Tunnel-Type:0 = VLAN
    Tunnel-Medium-Type:0 = IEEE-802
    Tunnel-Private-Group-Id:0 = "221"
    State = 0x29be35a42cb92c776aa21593a54d8f6e
    EAP-Message = 0x020700061900
    Message-Authenticator = 0xf1636cb76cd28098587cbf6ced6a92ae
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "host/IS-MCANNADY-L.htc.com", skipping NULL due to config.
++[suffix] returns noop
[ntdomain] No '\' in User-Name = "host/IS-MCANNADY-L.htc.com", skipping NULL due to config.
++[ntdomain] returns noop
[eap] EAP packet type response id 7 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
++[eap] returns handled
Sending Access-Challenge of id 50 to 172.21.17.59 port 1025
    EAP-Message = 0x01080020190017030100156482e5906cba353c9abf3a4b646082b4d75974cd48
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x29be35a42fb62c776aa21593a54d8f6e
Finished request 6.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.21.17.59 port 1025, id=51, length=292 Framed-MTU = 1480 NAS-IP-Address = 172.21.17.59 NAS-Identifier = "BareFtComs_BO_HP2" User-Name = "host/IS-MCANNADY-L.htc.com" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 17 NAS-Port-Type = Ethernet NAS-Port-Id = "17" Called-Station-Id = "00-14-c2-25-f9-00" Calling-Station-Id = "00-1e-e5-87-61-d6" Connect-Info = "CONNECT Ethernet 100Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "221" State = 0x29be35a42fb62c776aa21593a54d8f6e EAP-Message = 0x020800361900170301002bec85cc7cdc603d78049eb88fbed7da736628173316308e2e 4ef5a9aa5855f5b97511a2182324f467ab1bdb Message-Authenticator = 0x55e15d853fc0ee308bec4cbbef2a1aa7 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "host/IS-MCANNADY-L.htc.com", skipping NULL due to config. ++[suffix] returns noop [ntdomain] No '\' in User-Name = "host/IS-MCANNADY-L.htc.com", skipping NULL due to config. ++[ntdomain] returns noop [eap] EAP packet type response id 8 length 54 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Identity - host/IS-MCANNADY-L.htc.com [peap] Got tunneled request EAP-Message = 0x0208001f01686f73742f49532d4d43414e4e4144592d4c2e6874632e636f6d server { PEAP: Got tunneled identity of host/IS-MCANNADY-L.htc.com PEAP: Setting default EAP type for tunneled EAP session. 
PEAP: Setting User-Name to host/IS-MCANNADY-L.htc.com Sending tunneled request EAP-Message = 0x0208001f01686f73742f49532d4d43414e4e4144592d4c2e6874632e636f6d FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "host/IS-MCANNADY-L.htc.com" server inner-tunnel { +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound [suffix] No '@' in User-Name = "host/IS-MCANNADY-L.htc.com", skipping NULL due to config. ++[suffix] returns noop [ntdomain] No '\' in User-Name = "host/IS-MCANNADY-L.htc.com", skipping NULL due to config. ++[ntdomain] returns noop ++[control] returns noop [eap] EAP packet type response id 8 length 31 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x010900341a0109002f10b63a43c6b16bc4276a3f62fdd54ea58b686f73742f49532d4d 43414e4e4144592d4c2e6874632e636f6d Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa67b01cba6721b6f289ad37074bdf4d3 [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x010900341a0109002f10b63a43c6b16bc4276a3f62fdd54ea58b686f73742f49532d4d 43414e4e4144592d4c2e6874632e636f6d Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa67b01cba6721b6f289ad37074bdf4d3 [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 51 to 172.21.17.59 port 1025 EAP-Message = 0x0109004b190017030100400c3efceaeceed14785f589ebae969a62f2a6b99e8d01f960 9b6cc661619ba3fcd48729c257e8ae05e16aa8 7f28a4e53b094e816084b7316397258d746c133a82 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x29be35a42eb72c776aa21593a54d8f6e Finished request 7. 
Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.21.17.59 port 1025, id=52, length=346 Framed-MTU = 1480 NAS-IP-Address = 172.21.17.59 NAS-Identifier = "BareFtComs_BO_HP2" User-Name = "host/IS-MCANNADY-L.htc.com" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 17 NAS-Port-Type = Ethernet NAS-Port-Id = "17" Called-Station-Id = "00-14-c2-25-f9-00" Calling-Station-Id = "00-1e-e5-87-61-d6" Connect-Info = "CONNECT Ethernet 100Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "221" State = 0x29be35a42eb72c776aa21593a54d8f6e EAP-Message = 0x0209006c1900170301006167a4215a3dbc1305e25e143c01edb40ff92b9284464a0698 cf478e307f2b2a38d394d32012e5293d19ec02 8427a45ed21394e7492741809b6a91f5f4ab87c08d5389bf9b787a9eade9e5d122da9256 b8bedec42e52c003b70fb743e8ba7d318f6d Message-Authenticator = 0xc384357caf39604b6cdcf7ca09233a2c +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "host/IS-MCANNADY-L.htc.com", skipping NULL due to config. ++[suffix] returns noop [ntdomain] No '\' in User-Name = "host/IS-MCANNADY-L.htc.com", skipping NULL due to config. ++[ntdomain] returns noop [eap] EAP packet type response id 9 length 108 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. 
[peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x020900551a02090050312448ca723266ded3fa1704b03d55766a00000000000000002e 7c3d2146332065d255b7f853aecb601d00e050 82badb1000686f73742f49532d4d43414e4e4144592d4c2e6874632e636f6d server { PEAP: Setting User-Name to host/IS-MCANNADY-L.htc.com Sending tunneled request EAP-Message = 0x020900551a02090050312448ca723266ded3fa1704b03d55766a00000000000000002e 7c3d2146332065d255b7f853aecb601d00e050 82badb1000686f73742f49532d4d43414e4e4144592d4c2e6874632e636f6d FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "host/IS-MCANNADY-L.htc.com" State = 0xa67b01cba6721b6f289ad37074bdf4d3 server inner-tunnel { +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound [suffix] No '@' in User-Name = "host/IS-MCANNADY-L.htc.com", skipping NULL due to config. ++[suffix] returns noop [ntdomain] No '\' in User-Name = "host/IS-MCANNADY-L.htc.com", skipping NULL due to config. ++[ntdomain] returns noop ++[control] returns noop [eap] EAP packet type response id 9 length 85 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] +- entering group MS-CHAP {...} [mschap] Told to do MS-CHAPv2 for host/IS-MCANNADY-L.htc.com with NT-Password [mschap] expand: --domain=%{mschap:NT-Domain} -> --domain=htc [mschap] expand: --username=%{mschap:User-Name} -> --username=IS-MCANNADY-L$ [mschap] mschap2: b6 [mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=11e08bdff9a35b3f [mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=2e7c3d2146332065d255b7f853aecb601d00e05082badb10 Exec-Program output: Logon failure (0xc000006d) Exec-Program-Wait: plaintext: Logon failure 
(0xc000006d) Exec-Program: returned: 1 [mschap] External script failed. [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject [eap] Freeing handler ++[eap] returns reject Failed to authenticate the user. Login incorrect: [host/IS-MCANNADY-L.htc.com/<via Auth-Type = EAP>] (from client MikeDeskSwitch port 0 via TLS tunnel) } # server inner-tunnel [peap] Got tunneled reply code 3 MS-CHAP-Error = "\tE=691 R=1" EAP-Message = 0x04090004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Got tunneled reply RADIUS code 3 MS-CHAP-Error = "\tE=691 R=1" EAP-Message = 0x04090004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Tunneled authentication was rejected. [peap] FAILURE ++[eap] returns handled Sending Access-Challenge of id 52 to 172.21.17.59 port 1025 EAP-Message = 0x010a00261900170301001b3533c7101e632bc436b65822b9b7bb11e5d9f923547accf9 5234e0 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x29be35a421b42c776aa21593a54d8f6e Finished request 8. Going to the next request Waking up in 4.9 seconds. 
rad_recv: Access-Request packet from host 172.21.17.59 port 1025, id=53, length=276 Framed-MTU = 1480 NAS-IP-Address = 172.21.17.59 NAS-Identifier = "BareFtComs_BO_HP2" User-Name = "host/IS-MCANNADY-L.htc.com" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 17 NAS-Port-Type = Ethernet NAS-Port-Id = "17" Called-Station-Id = "00-14-c2-25-f9-00" Calling-Station-Id = "00-1e-e5-87-61-d6" Connect-Info = "CONNECT Ethernet 100Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "221" State = 0x29be35a421b42c776aa21593a54d8f6e EAP-Message = 0x020a00261900170301001bb9ad6307193ba51867e2ddc8c1bf3bff13a3e96d71fcce70 12c592 Message-Authenticator = 0xd7b1be5082f5a55d993d5de076606a4c +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "host/IS-MCANNADY-L.htc.com", skipping NULL due to config. ++[suffix] returns noop [ntdomain] No '\' in User-Name = "host/IS-MCANNADY-L.htc.com", skipping NULL due to config. ++[ntdomain] returns noop [eap] EAP packet type response id 10 length 38 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Received EAP-TLV response. [peap] Had sent TLV failure. User was rejected earlier in this session. [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. 
Login incorrect: [host/IS-MCANNADY-L.htc.com/<via Auth-Type = EAP>] (from client MikeDeskSwitch port 17 cli 00-1e-e5-87-61-d6) Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> host/IS-MCANNADY-L.htc.com attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 9 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 9 Sending Access-Reject of id 53 to 172.21.17.59 port 1025 EAP-Message = 0x040a0004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.8 seconds. Cleaning up request 0 ID 44 with timestamp +110 Cleaning up request 1 ID 45 with timestamp +110 Cleaning up request 2 ID 46 with timestamp +110 Cleaning up request 3 ID 47 with timestamp +110 Cleaning up request 4 ID 48 with timestamp +110 Cleaning up request 5 ID 49 with timestamp +110 Cleaning up request 6 ID 50 with timestamp +110 Cleaning up request 7 ID 51 with timestamp +110 Cleaning up request 8 ID 52 with timestamp +110 Waking up in 1.0 seconds. Cleaning up request 9 ID 53 with timestamp +110 Ready to process requests. [r...@htcradius1 etc]# Mike Cannady Information Services Horry Telephone Cooperative (HTC) Phone: (843)369-8212 Fax..: (843)369-7195 Pager: (843)828-5899 Email: mike.cann...@htcinc.net
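The failure in the debug output above comes down to which `--domain` and `--username` values the mschap module handed to ntlm_auth. The following is an added example, not part of the original post and not FreeRADIUS code: it pulls those expansions and the helper's exit code out of `radiusd -X` output and flags failed attempts whose domain is not one the poster reports ntlm_auth accepting. The function names and the `ACCEPTED_DOMAINS` list are assumptions made for illustration; the sample lines are copied from the post.

```python
import re

# Lines copied from the radiusd -X output in the post (one entry per line).
SAMPLE_DEBUG = """\
[mschap] Told to do MS-CHAPv2 for host/IS-MCANNADY-L.htc.com with NT-Password
[mschap] expand: --domain=%{mschap:NT-Domain} -> --domain=htc
[mschap] expand: --username=%{mschap:User-Name} -> --username=IS-MCANNADY-L$
Exec-Program output: Logon failure (0xc000006d)
Exec-Program: returned: 1
[mschap] External script failed.
"""

# Domains the post says ntlm_auth accepts ("horry" and "htc.com"; "HTC" does not).
ACCEPTED_DOMAINS = ["HORRY", "htc.com"]

# One pattern for the three events of interest, so that the parser also
# works on debug output whose line breaks were lost in transit.
TOKEN_RE = re.compile(
    r"\[mschap\] Told to do MS-CHAPv2 for (?P<identity>\S+) with"
    r"|expand: --(?P<key>domain|username)=\S* -> --(?P=key)=(?P<value>\S*)"
    r"|Exec-Program: returned: (?P<rc>\d+)"
)


def summarize_mschap(debug_text):
    """Return one dict per MS-CHAPv2 attempt found in the debug output."""
    attempts, cur = [], None
    for m in TOKEN_RE.finditer(debug_text):
        if m.group("identity"):
            cur = {"identity": m.group("identity"), "domain": None,
                   "username": None, "rc": None}
            attempts.append(cur)
        elif cur is not None and m.group("key"):
            cur[m.group("key")] = m.group("value")   # expanded argument
        elif cur is not None and m.group("rc") is not None:
            cur["rc"] = int(m.group("rc"))           # ntlm_auth exit status
    return attempts


def suspect_domains(attempts, accepted_domains):
    """Failed attempts whose expanded --domain is not a known-good domain."""
    accepted = {d.lower() for d in accepted_domains}
    return [a for a in attempts
            if a["rc"] not in (None, 0)
            and a["domain"] is not None
            and a["domain"].lower() not in accepted]


if __name__ == "__main__":
    for a in suspect_domains(summarize_mschap(SAMPLE_DEBUG), ACCEPTED_DOMAINS):
        print(f'{a["identity"]}: --domain={a["domain"]} '
              f'--username={a["username"]} exit={a["rc"]}')
```

Run against a full debug capture, this separates rejections caused by the derived domain from rejections where the domain was acceptable and the credentials themselves failed.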