Hi all I have a problem on my Packetfence 6.0.0 when I when to authenticate an
AD user I got this 3 specifics errors,please I need help :
(16) mschap: ERROR: Program returned code (1) and output 'Logon failure
(0xc000006d)'
(16) mschap: External script failed
(16) mschap: ERROR: External script says: Logon failure (0xc000006d)
(16) mschap: ERROR: MS-CHAP2-Response is incorrect
Ans this is my full radius debug file
FreeRADIUS-Proxied-To = 127.0.0.1
(21) User-Name = "Administrateur"
(21) State = 0x42fe33fd42f7296034bd9bd88f2ca30f
(21) Service-Type = Framed-User
(21) Framed-MTU = 1500
(21) Calling-Station-Id := "00:40:d0:67:d0:b1"
(21) Cisco-AVPair = "audit-session-id=C0A801050000003200BCDD37"
(21) NAS-Port-Type = Ethernet
(21) NAS-Port = 50003
(21) NAS-Port-Id = "FastEthernet0/3"
(21) NAS-IP-Address = 192.168.1.5
(21) Called-Station-Id := "ec:44:76:87:f0:83"
(21) Event-Timestamp = "May 10 2016 16:57:28 CEST"
(21) WARNING: Outer and inner identities are the same. User privacy is
compromised.
(21) server packetfence-tunnel {
(21) session-state: No cached attributes
(21) # Executing section authorize from file
/usr/local/pf/raddb//sites-enabled/packetfence-tunnel
(21) authorize {
(21) policy filter_username {
(21) if (&User-Name) {
(21) if (&User-Name) -> TRUE
(21) if (&User-Name) {
(21) if (&User-Name =~ / /) {
(21) if (&User-Name =~ / /) -> FALSE
(21) if (&User-Name =~ /@[^@]*@/ ) {
(21) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(21) if (&User-Name =~ /\.\./ ) {
(21) if (&User-Name =~ /\.\./ ) -> FALSE
(21) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(21) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(21) if (&User-Name =~ /\.$/) {
(21) if (&User-Name =~ /\.$/) -> FALSE
(21) if (&User-Name =~ /@\./) {
(21) if (&User-Name =~ /@\./) -> FALSE
(21) } # if (&User-Name) = notfound
(21) } # policy filter_username = notfound
(21) [mschap] = noop
(21) suffix: Checking for suffix after "@"
(21) suffix: No '@' in User-Name = "Administrateur", skipping NULL due to
config.
(21) [suffix] = noop
(21) ntdomain: Checking for prefix before "\"
(21) ntdomain: No '\' in User-Name = "Administrateur", looking up realm NULL
(21) ntdomain: No such realm "NULL"
(21) [ntdomain] = noop
(21) update control {
(21) &Proxy-To-Realm := LOCAL
(21) } # update control = noop
(21) eap: Peer sent EAP Response (code 2) ID 9 length 73
(21) eap: No EAP Start, assuming it's an on-going EAP conversation
(21) [eap] = updated
(21) policy rewrite_called_station_id {
(21) if ((&Called-Station-Id) && (&Called-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i))
{
(21) if ((&Called-Station-Id) && (&Called-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i))
-> TRUE
(21) if ((&Called-Station-Id) && (&Called-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i))
{
(21) update request {
(21) &Called-Station-Id !* ANY
(21) EXPAND %{tolower:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(21) --> ec:44:76:87:f0:83
(21) &Called-Station-Id := ec:44:76:87:f0:83
(21) } # update request = noop
(21) if ("%{8}") {
(21) EXPAND %{8}
(21) -->
(21) if ("%{8}") -> FALSE
(21) elsif ( (Colubris-AVPair) && "%{Colubris-AVPair}" =~
/^ssid=(.*)$/i) {
(21) elsif ( (Colubris-AVPair) && "%{Colubris-AVPair}" =~
/^ssid=(.*)$/i) -> FALSE
(21) elsif (Aruba-Essid-Name) {
(21) elsif (Aruba-Essid-Name) -> FALSE
(21) elsif ( (Cisco-AVPair) && "%{Cisco-AVPair}" =~ /^ssid=(.*)$/i) {
(21) EXPAND %{Cisco-AVPair}
(21) --> audit-session-id=C0A801050000003200BCDD37
(21) elsif ( (Cisco-AVPair) && "%{Cisco-AVPair}" =~ /^ssid=(.*)$/i)
-> FALSE
(21) [updated] = updated
(21) } # if ((&Called-Station-Id) && (&Called-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i))
= updated
(21) ... skipping else for request 21: Preceding "if" was taken
(21) } # policy rewrite_called_station_id = updated
(21) [pap] = noop
(21) } # authorize = updated
(21) Found Auth-Type = eap
(21) # Executing group from file
/usr/local/pf/raddb//sites-enabled/packetfence-tunnel
(21) authenticate {
(21) eap: Expiring EAP session with state 0x42fe33fd42f72960
(21) eap: Finished EAP session with state 0x42fe33fd42f72960
(21) eap: Previous EAP request found for state 0x42fe33fd42f72960, released
from the list
(21) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(21) eap: Calling submodule eap_mschapv2 to process data
(21) eap_mschapv2: # Executing group from file
/usr/local/pf/raddb//sites-enabled/packetfence-tunnel
(21) eap_mschapv2: Auth-Type MS-CHAP {
(21) packetfence: $RAD_REQUEST{'User-Name'} = &request:User-Name ->
'Administrateur'
(21) packetfence: $RAD_REQUEST{'NAS-IP-Address'} = &request:NAS-IP-Address ->
'192.168.1.5'
(21) packetfence: $RAD_REQUEST{'NAS-Port'} = &request:NAS-Port -> '50003'
(21) packetfence: $RAD_REQUEST{'Service-Type'} = &request:Service-Type ->
'Framed-User'
(21) packetfence: $RAD_REQUEST{'Framed-MTU'} = &request:Framed-MTU -> '1500'
(21) packetfence: $RAD_REQUEST{'State'} = &request:State ->
'0x42fe33fd42f7296034bd9bd88f2ca30f'
(21) packetfence: $RAD_REQUEST{'Called-Station-Id'} =
&request:Called-Station-Id -> 'ec:44:76:87:f0:83'
(21) packetfence: $RAD_REQUEST{'Calling-Station-Id'} =
&request:Calling-Station-Id -> '00:40:d0:67:d0:b1'
(21) packetfence: $RAD_REQUEST{'NAS-Port-Type'} = &request:NAS-Port-Type ->
'Ethernet'
(21) packetfence: $RAD_REQUEST{'Event-Timestamp'} = &request:Event-Timestamp
-> 'May 10 2016 16:57:28 CEST'
(21) packetfence: $RAD_REQUEST{'EAP-Message'} = &request:EAP-Message ->
'0x020900491a0209004431eb4ca34aee1ad514b736c229c9e0798a0000000000000000fa1cb5436a574339be984a38670c37bd8554f4e5afe4a1410041646d696e697374726174657572'
(21) packetfence: $RAD_REQUEST{'NAS-Port-Id'} = &request:NAS-Port-Id ->
'FastEthernet0/3'
(21) packetfence: $RAD_REQUEST{'Cisco-AVPair'} = &request:Cisco-AVPair ->
'audit-session-id=C0A801050000003200BCDD37'
(21) packetfence: $RAD_REQUEST{'FreeRADIUS-Proxied-To'} =
&request:FreeRADIUS-Proxied-To -> '127.0.0.1'
(21) packetfence: $RAD_REQUEST{'MS-CHAP-Challenge'} =
&request:MS-CHAP-Challenge -> '0xc3bbd40002f9ff77a7078554def335eb'
(21) packetfence: $RAD_REQUEST{'MS-CHAP2-Response'} =
&request:MS-CHAP2-Response ->
'0x0964eb4ca34aee1ad514b736c229c9e0798a0000000000000000fa1cb5436a574339be984a38670c37bd8554f4e5afe4a141'
(21) packetfence: $RAD_REQUEST{'EAP-Type'} = &request:EAP-Type -> 'MSCHAPv2'
(21) packetfence: $RAD_REQUEST{'MS-CHAP-User-Name'} =
&request:MS-CHAP-User-Name -> 'Administrateur'
(21) packetfence: $RAD_CHECK{'Auth-Type'} = &control:Auth-Type -> 'eap'
(21) packetfence: $RAD_CHECK{'Proxy-To-Realm'} = &control:Proxy-To-Realm ->
'LOCAL'
(21) packetfence: $RAD_CONFIG{'Auth-Type'} = &control:Auth-Type -> 'eap'
(21) packetfence: $RAD_CONFIG{'Proxy-To-Realm'} = &control:Proxy-To-Realm ->
'LOCAL'
(21) packetfence: &request:NAS-Port-Type = $RAD_REQUEST{'NAS-Port-Type'} ->
'Ethernet'
(21) packetfence: &request:Service-Type = $RAD_REQUEST{'Service-Type'} ->
'Framed-User'
(21) packetfence: &request:Called-Station-Id =
$RAD_REQUEST{'Called-Station-Id'} -> 'ec:44:76:87:f0:83'
(21) packetfence: &request:State = $RAD_REQUEST{'State'} ->
'0x42fe33fd42f7296034bd9bd88f2ca30f'
(21) packetfence: &request:FreeRADIUS-Proxied-To =
$RAD_REQUEST{'FreeRADIUS-Proxied-To'} -> '127.0.0.1'
(21) packetfence: &request:EAP-Type = $RAD_REQUEST{'EAP-Type'} -> 'MSCHAPv2'
(21) packetfence: &request:NAS-IP-Address = $RAD_REQUEST{'NAS-IP-Address'} ->
'192.168.1.5'
(21) packetfence: &request:NAS-Port-Id = $RAD_REQUEST{'NAS-Port-Id'} ->
'FastEthernet0/3'
(21) packetfence: &request:Calling-Station-Id =
$RAD_REQUEST{'Calling-Station-Id'} -> '00:40:d0:67:d0:b1'
(21) packetfence: &request:MS-CHAP-User-Name =
$RAD_REQUEST{'MS-CHAP-User-Name'} -> 'Administrateur'
(21) packetfence: &request:MS-CHAP-Challenge =
$RAD_REQUEST{'MS-CHAP-Challenge'} -> '0xc3bbd40002f9ff77a7078554def335eb'
(21) packetfence: &request:Cisco-AVPair = $RAD_REQUEST{'Cisco-AVPair'} ->
'audit-session-id=C0A801050000003200BCDD37'
(21) packetfence: &request:User-Name = $RAD_REQUEST{'User-Name'} ->
'Administrateur'
(21) packetfence: &request:Event-Timestamp = $RAD_REQUEST{'Event-Timestamp'} ->
'May 10 2016 16:57:28 CEST'
(21) packetfence: &request:EAP-Message = $RAD_REQUEST{'EAP-Message'} ->
'0x020900491a0209004431eb4ca34aee1ad514b736c229c9e0798a0000000000000000fa1cb5436a574339be984a38670c37bd8554f4e5afe4a1410041646d696e697374726174657572'
(21) packetfence: &request:MS-CHAP2-Response =
$RAD_REQUEST{'MS-CHAP2-Response'} ->
'0x0964eb4ca34aee1ad514b736c229c9e0798a0000000000000000fa1cb5436a574339be984a38670c37bd8554f4e5afe4a141'
(21) packetfence: &request:NAS-Port = $RAD_REQUEST{'NAS-Port'} -> '50003'
(21) packetfence: &request:Framed-MTU = $RAD_REQUEST{'Framed-MTU'} -> '1500'
(21) packetfence: &control:Auth-Type = $RAD_CHECK{'Auth-Type'} -> 'eap'
(21) packetfence: &control:Proxy-To-Realm = $RAD_CHECK{'Proxy-To-Realm'} ->
'LOCAL'
(21) [packetfence] = noop
(21) if (PacketFence-Domain) {
(21) if (PacketFence-Domain) -> FALSE
(21) else {
(21) mschap: Creating challenge hash with username: Administrateur
(21) mschap: Client is using MS-CHAPv2
(21) mschap: Executing: /usr/local/pf/bin/ntlm_auth_wrapper --
--request-nt-key --username=%{%{Stripped-User-Name}:-%{mschap:User-Name:-None}}
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}:
(21) mschap: EXPAND
--username=%{%{Stripped-User-Name}:-%{mschap:User-Name:-None}}
(21) mschap: --> --username=Administrateur
(21) mschap: Creating challenge hash with username: Administrateur
(21) mschap: EXPAND --challenge=%{mschap:Challenge:-00}
(21) mschap: --> --challenge=c330d9e5a3d1ecdf
(21) mschap: EXPAND --nt-response=%{mschap:NT-Response:-00}
(21) mschap: -->
--nt-response=fa1cb5436a574339be984a38670c37bd8554f4e5afe4a141
(21) mschap: ERROR: Abnormal child exit: No error
(21) mschap: External script failed
(21) mschap: ERROR: External script says: Logon failure (0xc000006d)
(21) mschap: ERROR: MS-CHAP2-Response is incorrect
(21) [mschap] = reject
(21) } # else = reject
(21) } # Auth-Type MS-CHAP = reject
(21) eap: Sending EAP Failure (code 4) ID 9 length 4
(21) eap: Freeing handler
(21) [eap] = reject
(21) } # authenticate = reject
(21) Failed to authenticate the user
(21) Login incorrect (mschap: Abnormal child exit: No error):
[Administrateur] (from client 192.168.1.5 port 50003 cli 00:40:d0:67:d0:b1 via
TLS tunnel)
(21) Using Post-Auth-Type Reject
(21) # Executing group from file
/usr/local/pf/raddb//sites-enabled/packetfence-tunnel
(21) Post-Auth-Type REJECT {
(21) policy request-timing {
(21) if (control:PacketFence-Request-Time != 0) {
(21) ERROR: Failed retrieving values required to evaluate condition
(21) } # policy request-timing = noop
(21) sql_reject: EXPAND type.reject.query
(21) sql_reject: --> type.reject.query
(21) sql_reject: Using query template 'query'
rlm_sql (sql): Reserved connection (6)
(21) sql_reject: EXPAND %{User-Name}
(21) sql_reject: --> Administrateur
(21) sql_reject: SQL-User-Name set to 'Administrateur'
(21) sql_reject: EXPAND INSERT INTO radius_audit_log ( mac, ip,
computer_name, user_name, stripped_user_name, realm,
event_type, switch_id, switch_mac, switch_ip_address,
radius_source_ip_address, called_station_id, calling_station_id,
nas_port_type, ssid, nas_port_id, ifindex, nas_port,
connection_type, nas_ip_address, nas_identifier, auth_status,
reason, auth_type, eap_type, role, node_status,
profile, source, auto_reg, is_phone, pf_domain,
uuid, radius_request, radius_reply, request_time)
VALUES ( '%{request:Calling-Station-Id}',
'%{request:Framed-IP-Address}', '%{%{control:PacketFence-Computer-Name}:-N/A}',
'%{request:User-Name}', '%{request:Stripped-User-Name}',
'%{request:Realm}', 'Radius-Access-Request',
'%{%{control:PacketFence-Switch-Id}:-N/A}',
'%{%{control:PacketFence-Switch-Mac}:-N/A}',
'%{%{control:PacketFence-Switch-Ip-Address}:-N/A}',
'%{Packet-Src-IP-Address}', '%{request:Called-Station-Id}',
'%{request:Calling-Station-Id}', '%{request:NAS-Port-Type}',
'%{request:Called-Station-SSID}', '%{request:NAS-Port-Id}',
'%{%{control:PacketFence-IfIndex}:-N/A}', '%{request:NAS-Port}',
'%{%{control:PacketFence-Connection-Type}:-N/A}',
'%{request:NAS-IP-Address}', '%{request:NAS-Identifier}', 'Reject',
'%{request:Module-Failure-Message}', '%{control:Auth-Type}',
'%{request:EAP-Type}', '%{%{control:PacketFence-Role}:-N/A}',
'%{%{control:PacketFence-Status}:-N/A}',
'%{%{control:PacketFence-Profile}:-N/A}',
'%{%{control:PacketFence-Source}:-N/A}',
'%{%{control:PacketFence-AutoReg}:-N/A}',
'%{%{control:PacketFence-IsPhone}:-N/A}',
'%{request:PacketFence-Domain}', '',
'%{pairs:&request:[*]}','%{pairs:&reply:[*]}',
'%{%{control:PacketFence-Request-Time}:-N/A}')
(21) sql_reject: --> INSERT INTO radius_audit_log ( mac, ip,
computer_name, user_name, stripped_user_name, realm,
event_type, switch_id, switch_mac, switch_ip_address,
radius_source_ip_address, called_station_id, calling_station_id,
nas_port_type, ssid, nas_port_id, ifindex, nas_port,
connection_type, nas_ip_address, nas_identifier, auth_status,
reason, auth_type, eap_type, role, node_status,
profile, source, auto_reg, is_phone, pf_domain,
uuid, radius_request, radius_reply, request_time)
VALUES ( '00:40:d0:67:d0:b1', '', 'N/A', 'Administrateur',
'', '', 'Radius-Access-Request', 'N/A', 'N/A', 'N/A',
'192.168.1.5', 'ec:44:76:87:f0:83', '00:40:d0:67:d0:b1',
'Ethernet', '', 'FastEthernet0/3', 'N/A', '50003', 'N/A',
'192.168.1.5', '', 'Reject', 'mschap: Abnormal
child exit: No error', 'eap', 'MSCHAPv2', 'N/A', 'N/A', 'N/A',
'N/A', 'N/A', 'N/A', '', '', 'NAS-Port-Type =3D
Ethernet=2C Service-Type =3D Framed-User=2C Called-Station-Id =3D
=22ec:44:76:87:f0:83=22=2C State =3D 0x42fe33fd42f7296034bd9bd88f2ca30f=2C
FreeRADIUS-Proxied-To =3D 127.0.0.1=2C EAP-Type =3D MSCHAPv2=2C NAS-IP-Address
=3D 192.168.1.5=2C NAS-Port-Id =3D =22FastEthernet0/3=22=2C Calling-Station-Id
=3D =2200:40:d0:67:d0:b1=22=2C MS-CHAP-User-Name =3D =22Administrateur=22=2C
MS-CHAP-Challenge =3D 0xc3bbd40002f9ff77a7078554def335eb=2C Cisco-AVPair =3D
=22audit-session-id=3DC0A801050000003200BCDD37=22=2C User-Name =3D
=22Administrateur=22=2C Event-Timestamp =3D =22May 10 2016 16:57:28 CEST=22=2C
EAP-Message =3D
0x020900491a0209004431eb4ca34aee1ad514b736c229c9e0798a0000000000000000fa1cb5436a574339be984a38670c37bd8554f4e5afe4a1410041646d696e697374726174657572=2C
MS-CHAP2-Response =3D
0x0964eb4ca34aee1ad514b736c229c9e0798a0000000000000000fa1cb5436a574339be984a38670c37bd8554f4e5afe4a141=2C
NAS-Port =3D 50003=2C Framed-MTU =3D 1500=2C Module-Failure-Message =3D
=22mschap: Abnormal child exit: No error=22=2C Module-Failure-Message =3D
=22mschap: External script says: Logon failure =280xc000006d=29=22=2C
Module-Failure-Message =3D =22mschap: MS-CHAP2-Response is incorrect=22=2C
Module-Failure-Message =3D =22Failed retrieving values required to evaluate
condition=22=2C SQL-User-Name =3D =22Administrateur=22','MS-CHAP-Error =3D
=22=5CtE=3D691 R=3D0 C=3D45ea37e23aa1e0bb6635a42ede246a62 V=3D3
M=3DAuthentication failed=22=2C EAP-Message =3D 0x04090004=2C
Message-Authenticator =3D 0x00000000000000000000000000000000', 'N/A')
(21) sql_reject: Executing query: INSERT INTO radius_audit_log (
mac, ip, computer_name, user_name, stripped_user_name, realm,
event_type, switch_id, switch_mac, switch_ip_address,
radius_source_ip_address, called_station_id, calling_station_id,
nas_port_type, ssid, nas_port_id, ifindex, nas_port,
connection_type, nas_ip_address, nas_identifier, auth_status,
reason, auth_type, eap_type, role, node_status,
profile, source, auto_reg, is_phone, pf_domain,
uuid, radius_request, radius_reply, request_time)
VALUES ( '00:40:d0:67:d0:b1', '', 'N/A', 'Administrateur',
'', '', 'Radius-Access-Request', 'N/A', 'N/A', 'N/A',
'192.168.1.5', 'ec:44:76:87:f0:83', '00:40:d0:67:d0:b1',
'Ethernet', '', 'FastEthernet0/3', 'N/A', '50003', 'N/A',
'192.168.1.5', '', 'Reject', 'mschap: Abnormal
child exit: No error', 'eap', 'MSCHAPv2', 'N/A', 'N/A', 'N/A',
'N/A', 'N/A', 'N/A', '', '', 'NAS-Port-Type =3D
Ethernet=2C Service-Type =3D Framed-User=2C Called-Station-Id =3D
=22ec:44:76:87:f0:83=22=2C State =3D 0x42fe33fd42f7296034bd9bd88f2ca30f=2C
FreeRADIUS-Proxied-To =3D 127.0.0.1=2C EAP-Type =3D MSCHAPv2=2C NAS-IP-Address
=3D 192.168.1.5=2C NAS-Port-Id =3D =22FastEthernet0/3=22=2C Calling-Station-Id
=3D =2200:40:d0:67:d0:b1=22=2C MS-CHAP-User-Name =3D =22Administrateur=22=2C
MS-CHAP-Challenge =3D 0xc3bbd40002f9ff77a7078554def335eb=2C Cisco-AVPair =3D
=22audit-session-id=3DC0A801050000003200BCDD37=22=2C User-Name =3D
=22Administrateur=22=2C Event-Timestamp =3D =22May 10 2016 16:57:28 CEST=22=2C
EAP-Message =3D
0x020900491a0209004431eb4ca34aee1ad514b736c229c9e0798a0000000000000000fa1cb5436a574339be984a38670c37bd8554f4e5afe4a1410041646d696e697374726174657572=2C
MS-CHAP2-Response =3D
0x0964eb4ca34aee1ad514b736c229c9e0798a0000000000000000fa1cb5436a574339be984a38670c37bd8554f4e5afe4a141=2C
NAS-Port =3D 50003=2C Framed-MTU =3D 1500=2C Module-Failure-Message =3D
=22mschap: Abnormal child exit: No error=22=2C Module-Failure-Message =3D
=22mschap: External script says: Logon failure =280xc000006d=29=22=2C
Module-Failure-Message =3D =22mschap: MS-CHAP2-Response is incorrect=22=2C
Module-Failure-Message =3D =22Failed retrieving values required to evaluate
condition=22=2C SQL-User-Name =3D =22Administrateur=22','MS-CHAP-Error =3D
=22=5CtE=3D691 R=3D0 C=3D45ea37e23aa1e0bb6635a42ede246a62 V=3D3
M=3DAuthentication failed=22=2C EAP-Message =3D 0x04090004=2C
Message-Authenticator =3D 0x00000000000000000000000000000000', 'N/A')
(21) sql_reject: SQL query returned: success
(21) sql_reject: 1 record(s) updated
rlm_sql (sql): Released connection (6)
rlm_sql (sql): Need 1 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (8), 1 of 62 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'pf' on Localhost via UNIX socket, server
version 5.1.73, protocol version 10
(21) [sql_reject] = ok
(21) attr_filter.access_reject: EXPAND %{User-Name}
(21) attr_filter.access_reject: --> Administrateur
(21) attr_filter.access_reject: Matched entry DEFAULT at line 11
(21) [attr_filter.access_reject] = updated
(21) update outer.session-state {
(21) &Module-Failure-Message := &request:Module-Failure-Message ->
'mschap: Abnormal child exit: No error'
(21) } # update outer.session-state = noop
(21) } # Post-Auth-Type REJECT = updated
(21) } # server packetfence-tunnel
(21) Virtual server sending reply
(21) MS-CHAP-Error = "\tE=691 R=0 C=45ea37e23aa1e0bb6635a42ede246a62 V=3
M=Authentication failed"
(21) EAP-Message = 0x04090004
(21) Message-Authenticator = 0x00000000000000000000000000000000
(21) eap_peap: Got tunneled reply code 3
(21) eap_peap: MS-CHAP-Error = "\tE=691 R=0
C=45ea37e23aa1e0bb6635a42ede246a62 V=3 M=Authentication failed"
(21) eap_peap: EAP-Message = 0x04090004
(21) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(21) eap_peap: Got tunneled reply RADIUS code 3
(21) eap_peap: MS-CHAP-Error = "\tE=691 R=0
C=45ea37e23aa1e0bb6635a42ede246a62 V=3 M=Authentication failed"
(21) eap_peap: EAP-Message = 0x04090004
(21) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(21) eap_peap: Tunneled authentication was rejected
(21) eap_peap: FAILURE
(21) eap: Sending EAP Request (code 1) ID 10 length 43
(21) eap: EAP session adding &reply:State = 0x951d7ff092176631
(21) [eap] = handled
(21) } # authenticate = handled
(21) Using Post-Auth-Type Challenge
(21) Post-Auth-Type sub-section not found. Ignoring.
(21) # Executing group from file /usr/local/pf/raddb//sites-enabled/packetfence
(21) session-state: Saving cached attributes
(21) Module-Failure-Message := "mschap: Abnormal child exit: No error"
(21) Sent Access-Challenge Id 232 from 192.168.10.1:1812 to 192.168.1.5:1645
length 0
(21) EAP-Message =
0x010a002b190017030100201ed3bed6b95fc062e4214f5873237f64dd93b7c3d63baf0b3d3f4768bb2e1c53
(21) Message-Authenticator = 0x00000000000000000000000000000000
(21) State = 0x951d7ff092176631b7716540afc4a8a1
(21) Finished request
Waking up in 4.8 seconds.
(22) Received Access-Request Id 233 from 192.168.1.5:1645 to 192.168.10.1:1812
length 251
(22) User-Name = "Administrateur"
(22) Service-Type = Framed-User
(22) Framed-MTU = 1500
(22) Called-Station-Id = "EC-44-76-87-F0-83"
(22) Calling-Station-Id = "00-40-D0-67-D0-B1"
(22) EAP-Message =
0x020a002b190017030100208dd4569e8656380cf464c8a46b0823720880d6c90e1207ec982375a8254bc4ff
(22) Message-Authenticator = 0xaae91e23d504d18abb24df64cae111ce
(22) Cisco-AVPair = "audit-session-id=C0A801050000003200BCDD37"
(22) NAS-Port-Type = Ethernet
(22) NAS-Port = 50003
(22) NAS-Port-Id = "FastEthernet0/3"
(22) State = 0x951d7ff092176631b7716540afc4a8a1
(22) NAS-IP-Address = 192.168.1.5
(22) Restoring &session-state
(22) &session-state:Module-Failure-Message := "mschap: Abnormal child exit:
No error"
(22) # Executing section authorize from file
/usr/local/pf/raddb//sites-enabled/packetfence
(22) authorize {
(22) update {
(22) EXPAND %{Packet-Src-IP-Address}
(22) --> 192.168.1.5
(22) &request:FreeRADIUS-Client-IP-Address := 192.168.1.5
(22) &control:PacketFence-RPC-Server = 127.0.0.1
(22) &control:PacketFence-RPC-Port = 7070
(22) &control:PacketFence-RPC-User =
(22) &control:PacketFence-RPC-Pass =
(22) &control:PacketFence-RPC-Proto = http
(22) EXPAND %l
(22) --> 1462892248
(22) &control:Tmp-Integer-0 := 1462892248
(22) &control:PacketFence-Request-Time := 0
(22) } # update = noop
(22) policy rewrite_calling_station_id {
(22) if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
{
(22) if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
-> TRUE
(22) if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
{
(22) update request {
(22) EXPAND %{tolower:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(22) --> 00:40:d0:67:d0:b1
(22) &Calling-Station-Id := 00:40:d0:67:d0:b1
(22) } # update request = noop
(22) [updated] = updated
(22) } # if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
= updated
(22) ... skipping else for request 22: Preceding "if" was taken
(22) } # policy rewrite_calling_station_id = updated
(22) policy rewrite_called_station_id {
(22) if ((&Called-Station-Id) && (&Called-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i))
{
(22) if ((&Called-Station-Id) && (&Called-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i))
-> TRUE
(22) if ((&Called-Station-Id) && (&Called-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i))
{
(22) update request {
(22) &Called-Station-Id !* ANY
(22) EXPAND %{tolower:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(22) --> ec:44:76:87:f0:83
(22) &Called-Station-Id := ec:44:76:87:f0:83
(22) } # update request = noop
(22) if ("%{8}") {
(22) EXPAND %{8}
(22) -->
(22) if ("%{8}") -> FALSE
(22) elsif ( (Colubris-AVPair) && "%{Colubris-AVPair}" =~
/^ssid=(.*)$/i) {
(22) elsif ( (Colubris-AVPair) && "%{Colubris-AVPair}" =~
/^ssid=(.*)$/i) -> FALSE
(22) elsif (Aruba-Essid-Name) {
(22) elsif (Aruba-Essid-Name) -> FALSE
(22) elsif ( (Cisco-AVPair) && "%{Cisco-AVPair}" =~ /^ssid=(.*)$/i) {
(22) EXPAND %{Cisco-AVPair}
(22) --> audit-session-id=C0A801050000003200BCDD37
(22) elsif ( (Cisco-AVPair) && "%{Cisco-AVPair}" =~ /^ssid=(.*)$/i)
-> FALSE
(22) [updated] = updated
(22) } # if ((&Called-Station-Id) && (&Called-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i))
= updated
(22) ... skipping else for request 22: Preceding "if" was taken
(22) } # policy rewrite_called_station_id = updated
(22) policy filter_username {
(22) if (&User-Name) {
(22) if (&User-Name) -> TRUE
(22) if (&User-Name) {
(22) if (&User-Name =~ / /) {
(22) if (&User-Name =~ / /) -> FALSE
(22) if (&User-Name =~ /@[^@]*@/ ) {
(22) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(22) if (&User-Name =~ /\.\./ ) {
(22) if (&User-Name =~ /\.\./ ) -> FALSE
(22) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(22) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(22) if (&User-Name =~ /\.$/) {
(22) if (&User-Name =~ /\.$/) -> FALSE
(22) if (&User-Name =~ /@\./) {
(22) if (&User-Name =~ /@\./) -> FALSE
(22) } # if (&User-Name) = updated
(22) } # policy filter_username = updated
(22) policy filter_password {
(22) if (&User-Password && (&User-Password !=
"%{string:User-Password}")) {
(22) if (&User-Password && (&User-Password !=
"%{string:User-Password}")) -> FALSE
(22) } # policy filter_password = updated
(22) [preprocess] = ok
(22) suffix: Checking for suffix after "@"
(22) suffix: No '@' in User-Name = "Administrateur", skipping NULL due to
config.
(22) [suffix] = noop
(22) ntdomain: Checking for prefix before "\"
(22) ntdomain: No '\' in User-Name = "Administrateur", looking up realm NULL
(22) ntdomain: No such realm "NULL"
(22) [ntdomain] = noop
(22) eap: Peer sent EAP Response (code 2) ID 10 length 43
(22) eap: Continuing tunnel setup
(22) [eap] = ok
(22) } # authorize = ok
(22) Found Auth-Type = eap
(22) # Executing group from file /usr/local/pf/raddb//sites-enabled/packetfence
(22) authenticate {
(22) eap: Expiring EAP session with state 0x951d7ff092176631
(22) eap: Finished EAP session with state 0x951d7ff092176631
(22) eap: Previous EAP request found for state 0x951d7ff092176631, released
from the list
(22) eap: Peer sent packet with method EAP PEAP (25)
(22) eap: Calling submodule eap_peap to process data
(22) eap_peap: Continuing EAP-TLS
(22) eap_peap: [eaptls verify] = ok
(22) eap_peap: Done initial handshake
(22) eap_peap: [eaptls process] = ok
(22) eap_peap: Session established. Decoding tunneled attributes
(22) eap_peap: PEAP state send tlv failure
(22) eap_peap: Received EAP-TLV response
(22) eap_peap: The users session was previously rejected: returning reject
(again.)
(22) eap_peap: This means you need to read the PREVIOUS messages in the debug
output
(22) eap_peap: to find out the reason why the user was rejected
(22) eap_peap: Look for "reject" or "fail". Those earlier messages will tell
you
(22) eap_peap: what went wrong, and how to fix the problem
(22) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed
(22) eap: Sending EAP Failure (code 4) ID 10 length 4
(22) eap: Failed in EAP select
(22) [eap] = invalid
(22) } # authenticate = invalid
(22) Failed to authenticate the user
(22) Login incorrect (eap: Failed continuing EAP PEAP (25) session. EAP
sub-module failed): [Administrateur] (from client 192.168.1.5 port 50003 cli
00:40:d0:67:d0:b1)
(22) Using Post-Auth-Type Reject
(22) # Executing group from file /usr/local/pf/raddb//sites-enabled/packetfence
(22) Post-Auth-Type REJECT {
(22) if (! EAP-Type || (EAP-Type != TTLS && EAP-Type != PEAP) ) {
(22) if (! EAP-Type || (EAP-Type != TTLS && EAP-Type != PEAP) ) -> FALSE
(22) attr_filter.access_reject: EXPAND %{User-Name}
(22) attr_filter.access_reject: --> Administrateur
(22) attr_filter.access_reject: Matched entry DEFAULT at line 11
(22) [attr_filter.access_reject] = updated
(22) attr_filter.packetfence_post_auth: EXPAND %{User-Name}
(22) attr_filter.packetfence_post_auth: --> Administrateur
(22) attr_filter.packetfence_post_auth: Matched entry DEFAULT at line 10
(22) [attr_filter.packetfence_post_auth] = updated
(22) [eap] = noop
(22) policy remove_reply_message_if_eap {
(22) if (&reply:EAP-Message && &reply:Reply-Message) {
(22) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(22) else {
(22) [noop] = noop
(22) } # else = noop
(22) } # policy remove_reply_message_if_eap = noop
(22) linelog: EXPAND messages.%{%{reply:Packet-Type}:-default}
(22) linelog: --> messages.Access-Reject
(22) linelog: EXPAND %t : [mac:%{Calling-Station-Id}] Rejected user:
%{User-Name}
(22) linelog: --> Tue May 10 16:57:28 2016 : [mac:00:40:d0:67:d0:b1]
Rejected user: Administrateur
(22) linelog: EXPAND /usr/local/pf/logs/radius.log
(22) linelog: --> /usr/local/pf/logs/radius.log
(22) [linelog] = ok
(22) } # Post-Auth-Type REJECT = updated
(22) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(22) Sending delayed response
(22) Sent Access-Reject Id 233 from 192.168.10.1:1812 to 192.168.1.5:1645
length 44
(22) EAP-Message = 0x040a0004
(22) Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.7 seconds.
(14) Cleaning up request packet ID 225 with timestamp +160
(15) Cleaning up request packet ID 226 with timestamp +160
(16) Cleaning up request packet ID 227 with timestamp +160
(17) Cleaning up request packet ID 228 with timestamp +160
(18) Cleaning up request packet ID 229 with timestamp +160
(19) Cleaning up request packet ID 230 with timestamp +160
(20) Cleaning up request packet ID 231 with timestamp +160
Waking up in 0.1 seconds.
(21) Cleaning up request packet ID 232 with timestamp +160
(22) Cleaning up request packet ID 233 with timestamp +160
Ready to process requests
Envoyé depuis Yahoo Mail pour Android------------------------------------------------------------------------------
Mobile security can be enabling, not merely restricting. Employees who
bring their own devices (BYOD) to work are irked by the imposition of MDM
restrictions. Mobile Device Manager Plus allows you to control only the
apps on BYO-devices by containerizing them, leaving personal data untouched!
https://ad.doubleclick.net/ddm/clk/304595813;131938128;j
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
