Issues using EAP/peap with LDAP

classic Classic list List threaded Threaded
2 messages Options
| Threaded
Open this post in threaded view
|

Issues using EAP/peap with LDAP

sparrow-2
Hi,

I am currently running into an issue using FreeRadius with a client
doing EAP/peap and a LDAP backend, and hoping someone may be able to
help me.  I am using FreeRadius 1.0.4, OpenSSL 0.9.7g, and SunOne
Directory 5.2 as the LDAP (With passwords stored in clear text.)

Thanks for your time,
Steven O'Reilly

The last few lines of my radius out put are (With the whole output at
the end of the file):

Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.101.250:2048, id=190,
length=171
        NAS-IP-Address = 192.168.101.250
        NAS-Port-Type = Ethernet
        Service-Type = Framed-User
        Message-Authenticator = 0x1a5f7c6946f75f67fede6eea4c31cd67
        NAS-Port = 2
        Framed-MTU = 1490
        User-Name = "WH-NAPDOM\\Administrator"
        Calling-Station-Id = "00-04-AC-5D-19-F6"
        State = 0x9764183b6394f9c7eea9391ab09ef362
        EAP-Message =
0x020b00261900170301001bca06a5f4ff78c2954ca5b40d3d078c5c70e8c203e6a8ec2f8c8f25
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 7
  modcall[authorize]: module "preprocess" returns ok for request 7
  modcall[authorize]: module "chap" returns noop for request 7
  modcall[authorize]: module "mschap" returns noop for request 7
    rlm_realm: Looking up realm "WH-NAPDOM" for User-Name = "WH-NAPDOM
\Administrator"
    rlm_realm: Found realm "WH-NAPDOM"
    rlm_realm: Adding Stripped-User-Name = "Administrator"
    rlm_realm: Proxying request from user Administrator to realm
WH-NAPDOM
    rlm_realm: Adding Realm = "WH-NAPDOM"
    rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module "WH-NAPDOM" returns noop for request 7
rlm_ldap: - authorize
rlm_ldap: performing user authorization for Administrator
radius_xlat:  '(uid=Administrator)'
radius_xlat:  'dc=nwtel,dc=ca'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=nwtel,dc=ca, with filter
(uid=Administrator)
rlm_ldap: Added password supp0rt in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user Administrator authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 7
  rlm_eap: EAP packet type response id 11 length 38
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 7
modcall: group authorize returns updated for request 7
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 7
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_peap: Received EAP-TLV response.
  rlm_eap_peap: Tunneled data is valid.
  rlm_eap_peap:  Had sent TLV failure, rejecting.
 rlm_eap: Handler failed in EAP/peap
  rlm_eap: Failed in EAP select
  modcall[authenticate]: module "eap" returns invalid for request 7
modcall: group authenticate returns invalid for request 7
auth: Failed to validate the user.
Delaying request 7 for 1 seconds
Finished request 7
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.101.250:2048, id=190,
length=171
Sending Access-Reject of id 190 to 192.168.101.250:2048
        EAP-Message = 0x040b0004
        Message-Authenticator = 0x00000000000000000000000000000000
--- Walking the entire request list ---
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 6 ID 189 with timestamp 43191e2f
Cleaning up request 7 ID 190 with timestamp 43191e2f
Nothing to do.  Sleeping until we see a request.

My eap.conf is as follows (with the comments removed):
        eap {
                default_eap_type = peap
                timer_expire     = 60
                ignore_unknown_eap_types = no
                cisco_accounting_username_bug = no
                tls {
                     private_key_password = whatever
                     private_key_file = ${raddbdir}/certs/cert-srv.pem
                     certificate_file = ${raddbdir}/certs/cert-srv.pem
                     CA_file = ${raddbdir}/certs/demoCA/cacert.pem
                     dh_file = ${raddbdir}/certs/dh
                     random_file = ${raddbdir}/certs/random
                     fragment_size = 1024
                     include_length = yes
                     check_crl = yes
                }
                 peap {
                        default_eap_type = mschapv2
                }
                mschapv2 {
                }
        }

My radiusd.conf is as follows (Comments removed):
prefix = /usr/local
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = ${prefix}/var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
libdir = ${exec_prefix}/lib
pidfile = ${run_dir}/radiusd.pid

max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = *
port = 0

hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log_stripped_names = no
log_auth = no
log_auth_badpass = no
log_auth_goodpass = no
usercollide = no
lower_user = yes
lower_pass = yes
nospace_user = no
nospace_pass = no

checkrad = ${sbindir}/checkrad
security {
        max_attributes = 200
        reject_delay = 1
        status_server = no
}

proxy_requests  = yes
$INCLUDE  ${confdir}/proxy.conf
$INCLUDE  ${confdir}/clients.conf
snmp = no
$INCLUDE  ${confdir}/snmp.conf

thread pool {
        start_servers = 5
        max_servers = 32
        min_spare_servers = 3
        max_spare_servers = 10
        max_requests_per_server = 0
}

modules {
        pap {
                encryption_scheme = crypt
        }
        chap {
                authtype = CHAP
        }
        pam {
                pam_auth = radiusd
        }
        unix {
                cache = no
                cache_reload = 600
                radwtmp = ${logdir}/radwtmp
        }

$INCLUDE ${confdir}/eap.conf

        mschap {
                authtype = MS-CHAP
                use_mppe = no
                require_encryption = yes
                require_strong = yes
                with_ntdomain_hack = no
        }
        ldap {
                server = "localhost"
                 identity = "cn=Directory Manager"
                 password = <removed>
                basedn = "dc=nwtel,dc=ca"
                filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
                start_tls = no
                dictionary_mapping = ${raddbdir}/ldap.attrmap
                ldap_connections_number = 5
                 password_attribute = userpassword
                timeout = 4
                timelimit = 3
                net_timeout = 1
        }
        realm IPASS {
                format = prefix
                delimiter = "/"
                ignore_default = no
                ignore_null = no
        }
        realm suffix {
                format = suffix
                delimiter = "@"
                ignore_default = no
                ignore_null = no
        }
        realm realmpercent {
                format = suffix
                delimiter = "%"
                ignore_default = no
                ignore_null = no
        }
        realm WH-NAPDOM {
                format = prefix
                delimiter = "\\"
                ignore_default = no
                ignore_null = no
        }
        realm default {
                format = prefix
                delimiter = "\\"
                ignore_default = no
                ignore_null = no
        }
        checkval {
                item-name = Calling-Station-Id
                check-name = Calling-Station-Id
                data-type = string
        }
        preprocess {
                huntgroups = ${confdir}/huntgroups
                hints = ${confdir}/hints
                with_ascend_hack = no
                ascend_channels_per_line = 23
                with_ntdomain_hack = no
                with_specialix_jetstream_hack = no
                with_cisco_vsa_hack = no
        }

        files {
                usersfile = ${confdir}/users
                acctusersfile = ${confdir}/acct_users
                compat = no
        }
        detail {
                detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
                detailperm = 0600
        }

        acct_unique {
                key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
        }

        $INCLUDE  ${confdir}/sql.conf
        radutmp {
                filename = ${logdir}/radutmp
                username = %{User-Name}
                case_sensitive = yes
                check_with_nas = yes
                perm = 0600
                callerid = "yes"
        }
        radutmp sradutmp {
                filename = ${logdir}/sradutmp
                perm = 0644
                callerid = "no"
        }
        attr_filter {
                attrsfile = ${confdir}/attrs
        }
        counter daily {
                filename = ${raddbdir}/db.daily
                key = User-Name
                count-attribute = Acct-Session-Time
                reset = daily
                counter-name = Daily-Session-Time
                check-name = Max-Daily-Session
                allowed-servicetype = Framed-User
                cache-size = 5000
        }
        always fail {
                rcode = fail
        }
        always reject {
                rcode = reject
        }
        always ok {
                rcode = ok
                simulcount = 0
                mpp = no
        }
        digest {
        }
        exec echo {
                wait = yes
                program = "/bin/echo %{User-Name}"
                input_pairs = request
                output_pairs = reply
        }
        ippool main_pool {
                range-start = 192.168.1.1
                range-stop = 192.168.3.254
                netmask = 255.255.255.0
                cache-size = 800
                session-db = ${raddbdir}/db.ippool
                ip-index = ${raddbdir}/db.ipindex
                override = no
                maximum-timeout = 0
        }
}
instantiate {
}
authorize {
        preprocess
        chap
        mschap
        WH-NAPDOM
        ldap
        eap
}
authenticate {
        Auth-Type LDAP {
                ldap
        }
        eap
}
preacct {
        preprocess
        acct_unique
        suffix
        files
}
accounting {
        detail
        radutmp
}
session {
        radutmp
}
post-auth {
}

pre-proxy {
}
post-proxy {
        eap
}

Full radius output:

Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/etc/raddb/proxy.conf
Config:   including file: /usr/local/etc/raddb/clients.conf
Config:   including file: /usr/local/etc/raddb/snmp.conf
Config:   including file: /usr/local/etc/raddb/eap.conf
Config:   including file: /usr/local/etc/raddb/sql.conf
 main: prefix = "/usr/local"
 main: localstatedir = "/usr/local/var"
 main: logdir = "/usr/local/var/log/radius"
 main: libdir = "/usr/local/lib"
 main: radacctdir = "/usr/local/var/log/radius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/usr/local/var/log/radius/radius.log"
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
 main: user = "(null)"
 main: group = "(null)"
 main: usercollide = no
 main: lower_user = "yes"
 main: lower_pass = "yes"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/local/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded LDAP
 ldap: server = "localhost"
 ldap: port = 389
 ldap: net_timeout = 1
 ldap: timeout = 4
 ldap: timelimit = 3
 ldap: identity = "cn=Directory Manager"
 ldap: tls_mode = no
 ldap: start_tls = no
 ldap: tls_cacertfile = "(null)"
 ldap: tls_cacertdir = "(null)"
 ldap: tls_certfile = "(null)"
 ldap: tls_keyfile = "(null)"
 ldap: tls_randfile = "(null)"
 ldap: tls_require_cert = "allow"
 ldap: password = "directory"
 ldap: basedn = "dc=nwtel,dc=ca"
 ldap: filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
 ldap: base_filter = "(objectclass=radiusprofile)"
 ldap: default_profile = "(null)"
 ldap: profile_attribute = "(null)"
 ldap: password_header = "(null)"
 ldap: password_attribute = "userpassword"
 ldap: access_attr = "(null)"
 ldap: groupname_attribute = "cn"
 ldap: groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
 ldap: groupmembership_attribute = "(null)"
 ldap: dictionary_mapping = "/usr/local/etc/raddb/ldap.attrmap"
 ldap: ldap_debug = 0
 ldap: ldap_connections_number = 5
 ldap: compare_check_items = no
 ldap: access_attr_used_for_allow = yes
 ldap: do_xlat = yes
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: reading ldap<->radius mappings from file /usr/local/etc/raddb/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type
rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type
rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id
conns: 41fe8
Module: Instantiated ldap (ldap)
Module: Loaded eap
 eap: default_eap_type = "peap"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = "(null)"
 tls: pem_file_type = yes
 tls: private_key_file = "/usr/local/etc/raddb/certs/cert-srv.pem"
 tls: certificate_file = "/usr/local/etc/raddb/certs/cert-srv.pem"
 tls: CA_file = "/usr/local/etc/raddb/certs/demoCA/cacert.pem"
 tls: private_key_password = "whatever"
 tls: dh_file = "/usr/local/etc/raddb/certs/dh"
 tls: random_file = "/usr/local/etc/raddb/certs/random"
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = yes
 tls: check_cert_cn = "(null)"
rlm_eap: Loaded and initialized type tls
 peap: default_eap_type = "mschapv2"
 peap: copy_request_to_tunnel = no
 peap: use_tunneled_reply = no
 peap: proxy_tunneled_request_as_eap = yes
rlm_eap: Loaded and initialized type peap
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups"
 preprocess: hints = "/usr/local/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = no
 mschap: require_encryption = yes
 mschap: require_strong = yes
 mschap: with_ntdomain_hack = no
 mschap: passwd = "(null)"
 mschap: authtype = "MS-CHAP"
 mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded realm
 realm: format = "prefix"
 realm: delimiter = "\"
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (WH-NAPDOM)
Module: Loaded Acct-Unique-Session-Id
 acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
 realm: format = "suffix"
 realm: delimiter = "@"
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = "/usr/local/etc/raddb/users"
 files: acctusersfile = "/usr/local/etc/raddb/acct_users"
 files: preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"
 files: compat = "no"
Module: Instantiated files (files)
Module: Loaded detail
 detail: detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
 radutmp: filename = "/usr/local/var/log/radius/radutmp"
 radutmp: username = "%{User-Name}"
 radutmp: case_sensitive = yes
 radutmp: check_with_nas = yes
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication *:1812
Listening on accounting *:1813
Listening on proxy *:1814
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.101.250:2048, id=183, length=143
        NAS-IP-Address = 192.168.101.250
        NAS-Port-Type = Ethernet
        Service-Type = Framed-User
        Message-Authenticator = 0x1a666892897ba0cf98cc1bce477d3ec5
        NAS-Port = 2
        Framed-MTU = 1490
        User-Name = "WH-NAPDOM\\Administrator"
        Calling-Station-Id = "00-04-AC-5D-19-F6"
        EAP-Message = 0x0204001c0157482d4e4150444f4d5c41646d696e6973747261746f72
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: Looking up realm "WH-NAPDOM" for User-Name = "WH-NAPDOM\Administrator"
    rlm_realm: Found realm "WH-NAPDOM"
    rlm_realm: Adding Stripped-User-Name = "Administrator"
    rlm_realm: Proxying request from user Administrator to realm WH-NAPDOM
    rlm_realm: Adding Realm = "WH-NAPDOM"
    rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module "WH-NAPDOM" returns noop for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for Administrator
radius_xlat:  '(uid=Administrator)'
radius_xlat:  'dc=nwtel,dc=ca'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as cn=Directory Manager/directory to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=nwtel,dc=ca, with filter (uid=Administrator)
rlm_ldap: Added password password in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user Administrator authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 0
  rlm_eap: EAP packet type response id 4 length 28
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 0
modcall: group authorize returns updated for request 0
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module "eap" returns handled for request 0
modcall: group authenticate returns handled for request 0
Sending Access-Challenge of id 183 to 192.168.101.250:2048
        EAP-Message = 0x010500061920
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x6b1f35003563be72723112935854df49
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.101.250:2048, id=184, length=213
        NAS-IP-Address = 192.168.101.250
        NAS-Port-Type = Ethernet
        Service-Type = Framed-User
        Message-Authenticator = 0x62b3cfcf67c478d77d46464791ec2685
        NAS-Port = 2
        Framed-MTU = 1490
        User-Name = "WH-NAPDOM\\Administrator"
        Calling-Station-Id = "00-04-AC-5D-19-F6"
        State = 0x6b1f35003563be72723112935854df49
        EAP-Message = 0x0205005019800000004616030100410100003d030143191f93898c2441686a4745cd95f80682a75cf9294d29d34ad531fb4e3fc60c00001600040005000a000900640062000300060013001200630100
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module "preprocess" returns ok for request 1
  modcall[authorize]: module "chap" returns noop for request 1
  modcall[authorize]: module "mschap" returns noop for request 1
    rlm_realm: Looking up realm "WH-NAPDOM" for User-Name = "WH-NAPDOM\Administrator"
    rlm_realm: Found realm "WH-NAPDOM"
    rlm_realm: Adding Stripped-User-Name = "Administrator"
    rlm_realm: Proxying request from user Administrator to realm WH-NAPDOM
    rlm_realm: Adding Realm = "WH-NAPDOM"
    rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module "WH-NAPDOM" returns noop for request 1
rlm_ldap: - authorize
rlm_ldap: performing user authorization for Administrator
radius_xlat:  '(uid=Administrator)'
radius_xlat:  'dc=nwtel,dc=ca'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=nwtel,dc=ca, with filter (uid=Administrator)
rlm_ldap: Added password password in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user Administrator authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 1
  rlm_eap: EAP packet type response id 5 length 80
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 1
modcall: group authorize returns updated for request 1
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls:  Length Included
  eaptls_verify returned 11
    (other): before/accept initialization
    TLS_accept: before/accept initialization
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello  
    TLS_accept: SSLv3 read client hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello  
    TLS_accept: SSLv3 write server hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0694], Certificate  
    TLS_accept: SSLv3 write certificate A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone  
    TLS_accept: SSLv3 write server done A
    TLS_accept: SSLv3 flush data
    TLS_accept:error in SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode  
  eaptls_process returned 13
  rlm_eap_peap: EAPTLS_HANDLED
  modcall[authenticate]: module "eap" returns handled for request 1
modcall: group authenticate returns handled for request 1
Sending Access-Challenge of id 184 to 192.168.101.250:2048
        EAP-Message = 0x0106040a19c0000006f1160301004a02000046030143191e102583319fb3baf835a350f1b454a8ae120a63904d6ae2dc4c45314b092080fac3e87756ef8ab9bf75274bae8016d331382b5835613fd5bf182e5f4e019100040016030106940b00069000068d0002cd308202c930820232a003020102020102300d06092a864886f70d010104050030819f310b30090603550406130243413111300f0603550408130850726f76696e63653112301006035504071309536f6d65204369747931153013060355040a130c4f7267616e697a6174696f6e31123010060355040b13096c6f63616c686f7374311b301906035504031312436c69656e74206365
        EAP-Message = 0x7274696669636174653121301f06092a864886f70d0109011612636c69656e74406578616d706c652e636f6d301e170d3034303132353133323631305a170d3035303132343133323631305a30819b310b30090603550406130243413111300f0603550408130850726f76696e63653112301006035504071309536f6d65204369747931153013060355040a130c4f7267616e697a6174696f6e31123010060355040b13096c6f63616c686f73743119301706035504031310526f6f74206365727469666963617465311f301d06092a864886f70d0109011610726f6f74406578616d706c652e636f6d30819f300d06092a864886f70d010101050003
        EAP-Message = 0x818d0030818902818100dac525422bfedb082629a2cba44b3449c90d0ab462fb72c8434a782098863d7eb7d7e70028c2b7ad555a51cc756cf4fa1d7091615ab450d5289553ae6616aff014a55085d6b8fb4aee98638e426175cdd36c665c63cda177d34920eb30585edc8773999c2980f81ad4638bbbea1c82d054023db7ef24a3ec1c3f6241a903d7f30203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d0101040500038181007a2d921b1cf13bf2982a9178ec9ede6d88edc178a2e8bd40a0a06fb6f0769957884cd7084537083496fd184165293f583c8e8240eb68e042c94b15752e4c07e80d09
        EAP-Message = 0x779afa3dd55c24fa54ac292d77205d1c2477ed30d59f57caf9bd21ff2a8d16cc0911c50e4f295763fcb60efa3c3d2d0e43850f6e6fbe284902f6e83503650003ba308203b63082031fa003020102020100300d06092a864886f70d010104050030819f310b30090603550406130243413111300f0603550408130850726f76696e63653112301006035504071309536f6d65204369747931153013060355040a130c4f7267616e697a6174696f6e31123010060355040b13096c6f63616c686f7374311b301906035504031312436c69656e742063657274696669636174653121301f06092a864886f70d0109011612636c69656e74406578616d706c
        EAP-Message = 0x652e636f6d301e170d3034303132353133323630375a
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x64ba85b38a22b7f68c4e48a0ddbfbc09
Finished request 1
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.101.250:2048, id=185, length=139
        NAS-IP-Address = 192.168.101.250
        NAS-Port-Type = Ethernet
        Service-Type = Framed-User
        Message-Authenticator = 0x77294043bb599c907b21b5b8d3b661a1
        NAS-Port = 2
        Framed-MTU = 1490
        User-Name = "WH-NAPDOM\\Administrator"
        Calling-Station-Id = "00-04-AC-5D-19-F6"
        State = 0x64ba85b38a22b7f68c4e48a0ddbfbc09
        EAP-Message = 0x020600061900
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
  modcall[authorize]: module "preprocess" returns ok for request 2
  modcall[authorize]: module "chap" returns noop for request 2
  modcall[authorize]: module "mschap" returns noop for request 2
    rlm_realm: Looking up realm "WH-NAPDOM" for User-Name = "WH-NAPDOM\Administrator"
    rlm_realm: Found realm "WH-NAPDOM"
    rlm_realm: Adding Stripped-User-Name = "Administrator"
    rlm_realm: Proxying request from user Administrator to realm WH-NAPDOM
    rlm_realm: Adding Realm = "WH-NAPDOM"
    rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module "WH-NAPDOM" returns noop for request 2
rlm_ldap: - authorize
rlm_ldap: performing user authorization for Administrator
radius_xlat:  '(uid=Administrator)'
radius_xlat:  'dc=nwtel,dc=ca'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=nwtel,dc=ca, with filter (uid=Administrator)
rlm_ldap: Added password password in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user Administrator authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 2
  rlm_eap: EAP packet type response id 6 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 2
modcall: group authorize returns updated for request 2
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake fragment handler
  eaptls_verify returned 1
  eaptls_process returned 13
  rlm_eap_peap: EAPTLS_HANDLED
  modcall[authenticate]: module "eap" returns handled for request 2
modcall: group authenticate returns handled for request 2
Sending Access-Challenge of id 185 to 192.168.101.250:2048
        EAP-Message = 0x010702f71900170d3036303132343133323630375a30819f310b30090603550406130243413111300f0603550408130850726f76696e63653112301006035504071309536f6d65204369747931153013060355040a130c4f7267616e697a6174696f6e31123010060355040b13096c6f63616c686f7374311b301906035504031312436c69656e742063657274696669636174653121301f06092a864886f70d0109011612636c69656e74406578616d706c652e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100d4c5b19724f164acf1ffb189db1c8fbff4f14396ea7cb1e90f78d69451725377895dfe52ccb99b41e8
        EAP-Message = 0x0ddeb58b127a943f4f58cbc562878192fbdc6fece9f871e7c130d35cf5188817e9b133249edd2a1c75d31043ae87553cec7a77ef26aa7d74281db9b77e17c6446c5dd9b188b43250ca0229963722a123a726b00b4027fd0203010001a381ff3081fc301d0603551d0e0416041468d36d3e1ee7bc9d5a057021c363da1365d1ade33081cc0603551d230481c43081c1801468d36d3e1ee7bc9d5a057021c363da1365d1ade3a181a5a481a230819f310b30090603550406130243413111300f0603550408130850726f76696e63653112301006035504071309536f6d65204369747931153013060355040a130c4f7267616e697a6174696f6e31123010
        EAP-Message = 0x060355040b13096c6f63616c686f7374311b301906035504031312436c69656e742063657274696669636174653121301f06092a864886f70d0109011612636c69656e74406578616d706c652e636f6d820100300c0603551d13040530030101ff300d06092a864886f70d01010405000381810033c00b66b1e579ef73a06798252dab8d5e5511fc00fd276d80d12f834777c6743fdc2743fca1507704e4bc0979e4f60ac3ad9ee83e6f347369229d1f77229ba2e982359da563024a00163dba6d6c986c0bad28af85132ff8f0d76501bf1b7c2dff658ce1e62c01997b6e64e3e8d4373354ce9912847651539063b85bbc5485c516030100040e000000
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xf1ce0f34ed39f8771721b79c08e55cfa
Finished request 2
Going to the next request
--- Walking the entire request list ---
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 192.168.101.250:2048, id=186, length=325
        NAS-IP-Address = 192.168.101.250
        NAS-Port-Type = Ethernet
        Service-Type = Framed-User
        Message-Authenticator = 0xdc9a16cb80388150d1c5f77ff50ee8b2
        NAS-Port = 2
        Framed-MTU = 1490
        User-Name = "WH-NAPDOM\\Administrator"
        Calling-Station-Id = "00-04-AC-5D-19-F6"
        State = 0xf1ce0f34ed39f8771721b79c08e55cfa
        EAP-Message = 0x020700c01980000000b61603010086100000820080bfdbb106a2811ab59439639a87a42a2eeca5b07bbc4d5a11769ac32db520414df100a819362dec4d2a8e9b191b7acc1d89146af126a404c19f5d8d022af1f3f4c21bfdd2f9c915303c66153f96de7137abbbc472b3c8d87c94d15eec00754913bc084092a2ebd3b3d3ea62697c9f3739037a56bebdb3f21fc220e2a4d59d4ae61403010001011603010020ce8ac3187b6df1b5c656c9ef9645b0161668683bdc22ca2483c5e52623cf0be9
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 3
  modcall[authorize]: module "preprocess" returns ok for request 3
  modcall[authorize]: module "chap" returns noop for request 3
  modcall[authorize]: module "mschap" returns noop for request 3
    rlm_realm: Looking up realm "WH-NAPDOM" for User-Name = "WH-NAPDOM\Administrator"
    rlm_realm: Found realm "WH-NAPDOM"
    rlm_realm: Adding Stripped-User-Name = "Administrator"
    rlm_realm: Proxying request from user Administrator to realm WH-NAPDOM
    rlm_realm: Adding Realm = "WH-NAPDOM"
    rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module "WH-NAPDOM" returns noop for request 3
rlm_ldap: - authorize
rlm_ldap: performing user authorization for Administrator
radius_xlat:  '(uid=Administrator)'
radius_xlat:  'dc=nwtel,dc=ca'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=nwtel,dc=ca, with filter (uid=Administrator)
rlm_ldap: Added password password in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user Administrator authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 3
  rlm_eap: EAP packet type response id 7 length 192
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 3
modcall: group authorize returns updated for request 3
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 3
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls:  Length Included
  eaptls_verify returned 11
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange  
    TLS_accept: SSLv3 read client key exchange A
  rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]  
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished  
    TLS_accept: SSLv3 read finished A
  rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001]  
    TLS_accept: SSLv3 write change cipher spec A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished  
    TLS_accept: SSLv3 write finished A
    TLS_accept: SSLv3 flush data
    (other): SSL negotiation finished successfully
SSL Connection Established
  eaptls_process returned 13
  rlm_eap_peap: EAPTLS_HANDLED
  modcall[authenticate]: module "eap" returns handled for request 3
modcall: group authenticate returns handled for request 3
Sending Access-Challenge of id 186 to 192.168.101.250:2048
        EAP-Message = 0x0108003119001403010001011603010020a9403766c44c8e40583524e9973f7843197385a2198b6ec26c079b5f83445357
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x5d990deb70612c8a90e3cec27ce1c43f
Finished request 3
Going to the next request
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 192.168.101.250:2048, id=187, length=139
        NAS-IP-Address = 192.168.101.250
        NAS-Port-Type = Ethernet
        Service-Type = Framed-User
        Message-Authenticator = 0x7ad9b7af853c27463d2a954e9634172e
        NAS-Port = 2
        Framed-MTU = 1490
        User-Name = "WH-NAPDOM\\Administrator"
        Calling-Station-Id = "00-04-AC-5D-19-F6"
        State = 0x5d990deb70612c8a90e3cec27ce1c43f
        EAP-Message = 0x020800061900
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
  modcall[authorize]: module "preprocess" returns ok for request 4
  modcall[authorize]: module "chap" returns noop for request 4
  modcall[authorize]: module "mschap" returns noop for request 4
    rlm_realm: Looking up realm "WH-NAPDOM" for User-Name = "WH-NAPDOM\Administrator"
    rlm_realm: Found realm "WH-NAPDOM"
    rlm_realm: Adding Stripped-User-Name = "Administrator"
    rlm_realm: Proxying request from user Administrator to realm WH-NAPDOM
    rlm_realm: Adding Realm = "WH-NAPDOM"
    rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module "WH-NAPDOM" returns noop for request 4
rlm_ldap: - authorize
rlm_ldap: performing user authorization for Administrator
radius_xlat:  '(uid=Administrator)'
radius_xlat:  'dc=nwtel,dc=ca'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=nwtel,dc=ca, with filter (uid=Administrator)
rlm_ldap: Added password password in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user Administrator authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 4
  rlm_eap: EAP packet type response id 8 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 4
modcall: group authorize returns updated for request 4
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 4
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake is finished
  eaptls_verify returned 3
  eaptls_process returned 3
  rlm_eap_peap: EAPTLS_SUCCESS
  modcall[authenticate]: module "eap" returns handled for request 4
modcall: group authenticate returns handled for request 4
Sending Access-Challenge of id 187 to 192.168.101.250:2048
        EAP-Message = 0x0109002019001703010015851f902b1d46f6e1fca410781f3498d853c35018f8
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x2aad7d893568391f2a63d56f863b85b1
Finished request 4
Going to the next request
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 192.168.101.250:2048, id=188, length=184
        NAS-IP-Address = 192.168.101.250
        NAS-Port-Type = Ethernet
        Service-Type = Framed-User
        Message-Authenticator = 0x47f37c1d8f7337d57936df3e017bdcfc
        NAS-Port = 2
        Framed-MTU = 1490
        User-Name = "WH-NAPDOM\\Administrator"
        Calling-Station-Id = "00-04-AC-5D-19-F6"
        State = 0x2aad7d893568391f2a63d56f863b85b1
        EAP-Message = 0x0209003319001703010028a76b6b181ab38f047fc9f16fbc3e26bfafc7c2ac6f76fab9b0e04a96b097dabf0e93c7998b512f8e
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
  modcall[authorize]: module "preprocess" returns ok for request 5
  modcall[authorize]: module "chap" returns noop for request 5
  modcall[authorize]: module "mschap" returns noop for request 5
    rlm_realm: Looking up realm "WH-NAPDOM" for User-Name = "WH-NAPDOM\Administrator"
    rlm_realm: Found realm "WH-NAPDOM"
    rlm_realm: Adding Stripped-User-Name = "Administrator"
    rlm_realm: Proxying request from user Administrator to realm WH-NAPDOM
    rlm_realm: Adding Realm = "WH-NAPDOM"
    rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module "WH-NAPDOM" returns noop for request 5
rlm_ldap: - authorize
rlm_ldap: performing user authorization for Administrator
radius_xlat:  '(uid=Administrator)'
radius_xlat:  'dc=nwtel,dc=ca'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=nwtel,dc=ca, with filter (uid=Administrator)
rlm_ldap: Added password password in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user Administrator authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 5
  rlm_eap: EAP packet type response id 9 length 51
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 5
modcall: group authorize returns updated for request 5
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 5
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_peap: Identity - WH-NAPDOM\Administrator
  rlm_eap_peap: Tunneled data is valid.
  PEAP: Got tunneled identity of WH-NAPDOM\Administrator
  PEAP: Setting default EAP type for tunneled EAP session.
  PEAP: Setting User-Name to WH-NAPDOM\Administrator
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
  modcall[authorize]: module "preprocess" returns ok for request 5
  modcall[authorize]: module "chap" returns noop for request 5
  modcall[authorize]: module "mschap" returns noop for request 5
    rlm_realm: Looking up realm "WH-NAPDOM" for User-Name = "WH-NAPDOM\Administrator"
    rlm_realm: Found realm "WH-NAPDOM"
    rlm_realm: Adding Stripped-User-Name = "Administrator"
    rlm_realm: Proxying request from user Administrator to realm WH-NAPDOM
    rlm_realm: Adding Realm = "WH-NAPDOM"
    rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module "WH-NAPDOM" returns noop for request 5
rlm_ldap: - authorize
rlm_ldap: performing user authorization for Administrator
radius_xlat:  '(uid=Administrator)'
radius_xlat:  'dc=nwtel,dc=ca'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=nwtel,dc=ca, with filter (uid=Administrator)
rlm_ldap: Added password password in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user Administrator authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 5
  rlm_eap: EAP packet type response id 9 length 28
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 5
modcall: group authorize returns updated for request 5
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 5
  rlm_eap: EAP Identity
  rlm_eap: processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
  modcall[authenticate]: module "eap" returns handled for request 5
modcall: group authenticate returns handled for request 5
  PEAP: Got tunneled Access-Challenge
  modcall[authenticate]: module "eap" returns handled for request 5
modcall: group authenticate returns handled for request 5
Sending Access-Challenge of id 188 to 192.168.101.250:2048
        EAP-Message = 0x010a00481900170301003dbb59d54e0550b693880303685feb347de0db1f9d1a679ca68e2a0f1cf3ab09dcd4b0dec06df9dbc3f9a1695e2acfb0afd1aead92f43f87e8973bcdfc54
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x524736a44cbab0c3fb187d738a94ccac
Finished request 5
Going to the next request
Waking up in 5 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 183 with timestamp 43191e10
Cleaning up request 1 ID 184 with timestamp 43191e10
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 2 ID 185 with timestamp 43191e11
Cleaning up request 3 ID 186 with timestamp 43191e11
Cleaning up request 4 ID 187 with timestamp 43191e11
Cleaning up request 5 ID 188 with timestamp 43191e11
Nothing to do.  Sleeping until we see a request.
rad_recv: Access-Request packet from host 192.168.101.250:2048, id=189, length=228
        NAS-IP-Address = 192.168.101.250
        NAS-Port-Type = Ethernet
        Service-Type = Framed-User
        Message-Authenticator = 0xc7b37ad96e283e990d4806356e2cc875
        NAS-Port = 2
        Framed-MTU = 1490
        User-Name = "WH-NAPDOM\\Administrator"
        Calling-Station-Id = "00-04-AC-5D-19-F6"
        State = 0x524736a44cbab0c3fb187d738a94ccac
        EAP-Message = 0x020a005f1900170301005412a18e20937d7ab2b6d807437f36fd15cc8e33ac011d902e61510ccad067e0b2cb19bcf39b50e53bceabeddfcfe581535b9e5e603cf4c8a409968dcd38dc13806ac383c5317e551e0b76b21e7e50f5c553458d1b
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 6
  modcall[authorize]: module "preprocess" returns ok for request 6
  modcall[authorize]: module "chap" returns noop for request 6
  modcall[authorize]: module "mschap" returns noop for request 6
    rlm_realm: Looking up realm "WH-NAPDOM" for User-Name = "WH-NAPDOM\Administrator"
    rlm_realm: Found realm "WH-NAPDOM"
    rlm_realm: Adding Stripped-User-Name = "Administrator"
    rlm_realm: Proxying request from user Administrator to realm WH-NAPDOM
    rlm_realm: Adding Realm = "WH-NAPDOM"
    rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module "WH-NAPDOM" returns noop for request 6
rlm_ldap: - authorize
rlm_ldap: performing user authorization for Administrator
radius_xlat:  '(uid=Administrator)'
radius_xlat:  'dc=nwtel,dc=ca'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=nwtel,dc=ca, with filter (uid=Administrator)
rlm_ldap: Added password password in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user Administrator authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 6
  rlm_eap: EAP packet type response id 10 length 95
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 6
modcall: group authorize returns updated for request 6
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_peap: EAP type mschapv2
  rlm_eap_peap: Tunneled data is valid.
  PEAP: Setting User-Name to WH-NAPDOM\Administrator
  PEAP: Adding old state with c2 19
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 6
  modcall[authorize]: module "preprocess" returns ok for request 6
  modcall[authorize]: module "chap" returns noop for request 6
  modcall[authorize]: module "mschap" returns noop for request 6
    rlm_realm: Looking up realm "WH-NAPDOM" for User-Name = "WH-NAPDOM\Administrator"
    rlm_realm: Found realm "WH-NAPDOM"
    rlm_realm: Adding Stripped-User-Name = "Administrator"
    rlm_realm: Proxying request from user Administrator to realm WH-NAPDOM
    rlm_realm: Adding Realm = "WH-NAPDOM"
    rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module "WH-NAPDOM" returns noop for request 6
rlm_ldap: - authorize
rlm_ldap: performing user authorization for Administrator
radius_xlat:  '(uid=Administrator)'
radius_xlat:  'dc=nwtel,dc=ca'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=nwtel,dc=ca, with filter (uid=Administrator)
rlm_ldap: Added password password in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user Administrator authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 6
  rlm_eap: EAP packet type response id 10 length 72
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 6
modcall: group authorize returns updated for request 6
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/mschapv2
  rlm_eap: processing type mschapv2
  ERROR: Unknown value specified for Auth-Type.  Cannot perform requested action.
  rlm_eap: Freeing handler
  modcall[authenticate]: module "eap" returns reject for request 6
modcall: group authenticate returns reject for request 6
auth: Failed to validate the user.
  PEAP: Tunneled authentication was rejected.
  rlm_eap_peap: FAILURE
  modcall[authenticate]: module "eap" returns handled for request 6
modcall: group authenticate returns handled for request 6
Sending Access-Challenge of id 189 to 192.168.101.250:2048
        EAP-Message = 0x010b00261900170301001bdb1b489686611e04644aa40ee1532bca2bce245433e1c6c489ded8
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x9764183b6394f9c7eea9391ab09ef362
Finished request 6
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.101.250:2048, id=190, length=171
        NAS-IP-Address = 192.168.101.250
        NAS-Port-Type = Ethernet
        Service-Type = Framed-User
        Message-Authenticator = 0x1a5f7c6946f75f67fede6eea4c31cd67
        NAS-Port = 2
        Framed-MTU = 1490
        User-Name = "WH-NAPDOM\\Administrator"
        Calling-Station-Id = "00-04-AC-5D-19-F6"
        State = 0x9764183b6394f9c7eea9391ab09ef362
        EAP-Message = 0x020b00261900170301001bca06a5f4ff78c2954ca5b40d3d078c5c70e8c203e6a8ec2f8c8f25
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 7
  modcall[authorize]: module "preprocess" returns ok for request 7
  modcall[authorize]: module "chap" returns noop for request 7
  modcall[authorize]: module "mschap" returns noop for request 7
    rlm_realm: Looking up realm "WH-NAPDOM" for User-Name = "WH-NAPDOM\Administrator"
    rlm_realm: Found realm "WH-NAPDOM"
    rlm_realm: Adding Stripped-User-Name = "Administrator"
    rlm_realm: Proxying request from user Administrator to realm WH-NAPDOM
    rlm_realm: Adding Realm = "WH-NAPDOM"
    rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module "WH-NAPDOM" returns noop for request 7
rlm_ldap: - authorize
rlm_ldap: performing user authorization for Administrator
radius_xlat:  '(uid=Administrator)'
radius_xlat:  'dc=nwtel,dc=ca'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=nwtel,dc=ca, with filter (uid=Administrator)
rlm_ldap: Added password password in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user Administrator authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 7
  rlm_eap: EAP packet type response id 11 length 38
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 7
modcall: group authorize returns updated for request 7
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 7
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_peap: Received EAP-TLV response.
  rlm_eap_peap: Tunneled data is valid.
  rlm_eap_peap:  Had sent TLV failure, rejecting.
 rlm_eap: Handler failed in EAP/peap
  rlm_eap: Failed in EAP select
  modcall[authenticate]: module "eap" returns invalid for request 7
modcall: group authenticate returns invalid for request 7
auth: Failed to validate the user.
Delaying request 7 for 1 seconds
Finished request 7
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.101.250:2048, id=190, length=171
Sending Access-Reject of id 190 to 192.168.101.250:2048
        EAP-Message = 0x040b0004
        Message-Authenticator = 0x00000000000000000000000000000000
--- Walking the entire request list ---
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 6 ID 189 with timestamp 43191e2f
Cleaning up request 7 ID 190 with timestamp 43191e2f
Nothing to do.  Sleeping until we see a request.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
| Threaded
Open this post in threaded view
|

Re: Issues using EAP/peap with LDAP

Alan DeKok
sparrow <[hidden email]> wrote:
> The last few lines of my radius out put are (With the whole output at
> the end of the file):
...
>   rlm_eap_peap:  Had sent TLV failure, rejecting.

  Read the PREVIOUS messages to see why it was rejected.

  Alan Dekok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html