Hello! I am trying to use Azure AD through Azure Domain Services as an auth for our wifi. I have read several posts from people on this forum and have been through all the instructions in the config files for FreeRADIUS and the FreeRADIUS website. I'm new to all this and I know I'm missing something. I can get PAP to work per the setup, and I think EAP works as well (not sure here?). My LDAP bind works when I use radtest, but anything else fails. I've also looked at the error messages and warnings in the debug, but I'm still missing something in a config somewhere. Please help! Here is my debug log:

  ipv6addr = ::
  port = 0
  limit {
    max_connections = 16
    lifetime = 0
    idle_timeout = 30
  }
}
listen {
  type = "acct"
  ipv6addr = ::
  port = 0
  limit {
    max_connections = 16
    lifetime = 0
    idle_timeout = 30
  }
}
listen {
  type = "auth"
  ipaddr = 127.0.0.1
  port = 18120
}
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on proxy address * port 45825
Listening on proxy address :: port 41484
Ready to process requests
(0) Received Access-Request Id 114 from 68.45.161.30:1824 to 10.0.1.5:1812 length 123
(0) User-Name = "dtown"
(0) NAS-IP-Address = 68.45.161.30
(0) Called-Station-Id = "7823aed64a00"
(0) Calling-Station-Id = "a483e742cff0"
(0) NAS-Identifier = "7823aed64a00"
(0) NAS-Port = 125
(0) Framed-MTU = 1400
(0) NAS-Port-Type = Wireless-802.11
(0) EAP-Message = 0x0200000a0164746f776e
(0) Message-Authenticator = 0xc4b316926a530a22a2915e885854b423
(0) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /@\./) {
(0) if (&User-Name =~ /@\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "dtown", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) eap: Peer sent EAP Response (code 2) ID 0 length 10
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(0) [eap] = ok
(0) } # authorize = ok
(0) Found Auth-Type = eap
(0) # Executing group from file /etc/freeradius/sites-enabled/default
(0) authenticate {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_md5 to process data
(0) eap_md5: Issuing MD5 Challenge
(0) eap: Sending EAP Request (code 1) ID 1 length 22
(0) eap: EAP session adding &reply:State = 0x749ecc9b749fc856
(0) [eap] = handled
(0) } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) # Executing group from file /etc/freeradius/sites-enabled/default
(0) Challenge { ... } # empty sub-section is ignored
(0) Sent Access-Challenge Id 114 from 10.0.1.5:1812 to 68.45.161.30:1824 length 0
(0) EAP-Message = 0x0101001604105b9005bc07e64ece96b8e8753b9faa7d
(0) Message-Authenticator = 0x00000000000000000000000000000000
(0) State = 0x749ecc9b749fc8560d9a9245bf7c0b3d
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 115 from 68.45.161.30:1824 to 10.0.1.5:1812 length 139
(1) User-Name = "dtown"
(1) NAS-IP-Address = 68.45.161.30
(1) Called-Station-Id = "7823aed64a00"
(1) Calling-Station-Id = "a483e742cff0"
(1) NAS-Identifier = "7823aed64a00"
(1) NAS-Port = 125
(1) Framed-MTU = 1400
(1) State = 0x749ecc9b749fc8560d9a9245bf7c0b3d
(1) NAS-Port-Type = Wireless-802.11
(1) EAP-Message = 0x020100080319152b
(1) Message-Authenticator = 0x0ffdac48427e34cb2a5461df93be7d94
(1) session-state: No cached attributes
(1) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(1) authorize {
(1) policy filter_username {
(1) if (&User-Name) {
(1) if (&User-Name) -> TRUE
(1) if (&User-Name) {
(1) if (&User-Name =~ / /) {
(1) if (&User-Name =~ / /) -> FALSE
(1) if (&User-Name =~ /@[^@]*@/ ) {
(1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(1) if (&User-Name =~ /\.\./ ) {
(1) if (&User-Name =~ /\.\./ ) -> FALSE
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(1) if (&User-Name =~ /\.$/) {
(1) if (&User-Name =~ /\.$/) -> FALSE
(1) if (&User-Name =~ /@\./) {
(1) if (&User-Name =~ /@\./) -> FALSE
(1) } # if (&User-Name) = notfound
(1) } # policy filter_username = notfound
(1) [preprocess] = ok
(1) [chap] = noop
(1) [mschap] = noop
(1) [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "dtown", looking up realm NULL
(1) suffix: No such realm "NULL"
(1) [suffix] = noop
(1) eap: Peer sent EAP Response (code 2) ID 1 length 8
(1) eap: No EAP Start, assuming it's an on-going EAP conversation
(1) [eap] = updated
(1) } # authorize = updated
(1) Found Auth-Type = eap
(1) # Executing group from file /etc/freeradius/sites-enabled/default
(1) authenticate {
(1) eap: Expiring EAP session with state 0x749ecc9b749fc856
(1) eap: Finished EAP session with state 0x749ecc9b749fc856
(1) eap: Previous EAP request found for state 0x749ecc9b749fc856, released from the list
(1) eap: Peer sent packet with method EAP NAK (3)
(1) eap: Found mutually acceptable type PEAP (25)
(1) eap: Calling submodule eap_peap to process data
(1) eap_peap: Initiating new TLS session
(1) eap_peap: [eaptls start] = request
(1) eap: Sending EAP Request (code 1) ID 2 length 6
(1) eap: EAP session adding &reply:State = 0x749ecc9b759cd556
(1) [eap] = handled
(1) } # authenticate = handled
(1) Using Post-Auth-Type Challenge
(1) # Executing group from file /etc/freeradius/sites-enabled/default
(1) Challenge { ... } # empty sub-section is ignored
(1) Sent Access-Challenge Id 115 from 10.0.1.5:1812 to 68.45.161.30:1824 length 0
(1) EAP-Message = 0x010200061920
(1) Message-Authenticator = 0x00000000000000000000000000000000
(1) State = 0x749ecc9b759cd5560d9a9245bf7c0b3d
(1) Finished request
Waking up in 4.9 seconds.
(2) Received Access-Request Id 116 from 68.45.161.30:1824 to 10.0.1.5:1812 length 292
(2) User-Name = "dtown"
(2) NAS-IP-Address = 68.45.161.30
(2) Called-Station-Id = "7823aed64a00"
(2) Calling-Station-Id = "a483e742cff0"
(2) NAS-Identifier = "7823aed64a00"
(2) NAS-Port = 125
(2) Framed-MTU = 1400
(2) State = 0x749ecc9b759cd5560d9a9245bf7c0b3d
(2) NAS-Port-Type = Wireless-802.11
(2) EAP-Message = 0x020200a119800000009716030100920100008e03035fd3baf05c37c33a4fc237ff3e32630f58d2c0662e8ca4f4eae0445c4427bf5600002c00ffc02cc02bc024c023c00ac009c008c030c02fc028c027c014c013c012009d009c003d003c0035002f000a01000039000a00080006001700180019000b00020100000d00120010040102010501060104030203050306030005000501000000000012000000170000
(2) Message-Authenticator = 0xb050e9f9e27e2b66aa11cfe13f1bb1f2
(2) session-state: No cached attributes
(2) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(2) authorize {
(2) policy filter_username {
(2) if (&User-Name) {
(2) if (&User-Name) -> TRUE
(2) if (&User-Name) {
(2) if (&User-Name =~ / /) {
(2) if (&User-Name =~ / /) -> FALSE
(2) if (&User-Name =~ /@[^@]*@/ ) {
(2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(2) if (&User-Name =~ /\.\./ ) {
(2) if (&User-Name =~ /\.\./ ) -> FALSE
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(2) if (&User-Name =~ /\.$/) {
(2) if (&User-Name =~ /\.$/) -> FALSE
(2) if (&User-Name =~ /@\./) {
(2) if (&User-Name =~ /@\./) -> FALSE
(2) } # if (&User-Name) = notfound
(2) } # policy filter_username = notfound
(2) [preprocess] = ok
(2) [chap] = noop
(2) [mschap] = noop
(2) [digest] = noop
(2) suffix: Checking for suffix after "@"
(2) suffix: No '@' in User-Name = "dtown", looking up realm NULL
(2) suffix: No such realm "NULL"
(2) [suffix] = noop
(2) eap: Peer sent EAP Response (code 2) ID 2 length 161
(2) eap: Continuing tunnel setup
(2) [eap] = ok
(2) } # authorize = ok
(2) Found Auth-Type = eap
(2) # Executing group from file /etc/freeradius/sites-enabled/default
(2) authenticate {
(2) eap: Expiring EAP session with state 0x749ecc9b759cd556
(2) eap: Finished EAP session with state 0x749ecc9b759cd556
(2) eap: Previous EAP request found for state 0x749ecc9b759cd556, released from the list
(2) eap: Peer sent packet with method EAP PEAP (25)
(2) eap: Calling submodule eap_peap to process data
(2) eap_peap: Continuing EAP-TLS
(2) eap_peap: Peer indicated complete TLS record size will be 151 bytes
(2) eap_peap: Got complete TLS record (151 bytes)
(2) eap_peap: [eaptls verify] = length included
(2) eap_peap: (other): before SSL initialization
(2) eap_peap: TLS_accept: before SSL initialization
(2) eap_peap: TLS_accept: before SSL initialization
(2) eap_peap: <<< recv TLS 1.3 [length 0092]
(2) eap_peap: TLS_accept: SSLv3/TLS read client hello
(2) eap_peap: >>> send TLS 1.2 [length 003d]
(2) eap_peap: TLS_accept: SSLv3/TLS write server hello
(2) eap_peap: >>> send TLS 1.2 [length 0903]
(2) eap_peap: TLS_accept: SSLv3/TLS write certificate
(2) eap_peap: >>> send TLS 1.2 [length 014d]
(2) eap_peap: TLS_accept: SSLv3/TLS write key exchange
(2) eap_peap: >>> send TLS 1.2 [length 0004]
(2) eap_peap: TLS_accept: SSLv3/TLS write server done
(2) eap_peap: TLS_accept: Need to read more data: SSLv3/TLS write server done
(2) eap_peap: TLS - In Handshake Phase
(2) eap_peap: TLS - got 2725 bytes of data
(2) eap_peap: [eaptls process] = handled
(2) eap: Sending EAP Request (code 1) ID 3 length 1004
(2) eap: EAP session adding &reply:State = 0x749ecc9b769dd556
(2) [eap] = handled
(2) } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) # Executing group from file /etc/freeradius/sites-enabled/default
(2) Challenge { ... } # empty sub-section is ignored
(2) Sent Access-Challenge Id 116 from 10.0.1.5:1812 to 68.45.161.30:1824 length 0
(2) EAP-Message = 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
(2) Message-Authenticator = 0x00000000000000000000000000000000
(2) State = 0x749ecc9b769dd5560d9a9245bf7c0b3d
(2) Finished request
Waking up in 4.8 seconds.
(3) Received Access-Request Id 117 from 68.45.161.30:1824 to 10.0.1.5:1812 length 137
(3) User-Name = "dtown"
(3) NAS-IP-Address = 68.45.161.30
(3) Called-Station-Id = "7823aed64a00"
(3) Calling-Station-Id = "a483e742cff0"
(3) NAS-Identifier = "7823aed64a00"
(3) NAS-Port = 125
(3) Framed-MTU = 1400
(3) State = 0x749ecc9b769dd5560d9a9245bf7c0b3d
(3) NAS-Port-Type = Wireless-802.11
(3) EAP-Message = 0x020300061900
(3) Message-Authenticator = 0x834c6579fac00cffba174a77e16bba33
(3) session-state: No cached attributes
(3) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(3) authorize {
(3) policy filter_username {
(3) if (&User-Name) {
(3) if (&User-Name) -> TRUE
(3) if (&User-Name) {
(3) if (&User-Name =~ / /) {
(3) if (&User-Name =~ / /) -> FALSE
(3) if (&User-Name =~ /@[^@]*@/ ) {
(3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(3) if (&User-Name =~ /\.\./ ) {
(3) if (&User-Name =~ /\.\./ ) -> FALSE
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(3) if (&User-Name =~ /\.$/) {
(3) if (&User-Name =~ /\.$/) -> FALSE
(3) if (&User-Name =~ /@\./) {
(3) if (&User-Name =~ /@\./) -> FALSE
(3) } # if (&User-Name) = notfound
(3) } # policy filter_username = notfound
(3) [preprocess] = ok
(3) [chap] = noop
(3) [mschap] = noop
(3) [digest] = noop
(3) suffix: Checking for suffix after "@"
(3) suffix: No '@' in User-Name = "dtown", looking up realm NULL
(3) suffix: No such realm "NULL"
(3) [suffix] = noop
(3) eap: Peer sent EAP Response (code 2) ID 3 length 6
(3) eap: Continuing tunnel setup
(3) [eap] = ok
(3) } # authorize = ok
(3) Found Auth-Type = eap
(3) # Executing group from file /etc/freeradius/sites-enabled/default
(3) authenticate {
(3) eap: Expiring EAP session with state 0x749ecc9b769dd556
(3) eap: Finished EAP session with state 0x749ecc9b769dd556
(3) eap: Previous EAP request found for state 0x749ecc9b769dd556, released from the list
(3) eap: Peer sent packet with method EAP PEAP (25)
(3) eap: Calling submodule eap_peap to process data
(3) eap_peap: Continuing EAP-TLS
(3) eap_peap: Peer ACKed our handshake fragment
(3) eap_peap: [eaptls verify] = request
(3) eap_peap: [eaptls process] = handled
(3) eap: Sending EAP Request (code 1) ID 4 length 1000
(3) eap: EAP session adding &reply:State = 0x749ecc9b779ad556
(3) [eap] = handled
(3) } # authenticate = handled
(3) Using Post-Auth-Type Challenge
(3) # Executing group from file /etc/freeradius/sites-enabled/default
(3) Challenge { ... } # empty sub-section is ignored
(3) Sent Access-Challenge Id 117 from 10.0.1.5:1812 to 68.45.161.30:1824 length 0
(3) EAP-Message = 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
(3) Message-Authenticator = 0x00000000000000000000000000000000
(3) State = 0x749ecc9b779ad5560d9a9245bf7c0b3d
(3) Finished request
Waking up in 4.7 seconds.
(4) Received Access-Request Id 118 from 68.45.161.30:1824 to 10.0.1.5:1812 length 137
(4) User-Name = "dtown"
(4) NAS-IP-Address = 68.45.161.30
(4) Called-Station-Id = "7823aed64a00"
(4) Calling-Station-Id = "a483e742cff0"
(4) NAS-Identifier = "7823aed64a00"
(4) NAS-Port = 125
(4) Framed-MTU = 1400
(4) State = 0x749ecc9b779ad5560d9a9245bf7c0b3d
(4) NAS-Port-Type = Wireless-802.11
(4) EAP-Message = 0x020400061900
(4) Message-Authenticator = 0x60af64804bd551969cbdeee1ccc4c597
(4) session-state: No cached attributes
(4) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(4) authorize {
(4) policy filter_username {
(4) if (&User-Name) {
(4) if (&User-Name) -> TRUE
(4) if (&User-Name) {
(4) if (&User-Name =~ / /) {
(4) if (&User-Name =~ / /) -> FALSE
(4) if (&User-Name =~ /@[^@]*@/ ) {
(4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(4) if (&User-Name =~ /\.\./ ) {
(4) if (&User-Name =~ /\.\./ ) -> FALSE
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(4) if (&User-Name =~ /\.$/) {
(4) if (&User-Name =~ /\.$/) -> FALSE
(4) if (&User-Name =~ /@\./) {
(4) if (&User-Name =~ /@\./) -> FALSE
(4) } # if (&User-Name) = notfound
(4) } # policy filter_username = notfound
(4) [preprocess] = ok
(4) [chap] = noop
(4) [mschap] = noop
(4) [digest] = noop
(4) suffix: Checking for suffix after "@"
(4) suffix: No '@' in User-Name = "dtown", looking up realm NULL
(4) suffix: No such realm "NULL"
(4) [suffix] = noop
(4) eap: Peer sent EAP Response (code 2) ID 4 length 6
(4) eap: Continuing tunnel setup
(4) [eap] = ok
(4) } # authorize = ok
(4) Found Auth-Type = eap
(4) # Executing group from file /etc/freeradius/sites-enabled/default
(4) authenticate {
(4) eap: Expiring EAP session with state 0x749ecc9b779ad556
(4) eap: Finished EAP session with state 0x749ecc9b779ad556
(4) eap: Previous EAP request found for state 0x749ecc9b779ad556, released from the list
(4) eap: Peer sent packet with method EAP PEAP (25)
(4) eap: Calling submodule eap_peap to process data
(4) eap_peap: Continuing EAP-TLS
(4) eap_peap: Peer ACKed our handshake fragment
(4) eap_peap: [eaptls verify] = request
(4) eap_peap: [eaptls process] = handled
(4) eap: Sending EAP Request (code 1) ID 5 length 743
(4) eap: EAP session adding &reply:State = 0x749ecc9b709bd556
(4) [eap] = handled
(4) } # authenticate = handled
(4) Using Post-Auth-Type Challenge
(4) # Executing group from file /etc/freeradius/sites-enabled/default
(4) Challenge { ... } # empty sub-section is ignored
(4) Sent Access-Challenge Id 118 from 10.0.1.5:1812 to 68.45.161.30:1824 length 0
(4) EAP-Message = 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
(4) Message-Authenticator = 0x00000000000000000000000000000000
(4) State = 0x749ecc9b709bd5560d9a9245bf7c0b3d
(4) Finished request
Waking up in 4.6 seconds.
(5) Received Access-Request Id 119 from 68.45.161.30:1824 to 10.0.1.5:1812 length 267
(5) User-Name = "dtown"
(5) NAS-IP-Address = 68.45.161.30
(5) Called-Station-Id = "7823aed64a00"
(5) Calling-Station-Id = "a483e742cff0"
(5) NAS-Identifier = "7823aed64a00"
(5) NAS-Port = 125
(5) Framed-MTU = 1400
(5) State = 0x749ecc9b709bd5560d9a9245bf7c0b3d
(5) NAS-Port-Type = Wireless-802.11
(5) EAP-Message = 0x0205008819800000007e1603030046100000424104a28febeb0bb5f0922c97a95a5811f1696d6f4c2d375be0e34172007a28356a1068e9734682743ae0ae572000372fc2df84b48af1a34607c1f7703210b33f7f691403030001011603030028e3277115802d5ed3e247c8b34b1b3e062cf33600daf2c24d78ae457b1ade2f852f97aa0aaff65dd4
(5) Message-Authenticator = 0xac005f74adeffb71241ac5773458d9b3
(5) session-state: No cached attributes
(5) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(5) authorize {
(5) policy filter_username {
(5) if (&User-Name) {
(5) if (&User-Name) -> TRUE
(5) if (&User-Name) {
(5) if (&User-Name =~ / /) {
(5) if (&User-Name =~ / /) -> FALSE
(5) if (&User-Name =~ /@[^@]*@/ ) {
(5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(5) if (&User-Name =~ /\.\./ ) {
(5) if (&User-Name =~ /\.\./ ) -> FALSE
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(5) if (&User-Name =~ /\.$/) {
(5) if (&User-Name =~ /\.$/) -> FALSE
(5) if (&User-Name =~ /@\./) {
(5) if (&User-Name =~ /@\./) -> FALSE
(5) } # if (&User-Name) = notfound
(5) } # policy filter_username = notfound
(5) [preprocess] = ok
(5) [chap] = noop
(5) [mschap] = noop
(5) [digest] = noop
(5) suffix: Checking for suffix after "@"
(5) suffix: No '@' in User-Name = "dtown", looking up realm NULL
(5) suffix: No such realm "NULL"
(5) [suffix] = noop
(5) eap: Peer sent EAP Response (code 2) ID 5 length 136
(5) eap: Continuing tunnel setup
(5) [eap] = ok
(5) } # authorize = ok
(5) Found Auth-Type = eap
(5) # Executing group from file /etc/freeradius/sites-enabled/default
(5) authenticate {
(5) eap: Expiring EAP session with state 0x749ecc9b709bd556
(5) eap: Finished EAP session with state 0x749ecc9b709bd556
(5) eap: Previous EAP request found for state 0x749ecc9b709bd556, released from the list
(5) eap: Peer sent packet with method EAP PEAP (25)
(5) eap: Calling submodule eap_peap to process data
(5) eap_peap: Continuing EAP-TLS
(5) eap_peap: Peer indicated complete TLS record size will be 126 bytes
(5) eap_peap: Got complete TLS record (126 bytes)
(5) eap_peap: [eaptls verify] = length included
(5) eap_peap: TLS_accept: SSLv3/TLS write server done
(5) eap_peap: <<< recv TLS 1.2 [length 0046]
(5) eap_peap: TLS_accept: SSLv3/TLS read client key exchange
(5) eap_peap: TLS_accept: SSLv3/TLS read change cipher spec
(5) eap_peap: <<< recv TLS 1.2 [length 0010]
(5) eap_peap: TLS_accept: SSLv3/TLS read finished
(5) eap_peap: >>> send TLS 1.2 [length 0001]
(5) eap_peap: TLS_accept: SSLv3/TLS write change cipher spec
(5) eap_peap: >>> send TLS 1.2 [length 0010]
(5) eap_peap: TLS_accept: SSLv3/TLS write finished
(5) eap_peap: (other): SSL negotiation finished successfully
(5) eap_peap: TLS - Connection Established
(5) eap_peap: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(5) eap_peap: TLS-Session-Version = "TLS 1.2"
(5) eap_peap: TLS - got 51 bytes of data
(5) eap_peap: [eaptls process] = handled
(5) eap: Sending EAP Request (code 1) ID 6 length 57
(5) eap: EAP session adding &reply:State = 0x749ecc9b7198d556
(5) [eap] = handled
(5) } # authenticate = handled
(5) Using Post-Auth-Type Challenge
(5) # Executing group from file /etc/freeradius/sites-enabled/default
(5) Challenge { ... } # empty sub-section is ignored
(5) session-state: Saving cached attributes
(5) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(5) TLS-Session-Version = "TLS 1.2"
(5) Sent Access-Challenge Id 119 from 10.0.1.5:1812 to 68.45.161.30:1824 length 0
(5) EAP-Message = 0x0106003919001403030001011603030028ab6860cd676579b8791ad027b85f2cc62cef4b5e2398c38a789b83ee466bb6216435f7b2d366eadb
(5) Message-Authenticator = 0x00000000000000000000000000000000
(5) State = 0x749ecc9b7198d5560d9a9245bf7c0b3d
(5) Finished request
Waking up in 4.6 seconds.
(6) Received Access-Request Id 120 from 68.45.161.30:1824 to 10.0.1.5:1812 length 137
(6) User-Name = "dtown"
(6) NAS-IP-Address = 68.45.161.30
(6) Called-Station-Id = "7823aed64a00"
(6) Calling-Station-Id = "a483e742cff0"
(6) NAS-Identifier = "7823aed64a00"
(6) NAS-Port = 125
(6) Framed-MTU = 1400
(6) State = 0x749ecc9b7198d5560d9a9245bf7c0b3d
(6) NAS-Port-Type = Wireless-802.11
(6) EAP-Message = 0x020600061900
(6) Message-Authenticator = 0xe9cc34f3ffc2b01148aadd11d1488c75
(6) Restoring &session-state
(6) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(6) &session-state:TLS-Session-Version = "TLS 1.2"
(6) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(6) authorize {
(6) policy filter_username {
(6) if (&User-Name) {
(6) if (&User-Name) -> TRUE
(6) if (&User-Name) {
(6) if (&User-Name =~ / /) {
(6) if (&User-Name =~ / /) -> FALSE
(6) if (&User-Name =~ /@[^@]*@/ ) {
(6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(6) if (&User-Name =~ /\.\./ ) {
(6) if (&User-Name =~ /\.\./ ) -> FALSE
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(6) if (&User-Name =~ /\.$/) {
(6) if (&User-Name =~ /\.$/) -> FALSE
(6) if (&User-Name =~ /@\./) {
(6) if (&User-Name =~ /@\./) -> FALSE
(6) } # if (&User-Name) = notfound
(6) } # policy filter_username = notfound
(6) [preprocess] = ok
(6) [chap] = noop
(6) [mschap] = noop
(6) [digest] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: No '@' in User-Name = "dtown", looking up realm NULL
(6) suffix: No such realm "NULL"
(6) [suffix] = noop
(6) eap: Peer sent EAP Response (code 2) ID 6 length 6
(6) eap: Continuing tunnel setup
(6) [eap] = ok
(6) } # authorize = ok
(6) Found Auth-Type = eap
(6) # Executing group from file /etc/freeradius/sites-enabled/default
(6) authenticate {
(6) eap: Expiring EAP session with state 0x749ecc9b7198d556
(6) eap: Finished EAP session with state 0x749ecc9b7198d556
(6) eap: Previous EAP request found for state 0x749ecc9b7198d556, released from the list
(6) eap: Peer sent packet with method EAP PEAP (25)
(6) eap: Calling submodule eap_peap to process data
(6) eap_peap: Continuing EAP-TLS
(6) eap_peap: Peer ACKed our handshake fragment. handshake is finished
(6) eap_peap: [eaptls verify] = success
(6) eap_peap: [eaptls process] = success
(6) eap_peap: Session established. Decoding tunneled attributes
(6) eap_peap: PEAP state TUNNEL ESTABLISHED
(6) eap: Sending EAP Request (code 1) ID 7 length 40
(6) eap: EAP session adding &reply:State = 0x749ecc9b7299d556
(6) [eap] = handled
(6) } # authenticate = handled
(6) Using Post-Auth-Type Challenge
(6) # Executing group from file /etc/freeradius/sites-enabled/default
(6) Challenge { ... } # empty sub-section is ignored
(6) session-state: Saving cached attributes
(6) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(6) TLS-Session-Version = "TLS 1.2"
(6) Sent Access-Challenge Id 120 from 10.0.1.5:1812 to 68.45.161.30:1824 length 0
(6) EAP-Message = 0x010700281900170303001dab6860cd676579b9c9c7c6538c84a36bb004ad177a41505c31ef35af47
(6) Message-Authenticator = 0x00000000000000000000000000000000
(6) State = 0x749ecc9b7299d5560d9a9245bf7c0b3d
(6) Finished request
Waking up in 4.5 seconds.
(7) Received Access-Request Id 121 from 68.45.161.30:1824 to 10.0.1.5:1812 length 172
(7) User-Name = "dtown"
(7) NAS-IP-Address = 68.45.161.30
(7) Called-Station-Id = "7823aed64a00"
(7) Calling-Station-Id = "a483e742cff0"
(7) NAS-Identifier = "7823aed64a00"
(7) NAS-Port = 125
(7) Framed-MTU = 1400
(7) State = 0x749ecc9b7299d5560d9a9245bf7c0b3d
(7) NAS-Port-Type = Wireless-802.11
(7) EAP-Message = 0x020700291900170303001ee3277115802d5ed4bc164f722798531c9d7f02629fac47c95c8e628766ff
(7) Message-Authenticator = 0x48b8d15b4c4f0070c13caeba3c46ccfe
(7) Restoring &session-state
(7) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(7) &session-state:TLS-Session-Version = "TLS 1.2"
(7) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(7) authorize {
(7) policy filter_username {
(7) if (&User-Name) {
(7) if (&User-Name) -> TRUE
(7) if (&User-Name) {
(7) if (&User-Name =~ / /) {
(7) if (&User-Name =~ / /) -> FALSE
(7) if (&User-Name =~ /@[^@]*@/ ) {
(7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(7) if (&User-Name =~ /\.\./ ) {
(7) if (&User-Name =~ /\.\./ ) -> FALSE
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(7) if (&User-Name =~ /\.$/) {
(7) if (&User-Name =~ /\.$/) -> FALSE
(7) if (&User-Name =~ /@\./) {
(7) if (&User-Name =~ /@\./) -> FALSE
(7) } # if (&User-Name) = notfound
(7) } # policy filter_username = notfound
(7) [preprocess] = ok
(7) [chap] = noop
(7) [mschap] = noop
(7) [digest] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: No '@' in User-Name = "dtown", looking up realm NULL
(7) suffix: No such realm "NULL"
(7) [suffix] = noop
(7) eap: Peer sent EAP Response (code 2) ID 7 length 41
(7) eap: Continuing tunnel setup
(7) [eap] = ok
(7) } # authorize = ok
(7) Found Auth-Type = eap
(7) # Executing group from file /etc/freeradius/sites-enabled/default
(7) authenticate {
(7) eap: Expiring EAP session with state 0x749ecc9b7299d556
(7) eap: Finished EAP session with state 0x749ecc9b7299d556
(7) eap: Previous EAP request found for state 0x749ecc9b7299d556, released from the list
(7) eap: Peer sent packet with method EAP PEAP (25)
(7) eap: Calling submodule eap_peap to process data
(7) eap_peap: Continuing EAP-TLS
(7) eap_peap: [eaptls verify] = ok
(7) eap_peap: Done initial handshake
(7) eap_peap: [eaptls process] = ok
(7) eap_peap: Session established. Decoding tunneled attributes
(7) eap_peap: PEAP state WAITING FOR INNER IDENTITY
(7) eap_peap: Identity - dtown
(7) eap_peap: Got inner identity 'dtown'
(7) eap_peap: Setting default EAP type for tunneled EAP session
(7) eap_peap: Got tunneled request
(7) eap_peap: EAP-Message = 0x0207000a0164746f776e
(7) eap_peap: Setting User-Name to dtown
(7) eap_peap: Sending tunneled request to inner-tunnel
(7) eap_peap: EAP-Message = 0x0207000a0164746f776e
(7) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(7) eap_peap: User-Name = "dtown"
(7) Virtual server inner-tunnel received request
(7) EAP-Message = 0x0207000a0164746f776e
(7) FreeRADIUS-Proxied-To = 127.0.0.1
(7) User-Name = "dtown"
(7) WARNING: Outer and inner identities are the same. User privacy is compromised.
(7) server inner-tunnel {
(7) # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
(7) authorize {
(7) policy filter_username {
(7) if (&User-Name) {
(7) if (&User-Name) -> TRUE
(7) if (&User-Name) {
(7) if (&User-Name =~ / /) {
(7) if (&User-Name =~ / /) -> FALSE
(7) if (&User-Name =~ /@[^@]*@/ ) {
(7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(7) if (&User-Name =~ /\.\./ ) {
(7) if (&User-Name =~ /\.\./ ) -> FALSE
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(7) if (&User-Name =~ /\.$/) {
(7) if (&User-Name =~ /\.$/) -> FALSE
(7) if (&User-Name =~ /@\./) {
(7) if (&User-Name =~ /@\./) -> FALSE
(7) } # if (&User-Name) = notfound
(7) } # policy filter_username = notfound
(7) [chap] = noop
(7) [mschap] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: No '@' in User-Name = "dtown", looking up realm NULL
(7) suffix: No such realm "NULL"
(7) [suffix] = noop
(7) update control {
(7) &Proxy-To-Realm := LOCAL
(7) } # update control = noop
(7) eap: Peer sent EAP Response (code 2) ID 7 length 10
(7) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(7) [eap] = ok
(7) } # authorize = ok
(7) Found Auth-Type = eap
(7) # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
(7) authenticate {
(7) eap: Peer sent packet with method EAP Identity (1)
(7) eap: Calling submodule eap_mschapv2 to process data
(7) eap_mschapv2: Issuing Challenge
(7) eap: Sending EAP Request (code 1) ID 8 length 43
(7) eap: EAP session adding &reply:State = 0x5daed4a35da6ce1f
(7) [eap] = handled
(7) } # authenticate = handled
(7) } # server inner-tunnel
(7) Virtual server sending reply
(7) EAP-Message = 0x0108002b1a0108002610fda36be34d5835d4e5707f95f7ba61ad667265657261646975732d332e302e3231
(7) Message-Authenticator = 0x00000000000000000000000000000000
(7) State = 0x5daed4a35da6ce1f5d1d1b40ddc30e5a
(7) eap_peap: Got tunneled reply code 11
(7) eap_peap: EAP-Message = 0x0108002b1a0108002610fda36be34d5835d4e5707f95f7ba61ad667265657261646975732d332e302e3231
(7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(7) eap_peap: State = 0x5daed4a35da6ce1f5d1d1b40ddc30e5a
(7) eap_peap: Got tunneled reply RADIUS code 11
(7) eap_peap: EAP-Message = 0x0108002b1a0108002610fda36be34d5835d4e5707f95f7ba61ad667265657261646975732d332e302e3231
(7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(7) eap_peap: State = 0x5daed4a35da6ce1f5d1d1b40ddc30e5a
(7) eap_peap: Got tunneled Access-Challenge
(7) eap: Sending EAP Request (code 1) ID 8 length 74
(7) eap: EAP session adding &reply:State = 0x749ecc9b7396d556
(7) [eap] = handled
(7) } # authenticate = handled
(7) Using Post-Auth-Type Challenge
(7) # Executing group from file /etc/freeradius/sites-enabled/default
(7) Challenge { ... } # empty sub-section is ignored
(7) session-state: Saving cached attributes
(7) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(7) TLS-Session-Version = "TLS 1.2"
(7) Sent Access-Challenge Id 121 from 10.0.1.5:1812 to 68.45.161.30:1824 length 0
(7) EAP-Message = 0x0108004a1900170303003fab6860cd676579ba5da69c46a36a4ada177ebb9815838a7895cedb20e47336c0ff9a6b1fc50076ed429c2c0e6c4d08099cb3ce1588e996659cfa9f474edf48
(7) Message-Authenticator = 0x00000000000000000000000000000000
(7) State = 0x749ecc9b7396d5560d9a9245bf7c0b3d
(7) Finished request
Waking up in 4.4 seconds.
(8) Received Access-Request Id 122 from 68.45.161.30:1824 to 10.0.1.5:1812 length 226
(8) User-Name = "dtown"
(8) NAS-IP-Address = 68.45.161.30
(8) Called-Station-Id = "7823aed64a00"
(8) Calling-Station-Id = "a483e742cff0"
(8) NAS-Identifier = "7823aed64a00"
(8) NAS-Port = 125
(8) Framed-MTU = 1400
(8) State = 0x749ecc9b7396d5560d9a9245bf7c0b3d
(8) NAS-Port-Type = Wireless-802.11
(8) EAP-Message = 0x0208005f19001703030054e3277115802d5ed51cdae37d534fb40d32faa53975c2112f2a8f3d0a0f1c6ebcabebc6adf24a91f72cdf023696db57b08f8e0384bedaebf5435e68d77469eefc4adf89749b0906e476d06cb27319d180252acdda
(8) Message-Authenticator = 0xb9d5b39508bd6f731e5e6668a92603dd
(8) Restoring &session-state
(8) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(8) &session-state:TLS-Session-Version = "TLS 1.2"
(8) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(8) authorize {
(8) policy filter_username {
(8) if (&User-Name) {
(8) if (&User-Name) -> TRUE
(8) if (&User-Name) {
(8) if (&User-Name =~ / /) {
(8) if (&User-Name =~ / /) -> FALSE
(8) if (&User-Name =~ /@[^@]*@/ ) {
(8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(8) if (&User-Name =~ /\.\./ ) {
(8) if (&User-Name =~ /\.\./ ) -> FALSE
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(8) if (&User-Name =~ /\.$/) {
(8) if (&User-Name =~ /\.$/) -> FALSE
(8) if (&User-Name =~ /@\./) {
(8) if (&User-Name =~ /@\./) -> FALSE
(8) } # if (&User-Name) = notfound
(8) } # policy filter_username = notfound
(8) [preprocess] = ok
(8) [chap] = noop
(8) [mschap] = noop
(8) [digest] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: No '@' in User-Name = "dtown", looking up realm NULL
(8) suffix: No such realm "NULL"
(8) [suffix] = noop
(8) eap: Peer sent EAP Response (code 2) ID 8 length 95
(8) eap: Continuing tunnel setup
(8) [eap] = ok
(8) } # authorize = ok
(8) Found Auth-Type = eap
(8) # Executing group from file /etc/freeradius/sites-enabled/default
(8) authenticate {
(8) eap: Expiring EAP session with state 0x5daed4a35da6ce1f
(8) eap: Finished EAP session with state 0x749ecc9b7396d556
(8) eap: Previous EAP request found for state 0x749ecc9b7396d556, released from the list
(8) eap: Peer sent packet with method EAP PEAP (25)
(8) eap: Calling submodule eap_peap to process data
(8) eap_peap: Continuing EAP-TLS
(8) eap_peap: [eaptls verify] = ok
(8) eap_peap: Done initial handshake
(8) eap_peap: [eaptls process] = ok
(8) eap_peap: Session established. Decoding tunneled attributes
(8) eap_peap: PEAP state phase2
(8) eap_peap: EAP method MSCHAPv2 (26)
(8) eap_peap: Got tunneled request
(8) eap_peap: EAP-Message = 0x020800401a0208003b31b3a561282461f972e08f36d0073a340300000000000000006cfd5c6a2d438860eef9631da70a0cf093cc39f0a06598a60064746f776e
(8) eap_peap: Setting User-Name to dtown
(8) eap_peap: Sending tunneled request to inner-tunnel
(8) eap_peap: EAP-Message = 0x020800401a0208003b31b3a561282461f972e08f36d0073a340300000000000000006cfd5c6a2d438860eef9631da70a0cf093cc39f0a06598a60064746f776e
(8) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(8) eap_peap: User-Name = "dtown"
(8) eap_peap: State = 0x5daed4a35da6ce1f5d1d1b40ddc30e5a
(8) Virtual server inner-tunnel received request
(8) EAP-Message = 0x020800401a0208003b31b3a561282461f972e08f36d0073a340300000000000000006cfd5c6a2d438860eef9631da70a0cf093cc39f0a06598a60064746f776e
(8) FreeRADIUS-Proxied-To = 127.0.0.1
(8) User-Name = "dtown"
(8) State = 0x5daed4a35da6ce1f5d1d1b40ddc30e5a
(8) WARNING: Outer and inner identities are the same. User privacy is compromised.
(8) server inner-tunnel {
(8) session-state: No cached attributes
(8) # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
(8) authorize {
(8) policy filter_username {
(8) if (&User-Name) {
(8) if (&User-Name) -> TRUE
(8) if (&User-Name) {
(8) if (&User-Name =~ / /) {
(8) if (&User-Name =~ / /) -> FALSE
(8) if (&User-Name =~ /@[^@]*@/ ) {
(8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(8) if (&User-Name =~ /\.\./ ) {
(8) if (&User-Name =~ /\.\./ ) -> FALSE
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(8) if (&User-Name =~ /\.$/) {
(8) if (&User-Name =~ /\.$/) -> FALSE
(8) if (&User-Name =~ /@\./) {
(8) if (&User-Name =~ /@\./) -> FALSE
(8) } # if (&User-Name) = notfound
(8) } # policy filter_username = notfound
(8) [chap] = noop
(8) [mschap] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: No '@' in User-Name = "dtown", looking up realm NULL
(8) suffix: No such realm "NULL"
(8) [suffix] = noop
(8) update control {
(8) &Proxy-To-Realm := LOCAL
(8) } # update control = noop
(8) eap: Peer sent EAP Response (code 2) ID 8 length 64
(8) eap: No EAP Start, assuming it's an on-going EAP conversation
(8) [eap] = updated
(8) [files] = noop
rlm_ldap (ldap): Closing connection (0): Hit idle_timeout, was idle for 65 seconds
rlm_ldap (ldap): Closing connection (1): Hit idle_timeout, was idle for 65 seconds
rlm_ldap (ldap): Closing connection (2): Hit idle_timeout, was idle for 65 seconds
rlm_ldap (ldap): You probably need to lower "min"
rlm_ldap (ldap): Closing connection (3): Hit idle_timeout, was idle for 65 seconds
rlm_ldap (ldap): You probably need to lower "min"
rlm_ldap (ldap): Closing connection (4): Hit idle_timeout, was idle for 65 seconds
rlm_ldap (ldap): You probably need to lower "min"
rlm_ldap (ldap): 0 of 0 connections in use.
You may need to increase "spare" rlm_ldap (ldap): Opening additional connection (5), 1 of 32 pending slots used rlm_ldap (ldap): Connecting to ldap://developertown.com:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Reserved connection (5) (8) ldap: EXPAND (cn=%{%{Stripped-User-Name}:-%{User-Name}}) (8) ldap: --> (cn=dtown) (8) ldap: Performing search in "OU=AADDC Users, DC=developertown,dc=com" with filter "(cn=dtown)", scope "sub" (8) ldap: Waiting for search result... (8) ldap: User object found at DN "CN=dtown,OU=AADDC Users,DC=developertown,DC=com" (8) ldap: Processing user attributes (8) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute (8) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure) rlm_ldap (ldap): Released connection (5) Need 2 more connections to reach min connections (3) rlm_ldap (ldap): Opening additional connection (6), 1 of 31 pending slots used rlm_ldap (ldap): Connecting to ldap://developertown.com:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful (8) [ldap] = ok (8) [expiration] = noop (8) [logintime] = noop (8) [pap] = noop (8) } # authorize = updated (8) Found Auth-Type = eap (8) # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel (8) authenticate { (8) eap: Expiring EAP session with state 0x5daed4a35da6ce1f (8) eap: Finished EAP session with state 0x5daed4a35da6ce1f (8) eap: Previous EAP request found for state 0x5daed4a35da6ce1f, released from the list (8) eap: Peer sent packet with method EAP MSCHAPv2 (26) (8) eap: Calling submodule eap_mschapv2 to process data (8) eap_mschapv2: # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel (8) eap_mschapv2: authenticate { (8) mschap: WARNING: No Cleartext-Password configured. 
Cannot create NT-Password (8) mschap: Creating challenge hash with username: dtown (8) mschap: Client is using MS-CHAPv2 (8) mschap: ERROR: FAILED: No NT-Password. Cannot perform authentication (8) mschap: ERROR: MS-CHAP2-Response is incorrect (8) eap_mschapv2: [mschap] = reject (8) eap_mschapv2: } # authenticate = reject (8) eap: Sending EAP Failure (code 4) ID 8 length 4 (8) eap: Freeing handler (8) [eap] = reject (8) } # authenticate = reject (8) Failed to authenticate the user (8) Using Post-Auth-Type Reject (8) # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel (8) Post-Auth-Type REJECT { (8) attr_filter.access_reject: EXPAND %{User-Name} (8) attr_filter.access_reject: --> dtown (8) attr_filter.access_reject: Matched entry DEFAULT at line 11 (8) [attr_filter.access_reject] = updated (8) update outer.session-state { (8) &Module-Failure-Message := &request:Module-Failure-Message -> 'mschap: FAILED: No NT-Password. Cannot perform authentication' (8) } # update outer.session-state = noop (8) } # Post-Auth-Type REJECT = updated (8) } # server inner-tunnel (8) Virtual server sending reply (8) MS-CHAP-Error = "\010E=691 R=1 C=3470efc6beebf4771fe9b420897b9c03 V=3 M=Authentication rejected" (8) EAP-Message = 0x04080004 (8) Message-Authenticator = 0x00000000000000000000000000000000 (8) eap_peap: Got tunneled reply code 3 (8) eap_peap: MS-CHAP-Error = "\010E=691 R=1 C=3470efc6beebf4771fe9b420897b9c03 V=3 M=Authentication rejected" (8) eap_peap: EAP-Message = 0x04080004 (8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (8) eap_peap: Got tunneled reply RADIUS code 3 (8) eap_peap: MS-CHAP-Error = "\010E=691 R=1 C=3470efc6beebf4771fe9b420897b9c03 V=3 M=Authentication rejected" (8) eap_peap: EAP-Message = 0x04080004 (8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (8) eap_peap: Tunneled authentication was rejected (8) eap_peap: FAILURE (8) eap: Sending EAP Request (code 1) ID 9 length 46 (8) eap: EAP session 
adding &reply:State = 0x749ecc9b7c97d556 (8) [eap] = handled (8) } # authenticate = handled (8) Using Post-Auth-Type Challenge (8) # Executing group from file /etc/freeradius/sites-enabled/default (8) Challenge { ... } # empty sub-section is ignored (8) session-state: Saving cached attributes (8) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (8) TLS-Session-Version = "TLS 1.2" (8) Module-Failure-Message := "mschap: FAILED: No NT-Password. Cannot perform authentication" (8) Sent Access-Challenge Id 122 from 10.0.1.5:1812 to 68.45.161.30:1824 length 0 (8) EAP-Message = 0x0109002e19001703030023ab6860cd676579bbf8e24db65e3b3ad7c73a183632753492b3bcd66ede043aa9335aa9 (8) Message-Authenticator = 0x00000000000000000000000000000000 (8) State = 0x749ecc9b7c97d5560d9a9245bf7c0b3d (8) Finished request Waking up in 4.3 seconds. (9) Received Access-Request Id 123 from 68.45.161.30:1824 to 10.0.1.5:1812 length 177 (9) User-Name = "dtown" (9) NAS-IP-Address = 68.45.161.30 (9) Called-Station-Id = "7823aed64a00" (9) Calling-Station-Id = "a483e742cff0" (9) NAS-Identifier = "7823aed64a00" (9) NAS-Port = 125 (9) Framed-MTU = 1400 (9) State = 0x749ecc9b7c97d5560d9a9245bf7c0b3d (9) NAS-Port-Type = Wireless-802.11 (9) EAP-Message = 0x0209002e19001703030023e3277115802d5ed625e1da95b903138f9d2c1b64790aaef5e83488b5236ccedd4b6283 (9) Message-Authenticator = 0xe96dd63632d387be9f2c5cfb51fd45d3 (9) Restoring &session-state (9) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (9) &session-state:TLS-Session-Version = "TLS 1.2" (9) &session-state:Module-Failure-Message := "mschap: FAILED: No NT-Password. 
Cannot perform authentication" (9) # Executing section authorize from file /etc/freeradius/sites-enabled/default (9) authorize { (9) policy filter_username { (9) if (&User-Name) { (9) if (&User-Name) -> TRUE (9) if (&User-Name) { (9) if (&User-Name =~ / /) { (9) if (&User-Name =~ / /) -> FALSE (9) if (&User-Name =~ /@[^@]*@/ ) { (9) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (9) if (&User-Name =~ /\.\./ ) { (9) if (&User-Name =~ /\.\./ ) -> FALSE (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (9) if (&User-Name =~ /\.$/) { (9) if (&User-Name =~ /\.$/) -> FALSE (9) if (&User-Name =~ /@\./) { (9) if (&User-Name =~ /@\./) -> FALSE (9) } # if (&User-Name) = notfound (9) } # policy filter_username = notfound (9) [preprocess] = ok (9) [chap] = noop (9) [mschap] = noop (9) [digest] = noop (9) suffix: Checking for suffix after "@" (9) suffix: No '@' in User-Name = "dtown", looking up realm NULL (9) suffix: No such realm "NULL" (9) [suffix] = noop (9) eap: Peer sent EAP Response (code 2) ID 9 length 46 (9) eap: Continuing tunnel setup (9) [eap] = ok (9) } # authorize = ok (9) Found Auth-Type = eap (9) # Executing group from file /etc/freeradius/sites-enabled/default (9) authenticate { (9) eap: Expiring EAP session with state 0x749ecc9b7c97d556 (9) eap: Finished EAP session with state 0x749ecc9b7c97d556 (9) eap: Previous EAP request found for state 0x749ecc9b7c97d556, released from the list (9) eap: Peer sent packet with method EAP PEAP (25) (9) eap: Calling submodule eap_peap to process data (9) eap_peap: Continuing EAP-TLS (9) eap_peap: [eaptls verify] = ok (9) eap_peap: Done initial handshake (9) eap_peap: [eaptls process] = ok (9) eap_peap: Session established. Decoding tunneled attributes (9) eap_peap: PEAP state send tlv failure (9) eap_peap: Received EAP-TLV response (9) eap_peap: ERROR: The users session was previously rejected: returning reject (again.) 
(9) eap_peap: This means you need to read the PREVIOUS messages in the debug output (9) eap_peap: to find out the reason why the user was rejected (9) eap_peap: Look for "reject" or "fail". Those earlier messages will tell you (9) eap_peap: what went wrong, and how to fix the problem (9) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed (9) eap: Sending EAP Failure (code 4) ID 9 length 4 (9) eap: Failed in EAP select (9) [eap] = invalid (9) } # authenticate = invalid (9) Failed to authenticate the user (9) Using Post-Auth-Type Reject (9) # Executing group from file /etc/freeradius/sites-enabled/default (9) Post-Auth-Type REJECT { (9) attr_filter.access_reject: EXPAND %{User-Name} (9) attr_filter.access_reject: --> dtown (9) attr_filter.access_reject: Matched entry DEFAULT at line 11 (9) [attr_filter.access_reject] = updated (9) [eap] = noop (9) policy remove_reply_message_if_eap { (9) if (&reply:EAP-Message && &reply:Reply-Message) { (9) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (9) else { (9) [noop] = noop (9) } # else = noop (9) } # policy remove_reply_message_if_eap = noop (9) } # Post-Auth-Type REJECT = updated (9) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (9) Sending delayed response (9) Sent Access-Reject Id 123 from 10.0.1.5:1812 to 68.45.161.30:1824 length 44 (9) EAP-Message = 0x04090004 (9) Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.2 seconds. (0) Cleaning up request packet ID 114 with timestamp +65 (1) Cleaning up request packet ID 115 with timestamp +65 (2) Cleaning up request packet ID 116 with timestamp +65 (3) Cleaning up request packet ID 117 with timestamp +65 (4) Cleaning up request packet ID 118 with timestamp +65 (5) Cleaning up request packet ID 119 with timestamp +65 (6) Cleaning up request packet ID 120 with timestamp +65 (7) Cleaning up request packet ID 121 with timestamp +65 Waking up in 0.1 seconds. 
(8) Cleaning up request packet ID 122 with timestamp +65 (9) Cleaning up request packet ID 123 with timestamp +65 Ready to process requests - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
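An added triage helper, not part of the original post and not FreeRADIUS's own tooling: it groups debug output like the log above by the request number in parentheses and, for each request that ended in a reject, lists the warnings seen and the earliest message that explains the rejection (the "read the PREVIOUS messages" advice the server prints). The sample log is a constructed excerpt of the lines in the post.

```python
"""Triage a FreeRADIUS 3.x debug log by request number (added example)."""
import re
from collections import defaultdict

# Messages that, in this thread, explain why the tunneled MS-CHAPv2 auth failed.
ROOT_CAUSE_PATTERNS = [
    (r"No \"known good\" password added",
     "ldap returned no password attribute the server is allowed to read"),
    (r"PAP authentication will \*NOT\* work with Active Directory",
     "AD / AAD DS does not expose user passwords over LDAP"),
    (r"No NT-Password",
     "mschap needs NT-Password or Cleartext-Password in the control list"),
]
REQ_RE = re.compile(r"^\((\d+)\)\s*(.*)$")        # "(8) module: message"
WARNING_RE = re.compile(r"WARNING: (.*)$")
REJECT_RE = re.compile(r"Sent Access-Reject|\[eap\] = reject|\[mschap\] = reject")


def parse_requests(log_text):
    """Return {request_id: [message, ...]} in order of appearance."""
    requests = defaultdict(list)
    for line in log_text.splitlines():
        m = REQ_RE.match(line.strip())
        if m:
            requests[int(m.group(1))].append(m.group(2))
    return requests


def triage(log_text):
    """For every rejected request: its warnings and the first root-cause message."""
    report = {}
    for rid, msgs in parse_requests(log_text).items():
        if not any(REJECT_RE.search(m) for m in msgs):
            continue
        warnings = [w.group(1) for m in msgs if (w := WARNING_RE.search(m))]
        cause = None
        for m in msgs:
            for pat, explanation in ROOT_CAUSE_PATTERNS:
                if re.search(pat, m):
                    cause = (m, explanation)
                    break
            if cause:
                break
        report[rid] = {"warnings": warnings, "cause": cause}
    return report


# Constructed excerpt modelled on the debug output in the post.
SAMPLE_LOG = """\
(8) eap_peap: Got tunneled request
(8) WARNING: Outer and inner identities are the same. User privacy is compromised.
(8) ldap: User object found at DN "CN=dtown,OU=AADDC Users,DC=developertown,DC=com"
(8) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute
(8) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
(8) mschap: WARNING: No Cleartext-Password configured.  Cannot create NT-Password
(8) mschap: ERROR: FAILED: No NT-Password. Cannot perform authentication
(8) eap_mschapv2: [mschap] = reject
(9) eap_peap: ERROR: The users session was previously rejected: returning reject (again.)
(9) Sent Access-Reject Id 123 from 10.0.1.5:1812 to 68.45.161.30:1824 length 44
"""

if __name__ == "__main__":
    for rid, info in sorted(triage(SAMPLE_LOG).items()):
        print(f"request ({rid}):")
        for w in info["warnings"]:
            print(f"  warning: {w}")
        if info["cause"]:
            print(f"  cause:   {info['cause'][0]}\n           -> {info['cause'][1]}")
        else:
            print("  cause:   none in this request; read the previous request's messages")
```

Request (9) carries no explanation of its own, which is exactly why the server tells you to look at request (8).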
hi,
http://deployingradius.com/documents/protocols/oracles.html
http://deployingradius.com/documents/protocols/compatibility.html

what are you trying to pull from the LDAP for the user?

alan
I'm guessing the password as the auth mechanism?
I was just now reading from another post that I only really have 2 choices: I either have to store the passwords somewhere for mschap to work or I have to set the server to use ttls and pap?

On Fri, Dec 11, 2020 at 1:58 PM Alan Buxey <[hidden email]> wrote:
> hi,
>
> http://deployingradius.com/documents/protocols/oracles.html
> http://deployingradius.com/documents/protocols/compatibility.html
>
> what are you trying to pull from the LDAP for the user?
>
> alan
On 11.12.20 20:06, Bryce Long wrote:
> I was just now reading from another post that I only really have 2 choices:
> I either have to store the passwords somewhere for mschap to work or I have
> to set the server to use ttls and pap?

First choice: Yes, the one with the most compatibility.

Second choice: Problematic. The Client drives the conversation and if the Client says "I wanna do PEAP-MSCHAPv2!" then there is nothing the RADIUS server can do to convince him otherwise.

Since PEAP-MSCHAPv2 is still the most compatible protocol for WiFi you really have no other choice than the first choice.

Unless you want to drown in support requests. (Ask me how I know.)

Regards,
Sven.
That makes sense lol
Thank you for responding! Could you guide me or tell me how I can best store those passwords? I don't have a lot of experience in this area. Is this done in the FreeRADIUS config files or somewhere else? I read somewhere about changing the attributes for NT-Password or pointing at that attribute, but I couldn't find anything that really explained it in detail. Again, thank you to everyone who responds; I've been banging my head against this for a little while.

On Fri, Dec 11, 2020 at 3:24 PM Sven Hartge <[hidden email]> wrote:
> On 11.12.20 20:06, Bryce Long wrote:
>
> > I was just now reading from another post that I only really have 2 choices:
> > I either have to store the passwords somewhere for mschap to work or I have
> > to set the server to use ttls and pap?
>
> First choice: Yes, the one with the most compatibility.
>
> Second choice: Problematic. The Client drives the conversation and if
> the Client says "I wanna do PEAP-MSCHAPv2!" then there is nothing the
> RADIUS server can do to convince him otherwise.
>
> Since PEAP-MSCHAPv2 is still the most compatible protocol for WiFi you
> really have no other choice than the first choice.
>
> Unless you want to drown in support requests. (Ask me how I know.)
>
> Regards,
> Sven.
On 11.12.20 21:36, Bryce Long wrote:
> Could you guide me or tell me how I can best store those passwords? I don't
> have a lot of experience in this area

In my case, using a normal OpenLDAP directory for authentication, I just created an additional attribute in my existing schema which holds the password. The users have a web interface which they use to set said password.

In the configuration for the ldap module I then just pull that attribute into the control list:

    update {
        control:Cleartext-Password += 'gifb-NetzPassword'
    }

That takes care of everything, all the other modules will find it and use it.

How to do this with Azure AD: No idea.

Regards,
Sven.
hi,
> How to do this with Azure AD: No idea.

currently, same here. AzureAD is something I am currently working on.

alan