Of which I couldn't get any answer unfortunately..
I am experiencing a similar problem.
I am running freeradius that comes installed and configured with MacOS
10.6 server.
A Windows XP can connect just fine using Microsoft Protected EAP.
iPhone, mac os client connect just fine using EAP-TTLS
Windows 7 will connect fine using Securew2 EAP-TTLS supplicant; but
not with the default built-in PEAP.
I have modified module/mschap as follows, as per various instructions:
# Microsoft CHAP authentication
#
# This module supports MS-CHAP and MS-CHAPv2 authentication.
# It also enforces the SMB-Account-Ctrl attribute.
#
mschap {
#
# If you are using /etc/smbpasswd, see the 'passwd'
# module for an example of how to use /etc/smbpasswd
authtype = MS-CHAP
# if use_mppe is not set to no mschap will
# add MS-CHAP-MPPE-Keys for MS-CHAPv1 and
# MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2
#
use_mppe = yes
# if mppe is enabled require_encryption makes
# encryption moderate
#
require_encryption = yes
# require_strong always requires 128 bit key
# encryption
#
require_strong = yes
# Windows sends us a username in the form of
# DOMAIN\user, but sends the challenge response
# based on only the user portion. This hack
# corrects for that incorrect behavior.
#
with_ntdomain_hack = yes
# The module can perform authentication itself, OR
# use a Windows Domain Controller. This configuration
# the "best" user name for the request.
#
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}
In the log, when connecting using Windows XP I would see:
Thu Aug 26 02:04:20 2010 : Info: rlm_sql_sqlite: sqlite3_open() = 0
Thu Aug 26 02:04:20 2010 : Info: rlm_sql_sqlite: Opening sqlite
database /private/etc/raddb/sqlite_radius_client_database for #4
Thu Aug 26 02:04:20 2010 : Info: rlm_sql_sqlite: sqlite3_open() = 0
Thu Aug 26 02:04:20 2010 : Info: Ready to process requests.
Thu Aug 26 02:07:43 2010 : Auth: rlm_opendirectory: User
<jean-yves.avenard> is authorized.
When connecting with Windows 7, I would read:
Thu Aug 26 02:21:52 2010 : Auth: rlm_opendirectory: Could not get the
user's uuid.
Thu Aug 26 02:21:53 2010 : Error: rlm_mschap: getUserNodeRef():
dsGetRecordList() status = 0, recCount=0
Any hint about what I should be looking at?
Mind you, I'm a complete noob when it comes to radius, I only started
playing with it 2 days ago.
Thank you for your help troubleshooting this matter.
Regards
Jean-Yves
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
The log you posted shows a clear issue:
> When connecting with Windows 7, I would read:
>
> Thu Aug 26 02:21:52 2010 : Auth: rlm_opendirectory: Could not get the
> user's uuid.
> Thu Aug 26 02:21:53 2010 : Error: rlm_mschap: getUserNodeRef():
> dsGetRecordList() status = 0, recCount=0
>
>
> Any hint about what I should be looking at?
Run the server in debugging mode (radiusd -X). Look for the above
errors, and *read* the lines of text around them.
Then use the information from the debug output to look the user up in
OpenDirectory. Odds are that the user doesn't exist, which is why it
can't get the UUID.
> Mind you, I'm a complete noob when it comes to radius, I only started
> playing with it 2 days ago.
This isn't much of a RADIUS error. The user lookup in OpenDirectory
fails, and the UUID wasn't found. The only issue is *who* was being
looked up, and *why* the UUID wasn't found.
Alan DeKok.
On Thursday, August 26, 2010, Alan DeKok <al...@deployingradius.com> wrote:
> Jean-Yves Avenard wrote:
>> I am running freeradius that comes installed and configured with MacOS
>> 10.6 server.
>>
>> A Windows XP can connect just fine using Microsoft Protected EAP.
>> iPhone, mac os client connect just fine using EAP-TTLS
>>
>> Windows 7 will connect fine using Securew2 EAP-TTLS supplicant; but
>> not with the default built-in PEAP.
>
> The log you posted shows a clear issue:
>
>> When connecting with Windows 7, I would read:
>>
>> Thu Aug 26 02:21:52 2010 : Auth: rlm_opendirectory: Could not get the
>> user's uuid.
>> Thu Aug 26 02:21:53 2010 : Error: rlm_mschap: getUserNodeRef():
>> dsGetRecordList() status = 0, recCount=0
>>
>>
>> Any hint about what I should be looking at?
>
> Run the server in debugging mode (radiusd -X). Look for the above
> errors, and *read* the lines of text around them.
>
> Then use the information from the debug output to look the user up in
> OpenDirectory. Odds are that the user doesn't exist, which is why it
> can't get the UUID.
I was the one doing the testing. Username/password are identical in all tests.
>
>> Mind you, I'm a complete noob when it comes to radius, I only started
>> playing with it 2 days ago.
>
> This isn't much of a RADIUS error. The user lookup in OpenDirectory
> fails, and the UUID wasn't found. The only issue is *who* was being
> looked up, and *why* the UUID wasn't found.
>
Will run radius in debug mode and report back. I'm still puzzled why
there would be a difference between 7 and XP in the way they are
transmitting the user name
nolan
--
Nolan King
Moulton Niguel Water District
27500 La Paz Rd.
Laguna Niguel, CA 92677
(949) 425-3542
24hr: (949) 831-2500
>>> On 8/26/2010 at 11:44 AM, in message
<AANLkTikVfX7SynjsO3-nan1EVjTSL6vVKJs=HCTf...@mail.gmail.com>, Jean-Yves
What do you do in this case then?
Have a script run by freeradius putting all characters as lower case?
On 26 August 2010 23:35, Alan DeKok <al...@deployingradius.com> wrote:
> Jean-Yves Avenard wrote:
>> I am running freeradius that comes installed and configured with MacOS
>> 10.6 server.
>>
>> A Windows XP can connect just fine using Microsoft Protected EAP.
>> iPhone, mac os client connect just fine using EAP-TTLS
>>
>> Windows 7 will connect fine using Securew2 EAP-TTLS supplicant; but
>> not with the default built-in PEAP.
>
> The log you posted shows a clear issue:
>
>> When connecting with Windows 7, I would read:
>>
>> Thu Aug 26 02:21:52 2010 : Auth: rlm_opendirectory: Could not get the
>> user's uuid.
>> Thu Aug 26 02:21:53 2010 : Error: rlm_mschap: getUserNodeRef():
>> dsGetRecordList() status = 0, recCount=0
>>
>>
>> Any hint about what I should be looking at?
>
> Run the server in debugging mode (radiusd -X). Look for the above
> errors, and *read* the lines of text around them.
>
> Then use the information from the debug output to look the user up in
> OpenDirectory. Odds are that the user doesn't exist, which is why it
> can't get the UUID.
>
>> Mind you, I'm a complete noob when it comes to radius, I only started
>> playing with it 2 days ago.
>
> This isn't much of a RADIUS error. The user lookup in OpenDirectory
> fails, and the UUID wasn't found. The only issue is *who* was being
> looked up, and *why* the UUID wasn't found.
>
> Alan DeKok.
All right...
Here are some logs...
rad_recv: Access-Request packet from host 192.168.0.20 port 65513,
id=51, length=163
User-Name = "host/ramon"
NAS-IP-Address = 192.168.0.20
NAS-Port = 0
Called-Station-Id = "00-1C-B3-AD-13-5F:HYDRIX-TEST"
Calling-Station-Id = "C4-46-19-25-31-52"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11"
EAP-Message = 0x027e000f01686f73742f72616d6f6e
Message-Authenticator = 0x4f4536256e97a2b596511e8560ef07ca
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "host/ramon", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 126 length 15
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
rlm_opendirectory: The host 192.168.0.20 does not have an access group.
rlm_opendirectory: Could not get the user's uuid.
++[opendirectory] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[snip]
By default it tries to connect with the computer name rather than the
user name..
Going into the Advanced option, I can force the type of authentication
use to "User Authentication"...
From there it worked ...
And... what does this message mean? It's an OpenDirectory error
message, so find out what it means, and how to fix it.
> rlm_opendirectory: Could not get the user's uuid.
Which looks like a direct consequence of the previous message.
> By default it tries to connect with the computer name rather than the
> user name..
Because that's what's in the RADIUS packet. If you want it to use
something *other* than what's in the packet, you will need to configure
the server to use the correct field.
So which field do you want to use?
On 27 August 2010 20:46, Alan DeKok <al...@deployingradius.com> wrote:
> Jean-Yves Avenard wrote:
>> Here are some logs...
> ...
>> rlm_opendirectory: The host 192.168.0.20 does not have an access group.
>
> And... what does this message mean? It's an OpenDirectory error
> message, so find out what it means, and how to fix it.
>
192.168.0.20 is the wireless access point
>> rlm_opendirectory: Could not get the user's uuid.
>
> Which looks like a direct consequence of the previous message.
>
no, this is a consequence of it trying to lookup the machine name
instead of the user name
>> By default it tries to connect with the computer name rather than the
>> user name..
>
> Because that's what's in the RADIUS packet. If you want it to use
> something *other* than what's in the packet, you will need to configure
> the server to use the correct field.
>
> So which field do you want to use?
As mentioned before; the username.
You seem to miss the point that the issue occurs *only* with Win 7
clients. All other clients are fine.
>
> You seem to miss the point that the issue occurs *only* with Win 7
> clients. All other clients are fine.
Please post the debug output of freeradius, obtained by running:
radiusd -X
...for a working and failing case.
I don't really care which client it is. All that matters is:
a) what data is in the packet
b) what you configure the server to do with that data
You have posted output from (a). That's nice. You *also* need (as I
said already) to configure the server for (b).
Unfortunately, the OpenDirectory module does not take any
configuration. This means that you will need to edit the "User-Name"
attribute *before* it is used by the opendirectory module.
So... what *should* the User-Name look like? This is for you to decide.
Alan DeKok.
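Added example (not from the thread and not FreeRADIUS code): this Python decodes the EAP-Message hex from the radiusd -X output posted in this thread, showing that the failing request carries the machine identity host/ramon while the working one carries the user name, and pairs each identity with the opendirectory module's return code. The function names and the trimmed SAMPLE_DEBUG text are assumptions made for the example; the log lines inside it are copied from the thread.

```python
import re
import struct

EAP_CODES = {1: "request", 2: "response", 3: "success", 4: "failure"}
EAP_TYPE_IDENTITY = 1

# Lines copied from the two debug outputs in this thread, trimmed to what the
# audit needs. The second block keeps the "> " prefix the poster added.
SAMPLE_DEBUG = """\
rad_recv: Access-Request packet from host 192.168.0.20 port 65513, id=51, length=163
User-Name = "host/ramon"
EAP-Message = 0x027e000f01686f73742f72616d6f6e
rlm_opendirectory: Could not get the user's uuid.
++[opendirectory] returns notfound
> rad_recv: Access-Request packet from host 192.168.0.20 port 65513, id=103, length=177
> User-Name = "jean-yves.avenard"
> EAP-Message = 0x02d40016016a65616e2d797665732e6176656e617264
> rlm_opendirectory: User <jean-yves.avenard> is authorized.
> ++[opendirectory] returns ok
"""

EAP_LINE = re.compile(r"EAP-Message = (0x[0-9a-fA-F]+)")
OD_RESULT = re.compile(r"\+\+\[opendirectory\] returns (\w+)")


def parse_eap_identity(hex_value):
    """Return (code_name, eap_id, identity) for an EAP Identity packet.

    Raises ValueError for bad hex, a wrong length field, an unknown code,
    or any EAP type other than Identity (for example the PEAP/TLS packets).
    """
    text = hex_value.strip()
    if text.lower().startswith("0x"):
        text = text[2:]
    raw = bytes.fromhex(text)  # raises ValueError on invalid hex
    if len(raw) < 5:
        raise ValueError("too short for an EAP header plus type octet")
    code, eap_id, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError("EAP length field does not match the data received")
    if code not in EAP_CODES:
        raise ValueError("unknown EAP code %d" % code)
    if raw[4] != EAP_TYPE_IDENTITY:
        raise ValueError("EAP type %d is not Identity" % raw[4])
    return EAP_CODES[code], eap_id, raw[5:].decode("utf-8", errors="replace")


def classify_identity(identity):
    """Return (kind, lookup_name) for the identity a supplicant sent.

    'host/NAME' is a computer account, 'DOMAIN\\user' is a user with the
    domain part stripped, and anything else is treated as a plain user name.
    """
    if identity.lower().startswith("host/"):
        return "machine", identity[5:]
    if "\\" in identity:
        return "user", identity.split("\\", 1)[1]
    return "user", identity


def audit_debug_output(text):
    """Pair each EAP Identity response with the opendirectory return code."""
    findings = []
    current = None
    for line in text.splitlines():
        line = line.lstrip("> \t")  # drop mail quoting and indentation
        if line.startswith("rad_recv:"):
            current = None  # a new request starts here
            continue
        match = EAP_LINE.match(line)
        if match:
            try:
                code, _, identity = parse_eap_identity(match.group(1))
            except ValueError:
                continue  # TLS fragments and other non-Identity packets
            if code != "response":
                continue
            kind, name = classify_identity(identity)
            current = {"identity": identity, "kind": kind,
                       "lookup_name": name, "opendirectory": None}
            findings.append(current)
            continue
        match = OD_RESULT.match(line)
        if match and current is not None and current["opendirectory"] is None:
            current["opendirectory"] = match.group(1)
    return findings


if __name__ == "__main__":
    for finding in audit_debug_output(SAMPLE_DEBUG):
        print(finding)
```
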
On 27 August 2010 23:06, Alan DeKok <al...@deployingradius.com> wrote:
> Jean-Yves Avenard wrote:
>> You seem to miss the point that the issue occurs *only* with Win 7
>> clients. All other clients are fine.
>
> I don't really care which client it is. All that matters is:
>
> a) what data is in the packet
>
> b) what you configure the server to do with that data
>
>
> You have posted output from (a). That's nice. You *also* need (as I
> said already) to configure the server for (b).
Okay..
As requested.
Here is the log from the Win 7 client, when it is configured in
Advanced Settings -> 802.11X Settings -> Specify authentication mode:
user authentication
I've preceded each line with > so if like me you are using gmail, it's
easier to skip through
> rad_recv: Access-Request packet from host 192.168.0.20 port 65513, id=103, length=177
> User-Name = "jean-yves.avenard"
> NAS-IP-Address = 192.168.0.20
> NAS-Port = 0
> Called-Station-Id = "00-1C-B3-AD-13-5F:HYDRIX-TEST"
> Calling-Station-Id = "C4-46-19-25-31-52"
> Framed-MTU = 1400
> NAS-Port-Type = Wireless-802.11
> Connect-Info = "CONNECT 0Mbps 802.11"
> EAP-Message = 0x02d40016016a65616e2d797665732e6176656e617264
> Message-Authenticator = 0xd617293cc36f9d2934e4364c48696da2
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = "jean-yves.avenard", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 212 length 22
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] returns updated
> ++[unix] returns updated
> ++[files] returns noop
> rlm_opendirectory: The host 192.168.0.20 does not have an access group.
> rlm_opendirectory: User <jean-yves.avenard> is authorized.
> ++[opendirectory] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] Found existing Auth-Type, not changing it.
> ++[pap] returns noop
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] EAP Identity
> [eap] processing type tls
> [tls] Initiate
> [tls] Start returned 1
> ++[eap] returns handled
> Sending Access-Challenge of id 103 to 192.168.0.20 port 65513
> EAP-Message = 0x01d500061920
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x56ebca49563ed3c34eaeaec5306add89
> Finished request 0.
> Going to the next request
> Waking up in 4.9 seconds.
> rad_recv: Access-Request packet from host 192.168.0.20 port 65513, id=104, length=304
> User-Name = "jean-yves.avenard"
> NAS-IP-Address = 192.168.0.20
> NAS-Port = 0
> Called-Station-Id = "00-1C-B3-AD-13-5F:HYDRIX-TEST"
> Calling-Station-Id = "C4-46-19-25-31-52"
> Framed-MTU = 1400
> NAS-Port-Type = Wireless-802.11
> Connect-Info = "CONNECT 0Mbps 802.11"
> EAP-Message = 0x02d5008319800000007916030100740100007003014c7bbc6f1988ef8942fd2a91e0d171c08e57e6f23dbce06bfb570dc2a39ee7b2000018002f00350005000ac013c014c009c00a00320038001300040100002fff010001000000001600140000116a65616e2d797665732e6176656e617264000a0006000400170018000b00020100
> State = 0x56ebca49563ed3c34eaeaec5306add89
> Message-Authenticator = 0xdc87572842154eda0af298bfad361a81
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = "jean-yves.avenard", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 213 length 131
> [eap] Continuing tunnel setup.
> ++[eap] returns ok
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/peap
> [eap] processing type peap
> [peap] processing EAP-TLS
> TLS Length 121
> [peap] Length Included
> [peap] eaptls_verify returned 11
> [peap] (other): before/accept initialization
> [peap] TLS_accept: before/accept initialization
> [peap] <<< TLS 1.0 Handshake [length 0074], ClientHello
> [peap] TLS_accept: SSLv3 read client hello A
> [peap] >>> TLS 1.0 Handshake [length 002a], ServerHello
> [peap] TLS_accept: SSLv3 write server hello A
> [peap] >>> TLS 1.0 Handshake [length 068a], Certificate
> [peap] TLS_accept: SSLv3 write certificate A
> [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
> [peap] TLS_accept: SSLv3 write server done A
> [peap] TLS_accept: SSLv3 flush data
> [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A
> In SSL Handshake Phase
> In SSL Accept mode
> [peap] eaptls_process returned 13
> [peap] EAPTLS_HANDLED
> ++[eap] returns handled
> Sending Access-Challenge of id 104 to 192.168.0.20 port 65513
> EAP-Message = 0x756966617820536563757265
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x56ebca49573dd3c34eaeaec5306add89
> Finished request 1.
> Going to the next request
> Waking up in 4.9 seconds.
> rad_recv: Access-Request packet from host 192.168.0.20 port 65513, id=105, length=179
> User-Name = "jean-yves.avenard"
> NAS-IP-Address = 192.168.0.20
> NAS-Port = 0
> Called-Station-Id = "00-1C-B3-AD-13-5F:HYDRIX-TEST"
> Calling-Station-Id = "C4-46-19-25-31-52"
> Framed-MTU = 1400
> NAS-Port-Type = Wireless-802.11
> Connect-Info = "CONNECT 0Mbps 802.11"
> EAP-Message = 0x02d600061900
> State = 0x56ebca49573dd3c34eaeaec5306add89
> Message-Authenticator = 0xba5d2001604fd40f63be2a0066f39618
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = "jean-yves.avenard", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 214 length 6
> [eap] Continuing tunnel setup.
> ++[eap] returns ok
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/peap
> [eap] processing type peap
> [peap] processing EAP-TLS
> [peap] Received TLS ACK
> [peap] ACK handshake fragment handler
> [peap] eaptls_verify returned 1
> [peap] eaptls_process returned 13
> [peap] EAPTLS_HANDLED
> ++[eap] returns handled
> Sending Access-Challenge of id 105 to 192.168.0.20 port 65513
> EAP-Message = 0x16041448e668f92bd2b295d747d82320104f3398909fd4300c0603551d13040530030101ff301a06092a864886f67d074100040d300b1b0556332e3063030206c0300d06092a864886f70d01010505000381810058ce29eafcf7deb5ce02b917b585d1b9e3e095cc25310d00a6926e7fb692639e5095d19a6fe411de63856e98eea8ff5ac8d355b2667157dec021eb3d2aa72349010486427bfcee7fa21652b56767d340db3b2658b228773dae147761d6fa2a6627a00dfaa7735cea70f1942165445ffafcef2968a9a28779ef79ef4fac07773816030100040e000000
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x56ebca49543cd3c34eaeaec5306add89
> Finished request 2.
> Going to the next request
> Waking up in 4.9 seconds.
> rad_recv: Access-Request packet from host 192.168.0.20 port 65513, id=106, length=381
> User-Name = "jean-yves.avenard"
> NAS-IP-Address = 192.168.0.20
> NAS-Port = 0
> Called-Station-Id = "00-1C-B3-AD-13-5F:HYDRIX-TEST"
> Calling-Station-Id = "C4-46-19-25-31-52"
> Framed-MTU = 1400
> NAS-Port-Type = Wireless-802.11
> Connect-Info = "CONNECT 0Mbps 802.11"
> EAP-Message = 0x02d700d01980000000c61603010086100000820080c6238de17d3505d52f67e05190dda102bac42ce3dda3f1160dc48fdf0f030dc3bd75a41e8ba6fd4345b6d97d6213f2e8e6395d0e762ac64543d790409d7b050d898adbc615a1efd4a7a4280e782d9d1b63d4ba3c56ad0c6350564d937cfcbc2896901cf4908f615daff21b72cf0b6d15dc6076af070c1a42f4f9c060c279df24140301000101160301003008a5f1ed66228073f1e8d76de392579a7b1dd1743f79c127b429f1022eb9ed92d457ca0541ec88dd5443b24612555521
> State = 0x56ebca49543cd3c34eaeaec5306add89
> Message-Authenticator = 0xa844fe6f8705aa634490d82244ca6717
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = "jean-yves.avenard", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 215 length 208
> [eap] Continuing tunnel setup.
> ++[eap] returns ok
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/peap
> [eap] processing type peap
> [peap] processing EAP-TLS
> TLS Length 198
> [peap] Length Included
> [peap] eaptls_verify returned 11
> [peap] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
> [peap] TLS_accept: SSLv3 read client key exchange A
> [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
> [peap] <<< TLS 1.0 Handshake [length 0010], Finished
> [peap] TLS_accept: SSLv3 read finished A
> [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
> [peap] TLS_accept: SSLv3 write change cipher spec A
> [peap] >>> TLS 1.0 Handshake [length 0010], Finished
> [peap] TLS_accept: SSLv3 write finished A
> [peap] TLS_accept: SSLv3 flush data
> [peap] (other): SSL negotiation finished successfully
> SSL Connection Established
> [peap] eaptls_process returned 13
> [peap] EAPTLS_HANDLED
> ++[eap] returns handled
> Sending Access-Challenge of id 106 to 192.168.0.20 port 65513
> EAP-Message = 0x01d8004119001403010001011603010030871e1d85c5e7a6f2dc2b24b6f380deb7162c192558a035576389cb6516c5c1b554cf47031c40173be061ca8c37a86476
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x56ebca495533d3c34eaeaec5306add89
> Finished request 3.
> Going to the next request
> Waking up in 4.9 seconds.
> rad_recv: Access-Request packet from host 192.168.0.20 port 65513, id=107, length=179
> User-Name = "jean-yves.avenard"
> NAS-IP-Address = 192.168.0.20
> NAS-Port = 0
> Called-Station-Id = "00-1C-B3-AD-13-5F:HYDRIX-TEST"
> Calling-Station-Id = "C4-46-19-25-31-52"
> Framed-MTU = 1400
> NAS-Port-Type = Wireless-802.11
> Connect-Info = "CONNECT 0Mbps 802.11"
> EAP-Message = 0x02d800061900
> State = 0x56ebca495533d3c34eaeaec5306add89
> Message-Authenticator = 0x58d3f7836001e4de5c66b0f0690293fc
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = "jean-yves.avenard", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 216 length 6
> [eap] Continuing tunnel setup.
> ++[eap] returns ok
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/peap
> [eap] processing type peap
> [peap] processing EAP-TLS
> [peap] Received TLS ACK
> [peap] ACK handshake is finished
> [peap] eaptls_verify returned 3
> [peap] eaptls_process returned 3
> [peap] EAPTLS_SUCCESS
> ++[eap] returns handled
> Sending Access-Challenge of id 107 to 192.168.0.20 port 65513
> EAP-Message = 0x01d9002b190017030100201558a359dbf74ae6fc65f62583f774446eb7b95973a80ed47ccc32b5510dc40c
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x56ebca495232d3c34eaeaec5306add89
> Finished request 4.
> Going to the next request
> Waking up in 4.9 seconds.
> rad_recv: Access-Request packet from host 192.168.0.20 port 65513, id=108, length=232
> User-Name = "jean-yves.avenard"
> NAS-IP-Address = 192.168.0.20
> NAS-Port = 0
> Called-Station-Id = "00-1C-B3-AD-13-5F:HYDRIX-TEST"
> Calling-Station-Id = "C4-46-19-25-31-52"
> Framed-MTU = 1400
> NAS-Port-Type = Wireless-802.11
> Connect-Info = "CONNECT 0Mbps 802.11"
> EAP-Message = 0x02d9003b190017030100308c7db30e12a98adde5eea9d84f120dddd6423d6524e2292cc307630e7548484a7bf50c77624ed1615fb9d458a6b4b93e
> State = 0x56ebca495232d3c34eaeaec5306add89
> Message-Authenticator = 0x43696038a9644d24ae76625f007a23d8
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = "jean-yves.avenard", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 217 length 59
> [eap] Continuing tunnel setup.
> ++[eap] returns ok
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/peap
> [eap] processing type peap
> [peap] processing EAP-TLS
> [peap] eaptls_verify returned 7
> [peap] Done initial handshake
> [peap] eaptls_process returned 7
> [peap] EAPTLS_OK
> [peap] Session established. Decoding tunneled attributes.
> [peap] Identity - jean-yves.avenard
> [peap] Got tunneled request
> EAP-Message = 0x02d90016016a65616e2d797665732e6176656e617264
> server {
> PEAP: Got tunneled identity of jean-yves.avenard
> PEAP: Setting default EAP type for tunneled EAP session.
> PEAP: Setting User-Name to jean-yves.avenard
> Sending tunneled request
> EAP-Message = 0x02d90016016a65616e2d797665732e6176656e617264
> FreeRADIUS-Proxied-To = 127.0.0.1
> User-Name = "jean-yves.avenard"
> server inner-tunnel {
> +- entering group authorize {...}
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[unix] returns updated
> [suffix] No '@' in User-Name = "jean-yves.avenard", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> ++[control] returns noop
> [eap] EAP packet type response id 217 length 22
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] returns updated
> ++[files] returns noop
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] Found existing Auth-Type, not changing it.
> ++[pap] returns noop
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] EAP Identity
> [eap] processing type mschapv2
> rlm_eap_mschapv2: Issuing Challenge
> ++[eap] returns handled
> } # server inner-tunnel
> [peap] Got tunneled reply code 11
> EAP-Message = 0x01da002b1a01da00261043ab8b6696518e3d977d7e43cfbbe4556a65616e2d797665732e6176656e617264
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x4fa813f74f7209c552ff372f4aeadb16
> [peap] Got tunneled reply RADIUS code 11
> EAP-Message = 0x01da002b1a01da00261043ab8b6696518e3d977d7e43cfbbe4556a65616e2d797665732e6176656e617264
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x4fa813f74f7209c552ff372f4aeadb16
> [peap] Got tunneled Access-Challenge
> ++[eap] returns handled
> Sending Access-Challenge of id 108 to 192.168.0.20 port 65513
> EAP-Message = 0x01da004b19001703010040fe03996117bf5d58930069397a6f4274e1fe6de21db623b4da95c09b068614931d91f318dab53ffe9da4f6f7f2b51e946241a04ea19b98858ae5f8719ede8c41
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x56ebca495331d3c34eaeaec5306add89
> Finished request 5.
> Going to the next request
> Waking up in 4.9 seconds.
> rad_recv: Access-Request packet from host 192.168.0.20 port 65513, id=109, length=280
> User-Name = "jean-yves.avenard"
> NAS-IP-Address = 192.168.0.20
> NAS-Port = 0
> Called-Station-Id = "00-1C-B3-AD-13-5F:HYDRIX-TEST"
> Calling-Station-Id = "C4-46-19-25-31-52"
> Framed-MTU = 1400
> NAS-Port-Type = Wireless-802.11
> Connect-Info = "CONNECT 0Mbps 802.11"
> EAP-Message = 0x02da006b190017030100606a6800fadb31147345321c0441ded410513b8acbff36d2111ec021f0ce54e3ce36806865010d19b9b86a8309b0feccfa44db665feb586e4ca932fb0dd79cd61fc8600f6ac45ddd775ea4de0d3815f737d4469bfb1de8108d97db27c1609e1c30
> State = 0x56ebca495331d3c34eaeaec5306add89
> Message-Authenticator = 0xf90ce475234bb39e5904bf9f3fcbee00
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = "jean-yves.avenard", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 218 length 107
> [eap] Continuing tunnel setup.
> ++[eap] returns ok
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/peap
> [eap] processing type peap
> [peap] processing EAP-TLS
> [peap] eaptls_verify returned 7
> [peap] Done initial handshake
> [peap] eaptls_process returned 7
> [peap] EAPTLS_OK
> [peap] Session established. Decoding tunneled attributes.
> [peap] EAP type mschapv2
> [peap] Got tunneled request
> EAP-Message = 0x02da004c1a02da004731371b44b1d34d564423fd33a0a766298f0000000000000000dc783dfb319f1434f2ef4ddb10101167ad0f145d457b9283006a65616e2d797665732e6176656e617264
> server {
> PEAP: Setting User-Name to jean-yves.avenard
> Sending tunneled request
> EAP-Message = 0x02da004c1a02da004731371b44b1d34d564423fd33a0a766298f0000000000000000dc783dfb319f1434f2ef4ddb10101167ad0f145d457b9283006a65616e2d797665732e6176656e617264
> FreeRADIUS-Proxied-To = 127.0.0.1
> User-Name = "jean-yves.avenard"
> State = 0x4fa813f74f7209c552ff372f4aeadb16
> server inner-tunnel {
> +- entering group authorize {...}
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[unix] returns updated
> [suffix] No '@' in User-Name = "jean-yves.avenard", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> ++[control] returns noop
> [eap] EAP packet type response id 218 length 76
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] returns updated
> ++[files] returns noop
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] Found existing Auth-Type, not changing it.
> ++[pap] returns noop
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/mschapv2
> [eap] processing type mschapv2
> [mschapv2] +- entering group MS-CHAP {...}
> [mschap] No Cleartext-Password configured. Cannot create LM-Password.
> [mschap] No Cleartext-Password configured. Cannot create NT-Password.
> [mschap] No NT-Password configured. Trying OpenDirectory Authentication.
> [mschap] OD username_string = jean-yves.avenard, OD shortUserName=jean-yves.avenard (length = 17)
> [mschap] dsDoDirNodeAuth returns stepbuff: S=E8966B7B7AFD6594A863C42AA12032861CE2F8345616e2298f0000?I0??"????????? (len=40)
> ++[mschap] returns ok
> MSCHAP Success
> ++[eap] returns handled
> } # server inner-tunnel
> [peap] Got tunneled reply code 11
> EAP-Message = 0x01db00331a03da002e533d45383936364237423741464436353934413836334334324141313230333238363143453246383334
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x4fa813f74e7309c552ff372f4aeadb16
> [peap] Got tunneled reply RADIUS code 11
> EAP-Message = 0x01db00331a03da002e533d45383936364237423741464436353934413836334334324141313230333238363143453246383334
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x4fa813f74e7309c552ff372f4aeadb16
> [peap] Got tunneled Access-Challenge
> ++[eap] returns handled
> Sending Access-Challenge of id 109 to 192.168.0.20 port 65513
> EAP-Message = 0x01db005b19001703010050af77e16588bd1a0669684b744b7386bbccdca1d8a0c554b94ce6fa65b3e404b652546af93c89b1779e6ed50ca043c0fc675638201f09f07336e1f5890ccc375ca6b0a82585461517f3efa7d0607be02c
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x56ebca495030d3c34eaeaec5306add89
> Finished request 6.
> Going to the next request
> Waking up in 4.9 seconds.
> rad_recv: Access-Request packet from host 192.168.0.20 port 65513, id=110, length=216
> User-Name = "jean-yves.avenard"
> NAS-IP-Address = 192.168.0.20
> NAS-Port = 0
> Called-Station-Id = "00-1C-B3-AD-13-5F:HYDRIX-TEST"
> Calling-Station-Id = "C4-46-19-25-31-52"
> Framed-MTU = 1400
> NAS-Port-Type = Wireless-802.11
> Connect-Info = "CONNECT 0Mbps 802.11"
> EAP-Message = 0x02db002b19001703010020a698915f58535a61ac9e89cd7d8b67c249930e37a6dc9f3ac6a24cc17a496c05
> State = 0x56ebca495030d3c34eaeaec5306add89
> Message-Authenticator = 0x1d75c784913c112a990a8338c6569695
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = "jean-yves.avenard", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 219 length 43
> [eap] Continuing tunnel setup.
> ++[eap] returns ok
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/peap
> [eap] processing type peap
> [peap] processing EAP-TLS
> [peap] eaptls_verify returned 7
> [peap] Done initial handshake
> [peap] eaptls_process returned 7
> [peap] EAPTLS_OK
> [peap] Session established. Decoding tunneled attributes.
> [peap] EAP type mschapv2
> [peap] Got tunneled request
> EAP-Message = 0x02db00061a03
> server {
> PEAP: Setting User-Name to jean-yves.avenard
> Sending tunneled request
> EAP-Message = 0x02db00061a03
> FreeRADIUS-Proxied-To = 127.0.0.1
> User-Name = "jean-yves.avenard"
> State = 0x4fa813f74e7309c552ff372f4aeadb16
> server inner-tunnel {
> +- entering group authorize {...}
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[unix] returns updated
> [suffix] No '@' in User-Name = "jean-yves.avenard", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> ++[control] returns noop
> [eap] EAP packet type response id 219 length 6
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] returns updated
> ++[files] returns noop
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] Found existing Auth-Type, not changing it.
> ++[pap] returns noop
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/mschapv2
> [eap] processing type mschapv2
> [eap] Freeing handler
> ++[eap] returns ok
> } # server inner-tunnel
> [peap] Got tunneled reply code 2
> EAP-Message = 0x03db0004
> Message-Authenticator = 0x00000000000000000000000000000000
> User-Name = "jean-yves.avenard"
> [peap] Got tunneled reply RADIUS code 2
> EAP-Message = 0x03db0004
> Message-Authenticator = 0x00000000000000000000000000000000
> User-Name = "jean-yves.avenard"
> [peap] Tunneled authentication was successful.
> [peap] SUCCESS
> ++[eap] returns handled
> Sending Access-Challenge of id 110 to 192.168.0.20 port 65513
> EAP-Message = 0x01dc002b190017030100203e47a88e8ae2f4b63f9dd0d78a10db0b899d41f2966124be7a8e31aca594282a
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x56ebca495137d3c34eaeaec5306add89
> Finished request 7.
> Going to the next request
> Waking up in 4.9 seconds.
> rad_recv: Access-Request packet from host 192.168.0.20 port 65513, id=111, length=216
> User-Name = "jean-yves.avenard"
> NAS-IP-Address = 192.168.0.20
> NAS-Port = 0
> Called-Station-Id = "00-1C-B3-AD-13-5F:HYDRIX-TEST"
> Calling-Station-Id = "C4-46-19-25-31-52"
> Framed-MTU = 1400
> NAS-Port-Type = Wireless-802.11
> Connect-Info = "CONNECT 0Mbps 802.11"
> EAP-Message = 0x02dc002b19001703010020bbb1b1cb33d1827663c63b0f1e128d63d8b06d4658eb690c80d4916c8dc1646a
> State = 0x56ebca495137d3c34eaeaec5306add89
> Message-Authenticator = 0x57111afa6e1374748e54800df1147e8a
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = "jean-yves.avenard", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 220 length 43
> [eap] Continuing tunnel setup.
> ++[eap] returns ok
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/peap
> [eap] processing type peap
> [peap] processing EAP-TLS
> [peap] eaptls_verify returned 7
> [peap] Done initial handshake
> [peap] eaptls_process returned 7
> [peap] EAPTLS_OK
> [peap] Session established. Decoding tunneled attributes.
> [peap] Received EAP-TLV response.
> [peap] Success
> [eap] Freeing handler
> ++[eap] returns ok
> +- entering group post-auth {...}
> ++[exec] returns noop
> Sending Access-Accept of id 111 to 192.168.0.20 port 65513
> MS-MPPE-Recv-Key = 0x6b7c57469ccfdccfa399fc3d20b47021bb81c6f71d05ed2d2f085306f06ce8a1
> MS-MPPE-Send-Key = 0xe1d0265f9a991b9030206da68cf419b6fd84d3fb9e4e2d9345402fe9eba57440
> EAP-Message = 0x03dc0004
> Message-Authenticator = 0x00000000000000000000000000000000
> User-Name = "jean-yves.avenard"
> Finished request 8.
> Going to the next request
> Waking up in 4.9 seconds.
> Cleaning up request 0 ID 103 with timestamp +28
> Cleaning up request 1 ID 104 with timestamp +28
> Cleaning up request 2 ID 105 with timestamp +28
> Cleaning up request 3 ID 106 with timestamp +28
> Cleaning up request 4 ID 107 with timestamp +28
> Cleaning up request 5 ID 108 with timestamp +28
> Cleaning up request 6 ID 109 with timestamp +28
> Cleaning up request 7 ID 110 with timestamp +28
> Cleaning up request 8 ID 111 with timestamp +28
> Ready to process requests.
This is from a Win 7 client, using default configuration settings that
is just username / password and that Authentication is PEAP:MSCHAPv2
> rad_recv: Access-Request packet from host 192.168.0.20 port 65513, id=112, length=163
> User-Name = "host/ramon"
> NAS-IP-Address = 192.168.0.20
> NAS-Port = 0
> Called-Station-Id = "00-1C-B3-AD-13-5F:HYDRIX-TEST"
> Calling-Station-Id = "C4-46-19-25-31-52"
> Framed-MTU = 1400
> NAS-Port-Type = Wireless-802.11
> Connect-Info = "CONNECT 0Mbps 802.11"
> EAP-Message = 0x0272000f01686f73742f72616d6f6e
> Message-Authenticator = 0xafc736013ac7d55d3093782b7d03d604
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = "host/ramon", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 114 length 15
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] returns updated
> ++[unix] returns notfound
> ++[files] returns noop
> rlm_opendirectory: The host 192.168.0.20 does not have an access group.
> rlm_opendirectory: Could not get the user's uuid.
> ++[opendirectory] returns notfound
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
> ++[pap] returns noop
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] EAP Identity
> [eap] processing type tls
> [tls] Initiate
> [tls] Start returned 1
> ++[eap] returns handled
> Sending Access-Challenge of id 112 to 192.168.0.20 port 65513
> EAP-Message = 0x017300061920
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x2901333729722a271ee22a85a9879908
> Finished request 9.
> Going to the next request
> Waking up in 4.9 seconds.
> rad_recv: Access-Request packet from host 192.168.0.20 port 65513, id=113, length=285
> User-Name = "host/ramon"
> NAS-IP-Address = 192.168.0.20
> NAS-Port = 0
> Called-Station-Id = "00-1C-B3-AD-13-5F:HYDRIX-TEST"
> Calling-Station-Id = "C4-46-19-25-31-52"
> Framed-MTU = 1400
> NAS-Port-Type = Wireless-802.11
> Connect-Info = "CONNECT 0Mbps 802.11"
> EAP-Message = 0x0273007719800000006d16030100680100006403014c7bbde9787032bb1126f5fce5f22fd277f962afa64bce2d5bf8407c4319fc04000018002f00350005000ac013c014c009c00a003200380013000401000023ff010001000000000a000800000572616d6f6e000a0006000400170018000b00020100
> State = 0x2901333729722a271ee22a85a9879908
> Message-Authenticator = 0xd82e921b4c981a07c773647fc0786b91
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = "host/ramon", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 115 length 119
> [eap] Continuing tunnel setup.
> ++[eap] returns ok
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/peap
> [eap] processing type peap
> [peap] processing EAP-TLS
> TLS Length 109
> [peap] Length Included
> [peap] eaptls_verify returned 11
> [peap] (other): before/accept initialization
> [peap] TLS_accept: before/accept initialization
> [peap] <<< TLS 1.0 Handshake [length 0068], ClientHello
> [peap] TLS_accept: SSLv3 read client hello A
> [peap] >>> TLS 1.0 Handshake [length 002a], ServerHello
> [peap] TLS_accept: SSLv3 write server hello A
> [peap] >>> TLS 1.0 Handshake [length 068a], Certificate
> [peap] TLS_accept: SSLv3 write certificate A
> [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
> [peap] TLS_accept: SSLv3 write server done A
> [peap] TLS_accept: SSLv3 flush data
> [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A
> In SSL Handshake Phase
> In SSL Accept mode
> [peap] eaptls_process returned 13
> [peap] EAPTLS_HANDLED
> ++[eap] returns handled
> Sending Access-Challenge of id 113 to 192.168.0.20 port 65513
> EAP-Message = 0x0b0b158d736b5205d8d769004bf9afabe7ff51b3ce3b00be1584bfa56660d8082ad02b47d3c85f64920342d33833bf9258e6c28d35a4c2f8dbec5db493f05683e08e74daedcc64544f09619008df99cdc2324c6d5853f244feb3b0c3cca90203010001a381ae3081ab300e0603551d0f0101ff0404030204f0301d0603551d0e041604147612da889e2204ca3467cd2b5ea70e1fc3f674f1303a0603551d1f04333031302fa02da02b8629687474703a2f2f63726c2e67656f74727573742e636f6d2f63726c732f73656375726563612e63726c301f0603551d2304183016801448e668f92bd2b295d747d82320104f3398909fd4301d0603551d2504
> EAP-Message = 0x756966617820536563757265
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x2901333728752a271ee22a85a9879908
> Finished request 10.
> Going to the next request
> Waking up in 4.9 seconds.
> rad_recv: Access-Request packet from host 192.168.0.20 port 65513, id=114, length=172
> User-Name = "host/ramon"
> NAS-IP-Address = 192.168.0.20
> NAS-Port = 0
> Called-Station-Id = "00-1C-B3-AD-13-5F:HYDRIX-TEST"
> Calling-Station-Id = "C4-46-19-25-31-52"
> Framed-MTU = 1400
> NAS-Port-Type = Wireless-802.11
> Connect-Info = "CONNECT 0Mbps 802.11"
> EAP-Message = 0x027400061900
> State = 0x2901333728752a271ee22a85a9879908
> Message-Authenticator = 0x90c632ba5132116016e8d8feb31e52fe
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = "host/ramon", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 116 length 6
> [eap] Continuing tunnel setup.
> ++[eap] returns ok
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/peap
> [eap] processing type peap
> [peap] processing EAP-TLS
> [peap] Received TLS ACK
> [peap] ACK handshake fragment handler
> [peap] eaptls_verify returned 1
> [peap] eaptls_process returned 13
> [peap] EAPTLS_HANDLED
> ++[eap] returns handled
> Sending Access-Challenge of id 114 to 192.168.0.20 port 65513
> EAP-Message = 0x579316f10f976ab7c268231ccc4d5930ac511e3baf2bd6ee63457bc5d95f50d2e3500f3a88e7bf14fde0c7b90203010001a38201093082010530700603551d1f046930673065a063a061a45f305d310b30090603550406130255533110300e060355040a130745717569666178312d302b060355040b1324457175696661782053656375726520436572746966696361746520417574686f72697479310d300b0603550403130443524c31301a0603551d1004133011810f32303138303832323136343135315a300b0603551d0f040403020106301f0603551d2304183016801448e668f92bd2b295d747d82320104f3398909fd4301d0603551d0e04
> EAP-Message = 0x16041448e668f92bd2b295d747d82320104f3398909fd4300c0603551d13040530030101ff301a06092a864886f67d074100040d300b1b0556332e3063030206c0300d06092a864886f70d01010505000381810058ce29eafcf7deb5ce02b917b585d1b9e3e095cc25310d00a6926e7fb692639e5095d19a6fe411de63856e98eea8ff5ac8d355b2667157dec021eb3d2aa72349010486427bfcee7fa21652b56767d340db3b2658b228773dae147761d6fa2a6627a00dfaa7735cea70f1942165445ffafcef2968a9a28779ef79ef4fac07773816030100040e000000
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x290133372b742a271ee22a85a9879908
> Finished request 11.
> Going to the next request
> Waking up in 4.9 seconds.
> rad_recv: Access-Request packet from host 192.168.0.20 port 65513, id=115, length=374
> User-Name = "host/ramon"
> NAS-IP-Address = 192.168.0.20
> NAS-Port = 0
> Called-Station-Id = "00-1C-B3-AD-13-5F:HYDRIX-TEST"
> Calling-Station-Id = "C4-46-19-25-31-52"
> Framed-MTU = 1400
> NAS-Port-Type = Wireless-802.11
> Connect-Info = "CONNECT 0Mbps 802.11"
> EAP-Message = 0x027500d01980000000c61603010086100000820080c92305f633ebb13d1146dac01d43c19047e5326b42434518e7daf6b6623a19eb1cd877ea3efc03f68c6e2614e424aa04bfc5f953155573bc9ce818f3d2c890a0986847a5ef8733880fb1451c8ba1b4b36120c346e9e9050d6eb253a78a737fd68aca89bf2f45fa6572741c52ff660419e9117178a9109ccf7bc8764a62b64277140301000101160301003073f845987a3f1b2b628142eed10e04383a69c24f9d047c9b032610d8757b0747ee669a44da75dee822ffd2a21e838ef2
> State = 0x290133372b742a271ee22a85a9879908
> Message-Authenticator = 0x9bb5cc74512ad0bdceaaaf921164c7a8
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = "host/ramon", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 117 length 208
> [eap] Continuing tunnel setup.
> ++[eap] returns ok
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/peap
> [eap] processing type peap
> [peap] processing EAP-TLS
> TLS Length 198
> [peap] Length Included
> [peap] eaptls_verify returned 11
> [peap] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
> [peap] TLS_accept: SSLv3 read client key exchange A
> [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
> [peap] <<< TLS 1.0 Handshake [length 0010], Finished
> [peap] TLS_accept: SSLv3 read finished A
> [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
> [peap] TLS_accept: SSLv3 write change cipher spec A
> [peap] >>> TLS 1.0 Handshake [length 0010], Finished
> [peap] TLS_accept: SSLv3 write finished A
> [peap] TLS_accept: SSLv3 flush data
> [peap] (other): SSL negotiation finished successfully
> SSL Connection Established
> [peap] eaptls_process returned 13
> [peap] EAPTLS_HANDLED
> ++[eap] returns handled
> Sending Access-Challenge of id 115 to 192.168.0.20 port 65513
> EAP-Message = 0x0176004119001403010001011603010030614cc88b6f7fd4b02100d31466fed38c2cfe56fa4efb2ce43875c82841816c33f1e706863ce88f5c5af738f47c5e1fa0
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x290133372a772a271ee22a85a9879908
> Finished request 12.
> Going to the next request
> Waking up in 4.9 seconds.
> rad_recv: Access-Request packet from host 192.168.0.20 port 65513, id=116, length=172
> User-Name = "host/ramon"
> NAS-IP-Address = 192.168.0.20
> NAS-Port = 0
> Called-Station-Id = "00-1C-B3-AD-13-5F:HYDRIX-TEST"
> Calling-Station-Id = "C4-46-19-25-31-52"
> Framed-MTU = 1400
> NAS-Port-Type = Wireless-802.11
> Connect-Info = "CONNECT 0Mbps 802.11"
> EAP-Message = 0x027600061900
> State = 0x290133372a772a271ee22a85a9879908
> Message-Authenticator = 0xca39a76697f59adcaa15916a78e16ed2
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = "host/ramon", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 118 length 6
> [eap] Continuing tunnel setup.
> ++[eap] returns ok
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/peap
> [eap] processing type peap
> [peap] processing EAP-TLS
> [peap] Received TLS ACK
> [peap] ACK handshake is finished
> [peap] eaptls_verify returned 3
> [peap] eaptls_process returned 3
> [peap] EAPTLS_SUCCESS
> ++[eap] returns handled
> Sending Access-Challenge of id 116 to 192.168.0.20 port 65513
> EAP-Message = 0x0177002b19001703010020c3009d54f21929eb7ee0043e7771df5f0a7cbf6ebd66def03565bb4aaa4cb41b
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x290133372d762a271ee22a85a9879908
> Finished request 13.
> Going to the next request
> Waking up in 4.9 seconds.
> rad_recv: Access-Request packet from host 192.168.0.20 port 65513, id=117, length=209
> User-Name = "host/ramon"
> NAS-IP-Address = 192.168.0.20
> NAS-Port = 0
> Called-Station-Id = "00-1C-B3-AD-13-5F:HYDRIX-TEST"
> Calling-Station-Id = "C4-46-19-25-31-52"
> Framed-MTU = 1400
> NAS-Port-Type = Wireless-802.11
> Connect-Info = "CONNECT 0Mbps 802.11"
> EAP-Message = 0x0277002b190017030100201dd6103b6d0f86c6ac33fe86888f5a13b10970a1ef222f1e83ce55a94db4d942
> State = 0x290133372d762a271ee22a85a9879908
> Message-Authenticator = 0xf6428db91fea81a03c903f8278eff0d5
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = "host/ramon", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 119 length 43
> [eap] Continuing tunnel setup.
> ++[eap] returns ok
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/peap
> [eap] processing type peap
> [peap] processing EAP-TLS
> [peap] eaptls_verify returned 7
> [peap] Done initial handshake
> [peap] eaptls_process returned 7
> [peap] EAPTLS_OK
> [peap] Session established. Decoding tunneled attributes.
> [peap] Identity - host/ramon
> [peap] Got tunneled request
> EAP-Message = 0x0277000f01686f73742f72616d6f6e
> server {
> PEAP: Got tunneled identity of host/ramon
> PEAP: Setting default EAP type for tunneled EAP session.
> PEAP: Setting User-Name to host/ramon
> Sending tunneled request
> EAP-Message = 0x0277000f01686f73742f72616d6f6e
> FreeRADIUS-Proxied-To = 127.0.0.1
> User-Name = "host/ramon"
> server inner-tunnel {
> +- entering group authorize {...}
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[unix] returns notfound
> [suffix] No '@' in User-Name = "host/ramon", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> ++[control] returns noop
> [eap] EAP packet type response id 119 length 15
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] returns updated
> ++[files] returns noop
> ++[expiration] returns noop
> ++[logintime] returns noop
> ++[pap] returns noop
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] EAP Identity
> [eap] processing type mschapv2
> rlm_eap_mschapv2: Issuing Challenge
> ++[eap] returns handled
> } # server inner-tunnel
> [peap] Got tunneled reply code 11
> EAP-Message = 0x017800241a0178001f107ea40ec7760d14474dee0b4e6b9d640c686f73742f72616d6f6e
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0xfbc0fc99fbb8e6c1acf79e9f2cef3e77
> [peap] Got tunneled reply RADIUS code 11
> EAP-Message = 0x017800241a0178001f107ea40ec7760d14474dee0b4e6b9d640c686f73742f72616d6f6e
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0xfbc0fc99fbb8e6c1acf79e9f2cef3e77
> [peap] Got tunneled Access-Challenge
> ++[eap] returns handled
> Sending Access-Challenge of id 117 to 192.168.0.20 port 65513
> EAP-Message = 0x0178004b190017030100403251f76d20afd9bd1be50ca770e4ef315fcdfa3f286f641d8b2749d8d76da28e8e70a4806aa2896c655c5546437e2c2060ac44ca854f654f8f54c2d99e35fbbf
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x290133372c792a271ee22a85a9879908
> Finished request 14.
> Going to the next request
> Waking up in 4.9 seconds.
> rad_recv: Access-Request packet from host 192.168.0.20 port 65513, id=118, length=273
> User-Name = "host/ramon"
> NAS-IP-Address = 192.168.0.20
> NAS-Port = 0
> Called-Station-Id = "00-1C-B3-AD-13-5F:HYDRIX-TEST"
> Calling-Station-Id = "C4-46-19-25-31-52"
> Framed-MTU = 1400
> NAS-Port-Type = Wireless-802.11
> Connect-Info = "CONNECT 0Mbps 802.11"
> EAP-Message = 0x0278006b190017030100608c8234cfe2ebd7ca29c77661768564cafeaff5313f126a180cf96473c6f51f73ab881585286f454f4f1ed6a8600f1b593ca21d6a787532921d6579661db9d2387e25bf325b263313892981bfb3128d7b30389ebd7ecd5abf3c6051142047e407
> State = 0x290133372c792a271ee22a85a9879908
> Message-Authenticator = 0x6f9193d476c9b00a3e44db300044fe8d
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = "host/ramon", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 120 length 107
> [eap] Continuing tunnel setup.
> ++[eap] returns ok
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/peap
> [eap] processing type peap
> [peap] processing EAP-TLS
> [peap] eaptls_verify returned 7
> [peap] Done initial handshake
> [peap] eaptls_process returned 7
> [peap] EAPTLS_OK
> [peap] Session established. Decoding tunneled attributes.
> [peap] EAP type mschapv2
> [peap] Got tunneled request
> EAP-Message = 0x027800451a0278004031d1cf5a51ae82bba33c59afaccdbe4563000000000000000000000000000000000000000000000000000000000000000000686f73742f72616d6f6e
> server {
> PEAP: Setting User-Name to host/ramon
> Sending tunneled request
> EAP-Message = 0x027800451a0278004031d1cf5a51ae82bba33c59afaccdbe4563000000000000000000000000000000000000000000000000000000000000000000686f73742f72616d6f6e
> FreeRADIUS-Proxied-To = 127.0.0.1
> User-Name = "host/ramon"
> State = 0xfbc0fc99fbb8e6c1acf79e9f2cef3e77
> server inner-tunnel {
> +- entering group authorize {...}
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[unix] returns notfound
> [suffix] No '@' in User-Name = "host/ramon", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> ++[control] returns noop
> [eap] EAP packet type response id 120 length 69
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] returns updated
> ++[files] returns noop
> ++[expiration] returns noop
> ++[logintime] returns noop
> ++[pap] returns noop
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/mschapv2
> [eap] processing type mschapv2
> [mschapv2] +- entering group MS-CHAP {...}
> [mschap] No Cleartext-Password configured. Cannot create LM-Password.
> [mschap] No Cleartext-Password configured. Cannot create NT-Password.
> [mschap] No NT-Password configured. Trying OpenDirectory Authentication.
> rlm_mschap: getUserNodeRef(): dsGetRecordList() status = 0, recCount=0
> [mschap] od_mschap_auth: getUserNodeRef() failed
> ++[mschap] returns fail
> [eap] Freeing handler
> ++[eap] returns reject
> Failed to authenticate the user.
> } # server inner-tunnel
> [peap] Got tunneled reply code 3
> EAP-Message = 0x04780004
> Message-Authenticator = 0x00000000000000000000000000000000
> [peap] Got tunneled reply RADIUS code 3
> EAP-Message = 0x04780004
> Message-Authenticator = 0x00000000000000000000000000000000
> [peap] Tunneled authentication was rejected.
> [peap] FAILURE
> ++[eap] returns handled
> Sending Access-Challenge of id 118 to 192.168.0.20 port 65513
> EAP-Message = 0x0179002b190017030100201d0da92cec780afeb07d044ae3bec2d0bbae6f756cb641bf7afb941c603d3bfb
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x290133372f782a271ee22a85a9879908
> Finished request 15.
> Going to the next request
> Waking up in 4.9 seconds.
> rad_recv: Access-Request packet from host 192.168.0.20 port 65513, id=119, length=209
> User-Name = "host/ramon"
> NAS-IP-Address = 192.168.0.20
> NAS-Port = 0
> Called-Station-Id = "00-1C-B3-AD-13-5F:HYDRIX-TEST"
> Calling-Station-Id = "C4-46-19-25-31-52"
> Framed-MTU = 1400
> NAS-Port-Type = Wireless-802.11
> Connect-Info = "CONNECT 0Mbps 802.11"
> EAP-Message = 0x0279002b19001703010020c105223815949c87f20ddf78237c265be8030e828d278b2f87db880eadcd2bf8
> State = 0x290133372f782a271ee22a85a9879908
> Message-Authenticator = 0xe5350e69dd68ba1c0ab8e39eaed51b5e
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = "host/ramon", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 121 length 43
> [eap] Continuing tunnel setup.
> ++[eap] returns ok
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/peap
> [eap] processing type peap
> [peap] processing EAP-TLS
> [peap] eaptls_verify returned 7
> [peap] Done initial handshake
> [peap] eaptls_process returned 7
> [peap] EAPTLS_OK
> [peap] Session established. Decoding tunneled attributes.
> [peap] Received EAP-TLV response.
> [peap] Had sent TLV failure. User was rejected earlier in this session.
> [eap] Handler failed in EAP/peap
> [eap] Failed in EAP select
> ++[eap] returns invalid
> Failed to authenticate the user.
> Using Post-Auth-Type Reject
> +- entering group REJECT {...}
> [attr_filter.access_reject] expand: %{User-Name} -> host/ramon
> attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] returns updated
> Delaying reject of request 16 for 1 seconds
> Going to the next request
> Waking up in 0.9 seconds.
> Sending delayed reject for request 16
> Sending Access-Reject of id 119 to 192.168.0.20 port 65513
> EAP-Message = 0x04790004
> Message-Authenticator = 0x00000000000000000000000000000000
> Waking up in 3.9 seconds.
> Cleaning up request 9 ID 112 with timestamp +418
> Cleaning up request 10 ID 113 with timestamp +418
> Cleaning up request 11 ID 114 with timestamp +418
> Cleaning up request 12 ID 115 with timestamp +418
> Cleaning up request 13 ID 116 with timestamp +418
> Cleaning up request 14 ID 117 with timestamp +418
> Cleaning up request 15 ID 118 with timestamp +418
> Waking up in 1.0 seconds.
> Cleaning up request 16 ID 119 with timestamp +418
> Ready to process requests.
>
> Unfortunately, the OpenDirectory module does not take any
> configuration. This means that you will need to edit the "User-Name"
> attribute *before* it is used by the opendirectory module.
>
> So... what *should* the User-Name look like? This is for you to decide.
I'm not sure I follow what you're saying here...
I am only interested at this stage by the user name, not the computer
name as part of the "User-Name"
If you could point me to directions on how to configure the server for
(b), it would be greatly appreciated.
Kind regards
Jean-Yves
>> So... what *should* the User-Name look like? This is for you to decide.
>
> I'm not sure I follow what you're saying here...
> I am only interested at this stage by the user name, not the computer
> name as part of the "User-Name"
>
> If you could point me to directions on how to configure the server for
> (b), it would be greatly appreciated.
I think what Alan is saying is look at what User-Name is being sent by
the CLIENT. Your Win7 client log says the client is sending "User-Name
= "host/ramon"". If you want it to be something like, change the
client configuration. At this point, it has nothing to do with server
configuration.
There might be some checkbox somewhere on your Win7 that says
"Authenticate as computer when computer information is available" or
something like that. Uncheck it. Windows 7 user might be able to help
you more (or you could ask MS).
--
Fajar
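
The check described in the reply above, reading which User-Name the client actually sends and where the request stops, as an added example (not part of the thread and not FreeRADIUS code). It assumes `radiusd -X` style output as quoted in this thread; the sample log is a constructed, condensed excerpt, and the function names and the treatment of a `host/` prefix as a machine identity are assumptions of the example.

```python
import re

# Constructed sample: condensed lines in the format of the debug output quoted
# in this thread, with the mailing-list "> " prefix left in place.
SAMPLE_LOG = """\
> rad_recv: Access-Request packet from host 192.168.0.20 port 65513, id=111, length=216
> User-Name = "jean-yves.avenard"
> +- entering group authorize {...}
> ++[eap] returns ok
> [peap] Success
> Sending Access-Accept of id 111 to 192.168.0.20 port 65513
> rad_recv: Access-Request packet from host 192.168.0.20 port 65513, id=118, length=273
> User-Name = "host/ramon"
> server inner-tunnel {
> ++[unix] returns notfound
> [mschap] No NT-Password configured. Trying OpenDirectory Authentication.
> ++[mschap] returns fail
> ++[eap] returns reject
> } # server inner-tunnel
> [peap] Tunneled authentication was rejected.
> Sending Access-Challenge of id 118 to 192.168.0.20 port 65513
> rad_recv: Access-Request packet from host 192.168.0.20 port 65513, id=119, length=209
> User-Name = "host/ramon"
> ++[eap] returns invalid
> Sending Access-Reject of id 119 to 192.168.0.20 port 65513
"""

RAD_RECV = re.compile(r"^rad_recv: (\S+) packet from host (\S+) port \d+, id=(\d+)")
USER_NAME = re.compile(r'^User-Name = "(.*)"$')
MODULE_RC = re.compile(r"^\++\[([\w.]+)\] returns (\w+)$")
REPLY = re.compile(r"^Sending (Access-\w+) of id (\d+)")

FAIL_RCODES = {"fail", "reject", "invalid", "userlock"}  # module refused the request
MISS_RCODES = {"notfound"}                               # module did not know the user


def unquote(line):
    """Drop e-mail '>' quoting (any depth) and surrounding whitespace."""
    return re.sub(r"^(?:>\s?)+", "", line.strip()).strip()


def parse_requests(text):
    """Split the debug output into one record per received RADIUS packet."""
    requests, cur, scope = [], None, "outer"
    for raw in text.splitlines():
        line = unquote(raw)
        m = RAD_RECV.match(line)
        if m:
            cur = {"id": int(m.group(3)), "nas": m.group(2),
                   "user": None, "modules": [], "reply": None}
            requests.append(cur)
            scope = "outer"
            continue
        if cur is None:
            continue  # banner lines before the first packet
        if line.startswith("server inner-tunnel {"):
            scope = "inner-tunnel"
        elif line.startswith("} # server inner-tunnel"):
            scope = "outer"
        elif (m := USER_NAME.match(line)) and cur["user"] is None:
            cur["user"] = m.group(1)  # first one is the outer identity
        elif m := MODULE_RC.match(line):
            cur["modules"].append((scope, m.group(1), m.group(2)))
        elif m := REPLY.match(line):
            cur["reply"] = m.group(1)
    return requests


def summarize(requests):
    """Per outer User-Name: identity kind, final outcome, failing modules."""
    out = {}
    for req in requests:
        user = req["user"] or "<unknown>"
        s = out.setdefault(user, {
            "kind": "machine" if user.startswith("host/") else "user",
            "outcome": None, "failed": [], "missed": []})
        for scope, module, rcode in req["modules"]:
            entry = f"{scope}:{module}={rcode}"
            if rcode in FAIL_RCODES and entry not in s["failed"]:
                s["failed"].append(entry)
            elif rcode in MISS_RCODES and entry not in s["missed"]:
                s["missed"].append(entry)
        if req["reply"] in ("Access-Accept", "Access-Reject"):
            s["outcome"] = req["reply"]
    return out


if __name__ == "__main__":
    for name, info in summarize(parse_requests(SAMPLE_LOG)).items():
        print(name, info)
```
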
On 31 August 2010 02:04, Fajar A. Nugraha <fa...@fajar.net> wrote:
> I think what Alan is saying is look at what User-Name is being sent by
> the CLIENT. Your Win7 client log says the client is sending "User-Name
> = "host/ramon"". If you want it to be something like, change the
> client configuration. At this point, it has nothing to do with server
> configuration.
>
> There might be some checkbox somewhere on your Win7 that says
> "Authenticate as computer when computer information is available" or
> something like that. Uncheck it. Windows 7 user might be able to help
> you more (or you could ask MS).
All right, so this is what I thought it was and I have provided the
solution already.
On Windows 7, you go into Advanced Settings -> 802.11X Settings ->
Specify authentication mode:
and select "user authentication"
The first debug log shows the user being found by the "unix" module.
i.e. the User-Name has an entry in /etc/passwd, or the Apple equivalent.
The second debug log shows that the user is *not* found by the "unix"
module.
> I'm not sure I follow what you're saying here...
> I am only interested at this stage by the user name, not the computer
> name as part of the "User-Name"
I'm aware of that. I'm saying that *you* need to figure out which is
which, and edit the configuration to use the right one.
> If you could point me to directions on how to configure the server for
> (b), it would be greatly appreciated.
Edit raddb/sites-enabled/inner-tunnel, the "authorize" section:
authorize {
	...
	if (User-Name =~ /\/(.*)/) {
		update request {
			Stripped-User-Name := "%{1}"
		}
	}
	...