From: Tim D. <tim...@mc...> - 2013-07-31 15:18:46
I wish I still had the config for you. We opted out of doing machine auth, so I don't have it in there. I know it worked on everything except Windows 8. Windows XP didn't work until I had a real FQDN cert instead of our wildcard cert. Windows 7 worked fine on the wildcard if you told it not to check validity.

On Wed, Jul 31, 2013 at 11:06 AM, Palmer, Tim <Tim...@ma...> wrote:

> Thanks for the input. I tried quickly and this didn't work for me, but
> I'll need to revisit and test in more detail
>
> tim
>
> On 7/30/13 11:32 AM, "Tim DeNike" <tim...@mc...> wrote:
>
> >I created a second auth source in PF authing against userprincipalname
> >(I think) instead of samaccount. Then it works like a champ.
> >
> >Sent from my iPhone
> >
> >On Jul 30, 2013, at 11:21 AM, "Palmer, Tim" <Tim...@ma...>
> >wrote:
> >
> >> A fine day to all,
> >>
> >> Still on a 4.02 build.
> >> Aruba 3600 based wireless
> >> Windows NPS authentication
> >> Samba/winbind configured and working
> >> EAP-EAP generally functioning by proxying inner tunnel through PF
> >>
> >> My current problem is machine auth for Windows: any "username" with
> >> "host/" does not get the inner tunnel proxied. Tcpdump and radius debug
> >> do not show any traffic between PF and our NPS system. If I set
> >> proxy.com to proxy the requests direct to the NPS system, machine auth
> >> works, but of course I get no benefit from Packetfence.
> >>
> >> Any thoughts?
> >>
> >>
> >> Relevant radiusd X
> >> 10.10.30.60 is Aruba 3600 controller
> >> 10.10.30.100 is PF
> >> Assuming I'm reading this properly, the tunnel sets up correctly, but
> >> then fails in MS-CHAP:
> >> This is the final result picked out of the full debug. Full debug
> >> follows:
> >> Exec-Program output: Logon failure (0xc000006d)
> >> Exec-Program-Wait: plaintext: Logon failure (0xc000006d)
> >> Exec-Program: returned: 1
> >> [mschap] External script failed.
> >> [mschap] FAILED: MS-CHAP2-Response is incorrect
> >> ++[mschap] returns reject
> >> [eap] Freeing handler
> >> ++[eap] returns reject
> >> Failed to authenticate the user.
> >> Login incorrect (mschap: External script says Logon failure (0xc000006d)): [host/2013techtest.themastersschool.com] (from client 10.10.30.60 port 0 cli B4B676559F06 via TLS tunnel)
> >> } # server packetfence-tunnel
> >> [peap] Got tunneled reply code 3
> >> MS-CHAP-Error = "\021E=691 R=1"
> >> EAP-Message = 0x04110004
> >> Message-Authenticator = 0x00000000000000000000000000000000
> >> [peap] Got tunneled reply RADIUS code 3
> >> MS-CHAP-Error = "\021E=691 R=1"
> >> EAP-Message = 0x04110004
> >> Message-Authenticator = 0x00000000000000000000000000000000
> >> [peap] Tunneled authentication was rejected.
> >> [peap] FAILURE
> >>
> >>
> >> FULL DEBUG
> >> ##########
> >>
> >> Listening on authentication address 10.10.30.100 port 1812 as server packetfence
> >> Listening on accounting address 10.10.30.100 port 1813 as server packetfence
> >> Listening on command file /usr/local/pf/var/run/radiusd.sock
> >> Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
> >> Listening on proxy address 10.10.30.100 port 1814
> >> Ready to process requests.
> >> rad_recv: Access-Request packet from host 10.10.30.60 port 32859, > >>id=74, length=278 > >> User-Name = "host/2013techtest.themastersschool.com" > >> NAS-IP-Address = 10.10.30.60 > >> NAS-IPv6-Address = ::1 > >> NAS-Port = 0 > >> NAS-Identifier = "10.10.30.60" > >> NAS-Port-Type = Wireless-802.11 > >> Calling-Station-Id = "B4B676559F06" > >> Called-Station-Id = "000B866E00F4" > >> Service-Type = Login-User > >> Framed-MTU = 1100 > >> EAP-Message = > >>0x020b002b01686f73742f3230313374656368746573742e7468656d61737465727373636 > >>86f6f6c2e636f6d > >> Aruba-Essid-Name = "pfsecure" > >> Aruba-Location-Id = "SPARE" > >> Aruba-AP-Group = "PacketFenceGroup" > >> Aruba-Attr-12 = 0x57696e2037 > >> Message-Authenticator = 0xfd0f3c71d4446ba027730df220180e15 > >> server packetfence { > >> # Executing section authorize from file > >>/usr/local/pf/raddb//sitesenabled/packetfence > >> +- entering group authorize {...} > >> [suffix] No '@' in User-Name = > >>"host/2013techtest.themastersschool.com", looking up realm NULL > >> [suffix] Found realm "NULL" > >> [suffix] Adding Stripped-User-Name = > >>"host/2013techtest.themastersschool.com" > >> [suffix] Adding Realm = "NULL" > >> [suffix] Authentication realm is LOCAL. 
> >> ++[suffix] returns ok > >> ++[preprocess] returns ok > >> [eap] EAP packet type response id 11 length 43 > >> [eap] No EAP Start, assuming it's an on-going EAP conversation > >> ++[eap] returns updated > >> ++[files] returns noop > >> ++[expiration] returns noop > >> ++[logintime] returns noop > >> rlm_perl: Added pair NAS-Port-Type = Wireless-802.11 > >> rlm_perl: Added pair Service-Tye = Login-User > >> rlm_perl: Added pair Called-Station-Id = 000B866E00F4 > >> rlm_perl: Added pair Message-Authenticator = > >0xfd0f3c71d4446ba027730df220180e15 > >> rlm_perl: Added pair Realm = NULL > >> rlm_perl: Added pair EAP-Type = Identity > >> rlm_perl: Added pir NAS-IP-Address = 10.10.30.60 > >> rlm_perl: Added pair Calling-Station-Id = B4B676559F06 > >> rlm_perl: Added pair Aruba-Essid-Name = pfsecure > >> rlm_perl: Added pair Aruba-AP-Group = PacketFenceGroup > >> rlm_perl: Added pair User-Name = host/2013techtest.themastersschool.com > >> rlm_perl: Added pair Aruba-Location-Id = SPARE > >> rlm_perl: Added pair NAS-Identifier = 10.10.30.60 > >> rlm_perl: Added pair EAP-Message = > >>0x020b002b01686f73742f3230313374656368746573742e7468656d61737465727373636 > >>86f6f6c2e636f6d > >> rlm_perl: Added pair Aruba-Attr-12 = 0x57696e2037 > >> rlm_perl: Added pair NAS-Port = 0 > >> rlm_perl: Aded pair NAS-IPv6-Address = ::1 > >> rlm_perl: Added pair Stripped-User-Name = > >>host/2013techtest.themastersschool.com > >> rlm_perl: Added pair Framed-MTU = 1100 > >> rlm_perl: Added pair Auth-Type = EAP > >> ++[packetfence] returns noop > >> Found Auth-Type = EAP > >> # Executing group from file > >>/usr/local/pf/raddb//sites-enabled/packetfence > >> +- entering group authenticate {...} > >> [eap] EAP Identity > >> [eap] processing type tls > >> [tls] Initiate > >> [tls] Start returned 1 > >> ++[eap] returns handled > >> } # server packetfence > >> Sending Access-Challenge ofid 74 to 10.10.30.60 port 32859 > >> EAP-Message = 0x010c00061920 > >> Message-Authenticator = 
0x00000000000000000000000000000000 > >> State = 0x73a2794173ae608c1f1706e856c029f2 > >> Finished request 0. > >> Going to the next request > >> Waking up in 4.9 seconds. > >> rad_recv: Access-Reqest packet from host 10.10.30.60 port 32859, > >>id=75, length=358 > >> User-Name = "host/2013techtest.themastersschool.com" > >> NAS-IP-Address = 10.10.30.60 > >> NAS-IPv6-Address = ::1 > >> NAS-Port = 0 > >> NAS-Identifie = "10.10.30.60" > >> NAS-Port-Type = Wireless-802.11 > >> Calling-Station-Id = "B4B676559F06" > >> Called-Station-Id = "000B866E00F4" > >> Service-Type = Login-User > >> Framed-MTU = 1100 > >> EAP-Message = > >>0x020c006919800000005f160301005a01000056030151f7d6826b6f04a2708b61c25e21a > >>26f7aa4f9158160012a2bb58dc7b8137f86000018002f00350005000ac013c014c009c00a > >>003200380013000401000015ff01000100000a0006000400170018000b00020100 > >> State = 0x73a2794173ae608c1f1706e856c029f2 > >> Aruba-Essid-Name = "pfsecure" > >> Aruba-Location-Id = "SPARE" > >> Aruba-AP-Group = "PacketFenceGroup" > >> Aruba-Attr-12 = 0x5766e2037 > >> Message-Authenticator = 0xc7926577ad0d4277a923fbf047b08834 > >> server packetfence { > >> # Executing section authorize from file > >>/usr/local/pf/raddb//sites-enabled/packetfence > >> +- entering group authorize {...} > >> [suffix] No '@' in User-Name = > >>"host/2013techtest.themastersschool.com", looking up realm NULL > >> [suffix] Found realm "NULL" > >> [suffix] Adding Stripped-User-Name = > >>"host/2013techtest.themastersschool.com" > >> [suffix] Adding Realm = "NULL" > >> [suffix] Authentication realm is LOCAL. > >> ++[suffix] returns ok > >> ++[preprocess] returns ok > >> [eap] EAP packet type response id 12 length 105 > >> [eap] Continuing tunnel setup. 
> >> ++[eap] returns ok > >> Found Auth-Type = EAP > >> # Executing group from file > >>/usr/local/pf/raddb//sites-enabled/packetfence > >> +- entering group authenticate {...} > >> [eap] Request found, released from the list > >> [eap] EAP/peap > >> [eap] prcessing type peap > >> [peap] processing EAP-TLS > >> TLS Length 95 > >> [peap] Length Included > >> [peap] eaptls_verify retuned 11 > >> [peap] (other): before/accept initialization > >> [peap] TLS_accept: before/accept initialization > >> [peap] <<< TLS 1.0 Hndshake [length 005a], ClientHello > >> [peap] TLS_accept: SSLv3 read client hello A > >> [peap] >>> TLS 1.0 Handshake [length 0031], ServerHello > >> [peap] TLS_accept: SSLv3 write server hello A > >> [peap] >>> TLS 1.0 Handshake [length 0680], Certificate > >> [peap] TLS_accept: SSLv3 write certificate A > >> [peap] >>> TLS 1.0 Handhake [length 0004], ServerHelloDone > >> [peap] TLS_accept: SSLv3 write server done A > >> [peap] TLS_accept: SSLv3 flush data > >> [peap] TLS_accept: Need to read more data: SSLv3 read client > >>certificate A > >> In SSL Handshake Phase > >> In SSL Accept mode > >> [peap] eaptls_process returned 13 > >> [peap] EAPTLS_HANDLED > >> ++[eap] returns handled > >> } # server packetfence > >> Sending Access-Challenge of id 75 to 10.10.30.60 port 32859 > >> EAP-Message = > >>0x010d040019c0000006c416030100310200002d030151f7d6827bbf89d1c42b151ea8051 > >>d0bdd3c86cf8d76cc4c01d01c5b0f794b8500002f000005ff0100010016030106800b0006 > >>7c000679000676308206723082055aa003020102020a60359859000000000036300d06092 > >>a864886f70d0101050500304c31133011060a0992268993f22c6401191603636f6d312030 > >>1e060a0992268993f22c64011916107468656d6173746572737363686f6f6c31133011060 > >>3550403130a626c6164657368617265301e170d3133303732343137343130325a170d3135 > >>303732343137343130325a3081b0310b3009060355046130255533111300f06035504 > >> EAP-Message = > >>0x0813084e657720596f726b311330110603550407130a446f6273204665727279311b301 > 
>>9060355040a1312546865204d617374657273205363686f6f6c310b3009060355040b1302 > >>495431293027060355040313207061636b657466656e63652e7468656d617374657273736 > >>3686f6f6c2e636f6d3124302206092a864886f70d0109011615737570706f7274406d6173 > >>746572736e792e6f726730820122300d06092a864886f70d01010105000382010f0030820 > >>10a0282010100aec751cffa76d18a78a902a6992e0de618c02aff4864b39fdd6a907e0698 > >>483c29dabe043636879f1d962009c9d646fca85f1faa910d8cec6a1c2d138b7b1d8e7f > >> EAP-Message = > >>0x4faa65a7c4bdf82b80ca72b6a2de0a86d31b7895adbfc41462a41e831f836d1eeb2ab67 > >>d978abbc07b39f97dad2511f37a3e04b7a32adafd9a89b464de41f1f956ea2ef077ff6784 > >>33d6e76412898d5ab928dc8e73c2743567cd6341d4d2191096a9c6eaca1b58eb297a986be > >>6d0908314f2198eb9a27082792c95e9ffe63611e393855534acc6c771291a6cbcf95ed9fb > >>f2df2bb92817aa723ed9e3688c199e5f282de0fca48bc6c29a22f777037882c3c9daa5854 > >>8305e083132dcf8ba4b0203010001a38202ef308202eb301d0603551d0e041604145b1bc3 > >>0e7fd7e38cdb9be87b6647369d1318c95b301f0603551d2304183016801419cea519e2 > >> EAP-Message = > >>0xedae91bfd145710bab8663b8840d3f3082011b0603551d1f048201123082010e3082010 > >>aa0820106a08201028681bd6c6461703a2f2f2f434e3d626c61646573686172652c434e3d > >>626c61646573686172652c434e3d4344502c434e3d5075626c69632532304b65792532305 > >>3657276696365732c434e3d53657276696365732c434e3d436f6e66696775726174696f6e > >>2c44433d7468656d6173746572737363686f6f6c2c44433d636f6d3f63657274696669636 > >>174655265766f636174696f6e4c6973743f626173653f6f626a656374436c6173733d6352 > >>4c446973747269627574696f6e506f696e748640687474703a2f2f626c616465736861 > >> EAP-Message = 0x72652e7468656d6173746572 > >> Message-Authenticator = 0x00000000000000000000000000000000 > >> State = 0x73a2794172af608c1f1706e856c029f2 > >> Finished request 1. > >> Going to the next request > >> Waking up in 4.9 seconds. 
> >> rad_recv: Access-Request packet from host 10.10.30.60 port 32859, > >>id=76, length=259 > >> User-Name = "host/2013techtest.themastersschool.com" > >> NAS-IP-Address = 10.10.30.60 > >> NAS-IPv6-Address = ::1 > >> NAS-Port = 0 > >> NAS-Identifier = "10.10.30.60" > >> NAS-Port-Type = Wireless-802.11 > >> Calling-Station-Id = "B4B676559F06" > >> Called-Station-Id = "000B866E00F4" > >> Service-Type = Login-User > >> Framed-MTU = 1100 > >> EAP-Message = 0x020d00061900 > >> State = 0x73a2794172af608c1f1706e856c029f2 > >> Aruba-Essid-Name = "pfsecure" > >> Aruba-Location-Id = "SPARE" > >> Aruba-AP-Group = "PacketFenceGroup" > >> Aruba-Attr-12 = 0x57696e2037 > >> Message-Authenticator = 0xca7fa7952d2867aceee1a217969d62ed > >> server packetfence { > >> # Executing section authorize from file > >>/usr/local/pf/raddb//sites-enabled/packetfence > >> +- entering group authorze {...} > >> [suffix] No '@' in User-Name = > >>"host/2013techtest.themastersschool.com", looking up realm NULL > >> [suffix] Found realm "NULL" > >> [suffix] Adding Stripped-User-Name = > >>"host/2013techtest.themastersschool.com" > >> [suffix] Adding Realm = "NULL" > >> [suffix] Authentication realm is LOCAL. > >> ++[suffix] returns ok > >> ++[preprocess] returns ok > >> [eap] EAP packet type response id 13 length 6 > >> [eap] Continuing tunnel setup. 
> >> ++[eap] returns ok > >> Found Auth-Type = EAP > >> # Executing group from file > >>/usr/local/pf/raddb//sites-enabled/packetfence > >> +- entering group authenticate {...} > >> [eap] Request found, released from the list > >> [eap] EAP/peap > >> [eap] processingtype peap > >> [peap] processing EAP-TLS > >> [peap] Received TLS ACK > >> [peap] ACK handshake fragment handler > >> [peap] eapls_verify returned 1 > >> [peap] eaptls_process returned 13 > >> [peap] EAPTLS_HANDLED > >> ++[eap] returns handled > >> } # server packetfence > > Sending Access-Challenge of id 76 to 10.10.30.60 port 32859 > >> EAP-Message = > >>0x010e02d41900737363686f6f6c2e636f6d2f43657274456e726f6c6c2f626c616465736 > >>86172652e63726c3082013506082b0601050507010104820127308201233081b206082b06 > >>0105050730028681a56c6461703a2f2f2f434e3d626c61646573686172652c434e3d41494 > >>12c434e3d5075626c6963253204b657925323053657276696365732c434e3d5365727669 > >>6365732c434e3d436f6e66696775726174696f6e2c44433d7468656d61737465727373636 > >>86f6f6c2c44433d636f6d3f634143657274696669636174653f626173653f6f626a656374 > >>436c6173733d63657274696669636174696f6e417574686f72697479306c06082b0601 > >> EAP-Message = > >>0x05050730028660687474703a2f2f626c61646573686172652e7468656d6173746572737 > >>363686f6f6c2e636f6d2f43657274456e726f6c6c2f626c61646573686172652e7468656d > >>6173746572737363686f6f6c2e636f6d5f626c61646573686172652e637274302106092b0 > >>60104018237140204141e12005700650062005300650072007600650072300c0603551d13 > >>0101ff04023000300b0603551d0f0404030205a030130603551d25040c300a06082b06010 > >>505070301300d06092a864886f70d010105050003820101005514e840159f844671a3cce3 > >>ec81f2642493554f7e006bdf0d178990aaeffbbd75aa442e7800218e1da664b67da25a > >> EAP-Message = > >>0x8d8a5e0de032ede49c3b0f8c131cb23ff6236151bd0e2dfcd9fa09fed05d132fc1084c5 > >>b40400a1126736839595ab1eeae2e3e18120144e43f305c1d6dbe866dd5b5f84a04b9038a > >>4822b07941427477ec744fd5951946fa57a5b04231c87f201f3fc15d8677dbdafe8e5231c > 
>>9187e5332729740a7de7ce30b8d23fe036a9853f4be911ef1786e3f6f6bc7af76a0b4fe72 > >>befc2b4a21271b31812fa2bb5251e5207a905c108ffecc3dde75d28c2b76db67746784294 > >>9175f0582de1543d8646a906aa457fbbe85785db4909f0eb3457f1f16030100040e000000 > >> Message-Authenticator = 0x00000000000000000000000000000000 > >> State = 0x73a2794171ac608c1f1706e856c029f2 > >> Finished request 2. > >> Going to the next request > >> Waking up in 4.9 seconds. > >> rad_recv: Access-Request packet from host 10.10.30.60 port 32859, > >>id=77, length=591 > >> User-Name = "host/2013techtest.themastersschool.com" > >> NAS-IP-Address = 10.10.30.60 > >> NAS-IPv6-Address = ::1 > >> NAS-Port = 0 > >> NAS-Identifier = "10.10.30.60" > >> NAS-Port-Type = Wireless-802.11 > >> Calling-Station-Id = "B4B676559F06" > >> Called-Station-Id = "000B866E00F4" > >> Service-Type = Login-User > >> Framed-MTU = 1100 > >> EAP-Message = > >>0x020e01501980000001461603010106100001020100973f8bbc68aa6891195c17fad8073 > >>2f844f39beb8fed0a06850b3c520b1f6af1dad8aa41b196e0ff68ad63d2e21ff3e1def6cb > >>d02424eea9703f961769fd7596bf292d78879b05529d87f9ff50c10b74675289b57e628bf > >>10673a0b69cec3bb686130cb2b579c0cd961679a7bbd74ff6aaf0621419438a943486b15b > >>8545f626cb4c6898f072256b7fbef937c028888260a9418de2f2532a167b7312aab15149d > >>3fc5b4ebd834b05b094fbed7cc66a6aedb3b6a39e4ae86ac525195e25192d00080ac7669 > >>8acdaa7fdd6ec1a769c7236e47881b91bdb585d3c8bf94551f42472c1b121264be646f > >> EAP-Message = > >>0x91cded45ebc860fc77e4626111ab5ee20b6b71d77ad1d3cd1403010001011603010030b > >>e049eb6f25ec8f3f9a51b0bcfe4ef726239fb4fe7f7fe48e25e1ced468abef81336d6873b > >>e3a5a71d52b04ae0240148 > >> State = 0x73a2794171ac608c1f1706e856c029f2 > >> Aruba-Essid-Name = "pfsecure" > >> Aruba-Location-Id = "SPARE" > >> Aruba-AP-Group = "PacketFenceGroup" > >> Aruba-Attr-12 = 0x57696e2037 > >> Message-Authenticator = 0xaa3903ce6743ac74762b378a9bcd4200 > >> server packetfence { > >> # Executing section authorize from file > 
>>/usr/local/pf/raddb//sites-enabled/packetfence > >> +- entering group authorize {...} > >> [suffix] No '@' in User-Name = > >>"host/2013techtest.themastersschool.com", looking up realm NULL > >> [suffix] Found realm "NULL" > >> [suffix] Adding Stripped-User-Name = > >>"host/2013techtest.themastersschool.com" > >> [suffix] Adding Realm = "NULL" > >> [suffix] Authentication realm is LOCAL. > >> ++[suffix] returns ok > >> ++[preprocess] returns ok > >> [eap] EAP packet type response id 14 length 253 > >> [eap] Continuing tunnel setup. > >> ++[eap] returns ok > >> Found Auth-Type = EAP > >> # Executing group from file > >>/usr/local/pf/raddb//sites-enabled/packetfence > >> +- entering group authenticate {...} > >> [eap] Request found, released from the list > >> [eap] EAP/peap > >> [eap] processing tye peap > >> [peap] processing EAP-TLS > >> TLS Length 326 > >> [peap] Length Included > >> [peap] eaptls_verify returned 11 > >>[peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange > >> [peap] TLS_accept: SSLv3 read client key exchange A > >> [peap] <<< TL 1.0 ChangeCipherSpec [length 0001] > >> [peap] <<< TLS 1.0 Handshake [length 0010], Finished > >> [peap] TLS_accept: SSLv3 read finished A > >> [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] > >> [peap] TLS_accept: SSLv3 write change cipher spec A > >> [peap] >>> TLS 1.0 Handshake [length 0010], Finished > >> [peap] TLS_accept: SSv3 write finished A > >> [peap] TLS_accept: SSLv3 flush data > >> [peap] (other): SSL negotiation finished successfully > >> SSL Connection Established > >> [peap] eaptls_process returned 13 > >> [peap] EAPTLS_HANDLED > >> ++[eap] returns handled > >> } # server packetfence > >> Sending Access-Challenge of id 77 to 10.10.30.60 port 32859 > >> EAP-Message = > >>0x010f0041190014030100010116030100301255f1f99100bb0c8c0ad191bc089973fd1fe > >>bbe2a9a502ee1fdf29721a5d3051da6d0618857d16e4c510dfb6bb68a92 > >> Message-Authenticator = 0x00000000000000000000000000000000 > >> State = 
0x73a2794170ad608c1f1706e856c029f2 > >> Finished request 3. > >> Going to the next request > >> Waking up in 4.9 seconds. > >> rad_recv: Access-Request packet from host 10.10.30.60 port 32859, > >>id=78, length=259 > >> User-Name = "host/2013techtest.themastersschool.com" > >> NAS-IP-Address = 10.10.30.60 > >> NAS-IPv6-Address = ::1 > >> NAS-Port = 0 > >> NAS-Identifier = "10.10.30.60" > >> NAS-Port-Type = Wireless-802.11 > >> Calling-Station-Id = "B4B676559F06" > >> Called-Station-Id = "000B866E00F4" > >> Service-Type = Login-User > >> Framed-MTU = 1100 > >> EAP-Message = 0x020f00061900 > >> State = 0x73a2794170ad608c1f1706e856c029f2 > >> Aruba-Essid-Name = "pfsecure" > >> Aruba-Location-Id = "SPARE" > >> Aruba-AP-Group = "PacketFenceGroup" > >> Aruba-Attr-12 = 0x57696e2037 > >> Message-Authenticator = 0xe42f71ccfbda95e8a9333236a461cf1c > >> server packetfence { > >> # Executing section authorize from file > >>/usr/local/pf/raddb//sites-enabled/packetfence > >> +- entering group authorize {...} > > [suffix] No '@' in User-Name = > >>"host/2013techtest.themastersschool.com", looking up realm NULL > >> [suffix] Found realm "NULL" > >> [suffix] Adding Stripped-User-Name = > >>"host/2013techtest.themastersschool.com" > >> [suffix] Adding Realm = "NULL" > >> [suffix] Authentication realm is LOCAL. > >> ++[suffix] returns ok > >> ++[preprocess] returns ok > >> [eap] EAP packet type response id 15 length 6 > >> [eap] Continuing tunnel setup. > >> ++[eap] returns ok > >> Found Auth-Type = EAP > >> # Executing group from file > >>/usr/local/pf/raddb//sites-enabled/packetfence > >> +- entering group authenticate {...} > >> [eap] Request found, released from the list > >> [eap] EAP/peap > >> [eap] processing type peap>> [peap] processing EAP-TLS > >> [peap] Received TLS ACK > >> [peap] ACK handshake is finished > >> [peap] eaptls_verify retuned 3 > >> [peap] eaptls_process returned 3 > >> [peap] EAPTLS_SUCCESS > >> [peap] Session established. Decoding tunneled attributes. 
> >> [peap Peap state TUNNEL ESTABLISHED > >> ++[eap] returns handled > >> } # server packetfence > >> Sending Access-Challenge of id 78 to 10.10.30.60 port 32859 > >> EAP-Message = > >>0x0110002b19001703010020f861ca2632755d82fd4007e9c2375baedb90a14574bdf53f2 > >>8b1f541967b5ef0 > >> Message-Authenticator = 0x00000000000000000000000000000000 > >> State = 0x3a2794177b2608c1f1706e856c029f2 > >> Finished request 4. > >> Going to the next request > >> Waking up in 4.9 seconds. > >> rad_recv: Access-Request packet from host 10.10.30.60 port 32859, > >>id=79, length=328 > >> User-Name = "host/2013techtest.themastersschool.com" > >> NAS-IP-Address = 10.10.30.60 > >> NAS-IPv6-Address = ::1 > >> NAS-Port = 0 > >> NAS-Identifier = "10.10.30.60" > >> NAS-Port-Type = Wireless-802.11 > >> Calling-Station-Id = "B4B676559F06" > >> Called-Station-Id = "000B866E00F4" > >> Service-Type = Login-User > >> Framed-MTU = 1100 > >> EAP-Message = > >>0x0210004b190017030100402e67aeff26a0c054fdeabef446824562d931891a11492caf4 > >>745149131933708446882ac5d56041d2f61cb72f050daa8c0a490d458dc135ad5ac451245 > >>bfeef7 > >> State = 0x73a2794177b2608c1f1706e856c029f2 > >> Aruba-Essid-Name = "pfsecure" > >> Aruba-Location-Id = "SPARE" > >> Aruba-AP-Group = "PacketFenceGroup" > >> Aruba-Attr-12 = 0x57696e2037 > >> Message-Authenticator = 0x68200b59534ea0e79cb5e12aa8951572 > >> server pcketfence { > >> # Executing section authorize from file > >>/usr/local/pf/raddb//sites-enabled/packetfence > >> +- entering group authorize {...} > >> [suffix] No '@' in User-Name = > >>"host/2013techtest.themastersschool.com", looking up realm NULL > >> [suffix] Found realm "NULL" > >> [suffix] Adding Stripped-User-Name = > >>"host/2013techtest.themastersschool.com" > >> [suffix] Adding Realm = "NULL" > >> [suffix] Authentication realm is LOCAL. > >> ++[suffix] returns ok > >> ++[preprocess] returns ok > >> [eap] EAP packet type response id 16 length 75 > >> [eap] Continuing tunnel setup. 
> >> ++[eap] returns ok > >> Found Auth-Type = EAP > >> # Executing group from file > >>/usr/local/pf/raddb//sites-enabled/packetfence > >> +- entering group authenticate {...} > >> [eap] Request found, released from the list > >> [eap] EAP/peap > >> [eap] processing type peap > >> peap] processing EAP-TLS > >> [peap] eaptls_verify returned 7 > >> [peap] Done initial handshake > >> [peap] eaptls_process reurned 7 > >> [peap] EAPTLS_OK > >> [peap] Session established. Decoding tunneled attributes. > >> [peap] Peap state WAITING FOR INNER IDENTITY>> [peap] Identity - host/ > 2013techtest.themastersschool.com > >> [peap] Got inner identity 'host/2013techtest.themastersschool.com' > >> [peap] Setting default EAP type for tunneled EAP session. > >> [peap] Got tunneled request > >> EAP-Message = > >>0x0210002b01686f73742f3230313374656368746573742e7468656d61737465727373636 > >>86f6f6c2e636f6d > > server packetfence { > >> [peap] Setting User-Name to host/2013techtest.themastersschool.com > >> Sending tunneled request > >> EAP-Message = > >>0x0210002b01686f73742f3230313374656368746573742e7468656d61737465727373636 > >>86f6f6c2e636f6d > >> FreeRADIUS-Proxied-To = 127.0.0.1 > >> User-Name = "host/2013techtest.themastersschool.com" > >> NAS-IP-Address = 10.10.30.60 > >> NAS-IPv6-Address = ::1 > >> NAS-Port = 0 > >> NAS-Identifier = "10.10.30.60" > >> NAS-Port-Type = Wireless-802.11 > >> Calling-Station-Id = "B4B676559F06" > >> Called-Station-Id = "000B866E00F4" > >> Service-Type = Login-User > >> Framed-MTU = 1100 > >> Aruba-Essid-Name = "pfsecure" > >> Aruba-Location-Id = "SPARE" > >> Aruba-AP-Group = "PacketFenceGroup" > >> Aruba-Attr-12 = 0x57696e2037 > >> server packetfence-tunnel { > >> # Executing section authorize from file > >>/usr/local/pf/raddb//sites-enabled/packetfence-tunnel > >> +- entering group authorize {...} > >> [suffix] No '@' in User-Name = > >>"host/2013techtest.themastersschool.com", looking up realm NULL > >> [suffix] Found realm "NULL" > >> [suffix] 
Adding Stripped-User-Name = > >>"host/2013techtest.themastersschool.com" > >> [suffix] Adding Realm = "NULL" > >> [suffix] Authentication realm is LOCAL. > >> ++[suffix] returns ok > >> [ntdomain] Request already proxied. Ignoring. > >> ++[ntdomain] returns ok > >> [eap] EAP packet type response id 16 length 43 > >> [eap] No EAP Start, assuming it's an on-going EAP conversation > >> ++[eap] returns updated > >> ++[files] returns noop > >> ++[expiration] returns noop > >> ++[logintime] returns noop > >> Found Auth-Type = EAP > >> # Executing group from file > >>/usr/loca/pf/raddb//sites-enabled/packetfence-tunnel > >> +- entering group authenticate {...} > >> [eap] EAP Identity > >> [eap] processing tpe mschapv2 > >> rlm_eap_mschapv2: Issuing Challenge > >> ++[eap] returns handled > >> } # server packetfence-tunnel > >> [peap] Got tunneled repy code 11 > >> EAP-Message = > >>0x011100401a0111003b10b1baa89b97df2996be0005f0594922b4686f73742f323031337 > >>4656368746573742e7468656d6173746572737363686f6f6c2e636f6d > >> Message-Authenticator = 0x00000000000000000000000000000000 > >> State = 0x10ac25c510bd3f4d19dedffb39730f36 > >> [peap] Got tunneled reply RADIUS code 11 > >> EAP-Message = > >>0x011100401a0111003b10b1baa89b97df2996be0005f0594922b4686f73742f323031337 > >>4656368746573742e7468656d6173746572737363686f6f6c2e636f6d > >> Message-Authenticator = 0x0000000000000000000000000000000 > >> State = 0x10ac25c510bd3f4d19dedffb39730f36 > >> [peap] Got tunneled Access-Challenge > >> ++[eap] returns handled > >> } # server packetfence > >> Sending Access-Challenge of id 79 to 10.10.30.60 port 32859 > >> EAP-Message = > >>0x0111006b190017030100600bef7b25858e231351c6aa33b2b53a79b434101646a1f6b9d > >>7cf497b5e2c1aa2e984cd5ef1aceac6ff937fdf1d515342e9242d33ec22441853d0a5d545 > >>e1d25e3e1fea8c02c057782535451e8899d8f4d42b9a4539c8f6c3e4fc299f36e4be27 > >> Message-Authenticator = 0x00000000000000000000000000000000 > >> State = 0x73a2794176b3608c1f1706e856c029f2 > >> Finished request 
5. > >> Going to the next request > >> Waking up in 4.9 seconds. > >> rad_recv: Access-Request packet from host 10.10.30.60 port 32859, > >>id=80, length=392 > >> User-Name = "host/2013techtest.themastersschool.com" > >> NAS-IP-Address = 10.10.30.60 > >> NAS-IPv6-Address = ::1 > >> NAS-Port = 0 > >> NAS-Identifier = "10.10.30.60" > >> NAS-Port-Type = Wireless-802.11 > >> Calling-Station-Id = "B4B676559F06" > >> Called-Station-Id = "000B866E00F4" > >> Service-Type = Login-User > >> Framed-MTU = 1100 > >> EAP-Message = > >>0x0211008b19001703010080dbac9e911ec2af06a918e842c9c7b27dacb020aa71b8891cb > >>16705ae92e91449b2cfbd71ad92e246615c1f3bbac83fa8289d56b363437c6a9bebbfbc29 > >>147ceb6b56efb0f633438845300e32ff60e96ba484831ab6f2a7f0813f96fe7011d3c7377 > >>401d34d98ed5b7932c75374178215dbf8090f33c2ccb14e8f14ca775f01f8 > >> State = 0x73a2794176b3608c1f1706e856c029f2 > >> Aruba-Essid-Name = "pfsecure" > >> Aruba-Location-Id = "SPARE" > >> Aruba-AP-Group = "acketFenceGroup" > >> Aruba-Attr-12 = 0x57696e2037 > >> Message-Authenticator = 0xeb03dfdf8d56677674c92847d916bd46 > >> server packetfence { > >> # Executing section authorize from file > >>/usr/local/pf/raddb//sites-enabled/packetfence > >> +- entering group authorize {...} > >> [suffix] No '@' in User-Name = > >>"host/2013techtest.themastersschool.com", looking up realm NULL > >> [suffix] Found realm "NULL" > >> [suffix] Adding Stripped-User-Name = > >>"host/2013techtest.themastersschool.com" > >> [suffix] Adding Realm = "NULL" > >> [suffix] Authentication realm is LOCAL. > >> ++[suffix] returns ok > >> ++[preprocess] returns ok > >> [eap] EAP packet type response id 17 length 139 > >> [eap] Continuing tunnel setup. 
> >> ++[eap] returns ok > >> Found Auth-Type = EAP > >> # Executing group from file > >>/usr/local/pf/raddb//sites-enabled/packetfence > >> +- entering group authenticate {...} > >> [eap] Request found, released from the list > >> [eap] EAP/peap > >> [eap] processing type peap > >> [peap] rocessing EAP-TLS > >> [peap] eaptls_verify returned 7 > >> [peap] Done initial handshake > >> [peap] eaptls_process returned > >> [peap] EAPTLS_OK > >> [peap] Session established. Decoding tunneled attributes. > >> [peap] Peap state phase2 > >> [peap] EAP type mschapv > >> [peap] Got tunneled request > >> EAP-Message = > >>0x021100611a0211005c31e92bd9b29e030c31375a9538787dc7330000000000000000595 > >>2b8387957fda46ae0cd1ae6d8a4b4b8f630c06f20738600686f73742f3230313374656368 > >>746573742e7468656d6173746572737363686f6f6c2e636f6d > >> server packetfence { > >> [peap] Setting User-Name to host/2013techtest.themastesschool.com > >> Sending tunneled request > >> EAP-Message = > >>0x021100611a0211005c31e92bd9b29e030c31375a9538787dc7330000000000000000595 > >>2b8387957fda46ae0cd1ae6d8a4b4b8f630c06f20738600686f73742f3230313374656368 > >>746573742e7468656d6173746572737363686f6f6c2e636f6d > >> FreeRADIUS-Proxied-To = 127.0.0.1 > >> User-Name = "host/2013techtest.themastersschool.com" > >> State = 0x10ac25c510bd3f4d19dedffb39730f36 > >> NAS-IP-Address = 10.10.30.60 > >> NAS-IPv6-Address = ::1 > >> NAS-Port = 0 > >> NAS-Identifier = "10.10.30.60" > >> NAS-Port-Type = Wireless-802.11 > >> Calling-Station-Id = "B4B676559F06" > >> Called-Station-Id = "000B866E00F4" > >> Service-Type = Login-User > >> Framed-MTU = 1100 > >> Aruba-Essid-Name = "pfsecure" > >> Aruba-Location-Id = "SPARE" > >> Aruba-AP-Group = "PacketFenceGroup" > >> Aruba-Attr-12 = 0x57696e2037 > >> server packetfence-tunnel { > >> # Executing section authorize from file > >>/usr/local/pf/raddb//sites-enabled/packetfence-tunnel > >> +- entering group authorize {...} > >> [suffix] No '@' in User-Name = > 
>>"host/2013techtest.themastersschool.com", looking up realm NULL > >> [suffix] Found realm "NULL" > >> [suffix] Adding Stripped-User-Name = > >>"host/2013techtest.themastersschool.com" > >> [suffix] Adding Realm = "NULL" > >> [suffix] Authentication realm is LOCAL. > >> ++[suffix] returns ok > >> [ntdomain] Request already proxied. Ignoring. > >> ++[ntdomain] returns ok > >> [eap] EAP packet type response id 17 length 97 > >> [eap] No EAP Start, assuming it's an on-going EAP conversation > >> ++[eap] returns updated > >> ++[files] returns noop > >> ++[expiration] returns noop > >> ++[logintime] returns noop > >> Found Auth-Type = EAP > >> # Executing group from file > >>/usr/local/pf/radb//sites-enabled/packetfence-tunnel > >> +- entering group authenticate {...} > >> [eap] Request found, released from the list > >> [ap] EAP/mschapv2 > >> [eap] processing type mschapv2 > >> [mschapv2] # Executing group from file > >>/usr/local/pf/raddb//sites-enabled/packetfnce-tunnel > >> [mschapv2] +- entering group MS-CHAP {...} > >> [mschap] Creating challenge hash with username: > >>host/2013techtest.themastersschool.com > >> [mschap] Client is using MS-CHAPv2 for > >>host/2013techtest.themastersschool.com, we need NT-Password > >> [mschap] expand: %{Stripped-User-Name} -> > >>host/2013techtest.themastersschool.com > >> [mschap] expand: > >>--username=%{%{Stripped-User-Name}:-%{mschap:User-Name:-None}} -> > >>--username=host/2013techtest.themastersschool.com > >> [mschap] expand: --domain%{mschap:NT-Domain} -> > >>--domain=themastersschool > >> [mschap] Creating challenge hash with username: > >>host/2013techtest.themastersschool.com > >> [mschap] expand: --challenge=%{mschap:Challenge:-00} -> > >>--challenge=efebaa4bf701fb6c > >> [mschp] expand: --nt-response=%{mschap:NT-Response:-00} -> > >>--nt-response=5952b8387957fda46ae0cd1ae6d8a4b4b8f630c06f207386 > >> Exec-Program output: Logon failre (0xc000006d) > >> Exec-Program-Wait: plaintext: Logon failure (0xc000006d) > >> 
Exec-Program: returned: 1 > >> [mschap] External script failed. > >> [mschap] FAILED: MS-CHAP2-Response is incorrect > >> ++[mschap] returns reject > >> [eap] Freeing handler > >> ++[eap] returns reject > >> Failed to authenticate the user. > >> Login incorrect (mschap: External script says Logon failure > >>(0xc000006d)): [host/2013techtest.themastersschool.com] (from client > >>10.10.30.60 port 0 cli B4B676559F06 via TLS tunnel) > >> } # server packetfence-tunnel > >> [peap] Got tunneled reply code 3 > >> MS-CHAP-Error = "\021E=691 R=1" > >> EAP-Message = 0x04110004 > >> Message-Authenticator = 0x00000000000000000000000000000000 > >> [peap] Got tunneled reply RADIUS code 3 > >> MS-CHAP-Error = "\021E=691 R=1" > >> EAP-Message = 0x04110004 > >> Message-Authenticator = 0x00000000000000000000000000000000 > >> [peap] Tunneled authentication was rejected. > >> [peap] FAILURE > >> ++[eap] returns handled > >> } # server packetfence > >> Sending Access-Challenge of id 80 to 10.10.30.60 port 32859 > >> EAP-Message = > >>0x0112002b1900170301002011f6a9641937f158c8d742a57072b27cbaad8594a832644b9 > >>ecb49d2df2ccbeb > >> Message-Authenticator = 0x00000000000000000000000000000000 > >> State = 0x73a2794175b0608c1f1706e856c029f2 > >> Finished request 6. > >> Going to the next request > >> Waking up in 4.9 seconds.
> >> rad_recv: Access-Request packet from host 10.10.30.60 port 32859, > >>id=81, length=296 > >> User-Name = "host/2013techtest.themastersschool.com" > >> NAS-IP-Address = 10.10.30.60 > >> NAS-IPv6-Address = ::1 > >> NAS-Port = 0 > >> NAS-Identifier = "10.10.30.60" > >> NAS-Port-Type = Wireless-802.11 > >> Calling-Station-Id = "B4B676559F06" > >> Called-Station-Id = "000B866E00F4" > >> Service-Type = Login-User > >> Framed-MTU = 1100 > >> EAP-Message = > >>0x0212002b19001703010020581472f80a0edd9c2ea52bf29a5e1468085c61c84e5ac04aa > >>c7ad5dc0de0b61f > >> State = 0x73a2794175b0608c1f1706e856c029f2 > >> Aruba-Essid-Name = "pfsecure" > >> Aruba-Location-Id = "SPARE" > >> Aruba-AP-Group = "PacketFenceGroup" > >> Aruba-Attr-12 = 0x57696e2037 > >> Message-Authenticator = 0xd84925633e64fa38bbf6b7bc77f2542f > >> server packetfence { > >> # Executing section authorize from file > >>/usr/local/pf/raddb//sites-enabled/packetfence > >> +- entering group authorize {...} > >> [suffix] No '@' in User-Name = > >>"host/2013techtest.themastersschool.com", looking up realm NULL > >> [suffix] Found realm "NULL" > >> [suffix] Adding Stripped-User-Name = > >>"host/2013techtest.themastersschool.com" > >> [suffix] Adding Realm = "NULL" > >> [suffix] Authentication realm is LOCAL. > >> ++[suffix] returns ok > >> ++[preprocess] returns ok > >> [eap] EAP packet type response id 18 length 43 > >> [eap] Continuing tunnel setup. > >> ++[eap] returns ok > >> Found Auth-Type = EAP > >> # Executing group from file > >>/usr/local/pf/raddb//sites-enabled/packetfence > >> +- entering group authenticate {...} > >> [eap] Request found, released from the list > >> [eap] EAP/peap > >> [eap] processing type peap > >> [peap] processing EAP-TLS > >> [peap] eaptls_verify returned 7 > >> [peap] Done initial handshake > >> [peap] eaptls_process returned 7 > >> [peap] EAPTLS_OK > >> [peap] Session established. Decoding tunneled attributes. 
> >> [peap] Peap state send tlv failure > >> [peap] Received EAP-TLV response. > >> [peap] The users session was previously rejected: returning reject > >>(again.) > >> [peap] *** This means you need to read the PREVIOUS messages in the > >>debug output > >> [peap] *** to find out the reason why the user was rejected. > >> [peap] *** Look for "reject" or "fail". Those earlier messages will > >>tell you. > >> [peap] *** what went wrong, and how to fix the problem. > >> [eap] Handler failed in EAP/peap > >> [eap] Failed in EAP select > >> ++[eap] returns invalid > >> Failed to authenticate the user. > >> Login incorrect: [host/2013techtest.themastersschool.com] (from client > >>10.10.30.60 port 0 cli B4B676559F06) > >> } # server packetfence > >> Using Post-Auth-Type REJECT > >> # Executing group from file > >>/usr/local/pf/raddb//sites-enabled/packetfence > >> +- entering group REJECT {...} > >> [attr_filter.access_reject] > >> expand: %{User-Name} -> host/2013techtest.themastersschool.com > >> attr_filter: Matched entry DEFAULT at line 11 > >> ++[attr_filter.access_reject] returns updated > >> Delaying reject of request 7 for 1 seconds > >> Going to the next request > >> Waking up in 0.9 seconds. > >> Sending delayed reject for request 7 > >> Sending Access-Reject of id 81 to 10.10.30.60 port 32859 > >> EAP-Message = 0x04120004 > >> Message-Authenticator = 0x00000000000000000000000000000000 > >> Waking up in 3.9 seconds. 
> >> rad_recv: Access-Request packet from host 10.10.30.60 port 32859, > >>id=82, length=278 > >> User-Name = "host/2013techtest.themastersschool.com" > >> NAS-IP-Address = 10.10.30.60 > >> NAS-IPv6-Address = ::1 > >> NAS-Port = 0 > >> NAS-Identifier = "10.10.30.60" > >> NAS-Port-Type = Wireless-802.11 > >> Calling-Station-Id = "B4B676559F06" > >> Called-Station-Id = "000B866E00F4" > >> Service-Type = Login-User > >> Framed-MTU = 1100 > >> EAP-Message = > >>0x0201002b01686f73742f3230313374656368746573742e7468656d61737465727373636 > >>86f6f6c2e636f6d > >> Aruba-Essid-Name = "pfsecure" > >> Aruba-Location-Id = "SPARE" > >> Aruba-AP-Group = "PacketFenceGroup" > >> Aruba-Attr-12 = 0x57696e2037 > >> Message-Authenticator = 0x8215409e23c268a308db7ed34d198890 > >> server packetfence { > >> # Executing section authorize from file > >>/usr/local/pf/raddb//sites-enabled/packetfence > >> +- entering group authorize {...} > >> [suffix] No '@' in User-Name = > >>"host/2013techtest.themastersschool.com", looking up realm NULL > >> [suffix] Found realm "NULL" > >> [suffix] Adding Stripped-User-Name = > >>"host/2013techtest.themastersschool.com" > >> [suffix] Adding Realm = "NULL" > >> [suffix] Authentication realm is LOCAL. 
> >> ++[suffix] returns ok > >> ++[preprocess] returns ok > >> [eap] EAP packet type response id 1 length 43 > >> [eap] No EAP Start, assuming it's an on-going EAP conversation > >> ++[eap] returns updated > >> ++[files] returns noop > >> ++[expiration] returns noop > >> ++[logintime] returns noop > >> rlm_perl: Added pair NAS-Port-Type = Wireless-802.11 > >> rlm_perl: Added pair Service-Type = Login-User > >> rlm_perl: Added pair Called-Station-Id = 000B866E00F4 > >> rlm_perl: Added pair Message-Authenticator = > >>0x8215409e23c268a308db7ed34d198890 > >> rlm_perl: Added pair Realm = NULL > >> rlm_perl: Added pair EAP-Type = Identity > >> rlm_perl: Added pair NAS-IP-Address = 10.10.30.60 > >> rlm_perl: Added pair Calling-Station-Id = B4B676559F06 > >> rlm_perl: Added pair Aruba-Essid-Name = pfsecure > >> rlm_perl: Added pair Aruba-AP-Group = PacketFenceGroup > >> rlm_perl: Added pair User-Name = host/2013techtest.themastersschool.com > >> rlm_perl: Added pair Aruba-Location-Id = SPARE > >> rlm_perl: Added pair NAS-Identifier = 10.10.30.60 > >> rlm_perl: Added pair EAP-Message = > >>0x0201002b01686f73742f3230313374656368746573742e7468656d61737465727373636 > >>86f6f6c2e636f6d > >> rlm_perl: Added pair Aruba-Attr-12 = 0x57696e2037 > >> rlm_perl: Added pair NAS-Port = 0 > >> rlm_perl: Added pair NAS-IPv6-Address = ::1 > >> rlm_perl: Added pair Stripped-User-Name = > >>host/2013techtest.themastersschool.com > >> rlm_perl: Added pair Framed-MTU = 1100 > >> rlm_perl: Added pair Auth-Type = EAP > >> ++[packetfence] returns noop > >> Found Auth-Type = EAP > >> # Executing group from file > >>/usr/local/pf/raddb//sites-enabled/packetfence > >> +- entering group authenticate {...} > >> [eap] EAP Identity > >> [eap] processing type tls > >> [tls] Initiate > >> [tls] Start returned 1 > >> ++[eap] returns handled > >> } # server packetfence > >> Sending Access-Challenge of id 82 to 10.10.30.60 port 32859 > >> EAP-Message = 0x010200061920 > >> Message-Authenticator = 
0x00000000000000000000000000000000 > >> State = 0xb86575b0b8676c6805cd99bb40366fb0 > >> Finished request 8. > >> Going to the next request > >> Waking up in 0.1 seconds. > >> rad_recv: Access-Request packet from host 10.10.30.60 port 32859, > >>id=83, length=358 > >> User-Name = "host/2013techtest.themastersschool.com" > >> NAS-IP-Address = 10.10.30.60 > >> NAS-IPv6-Address = ::1 > >> NAS-Port = 0 > >> NAS-Identifier = "10.10.30.60" > >> NAS-Port-Type = Wireless-802.11 > >> Calling-Station-Id = "B4B676559F06" > >> Called-Station-Id = "000B866E00F4" > >> Service-Type = Login-User > >> Framed-MTU = 1100 > >> EAP-Message = > >>0x0202006919800000005f160301005a01000056030151f7d68787a3ca49ae908a89e33d6 > >>47f2e1035cbcfde28e04a7a75a43a116d6b000018002f00350005000ac013c014c009c00a > >>003200380013000401000015ff01000100000a0006000400170018000b00020100 > >> State = 0xb86575b0b8676c6805cd99bb40366fb0 > >> Aruba-Essid-Name = "pfsecure" > >> Aruba-Location-Id = "SPARE" > >> Aruba-AP-Group = "PacketFenceGroup" > >> Aruba-Attr-12 = 0x57696e2037 > >> Message-Authenticator = 0x8ae5ff9add669876d59bd499dc983c8e > >> server packetfence { > >> # Executing section authorize from file > >>/usr/local/pf/raddb//sites-enabled/packetfence > >> +- entering group authorize {...} > >> [suffix] No '@' in User-Name = > >>"host/2013techtest.themastersschool.com", looking up realm NULL > >> [suffix] Found realm "NULL" > >> [suffix] Adding Stripped-User-Name = > >>"host/2013techtest.themastersschool.com" > >> [suffix] Adding Realm = "NULL" > >> [suffix] Authentication realm is LOCAL. > >> ++[suffix] returns ok > >> ++[preprocess] returns ok > >> [eap] EAP packet type response id 2 length 105 > >> [eap] Continuing tunnel setup. 
> >> ++[eap] returns ok > >> Found Auth-Type = EAP > >> # Executing group from file > >>/usr/local/pf/raddb//sites-enabled/packetfence > >> +- entering group authenticate {...} > >> [eap] Request found, released from the list > >> [eap] EAP/peap > >> [eap] processing type peap > >> [peap] processing EAP-TLS > >> TLS Length 95 > >> [peap] Length Included > >> [peap] eaptls_verify returned 11 > >> [peap] (other): before/accept initialization > >> [peap] TLS_accept: before/accept initialization > >> [peap] <<< TLS 1.0 Handshake [length 005a], ClientHello > >> [peap] TLS_accept: SSLv3 read client hello A > >> [peap] >>> TLS 1.0 Handshake [length 0031], ServerHello > >> [peap] TLS_accept: SSLv3 write server hello A > >> [peap] >>> TLS 1.0 Handshake [length 0680], Certificate > >> [peap] TLS_accept: SSLv3 write certificate A > >> [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone > >> [peap] TLS_accept: SSLv3 write server done A > >> [peap] TLS_accept: SSLv3 flush data > >> [peap] TLS_accept: Need to read more data: SSLv3 read client > >>certificate A > >> In SSL Handshake Phase > >> In SSL Accept mode > >> [peap] eaptls_process returned 13 > >> [peap] EAPTLS_HANDLED > >> ++[eap] returns handled > >> } # server packetfence > >> Sending Access-Challenge of id 83 to 10.10.30.60 port 32859 > >> EAP-Message = > >>0x0103040019c0000006c416030100310200002d030151f7d6865156bbe9455f22d7567b4 > >>bb8b212ff7384473ac2d9f207dcc749426a00002f000005ff0100010016030106800b0006 > >>7c000679000676308206723082055aa003020102020a60359859000000000036300d06092 > >>a864886f70d0101050500304c31133011060a0992268993f22c6401191603636f6d312030 > >>1e060a0992268993f22c64011916107468656d6173746572737363686f6f6c31133011060 > >>3550403130a626c6164657368617265301e170d3133303732343137343130325a170d3135 > >>303732343137343130325a3081b0310b30090603550406130255533111300f06035504 > >> EAP-Message = > >>0x0813084e657720596f726b311330110603550407130a446f6273204665727279311b301 > 
>>9060355040a1312546865204d617374657273205363686f6f6c310b3009060355040b1302 > >>495431293027060355040313207061636b657466656e63652e7468656d617374657273736 > >>3686f6f6c2e636f6d3124302206092a864886f70d0109011615737570706f7274406d6173 > >>746572736e792e6f726730820122300d06092a864886f70d01010105000382010f0030820 > >>10a0282010100aec751cffa76d18a78a902a6992e0de618c02aff4864b39fdd6a907e0698 > >>483c29dabe043636879f1d962009c9d646fca85f1faa910d8cec6a1c2d138b7b1d8e7f > >> EAP-Message = > >>0x4faa65a7c4bdf82b80ca72b6a2de0a86d31b7895adbfc41462a41e831f836d1eeb2ab67 > >>d978abbc07b39f97dad2511f37a3e04b7a32adafd9a89b464de41f1f956ea2ef077ff6784 > >>33d6e76412898d5ab928dc8e73c2743567cd6341d4d2191096a9c6eaca1b58eb297a986be > >>6d0908314f2198eb9a27082792c95e9ffe63611e393855534acc6c771291a6cbcf95ed9fb > >>f2df2bb92817aa723ed9e3688c199e5f282de0fca48bc6c29a22f777037882c3c9daa5854 > >>8305e083132dcf8ba4b0203010001a38202ef308202eb301d0603551d0e041604145b1bc3 > >>0e7fd7e38cdb9be87b6647369d1318c95b301f0603551d2304183016801419cea519e2 > >> EAP-Message = > >>0xedae91bfd145710bab8663b8840d3f3082011b0603551d1f048201123082010e3082010 > >>aa0820106a08201028681bd6c6461703a2f2f2f434e3d626c61646573686172652c434e3d > >>626c61646573686172652c434e3d4344502c434e3d5075626c69632532304b65792532305 > >>3657276696365732c434e3d53657276696365732c434e3d436f6e66696775726174696f6e > >>2c44433d7468656d6173746572737363686f6f6c2c44433d636f6d3f63657274696669636 > >>174655265766f636174696f6e4c6973743f626173653f6f626a656374436c6173733d6352 > >>4c446973747269627574696f6e506f696e748640687474703a2f2f626c616465736861 > >> EAP-Message = 0x72652e7468656d6173746572 > >> Message-Authenticator = 0x00000000000000000000000000000000 > >> State = 0xb86575b0b9666c6805cd99bb40366fb0 > >> Finished request 9. > >> Going to the next request > >> Waking up in 0.1 seconds. 
> >> rad_recv: Access-Request packet from host 10.10.30.60 port 32859, > >>id=84, length=259 > >> User-Name = "host/2013techtest.themastersschool.com" > >> NAS-IP-Address = 10.10.30.60 > >> NAS-IPv6-Address = ::1 > >> NAS-Port = 0 > >> NAS-Identifier = "10.10.30.60" > >> NAS-Port-Type = Wireless-802.11 > >> Calling-Station-Id = "B4B676559F06" > >> Called-Station-Id = "000B866E00F4" > >> Service-Type = Login-User > >> Framed-MTU = 1100 > >> EAP-Message = 0x020300061900 > >> State = 0xb86575b0b9666c6805cd99bb40366fb0 > >> Aruba-Essid-Name = "pfsecure" > >> Aruba-Location-Id = "SPARE" > >> Aruba-AP-Group = "PacketFenceGroup" > >> Aruba-Attr-12 = 0x57696e2037 > >> Message-Authenticator = 0x04fe9112b06a6314fc3d68f6ffe857b7 > >> server packetfence { > >> # Executing section authorize from file > >>/usr/local/pf/raddb//sites-enabled/packetfence > >> +- entering group authorize {...} > >> [suffix] No '@' in User-Name = > >>"host/2013techtest.themastersschool.com", looking up realm NULL > >> [suffix] Found realm "NULL" > >> [suffix] Adding Stripped-User-Name = > >>"host/2013techtest.themastersschool.com" > >> [suffix] Adding Realm = "NULL" > >> [suffix] Authentication realm is LOCAL. > >> ++[suffix] returns ok > >> ++[preprocess] returns ok > >> [eap] EAP packet type response id 3 length 6 > >> [eap] Continuing tunnel setup. 
> >> ++[eap] returns ok > >> Found Auth-Type = EAP > >> # Executing group from file > >>/usr/local/pf/raddb//sites-enabled/packetfence > >> +- entering group authenticate {...} > >> [eap] Request found, released from the list > >> [eap] EAP/peap > >> [eap] processing type peap > >> [peap] processing EAP-TLS > >> [peap] Received TLS ACK > >> [peap] ACK handshake fragment handler > >> [peap] eaptls_verify returned 1 > >> [peap] eaptls_process returned 13 > >> [peap] EAPTLS_HANDLED > >> ++[eap] returns handled > >> } # server packetfence > >> Sending Access-Challenge of id 84 to 10.10.30.60 port 32859 > >> EAP-Message = > >>0x010402d41900737363686f6f6c2e636f6d2f43657274456e726f6c6c2f626c616465736 > >>86172652e63726c3082013506082b0601050507010104820127308201233081b206082b06 > >>0105050730028681a56c6461703a2f2f2f434e3d626c61646573686172652c434e3d41494 > >>12c434e3d5075626c69632532304b657925323053657276696365732c434e3d5365727669 > >>6365732c434e3d436f6e66696775726174696f6e2c44433d7468656d61737465727373636 > >>86f6f6c2c44433d636f6d3f634143657274696669636174653f626173653f6f626a656374 > >>436c6173733d63657274696669636174696f6e417574686f72697479306c06082b0601 > >> EAP-Message = > >>0x05050730028660687474703a2f2f626c61646573686172652e7468656d6173746572737 > >>363686f6f6c2e636f6d2f43657274456e726f6c6c2f626c61646573686172652e7468656d > >>6173746572737363686f6f6c2e636f6d5f626c61646573686172652e637274302106092b0 > >>60104018237140204141e12005700650062005300650072007600650072300c0603551d13 > >>0101ff04023000300b0603551d0f0404030205a030130603551d25040c300a06082b06010 > >>505070301300d06092a864886f70d010105050003820101005514e840159f844671a3cce3 > >>ec81f2642493554f7e006bdf0d178990aaeffbbd75aa442e7800218e1da664b67da25a > >> EAP-Message = > >>0x8d8a5e0de032ede49c3b0f8c131cb23ff6236151bd0e2dfcd9fa09fed05d132fc1084c5 > >>b40400a1126736839595ab1eeae2e3e18120144e43f305c1d6dbe866dd5b5f84a04b9038a > >>4822b07941427477ec744fd5951946fa57a5b04231c87f201f3fc15d8677dbdafe8e5231c > 
>>9187e5332729740a7de7ce30b8d23fe036a9853f4be911ef1786e3f6f6bc7af76a0b4fe72 > >>befc2b4a21271b31812fa2bb5251e5207a905c108ffecc3dde75d28c2b76db67746784294 > >>9175f0582de1543d8646a906aa457fbbe85785db4909f0eb3457f1f16030100040e000000 > >> Message-Authenticator = 0x00000000000000000000000000000000 > >> State = 0xb86575b0ba616c6805cd99bb40366fb0 > >> Finished request 10. > >> Going to the next request > >> Waking up in 0.1 seconds. > >> rad_recv: Access-Request packet from host 10.10.30.60 port 32859, > >>id=85, length=591 > >> User-Name = "host/2013techtest.themastersschool.com" > >> NAS-IP-Address = 10.10.30.60 > >> NAS-IPv6-Address = ::1 > >> NAS-Port = 0 > >> NAS-Identifier = "10.10.30.60" > >> NAS-Port-Type = Wireless-802.11 > >> Calling-Station-Id = "B4B676559F06" > >> Called-Station-Id = "000B866E00F4" > >> Service-Type = Login-User > >> Framed-MTU = 1100 > >> EAP-Message = > >>0x0204015019800000014616030101061000010201004fb654b731530ca869747da9f9ca8 > >>ebaac47c5c36fbd9921ddcd5345241e76c5e2300480dd8ea90f80149922a1ff1eae1b49c3 > >>5e75ec55490c3c95136dca919faf454c78f244c6dd2c62c2c019227d2fd6337a4f76217c9 > >>240cd9ba83b0c749099955f7d3015fd350b2bcd0c849b92210451eba46bfe15f755ae2164 > >>2ee620d9074bc5c9b31717d5444fb0f48c2e30562b8606065d76632f22855e01c67652d5b > >>369bdf6492ad9b629e3dda1bf2fa712a0bb49bf77f95a74d099f0325c726ebd7da62c07ba > >>949f6952d9d9acf2088829e1e132f0524584eff18fcebad90b45dfbaea53d79968c352 > >> EAP-Message = > >>0xd3287d18f3ce67f2e201032811901a6d92dfefc6806f147a1403010001011603010030f > >>5f3ef7a0678674f1207e4de864b663eb58d16fae2ae94bb8056fb32d5b2b9fc22f3526035 > >>3d41e52ad00c1f59fc6ec4 > >> State = 0xb86575b0ba616c6805cd99bb40366fb0 > >> Aruba-Essid-Name = "pfsecure" > >> Aruba-Location-Id = "SPARE" > >> Aruba-AP-Group = "PacketFenceGroup" > >> Aruba-Attr-12 = 0x57696e2037 > >> Message-Authenticator = 0x378048a35e06626c4c97d204d46267e6 > >> server packetfence { > >> # Executing section authorize from file > 
>>/usr/local/pf/raddb//sites-enabled/packetfence > >> +- entering group authorize {...} > >> [suffix] No '@' in User-Name = > >>"host/2013techtest.themastersschool.com", looking up realm NULL > >> [suffix] Found realm "NULL" > >> [suffix] Adding Stripped-User-Name = > >>"host/2013techtest.themastersschool.com" > >> [suffix] Adding Realm = "NULL" > >> [suffix] Authentication realm is LOCAL. > >> ++[suffix] returns ok > >> ++[preprocess] returns ok > >> [eap] EAP packet type response id 4 length 253 > >> [eap] Continuing tunnel setup. > >> ++[eap] returns ok > >> Found Auth-Type = EAP > >> # Executing group from file > >>/usr/local/pf/raddb//sites-enabled/packetfence > >> +- entering group authenticate {...} > >> [eap] Request found, released from the list > >> [eap] EAP/peap > >> [eap] processing type peap > >> [peap] processing EAP-TLS > >> TLS Length 326 > >> [peap] Length Included > >> [peap] eaptls_verify returned 11 > >> [peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange > >> [peap] TLS_accept: SSLv3 read client key exchange A > >> [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] > >> [peap] <<< TLS 1.0 Handshake [length 0010], Finished > >> [peap] TLS_accept: SSLv3 read finished A > >> [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] > >> [peap] TLS_accept: SSLv3 write change cipher spec A > >> [peap] >>> TLS 1.0 Handshake [length 0010], Finished > >> [peap] TLS_accept: SSLv3 write finished A > >> [peap] TLS_accept: SSLv3 flush data > >> [peap] (other): SSL negotiation finished successfully > >> SSL Connection Established > >> [peap] eaptls_process returned 13 > >> [peap] EAPTLS_HANDLED > >> ++[eap] returns handled > >> } # server packetfence > >> Sending Access-Challenge of id 85 to 10.10.30.60 port 32859 > >> EAP-Message = > >>0x0105004119001403010001011603010030adc969f0c0a637311f945a11cb98826dc3686 > >>b997e47a324cdd5538568493af1274fb0e12b5dfe467beaccde126d7be7 > >> Message-Authenticator = 0x00000000000000000000000000000000 > >> State = 
0xb86575b0bb606c6805cd99bb40366fb0 > >> Finished request 11. > >> Going to the next request > >> Waking up in 0.1 seconds. > >> rad_recv: Access-Request packet from host 10.10.30.60 port 32859, > >>id=86, length=259 > >> User-Name = "host/2013techtest.themastersschool.com" > >> NAS-IP-Address = 10.10.30.60 > >> NAS-IPv6-Address = ::1 > >> NAS-Port = 0 > >> NAS-Identifier = "10.10.30.60" > >> NAS-Port-Type = Wireless-802.11 > >> Calling-Station-Id = "B4B676559F06" > >> Called-Station-Id = "000B866E00F4" > >> Service-Type = Login-User > >> Framed-MTU = 1100 > >> EAP-Message = 0x020500061900 > >> State = 0xb86575b0bb606c6805cd99bb40366fb0 > >> Aruba-Essid-Name = "pfsecure" > >> Aruba-Location-Id = "SPARE" > >> Aruba-AP-Group = "PacketFenceGroup" > >> Aruba-Attr-12 = 0x57696e2037 > >> Message-Authenticator = 0xca8aee5e769b6884dd9237cd862e84e5 > >> server packetfence { > >> # Executing section authorize from file > >>/usr/local/pf/raddb//sites-enabled/packetfence > >> +- entering group authorize {...} > >> [suffix] No '@' in User-Name = > >>"host/2013techtest.themastersschool.com", looking up realm NULL > >> [suffix] Found realm "NULL" > >> [suffix] Adding Stripped-User-Name = > >>"host/2013techtest.themastersschool.com" > >> [suffix] Adding Realm = "NULL" > >> [suffix] Authentication realm is LOCAL. > >> ++[suffix] returns ok > >> ++[preprocess] returns ok > >> [eap] EAP packet type response id 5 length 6 > >> [eap] Continuing tunnel setup. > >> ++[eap] returns ok > >> Found Auth-Type = EAP > >> # Executing group from file > >>/usr/local/pf/raddb//sites-enabled/packetfence > >> +- entering group authenticate {...} > >> [eap] Request found, released from the list > >> [eap] EAP/peap > >> [eap] processing type peap > >> [peap] processing EAP-TLS > >> [peap] Received TLS ACK > >> [peap] ACK handshake is finished > >> [peap] eaptls_verify returned 3 > >> [peap] eaptls_process returned 3 > >> [peap] EAPTLS_SUCCESS > >> [peap] Session established. 
Decoding tunneled attributes. > >> [peap] Peap state TUNNEL ESTABLISHED > >> ++[eap] returns handled > >> } # server packetfence > >> Sending Access-Challenge of id 86 to 10.10.30.60 port 32859 > >> EAP-Message = > >>0x0106002b190017030100202bca483e8d5b92dae059b9d13cbb41ead6d871cfa10801332 > >>b2cfb81d3d35f4d > >> Message-Authenticator = 0x00000000000000000000000000000000 > >> State = 0xb86575b0bc636c6805cd99bb40366fb0 > >> Finished request 12. > >> Going to the next request > >> Waking up in 0.1 seconds. > >> rad_recv: Access-Request packet from host 10.10.30.60 port 32859, > >>id=87, length=328 > >> User-Name = "host/2013techtest.themastersschool.com" > >> NAS-IP-Address = 10.10.30.60 > >> NAS-IPv6-Address = ::1 > >> NAS-Port = 0 > >> NAS-Identifier = "10.10.30.60" > >> NAS-Port-Type = Wireless-802.11 > >> Calling-Station-Id = "B4B676559F06" > >> Called-Station-Id = "000B866E00F4" > >> Service-Type = Login-User > >> Framed-MTU = 1100 > >> EAP-Message = > >>0x0206004b19001703010040962c5d66e8c2f1ae1ee757c00636b0de755c342b4beb4f4ab > >>7e1147e50eeac7518c86995f021f46537e7662f6f9ab07303463aebc1cb460af668e47ce2 > >>a3ee2e > >> State = 0xb86575b0bc636c6805cd99bb40366fb0 > >> Aruba-Essid-Name = "pfsecure" > >> Aruba-Location-Id = "SPARE" > >> Aruba-AP-Group = "PacketFenceGroup" > >> Aruba-Attr-12 = 0x57696e2037 > >> Message-Authenticator = 0x63afe002a5b7043526f698f321b5f9ae > >> server packetfence { > >> # Executing section authorize from file > >>/usr/local/pf/raddb//sites-enabled/packetfence > >> +- entering group authorize {...} > >> [suffix] No '@' in User-Name = > >>"host/2013techtest.themastersschool.com", looking up realm NULL > >> [suffix] Found realm "NULL" > >> [suffix] Adding Stripped-User-Name = > >>"host/2013techtest.themastersschool.com" > >> [suffix] Adding Realm = "NULL" > >> [suffix] Authentication realm is LOCAL. 
> >> ++[suffix] returns ok > >> ++[preprocess] returns ok > >> [eap] EAP packet type response id 6 length 75 > >> [eap] Continuing tunnel setup. > >> ++[eap] returns ok > >> Found Auth-Type = EAP > >> # Executing group from file > >>/usr/local/pf/raddb//sites-enabled/packetfence > >> +- entering group authenticate {...} > >> [eap] Request found, released from the list > >> [eap] EAP/peap > >> [eap] processing type peap > >> [peap] processing EAP-TLS > >> [peap] eaptls_verify returned 7 > >> [peap] Done initial handshake > >> [peap] eaptls_process returned 7 > >> [peap] EAPTLS_OK > >> [peap] Session established. Decoding tunneled attributes. > >> [peap] Peap state WAITING FOR INNER IDENTITY > >> [peap] Identity - host/2013techtest.themastersschool.com > >> [peap] Got inner identity 'host/2013techtest.themastersschool.com' > >> [peap] Setting default EAP type for tunneled EAP session. > >> [peap] Got tunneled request > >> EAP-Message = > >>0x0206002b01686f73742f3230313374656368746573742e7468656d61737465727373636 > >>86f6f6c2e636f6d > >> server packetfence { > >> [peap] Setting User-Name to host/2013techtest.themastersschool.com > >> Sending tunneled request > >> EAP-Message = > >>0x0206002b01686f73742f3230313374656368746573742e7468656d61737465727373636 > >>86f6f6c2e636f6d > >> FreeRADIUS-Proxied-To = 127.0.0.1 > >> User-Name = "host/2013techtest.themastersschool.com" > >> NAS-IP-Address = 10.10.30.60 > >> NAS-IPv6-Address = ::1 > >> NAS-Port = 0 > >> NAS-Identifier = "10.10.30.60" > >> NAS-Port-Type = Wireless-802.11 > >> Calling-Station-Id = "B4B676559F06" > >> Called-Station-Id = "000B866E00F4" > >> Service-Type = Login-User > >> Framed-MTU = 1100 > >> Aruba-Essid-Name = "pfsecure" > >> Aruba-Location-Id = "SPARE" > >> Aruba-AP-Group = "PacketFenceGroup" > >> Aruba-Attr-12 = 0x57696e2037 > >> server packetfence-tunnel { > >> # Executing section authorize from file > >>/usr/local/pf/raddb//sites-enabled/packetfence-tunnel > >> +- entering group authorize {...} > >> 
[suffix] No '@' in User-Name = > >>"host/2013techtest.themastersschool.com", looking up realm NULL > >> [suffix] Found realm "NULL" > >> [suffix] Adding Stripped-User-Name = > >>"host/2013techtest.themastersschool.com" > >> [suffix] Adding Realm = "NULL" > >> [suffix] Authentication realm is LOCAL. > >> ++[suffix] returns ok > >> [ntdomain] Request already proxied. Ignoring. > >> ++[ntdomain] returns ok > >> [eap] EAP packet type response id 6 length 43 > >> [eap] No EAP Start, assuming it's an on-going EAP conversation > >> ++[eap] returns updated > >> ++[files] returns noop > >> ++[expiration] returns noop > >> ++[logintime] returns noop > >> Found Auth-Type = EAP > >> # Executing group from file > >>/usr/local/pf/raddb//sites-enabled/packetfence-tunnel > >> +- entering group authenticate {...} > >> [eap] EAP Identity > >> [eap] processing type mschapv2 > >> rlm_eap_mschapv2: Issuing Challenge > >> ++[eap] returns handled > >> } # server packetfence-tunnel > >> [peap] Got tunneled reply code 11 > >> EAP-Message = > >>0x010700401a0107003b1078bfbe40d730c55a17342e56f55af51e686f73742f323031337 > >>4656368746573742e7468656d6173746572737363686f6f6c2e636f6d > >> Message-Authenticator = 0x0000000000000000000000... [truncated message content] |
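The triage that the debug output itself recommends (find the first "reject" or "fail", not the later echo of it), as an added example that is not part of the thread or of PacketFence/FreeRADIUS. The function names are hypothetical, and `SAMPLE_LOG` is constructed from lines of the debug output quoted above, unwrapped and reordered into one short excerpt.

```python
import re

# EAP codes (RFC 3748) and the method types seen in this thread's debug output.
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 25: "PEAP", 26: "MS-CHAPv2"}

# Failure codes carried in MS-CHAP-Error (RFC 2759, section 6).
MSCHAP_ERRORS = {646: "ERROR_RESTRICTED_LOGON_HOURS", 647: "ERROR_ACCT_DISABLED",
                 648: "ERROR_PASSWD_EXPIRED", 649: "ERROR_NO_DIALIN_PERMISSION",
                 691: "ERROR_AUTHENTICATION_FAILURE", 709: "ERROR_CHANGING_PASSWORD"}

# NTSTATUS values an external MS-CHAP helper can report for a failed logon.
NT_STATUS = {0xC000006D: "STATUS_LOGON_FAILURE", 0xC000006A: "STATUS_WRONG_PASSWORD",
             0xC0000064: "STATUS_NO_SUCH_USER"}

FAIL_RE = re.compile(r"\b(reject|fail)", re.IGNORECASE)
NTSTATUS_RE = re.compile(r"Exec-Program output:.*\(0x([0-9a-fA-F]{8})\)")
EAP_RE = re.compile(r"EAP-Message = (0x[0-9a-fA-F]+)$")


def decode_eap(hex_value):
    """Decode the EAP header from one EAP-Message attribute value (0x...)."""
    text = hex_value[2:] if hex_value.lower().startswith("0x") else hex_value
    raw = bytes.fromhex(text)  # ValueError on odd-length or non-hex input
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = raw[0], raw[1], int.from_bytes(raw[2:4], "big")
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length,
           "type": None, "identity": None,
           # Long packets are split over several EAP-Message attributes, so one
           # attribute alone may hold only the first fragment.
           "complete": length == len(raw)}
    if code in (1, 2) and len(raw) >= 5:  # only Request/Response carry a type
        pkt["type"] = EAP_TYPES.get(raw[4], raw[4])
        if raw[4] == 1:
            pkt["identity"] = raw[5:length].decode("utf-8", "replace")
    return pkt


def parse_mschap_error(value):
    """Parse the 'E=<code> R=<retry>' part of an MS-CHAP-Error attribute."""
    m = re.search(r"E=(\d+)\s+R=([01])", value)
    if not m:
        return None
    code = int(m.group(1))
    return {"code": code, "name": MSCHAP_ERRORS.get(code, "unknown"),
            "retry_allowed": m.group(2) == "1"}


def triage(log_text):
    """Single pass over radiusd -X output: earliest failure line plus decoded context."""
    report = {"first_failure": None, "nt_status": None, "mschap_error": None,
              "identity": None, "machine_auth": False, "eap_codes": [],
              "repeat_reject": False}
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if report["first_failure"] is None and FAIL_RE.search(line):
            report["first_failure"] = line
        if "previously rejected" in line:
            report["repeat_reject"] = True  # this request only repeats an earlier reject
        m = NTSTATUS_RE.search(line)
        if m and report["nt_status"] is None:
            status = int(m.group(1), 16)
            report["nt_status"] = (hex(status), NT_STATUS.get(status, "unknown"))
        if line.startswith("MS-CHAP-Error") and report["mschap_error"] is None:
            report["mschap_error"] = parse_mschap_error(line)
        m = EAP_RE.match(line)
        if m:
            try:
                pkt = decode_eap(m.group(1))
            except ValueError:
                continue  # damaged hex: skip it rather than abort the triage
            report["eap_codes"].append(pkt["code"])
            if pkt["identity"] and report["identity"] is None:
                report["identity"] = pkt["identity"]
                report["machine_auth"] = pkt["identity"].startswith("host/")
    return report


# Constructed excerpt: lines taken from the debug output in this thread.
SAMPLE_LOG = r"""
rad_recv: Access-Request packet from host 10.10.30.60 port 32859, id=82, length=278
    EAP-Message = 0x0201002b01686f73742f3230313374656368746573742e7468656d6173746572737363686f6f6c2e636f6d
[mschap] expand: --domain=%{mschap:NT-Domain} -> --domain=themastersschool
Exec-Program output: Logon failure (0xc000006d)
Exec-Program: returned: 1
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
    MS-CHAP-Error = "\021E=691 R=1"
    EAP-Message = 0x04110004
[peap] Tunneled authentication was rejected.
[peap] The users session was previously rejected: returning reject (again.)
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the excerpt, the earliest failure is the external MS-CHAP helper's `Logon failure (0xc000006d)`; every later "reject" line, including the E=691 returned to the client, is a consequence of that one.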