https://administrator.de/forum/wpa2-und-serverzertifikat-145817.html
WPA2 und Serverzertifikat
Content-ID: 145817
Url: https://administrator.de/contentid/145817
https://administrator.de/forum/wpa2-und-serverzertifikat-145817.html#comment-571793
It definitely works without a certificate from an official CA as well.
Did you import the certificate on Windows 7 into the "Trusted Root Certification Authorities" store, or whatever it is called?
https://administrator.de/forum/wpa2-und-serverzertifikat-145817.html#comment-572117
What specifically have you configured in your freeradius configuration for mschap2, for the case where you check a user against AD?
https://administrator.de/forum/wpa2-und-serverzertifikat-145817.html#comment-572212
In the end I built everything manually on Debian. Then it worked.
Is SSL set up correctly at all? Start the radius server with: ./radiusd -X and post the output that is produced when a client connects.
Perhaps something more specific can be gleaned from that.
https://administrator.de/forum/wpa2-und-serverzertifikat-145817.html#comment-572224
Secure 802.1x WLAN user authentication via Radius (tutorial "Sichere 802.1x WLAN-Benutzer Authentisierung über Radius")
The point about SSL above is a good one, though. Almost all distros (exception: OpenSuSE) frequently ship Freeradius without SSL, so some manual work is required. For details on how to do it on Ubuntu and Debian see here:
http://www.heise.de/kiosk/archiv/ct/2010/10/180_kiosk
With OpenSuSE, however, it works right away without problems, since SSL is already built into FreeRadius there!
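The two questions raised in this and the preceding comments (which mschap settings to use when users are checked against AD, and getting the TLS side of FreeRADIUS working with a self-made certificate) come together in two configuration files. The fragment below is an added example for this thread, not configuration from the original poster or from the FreeRADIUS project. It assumes FreeRADIUS 2.x with the Debian file layout, a server joined to the AD domain via Samba/winbind, and an in-house CA whose certificate has been imported into the clients' "Trusted Root Certification Authorities" store; the ntlm_auth line matches the expansions that appear in the -X output posted later in the thread, while the certificate paths and the domain name MyDomain are placeholders.

```conf
# /etc/freeradius/modules/mschap   (FreeRADIUS 2.x; added example, paths are assumptions)
mschap {
	use_mppe = yes
	require_encryption = yes
	require_strong = yes
	with_ntdomain_hack = yes
	# Hand the MS-CHAPv2 challenge/response to winbind. The machine must be joined
	# to the domain and the account radiusd runs as needs access to the winbind pipe.
	ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{mschap:NT-Domain:-MyDomain} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}

# /etc/freeradius/eap.conf
eap {
	default_eap_type = peap
	tls {
		# Server certificate issued by the in-house CA, plus that CA's certificate.
		# The server certificate must carry the "TLS Web Server Authentication"
		# extended key usage (1.3.6.1.5.5.7.3.1), or the Windows supplicant rejects it.
		certificate_file = ${confdir}/certs/server.pem
		private_key_file = ${confdir}/certs/server.key
		private_key_password = whatever   # only consulted if server.key is encrypted
		CA_file = ${confdir}/certs/ca.pem
		dh_file = ${confdir}/certs/dh
		random_file = /dev/urandom
	}
	peap {
		default_eap_type = mschapv2
		virtual_server = "inner-tunnel"
		# Copy Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-Id from the
		# inner-tunnel reply into the outer Access-Accept; without this the VLAN
		# assignment never reaches the access point.
		use_tunneled_reply = yes
	}
	mschapv2 {
	}
}
```

On the Windows 7 side, keep "Validate server certificate" enabled in the PEAP properties and tick the imported CA under trusted root CAs; since the supplicant only checks the chain, also fill in "Connect to these servers" with the name in the server certificate so that any other certificate signed by that CA is not accepted. When the client does reject the certificate, the -X output stops in the middle of the TLS handshake and never reaches "SSL Connection Established".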
https://administrator.de/forum/wpa2-und-serverzertifikat-145817.html#comment-572321
https://administrator.de/forum/wpa2-und-serverzertifikat-145817.html#comment-572470
If that was it, please don't forget:
How can I mark a post as solved?
https://administrator.de/forum/wpa2-und-serverzertifikat-145817.html#comment-572681
My "freeradius -X" says the following; I can't find an error in it. What I noticed is that the line "MSCHAP Success" almost at the end of the output reads "MSCHAP noop" with the Proset software.
rad_recv: Access-Request packet from host 172.21.254.100 port 32775, id=117, length=365
Acct-Multi-Session-Id = "00-0F-61-BE-57-61-00-0E-35-41-3F-62-4C-2C-75-F3-00-06-C4-9C"
Acct-Session-Id = "127b7ea3-000000b0"
NAS-Port = 171
NAS-Port-Type = Wireless-802.11
NAS-Identifier = "msm710"
NAS-IP-Address = 172.21.254.101
Framed-MTU = 1496
User-Name = "MyDomain\\user01"
Calling-Station-Id = "00-0E-35-41-3F-62"
Called-Station-Id = "00-0F-61-BE-57-61"
Service-Type = Framed-User
EAP-Message = 0x02e900061900
State = 0x0c8338940d6a21365ce44cb56d848e45
Colubris-AVPair = "ssid=office"
Colubris-AVPair = "incoming-vlan-id=153"
Colubris-AVPair = "group=SYSADMIN"
Colubris-AVPair = "vsc-unique-id=2"
Colubris-AVPair = "phytype=IEEE802dot11b"
Colubris-Attr-250 = 0x00000001
Colubris-Attr-249 = 0xac15790d
Message-Authenticator = 0xbb38fc0e6b4e5456e50120c5fec13ca0
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "MyDomain\user01", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 233 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 117 to 172.21.254.100 port 32775
EAP-Message = ...
EAP-Message = 0x160414c25b1e3e25
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0c8338940e6921365ce44cb56d848e45
Finished request 18.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 172.21.254.100 port 32775, id=113, length=365
Acct-Multi-Session-Id = "00-0F-61-BE-57-61-00-0E-35-41-3F-62-4C-2C-75-F3-00-06-C4-9C"
Acct-Session-Id = "127b7ea3-000000b0"
NAS-Port = 171
NAS-Port-Type = Wireless-802.11
NAS-Identifier = "msm710"
NAS-IP-Address = 172.21.254.101
Framed-MTU = 1496
User-Name = "MyDomain\\user01"
Calling-Station-Id = "00-0E-35-41-3F-62"
Called-Station-Id = "00-0F-61-BE-57-61"
Service-Type = Framed-User
EAP-Message = 0x02ea00061900
State = 0x0c8338940e6921365ce44cb56d848e45
Colubris-AVPair = "ssid=office"
Colubris-AVPair = "incoming-vlan-id=153"
Colubris-AVPair = "group=SYSADMIN"
Colubris-AVPair = "vsc-unique-id=2"
Colubris-AVPair = "phytype=IEEE802dot11b"
Colubris-Attr-250 = 0x00000001
Colubris-Attr-249 = 0xac15790d
Message-Authenticator = 0x34718dac27d696188b8b5eff8d128f72
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "MyDomain\user01", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 234 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 113 to 172.21.254.100 port 32775
EAP-Message = ...
EAP-Message = 0x6f90df06ec156499cf49c4182d16030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0c8338940f6821365ce44cb56d848e45
Finished request 19.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 172.21.254.100 port 32775, id=56, length=681
Acct-Multi-Session-Id = "00-0F-61-BE-57-61-00-0E-35-41-3F-62-4C-2C-75-F3-00-06-C4-9C"
Acct-Session-Id = "127b7ea3-000000b0"
NAS-Port = 171
NAS-Port-Type = Wireless-802.11
NAS-Identifier = "msm710"
NAS-IP-Address = 172.21.254.101
Framed-MTU = 1496
User-Name = "MyDomain\\user01"
Calling-Station-Id = "00-0E-35-41-3F-62"
Called-Station-Id = "00-0F-61-BE-57-61"
Service-Type = Framed-User
EAP-Message = ...
EAP-Message = 0x63d5416dd049b205b9f2c151d20ba7bc4234d455925e78f41403010001011603010020809824767191f4d2a3251b74261a632f6e7e5574c201078b0c074ee5c685e81f
State = 0x0c8338940f6821365ce44cb56d848e45
Colubris-AVPair = "ssid=office"
Colubris-AVPair = "incoming-vlan-id=153"
Colubris-AVPair = "group=SYSADMIN"
Colubris-AVPair = "vsc-unique-id=2"
Colubris-AVPair = "phytype=IEEE802dot11b"
Colubris-Attr-250 = 0x00000001
Colubris-Attr-249 = 0xac15790d
Message-Authenticator = 0x371e270993fc1b40a5441c73550cb944
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "MyDomain\user01", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 235 length 253
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 310
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange
[peap] TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap] TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 write finished A
[peap] TLS_accept: SSLv3 flush data
[peap] (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 56 to 172.21.254.100 port 32775
EAP-Message = 0x01ec0031190014030100010116030100208ed5ff000eeecd10a0177d923328d625d391bf1e1387438619745daf587d4a95
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0c833894086f21365ce44cb56d848e45
Finished request 20.
Going to the next request
Waking up in 4.6 seconds.
rad_recv: Access-Request packet from host 172.21.254.100 port 32775, id=111, length=365
Acct-Multi-Session-Id = "00-0F-61-BE-57-61-00-0E-35-41-3F-62-4C-2C-75-F3-00-06-C4-9C"
Acct-Session-Id = "127b7ea3-000000b0"
NAS-Port = 171
NAS-Port-Type = Wireless-802.11
NAS-Identifier = "msm710"
NAS-IP-Address = 172.21.254.101
Framed-MTU = 1496
User-Name = "MyDomain\\user01"
Calling-Station-Id = "00-0E-35-41-3F-62"
Called-Station-Id = "00-0F-61-BE-57-61"
Service-Type = Framed-User
EAP-Message = 0x02ec00061900
State = 0x0c833894086f21365ce44cb56d848e45
Colubris-AVPair = "ssid=office"
Colubris-AVPair = "incoming-vlan-id=153"
Colubris-AVPair = "group=SYSADMIN"
Colubris-AVPair = "vsc-unique-id=2"
Colubris-AVPair = "phytype=IEEE802dot11b"
Colubris-Attr-250 = 0x00000001
Colubris-Attr-249 = 0xac15790d
Message-Authenticator = 0x6035d5394ec15d1ee39ecd4f9dde407e
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "MyDomain\user01", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 236 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
++[eap] returns handled
Sending Access-Challenge of id 111 to 172.21.254.100 port 32775
EAP-Message = 0x01ed002019001703010015b7f32ee41d58fbe33d71ff2f64d880c00de6f1d313
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0c833894096e21365ce44cb56d848e45
Finished request 21.
Going to the next request
Waking up in 4.6 seconds.
rad_recv: Access-Request packet from host 172.21.254.100 port 32775, id=234, length=404
Acct-Multi-Session-Id = "00-0F-61-BE-57-61-00-0E-35-41-3F-62-4C-2C-75-F3-00-06-C4-9C"
Acct-Session-Id = "127b7ea3-000000b0"
NAS-Port = 171
NAS-Port-Type = Wireless-802.11
NAS-Identifier = "msm710"
NAS-IP-Address = 172.21.254.101
Framed-MTU = 1496
User-Name = "MyDomain\\user01"
Calling-Station-Id = "00-0E-35-41-3F-62"
Called-Station-Id = "00-0F-61-BE-57-61"
Service-Type = Framed-User
EAP-Message = 0x02ed002d19001703010022b4db0c4c5a2487358cb1cfcf7c16d6a41c012113e2771880bbe053ddefd74291f6cd
State = 0x0c833894096e21365ce44cb56d848e45
Colubris-AVPair = "ssid=office"
Colubris-AVPair = "incoming-vlan-id=153"
Colubris-AVPair = "group=SYSADMIN"
Colubris-AVPair = "vsc-unique-id=2"
Colubris-AVPair = "phytype=IEEE802dot11b"
Colubris-Attr-250 = 0x00000001
Colubris-Attr-249 = 0xac15790d
Message-Authenticator = 0xa406b2ad0fd42103b84bd636e9e9128d
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "MyDomain\user01", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 237 length 45
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Identity - MyDomain\user01
[peap] Got tunneled request
EAP-Message = 0x02ed001601534343482e41545c417474656e65646572
server {
PEAP: Got tunneled identity of MyDomain\user01
PEAP: Setting default EAP type for tunneled EAP session.
PEAP: Setting User-Name to MyDomain\user01
Sending tunneled request
EAP-Message = 0x02ed001601534343482e41545c417474656e65646572
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "MyDomain\\user01"
Acct-Multi-Session-Id = "00-0F-61-BE-57-61-00-0E-35-41-3F-62-4C-2C-75-F3-00-06-C4-9C"
Acct-Session-Id = "127b7ea3-000000b0"
NAS-Port = 171
NAS-Port-Type = Wireless-802.11
NAS-Identifier = "msm710"
NAS-IP-Address = 172.21.254.101
Framed-MTU = 1496
Calling-Station-Id = "00-0E-35-41-3F-62"
Called-Station-Id = "00-0F-61-BE-57-61"
Service-Type = Framed-User
Colubris-AVPair = "ssid=office"
Colubris-AVPair = "incoming-vlan-id=153"
Colubris-AVPair = "group=SYSADMIN"
Colubris-AVPair = "vsc-unique-id=2"
Colubris-AVPair = "phytype=IEEE802dot11b"
Colubris-Attr-250 = 0x00000001
Colubris-Attr-249 = 0xac15790d
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "MyDomain\user01", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 237 length 22
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[ldap] Entering ldap_groupcmp()
[files] expand: dc=myDomain,dc=at -> dc=myDomain,dc=at
[files] expand: %{Stripped-User-Name} ->
[files] ... expanding second conditional
[files] expand: %{mschap:User-Name} -> user01
[files] expand: %{%{mschap:User-Name}:-None} -> user01
[files] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{%{mschap:User-Name}:-None}}) -> (sAMAccountName=user01)
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in dc=myDomain,dc=at, with filter (sAMAccountName=user01)
[ldap] ldap_release_conn: Release Id: 0
[files] expand: (|(&(objectClass=group)(member=%{check:LDAP-UserDn}))(&(objectClass=GroupOfNames)(member=%{check:Ldap-UserDn}))) -> (|(&(objectClass=group)(member=CN\ user01\2cOU\3dSystem_Administration\2cOU\3dEmployees\2cOU\3dAccounts\2cDC\3d\2cDC\3dat))(&(objectClass=GroupOfNames)(member=CN\ user01\2cOU\3dSystem_Administration\2cOU\3dEmployees\2cOU\3dAccounts\2cDC\3d\2cDC\3dat)))
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in dc=myDomain,dc=at, with filter (&(cn=staff)(|(&(objectClass=group)(member=CN\ user01\2cOU\3dSystem_Administration\2cOU\3dEmployees\2cOU\3dAccounts\2cDC\3d\2cDC\3dat))(&(objectClass=GroupOfNames)(member=CN\ user01\2cOU\3dSystem_Administration\2cOU\3dEmployees\2cOU\3dAccounts\2cDC\3d\2cDC\3dat))))
rlm_ldap::ldap_groupcmp: User found in group staff
[ldap] ldap_release_conn: Release Id: 0
[files] users: Matched entry DEFAULT at line 1
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
Reply-Message = "Group Staff in Administration VLAN"
Framed-Protocol = PPP
Service-Type = Framed-User
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "151"
EAP-Message = 0x01ee002b1a01ee002610bd9d9df15879d3cbd52a655349877427534343482e41545c417474656e65646572
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x59ba362259542c24ba9c3bcd7856543c
[peap] Got tunneled reply RADIUS code 11
Reply-Message = "Group Staff in Administration VLAN"
Framed-Protocol = PPP
Service-Type = Framed-User
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "151"
EAP-Message = 0x01ee002b1a01ee002610bd9d9df15879d3cbd52a655349877427534343482e41545c417474656e65646572
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x59ba362259542c24ba9c3bcd7856543c
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 234 to 172.21.254.100 port 32775
EAP-Message = 0x01ee00421900170301003719ad1e77b8033a71048a0f573e0a27b1d2e66b53bc3afce946fc4e5dba49958c35f7ec946499c1d3f71c1ec7f56063aca2506c75f44975
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0c8338940a6d21365ce44cb56d848e45
Finished request 22.
Going to the next request
Waking up in 4.2 seconds.
rad_recv: Access-Request packet from host 172.21.254.100 port 32775, id=130, length=458
Acct-Multi-Session-Id = "00-0F-61-BE-57-61-00-0E-35-41-3F-62-4C-2C-75-F3-00-06-C4-9C"
Acct-Session-Id = "127b7ea3-000000b0"
NAS-Port = 171
NAS-Port-Type = Wireless-802.11
NAS-Identifier = "msm710"
NAS-IP-Address = 172.21.254.101
Framed-MTU = 1496
User-Name = "MyDomain\\user01"
Calling-Station-Id = "00-0E-35-41-3F-62"
Called-Station-Id = "00-0F-61-BE-57-61"
Service-Type = Framed-User
EAP-Message = 0x02ee00631900170301005859fca98043f6f161b4012962550df766b0484707b0ab65aac6a96380d4b1a6f28c56ca904d42c2443d458e9c638db185d07d5b275f32f799e1fa09d5a978fcc4712373de9d3c2078579ae2ccfc2dbabf77168460333e703b
State = 0x0c8338940a6d21365ce44cb56d848e45
Colubris-AVPair = "ssid=office"
Colubris-AVPair = "incoming-vlan-id=153"
Colubris-AVPair = "group=SYSADMIN"
Colubris-AVPair = "vsc-unique-id=2"
Colubris-AVPair = "phytype=IEEE802dot11b"
Colubris-Attr-250 = 0x00000001
Colubris-Attr-249 = 0xac15790d
Message-Authenticator = 0x7c7eff700ffe03dba7f78cbeac5a8e88
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "MyDomain\user01", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 238 length 99
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] EAP type mschapv2
[peap] Got tunneled request
EAP-Message = 0x02ee004c1a02ee004731c28bd417bee750e3dd6332d632b423c600000000000000006a1e965b5f9347b61b2a70828b6744570a7b2817ce4dfde500534343482e41545c417474656e65646572
server {
PEAP: Setting User-Name to MyDomain\user01
Sending tunneled request
EAP-Message = 0x02ee004c1a02ee004731c28bd417bee750e3dd6332d632b423c600000000000000006a1e965b5f9347b61b2a70828b6744570a7b2817ce4dfde500534343482e41545c417474656e65646572
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "MyDomain\\user01"
State = 0x59ba362259542c24ba9c3bcd7856543c
Acct-Multi-Session-Id = "00-0F-61-BE-57-61-00-0E-35-41-3F-62-4C-2C-75-F3-00-06-C4-9C"
Acct-Session-Id = "127b7ea3-000000b0"
NAS-Port = 171
NAS-Port-Type = Wireless-802.11
NAS-Identifier = "msm710"
NAS-IP-Address = 172.21.254.101
Framed-MTU = 1496
Calling-Station-Id = "00-0E-35-41-3F-62"
Called-Station-Id = "00-0F-61-BE-57-61"
Service-Type = Framed-User
Colubris-AVPair = "ssid=office"
Colubris-AVPair = "incoming-vlan-id=153"
Colubris-AVPair = "group=SYSADMIN"
Colubris-AVPair = "vsc-unique-id=2"
Colubris-AVPair = "phytype=IEEE802dot11b"
Colubris-Attr-250 = 0x00000001
Colubris-Attr-249 = 0xac15790d
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "MyDomain\user01", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 238 length 76
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[ldap] Entering ldap_groupcmp()
[files] expand: dc=myDomain,dc=at -> dc=myDomain,dc=at
[files] expand: %{Stripped-User-Name} ->
[files] ... expanding second conditional
[files] expand: %{mschap:User-Name} -> user01
[files] expand: %{%{mschap:User-Name}:-None} -> user01
[files] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{%{mschap:User-Name}:-None}}) -> (sAMAccountName=user01)
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in dc=myDomain,dc=at, with filter (sAMAccountName=user01)
[ldap] ldap_release_conn: Release Id: 0
[files] expand: (|(&(objectClass=group)(member=%{check:LDAP-UserDn}))(&(objectClass=GroupOfNames)(member=%{check:Ldap-UserDn}))) -> (|(&(objectClass=group)(member=CN\ user01\2cOU\3dSystem_Administration\2cOU\3dEmployees\2cOU\3dAccounts\2cDC\3d\2cDC\3dat))(&(objectClass=GroupOfNames)(member=CN\ user01\2cOU\3dSystem_Administration\2cOU\3dEmployees\2cOU\3dAccounts\2cDC\3d\2cDC\3dat)))
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in dc=myDomain,dc=at, with filter (&(cn=staff)(|(&(objectClass=group)(member=CN\ user01\2cOU\3dSystem_Administration\2cOU\3dEmployees\2cOU\3dAccounts\2cDC\3d\2cDC\3dat))(&(objectClass=GroupOfNames)(member=CN\ user01\2cOU\3dSystem_Administration\2cOU\3dEmployees\2cOU\3dAccounts\2cDC\3d\2cDC\3dat))))
rlm_ldap::ldap_groupcmp: User found in group staff
[ldap] ldap_release_conn: Release Id: 0
[files] users: Matched entry DEFAULT at line 1
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] Told to do MS-CHAPv2 for user01 with NT-Password
[mschap] expand: --username=%{mschap:User-Name:-None} -> --username=user01
[mschap] expand: --domain=%{mschap:NT-Domain:-MyDomain} -> --domain=MyDomain
[mschap] mschap2: bd
[mschap] expand: --challenge=%{mschap:Challenge0} -> --challenge=d2da6badd9ff26d6
[mschap] expand: --nt-response=%{mschap:NT-Response0} -> --nt-response=6a1e965b5f9347b61b2a70828b6744570a7b2817ce4dfde5
Exec-Program output: NT_KEY: CF43F15A6983B44804BD2D08FF03801F
Exec-Program-Wait: plaintext: NT_KEY: CF43F15A6983B44804BD2D08FF03801F
Exec-Program: returned: 0
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
MSCHAP Success
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
Reply-Message = "Group Staff in Administration VLAN"
Framed-Protocol = PPP
Service-Type = Framed-User
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "151"
EAP-Message = 0x01ef00331a03ee002e533d38453244383934343244333838453943383945393642383346434430304242313834323936363844
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x59ba362258552c24ba9c3bcd7856543c
[peap] Got tunneled reply RADIUS code 11
Reply-Message = "Group Staff in Administration VLAN"
Framed-Protocol = PPP
Service-Type = Framed-User
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "151"
EAP-Message = 0x01ef00331a03ee002e533d38453244383934343244333838453943383945393642383346434430304242313834323936363844
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x59ba362258552c24ba9c3bcd7856543c
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 130 to 172.21.254.100 port 32775
EAP-Message = 0x01ef004a1900170301003f17863e4b39420abe1bdd307fc864d5f78951114d30cfb3e898cc25fd18d1d0ac17310498921d7152af37dd593889402ae01619793068e332e6b1959cd7c6ac
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0c8338940b6c21365ce44cb56d848e45
Finished request 23.
Going to the next request
Waking up in 3.8 seconds.
Cleaning up request 16 ID 17 with timestamp +21
Cleaning up request 17 ID 12 with timestamp +21
Cleaning up request 18 ID 117 with timestamp +21
Cleaning up request 19 ID 113 with timestamp +21
Waking up in 0.1 seconds.
Cleaning up request 20 ID 56 with timestamp +21
Cleaning up request 21 ID 111 with timestamp +22
Waking up in 0.3 seconds.
Cleaning up request 22 ID 234 with timestamp +22
Waking up in 0.4 seconds.
Cleaning up request 23 ID 130 with timestamp +22
Ready to process requests.
https://administrator.de/forum/wpa2-und-serverzertifikat-145817.html#comment-573226
Your authentication looks OK so far. The only worrying part is
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "MyDomain\user01", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
but apparently the Radius doesn't mind and carries on, since the auth runs through without errors!
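The two observations made about the posted log (the poster's "MSCHAP Success" versus "MSCHAP noop" with the Proset client, and the "++[mschap] returns noop" lines the reply above calls worrying) are easier to judge when the -X output is summarised per Access-Request. The script below is an added example written for this page, not code from the thread or from the FreeRADIUS project. It parses FreeRADIUS 2.x radiusd -X output in the format posted above, reports for each request how far PEAP got, what the mschap module returned inside the inner-tunnel authenticate section, which VLAN came back and what packet was sent to the NAS, and it redacts the lines that carry password-derived material. The sample input is a constructed, shortened excerpt of the posted log with the hex values cut down.

```python
"""Summarise FreeRADIUS 2.x "radiusd -X" output per Access-Request (added example, not from the thread)."""
import re
from dataclasses import dataclass, field

RAD_RECV = re.compile(r"^rad_recv: Access-Request packet from host \S+ port \d+, id=(\d+)")
SENDING = re.compile(r"^Sending (Access-\w+) of id (\d+)")
USER_NAME = re.compile(r'^\s*User-Name = "([^"]*)"')
INNER_EAP = re.compile(r"^\[eap\] processing type (\w+)")
MSCHAP_MOD = re.compile(r"^\+\+\[mschap\] returns (\w+)")
VLAN = re.compile(r'^\s*Tunnel-Private-Group-Id:0 = "([^"]*)"')
# Hex on these lines is derived from the user's password (winbind NT_KEY, MS-CHAPv2 challenge/NT-Response).
SENSITIVE = re.compile(r"(NT_KEY: |--challenge=|--nt-response=)[0-9A-Fa-f]+")

@dataclass
class RequestSummary:
    rad_id: int
    user: str = ""
    tls_established: bool = False  # "SSL Connection Established" seen (outer TLS done)
    tunnel_ready: bool = False     # PEAP started decoding tunneled attributes
    inner_eap: str = ""            # EAP type processed inside "server inner-tunnel"
    mschap: str = ""               # inner authenticate result: Success / ok / noop / reject ...
    vlan: str = ""                 # Tunnel-Private-Group-Id carried in the tunneled reply
    reply: str = ""                # RADIUS packet type sent back for this id
    sensitive_lines: list = field(default_factory=list)  # 1-based line numbers to redact

    def phase(self):
        if self.mschap == "Success":
            return "inner MS-CHAPv2 success"
        if self.mschap and self.mschap != "ok":
            return "inner mschap module returned " + self.mschap
        if self.inner_eap:
            return "inner " + self.inner_eap + " in progress"
        if self.tunnel_ready:
            return "PEAP tunnel up"
        return "TLS handshake finished" if self.tls_established else "TLS handshake in progress"

def parse_debug(text):
    """One RequestSummary per rad_recv block, in order of appearance."""
    out, cur, in_inner, inner_auth = [], None, False, False
    for lineno, line in enumerate(text.splitlines(), 1):
        if m := RAD_RECV.match(line):
            cur = RequestSummary(int(m.group(1)))
            out.append(cur)
            in_inner = inner_auth = False
            continue
        if cur is None:
            continue
        if SENSITIVE.search(line):
            cur.sensitive_lines.append(lineno)
        if line.startswith("server inner-tunnel {"):
            in_inner = True
        elif line.startswith("} # server inner-tunnel"):
            in_inner = inner_auth = False
        elif in_inner and line.startswith("+- entering group authenticate"):
            inner_auth = True  # the outer and inner authorize sections also run mschap (-> noop)
        if not cur.user and (m := USER_NAME.match(line)):
            cur.user = m.group(1)
        if line.startswith("SSL Connection Established"):
            cur.tls_established = True
        elif line.startswith("[peap] Session established."):
            cur.tunnel_ready = True
        if in_inner and (m := INNER_EAP.match(line)):
            cur.inner_eap = m.group(1)
        if inner_auth and (m := MSCHAP_MOD.match(line)):
            cur.mschap = m.group(1)
        elif inner_auth and line.startswith("MSCHAP Success"):
            cur.mschap = "Success"
        if m := VLAN.match(line):
            cur.vlan = m.group(1)
        if (m := SENDING.match(line)) and int(m.group(2)) == cur.rad_id:
            cur.reply = m.group(1)
    return out

def redact(text):
    """Blank the password-derived hex so the debug output can be shared."""
    return SENSITIVE.sub(r"\1<redacted>", text)

# Constructed sample: condensed excerpts of requests id=56 and id=130 from the
# debug output posted in the thread, with the hex values shortened.
SAMPLE = r"""rad_recv: Access-Request packet from host 172.21.254.100 port 32775, id=56, length=681
SSL Connection Established
Sending Access-Challenge of id 56 to 172.21.254.100 port 32775
rad_recv: Access-Request packet from host 172.21.254.100 port 32775, id=130, length=458
        User-Name = "MyDomain\\user01"
[peap] Session established. Decoding tunneled attributes.
server inner-tunnel {
++[mschap] returns noop
+- entering group authenticate {...}
[eap] processing type mschapv2
[mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=d2da6badd9ff26d6
[mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=6a1e965b5f9347b6
Exec-Program output: NT_KEY: CF43F15A6983B448
++[mschap] returns ok
MSCHAP Success
} # server inner-tunnel
        Tunnel-Private-Group-Id:0 = "151"
Sending Access-Challenge of id 130 to 172.21.254.100 port 32775
"""
```

Feed the captured -X output to parse_debug() and print phase(), mschap, vlan and reply per request. Two things the summary makes visible in the log posted above: the "++[mschap] returns noop" lines in the authorize sections are normal, because the outer request carries only EAP-Message and the mschap module has nothing to do until the inner-tunnel authenticate section hands it the MS-CHAPv2 response, so the parser reads the module result only there; and even after "MSCHAP Success" the packet sent for id 130 is still an Access-Challenge, since the success is tunneled and the Access-Accept only follows once the client acknowledges it, which the posted excerpt does not include. Run redact() over the output before pasting it into a forum: the NT_KEY, --challenge and --nt-response values are password-derived material that has no business in a public post.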
https://administrator.de/forum/wpa2-und-serverzertifikat-145817.html#comment-574200