At my new job I have inherited a WPA2-Enterprise service with PEAP + FreeRADIUS + OpenLDAP. As NAS we use Aruba IAP with the “eap-termination” function enabled. And this bundle works well!

A little deeper: in OpenLDAP, clients’ passwords are stored as the base64 form of an SSHA hash (e.g. e1NIQX****). But as is written in [this document][1], PEAP and SSHA are not compatible. So I may assume that in my case the user’s NT hash is passed to be compared with the NT hash from OpenLDAP in order to authenticate the user.

I see in Wireshark how the client negotiates EAP and TLS with the NAS (Aruba). After that, the NAS (Aruba) sends a UDP packet to the RADIUS server which contains:

User-Name = "noc.noc"
1) NAS-IP-Address = 172.16.98.9
2) NAS-Port = 0
3) NAS-Port-Type = Wireless-802.11
4) Calling-Station-Id = "0088653dc372"
5) Called-Station-Id = "24f27fcef196"
6) Service-Type = Framed-User
7) Aruba-Essid-Name = "NOC"
8) Aruba-Location-Id = "leo-lv10-ap09-sw0168"
9) Aruba-AP-Group = "leo-lv10-cluster-aps"
10) MS-CHAP-Challenge = f3f68430d3da8d4c0c4af**********************
11) MS-CHAP2-Response = 0a4eced1541ebb4e7224b50fda0000008********
12) Message-Authenticator = 0x81ae3c61e25ed97fb37caf82c448cb29

As you see, the Auth-Type is MSCHAP; this is confirmed by the received MS attributes (items 10 and 11 above) and the logs from RADIUS:

++[auth_log] = ok
++[chap] = noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] = noop
**[mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap'**
++[mschap] = ok

Now FreeRADIUS must compare the NT hash from the NAS with the NT hash from OpenLDAP. How does it do this? How does FreeRADIUS extract the NT hash from the MS-CHAP attributes? How does FreeRADIUS extract the NT hash from the LDAP database, given that LDAP stores the user’s password as a base64 hash?

And the most interesting part: if I turn off eap-termination on the Aruba, authentication breaks. Why is that?

Logs of a successful auth:

        rad_recv: Access-Request packet from host 172.16.33.72 port 56487, id=5, length=241
            User-Name = "noc.noc"
            NAS-IP-Address = 172.16.33.72
            NAS-Port = 0
            NAS-Port-Type = Wireless-802.11
            Calling-Station-Id = "0088653dc372"
            Called-Station-Id = "484ae9c6512c"
            Service-Type = Framed-User
            Aruba-Essid-Name = "noc"
            Aruba-Location-Id = "48:4a:e9:c6:51:2c"
            Aruba-AP-Group = "SetMeUp-C6:51:2C"
            MS-CHAP-Challenge = 0xae3be5fcae160d60bead13769b211a22
            MS-CHAP2-Response = 0x00000d55669b03000012910d0850d18988
            Message-Authenticator = 0x9ac4997bf5f00
        server auth-ldap-dzento 
        # Executing section authorize from file /etc/freeradius/sites-enabled/auth-ldap-dzento
        +group authorize 
        ++[preprocess] = ok
        [auth_log]  expand: %Packet-Src-IP-Address -> 172.16.33.72
        [auth_log]  expand: /var/log/freeradius/radacct/%%Packet-Src-IP-Address:-%Packet-Src-IPv6-Address/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/172.16.33.72/auth-detail-20191205
        [auth_log] /var/log/freeradius/radacct/%%Packet-Src-IP-Address:-%Packet-Src-IPv6-Address/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/172.16.33.72/auth-detail-20191205
        [auth_log]  expand: %t -> Thu Dec  5 15:11:57 2019
        ++[auth_log] = ok
        ++[chap] = noop
        [pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
        ++[pap] = noop
        [mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
        ++[mschap] = ok
        [suffix] No '@' in User-Name = "noc.noc", looking up realm NULL
        [suffix] No such realm "NULL"
        ++[suffix] = noop
        [eap] No EAP-Message, not doing EAP
        ++[eap] = noop
        ++policy redundant 
        [ldapIpa01dzento] performing user authorization for noc.noc
        [ldapIpa01dzento]   expand: (uid=%User-Name) -> (uid=noc.noc)
        [ldapIpa01dzento]   expand: cn=users,cn=accounts,dc=dzento,dc=com -> cn=users,cn=accounts,dc=dzento,dc=com
          [ldapIpa01dzento] ldap_get_conn: Checking Id: 0
          [ldapIpa01dzento] ldap_get_conn: Got Id: 0
          [ldapIpa01dzento] attempting LDAP reconnection
          [ldapIpa01dzento] (re)connect to ldaps://10.150.44.3, authentication 0
          [ldapIpa01dzento] bind as uid=svc-user-reader,cn=users,cn=accounts,dc=dzento,dc=com/FmVzT8c80D to ldaps://10.150.44.3
          [ldapIpa01dzento] waiting for bind result ...
          [ldapIpa01dzento] Bind was successful
          [ldapIpa01dzento] performing search in cn=users,cn=accounts,dc=dzento,dc=com, with filter (uid=noc.noc)
        [ldapIpa01dzento] checking if remote access for noc.noc is allowed by uid
        [ldapIpa01dzento] Added User-Password = SHAeyGE8OFGTTbhCA= in check items
        [ldapIpa01dzento] No default NMAS login sequence
        [ldapIpa01dzento] looking for check items in directory...
          [ldapIpa01dzento] userPassword -> Cleartext-Password == "SHAeyGEisrnGTTbhCA="
          [ldapIpa01dzento] ipaNTHash -> NT-Password == 0xe9fceff7841e874f2
        [ldapIpa01dzento] looking for reply items in directory...
        [ldapIpa01dzento] user noc.noc authorized to use remote access
          [ldapIpa01dzento] ldap_release_conn: Release Id: 0
        +++[ldapIpa01dzento] = ok
        ++ # policy redundant = ok
        ++[expiration] = noop
        ++[logintime] = noop
        + # group authorize = ok
        Found Auth-Type = MSCHAP
        # Executing group from file /etc/freeradius/sites-enabled/auth-ldap-dzento
        +group MS-CHAP 
        [mschap] Found NT-Password
        [mschap] Creating challenge hash with username: noc.noc
        [mschap] Client is using MS-CHAPv2 for noc.noc, we need NT-Password
        ++[mschap] = ok
        + # group MS-CHAP = ok
        Login OK: [noc.noc/<via Auth-Type = MSCHAP>] (from client iap315 port 0 cli 0088653dc372)
         # server auth-ldap-dzento
        # Executing section post-auth from file /etc/freeradius/sites-enabled/auth-ldap-dzento
        +group post-auth 
        [reply_log]     expand: %Packet-Src-IP-Address -> 172.16.33.72
        [reply_log]     expand: /var/log/freeradius/radacct/%%Packet-Src-IP-Address:-%Packet-Src-IPv6-Address/reply-detail-%Y%m%d -> /var/log/freeradius/radacct/172.16.33.72/reply-detail-20191205
        [reply_log] /var/log/freeradius/radacct/%%Packet-Src-IP-Address:-%Packet-Src-IPv6-Address/reply-detail-%Y%m%d expands to /var/log/freeradius/radacct/172.16.33.72/reply-detail-20191205
        [reply_log]     expand: %t -> Thu Dec  5 15:11:57 2019
        ++[reply_log] = ok
        + # group post-auth = ok
        Sending Access-Accept of id 5 to 172.16.33.72 port 56487
            MS-CHAP2-Success = 0x00533d313845463393139344353646434537303338383339
        Finished request 0.
        Going to the next request
        Waking up in 4.9 seconds.

Auth with eap-termination disabled:

rad_recv: Access-Request packet from host 172.16.33.72 port 60255, id=163, length=193
    User-Name = "noc.noc"
    NAS-IP-Address = 172.16.33.72
    NAS-Port = 0
    NAS-Identifier = "172.16.33.72"
    NAS-Port-Type = Wireless-802.11
    Calling-Station-Id = "0088653dc372"
    Called-Station-Id = "484ae9c6512c"
    Service-Type = Framed-User
    Framed-MTU = 1100
    EAP-Message = 0x0201000c016e6f632e6e6f63
    Aruba-Essid-Name = "noc"
    Aruba-Location-Id = "48:4a:e9:c6:51:2c"
    Aruba-AP-Group = "SetMeUp-C6:51:2C"
    Message-Authenticator = 0xd8b8175a5d3ec0f3b3271e6d81a6840c
server auth-ldap-dzento 
# Executing section authorize from file /etc/freeradius/sites-enabled/auth-ldap-dzento
+group authorize 
++[preprocess] = ok
[auth_log]  expand: %Packet-Src-IP-Address -> 172.16.33.72
[auth_log]  expand: /var/log/freeradius/radacct/%%Packet-Src-IP-Address:-%Packet-Src-IPv6-Address/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/172.16.33.72/auth-detail-20191205
[auth_log] /var/log/freeradius/radacct/%%Packet-Src-IP-Address:-%Packet-Src-IPv6-Address/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/172.16.33.72/auth-detail-20191205
[auth_log]  expand: %t -> Thu Dec  5 15:22:26 2019
++[auth_log] = ok
++[chap] = noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] = noop
++[mschap] = noop
[suffix] No '@' in User-Name = "noc.noc", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 1 length 12
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++policy redundant 
[ldapIpa01dzento] performing user authorization for noc.noc
[ldapIpa01dzento]   expand: (uid=%User-Name) -> (uid=noc.noc)
[ldapIpa01dzento]   expand: cn=users,cn=accounts,dc=dzento,dc=com -> cn=users,cn=accounts,dc=dzento,dc=com
  [ldapIpa01dzento] ldap_get_conn: Checking Id: 0
  [ldapIpa01dzento] ldap_get_conn: Got Id: 0
  [ldapIpa01dzento] performing search in cn=users,cn=accounts,dc=dzento,dc=com, with filter (uid=noc.noc)
[ldapIpa01dzento] checking if remote access for noc.noc is allowed by uid
[ldapIpa01dzento] Added User-Password = SHAeyGOFGTTbhCA= in check items
[ldapIpa01dzento] No default NMAS login sequence
[ldapIpa01dzento] looking for check items in directory...
  [ldapIpa01dzento] userPassword -> Cleartext-Password == "SHAeyGEiGTTbhCA="
  [ldapIpa01dzento] ipaNTHash -> NT-Password == 0xe9fceff7358f841e874f2
[ldapIpa01dzento] looking for reply items in directory...
[ldapIpa01dzento] user noc.noc authorized to use remote access
  [ldapIpa01dzento] ldap_release_conn: Release Id: 0
+++[ldapIpa01dzento] = ok
++ # policy redundant = ok
++[expiration] = noop
++[logintime] = noop
+ # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/auth-ldap-dzento
+group authenticate 
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] = handled
+ # group authenticate = handled
 # server auth-ldap-dzento
Sending Access-Challenge of id 163 to 172.16.33.72 port 60255
    EAP-Message = 0x010200211a0102001c10a5302a6a9d17e987b99876e608c9d16c6e6f632e6e6f63
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0xc2101931c21203ae4e6b44862e58d21c
Finished request 11.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.16.33.72 port 60255, id=164, length=207
    User-Name = "noc.noc"
    NAS-IP-Address = 172.16.33.72
    NAS-Port = 0
    NAS-Identifier = "172.16.33.72"
    NAS-Port-Type = Wireless-802.11
    Calling-Station-Id = "0088653dc372"
    Called-Station-Id = "484ae9c6512c"
    Service-Type = Framed-User
    Framed-MTU = 1100
    EAP-Message = 0x020200080319152b
    State = 0xc2101931c21203ae4e6b44862e58d21c
    Aruba-Essid-Name = "noc"
    Aruba-Location-Id = "48:4a:e9:c6:51:2c"
    Aruba-AP-Group = "SetMeUp-C6:51:2C"
    Message-Authenticator = 0x24c670e24ec1d9c8e40ed318ded7d670
server auth-ldap-dzento 
# Executing section authorize from file /etc/freeradius/sites-enabled/auth-ldap-dzento
+group authorize 
++[preprocess] = ok
[auth_log]  expand: %Packet-Src-IP-Address -> 172.16.33.72
[auth_log]  expand: /var/log/freeradius/radacct/%%Packet-Src-IP-Address:-%Packet-Src-IPv6-Address/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/172.16.33.72/auth-detail-20191205
[auth_log] /var/log/freeradius/radacct/%%Packet-Src-IP-Address:-%Packet-Src-IPv6-Address/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/172.16.33.72/auth-detail-20191205
[auth_log]  expand: %t -> Thu Dec  5 15:22:26 2019
++[auth_log] = ok
++[chap] = noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] = noop
++[mschap] = noop
[suffix] No '@' in User-Name = "noc.noc", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 2 length 8
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++policy redundant 
[ldapIpa01dzento] performing user authorization for noc.noc
[ldapIpa01dzento]   expand: (uid=%User-Name) -> (uid=noc.noc)
[ldapIpa01dzento]   expand: cn=users,cn=accounts,dc=dzento,dc=com -> cn=users,cn=accounts,dc=dzento,dc=com
  [ldapIpa01dzento] ldap_get_conn: Checking Id: 0
  [ldapIpa01dzento] ldap_get_conn: Got Id: 0
  [ldapIpa01dzento] performing search in cn=users,cn=accounts,dc=dzento,dc=com, with filter (uid=noc.noc)
[ldapIpa01dzento] checking if remote access for noc.noc is allowed by uid
[ldapIpa01dzento] Added User-Password = SHAeyGEisOFGTTbhCA= in check items
[ldapIpa01dzento] No default NMAS login sequence
[ldapIpa01dzento] looking for check items in directory...
  [ldapIpa01dzento] userPassword -> Cleartext-Password == "SHAeyGEismvGTTbhCA="
  [ldapIpa01dzento] ipaNTHash -> NT-Password == 0xe9fceff7358fe874f2
[ldapIpa01dzento] looking for reply items in directory...
[ldapIpa01dzento] user noc.noc authorized to use remote access
  [ldapIpa01dzento] ldap_release_conn: Release Id: 0
+++[ldapIpa01dzento] = ok
++ # policy redundant = ok
++[expiration] = noop
++[logintime] = noop
+ # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/auth-ldap-dzento
+group authenticate 
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/peap
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] = handled
+ # group authenticate = handled
 # server auth-ldap-dzento
Sending Access-Challenge of id 164 to 172.16.33.72 port 60255
    EAP-Message = 0x010300061920
    Message-Authenticator = 0x0000000000000000000000000
    State = 0xc2101931c31300ae4e6b44862e58d21c
Finished request 12.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 172.16.33.72 port 60255, id=165, length=360
    User-Name = "noc.noc"
    NAS-IP-Address = 172.16.33.72
    NAS-Port = 0
    NAS-Identifier = "172.16.33.72"
    NAS-Port-Type = Wireless-802.11
    Calling-Station-Id = "0088653dc372"
    Called-Station-Id = "484ae9c6512c"
    Service-Type = Framed-User
    Framed-MTU = 1100
    EAP-Message = 0x020300a1198000000097
    State = 0xc2101931c31300ae4e6b44862e58d21c
    Aruba-Essid-Name = "noc"
    Aruba-Location-Id = "48:4a:e9:c6:51:2c"
    Aruba-AP-Group = "SetMeUp-C6:51:2C"
    Message-Authenticator = 0x280d5ae70a1e4b1ef55e049166b9f492
server auth-ldap-dzento 
# Executing section authorize from file /etc/freeradius/sites-enabled/auth-ldap-dzento
+group authorize 
++[preprocess] = ok
[auth_log]  expand: %Packet-Src-IP-Address -> 172.16.33.72
[auth_log]  expand: /var/log/freeradius/radacct/%%Packet-Src-IP-Address:-%Packet-Src-IPv6-Address/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/172.16.33.72/auth-detail-20191205
[auth_log] /var/log/freeradius/radacct/%%Packet-Src-IP-Address:-%Packet-Src-IPv6-Address/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/172.16.33.72/auth-detail-20191205
[auth_log]  expand: %t -> Thu Dec  5 15:22:26 2019
++[auth_log] = ok
++[chap] = noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] = noop
++[mschap] = noop
[suffix] No '@' in User-Name = "noc.noc", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 3 length 161
[eap] Continuing tunnel setup.
++[eap] = ok
+ # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/auth-ldap-dzento
+group authenticate 
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 151
[peap] Length Included
[peap] eaptls_verify returned 11
[peap]     (other): before/accept initialization
[peap]     TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 0092], ClientHello
[peap]     TLS_accept: unknown state
[peap] >>> TLS 1.0 Handshake [length 0039], ServerHello
[peap]     TLS_accept: unknown state
[peap] >>> TLS 1.0 Handshake [length 02ee], Certificate
[peap]     TLS_accept: unknown state
[peap] >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange
[peap]     TLS_accept: unknown state
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap]     TLS_accept: unknown state
[peap]     TLS_accept: unknown state
[peap]     TLS_accept: Need to read more data: unknown state
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+ # group authenticate = handled
 # server auth-ldap-dzento
Sending Access-Challenge of id 165 to 172.16.33.72 port 60255
    EAP-Message = 0x0104040019c02b
    EAP-Message = 0x528f1cb4a15af6f7a3
    EAP-Message = 0x88317889560dbe2b6e9ac611
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0xc2101931c01400ae4e6b44862e58d21c
Finished request 13.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 172.16.33.72 port 60255, id=166, length=205
    User-Name = "noc.noc"
    NAS-IP-Address = 172.16.33.72
    NAS-Port = 0
    NAS-Identifier = "172.16.33.72"
    NAS-Port-Type = Wireless-802.11
    Calling-Station-Id = "0088653dc372"
    Called-Station-Id = "484ae9c6512c"
    Service-Type = Framed-User
    Framed-MTU = 1100
    EAP-Message = 0x020400061900
    State = 0xc2101931c01400ae4e6b44862e58d21c
    Aruba-Essid-Name = "noc"
    Aruba-Location-Id = "48:4a:e9:c6:51:2c"
    Aruba-AP-Group = "SetMeUp-C6:51:2C"
    Message-Authenticator = 0x6b05061fd68d2a2f909e8a655ed2283c
server auth-ldap-dzento 
# Executing section authorize from file /etc/freeradius/sites-enabled/auth-ldap-dzento
+group authorize 
++[preprocess] = ok
++[chap] = noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] = noop
++[mschap] = noop
[suffix] No '@' in User-Name = "noc.noc", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 4 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+ # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/auth-ldap-dzento
+group authenticate 
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+ # group authenticate = handled
 # server auth-ldap-dzento
Sending Access-Challenge of id 166 to 172.16.33.72 port 60255
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0xc2101931c11500ae4e6b44862e58d21c
Finished request 14.
Going to the next request
Waking up in 4.6 seconds.
rad_recv: Access-Request packet from host 172.16.33.72 port 60255, id=167, length=343
    User-Name = "noc.noc"
    NAS-IP-Address = 172.16.33.72
    NAS-Port = 0
    NAS-Identifier = "172.16.33.72"
    NAS-Port-Type = Wireless-802.11
    Calling-Station-Id = "0088653dc372"
    Called-Station-Id = "484ae9c6512c"
    Service-Type = Framed-User
    Framed-MTU = 1100
    EAP-Message = 0x020500b60808
    State = 0xc2104e6b44862e58d21c
    Aruba-Essid-Name = "noc"
    Aruba-Location-Id = "48:4a:e9:c6:51:2c"
    Aruba-AP-Group = "SetMeUp-C6:51:2C"
    Message-Authenticator = 0xcf38448121548de9ee9657a82a66620d
server auth-ldap-dzento 
# Executing section authorize from file /etc/freeradius/sites-enabled/auth-ldap-dzento
+group authorize 
++[preprocess] = ok
[auth_log]  expand: %Packet-Src-IP-Address -> 172.16.33.72
[auth_log]  expand: /var/log/freeradius/radacct/%%Packet-Src-IP-Address:-%Packet-Src-IPv6-Address/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/172.16.33.72/auth-detail-20191205
[auth_log] /var/log/freeradius/radacct/%%Packet-Src-IP-Address:-%Packet-Src-IPv6-Address/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/172.16.33.72/auth-detail-20191205
[auth_log]  expand: %t -> Thu Dec  5 15:22:26 2019
++[auth_log] = ok
++[chap] = noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] = noop
++[mschap] = noop
[suffix] No '@' in User-Name = "noc.noc", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 5 length 144
[eap] Continuing tunnel setup.
++[eap] = ok
+ # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/auth-ldap-dzento
+group authenticate 
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 134
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange
[peap]     TLS_accept: unknown state
[peap]     TLS_accept: unknown state
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap]     TLS_accept: unknown state
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap]     TLS_accept: unknown state
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap]     TLS_accept: unknown state
[peap]     TLS_accept: unknown state
[peap]     (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+ # group authenticate = handled
 # server auth-ldap-dzento
Sending Access-Challenge of id 167 to 172.16.33.72 port 60255
    EAP-Message = 0x010600411900140301000101160301003010de8cbd8c217d40b702c4a6f49f79f1b66de897d7c4ce7736809627eb0f7b8151cc198864583af240b7d3604ed20d9c
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0xc2101931c61600ae4e6b44862e58d21c
Finished request 15.
Going to the next request
Waking up in 4.5 seconds.
rad_recv: Access-Request packet from host 172.16.33.72 port 60255, id=168, length=205
    User-Name = "noc.noc"
    NAS-IP-Address = 172.16.33.72
    NAS-Port = 0
    NAS-Identifier = "172.16.33.72"
    NAS-Port-Type = Wireless-802.11
    Calling-Station-Id = "0088653dc372"
    Called-Station-Id = "484ae9c6512c"
    Service-Type = Framed-User
    Framed-MTU = 1100
    EAP-Message = 0x020600061900
    State = 0xc2101931c61600ae4e6b44862e58d21c
    Aruba-Essid-Name = "noc"
    Aruba-Location-Id = "48:4a:e9:c6:51:2c"
    Aruba-AP-Group = "SetMeUp-C6:51:2C"
    Message-Authenticator = 0xa4f9154f371ea14fb792329a6be23503
server auth-ldap-dzento 
# Executing section authorize from file /etc/freeradius/sites-enabled/auth-ldap-dzento
+group authorize 
++[preprocess] = ok
[auth_log]  expand: %Packet-Src-IP-Address -> 172.16.33.72
[auth_log]  expand: /var/log/freeradius/radacct/%%Packet-Src-IP-Address:-%Packet-Src-IPv6-Address/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/172.16.33.72/auth-detail-20191205
[auth_log] /var/log/freeradius/radacct/%%Packet-Src-IP-Address:-%Packet-Src-IPv6-Address/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/172.16.33.72/auth-detail-20191205
[auth_log]  expand: %t -> Thu Dec  5 15:22:26 2019
++[auth_log] = ok
++[chap] = noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] = noop
++[mschap] = noop
[suffix] No '@' in User-Name = "noc.noc", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 6 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+ # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/auth-ldap-dzento
+group authenticate 
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state TUNNEL ESTABLISHED
++[eap] = handled
+ # group authenticate = handled
 # server auth-ldap-dzento
Sending Access-Challenge of id 168 to 172.16.33.72 port 60255
    EAP-Message = 0x0107002b19001703010020b9515de1f6e3d751dc3e78be2907b593457773205bade16b2e03d9e3b509d3ff
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0xc2101931c71700ae4e6b44862e58d21c
Finished request 16.
Going to the next request
Waking up in 4.4 seconds.
rad_recv: Access-Request packet from host 172.16.33.72 port 60255, id=169, length=242
    User-Name = "noc.noc"
    NAS-IP-Address = 172.16.33.72
    NAS-Port = 0
    NAS-Identifier = "172.16.33.72"
    NAS-Port-Type = Wireless-802.11
    Calling-Station-Id = "0088653dc372"
    Called-Station-Id = "484ae9c6512c"
    Service-Type = Framed-User
    Framed-MTU = 1100
    EAP-Message = 0x0207002b19001703010020a5346815d787b1e1609f6a27991658c1155e347693d18cc7bd458aed50852628
    State = 0xc2101931c71700ae4e6b44862e58d21c
    Aruba-Essid-Name = "noc"
    Aruba-Location-Id = "48:4a:e9:c6:51:2c"
    Aruba-AP-Group = "SetMeUp-C6:51:2C"
    Message-Authenticator = 0x1662699eaee4c765bad0483a5ab7b46a
server auth-ldap-dzento {
# Executing section authorize from file /etc/freeradius/sites-enabled/auth-ldap-dzento
+group authorize 
++[preprocess] = ok
[auth_log]  expand: %Packet-Src-IP-Address -> 172.16.33.72
[auth_log]  expand: /var/log/freeradius/radacct/%%Packet-Src-IP-Address:-%Packet-Src-IPv6-Address/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/172.16.33.72/auth-detail-20191205
[auth_log] /var/log/freeradius/radacct/%%Packet-Src-IP-Address:-%Packet-Src-IPv6-Address/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/172.16.33.72/auth-detail-20191205
[auth_log]  expand: %t -> Thu Dec  5 15:22:26 2019
++[auth_log] = ok
++[chap] = noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] = noop
++[mschap] = noop
[suffix] No '@' in User-Name = "noc.noc", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 7 length 43
[eap] Continuing tunnel setup.
++[eap] = ok
+ # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/auth-ldap-dzento
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state WAITING FOR INNER IDENTITY
[peap] Identity - noc.noc
[peap] Got inner identity 'noc.noc'
[peap] Setting default EAP type for tunneled EAP session.
[peap] Got tunneled request
    EAP-Message = 0x0207000c016e6f632e6e6f63
server auth-ldap-dzento {
[peap] Setting User-Name to noc.noc
Sending tunneled request
    EAP-Message = 0x0207000c016e6f632e6e6f63
    FreeRADIUS-Proxied-To = 127.0.0.1
    User-Name = "noc.noc"
server inner-tunnel {
# Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
+group authorize {
++[chap] = noop
++[mschap] = noop
++[unix] = notfound
[suffix] No '@' in User-Name = "noc.noc", looking up realm NULL
