FreeRADIUS won't authenticate users, LDAP issue?

Hi all, I’m trying to use FreeRADIUS for wifi authentication, but I’m running into a strange issue. Basically, while FreeRADIUS is trying to check my password, I see some output on the console concerning univention-radius-ntlm-auth having some sort of issue:

Traceback (most recent call last): File "/usr/bin/univention-radius-ntlm-auth", line 87, in <module> sys.exit(main()) File "/usr/bin/univention-radius-ntlm-auth", line 69, in main stationId = stationId.decode('hex') File "/usr/lib/python2.7/encodings/hex_codec.py", line 42, in hex_decode output = binascii.a2b_hex(input) TypeError: Non-hexadecimal digit found

Whatever this is seems to be preventing FreeRADIUS from proceeding. It loops through two or three times before finally giving up.

I see this error several times in the FreeRADIUS output:

WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?

I’m out of troubleshooting ideas at the moment, I’d appreciate any help!

Complete output of freeradius -X:

[code]FreeRADIUS Version 2.1.12, for host x86_64-pc-linux-gnu, built on Sep 29 2014 at 09:45:28

Removed excess startup info

… adding new socket proxy address * port 35632
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 10.1.99.201 port 1645, id=11, length=120
User-Name = “dan”
Framed-MTU = 1400
Called-Station-Id = “0026.9921.f3c1”
Calling-Station-Id = “100d.7fb5.a5ec”
Service-Type = Login-User
Message-Authenticator = 0xbbc100dc012ac14896f5501cf78c9e4c
EAP-Message = 0x020200080164616e
NAS-Port-Type = Wireless-802.11
NAS-Port = 340
NAS-Port-Id = “340”
NAS-IP-Address = 10.1.99.201

Executing section authorize from file /etc/freeradius/sites-enabled/default

± entering group authorize {…}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[ntdomain] No ‘’ in User-Name = “dan”, looking up realm NULL
[ntdomain] No such realm “NULL”
++[ntdomain] returns noop
[eap] EAP packet type response id 2 length 8
[eap] No EAP Start, assuming it’s an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[ldap] performing user authorization for dan
[ldap] expand: (uid=%{mschap:User-Name:-%{User-Name}}) -> (uid=dan)
[ldap] expand: dc=t4dlab,dc=home -> dc=t4dlab,dc=home
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] attempting LDAP reconnection
[ldap] (re)connect to xs1-ucsdc.t4dlab.home:7389, authentication 0
[ldap] starting TLS
[ldap] bind as cn=xs1-ucsdc,cn=dc,cn=computers,dc=t4dlab,dc=home/Izgbnxjc5vKwLfyUGbUF to xs1-ucsdc.t4dlab.home:7389
[ldap] waiting for bind result …
[ldap] Bind was successful
[ldap] performing search in dc=t4dlab,dc=home, with filter (uid=dan)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory…
[ldap] sambaNTPassword -> NT-Password == 0x4537333338354538414337453538453843464232314334424243344244423738
[ldap] looking for reply items in directory…
WARNING: No “known good” password was found in LDAP. Are you sure that the user is configured correctly?
[ldap] user dan authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Normalizing NT-Password from hex encoding
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP

Executing group from file /etc/freeradius/sites-enabled/default

± entering group authenticate {…}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 11 to 10.1.99.201 port 1645
EAP-Message = 0x010300061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0237ac640234b545256f9a5bd2d69184
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.1.99.201 port 1645, id=12, length=239
User-Name = “dan”
Framed-MTU = 1400
Called-Station-Id = “0026.9921.f3c1”
Calling-Station-Id = “100d.7fb5.a5ec”
Service-Type = Login-User
Message-Authenticator = 0x9e62c502dedd0a252dac4acf87346814
EAP-Message = 0x0203006d198000000063160301005e0100005a0301580688807fb3a674a58258e7325bcd94cde59e86eb5837e4e91479957f533746000018c014c0130035002fc00ac00900380032000a00130005000401000019000a0006000400170018000b0002010000170000ff01000100
NAS-Port-Type = Wireless-802.11
NAS-Port = 340
NAS-Port-Id = “340”
State = 0x0237ac640234b545256f9a5bd2d69184
NAS-IP-Address = 10.1.99.201

Executing section authorize from file /etc/freeradius/sites-enabled/default

± entering group authorize {…}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[ntdomain] No ‘’ in User-Name = “dan”, looking up realm NULL
[ntdomain] No such realm “NULL”
++[ntdomain] returns noop
[eap] EAP packet type response id 3 length 109
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP

Executing group from file /etc/freeradius/sites-enabled/default

± entering group authenticate {…}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 99
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< Unknown TLS version [length 0005]
[peap] <<< TLS 1.0 Handshake [length 005e], ClientHello
[peap] TLS_accept: unknown state
[peap] >>> Unknown TLS version [length 0005]
[peap] >>> TLS 1.0 Handshake [length 0039], ServerHello
[peap] TLS_accept: unknown state
[peap] >>> Unknown TLS version [length 0005]
[peap] >>> TLS 1.0 Handshake [length 0b41], Certificate
[peap] TLS_accept: unknown state
[peap] >>> Unknown TLS version [length 0005]
[peap] >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange
[peap] TLS_accept: unknown state
[peap] >>> Unknown TLS version [length 0005]
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: unknown state
[peap] TLS_accept: unknown state
[peap] TLS_accept: unknown state
[peap] TLS_accept: Need to read more data: unknown state
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 12 to 10.1.99.201 port 1645
EAP-Message = 0x0104040019c000000cdd16030100390200003503013f2da2e4d50610150953f95b9cd2cfd65d14326a46c3a9da9ea2efa9b5dec79a00c01400000dff01000100000b0004030001021603010b410b000b3d000b3a000559308205553082043da003020102020102300d06092a864886f70d01010b05003081c6310b3009060355040613025553310b3009060355040813025553310b3009060355040713025553311b3019060355040a131241636d6520526f636b657473686f6520436f31243022060355040b131b556e6976656e74696f6e20436f72706f7261746520536572766572313a303806035504031331556e6976656e74696f6e20436f7270
EAP-Message = 0x6f726174652053657276657220526f6f74204341202849443d4a61636b4178467729311e301c06092a864886f70d010901160f73736c407434646c61622e686f6d65301e170d3136313031373138313330375a170d3231313031363138313330375a3081aa310b3009060355040613025553310b3009060355040813025553310b3009060355040713025553311b3019060355040a131241636d6520526f636b657473686f6520436f31243022060355040b131b556e6976656e74696f6e20436f72706f7261746520536572766572311e301c060355040313157873312d75637364632e7434646c61622e686f6d65311e301c06092a864886f70d0109
EAP-Message = 0x01160f73736c407434646c61622e686f6d6530820122300d06092a864886f70d01010105000382010f003082010a0282010100b1a5d2bc6b8e1a9a188bc11f502070a99651eabd3d43080430f8995c21778fcccca84a85a75822305f26b487a28de06675a1c616a6e53334f69f924c39336660561423dd02d31e6a4f63980cfb7e59fc4b7a8882a6c6e46d7a47050b9add423a9347d157356cd0715775016070ae16f768af8f15626a7887e33806e4a5a8ae2e25366be113d839e0a931d6eda28627784ea7c47abfcd89fd9f0f2d40579c0caf2807dd11d186296b24de1b8dcb317ac3aefc54dd216131aaa265f752980753e90a35c40f8c28fdaff7c0
EAP-Message = 0xb46e72ec39da6059b2661ae08aa661c9fcd34316dcc64fda463ad158d60dbc672d1f70fee30ddd2bfee41188534775a298ff5a607a7f0203010001a38201663082016230090603551d1304023000301d0603551d0e0416041433ce89e756d123677281678b38bee41def4b4c7e3081fb0603551d230481f33081f080146958911f63a354fe1f5a3af4438e8836da104b80a181cca481c93081c6310b3009060355040613025553310b3009060355040813025553310b3009060355040713025553311b3019060355040a131241636d6520526f636b657473686f6520436f31243022060355040b131b556e6976656e74696f6e20436f72706f72617465
EAP-Message = 0x20536572766572313a303806
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0237ac640333b545256f9a5bd2d69184
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.1.99.201 port 1645, id=13, length=136
User-Name = “dan”
Framed-MTU = 1400
Called-Station-Id = “0026.9921.f3c1”
Calling-Station-Id = “100d.7fb5.a5ec”
Service-Type = Login-User
Message-Authenticator = 0x6e722b76c3b7cfafdf2aa59c1a4ffdf4
EAP-Message = 0x020400061900
NAS-Port-Type = Wireless-802.11
NAS-Port = 340
NAS-Port-Id = “340”
State = 0x0237ac640333b545256f9a5bd2d69184
NAS-IP-Address = 10.1.99.201

Executing section authorize from file /etc/freeradius/sites-enabled/default

± entering group authorize {…}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[ntdomain] No ‘’ in User-Name = “dan”, looking up realm NULL
[ntdomain] No such realm “NULL”
++[ntdomain] returns noop
[eap] EAP packet type response id 4 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP

Executing group from file /etc/freeradius/sites-enabled/default

± entering group authenticate {…}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 13 to 10.1.99.201 port 1645
EAP-Message = 0x010503fc1940035504031331556e6976656e74696f6e20436f72706f726174652053657276657220526f6f74204341202849443d4a61636b4178467729311e301c06092a864886f70d010901160f73736c407434646c61622e686f6d65820900d43fa77fd3bb18ed300b0603551d0f0404030205e0302b0603551d110424302282157873312d75637364632e7434646c61622e686f6d6582097873312d7563736463300d06092a864886f70d01010b05000382010100a8b173c37025a405a287ed05afb3fdf6a2dad2bf3a1c49203924d95ca222bf2317b7fa684bec9c8d7cfae14c37aade7b4fa905975971cb07b63979a5ce14735a868c7402fd02ff
EAP-Message = 0x8a9d16998f23c0e947b3dc3416e788ead54c0fedbe51a4ee0a6b7cab47b9592b565dcd0fcd3c0d0400a55e60d5b8dc235a1a83b7713c35f6cca6e8d9be71a65cbd10c0d1afac1fb0960617503cf34ef44cd1ac9d47df0e98a015e67d8ddd62b5a66ce96d80bbd5483b462c7b5e46bd7cabf6f3c0b67e883a2bb892298512fa4083af94cc0f17b4b0f68eb4bd50e1be4cbff7afcb3fde5800f6d9c781a499887ae5a9948e8623452a18f048971c831c97a10b240dc69c7191c50005db308205d7308204bfa003020102020900d43fa77fd3bb18ed300d06092a864886f70d01010b05003081c6310b3009060355040613025553310b3009060355040813
EAP-Message = 0x025553310b3009060355040713025553311b3019060355040a131241636d6520526f636b657473686f6520436f31243022060355040b131b556e6976656e74696f6e20436f72706f7261746520536572766572313a303806035504031331556e6976656e74696f6e20436f72706f726174652053657276657220526f6f74204341202849443d4a61636b4178467729311e301c06092a864886f70d010901160f73736c407434646c61622e686f6d65301e170d3136313031373138313235355a170d3231313031363138313235355a3081c6310b3009060355040613025553310b3009060355040813025553310b3009060355040713025553311b3019
EAP-Message = 0x060355040a131241636d6520526f636b657473686f6520436f31243022060355040b131b556e6976656e74696f6e20436f72706f7261746520536572766572313a303806035504031331556e6976656e74696f6e20436f72706f726174652053657276657220526f6f74204341202849443d4a61636b4178467729311e301c06092a864886f70d010901160f73736c407434646c61622e686f6d6530820122300d06092a864886f70d01010105000382010f003082010a0282010100b7551096a746121bc665c89b5ce92970ab0d0a5b4137925e21237332c2983adacee258ce7a14c1eeae2997123cc4a2618a2f07173795c3e23203bace644dff7e73
EAP-Message = 0x21d313cdb9ae663d
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0237ac640032b545256f9a5bd2d69184
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.1.99.201 port 1645, id=14, length=136
User-Name = “dan”
Framed-MTU = 1400
Called-Station-Id = “0026.9921.f3c1”
Calling-Station-Id = “100d.7fb5.a5ec”
Service-Type = Login-User
Message-Authenticator = 0xf1ff56d215e01776e84ef5977697eacb
EAP-Message = 0x020500061900
NAS-Port-Type = Wireless-802.11
NAS-Port = 340
NAS-Port-Id = “340”
State = 0x0237ac640032b545256f9a5bd2d69184
NAS-IP-Address = 10.1.99.201

Executing section authorize from file /etc/freeradius/sites-enabled/default

± entering group authorize {…}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[ntdomain] No ‘’ in User-Name = “dan”, looking up realm NULL
[ntdomain] No such realm “NULL”
++[ntdomain] returns noop
[eap] EAP packet type response id 5 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP

Executing group from file /etc/freeradius/sites-enabled/default

± entering group authenticate {…}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 14 to 10.1.99.201 port 1645
EAP-Message = 0x010603fc194087cb475c25856754e0718cf11e13fa7c8ec180c2034a2498c36de85e603701b170bf2c78230f1c17228280fcc0666508f4c20439aca337db30029be6c145d1cb2ab78c513d87cd69418b56128512bb2c1ac955d8e753951cd02a842b9d13ad2022da7183d6384095986fea4f51f0a6565e970a5e8707d4a94cd652d1cd35ee17521d75e0e09790b13a4668443946f235bfe9d80826742cf35c9c1c7ecb95561d098c0c6a45c0378bb383b1347d09a24bfa7cd11efe62fb0203010001a38201c4308201c0300f0603551d130101ff040530030101ff301d0603551d0e041604146958911f63a354fe1f5a3af4438e8836da104b803081fb
EAP-Message = 0x0603551d230481f33081f080146958911f63a354fe1f5a3af4438e8836da104b80a181cca481c93081c6310b3009060355040613025553310b3009060355040813025553310b3009060355040713025553311b3019060355040a131241636d6520526f636b657473686f6520436f31243022060355040b131b556e6976656e74696f6e20436f72706f7261746520536572766572313a303806035504031331556e6976656e74696f6e20436f72706f726174652053657276657220526f6f74204341202849443d4a61636b4178467729311e301c06092a864886f70d010901160f73736c407434646c61622e686f6d65820900d43fa77fd3bb18ed300b
EAP-Message = 0x0603551d0f040403020106301106096086480186f8420101040403020007301a0603551d1104133011810f73736c407434646c61622e686f6d65301a0603551d1204133011810f73736c407434646c61622e686f6d65303806096086480186f842010d042b162954686973206365727469666963617465206973206120526f6f74204341204365727469666963617465300d06092a864886f70d01010b0500038201010023cda36bfa9c95b5283224462a069637e5073bf1058d0f92cff1b9a3196224361990bb97b881613722306438a0494e31114e3eae72a8f23609ef596e8865a305b1a4ee497d606a79403a92b51e4a00c457cbaccb10d1ce655f
EAP-Message = 0x3714b8463739979c712a31f2755a234f1f9a082d4c8c23f56e9f4501c566ee98fe18b053a65dfb5f302623c89799bbacbff94b8bdf69f0d45b3fdade34b946ceaa2ccc28910e73a04ba87ed4e9c96c0d63a244a49ee62f93364da1b40ff31e3c136c516bc52938944354cbfacda7b9ec39c394754e8c56d440629a66a015615b820d880e1ab1fea800f090989f1896dfa433a9b95192d135305cd77bb5cbe5cc3bea30096c370a160301014b0c0001470300174104aa17f7a45cbde533678b6c67620d6f252e1f2adad9540474a027bbe7ee6f9cb971746b74588a071c87940865c31954c3778bc958c29f7e077a95049a4d94355c0100ac04a7e8348c
EAP-Message = 0x21fd9041e4b01b32
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0237ac640131b545256f9a5bd2d69184
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.1.99.201 port 1645, id=15, length=136
User-Name = “dan”
Framed-MTU = 1400
Called-Station-Id = “0026.9921.f3c1”
Calling-Station-Id = “100d.7fb5.a5ec”
Service-Type = Login-User
Message-Authenticator = 0xd20d50c5aa87f553a890a12040684386
EAP-Message = 0x020600061900
NAS-Port-Type = Wireless-802.11
NAS-Port = 340
NAS-Port-Id = “340”
State = 0x0237ac640131b545256f9a5bd2d69184
NAS-IP-Address = 10.1.99.201

Executing section authorize from file /etc/freeradius/sites-enabled/default

± entering group authorize {…}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[ntdomain] No ‘’ in User-Name = “dan”, looking up realm NULL
[ntdomain] No such realm “NULL”
++[ntdomain] returns noop
[eap] EAP packet type response id 6 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP

Executing group from file /etc/freeradius/sites-enabled/default

± entering group authenticate {…}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 15 to 10.1.99.201 port 1645
EAP-Message = 0x010701011900636e341b41849ac7a280bceb0935d38f8b2b3d9cf5a77bbdfbf4fc3a91e7f5c5dfc8371da99198fb9c84cb2c85958b01c12949d926ec5b5defe7ce6ffc380ab5eb6b339f24173c073a1ff6ea1bc6555da2764d7381939a837147737e7a237c452f6086a1522fd5f57b421ecd2de62ebe8d90eb029890a15fd458f1b3423afc8d028c14f793c136ed946d5fdb62f65e79f4cc201fa92e5fe52b330ac044c944bd7e98a94fb4ca37431d94dc12e550e9d27e148480369c2d900cc4978e1362031181ab16f299c7c787f0a1d9064afb59c21bc975c211f42ea36cf06bdfe2b8d8d555aae81bb14dfc1e2dd38b1f55d4a09f08fe1603010004
EAP-Message = 0x0e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0237ac640630b545256f9a5bd2d69184
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.1.99.201 port 1645, id=16, length=274
User-Name = “dan”
Framed-MTU = 1400
Called-Station-Id = “0026.9921.f3c1”
Calling-Station-Id = “100d.7fb5.a5ec”
Service-Type = Login-User
Message-Authenticator = 0x448c6647bd91f2f5f0c5ee94fbdb805e
EAP-Message = 0x0207009019800000008616030100461000004241041b1fb775bf35f11f07fdbe65fe58352c44553344bb4717ed7b1e29fab35558689bc0118fe460460a59ddff70a7c432fa7d27ba08ff0aef73abf7dd2adf753b1c14030100010116030100307465407958ede0ed2b74931daf1903ac2bfdfc690599f65fc92a4ff68f17a81eb8c318561b247dab9e30adfa890311fe
NAS-Port-Type = Wireless-802.11
NAS-Port = 340
NAS-Port-Id = “340”
State = 0x0237ac640630b545256f9a5bd2d69184
NAS-IP-Address = 10.1.99.201

Executing section authorize from file /etc/freeradius/sites-enabled/default

± entering group authorize {…}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[ntdomain] No ‘’ in User-Name = “dan”, looking up realm NULL
[ntdomain] No such realm “NULL”
++[ntdomain] returns noop
[eap] EAP packet type response id 7 length 144
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP

Executing group from file /etc/freeradius/sites-enabled/default

± entering group authenticate {…}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 134
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< Unknown TLS version [length 0005]
[peap] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange
[peap] TLS_accept: unknown state
[peap] TLS_accept: unknown state
[peap] <<< Unknown TLS version [length 0005]
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< Unknown TLS version [length 0005]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: unknown state
[peap] >>> Unknown TLS version [length 0005]
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap] TLS_accept: unknown state
[peap] >>> Unknown TLS version [length 0005]
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: unknown state
[peap] TLS_accept: unknown state
[peap] (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 16 to 10.1.99.201 port 1645
EAP-Message = 0x0108004119001403010001011603010030488d6b86f3d8013c2e84d1b19e78fd833bca1d2a69610f12e4735c747feb710eb14fec9f36b5303620a92bd4bc574d88
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0237ac64073fb545256f9a5bd2d69184
Finished request 5.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.1.99.201 port 1645, id=17, length=136
User-Name = “dan”
Framed-MTU = 1400
Called-Station-Id = “0026.9921.f3c1”
Calling-Station-Id = “100d.7fb5.a5ec”
Service-Type = Login-User
Message-Authenticator = 0x7a79c61f603e5fe338388e586db7598f
EAP-Message = 0x020800061900
NAS-Port-Type = Wireless-802.11
NAS-Port = 340
NAS-Port-Id = “340”
State = 0x0237ac64073fb545256f9a5bd2d69184
NAS-IP-Address = 10.1.99.201

Executing section authorize from file /etc/freeradius/sites-enabled/default

± entering group authorize {…}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[ntdomain] No ‘’ in User-Name = “dan”, looking up realm NULL
[ntdomain] No such realm “NULL”
++[ntdomain] returns noop
[eap] EAP packet type response id 8 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP

Executing group from file /etc/freeradius/sites-enabled/default

± entering group authenticate {…}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state TUNNEL ESTABLISHED
[peap] >>> Unknown TLS version [length 0005]
++[eap] returns handled
Sending Access-Challenge of id 17 to 10.1.99.201 port 1645
EAP-Message = 0x0109002b19001703010020bc7bed89e5abfaf617ddafe960943b218baebeddc1f865581a95f40fb8b7bb09
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0237ac64043eb545256f9a5bd2d69184
Finished request 6.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.1.99.201 port 1645, id=18, length=173
User-Name = “dan”
Framed-MTU = 1400
Called-Station-Id = “0026.9921.f3c1”
Calling-Station-Id = “100d.7fb5.a5ec”
Service-Type = Login-User
Message-Authenticator = 0xe2599492ccff510101b865b08f742b84
EAP-Message = 0x0209002b19001703010020489bde3b7c0d3f663a548f9ece0c4e55eb4e8fc08d6d66d9d1c3ea829a768720
NAS-Port-Type = Wireless-802.11
NAS-Port = 340
NAS-Port-Id = “340”
State = 0x0237ac64043eb545256f9a5bd2d69184
NAS-IP-Address = 10.1.99.201

Executing section authorize from file /etc/freeradius/sites-enabled/default

± entering group authorize {…}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[ntdomain] No ‘’ in User-Name = “dan”, looking up realm NULL
[ntdomain] No such realm “NULL”
++[ntdomain] returns noop
[eap] EAP packet type response id 9 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP

Executing group from file /etc/freeradius/sites-enabled/default

± entering group authenticate {…}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] <<< Unknown TLS version [length 0005]
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state WAITING FOR INNER IDENTITY
[peap] Identity - dan
[peap] Got inner identity ‘dan’
[peap] Setting default EAP type for tunneled EAP session.
[peap] Got tunneled request
EAP-Message = 0x020900080164616e
server {
[peap] Setting User-Name to dan
Sending tunneled request
EAP-Message = 0x020900080164616e
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = “dan”
server {

Executing section authorize from file /etc/freeradius/sites-enabled/default

± entering group authorize {…}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[ntdomain] No ‘’ in User-Name = “dan”, looking up realm NULL
[ntdomain] No such realm “NULL”
++[ntdomain] returns noop
[eap] EAP packet type response id 9 length 8
[eap] No EAP Start, assuming it’s an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[ldap] performing user authorization for dan
[ldap] expand: (uid=%{mschap:User-Name:-%{User-Name}}) -> (uid=dan)
[ldap] expand: dc=t4dlab,dc=home -> dc=t4dlab,dc=home
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in dc=t4dlab,dc=home, with filter (uid=dan)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory…
[ldap] sambaNTPassword -> NT-Password == 0x4537333338354538414337453538453843464232314334424243344244423738
[ldap] looking for reply items in directory…
WARNING: No “known good” password was found in LDAP. Are you sure that the user is configured correctly?
[ldap] user dan authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Normalizing NT-Password from hex encoding
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP

Executing group from file /etc/freeradius/sites-enabled/default

± entering group authenticate {…}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server
[peap] Got tunneled reply code 11
EAP-Message = 0x010a001d1a010a0018108bc2d033cb728514c788e2b1b04d70d164616e
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xc2f07df1c2fa67a378dae0616461cf56
[peap] Got tunneled reply RADIUS code 11
EAP-Message = 0x010a001d1a010a0018108bc2d033cb728514c788e2b1b04d70d164616e
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xc2f07df1c2fa67a378dae0616461cf56
[peap] Got tunneled Access-Challenge
[peap] >>> Unknown TLS version [length 0005]
++[eap] returns handled
Sending Access-Challenge of id 18 to 10.1.99.201 port 1645
EAP-Message = 0x010a003b19001703010030a2194119c9bdca0664ee420b0133e663aaf2fdbe012972e7747d3789f92c4b2f121ee0100bd5a9b12bcfcacb1a87c225
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0237ac64053db545256f9a5bd2d69184
Finished request 7.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.1.99.201 port 1645, id=19, length=221
User-Name = “dan”
Framed-MTU = 1400
Called-Station-Id = “0026.9921.f3c1”
Calling-Station-Id = “100d.7fb5.a5ec”
Service-Type = Login-User
Message-Authenticator = 0x3a619f7588e2d019c1d1eba38851427f
EAP-Message = 0x020a005b1900170301005007526d41e509d7dce5454c5b431ebd50d334f5d0009656088dbc5acd3b72b021e3d5e2a1effbd4924316f17a665d4f83b835af2e0927e4d4169e8719257b3184a6391284b9750db7cabf0b0b60449764
NAS-Port-Type = Wireless-802.11
NAS-Port = 340
NAS-Port-Id = “340”
State = 0x0237ac64053db545256f9a5bd2d69184
NAS-IP-Address = 10.1.99.201

Executing section authorize from file /etc/freeradius/sites-enabled/default

± entering group authorize {…}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[ntdomain] No ‘’ in User-Name = “dan”, looking up realm NULL
[ntdomain] No such realm “NULL”
++[ntdomain] returns noop
[eap] EAP packet type response id 10 length 91
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP

Executing group from file /etc/freeradius/sites-enabled/default

± entering group authenticate {…}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] <<< Unknown TLS version [length 0005]
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
EAP-Message = 0x020a003e1a020a00393190c63eaaab6e59cce2346a85ef61f06d000000000000000093ac9428e3fe263afdc0fae3c1ca1e4a888136257b1f6c6f0064616e
server {
[peap] Setting User-Name to dan
Sending tunneled request
EAP-Message = 0x020a003e1a020a00393190c63eaaab6e59cce2346a85ef61f06d000000000000000093ac9428e3fe263afdc0fae3c1ca1e4a888136257b1f6c6f0064616e
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = “dan”
State = 0xc2f07df1c2fa67a378dae0616461cf56
server {

Executing section authorize from file /etc/freeradius/sites-enabled/default

± entering group authorize {…}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[ntdomain] No ‘’ in User-Name = “dan”, looking up realm NULL
[ntdomain] No such realm “NULL”
++[ntdomain] returns noop
[eap] EAP packet type response id 10 length 62
[eap] No EAP Start, assuming it’s an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[ldap] performing user authorization for dan
[ldap] expand: (uid=%{mschap:User-Name:-%{User-Name}}) -> (uid=dan)
[ldap] expand: dc=t4dlab,dc=home -> dc=t4dlab,dc=home
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in dc=t4dlab,dc=home, with filter (uid=dan)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory…
[ldap] sambaNTPassword -> NT-Password == 0x4537333338354538414337453538453843464232314334424243344244423738
[ldap] looking for reply items in directory…
WARNING: No “known good” password was found in LDAP. Are you sure that the user is configured correctly?
[ldap] user dan authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Normalizing NT-Password from hex encoding
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP

Executing group from file /etc/freeradius/sites-enabled/default

± entering group authenticate {…}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file /etc/freeradius/sites-enabled/default
[mschapv2] ± entering group MS-CHAP {…}
[mschap] Found NT-Password
[mschap] Creating challenge hash with username: dan
[mschap] Told to do MS-CHAPv2 for dan with NT-Password
[mschap] expand: %{Stripped-User-Name} ->
[mschap] … expanding second conditional
[mschap] expand: %{User-Name} -> dan
[mschap] expand: %{%{User-Name}:-None} -> dan
[mschap] expand: --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} -> --username=dan
[mschap] Creating challenge hash with username: dan
[mschap] expand: %{mschap:Challenge} -> 57b1bc3b5f4c9daa
[mschap] expand: --challenge=%{%{mschap:Challenge}:-00} -> --challenge=57b1bc3b5f4c9daa
[mschap] expand: %{mschap:NT-Response} -> 93ac9428e3fe263afdc0fae3c1ca1e4a888136257b1f6c6f
[mschap] expand: --nt-response=%{%{mschap:NT-Response}:-00} -> --nt-response=93ac9428e3fe263afdc0fae3c1ca1e4a888136257b1f6c6f
[mschap] expand: --station-id=%{outer.request:Calling-Station-Id} -> --station-id=100d.7fb5.a5ec
Exec-Program output:
Exec-Program: returned: 1
[mschap] External script failed.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
Login incorrect (mschap: External script says ): [dan/] (from client Ci1142n-bsmt port 0 via TLS tunnel)
} # server
[peap] Got tunneled reply code 3
MS-CHAP-Error = “\nE=691 R=1”
EAP-Message = 0x040a0004
Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code 3
MS-CHAP-Error = “\nE=691 R=1”
EAP-Message = 0x040a0004
Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE
[peap] >>> Unknown TLS version [length 0005]
++[eap] returns handled
Sending Access-Challenge of id 19 to 10.1.99.201 port 1645
EAP-Message = 0x010b002b190017030100204d30e4b91f4725572d1bcbfac0424018860698d798948702d259757a4f9ba1b4
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0237ac640a3cb545256f9a5bd2d69184
Finished request 8.
Going to the next request
Waking up in 4.6 seconds.
rad_recv: Access-Request packet from host 10.1.99.201 port 1645, id=20, length=173
User-Name = “dan”
Framed-MTU = 1400
Called-Station-Id = “0026.9921.f3c1”
Calling-Station-Id = “100d.7fb5.a5ec”
Service-Type = Login-User
Message-Authenticator = 0xe87745c28d433b8c121bb26ec1676709
EAP-Message = 0x020b002b19001703010020e11d20052688a50ed06d539cbdef7e870fd8c9a8ccb61d780ffe519a8ac3eb78
NAS-Port-Type = Wireless-802.11
NAS-Port = 340
NAS-Port-Id = “340”
State = 0x0237ac640a3cb545256f9a5bd2d69184
NAS-IP-Address = 10.1.99.201

Executing section authorize from file /etc/freeradius/sites-enabled/default

± entering group authorize {…}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[ntdomain] No ‘’ in User-Name = “dan”, looking up realm NULL
[ntdomain] No such realm “NULL”
++[ntdomain] returns noop
[eap] EAP packet type response id 11 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP

Executing group from file /etc/freeradius/sites-enabled/default

± entering group authenticate {…}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] <<< Unknown TLS version [length 0005]
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state send tlv failure
[peap] Received EAP-TLV response.
[peap] The users session was previously rejected: returning reject (again.)
[peap] *** This means you need to read the PREVIOUS messages in the debug output
[peap] *** to find out the reason why the user was rejected.
[peap] *** Look for “reject” or “fail”. Those earlier messages will tell you.
[peap] *** what went wrong, and how to fix the problem.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect: [dan/] (from client Ci1142n-bsmt port 340 cli 100d.7fb5.a5ec)
Delaying reject of request 9 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 9
Sending Access-Reject of id 20 to 10.1.99.201 port 1645
EAP-Message = 0x040b0004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.6 seconds.
Cleaning up request 0 ID 11 with timestamp +20
Cleaning up request 1 ID 12 with timestamp +20
Cleaning up request 2 ID 13 with timestamp +20
Cleaning up request 3 ID 14 with timestamp +20
Cleaning up request 4 ID 15 with timestamp +20
Cleaning up request 5 ID 16 with timestamp +20
Cleaning up request 6 ID 17 with timestamp +20
Cleaning up request 7 ID 18 with timestamp +20
Waking up in 0.2 seconds.
Cleaning up request 8 ID 19 with timestamp +20
Waking up in 1.0 seconds.
Cleaning up request 9 ID 20 with timestamp +20
Ready to process requests.[/code]

Hey,

first of all please make sure that the user may actually authenticate via RADIUS. This can be done with “univention-radius-check-access --username=”. The output should look something like this:

[code][0 root@master ~] univention-radius-check-access --username=mbunkus
ALLOW ‘uid=mbunkus,cn=users,dc=mbu-test,dc=intranet’
‘uid=mbunkus,cn=users,dc=mbu-test,dc=intranet’
-> DENY ‘cn=Domain Users,cn=groups,dc=mbu-test,dc=intranet’
-> ‘cn=Domain Users,cn=groups,dc=mbu-test,dc=intranet’
-> -> DENY ‘cn=Users,cn=Builtin,dc=mbu-test,dc=intranet’
-> -> ‘cn=Users,cn=Builtin,dc=mbu-test,dc=intranet’

Thus access for user is ALLOWED.[/code]

Next make sure you’ve configured your client correctly. It’s important to use PEAP in phase 1 and MSCHAPv2 in phase 2. See this Wiki entry for how to configure this on Android devices.

If you’re 100% sure then try to use a different user — but make sure that (s)he may use RADIUS by checking “univention-radius-check-access” again!

Kind regards,
mosu

1 Like

Hey,

ok scratch that. I’ve taken a look at the script “/usr/bin/univention-radius-ntlm-auth” you’ve mentioned. The place where the excetion occurs has nothing to do with the user account or his/her password, but with the station ID. The station ID is supposed to be the MAC address of the wireless device trying to authenticate. For some reason it isn’t in your case.

I’ll attach a slightly modified version of the “univention-radius-ntlm-auth” script which will write the station ID to the file “/tmp/radius-debug.txt”. Please move the original “/usr/bin/univention-radius-ntlm-auth” to e.g. “/root/”, then replace “/usr/bin/univention-radius-ntlm-auth” with my attachment (remove the “.txt” extesion, please; I’ve only used to it circumvent the forum’s upload rules). Make sure to run “chmod 0755 /usr/bin/univention-radius-ntlm-auth” afterwards.

Now try connecting. As soon as you see that “No “known good” password” warning the debug file “/tmp/radius-debug.txt” should show up. Please paste its content here. It should look something like this:

Supplied station ID: >C0-EE-FB-D8-46-52<

Kind regards,
mosu
univention-radius-ntlm-auth.txt (3.39 KB)

Thanks mosu, I copied in your modified script and found this to be the output:

Supplied station ID: >100d.7fb5.a5ec<

Is the script sensitive about formatting? The station in this case is a Cisco wireless access point, and I’ve found they tend to use that odd looking dotted-quad notation for MAC addresses.

Hey,

yeah, that explains it. The script is indeed sensitive and expects a format of “aa-bb-cc-dd-ee-ff” — or at least exactly one char between each pair of hex digits. If you look at the script you’ll see all the substring access in line 39 which won’t work with an ID such as yours.

I haven’t found an entry in Univention’s Bugzilla with this particular problem yet. I’ll open one in a moment.

Here’s how you can circumvent the problem for the time being: use my newly attached version of “univention-radius-ntlm-auth”. It changes two things:

[ul][li]It inserts “import re” near the top[/li]
[li]It replaces the following line and its predecessor…

stationId = stationId[0:2] + stationId[3:5] + stationId[6:8] + stationId[9:11] + stationId[12:14] + stationId[15:17]

…with this one:

stationId = re.sub('[^0-9a-f]', '', options.stationId)

which basically states “throw everything away that’s not a potential hex digit”.[/li][/ul]

This fix should work both for the Cisco format and the more common one.

Kind regards,
mosu
univention-radius-ntlm-auth.txt (3.17 KB)

And here’s the bug I’ve filed for this problem.

Ahh, you’re awesome! It worked! If I wasn’t on a different continent I’d buy you a beer!

Thank you very much!

You’re quite welcome :slight_smile: And no worries, have one on me :slight_smile:

Mastodon