EAP-TLS authentication with FreeRADIUS 1.1.5

anoop_c at sifycorp.com anoop_c at sifycorp.com
Thu May 10 11:36:54 CEST 2007


Dear all
  With FreeRADIUS 1.1.6 I am getting the following debug messages. Still, authentication is not happening.

 [root at anoop raddb]# radiusd -X
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/proxy.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
Config:   including file: /etc/raddb/eap.conf
Config:   including file: /etc/raddb/sql.conf
 main: prefix = "/usr/local"
 main: localstatedir = "/usr/local/var"
 main: logdir = "/usr/local/var/log/radius"
 main: libdir = "/usr/local/lib"
 main: radacctdir = "/usr/local/var/log/radius/radacct"
 main: hostname_lookups = no
 main: snmp = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/usr/local/var/log/radius/radius.log"
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
 main: user = "(null)"
 main: group = "(null)"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/local/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = no
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded System
 unix: cache = no
 unix: passwd = "(null)"
 unix: shadow = "(null)"
 unix: group = "(null)"
 unix: radwtmp = "/usr/local/var/log/radius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = "tls"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = "(null)"
 tls: pem_file_type = yes
 tls: private_key_file = "/etc/1x/07xwifi.pem"
 tls: certificate_file = "/etc/1x/07xwifi.pem"
 tls: CA_file = "/etc/1x/root.pem"
 tls: private_key_password = "password"
 tls: dh_file = "/etc/1x/DH"
 tls: random_file = "/etc/1x/random"
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
 tls: check_cert_cn = "(null)"
 tls: cipher_list = "(null)"
 tls: check_cert_issuer = "(null)"
rlm_eap_tls: Loading the certificate file as a chain
rlm_eap: Loaded and initialized type tls
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = "/etc/raddb/huntgroups"
 preprocess: hints = "/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
 preprocess: with_alvarion_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = "suffix"
 realm: delimiter = "@"
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = "/etc/raddb/users"
 files: acctusersfile = "/etc/raddb/acct_users"
 files: preproxy_usersfile = "/etc/raddb/preproxy_users"
 files: compat = "no"
Module: Instantiated files (files)
Module: Loaded PAP
 pap: encryption_scheme = "crypt"
 pap: auto_header = yes
Module: Instantiated pap (pap)
Module: Loaded Acct-Unique-Session-Id
 acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
 detail: detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
 radutmp: filename = "/usr/local/var/log/radius/radutmp"
 radutmp: username = "%{User-Name}"
 radutmp: case_sensitive = yes
 radutmp: check_with_nas = yes
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.0.50:1026, id=0, length=197
        Message-Authenticator = 0x58682b62b2334fb6e661df414bc30e61
        Service-Type = Framed-User
        User-Name = "anoop07"
        Framed-MTU = 1488
        Called-Station-Id = "00-0F-3D-AF-DD-C2:default"
        Calling-Station-Id = "00-0E-35-F3-A1-67"
        NAS-Identifier = "D-Link Access Point"
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 54Mbps 802.11g"
        EAP-Message = 0x0200000c01616e6f6f703037
        NAS-IP-Address = 192.168.0.50
        NAS-Port = 1
        NAS-Port-Id = "STA port # 1"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
    rlm_realm: No '@' in User-Name = "anoop07", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: EAP packet type response id 0 length 12
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 0
    users: Matched entry DEFAULT at line 153
    users: Matched entry DEFAULT at line 172
  modcall[authorize]: module "files" returns ok for request 0
rlm_pap: WARNING! No "known good" password found for the user.  Authentication may fail because of this.
  modcall[authorize]: module "pap" returns noop for request 0
modcall: leaving group authorize (returns updated) for request 0
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
 rlm_eap_tls: Requiring client certificate
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module "eap" returns handled for request 0
modcall: leaving group authenticate (returns handled) for request 0
Sending Access-Challenge of id 0 to 192.168.0.50 port 1026
        Framed-IP-Address = 255.255.255.254
        Framed-MTU = 576
        Service-Type = Framed-User
        EAP-Message = 0x010100060d20
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xf149907fc590a6e39f01cbbd9619107b
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.0.50:1026, id=1, length=299
        Message-Authenticator = 0x4fd5a9fe11d848f8f7a1324997be4a8e
        Service-Type = Framed-User
        User-Name = "anoop07"
        Framed-MTU = 1488
        State = 0xf149907fc590a6e39f01cbbd9619107b
        Called-Station-Id = "00-0F-3D-AF-DD-C2:default"
        Calling-Station-Id = "00-0E-35-F3-A1-67"
        NAS-Identifier = "D-Link Access Point"
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 54Mbps 802.11g"
        EAP-Message = 0x020100600d800000005616030100510100004d03014642cb0590f00820866efd284d568c69cde48b6530bced71bd7a674a2a46e36e103102d6b9e079cbcf0242e2192803fe40001600040005000a000900640062000300060013001200630100
        NAS-IP-Address = 192.168.0.50
        NAS-Port = 1
        NAS-Port-Id = "STA port # 1"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module "preprocess" returns ok for request 1
    rlm_realm: No '@' in User-Name = "anoop07", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 1
  rlm_eap: EAP packet type response id 1 length 96
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 1
    users: Matched entry DEFAULT at line 153
    users: Matched entry DEFAULT at line 172
  modcall[authorize]: module "files" returns ok for request 1
rlm_pap: WARNING! No "known good" password found for the user.  Authentication may fail because of this.
  modcall[authorize]: module "pap" returns noop for request 1
modcall: leaving group authorize (returns updated) for request 1
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/tls
  rlm_eap: processing type tls
  rlm_eap_tls: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls:  Length Included
  eaptls_verify returned 11
    (other): before/accept initialization
    TLS_accept: before/accept initialization
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0051], ClientHello
    TLS_accept: SSLv3 read client hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
    TLS_accept: SSLv3 write server hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 04bf], Certificate
    TLS_accept: SSLv3 write certificate A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 004c], CertificateRequest
    TLS_accept: SSLv3 write certificate request A
    TLS_accept: SSLv3 flush data
    TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
  eaptls_process returned 13
  modcall[authenticate]: module "eap" returns handled for request 1
modcall: leaving group authenticate (returns handled) for request 1
Sending Access-Challenge of id 1 to 192.168.0.50 port 1026
        Framed-IP-Address = 255.255.255.254
        Framed-MTU = 576
        Service-Type = Framed-User
        EAP-Message = 0x0102040a0dc000000564160301004a0200004603014642cb066051eb4f14285a58bcd1249829d97ad27f846524d57f7a25b0a3981720143a0cfecdd12ac8ec78c09d87f305ba498dcfe95c07b2b76e9b8510cfc644fd00040016030104bf0b0004bb0004b800022c3082022830820191a003020102020101300d06092a864886f70d0101040500303b310b300906035504061302494e310b300906035504081302544e310d300b060355040a1304536966793110300e0603550403130730377877696669301e170d3037303131323135333533305a170d3038303131323135333533305a3060310b300906035504061302494e310b3009060355040813
        EAP-Message = 0x02544e310d300b060355040a1304536966793110300e06035504031307303778776966693123302106092a864886f70d0109011614616e6f6f705f634073696679636f72702e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100d2bbbe35bc8a47709632284aff484695385e69c3522f63da46834f9586a420bda380889693fa77fedd9ed4290e6f9ff4436721775294fc65a38fea098f18975b34b5063de27220e18a07d433cbb6e19aeb3f84b012f7c20071dd280457a932634bbe50f438cc2ee6f4d65fa395a10bdecc4bf9087979ec45af000940e186ed290203010001a317301530130603551d25040c300a06082b
        EAP-Message = 0x06010505070301300d06092a864886f70d0101040500038181000afea7f2a8a9cffe60baa8f779353c523457f8237faeff81ba5f2c22664c70b6b2fb58c8967ca4a4c847b80e1d5a6cc4558ffa1d161614f374d8b5efd565aa66045b192b3ac3da82c81c4a99fc10cfe473f9ac258ef99b16cbd335004677694a05addae48c6a9dcdb26b86ddb56c635266c33c7de7586543532692e5220d30b100028630820282308201eba003020102020100300d06092a864886f70d0101040500303b310b300906035504061302494e310b300906035504081302544e310d300b060355040a1304536966793110300e0603550403130730377877696669301e170d
        EAP-Message = 0x3037303131323135333435305a170d3038303131323135333435305a303b310b300906035504061302494e310b300906035504081302544e310d300b060355040a1304536966793110300e060355040313073037787769666930819f300d06092a864886f70d010101050003818d0030818902818100ba8b07a479bb6ce9adf2d8bc6ac9cf214506dfc039cb10c3b4d27d1bbc082caff0bb77424819728977f04b32e231a3c4755a65823b366f1a604f15ce6c499883ab7d2757a5a2c07a11e75b7a00d6c55a8fb7443b202a25a3cdaad39579b2d8f4c09c974056f0c8666fff754d574836fcaf105200fcd5df5158e2b387310c4ed90203010001a381
        EAP-Message = 0x95308192301d0603551d0e041604149eda6f69065423
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x2fdcf333629491d0e1c1ee647458de64
Finished request 1
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.0.50:1026, id=2, length=209
        Message-Authenticator = 0x4ad9312009d92ce8a0efb591a5179928
        Service-Type = Framed-User
        User-Name = "anoop07"
        Framed-MTU = 1488
        State = 0x2fdcf333629491d0e1c1ee647458de64
        Called-Station-Id = "00-0F-3D-AF-DD-C2:default"
        Calling-Station-Id = "00-0E-35-F3-A1-67"
        NAS-Identifier = "D-Link Access Point"
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 54Mbps 802.11g"
        EAP-Message = 0x020200060d00
        NAS-IP-Address = 192.168.0.50
        NAS-Port = 1
        NAS-Port-Id = "STA port # 1"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
  modcall[authorize]: module "preprocess" returns ok for request 2
    rlm_realm: No '@' in User-Name = "anoop07", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 2
  rlm_eap: EAP packet type response id 2 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 2
    users: Matched entry DEFAULT at line 153
    users: Matched entry DEFAULT at line 172
  modcall[authorize]: module "files" returns ok for request 2
rlm_pap: WARNING! No "known good" password found for the user.  Authentication may fail because of this.
  modcall[authorize]: module "pap" returns noop for request 2
modcall: leaving group authorize (returns updated) for request 2
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/tls
  rlm_eap: processing type tls
  rlm_eap_tls: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake fragment handler
  eaptls_verify returned 1
  eaptls_process returned 13
  modcall[authenticate]: module "eap" returns handled for request 2
modcall: leaving group authenticate (returns handled) for request 2
Sending Access-Challenge of id 2 to 192.168.0.50 port 1026
        Framed-IP-Address = 255.255.255.254
        Framed-MTU = 576
        Service-Type = Framed-User
        EAP-Message = 0x0103016e0d80000005647ec1c9e4d07a608e0e6dcd730f30630603551d23045c305a80149eda6f690654237ec1c9e4d07a608e0e6dcd730fa13fa43d303b310b300906035504061302494e310b300906035504081302544e310d300b060355040a1304536966793110300e0603550403130730377877696669820100300c0603551d13040530030101ff300d06092a864886f70d0101040500038181006b514f008b6a77757fc73ddbe9d54e4ea925a1ab9ce80ad7895d6d19661d8b8558d0e359876aac023aa52d4273e00407b9b588b30dbc35c5911bc89d2d99677e0ec8dea17fece35d0b4dfab8775ba73eaeb0a0998bcdf1437cff0a1031f6a5b1
        EAP-Message = 0x7e8bcdc01e2e964cb256f49d947eea2cfd42989aef397fa438be294fa3dc7a3d160301004c0d000044020102003f003d303b310b300906035504061302494e310b300906035504081302544e310d300b060355040a1304536966793110300e06035504031307303778776966690e000000
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x8312be86097e0bba014e67facd670e26
Finished request 2
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.0.50:1026, id=3, length=209
        Message-Authenticator = 0xd1d028ef0c35ada1104dae076b233114
        Service-Type = Framed-User
        User-Name = "anoop07"
        Framed-MTU = 1488
        State = 0x8312be86097e0bba014e67facd670e26
        Called-Station-Id = "00-0F-3D-AF-DD-C2:default"
        Calling-Station-Id = "00-0E-35-F3-A1-67"
        NAS-Identifier = "D-Link Access Point"
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 54Mbps 802.11g"
        EAP-Message = 0x020300060d00
        NAS-IP-Address = 192.168.0.50
        NAS-Port = 1
        NAS-Port-Id = "STA port # 1"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 3
  modcall[authorize]: module "preprocess" returns ok for request 3
    rlm_realm: No '@' in User-Name = "anoop07", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 3
  rlm_eap: EAP packet type response id 3 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 3
    users: Matched entry DEFAULT at line 153
    users: Matched entry DEFAULT at line 172
  modcall[authorize]: module "files" returns ok for request 3
rlm_pap: WARNING! No "known good" password found for the user.  Authentication may fail because of this.
  modcall[authorize]: module "pap" returns noop for request 3
modcall: leaving group authorize (returns updated) for request 3
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 3
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/tls
  rlm_eap: processing type tls
  rlm_eap_tls: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake fragment handler
  eaptls_verify returned 1
  eaptls_process returned 13
  modcall[authenticate]: module "eap" returns handled for request 3
modcall: leaving group authenticate (returns handled) for request 3
Sending Access-Challenge of id 3 to 192.168.0.50 port 1026
        Framed-IP-Address = 255.255.255.254
        Framed-MTU = 576
        Service-Type = Framed-User
        EAP-Message = 0x0104000a0d8000000000
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xc08d54ac02795c8e31c2f7865a609bd5
Finished request 3
Going to the next request
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 0 with timestamp 4642cb06
Cleaning up request 1 ID 1 with timestamp 4642cb06
Cleaning up request 2 ID 2 with timestamp 4642cb06
Cleaning up request 3 ID 3 with timestamp 4642cb06
Nothing to do.  Sleeping until we see a request.
 
[root at anoop raddb]#

What is the meaning of
 --- TLS_accept: SSLv3 write certificate request A
    TLS_accept: SSLv3 flush data
    TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
  eaptls_process returned 13----
 (this "eaptls_process returned 13") in the debug log,
as well as
 ---rlm_eap: No EAP Start, assuming it's an on-going EAP conversation----

Regards
Anoop
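For readers following the log packet by packet, here is an added example (mine, not Anoop's and not FreeRADIUS code): a decoder for the EAP-Message hex values printed above, covering the EAP header (RFC 3748) and the EAP-TLS flags and length field (RFC 2716). Run over the values copied from the log, it shows the Identity response, the server's EAP-TLS Start, the ClientHello, the server flight split into a 1024-byte and a 356-byte fragment (matching fragment_size = 1024 in eap.conf), the peer's ACKs, and the final server challenge that carries no TLS data at all.

```python
"""Decode the EAP-Message attributes from a FreeRADIUS ``radiusd -X`` log.

Added example, not part of the original post. It parses the EAP header
(RFC 3748) and the EAP-TLS flags/length field (RFC 2716) so the request and
challenge sequence in the log above can be read off directly. The hex values
in LOG_MESSAGES are copied from that log; the two long server fragments are
cut after their first bytes, which the parser detects from the EAP length
field and reports as truncated.
"""
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 13: "EAP-TLS"}
TLS_HANDSHAKE = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
                 13: "CertificateRequest", 14: "ServerHelloDone"}

# The EAP-Message of each packet in the log, in order (peer, server, peer, ...).
LOG_MESSAGES = [
    "0x0200000c01616e6f6f703037",                         # request 0 (peer)
    "0x010100060d20",                                     # challenge 0 (server)
    "0x020100600d800000005616030100510100004d03014642cb0590f008"
    "20866efd284d568c69cde48b6530bced71bd7a674a2a46e36e103102d6b9e079cbcf0242e2192803"
    "fe40001600040005000a000900640062000300060013001200630100",  # request 1
    "0x0102040a0dc000000564160301004a0200004603014642cb06",  # challenge 1, cut
    "0x020200060d00",                                     # request 2
    "0x0103016e0d80000005647ec1c9e4d07a608e",             # challenge 2, cut
    "0x020300060d00",                                     # request 3
    "0x0104000a0d8000000000",                             # challenge 3
]


def parse_eap(hexstr):
    """Parse one EAP packet given as the ``0x...`` string FreeRADIUS prints
    (spaces left over from e-mail line wrapping are tolerated)."""
    h = hexstr.strip().replace(" ", "")
    raw = bytes.fromhex(h[2:] if h.startswith("0x") else h)
    code, ident, length = struct.unpack("!BBH", raw[:4])
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length,
           "truncated": len(raw) < length}
    if code not in (1, 2) or length < 5:
        return pkt                          # Success/Failure carry no type byte
    eap_type = raw[4]
    pkt["type"] = EAP_TYPES.get(eap_type, eap_type)
    if eap_type == 1:
        pkt["identity"] = raw[5:length].decode("ascii", "replace")
        return pkt
    if eap_type != 13:
        return pkt
    flags = raw[5]
    pkt["flags"] = "".join(name for name, bit in (("L", 0x80), ("M", 0x40), ("S", 0x20))
                           if flags & bit)
    data_start = 6
    if flags & 0x80:                        # L: 4-byte total TLS message length
        pkt["tls_total_len"] = struct.unpack("!I", raw[6:10])[0]
        data_start = 10
    pkt["fragment_bytes"] = length - data_start   # declared, so valid when cut
    data = raw[data_start:length]
    if flags & 0x20:
        pkt["meaning"] = "EAP-TLS Start: server asks the peer to begin the TLS handshake"
    elif pkt["fragment_bytes"] == 0:
        pkt["meaning"] = ("EAP-TLS ACK" if not flags & 0x80
                          else "empty EAP-TLS frame: L flag set, no TLS data")
    elif flags & 0x40:
        pkt["meaning"] = "TLS fragment, more fragments follow"
    else:
        pkt["meaning"] = "last (or only) TLS fragment"
    # Name the handshake message when the fragment opens on a TLS record
    # boundary (true for the first fragment of a flight, not for later ones).
    if len(data) >= 9 and data[0] == 0x16 and data[1] == 3:
        pkt["tls_record"] = {
            "version": "TLS 1.%d" % (data[2] - 1) if data[2] else "SSLv3",
            "record_len": struct.unpack("!H", data[3:5])[0],
            "handshake": TLS_HANDSHAKE.get(data[5], data[5]),
            "handshake_len": int.from_bytes(data[6:9], "big"),
        }
    return pkt


def check_reassembly(fragments):
    """Sum the declared fragment sizes of one server flight and compare the
    result with the total announced in the L-flagged header(s)."""
    parsed = [parse_eap(h) for h in fragments]
    totals = {p["tls_total_len"] for p in parsed if "tls_total_len" in p}
    announced = totals.pop() if len(totals) == 1 else None
    carried = sum(p["fragment_bytes"] for p in parsed)
    return {"announced": announced, "carried": carried,
            "complete": announced == carried}


if __name__ == "__main__":
    for hexstr in LOG_MESSAGES:
        p = parse_eap(hexstr)
        print("%-8s id=%d len=%-4d %-8s flags=%-3s %s" % (
            p["code"], p["id"], p["length"], p.get("type", ""),
            p.get("flags", "-"), p.get("meaning", p.get("identity", ""))))
    # The server flight ServerHello..ServerHelloDone is challenges 1 and 2.
    print(check_reassembly([LOG_MESSAGES[3], LOG_MESSAGES[5]]))
```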


Quoting  freeradius-users-request at lists.freeradius.org:

> Send Freeradius-Users mailing list submissions to
> 	freeradius-users at lists.freeradius.org
> 
> To subscribe or unsubscribe via the World Wide Web, visit
> 	http://lists.freeradius.org/mailman/listinfo/freeradius-users
> or, via email, send a message with subject or body 'help' to
> 	freeradius-users-request at lists.freeradius.org
> 
> You can reach the person managing the list at
> 	freeradius-users-owner at lists.freeradius.org
> 
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Freeradius-Users digest..."
> 
> 
> Today's Topics:
> 
>    1. RE: FR with MySQL - Stored Procedures (Gunther)
>    2. Re: freeradius & redback sms (Alan DeKok)
>    3. Re: Date expansion fails for inner encryption tunnel log
>       files. (Alan DeKok)
>    4. Re: 1.1.6 with rlm_sqlippool: ip=[] len=0 (Alan DeKok)
>    5. Re: ttls problem (tevfik)
> 
> 
> ----------------------------------------------------------------------
> 
> Message: 1
> Date: Thu, 10 May 2007 03:15:09 -0400
> From: "Gunther" <freeradius at caribsms.com>
> Subject: RE: FR with MySQL - Stored Procedures
> To: "'FreeRadius users mailing list'"
> 	<freeradius-users at lists.freeradius.org>
> Message-ID: <001a01c792d2$f23b79c0$0419a8c0 at ultra3>
> Content-Type: text/plain;	charset="US-ASCII"
> 
> Did some further research on the MySQL - FR Stored Procedure (SP) problem.
> 
> When calling the SP, MySQL always returns two results. One is the actual
> result and the other is the number of affected rows, which is different to
> a normal e.g. SELECT query.
> 
> SP:
> mysql> call CheckIt('myString');
> +--------+
> | result |
> +--------+
> |     10 | (result is correct)
> +--------+
> 1 row in set (0.00 sec)
> 
> Query OK, 0 rows affected (0.00 sec) <-- Result plus the number of affected
> rows!
> 
> Normal Query:
> mysql> select 25 AS result;
> +--------+
> | result |
> +--------+
> |     25 |
> +--------+
> 1 row in set (0.00 sec) <--- Normal query with one result
> 
> -------- MYSQL 5.0 Ref manual ----
> If you write C programs that use the CALL SQL statement to execute stored
> procedures that produce result sets, you must set the CLIENT_MULTI_RESULTS
> flag, either explicitly, or implicitly by setting CLIENT_MULTI_STATEMENTS
> when you call mysql_real_connect(). This is because each such stored
> procedure produces multiple results: the result sets returned by statements
> executed within the procedure, as well as a result to indicate the call
> status. To process the result of a CALL statement, use a loop that calls
> mysql_next_result() to determine whether there are more results.
> 
> The following procedure outlines a suggested strategy for handling multiple
> statements:
>  1. Pass CLIENT_MULTI_STATEMENTS to mysql_real_connect(), to fully enable
> multiple-statement execution and multiple-result processing.
>  2. After calling mysql_query() or mysql_real_query() and verifying that it
> succeeds, enter a loop within which you process statement results.
>  3. For each iteration of the loop, handle the current statement result,
> retrieving either a result set or an affected-rows count. If an error
> occurs, exit the loop.
>  4. At the end of the loop, call mysql_next_result() to check whether
> another result exists and initiate retrieval for it if so. If no more
> results are available, exit the loop.
> ----------------------------------
> 
> Just for a test, I added a very quick and dirty 'mysql_next_result' into the
> sql_free_result function of "sql_mysql.c" in row 292 of FR 1.1.6, the same
> location Thomas used the
> 
> .....
>         if (sqlsocket->row == NULL) {
>                 return sql_check_error(mysql_errno(mysql_sock->sock));
>         }
>         mysql_next_result(mysql_sock->sock); /* eat the number of affected rows result */
>         return 0;
> }
> .....
> 
> As a result I do not get the 2014 error anymore and everything seems to be
> working fine.
> Since I do not really know the implications of just adding this command,
> maybe one of the experts could help out here.
> 
> In an earlier posting 3 days ago I said that the problem is not really
> stored procedure related ... but it is! Once the SP is called at least once
> other queries will have errors too.
> 
> Gunther
> 
> FR 1.1.6 - MySQL 5.0.41 - CentOS 4.4
> 
> 
> 
> 
> 
> ------------------------------
> 
> Message: 2
> Date: Thu, 10 May 2007 09:27:45 +0200
> From: Alan DeKok <aland at deployingradius.com>
> Subject: Re: freeradius & redback sms
> To: FreeRadius users mailing list
> 	<freeradius-users at lists.freeradius.org>
> Message-ID: <4642C971.3060509 at deployingradius.com>
> Content-Type: text/plain; charset=ISO-8859-1
> 
> Samson Martinez wrote:
> > We are currently using a Redback SMS 500 to terminate PPPoE sessions for
> > client desktops. Up until now an older Steelbelted Radius server has
> > been used to authenticate RADIUS requests forwarded by the Redback and
> > it's worked ok. We want to transfer the RADIUS support to a freeradius
> > installation but I am having a bit of a fit trying to get it to work.
> 
>   See "radsniff" from the current release.  Watch the packets going TO
> your old RADIUS server, and the responses coming BACK from it.
> Configure FreeRADIUS to respond to requests with the same attributes.
> 
>   The NAS has no idea which server you're running.  All it sees is the
> attributes in the packet.
> 
>   The solution is to first find out what needs to be sent back, and then
> make FreeRADIUS send the correct response.  There is no magic, and there
> is no need to fight with any configuration.
> 
>   The redback log looks like you're not sending back the correct
> attributes.   If you don't know what attributes to send back, you WILL
> NOT be able to solve the problem.
> 
>   Alan DeKok.
> --
>   http://deployingradius.com       - The web site of the book
>   http://deployingradius.com/blog/ - The blog
> 
> 
> ------------------------------
> 
> Message: 3
> Date: Thu, 10 May 2007 09:39:36 +0200
> From: Alan DeKok <aland at deployingradius.com>
> Subject: Re: Date expansion fails for inner encryption tunnel log
> 	files.
> To: FreeRadius users mailing list
> 	<freeradius-users at lists.freeradius.org>
> Message-ID: <4642CC38.9050204 at deployingradius.com>
> Content-Type: text/plain; charset=ISO-8859-1
> 
> Arran Cudbard-Bell wrote:
> > Firstly is it possible to specify return codes for users files depending
> > on matched sections ? Or will the files module always return ok ?
> 
>   You can't specify return codes from the "users" file.
> 
> > Secondly, whats considered decent throughput in terms of (serial)
> > requests per second...
> > With none of the SQL or LDAP checking i'm getting around 300ish requests
> > per second ;
> 
>   That\'s a little low, to be honest.  My tests on a dual core 1.8GHz
> intel show 25k PAP requests per second from localhost to localhost.
> That\'s rather different from what you\'re seeing.
> 
>   Unless you mean 300 full EAP-TLS/TTLS/PEAP authentications per
> second.
>  That\'s pretty fast, considering that almost all of the CPU time is
> spent doing RSA key operations.  And with 5-10 RADIUS packets per EAP
> authentication, that\'s 3k requests/s, not 300.
> 
> > We have a user base of around 10,000 users with a absolute maximum of
> > 4,000 logged in at any one time, and two Dual Core 2.13ghz 64bit Apple
> > Xserves with basic load balancing.
> > 
> > It's obvious that the SQL server is lagging behind, and the LDAP cluster
> > is on some ageing Xserves so probably isn't performing at it's peak...
> > 
> > If you have any recommended figures that I could aim for, would be very
> > useful.
> 
>   For plain PAP: 10k+ requests/s would be expected.  For EAP,
> substantially less than that.
> 
>   Alan DeKok.
> --
>   http://deployingradius.com       - The web site of the book
>   http://deployingradius.com/blog/ - The blog
> 
> 
> ------------------------------
> 
> Message: 4
> Date: Thu, 10 May 2007 09:40:13 +0200
> From: Alan DeKok <aland at deployingradius.com>
> Subject: Re: 1.1.6 with rlm_sqlippool: ip=[] len=0
> To: FreeRadius users mailing list
> 	<freeradius-users at lists.freeradius.org>
> Message-ID: <4642CC5D.7070602 at deployingradius.com>
> Content-Type: text/plain; charset=ISO-8859-1
> 
> Guilherme Franco wrote:
> >     This was happening with 1.1.4 and I thought that 1.1.6 would correct
> >     this.
> >      
> >     Wasn't 1.1.6 supposed to work this out?
> 
>   Which part of the ChangeLog said that?
> 
>   Alan DeKok.
> --
>   http://deployingradius.com       - The web site of the book
>   http://deployingradius.com/blog/ - The blog
> 
> 
> ------------------------------
> 
> Message: 5
> Date: Thu, 10 May 2007 00:41:14 -0700 (PDT)
> From: tevfik <tevfikkiziloren at gmail.com>
> Subject: Re: ttls problem
> To: freeradius-users at lists.freeradius.org
> Message-ID: <10408620.post at talk.nabble.com>
> Content-Type: text/plain; charset=us-ascii
> 
> 
> >did you configure SecureW2 to allow new connections?
> 
> Yes i tried both combinations, nothing is changed.
> 
> In addition to this when I enter correct username but wrong password, I got
> similar debug log which i listed below.
> 
> I wasn't able to see any problem with ldap configuration because it works
> with radtest command. (That is when i entered correct username but wrong
> password, I got Access-Rejected message. When both of them was true, I got
> Access-Accepted)
> 
> Is there a problem with my ldap configuration. Is there any weird message in
> my debug log?
> 
> I am dealing with this thing about 20 days. Could anybody tell me whats
> wrong with it?
> 
> Thanks in advance:
> 
> My full debug log: (username was entered true, password was entered false)
> -------------------------------------------------------------------------------------------------
> ldap:~ # radiusd -X -A
> Starting - reading configuration files ...
> reread_config:  reading radiusd.conf
> Config:   including file: /etc/raddb/proxy.conf
> Config:   including file: /etc/raddb/clients.conf
> Config:   including file: /etc/raddb/snmp.conf
> Config:   including file: /etc/raddb/eap.conf
> Config:   including file: /etc/raddb/sql.conf
>  main: prefix = "/usr"
>  main: localstatedir = "/var"
>  main: logdir = "/var/log/radius"
>  main: libdir = "/usr/lib/freeradius"
>  main: radacctdir = "/var/log/radius/radacct"
>  main: hostname_lookups = no
>  main: max_request_time = 30
>  main: cleanup_delay = 5
>  main: max_requests = 1024
>  main: delete_blocked_requests = 0
>  main: port = 0
>  main: allow_core_dumps = no
>  main: log_stripped_names = no
>  main: log_file = "/var/log/radius/radius.log"
>  main: log_auth = no
>  main: log_auth_badpass = no
>  main: log_auth_goodpass = no
>  main: pidfile = "/var/run/radiusd/radiusd.pid"
>  main: user = "radiusd"
>  main: group = "radiusd"
>  main: usercollide = no
>  main: lower_user = "no"
>  main: lower_pass = "no"
>  main: nospace_user = "no"
>  main: nospace_pass = "no"
>  main: checkrad = "/usr/sbin/checkrad"
>  main: proxy_requests = yes
>  proxy: retry_delay = 5
>  proxy: retry_count = 3
>  proxy: synchronous = no
>  proxy: default_fallback = yes
>  proxy: dead_time = 120
>  proxy: post_proxy_authorize = no
>  proxy: wake_all_if_all_dead = no
>  security: max_attributes = 200
>  security: reject_delay = 1
>  security: status_server = no
>  main: debug_level = 0
> read_config_files:  reading dictionary
> read_config_files:  reading naslist
> read_config_files:  reading clients
> read_config_files:  reading realms
> radiusd:  entering modules setup
> Module: Library search path is /usr/lib/freeradius
> Module: Loaded exec
>  exec: wait = yes
>  exec: program = "(null)"
>  exec: input_pairs = "request"
>  exec: output_pairs = "(null)"
>  exec: packet_type = "(null)"
> rlm_exec: Wait=yes but no output defined. Did you mean output=none?
> Module: Instantiated exec (exec)
> Module: Loaded expr
> Module: Instantiated expr (expr)
> Module: Loaded PAP
>  pap: encryption_scheme = "crypt"
> Module: Instantiated pap (pap)
> Module: Loaded CHAP
> Module: Instantiated chap (chap)
> Module: Loaded MS-CHAP
>  mschap: use_mppe = yes
>  mschap: require_encryption = no
>  mschap: require_strong = no
>  mschap: with_ntdomain_hack = no
>  mschap: passwd = "(null)"
>  mschap: authtype = "MS-CHAP"
>  mschap: ntlm_auth = "(null)"
> Module: Instantiated mschap (mschap)
> Module: Loaded System
>  unix: cache = no
>  unix: passwd = "(null)"
>  unix: shadow = "(null)"
>  unix: group = "(null)"
>  unix: radwtmp = "/var/log/radius/radwtmp"
>  unix: usegroup = no
>  unix: cache_reload = 600
> Module: Instantiated unix (unix)
> Module: Loaded LDAP
>  ldap: server = "ldap.anadolu.edu.tr"
>  ldap: port = 389
>  ldap: net_timeout = 1
>  ldap: timeout = 4
>  ldap: timelimit = 3
>  ldap: identity = ""
>  ldap: tls_mode = no
>  ldap: start_tls = no
>  ldap: tls_cacertfile = "(null)"
>  ldap: tls_cacertdir = "(null)"
>  ldap: tls_certfile = "(null)"
>  ldap: tls_keyfile = "(null)"
>  ldap: tls_randfile = "(null)"
>  ldap: tls_require_cert = "allow"
>  ldap: password = ""
>  ldap: basedn = "ou=people,dc=anadolu,dc=edu,dc=tr"
>  ldap: filter = "(uid=%u)"
>  ldap: base_filter = "(objectclass=radiusprofile)"
>  ldap: default_profile = "(null)"
>  ldap: profile_attribute = "(null)"
>  ldap: password_header = "(null)"
>  ldap: password_attribute = "(null)"
>  ldap: access_attr = "(null)"
>  ldap: groupname_attribute = "cn"
>  ldap: groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
>  ldap: groupmembership_attribute = "(null)"
>  ldap: dictionary_mapping = "/etc/raddb/ldap.attrmap"
>  ldap: ldap_debug = 0
>  ldap: ldap_connections_number = 5
>  ldap: compare_check_items = no
>  ldap: access_attr_used_for_allow = yes
>  ldap: do_xlat = yes
>  ldap: edir_account_policy_check = yes
>  ldap: set_auth_type = yes
> rlm_ldap: Registering ldap_groupcmp for Ldap-Group
> rlm_ldap: Creating new attribute ldap_1x-Ldap-Group
> rlm_ldap: Registering ldap_groupcmp for ldap_1x-Ldap-Group
> rlm_ldap: Registering ldap_xlat with xlat_name ldap_1x
> rlm_ldap: Over-riding set_auth_type, as we're not listed in the "authenticate" section.
> rlm_ldap: reading ldap<->radius mappings from file /etc/raddb/ldap.attrmap
> rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
> rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
> rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
> rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
> rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
> rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
> rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
> rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
> rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
> rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
> rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
> rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
> rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
> rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
> rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
> rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
> rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
> rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
> rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
> rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
> rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
> rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
> rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
> rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
> rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
> rlm_ldap: LDAP radiusClass mapped to RADIUS Class
> rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
> rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
> rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
> rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
> rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
> rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
> rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link
> rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network
> rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone
> rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
> rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
> conns: 0x800d0420
> Module: Instantiated ldap (ldap_1x)
> Module: Loaded eap
>  eap: default_eap_type = "ttls"
>  eap: timer_expire = 60
>  eap: ignore_unknown_eap_types = no
>  eap: cisco_accounting_username_bug = no
> rlm_eap: Loaded and initialized type md5
> rlm_eap: Loaded and initialized type leap
>  gtc: challenge = "Password: "
>  gtc: auth_type = "PAP"
> rlm_eap: Loaded and initialized type gtc
>  tls: rsa_key_exchange = no
>  tls: dh_key_exchange = yes
>  tls: rsa_key_length = 512
>  tls: dh_key_length = 512
>  tls: verify_depth = 0
>  tls: CA_path = "(null)"
>  tls: pem_file_type = yes
>  tls: private_key_file = "/etc/raddb/certs/server_keycert.pem"
>  tls: certificate_file = "/etc/raddb/certs/server_keycert.pem"
>  tls: CA_file = "/etc/raddb/certs/cacert.pem"
>  tls: private_key_password = "1234"
>  tls: dh_file = "/etc/raddb/certs/dh"
>  tls: random_file = "/etc/raddb/certs/random"
>  tls: fragment_size = 1024
>  tls: include_length = yes
>  tls: check_crl = no
>  tls: check_cert_cn = "(null)"
> rlm_eap_tls: Loading the certificate file as a chain
> rlm_eap: Loaded and initialized type tls
>  ttls: default_eap_type = "md5"
>  ttls: copy_request_to_tunnel = yes
>  ttls: use_tunneled_reply = no
> rlm_eap: Loaded and initialized type ttls
>  mschapv2: with_ntdomain_hack = no
> rlm_eap: Loaded and initialized type mschapv2
> Module: Instantiated eap (eap)
> Module: Loaded preprocess
>  preprocess: huntgroups = "/etc/raddb/huntgroups"
>  preprocess: hints = "/etc/raddb/hints"
>  preprocess: with_ascend_hack = no
>  preprocess: ascend_channels_per_line = 23
>  preprocess: with_ntdomain_hack = no
>  preprocess: with_specialix_jetstream_hack = no
>  preprocess: with_cisco_vsa_hack = no
> Module: Instantiated preprocess (preprocess)
> Module: Loaded realm
>  realm: format = "suffix"
>  realm: delimiter = "@"
>  realm: ignore_default = yes
>  realm: ignore_null = yes
> Module: Instantiated realm (suffix)
> Module: Loaded files
>  files: usersfile = "/etc/raddb/users"
>  files: acctusersfile = "/etc/raddb/acct_users"
>  files: preproxy_usersfile = "/etc/raddb/preproxy_users"
>  files: compat = "no"
> Module: Instantiated files (files)
> Module: Loaded Acct-Unique-Session-Id
>  acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
> Module: Instantiated acct_unique (acct_unique)
> Module: Loaded detail
>  detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
>  detail: detailperm = 384
>  detail: dirperm = 493
>  detail: locking = no
> Module: Instantiated detail (detail)
> Module: Loaded radutmp
>  radutmp: filename = "/var/log/radius/radutmp"
>  radutmp: username = "%{User-Name}"
>  radutmp: case_sensitive = yes
>  radutmp: check_with_nas = yes
>  radutmp: perm = 384
>  radutmp: callerid = yes
> Module: Instantiated radutmp (radutmp)
> Listening on authentication *:1812
> Listening on accounting *:1813
> Ready to process requests.
> rad_recv: Access-Request packet from host 10.10.7.203:1645, id=146, length=139
>         User-Name = "tkiziloren"
>         Framed-MTU = 1400
>         Called-Station-Id = "0017.0e85.f190"
>         Calling-Station-Id = "0011.2fb9.d08b"
>         Service-Type = Login-User
>         Message-Authenticator = 0x4bf1be37ab5fc1598c68bd249777d10d
>         EAP-Message = 0x0202000f01746b697a696c6f72656e
>         NAS-Port-Type = Wireless-802.11
>         NAS-Port = 322
>         NAS-IP-Address = 10.10.7.203
>         NAS-Identifier = "testbaum"
>   Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
>   modcall[authorize]: module "preprocess" returns ok for request 0
>   modcall[authorize]: module "chap" returns noop for request 0
>   modcall[authorize]: module "mschap" returns noop for request 0
>     rlm_realm: No '@' in User-Name = "tkiziloren", skipping NULL due to config.
>   modcall[authorize]: module "suffix" returns noop for request 0
>   rlm_eap: EAP packet type response id 2 length 15
>   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>   modcall[authorize]: module "eap" returns updated for request 0
>     users: Matched entry DEFAULT at line 29
>   modcall[authorize]: module "files" returns ok for request 0
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for tkiziloren
> radius_xlat:  '(uid=tkiziloren)'
> radius_xlat:  'ou=people,dc=anadolu,dc=edu,dc=tr'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to ldap.anadolu.edu.tr:389, authentication 0
> rlm_ldap: bind as / to ldap.anadolu.edu.tr:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in ou=people,dc=anadolu,dc=edu,dc=tr, with filter (uid=tkiziloren)
> rlm_ldap: looking for check items in directory...
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user tkiziloren authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
>   modcall[authorize]: module "ldap_1x" returns ok for request 0
> modcall: leaving group authorize (returns updated) for request 0
>   rad_check_password:  Found Auth-Type EAP
> auth: type "EAP"
>   Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 0
>   rlm_eap: EAP Identity
>   rlm_eap: processing type tls
>   rlm_eap_tls: Initiate
>   rlm_eap_tls: Start returned 1
>   modcall[authenticate]: module "eap" returns handled for request 0
> modcall: leaving group authenticate (returns handled) for request 0
> Sending Access-Challenge of id 146 to 10.10.7.203 port 1645
>         EAP-Message = 0x010300061520
>         Message-Authenticator = 0x00000000000000000000000000000000
>         State = 0x0aacb6009ffcc2e6b40b7487d9b49dce
> Finished request 0
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 6 seconds...
> rad_recv: Access-Request packet from host 10.10.7.203:1645, id=147, length=202
>         User-Name = "tkiziloren"
>         Framed-MTU = 1400
>         Called-Station-Id = "0017.0e85.f190"
>         Calling-Station-Id = "0011.2fb9.d08b"
>         Service-Type = Login-User
>         Message-Authenticator = 0xec986e334fed0be253f43e2461d77e42
>         EAP-Message = 0x0203003c158000000032160301002d01000029030146cbafcad15f26ee9c399c30942cb9a40c438dfa3f0aeb13b9b68e7fd7fa6e64000002000a0100
>         NAS-Port-Type = Wireless-802.11
>         NAS-Port = 322
>         State = 0x0aacb6009ffcc2e6b40b7487d9b49dce
>         NAS-IP-Address = 10.10.7.203
>         NAS-Identifier = "testbaum"
>   Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 1
>   modcall[authorize]: module "preprocess" returns ok for request 1
>   modcall[authorize]: module "chap" returns noop for request 1
>   modcall[authorize]: module "mschap" returns noop for request 1
>     rlm_realm: No '@' in User-Name = "tkiziloren", skipping NULL due to config.
>   modcall[authorize]: module "suffix" returns noop for request 1
>   rlm_eap: EAP packet type response id 3 length 60
>   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>   modcall[authorize]: module "eap" returns updated for request 1
>     users: Matched entry DEFAULT at line 29
>   modcall[authorize]: module "files" returns ok for request 1
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for tkiziloren
> radius_xlat:  '(uid=tkiziloren)'
> radius_xlat:  'ou=people,dc=anadolu,dc=edu,dc=tr'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in ou=people,dc=anadolu,dc=edu,dc=tr, with filter (uid=tkiziloren)
> rlm_ldap: looking for check items in directory...
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user tkiziloren authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
>   modcall[authorize]: module "ldap_1x" returns ok for request 1
> modcall: leaving group authorize (returns updated) for request 1
>   rad_check_password:  Found Auth-Type EAP
> auth: type "EAP"
>   Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 1
>   rlm_eap: Request found, released from the list
>   rlm_eap: EAP/ttls
>   rlm_eap: processing type ttls
>   rlm_eap_ttls: Authenticate
>   rlm_eap_tls: processing TLS
> rlm_eap_tls:  Length Included
>   eaptls_verify returned 11
>     (other): before/accept initialization
>     TLS_accept: before/accept initialization
>   rlm_eap_tls: <<< TLS 1.0 Handshake [length 002d], ClientHello
>     TLS_accept: SSLv3 read client hello A
>   rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
>     TLS_accept: SSLv3 write server hello A
>   rlm_eap_tls: >>> TLS 1.0 Handshake [length 05e7], Certificate
>     TLS_accept: SSLv3 write certificate A
>   rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
>     TLS_accept: SSLv3 write server done A
>     TLS_accept: SSLv3 flush data
>     TLS_accept:error in SSLv3 read client certificate A
> In SSL Handshake Phase
> In SSL Accept mode
>   eaptls_process returned 13
>   modcall[authenticate]: module "eap" returns handled for request 1
> modcall: leaving group authenticate (returns handled) for request 1
> Sending Access-Challenge of id 147 to 10.10.7.203 port 1645
>         EAP-Message =
> 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
>         EAP-Message =
> 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
>         EAP-Message =
> 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
>         EAP-Message =
> 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
>         EAP-Message = 0x3130303530373130333734345a30818f310b30090603
>         Message-Authenticator = 0x00000000000000000000000000000000
>         State = 0x2c09c8f35ddc35ecd609188a17165621
> Finished request 1
> Going to the next request
> Waking up in 6 seconds...
> rad_recv: Access-Request packet from host 10.10.7.203:1645, id=148, length=148
>         User-Name = "tkiziloren"
>         Framed-MTU = 1400
>         Called-Station-Id = "0017.0e85.f190"
>         Calling-Station-Id = "0011.2fb9.d08b"
>         Service-Type = Login-User
>         Message-Authenticator = 0x9b4e281f16c2c5d3cf691e6e195bea68
>         EAP-Message = 0x020400061500
>         NAS-Port-Type = Wireless-802.11
>         NAS-Port = 322
>         State = 0x2c09c8f35ddc35ecd609188a17165621
>         NAS-IP-Address = 10.10.7.203
>         NAS-Identifier = "testbaum"
>   Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 2
>   modcall[authorize]: module "preprocess" returns ok for request 2
>   modcall[authorize]: module "chap" returns noop for request 2
>   modcall[authorize]: module "mschap" returns noop for request 2
>     rlm_realm: No '@' in User-Name = "tkiziloren", skipping NULL due to config.
>   modcall[authorize]: module "suffix" returns noop for request 2
>   rlm_eap: EAP packet type response id 4 length 6
>   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>   modcall[authorize]: module "eap" returns updated for request 2
>     users: Matched entry DEFAULT at line 29
>   modcall[authorize]: module "files" returns ok for request 2
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for tkiziloren
> radius_xlat:  '(uid=tkiziloren)'
> radius_xlat:  'ou=people,dc=anadolu,dc=edu,dc=tr'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in ou=people,dc=anadolu,dc=edu,dc=tr, with filter (uid=tkiziloren)
> rlm_ldap: looking for check items in directory...
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user tkiziloren authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
>   modcall[authorize]: module "ldap_1x" returns ok for request 2
> modcall: leaving group authorize (returns updated) for request 2
>   rad_check_password:  Found Auth-Type EAP
> auth: type "EAP"
>   Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 2
>   rlm_eap: Request found, released from the list
>   rlm_eap: EAP/ttls
>   rlm_eap: processing type ttls
>   rlm_eap_ttls: Authenticate
>   rlm_eap_tls: processing TLS
> rlm_eap_tls: Received EAP-TLS ACK message
>   rlm_eap_tls: ack handshake fragment handler
>   eaptls_verify returned 1
>   eaptls_process returned 13
>   modcall[authenticate]: module "eap" returns handled for request 2
> modcall: leaving group authenticate (returns handled) for request 2
> Sending Access-Challenge of id 148 to 10.10.7.203 port 1645
>         EAP-Message =
> 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
>         EAP-Message =
> 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
>         EAP-Message = 0x4b77db5093871b2203bf2271cb97b98cc169c03f4f67d7a01261d971dfddc176cce3a42e1dd1e37037060a528db7e8481722e222549b882a93cfa582a29df0f1b401a28e197772410a1f1016030100040e000000
>         Message-Authenticator = 0x00000000000000000000000000000000
>         State = 0xb63cf9e5375c651683e69b8c2d8543fc
> Finished request 2
> Going to the next request
> Waking up in 6 seconds...
> --- Walking the entire request list ---
> Cleaning up request 0 ID 146 with timestamp 4642d682
> Cleaning up request 1 ID 147 with timestamp 4642d682
> Cleaning up request 2 ID 148 with timestamp 4642d682
> Nothing to do.  Sleeping until we see a request.
> 
> A.L.M.Buxey wrote:
> > 
> > Hi,
> > 
> >> However when I try to perform the same task by using securew2 on XP client, it
> >> always shows "attempting to authenticate",
> > 
> > did you configure SecureW2 to allow new connections?
> > 
> > alan
> > - 
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
> > 
> > 
> 
> -- 
> View this message in context:
> http://www.nabble.com/ttls-problem-tf3717596.html#a10408620
> Sent from the FreeRadius - User mailing list archive at Nabble.com.
> End of Freeradius-Users Digest, Vol 25, Issue 36
> ************************************************
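The debug log quoted above, read by a small parser rather than by eye. This is an added example, not code from the original post or from the FreeRADIUS project. It decodes the EAP header at the front of each Access-Request's EAP-Message (code, identifier, type, and for EAP-TLS/TTLS/PEAP the L/M/S flags, an ACK, and the total TLS length that follows when L is set), collects the TLS handshake messages that rlm_eap_tls logs with `<<<` (received) and `>>>` (sent), records the reply type of each request and whether a `Cleaning up request` line later named it, and reports how far the conversation got. On the quoted exchange that summary is: Identity, then a ClientHello from the client; ServerHello, Certificate and ServerHelloDone from the server; an ACK from the client for the last fragment; then all three requests cleaned up with an Access-Challenge as the last reply and no Access-Accept or Access-Reject, which is the point in a TLS 1.0 handshake where the supplicant validates the server certificate before sending its own flight. SAMPLE_LOG is a constructed, abridged excerpt of the quoted log; the EAP type names beyond those in the log (PEAP, MSCHAPv2) are the standard IANA assignments.

```python
# Added example, not FreeRADIUS code: a reader for the `radiusd -X` debug format quoted above.
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed, abridged excerpt of the debug log quoted above (its three Access-Requests).
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 10.10.7.203:1645, id=146, length=139
        EAP-Message = 0x0202000f01746b697a696c6f72656e
Sending Access-Challenge of id 146 to 10.10.7.203 port 1645
        EAP-Message = 0x010300061520
rad_recv: Access-Request packet from host 10.10.7.203:1645, id=147, length=202
        EAP-Message = 0x0203003c158000000032160301002d01000029030146cbafcad15f26ee9c399c30942cb9a40c438dfa3f0aeb13b9b68e7fd7fa6e64000002000a0100
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 002d], ClientHello
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 05e7], Certificate
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
Sending Access-Challenge of id 147 to 10.10.7.203 port 1645
rad_recv: Access-Request packet from host 10.10.7.203:1645, id=148, length=148
        EAP-Message = 0x020400061500
Sending Access-Challenge of id 148 to 10.10.7.203 port 1645
Cleaning up request 0 ID 146 with timestamp 4642d682
Cleaning up request 1 ID 147 with timestamp 4642d682
Cleaning up request 2 ID 148 with timestamp 4642d682
"""

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "TLS", 21: "TTLS", 25: "PEAP", 26: "MSCHAPv2"}


@dataclass
class EapHeader:
    code: str
    identifier: int
    length: int
    eap_type: Optional[str]
    detail: str  # identity string, or TLS flags (L/M/S/ACK) plus total TLS length


def decode_eap(hex_value: str) -> EapHeader:  # RFC 3748 header at the front of an EAP-Message
    raw = bytes.fromhex(hex_value[2:] if hex_value.startswith("0x") else hex_value)
    code, ident, length = EAP_CODES.get(raw[0], str(raw[0])), raw[1], int.from_bytes(raw[2:4], "big")
    if len(raw) < 5:  # Success / Failure carry no Type byte
        return EapHeader(code, ident, length, None, "")
    eap_type, detail = raw[4], ""
    if eap_type == 1:  # Identity: payload is the outer user name
        detail = raw[5:length].decode("ascii", "replace")
    elif eap_type in (13, 21, 25):  # EAP-TLS / TTLS / PEAP: flags byte, then TLS length if L is set
        flags = raw[5]
        bits = [name for bit, name in ((0x80, "L"), (0x40, "M"), (0x20, "S")) if flags & bit]
        detail = "flags=" + ("|".join(bits) if bits else "ACK" if length == 6 else "none")
        if flags & 0x80 and len(raw) >= 10:
            detail += f" tls_len={int.from_bytes(raw[6:10], 'big')}"
    return EapHeader(code, ident, length, EAP_TYPES.get(eap_type, f"type {eap_type}"), detail)


@dataclass
class RequestSummary:
    packet_id: int
    eap_in: Optional[EapHeader] = None  # EAP-Message carried by the Access-Request
    tls_in: List[str] = field(default_factory=list)   # handshake messages received (<<<)
    tls_out: List[str] = field(default_factory=list)  # handshake messages sent (>>>)
    reply: Optional[str] = None  # Access-Challenge / Access-Accept / Access-Reject
    cleaned_up: bool = False  # a "Cleaning up request" line named this packet id


RE_RECV = re.compile(r"rad_recv: Access-Request packet from host \S+, id=(\d+)")
RE_EAP = re.compile(r"EAP-Message = (0x[0-9a-fA-F]+)")
RE_TLS = re.compile(r"rlm_eap_tls: (<<<|>>>) TLS [\d.]+ Handshake \[length [0-9a-f]+\], (\w+)")
RE_SEND = re.compile(r"Sending (Access-\w+) of id (\d+)")
RE_CLEAN = re.compile(r"Cleaning up request \d+ ID (\d+)")


def parse_debug_log(text: str) -> List[RequestSummary]:
    requests: List[RequestSummary] = []
    current: Optional[RequestSummary] = None
    for line in text.splitlines():
        line = line.strip()
        if m := RE_RECV.search(line):
            current = RequestSummary(packet_id=int(m.group(1)))
            requests.append(current)
        elif m := RE_CLEAN.search(line):
            for r in requests:
                r.cleaned_up |= r.packet_id == int(m.group(1))
        elif current is None:
            continue
        elif m := RE_SEND.search(line):
            current.reply = m.group(1)
        elif m := RE_EAP.search(line):  # EAP-Messages after "Sending ..." are the server's reply
            if current.reply is None and current.eap_in is None:
                current.eap_in = decode_eap(m.group(1))
        elif m := RE_TLS.search(line):
            (current.tls_in if m.group(1) == "<<<" else current.tls_out).append(m.group(2))
    return requests


def conversation_status(requests: List[RequestSummary]) -> str:
    """Did the EAP conversation finish (Accept/Reject) or stall, and after which TLS flight?"""
    if not requests:
        return "no requests seen"
    finals = [r for r in requests if r.reply in ("Access-Accept", "Access-Reject")]
    if finals:
        return f"finished with {finals[-1].reply} (id {finals[-1].packet_id})"
    last = requests[-1]
    sent = [m for r in requests for m in r.tls_out]
    received = [m for r in requests for m in r.tls_in]
    return (f"stalled after {len(requests)} Access-Requests; last reply {last.reply} "
            f"(id {last.packet_id}, {'cleaned up' if last.cleaned_up else 'still open'}); "
            f"last client TLS message: {received[-1] if received else 'none'}; "
            f"last server TLS message: {sent[-1] if sent else 'none'}")
```

Run it on a real capture with `conversation_status(parse_debug_log(open(path).read()))`. The parser expects each attribute and its value on one line, so a copy pasted from a mail (where `EAP-Message =` and `rad_recv:` lines get wrapped) needs the wrapped lines rejoined first. It deliberately ignores `TLS_accept:error in SSLv3 read client certificate A`: that line is OpenSSL's info callback reporting that `SSL_accept` returned because it needs the client's next flight, and FreeRADIUS then continues the handshake (`eaptls_process returned 13` and an Access-Challenge follow it in the quoted log), so it is not the place where this conversation fails.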