I can't get 'access-accept' from Linux clients
Sergio Belkin
sebelk at gmail.com
Thu Jan 10 19:54:22 CET 2008
Hi,
I can't still figure it out why I can't access from Linux clients.
I use version 1.1.7 of freeradius. Linux client is a Fedora 8 system.
I use Freeradius+eap+ttls. Users accounts are stored in a LDAP server.
My eap.conf is:
eap {
default_eap_type = ttls
timer_expire = 60
ignore_unknown_eap_types = no
md5 {
}
tls {
certificate_file =
/etc/pki/tls/certs/spectrum.xp-crt.pem
private_key_file =
/etc/pki/tls/certs/spectrum.xp-key.pem
CA_file = /etc/pki/tls/certs/cacert.pem
dh_file = ${raddbdir}/certs/dh
random_file = ${raddbdir}/certs/random
fragment_size = 1024
include_length = yes
copy_request_to_tunnel = no
use_tunneled_reply = no
}
ttls {
default_eap_type = md5
copy_request_to_tunnel = no
use_tunneled_reply = no
}
mschapv2 {
}
}
EOF
These are debugging messages:
rad_recv: Access-Request packet from host 10.30.1.151:2048, id=0, length=125
User-Name = "jsmith"
NAS-IP-Address = 10.30.1.151
Called-Station-Id = "000625f17036"
Calling-Station-Id = "000e35bf5118"
NAS-Identifier = "000625f17036"
NAS-Port = 54
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0200000b016d6261726265
Message-Authenticator = 0x05f08581315f74a9365956e711d1adec
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 78
modcall[authorize]: module "preprocess" returns ok for request 78
rlm_eap: EAP packet type response id 0 length 11
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 78
modcall[authorize]: module "files" returns notfound for request 78
rlm_ldap: - authorize
rlm_ldap: performing user authorization for jsmith
radius_xlat: '(uid=jsmith)'
radius_xlat: 'ou=people,dc=foofoo,dc=edu'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=people,dc=foofoo,dc=edu, with filter
(uid=jsmith)
request done: ld 0x5555557c59c0 msgid 91
rlm_ldap: checking if remote access for jsmith is allowed by radiusAllowed
rlm_ldap: Added password {SSHA}F8XliBuxscoShNf0k7RxlC7niB7ISswp in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user jsmith authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 78
rlm_pap: Found existing Auth-Type, not changing it.
modcall[authorize]: module "pap" returns noop for request 78
modcall: leaving group authorize (returns updated) for request 78
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 78
rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
modcall[authenticate]: module "eap" returns handled for request 78
modcall: leaving group authenticate (returns handled) for request 78
Sending Access-Challenge of id 0 to 10.30.1.151 port 2048
EAP-Message = 0x010100061520
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xfc48a9d073781d46b58418c4b4cd9827
Finished request 78
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.30.1.151:2048, id=0, length=267
User-Name = "jsmith"
NAS-IP-Address = 10.30.1.151
Called-Station-Id = "000625f17036"
Calling-Station-Id = "000e35bf5118"
NAS-Identifier = "000625f17036"
NAS-Port = 54
Framed-MTU = 1400
State = 0xfc48a9d073781d46b58418c4b4cd9827
NAS-Port-Type = Wireless-802.11
EAP-Message =
0x020100871500160301007c010000780301478642113f068a6df0132c744c49958b45592615abb6622beddf19a8fa52510f20fd4cbc7f733120101175d6dd7f27f2585364c73af2b4d0f65332531e8c2d3c4b003000390038003500160013000a00330032002f006600050004006300620015001200090065006400140011000800060003020100
Message-Authenticator = 0xdfd8574e151c9d725b98e1d9f907aff5
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 79
modcall[authorize]: module "preprocess" returns ok for request 79
rlm_eap: EAP packet type response id 1 length 135
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 79
modcall[authorize]: module "files" returns notfound for request 79
rlm_ldap: - authorize
rlm_ldap: performing user authorization for jsmith
radius_xlat: '(uid=jsmith)'
radius_xlat: 'ou=people,dc=foofoo,dc=edu'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=people,dc=foofoo,dc=edu, with filter
(uid=jsmith)
request done: ld 0x5555557c59c0 msgid 92
rlm_ldap: checking if remote access for jsmith is allowed by radiusAllowed
rlm_ldap: Added password {SSHA}F8XliBuxscoShNf0k7RxlC7niB7ISswp in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user jsmith authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 79
rlm_pap: Found existing Auth-Type, not changing it.
modcall[authorize]: module "pap" returns noop for request 79
modcall: leaving group authorize (returns updated) for request 79
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 79
rlm_eap: Request found, released from the list
rlm_eap: EAP/ttls
rlm_eap: processing type ttls
rlm_eap_ttls: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
(other): before/accept initialization
TLS_accept: before/accept initialization
rlm_eap_tls: <<< TLS 1.0 Handshake [length 007c], ClientHello
TLS_accept: SSLv3 read client hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
TLS_accept: SSLv3 write server hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0852], Certificate
TLS_accept: SSLv3 write certificate A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange
TLS_accept: SSLv3 write key exchange A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
TLS_accept: SSLv3 write server done A
TLS_accept: SSLv3 flush data
TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
eaptls_process returned 13
modcall[authenticate]: module "eap" returns handled for request 79
modcall: leaving group authenticate (returns handled) for request 79
Sending Access-Challenge of id 0 to 10.30.1.151 port 2048
EAP-Message =
0x0102040a15c000000ac1160301004a0200004603014786342b9ef8bb5abf19685d60fd60612468af00d9ed6e8c3c8d8c500502cc5320818abadd3283b96ff95b519e2730f9a96b58d3c79c5b3a34305a56e68c1403e200390016030108520b00084e00084b0003b9308203b53082029da003020102020111300d06092a864886f70d010104050030818e310b3009060355040613024152311530130603550407130c4275656e6f73204169726573311f301d060355040a1316556e6976657273696461642064652050616c65726d6f31273025060355040b131e446570617274616d656e746f20646520436f6d756e69636163696f6e6573311e301c06
EAP-Message =
0x035504031315436572746966696361746520417574686f72697479301e170d3037313031313233333633305a170d3131313031303233333633305a308193310b3009060355040613024152311530130603550407130c4275656e6f73204169726573311f301d060355040a1316556e6976657273696461642064652050616c65726d6f312d302b060355040b1324446570617274616d656e746f20646520436f6d756e69636163696f6e6573202d20737032311d301b06035504031314737065637472756d2e70616c65726d6f2e65647530820122300d06092a864886f70d01010105000382010f003082010a0282010100e04585aa76fe88e53fe2e5
EAP-Message =
0xfd4e4c9732987996ca13093a1173f9760319f9bf6b1bbad6702284056432c8b9409e28789a2d91e8027baa1fadcf4951be8b3d1932d6a125dd50d18a57ea8c909eb93b83f73404193b6ebb16e7abcc49ec7b3d2546f65e41d895631ab82cbf09c6744c9d6e01064fd1548487e70baf1179f387430d7f193460f4bf55e9c6cb2100202382b2c0c10929e125f8c32bd5cd0d26c3d908688cb747475263370195f56c256bad4ee232fb9db6bf07966c6ad88f5bfa07143c5a626fde432f3582bdc50164e1b216e902efb947be80f5d64cf05e33e1ba76c3734bd4a1586895b5575ac4ea9f87384629547e75ad7c119c66abe7a07f8c7d0203010001a31730
EAP-Message =
0x1530130603551d25040c300a06082b06010505070301300d06092a864886f70d01010405000382010100c056381386ae47210e7781b5f29f6e345d3cf3170d7b56f207c5120ad7a0a3f50d8d5089b1b670e12571f30f6035435027ba8a6c0f560c4ed67436b09470a25f6c6ed5f6183671143d0119cdbd58f1564ff62d829557d30db8e3e629cde53dc086b2b6e6cbc199f38653349b1abd884554bde148d0b3c6972f3910a3d9a6004b4b85b5c2bea77f8939d3518d718d5a1290ca6c03f3ce5d98906e243f4cc698360b5d5f3015054f0dc7f0cb42475760038477a75d03c048f80b4f50b554499749833660883b818630ae143a9e0ac935e5e3d594
EAP-Message = 0xf97b881df18c0b1712e00eef6a91fa1582e7f8eb93fa
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xf0f832daf2650b8149ceb6f275602bd7
Finished request 79
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.30.1.151:2048, id=0, length=138
User-Name = "jsmith"
NAS-IP-Address = 10.30.1.151
Called-Station-Id = "000625f17036"
Calling-Station-Id = "000e35bf5118"
NAS-Identifier = "000625f17036"
NAS-Port = 54
Framed-MTU = 1400
State = 0xf0f832daf2650b8149ceb6f275602bd7
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020200061500
Message-Authenticator = 0x2fa93517832117f062a910387bc0e5fc
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 80
modcall[authorize]: module "preprocess" returns ok for request 80
rlm_eap: EAP packet type response id 2 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 80
modcall[authorize]: module "files" returns notfound for request 80
rlm_ldap: - authorize
rlm_ldap: performing user authorization for jsmith
radius_xlat: '(uid=jsmith)'
radius_xlat: 'ou=people,dc=foofoo,dc=edu'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=people,dc=foofoo,dc=edu, with filter
(uid=jsmith)
request done: ld 0x5555557c59c0 msgid 93
rlm_ldap: checking if remote access for jsmith is allowed by radiusAllowed
rlm_ldap: Added password {SSHA}F8XliBuxscoShNf0k7RxlC7niB7ISswp in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user jsmith authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 80
rlm_pap: Found existing Auth-Type, not changing it.
modcall[authorize]: module "pap" returns noop for request 80
modcall: leaving group authorize (returns updated) for request 80
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 80
rlm_eap: Request found, released from the list
rlm_eap: EAP/ttls
rlm_eap: processing type ttls
rlm_eap_ttls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake fragment handler
eaptls_verify returned 1
eaptls_process returned 13
modcall[authenticate]: module "eap" returns handled for request 80
modcall: leaving group authenticate (returns handled) for request 80
Sending Access-Challenge of id 0 to 10.30.1.151 port 2048
EAP-Message =
0x0103040a15c000000ac14ee3f701692818d33744866b15afbc8774a1ed07b5b43200048c3082048830820370a003020102020101300d06092a864886f70d010104050030818e310b3009060355040613024152311530130603550407130c4275656e6f73204169726573311f301d060355040a1316556e6976657273696461642064652050616c65726d6f31273025060355040b131e446570617274616d656e746f20646520436f6d756e69636163696f6e6573311e301c06035504031315436572746966696361746520417574686f72697479301e170d3035313230313134353835305a170d3135313132393134353835305a30818e310b30090603
EAP-Message =
0x55040613024152311530130603550407130c4275656e6f73204169726573311f301d060355040a1316556e6976657273696461642064652050616c65726d6f31273025060355040b131e446570617274616d656e746f20646520436f6d756e69636163696f6e6573311e301c06035504031315436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100eb878d17120d3af300ab78838b32fde160463d4ff2693c5ebc59123788f0bfe9d90aaa34a22bab04b8e8f294176215b97f2edf6c686434ad87acccd5ecf7edec871e8449a876cbfe531c5158385aa9d30685723c
EAP-Message =
0xf3273b5d2d8cde4ca62b0c07c3bdd54be96f2f68074454281c527079276d3388dcdb097e730c419f58d24eaca71fd8c5d8b6fe023154b9bdb920dc6ac013a57dc9bf94b99250b47bc32a07afbf2a2eddd37bdb8f0421f7df33eb999dce70784d065458b5e590f1c285837464709c6af7e3ae092dd38372420e780d8567699d534897f298fcde4309a2f66afee6dce842a69c31f1ca580454665eae87a04881b0bbb009928b30ef374fa534e50203010001a381ee3081eb301d0603551d0e04160414fd77533bb6a66d1e3b48bfb5d21501d829ddf4693081bb0603551d230481b33081b08014fd77533bb6a66d1e3b48bfb5d21501d829ddf469a18194
EAP-Message =
0xa4819130818e310b3009060355040613024152311530130603550407130c4275656e6f73204169726573311f301d060355040a1316556e6976657273696461642064652050616c65726d6f31273025060355040b131e446570617274616d656e746f20646520436f6d756e69636163696f6e6573311e301c06035504031315436572746966696361746520417574686f72697479820101300c0603551d13040530030101ff300d06092a864886f70d0101040500038201010066656bbb8617d0aa046d938fb367586fb47ba22a4c54ccfc21d3bdc13ae39df3cd89029a0b5bcacb39977e824d94ba8c61296ce2e38d91e22766ce9ce6d988580251e19e
EAP-Message = 0xf037cea75d86cb016c26f8d51bb33fbe8f07daf1f9fc
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x793f1ec27e43cf5e46f8c83bcb621ce2
Finished request 80
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.30.1.151:2048, id=0, length=138
User-Name = "jsmith"
NAS-IP-Address = 10.30.1.151
Called-Station-Id = "000625f17036"
Calling-Station-Id = "000e35bf5118"
NAS-Identifier = "000625f17036"
NAS-Port = 54
Framed-MTU = 1400
State = 0x793f1ec27e43cf5e46f8c83bcb621ce2
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020300061500
Message-Authenticator = 0xe5538b5a1dbce1d2be6e4577a5b03f08
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 81
modcall[authorize]: module "preprocess" returns ok for request 81
rlm_eap: EAP packet type response id 3 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 81
modcall[authorize]: module "files" returns notfound for request 81
rlm_ldap: - authorize
rlm_ldap: performing user authorization for jsmith
radius_xlat: '(uid=jsmith)'
radius_xlat: 'ou=people,dc=foofoo,dc=edu'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=people,dc=foofoo,dc=edu, with filter
(uid=jsmith)
request done: ld 0x5555557c59c0 msgid 94
rlm_ldap: checking if remote access for jsmith is allowed by radiusAllowed
rlm_ldap: Added password {SSHA}F8XliBuxscoShNf0k7RxlC7niB7ISswp in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user jsmith authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 81
rlm_pap: Found existing Auth-Type, not changing it.
modcall[authorize]: module "pap" returns noop for request 81
modcall: leaving group authorize (returns updated) for request 81
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 81
rlm_eap: Request found, released from the list
rlm_eap: EAP/ttls
rlm_eap: processing type ttls
rlm_eap_ttls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake fragment handler
eaptls_verify returned 1
eaptls_process returned 13
modcall[authenticate]: module "eap" returns handled for request 81
modcall: leaving group authenticate (returns handled) for request 81
Sending Access-Challenge of id 0 to 10.30.1.151 port 2048
EAP-Message =
0x010402cb158000000ac178833f2254362517e85e9dcd2c4362773223204e9c66dff65f08f319c5c9a2bb6a6de09b6534fd5df1fc14ba8dc996930e5413bbb2d4cae1c5aa68abe3785bec762c0c47246c2a89066512727dfc1c8b96fb0005841d05009db8e084a3931d2046b4d8047d2c182c9b0a5b5f340ee1b4331ec0ece5185dc33e4f100ec0a0a7e6e2bad313ea717fa4d4ed2e913575014832f80d0298e5c662015b0729eabd6220c0082326acb5160301020d0c0002090080ab5cc42c337b650ab1047c54f7a4fc1a130b5596597983a2b227b2a9969953ee8238cee287777922551db722e8db74a6f760d006dac6ebfcc8a12be3a29d341f28c8
EAP-Message =
0x4c7276144e8ef17163040ab5133ee9dab782f2a030bf37bef653c2081f601c1563997b74cecc8d1d10f7bfdd6d812abd1b020076c2f9d125d24e7148765b000102008092f52b71e3e2a4dd4e731ab4c9897e5e07e78aaf0fc27d4607599a9a5968617c542c8c51b46ec613e25d0314be3cbd69b8b974c2c4ff9d78529ecb5e7c433f990cf57b73c495bdda8611d893847e026ac9ac439c16aaae427f7f08918b198a4e3fb9aa92db96d3693c5b99e54f94851611c866b6da20c767507055de6278329c010090ba89795c01907d37967ad43ec946dfaa36739a3da5a66a3ed0cd06ba1409ba49c0a770b543fcd28b852ab40922272cd3f94a30022bc661
EAP-Message =
0xa0267ce397397e9f49c9bbfa5cf19f2059e39df895eda2db099b4e2d1ce154d0e47284ad5d21319dc1e93c6b0ad55601d5846c7a26109a8c0cef8169817920e7a6fcbb6079172104e1f0e3eab59976a58a4bb5ec6eb833937d318995b622d2c549f41abfea1a8be19be883d1aba398272e3beff4273abe5dc765cd34d41160c1930b49d6f4d06eb12de20ecd6e1983648ed57796d0d8d600f0a26c1430a16043e2f1481cdb2a152ed90fdf3971586e5397260f1123154115452a469c55fc4a05f9dfa6d63fdde02e16030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x833294c65fcd0855ebad9d048a4f1774
Finished request 81
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.30.1.151:2048, id=0, length=336
User-Name = "jsmith"
NAS-IP-Address = 10.30.1.151
Called-Station-Id = "000625f17036"
Calling-Station-Id = "000e35bf5118"
NAS-Identifier = "000625f17036"
NAS-Port = 54
Framed-MTU = 1400
State = 0x833294c65fcd0855ebad9d048a4f1774
NAS-Port-Type = Wireless-802.11
EAP-Message =
0x020400cc150016030100861000008200804275e1edcb663653bdf4efea1709c14b253107d9adba49c6996ee0dfa8f8d92df6f59a0bf4466b27f45f7f590ba83ee1575e33c23426a98d8e1eaa634851f8d7a67d85d4e85362d9bd7322932980d79f16812062a8f110f54e43e26b26d422c73c128673826f2bc7336cfc292d8091dbc3296c5511ba98a3b6969d11e426bd851403010001011603010030c4d9938e47bb488e35c479bd812aea40eac63ad8cf9ef56a46d62c1685abd770d4b338626cd61ac7a67f51020d55b6e4
Message-Authenticator = 0x654cb604b66d0e06fb0f43a1bcb1fde4
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 82
modcall[authorize]: module "preprocess" returns ok for request 82
rlm_eap: EAP packet type response id 4 length 204
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 82
modcall[authorize]: module "files" returns notfound for request 82
rlm_ldap: - authorize
rlm_ldap: performing user authorization for jsmith
radius_xlat: '(uid=jsmith)'
radius_xlat: 'ou=people,dc=foofoo,dc=edu'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=people,dc=foofoo,dc=edu, with filter
(uid=jsmith)
request done: ld 0x5555557c59c0 msgid 95
rlm_ldap: checking if remote access for jsmith is allowed by radiusAllowed
rlm_ldap: Added password {SSHA}F8XliBuxscoShNf0k7RxlC7niB7ISswp in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user jsmith authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 82
rlm_pap: Found existing Auth-Type, not changing it.
modcall[authorize]: module "pap" returns noop for request 82
modcall: leaving group authorize (returns updated) for request 82
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 82
rlm_eap: Request found, released from the list
rlm_eap: EAP/ttls
rlm_eap: processing type ttls
rlm_eap_ttls: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
TLS_accept: SSLv3 read client key exchange A
rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 read finished A
rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001]
TLS_accept: SSLv3 write change cipher spec A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 write finished A
TLS_accept: SSLv3 flush data
(other): SSL negotiation finished successfully
SSL Connection Established
eaptls_process returned 13
modcall[authenticate]: module "eap" returns handled for request 82
modcall: leaving group authenticate (returns handled) for request 82
Sending Access-Challenge of id 0 to 10.30.1.151 port 2048
EAP-Message =
0x0105004515800000003b1403010001011603010030d6ce47d40a8b1b3e4b794982ec932dd3a4b59c79e0bfabdb461b93451d30d294bae413c55f107ede3bb79847c6e1fe13
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x76a86ea597db1d84801e3d5a33ed315d
Finished request 82
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.30.1.151:2048, id=0, length=228
User-Name = "jsmith"
NAS-IP-Address = 10.30.1.151
Called-Station-Id = "000625f17036"
Calling-Station-Id = "000e35bf5118"
NAS-Identifier = "000625f17036"
NAS-Port = 54
Framed-MTU = 1400
State = 0x76a86ea597db1d84801e3d5a33ed315d
NAS-Port-Type = Wireless-802.11
EAP-Message =
0x020500601500170301002003befb10e115d6be6c1600e87a18821d0f297dbd309252644e30c9940819977817030100308779d4c89404e08e5e26dc999eeee3c5c40d5c4f1de09a9a5155868aa51bb597d88f42c75bb9e637994a438d916178be
Message-Authenticator = 0x71e1ebd7cd9032206838384addf6c61a
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 83
modcall[authorize]: module "preprocess" returns ok for request 83
rlm_eap: EAP packet type response id 5 length 96
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 83
modcall[authorize]: module "files" returns notfound for request 83
rlm_ldap: - authorize
rlm_ldap: performing user authorization for jsmith
radius_xlat: '(uid=jsmith)'
radius_xlat: 'ou=people,dc=foofoo,dc=edu'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=people,dc=foofoo,dc=edu, with filter
(uid=jsmith)
request done: ld 0x5555557c59c0 msgid 96
rlm_ldap: checking if remote access for jsmith is allowed by radiusAllowed
rlm_ldap: Added password {SSHA}F8XliBuxscoShNf0k7RxlC7niB7ISswp in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user jsmith authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 83
rlm_pap: Found existing Auth-Type, not changing it.
modcall[authorize]: module "pap" returns noop for request 83
modcall: leaving group authorize (returns updated) for request 83
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 83
rlm_eap: Request found, released from the list
rlm_eap: EAP/ttls
rlm_eap: processing type ttls
rlm_eap_ttls: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_ttls: Session established. Proceeding to decode tunneled attributes.
TTLS: Got tunneled identity of jsmith
TTLS: Setting default EAP type for tunneled EAP session.
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 83
modcall[authorize]: module "preprocess" returns ok for request 83
rlm_eap: EAP packet type response id 0 length 11
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 83
modcall[authorize]: module "files" returns notfound for request 83
rlm_ldap: - authorize
rlm_ldap: performing user authorization for jsmith
radius_xlat: '(uid=jsmith)'
radius_xlat: 'ou=people,dc=foofoo,dc=edu'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=people,dc=foofoo,dc=edu, with filter
(uid=jsmith)
request done: ld 0x5555557c59c0 msgid 97
rlm_ldap: checking if remote access for jsmith is allowed by radiusAllowed
rlm_ldap: Added password {SSHA}F8XliBuxscoShNf0k7RxlC7niB7ISswp in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user jsmith authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 83
rlm_pap: Found existing Auth-Type, not changing it.
modcall[authorize]: module "pap" returns noop for request 83
modcall: leaving group authorize (returns updated) for request 83
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 83
rlm_eap: EAP Identity
rlm_eap: processing type md5
rlm_eap_md5: Issuing Challenge
modcall[authenticate]: module "eap" returns handled for request 83
modcall: leaving group authenticate (returns handled) for request 83
TTLS: Got tunneled Access-Challenge
modcall[authenticate]: module "eap" returns handled for request 83
modcall: leaving group authenticate (returns handled) for request 83
Sending Access-Challenge of id 0 to 10.30.1.151 port 2048
EAP-Message =
0x0106004f15800000004517030100403f31dc96dfcf59f81a9bfd4877df1f05556359e4225224ff3dbb33a56cba84c6afa828768b2681f3aafdcf24affae6f42f1541bce71bc1a72ddeab16d1af5433
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xed8be8fd2ea72b6055c80ee9baf77d23
Finished request 83
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.30.1.151:2048, id=0, length=244
User-Name = "jsmith"
NAS-IP-Address = 10.30.1.151
Called-Station-Id = "000625f17036"
Calling-Station-Id = "000e35bf5118"
NAS-Identifier = "000625f17036"
NAS-Port = 54
Framed-MTU = 1400
State = 0xed8be8fd2ea72b6055c80ee9baf77d23
NAS-Port-Type = Wireless-802.11
EAP-Message =
0x0206007015001703010020f5edc58442c0561622a1a8071f92bf15d9a71b9727369060e2eda2b79f8c92a117030100405f4a3d549612e997cc5157c71b123ad0850702d1429632e0fa63c7f760673226788bba2f0e777ab1eac4a57f7578f225d0647fda56034121144a3f8aa15e1e89
Message-Authenticator = 0xe9457bdb2bf21de66cf7fd105426e54a
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 84
modcall[authorize]: module "preprocess" returns ok for request 84
rlm_eap: EAP packet type response id 6 length 112
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 84
modcall[authorize]: module "files" returns notfound for request 84
rlm_ldap: - authorize
rlm_ldap: performing user authorization for jsmith
radius_xlat: '(uid=jsmith)'
radius_xlat: 'ou=people,dc=foofoo,dc=edu'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=people,dc=foofoo,dc=edu, with filter
(uid=jsmith)
request done: ld 0x5555557c59c0 msgid 98
rlm_ldap: checking if remote access for jsmith is allowed by radiusAllowed
rlm_ldap: Added password {SSHA}F8XliBuxscoShNf0k7RxlC7niB7ISswp in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user jsmith authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 84
rlm_pap: Found existing Auth-Type, not changing it.
modcall[authorize]: module "pap" returns noop for request 84
modcall: leaving group authorize (returns updated) for request 84
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 84
rlm_eap: Request found, released from the list
rlm_eap: EAP/ttls
rlm_eap: processing type ttls
rlm_eap_ttls: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_ttls: Session established. Proceeding to decode tunneled attributes.
TTLS: Adding old state with 06 81
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 84
modcall[authorize]: module "preprocess" returns ok for request 84
rlm_eap: EAP packet type response id 1 length 22
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 84
modcall[authorize]: module "files" returns notfound for request 84
rlm_ldap: - authorize
rlm_ldap: performing user authorization for jsmith
radius_xlat: '(uid=jsmith)'
radius_xlat: 'ou=people,dc=foofoo,dc=edu'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=people,dc=foofoo,dc=edu, with filter
(uid=jsmith)
request done: ld 0x5555557c59c0 msgid 99
rlm_ldap: checking if remote access for jsmith is allowed by radiusAllowed
rlm_ldap: Added password {SSHA}F8XliBuxscoShNf0k7RxlC7niB7ISswp in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user jsmith authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 84
rlm_pap: Found existing Auth-Type, not changing it.
modcall[authorize]: module "pap" returns noop for request 84
modcall: leaving group authorize (returns updated) for request 84
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 84
rlm_eap: Request found, released from the list
rlm_eap: EAP/md5
rlm_eap: processing type md5
rlm_eap_md5: User-Password is required for EAP-MD5 authentication
rlm_eap: Handler failed in EAP/md5
rlm_eap: Failed in EAP select
modcall[authenticate]: module "eap" returns invalid for request 84
modcall: leaving group authenticate (returns invalid) for request 84
auth: Failed to validate the user.
TTLS: Got tunneled Access-Reject
rlm_eap: Handler failed in EAP/ttls
TTLS: Freeing handler for user jsmith
rlm_eap: Failed in EAP select
modcall[authenticate]: module "eap" returns invalid for request 84
modcall: leaving group authenticate (returns invalid) for request 84
auth: Failed to validate the user.
Delaying request 84 for 1 seconds
Finished request 84
Going to the next request
Waking up in 6 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 0 to 10.30.1.151 port 2048
EAP-Message = 0x04060004
Message-Authenticator = 0x00000000000000000000000000000000
Cleaning up request 84 ID 0 with timestamp 4786342b
Nothing to do. Sleeping until we see a request.
Enf of messages
With Windows I can do that with secure2, but I can't do the same in
Linux. How can I solve this?
Thanks in advance!
--
--
Open Kairos http://www.openkairos.com
Watch More TV http://sebelk.blogspot.com
Sergio Belkin -
More information about the Freeradius-Users
mailing list