Debugging access point behaviour
Giovanni Lovato
giovanni.lovato at aldu.net
Thu Sep 18 13:39:34 CEST 2008
First of all, this is not a FR problem. I use FR 2.1.0 and it works very
well! BTW, I'm trying to configure an access point to authenticate
against FR, but the process fails. Maybe someone here can tell me where
is the issue, so I attach the log of FR... Some details:
OS: Debian Lenny
FR version: 2.1.0
Authentication backend: LDAP
Authentication method: WPA2-EAP TLS
Note: authentication works well with other access points.
Thank you!
--
Giovanni Lovato <giovanni.lovato at aldu.net>
-------------- next part --------------
rad_recv: Access-Request packet from host 192.168.11.6 port 3072, id=126, length=169
User-Name = "heruan"
NAS-IP-Address = 0.0.0.0
NAS-Port = 0
Called-Station-Id = "00006c576976"
Calling-Station-Id = "002268c0eb93"
NAS-Identifier = "Realtek Access Point. 8181"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Service-Type = Framed-User
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x0200000b0168657275616e
Message-Authenticator = 0x10e69b5ef3ecf07fb56f44023213e72b
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "heruan", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 0 length 11
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns updated
++[files] returns noop
[ldap_telperion] performing user authorization for heruan
WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
expand: (|(uid=%{Stripped-User-Name:-%{User-Name}})(cn=%{Stripped-User-Name:-%{User-Name})) -> (|(uid=heruan)(cn=heruan))
expand: dc=aldu,dc=net -> dc=aldu,dc=net
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldaps://ldap.aldu.net, authentication 0
rlm_ldap: setting TLS CACert File to /export/ssl/AlduNetworkCA.crt
rlm_ldap: setting TLS Cert File to /export/ssl/crts/radius.aldu.net.crt
rlm_ldap: setting TLS Key File to /export/ssl/keys/radius.aldu.net.key
rlm_ldap: bind as cn=radius,dc=aldu,dc=net/RaD-802.1X to ldaps://ldap.aldu.net
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=aldu,dc=net, with filter (|(uid=heruan)(cn=heruan))
[ldap_telperion] Added User-Password = {SSHA}...<omitted>... in check items
[ldap_telperion] No default NMAS login sequence
[ldap_telperion] looking for check items in directory...
rlm_ldap: sambaNtPassword -> NT-Password == 0x...<omitted>...
rlm_ldap: sambaLmPassword -> LM-Password == 0x...<omitted>...
[ldap_telperion] looking for reply items in directory...
[ldap_telperion] user heruan authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap_telperion] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Normalizing NT-Password from hex encoding
[pap] Normalizing LM-Password from hex encoding
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Replacing User-Password in config items with Cleartext-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good" !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 126 to 192.168.11.6 port 3072
EAP-Message = 0x010100160410fd40decb184fb0fc23a60c70f3a86edc
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xecb4974becb5936c21163977cb2ae20c
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.11.6 port 3072, id=127, length=176
User-Name = "heruan"
NAS-IP-Address = 0.0.0.0
NAS-Port = 0
Called-Station-Id = "00006c576976"
Calling-Station-Id = "002268c0eb93"
NAS-Identifier = "Realtek Access Point. 8181"
NAS-Port-Type = Wireless-802.11
Service-Type = Framed-User
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x02010006030d
State = 0xecb4974becb5936c21163977cb2ae20c
Message-Authenticator = 0x5f7eb55227aaa419cce4154003eb5363
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "heruan", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns updated
++[files] returns noop
[ldap_telperion] performing user authorization for heruan
WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
expand: (|(uid=%{Stripped-User-Name:-%{User-Name}})(cn=%{Stripped-User-Name:-%{User-Name})) -> (|(uid=heruan)(cn=heruan))
expand: dc=aldu,dc=net -> dc=aldu,dc=net
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=aldu,dc=net, with filter (|(uid=heruan)(cn=heruan))
[ldap_telperion] Added User-Password = {SSHA}...<omitted>... in check items
[ldap_telperion] No default NMAS login sequence
[ldap_telperion] looking for check items in directory...
rlm_ldap: sambaNtPassword -> NT-Password == 0x...<omitted>...
rlm_ldap: sambaLmPassword -> LM-Password == 0x...<omitted>...
[ldap_telperion] looking for reply items in directory...
[ldap_telperion] user heruan authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap_telperion] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Normalizing NT-Password from hex encoding
[pap] Normalizing LM-Password from hex encoding
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Replacing User-Password in config items with Cleartext-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good" !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/tls
[eap] processing type tls
[tls] Requiring client certificate
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 127 to 192.168.11.6 port 3072
EAP-Message = 0x010200060d20
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xecb4974bedb69a6c21163977cb2ae20c
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.11.6 port 3072, id=128, length=269
User-Name = "heruan"
NAS-IP-Address = 0.0.0.0
NAS-Port = 0
Called-Station-Id = "00006c576976"
Calling-Station-Id = "002268c0eb93"
NAS-Identifier = "Realtek Access Point. 8181"
NAS-Port-Type = Wireless-802.11
Service-Type = Framed-User
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020200630d00160301005801000054030148d23b333d34c55f4b7232757604244c797877c21b50760a577371c2faece6de00002600390038003500160013000a00330032002f0005000400150012000900140011000800060003020100000400230000
State = 0xecb4974bedb69a6c21163977cb2ae20c
Message-Authenticator = 0x40c776164bd49641e3c8975bdde06192
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "heruan", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 99
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns updated
++[files] returns noop
[ldap_telperion] performing user authorization for heruan
WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
expand: (|(uid=%{Stripped-User-Name:-%{User-Name}})(cn=%{Stripped-User-Name:-%{User-Name})) -> (|(uid=heruan)(cn=heruan))
expand: dc=aldu,dc=net -> dc=aldu,dc=net
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=aldu,dc=net, with filter (|(uid=heruan)(cn=heruan))
[ldap_telperion] Added User-Password = {SSHA}...<omitted>... in check items
[ldap_telperion] No default NMAS login sequence
[ldap_telperion] looking for check items in directory...
rlm_ldap: sambaNtPassword -> NT-Password == 0x...<omitted>...
rlm_ldap: sambaLmPassword -> LM-Password == 0x...<omitted>...
[ldap_telperion] looking for reply items in directory...
[ldap_telperion] user heruan authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap_telperion] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Normalizing NT-Password from hex encoding
[pap] Normalizing LM-Password from hex encoding
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Replacing User-Password in config items with Cleartext-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good" !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] eaptls_verify returned 7
[tls] Done initial handshake
[tls] (other): before/accept initialization
[tls] TLS_accept: before/accept initialization
[tls] <<< TLS 1.0 Handshake [length 0058], ClientHello
[tls] TLS_accept: SSLv3 read client hello A
[tls] >>> TLS 1.0 Handshake [length 0030], ServerHello
[tls] TLS_accept: SSLv3 write server hello A
[tls] >>> TLS 1.0 Handshake [length 0d58], Certificate
[tls] TLS_accept: SSLv3 write certificate A
[tls] >>> TLS 1.0 Handshake [length 030d], ServerKeyExchange
[tls] TLS_accept: SSLv3 write key exchange A
[tls] >>> TLS 1.0 Handshake [length 0096], CertificateRequest
[tls] TLS_accept: SSLv3 write certificate request A
[tls] TLS_accept: SSLv3 flush data
[tls] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[tls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 128 to 192.168.11.6 port 3072
EAP-Message = 0x010304000dc00000113f16030100300200002c030148d23b33c026068df3b9546697b3067919464d329662fb14b2ec0e705e204624000039010004002300001603010d580b000d54000d510006e6308206e2308204caa003020102020106300d06092a864886f70d0101050500308181310b30090603550406130249543110300e06035504081307566963656e7a6131153013060355040a130c416c6475204e6574776f726b312d302b06035504031324416c6475204e6574776f726b2043657274696669636174696f6e20417574686f72697479311a301806092a864886f70d010901160b636140616c64752e6e6574301e170d3038303532353137
EAP-Message = 0x333535395a170d3131303532353137333535395a30819e310b30090603550406130249543110300e06035504081307566963656e7a6131193017060355040713105175696e746f20566963656e74696e6f31153013060355040a130c416c6475204e6574776f726b31123010060355040b130954656c706572696f6e311830160603550403130f7261646975732e616c64752e6e6574311d301b06092a864886f70d010901160e61646d696e40616c64752e6e657430820222300d06092a864886f70d01010105000382020f003082020a0282020100baaf8b7cc35660a1c28f10814fdc742405a6d80aa99536279821be517701110d369ff91ae8e0df
EAP-Message = 0x2587a70c4d1d6f4bbaf2a59401f0b37d713f36dfd6cfa6db0676c65d03364e66525328de388503c50fc1df64987bf9eee87360fbee6244d5e8af6de7d17e4962d88afee99670f2d7404447740a01d86453124935f03242168dea7f0db7eaaf58d74f8b91edec5a7d9253033423009850262fe2fb3aa8fe5e25a9819ce31362d8c10331929076e89952e1140f0b2f60878d6d1e10b864c3c810b55fd7a1d939267c6a925e16c25d8d95cb86260b8ab80dba1f25a3ebbcf52b3c03a8243d15645a51994358cdda3ea68bc6d148607607d281e30f2a3868a7dab59e914f708754b947f0d696c388efd54e8e31a90516854c5f0ecb35b8d461367240490496
EAP-Message = 0x8fe972bfff621bd744f312de283a3aaa344d8471fc0cb39ece52c2ff77984ee407ec0a7b531fca81815ffb39002b359ee77c98e93d4c670aaee60d6e04670f98d157d509ba96be28383bbf503139ba93e75c702e362489f63025dd90e236353b9fa7fe4dcbeb9f948918f05bd87e60972d6504c9b51bdd353ed23c00550afd065d1eaa51c362f2d6fa0967b3d0e753b522379edeccbe2d61dc0eb321111de3792d629c410e2ce284fcbf4e0ed081103ee1bbca94904a4799afa254dc0a092ea61a42a147fa9c901aa9d3c90a99659e375200334cdcb73681ccbd0edf0203010001a38201443082014030090603551d1304023000301106096086480186
EAP-Message = 0xf8420101040403020640302e
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xecb4974beeb79a6c21163977cb2ae20c
Finished request 2.
Going to the next request
Waking up in 4.6 seconds.
rad_recv: Access-Request packet from host 192.168.11.6 port 3072, id=129, length=176
User-Name = "heruan"
NAS-IP-Address = 0.0.0.0
NAS-Port = 0
Called-Station-Id = "00006c576976"
Calling-Station-Id = "002268c0eb93"
NAS-Identifier = "Realtek Access Point. 8181"
NAS-Port-Type = Wireless-802.11
Service-Type = Framed-User
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020300060d00
State = 0xecb4974beeb79a6c21163977cb2ae20c
Message-Authenticator = 0xbcfbc7082ea814ea5a391ed008bcca97
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "heruan", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns updated
++[files] returns noop
[ldap_telperion] performing user authorization for heruan
WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
expand: (|(uid=%{Stripped-User-Name:-%{User-Name}})(cn=%{Stripped-User-Name:-%{User-Name})) -> (|(uid=heruan)(cn=heruan))
expand: dc=aldu,dc=net -> dc=aldu,dc=net
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=aldu,dc=net, with filter (|(uid=heruan)(cn=heruan))
[ldap_telperion] Added User-Password = {SSHA}...<omitted>... in check items
[ldap_telperion] No default NMAS login sequence
[ldap_telperion] looking for check items in directory...
rlm_ldap: sambaNtPassword -> NT-Password == 0x...<omitted>...
rlm_ldap: sambaLmPassword -> LM-Password == 0x...<omitted>...
[ldap_telperion] looking for reply items in directory...
[ldap_telperion] user heruan authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap_telperion] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Normalizing NT-Password from hex encoding
[pap] Normalizing LM-Password from hex encoding
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Replacing User-Password in config items with Cleartext-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good" !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] Received TLS ACK
[tls] ACK handshake fragment handler
[tls] eaptls_verify returned 1
[tls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 129 to 192.168.11.6 port 3072
EAP-Message = 0x010404000dc00000113f06096086480186f842010d0421161f416c6475204e6574776f726b20736572766572206365727469666963617465301d0603551d0e0416041427567b3c358088be2a88ae38e964eccc07e499b73081ae0603551d230481a63081a38014fe54771221d91a1005efa50f6f8f886af9cf6447a18187a48184308181310b30090603550406130249543110300e06035504081307566963656e7a6131153013060355040a130c416c6475204e6574776f726b312d302b06035504031324416c6475204e6574776f726b2043657274696669636174696f6e20417574686f72697479311a301806092a864886f70d010901160b636140
EAP-Message = 0x616c64752e6e6574820100300b0603551d0f0404030205a030130603551d25040c300a06082b06010505070301300d06092a864886f70d01010505000382020100742d55d4b3875961cbeefc0f3ef724521d0ed3ee2fc997a66e2eb059f3e7f69910ef1f6d21c818f5b48e87bff4268ba2355864de725f5462a62149483848e85f77b0e5fb074cb83ecbd02a16f144bdded0a54ac864803302ee054d8eff8110873f810ebcdfa4af88d977b36eb9f183fda25d577d7420b67f0862e98531c237d3f4c845361236824d95afc1f15ae306ba8a9f1796d9f84ebd0d4ca02b13fa51ea0a9c2ef694aedc5bb18d3921ab2683ac352cd5271f1c8f693716c9a8
EAP-Message = 0x834213249900d970259773739d0e8d2eb48f3146764b7f48dfc595a68c14162d03ffad6422776a5ff163ec766bab25556af2af9461028666f4d597ad8de3fa5487a37bd69551603fc2027f76094b79b79fc4c58584a0f2b2e9281cd4374761f471d1b27aa04b32daad7ca99d9a6b61b7b1ac6309ca2a89839208a3ccb22519046702bd2b0e7ee376c60786f22486ce3a33807d4b3ee6f3690bd1d580e838f1779ee92616f2470c7f56cf3558863b384c9b3909adf442310f61bbb4a5bfecc3157b4658ae0c9e84a8fba6e52a170454c18d037f3602cfcf0129526199c3b3ba0f756de771d64c12eeccf058ed1f6094343a0ecf3bc2665e36f4483cbadd
EAP-Message = 0xf33afd60ac8f1d0cdd175607eb508f0b9bf869a232d2cb7ac3777d43d2541cdafd77e90c6204ab13ceaf09d872a0c97033f09fdee496058d72270025f17852d41d274ca9ada3500006653082066130820449a003020102020100300d06092a864886f70d0101050500308181310b30090603550406130249543110300e06035504081307566963656e7a6131153013060355040a130c416c6475204e6574776f726b312d302b06035504031324416c6475204e6574776f726b2043657274696669636174696f6e20417574686f72697479311a301806092a864886f70d010901160b636140616c64752e6e6574301e170d303830353235313731353233
EAP-Message = 0x5a170d313330353234313731
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xecb4974befb09a6c21163977cb2ae20c
Finished request 3.
Going to the next request
Waking up in 4.6 seconds.
rad_recv: Access-Request packet from host 192.168.11.6 port 3072, id=130, length=176
User-Name = "heruan"
NAS-IP-Address = 0.0.0.0
NAS-Port = 0
Called-Station-Id = "00006c576976"
Calling-Station-Id = "002268c0eb93"
NAS-Identifier = "Realtek Access Point. 8181"
NAS-Port-Type = Wireless-802.11
Service-Type = Framed-User
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020400060d00
State = 0xecb4974befb09a6c21163977cb2ae20c
Message-Authenticator = 0x927d969654e29bc36e153b4758156e53
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "heruan", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 4 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns updated
++[files] returns noop
[ldap_telperion] performing user authorization for heruan
WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
expand: (|(uid=%{Stripped-User-Name:-%{User-Name}})(cn=%{Stripped-User-Name:-%{User-Name})) -> (|(uid=heruan)(cn=heruan))
expand: dc=aldu,dc=net -> dc=aldu,dc=net
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=aldu,dc=net, with filter (|(uid=heruan)(cn=heruan))
[ldap_telperion] Added User-Password = {SSHA}...<omitted>... in check items
[ldap_telperion] No default NMAS login sequence
[ldap_telperion] looking for check items in directory...
rlm_ldap: sambaNtPassword -> NT-Password == 0x...<omitted>...
rlm_ldap: sambaLmPassword -> LM-Password == 0x...<omitted>...
[ldap_telperion] looking for reply items in directory...
[ldap_telperion] user heruan authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap_telperion] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Normalizing NT-Password from hex encoding
[pap] Normalizing LM-Password from hex encoding
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Replacing User-Password in config items with Cleartext-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good" !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] Received TLS ACK
[tls] ACK handshake fragment handler
[tls] eaptls_verify returned 1
[tls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 130 to 192.168.11.6 port 3072
EAP-Message = 0x010504000dc00000113f3532335a308181310b30090603550406130249543110300e06035504081307566963656e7a6131153013060355040a130c416c6475204e6574776f726b312d302b06035504031324416c6475204e6574776f726b2043657274696669636174696f6e20417574686f72697479311a301806092a864886f70d010901160b636140616c64752e6e657430820222300d06092a864886f70d01010105000382020f003082020a0282020100e352d800a194047d72504330b65278cf22b0a7211472a77939e369cd5121e27e119f05cb3c660aefda12d90bad75dda2b965f831d5a2e1038bbe7c9f8addb1c5ab1efe5be47d2eac1b39
EAP-Message = 0x72b68bba4c406916c302c35dfd5ef11d36f1a5637ae33661b27f2e9bb8843a5319061eb7167d274bb6942dfc1878b7f638ed9b9ff4ac4b9b5bdf094e275ff5b53a0551f24d1e63f35d7cfa96c2e00a5ca504b62f5f32cfc3d8aa6f589de482bedeb65224d6e425144be81e36eab9844dbb0fc5388a29b55a23f34798a90f534e626e102a0f0df13ae0f72fe99fe9dcf3575bd85a628c06fe8f6cc51f69271b4203ebebfa52b49df5fd0171c36f204bd64c8989d1fa45628140ffa19d8285702462b34ae01721197aefcd87fb79d2417705f8ef205f2b59bafe222a077c91c22e2481dfcc02eb6a0be6fc6317bd52289ef787f1bd9fe34b5b92b7485408
EAP-Message = 0xef15ebe685d408d77dcbd9ba07755e4ecf6574793855e64291199a5a77440faa0101f2b4c85a3a92c62aa075cd4f535b0b0321d7839c7b59c02d61cc77cbf1ec4425b8726d315a3228fba109abe1ede78e13f5cf82fa216cf0193fcc641cf3a4e97b43dd425b7e95cfd5d3c692332ced3bb96d9b6d5a2fbb3777a951e0cbeee0e23cb7b911c728db165f153c1e4e1c68ba690d7fbcb04fb05e78b0363308ca5a67f4a3ba844407f51d3a4796dbdf3bb01739e33a60720418dd0203010001a381e13081de301d0603551d0e04160414fe54771221d91a1005efa50f6f8f886af9cf64473081ae0603551d230481a63081a38014fe54771221d91a1005ef
EAP-Message = 0xa50f6f8f886af9cf6447a18187a48184308181310b30090603550406130249543110300e06035504081307566963656e7a6131153013060355040a130c416c6475204e6574776f726b312d302b06035504031324416c6475204e6574776f726b2043657274696669636174696f6e20417574686f72697479311a301806092a864886f70d010901160b636140616c64752e6e6574820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382020100a53bd0a1d836628f9e26a6c7267136549f18ca3cb6d234a5d055d43abdbcbe0e825def229bdc0cbf3c9f38997a15da051b0ce615e8941940dccd43fb24dbea1ee66af094
EAP-Message = 0x2af577240d47b79a20ecf287
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xecb4974be8b19a6c21163977cb2ae20c
Finished request 4.
Going to the next request
Waking up in 4.6 seconds.
rad_recv: Access-Request packet from host 192.168.11.6 port 3072, id=131, length=176
User-Name = "heruan"
NAS-IP-Address = 0.0.0.0
NAS-Port = 0
Called-Station-Id = "00006c576976"
Calling-Station-Id = "002268c0eb93"
NAS-Identifier = "Realtek Access Point. 8181"
NAS-Port-Type = Wireless-802.11
Service-Type = Framed-User
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020500060d00
State = 0xecb4974be8b19a6c21163977cb2ae20c
Message-Authenticator = 0xd9c4eb7ccdb43bf7fa7b4c70ae49cf59
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "heruan", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 5 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns updated
++[files] returns noop
[ldap_telperion] performing user authorization for heruan
WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
expand: (|(uid=%{Stripped-User-Name:-%{User-Name}})(cn=%{Stripped-User-Name:-%{User-Name})) -> (|(uid=heruan)(cn=heruan))
expand: dc=aldu,dc=net -> dc=aldu,dc=net
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=aldu,dc=net, with filter (|(uid=heruan)(cn=heruan))
[ldap_telperion] Added User-Password = {SSHA}...<omitted>... in check items
[ldap_telperion] No default NMAS login sequence
[ldap_telperion] looking for check items in directory...
rlm_ldap: sambaNtPassword -> NT-Password == 0x...<omitted>...
rlm_ldap: sambaLmPassword -> LM-Password == 0x...<omitted>...
[ldap_telperion] looking for reply items in directory...
[ldap_telperion] user heruan authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap_telperion] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Normalizing NT-Password from hex encoding
[pap] Normalizing LM-Password from hex encoding
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Replacing User-Password in config items with Cleartext-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good" !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] Received TLS ACK
[tls] ACK handshake fragment handler
[tls] eaptls_verify returned 1
[tls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 131 to 192.168.11.6 port 3072
EAP-Message = 0x010604000dc00000113f41253f7caef992816fb6b25244e2b2eac310fef7d7a86f60a2b967aa0d28ae7fe86fbf4a029e4a6e8ebedbef1eb7c7a344d87591be5b8bb28140d1faec4c4753fac13fb77dab34db643e84a0cb961f8947fc1fc6b0861993319ac5b28086aa3f5b0847b15bb97d24cf1690a3aab0ccff85403dd201abcb1b8b279b4b9ecb641d70269ebc603614afd6c56cbc44c8e0e9ba67661e63c195e60738ae589ce857a6a9e7a38ff15cc4c17f5872efdd743641ce8bf543883c98c8d468635d8c8801b6c8825cd26537ca4f7e1789d4c3bde7c9d1314a1ac5bb5d1eeb2e12ef7a5bb1c3ddef303a68284cd5a53d58aa612852d92b8191
EAP-Message = 0x1302468572546831641111a81733a42bbe129cf985b42790a5eb675e742364bc2cb449da2955062efeaa1f1a661933e9ef6a2d4a85c2611e6cf3b5c42511555c4fcab1e5ea237f8017f3f38d5f84e9adae7549f05128f89779b28586d38257a9883f71939263b4dce4945c13b3048e5f8d6ac94e8eab4c2742671ae683451cfff0bf5aa169f15edf30a7cad9f02ef7d004df5db2d4a8001e10730cdf3b140bc1251ea71d8332b2ddebf0117d6f52cefdde1ba9b055795c10c57b3e53c2160301030d0c0003090080b8d46838b3e4f268f2283b876198e2fab4efa6c4ff1a4256bf6a33659ce9369bbb62cbf0074beb662a7ab55ea638e64731dd87d5af
EAP-Message = 0xe48ee480b73d0f29cc890ca12058356d38fd2cfe87a9c418f9c6d1463261be3d2e962aa52850c64521e6851bc4f37bcd09790246b13771cd9f777ae8f7b7d75edc8e5eea46d9c76621734b00010200802d8ce25058d41af12cc98f8b2c288b64755488c20098cb8cea3477a4469d48ca4e150ca568cf935966f926aa38e99458f9430bfc2ea6d9aebfdf9d51ed2d814917da0f5e13255df35eb1e3fa3e117ac1cf9b2c6c394fc1f89b69e43e755e24cd113acc158e8af9286c2b1661d2fb21a8dc810007b7d24543f1502426f067eb7302005e9e4b7e48364aea540b72ac1c8f7b6cef698f569c9314aac49d428e1013bf5d464d46d2c9e4347eb5d3f5
EAP-Message = 0xedab802e834292ad461d7431022462a9db0ae3af984318b03d0121e55e8a7fb7c415f5801cccec0063925182cf26795c9eba2f6d83cdbed9556b20751ffa798ff287314472cf96dba4d5120fb05edfe2879bb3fabad5f4420d7cf12a79ddb0716e303527f8860f32d69219a9df7e6ac20b265f6bc5b58ba96bc9d0b23de7306c5cf9933ba0e74838c99bc5457f31e8f7ad509e4174eb99b692da0717bccbd6cb4ff246716ca698c01737ca67a7bb9ebb60422694b32fcd10098351c592aba94bfe659b81257031579e61b97534f73a28b5785cf6f5c204ed9d9d4db30006421f468e14517eff0c1d457799069f901619191189583ddf878254349b15ee
EAP-Message = 0x69f29af5c8c7c5f1abeb3498
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xecb4974be9b29a6c21163977cb2ae20c
Finished request 5.
Going to the next request
Waking up in 4.6 seconds.
Cleaning up request 0 ID 126 with timestamp +15
Cleaning up request 1 ID 127 with timestamp +16
Waking up in 0.2 seconds.
Cleaning up request 2 ID 128 with timestamp +16
Cleaning up request 3 ID 129 with timestamp +17
Cleaning up request 4 ID 130 with timestamp +17
Cleaning up request 5 ID 131 with timestamp +17
Ready to process requests.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4378 bytes
Desc: not available
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20080918/963288da/attachment.bin>
More information about the Freeradius-Users
mailing list