Aruba-User-Vlan, how to configure RADIUS to send that Aruba VSA to the controller
aangles
aav_1984 at hotmail.com
Mon Oct 5 09:17:31 CEST 2009
Ok. I set the parameter you mentioned: use_tunneled_reply = yes, and it does
not send the VSA in the Access-Accept. I think that if RADIUS could send this
VSA attribute inside an Access-Accept packet, then the NAS would understand it.
My configuration of eap.conf:
ttls {
# The tunneled EAP session needs a default
# EAP type which is separate from the one for
# the non-tunneled EAP module. Inside of the
# TTLS tunnel, we recommend using EAP-MD5.
# If the request does not contain an EAP
# conversation, then this configuration entry
# is ignored.
default_eap_type = mschapv2
# The tunneled authentication request does
# not usually contain useful attributes
# like 'Calling-Station-Id', etc. These
# attributes are outside of the tunnel,
# and normally unavailable to the tunneled
# authentication request.
#
# By setting this configuration entry to
# 'yes', any attribute which NOT in the
# tunneled authentication request, but
# which IS available outside of the tunnel,
# is copied to the tunneled request.
#
# allowed values: {no, yes}
copy_request_to_tunnel = no
# The reply attributes sent to the NAS are
# usually based on the name of the user
# 'outside' of the tunnel (usually
# 'anonymous'). If you want to send the
# reply attributes based on the user name
# inside of the tunnel, then set this
# configuration entry to 'yes', and the reply
# to the NAS will be taken from the reply to
# the tunneled request.
#
# allowed values: {no, yes}
use_tunneled_reply = yes
#
# The inner tunneled request can be sent
# through a virtual server constructed
# specifically for this purpose.
#
# If this entry is commented out, the inner
# tunneled request will be sent through
# the virtual server that processed the
# outer requests.
#
virtual_server = "inner-tunnel"
}
and if I run radiusd -X I get the following:
......
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 10.50.50.250 port 32821, id=188,
length=172
User-Name = "guest"
NAS-IP-Address = 10.50.50.250
NAS-Port = 1
NAS-Identifier = "arubacon"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "0022437B7A67"
Called-Station-Id = "000B86615D8C"
Service-Type = Login-User
Framed-MTU = 1100
EAP-Message = 0x020e000a016775657374
Aruba-Essid-Name = "SecureWiFIAruba"
Aruba-Location-Id = "apob00off09_pos5"
Message-Authenticator = 0x57bc37ce7c549067b0874937ba0c32f6
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand:
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
/var/log/radius/radacct/10.50.50.250/auth-detail-20091005
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/10.50.50.250/auth-detail-20091005
[auth_log] expand: %t -> Mon Oct 5 09:00:47 2009
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "guest", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 14 length 10
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[files] users: Matched entry guest at line 59
++[files] returns ok
[ldap] performing user authorization for guest
[ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for
details
[ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for
details
[ldap] expand:
(|(|(uid=%{Stripped-User-Name:-%{User-Name}}))(mail=%{Stripped-User-Name:-%{User-Name}}@cells.es))
-> (|(|(uid=guest))(mail=guest@cells.es))
[ldap] expand: ou=People,dc=CELLS,dc=ES -> ou=People,dc=CELLS,dc=ES
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap01.cells.es:389, authentication 0
rlm_ldap: bind as cn=Manager,dc=CELLS,dc=ES/Kag110vostresenyor to
ldap01.cells.es:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=People,dc=CELLS,dc=ES, with filter
(|(|(uid=guest))(mail=guest@cells.es))
rlm_ldap: object not found or got ambiguous search result
[ldap] search failed
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 188 to 10.50.50.250 port 32821
Aruba-User-Role = "testrole"
Aruba-User-Vlan = 2120
EAP-Message = 0x010f00061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x23c15ae223ce43ea3a0ff95fc6de2960
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.50.50.250 port 32821, id=189,
length=260
User-Name = "guest"
NAS-IP-Address = 10.50.50.250
NAS-Port = 1
NAS-Identifier = "arubacon"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "0022437B7A67"
Called-Station-Id = "000B86615D8C"
Service-Type = Login-User
Framed-MTU = 1100
EAP-Message =
0x020f005019800000004616030100410100003d03014ac999c73850ebf8405b1daa64edc2795a1ab44f5d9924e096d849073bd7bf5300001600040005000a000900640062000300060013001200630100
State = 0x23c15ae223ce43ea3a0ff95fc6de2960
Aruba-Essid-Name = "SecureWiFIAruba"
Aruba-Location-Id = "apob00off09_pos5"
Message-Authenticator = 0x8dcb8e14548dddf8cd4834ae4364fbf7
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand:
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
/var/log/radius/radacct/10.50.50.250/auth-detail-20091005
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/10.50.50.250/auth-detail-20091005
[auth_log] expand: %t -> Mon Oct 5 09:00:47 2009
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "guest", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 15 length 80
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 70
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 0041], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 002a], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 0b62], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client certificate
A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 189 to 10.50.50.250 port 32821
EAP-Message =
0xbd6b21b0bb88303a0603551d1f04333031302fa02da02b8629687474703a2f2f63726c2e676c6f62616c7369676e2e6e65742f656475636174696f6e616c2e63726c304f06082b0601050507010104433041303f06082b060105050730028633687474703a2f2f7365637572652e676c6f62616c7369676e2e6e65742f6361636572742f656475636174696f6e616c2e637274301d0603551d250416301406082b0601050507030106082b06010505070302301c0603551d110415301382117765622d6d61696c2e63656c6c732e6573300d06092a864886f70d010105050003820101004fe3e0e910a1b58a0d3479de0c184b3725a4b1e2a994aaa919
EAP-Message = 0x2186406f44d171c4a8b43606
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x23c15ae222d143ea3a0ff95fc6de2960
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.50.50.250 port 32821, id=190,
length=186
User-Name = "guest"
NAS-IP-Address = 10.50.50.250
NAS-Port = 1
NAS-Identifier = "arubacon"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "0022437B7A67"
Called-Station-Id = "000B86615D8C"
Service-Type = Login-User
Framed-MTU = 1100
EAP-Message = 0x021000061900
State = 0x23c15ae222d143ea3a0ff95fc6de2960
Aruba-Essid-Name = "SecureWiFIAruba"
Aruba-Location-Id = "apob00off09_pos5"
Message-Authenticator = 0xe6eaad5386d6481d50a76263074c8524
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand:
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
/var/log/radius/radacct/10.50.50.250/auth-detail-20091005
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/10.50.50.250/auth-detail-20091005
[auth_log] expand: %t -> Mon Oct 5 09:00:47 2009
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "guest", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 16 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 190 to 10.50.50.250 port 32821
EAP-Message = 0x300c300a06082b06
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x23c15ae221d043ea3a0ff95fc6de2960
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.50.50.250 port 32821, id=191,
length=186
User-Name = "guest"
NAS-IP-Address = 10.50.50.250
NAS-Port = 1
NAS-Identifier = "arubacon"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "0022437B7A67"
Called-Station-Id = "000B86615D8C"
Service-Type = Login-User
Framed-MTU = 1100
EAP-Message = 0x021100061900
State = 0x23c15ae221d043ea3a0ff95fc6de2960
Aruba-Essid-Name = "SecureWiFIAruba"
Aruba-Location-Id = "apob00off09_pos5"
Message-Authenticator = 0x93ca5c06d7b7bea239ae1db9db7e3ea5
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand:
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
/var/log/radius/radacct/10.50.50.250/auth-detail-20091005
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/10.50.50.250/auth-detail-20091005
[auth_log] expand: %t -> Mon Oct 5 09:00:47 2009
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "guest", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 17 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 191 to 10.50.50.250 port 32821
EAP-Message =
0xe69c3f0185570d588745f8d385aa936926857048803f1215c779b41f052f3b62990203010001300d06092a864886f70d0101040500038181006deb1b09e95ed951db672261a42a3c4877e3a07ca6de73a21403853dfbab0e30c58316338113089e7b344edf40c874d7b97ddcf476557d9b635418e9f0eaf35cb1d98b421eb9c0954ebafad5e27cf56861bf8eec05975f5bb0d7a38534c424a70d0f9593efcb94d89e1f9d5c856dc7aaae4f1f22b5cd95adbaa7ccf9ab0b7a7f16030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x23c15ae220d343ea3a0ff95fc6de2960
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.50.50.250 port 32821, id=192,
length=502
User-Name = "guest"
NAS-IP-Address = 10.50.50.250
NAS-Port = 1
NAS-Identifier = "arubacon"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "0022437B7A67"
Called-Station-Id = "000B86615D8C"
Service-Type = Login-User
Framed-MTU = 1100
EAP-Message =
0xc97f67ff6ec83ada3f065738c29d07cb773207a18bc7dee414030100010116030100200dac101235819d0e63c28dca838c53677d822a01b6d387ef88867e53422c5c09
State = 0x23c15ae220d343ea3a0ff95fc6de2960
Aruba-Essid-Name = "SecureWiFIAruba"
Aruba-Location-Id = "apob00off09_pos5"
Message-Authenticator = 0x57fb1999f8a02adc681561edf0e6d23a
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand:
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
/var/log/radius/radacct/10.50.50.250/auth-detail-20091005
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/10.50.50.250/auth-detail-20091005
[auth_log] expand: %t -> Mon Oct 5 09:00:47 2009
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "guest", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 18 length 253
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 310
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange
[peap] TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap] TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 write finished A
[peap] TLS_accept: SSLv3 flush data
[peap] (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 192 to 10.50.50.250 port 32821
EAP-Message =
0x011300311900140301000101160301002026e1de561aedef09b164f765d9505c4d569d5a1810e200c039d222273f73fcea
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x23c15ae227d243ea3a0ff95fc6de2960
Finished request 4.
Going to the next request
Waking up in 4.8 seconds.
Cleaning up request 0 ID 188 with timestamp +18
Cleaning up request 1 ID 189 with timestamp +18
Cleaning up request 2 ID 190 with timestamp +18
Cleaning up request 3 ID 191 with timestamp +18
Cleaning up request 4 ID 192 with timestamp +18
Ready to process requests.
rad_recv: Access-Request packet from host 10.50.50.250 port 32821, id=193,
length=172
User-Name = "guest"
NAS-IP-Address = 10.50.50.250
NAS-Port = 1
NAS-Identifier = "arubacon"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "0022437B7A67"
Called-Station-Id = "000B86615D8C"
Service-Type = Login-User
Framed-MTU = 1100
EAP-Message = 0x0214000a016775657374
Aruba-Essid-Name = "SecureWiFIAruba"
Aruba-Location-Id = "apob00off09_pos5"
Message-Authenticator = 0x415d7281ea1955e4d5ee2278a32b6fe5
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand:
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
/var/log/radius/radacct/10.50.50.250/auth-detail-20091005
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/10.50.50.250/auth-detail-20091005
[auth_log] expand: %t -> Mon Oct 5 09:01:47 2009
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "guest", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 20 length 10
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[files] users: Matched entry guest at line 59
++[files] returns ok
[ldap] performing user authorization for guest
[ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for
details
[ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for
details
[ldap] expand:
(|(|(uid=%{Stripped-User-Name:-%{User-Name}}))(mail=%{Stripped-User-Name:-%{User-Name}}@cells.es))
-> (|(|(uid=guest))(mail=guest@cells.es))
[ldap] expand: ou=People,dc=CELLS,dc=ES -> ou=People,dc=CELLS,dc=ES
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=People,dc=CELLS,dc=ES, with filter
(|(|(uid=guest))(mail=guest@cells.es))
rlm_ldap: object not found or got ambiguous search result
[ldap] search failed
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 193 to 10.50.50.250 port 32821
Aruba-User-Role = "testrole"
Aruba-User-Vlan = 2120
EAP-Message = 0x011500061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xcfc74ed9cfd2573e8bcb9264c430741e
Finished request 5.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.50.50.250 port 32821, id=194,
length=260
User-Name = "guest"
NAS-IP-Address = 10.50.50.250
NAS-Port = 1
NAS-Identifier = "arubacon"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "0022437B7A67"
Called-Station-Id = "000B86615D8C"
Service-Type = Login-User
Framed-MTU = 1100
EAP-Message =
0x0215005019800000004616030100410100003d03014ac99a035ef97e318d0b0dbee426ca007d405aeb01801fc7003f0c368745266400001600040005000a000900640062000300060013001200630100
State = 0xcfc74ed9cfd2573e8bcb9264c430741e
Aruba-Essid-Name = "SecureWiFIAruba"
Aruba-Location-Id = "apob00off09_pos5"
Message-Authenticator = 0xc1ea8fdb1eddcea00ad673e3fb6c8d1c
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand:
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
/var/log/radius/radacct/10.50.50.250/auth-detail-20091005
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/10.50.50.250/auth-detail-20091005
[auth_log] expand: %t -> Mon Oct 5 09:01:47 2009
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "guest", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 21 length 80
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 70
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 0041], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 002a], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 0b62], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client certificate
A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 194 to 10.50.50.250 port 32821
EAP-Message =
0x0116040019c000000b9f160301002a0200002603014ac999db2ae9d1e29df2965426f02dc8d96d6575e8bdd395636b063e8ca45f92000004001603010b620b000b5e000b5b0004933082048f30820377a003020102020b010000000001111269caa0300d06092a864886f70d0101050500305f310b300906035504061302424531133011060355040a130a4379626572747275737431173015060355040b130e456475636174696f6e616c20434131223020060355040313194379626572747275737420456475636174696f6e616c204341301e170d3037303330323131323935345a170d3130303330323131323935345a3039310b30090603550406
EAP-Message =
0x8ab491fbe7a76006a93cdc1d5f651c20523456ebe4333de37e4110ee1a63ad727b5116e71fc264f4d9726434a5cd693e6de3179a163d9663cbceb3d4d4fcd317e29c3701fa021b5596aaa24e85e88ef7a20f960f0203010001a38201703082016c30500603551d2004493047304506072a8648b13e0100303a303806082b06010505070201162c687474703a2f2f7777772e676c6f62616c7369676e2e6e65742f7265706f7369746f72792f6370732e63666d300e0603551d0f0101ff0404030205a0301f0603551d230418301680146565a33dd73b11a30a072537c9424a5b767750e1301d0603551d0e0416041496d745f253c445bf75496582e5d1
EAP-Message = 0x2186406f44d171c4a8b43606
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xcfc74ed9ced1573e8bcb9264c430741e
Finished request 6.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.50.50.250 port 32821, id=195,
length=186
User-Name = "guest"
NAS-IP-Address = 10.50.50.250
NAS-Port = 1
NAS-Identifier = "arubacon"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "0022437B7A67"
Called-Station-Id = "000B86615D8C"
Service-Type = Login-User
Framed-MTU = 1100
EAP-Message = 0x021600061900
State = 0xcfc74ed9ced1573e8bcb9264c430741e
Aruba-Essid-Name = "SecureWiFIAruba"
Aruba-Location-Id = "apob00off09_pos5"
Message-Authenticator = 0x8b081d08251a9c7d272b316fc44cecc7
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand:
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
/var/log/radius/radacct/10.50.50.250/auth-detail-20091005
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/10.50.50.250/auth-detail-20091005
[auth_log] expand: %t -> Mon Oct 5 09:01:47 2009
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "guest", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 22 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 195 to 10.50.50.250 port 32821
EAP-Message = 0x300c300a06082b06
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xcfc74ed9cdd0573e8bcb9264c430741e
Finished request 7.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.50.50.250 port 32821, id=196,
length=186
User-Name = "guest"
NAS-IP-Address = 10.50.50.250
NAS-Port = 1
NAS-Identifier = "arubacon"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "0022437B7A67"
Called-Station-Id = "000B86615D8C"
Service-Type = Login-User
Framed-MTU = 1100
EAP-Message = 0x021700061900
State = 0xcfc74ed9cdd0573e8bcb9264c430741e
Aruba-Essid-Name = "SecureWiFIAruba"
Aruba-Location-Id = "apob00off09_pos5"
Message-Authenticator = 0xe285d5853798351bd00b623c52a19272
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand:
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
/var/log/radius/radacct/10.50.50.250/auth-detail-20091005
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/10.50.50.250/auth-detail-20091005
[auth_log] expand: %t -> Mon Oct 5 09:01:47 2009
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "guest", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 23 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 196 to 10.50.50.250 port 32821
EAP-Message =
0x49916a057443f924f76df8dbdcbfd9809f2daf84ecf5b2e7bcfa825695d71706cb5acd4414247e4cc047dea2b2ebd24d357e1a95e2fd56d869014ec21926cabaf4b9d513e51b8f93bfb871ad9e6c42581d9d00025e3082025a308201c3020201a5300d06092a864886f70d01010405003075310b300906035504061302555331183016060355040a130f47544520436f72706f726174696f6e31273025060355040b131e475445204379626572547275737420536f6c7574696f6e732c20496e632e312330210603550403131a475445204379626572547275737420476c6f62616c20526f6f74301e170d3938303831333030323930305a170d313830
EAP-Message =
0xe69c3f0185570d588745f8d385aa936926857048803f1215c779b41f052f3b62990203010001300d06092a864886f70d0101040500038181006deb1b09e95ed951db672261a42a3c4877e3a07ca6de73a21403853dfbab0e30c58316338113089e7b344edf40c874d7b97ddcf476557d9b635418e9f0eaf35cb1d98b421eb9c0954ebafad5e27cf56861bf8eec05975f5bb0d7a38534c424a70d0f9593efcb94d89e1f9d5c856dc7aaae4f1f22b5cd95adbaa7ccf9ab0b7a7f16030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xcfc74ed9ccdf573e8bcb9264c430741e
Finished request 8.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.50.50.250 port 32821, id=197,
length=502
User-Name = "guest"
NAS-IP-Address = 10.50.50.250
NAS-Port = 1
NAS-Identifier = "arubacon"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "0022437B7A67"
Called-Station-Id = "000B86615D8C"
Service-Type = Login-User
Framed-MTU = 1100
EAP-Message =
0xb31320164be84ed1eb427a2e4e2a3a0cd3a54f3e8a7d33ef1403010001011603010020b6a276ea9da800962ebf5fa52d96cc4563af96483f432f9a606d528dbe0c9239
State = 0xcfc74ed9ccdf573e8bcb9264c430741e
Aruba-Essid-Name = "SecureWiFIAruba"
Aruba-Location-Id = "apob00off09_pos5"
Message-Authenticator = 0xd0f565f397e7718479c7dca52b005932
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand:
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
/var/log/radius/radacct/10.50.50.250/auth-detail-20091005
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/10.50.50.250/auth-detail-20091005
[auth_log] expand: %t -> Mon Oct 5 09:01:47 2009
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "guest", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 24 length 253
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 310
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange
[peap] TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap] TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 write finished A
[peap] TLS_accept: SSLv3 flush data
[peap] (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 197 to 10.50.50.250 port 32821
EAP-Message =
0x011900311900140301000101160301002093e268cbc13d7508d782e795a4408666a2fb8bfe2fd2a28c8c4f3bb3956c9d20
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xcfc74ed9cbde573e8bcb9264c430741e
Finished request 9.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.50.50.250 port 32821, id=198,
length=186
User-Name = "guest"
NAS-IP-Address = 10.50.50.250
NAS-Port = 1
NAS-Identifier = "arubacon"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "0022437B7A67"
Called-Station-Id = "000B86615D8C"
Service-Type = Login-User
Framed-MTU = 1100
EAP-Message = 0x021900061900
State = 0xcfc74ed9cbde573e8bcb9264c430741e
Aruba-Essid-Name = "SecureWiFIAruba"
Aruba-Location-Id = "apob00off09_pos5"
Message-Authenticator = 0xfed932e959c7aecc06ab74e25e41d3d6
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand:
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
/var/log/radius/radacct/10.50.50.250/auth-detail-20091005
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/10.50.50.250/auth-detail-20091005
[auth_log] expand: %t -> Mon Oct 5 09:01:47 2009
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "guest", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 25 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
++[eap] returns handled
Sending Access-Challenge of id 198 to 10.50.50.250 port 32821
EAP-Message =
0x011a00201900170301001515768e1216472080a3749e31b1714edd9577667da0
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xcfc74ed9cadd573e8bcb9264c430741e
Finished request 10.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.50.50.250 port 32821, id=199,
length=213
User-Name = "guest"
NAS-IP-Address = 10.50.50.250
NAS-Port = 1
NAS-Identifier = "arubacon"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "0022437B7A67"
Called-Station-Id = "000B86615D8C"
Service-Type = Login-User
Framed-MTU = 1100
EAP-Message =
0x021a0021190017030100166f3203c51b5d64efd9ccd930e189a0f9e904fdd18e25
State = 0xcfc74ed9cadd573e8bcb9264c430741e
Aruba-Essid-Name = "SecureWiFIAruba"
Aruba-Location-Id = "apob00off09_pos5"
Message-Authenticator = 0x1605fd6d968c61b5f385289f6376075f
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand:
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
/var/log/radius/radacct/10.50.50.250/auth-detail-20091005
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/10.50.50.250/auth-detail-20091005
[auth_log] expand: %t -> Mon Oct 5 09:01:47 2009
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "guest", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 26 length 33
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Identity - guest
[peap] Got tunnled request
EAP-Message = 0x021a000a016775657374
server (null) {
PEAP: Got tunneled identity of guest
PEAP: Setting default EAP type for tunneled EAP session.
PEAP: Setting User-Name to guest
Sending tunneled request
EAP-Message = 0x021a000a016775657374
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "guest"
server inner-tunnel {
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand:
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
/var/log/radius/radacct/10.50.50.250/auth-detail-20091005
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/10.50.50.250/auth-detail-20091005
[auth_log] expand: %t -> Mon Oct 5 09:01:47 2009
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "guest", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] No '\' in User-Name = "guest", looking up realm NULL
[ntdomain] No such realm "NULL"
++[ntdomain] returns noop
++[control] returns noop
[eap] EAP packet type response id 26 length 10
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry guest at line 59
++[files] returns ok
[ldap] performing user authorization for guest
[ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for
details
[ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for
details
[ldap] expand:
(|(|(uid=%{Stripped-User-Name:-%{User-Name}}))(mail=%{Stripped-User-Name:-%{User-Name}}@cells.es))
-> (|(|(uid=guest))(mail=guest at cells.es))
[ldap] expand: ou=People,dc=CELLS,dc=ES -> ou=People,dc=CELLS,dc=ES
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=People,dc=CELLS,dc=ES, with filter
(|(|(uid=guest))(mail=guest at cells.es))
rlm_ldap: object not found or got ambiguous search result
[ldap] search failed
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
Aruba-User-Role = "testrole"
Aruba-User-Vlan = 2120
EAP-Message =
0x011b001f1a011b001a10d96635072c646e554f77e8b44c01afbc6775657374
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x2e5ac4772e41def6c5601c1f6d8a45a4
[peap] Got tunneled reply RADIUS code 11
Aruba-User-Role = "testrole"
Aruba-User-Vlan = 2120
EAP-Message =
0x011b001f1a011b001a10d96635072c646e554f77e8b44c01afbc6775657374
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x2e5ac4772e41def6c5601c1f6d8a45a4
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 199 to 10.50.50.250 port 32821
EAP-Message =
0x011b00361900170301002b10a706d40c01f8c830382f4a41410f0979575a935db0967e3b5aafd6a63f18b8a1caa264c1b27ea21fe57b
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xcfc74ed9c9dc573e8bcb9264c430741e
Finished request 11.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.50.50.250 port 32821, id=200,
length=267
User-Name = "guest"
NAS-IP-Address = 10.50.50.250
NAS-Port = 1
NAS-Identifier = "arubacon"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "0022437B7A67"
Called-Station-Id = "000B86615D8C"
Service-Type = Login-User
Framed-MTU = 1100
EAP-Message =
0x021b00571900170301004cd9fe2923bcf7741f59b559c2aba1bb9cb11cda9f29d7ebbe533b087ee6d1c31a54abd850208d88670916e06760911d06540e992bd175668f5fcb10edd0616992a75a9d5220f727781d59e633
State = 0xcfc74ed9c9dc573e8bcb9264c430741e
Aruba-Essid-Name = "SecureWiFIAruba"
Aruba-Location-Id = "apob00off09_pos5"
Message-Authenticator = 0xf573266d55fced69eba83500059a0b89
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand:
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
/var/log/radius/radacct/10.50.50.250/auth-detail-20091005
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/10.50.50.250/auth-detail-20091005
[auth_log] expand: %t -> Mon Oct 5 09:01:47 2009
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "guest", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 27 length 87
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] EAP type mschapv2
[peap] Got tunnled request
EAP-Message =
0x021b00401a021b003b31caef4a21f1e8e33bca7aaefeabd2ced6000000000000000086d797a3c01843d6a0e0353ab9421532963bd6b44559fdd5006775657374
server (null) {
PEAP: Setting User-Name to guest
Sending tunneled request
EAP-Message =
0x021b00401a021b003b31caef4a21f1e8e33bca7aaefeabd2ced6000000000000000086d797a3c01843d6a0e0353ab9421532963bd6b44559fdd5006775657374
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "guest"
State = 0x2e5ac4772e41def6c5601c1f6d8a45a4
server inner-tunnel {
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand:
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
/var/log/radius/radacct/10.50.50.250/auth-detail-20091005
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/10.50.50.250/auth-detail-20091005
[auth_log] expand: %t -> Mon Oct 5 09:01:47 2009
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "guest", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] No '\' in User-Name = "guest", looking up realm NULL
[ntdomain] No such realm "NULL"
++[ntdomain] returns noop
++[control] returns noop
[eap] EAP packet type response id 27 length 64
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry guest at line 59
++[files] returns ok
[ldap] performing user authorization for guest
[ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for
details
[ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for
details
[ldap] expand:
(|(|(uid=%{Stripped-User-Name:-%{User-Name}}))(mail=%{Stripped-User-Name:-%{User-Name}}@cells.es))
-> (|(|(uid=guest))(mail=guest at cells.es))
[ldap] expand: ou=People,dc=CELLS,dc=ES -> ou=People,dc=CELLS,dc=ES
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=People,dc=CELLS,dc=ES, with filter
(|(|(uid=guest))(mail=guest at cells.es))
rlm_ldap: object not found or got ambiguous search result
[ldap] search failed
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] Told to do MS-CHAPv2 for guest with NT-Password
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
MSCHAP Success
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
Aruba-User-Role = "testrole"
Aruba-User-Vlan = 2120
EAP-Message =
0x011c00331a031b002e533d32393231313230383331304332373843333832343643453638453333384541453431313241364131
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x2e5ac4772f46def6c5601c1f6d8a45a4
[peap] Got tunneled reply RADIUS code 11
Aruba-User-Role = "testrole"
Aruba-User-Vlan = 2120
EAP-Message =
0x011c00331a031b002e533d32393231313230383331304332373843333832343643453638453333384541453431313241364131
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x2e5ac4772f46def6c5601c1f6d8a45a4
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 200 to 10.50.50.250 port 32821
EAP-Message =
0x011c004a1900170301003fa63a59356ac1d59eb069991fd27bc76711fbd7e97a41fdbf4f6ca3503d3b2c204c85955fb005a0a95c864dcb3277a45a4589a57003686ccf9e94fd55759f68
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xcfc74ed9c8db573e8bcb9264c430741e
Finished request 12.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.50.50.250 port 32821, id=201,
length=209
User-Name = "guest"
NAS-IP-Address = 10.50.50.250
NAS-Port = 1
NAS-Identifier = "arubacon"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "0022437B7A67"
Called-Station-Id = "000B86615D8C"
Service-Type = Login-User
Framed-MTU = 1100
EAP-Message = 0x021c001d19001703010012d339352e15490f56e46fcfbb25ac409fc126
State = 0xcfc74ed9c8db573e8bcb9264c430741e
Aruba-Essid-Name = "SecureWiFIAruba"
Aruba-Location-Id = "apob00off09_pos5"
Message-Authenticator = 0x036b6f49909a780300ae42a3e85cae74
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand:
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
/var/log/radius/radacct/10.50.50.250/auth-detail-20091005
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/10.50.50.250/auth-detail-20091005
[auth_log] expand: %t -> Mon Oct 5 09:01:47 2009
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "guest", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 28 length 29
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] EAP type mschapv2
[peap] Got tunnled request
EAP-Message = 0x021c00061a03
server (null) {
PEAP: Setting User-Name to guest
Sending tunneled request
EAP-Message = 0x021c00061a03
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "guest"
State = 0x2e5ac4772f46def6c5601c1f6d8a45a4
server inner-tunnel {
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand:
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
/var/log/radius/radacct/10.50.50.250/auth-detail-20091005
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/10.50.50.250/auth-detail-20091005
[auth_log] expand: %t -> Mon Oct 5 09:01:47 2009
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "guest", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] No '\' in User-Name = "guest", looking up realm NULL
[ntdomain] No such realm "NULL"
++[ntdomain] returns noop
++[control] returns noop
[eap] EAP packet type response id 28 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry guest at line 59
++[files] returns ok
[ldap] performing user authorization for guest
[ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for
details
[ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for
details
[ldap] expand:
(|(|(uid=%{Stripped-User-Name:-%{User-Name}}))(mail=%{Stripped-User-Name:-%{User-Name}}@cells.es))
-> (|(|(uid=guest))(mail=guest at cells.es))
[ldap] expand: ou=People,dc=CELLS,dc=ES -> ou=People,dc=CELLS,dc=ES
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=People,dc=CELLS,dc=ES, with filter
(|(|(uid=guest))(mail=guest at cells.es))
rlm_ldap: object not found or got ambiguous search result
[ldap] search failed
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[eap] Freeing handler
++[eap] returns ok
} # server inner-tunnel
[peap] Got tunneled reply code 2
Aruba-User-Role = "testrole"
Aruba-User-Vlan = 2120
EAP-Message = 0x031c0004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "guest"
[peap] Got tunneled reply RADIUS code 2
Aruba-User-Role = "testrole"
Aruba-User-Vlan = 2120
EAP-Message = 0x031c0004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "guest"
[peap] Tunneled authentication was successful.
[peap] SUCCESS
++[eap] returns handled
Sending Access-Challenge of id 201 to 10.50.50.250 port 32821
EAP-Message =
0x011d00261900170301001bc0474fb0fd0ad2bd0a6eb80b14840658b61ff194765e57cd363c34
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xcfc74ed9c7da573e8bcb9264c430741e
Finished request 13.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.50.50.250 port 32821, id=202,
length=218
User-Name = "guest"
NAS-IP-Address = 10.50.50.250
NAS-Port = 1
NAS-Identifier = "arubacon"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "0022437B7A67"
Called-Station-Id = "000B86615D8C"
Service-Type = Login-User
Framed-MTU = 1100
EAP-Message =
0x021d00261900170301001b5b3e9f4ac8eb6089bb169d87c2d5d808920ef0e75e62e794db370c
State = 0xcfc74ed9c7da573e8bcb9264c430741e
Aruba-Essid-Name = "SecureWiFIAruba"
Aruba-Location-Id = "apob00off09_pos5"
Message-Authenticator = 0xbf235145edbaf5b031707e0b4986a133
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand:
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
/var/log/radius/radacct/10.50.50.250/auth-detail-20091005
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/10.50.50.250/auth-detail-20091005
[auth_log] expand: %t -> Mon Oct 5 09:01:47 2009
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "guest", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 29 length 38
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Received EAP-TLV response.
[peap] Success
[eap] Freeing handler
++[eap] returns ok
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 202 to 10.50.50.250 port 32821
MS-MPPE-Recv-Key =
0xa7226356ffae28db8a4141a68c2d237097e6b0f789757a8fd5d8a75fb84ce155
MS-MPPE-Send-Key =
0xc5b80379a82021d85e592f155bc2e0d34f2ffe17fb7ecf2e5d5a85c10308328b
EAP-Message = 0x031d0004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "guest"
Finished request 14.
Going to the next request
No VSA is inside the Access-Accept packet :(
Also, not all the Access-Challenges contain the VSA. Why? Should they? You
told me that generally an Access-Challenge does not have support for VSAs, and
you also commented that I should modify the post_auth section to send the VSA
inside an Access-Accept. How do I do that? What would this configuration be?
Thanks a lot!!
.....
Alan DeKok-2 wrote:
>
> aangles wrote:
>> Ok!! I'm sorry, it was not a good idea introducing wireshark print
>> screens.
>> Yeah, it's better to put here a log of my freeradius, which is the
>> issue
>> we talk about. I didn't think of that. Here is my log of freeradius.
>> As
>> you see, only some Aruba-VSA is sent, not in the Access-Accept, but inside
>> some
>> of the Access-Challenges. Moreover, I have configured to send the VSA in the
>> users file. How do I configure the VSA to send the vlan in the post_auth
>> section of freeradius?
>
> Read eap.conf. Look for "use_tunneled_reply".
>
> Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
>
--
Sent from the FreeRadius - User mailing list archive at Nabble.com.
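The log above answers the configuration question more directly than the thread does. Every outer packet the server sends ("Sending Access-Challenge of id ...", "Sending Access-Accept of id 202") carries only EAP-Message, Message-Authenticator, State and, at the end, the MPPE keys and User-Name. The Aruba-User-Role and Aruba-User-Vlan attributes appear only under "[peap] Got tunneled reply", that is, in the reply of the inner-tunnel virtual server, where the users file entry for guest sets them. They are never copied out of the tunnel, so the controller never receives the role and VLAN it is supposed to apply. The log also shows "[eap] EAP/peap": the client is doing PEAP with EAP-MSCHAPv2 inside, so the use_tunneled_reply setting that matters is the one in the peap section of eap.conf, not the one in the ttls section. The following is an added example of that section for FreeRADIUS 2.x, not the poster's or Alan DeKok's configuration; it assumes the inner-tunnel users entry already sets the two Aruba VSAs, as the log confirms, and that the inner-tunnel virtual server is the one shown in the log.

```conf
# eap.conf, FreeRADIUS 2.x: the peap section governs this log ("[eap] EAP/peap").
# Added example; the inner-tunnel "users" entry for guest is assumed to set
# Aruba-User-Role and Aruba-User-Vlan, as the tunneled reply in the log shows.
peap {
    # Inner method seen in the log: EAP-MSCHAPv2.
    default_eap_type = mschapv2

    # Leave outer attributes (Calling-Station-Id, Aruba-Essid-Name, ...) outside
    # the tunnel unless the inner policy needs them.
    copy_request_to_tunnel = no

    # Copy the reply attributes produced inside the tunnel (here the Aruba
    # VSAs from the users file) into the outer Access-Accept sent to the NAS.
    # With the default "no", the VSAs stay inside the tunnel and the controller
    # only ever sees EAP-Message, MPPE keys and User-Name, exactly as logged.
    use_tunneled_reply = yes

    # Process the inner request in the inner-tunnel virtual server.
    virtual_server = "inner-tunnel"
}
```

After changing the setting, restart the server and repeat the authentication under radiusd -X; the check is that "Sending Access-Accept" for the final request now lists Aruba-User-Role and Aruba-User-Vlan alongside the MPPE keys. The alternative the thread mentions, an `update reply { ... }` block in the post-auth section of the outer virtual server, also works, but it sets the attributes for every user that reaches post-auth rather than per user from the inner-tunnel users file, so it is the less precise choice when role and VLAN differ per account.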