TLS authentication works, but does not check usernames against 'users' file.
Andrew Bovill
abovill at gmail.com
Tue Nov 30 16:51:35 CET 2010
Hi,
I'm trying to get WPA Enterprise EAP/TLS working with my wireless
router. It appears that the TLS portion of the authentication works
(valid certificates give me a working connection) but it does NOT appear
to actually be checking the username/password combination that is also
sent along the line.
I have followed the WPA_HOWTO as best I could (my clients are OS X and
Android and Gentoo, not Windows XP) but I can't figure out how to 'fail'
an auth attempt with an invalid user/pass combination.
Here is the debug output:
Thanks for any advice. I didn't want to start reconfiguring with a
shotgun :)
freeradius -X
FreeRADIUS Version 2.1.10, for host i486-pc-linux-gnu, built on Nov 17
2010 at 04:06:04
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/passwd
including configuration file /etc/freeradius/modules/inner-eap
including configuration file /etc/freeradius/modules/pam
including configuration file /etc/freeradius/modules/checkval
including configuration file /etc/freeradius/modules/detail
including configuration file /etc/freeradius/modules/mschap
including configuration file /etc/freeradius/modules/chap
including configuration file /etc/freeradius/modules/realm
including configuration file /etc/freeradius/modules/echo
including configuration file
/etc/freeradius/modules/sqlcounter_expire_on_login
including configuration file /etc/freeradius/modules/perl
including configuration file /etc/freeradius/modules/krb5
including configuration file /etc/freeradius/modules/opendirectory
including configuration file /etc/freeradius/modules/counter
including configuration file /etc/freeradius/modules/smbpasswd
including configuration file /etc/freeradius/modules/attr_filter
including configuration file /etc/freeradius/modules/smsotp
including configuration file /etc/freeradius/modules/ntlm_auth
including configuration file /etc/freeradius/modules/detail.example.com
including configuration file /etc/freeradius/modules/cui
including configuration file /etc/freeradius/modules/logintime
including configuration file /etc/freeradius/modules/policy
including configuration file /etc/freeradius/modules/expiration
including configuration file /etc/freeradius/modules/always
including configuration file /etc/freeradius/modules/exec
including configuration file /etc/freeradius/modules/linelog
including configuration file /etc/freeradius/modules/detail.log
including configuration file /etc/freeradius/modules/files
including configuration file /etc/freeradius/modules/mac2vlan
including configuration file /etc/freeradius/modules/ldap
including configuration file /etc/freeradius/modules/sql_log
including configuration file /etc/freeradius/modules/attr_rewrite
including configuration file /etc/freeradius/modules/expr
including configuration file /etc/freeradius/modules/mac2ip
including configuration file /etc/freeradius/modules/ippool
including configuration file /etc/freeradius/modules/dynamic_clients
including configuration file /etc/freeradius/modules/otp
including configuration file /etc/freeradius/modules/sradutmp
including configuration file /etc/freeradius/modules/wimax
including configuration file /etc/freeradius/modules/acct_unique
including configuration file /etc/freeradius/modules/preprocess
including configuration file /etc/freeradius/modules/etc_group
including configuration file /etc/freeradius/modules/digest
including configuration file /etc/freeradius/modules/unix
including configuration file /etc/freeradius/modules/radutmp
including configuration file /etc/freeradius/modules/pap
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
including configuration file /etc/freeradius/sites-enabled/default
main {
user = "freerad"
group = "freerad"
allow_core_dumps = no
}
including dictionary file /etc/freeradius/dictionary
main {
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/freeradius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/freeradius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "/var/run/freeradius/freeradius.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "testing123"
response_window = 20
max_outstanding = 65536
require_message_authenticator = yes
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "testing123"
nastype = "other"
}
client 3com4400_1 {
ipaddr = 192.168.183.5
netmask = 32
require_message_authenticator = no
secret = "testing123"
nastype = "other"
}
client wrt54gl_testbed {
ipaddr = 192.168.183.110
netmask = 32
require_message_authenticator = no
secret = "testing123"
nastype = "other"
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating module "exec" from file /etc/freeradius/modules/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_expr
Module: Instantiating module "expr" from file /etc/freeradius/modules/expr
Module: Linked to module rlm_expiration
Module: Instantiating module "expiration" from file
/etc/freeradius/modules/expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating module "logintime" from file
/etc/freeradius/modules/logintime
logintime {
reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60
}
}
radiusd: #### Loading Virtual Servers ####
server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating module "pap" from file /etc/freeradius/modules/pap
pap {
encryption_scheme = "auto"
auto_header = no
}
Module: Linked to module rlm_chap
Module: Instantiating module "chap" from file /etc/freeradius/modules/chap
Module: Linked to module rlm_mschap
Module: Instantiating module "mschap" from file
/etc/freeradius/modules/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = no
}
Module: Linked to module rlm_unix
Module: Instantiating module "unix" from file /etc/freeradius/modules/unix
unix {
radwtmp = "/var/log/freeradius/radwtmp"
}
Module: Linked to module rlm_eap
Module: Instantiating module "eap" from file /etc/freeradius/eap.conf
eap {
default_eap_type = "md5"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 4096
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
CA_path = "/etc/freeradius/certs"
pem_file_type = yes
private_key_file = "/etc/freeradius/certs/server.key"
certificate_file = "/etc/freeradius/certs/server.pem"
CA_file = "/etc/freeradius/certs/ca.pem"
private_key_password = "whatever"
dh_file = "/etc/freeradius/certs/dh"
random_file = "/dev/urandom"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
make_cert_command = "/etc/freeradius/certs/bootstrap"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
}
}
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_realm
Module: Instantiating module "suffix" from file
/etc/freeradius/modules/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Linked to module rlm_files
Module: Instantiating module "files" from file
/etc/freeradius/modules/files
files {
usersfile = "/etc/freeradius/users"
acctusersfile = "/etc/freeradius/acct_users"
preproxy_usersfile = "/etc/freeradius/preproxy_users"
compat = "no"
}
Module: Checking session {...} for more modules to load
Module: Linked to module rlm_radutmp
Module: Instantiating module "radutmp" from file
/etc/freeradius/modules/radutmp
radutmp {
filename = "/var/log/freeradius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Linked to module rlm_attr_filter
Module: Instantiating module "attr_filter.access_reject" from file
/etc/freeradius/modules/attr_filter
attr_filter attr_filter.access_reject {
attrsfile = "/etc/freeradius/attrs.access_reject"
key = "%{User-Name}"
}
} # modules
} # server
server { # from file /etc/freeradius/radiusd.conf
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_digest
Module: Instantiating module "digest" from file
/etc/freeradius/modules/digest
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating module "preprocess" from file
/etc/freeradius/modules/preprocess
preprocess {
huntgroups = "/etc/freeradius/huntgroups"
hints = "/etc/freeradius/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating module "acct_unique" from file
/etc/freeradius/modules/acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating module "detail" from file
/etc/freeradius/modules/detail
detail {
detailfile =
"/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Instantiating module "attr_filter.accounting_response" from
file /etc/freeradius/modules/attr_filter
attr_filter attr_filter.accounting_response {
attrsfile = "/etc/freeradius/attrs.accounting_response"
key = "%{User-Name}"
}
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
} # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on authentication address 127.0.0.1 port 18120 as server
inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.183.110 port 55425,
id=70, length=154
User-Name = "invaliduser1"
NAS-Identifier = "openwrt"
NAS-Port = 1
Called-Station-Id = "00-18-F8-C1-66-46:testbed"
Calling-Station-Id = "00-17-F2-E7-39-C0"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x02d4000a01706f6f7079
Message-Authenticator = 0x96155aae1c1a13904212926041844222
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "invaliduser1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 212 length 10
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 70 to 192.168.183.110 port 55425
EAP-Message = 0x01d5001604104b7e073f1d295b16bd346d251f67ed9b
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x1925f89c19f0fce511765369958e0fff
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.183.110 port 55425,
id=71, length=168
User-Name = "invaliduser1"
NAS-Identifier = "openwrt"
NAS-Port = 1
Called-Station-Id = "00-18-F8-C1-66-46:testbed"
Calling-Station-Id = "00-17-F2-E7-39-C0"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x02d50006030d
State = 0x1925f89c19f0fce511765369958e0fff
Message-Authenticator = 0xfb81366232f27755b84f3d53880e6793
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "invaliduser1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 213 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/tls
[eap] processing type tls
[tls] Requiring client certificate
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 71 to 192.168.183.110 port 55425
EAP-Message = 0x01d600060d20
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x1925f89c18f3f5e511765369958e0fff
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.183.110 port 55425,
id=72, length=274
User-Name = "invaliduser1"
NAS-Identifier = "openwrt"
NAS-Port = 1
Called-Station-Id = "00-18-F8-C1-66-46:testbed"
Calling-Station-Id = "00-17-F2-E7-39-C0"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message =
0x02d600700d800000006616030100610100005d03014cf47dccabafcd6559461322e0d11b2781c65dca5f1d237073c77169593a5ace000036002f000500040035000a000900030008000600320033003800390016001500140013001200110034003a0018001b001a0017001900010100
State = 0x1925f89c18f3f5e511765369958e0fff
Message-Authenticator = 0x7d9b552c05313f4f8e4e66559782ed1e
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "invaliduser1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 214 length 112
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
TLS Length 102
[tls] Length Included
[tls] eaptls_verify returned 11
[tls] (other): before/accept initialization
[tls] TLS_accept: before/accept initialization
[tls] <<< TLS 1.0 Handshake [length 0061], ClientHello
[tls] TLS_accept: SSLv3 read client hello A
[tls] >>> TLS 1.0 Handshake [length 002a], ServerHello
[tls] TLS_accept: SSLv3 write server hello A
[tls] >>> TLS 1.0 Handshake [length 0861], Certificate
[tls] TLS_accept: SSLv3 write certificate A
[tls] >>> TLS 1.0 Handshake [length 00a7], CertificateRequest
[tls] TLS_accept: SSLv3 write certificate request A
[tls] TLS_accept: SSLv3 flush data
[tls] TLS_accept: Need to read more data: SSLv3 read client
certificate A
In SSL Handshake Phase
In SSL Accept mode
[tls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 72 to 192.168.183.110 port 55425
EAP-Message =
0x01d704000dc000000941160301002a0200002603014cf47dcd98edd353ce39b099785a7e97da101613c63adf77d9643d0092c71e6500002f0016030108610b00085d00085a0003a6308203a23082028aa003020102020101300d06092a864886f70d0101040500308194310b30090603550406130255533111300f0603550408130856697267696e6961311430120603550407130b43656e74726576696c6c6531123010060355040a13094565626c652e6e6574311e301c06092a864886f70d010901160f61646d696e406565626c652e6e6574312830260603550403131f4565626c652e6e657420436572746966696361746520417574686f726974
EAP-Message =
0x79301e170d3130313132363037323333305a170d3131313132363037323333305a307b310b30090603550406130255533111300f0603550408130856697267696e696131123010060355040a13094565626c652e6e6574312530230603550403131c4565626c652e6e657420536572766572204365727469666963617465311e301c06092a864886f70d010901160f61646d696e406565626c652e6e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100ab4afd83acd6fea4fce7bb07d045a43436798b06b2f2be86ab6f19386c5e7d536585255834652f9a40160c6d19947c5fd02148f127b1d6d58558e055a952
EAP-Message =
0xaaaaaeb915a8475944790f539aa2084dfcd4de24636182bf350426db1a04320019b47a8d32229c4f4d4f0039bf7c4840673502f1eaefe170447fc3a508944ea8cd2197867ddb4e8f3cf5cba3da5d10f4714f40f4b28e1f48805023bb26cd940e96a68a4dc2a73243321c0af06b9b5356162641a5099fc439255340c3c02df4433f88969ce4e6035d40db3a0b4f74d31ac421e2faeec27c6fc6385d91755c1c4ed458ff850d37d7e06e9f95e87a59a5d63b25e44d3e608f6802ee9ef42619251a13ef0203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d0101040500038201010048267d769b012e4e35
EAP-Message =
0xee42366711bc376d503f76bd2da75c7a4040a07878b5bc5a1ad52e5e3e803b526cefeb61c58bb3db5041f4383377c39b5a72b0d35a0edde4fc3469abdaf0acb14920cc11ca1bf93e95089a627a1b99de8124c51a2dc7524e473e9333eda0aa213b11ecf188fcacbc20c2840beb0906e283d8e9025bbb2eb83ac816b2dcefe20edadddc2d5dfc171882bb8dde3f07a008fb4caa66e98a1c9ae3b452dee84971cfe892cfeab83846a60d9be8dfc0866ab93473c83541dd2d182076da789ec03128445292be43d0150e299e33030f45e4344a32ba4f6ed33a10e1e10f4a472649b92b2da7233986ed251adc2ea59764ef2187070e23a8743c0004ae308204
EAP-Message = 0xaa30820392a0030201020209
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x1925f89c1bf2f5e511765369958e0fff
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.183.110 port 55425,
id=73, length=168
User-Name = "invaliduser1"
NAS-Identifier = "openwrt"
NAS-Port = 1
Called-Station-Id = "00-18-F8-C1-66-46:testbed"
Calling-Station-Id = "00-17-F2-E7-39-C0"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x02d700060d00
State = 0x1925f89c1bf2f5e511765369958e0fff
Message-Authenticator = 0xe6897b99aab4241541cb41bf88f8a8c6
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "invaliduser1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 215 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] Received TLS ACK
[tls] ACK handshake fragment handler
[tls] eaptls_verify returned 1
[tls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 73 to 192.168.183.110 port 55425
EAP-Message =
0x01d804000dc0000009410097852e5140914149300d06092a864886f70d0101050500308194310b30090603550406130255533111300f0603550408130856697267696e6961311430120603550407130b43656e74726576696c6c6531123010060355040a13094565626c652e6e6574311e301c06092a864886f70d010901160f61646d696e406565626c652e6e6574312830260603550403131f4565626c652e6e657420436572746966696361746520417574686f72697479301e170d3130313132363037323333305a170d3230313132333037323333305a308194310b30090603550406130255533111300f0603550408130856697267696e696131
EAP-Message =
0x1430120603550407130b43656e74726576696c6c6531123010060355040a13094565626c652e6e6574311e301c06092a864886f70d010901160f61646d696e406565626c652e6e6574312830260603550403131f4565626c652e6e657420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a02820101009a8f48c1dab2627525533672059ac65f037f7e96dca2744211718eda8e799239ada3486e9872eb0b811e888df90de8d5fc0837f5a146191528f1d1ff35adbad8a9b8928080363eb64a6ab03942480f48534902136d8c94b34e01d7e331ad215c11b35bb6990bafc17f
EAP-Message =
0xd261890769bb00533729a6fcc0b5d4d18e08bf54b1d66127996136d9577f12a4513304da016917577afdf64b02cf91d0a39b3c451dce5a920c810b4d23bd34931bb03d156f8d7fe834536b9ae11bd62195b59177db765d9982b232369e5bd89b10f4a0031ba2dbff86f672ac101a155d11ae07b904a4f74ffbb86f2524bc227167e41ca889fa9c56735a5665cfa5de0ad81b7ddaa0785d0203010001a381fc3081f9301d0603551d0e04160414a1454d2d4a35b362e6397fe81e7964fa6d2e9a9a3081c90603551d230481c13081be8014a1454d2d4a35b362e6397fe81e7964fa6d2e9a9aa1819aa48197308194310b30090603550406130255533111
EAP-Message =
0x300f0603550408130856697267696e6961311430120603550407130b43656e74726576696c6c6531123010060355040a13094565626c652e6e6574311e301c06092a864886f70d010901160f61646d696e406565626c652e6e6574312830260603550403131f4565626c652e6e657420436572746966696361746520417574686f7269747982090097852e5140914149300c0603551d13040530030101ff300d06092a864886f70d010105050003820101004a090448190a316f43d373decd0d9e53a75d10c17c49043984a6c492f8bf96d303796e7c4e4539c5c3d49ebbe972a9ca204067bbf9886462119bb1ce627ffb6fe9beb21a56dc152facef50
EAP-Message = 0x40cfcbdd5a55e31c0c9eb904
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x1925f89c1afdf5e511765369958e0fff
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.183.110 port 55425,
id=74, length=168
User-Name = "invaliduser1"
NAS-Identifier = "openwrt"
NAS-Port = 1
Called-Station-Id = "00-18-F8-C1-66-46:testbed"
Calling-Station-Id = "00-17-F2-E7-39-C0"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x02d800060d00
State = 0x1925f89c1afdf5e511765369958e0fff
Message-Authenticator = 0x13f202928ab1d3156068c6d2ecc9fcb9
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "invaliduser1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 216 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] Received TLS ACK
[tls] ACK handshake fragment handler
[tls] eaptls_verify returned 1
[tls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 74 to 192.168.183.110 port 55425
EAP-Message =
0x01d9015f0d8000000941914f2148c7338774e1eb3f21449d3bbf86fe03d78f34a07df485fbff7dc3b305fadf41bfcbc41ec076c5c542b8f858008b3b3be00f858d2737331cf567c738692d8723ac6307cac62801513bf055cd6a9c726953195fbd7dbcf9e0a44289e5f1eee447c9ce87570f77a7e8574bc1fff0a2dbf4f85b545d5b6fa0b4c96b5f8db94b42686f9fdc9b7daebd59d83ddbf5dd64e1ac041d4653a4a5175ce9079c27b4a60d4115166c619f3d16030100a70d00009f0301024000990097308194310b30090603550406130255533111300f0603550408130856697267696e6961311430120603550407130b43656e74726576696c6c65
EAP-Message =
0x31123010060355040a13094565626c652e6e6574311e301c06092a864886f70d010901160f61646d696e406565626c652e6e6574312830260603550403131f4565626c652e6e657420436572746966696361746520417574686f726974790e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x1925f89c1dfcf5e511765369958e0fff
Finished request 4.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 192.168.183.110 port 55425,
id=75, length=1568
User-Name = "invaliduser1"
NAS-Identifier = "openwrt"
NAS-Port = 1
Called-Station-Id = "00-18-F8-C1-66-46:testbed"
Calling-Station-Id = "00-17-F2-E7-39-C0"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message =
0x02d905740dc000000aa816030108520b00084e00084b000397308203933082027ba003020102020102300d06092a864886f70d0101040500308194310b30090603550406130255533111300f0603550408130856697267696e6961311430120603550407130b43656e74726576696c6c6531123010060355040a13094565626c652e6e6574311e301c06092a864886f70d010901160f61646d696e406565626c652e6e6574312830260603550403131f4565626c652e6e657420436572746966696361746520417574686f72697479301e170d3130313132363037333533385a170d3131313132363037333533385a306c310b30090603550406130255
EAP-Message =
0x533111300f0603550408130856697267696e696131123010060355040a13094565626c652e6e6574311730150603550403140e616e6479406565626c652e6e6574311d301b06092a864886f70d010901160e616e6479406565626c652e6e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100b4023777541709e539867d3033954f764c3a207c352dba4ee043642002ed4df123cb5edbe0d7a35cf9c21c88cd4ea537f3f297d9be68cb7bcbc49fdbc6ed94745d1aa057fcf259ad7898a6eb1b123b277e55da4d877972f169d29b922bfedd8dab070dbe905d1437ef1c84e9c7be7fd9736882d153993e36aa498819
EAP-Message =
0x68e526722d720427a9b2cccece64fcae119806c9ae5a925f68c09d0df5fcd9ebc6e20040cb97dac3f44a32ade71f6cfc40f90ac4b64f2585d45fd6901b13b2ae12347460853c30dab72c88c4f0becccd393433e47037ecb61544cb38155bb8ce9f75a9e5a024b5e03139cacb74d47d4af87aa3b9781903b8b6976260c39fc83df288482f0203010001a317301530130603551d25040c300a06082b06010505070302300d06092a864886f70d0101040500038201010049c7d67a933fd63a42cf33f6adb61bdc203bc30007ed3dfa9da446a6c3e78bced49ae68d7fd3611a431e888a9144d196bf30f46ae1be3d673006bbb6e50d3191f6756b38506838
EAP-Message =
0xad445350dfa97ac88297b8f36979dea39a92c4add1e5f6050eb5af41f3c8702b682365719456074d7623c2a0bca5be7c86c65ad538d4e8c615dde70df4967e6ea2acc5e2e76dde0ca0f13c4a34eddc93615cc7eba93b75ea9c23a85f74f1240ee999c08416d080a36246deec5b552046232ad3470f042bbe1774bb386c84aaa3ddcd4dc38acd816de90983e5a44231e77ae4d641ea14d6e822bbf969852387230eef0e02b3f84916b2bd0ba4aa159a4cb7aeb542b8cf3bd8dd0004ae308204aa30820392a00302010202090097852e5140914149300d06092a864886f70d0101050500308194310b30090603550406130255533111300f060355040813
EAP-Message =
0x0856697267696e6961311430120603550407130b43656e74726576696c6c6531123010060355040a13094565626c652e6e6574311e301c06092a864886f70d010901160f61646d696e406565626c652e6e6574312830260603550403131f4565626c652e6e657420436572746966696361746520417574686f72697479301e170d3130313132363037323333305a170d3230313132333037323333305a308194310b30090603550406130255533111300f0603550408130856697267696e6961311430120603550407130b43656e74726576696c6c6531123010060355040a13094565626c652e6e6574311e301c06092a864886f70d010901160f6164
EAP-Message =
0x6d696e406565626c652e6e6574312830260603550403131f4565626c652e6e657420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a02820101009a8f48c1dab2627525533672059ac65f037f7e96dca2744211718eda8e799239ada3486e9872eb0b811e88
State = 0x1925f89c1dfcf5e511765369958e0fff
Message-Authenticator = 0xfcf4cb45ff5347d477c93f6722c86b03
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "invaliduser1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 217 length 253
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
TLS Length 2728
[tls] Received EAP-TLS First Fragment of the message
[tls] eaptls_verify returned 9
[tls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 75 to 192.168.183.110 port 55425
EAP-Message = 0x01da00060d00
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x1925f89c1cfff5e511765369958e0fff
Finished request 5.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 192.168.183.110 port 55425,
id=76, length=1520
User-Name = "invaliduser1"
NAS-Identifier = "openwrt"
NAS-Port = 1
Called-Station-Id = "00-18-F8-C1-66-46:testbed"
Calling-Station-Id = "00-17-F2-E7-39-C0"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message =
0x02da05440d008df90de8d5fc0837f5a146191528f1d1ff35adbad8a9b8928080363eb64a6ab03942480f48534902136d8c94b34e01d7e331ad215c11b35bb6990bafc17fd261890769bb00533729a6fcc0b5d4d18e08bf54b1d66127996136d9577f12a4513304da016917577afdf64b02cf91d0a39b3c451dce5a920c810b4d23bd34931bb03d156f8d7fe834536b9ae11bd62195b59177db765d9982b232369e5bd89b10f4a0031ba2dbff86f672ac101a155d11ae07b904a4f74ffbb86f2524bc227167e41ca889fa9c56735a5665cfa5de0ad81b7ddaa0785d0203010001a381fc3081f9301d0603551d0e04160414a1454d2d4a35b362e6397fe8
EAP-Message =
0x1e7964fa6d2e9a9a3081c90603551d230481c13081be8014a1454d2d4a35b362e6397fe81e7964fa6d2e9a9aa1819aa48197308194310b30090603550406130255533111300f0603550408130856697267696e6961311430120603550407130b43656e74726576696c6c6531123010060355040a13094565626c652e6e6574311e301c06092a864886f70d010901160f61646d696e406565626c652e6e6574312830260603550403131f4565626c652e6e657420436572746966696361746520417574686f7269747982090097852e5140914149300c0603551d13040530030101ff300d06092a864886f70d010105050003820101004a090448190a31
EAP-Message =
0x6f43d373decd0d9e53a75d10c17c49043984a6c492f8bf96d303796e7c4e4539c5c3d49ebbe972a9ca204067bbf9886462119bb1ce627ffb6fe9beb21a56dc152facef5040cfcbdd5a55e31c0c9eb904914f2148c7338774e1eb3f21449d3bbf86fe03d78f34a07df485fbff7dc3b305fadf41bfcbc41ec076c5c542b8f858008b3b3be00f858d2737331cf567c738692d8723ac6307cac62801513bf055cd6a9c726953195fbd7dbcf9e0a44289e5f1eee447c9ce87570f77a7e8574bc1fff0a2dbf4f85b545d5b6fa0b4c96b5f8db94b42686f9fdc9b7daebd59d83ddbf5dd64e1ac041d4653a4a5175ce9079c27b4a60d4115166c619f3d16030101
EAP-Message =
0x061000010201006cd3d5d42d02607bad6cccbd821c47acc842e535db3091bd9cd1cc369c7e0399623ccdcf02b6920f15b853cd89adf40f5f89b1702349e6b4c943b5b52ab983384011ca214a2be1672a68ae91f347060b74fe93db442fe65b09718d6a6b34c87b3b2b5de157bebcecb313bdaf56a437e1eef95a2ece695c37eb54914dc08e08dee09449a011ccfb7124872bc841651511c86fbdffc7f58f5a9b8ad2fae518b0c72c41460ddc486e9dddde73478a990836218d14253d864260ef3902315fca7a5acd21eea5171b6ab224e9b2191cc61958ccb4527d83161f1c369e5164ea82f3339c5165155cc64489ad348571165ce25f2fe83dd92ea6
EAP-Message =
0x5f5e14f428dc80c3f16616030101060f00010201002e81b25e6082ccd1e0f71b7954b92d248e76fbd5734e683991e4409fd0a4e3ec0d13f13fafe41a35824c883c23a2ced28e19ac8659cc7297ef9e6f4a0c5a32dd1eb8c0e832ed929ac41a5f67c1aeeaa95aae9af57b230ba7753ca57783081910e59830c3ad1982499fcde5884bab2b451d026679a613a728d2128123fb76d0fb78944d099d81e86b81a16137633e15ed533401586c3fe773c93fcf2472ac73e41ecbb4c0393638891db14325d52ebe991e29bc976650924f34ffb45e25543d53c869a3cea0638f6fc188ee34a1ff07acb77226722bbfdffa6f04c56614797a8a4cce2abc53b764de
EAP-Message =
0x58cc7ef38ce7145532fde4d99063e60183e6a9e9405a92311403010001011603010030bc0ee785b2ff17529ace39c5a6c66ba168cfc082558510afdbcc3f5114014bbc66545699903692ff3b004ae50fc841b3
State = 0x1925f89c1cfff5e511765369958e0fff
Message-Authenticator = 0x1b3aea67ccedae9d41055d48e08deeca
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "invaliduser1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 218 length 253
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] eaptls_verify returned 7
[tls] Done initial handshake
[tls] <<< TLS 1.0 Handshake [length 0852], Certificate
[tls] chain-depth=1,
[tls] error=0
[tls] --> User-Name = invaliduser1
[tls] --> BUF-Name = Example.net Certificate Authority
[tls] --> subject =
/C=US/ST=Virginia/L=Centreville/O=Example.net/emailAddress=admin at example.net/CN=Example.net
Certificate Authority
[tls] --> issuer =
/C=US/ST=Virginia/L=Centreville/O=Example.net/emailAddress=admin at example.net/CN=Example.net
Certificate Authority
[tls] --> verify return:1
[tls] chain-depth=0,
[tls] error=0
[tls] --> User-Name = invaliduser1
[tls] --> BUF-Name = andy at example.net
[tls] --> subject =
/C=US/ST=Virginia/O=Example.net/CN=andy at example.net/emailAddress=andy at example.net
[tls] --> issuer =
/C=US/ST=Virginia/L=Centreville/O=Example.net/emailAddress=admin at example.net/CN=Example.net
Certificate Authority
[tls] --> verify return:1
[tls] TLS_accept: SSLv3 read client certificate A
[tls] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange
[tls] TLS_accept: SSLv3 read client key exchange A
[tls] <<< TLS 1.0 Handshake [length 0106], CertificateVerify
[tls] TLS_accept: SSLv3 read certificate verify A
[tls] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[tls] <<< TLS 1.0 Handshake [length 0010], Finished
[tls] TLS_accept: SSLv3 read finished A
[tls] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[tls] TLS_accept: SSLv3 write change cipher spec A
[tls] >>> TLS 1.0 Handshake [length 0010], Finished
[tls] TLS_accept: SSLv3 write finished A
[tls] TLS_accept: SSLv3 flush data
[tls] (other): SSL negotiation finished successfully
SSL Connection Established
[tls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 76 to 192.168.183.110 port 55425
EAP-Message =
0x01db00450d800000003b1403010001011603010030327d72375b8df7a3e6ed4e0575b76d753a34c65a21ed33bcb3036e2b37006404c7356e779df933c9af852f525a6877d1
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x1925f89c1ffef5e511765369958e0fff
Finished request 6.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 192.168.183.110 port 55425,
id=77, length=168
User-Name = "invaliduser1"
NAS-Identifier = "openwrt"
NAS-Port = 1
Called-Station-Id = "00-18-F8-C1-66-46:testbed"
Calling-Station-Id = "00-17-F2-E7-39-C0"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x02db00060d00
State = 0x1925f89c1ffef5e511765369958e0fff
Message-Authenticator = 0x532e5b192c2b3f42d94eca4f8f1b6322
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "invaliduser1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 219 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] Received TLS ACK
[tls] ACK handshake is finished
[tls] eaptls_verify returned 3
[tls] eaptls_process returned 3
[tls] Adding user data to cached session
[eap] Freeing handler
++[eap] returns ok
# Executing section post-auth from file
/etc/freeradius/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 77 to 192.168.183.110 port 55425
MS-MPPE-Recv-Key =
0xad6a9918758ca549457e3cb1635cebde2c308c218cd1ba3bb1fcb0e6222964f9
MS-MPPE-Send-Key =
0x2d9a175670e6428ae1c84bd869cac06f47b47703c29addc0f8fbbe4081ffe5e7
EAP-Message = 0x03db0004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "invaliduser1"
Finished request 7.
Going to the next request
Waking up in 4.7 seconds.
Cleaning up request 0 ID 70 with timestamp +46
Cleaning up request 1 ID 71 with timestamp +46
Cleaning up request 2 ID 72 with timestamp +46
Cleaning up request 3 ID 73 with timestamp +46
Cleaning up request 4 ID 74 with timestamp +46
Cleaning up request 5 ID 75 with timestamp +46
Cleaning up request 6 ID 76 with timestamp +46
Cleaning up request 7 ID 77 with timestamp +46
Ready to process requests.
^[[Brad_recv: Access-Request packet from host 192.168.183.110 port
55425, id=78, length=156
User-Name = "invaliduser2"
NAS-Identifier = "openwrt"
NAS-Port = 2
Called-Station-Id = "00-18-F8-C1-66-46:testbed"
Calling-Station-Id = "00-1F-3A-49-EC-73"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x0265000b01626f6f676572
Message-Authenticator = 0xcbeda4a2bb48dac1e14a1e77420b9ad3
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "invaliduser2", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 101 length 11
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 78 to 192.168.183.110 port 55425
EAP-Message = 0x016600160410fab91c864c3e522df93d00b39b6c51bf
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x9106cfd89160cb8160f4a77ced516b61
Finished request 8.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.183.110 port 55425,
id=79, length=169
User-Name = "invaliduser2"
NAS-Identifier = "openwrt"
NAS-Port = 2
Called-Station-Id = "00-18-F8-C1-66-46:testbed"
Calling-Station-Id = "00-1F-3A-49-EC-73"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x02660006030d
State = 0x9106cfd89160cb8160f4a77ced516b61
Message-Authenticator = 0xcc79781441efd250c146b39492c1e6e8
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "invaliduser2", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 102 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/tls
[eap] processing type tls
[tls] Requiring client certificate
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 79 to 192.168.183.110 port 55425
EAP-Message = 0x016700060d20
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x9106cfd89061c28160f4a77ced516b61
Finished request 9.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.183.110 port 55425,
id=80, length=278
User-Name = "invaliduser2"
NAS-Identifier = "openwrt"
NAS-Port = 2
Called-Station-Id = "00-18-F8-C1-66-46:testbed"
Calling-Station-Id = "00-1F-3A-49-EC-73"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message =
0x026700730d0016030100680100006403014cf481b4d6922495a82e8d872689752cd335368ce1d573362881aef4ad676af700003600390038003500880087008400160013000a00330032002f0045004400410007000500040015001200090014001100080006000300ff020100000400230000
State = 0x9106cfd89061c28160f4a77ced516b61
Message-Authenticator = 0x3fb0727493ed1edbe0bae2c6c3dd0501
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "invaliduser2", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 103 length 115
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] eaptls_verify returned 7
[tls] Done initial handshake
[tls] (other): before/accept initialization
[tls] TLS_accept: before/accept initialization
[tls] <<< TLS 1.0 Handshake [length 0068], ClientHello
[tls] TLS_accept: SSLv3 read client hello A
[tls] >>> TLS 1.0 Handshake [length 002a], ServerHello
[tls] TLS_accept: SSLv3 write server hello A
[tls] >>> TLS 1.0 Handshake [length 0861], Certificate
[tls] TLS_accept: SSLv3 write certificate A
[tls] >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange
[tls] TLS_accept: SSLv3 write key exchange A
[tls] >>> TLS 1.0 Handshake [length 00a9], CertificateRequest
[tls] TLS_accept: SSLv3 write certificate request A
[tls] TLS_accept: SSLv3 flush data
[tls] TLS_accept: Need to read more data: SSLv3 read client
certificate A
In SSL Handshake Phase
In SSL Accept mode
[tls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 80 to 192.168.183.110 port 55425
EAP-Message =
0x016804000dc000000b55160301002a0200002603014cf481afc3b222e7c1332f8cc59549c4b063a8bf9077bbd1cde56575eafe36cb0000390116030108610b00085d00085a0003a6308203a23082028aa003020102020101300d06092a864886f70d0101040500308194310b30090603550406130255533111300f0603550408130856697267696e6961311430120603550407130b43656e74726576696c6c6531123010060355040a13094565626c652e6e6574311e301c06092a864886f70d010901160f61646d696e406565626c652e6e6574312830260603550403131f4565626c652e6e657420436572746966696361746520417574686f726974
EAP-Message =
0x79301e170d3130313132363037323333305a170d3131313132363037323333305a307b310b30090603550406130255533111300f0603550408130856697267696e696131123010060355040a13094565626c652e6e6574312530230603550403131c4565626c652e6e657420536572766572204365727469666963617465311e301c06092a864886f70d010901160f61646d696e406565626c652e6e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100ab4afd83acd6fea4fce7bb07d045a43436798b06b2f2be86ab6f19386c5e7d536585255834652f9a40160c6d19947c5fd02148f127b1d6d58558e055a952
EAP-Message =
0xaaaaaeb915a8475944790f539aa2084dfcd4de24636182bf350426db1a04320019b47a8d32229c4f4d4f0039bf7c4840673502f1eaefe170447fc3a508944ea8cd2197867ddb4e8f3cf5cba3da5d10f4714f40f4b28e1f48805023bb26cd940e96a68a4dc2a73243321c0af06b9b5356162641a5099fc439255340c3c02df4433f88969ce4e6035d40db3a0b4f74d31ac421e2faeec27c6fc6385d91755c1c4ed458ff850d37d7e06e9f95e87a59a5d63b25e44d3e608f6802ee9ef42619251a13ef0203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d0101040500038201010048267d769b012e4e35
EAP-Message =
0xee42366711bc376d503f76bd2da75c7a4040a07878b5bc5a1ad52e5e3e803b526cefeb61c58bb3db5041f4383377c39b5a72b0d35a0edde4fc3469abdaf0acb14920cc11ca1bf93e95089a627a1b99de8124c51a2dc7524e473e9333eda0aa213b11ecf188fcacbc20c2840beb0906e283d8e9025bbb2eb83ac816b2dcefe20edadddc2d5dfc171882bb8dde3f07a008fb4caa66e98a1c9ae3b452dee84971cfe892cfeab83846a60d9be8dfc0866ab93473c83541dd2d182076da789ec03128445292be43d0150e299e33030f45e4344a32ba4f6ed33a10e1e10f4a472649b92b2da7233986ed251adc2ea59764ef2187070e23a8743c0004ae308204
EAP-Message = 0xaa30820392a0030201020209
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x9106cfd8936ec28160f4a77ced516b61
Finished request 10.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 192.168.183.110 port 55425,
id=81, length=169
User-Name = "invaliduser2"
NAS-Identifier = "openwrt"
NAS-Port = 2
Called-Station-Id = "00-18-F8-C1-66-46:testbed"
Calling-Station-Id = "00-1F-3A-49-EC-73"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x026800060d00
State = 0x9106cfd8936ec28160f4a77ced516b61
Message-Authenticator = 0x9a957e238e6c0098c09f429bab8a5cfb
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "invaliduser2", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 104 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] Received TLS ACK
[tls] ACK handshake fragment handler
[tls] eaptls_verify returned 1
[tls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 81 to 192.168.183.110 port 55425
EAP-Message =
0x016904000dc000000b550097852e5140914149300d06092a864886f70d0101050500308194310b30090603550406130255533111300f0603550408130856697267696e6961311430120603550407130b43656e74726576696c6c6531123010060355040a13094565626c652e6e6574311e301c06092a864886f70d010901160f61646d696e406565626c652e6e6574312830260603550403131f4565626c652e6e657420436572746966696361746520417574686f72697479301e170d3130313132363037323333305a170d3230313132333037323333305a308194310b30090603550406130255533111300f0603550408130856697267696e696131
EAP-Message =
0x1430120603550407130b43656e74726576696c6c6531123010060355040a13094565626c652e6e6574311e301c06092a864886f70d010901160f61646d696e406565626c652e6e6574312830260603550403131f4565626c652e6e657420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a02820101009a8f48c1dab2627525533672059ac65f037f7e96dca2744211718eda8e799239ada3486e9872eb0b811e888df90de8d5fc0837f5a146191528f1d1ff35adbad8a9b8928080363eb64a6ab03942480f48534902136d8c94b34e01d7e331ad215c11b35bb6990bafc17f
EAP-Message =
0xd261890769bb00533729a6fcc0b5d4d18e08bf54b1d66127996136d9577f12a4513304da016917577afdf64b02cf91d0a39b3c451dce5a920c810b4d23bd34931bb03d156f8d7fe834536b9ae11bd62195b59177db765d9982b232369e5bd89b10f4a0031ba2dbff86f672ac101a155d11ae07b904a4f74ffbb86f2524bc227167e41ca889fa9c56735a5665cfa5de0ad81b7ddaa0785d0203010001a381fc3081f9301d0603551d0e04160414a1454d2d4a35b362e6397fe81e7964fa6d2e9a9a3081c90603551d230481c13081be8014a1454d2d4a35b362e6397fe81e7964fa6d2e9a9aa1819aa48197308194310b30090603550406130255533111
EAP-Message =
0x300f0603550408130856697267696e6961311430120603550407130b43656e74726576696c6c6531123010060355040a13094565626c652e6e6574311e301c06092a864886f70d010901160f61646d696e406565626c652e6e6574312830260603550403131f4565626c652e6e657420436572746966696361746520417574686f7269747982090097852e5140914149300c0603551d13040530030101ff300d06092a864886f70d010105050003820101004a090448190a316f43d373decd0d9e53a75d10c17c49043984a6c492f8bf96d303796e7c4e4539c5c3d49ebbe972a9ca204067bbf9886462119bb1ce627ffb6fe9beb21a56dc152facef50
EAP-Message = 0x40cfcbdd5a55e31c0c9eb904
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x9106cfd8926fc28160f4a77ced516b61
Finished request 11.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 192.168.183.110 port 55425,
id=82, length=169
User-Name = "invaliduser2"
NAS-Identifier = "openwrt"
NAS-Port = 2
Called-Station-Id = "00-18-F8-C1-66-46:testbed"
Calling-Station-Id = "00-1F-3A-49-EC-73"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x026900060d00
State = 0x9106cfd8926fc28160f4a77ced516b61
Message-Authenticator = 0x6a6a344f5929ac78f2ed252a2870d7b2
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "invaliduser2", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 105 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] Received TLS ACK
[tls] ACK handshake fragment handler
[tls] eaptls_verify returned 1
[tls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 82 to 192.168.183.110 port 55425
EAP-Message =
0x016a03730d8000000b55914f2148c7338774e1eb3f21449d3bbf86fe03d78f34a07df485fbff7dc3b305fadf41bfcbc41ec076c5c542b8f858008b3b3be00f858d2737331cf567c738692d8723ac6307cac62801513bf055cd6a9c726953195fbd7dbcf9e0a44289e5f1eee447c9ce87570f77a7e8574bc1fff0a2dbf4f85b545d5b6fa0b4c96b5f8db94b42686f9fdc9b7daebd59d83ddbf5dd64e1ac041d4653a4a5175ce9079c27b4a60d4115166c619f3d160301020d0c0002090080ff1dbabee46297bf06de02f05ad815fdf518ce607e3dd1ff5c528dd383fd71430fc86fe3a57b4e2d8e6b2d017f89ff90d03477d409b591bde4502eee1aeb02
EAP-Message =
0x38c518226df76f43435eba774de8611277591c7cbc23913412d8067e5cd7ea38c53f314e3198473832c4f1737a0edb3a09d44f512c4b4131f3e1b5d6d91732691b0001020080a3f58451d5337dde0a183e126d86ee23158947536f4a7a89c279e5fec04915f6052292b9d57c8a0dbe8b3c8feee54217f6c8265da333535fe2b471651c33303cb12abcc1bb925f7d51e35780ba5bc9db2c9f25127abcdd1ad7b239e6fb5542c7bb1b5db0e28695d5e2ac3c84e65f0bd6095edb79a88f8ec2ab64957f34e65ad201007ac7cd7798bb5f7a7bdb90a0db030464d2d7f6e40e085790f1e405b6f627d55f7c70c5ae25951a718f1190462a4b7cbf822a7e7fea
EAP-Message =
0x0b918e8224b19c2782deda073f2a26af8e7c00c3f5d257f939f91cb7abd572e0e5eb97bdd82d29549d4b29051865d7f26d92984d226ded73e4838e542a00e3090841845ac4c50411726153c9cc7c90036d815c24b1118b1983dea8226823d9f9cb4ea15eaea198924265f56d32d612a2d819719c7fa6bd07f1c6a8f4624a9e1f6a51ba426e662726c0bc2bc881ac5290d6fdab5763b7cfd4de06955364ec5cb15a454fe78e8b6b4e24d06f18f8e31b0755ca9aeabb2fcb12eb6f9931b4b8284f0adeb8cfec4cfd979b6f2516030100a90d0000a105030401024000990097308194310b30090603550406130255533111300f0603550408130856697267
EAP-Message =
0x696e6961311430120603550407130b43656e74726576696c6c6531123010060355040a13094565626c652e6e6574311e301c06092a864886f70d010901160f61646d696e406565626c652e6e6574312830260603550403131f4565626c652e6e657420436572746966696361746520417574686f726974790e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x9106cfd8956cc28160f4a77ced516b61
Finished request 12.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 192.168.183.110 port 55425,
id=83, length=1483
User-Name = "invaliduser2"
NAS-Identifier = "openwrt"
NAS-Port = 2
Called-Station-Id = "00-18-F8-C1-66-46:testbed"
Calling-Station-Id = "00-1F-3A-49-EC-73"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message =
0x026a051e0dc000000a2816030108520b00084e00084b000397308203933082027ba003020102020102300d06092a864886f70d0101040500308194310b30090603550406130255533111300f0603550408130856697267696e6961311430120603550407130b43656e74726576696c6c6531123010060355040a13094565626c652e6e6574311e301c06092a864886f70d010901160f61646d696e406565626c652e6e6574312830260603550403131f4565626c652e6e657420436572746966696361746520417574686f72697479301e170d3130313132363037333533385a170d3131313132363037333533385a306c310b30090603550406130255
EAP-Message =
0x533111300f0603550408130856697267696e696131123010060355040a13094565626c652e6e6574311730150603550403140e616e6479406565626c652e6e6574311d301b06092a864886f70d010901160e616e6479406565626c652e6e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100b4023777541709e539867d3033954f764c3a207c352dba4ee043642002ed4df123cb5edbe0d7a35cf9c21c88cd4ea537f3f297d9be68cb7bcbc49fdbc6ed94745d1aa057fcf259ad7898a6eb1b123b277e55da4d877972f169d29b922bfedd8dab070dbe905d1437ef1c84e9c7be7fd9736882d153993e36aa498819
EAP-Message =
0x68e526722d720427a9b2cccece64fcae119806c9ae5a925f68c09d0df5fcd9ebc6e20040cb97dac3f44a32ade71f6cfc40f90ac4b64f2585d45fd6901b13b2ae12347460853c30dab72c88c4f0becccd393433e47037ecb61544cb38155bb8ce9f75a9e5a024b5e03139cacb74d47d4af87aa3b9781903b8b6976260c39fc83df288482f0203010001a317301530130603551d25040c300a06082b06010505070302300d06092a864886f70d0101040500038201010049c7d67a933fd63a42cf33f6adb61bdc203bc30007ed3dfa9da446a6c3e78bced49ae68d7fd3611a431e888a9144d196bf30f46ae1be3d673006bbb6e50d3191f6756b38506838
EAP-Message =
0xad445350dfa97ac88297b8f36979dea39a92c4add1e5f6050eb5af41f3c8702b682365719456074d7623c2a0bca5be7c86c65ad538d4e8c615dde70df4967e6ea2acc5e2e76dde0ca0f13c4a34eddc93615cc7eba93b75ea9c23a85f74f1240ee999c08416d080a36246deec5b552046232ad3470f042bbe1774bb386c84aaa3ddcd4dc38acd816de90983e5a44231e77ae4d641ea14d6e822bbf969852387230eef0e02b3f84916b2bd0ba4aa159a4cb7aeb542b8cf3bd8dd0004ae308204aa30820392a00302010202090097852e5140914149300d06092a864886f70d0101050500308194310b30090603550406130255533111300f060355040813
EAP-Message =
0x0856697267696e6961311430120603550407130b43656e74726576696c6c6531123010060355040a13094565626c652e6e6574311e301c06092a864886f70d010901160f61646d696e406565626c652e6e6574312830260603550403131f4565626c652e6e657420436572746966696361746520417574686f72697479301e170d3130313132363037323333305a170d3230313132333037323333305a308194310b30090603550406130255533111300f0603550408130856697267696e6961311430120603550407130b43656e74726576696c6c6531123010060355040a13094565626c652e6e6574311e301c06092a864886f70d010901160f6164
EAP-Message =
0x6d696e406565626c652e6e6574312830260603550403131f4565626c652e6e6574204365727469666963617465
State = 0x9106cfd8956cc28160f4a77ced516b61
Message-Authenticator = 0x7f9e18fbc6764ac5d67ed14f4b9af68f
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "invaliduser2", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 106 length 253
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
TLS Length 2600
[tls] Received EAP-TLS First Fragment of the message
[tls] eaptls_verify returned 9
[tls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 83 to 192.168.183.110 port 55425
EAP-Message = 0x016b00060d00
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x9106cfd8946dc28160f4a77ced516b61
Finished request 13.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 192.168.183.110 port 55425,
id=84, length=1479
User-Name = "invaliduser2"
NAS-Identifier = "openwrt"
NAS-Port = 2
Called-Station-Id = "00-18-F8-C1-66-46:testbed"
Calling-Station-Id = "00-1F-3A-49-EC-73"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message =
0x026b051a0d0020417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a02820101009a8f48c1dab2627525533672059ac65f037f7e96dca2744211718eda8e799239ada3486e9872eb0b811e888df90de8d5fc0837f5a146191528f1d1ff35adbad8a9b8928080363eb64a6ab03942480f48534902136d8c94b34e01d7e331ad215c11b35bb6990bafc17fd261890769bb00533729a6fcc0b5d4d18e08bf54b1d66127996136d9577f12a4513304da016917577afdf64b02cf91d0a39b3c451dce5a920c810b4d23bd34931bb03d156f8d7fe834536b9ae11bd62195b59177db765d9982b232369e5bd89b10f4a0
EAP-Message =
0x031ba2dbff86f672ac101a155d11ae07b904a4f74ffbb86f2524bc227167e41ca889fa9c56735a5665cfa5de0ad81b7ddaa0785d0203010001a381fc3081f9301d0603551d0e04160414a1454d2d4a35b362e6397fe81e7964fa6d2e9a9a3081c90603551d230481c13081be8014a1454d2d4a35b362e6397fe81e7964fa6d2e9a9aa1819aa48197308194310b30090603550406130255533111300f0603550408130856697267696e6961311430120603550407130b43656e74726576696c6c6531123010060355040a13094565626c652e6e6574311e301c06092a864886f70d010901160f61646d696e406565626c652e6e65743128302606035504
EAP-Message =
0x03131f4565626c652e6e657420436572746966696361746520417574686f7269747982090097852e5140914149300c0603551d13040530030101ff300d06092a864886f70d010105050003820101004a090448190a316f43d373decd0d9e53a75d10c17c49043984a6c492f8bf96d303796e7c4e4539c5c3d49ebbe972a9ca204067bbf9886462119bb1ce627ffb6fe9beb21a56dc152facef5040cfcbdd5a55e31c0c9eb904914f2148c7338774e1eb3f21449d3bbf86fe03d78f34a07df485fbff7dc3b305fadf41bfcbc41ec076c5c542b8f858008b3b3be00f858d2737331cf567c738692d8723ac6307cac62801513bf055cd6a9c726953195fbd
EAP-Message =
0x7dbcf9e0a44289e5f1eee447c9ce87570f77a7e8574bc1fff0a2dbf4f85b545d5b6fa0b4c96b5f8db94b42686f9fdc9b7daebd59d83ddbf5dd64e1ac041d4653a4a5175ce9079c27b4a60d4115166c619f3d1603010086100000820080b6a6fc11dae5b0d91c974b23f5776da3286d51dcc75025f7c365a81ee0549d08874f95a097f285ee3a3cce4fdb904f7b3185a82d3481ab460ced11dff2a41eeaaddd17a9244340ea3ff2528e0166cd881bba22eb4430c0912d549f812860cf3b63dbb074e8fc33725756ab1b2f710b3675f49e0ec8718bf1c58dd8638625cf1d16030101060f000102010065ff0cdee1f13a073180ed689e5b2f589463c9ec0e
EAP-Message =
0x61ebef4b3bc295e8dbc4c54e118053c49235e051480ab69237c3e50f1440072ebca811ae9e2f41435ae59b87a5032edaae224c416acdc06a9c0226244bb52fccd4d3eb3e9b565762923c7ccafd3d2f9140a705cd5aea3bae0a69b9e3acaf2f93aa68a9f7fb188068bd6e5ef5c3a60abf7bee8a2e6b59bb97ca7cb5ab2eefa0f94956920692c62930e794d5d97c33868b5f6a80b6e1c9732ff5cf42c4fa45e4a96d467b379149cabfd92645560ed128d3d2e295fbb7c1906cfe8497bcb266272e0f659038f9a32b98f6f3264983120b590a5e7ff75cffe1c0b1ea09e45e24536ce0990ecf42d99b2a9a1e8314030100010116030100309cc7400c95d751
EAP-Message =
0xf414988cf618ea3991159a7bcc648fb85a02c193b13b9b4171037012a120b2e36bf4f046a626235d30
State = 0x9106cfd8946dc28160f4a77ced516b61
Message-Authenticator = 0x5ffcc1fbcd380454fd25524389e7c6b3
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "invaliduser2", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 107 length 253
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] eaptls_verify returned 7
[tls] Done initial handshake
[tls] <<< TLS 1.0 Handshake [length 0852], Certificate
[tls] chain-depth=1,
[tls] error=0
[tls] --> User-Name = invaliduser2
[tls] --> BUF-Name = Example.net Certificate Authority
[tls] --> subject =
/C=US/ST=Virginia/L=Centreville/O=Example.net/emailAddress=admin at example.net/CN=Example.net
Certificate Authority
[tls] --> issuer =
/C=US/ST=Virginia/L=Centreville/O=Example.net/emailAddress=admin at example.net/CN=Example.net
Certificate Authority
[tls] --> verify return:1
[tls] chain-depth=0,
[tls] error=0
[tls] --> User-Name = invaliduser2
[tls] --> BUF-Name = andy at example.net
[tls] --> subject =
/C=US/ST=Virginia/O=Example.net/CN=andy at example.net/emailAddress=andy at example.net
[tls] --> issuer =
/C=US/ST=Virginia/L=Centreville/O=Example.net/emailAddress=admin at example.net/CN=Example.net
Certificate Authority
[tls] --> verify return:1
[tls] TLS_accept: SSLv3 read client certificate A
[tls] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
[tls] TLS_accept: SSLv3 read client key exchange A
[tls] <<< TLS 1.0 Handshake [length 0106], CertificateVerify
[tls] TLS_accept: SSLv3 read certificate verify A
[tls] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[tls] <<< TLS 1.0 Handshake [length 0010], Finished
[tls] TLS_accept: SSLv3 read finished A
[tls] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[tls] TLS_accept: SSLv3 write change cipher spec A
[tls] >>> TLS 1.0 Handshake [length 0010], Finished
[tls] TLS_accept: SSLv3 write finished A
[tls] TLS_accept: SSLv3 flush data
[tls] (other): SSL negotiation finished successfully
SSL Connection Established
[tls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 84 to 192.168.183.110 port 55425
EAP-Message =
0x016c00450d800000003b1403010001011603010030963977704c781d4f4d8f2aa3b335d363af8d81e6263bee6d1c02a09b7a0e47957e42cb94ecad93a231e257b94f0abcbd
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x9106cfd8976ac28160f4a77ced516b61
Finished request 14.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 192.168.183.110 port 55425,
id=85, length=169
User-Name = "invaliduser2"
NAS-Identifier = "openwrt"
NAS-Port = 2
Called-Station-Id = "00-18-F8-C1-66-46:testbed"
Calling-Station-Id = "00-1F-3A-49-EC-73"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x026c00060d00
State = 0x9106cfd8976ac28160f4a77ced516b61
Message-Authenticator = 0x1a64cfaaa61f800e099a0432de248e44
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "invaliduser2", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 108 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] Received TLS ACK
[tls] ACK handshake is finished
[tls] eaptls_verify returned 3
[tls] eaptls_process returned 3
[tls] Adding user data to cached session
[eap] Freeing handler
++[eap] returns ok
# Executing section post-auth from file
/etc/freeradius/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 85 to 192.168.183.110 port 55425
MS-MPPE-Recv-Key =
0x2d08d6053dd69463c00f28fa96253e6fef7ce1c25fcd636ac7801ea4b30f0c9e
MS-MPPE-Send-Key =
0x2436262b744f0612e2b44f856b7e3fa2569a1ee6e6dc68ff6eee62e13fedefb9
EAP-Message = 0x036c0004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "invaliduser2"
Finished request 15.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 192.168.183.110 port 55425,
id=86, length=156
User-Name = "invaliduser2"
NAS-Identifier = "openwrt"
NAS-Port = 2
Called-Station-Id = "00-18-F8-C1-66-46:testbed"
Calling-Station-Id = "00-1F-3A-49-EC-73"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x02de000b01626f6f676572
Message-Authenticator = 0x9c78554a3a8b563535d0d903b0c89b00
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "invaliduser2", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 222 length 11
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 86 to 192.168.183.110 port 55425
EAP-Message = 0x01df001604105ce2f52a06b4da9a957fd7800282dd99
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x9d0db2769dd2b6bf32cdba76f867f4ab
Finished request 16.
Going to the next request
Waking up in 0.5 seconds.
rad_recv: Access-Request packet from host 192.168.183.110 port 55425,
id=87, length=169
User-Name = "invaliduser2"
NAS-Identifier = "openwrt"
NAS-Port = 2
Called-Station-Id = "00-18-F8-C1-66-46:testbed"
Calling-Station-Id = "00-1F-3A-49-EC-73"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x02df0006030d
State = 0x9d0db2769dd2b6bf32cdba76f867f4ab
Message-Authenticator = 0x417840b8fd464fb1b5c3de9d7fbab021
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "invaliduser2", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 223 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/tls
[eap] processing type tls
[tls] Requiring client certificate
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 87 to 192.168.183.110 port 55425
EAP-Message = 0x01e000060d20
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x9d0db2769cedbfbf32cdba76f867f4ab
Finished request 17.
Going to the next request
Waking up in 0.5 seconds.
rad_recv: Access-Request packet from host 192.168.183.110 port 55425,
id=88, length=278
User-Name = "invaliduser2"
NAS-Identifier = "openwrt"
NAS-Port = 2
Called-Station-Id = "00-18-F8-C1-66-46:testbed"
Calling-Station-Id = "00-1F-3A-49-EC-73"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message =
0x02e000730d0016030100680100006403014cf481b8c295486f451587fade5111838f65298e8700ee9b233d48421510c46000003600390038003500880087008400160013000a00330032002f0045004400410007000500040015001200090014001100080006000300ff020100000400230000
State = 0x9d0db2769cedbfbf32cdba76f867f4ab
Message-Authenticator = 0x8a9e14310b6e47c2c3de26023dae497c
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "invaliduser2", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 224 length 115
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] eaptls_verify returned 7
[tls] Done initial handshake
[tls] (other): before/accept initialization
[tls] TLS_accept: before/accept initialization
[tls] <<< TLS 1.0 Handshake [length 0068], ClientHello
[tls] TLS_accept: SSLv3 read client hello A
[tls] >>> TLS 1.0 Handshake [length 002a], ServerHello
[tls] TLS_accept: SSLv3 write server hello A
[tls] >>> TLS 1.0 Handshake [length 0861], Certificate
[tls] TLS_accept: SSLv3 write certificate A
[tls] >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange
[tls] TLS_accept: SSLv3 write key exchange A
[tls] >>> TLS 1.0 Handshake [length 00a9], CertificateRequest
[tls] TLS_accept: SSLv3 write certificate request A
[tls] TLS_accept: SSLv3 flush data
[tls] TLS_accept: Need to read more data: SSLv3 read client
certificate A
In SSL Handshake Phase
In SSL Accept mode
[tls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 88 to 192.168.183.110 port 55425
EAP-Message =
0x01e104000dc000000b55160301002a0200002603014cf481b46e40ddcb8f677105b2abcbca4ea593ed6f3982f0b5f536ad4d045fe70000390116030108610b00085d00085a0003a6308203a23082028aa003020102020101300d06092a864886f70d0101040500308194310b30090603550406130255533111300f0603550408130856697267696e6961311430120603550407130b43656e74726576696c6c6531123010060355040a13094565626c652e6e6574311e301c06092a864886f70d010901160f61646d696e406565626c652e6e6574312830260603550403131f4565626c652e6e657420436572746966696361746520417574686f726974
EAP-Message =
0x79301e170d3130313132363037323333305a170d3131313132363037323333305a307b310b30090603550406130255533111300f0603550408130856697267696e696131123010060355040a13094565626c652e6e6574312530230603550403131c4565626c652e6e657420536572766572204365727469666963617465311e301c06092a864886f70d010901160f61646d696e406565626c652e6e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100ab4afd83acd6fea4fce7bb07d045a43436798b06b2f2be86ab6f19386c5e7d536585255834652f9a40160c6d19947c5fd02148f127b1d6d58558e055a952
EAP-Message =
0xaaaaaeb915a8475944790f539aa2084dfcd4de24636182bf350426db1a04320019b47a8d32229c4f4d4f0039bf7c4840673502f1eaefe170447fc3a508944ea8cd2197867ddb4e8f3cf5cba3da5d10f4714f40f4b28e1f48805023bb26cd940e96a68a4dc2a73243321c0af06b9b5356162641a5099fc439255340c3c02df4433f88969ce4e6035d40db3a0b4f74d31ac421e2faeec27c6fc6385d91755c1c4ed458ff850d37d7e06e9f95e87a59a5d63b25e44d3e608f6802ee9ef42619251a13ef0203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d0101040500038201010048267d769b012e4e35
EAP-Message =
0xee42366711bc376d503f76bd2da75c7a4040a07878b5bc5a1ad52e5e3e803b526cefeb61c58bb3db5041f4383377c39b5a72b0d35a0edde4fc3469abdaf0acb14920cc11ca1bf93e95089a627a1b99de8124c51a2dc7524e473e9333eda0aa213b11ecf188fcacbc20c2840beb0906e283d8e9025bbb2eb83ac816b2dcefe20edadddc2d5dfc171882bb8dde3f07a008fb4caa66e98a1c9ae3b452dee84971cfe892cfeab83846a60d9be8dfc0866ab93473c83541dd2d182076da789ec03128445292be43d0150e299e33030f45e4344a32ba4f6ed33a10e1e10f4a472649b92b2da7233986ed251adc2ea59764ef2187070e23a8743c0004ae308204
EAP-Message = 0xaa30820392a0030201020209
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x9d0db2769fecbfbf32cdba76f867f4ab
Finished request 18.
Going to the next request
Waking up in 0.4 seconds.
rad_recv: Access-Request packet from host 192.168.183.110 port 55425,
id=89, length=169
User-Name = "invaliduser2"
NAS-Identifier = "openwrt"
NAS-Port = 2
Called-Station-Id = "00-18-F8-C1-66-46:testbed"
Calling-Station-Id = "00-1F-3A-49-EC-73"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x02e100060d00
State = 0x9d0db2769fecbfbf32cdba76f867f4ab
Message-Authenticator = 0x3b7277d4745b9e98ca72f95ab5737f7e
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "invaliduser2", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 225 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] Received TLS ACK
[tls] ACK handshake fragment handler
[tls] eaptls_verify returned 1
[tls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 89 to 192.168.183.110 port 55425
EAP-Message =
0x01e204000dc000000b550097852e5140914149300d06092a864886f70d0101050500308194310b30090603550406130255533111300f0603550408130856697267696e6961311430120603550407130b43656e74726576696c6c6531123010060355040a13094565626c652e6e6574311e301c06092a864886f70d010901160f61646d696e406565626c652e6e6574312830260603550403131f4565626c652e6e657420436572746966696361746520417574686f72697479301e170d3130313132363037323333305a170d3230313132333037323333305a308194310b30090603550406130255533111300f0603550408130856697267696e696131
EAP-Message =
0x1430120603550407130b43656e74726576696c6c6531123010060355040a13094565626c652e6e6574311e301c06092a864886f70d010901160f61646d696e406565626c652e6e6574312830260603550403131f4565626c652e6e657420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a02820101009a8f48c1dab2627525533672059ac65f037f7e96dca2744211718eda8e799239ada3486e9872eb0b811e888df90de8d5fc0837f5a146191528f1d1ff35adbad8a9b8928080363eb64a6ab03942480f48534902136d8c94b34e01d7e331ad215c11b35bb6990bafc17f
EAP-Message =
0xd261890769bb00533729a6fcc0b5d4d18e08bf54b1d66127996136d9577f12a4513304da016917577afdf64b02cf91d0a39b3c451dce5a920c810b4d23bd34931bb03d156f8d7fe834536b9ae11bd62195b59177db765d9982b232369e5bd89b10f4a0031ba2dbff86f672ac101a155d11ae07b904a4f74ffbb86f2524bc227167e41ca889fa9c56735a5665cfa5de0ad81b7ddaa0785d0203010001a381fc3081f9301d0603551d0e04160414a1454d2d4a35b362e6397fe81e7964fa6d2e9a9a3081c90603551d230481c13081be8014a1454d2d4a35b362e6397fe81e7964fa6d2e9a9aa1819aa48197308194310b30090603550406130255533111
EAP-Message =
0x300f0603550408130856697267696e6961311430120603550407130b43656e74726576696c6c6531123010060355040a13094565626c652e6e6574311e301c06092a864886f70d010901160f61646d696e406565626c652e6e6574312830260603550403131f4565626c652e6e657420436572746966696361746520417574686f7269747982090097852e5140914149300c0603551d13040530030101ff300d06092a864886f70d010105050003820101004a090448190a316f43d373decd0d9e53a75d10c17c49043984a6c492f8bf96d303796e7c4e4539c5c3d49ebbe972a9ca204067bbf9886462119bb1ce627ffb6fe9beb21a56dc152facef50
EAP-Message = 0x40cfcbdd5a55e31c0c9eb904
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x9d0db2769eefbfbf32cdba76f867f4ab
Finished request 19.
Going to the next request
Waking up in 0.4 seconds.
rad_recv: Access-Request packet from host 192.168.183.110 port 55425,
id=90, length=169
User-Name = "invaliduser2"
NAS-Identifier = "openwrt"
NAS-Port = 2
Called-Station-Id = "00-18-F8-C1-66-46:testbed"
Calling-Station-Id = "00-1F-3A-49-EC-73"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x02e200060d00
State = 0x9d0db2769eefbfbf32cdba76f867f4ab
Message-Authenticator = 0xf97c53a2038663a789e7316935e0a570
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "invaliduser2", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 226 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] Received TLS ACK
[tls] ACK handshake fragment handler
[tls] eaptls_verify returned 1
[tls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 90 to 192.168.183.110 port 55425
EAP-Message =
0x01e303730d8000000b55914f2148c7338774e1eb3f21449d3bbf86fe03d78f34a07df485fbff7dc3b305fadf41bfcbc41ec076c5c542b8f858008b3b3be00f858d2737331cf567c738692d8723ac6307cac62801513bf055cd6a9c726953195fbd7dbcf9e0a44289e5f1eee447c9ce87570f77a7e8574bc1fff0a2dbf4f85b545d5b6fa0b4c96b5f8db94b42686f9fdc9b7daebd59d83ddbf5dd64e1ac041d4653a4a5175ce9079c27b4a60d4115166c619f3d160301020d0c0002090080ff1dbabee46297bf06de02f05ad815fdf518ce607e3dd1ff5c528dd383fd71430fc86fe3a57b4e2d8e6b2d017f89ff90d03477d409b591bde4502eee1aeb02
EAP-Message =
0x38c518226df76f43435eba774de8611277591c7cbc23913412d8067e5cd7ea38c53f314e3198473832c4f1737a0edb3a09d44f512c4b4131f3e1b5d6d91732691b000102008045c25ccb2d5fcda4484bd4389895809c2e8bc4ea510ba6c61b2ac53cced54dee16374e3f77d57da1bdd8cad9097bc427581db803f46445b362993f9601bbb8f571de5b8b1874db5a14100f49bf541c82ad0edae92b1d6ff27494ec12872792f88edb19d2fa08d30908c857590b5ed85f6855b88ac7f5ac13bd71bf41a79426b101004c19fc04acceb057ee3b9a5c2083c2803841a17d7d8998feeb2b3966ce510fd9745bb0bfc40dfc00bc2841c0f84ef0360bc103135e
EAP-Message =
0x44c8c94508352176b28e83b5bc3db4e2295136fb775d0b48a0d5fe8a1908b26e698f1ac6af338af3acdb6b3b1925e6f0d149ea4da6b9f172ca702562877890f1ef8e551fc46edddf4101087298b9c2d2065e55289acc82102987b090606069b9d4da96c8c96f9b838d97c4a3c10354dadf2bc90873fba7b89213f4b33f19c89e325e842f3b2f2e0d4eae3f55d7693b4837279417914e2c300456d9a99eba20effbc1ac663e4a4bb90607a62ca30aff1fa9f30d7e745a88505b60ebdb5e6473e918051afe27c2990e1d973b16030100a90d0000a105030401024000990097308194310b30090603550406130255533111300f0603550408130856697267
EAP-Message =
0x696e6961311430120603550407130b43656e74726576696c6c6531123010060355040a13094565626c652e6e6574311e301c06092a864886f70d010901160f61646d696e406565626c652e6e6574312830260603550403131f4565626c652e6e657420436572746966696361746520417574686f726974790e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x9d0db27699eebfbf32cdba76f867f4ab
Finished request 20.
Going to the next request
Waking up in 0.4 seconds.
rad_recv: Access-Request packet from host 192.168.183.110 port 55425,
id=91, length=1483
User-Name = "invaliduser2"
NAS-Identifier = "openwrt"
NAS-Port = 2
Called-Station-Id = "00-18-F8-C1-66-46:testbed"
Calling-Station-Id = "00-1F-3A-49-EC-73"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message =
0x02e3051e0dc000000a2816030108520b00084e00084b000397308203933082027ba003020102020102300d06092a864886f70d0101040500308194310b30090603550406130255533111300f0603550408130856697267696e6961311430120603550407130b43656e74726576696c6c6531123010060355040a13094565626c652e6e6574311e301c06092a864886f70d010901160f61646d696e406565626c652e6e6574312830260603550403131f4565626c652e6e657420436572746966696361746520417574686f72697479301e170d3130313132363037333533385a170d3131313132363037333533385a306c310b30090603550406130255
EAP-Message =
0x533111300f0603550408130856697267696e696131123010060355040a13094565626c652e6e6574311730150603550403140e616e6479406565626c652e6e6574311d301b06092a864886f70d010901160e616e6479406565626c652e6e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100b4023777541709e539867d3033954f764c3a207c352dba4ee043642002ed4df123cb5edbe0d7a35cf9c21c88cd4ea537f3f297d9be68cb7bcbc49fdbc6ed94745d1aa057fcf259ad7898a6eb1b123b277e55da4d877972f169d29b922bfedd8dab070dbe905d1437ef1c84e9c7be7fd9736882d153993e36aa498819
EAP-Message =
0x68e526722d720427a9b2cccece64fcae119806c9ae5a925f68c09d0df5fcd9ebc6e20040cb97dac3f44a32ade71f6cfc40f90ac4b64f2585d45fd6901b13b2ae12347460853c30dab72c88c4f0becccd393433e47037ecb61544cb38155bb8ce9f75a9e5a024b5e03139cacb74d47d4af87aa3b9781903b8b6976260c39fc83df288482f0203010001a317301530130603551d25040c300a06082b06010505070302300d06092a864886f70d0101040500038201010049c7d67a933fd63a42cf33f6adb61bdc203bc30007ed3dfa9da446a6c3e78bced49ae68d7fd3611a431e888a9144d196bf30f46ae1be3d673006bbb6e50d3191f6756b38506838
EAP-Message =
0xad445350dfa97ac88297b8f36979dea39a92c4add1e5f6050eb5af41f3c8702b682365719456074d7623c2a0bca5be7c86c65ad538d4e8c615dde70df4967e6ea2acc5e2e76dde0ca0f13c4a34eddc93615cc7eba93b75ea9c23a85f74f1240ee999c08416d080a36246deec5b552046232ad3470f042bbe1774bb386c84aaa3ddcd4dc38acd816de90983e5a44231e77ae4d641ea14d6e822bbf969852387230eef0e02b3f84916b2bd0ba4aa159a4cb7aeb542b8cf3bd8dd0004ae308204aa30820392a00302010202090097852e5140914149300d06092a864886f70d0101050500308194310b30090603550406130255533111300f060355040813
EAP-Message =
0x0856697267696e6961311430120603550407130b43656e74726576696c6c6531123010060355040a13094565626c652e6e6574311e301c06092a864886f70d010901160f61646d696e406565626c652e6e6574312830260603550403131f4565626c652e6e657420436572746966696361746520417574686f72697479301e170d3130313132363037323333305a170d3230313132333037323333305a308194310b30090603550406130255533111300f0603550408130856697267696e6961311430120603550407130b43656e74726576696c6c6531123010060355040a13094565626c652e6e6574311e301c06092a864886f70d010901160f6164
EAP-Message =
0x6d696e406565626c652e6e6574312830260603550403131f4565626c652e6e6574204365727469666963617465
State = 0x9d0db27699eebfbf32cdba76f867f4ab
Message-Authenticator = 0x30fdfb43685b57ab7bddfa43385223e6
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "invaliduser2", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 227 length 253
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
TLS Length 2600
[tls] Received EAP-TLS First Fragment of the message
[tls] eaptls_verify returned 9
[tls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 91 to 192.168.183.110 port 55425
EAP-Message = 0x01e400060d00
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x9d0db27698e9bfbf32cdba76f867f4ab
Finished request 21.
Going to the next request
Waking up in 0.4 seconds.
rad_recv: Access-Request packet from host 192.168.183.110 port 55425,
id=92, length=1479
User-Name = "invaliduser2"
NAS-Identifier = "openwrt"
NAS-Port = 2
Called-Station-Id = "00-18-F8-C1-66-46:testbed"
Calling-Station-Id = "00-1F-3A-49-EC-73"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message =
0x02e4051a0d0020417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a02820101009a8f48c1dab2627525533672059ac65f037f7e96dca2744211718eda8e799239ada3486e9872eb0b811e888df90de8d5fc0837f5a146191528f1d1ff35adbad8a9b8928080363eb64a6ab03942480f48534902136d8c94b34e01d7e331ad215c11b35bb6990bafc17fd261890769bb00533729a6fcc0b5d4d18e08bf54b1d66127996136d9577f12a4513304da016917577afdf64b02cf91d0a39b3c451dce5a920c810b4d23bd34931bb03d156f8d7fe834536b9ae11bd62195b59177db765d9982b232369e5bd89b10f4a0
EAP-Message =
0x031ba2dbff86f672ac101a155d11ae07b904a4f74ffbb86f2524bc227167e41ca889fa9c56735a5665cfa5de0ad81b7ddaa0785d0203010001a381fc3081f9301d0603551d0e04160414a1454d2d4a35b362e6397fe81e7964fa6d2e9a9a3081c90603551d230481c13081be8014a1454d2d4a35b362e6397fe81e7964fa6d2e9a9aa1819aa48197308194310b30090603550406130255533111300f0603550408130856697267696e6961311430120603550407130b43656e74726576696c6c6531123010060355040a13094565626c652e6e6574311e301c06092a864886f70d010901160f61646d696e406565626c652e6e65743128302606035504
EAP-Message =
0x03131f4565626c652e6e657420436572746966696361746520417574686f7269747982090097852e5140914149300c0603551d13040530030101ff300d06092a864886f70d010105050003820101004a090448190a316f43d373decd0d9e53a75d10c17c49043984a6c492f8bf96d303796e7c4e4539c5c3d49ebbe972a9ca204067bbf9886462119bb1ce627ffb6fe9beb21a56dc152facef5040cfcbdd5a55e31c0c9eb904914f2148c7338774e1eb3f21449d3bbf86fe03d78f34a07df485fbff7dc3b305fadf41bfcbc41ec076c5c542b8f858008b3b3be00f858d2737331cf567c738692d8723ac6307cac62801513bf055cd6a9c726953195fbd
EAP-Message =
0x7dbcf9e0a44289e5f1eee447c9ce87570f77a7e8574bc1fff0a2dbf4f85b545d5b6fa0b4c96b5f8db94b42686f9fdc9b7daebd59d83ddbf5dd64e1ac041d4653a4a5175ce9079c27b4a60d4115166c619f3d1603010086100000820080ed1f82c9867a16a46cb828ce67569e8089fa292015add6108605ea65c4b1554f7b03010348b72c9a17540747297560723b4c115a40c201e125d39fe4f751885bef6072ed0712145558e2832085195599ae2f561e1b03ab2e487940ec879517aee794f152e57fc8edc9ba5e1fd9e01d5da21ce38361653a91a238c72c30ea2bf616030101060f000102010097aa1d029159d31e299046a532069c6fa27ad603af
EAP-Message =
0xbbc4a426ab9760c880d3f02266acbe7f1ad4315154f756f2991d5102055a26ec46662645be4d8345ce6b4d205527345e23742c0aa4b1856c022029b1366a047d3bb9a990774c066e955fe8abe2e07f5f1eae43e8b35e1e0bedc5e40ee6171ffaf30a3be80509da4d7d14523bf8f983bd70ceef55db745a4e4921a6e31a40024ce4bb980a91a425b298a8a11bce5927cebf9c42fe4bcfc9135027406153830d17aec39512f7361a69d9678bcd3cc612dd316a21abbc66b20d783c8c06eb0ae7f4bf350f43d12f0a53a8b645a5427685b4124c7a1a0aba8dd080baccf4348c532820142970aaee354abe4aea140301000101160301003032caee1780b846
EAP-Message =
0x4f130f80978d53109065f1989f1e9b08d533c103173afaa6ee21584832f318c702f65213964facd4e4
State = 0x9d0db27698e9bfbf32cdba76f867f4ab
Message-Authenticator = 0x0e8e533bf04c8f47d5f5da946752536b
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "invaliduser2", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 228 length 253
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] eaptls_verify returned 7
[tls] Done initial handshake
[tls] <<< TLS 1.0 Handshake [length 0852], Certificate
[tls] chain-depth=1,
[tls] error=0
[tls] --> User-Name = invaliduser2
[tls] --> BUF-Name = Example.net Certificate Authority
[tls] --> subject =
/C=US/ST=Virginia/L=Centreville/O=Example.net/emailAddress=admin at example.net/CN=Example.net
Certificate Authority
[tls] --> issuer =
/C=US/ST=Virginia/L=Centreville/O=Example.net/emailAddress=admin at example.net/CN=Example.net
Certificate Authority
[tls] --> verify return:1
[tls] chain-depth=0,
[tls] error=0
[tls] --> User-Name = invaliduser2
[tls] --> BUF-Name = andy at example.net
[tls] --> subject =
/C=US/ST=Virginia/O=Example.net/CN=andy at example.net/emailAddress=andy at example.net
[tls] --> issuer =
/C=US/ST=Virginia/L=Centreville/O=Example.net/emailAddress=admin at example.net/CN=Example.net
Certificate Authority
[tls] --> verify return:1
[tls] TLS_accept: SSLv3 read client certificate A
[tls] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
[tls] TLS_accept: SSLv3 read client key exchange A
[tls] <<< TLS 1.0 Handshake [length 0106], CertificateVerify
[tls] TLS_accept: SSLv3 read certificate verify A
[tls] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[tls] <<< TLS 1.0 Handshake [length 0010], Finished
[tls] TLS_accept: SSLv3 read finished A
[tls] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[tls] TLS_accept: SSLv3 write change cipher spec A
[tls] >>> TLS 1.0 Handshake [length 0010], Finished
[tls] TLS_accept: SSLv3 write finished A
[tls] TLS_accept: SSLv3 flush data
[tls] (other): SSL negotiation finished successfully
SSL Connection Established
[tls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 92 to 192.168.183.110 port 55425
EAP-Message =
0x01e500450d800000003b1403010001011603010030be498792743bbd0dd2b9ac5f315cc590c4c89eefa413141655418f169cf411a0165c48f0f9da635b73b2fee915b73da9
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x9d0db2769be8bfbf32cdba76f867f4ab
Finished request 22.
Going to the next request
Waking up in 0.3 seconds.
rad_recv: Access-Request packet from host 192.168.183.110 port 55425,
id=93, length=169
User-Name = "invaliduser2"
NAS-Identifier = "openwrt"
NAS-Port = 2
Called-Station-Id = "00-18-F8-C1-66-46:testbed"
Calling-Station-Id = "00-1F-3A-49-EC-73"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x02e500060d00
State = 0x9d0db2769be8bfbf32cdba76f867f4ab
Message-Authenticator = 0x476057e77b2c0c0518242a8f101cc275
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "invaliduser2", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 229 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] Received TLS ACK
[tls] ACK handshake is finished
[tls] eaptls_verify returned 3
[tls] eaptls_process returned 3
[tls] Adding user data to cached session
[eap] Freeing handler
++[eap] returns ok
# Executing section post-auth from file
/etc/freeradius/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 93 to 192.168.183.110 port 55425
MS-MPPE-Recv-Key =
0xbaf2429720d7a5b7d92ace08ca21d2b623a379f67f25b406a314df47b51da996
MS-MPPE-Send-Key =
0xad7b449fcfdc531ebc0c985bab1d25d8843bd0fba29b646bc7c49b97f31df4d7
EAP-Message = 0x03e50004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "invaliduser2"
Finished request 23.
Going to the next request
Waking up in 0.3 seconds.
Cleaning up request 8 ID 78 with timestamp +1040
Cleaning up request 9 ID 79 with timestamp +1040
Cleaning up request 10 ID 80 with timestamp +1040
Cleaning up request 11 ID 81 with timestamp +1040
Cleaning up request 12 ID 82 with timestamp +1040
Cleaning up request 13 ID 83 with timestamp +1041
Cleaning up request 14 ID 84 with timestamp +1041
Cleaning up request 15 ID 85 with timestamp +1041
Waking up in 4.1 seconds.
Cleaning up request 16 ID 86 with timestamp +1045
Cleaning up request 17 ID 87 with timestamp +1045
Cleaning up request 18 ID 88 with timestamp +1045
Cleaning up request 19 ID 89 with timestamp +1045
Cleaning up request 20 ID 90 with timestamp +1045
Cleaning up request 21 ID 91 with timestamp +1045
Cleaning up request 22 ID 92 with timestamp +1045
Cleaning up request 23 ID 93 with timestamp +1045
Ready to process requests.
More information about the Freeradius-Users
mailing list