mschap MS isa error
Doty, Seth
seth.doty at nebraska.gov
Thu May 12 22:57:05 CEST 2011
I have downloaded and installed the git repo version of what will become
2.1.11 on May 10 because of a proxy bug that is fixed in this version.
In our current testing setup freeradius takes all information from the
realm and passes in to a MS network policy server for authentication
into AD. The authentication portion appears to work and we get an
accept, but we are not getting any of the group information passed from
the freeradius server to the wireless controller. It appears that
freeradius is receiving it, just not passing it along. Mostly we are
looking to see if this is a config error or if its an issue in the dev
code. Radius -X output is below.
FreeRADIUS Version 2.1.11, for host x86_64-unknown-linux-gnu, built on
May 10 2011 at 11:21:52
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf
including files in directory /usr/local/etc/raddb/modules/
including configuration file /usr/local/etc/raddb/modules/expr
including configuration file /usr/local/etc/raddb/modules/wimax
including configuration file /usr/local/etc/raddb/modules/soh
including configuration file /usr/local/etc/raddb/modules/krb5
including configuration file /usr/local/etc/raddb/modules/pam
including configuration file /usr/local/etc/raddb/modules/preprocess
including configuration
file /usr/local/etc/raddb/modules/detail.example.com
including configuration file /usr/local/etc/raddb/modules/cui
including configuration file /usr/local/etc/raddb/modules/exec
including configuration file /usr/local/etc/raddb/modules/realm
including configuration file /usr/local/etc/raddb/modules/echo
including configuration
file /usr/local/etc/raddb/modules/dynamic_clients
including configuration file /usr/local/etc/raddb/modules/detail
including configuration file /usr/local/etc/raddb/modules/radutmp
including configuration file /usr/local/etc/raddb/modules/attr_filter
including configuration file /usr/local/etc/raddb/modules/checkval
including configuration file /usr/local/etc/raddb/modules/attr_rewrite
including configuration file /usr/local/etc/raddb/modules/files
including configuration file /usr/local/etc/raddb/modules/rediswho
including configuration file /usr/local/etc/raddb/modules/digest
including configuration file /usr/local/etc/raddb/modules/mac2vlan
including configuration file /usr/local/etc/raddb/modules/always
including configuration file /usr/local/etc/raddb/modules/sradutmp
including configuration file /usr/local/etc/raddb/modules/passwd
including configuration file /usr/local/etc/raddb/modules/acct_unique
including configuration file /usr/local/etc/raddb/modules/otp
including configuration file /usr/local/etc/raddb/modules/expiration
including configuration file /usr/local/etc/raddb/modules/perl
including configuration file /usr/local/etc/raddb/modules/ippool
including configuration file /usr/local/etc/raddb/modules/chap
including configuration file /usr/local/etc/raddb/modules/policy
including configuration file /usr/local/etc/raddb/modules/redis
including configuration file /usr/local/etc/raddb/modules/unix
including configuration file /usr/local/etc/raddb/modules/smbpasswd
including configuration file /usr/local/etc/raddb/modules/etc_group
including configuration file /usr/local/etc/raddb/modules/sql_log
including configuration file /usr/local/etc/raddb/modules/smsotp
including configuration file /usr/local/etc/raddb/modules/pap
including configuration file /usr/local/etc/raddb/modules/detail.log
including configuration file /usr/local/etc/raddb/modules/mac2ip
including configuration file /usr/local/etc/raddb/modules/ntlm_auth
including configuration
file /usr/local/etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /usr/local/etc/raddb/modules/mschap
including configuration file /usr/local/etc/raddb/modules/opendirectory
including configuration file /usr/local/etc/raddb/modules/linelog
including configuration file /usr/local/etc/raddb/modules/logintime
including configuration file /usr/local/etc/raddb/modules/ldap
including configuration file /usr/local/etc/raddb/modules/inner-eap
including configuration file /usr/local/etc/raddb/modules/counter
including configuration file /usr/local/etc/raddb/eap.conf
including configuration file /usr/local/etc/raddb/policy.conf
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration
file /usr/local/etc/raddb/sites-enabled/inner-tunnel
including configuration file /usr/local/etc/raddb/sites-enabled/default
including configuration
file /usr/local/etc/raddb/sites-enabled/control-socket
main {
allow_core_dumps = no
}
including dictionary file /usr/local/etc/raddb/dictionary
main {
name = "radiusd"
prefix = "/usr/local"
localstatedir = "/usr/local/var"
sbindir = "/usr/local/sbin"
logdir = "/usr/local/var/log/radius"
run_dir = "/usr/local/var/run/radiusd"
libdir = "/usr/local/lib"
radacctdir = "/usr/local/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
checkrad = "/usr/local/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "testing123"
response_window = 20
max_outstanding = 65536
require_message_authenticator = yes
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
realm NULL {
authhost = 10.10.10.10
secret = testing
}
realm nebraska.gov {
nostrip
authhost = 10.10.10.10
secret = testing123
}
realm DEFAULT {
}
realm arr {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "testing123"
nastype = "other"
}
client 10.10.10.11 {
require_message_authenticator = no
secret = "testing"
shortname = "thing-O'doom"
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating module "exec" from
file /usr/local/etc/raddb/modules/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_expr
Module: Instantiating module "expr" from
file /usr/local/etc/raddb/modules/expr
Module: Linked to module rlm_expiration
Module: Instantiating module "expiration" from
file /usr/local/etc/raddb/modules/expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating module "logintime" from
file /usr/local/etc/raddb/modules/logintime
logintime {
reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60
}
}
radiusd: #### Loading Virtual Servers ####
server { # from file /usr/local/etc/raddb/radiusd.conf
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating module "pap" from
file /usr/local/etc/raddb/modules/pap
pap {
encryption_scheme = "auto"
auto_header = no
}
Module: Linked to module rlm_chap
Module: Instantiating module "chap" from
file /usr/local/etc/raddb/modules/chap
Module: Linked to module rlm_mschap
Module: Instantiating module "mschap" from
file /usr/local/etc/raddb/modules/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = no
allow_retry = yes
}
Module: Linked to module rlm_digest
Module: Instantiating module "digest" from
file /usr/local/etc/raddb/modules/digest
Module: Linked to module rlm_unix
Module: Instantiating module "unix" from
file /usr/local/etc/raddb/modules/unix
unix {
radwtmp = "/usr/local/var/log/radius/radwtmp"
}
Module: Linked to module rlm_eap
Module: Instantiating module "eap" from
file /usr/local/etc/raddb/eap.conf
eap {
default_eap_type = "peap"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 4096
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
CA_path = "/usr/local/etc/raddb/certs"
pem_file_type = yes
private_key_file = "/usr/local/etc/raddb/certs/server.pem"
certificate_file = "/usr/local/etc/raddb/certs/server.pem"
CA_file = "/usr/local/etc/raddb/certs/ca.pem"
private_key_password = "whatever"
dh_file = "/usr/local/etc/raddb/certs/dh"
random_file = "/usr/local/etc/raddb/certs/random"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
make_cert_command = "/usr/local/etc/raddb/certs/bootstrap"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
}
}
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
default_eap_type = "md5"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
virtual_server = "inner-tunnel"
include_length = yes
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
proxy_tunneled_request_as_eap = no
virtual_server = "inner-tunnel"
soh = no
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating module "preprocess" from
file /usr/local/etc/raddb/modules/preprocess
preprocess {
huntgroups = "/usr/local/etc/raddb/huntgroups"
hints = "/usr/local/etc/raddb/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
Module: Linked to module rlm_files
Module: Instantiating module "files" from
file /usr/local/etc/raddb/modules/files
files {
usersfile = "/usr/local/etc/raddb/users"
acctusersfile = "/usr/local/etc/raddb/acct_users"
preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"
compat = "no"
}
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating module "acct_unique" from
file /usr/local/etc/raddb/modules/acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address,
NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating module "detail" from
file /usr/local/etc/raddb/modules/detail
detail {
detailfile =
"/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Linked to module rlm_radutmp
Module: Instantiating module "radutmp" from
file /usr/local/etc/raddb/modules/radutmp
radutmp {
filename = "/usr/local/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Linked to module rlm_attr_filter
Module: Instantiating module "attr_filter.accounting_response" from
file /usr/local/etc/raddb/modules/attr_filter
attr_filter attr_filter.accounting_response {
attrsfile = "/usr/local/etc/raddb/attrs.accounting_response"
key = "%{User-Name}"
}
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Instantiating module "attr_filter.access_reject" from
file /usr/local/etc/raddb/modules/attr_filter
attr_filter attr_filter.access_reject {
attrsfile = "/usr/local/etc/raddb/attrs.access_reject"
key = "%{User-Name}"
}
} # modules
} # server
server inner-tunnel { # from
file /usr/local/etc/raddb/sites-enabled/inner-tunnel
modules {
Module: Checking authenticate {...} for more modules to load
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_realm
Module: Instantiating module "suffix" from
file /usr/local/etc/raddb/modules/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Instantiating module "ntdomain" from
file /usr/local/etc/raddb/modules/realm
realm ntdomain {
format = "prefix"
delimiter = "\"
ignore_default = no
ignore_null = no
}
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
} # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
listen {
type = "control"
listen {
socket = "/usr/local/var/run/radiusd/radiusd.sock"
}
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /usr/local/var/run/radiusd/radiusd.sock
Listening on authentication address 127.0.0.1 port 18120 as server
inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 10.10.10.11 port 32800, id=89,
length=177
User-Name = "test.user"
NAS-IP-Address = 10.x.x.x
NAS-Port = 0
NAS-Identifier = "10.x.x.x"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "00259C9BE72C"
Called-Station-Id = "000B8661628C"
Service-Type = Login-User
Framed-MTU = 1100
EAP-Message = 0x02010011017061747269636b2e7365696d
Aruba-Essid-Name = "NEW_TEST"
Aruba-Location-Id = "test-ap-41"
Message-Authenticator = 0xdf151b9dba8cb89031a97a35c3a5525c
# Executing section authorize from
file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[eap] EAP packet type response id 1 length 17
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 89 to 10.10.10.11 port 32800
EAP-Message = 0x010200061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x2052e9672050f0faff17be72cc36539c
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.10.10.11 port 32800, id=90,
length=283
User-Name = "test.user"
NAS-IP-Address = 10.x.x.x
NAS-Port = 0
NAS-Identifier = "10.x.x.x"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "00259C9BE72C"
Called-Station-Id = "000B8661628C"
Service-Type = Login-User
Framed-MTU = 1100
EAP-Message =
0x0202006919800000005f160301005a0100005603014dcc447a9e26be32ebd0fd1adefa8a85c46f008e37baba3c6b718a4284c34a2a000018002f00350005000ac013c014c009c00a003200380013000401000015ff01000100000a0006000400170018000b00020100
State = 0x2052e9672050f0faff17be72cc36539c
Aruba-Essid-Name = "NEW_TEST"
Aruba-Location-Id = "test-ap-41"
Message-Authenticator = 0xdf99df74968c610596c6a85a61b0c202
# Executing section authorize from
file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[eap] EAP packet type response id 2 length 105
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 95
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 005a], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 0031], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 085e], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client
certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 90 to 10.10.10.11 port 32800
EAP-Message =
0x0103040019c0000008a216030100310200002d03014dcc447aed5b1ef6435cfa44f73ea8176fe5e02354695520efb84af0f7118f9200002f000005ff01000100160301085e0b00085a0008570003a6308203a23082028aa003020102020101300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c65204365727469666963617465204175
EAP-Message =
0x74686f72697479301e170d3131303531303230343335375a170d3132303530393230343335375a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100d463b1aafef2a119e70a826b4a8b44328f135e311cb352000474ddf2a0c06b8a557427d07bf4603327a5b7944c0a419954899a9ff61600
EAP-Message =
0xd0ab2fe76f57ac5f299c664a9442de69a2b9f0ebc93e2887c6abf2ed0c2f1093c798b395409eeb975c8a56b49b43263c7bfae4c2bb7d73d1948c4ceafa88e49cab2cbb270aafd43caf7221d2079ba09d04855d112f09a21a253aa2c0448149a3ae4f3b9cca77ba6237da9e4e26f7b9b957dcc80660f0a512208ff3f3b0045cdcf4f085a497bc055e4241c5d1302ca31ebb75ba82834ae7671165d9197eda04d8b2e81d0f5adcd6512b4141de5c18227ee1d1a1d623ae8154b281353291de93f8f67402d4999e123b630203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d0101040500038201010007f9
EAP-Message =
0x7a008acba7d5f022e4d938e6f179a7e944ea895df2feec90ff23d4e16a7787d203b7bcf6918e33b9304e1a0b1e539b63421208551bfd03fbdbe64d982b6cf02c6d938314635463e4c9dbb8d09f5499012252c73ac28b8d0c6786676cca6f3a449ebcd61df1d209c6e9faa239ce044c5b7d53457ff90e82e2aedfe41ea5cadbf64ab401e81af4ba2144463e2c22868ec57705bd91e0fa9fb2fcedde7d19ac8f01ff57a5a79371c180e2eb00edbddf56f5b080596d2bbd34a8cb82abfde208e4b4d553ba51ca7df91aa4616b599f646c3700422d49d5fd3b24f9f44c7b183a5f4ca9d4135f361558c6443432cdf339f4196aa914561fa30fe3656afe7bc7
EAP-Message = 0x380004ab308204a73082038f
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x2052e9672151f0faff17be72cc36539c
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.10.10.11 port 32800, id=91,
length=184
User-Name = "test.user"
NAS-IP-Address = 10.x.x.x
NAS-Port = 0
NAS-Identifier = "10.x.x.x"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "00259C9BE72C"
Called-Station-Id = "000B8661628C"
Service-Type = Login-User
Framed-MTU = 1100
EAP-Message = 0x020300061900
State = 0x2052e9672151f0faff17be72cc36539c
Aruba-Essid-Name = "NEW_TEST"
Aruba-Location-Id = "test-ap-41"
Message-Authenticator = 0xc02c4b0944964e409f405fd7adbdc17a
# Executing section authorize from
file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[eap] EAP packet type response id 3 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 91 to 10.10.10.11 port 32800
EAP-Message =
0x010403fc1940a003020102020900a8f05f0b37f93f58300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3131303531303230343335375a170d3132303530393230343335375a308193310b3009060355040613024652310f300d0603550408130652616469757331
EAP-Message =
0x12301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100b68445dca1c915e8ee350b1680723b61055f7e21d6975a9905cd66bc1ab98a983b622422fa69571c0a6feaffb2cfa74c040320bec0ea86b517fd11bf3cbc1a28fe420f148ac5a051c1dbd1d1c21b1db60bba211deb85f7ab0449301b37546cded5189bcf497e00e5
EAP-Message =
0x243141a921d87edb371a073ba3af94ae54a39e90ae5f7ac42b14fb794383f9510831b86464f863850a5a8d530ddc52496dc14e51524ae7c44ef073b5f09e2285c062798db69e32f9a3295861812c0e46f5ac6ff135ce61dccf96ad904173305f94053cd82ca8ff1908a7442f7387b342a09394c3bca38409bf91f3e771aaaecb639e4a3b6d9d8c81c94bd4b2e840f88c76676d39620f523f0203010001a381fb3081f8301d0603551d0e04160414975c6511ef5df417b44b06856738d58a76d48d343081c80603551d230481c03081bd8014975c6511ef5df417b44b06856738d58a76d48d34a18199a48196308193310b300906035504061302465231
EAP-Message =
0x0f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479820900a8f05f0b37f93f58300c0603551d13040530030101ff300d06092a864886f70d0101050500038201010055114aa1808b6dbd7413008cd7c16a549f8814117fd7bf0d414aecc301ed51d2d15a7f9f5579980bf90ed6d9c05c6507cdef893b5aab4bf9448a52f5e83207046fa085c55c33211d0ff476
EAP-Message = 0x625424b11b2973c2
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x2052e9672256f0faff17be72cc36539c
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.10.10.11 port 32800, id=92,
length=184
User-Name = "test.user"
NAS-IP-Address = 10.x.x.x
NAS-Port = 0
NAS-Identifier = "10.x.x.x"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "00259C9BE72C"
Called-Station-Id = "000B8661628C"
Service-Type = Login-User
Framed-MTU = 1100
EAP-Message = 0x020400061900
State = 0x2052e9672256f0faff17be72cc36539c
Aruba-Essid-Name = "NEW_TEST"
Aruba-Location-Id = "test-ap-41"
Message-Authenticator = 0xbce793c7192ddc319b9a79c0dbbd41a5
# Executing section authorize from
file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[eap] EAP packet type response id 4 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 92 to 10.10.10.11 port 32800
EAP-Message =
0x010500bc190097aea26a1dd042d90f3c02c05e438e6e316279e061ad1dea2285c4b5587e88f045afa44cd2fe0c97337d208e2b728b4f0de04540495e4fbb19cfde5e258f9a54256fc6118758a8efafd62b4455d2bd95c1efe2cbd1e7d79eeed1402d04d66ebbf3aa1e48183ae284c4e849fd64db81281a912ea446537710c4318c1bf96b18c269fb16098655227700a2d2c92e735b5eeae8dcbdafb0da219751d868a85a2b27922790ca348a64f9a84b08af4d16030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x2052e9672357f0faff17be72cc36539c
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.10.10.11 port 32800, id=93,
length=516
User-Name = "test.user"
NAS-IP-Address = 10.x.x.x
NAS-Port = 0
NAS-Identifier = "10.x.x.x"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "00259C9BE72C"
Called-Station-Id = "000B8661628C"
Service-Type = Login-User
Framed-MTU = 1100
EAP-Message =
0x020501501980000001461603010106100001020100640c21effedba2f24a2251cbf569b4f20f683ad5c343a5bf19be310a54c5e252969f848e315136144e168bf9ea1e86fe29ce5c5044e4e5d072677b81a3fbe18984011cda1884f46264052867704a6ec3ef8e0485e72e0138a8a70eb74a9cb33b78bc9c9d36e5bdcdb935c273fd8352b4410870426f0b0608ac8763794cf77d91b6b57fda14f207771250ad5d3cc0ddc3a0b75716b030535a726f5b17df426782b6b3251b95f1beb98dd4b28cc8ac4ee65cd4aeb4dbb7dfc9f62f3a1b3e2c5302c6bc652518da877ecad73ff5edfae516e1acc189407ecbdc71678382484887de9c3a5d93e795f4c7
EAP-Message =
0xa2011e44ad7c45d7bc053a48344fefbbf5a6a910b1f53e111403010001011603010030343cf27cd25659485fa80be7a33226410f80e950184826afa4244eca7e4a7a11a901f1fd3f5647f54f27af3496071065
State = 0x2052e9672357f0faff17be72cc36539c
Aruba-Essid-Name = "NEW_TEST"
Aruba-Location-Id = "test-ap-41"
Message-Authenticator = 0xd7cb67bd36cf87c50b4eaddc02d14e18
# Executing section authorize from
file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[eap] EAP packet type response id 5 length 253
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 326
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange
[peap] TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap] TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 write finished A
[peap] TLS_accept: SSLv3 flush data
[peap] (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 93 to 10.10.10.11 port 32800
EAP-Message =
0x010600411900140301000101160301003066a73876a01fa3964df69d40f877ff5f284b71a339b38b6022dc323996127d976155e63deec1b57cae6f764ac0307be3
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x2052e9672454f0faff17be72cc36539c
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.10.10.11 port 32800, id=94,
length=184
User-Name = "test.user"
NAS-IP-Address = 10.x.x.x
NAS-Port = 0
NAS-Identifier = "10.x.x.x"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "00259C9BE72C"
Called-Station-Id = "000B8661628C"
Service-Type = Login-User
Framed-MTU = 1100
EAP-Message = 0x020600061900
State = 0x2052e9672454f0faff17be72cc36539c
Aruba-Essid-Name = "NEW_TEST"
Aruba-Location-Id = "test-ap-41"
Message-Authenticator = 0x50a8c2ff0b03d4e3ef93dfdd854aa205
# Executing section authorize from
file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[eap] EAP packet type response id 6 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state TUNNEL ESTABLISHED
++[eap] returns handled
Sending Access-Challenge of id 94 to 10.10.10.11 port 32800
EAP-Message =
0x0107002b19001703010020d1bc9f15904697a8f3a5e0c0f6e37bde3b6f406889de52ba92d8f14e3eeb2f7f
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x2052e9672555f0faff17be72cc36539c
Finished request 5.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.10.10.11 port 32800, id=95,
length=237
User-Name = "test.user"
NAS-IP-Address = 10.x.x.x
NAS-Port = 0
NAS-Identifier = "10.x.x.x"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "00259C9BE72C"
Called-Station-Id = "000B8661628C"
Service-Type = Login-User
Framed-MTU = 1100
EAP-Message =
0x0207003b19001703010030aa3b4cd58b3962aeae0c612785a20fd2a9ff0823ea6640e47befdaabedab43ab648046ba0a365957694ab46520928d8a
State = 0x2052e9672555f0faff17be72cc36539c
Aruba-Essid-Name = "NEW_TEST"
Aruba-Location-Id = "test-ap-41"
Message-Authenticator = 0x89794a3abd2819405279c72d48e91da8
# Executing section authorize from
file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[eap] EAP packet type response id 7 length 59
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state WAITING FOR INNER IDENTITY
[peap] Identity - test.user
[peap] Got inner identity 'test.user'
[peap] Setting default EAP type for tunneled EAP session.
[peap] Got tunneled request
EAP-Message = 0x02070011017061747269636b2e7365696d
server {
[peap] Setting User-Name to test.user
Sending tunneled request
EAP-Message = 0x02070011017061747269636b2e7365696d
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "test.user"
NAS-IP-Address = 10.x.x.x
NAS-Port = 0
NAS-Identifier = "10.x.x.x"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "00259C9BE72C"
Called-Station-Id = "000B8661628C"
Service-Type = Login-User
Framed-MTU = 1100
Aruba-Essid-Name = "NEW_TEST"
Aruba-Location-Id = "test-ap-41"
server inner-tunnel {
# Executing section authorize from
file /usr/local/etc/raddb/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "test.user", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "test.user"
[suffix] Adding Realm = "NULL"
[suffix] Proxying request from user test.user to realm NULL
[suffix] Preparing to proxy authentication request to realm "NULL"
++[suffix] returns updated
[ntdomain] Request already proxied. Ignoring.
++[ntdomain] returns ok
[eap] Request is supposed to be proxied to Realm NULL. Not doing EAP.
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
} # server inner-tunnel
[peap] Got tunneled reply code 0
PEAP: Calling authenticate in order to initiate tunneled EAP session.
# Executing group from
file /usr/local/etc/raddb/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
PEAP: Cancelling proxy to realm NULL until the tunneled EAP session
has been established
[peap] Got tunneled reply RADIUS code 11
EAP-Message =
0x010800261a0108002110148b6ec01694003ba739d7c1317734327061747269636b2e7365696d
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x77077cec770f66abbb823e592cf0990c
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 95 to 10.10.10.11 port 32800
EAP-Message =
0x0108004b19001703010040a08cd426955c25ad3a51bf209509b2a4bc4fe6c10b3c3493c06eca2839d1bce711f02900d477d0136fb673ddaafee249939c0e18e27849555a40e5368bae0c89
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x2052e967265af0faff17be72cc36539c
Finished request 6.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.10.10.11 port 32800, id=96,
length=285
User-Name = "test.user"
NAS-IP-Address = 10.x.x.x
NAS-Port = 0
NAS-Identifier = "10.x.x.x"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "00259C9BE72C"
Called-Station-Id = "000B8661628C"
Service-Type = Login-User
Framed-MTU = 1100
EAP-Message =
0x0208006b19001703010060df0be2d261566e3ba81ad2ff49841b97963f9a8b38bb45ee22028938767a57c113d36230a7276fccc49641fa2ff660afeea870007f4a26ddb2b82081e8b95981ab8590b82c309facf3f4269b7724c2fac2057882cb750d47112722f0d9d9dc92
State = 0x2052e967265af0faff17be72cc36539c
Aruba-Essid-Name = "NEW_TEST"
Aruba-Location-Id = "test-ap-41"
Message-Authenticator = 0xc7d4fc6f0e62c2922a7ef9eb414b3ab7
# Executing section authorize from
file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[eap] EAP packet type response id 8 length 107
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
EAP-Message =
0x020800471a02080042317d0e90f4aa65b4bd430e9f694541779000000000000000007eb68ee463835b22f336f9e73e379b8308bba82e828efc91007061747269636b2e7365696d
server {
[peap] Setting User-Name to test.user
Sending tunneled request
EAP-Message =
0x020800471a02080042317d0e90f4aa65b4bd430e9f694541779000000000000000007eb68ee463835b22f336f9e73e379b8308bba82e828efc91007061747269636b2e7365696d
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "test.user"
State = 0x77077cec770f66abbb823e592cf0990c
NAS-IP-Address = 10.x.x.x
NAS-Port = 0
NAS-Identifier = "10.x.x.x"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "00259C9BE72C"
Called-Station-Id = "000B8661628C"
Service-Type = Login-User
Framed-MTU = 1100
Aruba-Essid-Name = "NEW_TEST"
Aruba-Location-Id = "test-ap-41"
server inner-tunnel {
# Executing section authorize from
file /usr/local/etc/raddb/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "test.user", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "test.user"
[suffix] Adding Realm = "NULL"
[suffix] Proxying request from user test.user to realm NULL
[suffix] Preparing to proxy authentication request to realm "NULL"
++[suffix] returns updated
[ntdomain] Request already proxied. Ignoring.
++[ntdomain] returns ok
[eap] Request is supposed to be proxied to Realm NULL. Not doing EAP.
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
} # server inner-tunnel
[peap] Got tunneled reply code 0
PEAP: Calling authenticate in order to initiate tunneled EAP session.
# Executing group from
file /usr/local/etc/raddb/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[eap] Not-EAP proxy set. Not composing EAP
++[eap] returns handled
PEAP: Tunneled authentication will be proxied to NULL
PEAP: Remembering to do EAP-MS-CHAP-V2 post-proxy.
[eap] Tunneled session will be proxied. Not doing EAP.
++[eap] returns handled
WARNING: Empty pre-proxy section. Using default return values.
Sending Access-Request of id 4 to 10.10.10.10 port 1812
User-Name = "test.user"
NAS-IP-Address = 10.x.x.x
NAS-Port = 0
NAS-Identifier = "10.x.x.x"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "00259C9BE72C"
Called-Station-Id = "000B8661628C"
Service-Type = Login-User
Framed-MTU = 1100
Aruba-Essid-Name = "NEW_TEST"
Aruba-Location-Id = "test-ap-41"
MS-CHAP-Challenge = 0x148b6ec01694003ba739d7c131773432
MS-CHAP2-Response =
0x08617d0e90f4aa65b4bd430e9f694541779000000000000000007eb68ee463835b22f336f9e73e379b8308bba82e828efc91
Proxy-State = 0x3936
Proxying request 7 to home server 10.10.10.10 port 1812
Sending Access-Request of id 4 to 10.10.10.10 port 1812
User-Name = "test.user"
NAS-IP-Address = 10.x.x.x
NAS-Port = 0
NAS-Identifier = "10.x.x.x"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "00259C9BE72C"
Called-Station-Id = "000B8661628C"
Service-Type = Login-User
Framed-MTU = 1100
Aruba-Essid-Name = "NEW_TEST"
Aruba-Location-Id = "test-ap-41"
MS-CHAP-Challenge = 0x148b6ec01694003ba739d7c131773432
MS-CHAP2-Response =
0x08617d0e90f4aa65b4bd430e9f694541779000000000000000007eb68ee463835b22f336f9e73e379b8308bba82e828efc91
Proxy-State = 0x3936
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Accept packet from host 10.10.10.10 port 1812, id=4,
length=291
Proxy-State = 0x3936
Aruba-User-Role = "network-fools"
Filter-Id = "networking"
Tunnel-Private-Group-Id:0 = "default"
Class =
0x4e8a062e00000137000117000000000000000000000000000000000101cbfeebf8e6a00c0000000000007429
MS-MPPE-Recv-Key = 0x7f1107c20babf24559df0d663ee39985
MS-MPPE-Send-Key = 0x90d1203360319de86b213aad9476d06f
MS-CHAP2-Success =
0x08533d45364132353930413732433133373630394336383638373838453639443543324637393244444632
MS-CHAP-Domain = "\010STN"
MS-Link-Utilization-Threshold = 50
MS-Link-Drop-Time-Limit = 120
# Executing section post-proxy from
file /usr/local/etc/raddb/sites-enabled/default
+- entering group post-proxy {...}
[eap] Doing post-proxy callback
[eap] Passing reply from proxy back into the tunnel.
server inner-tunnel {
[eap] Passing reply back for EAP-MS-CHAP-V2
# Executing section post-proxy from
file /usr/local/etc/raddb/sites-enabled/inner-tunnel
+- entering group post-proxy {...}
[eap] Doing post-proxy callback
rlm_eap_mschapv2: Passing reply from proxy back into the tunnel
0x997890 2.
rlm_eap_mschapv2: Authentication succeeded.
MSCHAP Success
++[eap] returns ok
# Executing section post-auth from
file /usr/local/etc/raddb/sites-enabled/inner-tunnel
+- entering group post-auth {...}
expand: %{request:Filter-Id} ->
++[outer.reply] returns noop
} # server inner-tunnel
[eap] Final reply from tunneled session code 11
Proxy-State = 0x3936
Aruba-User-Role = "network-fools"
Filter-Id = "networking"
Tunnel-Private-Group-Id:0 = "default"
Class =
0x4e8a062e00000137000117000000000000000000000000000000000101cbfeebf8e6a00c0000000000007429
MS-CHAP-Domain = "\010STN"
MS-Link-Utilization-Threshold = 50
MS-Link-Drop-Time-Limit = 120
EAP-Message =
0x010900331a0308002e533d45364132353930413732433133373630394336383638373838453639443543324637393244444632
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x77077cec760e66abbb823e592cf0990c
[eap] Got reply 11
[eap] Got tunneled reply RADIUS code 11
Proxy-State = 0x3936
Aruba-User-Role = "network-fools"
Filter-Id = "networking"
Tunnel-Private-Group-Id:0 = "default"
Class =
0x4e8a062e00000137000117000000000000000000000000000000000101cbfeebf8e6a00c0000000000007429
MS-CHAP-Domain = "\010STN"
MS-Link-Utilization-Threshold = 50
MS-Link-Drop-Time-Limit = 120
EAP-Message =
0x010900331a0308002e533d45364132353930413732433133373630394336383638373838453639443543324637393244444632
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x77077cec760e66abbb823e592cf0990c
[eap] Got tunneled Access-Challenge
[eap] Saving tunneled attributes for later
[eap] Reply was handled
++[eap] returns ok
Sending Access-Challenge of id 96 to 10.10.10.11 port 32800
Filter-Id = ""
EAP-Message =
0x0109005b190017030100509d9a4aa35ec2cb40ae533f0d7be59fdcc8a6b2cc3fccfa3b6dcaa6ca24dae27f958a0332f39cd817a23f92da039626f59dfca32c43bb8cd8827aefdc43c3c7cbf30a749995ee3169b7392387d5d0b7a5
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x2052e967275bf0faff17be72cc36539c
Finished request 7.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.10.10.11 port 32800, id=97,
length=221
User-Name = "test.user"
NAS-IP-Address = 10.x.x.x
NAS-Port = 0
NAS-Identifier = "10.x.x.x"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "00259C9BE72C"
Called-Station-Id = "000B8661628C"
Service-Type = Login-User
Framed-MTU = 1100
EAP-Message =
0x0209002b19001703010020bff5e4f0a093f4fbba3dac4511f756c7c5c7d74ed1886fb99d704dd69b6ad7f3
State = 0x2052e967275bf0faff17be72cc36539c
Aruba-Essid-Name = "NEW_TEST"
Aruba-Location-Id = "test-ap-41"
Message-Authenticator = 0x66847103a90432b93ab24808d8ec7a71
# Executing section authorize from
file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[eap] EAP packet type response id 9 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
EAP-Message = 0x020900061a03
server {
[peap] Setting User-Name to test.user
Sending tunneled request
EAP-Message = 0x020900061a03
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "test.user"
State = 0x77077cec760e66abbb823e592cf0990c
NAS-IP-Address = 10.x.x.x
NAS-Port = 0
NAS-Identifier = "10.x.x.x"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "00259C9BE72C"
Called-Station-Id = "000B8661628C"
Service-Type = Login-User
Framed-MTU = 1100
Aruba-Essid-Name = "NEW_TEST"
Aruba-Location-Id = "test-ap-41"
server inner-tunnel {
# Executing section authorize from
file /usr/local/etc/raddb/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "test.user", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "test.user"
[suffix] Adding Realm = "NULL"
[suffix] Proxying request from user test.user to realm NULL
[suffix] Preparing to proxy authentication request to realm "NULL"
++[suffix] returns updated
[ntdomain] Request already proxied. Ignoring.
++[ntdomain] returns ok
[eap] Request is supposed to be proxied to Realm NULL. Not doing EAP.
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
} # server inner-tunnel
[peap] Got tunneled reply code 0
PEAP: Calling authenticate in order to initiate tunneled EAP session.
# Executing group from
file /usr/local/etc/raddb/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[eap] Freeing handler
++[eap] returns ok
[peap] Got tunneled reply RADIUS code 2
MS-MPPE-Send-Key = 0x90d1203360319de86b213aad9476d06f
MS-MPPE-Recv-Key = 0x7f1107c20babf24559df0d663ee39985
EAP-Message = 0x03090004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "test.user"
[peap] Tunneled authentication was successful.
[peap] SUCCESS
[peap] Saving tunneled attributes for later
++[eap] returns handled
Sending Access-Challenge of id 97 to 10.10.10.11 port 32800
EAP-Message =
0x010a002b19001703010020536577cc3da7e7a391006e8c1445b85700ae00a3425cf630c608144333ced9f9
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x2052e9672858f0faff17be72cc36539c
Finished request 8.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.10.10.11 port 32800, id=98,
length=221
User-Name = "test.user"
NAS-IP-Address = 10.x.x.x
NAS-Port = 0
NAS-Identifier = "10.x.x.x"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "00259C9BE72C"
Called-Station-Id = "000B8661628C"
Service-Type = Login-User
Framed-MTU = 1100
EAP-Message =
0x020a002b19001703010020d6214a534ba200598e450e90712affef897efd7f3ea95fb6fdaa1d9f200c9ce4
State = 0x2052e9672858f0faff17be72cc36539c
Aruba-Essid-Name = "NEW_TEST"
Aruba-Location-Id = "test-ap-41"
Message-Authenticator = 0xe89f9162ef2fa954e6dc4c038eaed024
# Executing section authorize from
file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[eap] EAP packet type response id 10 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state send tlv success
[peap] Received EAP-TLV response.
[peap] Success
[peap] Using saved attributes from the original Access-Accept
User-Name = "test.user"
[eap] Freeing handler
++[eap] returns ok
# Executing section post-auth from
file /usr/local/etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 98 to 10.10.10.11 port 32800
User-Name = "test.user"
MS-MPPE-Recv-Key =
0x0a169a0bf16593123bc68ed03a6b1b826dc04cfba9dd8cc725d51800710f23a1
MS-MPPE-Send-Key =
0x82ef22906ad494b5b2c2a0f65f1a4ebba82918e8b6ae4a8c4c10b43c4711e63f
EAP-Message = 0x030a0004
Message-Authenticator = 0x00000000000000000000000000000000
Finished request 9.
Going to the next request
Waking up in 4.8 seconds.
Cleaning up request 0 ID 89 with timestamp +35
Cleaning up request 1 ID 90 with timestamp +35
Cleaning up request 2 ID 91 with timestamp +35
Cleaning up request 3 ID 92 with timestamp +35
Cleaning up request 4 ID 93 with timestamp +35
Cleaning up request 5 ID 94 with timestamp +35
Cleaning up request 6 ID 95 with timestamp +35
Cleaning up request 7 ID 96 with timestamp +35
Cleaning up request 8 ID 97 with timestamp +35
Cleaning up request 9 ID 98 with timestamp +35
Ready to process requests.
More information about the Freeradius-Users
mailing list