OpenDirectory VLAN Assignment by Group

Theparanoidone Theparanoidone theparanoidone at yahoo.com
Tue Aug 21 08:08:02 CEST 2012


Hi Alan~

We have tried to copy all configuration settings from the old server to the new (so that nothing would change). We have no desire to change any of our configurations because they previously were working.

>>   What happened?  What changed?  You've been careful to avoid saying that.

I suspect the biggest change is the default executable of freeradius that is currently shipping with Mountain Lion server (as opposed to Snow Leopard). (I'm guessing this version may have some Apple quirks to it???)
radiusd -v
radiusd: FreeRADIUS Version 2.1.12, for host i386-apple-darwin12.0, built on Jun 20 2012 at 16:50:26


So again... we've tried to keep all configuration files the same... if /etc/raddb/users has the following ending entry... it does not appear to tag the VLAN anymore:

DEFAULT Group-Name == "testgroup"
        Tunnel-Type = 13,
        Tunnel-Medium-Type = 6,
        Tunnel-Private-Group-Id = "101",
        Fall-Through = no

However... if we try and set a VLAN based upon a specific user (and not a group) ... then this works:

DEFAULT User-Name == "testuser"
        Tunnel-Type = 13,
        Tunnel-Medium-Type = 6,
        Tunnel-Private-Group-Id = "101",
        Fall-Through = no



The following is radiusd -X showing what happens when we match upon User-Name (which does work):
-----------------------------------------------------------------
rad_recv: Access-Request packet from host 10.0.11.3 port 54613, id=124, length=163
User-Name = "testuser"
NAS-Port = 89
EAP-Message = 0x0200000d016c64656c61697265
Message-Authenticator = 0x80af8ac7a4c209107135c20240cb9ae8
Acct-Session-Id = "8O2.1x811200d0000c3d6d"
NAS-Port-Id = "ge-0/0/19.0"
Calling-Station-Id = "c4-2c-03-04-f1-04"
Called-Station-Id = "2c-6b-f5-35-d4-c0"
NAS-IP-Address = 10.0.11.3
NAS-Identifier = "hqsw1"
NAS-Port-Type = Ethernet
# Executing section authorize from file /private/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "testuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 0 length 13
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry DEFAULT at line 212
++[files] returns ok
[opendirectory] The SACL group "com.apple.access_radius" does not exist on this system.
[opendirectory] The host 10.0.11.3 does not have an access group.
[opendirectory] User testuser exists in OD
[opendirectory] no access control groups, all OD users allowed.
++[opendirectory] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /private/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 124 to 10.0.11.3 port 54613
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "101"
EAP-Message = 0x010100061520
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x4515d63c4514c3febcac6df877a3ee06
Finished request 24.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.11.3 port 54613, id=128, length=296
User-Name = "testuser"
NAS-Port = 89
State = 0x4515d63c4514c3febcac6df877a3ee06
EAP-Message = 0x0201008015800000007616030100710100006d0301503321b0c4ea4cb804bf45bb9a47d475f21fd47aed7a8a7aef6b111e23f34d0c00003200ffc00ac009c007c008c014c013c011c012c004c005c002c003c00ec00fc00cc00d002f000500040035000a00330039001601000012000a00080006001700180019000b00020100
Message-Authenticator = 0x5f7a0f13781541869077259423a93b89
Acct-Session-Id = "8O2.1x811200d0000c3d6d"
NAS-Port-Id = "ge-0/0/19.0"
Calling-Station-Id = "c4-2c-03-04-f1-04"
Called-Station-Id = "2c-6b-f5-35-d4-c0"
NAS-IP-Address = 10.0.11.3
NAS-Identifier = "hqsw1"
NAS-Port-Type = Ethernet
# Executing section authorize from file /private/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "testuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 128
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /private/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
  TLS Length 118
[ttls] Length Included
[ttls] eaptls_verify returned 11 
[ttls]     (other): before/accept initialization
[ttls]     TLS_accept: before/accept initialization
[ttls] <<< TLS 1.0 Handshake [length 0071], ClientHello  
[ttls]     TLS_accept: SSLv3 read client hello A
[ttls] >>> TLS 1.0 Handshake [length 0031], ServerHello  
[ttls]     TLS_accept: SSLv3 write server hello A
[ttls] >>> TLS 1.0 Handshake [length 1270], Certificate  
[ttls]     TLS_accept: SSLv3 write certificate A
[ttls] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone  
[ttls]     TLS_accept: SSLv3 write server done A
[ttls]     TLS_accept: SSLv3 flush data
[ttls]     TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase 
In SSL Accept mode  
[ttls] eaptls_process returned 13 
++[eap] returns handled
Sending Access-Challenge of id 128 to 10.0.11.3 port 54613
EAP-Message = 0x0102040015c0000012b416030100310200002d0301503321b0e022d14256714ddfbdf03d00aa348771404e7ccee59ff052385d79ed00002f000005ff0100010016030112700b00126c0012690005913082058d30820475a003020102020727bccde2fa9543300d06092a864886f70d01010505003081ca310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c65311a3018060355040a1311476f44616464792e636f6d2c20496e632e31333031060355040b132a687474703a2f2f6365727469666963617465732e676f64616464792e636f6d2f7265706f7369746f727931
EAP-Message = 0x30302e06035504031327476f204461646479205365637572652043657274696669636174696f6e20417574686f726974793111300f060355040513083037393639323837301e170d3130303932393138313630315a170d3135303932393138313630315a306d31233021060355040a131a6f7065726174696f6e732e7061796a756e6374696f6e2e636f6d3121301f060355040b1318446f6d61696e20436f6e74726f6c2056616c696461746564312330210603550403131a6f7065726174696f6e732e7061796a756e6374696f6e2e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100b3676ce4923f6ecc6d
EAP-Message = 0x2e636f6d2f304a06082b0601
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x4515d63c4417c3febcac6df877a3ee06
Finished request 25.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.11.3 port 54613, id=173, length=174
User-Name = "testuser"
NAS-Port = 89
State = 0x4515d63c4417c3febcac6df877a3ee06
EAP-Message = 0x020200061500
Message-Authenticator = 0x808bddd846dc791f01b4efe0361233b2
Acct-Session-Id = "8O2.1x811200d0000c3d6d"
NAS-Port-Id = "ge-0/0/19.0"
Calling-Station-Id = "c4-2c-03-04-f1-04"
Called-Station-Id = "2c-6b-f5-35-d4-c0"
NAS-IP-Address = 10.0.11.3
NAS-Identifier = "hqsw1"
NAS-Port-Type = Ethernet
# Executing section authorize from file /private/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "testuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /private/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] Received TLS ACK
[ttls] ACK handshake fragment handler
[ttls] eaptls_verify returned 1 
[ttls] eaptls_process returned 13 
++[eap] returns handled
Sending Access-Challenge of id 173 to 10.0.11.3 port 54613
EAP-Message = 0x02020301300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3036313131363031353433375a170d3236313131363031353433375a3081ca310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c65311a3018060355040a1311476f44616464792e636f6d2c20496e632e31333031060355040b132a687474703a2f2f
EAP-Message = 0x2c66ea1a6bbbe51a514a002f
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x4515d63c4716c3febcac6df877a3ee06
Finished request 26.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.11.3 port 54613, id=10, length=174
User-Name = "testuser"
NAS-Port = 89
State = 0x4515d63c4716c3febcac6df877a3ee06
EAP-Message = 0x020300061500
Message-Authenticator = 0x1f0b7f0fe9de1fdb006f22ab2f812f9f
Acct-Session-Id = "8O2.1x811200d0000c3d6d"
NAS-Port-Id = "ge-0/0/19.0"
Calling-Station-Id = "c4-2c-03-04-f1-04"
Called-Station-Id = "2c-6b-f5-35-d4-c0"
NAS-IP-Address = 10.0.11.3
NAS-Identifier = "hqsw1"
NAS-Port-Type = Ethernet
# Executing section authorize from file /private/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "testuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /private/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] Received TLS ACK
[ttls] ACK handshake fragment handler
[ttls] eaptls_verify returned 1 
[ttls] eaptls_process returned 13 
++[eap] returns handled
Sending Access-Challenge of id 10 to 10.0.11.3 port 54613
EAP-Message = 0x54686520476f204461646479
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x4515d63c4611c3febcac6df877a3ee06
Finished request 27.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.11.3 port 54613, id=190, length=174
User-Name = "testuser"
NAS-Port = 89
State = 0x4515d63c4611c3febcac6df877a3ee06
EAP-Message = 0x020400061500
Message-Authenticator = 0x86c163d59b3a0e56734fd96efcb1c6a4
Acct-Session-Id = "8O2.1x811200d0000c3d6d"
NAS-Port-Id = "ge-0/0/19.0"
Calling-Station-Id = "c4-2c-03-04-f1-04"
Called-Station-Id = "2c-6b-f5-35-d4-c0"
NAS-IP-Address = 10.0.11.3
NAS-Identifier = "hqsw1"
NAS-Port-Type = Ethernet
# Executing section authorize from file /private/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "testuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 4 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /private/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] Received TLS ACK
[ttls] ACK handshake fragment handler
[ttls] eaptls_verify returned 1 
[ttls] eaptls_process returned 13 
++[eap] returns handled
Sending Access-Challenge of id 190 to 10.0.11.3 port 54613
EAP-Message = 0x0d06092a864886f70d010105
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x4515d63c4110c3febcac6df877a3ee06
Finished request 28.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.0.11.3 port 54613, id=82, length=174
User-Name = "testuser"
NAS-Port = 89
State = 0x4515d63c4110c3febcac6df877a3ee06
EAP-Message = 0x020500061500
Message-Authenticator = 0x4410301a2dd8b830cac4def877a05167
Acct-Session-Id = "8O2.1x811200d0000c3d6d"
NAS-Port-Id = "ge-0/0/19.0"
Calling-Station-Id = "c4-2c-03-04-f1-04"
Called-Station-Id = "2c-6b-f5-35-d4-c0"
NAS-IP-Address = 10.0.11.3
NAS-Identifier = "hqsw1"
NAS-Port-Type = Ethernet
# Executing section authorize from file /private/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "testuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 5 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /private/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] Received TLS ACK
[ttls] ACK handshake fragment handler
[ttls] eaptls_verify returned 1 
[ttls] eaptls_process returned 13 
++[eap] returns handled
Sending Access-Challenge of id 82 to 10.0.11.3 port 54613
EAP-Message = 0xdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd16030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x4515d63c4013c3febcac6df877a3ee06
Finished request 29.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.0.11.3 port 54613, id=6, length=506
User-Name = "testuser"
NAS-Port = 89
State = 0x4515d63c4013c3febcac6df877a3ee06
EAP-Message = 0x0206015015800000014616030101061000010201006dac8c6fa17699c642676c8d6ad88f592a533736758d1797496051ca0923e542c90524451e26d610ee0b2b3ed8dbee519080db11c8b2817497c48f6cdd9c254f4d0ac1650b473ff8461ef37379f2fae772b4a340d6d915589eba965c46338450f921819ac4b1054bf261bc9dbe17e3c7a62a057d224a614bbc2bac720ca60c3641c80fd13f854754df51f6e19999c418c095defed9396cff90fcd59346bb679d0f91f588206d1caca3b2f6361a55b5944996e19039ac951819451da20e8fc68d0bf7b17ef60373040b2396ce6fb9b7b06e3efefbceb2e22ca20aa726e8dc253a5a6b178214f08539
EAP-Message = 0x4ee647227e6244a7293fcffa28d62291c320aa698ae9754c1403010001011603010030451287b5040a5f1d8e7e26aad5428397f48138e1992616ada492291f470501852105c5c44254b8cd71fd3ea29abcf427
Message-Authenticator = 0x411897122fa57e10d96bd5b97d3886a4
Acct-Session-Id = "8O2.1x811200d0000c3d6d"
NAS-Port-Id = "ge-0/0/19.0"
Calling-Station-Id = "c4-2c-03-04-f1-04"
Called-Station-Id = "2c-6b-f5-35-d4-c0"
NAS-IP-Address = 10.0.11.3
NAS-Identifier = "hqsw1"
NAS-Port-Type = Ethernet
# Executing section authorize from file /private/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "testuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 6 length 253
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /private/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
  TLS Length 326
[ttls] Length Included
[ttls] eaptls_verify returned 11 
[ttls] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange  
[ttls]     TLS_accept: SSLv3 read client key exchange A
[ttls] <<< TLS 1.0 ChangeCipherSpec [length 0001]  
[ttls] <<< TLS 1.0 Handshake [length 0010], Finished  
[ttls]     TLS_accept: SSLv3 read finished A
[ttls] >>> TLS 1.0 ChangeCipherSpec [length 0001]  
[ttls]     TLS_accept: SSLv3 write change cipher spec A
[ttls] >>> TLS 1.0 Handshake [length 0010], Finished  
[ttls]     TLS_accept: SSLv3 write finished A
[ttls]     TLS_accept: SSLv3 flush data
[ttls]     (other): SSL negotiation finished successfully
SSL Connection Established 
[ttls] eaptls_process returned 13 
++[eap] returns handled
Sending Access-Challenge of id 6 to 10.0.11.3 port 54613
EAP-Message = 0x0107004515800000003b140301000101160301003007d8a3669a3bf7b2a983eefdbf3174ba778613d32be7466af5055d33b57509520c00f2dbab583c8aa900dfa621e7d5f8
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x4515d63c4312c3febcac6df877a3ee06
Finished request 30.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.0.11.3 port 54613, id=224, length=327
User-Name = "testuser"
NAS-Port = 89
State = 0x4515d63c4312c3febcac6df877a3ee06
EAP-Message = 0x0207009f158000000095170301009013f12baf88e483f6a7e99a21587ff9140efa5b38c4150d0810beec57fea54f5b669adf3420e847e135ba2b6d66e25a3e20a48c96981a9532c713174adad2b27f5853db89499122a5117ddeca7877f6dc82661224977f790dce17e1925f768653db7336a0f8fcd3696b219ac720ac530c1b49a26dfe7809455d5d026059b576c4b9098baaa9c49c1f2930856c8b303c79
Message-Authenticator = 0x9eac09dc843575fb6169411e53fcd117
Acct-Session-Id = "8O2.1x811200d0000c3d6d"
NAS-Port-Id = "ge-0/0/19.0"
Calling-Station-Id = "c4-2c-03-04-f1-04"
Called-Station-Id = "2c-6b-f5-35-d4-c0"
NAS-IP-Address = 10.0.11.3
NAS-Identifier = "hqsw1"
NAS-Port-Type = Ethernet
# Executing section authorize from file /private/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "testuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 7 length 159
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /private/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
  TLS Length 149
[ttls] Length Included
[ttls] eaptls_verify returned 11 
[ttls] eaptls_process returned 7 
[ttls] Session established.  Proceeding to decode tunneled attributes.
[ttls] Got tunneled request
User-Name = "testuser"
MS-CHAP-Challenge = 0x98f430a43599f957282310422e8669ca
MS-CHAP2-Response = 0xfb0050a391b9a77fd794f7e4ad83c6781a540000000000000000865b0fcebda08a02e3c5d31e33d62294f08769a230ccbd24
FreeRADIUS-Proxied-To = 127.0.0.1
[ttls] Sending tunneled request
User-Name = "testuser"
MS-CHAP-Challenge = 0x98f430a43599f957282310422e8669ca
MS-CHAP2-Response = 0xfb0050a391b9a77fd794f7e4ad83c6781a540000000000000000865b0fcebda08a02e3c5d31e33d62294f08769a230ccbd24
FreeRADIUS-Proxied-To = 127.0.0.1
NAS-Port = 89
Acct-Session-Id = "8O2.1x811200d0000c3d6d"
NAS-Port-Id = "ge-0/0/19.0"
Calling-Station-Id = "c4-2c-03-04-f1-04"
Called-Station-Id = "2c-6b-f5-35-d4-c0"
NAS-IP-Address = 10.0.11.3
NAS-Identifier = "hqsw1"
NAS-Port-Type = Ethernet
server  {
# Executing section authorize from file /private/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
++[mschap] returns ok
++[digest] returns noop
[suffix] No '@' in User-Name = "testuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry DEFAULT at line 212
++[files] returns ok
[opendirectory] The SACL group "com.apple.access_radius" does not exist on this system.
[opendirectory] The host 10.0.11.3 does not have an access group.
[opendirectory] User testuser exists in OD
[opendirectory] no access control groups, all OD users allowed.
++[opendirectory] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = MSCHAP
# Executing group from file /private/etc/raddb/sites-enabled/default
+- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Creating challenge hash with username: testuser
[mschap] Told to do MS-CHAPv2 for testuser with NT-Password
[mschap] Using OpenDirectory to authenticate
[mschap] Doing OD MSCHAPv2 auth
[mschap] Successful authentication for testuser
++[mschap] returns ok
# Executing section post-auth from file /private/etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
} # server 
[ttls] Got tunneled reply code 2
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "101"
MS-CHAP2-Success = 0xfb533d41423831383844313944333842364137363241314430454644353931344634363734384138303836
[ttls] Got tunneled Access-Accept
[ttls] Got MS-CHAP2-Success, tunneling it to the client in a challenge.
++[eap] returns handled
Sending Access-Challenge of id 224 to 10.0.11.3 port 54613
EAP-Message = 0x0108008415800000007a1703010020724895cfa11745c963ab2a3d5b8b0e2b76ca7ebccc5b5d1af53ad9cf62f9bb6f1703010050db4f5296d1da8c4f613dbf48289cb5f5ca54c3fb24ca81be847b2f3f8c062c0a2491ae698dc9f69398313b065af863f75c13fd2995421532c88eadbc86447f9e01756148485dc84c64fb86ccad58b370
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x4515d63c421dc3febcac6df877a3ee06
Finished request 31.
Going to the next request
Waking up in 4.6 seconds.
rad_recv: Access-Request packet from host 10.0.11.3 port 54613, id=115, length=174
User-Name = "testuser"
NAS-Port = 89
State = 0x4515d63c421dc3febcac6df877a3ee06
EAP-Message = 0x020800061500
Message-Authenticator = 0xfa1bae1ab9867108c1206f2ced983996
Acct-Session-Id = "8O2.1x811200d0000c3d6d"
NAS-Port-Id = "ge-0/0/19.0"
Calling-Station-Id = "c4-2c-03-04-f1-04"
Called-Station-Id = "2c-6b-f5-35-d4-c0"
NAS-IP-Address = 10.0.11.3
NAS-Identifier = "hqsw1"
NAS-Port-Type = Ethernet
# Executing section authorize from file /private/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "testuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 8 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /private/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] Received TLS ACK
[ttls] ACK handshake is finished
[ttls] eaptls_verify returned 3 
[ttls] eaptls_process returned 3 
[ttls] Using saved attributes from the original Access-Accept
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "101"
[eap] Freeing handler
++[eap] returns ok
# Executing section post-auth from file /private/etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 115 to 10.0.11.3 port 54613
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "101"
MS-MPPE-Recv-Key = 0xebc7e5ca22d86cac82bb0efebf66bdb6852b5cee5087969b02488e3628b13e57
MS-MPPE-Send-Key = 0x4468ab64e74186dbe09282296b582253f1324675fba1164fc1a6917c9cb79636
EAP-Message = 0x03080004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "testuser"
Finished request 32.
Going to the next request
Waking up in 4.6 seconds.
Cleaning up request 24 ID 124 with timestamp +157
Cleaning up request 25 ID 128 with timestamp +157
Cleaning up request 26 ID 173 with timestamp +157
Cleaning up request 27 ID 10 with timestamp +157
Cleaning up request 28 ID 190 with timestamp +157
Cleaning up request 29 ID 82 with timestamp +157
Cleaning up request 30 ID 6 with timestamp +158
Waking up in 0.1 seconds.
Cleaning up request 31 ID 224 with timestamp +158
Cleaning up request 32 ID 115 with timestamp +158
Ready to process requests.

-----------------------------------------------------------------


The following does not work if we try and match on Group-Name (which does not work):
-----------------------------------------------------------------

rad_recv: Access-Request packet from host 10.0.11.3 port 54613, id=38, length=163
User-Name = "testuser"
NAS-Port = 89
EAP-Message = 0x0201000d016c64656c61697265
Message-Authenticator = 0x8f7ff65e289a0572bc17bd1576fb5950
Acct-Session-Id = "8O2.1x811200dd000315d4"
NAS-Port-Id = "ge-0/0/19.0"
Calling-Station-Id = "c4-2c-03-04-f1-04"
Called-Station-Id = "2c-6b-f5-35-d4-c0"
NAS-IP-Address = 10.0.11.3
NAS-Identifier = "hqsw1"
NAS-Port-Type = Ethernet
# Executing section authorize from file /private/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "testuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 13
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[opendirectory] The SACL group "com.apple.access_radius" does not exist on this system.
[opendirectory] The host 10.0.11.3 does not have an access group.
[opendirectory] User testuser exists in OD
[opendirectory] no access control groups, all OD users allowed.
++[opendirectory] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /private/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 38 to 10.0.11.3 port 54613
EAP-Message = 0x010200061520
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x7376aa107374bfe2777048181a406d0c
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.11.3 port 54613, id=185, length=296
User-Name = "testuser"
NAS-Port = 89
State = 0x7376aa107374bfe2777048181a406d0c
EAP-Message = 0x0202008015800000007616030100710100006d0301503322f101ec417ed81232a4f0f75d7a4cd5c4fe93fa330292088fa8ed44b5f600003200ffc00ac009c007c008c014c013c011c012c004c005c002c003c00ec00fc00cc00d002f000500040035000a00330039001601000012000a00080006001700180019000b00020100
Message-Authenticator = 0xd15b1455669c385df86958714dcbf048
Acct-Session-Id = "8O2.1x811200dd000315d4"
NAS-Port-Id = "ge-0/0/19.0"
Calling-Station-Id = "c4-2c-03-04-f1-04"
Called-Station-Id = "2c-6b-f5-35-d4-c0"
NAS-IP-Address = 10.0.11.3
NAS-Identifier = "hqsw1"
NAS-Port-Type = Ethernet
# Executing section authorize from file /private/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "testuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 128
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /private/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
  TLS Length 118
[ttls] Length Included
[ttls] eaptls_verify returned 11 
[ttls]     (other): before/accept initialization
[ttls]     TLS_accept: before/accept initialization
[ttls] <<< TLS 1.0 Handshake [length 0071], ClientHello  
[ttls]     TLS_accept: SSLv3 read client hello A
[ttls] >>> TLS 1.0 Handshake [length 0031], ServerHello  
[ttls]     TLS_accept: SSLv3 write server hello A
[ttls] >>> TLS 1.0 Handshake [length 1270], Certificate  
[ttls]     TLS_accept: SSLv3 write certificate A
[ttls] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone  
[ttls]     TLS_accept: SSLv3 write server done A
[ttls]     TLS_accept: SSLv3 flush data
[ttls]     TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase 
In SSL Accept mode  
[ttls] eaptls_process returned 13 
++[eap] returns handled
Sending Access-Challenge of id 185 to 10.0.11.3 port 54613
EAP-Message = 0x30302e06035504031327476f204461646479205365637572652043657274696669636174696f6e20417574686f726974793111300f060355040513083037393639323837301e170d3130303932393138313630315a170d3135303932393138313630315a306d31233021060355040a131a6f7065726174696f6e732e7061796a756e6374696f6e2e636f6d3121301f060355040b1318446f6d61696e20436f6e74726f6c2056616c696461746564312330210603550403131a6f7065726174696f6e732e7061796a756e6374696f6e2e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100b3676ce4923f6ecc6d
EAP-Message = 0x026be05c0d4b03362f4e22d1a486740477cfba062ea92b6e4550e61f6eb03de7ea4cc4a03b09e8d8ce6f22c49883928e6502a4f586d26f24f880e9e118bcaa5e678bd352b69851b91b5b6c6c8717b551969aef0f09bb4daccc5923f0fd38e5506b2134505bc1ba1a1d1374bb94377015f9d48c4f9ff12dc860af19a9ecdbb45d53c103243ad4baa62d39c9f44ea9d60943ab711637a1092f5c22d4762c831ed81dc2b9b886dee071c94dca4ea0461644944c05d0677714f2e0fb824490600585444533ecffe402b026f1b377241d68831ae04f7aaad97460d39e40afc35d4a16ad3c161d83cee119d925b119ba56f6aed2fb08861f32c30203010001a3
EAP-Message = 0x2e636f6d2f304a06082b0601
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x7376aa107275bfe2777048181a406d0c
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.11.3 port 54613, id=65, length=174
User-Name = "testuser"
NAS-Port = 89
State = 0x7376aa107275bfe2777048181a406d0c
EAP-Message = 0x020300061500
Message-Authenticator = 0xb2706ac2b20ebbc4044ca0ddb359a3a0
Acct-Session-Id = "8O2.1x811200dd000315d4"
NAS-Port-Id = "ge-0/0/19.0"
Calling-Station-Id = "c4-2c-03-04-f1-04"
Called-Station-Id = "2c-6b-f5-35-d4-c0"
NAS-IP-Address = 10.0.11.3
NAS-Identifier = "hqsw1"
NAS-Port-Type = Ethernet
# Executing section authorize from file /private/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "testuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /private/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] Received TLS ACK
[ttls] ACK handshake fragment handler
[ttls] eaptls_verify returned 1 
[ttls] eaptls_process returned 13 
++[eap] returns handled
Sending Access-Challenge of id 65 to 10.0.11.3 port 54613
EAP-Message = 0x02020301300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3036313131363031353433375a170d3236313131363031353433375a3081ca310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c65311a3018060355040a1311476f44616464792e636f6d2c20496e632e31333031060355040b132a687474703a2f2f
EAP-Message = 0x2c66ea1a6bbbe51a514a002f
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x7376aa107172bfe2777048181a406d0c
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.11.3 port 54613, id=131, length=174
User-Name = "testuser"
NAS-Port = 89
State = 0x7376aa107172bfe2777048181a406d0c
EAP-Message = 0x020400061500
Message-Authenticator = 0xe80eacfe69775b297b14b61b803bd39d
Acct-Session-Id = "8O2.1x811200dd000315d4"
NAS-Port-Id = "ge-0/0/19.0"
Calling-Station-Id = "c4-2c-03-04-f1-04"
Called-Station-Id = "2c-6b-f5-35-d4-c0"
NAS-IP-Address = 10.0.11.3
NAS-Identifier = "hqsw1"
NAS-Port-Type = Ethernet
# Executing section authorize from file /private/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "testuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 4 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /private/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] Received TLS ACK
[ttls] ACK handshake fragment handler
[ttls] eaptls_verify returned 1 
[ttls] eaptls_process returned 13 
++[eap] returns handled
Sending Access-Challenge of id 131 to 10.0.11.3 port 54613
EAP-Message = 0x06082b060105050730018617687474703a2f2f6f6373702e676f64616464792e636f6d30460603551d1f043f303d303ba039a0378635687474703a2f2f6365727469666963617465732e676f64616464792e636f6d2f7265706f7369746f72792f6764726f6f742e63726c304b0603551d200444304230400604551d20003038303606082b06010505070201162a687474703a2f2f6365727469666963617465732e676f64616464792e636f6d2f7265706f7369746f7279300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100d286c0ecbdf9a1b667ee660ba2063a04508e1572ac4a749553cb37cb4449ef0790
EAP-Message = 0x54686520476f204461646479
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x7376aa107073bfe2777048181a406d0c
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.11.3 port 54613, id=59, length=174
User-Name = "testuser"
NAS-Port = 89
State = 0x7376aa107073bfe2777048181a406d0c
EAP-Message = 0x020500061500
Message-Authenticator = 0xe3a9499075fdb6897cd7c1ebecc568dd
Acct-Session-Id = "8O2.1x811200dd000315d4"
NAS-Port-Id = "ge-0/0/19.0"
Calling-Station-Id = "c4-2c-03-04-f1-04"
Called-Station-Id = "2c-6b-f5-35-d4-c0"
NAS-IP-Address = 10.0.11.3
NAS-Identifier = "hqsw1"
NAS-Port-Type = Ethernet
# Executing section authorize from file /private/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "testuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 5 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /private/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] Received TLS ACK
[ttls] ACK handshake fragment handler
[ttls] eaptls_verify returned 1 
[ttls] eaptls_process returned 13 
++[eap] returns handled
Sending Access-Challenge of id 59 to 10.0.11.3 port 54613
EAP-Message = 0x08b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a38201e1308201dd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e33081d20603551d230481ca3081c7a181c1a481be3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c6943
EAP-Message = 0x0d06092a864886f70d010105
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x7376aa107770bfe2777048181a406d0c
Finished request 4.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.0.11.3 port 54613, id=150, length=174
User-Name = "testuser"
NAS-Port = 89
State = 0x7376aa107770bfe2777048181a406d0c
EAP-Message = 0x020600061500
Message-Authenticator = 0x7f92e4f61667f18c36a2b22fe08dcae2
Acct-Session-Id = "8O2.1x811200dd000315d4"
NAS-Port-Id = "ge-0/0/19.0"
Calling-Station-Id = "c4-2c-03-04-f1-04"
Called-Station-Id = "2c-6b-f5-35-d4-c0"
NAS-IP-Address = 10.0.11.3
NAS-Identifier = "hqsw1"
NAS-Port-Type = Ethernet
# Executing section authorize from file /private/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "testuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 6 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /private/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] Received TLS ACK
[ttls] ACK handshake fragment handler
[ttls] eaptls_verify returned 1 
[ttls] eaptls_process returned 13 
++[eap] returns handled
Sending Access-Challenge of id 150 to 10.0.11.3 port 54613
EAP-Message = 0xdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd16030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x7376aa107671bfe2777048181a406d0c
Finished request 5.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.0.11.3 port 54613, id=99, length=506
User-Name = "testuser"
NAS-Port = 89
State = 0x7376aa107671bfe2777048181a406d0c
EAP-Message = 0x0207015015800000014616030101061000010201000e38bcbb99bc024df880287f421ffc733f53c6d2783fe237bad3f73459f96b2f1b08cca5041e244d99d9630a10367b4d668f156c3511a1ad024b7cbae594096ffb0c2d434e8534c6757c45dd7d114ef315092023b2a723e4a33a886852aeb7b177ae287965a6633431bf1480654435f767c473b02e9e7e94da8c620e226173d3d6031ee80034ad516d83d63a558387689dee3fbe40b19985717da4b2816ecbcd0cda811b86a4e0ecd68f46051293c5ff47e61e83dc0fbb13789da56e79698972b27f292b3e58b4c76720457ed2b09ce2176662ef92e6297e537c240218f614e0b70a71da08c08192
EAP-Message = 0x35a333a42a0f29e8b04377204855a344a07c872f783d84831403010001011603010030596c41624945ac08ff0f637c891179bcbeb912306f74fee91eecc7b454792d0bf97f08e3afae3bba275fb8b514322100
Message-Authenticator = 0x3e22c0c5f61c577c44e58cc92c1e2504
Acct-Session-Id = "8O2.1x811200dd000315d4"
NAS-Port-Id = "ge-0/0/19.0"
Calling-Station-Id = "c4-2c-03-04-f1-04"
Called-Station-Id = "2c-6b-f5-35-d4-c0"
NAS-IP-Address = 10.0.11.3
NAS-Identifier = "hqsw1"
NAS-Port-Type = Ethernet
# Executing section authorize from file /private/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "testuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 7 length 253
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /private/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
  TLS Length 326
[ttls] Length Included
[ttls] eaptls_verify returned 11 
[ttls] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange  
[ttls]     TLS_accept: SSLv3 read client key exchange A
[ttls] <<< TLS 1.0 ChangeCipherSpec [length 0001]  
[ttls] <<< TLS 1.0 Handshake [length 0010], Finished  
[ttls]     TLS_accept: SSLv3 read finished A
[ttls] >>> TLS 1.0 ChangeCipherSpec [length 0001]  
[ttls]     TLS_accept: SSLv3 write change cipher spec A
[ttls] >>> TLS 1.0 Handshake [length 0010], Finished  
[ttls]     TLS_accept: SSLv3 write finished A
[ttls]     TLS_accept: SSLv3 flush data
[ttls]     (other): SSL negotiation finished successfully
SSL Connection Established 
[ttls] eaptls_process returned 13 
++[eap] returns handled
Sending Access-Challenge of id 99 to 10.0.11.3 port 54613
EAP-Message = 0x0108004515800000003b1403010001011603010030498b97ea12669c760165ae5e461ac8f9985ff23afdc0851e1b9e5b5deb5fc621784648b522ee7a58896acdd8b7b9ee24
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x7376aa10757ebfe2777048181a406d0c
Finished request 6.
Going to the next request
Waking up in 4.4 seconds.
rad_recv: Access-Request packet from host 10.0.11.3 port 54613, id=151, length=327
User-Name = "testuser"
NAS-Port = 89
State = 0x7376aa10757ebfe2777048181a406d0c
EAP-Message = 0x0208009f15800000009517030100909a5bc2fc0aa3e196e45a467a1ffcb4c685b2dcef5a45f54ba7a20f2a34131ada4c48cfe457774c25dd5a6b8b0830cc526ce54b5e164328b749b4c1215695ec4b1642536159dc71611fd4566edc98293c397d0329acf7e93c00b91bcea4ac41faa14c355455d5c627afe3115faa537909c0c67bd8cc6df715691d8f61513d8e0977852d11e196f6bd2ef6ad99445a3dd7
Message-Authenticator = 0x6fc895432c98cfdf25211e9c9fcdc4fe
Acct-Session-Id = "8O2.1x811200dd000315d4"
NAS-Port-Id = "ge-0/0/19.0"
Calling-Station-Id = "c4-2c-03-04-f1-04"
Called-Station-Id = "2c-6b-f5-35-d4-c0"
NAS-IP-Address = 10.0.11.3
NAS-Identifier = "hqsw1"
NAS-Port-Type = Ethernet
# Executing section authorize from file /private/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "testuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 8 length 159
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /private/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
  TLS Length 149
[ttls] Length Included
[ttls] eaptls_verify returned 11 
[ttls] eaptls_process returned 7 
[ttls] Session established.  Proceeding to decode tunneled attributes.
[ttls] Got tunneled request
User-Name = "testuser"
MS-CHAP-Challenge = 0x980b880e579ddf430d6a546c9208b8d3
MS-CHAP2-Response = 0xc600d9073bcb7d5c6f3da4805f9fdd0cd9080000000000000000bbc853afd7373a6a21f64a81fb6429e976994a46c89554d6
FreeRADIUS-Proxied-To = 127.0.0.1
[ttls] Sending tunneled request
User-Name = "testuser"
MS-CHAP-Challenge = 0x980b880e579ddf430d6a546c9208b8d3
MS-CHAP2-Response = 0xc600d9073bcb7d5c6f3da4805f9fdd0cd9080000000000000000bbc853afd7373a6a21f64a81fb6429e976994a46c89554d6
FreeRADIUS-Proxied-To = 127.0.0.1
NAS-Port = 89
Acct-Session-Id = "8O2.1x811200dd000315d4"
NAS-Port-Id = "ge-0/0/19.0"
Calling-Station-Id = "c4-2c-03-04-f1-04"
Called-Station-Id = "2c-6b-f5-35-d4-c0"
NAS-IP-Address = 10.0.11.3
NAS-Identifier = "hqsw1"
NAS-Port-Type = Ethernet
server  {
# Executing section authorize from file /private/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
++[mschap] returns ok
++[digest] returns noop
[suffix] No '@' in User-Name = "testuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
[opendirectory] The SACL group "com.apple.access_radius" does not exist on this system.
[opendirectory] The host 10.0.11.3 does not have an access group.
[opendirectory] User testuser exists in OD
[opendirectory] no access control groups, all OD users allowed.
++[opendirectory] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = MSCHAP
# Executing group from file /private/etc/raddb/sites-enabled/default
+- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Creating challenge hash with username: testuser
[mschap] Told to do MS-CHAPv2 for testuser with NT-Password
[mschap] Using OpenDirectory to authenticate
[mschap] Doing OD MSCHAPv2 auth
[mschap] Successful authentication for testuser
++[mschap] returns ok
# Executing section post-auth from file /private/etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
} # server 
[ttls] Got tunneled reply code 2
MS-CHAP2-Success = 0xc6533d37344337434145353137333237383734434439373730394332414545384545384230463944463639
[ttls] Got tunneled Access-Accept
[ttls] Got MS-CHAP2-Success, tunneling it to the client in a challenge.
++[eap] returns handled
Sending Access-Challenge of id 151 to 10.0.11.3 port 54613
EAP-Message = 0x0109008415800000007a17030100204ee1536a695f88f034580d0ed954ea1559043d5058c5a725d0ba4f14c421203e170301005020cc04fcd5018811246bb209f92c8d0784950b43f5c2fbc2845e6b28c469137eb7f2d2387c4a305119120aac1ce071b60662601a67dadc7be435f862831e33e0154697199527acd7c58f896840010d44
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x7376aa10747fbfe2777048181a406d0c
Finished request 7.
Going to the next request
Waking up in 4.4 seconds.
rad_recv: Access-Request packet from host 10.0.11.3 port 54613, id=25, length=174
User-Name = "testuser"
NAS-Port = 89
State = 0x7376aa10747fbfe2777048181a406d0c
EAP-Message = 0x020900061500
Message-Authenticator = 0x9ebea890a54788a8c31cf9d46df1c5b6
Acct-Session-Id = "8O2.1x811200dd000315d4"
NAS-Port-Id = "ge-0/0/19.0"
Calling-Station-Id = "c4-2c-03-04-f1-04"
Called-Station-Id = "2c-6b-f5-35-d4-c0"
NAS-IP-Address = 10.0.11.3
NAS-Identifier = "hqsw1"
NAS-Port-Type = Ethernet
# Executing section authorize from file /private/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "testuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 9 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /private/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] Received TLS ACK
[ttls] ACK handshake is finished
[ttls] eaptls_verify returned 3 
[ttls] eaptls_process returned 3 
[ttls] Using saved attributes from the original Access-Accept
[eap] Freeing handler
++[eap] returns ok
# Executing section post-auth from file /private/etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 25 to 10.0.11.3 port 54613
MS-MPPE-Recv-Key = 0x9851eef160f7deb5c2ceb8926e928834320f8c8ceec8ae32de0beb38768f3928
MS-MPPE-Send-Key = 0x18f20ab349a3dcb4f4476e33339d73247f3283b711342da21d08df70dce55e10
EAP-Message = 0x03090004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "testuser"
Finished request 8.
Going to the next request
Waking up in 4.4 seconds.
Cleaning up request 0 ID 38 with timestamp +11
Cleaning up request 1 ID 185 with timestamp +11
Cleaning up request 2 ID 65 with timestamp +11
Cleaning up request 3 ID 131 with timestamp +11
Cleaning up request 4 ID 59 with timestamp +11
Cleaning up request 5 ID 150 with timestamp +11
Waking up in 0.3 seconds.
Cleaning up request 6 ID 99 with timestamp +11
Cleaning up request 7 ID 151 with timestamp +11
Cleaning up request 8 ID 25 with timestamp +11
Ready to process requests.
-----------------------------------------------------------------

Basically... it appears the Group-Name is no longer being returned... and therefore we cannot tag based upon groups. I would assume this relies on the OpenDirectory plugin that Apple provides... perhaps it does not function like it previously did?


Since OpenDirectory relies on OpenLDAP, perhaps we need to query LDAP?


Any thoughts or suggestions would be appreciated.  Thank you.

----- Original Message -----
From: Alan DeKok <aland at deployingradius.com>
To: Theparanoidone Theparanoidone <theparanoidone at yahoo.com>; FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Cc: 
Sent: Monday, August 20, 2012 11:23 AM
Subject: Re: OpenDirectory VLAN Assignment by Group

Theparanoidone Theparanoidone wrote:
> Previously using radius, we were able to assign VLAN based upon group membership using the following syntax in   /etc/raddb/users   :

  That should still work.

> Now with FreeRADIUS Version 2.1.12, we are unable to make the above syntax work anymore.

  Nonsense.  See the FAQ for "it doesn't work".

  It works.  People use that syntax.  It's documented as working.  It
hasn't changed in about 10 years.

  Which version were you using?  You didn't say...

> After some reading, we stumbled upon someone with a similar issue who claimed that you now have to place the post-auth section of   /etc/raddb/sites-enabled/default  ... we had to make some modifications to the syntax as well:

  Why would that be?

> While the above syntax does appear to properly assign the VLAN ... we are unable to match this against the Group-Name field  (so the following does not work): 

  <sigh>  See the FAQ for "it doesn't work".

> However ... we appear unable to get any variable to expand that relates to group.   (we have tried Group Group-Name Ldap-Group LDAP-Group gid group all without success).   It would be ideal to base VLAN membership off of group as opposed to individual user.

  Group-Name is Unix groups.

  You clearly changed something in your system.  But you didn't say
what.  You didn't say which version you were using.  You didn't say how
you upgraded.

> Questions:
> 
> 1)  Is there a way to echo out *all* variables that radiusd -X has access to at the time of testing so we can perhaps see what field contains the valid group on?

  No.  Many "variables" are pulled from external databases, or things
like the Unix group file.  Printing out all of them is impossible,
because there may be hundreds.

> 2)  Does anyone know what the variable for groups we should be using is?

  Group-Name?

> 3)  Is there documentation that covers the change in syntax as I described above?  (... I'm sure I'm just not finding it, but I have been looking)

  The "users" file documentation?  Which hasn't changed in 10 years?

> (This is on the latest version of Apple's deployment of freeradius that relies on OpenDirectory)
> 
> (We will try and contact Apple as well... but I'm imagining this request will be beyond their capabilities... echoing out all variables may get us a solution faster???)
> 
> Thank you in advance for any advice or pointers to relevant documentation.

  What happened?  What changed?  You've been careful to avoid saying that.

  "Hi, stuff used to work.  Then I tried 2.1.12, and now stuff doesn't
work.  Why?"

  How do you expect anyone to be able to answer that?

  Alan DeKok.
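
Alan's remark that Group-Name is a Unix-group check is easiest to see by modelling the comparison: rlm_unix resolves the user and the group through the system account database (getpwnam/getgrnam) and matches only if the group is the user's primary group or lists the user as a member, so a user or group the local lookup cannot resolve never matches and the DEFAULT entry contributes nothing (the files module reports noop). This is an added example, not FreeRADIUS code; the account tables, the `oduser` name and the small users-file parser are constructed for illustration, and the real pwd/grp modules would replace the tables on a live system.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for the system account database that getpwnam() and
# getgrnam() would consult: user -> primary gid, group -> (gid, members).
# "oduser" is deliberately absent: an account the local lookup cannot resolve.
PASSWD: Dict[str, int] = {"localuser": 20, "localadmin": 80}
GROUPS: Dict[str, Tuple[int, List[str]]] = {
    "staff": (20, []),
    "testgroup": (501, ["localuser"]),
}


def group_name_matches(user: str, group: str) -> bool:
    """Group-Name check as rlm_unix performs it: both names must resolve, and
    the group must be the user's primary group or list the user as a member."""
    if user not in PASSWD or group not in GROUPS:
        return False
    gid, members = GROUPS[group]
    return PASSWD[user] == gid or user in members


# The users-file entry from the post, embedded here as constructed input.
USERS_FILE = '''\
DEFAULT Group-Name == "testgroup"
        Tunnel-Type = 13,
        Tunnel-Medium-Type = 6,
        Tunnel-Private-Group-Id = "101",
        Fall-Through = no
'''

# First line: "<name> Group-Name == "<group>""; following indented lines: reply items.
CHECK_RE = re.compile(r'^(\S+)\s+Group-Name\s*==\s*"([^"]*)"\s*$')
REPLY_RE = re.compile(r'^\s+([\w-]+)\s*=\s*"?([^",]*)"?\s*,?\s*$')


def parse_entry(text: str) -> Tuple[str, str, Dict[str, str]]:
    """Split one single-check users entry into (name, group, reply items)."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    m = CHECK_RE.match(lines[0])
    if not m:
        raise ValueError("only entries with a single Group-Name check are modelled")
    reply: Dict[str, str] = {}
    for ln in lines[1:]:
        rm = REPLY_RE.match(ln)
        if rm:
            reply[rm.group(1)] = rm.group(2)
    reply.pop("Fall-Through", None)  # control item, not a reply attribute
    return m.group(1), m.group(2), reply


def evaluate(user: str, text: str = USERS_FILE) -> Optional[Dict[str, str]]:
    """Reply attributes the entry adds for `user`, or None when it does not
    match (the files module then has nothing to add and returns noop)."""
    name, group, reply = parse_entry(text)
    if name != "DEFAULT" and name != user:
        return None  # a named entry only applies to that User-Name
    return reply if group_name_matches(user, group) else None


if __name__ == "__main__":
    for u in ("localuser", "localadmin", "oduser"):
        print(u, "->", evaluate(u))
```

Running it shows the member of testgroup receiving the Tunnel-* attributes while the unresolvable account gets None, which is the silent failure mode to check for before relying on a Group-Name rule for VLAN placement.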


