Setting ntlm_auth parameters depending on NAS-IP-Address

Antoine Benkemoun antoine.benkemoun at nexthink.com
Wed May 7 16:35:27 CEST 2014


Thank you for your answer. Sorry for that.

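Please find the entire debug log below. The reject comes from the inner-tunnel MS-CHAP step near the end of the log, where --require-membership-of=%{request:NTLM-Group-Required} expands to an empty value and ntlm_auth returns 0xc000000d.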


   peap {
	default_eap_type = "mschapv2"
	copy_request_to_tunnel = no
	use_tunneled_reply = no
	proxy_tunneled_request_as_eap = yes
	virtual_server = "inner-tunnel"
	soh = no
   }
 Module: Linked to sub-module rlm_eap_mschapv2
 Module: Instantiating eap-mschapv2
   mschapv2 {
	with_ntdomain_hack = no
	send_error = no
   }
 Module: Instantiating module "ntlm_auth" from file /etc/freeradius/modules/ntlm_auth
  exec ntlm_auth {
	wait = yes
	program = "/usr/bin/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
	input_pairs = "request"
	shell_escape = yes
  }
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_preprocess
 Module: Instantiating module "preprocess" from file /etc/freeradius/modules/preprocess
  preprocess {
	huntgroups = "/etc/freeradius/huntgroups"
	hints = "/etc/freeradius/hints"
	with_ascend_hack = no
	ascend_channels_per_line = 23
	with_ntdomain_hack = no
	with_specialix_jetstream_hack = no
	with_cisco_vsa_hack = no
	with_alvarion_vsa_hack = no
  }
 Module: Linked to module rlm_realm
 Module: Instantiating module "ntdomain" from file /etc/freeradius/modules/realm
  realm ntdomain {
	format = "prefix"
	delimiter = "\"
	ignore_default = no
	ignore_null = no
  }
 Module: Linked to module rlm_files
 Module: Instantiating module "files" from file /etc/freeradius/modules/files
  files {
	usersfile = "/etc/freeradius/users"
	acctusersfile = "/etc/freeradius/acct_users"
	preproxy_usersfile = "/etc/freeradius/preproxy_users"
	compat = "no"
  }
 Module: Checking preacct {...} for more modules to load
 Module: Linked to module rlm_acct_unique
 Module: Instantiating module "acct_unique" from file /etc/freeradius/modules/acct_unique
  acct_unique {
	key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
  }
 Module: Instantiating module "suffix" from file /etc/freeradius/modules/realm
  realm suffix {
	format = "suffix"
	delimiter = "@"
	ignore_default = no
	ignore_null = no
  }
 Module: Checking accounting {...} for more modules to load
 Module: Linked to module rlm_detail
 Module: Instantiating module "detail" from file /etc/freeradius/modules/detail
  detail {
	detailfile = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
	header = "%t"
	detailperm = 384
	dirperm = 493
	locking = no
	log_packet_header = no
  }
 Module: Linked to module rlm_radutmp
 Module: Instantiating module "radutmp" from file /etc/freeradius/modules/radutmp
  radutmp {
	filename = "/var/log/freeradius/radutmp"
	username = "%{User-Name}"
	case_sensitive = yes
	check_with_nas = yes
	perm = 384
	callerid = yes
  }
 Module: Linked to module rlm_attr_filter
 Module: Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/modules/attr_filter
  attr_filter attr_filter.accounting_response {
	attrsfile = "/etc/freeradius/attrs.accounting_response"
	key = "%{User-Name}"
	relaxed = no
  }
 Module: Checking session {...} for more modules to load
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 Module: Instantiating module "attr_filter.access_reject" from file /etc/freeradius/modules/attr_filter
  attr_filter attr_filter.access_reject {
	attrsfile = "/etc/freeradius/attrs.access_reject"
	key = "%{User-Name}"
	relaxed = no
  }
 } # modules
} # server
server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Checking authorize {...} for more modules to load
 Module: Checking session {...} for more modules to load
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 } # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
	type = "auth"
	ipaddr = *
	port = 0
}
listen {
	type = "acct"
	ipaddr = *
	port = 0
}
listen {
	type = "auth"
	ipaddr = 127.0.0.1
	port = 18120
}
 ... adding new socket proxy address * port 37680
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 172.16.2.254 port 32769, id=251, length=246
	User-Name = "user1"
	Calling-Station-Id = "bc-92-6b-aa-aa-aa"
	Called-Station-Id = "1c-e6-c7-bb-bb-bb:WifiAP"
	NAS-Port = 3
	Cisco-AVPair = "audit-session-id=ac1002fe0000096d536a43a4"
	NAS-IP-Address = 172.16.2.254
	NAS-Identifier = "cisco-ap-1"
	Airespace-Wlan-Id = 3
	Service-Type = Framed-User
	Framed-MTU = 1300
	NAS-Port-Type = Wireless-802.11
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "168"
	EAP-Message = 0x0201000f016162656e6b656d6f756e
	Message-Authenticator = 0x1b5aad0ef8877762ea2832178b4e0ab1
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++? if ("%{request:NAS-IP-Address}" == "172.16.2.254")
	expand: %{request:NAS-IP-Address} -> 172.16.2.254
? Evaluating ("%{request:NAS-IP-Address}" == "172.16.2.254") -> TRUE
++? if ("%{request:NAS-IP-Address}" == "172.16.2.254") -> TRUE
++- entering if ("%{request:NAS-IP-Address}" == "172.16.2.254") {...}
+++[request] returns notfound
++- if ("%{request:NAS-IP-Address}" == "172.16.2.254") returns notfound
++ ... skipping elsif for request 0: Preceding "if" was taken
++ ... skipping else for request 0: Preceding "if" was taken
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[ntdomain] No '\' in User-Name = "user1", looking up realm NULL
[ntdomain] Found realm "NULL"
[ntdomain] Adding Stripped-User-Name = "user1"
[ntdomain] Adding Realm = "NULL"
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
[eap] EAP packet type response id 1 length 15
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 251 to 172.16.2.254 port 32769
	EAP-Message = 0x010200061920
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x2eaf4ccd2ead553f96bd63d5fd0e3e5f
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.16.2.254 port 32769, id=252, length=401
	User-Name = "user1"
	Calling-Station-Id = "bc-92-6b-aa-aa-aa"
	Called-Station-Id = "1c-e6-c7-bb-bb-bb:WifiAP"
	NAS-Port = 3
	Cisco-AVPair = "audit-session-id=ac1002fe0000096d536a43a4"
	NAS-IP-Address = 172.16.2.254
	NAS-Identifier = "cisco-ap-1"
	Airespace-Wlan-Id = 3
	Service-Type = Framed-User
	Framed-MTU = 1300
	NAS-Port-Type = Wireless-802.11
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "168"
	EAP-Message = 0x0202009819800000008e1603010089010000850301536a43a6444bca59bfbbdf23e1910b4f04015192225639f4786e7f40b6822ef500004a00ffc024c023c00ac009c007c008c028c027c014c013c011c012c026c025c02ac029c005c004c002c003c00fc00ec00cc00d003d003c002f000500040035000a0067006b00330039001601000012000a00080006001700180019000b00020100
	State = 0x2eaf4ccd2ead553f96bd63d5fd0e3e5f
	Message-Authenticator = 0xb7ab88c129f84efe838c9e455df34eae
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++? if ("%{request:NAS-IP-Address}" == "172.16.2.254")
	expand: %{request:NAS-IP-Address} -> 172.16.2.254
? Evaluating ("%{request:NAS-IP-Address}" == "172.16.2.254") -> TRUE
++? if ("%{request:NAS-IP-Address}" == "172.16.2.254") -> TRUE
++- entering if ("%{request:NAS-IP-Address}" == "172.16.2.254") {...}
+++[request] returns notfound
++- if ("%{request:NAS-IP-Address}" == "172.16.2.254") returns notfound
++ ... skipping elsif for request 1: Preceding "if" was taken
++ ... skipping else for request 1: Preceding "if" was taken
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[ntdomain] No '\' in User-Name = "user1", looking up realm NULL
[ntdomain] Found realm "NULL"
[ntdomain] Adding Stripped-User-Name = "user1"
[ntdomain] Adding Realm = "NULL"
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
[eap] EAP packet type response id 2 length 152
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 142
[peap] Length Included
[peap] eaptls_verify returned 11
[peap]     (other): before/accept initialization
[peap]     TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 0089], ClientHello
[peap]     TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 0039], ServerHello
[peap]     TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 0550], Certificate
[peap]     TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange
[peap]     TLS_accept: SSLv3 write key exchange A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap]     TLS_accept: SSLv3 write server done A
[peap]     TLS_accept: SSLv3 flush data
[peap]     TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 252 to 172.16.2.254 port 32769
	EAP-Message = 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
	EAP-Message = 0x335a170d3139303631323039353933335a3081a2310b3009060355040613024348310d300b06035504081304566175643111300f060355040713084c617573616e6e653111300f060355040a13084e65787468696e6b3110300e060355040b13074954205465616d312c302a06035504031323636973636f2d7377632d323530302d312e696e7472612e6e65787468696e6b2e636f6d311e301c06092a864886f70d010901160f6974406e65787468696e6b2e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100ba39cee32672aca7bbf26026be98e0563338f575ae8f93fe4c62b12c9c1653938f7b7b146284
	EAP-Message = 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
	EAP-Message = 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
	EAP-Message = 0x0404251623687474703a2f2f
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x2eaf4ccd2fac553f96bd63d5fd0e3e5f
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.16.2.254 port 32769, id=253, length=255
	User-Name = "user1"
	Calling-Station-Id = "bc-92-6b-aa-aa-aa"
	Called-Station-Id = "1c-e6-c7-bb-bb-bb:WifiAP"
	NAS-Port = 3
	Cisco-AVPair = "audit-session-id=ac1002fe0000096d536a43a4"
	NAS-IP-Address = 172.16.2.254
	NAS-Identifier = "cisco-ap-1"
	Airespace-Wlan-Id = 3
	Service-Type = Framed-User
	Framed-MTU = 1300
	NAS-Port-Type = Wireless-802.11
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "168"
	EAP-Message = 0x020300061900
	State = 0x2eaf4ccd2fac553f96bd63d5fd0e3e5f
	Message-Authenticator = 0xe14e3c9ead9b88944258c7934f444fe8
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++? if ("%{request:NAS-IP-Address}" == "172.16.2.254")
	expand: %{request:NAS-IP-Address} -> 172.16.2.254
? Evaluating ("%{request:NAS-IP-Address}" == "172.16.2.254") -> TRUE
++? if ("%{request:NAS-IP-Address}" == "172.16.2.254") -> TRUE
++- entering if ("%{request:NAS-IP-Address}" == "172.16.2.254") {...}
+++[request] returns notfound
++- if ("%{request:NAS-IP-Address}" == "172.16.2.254") returns notfound
++ ... skipping elsif for request 2: Preceding "if" was taken
++ ... skipping else for request 2: Preceding "if" was taken
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[ntdomain] No '\' in User-Name = "user1", looking up realm NULL
[ntdomain] Found realm "NULL"
[ntdomain] Adding Stripped-User-Name = "user1"
[ntdomain] Adding Realm = "NULL"
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
[eap] EAP packet type response id 3 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 253 to 172.16.2.254 port 32769
	EAP-Message = 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
	EAP-Message = 0x617b4e14cdd8dda6627de232040efd97d69c71d926d44869e59e91fcfcb8f90a5875aa9ddec2417dfa82c35980e7dacbb7fdd7a6247b961ff3fe0db906a8544982cc72fa100fd5a799e809eb4b9c4e0dac5728573f0b95aae8439a55528227d946fc1efae3ad8c28cacf093b62f6a27950ae3ea2ca391717334744d73ecfcd0152b3cc7b9eed59c5ece62c91846fc0e126fa1d2bdc3a8f4a9d1f806f9487fabae3a214d59d6f160301014b0c0001470300174104ddfa1e9eb4aba37ed9f6718df44b350c01e5c0093d17eb66b67d037ffa765aa658bc9dcc5821bfcdea7ae0f3d602799c2b379b9174f157c9ae136e9ad5025dee0100ade26975d9f952
	EAP-Message = 0x14c06d26f4651e8c66cb7783fd9a10d4acc500dee83c016b4f71de3f62610299b67fffb8e3abb449ebbde99b782d1d0a94ff53a490f9ea4c536dfbb4c68495a9dd26ac4c51b5088194d5089e7cf8e7d621a97af03f57c209b19046f57ed1b8e41f4e5a9d5a9104e02bae4d32b070788a28e9902470c569a5cae54cfbe2f97114e8bbc9ac422ebe62766528e8471dd31c785fecfeeb14c539c305df7590314b2bdbf8e8f2399a116a26b2b36e2065b2ac08f052f330cd473ed2c1f39a4272a951c5f31b9fa9b3586e671e7be73d7954bac2d0c7c72718fde0b9ed77f1e65bbf2a384c2f9fbeb18d44ce443a9700e9335962cb4dd0dd689e503216030100
	EAP-Message = 0x040e000000
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x2eaf4ccd2cab553f96bd63d5fd0e3e5f
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.16.2.254 port 32769, id=254, length=393
	User-Name = "user1"
	Calling-Station-Id = "bc-92-6b-aa-aa-aa"
	Called-Station-Id = "1c-e6-c7-bb-bb-bb:WifiAP"
	NAS-Port = 3
	Cisco-AVPair = "audit-session-id=ac1002fe0000096d536a43a4"
	NAS-IP-Address = 172.16.2.254
	NAS-Identifier = "cisco-ap-1"
	Airespace-Wlan-Id = 3
	Service-Type = Framed-User
	Framed-MTU = 1300
	NAS-Port-Type = Wireless-802.11
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "168"
	EAP-Message = 0x02040090198000000086160301004610000042410479a5816fc4469badb7b96f2d7834854fdf750af1fe94bffa525defcf879bc6a05ea66400643db7ec9869c4c9f54149817a136f75e79b19d35d57851568f75d3a14030100010116030100302bed7dd77900cb202884e16b48589fbeaabf7e297a3a96d813c0b95baad8fe84b3e2692c838db3aba4ace134e7747aa2
	State = 0x2eaf4ccd2cab553f96bd63d5fd0e3e5f
	Message-Authenticator = 0x92ac34611d403b2f0799da5552ffeccf
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++? if ("%{request:NAS-IP-Address}" == "172.16.2.254")
	expand: %{request:NAS-IP-Address} -> 172.16.2.254
? Evaluating ("%{request:NAS-IP-Address}" == "172.16.2.254") -> TRUE
++? if ("%{request:NAS-IP-Address}" == "172.16.2.254") -> TRUE
++- entering if ("%{request:NAS-IP-Address}" == "172.16.2.254") {...}
+++[request] returns notfound
++- if ("%{request:NAS-IP-Address}" == "172.16.2.254") returns notfound
++ ... skipping elsif for request 3: Preceding "if" was taken
++ ... skipping else for request 3: Preceding "if" was taken
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[ntdomain] No '\' in User-Name = "user1", looking up realm NULL
[ntdomain] Found realm "NULL"
[ntdomain] Adding Stripped-User-Name = "user1"
[ntdomain] Adding Realm = "NULL"
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
[eap] EAP packet type response id 4 length 144
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 134
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange
[peap]     TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap]     TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap]     TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap]     TLS_accept: SSLv3 write finished A
[peap]     TLS_accept: SSLv3 flush data
[peap]     (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 254 to 172.16.2.254 port 32769
	EAP-Message = 0x010500411900140301000101160301003041d0c407f76f5234af15ff78f9ec99228fca6447b2ab593c26d7b33fb092deb4b7608eda7cefa100d7610e35623831dd
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x2eaf4ccd2daa553f96bd63d5fd0e3e5f
Finished request 3.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 172.16.2.254 port 32769, id=255, length=255
	User-Name = "user1"
	Calling-Station-Id = "bc-92-6b-aa-aa-aa"
	Called-Station-Id = "1c-e6-c7-bb-bb-bb:WifiAP"
	NAS-Port = 3
	Cisco-AVPair = "audit-session-id=ac1002fe0000096d536a43a4"
	NAS-IP-Address = 172.16.2.254
	NAS-Identifier = "cisco-ap-1"
	Airespace-Wlan-Id = 3
	Service-Type = Framed-User
	Framed-MTU = 1300
	NAS-Port-Type = Wireless-802.11
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "168"
	EAP-Message = 0x020500061900
	State = 0x2eaf4ccd2daa553f96bd63d5fd0e3e5f
	Message-Authenticator = 0x64b278fc4d4e892fdf0eaf6de21b6250
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++? if ("%{request:NAS-IP-Address}" == "172.16.2.254")
	expand: %{request:NAS-IP-Address} -> 172.16.2.254
? Evaluating ("%{request:NAS-IP-Address}" == "172.16.2.254") -> TRUE
++? if ("%{request:NAS-IP-Address}" == "172.16.2.254") -> TRUE
++- entering if ("%{request:NAS-IP-Address}" == "172.16.2.254") {...}
+++[request] returns notfound
++- if ("%{request:NAS-IP-Address}" == "172.16.2.254") returns notfound
++ ... skipping elsif for request 4: Preceding "if" was taken
++ ... skipping else for request 4: Preceding "if" was taken
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[ntdomain] No '\' in User-Name = "user1", looking up realm NULL
[ntdomain] Found realm "NULL"
[ntdomain] Adding Stripped-User-Name = "user1"
[ntdomain] Adding Realm = "NULL"
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
[eap] EAP packet type response id 5 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state TUNNEL ESTABLISHED
++[eap] returns handled
Sending Access-Challenge of id 255 to 172.16.2.254 port 32769
	EAP-Message = 0x0106002b1900170301002017ab6fcfec80bac56aef6061cc21dd5936e5f17ba6871bd39c0e0f39f03b5250
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x2eaf4ccd2aa9553f96bd63d5fd0e3e5f
Finished request 4.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 172.16.2.254 port 32769, id=0, length=292
	User-Name = "user1"
	Calling-Station-Id = "bc-92-6b-aa-aa-aa"
	Called-Station-Id = "1c-e6-c7-bb-bb-bb:WifiAP"
	NAS-Port = 3
	Cisco-AVPair = "audit-session-id=ac1002fe0000096d536a43a4"
	NAS-IP-Address = 172.16.2.254
	NAS-Identifier = "cisco-ap-1"
	Airespace-Wlan-Id = 3
	Service-Type = Framed-User
	Framed-MTU = 1300
	NAS-Port-Type = Wireless-802.11
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "168"
	EAP-Message = 0x0206002b1900170301002050a7b15799682707695b0ecca644c907cd9b7126153b23cbffbfc55d36a93a4a
	State = 0x2eaf4ccd2aa9553f96bd63d5fd0e3e5f
	Message-Authenticator = 0x154a6f183ef57ed2759cdb84d248eb7b
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++? if ("%{request:NAS-IP-Address}" == "172.16.2.254")
	expand: %{request:NAS-IP-Address} -> 172.16.2.254
? Evaluating ("%{request:NAS-IP-Address}" == "172.16.2.254") -> TRUE
++? if ("%{request:NAS-IP-Address}" == "172.16.2.254") -> TRUE
++- entering if ("%{request:NAS-IP-Address}" == "172.16.2.254") {...}
+++[request] returns notfound
++- if ("%{request:NAS-IP-Address}" == "172.16.2.254") returns notfound
++ ... skipping elsif for request 5: Preceding "if" was taken
++ ... skipping else for request 5: Preceding "if" was taken
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[ntdomain] No '\' in User-Name = "user1", looking up realm NULL
[ntdomain] Found realm "NULL"
[ntdomain] Adding Stripped-User-Name = "user1"
[ntdomain] Adding Realm = "NULL"
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
[eap] EAP packet type response id 6 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state WAITING FOR INNER IDENTITY
[peap] Identity - user1
[peap] Got inner identity 'user1'
[peap] Setting default EAP type for tunneled EAP session.
[peap] Got tunneled request
	EAP-Message = 0x0206000f016162656e6b656d6f756e
server  {
[peap] Setting User-Name to user1
Sending tunneled request
	EAP-Message = 0x0206000f016162656e6b656d6f756e
	FreeRADIUS-Proxied-To = 127.0.0.1
	User-Name = "user1"
server inner-tunnel {
# Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[ntdomain] No '\' in User-Name = "user1", looking up realm NULL
[ntdomain] Found realm "NULL"
[ntdomain] Adding Stripped-User-Name = "user1"
[ntdomain] Adding Realm = "NULL"
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
++[control] returns ok
[eap] EAP packet type response id 6 length 15
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
	EAP-Message = 0x010700241a0107001f1057083219cce753ec4da2946e4cf315b96162656e6b656d6f756e
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x6a5cdbc96a5bc19791d80465670c3e25
[peap] Got tunneled reply RADIUS code 11
	EAP-Message = 0x010700241a0107001f1057083219cce753ec4da2946e4cf315b96162656e6b656d6f756e
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x6a5cdbc96a5bc19791d80465670c3e25
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 0 to 172.16.2.254 port 32769
	EAP-Message = 0x0107004b190017030100405edb4c91479e44b4fbd4542db40e3bee3aed09237d3fd39be1dca6f7b6dfb6d151c78bbac47a3e6a5d0b5a17ac2aa81e942f6c966bc1f04f21e41e3af729237e
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x2eaf4ccd2ba8553f96bd63d5fd0e3e5f
Finished request 5.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 172.16.2.254 port 32769, id=1, length=356
	User-Name = "user1"
	Calling-Station-Id = "bc-92-6b-aa-aa-aa"
	Called-Station-Id = "1c-e6-c7-bb-bb-bb:WifiAP"
	NAS-Port = 3
	Cisco-AVPair = "audit-session-id=ac1002fe0000096d536a43a4"
	NAS-IP-Address = 172.16.2.254
	NAS-Identifier = "cisco-ap-1"
	Airespace-Wlan-Id = 3
	Service-Type = Framed-User
	Framed-MTU = 1300
	NAS-Port-Type = Wireless-802.11
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "168"
	EAP-Message = 0x0207006b190017030100605ec951545ca8b0283435811c00367d135a3573a01c484b2c3caef30d1dc21d48e463ec0edeb61f0531bef4bc621f666ed6c370d3d9c56c9449a448beeaac32fc3efbbcb3fb01b47dcd98a26a9b2231b051870ed9701c6232b1e3cb83764bda9d
	State = 0x2eaf4ccd2ba8553f96bd63d5fd0e3e5f
	Message-Authenticator = 0x322b09af70b49fce3659602a50ef58fb
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++? if ("%{request:NAS-IP-Address}" == "172.16.2.254")
	expand: %{request:NAS-IP-Address} -> 172.16.2.254
? Evaluating ("%{request:NAS-IP-Address}" == "172.16.2.254") -> TRUE
++? if ("%{request:NAS-IP-Address}" == "172.16.2.254") -> TRUE
++- entering if ("%{request:NAS-IP-Address}" == "172.16.2.254") {...}
+++[request] returns notfound
++- if ("%{request:NAS-IP-Address}" == "172.16.2.254") returns notfound
++ ... skipping elsif for request 6: Preceding "if" was taken
++ ... skipping else for request 6: Preceding "if" was taken
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[ntdomain] No '\' in User-Name = "user1", looking up realm NULL
[ntdomain] Found realm "NULL"
[ntdomain] Adding Stripped-User-Name = "user1"
[ntdomain] Adding Realm = "NULL"
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
[eap] EAP packet type response id 7 length 107
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
	EAP-Message = 0x020700451a0207004031e4a9b4721b606c910d4cbfae477a37e30000000000000000279a92d632ac266295b6bf7ddcd03019b97daabbcf55de3a006162656e6b656d6f756e
server  {
[peap] Setting User-Name to user1
Sending tunneled request
	EAP-Message = 0x020700451a0207004031e4a9b4721b606c910d4cbfae477a37e30000000000000000279a92d632ac266295b6bf7ddcd03019b97daabbcf55de3a006162656e6b656d6f756e
	FreeRADIUS-Proxied-To = 127.0.0.1
	User-Name = "user1"
	State = 0x6a5cdbc96a5bc19791d80465670c3e25
server inner-tunnel {
# Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[ntdomain] No '\' in User-Name = "user1", looking up realm NULL
[ntdomain] Found realm "NULL"
[ntdomain] Adding Stripped-User-Name = "user1"
[ntdomain] Adding Realm = "NULL"
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
++[control] returns ok
[eap] EAP packet type response id 7 length 69
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
[mschapv2] +- entering group MS-CHAP {...}
[mschap] Creating challenge hash with username: user1
[mschap] Told to do MS-CHAPv2 for user1 with NT-Password
[mschap] 	expand: %{Stripped-User-Name} -> user1
[mschap] 	expand: --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} -> --username=user1
[mschap] Creating challenge hash with username: user1
[mschap] 	expand: %{mschap:Challenge} -> 8ca1377208f1742e
[mschap] 	expand: --challenge=%{%{mschap:Challenge}:-00} -> --challenge=8ca1377208f1742e
[mschap] 	expand: %{mschap:NT-Response} -> 279a92d632ac266295b6bf7ddcd03019b97daabbcf55de3a
[mschap] 	expand: --nt-response=%{%{mschap:NT-Response}:-00} -> --nt-response=279a92d632ac266295b6bf7ddcd03019b97daabbcf55de3a
[mschap] 	expand: --require-membership-of=%{request:NTLM-Group-Required} -> --require-membership-of=
Could not parse  into seperate domain/name parts!
Exec-Program output: (null) (0xc000000d)
Exec-Program-Wait: plaintext: (null) (0xc000000d)
Exec-Program: returned: 1
[mschap] External script failed.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
Login incorrect (mschap: External script says (null) (0xc000000d)): [user1] (from client 172.16.2.254 port 0 via TLS tunnel)
} # server inner-tunnel
[peap] Got tunneled reply code 3
	MS-CHAP-Error = "\007E=691 R=1"
	EAP-Message = 0x04070004
	Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code 3
	MS-CHAP-Error = "\007E=691 R=1"
	EAP-Message = 0x04070004
	Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] returns handled
Sending Access-Challenge of id 1 to 172.16.2.254 port 32769
	EAP-Message = 0x0108002b19001703010020feb623eb0bb3dca917592b6afe1500709bd79b96337e135d970d06b8997c26d0
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x2eaf4ccd28a7553f96bd63d5fd0e3e5f
Finished request 6.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 172.16.2.254 port 32769, id=2, length=292
	User-Name = "user1"
	Calling-Station-Id = "bc-92-6b-aa-aa-aa"
	Called-Station-Id = "1c-e6-c7-bb-bb-bb:WifiAP"
	NAS-Port = 3
	Cisco-AVPair = "audit-session-id=ac1002fe0000096d536a43a4"
	NAS-IP-Address = 172.16.2.254
	NAS-Identifier = "cisco-ap-1"
	Airespace-Wlan-Id = 3
	Service-Type = Framed-User
	Framed-MTU = 1300
	NAS-Port-Type = Wireless-802.11
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "168"
	EAP-Message = 0x0208002b1900170301002019b84798928d1bde9fcf75002a3e1044b6dd2fa2cce8da7f6cab1292767e66cb
	State = 0x2eaf4ccd28a7553f96bd63d5fd0e3e5f
	Message-Authenticator = 0x290721d82f147cc6fc88b27c5d3b81b1
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++? if ("%{request:NAS-IP-Address}" == "172.16.2.254")
	expand: %{request:NAS-IP-Address} -> 172.16.2.254
? Evaluating ("%{request:NAS-IP-Address}" == "172.16.2.254") -> TRUE
++? if ("%{request:NAS-IP-Address}" == "172.16.2.254") -> TRUE
++- entering if ("%{request:NAS-IP-Address}" == "172.16.2.254") {...}
+++[request] returns notfound
++- if ("%{request:NAS-IP-Address}" == "172.16.2.254") returns notfound
++ ... skipping elsif for request 7: Preceding "if" was taken
++ ... skipping else for request 7: Preceding "if" was taken
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[ntdomain] No '\' in User-Name = "user1", looking up realm NULL
[ntdomain] Found realm "NULL"
[ntdomain] Adding Stripped-User-Name = "user1"
[ntdomain] Adding Realm = "NULL"
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
[eap] EAP packet type response id 8 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state send tlv failure
[peap] Received EAP-TLV response.
[peap]  The users session was previously rejected: returning reject (again.)
[peap]  *** This means you need to read the PREVIOUS messages in the debug output
[peap]  *** to find out the reason why the user was rejected.
[peap]  *** Look for "reject" or "fail".  Those earlier messages will tell you.
[peap]  *** what went wrong, and how to fix the problem.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect: [user1] (from client 172.16.2.254 port 3 cli bc-92-6b-aa-aa-aa)
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] 	expand: %{User-Name} -> user1
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 7 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 7
Sending Access-Reject of id 2 to 172.16.2.254 port 32769
	EAP-Message = 0x04080004
	Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.8 seconds.
rad_recv: Access-Request packet from host 172.16.2.254 port 32769, id=3, length=246
	User-Name = "user1"
	Calling-Station-Id = "bc-92-6b-aa-aa-aa"
	Called-Station-Id = "1c-e6-c7-bb-bb-bb:WifiAP"
	NAS-Port = 3
	Cisco-AVPair = "audit-session-id=ac1002fe0000096d536a43a4"
	NAS-IP-Address = 172.16.2.254
	NAS-Identifier = "cisco-ap-1"
	Airespace-Wlan-Id = 3
	Service-Type = Framed-User
	Framed-MTU = 1300
	NAS-Port-Type = Wireless-802.11
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "168"
	EAP-Message = 0x0201000f016162656e6b656d6f756e
	Message-Authenticator = 0xef0454742ef67005127515ded256b71a
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++? if ("%{request:NAS-IP-Address}" == "172.16.2.254")
	expand: %{request:NAS-IP-Address} -> 172.16.2.254
? Evaluating ("%{request:NAS-IP-Address}" == "172.16.2.254") -> TRUE
++? if ("%{request:NAS-IP-Address}" == "172.16.2.254") -> TRUE
++- entering if ("%{request:NAS-IP-Address}" == "172.16.2.254") {...}
+++[request] returns notfound
++- if ("%{request:NAS-IP-Address}" == "172.16.2.254") returns notfound
++ ... skipping elsif for request 8: Preceding "if" was taken
++ ... skipping else for request 8: Preceding "if" was taken
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[ntdomain] No '\' in User-Name = "user1", looking up realm NULL
[ntdomain] Found realm "NULL"
[ntdomain] Adding Stripped-User-Name = "user1"
[ntdomain] Adding Realm = "NULL"
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
[eap] EAP packet type response id 1 length 15
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 3 to 172.16.2.254 port 32769
	EAP-Message = 0x010200061920
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xd864ff25d866e67d724fec8265bde908
Finished request 8.
Going to the next request
Waking up in 2.0 seconds.
rad_recv: Access-Request packet from host 172.16.2.254 port 32769, id=4, length=401
	User-Name = "user1"
	Calling-Station-Id = "bc-92-6b-aa-aa-aa"
	Called-Station-Id = "1c-e6-c7-bb-bb-bb:WifiAP"
	NAS-Port = 3
	Cisco-AVPair = "audit-session-id=ac1002fe0000096d536a43a4"
	NAS-IP-Address = 172.16.2.254
	NAS-Identifier = "cisco-ap-1"
	Airespace-Wlan-Id = 3
	Service-Type = Framed-User
	Framed-MTU = 1300
	NAS-Port-Type = Wireless-802.11
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "168"
	EAP-Message = 0x0202009819800000008e1603010089010000850301536a43a90310de667ed488f873dba4d02a4f737c10edfb934fa6f18c237690fd00004a00ffc024c023c00ac009c007c008c028c027c014c013c011c012c026c025c02ac029c005c004c002c003c00fc00ec00cc00d003d003c002f000500040035000a0067006b00330039001601000012000a00080006001700180019000b00020100
	State = 0xd864ff25d866e67d724fec8265bde908
	Message-Authenticator = 0x2cf136d506f7df502ecc34ba6b7a30f3
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++? if ("%{request:NAS-IP-Address}" == "172.16.2.254")
	expand: %{request:NAS-IP-Address} -> 172.16.2.254
? Evaluating ("%{request:NAS-IP-Address}" == "172.16.2.254") -> TRUE
++? if ("%{request:NAS-IP-Address}" == "172.16.2.254") -> TRUE
++- entering if ("%{request:NAS-IP-Address}" == "172.16.2.254") {...}
+++[request] returns notfound
++- if ("%{request:NAS-IP-Address}" == "172.16.2.254") returns notfound
++ ... skipping elsif for request 9: Preceding "if" was taken
++ ... skipping else for request 9: Preceding "if" was taken
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[ntdomain] No '\' in User-Name = "user1", looking up realm NULL
[ntdomain] Found realm "NULL"
[ntdomain] Adding Stripped-User-Name = "user1"
[ntdomain] Adding Realm = "NULL"
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
[eap] EAP packet type response id 2 length 152
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 142
[peap] Length Included
[peap] eaptls_verify returned 11
[peap]     (other): before/accept initialization
[peap]     TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 0089], ClientHello
[peap]     TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 0039], ServerHello
[peap]     TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 0550], Certificate
[peap]     TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange
[peap]     TLS_accept: SSLv3 write key exchange A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap]     TLS_accept: SSLv3 write server done A
[peap]     TLS_accept: SSLv3 flush data
[peap]     TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 4 to 172.16.2.254 port 32769
	EAP-Message = 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
	EAP-Message = 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
	EAP-Message = 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
	EAP-Message = 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
	EAP-Message = 0x0404251623687474703a2f2f
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xd864ff25d967e67d724fec8265bde908
Finished request 9.
Going to the next request
Waking up in 1.8 seconds.
rad_recv: Access-Request packet from host 172.16.2.254 port 32769, id=5, length=255
	User-Name = "user1"
	Calling-Station-Id = "bc-92-6b-aa-aa-aa"
	Called-Station-Id = "1c-e6-c7-bb-bb-bb:WifiAP"
	NAS-Port = 3
	Cisco-AVPair = "audit-session-id=ac1002fe0000096d536a43a4"
	NAS-IP-Address = 172.16.2.254
	NAS-Identifier = "cisco-ap-1"
	Airespace-Wlan-Id = 3
	Service-Type = Framed-User
	Framed-MTU = 1300
	NAS-Port-Type = Wireless-802.11
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "168"
	EAP-Message = 0x020300061900
	State = 0xd864ff25d967e67d724fec8265bde908
	Message-Authenticator = 0xc23739ad862e1f6d0f7c7239e03e0bae
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++? if ("%{request:NAS-IP-Address}" == "172.16.2.254")
	expand: %{request:NAS-IP-Address} -> 172.16.2.254
? Evaluating ("%{request:NAS-IP-Address}" == "172.16.2.254") -> TRUE
++? if ("%{request:NAS-IP-Address}" == "172.16.2.254") -> TRUE
++- entering if ("%{request:NAS-IP-Address}" == "172.16.2.254") {...}
+++[request] returns notfound
++- if ("%{request:NAS-IP-Address}" == "172.16.2.254") returns notfound
++ ... skipping elsif for request 10: Preceding "if" was taken
++ ... skipping else for request 10: Preceding "if" was taken
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[ntdomain] No '\' in User-Name = "user1", looking up realm NULL
[ntdomain] Found realm "NULL"
[ntdomain] Adding Stripped-User-Name = "user1"
[ntdomain] Adding Realm = "NULL"
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
[eap] EAP packet type response id 3 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 5 to 172.16.2.254 port 32769
	EAP-Message = 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
	EAP-Message = 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
	EAP-Message = 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
	EAP-Message = 0x040e000000
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xd864ff25da60e67d724fec8265bde908
Finished request 10.
Going to the next request
Waking up in 1.8 seconds.
rad_recv: Access-Request packet from host 172.16.2.254 port 32769, id=6, length=393
	User-Name = "user1"
	Calling-Station-Id = "bc-92-6b-aa-aa-aa"
	Called-Station-Id = "1c-e6-c7-bb-bb-bb:WifiAP"
	NAS-Port = 3
	Cisco-AVPair = "audit-session-id=ac1002fe0000096d536a43a4"
	NAS-IP-Address = 172.16.2.254
	NAS-Identifier = "cisco-ap-1"
	Airespace-Wlan-Id = 3
	Service-Type = Framed-User
	Framed-MTU = 1300
	NAS-Port-Type = Wireless-802.11
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "168"
	EAP-Message = 0x02040090198000000086160301004610000042410465523734a03ce7e9294aa90ab1bdf73edf995304ed48594a22b89d9fda69b9e3f16fd81e69efb8c429c6978eb49954ab7ae742e075a49f9348d192b9da94a08b14030100010116030100300941f6b3bdb0e41dcd8db6feb7b532b06cc311d8a104046aa3a5ee388dfc7910abfcad52a634822025a635079bd931e1
	State = 0xd864ff25da60e67d724fec8265bde908
	Message-Authenticator = 0x2cd9b972ebdbfb770feea1c7084f121c
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++? if ("%{request:NAS-IP-Address}" == "172.16.2.254")
	expand: %{request:NAS-IP-Address} -> 172.16.2.254
? Evaluating ("%{request:NAS-IP-Address}" == "172.16.2.254") -> TRUE
++? if ("%{request:NAS-IP-Address}" == "172.16.2.254") -> TRUE
++- entering if ("%{request:NAS-IP-Address}" == "172.16.2.254") {...}
+++[request] returns notfound
++- if ("%{request:NAS-IP-Address}" == "172.16.2.254") returns notfound
++ ... skipping elsif for request 11: Preceding "if" was taken
++ ... skipping else for request 11: Preceding "if" was taken
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[ntdomain] No '\' in User-Name = "user1", looking up realm NULL
[ntdomain] Found realm "NULL"
[ntdomain] Adding Stripped-User-Name = "user1"
[ntdomain] Adding Realm = "NULL"
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
[eap] EAP packet type response id 4 length 144
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 134
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange
[peap]     TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap]     TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap]     TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap]     TLS_accept: SSLv3 write finished A
[peap]     TLS_accept: SSLv3 flush data
[peap]     (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 6 to 172.16.2.254 port 32769
	EAP-Message = 0x01050041190014030100010116030100309ef6c697a3b591a0093d0e8820f8730c6e3aa04fbaceda76a9bfe6de1f460580aa5c1ad747bd56b16b322d53efe5d6a5
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xd864ff25db61e67d724fec8265bde908
Finished request 11.
Going to the next request
Waking up in 1.5 seconds.
rad_recv: Access-Request packet from host 172.16.2.254 port 32769, id=7, length=255
	User-Name = "user1"
	Calling-Station-Id = "bc-92-6b-aa-aa-aa"
	Called-Station-Id = "1c-e6-c7-bb-bb-bb:WifiAP"
	NAS-Port = 3
	Cisco-AVPair = "audit-session-id=ac1002fe0000096d536a43a4"
	NAS-IP-Address = 172.16.2.254
	NAS-Identifier = "cisco-ap-1"
	Airespace-Wlan-Id = 3
	Service-Type = Framed-User
	Framed-MTU = 1300
	NAS-Port-Type = Wireless-802.11
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "168"
	EAP-Message = 0x020500061900
	State = 0xd864ff25db61e67d724fec8265bde908
	Message-Authenticator = 0xd3ac100b594700e6e1e5022e10700a62
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++? if ("%{request:NAS-IP-Address}" == "172.16.2.254")
	expand: %{request:NAS-IP-Address} -> 172.16.2.254
? Evaluating ("%{request:NAS-IP-Address}" == "172.16.2.254") -> TRUE
++? if ("%{request:NAS-IP-Address}" == "172.16.2.254") -> TRUE
++- entering if ("%{request:NAS-IP-Address}" == "172.16.2.254") {...}
+++[request] returns notfound
++- if ("%{request:NAS-IP-Address}" == "172.16.2.254") returns notfound
++ ... skipping elsif for request 12: Preceding "if" was taken
++ ... skipping else for request 12: Preceding "if" was taken
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[ntdomain] No '\' in User-Name = "user1", looking up realm NULL
[ntdomain] Found realm "NULL"
[ntdomain] Adding Stripped-User-Name = "user1"
[ntdomain] Adding Realm = "NULL"
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
[eap] EAP packet type response id 5 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state TUNNEL ESTABLISHED
++[eap] returns handled
Sending Access-Challenge of id 7 to 172.16.2.254 port 32769
	EAP-Message = 0x0106002b19001703010020ebe2fa589f360ffc2ce812a7f1082a300c2f308607cc2100a483cd8636a2bb50
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xd864ff25dc62e67d724fec8265bde908
Finished request 12.
Going to the next request
Waking up in 1.5 seconds.
rad_recv: Access-Request packet from host 172.16.2.254 port 32769, id=8, length=292
	User-Name = "user1"
	Calling-Station-Id = "bc-92-6b-aa-aa-aa"
	Called-Station-Id = "1c-e6-c7-bb-bb-bb:WifiAP"
	NAS-Port = 3
	Cisco-AVPair = "audit-session-id=ac1002fe0000096d536a43a4"
	NAS-IP-Address = 172.16.2.254
	NAS-Identifier = "cisco-ap-1"
	Airespace-Wlan-Id = 3
	Service-Type = Framed-User
	Framed-MTU = 1300
	NAS-Port-Type = Wireless-802.11
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "168"
	EAP-Message = 0x0206002b190017030100202ed0c0fa87656289851bde561203fc530a4bc5695c2853429bf542f985236d01
	State = 0xd864ff25dc62e67d724fec8265bde908
	Message-Authenticator = 0x8d7853676140a0cf23c34a159f23ca9f
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++? if ("%{request:NAS-IP-Address}" == "172.16.2.254")
	expand: %{request:NAS-IP-Address} -> 172.16.2.254
? Evaluating ("%{request:NAS-IP-Address}" == "172.16.2.254") -> TRUE
++? if ("%{request:NAS-IP-Address}" == "172.16.2.254") -> TRUE
++- entering if ("%{request:NAS-IP-Address}" == "172.16.2.254") {...}
+++[request] returns notfound
++- if ("%{request:NAS-IP-Address}" == "172.16.2.254") returns notfound
++ ... skipping elsif for request 13: Preceding "if" was taken
++ ... skipping else for request 13: Preceding "if" was taken
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[ntdomain] No '\' in User-Name = "user1", looking up realm NULL
[ntdomain] Found realm "NULL"
[ntdomain] Adding Stripped-User-Name = "user1"
[ntdomain] Adding Realm = "NULL"
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
[eap] EAP packet type response id 6 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state WAITING FOR INNER IDENTITY
[peap] Identity - user1
[peap] Got inner identity 'user1'
[peap] Setting default EAP type for tunneled EAP session.
[peap] Got tunneled request
	EAP-Message = 0x0206000f016162656e6b656d6f756e
server  {
[peap] Setting User-Name to user1
Sending tunneled request
	EAP-Message = 0x0206000f016162656e6b656d6f756e
	FreeRADIUS-Proxied-To = 127.0.0.1
	User-Name = "user1"
server inner-tunnel {
# Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[ntdomain] No '\' in User-Name = "user1", looking up realm NULL
[ntdomain] Found realm "NULL"
[ntdomain] Adding Stripped-User-Name = "user1"
[ntdomain] Adding Realm = "NULL"
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
++[control] returns ok
[eap] EAP packet type response id 6 length 15
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
	EAP-Message = 0x010700241a0107001f10dd48fc50339afd40eeb45d1a42c441d16162656e6b656d6f756e
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x26cbc59926ccdf9d42d5aad01356b8d4
[peap] Got tunneled reply RADIUS code 11
	EAP-Message = 0x010700241a0107001f10dd48fc50339afd40eeb45d1a42c441d16162656e6b656d6f756e
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x26cbc59926ccdf9d42d5aad01356b8d4
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 8 to 172.16.2.254 port 32769
	EAP-Message = 0x0107004b1900170301004060a123198a4de75c4dea3082f6c982779e62e1320dad9a47d826e932a14cb74274e6f0a83d978599d93402f2d936b680e1b94fff0381a1014e70dc4d2553396e
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xd864ff25dd63e67d724fec8265bde908
Finished request 13.
Going to the next request
Waking up in 1.5 seconds.
rad_recv: Access-Request packet from host 172.16.2.254 port 32769, id=9, length=356
	User-Name = "user1"
	Calling-Station-Id = "bc-92-6b-aa-aa-aa"
	Called-Station-Id = "1c-e6-c7-bb-bb-bb:WifiAP"
	NAS-Port = 3
	Cisco-AVPair = "audit-session-id=ac1002fe0000096d536a43a4"
	NAS-IP-Address = 172.16.2.254
	NAS-Identifier = "cisco-ap-1"
	Airespace-Wlan-Id = 3
	Service-Type = Framed-User
	Framed-MTU = 1300
	NAS-Port-Type = Wireless-802.11
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "168"
	EAP-Message = 0x0207006b190017030100607c3790d7ef3ab9b4bd3afdbc886ab2858d4ae0245c2c6c319fcc6e2779dd178d925be524703ea209f9ca275622178ace50e7e0799597ee87472655dc67e4367455be9555df9f705d26b133793e6b600fffd16456de72dd1da02e9413d1fe75f4
	State = 0xd864ff25dd63e67d724fec8265bde908
	Message-Authenticator = 0xafc5c3ea6de3504bbe6465406721cb95
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++? if ("%{request:NAS-IP-Address}" == "172.16.2.254")
	expand: %{request:NAS-IP-Address} -> 172.16.2.254
? Evaluating ("%{request:NAS-IP-Address}" == "172.16.2.254") -> TRUE
++? if ("%{request:NAS-IP-Address}" == "172.16.2.254") -> TRUE
++- entering if ("%{request:NAS-IP-Address}" == "172.16.2.254") {...}
+++[request] returns notfound
++- if ("%{request:NAS-IP-Address}" == "172.16.2.254") returns notfound
++ ... skipping elsif for request 14: Preceding "if" was taken
++ ... skipping else for request 14: Preceding "if" was taken
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[ntdomain] No '\' in User-Name = "user1", looking up realm NULL
[ntdomain] Found realm "NULL"
[ntdomain] Adding Stripped-User-Name = "user1"
[ntdomain] Adding Realm = "NULL"
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
[eap] EAP packet type response id 7 length 107
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
	EAP-Message = 0x020700451a0207004031f9f5cbb4ddaf2892719829fd9bb26356000000000000000014db6cd3d628987cf96dc4c9029301b17f7ea5c2837b8874006162656e6b656d6f756e
server  {
[peap] Setting User-Name to user1
Sending tunneled request
	EAP-Message = 0x020700451a0207004031f9f5cbb4ddaf2892719829fd9bb26356000000000000000014db6cd3d628987cf96dc4c9029301b17f7ea5c2837b8874006162656e6b656d6f756e
	FreeRADIUS-Proxied-To = 127.0.0.1
	User-Name = "user1"
	State = 0x26cbc59926ccdf9d42d5aad01356b8d4
server inner-tunnel {
# Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[ntdomain] No '\' in User-Name = "user1", looking up realm NULL
[ntdomain] Found realm "NULL"
[ntdomain] Adding Stripped-User-Name = "user1"
[ntdomain] Adding Realm = "NULL"
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
++[control] returns ok
[eap] EAP packet type response id 7 length 69
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
[mschapv2] +- entering group MS-CHAP {...}
[mschap] Creating challenge hash with username: user1
[mschap] Told to do MS-CHAPv2 for user1 with NT-Password
[mschap] 	expand: %{Stripped-User-Name} -> user1
[mschap] 	expand: --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} -> --username=user1
[mschap] Creating challenge hash with username: user1
[mschap] 	expand: %{mschap:Challenge} -> 758a3904d98ee0d6
[mschap] 	expand: --challenge=%{%{mschap:Challenge}:-00} -> --challenge=758a3904d98ee0d6
[mschap] 	expand: %{mschap:NT-Response} -> 14db6cd3d628987cf96dc4c9029301b17f7ea5c2837b8874
[mschap] 	expand: --nt-response=%{%{mschap:NT-Response}:-00} -> --nt-response=14db6cd3d628987cf96dc4c9029301b17f7ea5c2837b8874
[mschap] 	expand: --require-membership-of=%{request:NTLM-Group-Required} -> --require-membership-of=
Could not parse  into seperate domain/name parts!
Exec-Program output: (null) (0xc000000d)
Exec-Program-Wait: plaintext: (null) (0xc000000d)
Exec-Program: returned: 1
[mschap] External script failed.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
Login incorrect (mschap: External script says (null) (0xc000000d)): [user1] (from client 172.16.2.254 port 0 via TLS tunnel)
} # server inner-tunnel
[peap] Got tunneled reply code 3
	MS-CHAP-Error = "\007E=691 R=1"
	EAP-Message = 0x04070004
	Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code 3
	MS-CHAP-Error = "\007E=691 R=1"
	EAP-Message = 0x04070004
	Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] returns handled
Sending Access-Challenge of id 9 to 172.16.2.254 port 32769
	EAP-Message = 0x0108002b19001703010020df11358c618d7724dc94e50e988bc104feceb801687c7f6d3e521f967399a96e
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xd864ff25de6ce67d724fec8265bde908
Finished request 14.
Going to the next request
Waking up in 1.5 seconds.
rad_recv: Access-Request packet from host 172.16.2.254 port 32769, id=10, length=292
	User-Name = "user1"
	Calling-Station-Id = "bc-92-6b-aa-aa-aa"
	Called-Station-Id = "1c-e6-c7-bb-bb-bb:WifiAP"
	NAS-Port = 3
	Cisco-AVPair = "audit-session-id=ac1002fe0000096d536a43a4"
	NAS-IP-Address = 172.16.2.254
	NAS-Identifier = "cisco-ap-1"
	Airespace-Wlan-Id = 3
	Service-Type = Framed-User
	Framed-MTU = 1300
	NAS-Port-Type = Wireless-802.11
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "168"
	EAP-Message = 0x0208002b1900170301002096139b810b608b186b59db65e9d832b454b9f15a4445131330c212922c7e56db
	State = 0xd864ff25de6ce67d724fec8265bde908
	Message-Authenticator = 0x75af079e0a94a782e2a349b17eb87ef9
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++? if ("%{request:NAS-IP-Address}" == "172.16.2.254")
	expand: %{request:NAS-IP-Address} -> 172.16.2.254
? Evaluating ("%{request:NAS-IP-Address}" == "172.16.2.254") -> TRUE
++? if ("%{request:NAS-IP-Address}" == "172.16.2.254") -> TRUE
++- entering if ("%{request:NAS-IP-Address}" == "172.16.2.254") {...}
+++[request] returns notfound
++- if ("%{request:NAS-IP-Address}" == "172.16.2.254") returns notfound
++ ... skipping elsif for request 15: Preceding "if" was taken
++ ... skipping else for request 15: Preceding "if" was taken
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[ntdomain] No '\' in User-Name = "user1", looking up realm NULL
[ntdomain] Found realm "NULL"
[ntdomain] Adding Stripped-User-Name = "user1"
[ntdomain] Adding Realm = "NULL"
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
[eap] EAP packet type response id 8 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state send tlv failure
[peap] Received EAP-TLV response.
[peap]  The users session was previously rejected: returning reject (again.)
[peap]  *** This means you need to read the PREVIOUS messages in the debug output
[peap]  *** to find out the reason why the user was rejected.
[peap]  *** Look for "reject" or "fail".  Those earlier messages will tell you.
[peap]  *** what went wrong, and how to fix the problem.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect: [user1] (from client 172.16.2.254 port 3 cli bc-92-6b-aa-aa-aa)
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] 	expand: %{User-Name} -> user1
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 15 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 15
Sending Access-Reject of id 10 to 172.16.2.254 port 32769
	EAP-Message = 0x04080004
	Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 0.5 seconds.
Cleaning up request 0 ID 251 with timestamp +6
Cleaning up request 1 ID 252 with timestamp +6
Cleaning up request 2 ID 253 with timestamp +6
Cleaning up request 3 ID 254 with timestamp +6
Cleaning up request 4 ID 255 with timestamp +6
Cleaning up request 5 ID 0 with timestamp +6
Cleaning up request 6 ID 1 with timestamp +6
Waking up in 1.0 seconds.
________________________________________
From: freeradius-users-bounces+antoine.benkemoun=nexthink.com at lists.freeradius.org <freeradius-users-bounces+antoine.benkemoun=nexthink.com at lists.freeradius.org> on behalf of Phil Mayers <p.mayers at imperial.ac.uk>
Sent: Wednesday, May 7, 2014 3:55 PM
To: freeradius-users at lists.freeradius.org
Subject: Re: Setting ntlm_auth parameters depending on NAS-IP-Address

On 07/05/14 14:17, Antoine Benkemoun wrote:

> What am I doing incorrectly ?

Only sending a tiny portion of the debugging...