using external script in virtual server config
the2nd at otpme.org
the2nd at otpme.org
Tue Jan 27 19:05:45 CET 2015
On 2015-01-27 14:17, Alan DeKok wrote:
> On Jan 27, 2015, at 3:56 AM, the2nd at otpme.org wrote:
>> btw. rlm_python examples do not show how to handle mschap requests. it
>> would be of much help to have an example.
>
> No.
>
> Read RFC 2548. Or, the source code to rlm_mschap. This is already
> available to you.
>
>> the output of authData i send in my last mail is just what i receive
>> from rlm_python. there is nothing i have invented. its just a "log
>> authData" from within the authenticate() function
>
> Which is YOUR MODULE. And YOUR PYTHON CODE. i.e. something you
> invented.
>
> I’ll be clear. I don’t wan to see that data. I don’t know what
> “authData” is, and I don’t care. You’re assuming that I magically
> know everything about what you’re doing, without you explaining it.
sorry i dont want to be rude but it's just not true what you say.
authData is send from rlm_python to the authenticate() function of the
module it loads. i just used the example prepaid.py module that comes
with freeradius as a "template". and it does exactly what you call "my
invention". it uses authData to get a tuple with authentication data
(e.g. username and password):
http://fossies.org/dox/freeradius-server-2.2.6/prepaid_8py_source.html
so its not my code that sets this tuple and its nothing i have invented.
and all i want to know is if it is possible to get "%{mschap:Challenge}"
and "%{mschap:NT-Response}" in this tuple to verify an mschap request
just like it can be done with the ntlm_auth statement from within the
mschap module.
and i think thats a valid use case when someone wants to integrate an
otp solution with freeradius using rlm_python.
so here is the debug output of two request and the corresponding config.
the first one is using my python script as a replacement of ntlm_auth
from within the mschap module and succeeds. the second one uses
rlm_python and my module. you can see in the debug ouput whats in
authData (one of the lines that starts with otpme.py) because i used the
provided log function to log it.
# OTPme ntlm
mschap otpme_ntlm {
ntlm_auth = "/usr/local/bin/otpme-auth -l verify_ntlm
'%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}'
'%{%{otpme_ntlm:Challenge}:-00}' '%{%{otpme_ntlm:NT-Response}:-00}'
'%{NAS-Identifier}' '%{Client-IP-Address}'"
}
python otpme_mod {
module = otpme
mod_instantiate = ${.module}
func_instantiate = instantiate
mod_detach = ${.module}
func_detach = detach
mod_authenticate = ${.module}
func_authenticate = authenticate
}
authenticate {
Auth-Type EAP {
eap
}
Auth-Type MS-CHAP {
otpme_ntlm
}
}
authorize {
eap
mschap
}
radiusd: FreeRADIUS Version 2.2.5, for host i686-pc-linux-gnu, built on
Jan 18 2015 at 12:00:30
Copyright (C) 1999-2013 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
For more information about these matters, see the file named COPYRIGHT.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/cui
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/soh
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/ldap
including configuration file /etc/raddb/modules/krb5
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/opendirectory
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/cache
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/otpme
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/redis
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/replicate
including configuration file /etc/raddb/modules/dhcp_sqlippool
including configuration file /etc/raddb/sql/mysql/ippool-dhcp.conf
including configuration file /etc/raddb/modules/linelog
including configuration file
/etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/ntlm_auth
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/radrelay
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/dynamic_clients
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/script
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/rediswho
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/otpme
main {
user = "radiusd"
group = "radiusd"
allow_core_dumps = no
}
including dictionary file /etc/raddb/dictionary
main {
name = "radiusd"
prefix = "/usr"
localstatedir = "/var/lib"
sbindir = "/usr/sbin"
logdir = "/var/log/radius"
run_dir = "/var/run/radiusd"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "/var/run/radiusd/radiusd.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = no
log {
stripped_names = no
auth = yes
auth_badpass = no
auth_goodpass = no
}
security {
max_attributes = 200
reject_delay = 1
status_server = no
allow_vulnerable_openssl = no
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "testing123"
response_window = 20
max_outstanding = 65536
require_message_authenticator = yes
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "test123"
nastype = "other"
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating module "exec" from file /etc/raddb/modules/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
Module: Linked to module rlm_expr
Module: Instantiating module "expr" from file /etc/raddb/modules/expr
Module: Linked to module rlm_expiration
Module: Instantiating module "expiration" from file
/etc/raddb/modules/expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating module "logintime" from file
/etc/raddb/modules/logintime
logintime {
reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60
}
}
radiusd: #### Loading Virtual Servers ####
server { # from file TÚJ·?
modules {
} # modules
} # server
server otpme { # from file /etc/raddb/sites-enabled/otpme
modules {
Module: Creating Auth-Type = OTPme
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_eap
Module: Instantiating module "eap" from file /etc/raddb/eap.conf
eap {
default_eap_type = "peap"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 1024
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
CA_path = "/etc/raddb/certs"
pem_file_type = yes
private_key_file = "/etc/raddb/certs/server.pem"
certificate_file = "/etc/raddb/certs/server.pem"
private_key_password = "whatever"
dh_file = "/etc/raddb/certs/dh"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
make_cert_command = "/etc/raddb/certs/bootstrap"
virtual_server = "otpme"
ecdh_curve = "prime256v1"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = no
}
}
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
default_eap_type = "mschapv2"
copy_request_to_tunnel = yes
use_tunneled_reply = no
virtual_server = "otpme"
include_length = yes
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
proxy_tunneled_request_as_eap = yes
virtual_server = "otpme"
soh = no
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
Module: Linked to module rlm_mschap
Module: Instantiating module "otpme_ntlm" from file
/etc/raddb/modules/otpme
mschap otpme_ntlm {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = no
ntlm_auth = "/usr/local/bin/otpme-auth -l verify_ntlm
'%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}'
'%{%{otpme_ntlm:Challenge}:-00}' '%{%{otpme_ntlm:NT-Response}:-00}'
'%{NAS-Identifier}' '%{Client-IP-Address}'"
allow_retry = yes
}
Module: Linked to module rlm_python
Module: Instantiating module "otpme_mod" from file
/etc/raddb/modules/otpme
python_init done
python otpme_mod {
mod_instantiate = "otpme"
func_instantiate = "instantiate"
mod_authenticate = "otpme"
func_authenticate = "authenticate"
mod_detach = "otpme"
func_detach = "detach"
}
Module: Checking authorize {...} for more modules to load
Module: Instantiating module "mschap" from file
/etc/raddb/modules/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = no
allow_retry = yes
}
} # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = 10.219.195.1
port = 1812
client 10.219.195.18 {
require_message_authenticator = no
secret = "123"
shortname = "host1"
}
}
Listening on authentication address 10.219.195.1 port 1812 as server
otpme
Ready to process requests.
otpme.py: OTPme config verfied successful.
otpme.py: Instantiated OTPme module.
rad_recv: Access-Request packet from host 10.219.195.1 port 37538, id=0,
length=126
User-Name = "testuser1"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x0200000e01746573747573657231
Message-Authenticator = 0xc6a9d4db12aa9a3fa241a3810c655494
server otpme {
# Executing section authorize from file /etc/raddb/sites-enabled/otpme
+group authorize {
[eap] EAP packet type response id 0 length 14
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[mschap] = noop
++? if (!control:Auth-Type)
? Evaluating !(control:Auth-Type) -> FALSE
++? if (!control:Auth-Type) -> FALSE
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/otpme
+group EAP {
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] = handled
+} # group EAP = handled
} # server otpme
Sending Access-Challenge of id 0 to 10.219.195.1 port 37538
EAP-Message = 0x010100061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x7563bf7e7562a6491fd890a063366da0
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.219.195.1 port 37538, id=1,
length=352
User-Name = "testuser1"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message =
0x020100de190016030100d3010000cf0301a741278a0cfb95e7f7ad572b9e9003e26a0ec3d1cedb3a61ee7b35b95ad3c9f600005cc014c00a0039003800880087c00fc00500350084c013c00900330032009a009900450044c00ec004002f009600410007c011c007c00cc00200050004c012c00800160013c00dc003000a0015001200090014001100080006000300ff0201000049000b000403000102000a00340032000e000d0019000b000c00180009000a00160017000800060007001400150004000500120013000100020003000f0010001100230000000f000101
State = 0x7563bf7e7562a6491fd890a063366da0
Message-Authenticator = 0x06b5d1eac47be747a523dea518b88a2a
server otpme {
# Executing section authorize from file /etc/raddb/sites-enabled/otpme
+group authorize {
[eap] EAP packet type response id 1 length 222
[eap] Continuing tunnel setup.
++[eap] = ok
++[mschap] = noop
++? if (!control:Auth-Type)
? Evaluating !(control:Auth-Type) -> FALSE
++? if (!control:Auth-Type) -> FALSE
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/otpme
+group EAP {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 00d3], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 003e], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 03b0], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange
[peap] TLS_accept: SSLv3 write key exchange A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client
certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group EAP = handled
} # server otpme
Sending Access-Challenge of id 1 to 10.219.195.1 port 37538
EAP-Message =
0x0102040019c000000551160301003e0200003a030112a80abf015913dfd18591767af8d31a7421918e78e906539842667c9a347e4a00c014010012ff01000100000b000403000102000f00010116030103b00b0003ac0003a90003a6308203a23082028aa003020102020101300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c652043
EAP-Message =
0x6572746966696361746520417574686f72697479301e170d3132303231303230303231305a170d3133303230393230303231305a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100f46fbd0d756be26abb5b67573414398205c75b8b1be90ccc43cf479af3c7f570486eb9fdb02a372634b4
EAP-Message =
0x050bd49743d559c1385ac25268b1bee7e0cee585acb8a5102811cb568f31bd6218b97efdc6be84a789697cea6a68dab56cd9e40f0867b4ec2b986610c608405e0b7c426fb8fe04da36c2732ed8aa14d0f4b53b69c6c07150fd4188ef935a66c030681cfe0d5ea6fa80045d8319c5a0b141e34926225185b384273a50058dc27d20beb6b78dc4ed76f694ffda1e3849b93755ec9bf02bf5a99ee9222835cc95f3bfced8a01b47d2c84ef6a86bea8b7251091fdf968cd084d1ea1c02658e535c2875e429af9ad21e1b5cda55e4d42ade8f1b82b31294830203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f7
EAP-Message =
0x0d0101040500038201010019c7c020438aafabfe2ef98eb3ebd302687dae3411309deef7a228bcbdd1bfd2ae45c75a39a25ecd53599efc38a56e0a288ee208f7d129dd3daf9197e3b1bd93bfb2d0433eadfe846ac9c97a65f35d322df5e5458e7e49a99354e40410e95d8874862216107c02a51cd428a60755e41d0158e5a1fabb979f37432005e065f4533599dd248c67032723dca1b3acbcc775e775fd5e010d4405e86306fb1af2dc4da0af01f0f17c9a2d5e55d1e895d4ac185cb3371e648c1a1e71fd27080c1adf3804251dd0c75aea734be1fc83af0699d5a0c0f9f6d5afff00d688edf74177ad4357711e6d4eb5cca9b72eb493fb7c3a83b396
EAP-Message = 0xad17d75da15a7cac2ecd58db
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x7563bf7e7461a6491fd890a063366da0
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.219.195.1 port 37538, id=2,
length=136
User-Name = "testuser1"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020200061900
State = 0x7563bf7e7461a6491fd890a063366da0
Message-Authenticator = 0xf10086a8043a391d9f34e5f93ac3d50b
server otpme {
# Executing section authorize from file /etc/raddb/sites-enabled/otpme
+group authorize {
[eap] EAP packet type response id 2 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
++[mschap] = noop
++? if (!control:Auth-Type)
? Evaluating !(control:Auth-Type) -> FALSE
++? if (!control:Auth-Type) -> FALSE
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/otpme
+group EAP {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group EAP = handled
} # server otpme
Sending Access-Challenge of id 2 to 10.219.195.1 port 37538
EAP-Message =
0x0103016119006f2a160301014b0c0001470300174104313b9aa0b47dcbd72975dce05e6792a55cfd1795f077bf4fbcd4551aceb77ad0d9c4d7b18f1519161fe31fca376fef874ec04f7500e0a080a0a4206ac1e1181901008c409456515256c7de3459d577d98c718eb260e12a90f176144628753528a4dce40e66677fe27cf8755a3693ef0db80d6bdd8a543a718cb3934a5655ebbf4b5f493608cafd6c4b102edae1eb15b740c7c1afba58620f1fc02c44ca6a490ef703291d417c09bae2d842456ef205e48ceb5f2c782e0f523c895b0d0ea06d6f3ce3eb67377fe4a16f70e6474c096b03289227db4c2f12ec3cb5dffdeb7cf4bccdf21d714a610e
EAP-Message =
0x3fb128087eba6bf1a6acc03786ed2ff39ae3823f1e4f9e374204f03bfbbec021ce768b36d290f9666f60a8756cd061e70332b48dc4bac07e8c38abba380f561dd996017f4392e2199a5fa06c886057d47e170e42cc8c7a414f796a16030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x7563bf7e7760a6491fd890a063366da0
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.219.195.1 port 37538, id=3,
length=270
User-Name = "testuser1"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message =
0x0203008c190016030100461000004241043c8e62e48361799a71777b230786c6ddbd899d9257d73d5fb4d730366671f8f166c0ea2577fcc68ed3e21899edf5b82f7e401f1cb99f7a973c2d35315c619c6d1403010001011603010030543bfb94bffc0be1b81e3e1268ac126fd2d73fb6306e806798e1d651ead4190a74e521db1561c4e16f1acdc896c4afb6
State = 0x7563bf7e7760a6491fd890a063366da0
Message-Authenticator = 0xc6e998f7aef0baef668d678ad3ffd5de
server otpme {
# Executing section authorize from file /etc/raddb/sites-enabled/otpme
+group authorize {
[eap] EAP packet type response id 3 length 140
[eap] Continuing tunnel setup.
++[eap] = ok
++[mschap] = noop
++? if (!control:Auth-Type)
? Evaluating !(control:Auth-Type) -> FALSE
++? if (!control:Auth-Type) -> FALSE
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/otpme
+group EAP {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange
[peap] TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap] TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 write finished A
[peap] TLS_accept: SSLv3 flush data
[peap] (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group EAP = handled
} # server otpme
Sending Access-Challenge of id 3 to 10.219.195.1 port 37538
EAP-Message =
0x0104004119001403010001011603010030dafc2aa3b8b15dcb31e8774f67876afb903a651d8f475b94647d45668ca9abde22ffbea12f0e799b6acc4b4900860181
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x7563bf7e7667a6491fd890a063366da0
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.219.195.1 port 37538, id=4,
length=136
User-Name = "testuser1"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020400061900
State = 0x7563bf7e7667a6491fd890a063366da0
Message-Authenticator = 0x8e3735680df6daec47a50279795ae18c
server otpme {
# Executing section authorize from file /etc/raddb/sites-enabled/otpme
+group authorize {
[eap] EAP packet type response id 4 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
++[mschap] = noop
++? if (!control:Auth-Type)
? Evaluating !(control:Auth-Type) -> FALSE
++? if (!control:Auth-Type) -> FALSE
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/otpme
+group EAP {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state TUNNEL ESTABLISHED
++[eap] = handled
+} # group EAP = handled
} # server otpme
Sending Access-Challenge of id 4 to 10.219.195.1 port 37538
EAP-Message =
0x0105002b190017030100208fda5e20590d922d9602dbd0e299d5e1ef0027e5d663ef326913f07d313c790d
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x7563bf7e7166a6491fd890a063366da0
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.219.195.1 port 37538, id=5,
length=226
User-Name = "testuser1"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message =
0x0205006019001703010020f3832f06ae8629d40538b61ce86c6b65a6801b4d6c40550d32837dc2aa108b2a1703010030c5e43a0106ae6b61e4d3277abb002bc86b7c0ebffba9c48199aecddad8885ad112753e1d114e2dd391572ace81722539
State = 0x7563bf7e7166a6491fd890a063366da0
Message-Authenticator = 0xf1cf3918a83a26b7efae51172bf43dfb
server otpme {
# Executing section authorize from file /etc/raddb/sites-enabled/otpme
+group authorize {
[eap] EAP packet type response id 5 length 96
[eap] Continuing tunnel setup.
++[eap] = ok
++[mschap] = noop
++? if (!control:Auth-Type)
? Evaluating !(control:Auth-Type) -> FALSE
++? if (!control:Auth-Type) -> FALSE
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/otpme
+group EAP {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state WAITING FOR INNER IDENTITY
[peap] Identity - testuser1
[peap] Got inner identity 'testuser1'
[peap] Setting default EAP type for tunneled EAP session.
[peap] Got tunneled request
EAP-Message = 0x0205000e01746573747573657231
server otpme {
[peap] Setting User-Name to testuser1
Sending tunneled request
EAP-Message = 0x0205000e01746573747573657231
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "testuser1"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
server otpme {
# Executing section authorize from file /etc/raddb/sites-enabled/otpme
+group authorize {
[eap] EAP packet type response id 5 length 14
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[mschap] = noop
++? if (!control:Auth-Type)
? Evaluating !(control:Auth-Type) -> FALSE
++? if (!control:Auth-Type) -> FALSE
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/otpme
+group EAP {
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] = handled
+} # group EAP = handled
} # server otpme
[peap] Got tunneled reply code 11
EAP-Message =
0x010600231a0106001e1084108f423e2fec5767ad08fc69bbd564746573747573657231
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xbfdadb2bbfdcc100d33b37b4334ad1a9
[peap] Got tunneled reply RADIUS code 11
EAP-Message =
0x010600231a0106001e1084108f423e2fec5767ad08fc69bbd564746573747573657231
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xbfdadb2bbfdcc100d33b37b4334ad1a9
[peap] Got tunneled Access-Challenge
++[eap] = handled
+} # group EAP = handled
} # server otpme
Sending Access-Challenge of id 5 to 10.219.195.1 port 37538
EAP-Message =
0x0106004b19001703010040a5594e26652fc133151ca57e9cbc052085294fc31795e67abdaf52d8b88e62fedbdb73905c7faa45de2062d5a9bdaf4291ee698b57b07f39609cac5d0cc44452
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x7563bf7e7065a6491fd890a063366da0
Finished request 5.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.219.195.1 port 37538, id=6,
length=274
User-Name = "testuser1"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message =
0x02060090190017030100206028167c17fb23fa70e50cb5672a1971e68abea603c5020ef8b19b08e5620ac317030100607afabbdd1caff01b58f4e307fbef41481f55ab7b4137d9f1807bd84a8ee609d235885d2c995004bd6bcaa467679d50c7e8706c383c326ae5cb6f573a651e2279568a55493eb3712e15b84ef90de1b0402743a46cc92a0b09bdaee4d5858a1bab
State = 0x7563bf7e7065a6491fd890a063366da0
Message-Authenticator = 0x82a114c11feb9e1259540ea7e6bab80e
server otpme {
# Executing section authorize from file /etc/raddb/sites-enabled/otpme
+group authorize {
[eap] EAP packet type response id 6 length 144
[eap] Continuing tunnel setup.
++[eap] = ok
++[mschap] = noop
++? if (!control:Auth-Type)
? Evaluating !(control:Auth-Type) -> FALSE
++? if (!control:Auth-Type) -> FALSE
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/otpme
+group EAP {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
EAP-Message =
0x020600441a0206003f31c6209eb3e4f1c334ec156850e8e831c90000000000000000b30b7de20b87d7158c571ff2bbffa75e2751147babd02c7100746573747573657231
server otpme {
[peap] Setting User-Name to testuser1
Sending tunneled request
EAP-Message =
0x020600441a0206003f31c6209eb3e4f1c334ec156850e8e831c90000000000000000b30b7de20b87d7158c571ff2bbffa75e2751147babd02c7100746573747573657231
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "testuser1"
State = 0xbfdadb2bbfdcc100d33b37b4334ad1a9
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
server otpme {
# Executing section authorize from file /etc/raddb/sites-enabled/otpme
+group authorize {
[eap] EAP packet type response id 6 length 68
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[mschap] = noop
++? if (!control:Auth-Type)
? Evaluating !(control:Auth-Type) -> FALSE
++? if (!control:Auth-Type) -> FALSE
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/otpme
+group EAP {
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file /etc/raddb/sites-enabled/otpme
[mschapv2] +group MS-CHAP {
[otpme_ntlm] Creating challenge hash with username: testuser1
[otpme_ntlm] Client is using MS-CHAPv2 for testuser1, we need
NT-Password
[otpme_ntlm] expand: %{Stripped-User-Name} ->
[otpme_ntlm] ... expanding second conditional
[otpme_ntlm] expand: %{User-Name} -> testuser1
[otpme_ntlm] expand: %{%{User-Name}:-None} -> testuser1
[otpme_ntlm] expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-None}} ->
testuser1
[otpme_ntlm] Creating challenge hash with username: testuser1
[otpme_ntlm] expand: %{otpme_ntlm:Challenge} -> a9696cdff7c89500
[otpme_ntlm] expand: %{%{otpme_ntlm:Challenge}:-00} -> a9696cdff7c89500
[otpme_ntlm] expand: %{otpme_ntlm:NT-Response} ->
b30b7de20b87d7158c571ff2bbffa75e2751147babd02c71
[otpme_ntlm] expand: %{%{otpme_ntlm:NT-Response}:-00} ->
b30b7de20b87d7158c571ff2bbffa75e2751147babd02c71
[otpme_ntlm] expand: %{NAS-Identifier} ->
[otpme_ntlm] expand: %{Client-IP-Address} -> 10.219.195.1
Exec output: NT_KEY: DAC3BE8FCFB20063D121449A6B2A28B4
Exec plaintext: NT_KEY: DAC3BE8FCFB20063D121449A6B2A28B4
[otpme_ntlm] Exec: program returned: 0
[otpme_ntlm] adding MS-CHAPv2 MPPE keys
++[otpme_ntlm] = ok
+} # group MS-CHAP = ok
MSCHAP Success
++[eap] = handled
+} # group EAP = handled
} # server otpme
[peap] Got tunneled reply code 11
EAP-Message =
0x010700331a0306002e533d30344339463830304333304639343241304638354242383238353431363743303646463436463744
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xbfdadb2bbeddc100d33b37b4334ad1a9
[peap] Got tunneled reply RADIUS code 11
EAP-Message =
0x010700331a0306002e533d30344339463830304333304639343241304638354242383238353431363743303646463436463744
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xbfdadb2bbeddc100d33b37b4334ad1a9
[peap] Got tunneled Access-Challenge
++[eap] = handled
+} # group EAP = handled
} # server otpme
Sending Access-Challenge of id 6 to 10.219.195.1 port 37538
EAP-Message =
0x0107005b19001703010050b81a606209effd7af621dd30534a25262dcd73b33bb75ecbe99f623722ea4b19c97b5d573dacc032fdecdff2a035a96501daa76d8e60c8e05c1dbabc576156be1695acabc01aaad9a50ab7fe1e403163
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x7563bf7e7364a6491fd890a063366da0
Finished request 6.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.219.195.1 port 37538, id=7,
length=210
User-Name = "testuser1"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message =
0x0207005019001703010020f1da00695d99bd592351f25e17e5cfc05b9d96fd110091997c4647c88e90256b1703010020d1fead54c4bf7c06d67f3146e1d450280bcbf7d5338190f43d98fb6171704322
State = 0x7563bf7e7364a6491fd890a063366da0
Message-Authenticator = 0xcdce9a9c5e9d1cf664f2543ff31f4e90
server otpme {
# Executing section authorize from file /etc/raddb/sites-enabled/otpme
+group authorize {
[eap] EAP packet type response id 7 length 80
[eap] Continuing tunnel setup.
++[eap] = ok
++[mschap] = noop
++? if (!control:Auth-Type)
? Evaluating !(control:Auth-Type) -> FALSE
++? if (!control:Auth-Type) -> FALSE
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/otpme
+group EAP {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
EAP-Message = 0x020700061a03
server otpme {
[peap] Setting User-Name to testuser1
Sending tunneled request
EAP-Message = 0x020700061a03
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "testuser1"
State = 0xbfdadb2bbeddc100d33b37b4334ad1a9
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
server otpme {
# Executing section authorize from file /etc/raddb/sites-enabled/otpme
+group authorize {
[eap] EAP packet type response id 7 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[mschap] = noop
++? if (!control:Auth-Type)
? Evaluating !(control:Auth-Type) -> FALSE
++? if (!control:Auth-Type) -> FALSE
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/otpme
+group EAP {
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[eap] Freeing handler
++[eap] = ok
+} # group EAP = ok
Login OK: [testuser1] (from client host1 port 0 cli 02-00-00-00-00-01
via TLS tunnel)
WARNING: Empty post-auth section. Using default return values.
} # server otpme
[peap] Got tunneled reply code 2
MS-MPPE-Encryption-Policy = 0x00000001
MS-MPPE-Encryption-Types = 0x00000006
MS-MPPE-Send-Key = 0x6bf9caf3f1b3e8007b6775fa29593fc8
MS-MPPE-Recv-Key = 0x3ccb89c970dc74d2c6926747980e8a29
EAP-Message = 0x03070004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "testuser1"
[peap] Got tunneled reply RADIUS code 2
MS-MPPE-Encryption-Policy = 0x00000001
MS-MPPE-Encryption-Types = 0x00000006
MS-MPPE-Send-Key = 0x6bf9caf3f1b3e8007b6775fa29593fc8
MS-MPPE-Recv-Key = 0x3ccb89c970dc74d2c6926747980e8a29
EAP-Message = 0x03070004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "testuser1"
[peap] Tunneled authentication was successful.
[peap] SUCCESS
[peap] Saving tunneled attributes for later
++[eap] = handled
+} # group EAP = handled
} # server otpme
Sending Access-Challenge of id 7 to 10.219.195.1 port 37538
EAP-Message =
0x0108003b19001703010030fdf7d5232e0e4e9a4e84310efa211c13c6c91e2e1fd52ff7b32d4a553db3776149177d11c40a5775df92fece70c5b47f
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x7563bf7e726ba6491fd890a063366da0
Finished request 7.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.219.195.1 port 37538, id=8,
length=226
User-Name = "testuser1"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message =
0x020800601900170301002064fbbb5b85581cd88640e2d2cef6a2b4c933da3a036f165687094fd61ff8796d170301003045dcae79cc3449aaf7a524e7d9f7c341e524501c8004254369db68458339dfd3e87789d08cfa71428f400639bdbdf7ba
State = 0x7563bf7e726ba6491fd890a063366da0
Message-Authenticator = 0x8ceeb6ced09ceff25ff156dbf5daef45
server otpme {
# Executing section authorize from file /etc/raddb/sites-enabled/otpme
+group authorize {
[eap] EAP packet type response id 8 length 96
[eap] Continuing tunnel setup.
++[eap] = ok
++[mschap] = noop
++? if (!control:Auth-Type)
? Evaluating !(control:Auth-Type) -> FALSE
++? if (!control:Auth-Type) -> FALSE
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/otpme
+group EAP {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state send tlv success
[peap] Received EAP-TLV response.
[peap] Success
[peap] Using saved attributes from the original Access-Accept
User-Name = "testuser1"
[eap] Freeing handler
++[eap] = ok
+} # group EAP = ok
Login OK: [testuser1] (from client host1 port 0 cli 02-00-00-00-00-01)
} # server otpme
WARNING: Empty post-auth section. Using default return values.
Sending Access-Accept of id 8 to 10.219.195.1 port 37538
User-Name = "testuser1"
MS-MPPE-Recv-Key =
0x08dd033d2e35356c3aad01d0345683f412dcca316db9625ec07bdb697635d1e4
MS-MPPE-Send-Key =
0xcf24fb6cf74db5618f535c557eca41e00f8ad8fb82ff506fd1a690b498a23dbd
EAP-Message = 0x03080004
Message-Authenticator = 0x00000000000000000000000000000000
Finished request 8.
Going to the next request
Waking up in 4.8 seconds.
authenticate {
Auth-Type EAP {
eap
}
Auth-Type MS-CHAP {
update request {
Tmp-Octets-0 := "%{mschap:Challenge}"
Tmp-Octets-1 := "%{mschap:NT-Response}"
}
otpme_mod
}
}
authorize {
eap
update request {
Tmp-Octets-0 := "%{mschap:Challenge}"
Tmp-Octets-1 := "%{mschap:NT-Response}"
}
}
}
radiusd: FreeRADIUS Version 2.2.5, for host i686-pc-linux-gnu, built on
Jan 18 2015 at 12:00:30
Copyright (C) 1999-2013 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
For more information about these matters, see the file named COPYRIGHT.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/cui
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/soh
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/ldap
including configuration file /etc/raddb/modules/krb5
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/opendirectory
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/cache
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/otpme
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/redis
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/replicate
including configuration file /etc/raddb/modules/dhcp_sqlippool
including configuration file /etc/raddb/sql/mysql/ippool-dhcp.conf
including configuration file /etc/raddb/modules/linelog
including configuration file
/etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/ntlm_auth
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/radrelay
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/dynamic_clients
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/script
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/rediswho
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/otpme
main {
user = "radiusd"
group = "radiusd"
allow_core_dumps = no
}
including dictionary file /etc/raddb/dictionary
main {
name = "radiusd"
prefix = "/usr"
localstatedir = "/var/lib"
sbindir = "/usr/sbin"
logdir = "/var/log/radius"
run_dir = "/var/run/radiusd"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "/var/run/radiusd/radiusd.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = no
log {
stripped_names = no
auth = yes
auth_badpass = no
auth_goodpass = no
}
security {
max_attributes = 200
reject_delay = 1
status_server = no
allow_vulnerable_openssl = no
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "testing123"
response_window = 20
max_outstanding = 65536
require_message_authenticator = yes
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "test123"
nastype = "other"
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating module "exec" from file /etc/raddb/modules/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
Module: Linked to module rlm_expr
Module: Instantiating module "expr" from file /etc/raddb/modules/expr
Module: Linked to module rlm_expiration
Module: Instantiating module "expiration" from file
/etc/raddb/modules/expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating module "logintime" from file
/etc/raddb/modules/logintime
logintime {
reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60
}
}
radiusd: #### Loading Virtual Servers ####
server { # from file T:N·?
modules {
} # modules
} # server
server otpme { # from file /etc/raddb/sites-enabled/otpme
modules {
Module: Creating Auth-Type = OTPme
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_eap
Module: Instantiating module "eap" from file /etc/raddb/eap.conf
eap {
default_eap_type = "peap"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 1024
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
CA_path = "/etc/raddb/certs"
pem_file_type = yes
private_key_file = "/etc/raddb/certs/server.pem"
certificate_file = "/etc/raddb/certs/server.pem"
private_key_password = "whatever"
dh_file = "/etc/raddb/certs/dh"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
make_cert_command = "/etc/raddb/certs/bootstrap"
virtual_server = "otpme"
ecdh_curve = "prime256v1"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = no
}
}
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
default_eap_type = "mschapv2"
copy_request_to_tunnel = yes
use_tunneled_reply = no
virtual_server = "otpme"
include_length = yes
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
proxy_tunneled_request_as_eap = yes
virtual_server = "otpme"
soh = no
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
Module: Linked to module rlm_python
Module: Instantiating module "otpme_mod" from file
/etc/raddb/modules/otpme
python_init done
python otpme_mod {
mod_instantiate = "otpme"
func_instantiate = "instantiate"
mod_authenticate = "otpme"
func_authenticate = "authenticate"
mod_detach = "otpme"
func_detach = "detach"
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_mschap
Module: Instantiating module "mschap" from file
/etc/raddb/modules/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = no
allow_retry = yes
}
} # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = 10.219.195.1
port = 1812
client 10.219.195.1 {
require_message_authenticator = no
secret = "123"
shortname = "host1"
}
}
Listening on authentication address 10.219.195.1 port 1812 as server
otpme
Ready to process requests.
otpme.py: OTPme config verfied successful.
otpme.py: Instantiated OTPme module.
rad_recv: Access-Request packet from host 10.219.195.1 port 33824, id=0,
length=126
User-Name = "testuser1"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x0200000e01746573747573657231
Message-Authenticator = 0xcf54d7ba4a3e53ec15ab9662706461f1
server otpme {
# Executing section authorize from file /etc/raddb/sites-enabled/otpme
+group authorize {
[eap] EAP packet type response id 0 length 14
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[mschap] = noop
++? if (!control:Auth-Type)
? Evaluating !(control:Auth-Type) -> FALSE
++? if (!control:Auth-Type) -> FALSE
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/otpme
+group EAP {
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] = handled
+} # group EAP = handled
} # server otpme
Sending Access-Challenge of id 0 to 10.219.195.1 port 33824
EAP-Message = 0x010100061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x4b64a1994b65b8dfd5d7ed270cbb0d2f
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.219.195.1 port 33824, id=1,
length=352
User-Name = "testuser1"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message =
0x020100de190016030100d3010000cf03016dd1fdb03ffdd213827520ea5f7c184dde487465683f7196aa5cbe666e837e3000005cc014c00a0039003800880087c00fc00500350084c013c00900330032009a009900450044c00ec004002f009600410007c011c007c00cc00200050004c012c00800160013c00dc003000a0015001200090014001100080006000300ff0201000049000b000403000102000a00340032000e000d0019000b000c00180009000a00160017000800060007001400150004000500120013000100020003000f0010001100230000000f000101
State = 0x4b64a1994b65b8dfd5d7ed270cbb0d2f
Message-Authenticator = 0x3263975944a89f7d15c2cdcfcea94db5
server otpme {
# Executing section authorize from file /etc/raddb/sites-enabled/otpme
+group authorize {
[eap] EAP packet type response id 1 length 222
[eap] Continuing tunnel setup.
++[eap] = ok
++[mschap] = noop
++? if (!control:Auth-Type)
? Evaluating !(control:Auth-Type) -> FALSE
++? if (!control:Auth-Type) -> FALSE
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/otpme
+group EAP {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 00d3], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 003e], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 03b0], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange
[peap] TLS_accept: SSLv3 write key exchange A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client
certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group EAP = handled
} # server otpme
Sending Access-Challenge of id 1 to 10.219.195.1 port 33824
EAP-Message =
0x0102040019c000000551160301003e0200003a0301e30c8c45a37d5610ca7ff2fbc4db6ebeea682cbbac43e98c8aadc1f7ecaee7f300c014010012ff01000100000b000403000102000f00010116030103b00b0003ac0003a90003a6308203a23082028aa003020102020101300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c652043
EAP-Message =
0x6572746966696361746520417574686f72697479301e170d3132303231303230303231305a170d3133303230393230303231305a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100f46fbd0d756be26abb5b67573414398205c75b8b1be90ccc43cf479af3c7f570486eb9fdb02a372634b4
EAP-Message =
0x050bd49743d559c1385ac25268b1bee7e0cee585acb8a5102811cb568f31bd6218b97efdc6be84a789697cea6a68dab56cd9e40f0867b4ec2b986610c608405e0b7c426fb8fe04da36c2732ed8aa14d0f4b53b69c6c07150fd4188ef935a66c030681cfe0d5ea6fa80045d8319c5a0b141e34926225185b384273a50058dc27d20beb6b78dc4ed76f694ffda1e3849b93755ec9bf02bf5a99ee9222835cc95f3bfced8a01b47d2c84ef6a86bea8b7251091fdf968cd084d1ea1c02658e535c2875e429af9ad21e1b5cda55e4d42ade8f1b82b31294830203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f7
EAP-Message =
0x0d0101040500038201010019c7c020438aafabfe2ef98eb3ebd302687dae3411309deef7a228bcbdd1bfd2ae45c75a39a25ecd53599efc38a56e0a288ee208f7d129dd3daf9197e3b1bd93bfb2d0433eadfe846ac9c97a65f35d322df5e5458e7e49a99354e40410e95d8874862216107c02a51cd428a60755e41d0158e5a1fabb979f37432005e065f4533599dd248c67032723dca1b3acbcc775e775fd5e010d4405e86306fb1af2dc4da0af01f0f17c9a2d5e55d1e895d4ac185cb3371e648c1a1e71fd27080c1adf3804251dd0c75aea734be1fc83af0699d5a0c0f9f6d5afff00d688edf74177ad4357711e6d4eb5cca9b72eb493fb7c3a83b396
EAP-Message = 0xad17d75da15a7cac2ecd58db
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x4b64a1994a66b8dfd5d7ed270cbb0d2f
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.219.195.1 port 33824, id=2,
length=136
User-Name = "testuser1"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020200061900
State = 0x4b64a1994a66b8dfd5d7ed270cbb0d2f
Message-Authenticator = 0xd493ce90415969edf6127c50518c4732
server otpme {
# Executing section authorize from file /etc/raddb/sites-enabled/otpme
+group authorize {
[eap] EAP packet type response id 2 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
++[mschap] = noop
++? if (!control:Auth-Type)
? Evaluating !(control:Auth-Type) -> FALSE
++? if (!control:Auth-Type) -> FALSE
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/otpme
+group EAP {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group EAP = handled
} # server otpme
Sending Access-Challenge of id 2 to 10.219.195.1 port 33824
EAP-Message =
0x0103016119006f2a160301014b0c0001470300174104c35e1963d7c639e085a97c24ea72d92f1e54a9c3d40601612667935afed91c7e062825adabadbcaaa2e5877d536c97e1c7ff4dc71b6f858ef51ab39e994893a20100ed9a2ab740d608a5af8c78409adc8740485b9272dba98663bf51085574cbbb9b62498605e8e499b209a7d60b342b66cc358cf9d60f7aae06ef74a235029005b5cb2ac163eb10055f71cd1128d08f936a488f05a0a03f28d7273842619aa230a3369d9f2f4da9e9dc5e1b723cdad594c2be13d2565f09e35af1e538132fab155aaf1d4821c29865ae5713ba1ab4f83751b9d8fa86fb72fa6f654befc3d8b7501b7d85e8f2ae
EAP-Message =
0x5ae3f1212861427e208fc889607a04e9be505a4bebf43d98c1cdaf81f37d55d5e3af85e9dc6f5a62e947d766721825ad29b442a69f905c9c3e0eade42647199419879001f2ddb7e69a7dda56655e77a3ad2f1e37be2e84e64ff43616030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x4b64a1994967b8dfd5d7ed270cbb0d2f
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.219.195.1 port 33824, id=3,
length=270
User-Name = "testuser1"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message =
0x0203008c190016030100461000004241042b60cdd4c6bdeb200c77d3d537f674a5631b755a80b7982bf733ce33320ca0407225180646fa6f0093ad6a5105188aceb1863f63f3c136aeef6c368e1502d95314030100010116030100301d71fea144c432c55f558ba0b49ff5aac18fdd3009aac62e72f7eb39968e8d48f96f2995dbe2c5710ad2f69464f980c2
State = 0x4b64a1994967b8dfd5d7ed270cbb0d2f
Message-Authenticator = 0x237e70a50554e023763eb64c066aec55
server otpme {
# Executing section authorize from file /etc/raddb/sites-enabled/otpme
+group authorize {
[eap] EAP packet type response id 3 length 140
[eap] Continuing tunnel setup.
++[eap] = ok
++[mschap] = noop
++? if (!control:Auth-Type)
? Evaluating !(control:Auth-Type) -> FALSE
++? if (!control:Auth-Type) -> FALSE
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/otpme
+group EAP {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange
[peap] TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap] TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 write finished A
[peap] TLS_accept: SSLv3 flush data
[peap] (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group EAP = handled
} # server otpme
Sending Access-Challenge of id 3 to 10.219.195.1 port 33824
EAP-Message =
0x01040041190014030100010116030100308c4cd23b129b4d6b112e48ee7cb711c51f995451c68db430c60ca062db367ee570205bff7eb8aafdd934683d574fcea4
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x4b64a1994860b8dfd5d7ed270cbb0d2f
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.219.195.1 port 33824, id=4,
length=136
User-Name = "testuser1"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020400061900
State = 0x4b64a1994860b8dfd5d7ed270cbb0d2f
Message-Authenticator = 0x69e82b0f4e465e073eae3a268b674f06
server otpme {
# Executing section authorize from file /etc/raddb/sites-enabled/otpme
+group authorize {
[eap] EAP packet type response id 4 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
++[mschap] = noop
++? if (!control:Auth-Type)
? Evaluating !(control:Auth-Type) -> FALSE
++? if (!control:Auth-Type) -> FALSE
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/otpme
+group EAP {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state TUNNEL ESTABLISHED
++[eap] = handled
+} # group EAP = handled
} # server otpme
Sending Access-Challenge of id 4 to 10.219.195.1 port 33824
EAP-Message =
0x0105002b1900170301002082cd7593171297731f9bb967c298eede87b931f7d0196983be108cd4531492cc
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x4b64a1994f61b8dfd5d7ed270cbb0d2f
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.219.195.1 port 33824, id=5,
length=226
User-Name = "testuser1"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message =
0x0205006019001703010020f274ddb4f22667dabece5f95d79dc8c045a661d70905a752d35466f03c2370da1703010030ac36bcde5cf6e84853efb3151ae374c0aa7ee14e9c8006e827780b890ba08a2dea53d647d1d7cc2e3566a9ec976b9510
State = 0x4b64a1994f61b8dfd5d7ed270cbb0d2f
Message-Authenticator = 0x03569fa4ad0362141f844f4a5996a0ad
server otpme {
# Executing section authorize from file /etc/raddb/sites-enabled/otpme
+group authorize {
[eap] EAP packet type response id 5 length 96
[eap] Continuing tunnel setup.
++[eap] = ok
++[mschap] = noop
++? if (!control:Auth-Type)
? Evaluating !(control:Auth-Type) -> FALSE
++? if (!control:Auth-Type) -> FALSE
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/otpme
+group EAP {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state WAITING FOR INNER IDENTITY
[peap] Identity - testuser1
[peap] Got inner identity 'testuser1'
[peap] Setting default EAP type for tunneled EAP session.
[peap] Got tunneled request
EAP-Message = 0x0205000e01746573747573657231
server otpme {
[peap] Setting User-Name to testuser1
Sending tunneled request
EAP-Message = 0x0205000e01746573747573657231
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "testuser1"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
server otpme {
# Executing section authorize from file /etc/raddb/sites-enabled/otpme
+group authorize {
[eap] EAP packet type response id 5 length 14
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[mschap] = noop
++? if (!control:Auth-Type)
? Evaluating !(control:Auth-Type) -> FALSE
++? if (!control:Auth-Type) -> FALSE
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/otpme
+group EAP {
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] = handled
+} # group EAP = handled
} # server otpme
[peap] Got tunneled reply code 11
EAP-Message =
0x010600231a0106001e109718a01768fd75c1209b1c257a4fd2be746573747573657231
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xef3dc50aef3bdf904f03abafc54a8a4c
[peap] Got tunneled reply RADIUS code 11
EAP-Message =
0x010600231a0106001e109718a01768fd75c1209b1c257a4fd2be746573747573657231
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xef3dc50aef3bdf904f03abafc54a8a4c
[peap] Got tunneled Access-Challenge
++[eap] = handled
+} # group EAP = handled
} # server otpme
Sending Access-Challenge of id 5 to 10.219.195.1 port 33824
EAP-Message =
0x0106004b190017030100406aa431b9b62079ba567d85b917f35ae0772924c9078e8f667416ecd10508d012726fe8dc02954fbadd6cd4765eb4f330a844677a7b942260db20f71f09470a41
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x4b64a1994e62b8dfd5d7ed270cbb0d2f
Finished request 5.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.219.195.1 port 33824, id=6,
length=274
User-Name = "testuser1"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message =
0x02060090190017030100207a5f44949cd792d5be3b6de4a1138d8079d27c4ca89126a4d8e3fd3aaac5935e1703010060e4da27ea84d607fdb3157877e788ac0d83626bd5395d96a07e5e15657af37466f3b9924c963a823c3582b10a9e78f6a82412aeda1ee37e0fdce65d394e687036c68abf7502a489efa24de7049e236a6b4fc5f15756d873deab341407af3a1af2
State = 0x4b64a1994e62b8dfd5d7ed270cbb0d2f
Message-Authenticator = 0xdda1b35918197604282ed1da107008e8
server otpme {
# Executing section authorize from file /etc/raddb/sites-enabled/otpme
+group authorize {
[eap] EAP packet type response id 6 length 144
[eap] Continuing tunnel setup.
++[eap] = ok
++[mschap] = noop
++? if (!control:Auth-Type)
? Evaluating !(control:Auth-Type) -> FALSE
++? if (!control:Auth-Type) -> FALSE
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/otpme
+group EAP {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
EAP-Message =
0x020600441a0206003f31ce62417d83cc845be89af47e43de8e85000000000000000029e51adbb58ea4ca9bf39d832700639c0f2eebefb98900be00746573747573657231
server otpme {
[peap] Setting User-Name to testuser1
Sending tunneled request
EAP-Message =
0x020600441a0206003f31ce62417d83cc845be89af47e43de8e85000000000000000029e51adbb58ea4ca9bf39d832700639c0f2eebefb98900be00746573747573657231
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "testuser1"
State = 0xef3dc50aef3bdf904f03abafc54a8a4c
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
server otpme {
# Executing section authorize from file /etc/raddb/sites-enabled/otpme
+group authorize {
[eap] EAP packet type response id 6 length 68
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[mschap] = noop
++? if (!control:Auth-Type)
? Evaluating !(control:Auth-Type) -> FALSE
++? if (!control:Auth-Type) -> FALSE
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/otpme
+group EAP {
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file /etc/raddb/sites-enabled/otpme
[mschapv2] +group MS-CHAP {
[mschapv2] ++update request {
[mschapv2] Creating challenge hash with username: testuser1
[mschapv2] expand: %{mschap:Challenge} -> 7b0455c972d1cf5a
[mschapv2] expand: %{mschap:NT-Response} ->
29e51adbb58ea4ca9bf39d832700639c0f2eebefb98900be
[mschapv2] ++} # update request = noop
otpme.py: (('EAP-Message',
'0x020600441a0206003f31ce62417d83cc845be89af47e43de8e85000000000000000029e51adbb58ea4ca9bf39d832700639c0f2eebefb98900be00746573747573657231'),
('FreeRADIUS-Proxied-To', '127.0.0.1'), ('User-Name', '"testuser1"'),
('State', '0xef3dc50aef3bdf904f03abafc54a8a4c'), ('NAS-IP-Address',
'127.0.0.1'), ('Calling-Station-Id', '"02-00-00-00-00-01"'),
('Framed-MTU', '1400'), ('NAS-Port-Type', 'Wireless-802.11'),
('Connect-Info', '"CONNECT 11Mbps 802.11b"'), ('EAP-Type',
'MS-CHAP-V2'), ('MS-CHAP-Challenge',
'0x9718a01768fd75c1209b1c257a4fd2be'), ('MS-CHAP2-Response',
'0x0665ce62417d83cc845be89af47e43de8e85000000000000000029e51adbb58ea4ca9bf39d832700639c0f2eebefb98900be'),
('MS-CHAP-User-Name', '"testuser1"'), ('Tmp-Octets-0',
'0x37623034353563393732643163663561'), ('Tmp-Octets-1',
'0x323965353161646262353865613463613962663339643833323730303633396330663265656265666239383930306265'))
++[otpme_mod] = fail
+} # group MS-CHAP = fail
[eap] Freeing handler
++[eap] = reject
+} # group EAP = reject
Failed to authenticate the user.
Login incorrect: [testuser1] (from client host1 port 0 cli
02-00-00-00-00-01 via TLS tunnel)
} # server otpme
[peap] Got tunneled reply code 3
EAP-Message = 0x04060004
Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code 3
EAP-Message = 0x04060004
Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] = handled
+} # group EAP = handled
} # server otpme
Sending Access-Challenge of id 6 to 10.219.195.1 port 33824
EAP-Message =
0x0107003b19001703010030bafab3f8b086bdb25e11ee4102f959f8a15afe60af25cb7ea51226f50fc22739f1360c3ae4f23b9c3bd64220403469b2
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x4b64a1994d63b8dfd5d7ed270cbb0d2f
Finished request 6.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.219.195.1 port 33824, id=7,
length=226
User-Name = "testuser1"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message =
0x02070060190017030100201475fdf487cb7c5cdbc28275c523942e9478b881702b3715bf41f14e37fd571517030100309264cd7daa17a72f42129836e9fa9d36b3fc98994441970908d89a5fce9831c0cc84703d6d6a4c5d027561bd9da36fe7
State = 0x4b64a1994d63b8dfd5d7ed270cbb0d2f
Message-Authenticator = 0xa10e2442d21c4201b6110b4f3f0e9ef5
server otpme {
# Executing section authorize from file /etc/raddb/sites-enabled/otpme
+group authorize {
[eap] EAP packet type response id 7 length 96
[eap] Continuing tunnel setup.
++[eap] = ok
++[mschap] = noop
++? if (!control:Auth-Type)
? Evaluating !(control:Auth-Type) -> FALSE
++? if (!control:Auth-Type) -> FALSE
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/otpme
+group EAP {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state send tlv failure
[peap] Received EAP-TLV response.
[peap] The users session was previously rejected: returning reject
(again.)
[peap] *** This means you need to read the PREVIOUS messages in the
debug output
[peap] *** to find out the reason why the user was rejected.
[peap] *** Look for "reject" or "fail". Those earlier messages will
tell you.
[peap] *** what went wrong, and how to fix the problem.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] = invalid
+} # group EAP = invalid
Failed to authenticate the user.
Login incorrect: [testuser1] (from client host1 port 0 cli
02-00-00-00-00-01)
} # server otpme
Delaying reject of request 7 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 7
Sending Access-Reject of id 7 to 10.219.195.1 port 33824
EAP-Message = 0x04070004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.
More information about the Freeradius-Users
mailing list