freeradius 2.1.12 - EAP Trouble - files is used with LEAP, not PEAP, and AD/mschap is used with PEAP, not LEAP
freerad
list.radius at tiri.li
Sun Jul 26 15:40:46 CEST 2015
# freeradius -v
freeradius: FreeRADIUS Version 2.1.12, for host x86_64-pc-linux-gnu, built on Feb 24 2014 at 14:57:57
Copyright (C) 1999-2011 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
For more information about these matters, see the file named COPYRIGHT.
/etc/freeradius/files contains:
testuser Cleartext-Password := "password"
# radexample with user "testuser" and password "password" - as it exists in
/etc/freeradius/users works:
# radexample
login: testuser
Password: password
"testuser" RADIUS Authentication OK
(log01.txt)
but
# ./rad_eap_test -H 10.160.4.50 -P 1812 -S testing123 -u testuser -p password -m IEEE8021X -e PEAP -2 MSCHAPV2 -v
access-reject; 1
fails (log02.txt), but I wanted to have it handled by "files".
but with LEAP it works:
# ./rad_eap_test -H 10.160.4.50 -P 1812 -S testing123 -u testuser -p password -m IEEE8021X -e LEAP -2 MSCHAPV2 -v
access-accept; 0
RADIUS message: code=2 (Access-Accept) identifier=3 length=149
Attribute 26 (Vendor-Specific) length=59
Value: 00 00 00 09 01 35 6c 65 61 70 3a 73 65 73 73 69 6f 6e 2d 6b 65
79 3d 82 68 87 56 16 2a 3d 5a 79 ae c4 db ee d3 2c db 38 83 9a 9f 81 a7 70
03 55 00 c4 b1 cb 45 78 ea ce 63
Attribute 79 (EAP-Message) length=42
Value: 02 04 00 28 11 01 00 18 24 16 99 a0 97 e6 72 86 eb 2d 2e 97 5a
ef 9c c7 e2 00 cf b4 95 8a fa 42 74 65 73 74 75 73 65 72
Attribute 80 (Message-Authenticator) length=18
Value: e2 d3 98 f4 75 a9 44 6b 04 e2 d8 ef 6b 54 4f b1
Attribute 1 (User-Name) length=10
Value: 'testuser'
(log03.txt).
And - with AD User, LEAP does not work
# ./rad_eap_test -H 10.160.4.50 -P 1812 -S testing123 -u wlan_test -p test -m IEEE8021X -e LEAP -2 MSCHAPV2 -v
access-reject; 1
(log04.txt)
while with AD User PEAP is working:
# ./rad_eap_test -H 10.160.4.50 -P 1812 -S testing123 -u wlan_test -p test -m IEEE8021X -e PEAP -2 MSCHAPV2 -v
access-accept; 0
RADIUS message: code=2 (Access-Accept) identifier=9 length=171
Attribute 26 (Vendor-Specific) length=58
Value: 00 00 01 37 11 34 81 3f 5f f6 c1 df a3 6f 6e bc 39 89 09 c8 5f
da bd a7 e4 86 45 0e a9 b7 b1 e9 0d 88 1a 4c 15 d7 9a 8a db 25 87 bd 4f b2
33 11 e6 b2 0b 68 b1 c6 7f 91
Attribute 26 (Vendor-Specific) length=58
Value: 00 00 01 37 10 34 89 ca ed f6 a0 75 fc 03 b8 91 24 91 ab a0 ba
ae 25 72 b0 66 6d b0 69 b0 72 43 83 61 c2 30 fc 4c 62 9f 44 5c 23 00 c3 1b
40 d3 cf 12 3c 55 4d dd 4a 93
Attribute 79 (EAP-Message) length=6
Value: 03 09 00 04
Attribute 80 (Message-Authenticator) length=18
Value: e9 5f 92 1a 6f 01 26 29 b2 b3 9c 87 61 e8 e3 ca
Attribute 1 (User-Name) length=11
Value: 'wlan_test'
What is wrong here?
I want to handle first files, then mschap/ntlm_auth Authentication.
Any help is appreciated.
Thomas
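
The attribute dumps printed by `rad_eap_test -v` above can be read with a small decoder; this is an added example, not part of the original post. The two short EAP-Message values and the attribute header bytes are taken from the post; the key payloads are constructed zero bytes, and all function and constant names are assumptions of this example.

```python
"""Decode EAP-Message and Vendor-Specific values as printed by rad_eap_test -v."""
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 6: "GTC",
             13: "EAP-TLS", 17: "LEAP", 21: "EAP-TTLS", 25: "PEAP",
             26: "EAP-MSCHAPv2"}
VENDORS = {9: "Cisco", 311: "Microsoft"}
VENDOR_ATTRS = {(9, 1): "Cisco-AVPair",
                (311, 16): "MS-MPPE-Send-Key",
                (311, 17): "MS-MPPE-Recv-Key"}


def parse_hex(text):
    """Accept '03 09 00 04' (rad_eap_test) or '0x0200...' (radiusd -X)."""
    text = "".join(text.split())
    if text.lower().startswith("0x"):
        text = text[2:]
    return bytes.fromhex(text)


def decode_eap(data):
    """Decode the EAP header: code, identifier, length, and type if present."""
    if len(data) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 4 or length > len(data):
        raise ValueError(f"EAP length {length} does not fit {len(data)} bytes")
    out = {"code": EAP_CODES.get(code, f"unknown({code})"), "id": ident,
           "length": length, "type": None, "identity": None}
    # Only Request and Response packets carry a type byte.
    if code in (1, 2) and length >= 5:
        eap_type = data[4]
        out["type"] = EAP_TYPES.get(eap_type, f"unknown({eap_type})")
        if eap_type == 1:
            out["identity"] = data[5:length].decode("utf-8", "replace")
    return out


def decode_vsa(value):
    """Decode the value of attribute 26: vendor id, then type/length/data items."""
    if len(value) < 4:
        raise ValueError("Vendor-Specific value shorter than the vendor id")
    vendor_id = struct.unpack("!I", value[:4])[0]
    attrs, pos = [], 4
    while pos < len(value):
        if pos + 2 > len(value):
            raise ValueError("truncated vendor attribute header")
        vtype, vlen = value[pos], value[pos + 1]
        if vlen < 2 or pos + vlen > len(value):
            raise ValueError(f"vendor attribute length {vlen} out of range")
        attrs.append({"type": vtype,
                      "name": VENDOR_ATTRS.get((vendor_id, vtype), "unknown"),
                      "data": value[pos + 2:pos + vlen]})
        pos += vlen
    return {"vendor_id": vendor_id,
            "vendor": VENDORS.get(vendor_id, "unknown"),
            "attrs": attrs}


# Header bytes as in the post; the 24-byte response is constructed zeros.
LEAP_RESPONSE = bytes.fromhex("0204002811010018") + bytes(24) + b"testuser"
# Header bytes as in the LEAP Access-Accept; the 34 key bytes are constructed.
CISCO_VSA = bytes.fromhex("000000090135") + b"leap:session-key=" + bytes(34)
# Header bytes as in the PEAP Access-Accept; the 50 key bytes are constructed.
MS_RECV_VSA = bytes.fromhex("000001371134") + bytes(50)

if __name__ == "__main__":
    # Values copied from the post: the first EAP-Message in log02 and the
    # EAP-Message of the PEAP Access-Accept.
    print(decode_eap(parse_hex("0x0200000d017465737475736572")))
    print(decode_eap(parse_hex("03 09 00 04")))
    print(decode_eap(LEAP_RESPONSE))
    for vsa in (CISCO_VSA, MS_RECV_VSA):
        decoded = decode_vsa(vsa)
        print(decoded["vendor"], [a["name"] for a in decoded["attrs"]])
```

Decoded this way, the LEAP accept carries a Cisco-AVPair `leap:session-key=` item and a LEAP-typed EAP Response, while the PEAP accept carries Microsoft MS-MPPE key attributes and a bare EAP Success.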
-------------- next part --------------
FreeRADIUS Version 2.1.12, for host x86_64-pc-linux-gnu, built on Feb 24 2014 at 14:57:57
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/smsotp
including configuration file /etc/freeradius/modules/replicate
including configuration file /etc/freeradius/modules/radutmp
including configuration file /etc/freeradius/modules/attr_filter
including configuration file /etc/freeradius/modules/echo
including configuration file /etc/freeradius/modules/mschap
including configuration file /etc/freeradius/modules/soh
including configuration file /etc/freeradius/modules/detail
including configuration file /etc/freeradius/modules/checkval
including configuration file /etc/freeradius/modules/ldap
including configuration file /etc/freeradius/modules/cui
including configuration file /etc/freeradius/modules/always
including configuration file /etc/freeradius/modules/etc_group
including configuration file /etc/freeradius/modules/expiration
including configuration file /etc/freeradius/modules/realm
including configuration file /etc/freeradius/modules/perl
including configuration file /etc/freeradius/modules/expr
including configuration file /etc/freeradius/modules/sql_log
including configuration file /etc/freeradius/modules/sradutmp
including configuration file /etc/freeradius/modules/ippool
including configuration file /etc/freeradius/modules/inner-eap
including configuration file /etc/freeradius/modules/krb5
including configuration file /etc/freeradius/modules/smbpasswd
including configuration file /etc/freeradius/modules/pap
including configuration file /etc/freeradius/modules/counter
including configuration file /etc/freeradius/modules/wimax
including configuration file /etc/freeradius/modules/detail.example.com
including configuration file /etc/freeradius/modules/files
including configuration file /etc/freeradius/modules/redis
including configuration file /etc/freeradius/modules/acct_unique
including configuration file /etc/freeradius/modules/digest
including configuration file /etc/freeradius/modules/passwd
including configuration file /etc/freeradius/modules/exec
including configuration file /etc/freeradius/modules/linelog
including configuration file /etc/freeradius/modules/logintime
including configuration file /etc/freeradius/modules/detail.log
including configuration file /etc/freeradius/modules/rediswho
including configuration file /etc/freeradius/modules/dynamic_clients
including configuration file /etc/freeradius/modules/mac2vlan
including configuration file /etc/freeradius/modules/mac2ip
including configuration file /etc/freeradius/modules/ntlm_auth
including configuration file /etc/freeradius/modules/chap
including configuration file /etc/freeradius/modules/policy
including configuration file /etc/freeradius/modules/otp
including configuration file /etc/freeradius/modules/attr_rewrite
including configuration file /etc/freeradius/modules/opendirectory
including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login
including configuration file /etc/freeradius/modules/preprocess
including configuration file /etc/freeradius/modules/pam
including configuration file /etc/freeradius/modules/unix
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/default
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
main {
user = "freerad"
group = "freerad"
allow_core_dumps = no
}
including dictionary file /etc/freeradius/dictionary
main {
name = "freeradius"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log/freeradius"
run_dir = "/var/run/freeradius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/freeradius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "/var/run/freeradius/freeradius.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "testing123"
response_window = 20
max_outstanding = 65536
require_message_authenticator = yes
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "WLAN4zyxel"
nastype = "other"
}
client 10.160.199.11 {
require_message_authenticator = no
secret = "WLAN4zyxel"
}
client 10.160.4.5 {
require_message_authenticator = no
secret = "testing123"
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating module "exec" from file /etc/freeradius/modules/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_expr
Module: Instantiating module "expr" from file /etc/freeradius/modules/expr
Module: Linked to module rlm_expiration
Module: Instantiating module "expiration" from file /etc/freeradius/modules/expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating module "logintime" from file /etc/freeradius/modules/logintime
logintime {
reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60
}
}
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/freeradius/radiusd.conf
modules {
Module: Creating Auth-Type = Perl
Module: Creating Auth-Type = digest
Module: Creating Post-Auth-Type = Perl
Module: Creating Post-Auth-Type = REJECT
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_perl
Module: Instantiating module "perl" from file /etc/freeradius/modules/perl
perl {
module = "/etc/freeradius/tiri_rlm_perl.pl"
func_authorize = "authorize"
func_authenticate = "authenticate"
func_accounting = "accounting"
func_preacct = "preacct"
func_checksimul = "checksimul"
func_detach = "detach"
func_xlat = "xlat"
func_pre_proxy = "pre_proxy"
func_post_proxy = "post_proxy"
func_post_auth = "post_auth"
func_recv_coa = "recv_coa"
func_send_coa = "send_coa"
}
Module: Linked to module rlm_pap
Module: Instantiating module "pap" from file /etc/freeradius/modules/pap
pap {
encryption_scheme = "auto"
auto_header = yes
}
Module: Linked to module rlm_chap
Module: Instantiating module "chap" from file /etc/freeradius/modules/chap
Module: Linked to module rlm_mschap
Module: Instantiating module "mschap" from file /etc/freeradius/modules/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = no
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} --domain=%{%{mschap:NT-Domain}:-SWBT} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
allow_retry = yes
}
Module: Linked to module rlm_digest
Module: Instantiating module "digest" from file /etc/freeradius/modules/digest
Module: Linked to module rlm_unix
Module: Instantiating module "unix" from file /etc/freeradius/modules/unix
unix {
radwtmp = "/var/log/freeradius/radwtmp"
}
Module: Linked to module rlm_eap
Module: Instantiating module "eap" from file /etc/freeradius/eap.conf
eap {
default_eap_type = "peap"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 4096
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
CA_path = "/etc/freeradius/certs"
pem_file_type = yes
private_key_file = "/etc/freeradius/certs/server.key"
certificate_file = "/etc/freeradius/certs/server.pem"
CA_file = "/etc/freeradius/certs/ca.pem"
private_key_password = "WLAN4hotspot"
dh_file = "/etc/freeradius/certs/dh"
random_file = "/dev/urandom"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
make_cert_command = "/etc/freeradius/certs/bootstrap"
ecdh_curve = "prime256v1"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
tmpdir = "/tmp/freeradius"
client = "/usr/bin/openssl verify -CAfile /etc/freeradius/certs/ca.pem -CApath /etc/freeradius/certs %{TLS-Client-Cert-Filename}"
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
}
}
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
default_eap_type = "md5"
copy_request_to_tunnel = yes
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = yes
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating module "preprocess" from file /etc/freeradius/modules/preprocess
preprocess {
huntgroups = "/etc/freeradius/huntgroups"
hints = "/etc/freeradius/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
Module: Linked to module rlm_detail
Module: Instantiating module "auth_log" from file /etc/freeradius/modules/detail.log
detail auth_log {
detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Linked to module rlm_realm
Module: Instantiating module "suffix" from file /etc/freeradius/modules/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Linked to module rlm_files
Module: Instantiating module "files" from file /etc/freeradius/modules/files
files {
usersfile = "/etc/freeradius/users"
acctusersfile = "/etc/freeradius/acct_users"
preproxy_usersfile = "/etc/freeradius/preproxy_users"
compat = "no"
}
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating module "acct_unique" from file /etc/freeradius/modules/acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Instantiating module "detail" from file /etc/freeradius/modules/detail
detail {
detailfile = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Linked to module rlm_radutmp
Module: Instantiating module "radutmp" from file /etc/freeradius/modules/radutmp
radutmp {
filename = "/var/log/freeradius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Linked to module rlm_attr_filter
Module: Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/modules/attr_filter
attr_filter attr_filter.accounting_response {
attrsfile = "/etc/freeradius/attrs.accounting_response"
key = "%{User-Name}"
relaxed = no
}
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Instantiating module "attr_filter.access_reject" from file /etc/freeradius/modules/attr_filter
attr_filter attr_filter.access_reject {
attrsfile = "/etc/freeradius/attrs.access_reject"
key = "%{User-Name}"
relaxed = no
}
} # modules
} # server
server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel
modules {
Module: Creating Post-Proxy-Type = Fail
Module: Checking authenticate {...} for more modules to load
Module: Checking authorize {...} for more modules to load
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
} # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
... adding new socket proxy address * port 47086
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 10.160.4.5 port 28117, id=115, length=66
User-Name = "testuser"
User-Password = "password"
Service-Type = Authenticate-Only
NAS-Port = 0
NAS-IP-Address = 10.160.4.5
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/10.160.4.5/auth-detail-20150726
[auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/10.160.4.5/auth-detail-20150726
[auth_log] expand: %t -> Sun Jul 26 15:34:42 2015
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "testuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry testuser at line 204
++[files] returns ok
WARNING: Please update your configuration, and remove 'Auth-Type = Local'
WARNING: Use the PAP or CHAP modules instead.
User-Password in the request is correct.
# Executing section post-auth from file /etc/freeradius/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 115 to 10.160.4.5 port 28117
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 115 with timestamp +9
Ready to process requests.
-------------- next part --------------
... adding new socket proxy address * port 37341
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 10.160.4.5 port 10648, id=0, length=127
User-Name = "testuser"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "70-6F-6C-69-73-68"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "rad_eap_test + eapol_test"
EAP-Message = 0x0200000d017465737475736572
Message-Authenticator = 0x4528575c33716501d0c69aa016f6d4d7
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/10.160.4.5/auth-detail-20150726
[auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/10.160.4.5/auth-detail-20150726
[auth_log] expand: %t -> Sun Jul 26 15:35:16 2015
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "testuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 0 length 13
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry testuser at line 204
++[files] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 0 to 10.160.4.5 port 10648
EAP-Message = 0x010100061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x8a825e178a83472d8effec5a905ad761
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.160.4.5 port 10648, id=1, length=225
User-Name = "testuser"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "70-6F-6C-69-73-68"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "rad_eap_test + eapol_test"
EAP-Message = 0x0201005d190016030100520100004e030155b4e1e01cfae0eb91b357e80fc7d8b00e163af8836503fb47fe2d0ef929844c00002600390038003500160013000a00330032002f0005000400150012000900140011000800060003020100
State = 0x8a825e178a83472d8effec5a905ad761
Message-Authenticator = 0x37c6beada3bfdcd902fa6648c3da713a
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/10.160.4.5/auth-detail-20150726
[auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/10.160.4.5/auth-detail-20150726
[auth_log] expand: %t -> Sun Jul 26 15:35:16 2015
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "testuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 93
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 0052], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 002a], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 080a], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange
[peap] TLS_accept: SSLv3 write key exchange A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 1 to 10.160.4.5 port 10648
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x8a825e178b80472d8effec5a905ad761
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.160.4.5 port 10648, id=2, length=138
User-Name = "testuser"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "70-6F-6C-69-73-68"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "rad_eap_test + eapol_test"
EAP-Message = 0x020200061900
State = 0x8a825e178b80472d8effec5a905ad761
Message-Authenticator = 0xcf73318281ac54719bd9f1ef7713ffd0
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/10.160.4.5/auth-detail-20150726
[auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/10.160.4.5/auth-detail-20150726
[auth_log] expand: %t -> Sun Jul 26 15:35:16 2015
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "testuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 2 to 10.160.4.5 port 10648
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x8a825e178881472d8effec5a905ad761
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.160.4.5 port 10648, id=3, length=138
User-Name = "testuser"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "70-6F-6C-69-73-68"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "rad_eap_test + eapol_test"
EAP-Message = 0x020300061900
State = 0x8a825e178881472d8effec5a905ad761
Message-Authenticator = 0x95dec4e6db2b7a6a443d93df9503baa6
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/10.160.4.5/auth-detail-20150726
[auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/10.160.4.5/auth-detail-20150726
[auth_log] expand: %t -> Sun Jul 26 15:35:16 2015
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "testuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 3 to 10.160.4.5 port 10648
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x8a825e178986472d8effec5a905ad761
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.160.4.5 port 10648, id=4, length=336
User-Name = "testuser"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "70-6F-6C-69-73-68"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "rad_eap_test + eapol_test"
EAP-Message = 0x020400cc1900160301008610000082008075cad293f8eb6b336cdca07cfd71027e509de6a4b038c971a117941fe3a4f8afd109af9061d331b3ecb1df0735a64ea8eab567466c4106029d0eb658c8704274e977a73b182a1d67e814891fe8bc3eb9a7b1692c3eada21f163607737d5ca5db48a151d172fd1a4ad07cb3c4e6a195220b5f9930ff71845d624dd567374defd4140301000101160301003016224e72d27378299c61ce71527fcba614df5bc5d443081967986242609b3847b8cb886479e2d5b3dca73a5d1e478f44
State = 0x8a825e178986472d8effec5a905ad761
Message-Authenticator = 0xcbc373c106661199f700ed12c298f491
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/10.160.4.5/auth-detail-20150726
[auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/10.160.4.5/auth-detail-20150726
[auth_log] expand: %t -> Sun Jul 26 15:35:16 2015
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "testuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 4 length 204
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
[peap] TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap] TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 write finished A
[peap] TLS_accept: SSLv3 flush data
[peap] (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 4 to 10.160.4.5 port 10648
EAP-Message = 0x0105004119001403010001011603010030b778a860dd154a2abdb2d562be8e19ff962e626ee2d3ed8a95de2de92d73a4d5548278ba41423a37f1af2c3a95134019
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x8a825e178e87472d8effec5a905ad761
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.160.4.5 port 10648, id=5, length=138
User-Name = "testuser"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "70-6F-6C-69-73-68"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "rad_eap_test + eapol_test"
EAP-Message = 0x020500061900
State = 0x8a825e178e87472d8effec5a905ad761
Message-Authenticator = 0x627468b037a687d0bfd279b106278032
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/10.160.4.5/auth-detail-20150726
[auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/10.160.4.5/auth-detail-20150726
[auth_log] expand: %t -> Sun Jul 26 15:35:16 2015
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "testuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 5 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state TUNNEL ESTABLISHED
++[eap] returns handled
Sending Access-Challenge of id 5 to 10.160.4.5 port 10648
EAP-Message = 0x0106002b19001703010020820cda67d0a8882866d6f93353ec827fddd25caf9a5fdbc225af615058435176
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x8a825e178f84472d8effec5a905ad761
Finished request 5.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.160.4.5 port 10648, id=6, length=212
User-Name = "testuser"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "70-6F-6C-69-73-68"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "rad_eap_test + eapol_test"
EAP-Message = 0x0206005019001703010020858412ca6a250f2d630d8e192b32d8143c929fd1bdc3483e1ff6201d4cd98642170301002032c90ad9bf8af7d1b9d52a06bc72ef0eb32be1b9f06cd8c54355fafc3d282d86
State = 0x8a825e178f84472d8effec5a905ad761
Message-Authenticator = 0x2d472b781d5b340e8fe2b6f103c3e53f
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/10.160.4.5/auth-detail-20150726
[auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/10.160.4.5/auth-detail-20150726
[auth_log] expand: %t -> Sun Jul 26 15:35:16 2015
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "testuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 6 length 80
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state WAITING FOR INNER IDENTITY
[peap] Identity - testuser
[peap] Got inner identity 'testuser'
[peap] Setting default EAP type for tunneled EAP session.
[peap] Got tunneled request
EAP-Message = 0x0206000d017465737475736572
server {
[peap] Setting User-Name to testuser
Sending tunneled request
EAP-Message = 0x0206000d017465737475736572
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "testuser"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "70-6F-6C-69-73-68"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "rad_eap_test + eapol_test"
server inner-tunnel {
# Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "testuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
expand: %{request:User-Name} -> testuser
++[outer.control] returns noop
[eap] EAP packet type response id 6 length 13
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry testuser at line 204
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
EAP-Message = 0x010700221a0107001d1003c775094a243789837e71ccb7b06af27465737475736572
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xf126c5f6f121dfdf95f83ebe07e2c5fd
[peap] Got tunneled reply RADIUS code 11
EAP-Message = 0x010700221a0107001d1003c775094a243789837e71ccb7b06af27465737475736572
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xf126c5f6f121dfdf95f83ebe07e2c5fd
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 6 to 10.160.4.5 port 10648
EAP-Message = 0x0107004b19001703010040b3c81b328ac97b02895fbf3e3933278fd7e995b09787e8f883422a2c3e1612b4104f7b3793d201dadb4fa5a6078834576c3c2eb9e2e805f0e9a2af1f11adf01f
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x8a825e178c85472d8effec5a905ad761
Finished request 6.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.160.4.5 port 10648, id=7, length=276
User-Name = "testuser"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "70-6F-6C-69-73-68"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "rad_eap_test + eapol_test"
EAP-Message = 0x0207009019001703010020f495ba707f995e7dac1edff8d775d4ba9fd25cdf1e4cab00f4008c98e622427e1703010060c7ff4a8cf6c295755eca66b475bc3c63254ea602af3242743dc1943deb6bb1bf3a87e7ca9cb71fa8cb53f07545bba68d5756cc305874cf03bb86272c8b93e6cd2464029c4274bf206f17b90900d4099bf47b4d20137af06cbcd4cddaa22b49d7
State = 0x8a825e178c85472d8effec5a905ad761
Message-Authenticator = 0x18e00f9378598c10bd497ef6cea7f2f7
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/10.160.4.5/auth-detail-20150726
[auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/10.160.4.5/auth-detail-20150726
[auth_log] expand: %t -> Sun Jul 26 15:35:16 2015
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "testuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 7 length 144
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
EAP-Message = 0x020700431a0207003e31001ed775f0a55c43d7431a6e6c66bdfd000000000000000041c0b1c318ef07cf0c9e02730365f4c86648e8fe6dd12eb5007465737475736572
server {
[peap] Setting User-Name to testuser
Sending tunneled request
EAP-Message = 0x020700431a0207003e31001ed775f0a55c43d7431a6e6c66bdfd000000000000000041c0b1c318ef07cf0c9e02730365f4c86648e8fe6dd12eb5007465737475736572
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "testuser"
State = 0xf126c5f6f121dfdf95f83ebe07e2c5fd
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "70-6F-6C-69-73-68"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "rad_eap_test + eapol_test"
server inner-tunnel {
# Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "testuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
expand: %{request:User-Name} -> testuser
++[outer.control] returns noop
[eap] EAP packet type response id 7 length 67
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry testuser at line 204
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
[mschapv2] +- entering group MS-CHAP {...}
[mschap] Creating challenge hash with username: testuser
[mschap] Told to do MS-CHAPv2 for testuser with NT-Password
[mschap] expand: %{Stripped-User-Name} ->
[mschap] ... expanding second conditional
[mschap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
[mschap] expand: %{User-Name:-None} -> testuser
[mschap] expand: --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} -> --username=testuser
[mschap] No NT-Domain was found in the User-Name.
[mschap] expand: %{mschap:NT-Domain} ->
[mschap] ... expanding second conditional
[mschap] expand: --domain=%{%{mschap:NT-Domain}:-SWBT} -> --domain=SWBT
[mschap] Creating challenge hash with username: testuser
[mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=d1606f27ded0aaeb
[mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=41c0b1c318ef07cf0c9e02730365f4c86648e8fe6dd12eb5
Exec-Program output: Logon failure (0xc000006d)
Exec-Program-Wait: plaintext: Logon failure (0xc000006d)
Exec-Program: returned: 1
[mschap] External script failed.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
} # server inner-tunnel
[peap] Got tunneled reply code 3
MS-CHAP-Error = "\007E=691 R=1"
EAP-Message = 0x04070004
Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code 3
MS-CHAP-Error = "\007E=691 R=1"
EAP-Message = 0x04070004
Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] returns handled
Sending Access-Challenge of id 7 to 10.160.4.5 port 10648
EAP-Message = 0x0108002b19001703010020a2eeb5495b49b95c8f2636fe86c74bd50533f80d52c3c1e633327b62ca24a550
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x8a825e178d8a472d8effec5a905ad761
Finished request 7.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.160.4.5 port 10648, id=8, length=212
User-Name = "testuser"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "70-6F-6C-69-73-68"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "rad_eap_test + eapol_test"
EAP-Message = 0x02080050190017030100206c963cfe8058a4039178a69f804c3a0cbfaf81b8115cd984cd1e6932641747e41703010020de6a6f08c5e47ebbb34c3f4743fedf6cd866ccf1c679a3c21ca4c80855578710
State = 0x8a825e178d8a472d8effec5a905ad761
Message-Authenticator = 0xcdd80be01205f53c713c05763771d637
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/10.160.4.5/auth-detail-20150726
[auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/10.160.4.5/auth-detail-20150726
[auth_log] expand: %t -> Sun Jul 26 15:35:16 2015
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "testuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 8 length 80
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state send tlv failure
[peap] Received EAP-TLV response.
[peap] The users session was previously rejected: returning reject (again.)
[peap] *** This means you need to read the PREVIOUS messages in the debug output
[peap] *** to find out the reason why the user was rejected.
[peap] *** Look for "reject" or "fail". Those earlier messages will tell you.
[peap] *** what went wrong, and how to fix the problem.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> testuser
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 8 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 8
Sending Access-Reject of id 8 to 10.160.4.5 port 10648
EAP-Message = 0x04080004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.
Cleaning up request 0 ID 0 with timestamp +5
Cleaning up request 1 ID 1 with timestamp +5
Cleaning up request 2 ID 2 with timestamp +5
Cleaning up request 3 ID 3 with timestamp +5
Cleaning up request 4 ID 4 with timestamp +5
Cleaning up request 5 ID 5 with timestamp +5
Cleaning up request 6 ID 6 with timestamp +5
Cleaning up request 7 ID 7 with timestamp +5
Waking up in 1.0 seconds.
-------------- next part --------------
FreeRADIUS Version 2.1.12, for host x86_64-pc-linux-gnu, built on Feb 24 2014 at 14:57:57
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/smsotp
including configuration file /etc/freeradius/modules/replicate
including configuration file /etc/freeradius/modules/radutmp
including configuration file /etc/freeradius/modules/attr_filter
including configuration file /etc/freeradius/modules/echo
including configuration file /etc/freeradius/modules/mschap
including configuration file /etc/freeradius/modules/soh
including configuration file /etc/freeradius/modules/detail
including configuration file /etc/freeradius/modules/checkval
including configuration file /etc/freeradius/modules/ldap
including configuration file /etc/freeradius/modules/cui
including configuration file /etc/freeradius/modules/always
including configuration file /etc/freeradius/modules/etc_group
including configuration file /etc/freeradius/modules/expiration
including configuration file /etc/freeradius/modules/realm
including configuration file /etc/freeradius/modules/perl
including configuration file /etc/freeradius/modules/expr
including configuration file /etc/freeradius/modules/sql_log
including configuration file /etc/freeradius/modules/sradutmp
including configuration file /etc/freeradius/modules/ippool
including configuration file /etc/freeradius/modules/inner-eap
including configuration file /etc/freeradius/modules/krb5
including configuration file /etc/freeradius/modules/smbpasswd
including configuration file /etc/freeradius/modules/pap
including configuration file /etc/freeradius/modules/counter
including configuration file /etc/freeradius/modules/wimax
including configuration file /etc/freeradius/modules/detail.example.com
including configuration file /etc/freeradius/modules/files
including configuration file /etc/freeradius/modules/redis
including configuration file /etc/freeradius/modules/acct_unique
including configuration file /etc/freeradius/modules/digest
including configuration file /etc/freeradius/modules/passwd
including configuration file /etc/freeradius/modules/exec
including configuration file /etc/freeradius/modules/linelog
including configuration file /etc/freeradius/modules/logintime
including configuration file /etc/freeradius/modules/detail.log
including configuration file /etc/freeradius/modules/rediswho
including configuration file /etc/freeradius/modules/dynamic_clients
including configuration file /etc/freeradius/modules/mac2vlan
including configuration file /etc/freeradius/modules/mac2ip
including configuration file /etc/freeradius/modules/ntlm_auth
including configuration file /etc/freeradius/modules/chap
including configuration file /etc/freeradius/modules/policy
including configuration file /etc/freeradius/modules/otp
including configuration file /etc/freeradius/modules/attr_rewrite
including configuration file /etc/freeradius/modules/opendirectory
including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login
including configuration file /etc/freeradius/modules/preprocess
including configuration file /etc/freeradius/modules/pam
including configuration file /etc/freeradius/modules/unix
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/default
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
main {
user = "freerad"
group = "freerad"
allow_core_dumps = no
}
including dictionary file /etc/freeradius/dictionary
main {
name = "freeradius"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log/freeradius"
run_dir = "/var/run/freeradius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/freeradius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "/var/run/freeradius/freeradius.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "testing123"
response_window = 20
max_outstanding = 65536
require_message_authenticator = yes
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "WLAN4zyxel"
nastype = "other"
}
client 10.160.199.11 {
require_message_authenticator = no
secret = "WLAN4zyxel"
}
client 10.160.4.5 {
require_message_authenticator = no
secret = "testing123"
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating module "exec" from file /etc/freeradius/modules/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_expr
Module: Instantiating module "expr" from file /etc/freeradius/modules/expr
Module: Linked to module rlm_expiration
Module: Instantiating module "expiration" from file /etc/freeradius/modules/expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating module "logintime" from file /etc/freeradius/modules/logintime
logintime {
reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60
}
}
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/freeradius/radiusd.conf
modules {
Module: Creating Auth-Type = Perl
Module: Creating Auth-Type = digest
Module: Creating Post-Auth-Type = Perl
Module: Creating Post-Auth-Type = REJECT
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_perl
Module: Instantiating module "perl" from file /etc/freeradius/modules/perl
perl {
module = "/etc/freeradius/tiri_rlm_perl.pl"
func_authorize = "authorize"
func_authenticate = "authenticate"
func_accounting = "accounting"
func_preacct = "preacct"
func_checksimul = "checksimul"
func_detach = "detach"
func_xlat = "xlat"
func_pre_proxy = "pre_proxy"
func_post_proxy = "post_proxy"
func_post_auth = "post_auth"
func_recv_coa = "recv_coa"
func_send_coa = "send_coa"
}
Module: Linked to module rlm_pap
Module: Instantiating module "pap" from file /etc/freeradius/modules/pap
pap {
encryption_scheme = "auto"
auto_header = yes
}
Module: Linked to module rlm_chap
Module: Instantiating module "chap" from file /etc/freeradius/modules/chap
Module: Linked to module rlm_mschap
Module: Instantiating module "mschap" from file /etc/freeradius/modules/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = no
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} --domain=%{%{mschap:NT-Domain}:-SWBT} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
allow_retry = yes
}
Module: Linked to module rlm_digest
Module: Instantiating module "digest" from file /etc/freeradius/modules/digest
Module: Linked to module rlm_unix
Module: Instantiating module "unix" from file /etc/freeradius/modules/unix
unix {
radwtmp = "/var/log/freeradius/radwtmp"
}
Module: Linked to module rlm_eap
Module: Instantiating module "eap" from file /etc/freeradius/eap.conf
eap {
default_eap_type = "peap"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 4096
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
CA_path = "/etc/freeradius/certs"
pem_file_type = yes
private_key_file = "/etc/freeradius/certs/server.key"
certificate_file = "/etc/freeradius/certs/server.pem"
CA_file = "/etc/freeradius/certs/ca.pem"
private_key_password = "WLAN4hotspot"
dh_file = "/etc/freeradius/certs/dh"
random_file = "/dev/urandom"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
make_cert_command = "/etc/freeradius/certs/bootstrap"
ecdh_curve = "prime256v1"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
tmpdir = "/tmp/freeradius"
client = "/usr/bin/openssl verify -CAfile /etc/freeradius/certs/ca.pem -CApath /etc/freeradius/certs %{TLS-Client-Cert-Filename}"
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
}
}
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
default_eap_type = "md5"
copy_request_to_tunnel = yes
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = yes
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating module "preprocess" from file /etc/freeradius/modules/preprocess
preprocess {
huntgroups = "/etc/freeradius/huntgroups"
hints = "/etc/freeradius/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
Module: Linked to module rlm_detail
Module: Instantiating module "auth_log" from file /etc/freeradius/modules/detail.log
detail auth_log {
detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Linked to module rlm_realm
Module: Instantiating module "suffix" from file /etc/freeradius/modules/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Linked to module rlm_files
Module: Instantiating module "files" from file /etc/freeradius/modules/files
files {
usersfile = "/etc/freeradius/users"
acctusersfile = "/etc/freeradius/acct_users"
preproxy_usersfile = "/etc/freeradius/preproxy_users"
compat = "no"
}
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating module "acct_unique" from file /etc/freeradius/modules/acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Instantiating module "detail" from file /etc/freeradius/modules/detail
detail {
detailfile = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Linked to module rlm_radutmp
Module: Instantiating module "radutmp" from file /etc/freeradius/modules/radutmp
radutmp {
filename = "/var/log/freeradius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Linked to module rlm_attr_filter
Module: Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/modules/attr_filter
attr_filter attr_filter.accounting_response {
attrsfile = "/etc/freeradius/attrs.accounting_response"
key = "%{User-Name}"
relaxed = no
}
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Instantiating module "attr_filter.access_reject" from file /etc/freeradius/modules/attr_filter
attr_filter attr_filter.access_reject {
attrsfile = "/etc/freeradius/attrs.access_reject"
key = "%{User-Name}"
relaxed = no
}
} # modules
} # server
server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel
modules {
Module: Creating Post-Proxy-Type = Fail
Module: Checking authenticate {...} for more modules to load
Module: Checking authorize {...} for more modules to load
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
} # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
... adding new socket proxy address * port 60237
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 10.160.4.5 port 29663, id=0, length=127
User-Name = "testuser"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "70-6F-6C-69-73-68"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "rad_eap_test + eapol_test"
EAP-Message = 0x0200000d017465737475736572
Message-Authenticator = 0xaf9deaee8fbf5f849ef89dec07d401ae
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/10.160.4.5/auth-detail-20150726
[auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/10.160.4.5/auth-detail-20150726
[auth_log] expand: %t -> Sun Jul 26 15:35:34 2015
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "testuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 0 length 13
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry testuser at line 204
++[files] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 0 to 10.160.4.5 port 29663
EAP-Message = 0x010100061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa318fd95a319e400d4e5e3731585dfe7
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.160.4.5 port 29663, id=1, length=138
User-Name = "testuser"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "70-6F-6C-69-73-68"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "rad_eap_test + eapol_test"
EAP-Message = 0x020100060311
State = 0xa318fd95a319e400d4e5e3731585dfe7
Message-Authenticator = 0xf4629f252d1ca1db2cc68777337af71c
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/10.160.4.5/auth-detail-20150726
[auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/10.160.4.5/auth-detail-20150726
[auth_log] expand: %t -> Sun Jul 26 15:35:34 2015
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "testuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry testuser at line 204
++[files] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/leap
[eap] processing type leap
rlm_eap_leap: Stage 2
rlm_eap_leap: Issuing AP Challenge
rlm_eap_leap: Successfully initiated
++[eap] returns handled
Sending Access-Challenge of id 1 to 10.160.4.5 port 29663
EAP-Message = 0x0102001811010008f575ac37fa1f4b797465737475736572
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa318fd95a21aec00d4e5e3731585dfe7
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.160.4.5 port 29663, id=2, length=172
User-Name = "testuser"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "70-6F-6C-69-73-68"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "rad_eap_test + eapol_test"
EAP-Message = 0x0202002811010018914a33cc9a090571a0948b77deed85558ab8f49887052bd17465737475736572
State = 0xa318fd95a21aec00d4e5e3731585dfe7
Message-Authenticator = 0x8f0aa46bac2cf830c3ada61251e084a2
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/10.160.4.5/auth-detail-20150726
[auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/10.160.4.5/auth-detail-20150726
[auth_log] expand: %t -> Sun Jul 26 15:35:34 2015
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "testuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 40
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry testuser at line 204
++[files] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/leap
[eap] processing type leap
rlm_eap_leap: Stage 4
rlm_eap_leap: NtChallengeResponse from AP is valid
[eap] Underlying EAP-Type set EAP ID to 3
++[eap] returns ok
# Executing section post-auth from file /etc/freeradius/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Challenge of id 2 to 10.160.4.5 port 29663
EAP-Message = 0x03030004
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa318fd95a11bec00d4e5e3731585dfe7
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.160.4.5 port 29663, id=3, length=156
User-Name = "testuser"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "70-6F-6C-69-73-68"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "rad_eap_test + eapol_test"
EAP-Message = 0x0103001811010008a2274d68d4b9c2427465737475736572
State = 0xa318fd95a11bec00d4e5e3731585dfe7
Message-Authenticator = 0xe0659d929e7e01624fe977bb4b17b508
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/10.160.4.5/auth-detail-20150726
[auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/10.160.4.5/auth-detail-20150726
[auth_log] expand: %t -> Sun Jul 26 15:35:34 2015
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "testuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type request id 3 length 24
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry testuser at line 204
++[files] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/leap
[eap] processing type leap
rlm_eap_leap: Stage 6
[eap] Freeing handler
++[eap] returns handled
Sending Access-Accept of id 3 to 10.160.4.5 port 29663
Cisco-AVPair += "leap:session-key=\202h\207V\026*=Zy\256\304\333\356\323,\3338\203\232\237\201\247p\003U\000ı\313Ex\352\316c"
EAP-Message = 0x0204002811010018241699a097e67286eb2d2e975aef9cc7e200cfb4958afa427465737475736572
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "testuser"
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 0 with timestamp +9
Cleaning up request 1 ID 1 with timestamp +9
Cleaning up request 2 ID 2 with timestamp +9
Cleaning up request 3 ID 3 with timestamp +9
Ready to process requests.
-------------- next part --------------
FreeRADIUS Version 2.1.12, for host x86_64-pc-linux-gnu, built on Feb 24 2014 at 14:57:57
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/smsotp
including configuration file /etc/freeradius/modules/replicate
including configuration file /etc/freeradius/modules/radutmp
including configuration file /etc/freeradius/modules/attr_filter
including configuration file /etc/freeradius/modules/echo
including configuration file /etc/freeradius/modules/mschap
including configuration file /etc/freeradius/modules/soh
including configuration file /etc/freeradius/modules/detail
including configuration file /etc/freeradius/modules/checkval
including configuration file /etc/freeradius/modules/ldap
including configuration file /etc/freeradius/modules/cui
including configuration file /etc/freeradius/modules/always
including configuration file /etc/freeradius/modules/etc_group
including configuration file /etc/freeradius/modules/expiration
including configuration file /etc/freeradius/modules/realm
including configuration file /etc/freeradius/modules/perl
including configuration file /etc/freeradius/modules/expr
including configuration file /etc/freeradius/modules/sql_log
including configuration file /etc/freeradius/modules/sradutmp
including configuration file /etc/freeradius/modules/ippool
including configuration file /etc/freeradius/modules/inner-eap
including configuration file /etc/freeradius/modules/krb5
including configuration file /etc/freeradius/modules/smbpasswd
including configuration file /etc/freeradius/modules/pap
including configuration file /etc/freeradius/modules/counter
including configuration file /etc/freeradius/modules/wimax
including configuration file /etc/freeradius/modules/detail.example.com
including configuration file /etc/freeradius/modules/files
including configuration file /etc/freeradius/modules/redis
including configuration file /etc/freeradius/modules/acct_unique
including configuration file /etc/freeradius/modules/digest
including configuration file /etc/freeradius/modules/passwd
including configuration file /etc/freeradius/modules/exec
including configuration file /etc/freeradius/modules/linelog
including configuration file /etc/freeradius/modules/logintime
including configuration file /etc/freeradius/modules/detail.log
including configuration file /etc/freeradius/modules/rediswho
including configuration file /etc/freeradius/modules/dynamic_clients
including configuration file /etc/freeradius/modules/mac2vlan
including configuration file /etc/freeradius/modules/mac2ip
including configuration file /etc/freeradius/modules/ntlm_auth
including configuration file /etc/freeradius/modules/chap
including configuration file /etc/freeradius/modules/policy
including configuration file /etc/freeradius/modules/otp
including configuration file /etc/freeradius/modules/attr_rewrite
including configuration file /etc/freeradius/modules/opendirectory
including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login
including configuration file /etc/freeradius/modules/preprocess
including configuration file /etc/freeradius/modules/pam
including configuration file /etc/freeradius/modules/unix
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/default
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
main {
user = "freerad"
group = "freerad"
allow_core_dumps = no
}
including dictionary file /etc/freeradius/dictionary
main {
name = "freeradius"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log/freeradius"
run_dir = "/var/run/freeradius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/freeradius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "/var/run/freeradius/freeradius.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "testing123"
response_window = 20
max_outstanding = 65536
require_message_authenticator = yes
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "WLAN4zyxel"
nastype = "other"
}
client 10.160.199.11 {
require_message_authenticator = no
secret = "WLAN4zyxel"
}
client 10.160.4.5 {
require_message_authenticator = no
secret = "testing123"
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating module "exec" from file /etc/freeradius/modules/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_expr
Module: Instantiating module "expr" from file /etc/freeradius/modules/expr
Module: Linked to module rlm_expiration
Module: Instantiating module "expiration" from file /etc/freeradius/modules/expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating module "logintime" from file /etc/freeradius/modules/logintime
logintime {
reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60
}
}
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/freeradius/radiusd.conf
modules {
Module: Creating Auth-Type = Perl
Module: Creating Auth-Type = digest
Module: Creating Post-Auth-Type = Perl
Module: Creating Post-Auth-Type = REJECT
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_perl
Module: Instantiating module "perl" from file /etc/freeradius/modules/perl
perl {
module = "/etc/freeradius/tiri_rlm_perl.pl"
func_authorize = "authorize"
func_authenticate = "authenticate"
func_accounting = "accounting"
func_preacct = "preacct"
func_checksimul = "checksimul"
func_detach = "detach"
func_xlat = "xlat"
func_pre_proxy = "pre_proxy"
func_post_proxy = "post_proxy"
func_post_auth = "post_auth"
func_recv_coa = "recv_coa"
func_send_coa = "send_coa"
}
Module: Linked to module rlm_pap
Module: Instantiating module "pap" from file /etc/freeradius/modules/pap
pap {
encryption_scheme = "auto"
auto_header = yes
}
Module: Linked to module rlm_chap
Module: Instantiating module "chap" from file /etc/freeradius/modules/chap
Module: Linked to module rlm_mschap
Module: Instantiating module "mschap" from file /etc/freeradius/modules/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = no
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} --domain=%{%{mschap:NT-Domain}:-SWBT} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
allow_retry = yes
}
Module: Linked to module rlm_digest
Module: Instantiating module "digest" from file /etc/freeradius/modules/digest
Module: Linked to module rlm_unix
Module: Instantiating module "unix" from file /etc/freeradius/modules/unix
unix {
radwtmp = "/var/log/freeradius/radwtmp"
}
Module: Linked to module rlm_eap
Module: Instantiating module "eap" from file /etc/freeradius/eap.conf
eap {
default_eap_type = "peap"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 4096
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
CA_path = "/etc/freeradius/certs"
pem_file_type = yes
private_key_file = "/etc/freeradius/certs/server.key"
certificate_file = "/etc/freeradius/certs/server.pem"
CA_file = "/etc/freeradius/certs/ca.pem"
private_key_password = "WLAN4hotspot"
dh_file = "/etc/freeradius/certs/dh"
random_file = "/dev/urandom"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
make_cert_command = "/etc/freeradius/certs/bootstrap"
ecdh_curve = "prime256v1"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
tmpdir = "/tmp/freeradius"
client = "/usr/bin/openssl verify -CAfile /etc/freeradius/certs/ca.pem -CApath /etc/freeradius/certs %{TLS-Client-Cert-Filename}"
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
}
}
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
default_eap_type = "md5"
copy_request_to_tunnel = yes
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = yes
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating module "preprocess" from file /etc/freeradius/modules/preprocess
preprocess {
huntgroups = "/etc/freeradius/huntgroups"
hints = "/etc/freeradius/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
Module: Linked to module rlm_detail
Module: Instantiating module "auth_log" from file /etc/freeradius/modules/detail.log
detail auth_log {
detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Linked to module rlm_realm
Module: Instantiating module "suffix" from file /etc/freeradius/modules/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Linked to module rlm_files
Module: Instantiating module "files" from file /etc/freeradius/modules/files
files {
usersfile = "/etc/freeradius/users"
acctusersfile = "/etc/freeradius/acct_users"
preproxy_usersfile = "/etc/freeradius/preproxy_users"
compat = "no"
}
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating module "acct_unique" from file /etc/freeradius/modules/acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Instantiating module "detail" from file /etc/freeradius/modules/detail
detail {
detailfile = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Linked to module rlm_radutmp
Module: Instantiating module "radutmp" from file /etc/freeradius/modules/radutmp
radutmp {
filename = "/var/log/freeradius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Linked to module rlm_attr_filter
Module: Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/modules/attr_filter
attr_filter attr_filter.accounting_response {
attrsfile = "/etc/freeradius/attrs.accounting_response"
key = "%{User-Name}"
relaxed = no
}
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Instantiating module "attr_filter.access_reject" from file /etc/freeradius/modules/attr_filter
attr_filter attr_filter.access_reject {
attrsfile = "/etc/freeradius/attrs.access_reject"
key = "%{User-Name}"
relaxed = no
}
} # modules
} # server
server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel
modules {
Module: Creating Post-Proxy-Type = Fail
Module: Checking authenticate {...} for more modules to load
Module: Checking authorize {...} for more modules to load
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
} # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
... adding new socket proxy address * port 39671
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 10.160.4.5 port 46167, id=0, length=129
User-Name = "wlan_test"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "70-6F-6C-69-73-68"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "rad_eap_test + eapol_test"
EAP-Message = 0x0200000e01776c616e5f74657374
Message-Authenticator = 0xb1343e12f424ea6f0546898dbfada5d2
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/10.160.4.5/auth-detail-20150726
[auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/10.160.4.5/auth-detail-20150726
[auth_log] expand: %t -> Sun Jul 26 15:37:07 2015
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "wlan_test", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 0 length 14
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
rlm_perl: RAD_REQUEST: EAP-Type = Identity
rlm_perl: RAD_REQUEST: User-Name = wlan_test
rlm_perl: RAD_REQUEST: Framed-MTU = 1400
rlm_perl: RAD_REQUEST: EAP-Message = 0x0200000e01776c616e5f74657374
rlm_perl: RAD_REQUEST: Calling-Station-Id = 70-6F-6C-69-73-68
rlm_perl: RAD_REQUEST: Message-Authenticator = 0xb1343e12f424ea6f0546898dbfada5d2
rlm_perl: RAD_REQUEST: NAS-IP-Address = 127.0.0.1
rlm_perl: RAD_REQUEST: NAS-Port-Type = Wireless-802.11
rlm_perl: RAD_REQUEST: Connect-Info = rad_eap_test + eapol_test
rlm_perl: Added pair EAP-Type = Identity
rlm_perl: Added pair User-Name = wlan_test
rlm_perl: Added pair Framed-MTU = 1400
rlm_perl: Added pair EAP-Message = 0x0200000e01776c616e5f74657374
rlm_perl: Added pair Calling-Station-Id = 70-6F-6C-69-73-68
rlm_perl: Added pair Message-Authenticator = 0xb1343e12f424ea6f0546898dbfada5d2
rlm_perl: Added pair NAS-IP-Address = 127.0.0.1
rlm_perl: Added pair NAS-Port-Type = Wireless-802.11
rlm_perl: Added pair Connect-Info = rad_eap_test + eapol_test
rlm_perl: Added pair Reply-Message = rlm_perl authorize function
rlm_perl: Added pair Auth-Type = EAP
++[perl] returns ok
++? if (!EAP-Message)
? Evaluating !(EAP-Message) -> FALSE
++? if (!EAP-Message) -> FALSE
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 0 to 10.160.4.5 port 46167
Reply-Message = "rlm_perl authorize function"
EAP-Message = 0x010100061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x97a73d7397a624930c9f0a59567d10f5
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.160.4.5 port 46167, id=1, length=139
User-Name = "wlan_test"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "70-6F-6C-69-73-68"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "rad_eap_test + eapol_test"
EAP-Message = 0x020100060311
State = 0x97a73d7397a624930c9f0a59567d10f5
Message-Authenticator = 0xc8b56c7f995ec2cf7ec1714e07d56dc4
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/10.160.4.5/auth-detail-20150726
[auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/10.160.4.5/auth-detail-20150726
[auth_log] expand: %t -> Sun Jul 26 15:37:07 2015
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "wlan_test", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
rlm_perl: RAD_REQUEST: EAP-Type = NAK
rlm_perl: RAD_REQUEST: User-Name = wlan_test
rlm_perl: RAD_REQUEST: State = 0x97a73d7397a624930c9f0a59567d10f5
rlm_perl: RAD_REQUEST: Framed-MTU = 1400
rlm_perl: RAD_REQUEST: EAP-Message = 0x020100060311
rlm_perl: RAD_REQUEST: Calling-Station-Id = 70-6F-6C-69-73-68
rlm_perl: RAD_REQUEST: Message-Authenticator = 0xc8b56c7f995ec2cf7ec1714e07d56dc4
rlm_perl: RAD_REQUEST: NAS-IP-Address = 127.0.0.1
rlm_perl: RAD_REQUEST: NAS-Port-Type = Wireless-802.11
rlm_perl: RAD_REQUEST: Connect-Info = rad_eap_test + eapol_test
rlm_perl: Added pair EAP-Type = NAK
rlm_perl: Added pair User-Name = wlan_test
rlm_perl: Added pair State = 0x97a73d7397a624930c9f0a59567d10f5
rlm_perl: Added pair Framed-MTU = 1400
rlm_perl: Added pair EAP-Message = 0x020100060311
rlm_perl: Added pair Calling-Station-Id = 70-6F-6C-69-73-68
rlm_perl: Added pair Message-Authenticator = 0xc8b56c7f995ec2cf7ec1714e07d56dc4
rlm_perl: Added pair NAS-IP-Address = 127.0.0.1
rlm_perl: Added pair NAS-Port-Type = Wireless-802.11
rlm_perl: Added pair Connect-Info = rad_eap_test + eapol_test
rlm_perl: Added pair Reply-Message = rlm_perl authorize function
rlm_perl: Added pair Auth-Type = EAP
++[perl] returns ok
++? if (!EAP-Message)
? Evaluating !(EAP-Message) -> FALSE
++? if (!EAP-Message) -> FALSE
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/leap
[eap] processing type leap
rlm_eap_leap: Stage 2
rlm_eap_leap: Issuing AP Challenge
rlm_eap_leap: Successfully initiated
++[eap] returns handled
Sending Access-Challenge of id 1 to 10.160.4.5 port 46167
Reply-Message = "rlm_perl authorize function"
EAP-Message = 0x01020019110100087347b7cc1f1f22fb776c616e5f74657374
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x97a73d7396a52c930c9f0a59567d10f5
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.160.4.5 port 46167, id=2, length=174
User-Name = "wlan_test"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "70-6F-6C-69-73-68"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "rad_eap_test + eapol_test"
EAP-Message = 0x02020029110100181084660e41454e601ca61ce490ac25ff69357d6793654306776c616e5f74657374
State = 0x97a73d7396a52c930c9f0a59567d10f5
Message-Authenticator = 0xe90e996f933fca8a4dea063a97d370dc
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/10.160.4.5/auth-detail-20150726
[auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/10.160.4.5/auth-detail-20150726
[auth_log] expand: %t -> Sun Jul 26 15:37:07 2015
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "wlan_test", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 41
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
rlm_perl: RAD_REQUEST: EAP-Type = Cisco-LEAP
rlm_perl: RAD_REQUEST: User-Name = wlan_test
rlm_perl: RAD_REQUEST: State = 0x97a73d7396a52c930c9f0a59567d10f5
rlm_perl: RAD_REQUEST: Framed-MTU = 1400
rlm_perl: RAD_REQUEST: EAP-Message = 0x02020029110100181084660e41454e601ca61ce490ac25ff69357d6793654306776c616e5f74657374
rlm_perl: RAD_REQUEST: Calling-Station-Id = 70-6F-6C-69-73-68
rlm_perl: RAD_REQUEST: Message-Authenticator = 0xe90e996f933fca8a4dea063a97d370dc
rlm_perl: RAD_REQUEST: NAS-IP-Address = 127.0.0.1
rlm_perl: RAD_REQUEST: NAS-Port-Type = Wireless-802.11
rlm_perl: RAD_REQUEST: Connect-Info = rad_eap_test + eapol_test
rlm_perl: Added pair EAP-Type = Cisco-LEAP
rlm_perl: Added pair User-Name = wlan_test
rlm_perl: Added pair State = 0x97a73d7396a52c930c9f0a59567d10f5
rlm_perl: Added pair Framed-MTU = 1400
rlm_perl: Added pair EAP-Message = 0x02020029110100181084660e41454e601ca61ce490ac25ff69357d6793654306776c616e5f74657374
rlm_perl: Added pair Calling-Station-Id = 70-6F-6C-69-73-68
rlm_perl: Added pair Message-Authenticator = 0xe90e996f933fca8a4dea063a97d370dc
rlm_perl: Added pair NAS-IP-Address = 127.0.0.1
rlm_perl: Added pair NAS-Port-Type = Wireless-802.11
rlm_perl: Added pair Connect-Info = rad_eap_test + eapol_test
rlm_perl: Added pair Reply-Message = rlm_perl authorize function
rlm_perl: Added pair Auth-Type = EAP
++[perl] returns ok
++? if (!EAP-Message)
? Evaluating !(EAP-Message) -> FALSE
++? if (!EAP-Message) -> FALSE
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/leap
[eap] processing type leap
rlm_eap_leap: No Cleartext-Password or NT-Password configured for this user
[eap] Handler failed in EAP/leap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> wlan_test
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 2 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 2
Sending Access-Reject of id 2 to 10.160.4.5 port 46167
Reply-Message = "rlm_perl authorize function"
EAP-Message = 0x04020004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.
Cleaning up request 0 ID 0 with timestamp +15
Cleaning up request 1 ID 1 with timestamp +15
Waking up in 0.9 seconds.
Cleaning up request 2 ID 2 with timestamp +15
Ready to process requests.
-------------- next part --------------
FreeRADIUS Version 2.1.12, for host x86_64-pc-linux-gnu, built on Feb 24 2014 at 14:57:57
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/smsotp
including configuration file /etc/freeradius/modules/replicate
including configuration file /etc/freeradius/modules/radutmp
including configuration file /etc/freeradius/modules/attr_filter
including configuration file /etc/freeradius/modules/echo
including configuration file /etc/freeradius/modules/mschap
including configuration file /etc/freeradius/modules/soh
including configuration file /etc/freeradius/modules/detail
including configuration file /etc/freeradius/modules/checkval
including configuration file /etc/freeradius/modules/ldap
including configuration file /etc/freeradius/modules/cui
including configuration file /etc/freeradius/modules/always
including configuration file /etc/freeradius/modules/etc_group
including configuration file /etc/freeradius/modules/expiration
including configuration file /etc/freeradius/modules/realm
including configuration file /etc/freeradius/modules/perl
including configuration file /etc/freeradius/modules/expr
including configuration file /etc/freeradius/modules/sql_log
including configuration file /etc/freeradius/modules/sradutmp
including configuration file /etc/freeradius/modules/ippool
including configuration file /etc/freeradius/modules/inner-eap
including configuration file /etc/freeradius/modules/krb5
including configuration file /etc/freeradius/modules/smbpasswd
including configuration file /etc/freeradius/modules/pap
including configuration file /etc/freeradius/modules/counter
including configuration file /etc/freeradius/modules/wimax
including configuration file /etc/freeradius/modules/detail.example.com
including configuration file /etc/freeradius/modules/files
including configuration file /etc/freeradius/modules/redis
including configuration file /etc/freeradius/modules/acct_unique
including configuration file /etc/freeradius/modules/digest
including configuration file /etc/freeradius/modules/passwd
including configuration file /etc/freeradius/modules/exec
including configuration file /etc/freeradius/modules/linelog
including configuration file /etc/freeradius/modules/logintime
including configuration file /etc/freeradius/modules/detail.log
including configuration file /etc/freeradius/modules/rediswho
including configuration file /etc/freeradius/modules/dynamic_clients
including configuration file /etc/freeradius/modules/mac2vlan
including configuration file /etc/freeradius/modules/mac2ip
including configuration file /etc/freeradius/modules/ntlm_auth
including configuration file /etc/freeradius/modules/chap
including configuration file /etc/freeradius/modules/policy
including configuration file /etc/freeradius/modules/otp
including configuration file /etc/freeradius/modules/attr_rewrite
including configuration file /etc/freeradius/modules/opendirectory
including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login
including configuration file /etc/freeradius/modules/preprocess
including configuration file /etc/freeradius/modules/pam
including configuration file /etc/freeradius/modules/unix
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/default
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
main {
user = "freerad"
group = "freerad"
allow_core_dumps = no
}
including dictionary file /etc/freeradius/dictionary
main {
name = "freeradius"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log/freeradius"
run_dir = "/var/run/freeradius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/freeradius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "/var/run/freeradius/freeradius.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "testing123"
response_window = 20
max_outstanding = 65536
require_message_authenticator = yes
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "WLAN4zyxel"
nastype = "other"
}
client 10.160.199.11 {
require_message_authenticator = no
secret = "WLAN4zyxel"
}
client 10.160.4.5 {
require_message_authenticator = no
secret = "testing123"
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating module "exec" from file /etc/freeradius/modules/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_expr
Module: Instantiating module "expr" from file /etc/freeradius/modules/expr
Module: Linked to module rlm_expiration
Module: Instantiating module "expiration" from file /etc/freeradius/modules/expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating module "logintime" from file /etc/freeradius/modules/logintime
logintime {
reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60
}
}
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/freeradius/radiusd.conf
modules {
Module: Creating Auth-Type = Perl
Module: Creating Auth-Type = digest
Module: Creating Post-Auth-Type = Perl
Module: Creating Post-Auth-Type = REJECT
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_perl
Module: Instantiating module "perl" from file /etc/freeradius/modules/perl
perl {
module = "/etc/freeradius/tiri_rlm_perl.pl"
func_authorize = "authorize"
func_authenticate = "authenticate"
func_accounting = "accounting"
func_preacct = "preacct"
func_checksimul = "checksimul"
func_detach = "detach"
func_xlat = "xlat"
func_pre_proxy = "pre_proxy"
func_post_proxy = "post_proxy"
func_post_auth = "post_auth"
func_recv_coa = "recv_coa"
func_send_coa = "send_coa"
}
Module: Linked to module rlm_pap
Module: Instantiating module "pap" from file /etc/freeradius/modules/pap
pap {
encryption_scheme = "auto"
auto_header = yes
}
Module: Linked to module rlm_chap
Module: Instantiating module "chap" from file /etc/freeradius/modules/chap
Module: Linked to module rlm_mschap
Module: Instantiating module "mschap" from file /etc/freeradius/modules/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = no
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} --domain=%{%{mschap:NT-Domain}:-SWBT} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
allow_retry = yes
}
Module: Linked to module rlm_digest
Module: Instantiating module "digest" from file /etc/freeradius/modules/digest
Module: Linked to module rlm_unix
Module: Instantiating module "unix" from file /etc/freeradius/modules/unix
unix {
radwtmp = "/var/log/freeradius/radwtmp"
}
Module: Linked to module rlm_eap
Module: Instantiating module "eap" from file /etc/freeradius/eap.conf
eap {
default_eap_type = "peap"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 4096
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
CA_path = "/etc/freeradius/certs"
pem_file_type = yes
private_key_file = "/etc/freeradius/certs/server.key"
certificate_file = "/etc/freeradius/certs/server.pem"
CA_file = "/etc/freeradius/certs/ca.pem"
private_key_password = "WLAN4hotspot"
dh_file = "/etc/freeradius/certs/dh"
random_file = "/dev/urandom"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
make_cert_command = "/etc/freeradius/certs/bootstrap"
ecdh_curve = "prime256v1"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
tmpdir = "/tmp/freeradius"
client = "/usr/bin/openssl verify -CAfile /etc/freeradius/certs/ca.pem -CApath /etc/freeradius/certs %{TLS-Client-Cert-Filename}"
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
}
}
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
default_eap_type = "md5"
copy_request_to_tunnel = yes
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = yes
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating module "preprocess" from file /etc/freeradius/modules/preprocess
preprocess {
huntgroups = "/etc/freeradius/huntgroups"
hints = "/etc/freeradius/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
Module: Linked to module rlm_detail
Module: Instantiating module "auth_log" from file /etc/freeradius/modules/detail.log
detail auth_log {
detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Linked to module rlm_realm
Module: Instantiating module "suffix" from file /etc/freeradius/modules/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Linked to module rlm_files
Module: Instantiating module "files" from file /etc/freeradius/modules/files
files {
usersfile = "/etc/freeradius/users"
acctusersfile = "/etc/freeradius/acct_users"
preproxy_usersfile = "/etc/freeradius/preproxy_users"
compat = "no"
}
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating module "acct_unique" from file /etc/freeradius/modules/acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Instantiating module "detail" from file /etc/freeradius/modules/detail
detail {
detailfile = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Linked to module rlm_radutmp
Module: Instantiating module "radutmp" from file /etc/freeradius/modules/radutmp
radutmp {
filename = "/var/log/freeradius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Linked to module rlm_attr_filter
Module: Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/modules/attr_filter
attr_filter attr_filter.accounting_response {
attrsfile = "/etc/freeradius/attrs.accounting_response"
key = "%{User-Name}"
relaxed = no
}
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Instantiating module "attr_filter.access_reject" from file /etc/freeradius/modules/attr_filter
attr_filter attr_filter.access_reject {
attrsfile = "/etc/freeradius/attrs.access_reject"
key = "%{User-Name}"
relaxed = no
}
} # modules
} # server
server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel
modules {
Module: Creating Post-Proxy-Type = Fail
Module: Checking authenticate {...} for more modules to load
Module: Checking authorize {...} for more modules to load
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
} # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
... adding new socket proxy address * port 52056
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 10.160.4.5 port 9838, id=0, length=129
User-Name = "wlan_test"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "70-6F-6C-69-73-68"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "rad_eap_test + eapol_test"
EAP-Message = 0x0200000e01776c616e5f74657374
Message-Authenticator = 0x68a0df39ac5366537fc59c9e6bbca296
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/10.160.4.5/auth-detail-20150726
[auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/10.160.4.5/auth-detail-20150726
[auth_log] expand: %t -> Sun Jul 26 15:37:46 2015
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "wlan_test", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 0 length 14
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
rlm_perl: RAD_REQUEST: Connect-Info = rad_eap_test + eapol_test
rlm_perl: RAD_REQUEST: EAP-Message = 0x0200000e01776c616e5f74657374
rlm_perl: RAD_REQUEST: Calling-Station-Id = 70-6F-6C-69-73-68
rlm_perl: RAD_REQUEST: NAS-IP-Address = 127.0.0.1
rlm_perl: RAD_REQUEST: NAS-Port-Type = Wireless-802.11
rlm_perl: RAD_REQUEST: EAP-Type = Identity
rlm_perl: RAD_REQUEST: Framed-MTU = 1400
rlm_perl: RAD_REQUEST: Message-Authenticator = 0x68a0df39ac5366537fc59c9e6bbca296
rlm_perl: RAD_REQUEST: User-Name = wlan_test
rlm_perl: Added pair Connect-Info = rad_eap_test + eapol_test
rlm_perl: Added pair EAP-Message = 0x0200000e01776c616e5f74657374
rlm_perl: Added pair Calling-Station-Id = 70-6F-6C-69-73-68
rlm_perl: Added pair NAS-IP-Address = 127.0.0.1
rlm_perl: Added pair NAS-Port-Type = Wireless-802.11
rlm_perl: Added pair EAP-Type = Identity
rlm_perl: Added pair Framed-MTU = 1400
rlm_perl: Added pair Message-Authenticator = 0x68a0df39ac5366537fc59c9e6bbca296
rlm_perl: Added pair User-Name = wlan_test
rlm_perl: Added pair Reply-Message = rlm_perl authorize function
rlm_perl: Added pair Auth-Type = EAP
++[perl] returns ok
++? if (!EAP-Message)
? Evaluating !(EAP-Message) -> FALSE
++? if (!EAP-Message) -> FALSE
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 0 to 10.160.4.5 port 9838
Reply-Message = "rlm_perl authorize function"
EAP-Message = 0x010100061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x8609790d86086042e7955f855d8bcd86
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.160.4.5 port 9838, id=1, length=226
User-Name = "wlan_test"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "70-6F-6C-69-73-68"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "rad_eap_test + eapol_test"
EAP-Message = 0x0201005d190016030100520100004e030155b4e276ad0efd1c187a0e861d42a34aef1dba3239ad95e97a33298fc6dd81f400002600390038003500160013000a00330032002f0005000400150012000900140011000800060003020100
State = 0x8609790d86086042e7955f855d8bcd86
Message-Authenticator = 0x96b85e162197cfef2a7c990bb0df6b50
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/10.160.4.5/auth-detail-20150726
[auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/10.160.4.5/auth-detail-20150726
[auth_log] expand: %t -> Sun Jul 26 15:37:46 2015
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "wlan_test", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 93
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 0052], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 002a], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 080a], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange
[peap] TLS_accept: SSLv3 write key exchange A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 1 to 10.160.4.5 port 9838
EAP-Message = 0x300d06092a864886f70d0101
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x8609790d870b6042e7955f855d8bcd86
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.160.4.5 port 9838, id=2, length=139
User-Name = "wlan_test"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "70-6F-6C-69-73-68"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "rad_eap_test + eapol_test"
EAP-Message = 0x020200061900
State = 0x8609790d870b6042e7955f855d8bcd86
Message-Authenticator = 0xa156f7878774ab34ecc1876717b27d0e
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/10.160.4.5/auth-detail-20150726
[auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/10.160.4.5/auth-detail-20150726
[auth_log] expand: %t -> Sun Jul 26 15:37:46 2015
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "wlan_test", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 2 to 10.160.4.5 port 9838
EAP-Message = 0x864886f70d0109011612636140686f7473706f742e746972692e6c693110300e060355040313077469726920434130820122300d06092a864886f70d01010105000382010f003082010a028201010098727c23aded345afae75754ea9bb3a7dc7949f26b6944f98233c2e5ed1e5c720c358566aec7ccf61fc4579826efce1537a465eb8e02df124ff28140d4ad19a5573c6d0d67952f2feeccfb42232186c00eb6a0590cd0fac23c3e87351520b77c0e142e0210522a3098a503ab74660d61801d362297d8a81c56214d036d60f11d43819cfdbaa736e3b9f10e350677f5e0cf14e4856388477fa7a2ea1520b6acc495ca29de77a1a390c1ae0a0e5bf6
EAP-Message = 0xc3d6f7af85603bde8a61622d3462c9c2bdba96893cfe72c3f663144458463a201f34cf6d009c03916a4799ae50048aa12039c3b814898a23c9f10537f7d8f5be505e873c3ef5a4441d08f20daf6f17ca81110203010001a381e63081e3301d0603551d0e04160414136c09d813ec30d48c30f591549d1526d14391753081b30603551d230481ab3081a88014136c09d813ec30d48c30f591549d1526d1439175a18184a48181307f310b30090603550406130244453110300e0603550408130748616d62757267311530130603550407130c5363687761727a656e62656b31123010060355040a13097469726920476d62483121301f06092a864886f7
EAP-Message = 0x74f85879d1441db5
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x8609790d840a6042e7955f855d8bcd86
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.160.4.5 port 9838, id=3, length=139
User-Name = "wlan_test"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "70-6F-6C-69-73-68"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "rad_eap_test + eapol_test"
EAP-Message = 0x020300061900
State = 0x8609790d840a6042e7955f855d8bcd86
Message-Authenticator = 0xc3f41957d22a2112f4e6eea84777d04a
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/10.160.4.5/auth-detail-20150726
[auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/10.160.4.5/auth-detail-20150726
[auth_log] expand: %t -> Sun Jul 26 15:37:46 2015
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "wlan_test", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 3 to 10.160.4.5 port 9838
EAP-Message = 0xd84b91e2376593b99f3f33587fdb418e7d25ea59a21d73034f6d37d945058c790f5142aaf3ccd30a7800f208fe76b9e94142b579cadea1a3f60111fa6bd556fe2b5dfa65acebd395c341c34de3c450de4e24f7d40ce6f91d9d2a34e1a2b11dddfaf9cb68cdebc9746a215a74eb30ad4416030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x8609790d850d6042e7955f855d8bcd86
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.160.4.5 port 9838, id=4, length=337
User-Name = "wlan_test"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "70-6F-6C-69-73-68"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "rad_eap_test + eapol_test"
EAP-Message = 0x020400cc19001603010086100000820080c9a33d38d99cc5a6d01e1825c607fdcd95e3a646edb87d9a6e84af2ab33ebc2c088bf7478a76795e2c03174a2111ecb460e5c8ba9980b7cc7f0e7f855f30a950a7ad9fcab4e698f073c988b4402b768344698c087c2c2a2013e72e40e368210e3d50897719b0125811fd2302068cebec49c3d4339180bb600d01c876719a67b714030100010116030100307cd006d6223c65ba7b60393b7e5f44bdf49b5276d818487f0419e4c5baf159775883b510f23d1f44fa281b8ca16171fc
State = 0x8609790d850d6042e7955f855d8bcd86
Message-Authenticator = 0x3c25b48dc8aef26d40b032b04ff96da4
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/10.160.4.5/auth-detail-20150726
[auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/10.160.4.5/auth-detail-20150726
[auth_log] expand: %t -> Sun Jul 26 15:37:46 2015
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "wlan_test", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 4 length 204
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
[peap] TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap] TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 write finished A
[peap] TLS_accept: SSLv3 flush data
[peap] (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 4 to 10.160.4.5 port 9838
EAP-Message = 0x01050041190014030100010116030100309880c2dc9ba02051a79508af444ddb0a99998a3b17350e47c08dd7c43e96d68f4d9fdf1a7755b06266792cdb276b8b6d
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x8609790d820c6042e7955f855d8bcd86
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.160.4.5 port 9838, id=5, length=139
User-Name = "wlan_test"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "70-6F-6C-69-73-68"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "rad_eap_test + eapol_test"
EAP-Message = 0x020500061900
State = 0x8609790d820c6042e7955f855d8bcd86
Message-Authenticator = 0xb2d3d15e0556e3e8b42d247c30d05cb7
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/10.160.4.5/auth-detail-20150726
[auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/10.160.4.5/auth-detail-20150726
[auth_log] expand: %t -> Sun Jul 26 15:37:46 2015
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "wlan_test", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 5 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state TUNNEL ESTABLISHED
++[eap] returns handled
Sending Access-Challenge of id 5 to 10.160.4.5 port 9838
EAP-Message = 0x0106002b19001703010020b8c2d3be1c605028c5b5dc0c019ef75da40c22fe5baa59a9d687ce8da0dc212a
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x8609790d830f6042e7955f855d8bcd86
Finished request 5.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.160.4.5 port 9838, id=6, length=213
User-Name = "wlan_test"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "70-6F-6C-69-73-68"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "rad_eap_test + eapol_test"
EAP-Message = 0x02060050190017030100202b628396a34010e927d874108bf041b23c9e7ab5e1a0ed787edb6881aec4a8b217030100209eb857235363c4c58068ea47e7dc7e4d33cd5f085b90f5c5c4f8e78f4313738d
State = 0x8609790d830f6042e7955f855d8bcd86
Message-Authenticator = 0xa1d2878e5a37ba7ed3d08a371d4cf298
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/10.160.4.5/auth-detail-20150726
[auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/10.160.4.5/auth-detail-20150726
[auth_log] expand: %t -> Sun Jul 26 15:37:46 2015
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "wlan_test", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 6 length 80
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state WAITING FOR INNER IDENTITY
[peap] Identity - wlan_test
[peap] Got inner identity 'wlan_test'
[peap] Setting default EAP type for tunneled EAP session.
[peap] Got tunneled request
EAP-Message = 0x0206000e01776c616e5f74657374
server {
[peap] Setting User-Name to wlan_test
Sending tunneled request
EAP-Message = 0x0206000e01776c616e5f74657374
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "wlan_test"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "70-6F-6C-69-73-68"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "rad_eap_test + eapol_test"
server inner-tunnel {
# Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "wlan_test", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
expand: %{request:User-Name} -> wlan_test
++[outer.control] returns noop
[eap] EAP packet type response id 6 length 14
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
EAP-Message = 0x010700231a0107001e106fd7241dcf34e0137481aee8a50e454b776c616e5f74657374
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x1839db62183ec1f9826f0afe924156ce
[peap] Got tunneled reply RADIUS code 11
EAP-Message = 0x010700231a0107001e106fd7241dcf34e0137481aee8a50e454b776c616e5f74657374
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x1839db62183ec1f9826f0afe924156ce
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 6 to 10.160.4.5 port 9838
EAP-Message = 0x0107004b190017030100407ad69010aece989fb7fc099a0a189091c9cce3b09d92529b2e43b12c633ad9f7fda99cf69b83a6ee7e4f18fb905026273234c9c88928de0957d9b39a545b063b
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x8609790d800e6042e7955f855d8bcd86
Finished request 6.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.160.4.5 port 9838, id=7, length=277
User-Name = "wlan_test"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "70-6F-6C-69-73-68"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "rad_eap_test + eapol_test"
EAP-Message = 0x0207009019001703010020f75f2734059b83c7f010cdf2f8235859fd0456fed42729737417ff6bbe630e6a1703010060ace960531b72cb5c8e385e24b4dc06bea9e2b317a26cadcaf83378d6caaf1fa4341c7141338caaa36565f89cd8715172ba4f4e87a5a221c171216952abe149a864ce39cb8487481e6bbacf87ab4e6e8b3c7a9255327671773ed36ee05bffcdd7
State = 0x8609790d800e6042e7955f855d8bcd86
Message-Authenticator = 0x960f7fea1ea35ad4f0a9031a7a5cc21f
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/10.160.4.5/auth-detail-20150726
[auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/10.160.4.5/auth-detail-20150726
[auth_log] expand: %t -> Sun Jul 26 15:37:46 2015
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "wlan_test", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 7 length 144
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
EAP-Message = 0x020700441a0207003f31af2595eb8d6f4c4580e8e2e35ef5e7c5000000000000000064cbd72344df1b1418118f20956ffadef3b05eb41cefe39100776c616e5f74657374
server {
[peap] Setting User-Name to wlan_test
Sending tunneled request
EAP-Message = 0x020700441a0207003f31af2595eb8d6f4c4580e8e2e35ef5e7c5000000000000000064cbd72344df1b1418118f20956ffadef3b05eb41cefe39100776c616e5f74657374
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "wlan_test"
State = 0x1839db62183ec1f9826f0afe924156ce
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "70-6F-6C-69-73-68"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "rad_eap_test + eapol_test"
server inner-tunnel {
# Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "wlan_test", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
expand: %{request:User-Name} -> wlan_test
++[outer.control] returns noop
[eap] EAP packet type response id 7 length 68
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
[mschapv2] +- entering group MS-CHAP {...}
[mschap] Creating challenge hash with username: wlan_test
[mschap] Told to do MS-CHAPv2 for wlan_test with NT-Password
[mschap] expand: %{Stripped-User-Name} ->
[mschap] ... expanding second conditional
[mschap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
[mschap] expand: %{User-Name:-None} -> wlan_test
[mschap] expand: --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} -> --username=wlan_test
[mschap] No NT-Domain was found in the User-Name.
[mschap] expand: %{mschap:NT-Domain} ->
[mschap] ... expanding second conditional
[mschap] expand: --domain=%{%{mschap:NT-Domain}:-SWBT} -> --domain=SWBT
[mschap] Creating challenge hash with username: wlan_test
[mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=37ef35ad98975d0b
[mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=64cbd72344df1b1418118f20956ffadef3b05eb41cefe391
Exec-Program output: NT_KEY: 2066656E05C22F3A995AD9ECFED913D6
Exec-Program-Wait: plaintext: NT_KEY: 2066656E05C22F3A995AD9ECFED913D6
Exec-Program: returned: 0
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
MSCHAP Success
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
EAP-Message = 0x010800331a0307002e533d37384530313645424443453233453333413941464235304641463139304541384430463239323842
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x1839db621931c1f9826f0afe924156ce
[peap] Got tunneled reply RADIUS code 11
EAP-Message = 0x010800331a0307002e533d37384530313645424443453233453333413941464235304641463139304541384430463239323842
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x1839db621931c1f9826f0afe924156ce
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 7 to 10.160.4.5 port 9838
EAP-Message = 0x0108005b19001703010050a62cb45a408a0385a63974663bd05c61ff4650cf60ec9a390d417a590be45f83dc91c70c083d531946c4f389eced60d71a1d1c694a3929ad996cda5ae277de31bc1e0b692833ea4f6c5834fa18ceacff
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x8609790d81016042e7955f855d8bcd86
Finished request 7.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.160.4.5 port 9838, id=8, length=213
User-Name = "wlan_test"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "70-6F-6C-69-73-68"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "rad_eap_test + eapol_test"
EAP-Message = 0x0208005019001703010020564515dd247a9f469f0e2e7bc910026867b9063aa415bf81e51248139e5557261703010020a67152e3610f03d2bbca25917c0618862fc5cf034ac7ff407652d0300caf9023
State = 0x8609790d81016042e7955f855d8bcd86
Message-Authenticator = 0x3fa739b7d4f7fa973579a6ac2d661785
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/10.160.4.5/auth-detail-20150726
[auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/10.160.4.5/auth-detail-20150726
[auth_log] expand: %t -> Sun Jul 26 15:37:46 2015
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "wlan_test", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 8 length 80
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
EAP-Message = 0x020800061a03
server {
[peap] Setting User-Name to wlan_test
Sending tunneled request
EAP-Message = 0x020800061a03
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "wlan_test"
State = 0x1839db621931c1f9826f0afe924156ce
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "70-6F-6C-69-73-68"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "rad_eap_test + eapol_test"
server inner-tunnel {
# Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "wlan_test", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
expand: %{request:User-Name} -> wlan_test
++[outer.control] returns noop
[eap] EAP packet type response id 8 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[eap] Freeing handler
++[eap] returns ok
WARNING: Empty post-auth section. Using default return values.
# Executing section post-auth from file /etc/freeradius/sites-enabled/inner-tunnel
} # server inner-tunnel
[peap] Got tunneled reply code 2
MS-MPPE-Encryption-Policy = 0x00000001
MS-MPPE-Encryption-Types = 0x00000006
MS-MPPE-Send-Key = 0xc5dbf78ff2d15a7f07cb9ee637c97aab
MS-MPPE-Recv-Key = 0xafc6caf8a466f440871501f8f0902092
EAP-Message = 0x03080004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "wlan_test"
[peap] Got tunneled reply RADIUS code 2
MS-MPPE-Encryption-Policy = 0x00000001
MS-MPPE-Encryption-Types = 0x00000006
MS-MPPE-Send-Key = 0xc5dbf78ff2d15a7f07cb9ee637c97aab
MS-MPPE-Recv-Key = 0xafc6caf8a466f440871501f8f0902092
EAP-Message = 0x03080004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "wlan_test"
[peap] Tunneled authentication was successful.
[peap] SUCCESS
++[eap] returns handled
Sending Access-Challenge of id 8 to 10.160.4.5 port 9838
EAP-Message = 0x0109002b1900170301002092197ff2939b86de39a9c65fd5c8996771573a96eac5c2f3d255c03e8f3b9ff4
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x8609790d8e006042e7955f855d8bcd86
Finished request 8.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.160.4.5 port 9838, id=9, length=213
User-Name = "wlan_test"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "70-6F-6C-69-73-68"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "rad_eap_test + eapol_test"
EAP-Message = 0x0209005019001703010020404f3f4d8d1d28904a69fd61e450db7e0ca14526b30073825ffd827e647fff5f1703010020af53cdf1f1df6c4b8ab2510afe0ab3f304326e88273084bbfd860b243469abb1
State = 0x8609790d8e006042e7955f855d8bcd86
Message-Authenticator = 0x7e96659e361a63af6973ac7a487179cb
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/10.160.4.5/auth-detail-20150726
[auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/10.160.4.5/auth-detail-20150726
[auth_log] expand: %t -> Sun Jul 26 15:37:46 2015
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "wlan_test", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 9 length 80
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state send tlv success
[peap] Received EAP-TLV response.
[peap] Success
[eap] Freeing handler
++[eap] returns ok
# Executing section post-auth from file /etc/freeradius/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 9 to 10.160.4.5 port 9838
MS-MPPE-Recv-Key = 0x355d7cf722e0b65de53be6cc23386be1a5ecb19b6ee6711746eecee7967d2159
MS-MPPE-Send-Key = 0xe7fca5958df2dcc7d1dc7e8df0d4d85f88c76a53656408452ea6d92da596fd21
EAP-Message = 0x03090004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "wlan_test"
Finished request 9.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 0 with timestamp +9
Cleaning up request 1 ID 1 with timestamp +9
Cleaning up request 2 ID 2 with timestamp +9
Cleaning up request 3 ID 3 with timestamp +9
Cleaning up request 4 ID 4 with timestamp +9
Cleaning up request 5 ID 5 with timestamp +9
Cleaning up request 6 ID 6 with timestamp +9
Cleaning up request 7 ID 7 with timestamp +9
Cleaning up request 8 ID 8 with timestamp +9
Cleaning up request 9 ID 9 with timestamp +9
Ready to process requests.