MAC authentication with freeradius
Daniel Lopez
danilogo1991 at gmail.com
Tue Nov 3 15:04:34 CET 2015
Hi, I'm using freeradius 2.1.12 with mysql module (freeradius-mysql) I want
to authenticate users by MAC address, so in radcheck table I set the
attribute Calling-Station Id == XX-XX-XX-XX-XX-XX, but it didn't work, user
can't authenticate, when I delete this row, user can authenticate
perfectly, so it seems this is not the way I should configure server to
perform MAC authentication. Could somebody help me with this?
Thanks
[this is the output when I set Calling-Station-Id == XX-XX-XX-XX-XX-XX}:
rad_recv: Access-Request packet from host 10.25.4.250 port 44145, id=158,
length=158
User-Name = "dprueba"
NAS-IP-Address = 192.168.0.1
NAS-Port = 0
Called-Station-Id = "E8-DE-27-F7-83-A4:cdebiles.eti"
Calling-Station-Id = "10-68-3F-82-42-16"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11"
EAP-Message = 0x0200000c0164707275656261
Message-Authenticator = 0x4be696f8c2c8db73cf3e49464a80a84a
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "dprueba", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 0 length 12
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[sql] expand: %{User-Name} -> dprueba
[sql] sql_set_user escaped user --> 'dprueba'
rlm_sql (sql): Reserving sql socket id: 2
[sql] expand: SELECT id, username, attribute, value, op FROM
radcheck WHERE username = '%{SQL-User-Name}' ORDER BY
id -> SELECT id, username, attribute, value, op FROM
radcheck WHERE username = 'dprueba' ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op FROM
radreply WHERE username = '%{SQL-User-Name}' ORDER BY
id -> SELECT id, username, attribute, value, op FROM
radreply WHERE username = 'dprueba' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup
WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT
groupname FROM radusergroup WHERE username =
'dprueba' ORDER BY priority
[sql] expand: SELECT id, groupname, attribute, Value,
op FROM radgroupcheck WHERE groupname =
'%{Sql-Group}' ORDER BY id -> SELECT id, groupname,
attribute, Value, op FROM radgroupcheck WHERE
groupname = 'wifi' ORDER BY id
[sql] User found in group wifi
[sql] expand: SELECT id, groupname, attribute, value,
op FROM radgroupreply WHERE groupname =
'%{Sql-Group}' ORDER BY id -> SELECT id, groupname,
attribute, value, op FROM radgroupreply WHERE
groupname = 'wifi' ORDER BY id
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 158 to 10.25.4.250 port 44145
Framed-Protocol := PPP
Framed-Compression := Van-Jacobson-TCP-IP
Framed-MTU := 1500
Service-Type := Framed-User
MS-Primary-DNS-Server := 10.25.1.10
Framed-IP-Netmask := 255.255.255.255
EAP-Message = 0x010100160410ce619bb1b16b584f4a55e298b518b595
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa65194aaa65090b9e5aa8a871ea68523
Finished request 36.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.25.4.250 port 44145, id=159,
length=170
User-Name = "dprueba"
NAS-IP-Address = 192.168.0.1
NAS-Port = 0
Called-Station-Id = "E8-DE-27-F7-83-A4:cdebiles.eti"
Calling-Station-Id = "10-68-3F-82-42-16"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11"
EAP-Message = 0x020100060319
State = 0xa65194aaa65090b9e5aa8a871ea68523
Message-Authenticator = 0x49e2f93415e6ffa01f754feda2629bd6
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "dprueba", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[sql] expand: %{User-Name} -> dprueba
[sql] sql_set_user escaped user --> 'dprueba'
rlm_sql (sql): Reserving sql socket id: 1
[sql] expand: SELECT id, username, attribute, value, op FROM
radcheck WHERE username = '%{SQL-User-Name}' ORDER BY
id -> SELECT id, username, attribute, value, op FROM
radcheck WHERE username = 'dprueba' ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op FROM
radreply WHERE username = '%{SQL-User-Name}' ORDER BY
id -> SELECT id, username, attribute, value, op FROM
radreply WHERE username = 'dprueba' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup
WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT
groupname FROM radusergroup WHERE username =
'dprueba' ORDER BY priority
[sql] expand: SELECT id, groupname, attribute, Value,
op FROM radgroupcheck WHERE groupname =
'%{Sql-Group}' ORDER BY id -> SELECT id, groupname,
attribute, Value, op FROM radgroupcheck WHERE
groupname = 'wifi' ORDER BY id
[sql] User found in group wifi
[sql] expand: SELECT id, groupname, attribute, value,
op FROM radgroupreply WHERE groupname =
'%{Sql-Group}' ORDER BY id -> SELECT id, groupname,
attribute, value, op FROM radgroupreply WHERE
groupname = 'wifi' ORDER BY id
rlm_sql (sql): Released sql socket id: 1
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/peap
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 159 to 10.25.4.250 port 44145
Framed-Protocol := PPP
Framed-Compression := Van-Jacobson-TCP-IP
Framed-MTU := 1500
Service-Type := Framed-User
MS-Primary-DNS-Server := 10.25.1.10
Framed-IP-Netmask := 255.255.255.255
EAP-Message = 0x010200061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa65194aaa7538db9e5aa8a871ea68523
Finished request 37.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.25.4.250 port 44145, id=160,
length=364
User-Name = "dprueba"
NAS-IP-Address = 192.168.0.1
NAS-Port = 0
Called-Station-Id = "E8-DE-27-F7-83-A4:cdebiles.eti"
Calling-Station-Id = "10-68-3F-82-42-16"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11"
EAP-Message =
0x020200c81980000000be16030100b9010000b503015638bd689d9c6ee8b3f1a8853b65c2d8594789b893023905f46fa838fdcda289000048c014c00a00390038c00fc0050035c012c00800160013c00dc003000ac013c00900330032c00ec004002fc011c007c00cc002000500040015001200090014001100080006000300ff01000044000b000403000102000a00340032000100020003000400050006000700080009000a000b000c000d000e000f001000110012001300140015001600170018001900230000
State = 0xa65194aaa7538db9e5aa8a871ea68523
Message-Authenticator = 0x4120527dda65730b1f014fa03c973746
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "dprueba", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 200
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 190
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 00b9], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 0039], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 02c8], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange
[peap] TLS_accept: SSLv3 write key exchange A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client
certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 160 to 10.25.4.250 port 44145
EAP-Message =
0x0103040019c0000004641603010039020000350301e349bb58d1d3295ec527d76a7eebdca2d3fb2ae4cfac72f973ffbcff62a77a9b00c01400000dff01000100000b00040300010216030102c80b0002c40002c10002be308202ba308201a2a003020102020900ce69d09555557538300d06092a864886f70d01010b05003015311330110603550403130a77696669726164697573301e170d3135313032393135313530325a170d3235313032363135313530325a3015311330110603550403130a7769666972616469757330820122300d06092a864886f70d01010105000382010f003082010a02820101009c1433a91142092dabc37d5325c8eeb6
EAP-Message =
0x056e5c2013b734155ed595d570443d4b9a775fff03d74f88a6f77c3a77dd9339394d356639a69ff20868d94749a4683d0a7d72b13bf305c6fb760f1779401d713c872f90ed68c957f9f5c83d78be375233516f99c8e24fd6be6f98e804a00ad929b5681112ff83fb0d89b33aa9ce1e3406c05676b25eb62ffecd39f17361184a3e7438f6a83738c69a31285ebde0025a9fddbab018c07007d979dfd14bccd171f3994dde09244972aa69a2227fd4af075490577d77d6997c4b4e543872e5adc5860c356203e996f8eda8e90633078f60f24529efc19a311206e5e519517aa9b64d224416b4d27bd5daf5ffe66772cc710203010001a30d300b30090603
EAP-Message =
0x551d1304023000300d06092a864886f70d01010b050003820101001eb333a9023182bea3f5cff9d9bb6f237209706cd1b8aa42db6a1e2505f0355d5aab0e49640191fbc54464fd8bdaad9ac8633650c99178c78d09d9b9db9971c98b6283999da38050e411a9049eb93c355cd913f792795957e37e3376ec144d8de7bf6d434e3450029dc669a4ea176aeddfb612f280cc5a44ed86ecf0bb6b932b962f9b075eb63eb10af2e425f0909836cca41706f236d058fc7f50953ee08fbfd43bed06151eb2dbe1eb3184fe72b4f18ae17bfb5c2581b181fa260ab7c86837f9f748c9694a5db35ced09c94ef5e936659b1cc8e99d2b0d78abf8c03022c5c06d87
EAP-Message =
0x3d9820712b41eeabe4600486644990bc34b49890a14c0a2ffb9dc60483cf160301014b0c0001470300174104bb1283b8643e3a221a317f23a50a31b91f0799d4a8bebf1893b54c405da7cfa4cd07033b70a12d18c761eb1e11d6d4d7b967704f91dfc93ecf68d6642d019e5f01002cfc8504d595106cf4add50a3f5b31bf94daa316072eb0bb2f6e2883763a4918ae23c5f18c16d3ce50b86e3c3834882a874b5c25cc96d55b100b826e87267ec61b627c8846c2740fe2a5b33e241eff469723ac7d6bc838ae8e7145ab8c3b40e5c148e48e3af994b76f2cc1a8e3a63337b8acf961bd6c8f0724a902470a0f5d52c50d017556f75b5aa427a49af80e21
EAP-Message = 0x3f55b8c20d939065e7bf45cf
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa65194aaa4528db9e5aa8a871ea68523
Finished request 38.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.25.4.250 port 44145, id=161,
length=170
User-Name = "dprueba"
NAS-IP-Address = 192.168.0.1
NAS-Port = 0
Called-Station-Id = "E8-DE-27-F7-83-A4:cdebiles.eti"
Calling-Station-Id = "10-68-3F-82-42-16"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11"
EAP-Message = 0x020300061900
State = 0xa65194aaa4528db9e5aa8a871ea68523
Message-Authenticator = 0xe8ae7aafbf65523d200ffe429c2a66c0
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "dprueba", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 161 to 10.25.4.250 port 44145
EAP-Message =
0x0104007419001aeaaf3170c28c77913b4c33a2dc5c4386afd7f37111872be8af7d575e4b323a56a89f84122b92b22f77f88514a1ac593d3e885beea192f419e198caaaab64e37478cb4f40365cbee9fb50eb0dabbecde54aae6482c7aab720d5006138438a26acbca734bc16030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa65194aaa5558db9e5aa8a871ea68523
Finished request 39.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.25.4.250 port 44145, id=162,
length=308
User-Name = "dprueba"
NAS-IP-Address = 192.168.0.1
NAS-Port = 0
Called-Station-Id = "E8-DE-27-F7-83-A4:cdebiles.eti"
Calling-Station-Id = "10-68-3F-82-42-16"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11"
EAP-Message =
0x0204009019800000008616030100461000004241045751461749561a2d5d3194b5e79d548e8933be5aa103414fc3316cdfd2d30edab44a349495eecd34490465dc08f3270bf3ac231bcdedb40158cad7d15525d1b51403010001011603010030f69b46babe879f7a06ef536a075e1c7b034f341fae14fa451570db3c7767ebc66cbec2db5bb2dc58c6cabdf2700bc777
State = 0xa65194aaa5558db9e5aa8a871ea68523
Message-Authenticator = 0xf96563cc6ba01abaa1048cfff4efd9d0
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "dprueba", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 4 length 144
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 134
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange
[peap] TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap] TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 write finished A
[peap] TLS_accept: SSLv3 flush data
[peap] (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 162 to 10.25.4.250 port 44145
EAP-Message =
0x0105004119001403010001011603010030026f349689fa5da4363102163d0dd8908f1b5847d21dc1f95bbf9377d897232d5477a431b68c6d561f47c34ea8b3c2d0
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa65194aaa2548db9e5aa8a871ea68523
Finished request 40.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.25.4.250 port 44145, id=163,
length=170
User-Name = "dprueba"
NAS-IP-Address = 192.168.0.1
NAS-Port = 0
Called-Station-Id = "E8-DE-27-F7-83-A4:cdebiles.eti"
Calling-Station-Id = "10-68-3F-82-42-16"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11"
EAP-Message = 0x020500061900
State = 0xa65194aaa2548db9e5aa8a871ea68523
Message-Authenticator = 0x00bd0e39e83e214fb866c735ff089d2b
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "dprueba", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 5 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state TUNNEL ESTABLISHED
++[eap] returns handled
Sending Access-Challenge of id 163 to 10.25.4.250 port 44145
EAP-Message =
0x0106002b190017030100208c4dccbdfac51bb4b216b385ee7d974f9e675fe16104eb4274dfc9bb5f263ca6
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa65194aaa3578db9e5aa8a871ea68523
Finished request 41.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.25.4.250 port 44145, id=164,
length=244
User-Name = "dprueba"
NAS-IP-Address = 192.168.0.1
NAS-Port = 0
Called-Station-Id = "E8-DE-27-F7-83-A4:cdebiles.eti"
Calling-Station-Id = "10-68-3F-82-42-16"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11"
EAP-Message =
0x02060050190017030100203f864e1a350a312975bdbbfcaf7ff2021d133bcb969b27210179851fc1ccb40b17030100206e0599cf15687f6c43aa33ec532c67e0ddc39ccb74fc3adb2473376d3b5bcb85
State = 0xa65194aaa3578db9e5aa8a871ea68523
Message-Authenticator = 0x14b99b8e5853b55670f8936e949ae9cd
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "dprueba", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 6 length 80
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state WAITING FOR INNER IDENTITY
[peap] Identity - dprueba
[peap] Got inner identity 'dprueba'
[peap] Setting default EAP type for tunneled EAP session.
[peap] Got tunneled request
EAP-Message = 0x0206000c0164707275656261
server {
[peap] Setting User-Name to dprueba
Sending tunneled request
EAP-Message = 0x0206000c0164707275656261
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "dprueba"
server inner-tunnel {
# Executing section authorize from file
/etc/freeradius/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "dprueba", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 6 length 12
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[sql] expand: %{User-Name} -> dprueba
[sql] sql_set_user escaped user --> 'dprueba'
rlm_sql (sql): Reserving sql socket id: 0
[sql] expand: SELECT id, username, attribute, value, op FROM
radcheck WHERE username = '%{SQL-User-Name}' ORDER BY
id -> SELECT id, username, attribute, value, op FROM
radcheck WHERE username = 'dprueba' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup
WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT
groupname FROM radusergroup WHERE username =
'dprueba' ORDER BY priority
[sql] expand: SELECT id, groupname, attribute, Value,
op FROM radgroupcheck WHERE groupname =
'%{Sql-Group}' ORDER BY id -> SELECT id, groupname,
attribute, Value, op FROM radgroupcheck WHERE
groupname = 'wifi' ORDER BY id
[sql] User found in group wifi
[sql] expand: SELECT id, groupname, attribute, value,
op FROM radgroupreply WHERE groupname =
'%{Sql-Group}' ORDER BY id -> SELECT id, groupname,
attribute, value, op FROM radgroupreply WHERE
groupname = 'wifi' ORDER BY id
rlm_sql (sql): Released sql socket id: 0
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
Framed-Protocol := PPP
Framed-Compression := Van-Jacobson-TCP-IP
Framed-MTU := 1500
Service-Type := Framed-User
MS-Primary-DNS-Server := 10.25.1.10
Framed-IP-Netmask := 255.255.255.255
EAP-Message =
0x010700211a0107001c10a58f1aff9e9e95e3df5667726e5b86da64707275656261
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x138ded3d138af7a13ad2c8138d486583
[peap] Got tunneled reply RADIUS code 11
Framed-Protocol := PPP
Framed-Compression := Van-Jacobson-TCP-IP
Framed-MTU := 1500
Service-Type := Framed-User
MS-Primary-DNS-Server := 10.25.1.10
Framed-IP-Netmask := 255.255.255.255
EAP-Message =
0x010700211a0107001c10a58f1aff9e9e95e3df5667726e5b86da64707275656261
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x138ded3d138af7a13ad2c8138d486583
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 164 to 10.25.4.250 port 44145
EAP-Message =
0x0107004b19001703010040bdef2d38678359432d6266c8d7f420ba14921ee87fd862a0a7257e539659dcc0bec990abad261b9f26bbe5db1ac85bd262bf5de6fb73e3ae326f294d6060c824
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa65194aaa0568db9e5aa8a871ea68523
Finished request 42.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.25.4.250 port 44145, id=165,
length=308
User-Name = "dprueba"
NAS-IP-Address = 192.168.0.1
NAS-Port = 0
Called-Station-Id = "E8-DE-27-F7-83-A4:cdebiles.eti"
Calling-Station-Id = "10-68-3F-82-42-16"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11"
EAP-Message =
0x0207009019001703010020acb86b95706efaa775287c058b069664408382577b67bb85dbf0b0799c35f099170301006048783d63d8d53df67cc63b4e341b204c0b332e503cda2f22d44cef5660f2d60d0622885dd9e96b86e2a8948f60bfc5453e48eaaa1b118be663680db9d6de04cb9a9730bcdc7387e8f391ac68206356df81cb4e9d10e10835ef2ddd691ac730a6
State = 0xa65194aaa0568db9e5aa8a871ea68523
Message-Authenticator = 0x4773d1a02e02785f3c640a863b235080
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "dprueba", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 7 length 144
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
EAP-Message =
0x020700421a0207003d312c29b4e62a18efaf1bca93031a9bc48a0000000000000000ff2b7cade8eb372e40905cc5552700f40738dbfcb23121840064707275656261
server {
[peap] Setting User-Name to dprueba
Sending tunneled request
EAP-Message =
0x020700421a0207003d312c29b4e62a18efaf1bca93031a9bc48a0000000000000000ff2b7cade8eb372e40905cc5552700f40738dbfcb23121840064707275656261
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "dprueba"
State = 0x138ded3d138af7a13ad2c8138d486583
server inner-tunnel {
# Executing section authorize from file
/etc/freeradius/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "dprueba", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 7 length 66
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[sql] expand: %{User-Name} -> dprueba
[sql] sql_set_user escaped user --> 'dprueba'
rlm_sql (sql): Reserving sql socket id: 4
[sql] expand: SELECT id, username, attribute, value, op FROM
radcheck WHERE username = '%{SQL-User-Name}' ORDER BY
id -> SELECT id, username, attribute, value, op FROM
radcheck WHERE username = 'dprueba' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup
WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT
groupname FROM radusergroup WHERE username =
'dprueba' ORDER BY priority
[sql] expand: SELECT id, groupname, attribute, Value,
op FROM radgroupcheck WHERE groupname =
'%{Sql-Group}' ORDER BY id -> SELECT id, groupname,
attribute, Value, op FROM radgroupcheck WHERE
groupname = 'wifi' ORDER BY id
[sql] User found in group wifi
[sql] expand: SELECT id, groupname, attribute, value,
op FROM radgroupreply WHERE groupname =
'%{Sql-Group}' ORDER BY id -> SELECT id, groupname,
attribute, value, op FROM radgroupreply WHERE
groupname = 'wifi' ORDER BY id
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file
/etc/freeradius/sites-enabled/inner-tunnel
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Creating challenge hash with username: dprueba
[mschap] Told to do MS-CHAPv2 for dprueba with NT-Password
*[mschap] FAILED: No NT/LM-Password. Cannot perform
authentication.[mschap] FAILED: MS-CHAP2-Response is incorrec*t
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
} # server inner-tunnel
[peap] Got tunneled reply code 3
Framed-Protocol := PPP
Framed-Compression := Van-Jacobson-TCP-IP
Framed-MTU := 1500
Service-Type := Framed-User
MS-Primary-DNS-Server := 10.25.1.10
Framed-IP-Netmask := 255.255.255.255
MS-CHAP-Error = "\007E=691 R=1"
EAP-Message = 0x04070004
Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code 3
Framed-Protocol := PPP
Framed-Compression := Van-Jacobson-TCP-IP
Framed-MTU := 1500
Service-Type := Framed-User
MS-Primary-DNS-Server := 10.25.1.10
Framed-IP-Netmask := 255.255.255.255
MS-CHAP-Error = "\007E=691 R=1"
EAP-Message = 0x04070004
Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] returns handled
Sending Access-Challenge of id 165 to 10.25.4.250 port 44145
EAP-Message =
0x0108002b190017030100200f7edf20af25286e24f0a1ec03a04a5e4b893e385955244fa3c44457b30c81cb
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa65194aaa1598db9e5aa8a871ea68523
Finished request 43.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.25.4.250 port 44145, id=166,
length=244
User-Name = "dprueba"
NAS-IP-Address = 192.168.0.1
NAS-Port = 0
Called-Station-Id = "E8-DE-27-F7-83-A4:cdebiles.eti"
Calling-Station-Id = "10-68-3F-82-42-16"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11"
EAP-Message =
0x0208005019001703010020a60874f0b621b855a82de262f1330ac8a1b05f4708527620f981ef3722e3b1cf170301002006ae0d5ee86405c776ba893bd138d82d811bcf6916da13d0681a9d327692ef1b
State = 0xa65194aaa1598db9e5aa8a871ea68523
Message-Authenticator = 0xa8b1ee9f9adf7785813d07e9b14f55a9
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "dprueba", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 8 length 80
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
*[peap] Peap state send tlv failure*
[peap] Received EAP-TLV response.
[peap] The users session was previously rejected: returning reject (again.)
[peap] *** This means you need to read the PREVIOUS messages in the debug
output
[peap] *** to find out the reason why the user was rejected.
[peap] *** Look for "reject" or "fail". Those earlier messages will tell
you.
[peap] *** what went wrong, and how to fix the problem.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> dprueba
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 44 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 44
Sending Access-Reject of id 166 to 10.25.4.250 port 44145
EAP-Message = 0x04080004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.8 seconds.
Cleaning up request 36 ID 158 with timestamp +40
Cleaning up request 37 ID 159 with timestamp +40
Cleaning up request 38 ID 160 with timestamp +40
Cleaning up request 39 ID 161 with timestamp +40
Cleaning up request 40 ID 162 with timestamp +40
Cleaning up request 41 ID 163 with timestamp +40
Cleaning up request 42 ID 164 with timestamp +40
Cleaning up request 43 ID 165 with timestamp +40
Waking up in 1.0 seconds.
Cleaning up request 44 ID 166 with timestamp +41
Ready to process requests.
More information about the Freeradius-Users
mailing list