iOS, Certificate and "Could not scan for wireless network"

Vito A. Smaldino vitoantonio.smaldino at istruzione.it
Fri Oct 16 19:08:42 CEST 2015


Hi all,
in my test environment I'm facing this problem:
When I try to connect from an iPad (iOS 8.4 and 9.0) I receive the
Certificate, immediately followed by the popup saying "Could not scan for
wireless network" ( http://www.smaldino.it/appo/IMG_1160.png ).
Almost simultaneously FR ends with "Ready to process requests." and, even
if I close the popup and tap "Trust", it doesn't connect.

I visited
http://wiki.freeradius.org/guide/Certificate_Compatibility#eap-session-did-not-finish
but it refers to Windows problems and MTU size. In the log I found that the
Framed-MTU is set to 1400; is it small enough, or is the problem elsewhere?
And the last thing: sometimes, after the popup and the "Trust", it connects! N.B.
FR and the AP are on the same LAN.

Thanks for the help.
V


radiusd: FreeRADIUS Version 2.2.8, for host i686-pc-linux-gnu, built on Sep 22 2015 at 21:42:30
Copyright (C) 1999-2015 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
For more information about these matters, see the file named COPYRIGHT.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including configuration file /etc/raddb/eap.conf
main {
allow_core_dumps = no
}
including dictionary file /etc/raddb/dictionary
main {
name = "radiusd"
prefix = "/usr/local"
localstatedir = "/var"
sbindir = "/usr/local/sbin"
logdir = "/var/log"
run_dir = "/var/run/radiusd"
libdir = "/usr/local/lib"
radacctdir = "/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "/tmp/radiusd.pid"
checkrad = "/usr/local/sbin/checkrad"
debug_level = 0
proxy_requests = yes
 log {
  stripped_names = no
  auth = yes
  auth_badpass = no
  auth_goodpass = no
 }
 security {
  max_attributes = 200
  reject_delay = 1
  status_server = no
  allow_vulnerable_openssl = no
 }
}
radiusd: #### Loading Realms and Home Servers ####
 proxy server {
  retry_delay = 5
  retry_count = 3
  default_fallback = yes
  dead_time = 120
  wake_all_if_all_dead = no
 }
 realm LOCAL {
authhost = LOCAL
accthost = LOCAL
 }
 realm SMALDINO.LAN {
authhost = LOCAL
accthost = LOCAL
 }
radiusd: #### Loading Clients ####
 client 127.0.0.1 {
  require_message_authenticator = no
  secret = "ZeroShell"
  shortname = "localhost"
  nastype = "other"
 }
 client 192.0.0.0/8 {
  require_message_authenticator = no
  secret = "testing123"
  shortname = "Cl192"
  nastype = "other"
 }
radiusd: #### Instantiating modules ####
 instantiate {
 }
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/raddb/radiusd.conf
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_mschap
 Module: Instantiating module "mschap" from file /etc/raddb/radiusd.conf
  mschap {
  use_mppe = yes
  require_encryption = no
  require_strong = yes
  with_ntdomain_hack = yes
  allow_retry = yes
  }
 Module: Linked to module rlm_eap
 Module: Instantiating module "eap" from file /etc/raddb/eap.conf
  eap {
  default_eap_type = "tls"
  timer_expire = 60
  ignore_unknown_eap_types = no
  cisco_accounting_username_bug = no
  max_sessions = 2048
  }
 Module: Linked to sub-module rlm_eap_tls
 Module: Instantiating eap-tls
   tls {
    rsa_key_exchange = no
    dh_key_exchange = yes
    rsa_key_length = 512
    dh_key_length = 512
    verify_depth = 0
    CA_path = "/etc/ssl/certs/trusted_CAs/"
    pem_file_type = yes
    private_key_file = "/var/register/system/radius/TLS/key.pem"
    certificate_file = "/var/register/system/radius/TLS/cert.pem"
    dh_file = "/etc/ssl/dh.pem"
    random_file = "/dev/urandom"
    fragment_size = 1024
    include_length = yes
    check_crl = no
    check_all_crl = no
    ecdh_curve = "prime256v1"
   }
 Module: Linked to sub-module rlm_eap_ttls
 Module: Instantiating eap-ttls
   ttls {
    default_eap_type = "md5"
    copy_request_to_tunnel = no
    use_tunneled_reply = yes
    include_length = yes
   }
 Module: Linked to sub-module rlm_eap_peap
 Module: Instantiating eap-peap
   peap {
    default_eap_type = "mschapv2"
    copy_request_to_tunnel = no
    use_tunneled_reply = no
    proxy_tunneled_request_as_eap = yes
    soh = no
   }
 Module: Linked to sub-module rlm_eap_mschapv2
 Module: Instantiating eap-mschapv2
   mschapv2 {
    with_ntdomain_hack = no
    send_error = no
   }
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_attr_rewrite
 Module: Instantiating module "routeradmin" from file /etc/raddb/radiusd.conf
  attr_rewrite routeradmin {
  attribute = "User-Name"
  searchfor = ".enab15."
  searchin = "packet"
  replacewith = "_enab15_"
  append = no
  ignore_case = yes
  new_attribute = no
  max_matches = 10
  }
 Module: Linked to module rlm_preprocess
 Module: Instantiating module "preprocess" from file /etc/raddb/radiusd.conf
  preprocess {
  with_ascend_hack = no
  ascend_channels_per_line = 23
  with_ntdomain_hack = yes
  with_specialix_jetstream_hack = no
  with_cisco_vsa_hack = no
  with_alvarion_vsa_hack = no
  }
 Module: Linked to module rlm_detail
 Module: Instantiating module "auth_log" from file /etc/raddb/radiusd.conf
  detail auth_log {
  detailfile = "/var/log/radius/reply"
  header = "%t"
  detailperm = 384
  dirperm = 493
  locking = no
  log_packet_header = no
  escape_filenames = no
  }
 Module: Linked to module rlm_chap
 Module: Instantiating module "chap" from file /etc/raddb/radiusd.conf
 Module: Linked to module rlm_realm
 Module: Instantiating module "suffix" from file /etc/raddb/radiusd.conf
  realm suffix {
  format = "suffix"
  delimiter = "@"
  ignore_default = no
  ignore_null = no
  }
 Module: Linked to module rlm_files
 Module: Instantiating module "files" from file /etc/raddb/radiusd.conf
  files {
  usersfile = "/etc/raddb/users"
  acctusersfile = "/etc/raddb/acct_users"
  compat = "no"
  }
reading pairlist file /etc/raddb/users
reading pairlist file /etc/raddb/acct_users
 Module: Linked to module rlm_ldap
 Module: Instantiating module "ldap" from file /etc/raddb/radiusd.conf
  ldap {
  server = "127.0.0.1"
  port = 389
  password = ""
  expect_password = yes
  identity = ""
  net_timeout = 1
  timeout = 4
  timelimit = 3
  max_uses = 0
  tls_mode = no
  start_tls = no
  tls_require_cert = "allow"
  basedn = "ou=Radius,dc=smaldino,dc=lan"
  filter = "(cn=%{Stripped-User-Name:-%{User-Name}})"
  base_filter = "(objectclass=radiusprofile)"
  password_attribute = "sn"
  auto_header = no
  access_attr = "dialupAccess"
  access_attr_used_for_allow = yes
  groupname_attribute = "cn"
  groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
  dictionary_mapping = "/etc/raddb/ldap.attrmap"
  ldap_debug = 0
  ldap_connections_number = 5
  compare_check_items = no
  do_xlat = yes
  set_auth_type = yes
  }
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: Over-riding set_auth_type, as there is no module ldap listed in the "authenticate" section.
rlm_ldap: reading ldap<->radius mappings from file /etc/raddb/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id
rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type
rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type
conns: 0x861cf48
 Module: Linked to module rlm_exec
 Module: Instantiating module "pppIP" from file /etc/raddb/radiusd.conf
  exec pppIP {
  wait = yes
  program = "/root/kerbynet.cgi/scripts/pppIP"
  input_pairs = "request"
  output_pairs = "reply"
  shell_escape = yes
  }
 Module: Checking preacct {...} for more modules to load
 Module: Linked to module rlm_acct_unique
 Module: Instantiating module "acct_unique" from file /etc/raddb/radiusd.conf
  acct_unique {
  key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
  }
 Module: Checking accounting {...} for more modules to load
 Module: Instantiating module "detail" from file /etc/raddb/radiusd.conf
  detail {
  detailfile = "/dev/null"
  header = "%t"
  detailperm = 384
  dirperm = 493
  locking = no
  log_packet_header = no
  escape_filenames = no
  }
 Module: Instantiating module "acct_store" from file /etc/raddb/radiusd.conf
  exec acct_store {
  wait = yes
  program = "/root/kerbynet.cgi/scripts/acct_store"
  input_pairs = "request"
  output_pairs = "reply"
  shell_escape = yes
  }
 Module: Checking post-auth {...} for more modules to load
 Module: Instantiating module "SessionLimits" from file /etc/raddb/radiusd.conf
  exec SessionLimits {
  wait = yes
  program = "/root/kerbynet.cgi/scripts/radius-session-limits"
  input_pairs = "request"
  output_pairs = "reply"
  shell_escape = yes
  }
 Module: Instantiating module "RadiusLog" from file /etc/raddb/radiusd.conf
  exec RadiusLog {
  wait = yes
  program = "/root/kerbynet.cgi/scripts/RadiusLog"
  input_pairs = "request"
  output_pairs = "reply"
  shell_escape = yes
  }
 Module: Instantiating module "reply_log" from file /etc/raddb/radiusd.conf
  detail reply_log {
  detailfile = "/dev/null"
  header = "%t"
  detailperm = 384
  dirperm = 493
  locking = no
  log_packet_header = no
  escape_filenames = no
  }
 } # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
  type = "auth"
  ipaddr = *
  port = 0
}
listen {
  type = "acct"
  ipaddr = *
  port = 0
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.2.1 port 45290, id=10, length=185
User-Name = "test1 at smaldino.lan"
NAS-IP-Address = 192.168.2.1
NAS-Port = 0
Called-Station-Id = "E8-DE-27-90-5C-EB:Alice-55852143-5G"
Calling-Station-Id = "BC-3B-AF-C1-9B-41"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11"
EAP-Message = 0x0200001701746573743140736d616c64696e6f2e6c616e
Message-Authenticator = 0x6d9e58408de63738f0cffcafff2cf992
# Executing section authorize from file /etc/raddb/radiusd.conf
+group authorize {
[routeradmin] expand: .enab15. -> .enab15.
routeradmin: Does not match: User-Name = test1 at smaldino.lan
++[routeradmin] = ok
++[preprocess] = ok
[auth_log] expand: /var/log/radius/reply -> /var/log/radius/reply
[auth_log] /var/log/radius/reply expands to /var/log/radius/reply
[auth_log] expand: %t -> Fri Oct 16 17:30:49 2015
++[auth_log] = ok
++[chap] = noop
++[mschap] = noop
[suffix] Looking up realm "smaldino.lan" for User-Name = "test1 at smaldino.lan"
[suffix] Found realm "SMALDINO.LAN"
[suffix] Adding Stripped-User-Name = "test1"
[suffix] Adding Realm = "SMALDINO.LAN"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 0 length 23
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
[ldap] performing user authorization for test1
[ldap] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
[ldap] expand: (cn=%{Stripped-User-Name:-%{User-Name}}) -> (cn=test1)
[ldap] expand: ou=Radius,dc=smaldino,dc=lan -> ou=Radius,dc=smaldino,dc=lan
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] attempting LDAP reconnection
  [ldap] (re)connect to 127.0.0.1:389, authentication 0
  [ldap] bind as / to 127.0.0.1:389
  [ldap] waiting for bind result ...
  [ldap] Bind was successful
  [ldap] performing search in ou=Radius,dc=smaldino,dc=lan, with filter (cn=test1)
[ldap] checking if remote access for test1 is allowed by dialupAccess
[ldap] Added User-Password = testa in check items
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
[ldap] user test1 authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] = ok
Exec output:
[pppIP] Exec: program returned: 0
++[pppIP] = ok
+} # group authorize = updated
Found Auth-Type = EAP
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!    Replacing User-Password in config items with Cleartext-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good" !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
# Executing group from file /etc/raddb/radiusd.conf
+group authenticate {
[eap] EAP Identity
[eap] processing type tls
[tls] Requiring client certificate
[tls] Initiate
[tls] Start returned 1
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 10 to 192.168.2.1 port 45290
EAP-Message = 0x010100060d20
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xe1c2aac6e1c3a7cd8f7bb7a7c9250742
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.2.1 port 45290, id=11, length=186
User-Name = "test1 at smaldino.lan"
NAS-IP-Address = 192.168.2.1
NAS-Port = 0
Called-Station-Id = "E8-DE-27-90-5C-EB:Alice-55852143-5G"
Calling-Station-Id = "BC-3B-AF-C1-9B-41"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11"
EAP-Message = 0x020100060319
State = 0xe1c2aac6e1c3a7cd8f7bb7a7c9250742
Message-Authenticator = 0x8a2a41183e342309aa40ff4974455ba7
# Executing section authorize from file /etc/raddb/radiusd.conf
+group authorize {
[routeradmin] expand: .enab15. -> .enab15.
routeradmin: Does not match: User-Name = test1 at smaldino.lan
++[routeradmin] = ok
++[preprocess] = ok
[auth_log] expand: /var/log/radius/reply -> /var/log/radius/reply
[auth_log] /var/log/radius/reply expands to /var/log/radius/reply
[auth_log] expand: %t -> Fri Oct 16 17:30:49 2015
++[auth_log] = ok
++[chap] = noop
++[mschap] = noop
[suffix] Looking up realm "smaldino.lan" for User-Name = "test1 at smaldino.lan"
[suffix] Found realm "SMALDINO.LAN"
[suffix] Adding Stripped-User-Name = "test1"
[suffix] Adding Realm = "SMALDINO.LAN"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 1 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
[ldap] performing user authorization for test1
[ldap] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
[ldap] expand: (cn=%{Stripped-User-Name:-%{User-Name}}) -> (cn=test1)
[ldap] expand: ou=Radius,dc=smaldino,dc=lan -> ou=Radius,dc=smaldino,dc=lan
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in ou=Radius,dc=smaldino,dc=lan, with filter (cn=test1)
[ldap] checking if remote access for test1 is allowed by dialupAccess
[ldap] Added User-Password = testa in check items
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
[ldap] user test1 authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] = ok
Exec output:
[pppIP] Exec: program returned: 0
++[pppIP] = ok
+} # group authorize = updated
Found Auth-Type = EAP
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!    Replacing User-Password in config items with Cleartext-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good" !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
# Executing group from file /etc/raddb/radiusd.conf
+group authenticate {
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/peap
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 11 to 192.168.2.1 port 45290
EAP-Message = 0x010200061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xe1c2aac6e0c0b3cd8f7bb7a7c9250742
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.2.1 port 45290, id=12, length=332
User-Name = "test1 at smaldino.lan"
NAS-IP-Address = 192.168.2.1
NAS-Port = 0
Called-Station-Id = "E8-DE-27-90-5C-EB:Alice-55852143-5G"
Calling-Station-Id = "BC-3B-AF-C1-9B-41"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11"
EAP-Message = 0x0202009819800000008e160301008901000085030156211829e5957d201cda1bae922443901fe3790b6d9105a60794b4dce2fdfa7400004a00ffc024c023c00ac009c008c028c027c014c013c012c026c025c005c004c003c02ac029c00fc00ec00d006b0067003900330016003d003c0035002f000ac007c011c002c00c0005000401000012000a00080006001700180019000b00020100
State = 0xe1c2aac6e0c0b3cd8f7bb7a7c9250742
Message-Authenticator = 0x5dbd5564fcff2011be133c641c1ca2a6
# Executing section authorize from file /etc/raddb/radiusd.conf
+group authorize {
[routeradmin] expand: .enab15. -> .enab15.
routeradmin: Does not match: User-Name = test1 at smaldino.lan
++[routeradmin] = ok
++[preprocess] = ok
[auth_log] expand: /var/log/radius/reply -> /var/log/radius/reply
[auth_log] /var/log/radius/reply expands to /var/log/radius/reply
[auth_log] expand: %t -> Fri Oct 16 17:30:49 2015
++[auth_log] = ok
++[chap] = noop
++[mschap] = noop
[suffix] Looking up realm "smaldino.lan" for User-Name = "test1 at smaldino.lan"
[suffix] Found realm "SMALDINO.LAN"
[suffix] Adding Stripped-User-Name = "test1"
[suffix] Adding Realm = "SMALDINO.LAN"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 2 length 152
[eap] Continuing tunnel setup.
++[eap] = ok
++[files] = noop
[ldap] performing user authorization for test1
[ldap] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
[ldap] expand: (cn=%{Stripped-User-Name:-%{User-Name}}) -> (cn=test1)
[ldap] expand: ou=Radius,dc=smaldino,dc=lan -> ou=Radius,dc=smaldino,dc=lan
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in ou=Radius,dc=smaldino,dc=lan, with filter (cn=test1)
[ldap] checking if remote access for test1 is allowed by dialupAccess
[ldap] Added User-Password = testa in check items
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
[ldap] user test1 authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] = ok
Exec output:
[pppIP] Exec: program returned: 0
++[pppIP] = ok
+} # group authorize = ok
Found Auth-Type = EAP
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!    Replacing User-Password in config items with Cleartext-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good" !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
# Executing group from file /etc/raddb/radiusd.conf
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 142
[peap] Length Included
[peap] eaptls_verify returned 11
[peap]     (other): before/accept initialization
[peap]     TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 0089], ClientHello
[peap]     TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 0031], ServerHello
[peap]     TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 06e1], Certificate
[peap]     TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange
[peap]     TLS_accept: SSLv3 write key exchange A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap]     TLS_accept: SSLv3 write server done A
[peap]     TLS_accept: SSLv3 flush data
[peap]     TLS_accept: Need to read more data: SSLv3 read client certificate A
[peap]     TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 12 to 192.168.2.1 port 45290
EAP-Message = 0x214da1f97e1190c205ffe84af2ca8d10e0ee9692c2083f15670543ccbb56f86b56451d037e9cfe29d6df2837f2c8079d70b0a19af328e8b0e6ffb3d27043aadc2fd7822033ec6954616b209291b16e4b687b7b008bd60da8763ccddd0352dd8f795d6e28c5c5446da4d4014a4a8307b1f30c72655cd2e4a351a18456acf092800ae5526d900a90dfac92f4eadc27b95ab1bd00039a308203963082027ea003020102020100300d06092a864886f70d010105050030403111300f060355040a1308736d616c64696e6f31173015060355040b130e7a65726f7368656c6c206635666131123010060355040313095a65726f5368656c6c301e170d313531
EAP-Message = 0x3031353230343034335a170d
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xe1c2aac6e3c1b3cd8f7bb7a7c9250742
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.2.1 port 45290, id=13, length=186
User-Name = "test1 at smaldino.lan"
NAS-IP-Address = 192.168.2.1
NAS-Port = 0
Called-Station-Id = "E8-DE-27-90-5C-EB:Alice-55852143-5G"
Calling-Station-Id = "BC-3B-AF-C1-9B-41"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11"
EAP-Message = 0x020300061900
State = 0xe1c2aac6e3c1b3cd8f7bb7a7c9250742
Message-Authenticator = 0x9cfe139ac01c61752c18a7d388667309
# Executing section authorize from file /etc/raddb/radiusd.conf
+group authorize {
[routeradmin] expand: .enab15. -> .enab15.
routeradmin: Does not match: User-Name = test1 at smaldino.lan
++[routeradmin] = ok
++[preprocess] = ok
[auth_log] expand: /var/log/radius/reply -> /var/log/radius/reply
[auth_log] /var/log/radius/reply expands to /var/log/radius/reply
[auth_log] expand: %t -> Fri Oct 16 17:30:49 2015
++[auth_log] = ok
++[chap] = noop
++[mschap] = noop
[suffix] Looking up realm "smaldino.lan" for User-Name = "test1 at smaldino.lan"
[suffix] Found realm "SMALDINO.LAN"
[suffix] Adding Stripped-User-Name = "test1"
[suffix] Adding Realm = "SMALDINO.LAN"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 3 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
++[files] = noop
[ldap] performing user authorization for test1
[ldap] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
[ldap] expand: (cn=%{Stripped-User-Name:-%{User-Name}}) -> (cn=test1)
[ldap] expand: ou=Radius,dc=smaldino,dc=lan -> ou=Radius,dc=smaldino,dc=lan
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in ou=Radius,dc=smaldino,dc=lan, with filter (cn=test1)
[ldap] checking if remote access for test1 is allowed by dialupAccess
[ldap] Added User-Password = testa in check items
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
[ldap] user test1 authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] = ok
Exec output:
[pppIP] Exec: program returned: 0
++[pppIP] = ok
+} # group authorize = ok
Found Auth-Type = EAP
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!    Replacing User-Password in config items with Cleartext-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good" !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
# Executing group from file /etc/raddb/radiusd.conf
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 13 to 192.168.2.1 port 45290
EAP-Message = 0x529d5e7cf72734cf
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xe1c2aac6e2c6b3cd8f7bb7a7c9250742
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.2.1 port 45290, id=14, length=186
User-Name = "test1 at smaldino.lan"
NAS-IP-Address = 192.168.2.1
NAS-Port = 0
Called-Station-Id = "E8-DE-27-90-5C-EB:Alice-55852143-5G"
Calling-Station-Id = "BC-3B-AF-C1-9B-41"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11"
EAP-Message = 0x020400061900
State = 0xe1c2aac6e2c6b3cd8f7bb7a7c9250742
Message-Authenticator = 0x036f0f4ebd2ecf2f42519b9ad1983cf1
# Executing section authorize from file /etc/raddb/radiusd.conf
+group authorize {
[routeradmin] expand: .enab15. -> .enab15.
routeradmin: Does not match: User-Name = test1 at smaldino.lan
++[routeradmin] = ok
++[preprocess] = ok
[auth_log] expand: /var/log/radius/reply -> /var/log/radius/reply
[auth_log] /var/log/radius/reply expands to /var/log/radius/reply
[auth_log] expand: %t -> Fri Oct 16 17:30:49 2015
++[auth_log] = ok
++[chap] = noop
++[mschap] = noop
[suffix] Looking up realm "smaldino.lan" for User-Name = "test1 at smaldino.lan"
[suffix] Found realm "SMALDINO.LAN"
[suffix] Adding Stripped-User-Name = "test1"
[suffix] Adding Realm = "SMALDINO.LAN"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 4 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
++[files] = noop
[ldap] performing user authorization for test1
[ldap] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
[ldap] expand: (cn=%{Stripped-User-Name:-%{User-Name}}) -> (cn=test1)
[ldap] expand: ou=Radius,dc=smaldino,dc=lan -> ou=Radius,dc=smaldino,dc=lan
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in ou=Radius,dc=smaldino,dc=lan, with filter (cn=test1)
[ldap] checking if remote access for test1 is allowed by dialupAccess
[ldap] Added User-Password = testa in check items
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
[ldap] user test1 authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] = ok
Exec output:
[pppIP] Exec: program returned: 0
++[pppIP] = ok
+} # group authorize = ok
Found Auth-Type = EAP
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!    Replacing User-Password in config items with Cleartext-Password.
!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good"
!!!
!!! clear text password is in Cleartext-Password, and not in User-Password.
!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
# Executing group from file /etc/raddb/radiusd.conf
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 14 to 192.168.2.1 port 45290
EAP-Message = 0x0105015119005e963fa660565b4f8d54a4372bff3740c57468a50cf21cd8099dd3cf425b7290ed2436ee93161bcc029536743df097d32ae39e90fc05f71bb2b321a485a800b50100b4dc522b855ce93ef5c9b899d8e0a8411d840241ececb7dc5c1943ff2982e80fd5e4e5962aa409b18116629a4872088c64eef13c409fe3866526de48426570ba1a64dfb416ad4f26324b6e8b95f34f05e278136ef01667f3cdb971f0865f77fdc3f686583136ed78708bad75ae4ef44b784320f3378d337f1018497e859baca9f31136e2e7543954a88d6e217ac9043e5b0959c8b5d901b78e55f6cd5106d84929bfd31aadbb05fa0e0aa0e62b98fa0f354ac412d5
EAP-Message = 0x4bcf1659c974acbd061c230a936775ca0ce5d0590ea4b3d185806e7fb12aab089f77cbaa7ec004873d51555d3a447198e8471c1d92993599e7cc30c4cc1264e97f0b1d0f196e2294d36c6416030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xe1c2aac6e5c7b3cd8f7bb7a7c9250742
Finished request 4.
Going to the next request
Waking up in 4.8 seconds.
Cleaning up request 0 ID 10 with timestamp +35
Cleaning up request 1 ID 11 with timestamp +35
Cleaning up request 2 ID 12 with timestamp +35
Cleaning up request 3 ID 13 with timestamp +35
Cleaning up request 4 ID 14 with timestamp +35
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
WARNING: !! EAP session for state 0xe1c2aac6e5c7b3cd did not finish!
WARNING: !! Please read http://wiki.freeradius.org/guide/Certificate_Compatibility
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Ready to process requests.



-- 
Vito A. Smaldino
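
The EAP-Message hex values in the debug log above can be decoded by hand to see exactly where the conversation stops. The following Python is an added example, not code from the original post or from FreeRADIUS: it parses the EAP header (RFC 3748) and the flags byte that EAP-TLS and PEAP share (RFC 5216 section 3.1) over the values copied from the log, and reports which server Request never received a client Response. Function and constant names (decode_eap, trailing_handshake, unanswered_requests, LOG) are this example's own; the hex strings are copied from the log, with the two EAP-Message attributes of the id=14 challenge joined into one packet.

```python
"""Decode the EAP-Message values from the FreeRADIUS debug log above.

Added example (not code from the original post or from FreeRADIUS). Framing
follows RFC 3748 for the EAP header and RFC 5216 section 3.1 for the flags
byte that EAP-TLS and PEAP share. Hex values in LOG are copied from the log.
"""
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}
HANDSHAKE = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
             12: "ServerKeyExchange", 14: "ServerHelloDone"}

# Access-Request id=12 (EAP id 2) from the iPad: PEAP, L bit set, ClientHello.
CLIENT_HELLO = (
    "0202009819800000008e" "1603010089" "01000085" "0301"
    "56211829e5957d201cda1bae922443901fe3790b6d9105a60794b4dce2fdfa74"
    "00" "004a"
    "00ffc024c023c00ac009c008c028c027c014c013c012c026c025c005c004c003"
    "c02ac029c00fc00ec00d006b0067003900330016003d003c0035002f000ac007"
    "c011c002c00c00050004" "0100" "0012"
    "000a00080006001700180019" "000b00020100")
# Access-Challenge id=14 (EAP id 5) from FR: both EAP-Message values joined.
SERVER_LAST = (
    "0105015119005e963fa660565b4f8d54a4372bff3740c57468a50cf21cd8099d"
    "d3cf425b7290ed2436ee93161bcc029536743df097d32ae39e90fc05f71bb2b3"
    "21a485a800b50100b4dc522b855ce93ef5c9b899d8e0a8411d840241ececb7dc"
    "5c1943ff2982e80fd5e4e5962aa409b18116629a4872088c64eef13c409fe386"
    "6526de48426570ba1a64dfb416ad4f26324b6e8b95f34f05e278136ef01667f3"
    "cdb971f0865f77fdc3f686583136ed78708bad75ae4ef44b784320f3378d337f"
    "1018497e859baca9f31136e2e7543954a88d6e217ac9043e5b0959c8b5d901b7"
    "8e55f6cd5106d84929bfd31aadbb05fa0e0aa0e62b98fa0f354ac412d5"
    "4bcf1659c974acbd061c230a936775ca0ce5d0590ea4b3d185806e7fb12aab08"
    "9f77cbaa7ec004873d51555d3a447198e8471c1d92993599e7cc30c4cc1264e9"
    "7f0b1d0f196e2294d36c6416030100040e000000")
LOG = [  # (sender, hex) in the order the log shows them
    ("iPad", "0x0200001701746573743140736d616c64696e6f2e6c616e"),
    ("FR", "0x010100060d20"),
    ("iPad", "0x020100060319"),
    ("FR", "0x010200061920"),
    ("iPad", "0x" + CLIENT_HELLO),
    ("iPad", "0x020300061900"),
    ("iPad", "0x020400061900"),
    ("FR", "0x" + SERVER_LAST),
]


def decode_eap(hexstr):
    """Parse one EAP packet (hex, optional 0x prefix) into a dict of fields."""
    data = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError("EAP length %d, %d bytes present" % (length, len(data)))
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code not in (1, 2) or length == 4:
        return pkt                          # Success/Failure carry no type
    eap_type, payload = data[4], data[5:]
    pkt["type"] = EAP_TYPES.get(eap_type, eap_type)
    if eap_type == 1:                       # Identity: the bare user name
        pkt["identity"] = payload.decode("ascii", "replace")
    elif eap_type == 3:                     # Nak: types the peer would accept
        pkt["desired"] = [EAP_TYPES.get(t, t) for t in payload]
    elif eap_type in (13, 21, 25):          # TLS-based: flags [+ length] + data
        flags = payload[0]
        pkt.update(L=bool(flags & 0x80), M=bool(flags & 0x40), S=bool(flags & 0x20))
        rest = payload[1:]
        if pkt["L"]:                        # total TLS length, first fragment only
            pkt["tls_total"] = struct.unpack("!I", rest[:4])[0]
            rest = rest[4:]
        pkt["tls_data"] = rest
        if len(rest) > 5 and rest[0] == 0x16:   # fragment starts on a record
            pkt["first_handshake"] = HANDSHAKE.get(rest[5], rest[5])
    return pkt


def trailing_handshake(data):
    """Name the handshake message if the data ends in a 4-byte handshake
    record (ServerHelloDone is exactly 16 03 01 00 04 0e 00 00 00)."""
    if len(data) >= 9 and data[-9] == 0x16 and data[-6:-4] == b"\x00\x04":
        return HANDSHAKE.get(data[-4], data[-4])
    return None


def unanswered_requests(log):
    """Ids of server Requests with no client Response of the same id."""
    pkts = [decode_eap(h) for _, h in log]
    answered = {p["id"] for p in pkts if p["code"] == "Response"}
    return [p["id"] for p in pkts if p["code"] == "Request" and p["id"] not in answered]


if __name__ == "__main__":
    for who, h in LOG:
        p = decode_eap(h)
        bits = "".join(b for b in "LMS" if p.get(b))
        print("%-4s %-8s id=%d %-8s flags=%-3s %s %s" % (
            who, p["code"], p["id"], p.get("type", ""), bits or "-",
            p.get("identity") or p.get("desired") or p.get("first_handshake") or "",
            trailing_handshake(p.get("tls_data", b"")) or ""))
    print("requests never answered by the client:", unanswered_requests(LOG))
```

Run as a script it prints one line per packet: the iPad acknowledges the fragmented server flight (ids 3 and 4 are bare ACKs) and then never answers request id 5, whose last fragment has the M bit clear and ends in ServerHelloDone, so the stall is at the point where the client must act on the server certificate rather than at a fragment-size boundary.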

