Yet Another PEAP-MSCHAPV2 problem
Alex Moen
alexm at ndtel.com
Mon Sep 21 21:57:07 CEST 2015
I have searched through the mailing list and Google for the resolution
to this, and I have found quite a bit of information, but I have not yet
found the solution to my problem. I am trying to properly configure a
FreeRADIUS version 3.0.9 server to authenticate wireless users using
PEAP and MSCHAPv2 against an OpenLDAP version 2.4.39. I can authenticate
both users that I will be discussing directly against the LDAP server
correctly (using "ldapsearch"). However, only one of them works via the
wireless connection.
I have attached 2 files:
- debi-debug.txt: the failing account full debug of radiusd -x
- alex-debug.txt: the working account full debug of radiusd -x
These debugs were gathered by attempting to authenticate the same
Windows 7 laptop to the 802.1x wireless network. Working laptop,
working network, different outcomes with two accounts that both work
when authenticated with ldapsearch.
When I run the debi-debug.txt text through the web debugger, I get the
following lines in red:
mschap: ERROR: FAILED: No NT/LM-Password. Cannot perform authentication
mschap: ERROR: MS-CHAP2-Response is incorrect
[mschap] = reject
} # Auth-Type MS-CHAP = reject
MSCHAP-Error: ?E=691 R=1
Could not parse new challenge from MS-CHAP-Error: 2
ERROR: MSCHAP Failure
This is what I have been searching for, but I can't find any real reason
that it works for the alex account but not the debi account.
I can provide whatever is needed to find the problem here, I just don't
know what will be helpful.
TIA!
Alex
-------------- next part --------------
(12) Received Access-Request Id 56 from 192.168.255.112:51351 to 192.168.255.5:1812 length 195
(12) User-Name = "debio at ndtel.com"
(12) NAS-IP-Address = 192.168.255.112
(12) NAS-Identifier = "0418d620086c"
(12) NAS-Port = 0
(12) Called-Station-Id = "0E-18-D6-22-08-6C:NDTC Corporate 11x"
(12) Calling-Station-Id = "C4-85-08-F5-2C-10"
(12) Framed-MTU = 1400
(12) NAS-Port-Type = Wireless-802.11
(12) Connect-Info = "CONNECT 0Mbps 802.11b"
(12) EAP-Message = 0x0218001401646562696f406e6474656c2e636f6d
(12) Message-Authenticator = 0xf095375e1cafefea7e5235c249c50e8b
(12) # Executing section authorize from file /etc/raddb/sites-enabled/default
(12) authorize {
(12) policy filter_username {
(12) if (!&User-Name) {
(12) if (!&User-Name) -> FALSE
(12) if (&User-Name =~ / /) {
(12) if (&User-Name =~ / /) -> FALSE
(12) if (&User-Name =~ /@.*@/ ) {
(12) if (&User-Name =~ /@.*@/ ) -> FALSE
(12) if (&User-Name =~ /\.\./ ) {
(12) if (&User-Name =~ /\.\./ ) -> FALSE
(12) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(12) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(12) if (&User-Name =~ /\.$/) {
(12) if (&User-Name =~ /\.$/) -> FALSE
(12) if (&User-Name =~ /@\./) {
(12) if (&User-Name =~ /@\./) -> FALSE
(12) } # policy filter_username = notfound
(12) [preprocess] = ok
(12) [digest] = noop
(12) suffix: Checking for suffix after "@"
(12) suffix: Looking up realm "ndtel.com" for User-Name = "debio at ndtel.com"
(12) suffix: Found realm "ndtel.com"
(12) suffix: Adding Stripped-User-Name = "debio"
(12) suffix: Adding Realm = "ndtel.com"
(12) suffix: Authentication realm is LOCAL
(12) [suffix] = ok
(12) eap: Peer sent EAP Response (code 2) ID 24 length 20
(12) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(12) [eap] = ok
(12) } # authorize = ok
(12) Found Auth-Type = EAP
(12) # Executing group from file /etc/raddb/sites-enabled/default
(12) authenticate {
(12) eap: Peer sent packet with method EAP Identity (1)
(12) eap: Calling submodule eap_peap to process data
(12) eap_peap: Initiating new EAP-TLS session
(12) eap_peap: [eaptls start] = request
(12) eap: Sending EAP Request (code 1) ID 25 length 6
(12) eap: EAP session adding &reply:State = 0xf7e39e6bf7fa872e
(12) [eap] = handled
(12) } # authenticate = handled
(12) Using Post-Auth-Type Challenge
(12) Post-Auth-Type sub-section not found. Ignoring.
(12) # Executing group from file /etc/raddb/sites-enabled/default
(12) Sent Access-Challenge Id 56 from 192.168.255.5:1812 to 192.168.255.112:51351 length 0
(12) EAP-Message = 0x011900061920
(12) Message-Authenticator = 0x00000000000000000000000000000000
(12) State = 0xf7e39e6bf7fa872ec52992fbbfa43f16
(12) Finished request
Waking up in 4.9 seconds.
(13) Received Access-Request Id 57 from 192.168.255.112:51351 to 192.168.255.5:1812 length 300
(13) User-Name = "debio at ndtel.com"
(13) NAS-IP-Address = 192.168.255.112
(13) NAS-Identifier = "0418d620086c"
(13) NAS-Port = 0
(13) Called-Station-Id = "0E-18-D6-22-08-6C:NDTC Corporate 11x"
(13) Calling-Station-Id = "C4-85-08-F5-2C-10"
(13) Framed-MTU = 1400
(13) NAS-Port-Type = Wireless-802.11
(13) Connect-Info = "CONNECT 0Mbps 802.11b"
(13) EAP-Message = 0x0219006b198000000061160301005c0100005803015600313efce0ac71eff0676e3fe3e0edd301f290b31ec2546412a772dee66392000018c014c013c00ac0090035002f00380032000a00130005000401000017000a00080006001900170018000b00020100ff01000100
(13) State = 0xf7e39e6bf7fa872ec52992fbbfa43f16
(13) Message-Authenticator = 0x7e4d4cc6e7a82c011a831da0e73059c5
(13) session-state: No cached attributes
(13) # Executing section authorize from file /etc/raddb/sites-enabled/default
(13) authorize {
(13) policy filter_username {
(13) if (!&User-Name) {
(13) if (!&User-Name) -> FALSE
(13) if (&User-Name =~ / /) {
(13) if (&User-Name =~ / /) -> FALSE
(13) if (&User-Name =~ /@.*@/ ) {
(13) if (&User-Name =~ /@.*@/ ) -> FALSE
(13) if (&User-Name =~ /\.\./ ) {
(13) if (&User-Name =~ /\.\./ ) -> FALSE
(13) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(13) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(13) if (&User-Name =~ /\.$/) {
(13) if (&User-Name =~ /\.$/) -> FALSE
(13) if (&User-Name =~ /@\./) {
(13) if (&User-Name =~ /@\./) -> FALSE
(13) } # policy filter_username = notfound
(13) [preprocess] = ok
(13) [digest] = noop
(13) suffix: Checking for suffix after "@"
(13) suffix: Looking up realm "ndtel.com" for User-Name = "debio at ndtel.com"
(13) suffix: Found realm "ndtel.com"
(13) suffix: Adding Stripped-User-Name = "debio"
(13) suffix: Adding Realm = "ndtel.com"
(13) suffix: Authentication realm is LOCAL
(13) [suffix] = ok
(13) eap: Peer sent EAP Response (code 2) ID 25 length 107
(13) eap: Continuing tunnel setup
(13) [eap] = ok
(13) } # authorize = ok
(13) Found Auth-Type = EAP
(13) # Executing group from file /etc/raddb/sites-enabled/default
(13) authenticate {
(13) eap: Expiring EAP session with state 0xf7e39e6bf7fa872e
(13) eap: Finished EAP session with state 0xf7e39e6bf7fa872e
(13) eap: Previous EAP request found for state 0xf7e39e6bf7fa872e, released from the list
(13) eap: Peer sent packet with method EAP PEAP (25)
(13) eap: Calling submodule eap_peap to process data
(13) eap_peap: Continuing EAP-TLS
(13) eap_peap: Peer indicated complete TLS record size will be 97 bytes
(13) eap_peap: Got complete TLS record (97 bytes)
(13) eap_peap: [eaptls verify] = length included
(13) eap_peap: (other): before/accept initialization
(13) eap_peap: TLS_accept: before/accept initialization
(13) eap_peap: <<< TLS 1.0 Handshake [length 005c], ClientHello
(13) eap_peap: TLS_accept: SSLv3 read client hello A
(13) eap_peap: >>> TLS 1.0 Handshake [length 0059], ServerHello
(13) eap_peap: TLS_accept: SSLv3 write server hello A
(13) eap_peap: >>> TLS 1.0 Handshake [length 08b0], Certificate
(13) eap_peap: TLS_accept: SSLv3 write certificate A
(13) eap_peap: >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange
(13) eap_peap: TLS_accept: SSLv3 write key exchange A
(13) eap_peap: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
(13) eap_peap: TLS_accept: SSLv3 write server done A
(13) eap_peap: TLS_accept: SSLv3 flush data
(13) eap_peap: TLS_accept: Need to read more data: SSLv3 read client certificate A
(13) eap_peap: TLS_accept: Need to read more data: SSLv3 read client certificate A
(13) eap_peap: In SSL Handshake Phase
(13) eap_peap: In SSL Accept mode
(13) eap_peap: [eaptls process] = handled
(13) eap: Sending EAP Request (code 1) ID 26 length 1004
(13) eap: EAP session adding &reply:State = 0xf7e39e6bf6f9872e
(13) [eap] = handled
(13) } # authenticate = handled
(13) Using Post-Auth-Type Challenge
(13) Post-Auth-Type sub-section not found. Ignoring.
(13) # Executing group from file /etc/raddb/sites-enabled/default
(13) Sent Access-Challenge Id 57 from 192.168.255.5:1812 to 192.168.255.112:51351 length 0
(13) EAP-Message = 0x011a03ec19c000000a6c16030100590200005503015600313cc168e781977d554266bae9007d61dcc9b0cda093c4d321375802979720a860fc35e416d563f0afd67f69e48cacafc9c1a1cfced303a30428c3d7e5cd60c01400000dff01000100000b00040300010216030108b00b0008ac0008a90003d0
(13) Message-Authenticator = 0x00000000000000000000000000000000
(13) State = 0xf7e39e6bf6f9872ec52992fbbfa43f16
(13) Finished request
Waking up in 4.9 seconds.
(14) Received Access-Request Id 58 from 192.168.255.112:51351 to 192.168.255.5:1812 length 199
(14) User-Name = "debio at ndtel.com"
(14) NAS-IP-Address = 192.168.255.112
(14) NAS-Identifier = "0418d620086c"
(14) NAS-Port = 0
(14) Called-Station-Id = "0E-18-D6-22-08-6C:NDTC Corporate 11x"
(14) Calling-Station-Id = "C4-85-08-F5-2C-10"
(14) Framed-MTU = 1400
(14) NAS-Port-Type = Wireless-802.11
(14) Connect-Info = "CONNECT 0Mbps 802.11b"
(14) EAP-Message = 0x021a00061900
(14) State = 0xf7e39e6bf6f9872ec52992fbbfa43f16
(14) Message-Authenticator = 0x386ff16c812e42bb55c10eda7b7c53ef
(14) session-state: No cached attributes
(14) # Executing section authorize from file /etc/raddb/sites-enabled/default
(14) authorize {
(14) policy filter_username {
(14) if (!&User-Name) {
(14) if (!&User-Name) -> FALSE
(14) if (&User-Name =~ / /) {
(14) if (&User-Name =~ / /) -> FALSE
(14) if (&User-Name =~ /@.*@/ ) {
(14) if (&User-Name =~ /@.*@/ ) -> FALSE
(14) if (&User-Name =~ /\.\./ ) {
(14) if (&User-Name =~ /\.\./ ) -> FALSE
(14) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(14) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(14) if (&User-Name =~ /\.$/) {
(14) if (&User-Name =~ /\.$/) -> FALSE
(14) if (&User-Name =~ /@\./) {
(14) if (&User-Name =~ /@\./) -> FALSE
(14) } # policy filter_username = notfound
(14) [preprocess] = ok
(14) [digest] = noop
(14) suffix: Checking for suffix after "@"
(14) suffix: Looking up realm "ndtel.com" for User-Name = "debio at ndtel.com"
(14) suffix: Found realm "ndtel.com"
(14) suffix: Adding Stripped-User-Name = "debio"
(14) suffix: Adding Realm = "ndtel.com"
(14) suffix: Authentication realm is LOCAL
(14) [suffix] = ok
(14) eap: Peer sent EAP Response (code 2) ID 26 length 6
(14) eap: Continuing tunnel setup
(14) [eap] = ok
(14) } # authorize = ok
(14) Found Auth-Type = EAP
(14) # Executing group from file /etc/raddb/sites-enabled/default
(14) authenticate {
(14) eap: Expiring EAP session with state 0xf7e39e6bf6f9872e
(14) eap: Finished EAP session with state 0xf7e39e6bf6f9872e
(14) eap: Previous EAP request found for state 0xf7e39e6bf6f9872e, released from the list
(14) eap: Peer sent packet with method EAP PEAP (25)
(14) eap: Calling submodule eap_peap to process data
(14) eap_peap: Continuing EAP-TLS
(14) eap_peap: Peer ACKed our handshake fragment
(14) eap_peap: [eaptls verify] = request
(14) eap_peap: [eaptls process] = handled
(14) eap: Sending EAP Request (code 1) ID 27 length 1000
(14) eap: EAP session adding &reply:State = 0xf7e39e6bf5f8872e
(14) [eap] = handled
(14) } # authenticate = handled
(14) Using Post-Auth-Type Challenge
(14) Post-Auth-Type sub-section not found. Ignoring.
(14) # Executing group from file /etc/raddb/sites-enabled/default
(14) Sent Access-Challenge Id 58 from 192.168.255.5:1812 to 192.168.255.112:51351 length 0
(14) EAP-Message = 0x011b03e81940cb266556c619c5b2efa5b201a6104aeffbbebb8cfd465f6a691bd7b1d49fb2d61b1273cc603b2a22bbabcde5c31eabc6bbff16f1a1e487f5daded9fe6ffc9dfacbdac64c43825dee4e2a378bcc2859de84c80339fd6dedd41a13450004d3308204cf308203b7a0030201020209008be4d1
(14) Message-Authenticator = 0x00000000000000000000000000000000
(14) State = 0xf7e39e6bf5f8872ec52992fbbfa43f16
(14) Finished request
Waking up in 4.9 seconds.
(15) Received Access-Request Id 59 from 192.168.255.112:51351 to 192.168.255.5:1812 length 199
(15) User-Name = "debio at ndtel.com"
(15) NAS-IP-Address = 192.168.255.112
(15) NAS-Identifier = "0418d620086c"
(15) NAS-Port = 0
(15) Called-Station-Id = "0E-18-D6-22-08-6C:NDTC Corporate 11x"
(15) Calling-Station-Id = "C4-85-08-F5-2C-10"
(15) Framed-MTU = 1400
(15) NAS-Port-Type = Wireless-802.11
(15) Connect-Info = "CONNECT 0Mbps 802.11b"
(15) EAP-Message = 0x021b00061900
(15) State = 0xf7e39e6bf5f8872ec52992fbbfa43f16
(15) Message-Authenticator = 0xf66a218ad0103da738e0d17ee3dc607b
(15) session-state: No cached attributes
(15) # Executing section authorize from file /etc/raddb/sites-enabled/default
(15) authorize {
(15) policy filter_username {
(15) if (!&User-Name) {
(15) if (!&User-Name) -> FALSE
(15) if (&User-Name =~ / /) {
(15) if (&User-Name =~ / /) -> FALSE
(15) if (&User-Name =~ /@.*@/ ) {
(15) if (&User-Name =~ /@.*@/ ) -> FALSE
(15) if (&User-Name =~ /\.\./ ) {
(15) if (&User-Name =~ /\.\./ ) -> FALSE
(15) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(15) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(15) if (&User-Name =~ /\.$/) {
(15) if (&User-Name =~ /\.$/) -> FALSE
(15) if (&User-Name =~ /@\./) {
(15) if (&User-Name =~ /@\./) -> FALSE
(15) } # policy filter_username = notfound
(15) [preprocess] = ok
(15) [digest] = noop
(15) suffix: Checking for suffix after "@"
(15) suffix: Looking up realm "ndtel.com" for User-Name = "debio at ndtel.com"
(15) suffix: Found realm "ndtel.com"
(15) suffix: Adding Stripped-User-Name = "debio"
(15) suffix: Adding Realm = "ndtel.com"
(15) suffix: Authentication realm is LOCAL
(15) [suffix] = ok
(15) eap: Peer sent EAP Response (code 2) ID 27 length 6
(15) eap: Continuing tunnel setup
(15) [eap] = ok
(15) } # authorize = ok
(15) Found Auth-Type = EAP
(15) # Executing group from file /etc/raddb/sites-enabled/default
(15) authenticate {
(15) eap: Expiring EAP session with state 0xf7e39e6bf5f8872e
(15) eap: Finished EAP session with state 0xf7e39e6bf5f8872e
(15) eap: Previous EAP request found for state 0xf7e39e6bf5f8872e, released from the list
(15) eap: Peer sent packet with method EAP PEAP (25)
(15) eap: Calling submodule eap_peap to process data
(15) eap_peap: Continuing EAP-TLS
(15) eap_peap: Peer ACKed our handshake fragment
(15) eap_peap: [eaptls verify] = request
(15) eap_peap: [eaptls process] = handled
(15) eap: Sending EAP Request (code 1) ID 28 length 686
(15) eap: EAP session adding &reply:State = 0xf7e39e6bf4ff872e
(15) [eap] = handled
(15) } # authenticate = handled
(15) Using Post-Auth-Type Challenge
(15) Post-Auth-Type sub-section not found. Ignoring.
(15) # Executing group from file /etc/raddb/sites-enabled/default
(15) Sent Access-Challenge Id 59 from 192.168.255.5:1812 to 192.168.255.112:51351 length 0
(15) EAP-Message = 0x011c02ae19000101ff30360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e6f72672f6578616d706c655f63612e63726c300d06092a864886f70d01010505000382010100b707329146869fa84ff08f2d837b56ab01c7cf46e55fb12e73f7b6ca691d156b9074
(15) Message-Authenticator = 0x00000000000000000000000000000000
(15) State = 0xf7e39e6bf4ff872ec52992fbbfa43f16
(15) Finished request
Waking up in 4.9 seconds.
(16) Received Access-Request Id 60 from 192.168.255.112:51351 to 192.168.255.5:1812 length 337
(16) User-Name = "debio at ndtel.com"
(16) NAS-IP-Address = 192.168.255.112
(16) NAS-Identifier = "0418d620086c"
(16) NAS-Port = 0
(16) Called-Station-Id = "0E-18-D6-22-08-6C:NDTC Corporate 11x"
(16) Calling-Station-Id = "C4-85-08-F5-2C-10"
(16) Framed-MTU = 1400
(16) NAS-Port-Type = Wireless-802.11
(16) Connect-Info = "CONNECT 0Mbps 802.11b"
(16) EAP-Message = 0x021c00901980000000861603010046100000424104ee480bfb45ff99e538896c6229fab4477530fdb3600adeecbdfe5a4c605f328b321de6dda7d9dc205bea98ce1ad1d2e822a5ebeedd700661044f5805d96758181403010001011603010030b8753d10337c8902aaeab13856f7ea1262415ee050661e
(16) State = 0xf7e39e6bf4ff872ec52992fbbfa43f16
(16) Message-Authenticator = 0x465a05fa5494427b0cb04fa547073b14
(16) session-state: No cached attributes
(16) # Executing section authorize from file /etc/raddb/sites-enabled/default
(16) authorize {
(16) policy filter_username {
(16) if (!&User-Name) {
(16) if (!&User-Name) -> FALSE
(16) if (&User-Name =~ / /) {
(16) if (&User-Name =~ / /) -> FALSE
(16) if (&User-Name =~ /@.*@/ ) {
(16) if (&User-Name =~ /@.*@/ ) -> FALSE
(16) if (&User-Name =~ /\.\./ ) {
(16) if (&User-Name =~ /\.\./ ) -> FALSE
(16) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(16) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(16) if (&User-Name =~ /\.$/) {
(16) if (&User-Name =~ /\.$/) -> FALSE
(16) if (&User-Name =~ /@\./) {
(16) if (&User-Name =~ /@\./) -> FALSE
(16) } # policy filter_username = notfound
(16) [preprocess] = ok
(16) [digest] = noop
(16) suffix: Checking for suffix after "@"
(16) suffix: Looking up realm "ndtel.com" for User-Name = "debio at ndtel.com"
(16) suffix: Found realm "ndtel.com"
(16) suffix: Adding Stripped-User-Name = "debio"
(16) suffix: Adding Realm = "ndtel.com"
(16) suffix: Authentication realm is LOCAL
(16) [suffix] = ok
(16) eap: Peer sent EAP Response (code 2) ID 28 length 144
(16) eap: Continuing tunnel setup
(16) [eap] = ok
(16) } # authorize = ok
(16) Found Auth-Type = EAP
(16) # Executing group from file /etc/raddb/sites-enabled/default
(16) authenticate {
(16) eap: Expiring EAP session with state 0xf7e39e6bf4ff872e
(16) eap: Finished EAP session with state 0xf7e39e6bf4ff872e
(16) eap: Previous EAP request found for state 0xf7e39e6bf4ff872e, released from the list
(16) eap: Peer sent packet with method EAP PEAP (25)
(16) eap: Calling submodule eap_peap to process data
(16) eap_peap: Continuing EAP-TLS
(16) eap_peap: Peer indicated complete TLS record size will be 134 bytes
(16) eap_peap: Got complete TLS record (134 bytes)
(16) eap_peap: [eaptls verify] = length included
(16) eap_peap: <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange
(16) eap_peap: TLS_accept: SSLv3 read client key exchange A
(16) eap_peap: <<< TLS 1.0 ChangeCipherSpec [length 0001]
(16) eap_peap: <<< TLS 1.0 Handshake [length 0010], Finished
(16) eap_peap: TLS_accept: SSLv3 read finished A
(16) eap_peap: >>> TLS 1.0 ChangeCipherSpec [length 0001]
(16) eap_peap: TLS_accept: SSLv3 write change cipher spec A
(16) eap_peap: >>> TLS 1.0 Handshake [length 0010], Finished
(16) eap_peap: TLS_accept: SSLv3 write finished A
(16) eap_peap: TLS_accept: SSLv3 flush data
(16) eap_peap: (other): SSL negotiation finished successfully
(16) eap_peap: SSL Connection Established
(16) eap_peap: [eaptls process] = handled
(16) eap: Sending EAP Request (code 1) ID 29 length 65
(16) eap: EAP session adding &reply:State = 0xf7e39e6bf3fe872e
(16) [eap] = handled
(16) } # authenticate = handled
(16) Using Post-Auth-Type Challenge
(16) Post-Auth-Type sub-section not found. Ignoring.
(16) # Executing group from file /etc/raddb/sites-enabled/default
(16) Sent Access-Challenge Id 60 from 192.168.255.5:1812 to 192.168.255.112:51351 length 0
(16) EAP-Message = 0x011d004119001403010001011603010030f751cd5ff31bf9ce1e9efa4f09554562a199e9d7f3196a0c5a9b52881f3846ea362b70b2113903e6ec38ab5c4b3c64fd
(16) Message-Authenticator = 0x00000000000000000000000000000000
(16) State = 0xf7e39e6bf3fe872ec52992fbbfa43f16
(16) Finished request
Waking up in 4.9 seconds.
(17) Received Access-Request Id 61 from 192.168.255.112:51351 to 192.168.255.5:1812 length 199
(17) User-Name = "debio at ndtel.com"
(17) NAS-IP-Address = 192.168.255.112
(17) NAS-Identifier = "0418d620086c"
(17) NAS-Port = 0
(17) Called-Station-Id = "0E-18-D6-22-08-6C:NDTC Corporate 11x"
(17) Calling-Station-Id = "C4-85-08-F5-2C-10"
(17) Framed-MTU = 1400
(17) NAS-Port-Type = Wireless-802.11
(17) Connect-Info = "CONNECT 0Mbps 802.11b"
(17) EAP-Message = 0x021d00061900
(17) State = 0xf7e39e6bf3fe872ec52992fbbfa43f16
(17) Message-Authenticator = 0x98c2321ed5d87ca48e43a397c5d02ec6
(17) session-state: No cached attributes
(17) # Executing section authorize from file /etc/raddb/sites-enabled/default
(17) authorize {
(17) policy filter_username {
(17) if (!&User-Name) {
(17) if (!&User-Name) -> FALSE
(17) if (&User-Name =~ / /) {
(17) if (&User-Name =~ / /) -> FALSE
(17) if (&User-Name =~ /@.*@/ ) {
(17) if (&User-Name =~ /@.*@/ ) -> FALSE
(17) if (&User-Name =~ /\.\./ ) {
(17) if (&User-Name =~ /\.\./ ) -> FALSE
(17) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(17) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(17) if (&User-Name =~ /\.$/) {
(17) if (&User-Name =~ /\.$/) -> FALSE
(17) if (&User-Name =~ /@\./) {
(17) if (&User-Name =~ /@\./) -> FALSE
(17) } # policy filter_username = notfound
(17) [preprocess] = ok
(17) [digest] = noop
(17) suffix: Checking for suffix after "@"
(17) suffix: Looking up realm "ndtel.com" for User-Name = "debio at ndtel.com"
(17) suffix: Found realm "ndtel.com"
(17) suffix: Adding Stripped-User-Name = "debio"
(17) suffix: Adding Realm = "ndtel.com"
(17) suffix: Authentication realm is LOCAL
(17) [suffix] = ok
(17) eap: Peer sent EAP Response (code 2) ID 29 length 6
(17) eap: Continuing tunnel setup
(17) [eap] = ok
(17) } # authorize = ok
(17) Found Auth-Type = EAP
(17) # Executing group from file /etc/raddb/sites-enabled/default
(17) authenticate {
(17) eap: Expiring EAP session with state 0xf7e39e6bf3fe872e
(17) eap: Finished EAP session with state 0xf7e39e6bf3fe872e
(17) eap: Previous EAP request found for state 0xf7e39e6bf3fe872e, released from the list
(17) eap: Peer sent packet with method EAP PEAP (25)
(17) eap: Calling submodule eap_peap to process data
(17) eap_peap: Continuing EAP-TLS
(17) eap_peap: Peer ACKed our handshake fragment. handshake is finished
(17) eap_peap: [eaptls verify] = success
(17) eap_peap: [eaptls process] = success
(17) eap_peap: Session established. Decoding tunneled attributes
(17) eap_peap: PEAP state TUNNEL ESTABLISHED
(17) eap: Sending EAP Request (code 1) ID 30 length 43
(17) eap: EAP session adding &reply:State = 0xf7e39e6bf2fd872e
(17) [eap] = handled
(17) } # authenticate = handled
(17) Using Post-Auth-Type Challenge
(17) Post-Auth-Type sub-section not found. Ignoring.
(17) # Executing group from file /etc/raddb/sites-enabled/default
(17) Sent Access-Challenge Id 61 from 192.168.255.5:1812 to 192.168.255.112:51351 length 0
(17) EAP-Message = 0x011e002b190017030100202f5eaf31eaba02beaee46eca5cc816eeb5033b908b3be222f98eb36c0c0f8d5b
(17) Message-Authenticator = 0x00000000000000000000000000000000
(17) State = 0xf7e39e6bf2fd872ec52992fbbfa43f16
(17) Finished request
Waking up in 4.9 seconds.
(18) Received Access-Request Id 62 from 192.168.255.112:51351 to 192.168.255.5:1812 length 252
(18) User-Name = "debio at ndtel.com"
(18) NAS-IP-Address = 192.168.255.112
(18) NAS-Identifier = "0418d620086c"
(18) NAS-Port = 0
(18) Called-Station-Id = "0E-18-D6-22-08-6C:NDTC Corporate 11x"
(18) Calling-Station-Id = "C4-85-08-F5-2C-10"
(18) Framed-MTU = 1400
(18) NAS-Port-Type = Wireless-802.11
(18) Connect-Info = "CONNECT 0Mbps 802.11b"
(18) EAP-Message = 0x021e003b1900170301003091dd2ee944d413dca54984c1ef542af5bad59ab556fc60d88c9f465389fe6100f0f6b250f17507672e78dd17e929bd69
(18) State = 0xf7e39e6bf2fd872ec52992fbbfa43f16
(18) Message-Authenticator = 0x9cff036f682de67d322217138a7a75ae
(18) session-state: No cached attributes
(18) # Executing section authorize from file /etc/raddb/sites-enabled/default
(18) authorize {
(18) policy filter_username {
(18) if (!&User-Name) {
(18) if (!&User-Name) -> FALSE
(18) if (&User-Name =~ / /) {
(18) if (&User-Name =~ / /) -> FALSE
(18) if (&User-Name =~ /@.*@/ ) {
(18) if (&User-Name =~ /@.*@/ ) -> FALSE
(18) if (&User-Name =~ /\.\./ ) {
(18) if (&User-Name =~ /\.\./ ) -> FALSE
(18) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(18) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(18) if (&User-Name =~ /\.$/) {
(18) if (&User-Name =~ /\.$/) -> FALSE
(18) if (&User-Name =~ /@\./) {
(18) if (&User-Name =~ /@\./) -> FALSE
(18) } # policy filter_username = notfound
(18) [preprocess] = ok
(18) [digest] = noop
(18) suffix: Checking for suffix after "@"
(18) suffix: Looking up realm "ndtel.com" for User-Name = "debio at ndtel.com"
(18) suffix: Found realm "ndtel.com"
(18) suffix: Adding Stripped-User-Name = "debio"
(18) suffix: Adding Realm = "ndtel.com"
(18) suffix: Authentication realm is LOCAL
(18) [suffix] = ok
(18) eap: Peer sent EAP Response (code 2) ID 30 length 59
(18) eap: Continuing tunnel setup
(18) [eap] = ok
(18) } # authorize = ok
(18) Found Auth-Type = EAP
(18) # Executing group from file /etc/raddb/sites-enabled/default
(18) authenticate {
(18) eap: Expiring EAP session with state 0xf7e39e6bf2fd872e
(18) eap: Finished EAP session with state 0xf7e39e6bf2fd872e
(18) eap: Previous EAP request found for state 0xf7e39e6bf2fd872e, released from the list
(18) eap: Peer sent packet with method EAP PEAP (25)
(18) eap: Calling submodule eap_peap to process data
(18) eap_peap: Continuing EAP-TLS
(18) eap_peap: [eaptls verify] = ok
(18) eap_peap: Done initial handshake
(18) eap_peap: [eaptls process] = ok
(18) eap_peap: Session established. Decoding tunneled attributes
(18) eap_peap: PEAP state WAITING FOR INNER IDENTITY
(18) eap_peap: Identity - debio at ndtel.com
(18) eap_peap: Got inner identity 'debio at ndtel.com'
(18) eap_peap: Setting default EAP type for tunneled EAP session
(18) eap_peap: Got tunneled request
(18) eap_peap: EAP-Message = 0x021e001401646562696f406e6474656c2e636f6d
(18) eap_peap: Setting User-Name to debio at ndtel.com
(18) eap_peap: Sending tunneled request to inner-tunnel
(18) eap_peap: EAP-Message = 0x021e001401646562696f406e6474656c2e636f6d
(18) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(18) eap_peap: User-Name = "debio at ndtel.com"
(18) Virtual server inner-tunnel received request
(18) EAP-Message = 0x021e001401646562696f406e6474656c2e636f6d
(18) FreeRADIUS-Proxied-To = 127.0.0.1
(18) User-Name = "debio at ndtel.com"
(18) server inner-tunnel {
(18) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
(18) authorize {
(18) [mschap] = noop
(18) suffix: Checking for suffix after "@"
(18) suffix: Looking up realm "ndtel.com" for User-Name = "debio at ndtel.com"
(18) suffix: Found realm "ndtel.com"
(18) suffix: Adding Stripped-User-Name = "debio"
(18) suffix: Adding Realm = "ndtel.com"
(18) suffix: Authentication realm is LOCAL
(18) [suffix] = ok
(18) update control {
(18) &Proxy-To-Realm := LOCAL
(18) } # update control = noop
(18) eap: Peer sent EAP Response (code 2) ID 30 length 20
(18) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(18) [eap] = ok
(18) } # authorize = ok
(18) Found Auth-Type = EAP
(18) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(18) authenticate {
(18) eap: Peer sent packet with method EAP Identity (1)
(18) eap: Calling submodule eap_mschapv2 to process data
(18) eap_mschapv2: Issuing Challenge
(18) eap: Sending EAP Request (code 1) ID 31 length 42
(18) eap: EAP session adding &reply:State = 0x7754d57b774bcf56
(18) [eap] = handled
(18) } # authenticate = handled
(18) } # server inner-tunnel
(18) Virtual server sending reply
(18) EAP-Message = 0x011f002a1a011f00251076135fe21091cf110819cd50a2ee9d38667265657261646975732d332e302e39
(18) Message-Authenticator = 0x00000000000000000000000000000000
(18) State = 0x7754d57b774bcf56655288daaaba3b4b
(18) eap_peap: Got tunneled reply code 11
(18) eap_peap: EAP-Message = 0x011f002a1a011f00251076135fe21091cf110819cd50a2ee9d38667265657261646975732d332e302e39
(18) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(18) eap_peap: State = 0x7754d57b774bcf56655288daaaba3b4b
(18) eap_peap: Got tunneled reply RADIUS code 11
(18) eap_peap: EAP-Message = 0x011f002a1a011f00251076135fe21091cf110819cd50a2ee9d38667265657261646975732d332e302e39
(18) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(18) eap_peap: State = 0x7754d57b774bcf56655288daaaba3b4b
(18) eap_peap: Got tunneled Access-Challenge
(18) eap: Sending EAP Request (code 1) ID 31 length 75
(18) eap: EAP session adding &reply:State = 0xf7e39e6bf1fc872e
(18) [eap] = handled
(18) } # authenticate = handled
(18) Using Post-Auth-Type Challenge
(18) Post-Auth-Type sub-section not found. Ignoring.
(18) # Executing group from file /etc/raddb/sites-enabled/default
(18) Sent Access-Challenge Id 62 from 192.168.255.5:1812 to 192.168.255.112:51351 length 0
(18) EAP-Message = 0x011f004b19001703010040588bc6b7cb7f9b26799cebdd4aaf1ea95ed2e0732255f0d3dbad0e82297e1d9239a52496f930deaedbccc22e93d692e5f1b75df0391aa7a2942127609b11f077
(18) Message-Authenticator = 0x00000000000000000000000000000000
(18) State = 0xf7e39e6bf1fc872ec52992fbbfa43f16
(18) Finished request
Waking up in 4.9 seconds.
(19) Received Access-Request Id 63 from 192.168.255.112:51351 to 192.168.255.5:1812 length 300
(19) User-Name = "debio at ndtel.com"
(19) NAS-IP-Address = 192.168.255.112
(19) NAS-Identifier = "0418d620086c"
(19) NAS-Port = 0
(19) Called-Station-Id = "0E-18-D6-22-08-6C:NDTC Corporate 11x"
(19) Calling-Station-Id = "C4-85-08-F5-2C-10"
(19) Framed-MTU = 1400
(19) NAS-Port-Type = Wireless-802.11
(19) Connect-Info = "CONNECT 0Mbps 802.11b"
(19) EAP-Message = 0x021f006b190017030100606aeb43d36debca55b0356524d649ed1c4869f7ceb203d90b1e82d8beb9273161a0d1a1788b8c60f6555df96607850ca5e8948cd506f710eaa8d0fd28164bf75f731679da639def09d798b49a569f1dff9bb213a694ebeecb5478d71d8f296c2a
(19) State = 0xf7e39e6bf1fc872ec52992fbbfa43f16
(19) Message-Authenticator = 0xd8346598faaeb39fc73c3dbd3d119b69
(19) session-state: No cached attributes
(19) # Executing section authorize from file /etc/raddb/sites-enabled/default
(19) authorize {
(19) policy filter_username {
(19) if (!&User-Name) {
(19) if (!&User-Name) -> FALSE
(19) if (&User-Name =~ / /) {
(19) if (&User-Name =~ / /) -> FALSE
(19) if (&User-Name =~ /@.*@/ ) {
(19) if (&User-Name =~ /@.*@/ ) -> FALSE
(19) if (&User-Name =~ /\.\./ ) {
(19) if (&User-Name =~ /\.\./ ) -> FALSE
(19) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(19) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(19) if (&User-Name =~ /\.$/) {
(19) if (&User-Name =~ /\.$/) -> FALSE
(19) if (&User-Name =~ /@\./) {
(19) if (&User-Name =~ /@\./) -> FALSE
(19) } # policy filter_username = notfound
(19) [preprocess] = ok
(19) [digest] = noop
(19) suffix: Checking for suffix after "@"
(19) suffix: Looking up realm "ndtel.com" for User-Name = "debio at ndtel.com"
(19) suffix: Found realm "ndtel.com"
(19) suffix: Adding Stripped-User-Name = "debio"
(19) suffix: Adding Realm = "ndtel.com"
(19) suffix: Authentication realm is LOCAL
(19) [suffix] = ok
(19) eap: Peer sent EAP Response (code 2) ID 31 length 107
(19) eap: Continuing tunnel setup
(19) [eap] = ok
(19) } # authorize = ok
(19) Found Auth-Type = EAP
(19) # Executing group from file /etc/raddb/sites-enabled/default
(19) authenticate {
(19) eap: Expiring EAP session with state 0x7754d57b774bcf56
(19) eap: Finished EAP session with state 0xf7e39e6bf1fc872e
(19) eap: Previous EAP request found for state 0xf7e39e6bf1fc872e, released from the list
(19) eap: Peer sent packet with method EAP PEAP (25)
(19) eap: Calling submodule eap_peap to process data
(19) eap_peap: Continuing EAP-TLS
(19) eap_peap: [eaptls verify] = ok
(19) eap_peap: Done initial handshake
(19) eap_peap: [eaptls process] = ok
(19) eap_peap: Session established. Decoding tunneled attributes
(19) eap_peap: PEAP state phase2
(19) eap_peap: EAP method MSCHAPv2 (26)
(19) eap_peap: Got tunneled request
(19) eap_peap: EAP-Message = 0x021f004a1a021f004531fec8a3f3e19e61986b123c7d727ae0580000000000000000ba7cf7daa2fb3d78850a99b4bcc07ef20ba45b3dc0830adc00646562696f406e6474656c2e636f6d
(19) eap_peap: Setting User-Name to debio at ndtel.com
(19) eap_peap: Sending tunneled request to inner-tunnel
(19) eap_peap: EAP-Message = 0x021f004a1a021f004531fec8a3f3e19e61986b123c7d727ae0580000000000000000ba7cf7daa2fb3d78850a99b4bcc07ef20ba45b3dc0830adc00646562696f406e6474656c2e636f6d
(19) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(19) eap_peap: User-Name = "debio at ndtel.com"
(19) eap_peap: State = 0x7754d57b774bcf56655288daaaba3b4b
(19) Virtual server inner-tunnel received request
(19) EAP-Message = 0x021f004a1a021f004531fec8a3f3e19e61986b123c7d727ae0580000000000000000ba7cf7daa2fb3d78850a99b4bcc07ef20ba45b3dc0830adc00646562696f406e6474656c2e636f6d
(19) FreeRADIUS-Proxied-To = 127.0.0.1
(19) User-Name = "debio at ndtel.com"
(19) State = 0x7754d57b774bcf56655288daaaba3b4b
(19) server inner-tunnel {
(19) session-state: No cached attributes
(19) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
(19) authorize {
(19) [mschap] = noop
(19) suffix: Checking for suffix after "@"
(19) suffix: Looking up realm "ndtel.com" for User-Name = "debio at ndtel.com"
(19) suffix: Found realm "ndtel.com"
(19) suffix: Adding Stripped-User-Name = "debio"
(19) suffix: Adding Realm = "ndtel.com"
(19) suffix: Authentication realm is LOCAL
(19) [suffix] = ok
(19) update control {
(19) &Proxy-To-Realm := LOCAL
(19) } # update control = noop
(19) eap: Peer sent EAP Response (code 2) ID 31 length 74
(19) eap: No EAP Start, assuming it's an on-going EAP conversation
(19) [eap] = updated
rlm_ldap (ldap): Closing connection (6): Hit idle_timeout, was idle for 186 seconds
rlm_ldap (ldap): You probably need to lower "min"
rlm_ldap (ldap): Closing connection (5): Hit idle_timeout, was idle for 186 seconds
rlm_ldap (ldap): You probably need to lower "min"
rlm_ldap (ldap): 0 of 0 connections in use. You may need to increase "spare"
rlm_ldap (ldap): Opening additional connection (7), 1 of 32 pending slots used
rlm_ldap (ldap): Connecting to ldap://66.163.129.140:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Reserved connection (7)
(19) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(19) ldap: --> (uid=debio)
(19) ldap: Performing search in "o=ndtc" with filter "(uid=debio)", scope "sub"
(19) ldap: Waiting for search result...
(19) ldap: Search returned no results
rlm_ldap (ldap): Released connection (7)
rlm_ldap (ldap): 0 of 1 connections in use. Need more spares
rlm_ldap (ldap): Opening additional connection (8), 1 of 31 pending slots used
rlm_ldap (ldap): Connecting to ldap://66.163.129.140:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(19) [ldap] = notfound
(19) [expiration] = noop
(19) [logintime] = noop
(19) [pap] = noop
(19) } # authorize = updated
(19) Found Auth-Type = EAP
(19) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(19) authenticate {
(19) eap: Expiring EAP session with state 0x7754d57b774bcf56
(19) eap: Finished EAP session with state 0x7754d57b774bcf56
(19) eap: Previous EAP request found for state 0x7754d57b774bcf56, released from the list
(19) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(19) eap: Calling submodule eap_mschapv2 to process data
(19) eap_mschapv2: # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(19) eap_mschapv2: Auth-Type MS-CHAP {
(19) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password
(19) mschap: WARNING: No Cleartext-Password configured. Cannot create LM-Password
(19) mschap: Creating challenge hash with username: debio at ndtel.com
(19) mschap: Client is using MS-CHAPv2
(19) mschap: ERROR: FAILED: No NT/LM-Password. Cannot perform authentication
(19) mschap: ERROR: MS-CHAP2-Response is incorrect
(19) [mschap] = reject
(19) } # Auth-Type MS-CHAP = reject
(19) MSCHAP-Error: ?E=691 R=1
(19) Could not parse new challenge from MS-CHAP-Error: 2
(19) ERROR: MSCHAP Failure
(19) eap: Sending EAP Request (code 1) ID 32 length 18
(19) eap: EAP session adding &reply:State = 0x7754d57b7674cf56
(19) [eap] = handled
(19) } # authenticate = handled
(19) } # server inner-tunnel
(19) Virtual server sending reply
(19) EAP-Message = 0x012000121a041f000d453d36393120523d31
(19) Message-Authenticator = 0x00000000000000000000000000000000
(19) State = 0x7754d57b7674cf56655288daaaba3b4b
(19) eap_peap: Got tunneled reply code 11
(19) eap_peap: EAP-Message = 0x012000121a041f000d453d36393120523d31
(19) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(19) eap_peap: State = 0x7754d57b7674cf56655288daaaba3b4b
(19) eap_peap: Got tunneled reply RADIUS code 11
(19) eap_peap: EAP-Message = 0x012000121a041f000d453d36393120523d31
(19) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(19) eap_peap: State = 0x7754d57b7674cf56655288daaaba3b4b
(19) eap_peap: Got tunneled Access-Challenge
(19) eap: Sending EAP Request (code 1) ID 32 length 59
(19) eap: EAP session adding &reply:State = 0xf7e39e6bf0c3872e
(19) [eap] = handled
(19) } # authenticate = handled
(19) Using Post-Auth-Type Challenge
(19) Post-Auth-Type sub-section not found. Ignoring.
(19) # Executing group from file /etc/raddb/sites-enabled/default
(19) Sent Access-Challenge Id 63 from 192.168.255.5:1812 to 192.168.255.112:51351 length 0
(19) EAP-Message = 0x0120003b19001703010030bdecb3e326cafd70e31a3e7f70140eb79d39527746ec66d7ae534b462bae18d9beb5560abea1866cb890281f55d37e81
(19) Message-Authenticator = 0x00000000000000000000000000000000
(19) State = 0xf7e39e6bf0c3872ec52992fbbfa43f16
(19) Finished request
Waking up in 4.7 seconds.
(12) <done>: Cleaning up request packet ID 56 with timestamp +285
(13) <done>: Cleaning up request packet ID 57 with timestamp +285
(14) <done>: Cleaning up request packet ID 58 with timestamp +285
(15) <done>: Cleaning up request packet ID 59 with timestamp +285
(16) <done>: Cleaning up request packet ID 60 with timestamp +285
(17) <done>: Cleaning up request packet ID 61 with timestamp +285
(18) <done>: Cleaning up request packet ID 62 with timestamp +285
Waking up in 0.1 seconds.
(19) <done>: Cleaning up request packet ID 63 with timestamp +285
Ready to process requests
-------------- next part --------------
[root at ndtc-fs raddb]# (21) Received Access-Request Id 65 from 192.168.255.112:51351 to 192.168.255.5:1812 length 195
(21) User-Name = "alexm at ndtel.com"
(21) NAS-IP-Address = 192.168.255.112
(21) NAS-Identifier = "0418d620086c"
(21) NAS-Port = 0
(21) Called-Station-Id = "0E-18-D6-22-08-6C:NDTC Corporate 11x"
(21) Calling-Station-Id = "C4-85-08-F5-2C-10"
(21) Framed-MTU = 1400
(21) NAS-Port-Type = Wireless-802.11
(21) Connect-Info = "CONNECT 0Mbps 802.11b"
(21) EAP-Message = 0x024c001401616c65786d406e6474656c2e636f6d
(21) Message-Authenticator = 0x8a89b9abc0ad91064379ed9c58562316
(21) # Executing section authorize from file /etc/raddb/sites-enabled/default
(21) authorize {
(21) policy filter_username {
(21) if (!&User-Name) {
(21) if (!&User-Name) -> FALSE
(21) if (&User-Name =~ / /) {
(21) if (&User-Name =~ / /) -> FALSE
(21) if (&User-Name =~ /@.*@/ ) {
(21) if (&User-Name =~ /@.*@/ ) -> FALSE
(21) if (&User-Name =~ /\.\./ ) {
(21) if (&User-Name =~ /\.\./ ) -> FALSE
(21) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(21) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(21) if (&User-Name =~ /\.$/) {
(21) if (&User-Name =~ /\.$/) -> FALSE
(21) if (&User-Name =~ /@\./) {
(21) if (&User-Name =~ /@\./) -> FALSE
(21) } # policy filter_username = notfound
(21) [preprocess] = ok
(21) [digest] = noop
(21) suffix: Checking for suffix after "@"
(21) suffix: Looking up realm "ndtel.com" for User-Name = "alexm at ndtel.com"
(21) suffix: Found realm "ndtel.com"
(21) suffix: Adding Stripped-User-Name = "alexm"
(21) suffix: Adding Realm = "ndtel.com"
(21) suffix: Authentication realm is LOCAL
(21) [suffix] = ok
(21) eap: Peer sent EAP Response (code 2) ID 76 length 20
(21) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(21) [eap] = ok
(21) } # authorize = ok
(21) Found Auth-Type = EAP
(21) # Executing group from file /etc/raddb/sites-enabled/default
(21) authenticate {
(21) eap: Peer sent packet with method EAP Identity (1)
(21) eap: Calling submodule eap_peap to process data
(21) eap_peap: Initiating new EAP-TLS session
(21) eap_peap: [eaptls start] = request
(21) eap: Sending EAP Request (code 1) ID 77 length 6
(21) eap: EAP session adding &reply:State = 0x39036bb7394e72a2
(21) [eap] = handled
(21) } # authenticate = handled
(21) Using Post-Auth-Type Challenge
(21) Post-Auth-Type sub-section not found. Ignoring.
(21) # Executing group from file /etc/raddb/sites-enabled/default
(21) Sent Access-Challenge Id 65 from 192.168.255.5:1812 to 192.168.255.112:51351 length 0
(21) EAP-Message = 0x014d00061920
(21) Message-Authenticator = 0x00000000000000000000000000000000
(21) State = 0x39036bb7394e72a2f4cfd4fec187241f
(21) Finished request
Waking up in 4.9 seconds.
(22) Received Access-Request Id 66 from 192.168.255.112:51351 to 192.168.255.5:1812 length 300
(22) User-Name = "alexm at ndtel.com"
(22) NAS-IP-Address = 192.168.255.112
(22) NAS-Identifier = "0418d620086c"
(22) NAS-Port = 0
(22) Called-Station-Id = "0E-18-D6-22-08-6C:NDTC Corporate 11x"
(22) Calling-Station-Id = "C4-85-08-F5-2C-10"
(22) Framed-MTU = 1400
(22) NAS-Port-Type = Wireless-802.11
(22) Connect-Info = "CONNECT 0Mbps 802.11b"
(22) EAP-Message = 0x024d006b198000000061160301005c010000580301560059a91b3bfcb065d4bb8dd742f6d614ba212b00361edcef24d1aef9ae5bfa000018c014c013c00ac0090035002f00380032000a00130005000401000017000a00080006001900170018000b00020100ff01000100
(22) State = 0x39036bb7394e72a2f4cfd4fec187241f
(22) Message-Authenticator = 0xb702121907ebc7a389a8fd8755907d35
(22) session-state: No cached attributes
(22) # Executing section authorize from file /etc/raddb/sites-enabled/default
(22) authorize {
(22) policy filter_username {
(22) if (!&User-Name) {
(22) if (!&User-Name) -> FALSE
(22) if (&User-Name =~ / /) {
(22) if (&User-Name =~ / /) -> FALSE
(22) if (&User-Name =~ /@.*@/ ) {
(22) if (&User-Name =~ /@.*@/ ) -> FALSE
(22) if (&User-Name =~ /\.\./ ) {
(22) if (&User-Name =~ /\.\./ ) -> FALSE
(22) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(22) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(22) if (&User-Name =~ /\.$/) {
(22) if (&User-Name =~ /\.$/) -> FALSE
(22) if (&User-Name =~ /@\./) {
(22) if (&User-Name =~ /@\./) -> FALSE
(22) } # policy filter_username = notfound
(22) [preprocess] = ok
(22) [digest] = noop
(22) suffix: Checking for suffix after "@"
(22) suffix: Looking up realm "ndtel.com" for User-Name = "alexm at ndtel.com"
(22) suffix: Found realm "ndtel.com"
(22) suffix: Adding Stripped-User-Name = "alexm"
(22) suffix: Adding Realm = "ndtel.com"
(22) suffix: Authentication realm is LOCAL
(22) [suffix] = ok
(22) eap: Peer sent EAP Response (code 2) ID 77 length 107
(22) eap: Continuing tunnel setup
(22) [eap] = ok
(22) } # authorize = ok
(22) Found Auth-Type = EAP
(22) # Executing group from file /etc/raddb/sites-enabled/default
(22) authenticate {
(22) eap: Expiring EAP session with state 0x7754d57b7575cf56
(22) eap: Expiring EAP session with state 0xf7e39e6bffc2872e
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!! EAP session with state 0xf7e39e6bffc2872e did not finish! !!
!! Please read http://wiki.freeradius.org/guide/Certificate_Compatibility !!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
(22) eap: Expiring EAP session with state 0x39036bb7394e72a2
(22) eap: Finished EAP session with state 0x39036bb7394e72a2
(22) eap: Previous EAP request found for state 0x39036bb7394e72a2, released from the list
(22) eap: Peer sent packet with method EAP PEAP (25)
(22) eap: Calling submodule eap_peap to process data
(22) eap_peap: Continuing EAP-TLS
(22) eap_peap: Peer indicated complete TLS record size will be 97 bytes
(22) eap_peap: Got complete TLS record (97 bytes)
(22) eap_peap: [eaptls verify] = length included
(22) eap_peap: (other): before/accept initialization
(22) eap_peap: TLS_accept: before/accept initialization
(22) eap_peap: <<< TLS 1.0 Handshake [length 005c], ClientHello
(22) eap_peap: TLS_accept: SSLv3 read client hello A
(22) eap_peap: >>> TLS 1.0 Handshake [length 0059], ServerHello
(22) eap_peap: TLS_accept: SSLv3 write server hello A
(22) eap_peap: >>> TLS 1.0 Handshake [length 08b0], Certificate
(22) eap_peap: TLS_accept: SSLv3 write certificate A
(22) eap_peap: >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange
(22) eap_peap: TLS_accept: SSLv3 write key exchange A
(22) eap_peap: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
(22) eap_peap: TLS_accept: SSLv3 write server done A
(22) eap_peap: TLS_accept: SSLv3 flush data
(22) eap_peap: TLS_accept: Need to read more data: SSLv3 read client certificate A
(22) eap_peap: TLS_accept: Need to read more data: SSLv3 read client certificate A
(22) eap_peap: In SSL Handshake Phase
(22) eap_peap: In SSL Accept mode
(22) eap_peap: [eaptls process] = handled
(22) eap: Sending EAP Request (code 1) ID 78 length 1004
(22) eap: EAP session adding &reply:State = 0x39036bb7384d72a2
(22) [eap] = handled
(22) } # authenticate = handled
(22) Using Post-Auth-Type Challenge
(22) Post-Auth-Type sub-section not found. Ignoring.
(22) # Executing group from file /etc/raddb/sites-enabled/default
(22) Sent Access-Challenge Id 66 from 192.168.255.5:1812 to 192.168.255.112:51351 length 0
(22) EAP-Message = 0x014e03ec19c000000a6c1603010059020000550301560059a7ed7e2b1a40ba3594f8d0d8132ddf697ad9c410f4cb47e069acd76a8e20c7979f8d03913bfaadf5f8b9f9d798c4cd259a9d9cdd3424e94843ddbc5c4898c01400000dff01000100000b00040300010216030108b00b0008ac0008a90003d0
(22) Message-Authenticator = 0x00000000000000000000000000000000
(22) State = 0x39036bb7384d72a2f4cfd4fec187241f
(22) Finished request
Waking up in 4.9 seconds.
(23) Received Access-Request Id 67 from 192.168.255.112:51351 to 192.168.255.5:1812 length 199
(23) User-Name = "alexm at ndtel.com"
(23) NAS-IP-Address = 192.168.255.112
(23) NAS-Identifier = "0418d620086c"
(23) NAS-Port = 0
(23) Called-Station-Id = "0E-18-D6-22-08-6C:NDTC Corporate 11x"
(23) Calling-Station-Id = "C4-85-08-F5-2C-10"
(23) Framed-MTU = 1400
(23) NAS-Port-Type = Wireless-802.11
(23) Connect-Info = "CONNECT 0Mbps 802.11b"
(23) EAP-Message = 0x024e00061900
(23) State = 0x39036bb7384d72a2f4cfd4fec187241f
(23) Message-Authenticator = 0xccb8217447e747bafbd64c6e01a84bf9
(23) session-state: No cached attributes
(23) # Executing section authorize from file /etc/raddb/sites-enabled/default
(23) authorize {
(23) policy filter_username {
(23) if (!&User-Name) {
(23) if (!&User-Name) -> FALSE
(23) if (&User-Name =~ / /) {
(23) if (&User-Name =~ / /) -> FALSE
(23) if (&User-Name =~ /@.*@/ ) {
(23) if (&User-Name =~ /@.*@/ ) -> FALSE
(23) if (&User-Name =~ /\.\./ ) {
(23) if (&User-Name =~ /\.\./ ) -> FALSE
(23) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(23) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(23) if (&User-Name =~ /\.$/) {
(23) if (&User-Name =~ /\.$/) -> FALSE
(23) if (&User-Name =~ /@\./) {
(23) if (&User-Name =~ /@\./) -> FALSE
(23) } # policy filter_username = notfound
(23) [preprocess] = ok
(23) [digest] = noop
(23) suffix: Checking for suffix after "@"
(23) suffix: Looking up realm "ndtel.com" for User-Name = "alexm at ndtel.com"
(23) suffix: Found realm "ndtel.com"
(23) suffix: Adding Stripped-User-Name = "alexm"
(23) suffix: Adding Realm = "ndtel.com"
(23) suffix: Authentication realm is LOCAL
(23) [suffix] = ok
(23) eap: Peer sent EAP Response (code 2) ID 78 length 6
(23) eap: Continuing tunnel setup
(23) [eap] = ok
(23) } # authorize = ok
(23) Found Auth-Type = EAP
(23) # Executing group from file /etc/raddb/sites-enabled/default
(23) authenticate {
(23) eap: Expiring EAP session with state 0x39036bb7384d72a2
(23) eap: Finished EAP session with state 0x39036bb7384d72a2
(23) eap: Previous EAP request found for state 0x39036bb7384d72a2, released from the list
(23) eap: Peer sent packet with method EAP PEAP (25)
(23) eap: Calling submodule eap_peap to process data
(23) eap_peap: Continuing EAP-TLS
(23) eap_peap: Peer ACKed our handshake fragment
(23) eap_peap: [eaptls verify] = request
(23) eap_peap: [eaptls process] = handled
(23) eap: Sending EAP Request (code 1) ID 79 length 1000
(23) eap: EAP session adding &reply:State = 0x39036bb73b4c72a2
(23) [eap] = handled
(23) } # authenticate = handled
(23) Using Post-Auth-Type Challenge
(23) Post-Auth-Type sub-section not found. Ignoring.
(23) # Executing group from file /etc/raddb/sites-enabled/default
(23) Sent Access-Challenge Id 67 from 192.168.255.5:1812 to 192.168.255.112:51351 length 0
(23) EAP-Message = 0x014f03e81940cb266556c619c5b2efa5b201a6104aeffbbebb8cfd465f6a691bd7b1d49fb2d61b1273cc603b2a22bbabcde5c31eabc6bbff16f1a1e487f5daded9fe6ffc9dfacbdac64c43825dee4e2a378bcc2859de84c80339fd6dedd41a13450004d3308204cf308203b7a0030201020209008be4d1
(23) Message-Authenticator = 0x00000000000000000000000000000000
(23) State = 0x39036bb73b4c72a2f4cfd4fec187241f
(23) Finished request
Waking up in 4.9 seconds.
(24) Received Access-Request Id 68 from 192.168.255.112:51351 to 192.168.255.5:1812 length 199
(24) User-Name = "alexm at ndtel.com"
(24) NAS-IP-Address = 192.168.255.112
(24) NAS-Identifier = "0418d620086c"
(24) NAS-Port = 0
(24) Called-Station-Id = "0E-18-D6-22-08-6C:NDTC Corporate 11x"
(24) Calling-Station-Id = "C4-85-08-F5-2C-10"
(24) Framed-MTU = 1400
(24) NAS-Port-Type = Wireless-802.11
(24) Connect-Info = "CONNECT 0Mbps 802.11b"
(24) EAP-Message = 0x024f00061900
(24) State = 0x39036bb73b4c72a2f4cfd4fec187241f
(24) Message-Authenticator = 0xa77fefe4cb4e4ac8437ad0f748c06063
(24) session-state: No cached attributes
(24) # Executing section authorize from file /etc/raddb/sites-enabled/default
(24) authorize {
(24) policy filter_username {
(24) if (!&User-Name) {
(24) if (!&User-Name) -> FALSE
(24) if (&User-Name =~ / /) {
(24) if (&User-Name =~ / /) -> FALSE
(24) if (&User-Name =~ /@.*@/ ) {
(24) if (&User-Name =~ /@.*@/ ) -> FALSE
(24) if (&User-Name =~ /\.\./ ) {
(24) if (&User-Name =~ /\.\./ ) -> FALSE
(24) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(24) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(24) if (&User-Name =~ /\.$/) {
(24) if (&User-Name =~ /\.$/) -> FALSE
(24) if (&User-Name =~ /@\./) {
(24) if (&User-Name =~ /@\./) -> FALSE
(24) } # policy filter_username = notfound
(24) [preprocess] = ok
(24) [digest] = noop
(24) suffix: Checking for suffix after "@"
(24) suffix: Looking up realm "ndtel.com" for User-Name = "alexm at ndtel.com"
(24) suffix: Found realm "ndtel.com"
(24) suffix: Adding Stripped-User-Name = "alexm"
(24) suffix: Adding Realm = "ndtel.com"
(24) suffix: Authentication realm is LOCAL
(24) [suffix] = ok
(24) eap: Peer sent EAP Response (code 2) ID 79 length 6
(24) eap: Continuing tunnel setup
(24) [eap] = ok
(24) } # authorize = ok
(24) Found Auth-Type = EAP
(24) # Executing group from file /etc/raddb/sites-enabled/default
(24) authenticate {
(24) eap: Expiring EAP session with state 0x39036bb73b4c72a2
(24) eap: Finished EAP session with state 0x39036bb73b4c72a2
(24) eap: Previous EAP request found for state 0x39036bb73b4c72a2, released from the list
(24) eap: Peer sent packet with method EAP PEAP (25)
(24) eap: Calling submodule eap_peap to process data
(24) eap_peap: Continuing EAP-TLS
(24) eap_peap: Peer ACKed our handshake fragment
(24) eap_peap: [eaptls verify] = request
(24) eap_peap: [eaptls process] = handled
(24) eap: Sending EAP Request (code 1) ID 80 length 686
(24) eap: EAP session adding &reply:State = 0x39036bb73a5372a2
(24) [eap] = handled
(24) } # authenticate = handled
(24) Using Post-Auth-Type Challenge
(24) Post-Auth-Type sub-section not found. Ignoring.
(24) # Executing group from file /etc/raddb/sites-enabled/default
(24) Sent Access-Challenge Id 68 from 192.168.255.5:1812 to 192.168.255.112:51351 length 0
(24) EAP-Message = 0x015002ae19000101ff30360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e6f72672f6578616d706c655f63612e63726c300d06092a864886f70d01010505000382010100b707329146869fa84ff08f2d837b56ab01c7cf46e55fb12e73f7b6ca691d156b9074
(24) Message-Authenticator = 0x00000000000000000000000000000000
(24) State = 0x39036bb73a5372a2f4cfd4fec187241f
(24) Finished request
Waking up in 4.9 seconds.
(25) Received Access-Request Id 69 from 192.168.255.112:51351 to 192.168.255.5:1812 length 337
(25) User-Name = "alexm at ndtel.com"
(25) NAS-IP-Address = 192.168.255.112
(25) NAS-Identifier = "0418d620086c"
(25) NAS-Port = 0
(25) Called-Station-Id = "0E-18-D6-22-08-6C:NDTC Corporate 11x"
(25) Calling-Station-Id = "C4-85-08-F5-2C-10"
(25) Framed-MTU = 1400
(25) NAS-Port-Type = Wireless-802.11
(25) Connect-Info = "CONNECT 0Mbps 802.11b"
(25) EAP-Message = 0x025000901980000000861603010046100000424104ae5aeb743d4eb7c9dffb53424f60ea7113a62902682d0b87c3957ce05c7e1c9a0b12f23a22f300c570cef47aaaaf2b5b1f7b1f21e025300f96bfbba2793218cb1403010001011603010030d089b7acb8cb7d3e5f256be3899bc16e0491dccf76e788
(25) State = 0x39036bb73a5372a2f4cfd4fec187241f
(25) Message-Authenticator = 0x7f12732d64cab4b66c0e585d738cf470
(25) session-state: No cached attributes
(25) # Executing section authorize from file /etc/raddb/sites-enabled/default
(25) authorize {
(25) policy filter_username {
(25) if (!&User-Name) {
(25) if (!&User-Name) -> FALSE
(25) if (&User-Name =~ / /) {
(25) if (&User-Name =~ / /) -> FALSE
(25) if (&User-Name =~ /@.*@/ ) {
(25) if (&User-Name =~ /@.*@/ ) -> FALSE
(25) if (&User-Name =~ /\.\./ ) {
(25) if (&User-Name =~ /\.\./ ) -> FALSE
(25) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(25) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(25) if (&User-Name =~ /\.$/) {
(25) if (&User-Name =~ /\.$/) -> FALSE
(25) if (&User-Name =~ /@\./) {
(25) if (&User-Name =~ /@\./) -> FALSE
(25) } # policy filter_username = notfound
(25) [preprocess] = ok
(25) [digest] = noop
(25) suffix: Checking for suffix after "@"
(25) suffix: Looking up realm "ndtel.com" for User-Name = "alexm at ndtel.com"
(25) suffix: Found realm "ndtel.com"
(25) suffix: Adding Stripped-User-Name = "alexm"
(25) suffix: Adding Realm = "ndtel.com"
(25) suffix: Authentication realm is LOCAL
(25) [suffix] = ok
(25) eap: Peer sent EAP Response (code 2) ID 80 length 144
(25) eap: Continuing tunnel setup
(25) [eap] = ok
(25) } # authorize = ok
(25) Found Auth-Type = EAP
(25) # Executing group from file /etc/raddb/sites-enabled/default
(25) authenticate {
(25) eap: Expiring EAP session with state 0x39036bb73a5372a2
(25) eap: Finished EAP session with state 0x39036bb73a5372a2
(25) eap: Previous EAP request found for state 0x39036bb73a5372a2, released from the list
(25) eap: Peer sent packet with method EAP PEAP (25)
(25) eap: Calling submodule eap_peap to process data
(25) eap_peap: Continuing EAP-TLS
(25) eap_peap: Peer indicated complete TLS record size will be 134 bytes
(25) eap_peap: Got complete TLS record (134 bytes)
(25) eap_peap: [eaptls verify] = length included
(25) eap_peap: <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange
(25) eap_peap: TLS_accept: SSLv3 read client key exchange A
(25) eap_peap: <<< TLS 1.0 ChangeCipherSpec [length 0001]
(25) eap_peap: <<< TLS 1.0 Handshake [length 0010], Finished
(25) eap_peap: TLS_accept: SSLv3 read finished A
(25) eap_peap: >>> TLS 1.0 ChangeCipherSpec [length 0001]
(25) eap_peap: TLS_accept: SSLv3 write change cipher spec A
(25) eap_peap: >>> TLS 1.0 Handshake [length 0010], Finished
(25) eap_peap: TLS_accept: SSLv3 write finished A
(25) eap_peap: TLS_accept: SSLv3 flush data
(25) eap_peap: (other): SSL negotiation finished successfully
(25) eap_peap: SSL Connection Established
(25) eap_peap: [eaptls process] = handled
(25) eap: Sending EAP Request (code 1) ID 81 length 65
(25) eap: EAP session adding &reply:State = 0x39036bb73d5272a2
(25) [eap] = handled
(25) } # authenticate = handled
(25) Using Post-Auth-Type Challenge
(25) Post-Auth-Type sub-section not found. Ignoring.
(25) # Executing group from file /etc/raddb/sites-enabled/default
(25) Sent Access-Challenge Id 69 from 192.168.255.5:1812 to 192.168.255.112:51351 length 0
(25) EAP-Message = 0x01510041190014030100010116030100308c1d2dcf911b887554f5d6c6c81037295ceb3315b99255c042b9bf07e9583585f039a8173f02f94856d4f4f73a726425
(25) Message-Authenticator = 0x00000000000000000000000000000000
(25) State = 0x39036bb73d5272a2f4cfd4fec187241f
(25) Finished request
Waking up in 4.9 seconds.
(26) Received Access-Request Id 70 from 192.168.255.112:51351 to 192.168.255.5:1812 length 199
(26) User-Name = "alexm at ndtel.com"
(26) NAS-IP-Address = 192.168.255.112
(26) NAS-Identifier = "0418d620086c"
(26) NAS-Port = 0
(26) Called-Station-Id = "0E-18-D6-22-08-6C:NDTC Corporate 11x"
(26) Calling-Station-Id = "C4-85-08-F5-2C-10"
(26) Framed-MTU = 1400
(26) NAS-Port-Type = Wireless-802.11
(26) Connect-Info = "CONNECT 0Mbps 802.11b"
(26) EAP-Message = 0x025100061900
(26) State = 0x39036bb73d5272a2f4cfd4fec187241f
(26) Message-Authenticator = 0xdcd7bcda8db8112b7080cf4066c2d7c2
(26) session-state: No cached attributes
(26) # Executing section authorize from file /etc/raddb/sites-enabled/default
(26) authorize {
(26) policy filter_username {
(26) if (!&User-Name) {
(26) if (!&User-Name) -> FALSE
(26) if (&User-Name =~ / /) {
(26) if (&User-Name =~ / /) -> FALSE
(26) if (&User-Name =~ /@.*@/ ) {
(26) if (&User-Name =~ /@.*@/ ) -> FALSE
(26) if (&User-Name =~ /\.\./ ) {
(26) if (&User-Name =~ /\.\./ ) -> FALSE
(26) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(26) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(26) if (&User-Name =~ /\.$/) {
(26) if (&User-Name =~ /\.$/) -> FALSE
(26) if (&User-Name =~ /@\./) {
(26) if (&User-Name =~ /@\./) -> FALSE
(26) } # policy filter_username = notfound
(26) [preprocess] = ok
(26) [digest] = noop
(26) suffix: Checking for suffix after "@"
(26) suffix: Looking up realm "ndtel.com" for User-Name = "alexm at ndtel.com"
(26) suffix: Found realm "ndtel.com"
(26) suffix: Adding Stripped-User-Name = "alexm"
(26) suffix: Adding Realm = "ndtel.com"
(26) suffix: Authentication realm is LOCAL
(26) [suffix] = ok
(26) eap: Peer sent EAP Response (code 2) ID 81 length 6
(26) eap: Continuing tunnel setup
(26) [eap] = ok
(26) } # authorize = ok
(26) Found Auth-Type = EAP
(26) # Executing group from file /etc/raddb/sites-enabled/default
(26) authenticate {
(26) eap: Expiring EAP session with state 0x39036bb73d5272a2
(26) eap: Finished EAP session with state 0x39036bb73d5272a2
(26) eap: Previous EAP request found for state 0x39036bb73d5272a2, released from the list
(26) eap: Peer sent packet with method EAP PEAP (25)
(26) eap: Calling submodule eap_peap to process data
(26) eap_peap: Continuing EAP-TLS
(26) eap_peap: Peer ACKed our handshake fragment. handshake is finished
(26) eap_peap: [eaptls verify] = success
(26) eap_peap: [eaptls process] = success
(26) eap_peap: Session established. Decoding tunneled attributes
(26) eap_peap: PEAP state TUNNEL ESTABLISHED
(26) eap: Sending EAP Request (code 1) ID 82 length 43
(26) eap: EAP session adding &reply:State = 0x39036bb73c5172a2
(26) [eap] = handled
(26) } # authenticate = handled
(26) Using Post-Auth-Type Challenge
(26) Post-Auth-Type sub-section not found. Ignoring.
(26) # Executing group from file /etc/raddb/sites-enabled/default
(26) Sent Access-Challenge Id 70 from 192.168.255.5:1812 to 192.168.255.112:51351 length 0
(26) EAP-Message = 0x0152002b190017030100200123c883d800f5396d50abe395e4a49aecdc42189748f1c668ab5bfd73b89fc9
(26) Message-Authenticator = 0x00000000000000000000000000000000
(26) State = 0x39036bb73c5172a2f4cfd4fec187241f
(26) Finished request
Waking up in 4.9 seconds.
(27) Received Access-Request Id 71 from 192.168.255.112:51351 to 192.168.255.5:1812 length 252
(27) User-Name = "alexm at ndtel.com"
(27) NAS-IP-Address = 192.168.255.112
(27) NAS-Identifier = "0418d620086c"
(27) NAS-Port = 0
(27) Called-Station-Id = "0E-18-D6-22-08-6C:NDTC Corporate 11x"
(27) Calling-Station-Id = "C4-85-08-F5-2C-10"
(27) Framed-MTU = 1400
(27) NAS-Port-Type = Wireless-802.11
(27) Connect-Info = "CONNECT 0Mbps 802.11b"
(27) EAP-Message = 0x0252003b19001703010030068e21a6db7c94633c94625141c26942550669bb77fd3ddb20187b3569f665d5143a9c5b9d84f79f6d4225040f2ac41b
(27) State = 0x39036bb73c5172a2f4cfd4fec187241f
(27) Message-Authenticator = 0xc48db601cc4d55d39fc0bf50be05d284
(27) session-state: No cached attributes
(27) # Executing section authorize from file /etc/raddb/sites-enabled/default
(27) authorize {
(27) policy filter_username {
(27) if (!&User-Name) {
(27) if (!&User-Name) -> FALSE
(27) if (&User-Name =~ / /) {
(27) if (&User-Name =~ / /) -> FALSE
(27) if (&User-Name =~ /@.*@/ ) {
(27) if (&User-Name =~ /@.*@/ ) -> FALSE
(27) if (&User-Name =~ /\.\./ ) {
(27) if (&User-Name =~ /\.\./ ) -> FALSE
(27) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(27) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(27) if (&User-Name =~ /\.$/) {
(27) if (&User-Name =~ /\.$/) -> FALSE
(27) if (&User-Name =~ /@\./) {
(27) if (&User-Name =~ /@\./) -> FALSE
(27) } # policy filter_username = notfound
(27) [preprocess] = ok
(27) [digest] = noop
(27) suffix: Checking for suffix after "@"
(27) suffix: Looking up realm "ndtel.com" for User-Name = "alexm at ndtel.com"
(27) suffix: Found realm "ndtel.com"
(27) suffix: Adding Stripped-User-Name = "alexm"
(27) suffix: Adding Realm = "ndtel.com"
(27) suffix: Authentication realm is LOCAL
(27) [suffix] = ok
(27) eap: Peer sent EAP Response (code 2) ID 82 length 59
(27) eap: Continuing tunnel setup
(27) [eap] = ok
(27) } # authorize = ok
(27) Found Auth-Type = EAP
(27) # Executing group from file /etc/raddb/sites-enabled/default
(27) authenticate {
(27) eap: Expiring EAP session with state 0x39036bb73c5172a2
(27) eap: Finished EAP session with state 0x39036bb73c5172a2
(27) eap: Previous EAP request found for state 0x39036bb73c5172a2, released from the list
(27) eap: Peer sent packet with method EAP PEAP (25)
(27) eap: Calling submodule eap_peap to process data
(27) eap_peap: Continuing EAP-TLS
(27) eap_peap: [eaptls verify] = ok
(27) eap_peap: Done initial handshake
(27) eap_peap: [eaptls process] = ok
(27) eap_peap: Session established. Decoding tunneled attributes
(27) eap_peap: PEAP state WAITING FOR INNER IDENTITY
(27) eap_peap: Identity - alexm at ndtel.com
(27) eap_peap: Got inner identity 'alexm at ndtel.com'
(27) eap_peap: Setting default EAP type for tunneled EAP session
(27) eap_peap: Got tunneled request
(27) eap_peap: EAP-Message = 0x0252001401616c65786d406e6474656c2e636f6d
(27) eap_peap: Setting User-Name to alexm at ndtel.com
(27) eap_peap: Sending tunneled request to inner-tunnel
(27) eap_peap: EAP-Message = 0x0252001401616c65786d406e6474656c2e636f6d
(27) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(27) eap_peap: User-Name = "alexm at ndtel.com"
(27) Virtual server inner-tunnel received request
(27) EAP-Message = 0x0252001401616c65786d406e6474656c2e636f6d
(27) FreeRADIUS-Proxied-To = 127.0.0.1
(27) User-Name = "alexm at ndtel.com"
(27) server inner-tunnel {
(27) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
(27) authorize {
(27) [mschap] = noop
(27) suffix: Checking for suffix after "@"
(27) suffix: Looking up realm "ndtel.com" for User-Name = "alexm at ndtel.com"
(27) suffix: Found realm "ndtel.com"
(27) suffix: Adding Stripped-User-Name = "alexm"
(27) suffix: Adding Realm = "ndtel.com"
(27) suffix: Authentication realm is LOCAL
(27) [suffix] = ok
(27) update control {
(27) &Proxy-To-Realm := LOCAL
(27) } # update control = noop
(27) eap: Peer sent EAP Response (code 2) ID 82 length 20
(27) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(27) [eap] = ok
(27) } # authorize = ok
(27) Found Auth-Type = EAP
(27) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(27) authenticate {
(27) eap: Peer sent packet with method EAP Identity (1)
(27) eap: Calling submodule eap_mschapv2 to process data
(27) eap_mschapv2: Issuing Challenge
(27) eap: Sending EAP Request (code 1) ID 83 length 42
(27) eap: EAP session adding &reply:State = 0xd77fe400d72cfece
(27) [eap] = handled
(27) } # authenticate = handled
(27) } # server inner-tunnel
(27) Virtual server sending reply
(27) EAP-Message = 0x0153002a1a0153002510fa2b24f2dfef1285f1fdcc5515f36515667265657261646975732d332e302e39
(27) Message-Authenticator = 0x00000000000000000000000000000000
(27) State = 0xd77fe400d72cfece2851929aa3b5a756
(27) eap_peap: Got tunneled reply code 11
(27) eap_peap: EAP-Message = 0x0153002a1a0153002510fa2b24f2dfef1285f1fdcc5515f36515667265657261646975732d332e302e39
(27) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(27) eap_peap: State = 0xd77fe400d72cfece2851929aa3b5a756
(27) eap_peap: Got tunneled reply RADIUS code 11
(27) eap_peap: EAP-Message = 0x0153002a1a0153002510fa2b24f2dfef1285f1fdcc5515f36515667265657261646975732d332e302e39
(27) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(27) eap_peap: State = 0xd77fe400d72cfece2851929aa3b5a756
(27) eap_peap: Got tunneled Access-Challenge
(27) eap: Sending EAP Request (code 1) ID 83 length 75
(27) eap: EAP session adding &reply:State = 0x39036bb73f5072a2
(27) [eap] = handled
(27) } # authenticate = handled
(27) Using Post-Auth-Type Challenge
(27) Post-Auth-Type sub-section not found. Ignoring.
(27) # Executing group from file /etc/raddb/sites-enabled/default
(27) Sent Access-Challenge Id 71 from 192.168.255.5:1812 to 192.168.255.112:51351 length 0
(27) EAP-Message = 0x0153004b19001703010040edea0d11ce59143e174960cbb16736c0ceb8211dcd856784f9b503b879a0420ec44f3bf3c064c1d44bf357d72bc8bf9ed579b98948a3c1874ef34fc146cb8378
(27) Message-Authenticator = 0x00000000000000000000000000000000
(27) State = 0x39036bb73f5072a2f4cfd4fec187241f
(27) Finished request
Waking up in 4.9 seconds.
(28) Received Access-Request Id 72 from 192.168.255.112:51351 to 192.168.255.5:1812 length 300
(28) User-Name = "alexm at ndtel.com"
(28) NAS-IP-Address = 192.168.255.112
(28) NAS-Identifier = "0418d620086c"
(28) NAS-Port = 0
(28) Called-Station-Id = "0E-18-D6-22-08-6C:NDTC Corporate 11x"
(28) Calling-Station-Id = "C4-85-08-F5-2C-10"
(28) Framed-MTU = 1400
(28) NAS-Port-Type = Wireless-802.11
(28) Connect-Info = "CONNECT 0Mbps 802.11b"
(28) EAP-Message = 0x0253006b190017030100609355a46f5b87e9306fa1e0133cf12e13fe0a1710c937ce816f1541a241cfdb2960f568bae3c8c461437339f0619f3663370ec411a4ada0584abd86de76abb92263f1062c4fd0f5f94aec038be789e25eaae0f6dc1cf5597012164337555edb1c
(28) State = 0x39036bb73f5072a2f4cfd4fec187241f
(28) Message-Authenticator = 0x7fc1a0b92fb0b8eb7d515dafb0acb408
(28) session-state: No cached attributes
(28) # Executing section authorize from file /etc/raddb/sites-enabled/default
(28) authorize {
(28) policy filter_username {
(28) if (!&User-Name) {
(28) if (!&User-Name) -> FALSE
(28) if (&User-Name =~ / /) {
(28) if (&User-Name =~ / /) -> FALSE
(28) if (&User-Name =~ /@.*@/ ) {
(28) if (&User-Name =~ /@.*@/ ) -> FALSE
(28) if (&User-Name =~ /\.\./ ) {
(28) if (&User-Name =~ /\.\./ ) -> FALSE
(28) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(28) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(28) if (&User-Name =~ /\.$/) {
(28) if (&User-Name =~ /\.$/) -> FALSE
(28) if (&User-Name =~ /@\./) {
(28) if (&User-Name =~ /@\./) -> FALSE
(28) } # policy filter_username = notfound
(28) [preprocess] = ok
(28) [digest] = noop
(28) suffix: Checking for suffix after "@"
(28) suffix: Looking up realm "ndtel.com" for User-Name = "alexm at ndtel.com"
(28) suffix: Found realm "ndtel.com"
(28) suffix: Adding Stripped-User-Name = "alexm"
(28) suffix: Adding Realm = "ndtel.com"
(28) suffix: Authentication realm is LOCAL
(28) [suffix] = ok
(28) eap: Peer sent EAP Response (code 2) ID 83 length 107
(28) eap: Continuing tunnel setup
(28) [eap] = ok
(28) } # authorize = ok
(28) Found Auth-Type = EAP
(28) # Executing group from file /etc/raddb/sites-enabled/default
(28) authenticate {
(28) eap: Expiring EAP session with state 0xd77fe400d72cfece
(28) eap: Finished EAP session with state 0x39036bb73f5072a2
(28) eap: Previous EAP request found for state 0x39036bb73f5072a2, released from the list
(28) eap: Peer sent packet with method EAP PEAP (25)
(28) eap: Calling submodule eap_peap to process data
(28) eap_peap: Continuing EAP-TLS
(28) eap_peap: [eaptls verify] = ok
(28) eap_peap: Done initial handshake
(28) eap_peap: [eaptls process] = ok
(28) eap_peap: Session established. Decoding tunneled attributes
(28) eap_peap: PEAP state phase2
(28) eap_peap: EAP method MSCHAPv2 (26)
(28) eap_peap: Got tunneled request
(28) eap_peap: EAP-Message = 0x0253004a1a0253004531031738731326f90958e5b0ee88a6534a0000000000000000dce650bfef629365ffbfe5290cd3f2dfeb8261567f27b92900616c65786d406e6474656c2e636f6d
(28) eap_peap: Setting User-Name to alexm at ndtel.com
(28) eap_peap: Sending tunneled request to inner-tunnel
(28) eap_peap: EAP-Message = 0x0253004a1a0253004531031738731326f90958e5b0ee88a6534a0000000000000000dce650bfef629365ffbfe5290cd3f2dfeb8261567f27b92900616c65786d406e6474656c2e636f6d
(28) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(28) eap_peap: User-Name = "alexm at ndtel.com"
(28) eap_peap: State = 0xd77fe400d72cfece2851929aa3b5a756
(28) Virtual server inner-tunnel received request
(28) EAP-Message = 0x0253004a1a0253004531031738731326f90958e5b0ee88a6534a0000000000000000dce650bfef629365ffbfe5290cd3f2dfeb8261567f27b92900616c65786d406e6474656c2e636f6d
(28) FreeRADIUS-Proxied-To = 127.0.0.1
(28) User-Name = "alexm at ndtel.com"
(28) State = 0xd77fe400d72cfece2851929aa3b5a756
(28) server inner-tunnel {
(28) session-state: No cached attributes
(28) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
(28) authorize {
(28) [mschap] = noop
(28) suffix: Checking for suffix after "@"
(28) suffix: Looking up realm "ndtel.com" for User-Name = "alexm at ndtel.com"
(28) suffix: Found realm "ndtel.com"
(28) suffix: Adding Stripped-User-Name = "alexm"
(28) suffix: Adding Realm = "ndtel.com"
(28) suffix: Authentication realm is LOCAL
(28) [suffix] = ok
(28) update control {
(28) &Proxy-To-Realm := LOCAL
(28) } # update control = noop
(28) eap: Peer sent EAP Response (code 2) ID 83 length 74
(28) eap: No EAP Start, assuming it's an on-going EAP conversation
(28) [eap] = updated
rlm_ldap (ldap): Closing connection (8): Hit idle_timeout, was idle for 10347 seconds
rlm_ldap (ldap): You probably need to lower "min"
rlm_ldap (ldap): Closing connection (7): Hit idle_timeout, was idle for 10298 seconds
rlm_ldap (ldap): You probably need to lower "min"
rlm_ldap (ldap): Closing connection (9): Hit idle_timeout, was idle for 10298 seconds
rlm_ldap (ldap): You probably need to lower "min"
rlm_ldap (ldap): 0 of 0 connections in use. You may need to increase "spare"
rlm_ldap (ldap): Opening additional connection (10), 1 of 32 pending slots used
rlm_ldap (ldap): Connecting to ldap://66.163.129.140:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Reserved connection (10)
(28) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(28) ldap: --> (uid=alexm)
(28) ldap: Performing search in "o=ndtc" with filter "(uid=alexm)", scope "sub"
(28) ldap: Waiting for search result...
(28) ldap: User object found at DN "uid=alexm,ou=ndtcadministration,o=ndtc"
(28) ldap: Processing user attributes
(28) ldap: control:Password-With-Header += 'ose55m1'
rlm_ldap (ldap): Released connection (10)
rlm_ldap (ldap): 0 of 1 connections in use. Need more spares
rlm_ldap (ldap): Opening additional connection (11), 1 of 31 pending slots used
rlm_ldap (ldap): Connecting to ldap://66.163.129.140:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(28) [ldap] = updated
(28) [expiration] = noop
(28) [logintime] = noop
(28) pap: No {...} in Password-With-Header, re-writing to Cleartext-Password
(28) pap: Removing &control:Password-With-Header
(28) pap: WARNING: Auth-Type already set. Not setting to PAP
(28) [pap] = noop
(28) } # authorize = updated
(28) Found Auth-Type = EAP
(28) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(28) authenticate {
(28) eap: Expiring EAP session with state 0xd77fe400d72cfece
(28) eap: Finished EAP session with state 0xd77fe400d72cfece
(28) eap: Previous EAP request found for state 0xd77fe400d72cfece, released from the list
(28) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(28) eap: Calling submodule eap_mschapv2 to process data
(28) eap_mschapv2: # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(28) eap_mschapv2: Auth-Type MS-CHAP {
(28) mschap: Found Cleartext-Password, hashing to create NT-Password
(28) mschap: Found Cleartext-Password, hashing to create LM-Password
(28) mschap: Creating challenge hash with username: alexm at ndtel.com
(28) mschap: Client is using MS-CHAPv2
(28) mschap: Adding MS-CHAPv2 MPPE keys
(28) [mschap] = ok
(28) } # Auth-Type MS-CHAP = ok
(28) MSCHAP Success
(28) eap: Sending EAP Request (code 1) ID 84 length 51
(28) eap: EAP session adding &reply:State = 0xd77fe400d62bfece
(28) [eap] = handled
(28) } # authenticate = handled
(28) } # server inner-tunnel
(28) Virtual server sending reply
(28) EAP-Message = 0x015400331a0353002e533d32373131423833323846424231334141343735304442464436414535413739363539343735413036
(28) Message-Authenticator = 0x00000000000000000000000000000000
(28) State = 0xd77fe400d62bfece2851929aa3b5a756
(28) eap_peap: Got tunneled reply code 11
(28) eap_peap: EAP-Message = 0x015400331a0353002e533d32373131423833323846424231334141343735304442464436414535413739363539343735413036
(28) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(28) eap_peap: State = 0xd77fe400d62bfece2851929aa3b5a756
(28) eap_peap: Got tunneled reply RADIUS code 11
(28) eap_peap: EAP-Message = 0x015400331a0353002e533d32373131423833323846424231334141343735304442464436414535413739363539343735413036
(28) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(28) eap_peap: State = 0xd77fe400d62bfece2851929aa3b5a756
(28) eap_peap: Got tunneled Access-Challenge
(28) eap: Sending EAP Request (code 1) ID 84 length 91
(28) eap: EAP session adding &reply:State = 0x39036bb73e5772a2
(28) [eap] = handled
(28) } # authenticate = handled
(28) Using Post-Auth-Type Challenge
(28) Post-Auth-Type sub-section not found. Ignoring.
(28) # Executing group from file /etc/raddb/sites-enabled/default
(28) Sent Access-Challenge Id 72 from 192.168.255.5:1812 to 192.168.255.112:51351 length 0
(28) EAP-Message = 0x0154005b190017030100507b1e6c10e23828a18a3225e68907891e7826c050a3395b416c2a9a4b1c137c1bc6540db43c945007042d806d9d0d4f2c35706aa03cb13dd56f0f1c479302ac46b5bcca3dc9b19a037ef9d37497b4f1f8
(28) Message-Authenticator = 0x00000000000000000000000000000000
(28) State = 0x39036bb73e5772a2f4cfd4fec187241f
(28) Finished request
Waking up in 4.7 seconds.
(29) Received Access-Request Id 73 from 192.168.255.112:51351 to 192.168.255.5:1812 length 236
(29) User-Name = "alexm at ndtel.com"
(29) NAS-IP-Address = 192.168.255.112
(29) NAS-Identifier = "0418d620086c"
(29) NAS-Port = 0
(29) Called-Station-Id = "0E-18-D6-22-08-6C:NDTC Corporate 11x"
(29) Calling-Station-Id = "C4-85-08-F5-2C-10"
(29) Framed-MTU = 1400
(29) NAS-Port-Type = Wireless-802.11
(29) Connect-Info = "CONNECT 0Mbps 802.11b"
(29) EAP-Message = 0x0254002b19001703010020bd8ab85adeeed8fdca57041c4f37d0a701a8c916843a0b65c891fcdbaf23cecd
(29) State = 0x39036bb73e5772a2f4cfd4fec187241f
(29) Message-Authenticator = 0x0f4e64e083a8b3ad7eded0652d86713b
(29) session-state: No cached attributes
(29) # Executing section authorize from file /etc/raddb/sites-enabled/default
(29) authorize {
(29) policy filter_username {
(29) if (!&User-Name) {
(29) if (!&User-Name) -> FALSE
(29) if (&User-Name =~ / /) {
(29) if (&User-Name =~ / /) -> FALSE
(29) if (&User-Name =~ /@.*@/ ) {
(29) if (&User-Name =~ /@.*@/ ) -> FALSE
(29) if (&User-Name =~ /\.\./ ) {
(29) if (&User-Name =~ /\.\./ ) -> FALSE
(29) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(29) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(29) if (&User-Name =~ /\.$/) {
(29) if (&User-Name =~ /\.$/) -> FALSE
(29) if (&User-Name =~ /@\./) {
(29) if (&User-Name =~ /@\./) -> FALSE
(29) } # policy filter_username = notfound
(29) [preprocess] = ok
(29) [digest] = noop
(29) suffix: Checking for suffix after "@"
(29) suffix: Looking up realm "ndtel.com" for User-Name = "alexm at ndtel.com"
(29) suffix: Found realm "ndtel.com"
(29) suffix: Adding Stripped-User-Name = "alexm"
(29) suffix: Adding Realm = "ndtel.com"
(29) suffix: Authentication realm is LOCAL
(29) [suffix] = ok
(29) eap: Peer sent EAP Response (code 2) ID 84 length 43
(29) eap: Continuing tunnel setup
(29) [eap] = ok
(29) } # authorize = ok
(29) Found Auth-Type = EAP
(29) # Executing group from file /etc/raddb/sites-enabled/default
(29) authenticate {
(29) eap: Expiring EAP session with state 0xd77fe400d62bfece
(29) eap: Finished EAP session with state 0x39036bb73e5772a2
(29) eap: Previous EAP request found for state 0x39036bb73e5772a2, released from the list
(29) eap: Peer sent packet with method EAP PEAP (25)
(29) eap: Calling submodule eap_peap to process data
(29) eap_peap: Continuing EAP-TLS
(29) eap_peap: [eaptls verify] = ok
(29) eap_peap: Done initial handshake
(29) eap_peap: [eaptls process] = ok
(29) eap_peap: Session established. Decoding tunneled attributes
(29) eap_peap: PEAP state phase2
(29) eap_peap: EAP method MSCHAPv2 (26)
(29) eap_peap: Got tunneled request
(29) eap_peap: EAP-Message = 0x025400061a03
(29) eap_peap: Setting User-Name to alexm at ndtel.com
(29) eap_peap: Sending tunneled request to inner-tunnel
(29) eap_peap: EAP-Message = 0x025400061a03
(29) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(29) eap_peap: User-Name = "alexm at ndtel.com"
(29) eap_peap: State = 0xd77fe400d62bfece2851929aa3b5a756
(29) Virtual server inner-tunnel received request
(29) EAP-Message = 0x025400061a03
(29) FreeRADIUS-Proxied-To = 127.0.0.1
(29) User-Name = "alexm at ndtel.com"
(29) State = 0xd77fe400d62bfece2851929aa3b5a756
(29) server inner-tunnel {
(29) session-state: No cached attributes
(29) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
(29) authorize {
(29) [mschap] = noop
(29) suffix: Checking for suffix after "@"
(29) suffix: Looking up realm "ndtel.com" for User-Name = "alexm at ndtel.com"
(29) suffix: Found realm "ndtel.com"
(29) suffix: Adding Stripped-User-Name = "alexm"
(29) suffix: Adding Realm = "ndtel.com"
(29) suffix: Authentication realm is LOCAL
(29) [suffix] = ok
(29) update control {
(29) &Proxy-To-Realm := LOCAL
(29) } # update control = noop
(29) eap: Peer sent EAP Response (code 2) ID 84 length 6
(29) eap: No EAP Start, assuming it's an on-going EAP conversation
(29) [eap] = updated
rlm_ldap (ldap): Reserved connection (10)
(29) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(29) ldap: --> (uid=alexm)
(29) ldap: Performing search in "o=ndtc" with filter "(uid=alexm)", scope "sub"
(29) ldap: Waiting for search result...
(29) ldap: User object found at DN "uid=alexm,ou=ndtcadministration,o=ndtc"
(29) ldap: Processing user attributes
(29) ldap: control:Password-With-Header += 'ose55m1'
rlm_ldap (ldap): Released connection (10)
rlm_ldap (ldap): 0 of 2 connections in use. Need more spares
rlm_ldap (ldap): Opening additional connection (12), 1 of 30 pending slots used
rlm_ldap (ldap): Connecting to ldap://66.163.129.140:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(29) [ldap] = updated
(29) [expiration] = noop
(29) [logintime] = noop
(29) pap: No {...} in Password-With-Header, re-writing to Cleartext-Password
(29) pap: Removing &control:Password-With-Header
(29) pap: WARNING: Auth-Type already set. Not setting to PAP
(29) [pap] = noop
(29) } # authorize = updated
(29) Found Auth-Type = EAP
(29) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(29) authenticate {
(29) eap: Expiring EAP session with state 0xd77fe400d62bfece
(29) eap: Finished EAP session with state 0xd77fe400d62bfece
(29) eap: Previous EAP request found for state 0xd77fe400d62bfece, released from the list
(29) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(29) eap: Calling submodule eap_mschapv2 to process data
(29) eap: Sending EAP Success (code 3) ID 84 length 4
(29) eap: Freeing handler
(29) [eap] = ok
(29) } # authenticate = ok
(29) # Executing section post-auth from file /etc/raddb/sites-enabled/inner-tunnel
(29) } # server inner-tunnel
(29) Virtual server sending reply
(29) MS-MPPE-Encryption-Policy = Encryption-Allowed
(29) MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(29) MS-MPPE-Send-Key = 0x6a5f664a8802325bf79a3ed8072a84a3
(29) MS-MPPE-Recv-Key = 0x95751d8c7a1a00efe44210ca630ae182
(29) EAP-Message = 0x03540004
(29) Message-Authenticator = 0x00000000000000000000000000000000
(29) Stripped-User-Name = "alexm"
(29) eap_peap: Got tunneled reply code 2
(29) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed
(29) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(29) eap_peap: MS-MPPE-Send-Key = 0x6a5f664a8802325bf79a3ed8072a84a3
(29) eap_peap: MS-MPPE-Recv-Key = 0x95751d8c7a1a00efe44210ca630ae182
(29) eap_peap: EAP-Message = 0x03540004
(29) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(29) eap_peap: Stripped-User-Name = "alexm"
(29) eap_peap: Got tunneled reply RADIUS code 2
(29) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed
(29) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(29) eap_peap: MS-MPPE-Send-Key = 0x6a5f664a8802325bf79a3ed8072a84a3
(29) eap_peap: MS-MPPE-Recv-Key = 0x95751d8c7a1a00efe44210ca630ae182
(29) eap_peap: EAP-Message = 0x03540004
(29) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(29) eap_peap: Stripped-User-Name = "alexm"
(29) eap_peap: Tunneled authentication was successful
(29) eap_peap: SUCCESS
(29) eap: Sending EAP Request (code 1) ID 85 length 43
(29) eap: EAP session adding &reply:State = 0x39036bb7315672a2
(29) [eap] = handled
(29) } # authenticate = handled
(29) Using Post-Auth-Type Challenge
(29) Post-Auth-Type sub-section not found. Ignoring.
(29) # Executing group from file /etc/raddb/sites-enabled/default
(29) Sent Access-Challenge Id 73 from 192.168.255.5:1812 to 192.168.255.112:51351 length 0
(29) EAP-Message = 0x0155002b190017030100205fabc34bbdfeda0f060f62f95449696d5cef7fe7e2d6f677729eb4da6add0d84
(29) Message-Authenticator = 0x00000000000000000000000000000000
(29) State = 0x39036bb7315672a2f4cfd4fec187241f
(29) Finished request
Waking up in 4.5 seconds.
(30) Received Access-Request Id 74 from 192.168.255.112:51351 to 192.168.255.5:1812 length 236
(30) User-Name = "alexm at ndtel.com"
(30) NAS-IP-Address = 192.168.255.112
(30) NAS-Identifier = "0418d620086c"
(30) NAS-Port = 0
(30) Called-Station-Id = "0E-18-D6-22-08-6C:NDTC Corporate 11x"
(30) Calling-Station-Id = "C4-85-08-F5-2C-10"
(30) Framed-MTU = 1400
(30) NAS-Port-Type = Wireless-802.11
(30) Connect-Info = "CONNECT 0Mbps 802.11b"
(30) EAP-Message = 0x0255002b19001703010020ee6fe875602061e37ee92242d9e441b96225ad634b2be8a9ba7e57c815d2ba88
(30) State = 0x39036bb7315672a2f4cfd4fec187241f
(30) Message-Authenticator = 0xfcbe13c3efe1d8006158f72082e9b190
(30) session-state: No cached attributes
(30) # Executing section authorize from file /etc/raddb/sites-enabled/default
(30) authorize {
(30) policy filter_username {
(30) if (!&User-Name) {
(30) if (!&User-Name) -> FALSE
(30) if (&User-Name =~ / /) {
(30) if (&User-Name =~ / /) -> FALSE
(30) if (&User-Name =~ /@.*@/ ) {
(30) if (&User-Name =~ /@.*@/ ) -> FALSE
(30) if (&User-Name =~ /\.\./ ) {
(30) if (&User-Name =~ /\.\./ ) -> FALSE
(30) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(30) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(30) if (&User-Name =~ /\.$/) {
(30) if (&User-Name =~ /\.$/) -> FALSE
(30) if (&User-Name =~ /@\./) {
(30) if (&User-Name =~ /@\./) -> FALSE
(30) } # policy filter_username = notfound
(30) [preprocess] = ok
(30) [digest] = noop
(30) suffix: Checking for suffix after "@"
(30) suffix: Looking up realm "ndtel.com" for User-Name = "alexm at ndtel.com"
(30) suffix: Found realm "ndtel.com"
(30) suffix: Adding Stripped-User-Name = "alexm"
(30) suffix: Adding Realm = "ndtel.com"
(30) suffix: Authentication realm is LOCAL
(30) [suffix] = ok
(30) eap: Peer sent EAP Response (code 2) ID 85 length 43
(30) eap: Continuing tunnel setup
(30) [eap] = ok
(30) } # authorize = ok
(30) Found Auth-Type = EAP
(30) # Executing group from file /etc/raddb/sites-enabled/default
(30) authenticate {
(30) eap: Expiring EAP session with state 0x39036bb7315672a2
(30) eap: Finished EAP session with state 0x39036bb7315672a2
(30) eap: Previous EAP request found for state 0x39036bb7315672a2, released from the list
(30) eap: Peer sent packet with method EAP PEAP (25)
(30) eap: Calling submodule eap_peap to process data
(30) eap_peap: Continuing EAP-TLS
(30) eap_peap: [eaptls verify] = ok
(30) eap_peap: Done initial handshake
(30) eap_peap: [eaptls process] = ok
(30) eap_peap: Session established. Decoding tunneled attributes
(30) eap_peap: PEAP state send tlv success
(30) eap_peap: Received EAP-TLV response
(30) eap_peap: Success
(30) eap_peap: caching Stripped-User-Name = "alexm"
(30) eap_peap: Failed to find 'persist_dir' in TLS configuration. Session will not be cached on disk.
(30) eap: Sending EAP Success (code 3) ID 85 length 4
(30) eap: Freeing handler
(30) [eap] = ok
(30) } # authenticate = ok
(30) # Executing section post-auth from file /etc/raddb/sites-enabled/default
(30) post-auth {
(30) update {
(30) No attributes updated
(30) } # update = noop
(30) [exec] = noop
(30) policy remove_reply_message_if_eap {
(30) if (&reply:EAP-Message && &reply:Reply-Message) {
(30) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(30) else {
(30) [noop] = noop
(30) } # else = noop
(30) } # policy remove_reply_message_if_eap = noop
(30) } # post-auth = noop
(30) Sent Access-Accept Id 74 from 192.168.255.5:1812 to 192.168.255.112:51351 length 0
(30) MS-MPPE-Recv-Key = 0x9a7301955a47749a1a32efb21810504168ed739ad4f135621a034e4aa3a36bd5
(30) MS-MPPE-Send-Key = 0xf3e51d880cfb4b049f20d9183c3192cdd8d59e949838f8ae7d4689a6c6351a4e
(30) EAP-Message = 0x03550004
(30) Message-Authenticator = 0x00000000000000000000000000000000
(30) Finished request
Waking up in 4.5 seconds.
(31) Received Accounting-Request Id 75 from 192.168.255.112:45499 to 192.168.255.5:1813 length 180
(31) Acct-Session-Id = "00000014-00000094"
(31) Acct-Status-Type = Start
(31) Acct-Authentic = RADIUS
(31) User-Name = "alexm at ndtel.com"
(31) NAS-IP-Address = 192.168.255.112
(31) NAS-Identifier = "0418d620086c"
(31) NAS-Port = 0
(31) Called-Station-Id = "0E-18-D6-22-08-6C:NDTC Corporate 11x"
(31) Calling-Station-Id = "C4-85-08-F5-2C-10"
(31) NAS-Port-Type = Wireless-802.11
(31) Connect-Info = "CONNECT 0Mbps 802.11b"
(31) # Executing section preacct from file /etc/raddb/sites-enabled/default
(31) preacct {
(31) [preprocess] = ok
(31) policy acct_unique {
(31) if ("%{string:Class}" =~ /ai:([0-9a-f]{32})/i) {
(31) EXPAND %{string:Class}
(31) -->
(31) if ("%{string:Class}" =~ /ai:([0-9a-f]{32})/i) -> FALSE
(31) else {
(31) update request {
(31) EXPAND %{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}
(31) --> 797383573585f14f6518fcaec4588107
(31) &Acct-Unique-Session-Id := 797383573585f14f6518fcaec4588107
(31) } # update request = noop
(31) } # else = noop
(31) } # policy acct_unique = noop
(31) suffix: Checking for suffix after "@"
(31) suffix: Looking up realm "ndtel.com" for User-Name = "alexm at ndtel.com"
(31) suffix: Found realm "ndtel.com"
(31) suffix: Adding Stripped-User-Name = "alexm"
(31) suffix: Adding Realm = "ndtel.com"
(31) suffix: Accounting realm is LOCAL
(31) [suffix] = ok
(31) [files] = noop
(31) } # preacct = ok
(31) # Executing section accounting from file /etc/raddb/sites-enabled/default
(31) accounting {
(31) detail: EXPAND /usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
(31) detail: --> /usr/local/var/log/radius/radacct/192.168.255.112/detail-20150921
(31) detail: /usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/192.168.255.112/detail-20150921
(31) detail: EXPAND %t
(31) detail: --> Mon Sep 21 14:25:28 2015
(31) [detail] = ok
(31) [unix] = ok
(31) [exec] = noop
(31) attr_filter.accounting_response: EXPAND %{User-Name}
(31) attr_filter.accounting_response: --> alexm at ndtel.com
(31) attr_filter.accounting_response: Matched entry DEFAULT at line 15
(31) [attr_filter.accounting_response] = updated
(31) } # accounting = updated
(31) Sent Accounting-Response Id 75 from 192.168.255.5:1813 to 192.168.255.112:45499 length 0
(31) Finished request
(31) <done>: Cleaning up request packet ID 75 with timestamp +10633
Waking up in 4.5 seconds.
(21) <done>: Cleaning up request packet ID 65 with timestamp +10632
(22) <done>: Cleaning up request packet ID 66 with timestamp +10632
(23) <done>: Cleaning up request packet ID 67 with timestamp +10632
(24) <done>: Cleaning up request packet ID 68 with timestamp +10632
(25) <done>: Cleaning up request packet ID 69 with timestamp +10632
(26) <done>: Cleaning up request packet ID 70 with timestamp +10632
(27) <done>: Cleaning up request packet ID 71 with timestamp +10632
Waking up in 0.1 seconds.
(28) <done>: Cleaning up request packet ID 72 with timestamp +10632
Waking up in 0.1 seconds.
(29) <done>: Cleaning up request packet ID 73 with timestamp +10632
(30) <done>: Cleaning up request packet ID 74 with timestamp +10633
Ready to process requests