FreeRADIUS no longer authenticating domain clients following spplication of RHEL5 package updates yesterday morning
Jeremy Hill
j.hill at bathspa.ac.uk
Wed Apr 20 18:11:36 CEST 2016
Hi,
Yesterday the following package updates were applied to our main RHEL5
FreeRADIUS server after which it was successfully rebooted:
Apr 19 07:10:01 Updated: samba-client-3.0.33-3.41.el5_11.i386
Apr 19 07:10:00 Updated: 30:bind-utils-9.3.6-25.P1.el5_11.8.i386
Apr 19 07:10:00 Updated: samba-3.0.33-3.41.el5_11.i386
Apr 19 07:09:58 Updated: samba-common-3.0.33-3.41.el5_11.i386
Apr 19 07:09:58 Updated: libsmbclient-3.0.33-3.41.el5_11.i386
Apr 19 07:09:57 Installed: kernel-2.6.18-409.el5.i686
Apr 19 07:09:49 Updated: tzdata-2016c-1.el5.i386
Apr 19 07:09:47 Updated: redhat-release-5Server-5.11.0.3.i386
Apr 19 07:09:46 Updated: 30:bind-libs-9.3.6-25.P1.el5_11.8.i386
Following the reboot, the radius.log file is full of entries such as the
following and no local clients are able to authenticate via this server:
Wed Apr 20 16:04:26 2016 : Auth: Login incorrect: [lixc1 at bathspa.ac.uk]
(from client roaming1.ja.net port 0 cli B0-9F-BA-C5-EE-C0)
Wed Apr 20 16:04:26 2016 : Error: rlm_eap: No EAP session matching the
State variable.
Wed Apr 20 16:04:20 2016 : Auth: Login incorrect: [222394 at bathspa.ac.uk]
(from client roaming0.ja.net port 13 cli f0-c1-f1-b0-82-01)
Wed Apr 20 16:04:20 2016 : Error: rlm_eap: No EAP session matching the
State variable.
Wed Apr 20 16:04:14 2016 : Auth: Login incorrect: [305657 at bathspa.ac.uk]
(from client roaming1.ja.net port 13 cli 30-19-66-47-a3-f6)
Wed Apr 20 16:04:14 2016 : Error: rlm_eap: No EAP session matching the
State variable.
Wed Apr 20 16:04:09 2016 : Auth: Login incorrect: [305268 at bathspa.ac.uk]
(from client roaming0.ja.net port 0 cli e0-c7-67-32-a1-32)
Wed Apr 20 16:04:09 2016 : Error: rlm_eap: No EAP session matching the
State variable.
Wed Apr 20 16:04:01 2016 : Auth: Login incorrect: [222394 at bathspa.ac.uk]
(from client roaming0.ja.net port 13 cli f0-c1-f1-b0-82-01)
Wed Apr 20 16:04:01 2016 : Error: rlm_eap: No EAP session matching the
State variable.
Wed Apr 20 16:04:01 2016 : Auth: Login incorrect: [305657 at bathspa.ac.uk]
(from client roaming1.ja.net port 13 cli 30-19-66-47-a3-f6)
Wed Apr 20 16:04:01 2016 : Error: rlm_eap: No EAP session matching the
State variable.
Wed Apr 20 16:03:56 2016 : Auth: Login incorrect: [222394 at bathspa.ac.uk]
(from client roaming0.ja.net port 13 cli f0-c1-f1-b0-82-01)
Wed Apr 20 16:03:56 2016 : Error: rlm_eap: No EAP session matching the
State variable.
Wed Apr 20 16:03:56 2016 : Auth: Login incorrect: [306757 at bathspa.ac.uk]
(from client roaming0.ja.net port 0 cli f0-db-f8-bf-dd-22)
Wed Apr 20 16:03:56 2016 : Error: rlm_eap: No EAP session matching the
State variable.
Wed Apr 20 16:03:42 2016 : Auth: Login incorrect: [303331 at bathspa.ac.uk]
(from client roaming1.ja.net port 0 cli AC293A4C57DB)
Wed Apr 20 16:03:42 2016 : Error: rlm_eap: No EAP session matching the
State variable.
Wed Apr 20 16:03:40 2016 : Auth: Login incorrect: [266114 at bathspa.ac.uk]
(from client roaming0.ja.net port 0 cli ec-1f-72-e8-95-f6)
Wed Apr 20 16:03:40 2016 : Error: rlm_eap: No EAP session matching the
State variable.
Wed Apr 20 16:03:39 2016 : Auth: Login incorrect: [273213 at bathspa.ac.uk]
(from client roaming0.ja.net port 0 cli 8C3AE3979A3D)
Wed Apr 20 16:03:39 2016 : Error: rlm_eap: No EAP session matching the
State variable.
Wed Apr 20 16:03:37 2016 : Info: Ready to process requests.
Wed Apr 20 16:03:37 2016 : Info: ... adding new socket proxy address *
port 36236
Wed Apr 20 16:03:37 2016 : Info: ... adding new socket proxy address *
port 45657
Wed Apr 20 16:03:37 2016 : Info: ... adding new socket proxy address *
port 57014
Wed Apr 20 16:03:37 2016 : Info: ... adding new socket proxy address *
port 44335
Wed Apr 20 16:03:37 2016 : Info: ... adding new socket proxy address *
port 49723
Wed Apr 20 16:03:37 2016 : Info: ... adding new socket proxy address *
port 39639
Wed Apr 20 16:03:37 2016 : Info: ... adding new socket proxy address *
port 36555
Wed Apr 20 16:03:37 2016 : Info: Loaded virtual server eduroam-inner-tunnel
Wed Apr 20 16:03:37 2016 : Info: Loaded virtual server inner-tunnel
Wed Apr 20 16:03:37 2016 : Info: Loaded virtual server bathspa
Wed Apr 20 16:03:37 2016 : Info: Loaded virtual server eduroam
Wed Apr 20 16:03:37 2016 : Auth: rlm_krb5: krb5_init ok
Wed Apr 20 16:03:37 2016 : Info: Loaded virtual server <default>
Oddly, the results from a: "lsof -i tcp -nP | grep winbindd" does not show
any LDAP connections over port 389 to our active directory either:
winbindd 4535 root 23u IPv4 16513 0t0 TCP 172.19.0.123:56635->
172.19.0.73:445 (ESTABLISHED)
We would expect to find the following:
winbindd 4221 root 23u IPv4 34419318 0t0 TCP
172.19.0.124:36502->1 72.19.0.73:389 (ESTABLISHED)
winbindd 4221 root 24u IPv4 8106940 0t0 TCP
172.19.0.124:50653->1 72.19.0.107:445 (ESTABLISHED)
Closer inspection of the attached debug log with a search term of: warning
turns up:
Cleaning up request 2 ID 253 with timestamp +2
WARNING:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
WARNING: !! EAP session for state 0xdc342b61de3b32a7 did not finish!
WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
WARNING:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Ready to process requests.
To my knowledge our certificate is valid until 2018 so am not sure how to
proceed, any help gratefully received.
Cheers,
*Jeremy HillLead Server Analyst (Windows)Bath Spa UniversityT: +44 (0)1225
875637Visit www.bathspa.ac.uk <http://www.bathspa.ac.uk/>Join us on:
Facebook <http://www.facebook.com/bath.spa.university>| Twitter
<https://twitter.com/#!/BathSpaUni>| YouTube
<http://www.youtube.com/BathSpaUniversity>| LinkedIn
<http://www.linkedin.com/company/bath-spa-university>Newton Park, Bath, BA2
9BNThink before you printDisclaimerIf you have received this message in
error, please notify us and remove it from your system. Any views or
opinions expressed in personal emails are solely those of the author and do
not necessarily represent those of Bath Spa University. Neither Bath Spa
University nor the sender accepts any responsibility for viruses and it is
your responsibility to scan this email and any attachments for viruses.*
-------------- next part --------------
FreeRADIUS Version 2.1.12, for host i386-redhat-linux-gnu, built on Sep 25 2012 at 10:55:14
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/ntlm_auth
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/cui
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/rediswho
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/dynamic_clients
including configuration file /etc/raddb/modules/redis
including configuration file /etc/raddb/modules/krb5
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/replicate
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/soh
including configuration file /etc/raddb/modules/opendirectory
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/eduroam-eap.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/eduroam
including configuration file /etc/raddb/sites-enabled/bathspa
including configuration file /etc/raddb/sites-enabled/inner-tunnel
including configuration file /etc/raddb/sites-enabled/eduroam-inner-tunnel
including configuration file /etc/raddb/sites-enabled/control-socket
including configuration file /etc/raddb/sites-enabled/default
main {
user = "radiusd"
group = "radiusd"
allow_core_dumps = no
}
including dictionary file /etc/raddb/dictionary
main {
name = "radiusd"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/radiuslogs"
run_dir = "/var/run/radiusd"
libdir = "/usr/lib/freeradius"
radacctdir = "/radiuslogs/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "/var/run/radiusd/radiusd.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = yes
auth_badpass = no
auth_goodpass = no
}
security {
max_attributes = 200
reject_delay = 0
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "scrubbed"
response_window = 20
max_outstanding = 65536
require_message_authenticator = yes
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server eduroam0 {
ipaddr = roaming0.ja.net IP address [194.82.174.185]
port = 1812
type = "auth+acct"
secret = "scrubbed"
response_window = 30
max_outstanding = 65536
require_message_authenticator = yes
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 300
status_check_timeout = 4
}
home_server eduroam1 {
ipaddr = roaming1.ja.net IP address [194.83.56.233]
port = 1812
type = "auth+acct"
secret = "scrubbed"
response_window = 30
max_outstanding = 65536
require_message_authenticator = yes
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 300
status_check_timeout = 4
}
home_server eduroam2 {
ipaddr = roaming2.ja.net IP address [194.83.56.249]
port = 1812
type = "auth+acct"
secret = "scrubbed"
response_window = 30
max_outstanding = 65536
require_message_authenticator = yes
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 300
status_check_timeout = 4
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
home_server_pool eduroam {
type = client-port-balance
home_server = eduroam0
home_server = eduroam1
home_server = eduroam2
}
realm eduroam {
pool = eduroam
nostrip
}
realm bathspa.ac.uk {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "scrubbed"
nastype = "other"
virtual_server = "bathspa"
}
client roaming0.ja.net {
require_message_authenticator = no
secret = "scrubbed"
shortname = "roaming0.ja.net"
nastype = "other"
virtual_server = "eduroam"
}
client roaming1.ja.net {
require_message_authenticator = no
secret = "scrubbed"
shortname = "roaming1.ja.net"
nastype = "other"
virtual_server = "eduroam"
}
client roaming2.ja.net {
require_message_authenticator = no
secret = "scrubbed"
shortname = "roaming2.ja.net"
nastype = "other"
virtual_server = "eduroam"
}
client 172.23.1.100 {
require_message_authenticator = yes
secret = "scrubbed"
shortname = "NPTNG01-L-1"
nastype = "other"
virtual_server = "bathspa"
}
client 172.23.1.102 {
require_message_authenticator = yes
secret = "scrubbed"
shortname = "NPTNG01-L-1"
nastype = "other"
virtual_server = "bathspa"
}
client 172.23.1.104 {
require_message_authenticator = yes
secret = "scrubbed"
shortname = "NPTNG01-L-2"
nastype = "other"
virtual_server = "bathspa"
}
client 172.23.1.106 {
require_message_authenticator = yes
secret = "scrubbed"
shortname = "NPLYG28-L-2"
nastype = "other"
virtual_server = "bathspa"
}
client 172.23.1.108 {
require_message_authenticator = yes
secret = "scrubbed"
shortname = "NPTNG01-L-3"
nastype = "other"
virtual_server = "bathspa"
}
client 172.23.1.110 {
require_message_authenticator = yes
secret = "scrubbed"
shortname = "NPLYG28-L-3"
nastype = "other"
virtual_server = "bathspa"
}
client 172.23.1.112 {
require_message_authenticator = yes
secret = "scrubbed"
shortname = "NPLYG28-L-4"
nastype = "other"
virtual_server = "bathspa"
}
client 172.23.1.114 {
require_message_authenticator = yes
secret = "scrubbed"
shortname = "NPTNG01-L-4"
nastype = "other"
virtual_server = "bathspa"
}
client 172.23.116 {
require_message_authenticator = yes
secret = "scrubbed"
shortname = "NPLYG28-L-5"
nastype = "other"
virtual_server = "bathspa"
}
client 172.19.0.129 {
require_message_authenticator = yes
secret = "scrubbed"
shortname = "NPLNX-NSCRTL1"
nastype = "other"
virtual_server = "bathspa"
}
client 172.19.0.113 {
require_message_authenticator = yes
secret = "scrubbed"
shortname = "NPWIN-ORIONWEB1"
nastype = "other"
virtual_server = "bathspa"
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating module "exec" from file /etc/raddb/modules/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_expr
Module: Instantiating module "expr" from file /etc/raddb/modules/expr
Module: Linked to module rlm_expiration
Module: Instantiating module "expiration" from file /etc/raddb/modules/expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating module "logintime" from file /etc/raddb/modules/logintime
logintime {
reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60
}
}
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/raddb/radiusd.conf
modules {
Module: Creating Post-Auth-Type = REJECT
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating module "pap" from file /etc/raddb/modules/pap
pap {
encryption_scheme = "auto"
auto_header = no
}
Module: Linked to module rlm_mschap
Module: Instantiating module "mschap" from file /etc/raddb/modules/mschap
mschap {
use_mppe = yes
require_encryption = yes
require_strong = yes
with_ntdomain_hack = yes
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
allow_retry = yes
retry_msg = "Re-enter (or reset) the password"
}
Module: Linked to module rlm_eap
Module: Instantiating module "eap" from file /etc/raddb/eap.conf
eap {
default_eap_type = "peap"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = yes
max_sessions = 4096
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
CA_path = "/etc/raddb/certs"
pem_file_type = yes
private_key_file = "/etc/raddb/certs/radius.key"
certificate_file = "/etc/raddb/certs/eduroam.bathspa.ac.uk.07052015.crt"
private_key_password = "in4.wdja"
dh_file = "/etc/raddb/certs/dh"
random_file = "/etc/raddb/certs/random"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
cache {
enable = no
lifetime = 24
max_entries = 65535
}
verify {
}
}
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
default_eap_type = "mschapv2"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
virtual_server = "inner-tunnel"
include_length = yes
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = yes
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating module "preprocess" from file /etc/raddb/modules/preprocess
preprocess {
huntgroups = "/etc/raddb/huntgroups"
hints = "/etc/raddb/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
Module: Linked to module rlm_realm
Module: Instantiating module "suffix" from file /etc/raddb/modules/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = yes
}
Module: Linked to module rlm_files
Module: Instantiating module "files" from file /etc/raddb/modules/files
files {
usersfile = "/etc/raddb/users"
acctusersfile = "/etc/raddb/acct_users"
preproxy_usersfile = "/etc/raddb/preproxy_users"
compat = "no"
}
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating module "acct_unique" from file /etc/raddb/modules/acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating module "detail" from file /etc/raddb/modules/detail
detail {
detailfile = "/radiuslogs/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Linked to module rlm_attr_filter
Module: Instantiating module "attr_filter.accounting_response" from file /etc/raddb/modules/attr_filter
attr_filter attr_filter.accounting_response {
attrsfile = "/etc/raddb/attrs.accounting_response"
key = "%{User-Name}"
relaxed = no
}
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Instantiating module "attr_filter.access_reject" from file /etc/raddb/modules/attr_filter
attr_filter attr_filter.access_reject {
attrsfile = "/etc/raddb/attrs.access_reject"
key = "%{User-Name}"
relaxed = no
}
} # modules
} # server
server eduroam { # from file /etc/raddb/sites-enabled/eduroam
modules {
Module: Creating Auth-Type = eduroam-eap
Module: Creating Post-Proxy-Type = Fail
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_krb5
Module: Instantiating module "krb5" from file /etc/raddb/modules/krb5
krb5 {
keytab = "/path/to/keytab"
service_principal = "name_of_principle"
}
rlm_krb5: krb5_init ok
Module: Instantiating module "eduroam-eap" from file /etc/raddb/eduroam-eap.conf
eap eduroam-eap {
default_eap_type = "peap"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = yes
max_sessions = 4096
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
CA_path = "/etc/raddb/certs"
pem_file_type = yes
private_key_file = "/etc/raddb/certs/radius.key"
certificate_file = "/etc/raddb/certs/eduroam.bathspa.ac.uk.07052015.crt"
private_key_password = "in4.wdja"
dh_file = "/etc/raddb/certs/dh"
random_file = "/etc/raddb/certs/random"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
cache {
enable = yes
lifetime = 24
max_entries = 65535
}
verify {
}
}
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
default_eap_type = "mschapv2"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
virtual_server = "eduroam-inner-tunnel"
include_length = yes
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
proxy_tunneled_request_as_eap = yes
virtual_server = "eduroam-inner-tunnel"
soh = no
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = yes
}
Module: Instantiating module "attr_filter.access_challenge" from file /etc/raddb/modules/attr_filter
attr_filter attr_filter.access_challenge {
attrsfile = "/etc/raddb/attrs.access_challenge"
key = "%{User-Name}"
relaxed = no
}
Module: Linked to module rlm_always
Module: Instantiating module "handled" from file /etc/raddb/modules/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
Module: Checking authorize {...} for more modules to load
Module: Instantiating module "auth_log" from file /etc/raddb/modules/detail.log
detail auth_log {
detailfile = "/radiuslogs/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Instantiating module "ntdomain" from file /etc/raddb/modules/realm
realm ntdomain {
format = "prefix"
delimiter = "\"
ignore_default = no
ignore_null = yes
}
Module: Checking preacct {...} for more modules to load
Module: Checking accounting {...} for more modules to load
Module: Instantiating module "ok" from file /etc/raddb/modules/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
Module: Checking pre-proxy {...} for more modules to load
Module: Instantiating module "attr_filter.pre-proxy" from file /etc/raddb/modules/attr_filter
attr_filter attr_filter.pre-proxy {
attrsfile = "/etc/raddb/attrs.pre-proxy"
key = "%{Realm}"
relaxed = no
}
Module: Instantiating module "pre_proxy_log" from file /etc/raddb/modules/detail.log
detail pre_proxy_log {
detailfile = "/radiuslogs/radacct/%{Client-IP-Address}/pre-proxy-detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Checking post-proxy {...} for more modules to load
Module: Instantiating module "post_proxy_log" from file /etc/raddb/modules/detail.log
detail post_proxy_log {
detailfile = "/radiuslogs/radacct/%{Client-IP-Address}/post-proxy-detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Instantiating module "attr_filter.post-proxy" from file /etc/raddb/modules/attr_filter
attr_filter attr_filter.post-proxy {
attrsfile = "/etc/raddb/attrs"
key = "%{Realm}"
relaxed = no
}
Module: Linked to module rlm_linelog
Module: Instantiating module "linelog" from file /etc/raddb/modules/linelog
linelog {
filename = "syslog"
permissions = 384
format = "This is a log message for %{User-Name}"
reference = "%{%{reply:Packet-Type}:-format}"
}
Module: Checking post-auth {...} for more modules to load
Module: Instantiating module "reply_log" from file /etc/raddb/modules/detail.log
detail reply_log {
detailfile = "/radiuslogs/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
} # modules
} # server
server bathspa { # from file /etc/raddb/sites-enabled/bathspa
modules {
Module: Checking authenticate {...} for more modules to load
Module: Checking authorize {...} for more modules to load
Module: Loading virtual module filter_username
Module: Instantiating module "reject" from file /etc/raddb/modules/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
Module: Loading virtual module filter_duff_realms
Module: Loading virtual module reject_user_without_realm
Module: Checking preacct {...} for more modules to load
Module: Checking accounting {...} for more modules to load
Module: Checking pre-proxy {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
} # modules
} # server
server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_chap
Module: Instantiating module "chap" from file /etc/raddb/modules/chap
Module: Checking authorize {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Linked to module rlm_perl
Module: Instantiating module "perl" from file /etc/raddb/modules/perl
perl {
module = "/etc/raddb/perl-scripts/vlan-override.pl"
func_authorize = "authorize"
func_authenticate = "authenticate"
func_accounting = "accounting"
func_preacct = "preacct"
func_checksimul = "checksimul"
func_detach = "detach"
func_xlat = "xlat"
func_pre_proxy = "pre_proxy"
func_post_proxy = "post_proxy"
func_post_auth = "post_auth"
func_recv_coa = "recv_coa"
func_send_coa = "send_coa"
}
} # modules
} # server
server eduroam-inner-tunnel { # from file /etc/raddb/sites-enabled/eduroam-inner-tunnel
modules {
Module: Checking authenticate {...} for more modules to load
Module: Checking authorize {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
} # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
listen {
type = "control"
listen {
socket = "/var/run/radiusd/radiusd.sock"
}
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18121
}
... adding new socket proxy address * port 44108
... adding new socket proxy address * port 53758
... adding new socket proxy address * port 50923
... adding new socket proxy address * port 33781
... adding new socket proxy address * port 44649
... adding new socket proxy address * port 38494
... adding new socket proxy address * port 59759
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /var/run/radiusd/radiusd.sock
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on authentication address 127.0.0.1 port 18121 as server eduroam-inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 194.83.56.233 port 63667, id=226, length=282
User-Name = "244422 at bathspa.ac.uk"
NAS-IP-Address = 146.87.203.100
NAS-Port = 13
Service-Type = Framed-User
Framed-MTU = 1300
Called-Station-Id = "80-e0-1d-d2-43-c0:eduroam"
Calling-Station-Id = "54-ea-a8-5a-27-19"
NAS-Identifier = "WiSM2-1"
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
EAP-Message = 0x020c00190132343434323240626174687370612e61632e756b
Message-Authenticator = 0x81b03f2d7543c72f12244b222761741e
Tunnel-Private-Group-Id:0 = "\000753"
Chargeable-User-Identity = ""
Location-Capable = Civix-Location
Airespace-Wlan-Id = 5
Cisco-AVPair = "audit-session-id=9257cb64010a089c57178155"
Proxy-State = 0x4f53432d457874656e6465642d49643d35363032
server eduroam {
# Executing section authorize from file /etc/raddb/sites-enabled/eduroam
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /radiuslogs/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /radiuslogs/radacct/194.83.56.233/auth-detail-20160420
[auth_log] /radiuslogs/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /radiuslogs/radacct/194.83.56.233/auth-detail-20160420
[auth_log] expand: %t -> Wed Apr 20 14:17:31 2016
++[auth_log] returns ok
++[mschap] returns noop
[suffix] Looking up realm "bathspa.ac.uk" for User-Name = "244422 at bathspa.ac.uk"
[suffix] Found realm "bathspa.ac.uk"
[suffix] Adding Stripped-User-Name = "244422"
[suffix] Adding Realm = "bathspa.ac.uk"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[ntdomain] Request already proxied. Ignoring.
++[ntdomain] returns ok
[eduroam-eap] EAP packet type response id 12 length 25
[eduroam-eap] No EAP Start, assuming it's an on-going EAP conversation
++[eduroam-eap] returns updated
[files] users: Matched entry DEFAULT at line 202
++[files] returns ok
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = eduroam-eap
# Executing group from file /etc/raddb/sites-enabled/eduroam
+- entering group authenticate {...}
[eduroam-eap] EAP Identity
[eduroam-eap] processing type tls
[tls] Flushing SSL sessions (of #0)
[tls] Initiate
[tls] Start returned 1
++[eduroam-eap] returns handled
} # server eduroam
Sending Access-Challenge of id 226 to 194.83.56.233 port 63667
EAP-Message = 0x010d00061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xdc342b61dc3932a7b8572b0657f6462d
Proxy-State = 0x4f53432d457874656e6465642d49643d35363032
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 194.83.56.233 port 46173, id=145, length=460
User-Name = "244422 at bathspa.ac.uk"
NAS-IP-Address = 146.87.203.100
NAS-Port = 13
Service-Type = Framed-User
Framed-MTU = 1300
State = 0xdc342b61dc3932a7b8572b0657f6462d
Called-Station-Id = "80-e0-1d-d2-43-c0:eduroam"
Calling-Station-Id = "54-ea-a8-5a-27-19"
NAS-Identifier = "WiSM2-1"
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
EAP-Message = 0x020d00b81980000000ae16030100a9010000a503015717816b6956f2fb3f46399245ef3d21dbf69b4c7db5af35b295189ecc7f781420e7f02ec12bdf881cb9bbe4e647b758f309079c4043f2883f649200480d7119c8004a00ffc024c023c00ac009c008c028c027c014c013c012c026c025c005c004c003c02ac029c00fc00ec00d006b0067003900330016003d003c0035002f000ac007c011c002c00c0005000401000012000a00080006001700180019000b00020100
Message-Authenticator = 0x0bc824003597afbbe95d48d26593d916
Tunnel-Private-Group-Id:0 = "\000753"
Chargeable-User-Identity = ""
Location-Capable = Civix-Location
Airespace-Wlan-Id = 5
Cisco-AVPair = "audit-session-id=9257cb64010a089c57178155"
Proxy-State = 0x4f53432d457874656e6465642d49643d3130383937
server eduroam {
# Executing section authorize from file /etc/raddb/sites-enabled/eduroam
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /radiuslogs/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /radiuslogs/radacct/194.83.56.233/auth-detail-20160420
[auth_log] /radiuslogs/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /radiuslogs/radacct/194.83.56.233/auth-detail-20160420
[auth_log] expand: %t -> Wed Apr 20 14:17:31 2016
++[auth_log] returns ok
++[mschap] returns noop
[suffix] Looking up realm "bathspa.ac.uk" for User-Name = "244422 at bathspa.ac.uk"
[suffix] Found realm "bathspa.ac.uk"
[suffix] Adding Stripped-User-Name = "244422"
[suffix] Adding Realm = "bathspa.ac.uk"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[ntdomain] Request already proxied. Ignoring.
++[ntdomain] returns ok
[eduroam-eap] EAP packet type response id 13 length 184
[eduroam-eap] Continuing tunnel setup.
++[eduroam-eap] returns ok
Found Auth-Type = eduroam-eap
# Executing group from file /etc/raddb/sites-enabled/eduroam
+- entering group authenticate {...}
[eduroam-eap] Request found, released from the list
[eduroam-eap] EAP/peap
[eduroam-eap] processing type peap
[peap] processing EAP-TLS
TLS Length 174
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 00a9], ClientHello
SSL: Client requested nonexistent cached session e7f02ec12bdf881cb9bbe4e647b758f309079c4043f2883f649200480d7119c8
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 0051], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 146e], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange
[peap] TLS_accept: SSLv3 write key exchange A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eduroam-eap] returns handled
} # server eduroam
Sending Access-Challenge of id 145 to 194.83.56.233 port 46173
EAP-Message = 0x010e040019c0000016e416030100510200004d03015717816bf4a6b65d6b809aced3b448612944b76865611560d9cad783a8aa1e612001758fd434e20b9484b316ed79a90fd77d67b76aacce46eaab57ab32427d73890039000005ff01000100160301146e0b00146a0014670004a9308204a53082038da003020102021100e736e2aa986b1c248d60b36d642d1ee7300d06092a864886f70d01010b05003064310b3009060355040613024e4c311630140603550408130d4e6f6f72642d486f6c6c616e643112301006035504071309416d7374657264616d310f300d060355040a1306544552454e41311830160603550403130f544552454e412053
EAP-Message = 0x534c2043412032301e170d3135303530383030303030305a170d3138303530373233353935395a30433121301f060355040b1318446f6d61696e20436f6e74726f6c2056616c696461746564311e301c06035504031315656475726f616d2e626174687370612e61632e756b30820122300d06092a864886f70d01010105000382010f003082010a0282010100da56807764ab38051d48ebf0ff2ad6aabf826e400f6c33797b0646aaa9cc72d062b3447a072400c303d08ee4334f9d6f56b0089b14559327a5703d43e20e0cfed9f7c5eea93a37c6eccf9b3f9f6764f544eb792906b87bbca6711de168c55e2f481e42c473ace578bd74bb5a32903a20
EAP-Message = 0xd86b9a35e99f62dd5b1d78e09ca96fdd391f029f883c943bfec74e9eeafd402095c8dc28eb4bbd60d659e156e915e0fece11cfd0ea4f41de9e5aaae5da3333b073985028219da184f01477a1eee85fbb58aa54a31f4986cd8a959978e306b69a444a5ed3abf9432d26c91a7a87af1f27ff7ad6883723de33eba3eb42478ced8b67c6177a342ae590b8e56add24b74ba70203010001a38201713082016d301f0603551d230418301680145bd08a1c9a325be0b5dd96541be18628b0fdb6bd301d0603551d0e041604147949a7db5ac1d3481397c4bba213acf65d29c69a300e0603551d0f0101ff0404030205a0300c0603551d130101ff04023000301d
EAP-Message = 0x0603551d250416301406082b0601050507030106082b0601050507030230220603551d20041b3019300d060b2b06010401b2310102021d3008060667810c010201303a0603551d1f04333031302fa02da02b8629687474703a2f2f63726c2e7573657274727573742e636f6d2f544552454e4153534c4341322e63726c306c06082b060105050701010460305e303506082b060105050730028629687474703a2f2f6372742e7573657274727573742e636f6d2f544552454e4153534c4341322e637274302506082b060105050730018619687474703a2f2f6f6373702e7573657274727573742e636f6d30200603551d11041930178215656475726f
EAP-Message = 0x616d2e626174687370612e61
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xdc342b61dd3a32a7b8572b0657f6462d
Proxy-State = 0x4f53432d457874656e6465642d49643d3130383937
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 194.83.56.233 port 43638, id=253, length=281
User-Name = "244422 at bathspa.ac.uk"
NAS-IP-Address = 146.87.203.100
NAS-Port = 13
Service-Type = Framed-User
Framed-MTU = 1300
State = 0xdc342b61dd3a32a7b8572b0657f6462d
Called-Station-Id = "80-e0-1d-d2-43-c0:eduroam"
Calling-Station-Id = "54-ea-a8-5a-27-19"
NAS-Identifier = "WiSM2-1"
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
EAP-Message = 0x020e00061900
Message-Authenticator = 0x448091ce8f85f42cb929dccdea80c7fc
Tunnel-Private-Group-Id:0 = "\000753"
Chargeable-User-Identity = ""
Location-Capable = Civix-Location
Airespace-Wlan-Id = 5
Cisco-AVPair = "audit-session-id=9257cb64010a089c57178155"
Proxy-State = 0x4f53432d457874656e6465642d49643d34333439
server eduroam {
# Executing section authorize from file /etc/raddb/sites-enabled/eduroam
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /radiuslogs/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /radiuslogs/radacct/194.83.56.233/auth-detail-20160420
[auth_log] /radiuslogs/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /radiuslogs/radacct/194.83.56.233/auth-detail-20160420
[auth_log] expand: %t -> Wed Apr 20 14:17:31 2016
++[auth_log] returns ok
++[mschap] returns noop
[suffix] Looking up realm "bathspa.ac.uk" for User-Name = "244422 at bathspa.ac.uk"
[suffix] Found realm "bathspa.ac.uk"
[suffix] Adding Stripped-User-Name = "244422"
[suffix] Adding Realm = "bathspa.ac.uk"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[ntdomain] Request already proxied. Ignoring.
++[ntdomain] returns ok
[eduroam-eap] EAP packet type response id 14 length 6
[eduroam-eap] Continuing tunnel setup.
++[eduroam-eap] returns ok
Found Auth-Type = eduroam-eap
# Executing group from file /etc/raddb/sites-enabled/eduroam
+- entering group authenticate {...}
[eduroam-eap] Request found, released from the list
[eduroam-eap] EAP/peap
[eduroam-eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eduroam-eap] returns handled
} # server eduroam
Sending Access-Challenge of id 253 to 194.83.56.233 port 43638
EAP-Message = 0x010f03fc1940632e756b300d06092a864886f70d01010b0500038201010085efc4f03090d4cafe1cb4ff97c8dfbf5c61d1b8fa50f699436a46ee408fa45c29318cc07b1d8f37a4f9690f479e8719240961d6d27c31fd014cbb06cd9c92f3e47708d2c4def6e020c18bc4f6f64b9ab067756cf0e53fdacf1e0b58e55bf49fbc4bfa22a167192f693240ba76b9b35222748fba20d0985e67bc42473e2f67cc8f3b570f98cbfe884692669d4c123fcd69b050d1097a5de7eaf04976463a9b5e08c5d2300986550527bc50f3ee8cda36f8dbd6e21e221c14ba7b27e2efec27e5dc796382ada5cd8fdec31622990bfe64301c99bd7b1adb94a4c622412b2584
EAP-Message = 0x7e2da8e173059af991acc093ea0de0e3bc0cc5e460c11adb25e8efb61c14d4ae490005fd308205f9308203e1a003020102021100b0ffcf3a1d82449815629d64886a4165300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3134313030393030303030305a170d323431303038323335393539
EAP-Message = 0x5a3064310b3009060355040613024e4c311630140603550408130d4e6f6f72642d486f6c6c616e643112301006035504071309416d7374657264616d310f300d060355040a1306544552454e41311830160603550403130f544552454e412053534c204341203230820122300d06092a864886f70d01010105000382010f003082010a0282010100b03a6d7fa9b8009ef3853a08642cf9440c20b4b3154d062da6f093c948bef764ada48e15b331811417fc6ee28b19758b3612cf076d7678265e27bf2c16ba42fbdd1e508f64af759b0a3a82a93125518e7fc442dd1f5c9391bb94fa7057fae7fdb8b868ca9b6a19245437fe326189f722c18f63d5d1
EAP-Message = 0x697e494dbcd7d0db4cd6f60fbdc1884293d691f99f969911ea6e72e780216cf14e8eec63b83daf6539d085922a793a0ed6e8ad9b2589a2d42e726b73a1d2e2dfce5870ffc05401775df9769d2f43daa226dd1d429a4d38b156fe3ab4cb6b6cf26a9f3fb3ae3ba7d0153eac277f1bf4596050567e9d75259e3fc676bfff99ccd8f1a96a895fdee707cd8d8b0203010001a382017f3082017b301f0603551d230418301680145379bf5aaa2b4acf5480e1d89bc09df2b20366cb301d0603551d0e041604145bd08a1c9a325be0b5dd96541be18628b0fdb6bd300e0603551d0f0101ff04040302018630120603551d130101ff040830060101ff02010030
EAP-Message = 0x1d0603551d250416
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xdc342b61de3b32a7b8572b0657f6462d
Proxy-State = 0x4f53432d457874656e6465642d49643d34333439
Finished request 2.
Going to the next request
Waking up in 4.8 seconds.
Cleaning up request 0 ID 226 with timestamp +2
Cleaning up request 1 ID 145 with timestamp +2
Cleaning up request 2 ID 253 with timestamp +2
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
WARNING: !! EAP session for state 0xdc342b61de3b32a7 did not finish!
WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Ready to process requests.
rad_recv: Access-Request packet from host 194.83.56.233 port 46173, id=146, length=283
User-Name = "244422 at bathspa.ac.uk"
NAS-IP-Address = 146.87.203.100
NAS-Port = 13
Service-Type = Framed-User
Framed-MTU = 1300
Called-Station-Id = "80-e0-1d-d2-43-c0:eduroam"
Calling-Station-Id = "54-ea-a8-5a-27-19"
NAS-Identifier = "WiSM2-1"
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
EAP-Message = 0x021100190132343434323240626174687370612e61632e756b
Message-Authenticator = 0x914bda759f99830fb70d9c5b8c91f872
Tunnel-Private-Group-Id:0 = "\000753"
Chargeable-User-Identity = ""
Location-Capable = Civix-Location
Airespace-Wlan-Id = 5
Cisco-AVPair = "audit-session-id=9257cb64010a089c57178155"
Proxy-State = 0x4f53432d457874656e6465642d49643d3130383938
server eduroam {
# Executing section authorize from file /etc/raddb/sites-enabled/eduroam
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /radiuslogs/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /radiuslogs/radacct/194.83.56.233/auth-detail-20160420
[auth_log] /radiuslogs/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /radiuslogs/radacct/194.83.56.233/auth-detail-20160420
[auth_log] expand: %t -> Wed Apr 20 14:17:36 2016
++[auth_log] returns ok
++[mschap] returns noop
[suffix] Looking up realm "bathspa.ac.uk" for User-Name = "244422 at bathspa.ac.uk"
[suffix] Found realm "bathspa.ac.uk"
[suffix] Adding Stripped-User-Name = "244422"
[suffix] Adding Realm = "bathspa.ac.uk"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[ntdomain] Request already proxied. Ignoring.
++[ntdomain] returns ok
[eduroam-eap] EAP packet type response id 17 length 25
[eduroam-eap] No EAP Start, assuming it's an on-going EAP conversation
++[eduroam-eap] returns updated
[files] users: Matched entry DEFAULT at line 202
++[files] returns ok
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = eduroam-eap
# Executing group from file /etc/raddb/sites-enabled/eduroam
+- entering group authenticate {...}
[eduroam-eap] EAP Identity
[eduroam-eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eduroam-eap] returns handled
} # server eduroam
Sending Access-Challenge of id 146 to 194.83.56.233 port 46173
EAP-Message = 0x011200061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x32c8ffac32dae6d6c18785ac28106757
Proxy-State = 0x4f53432d457874656e6465642d49643d3130383938
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 194.83.56.233 port 22937, id=36, length=459
User-Name = "244422 at bathspa.ac.uk"
NAS-IP-Address = 146.87.203.100
NAS-Port = 13
Service-Type = Framed-User
Framed-MTU = 1300
State = 0x32c8ffac32dae6d6c18785ac28106757
Called-Station-Id = "80-e0-1d-d2-43-c0:eduroam"
Calling-Station-Id = "54-ea-a8-5a-27-19"
NAS-Identifier = "WiSM2-1"
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
EAP-Message = 0x021200b81980000000ae16030100a9010000a50301571781701f161531d9f47a0984bd3c4722e23e384387369933ecde20d3b9701a20e7f02ec12bdf881cb9bbe4e647b758f309079c4043f2883f649200480d7119c8004a00ffc024c023c00ac009c008c028c027c014c013c012c026c025c005c004c003c02ac029c00fc00ec00d006b0067003900330016003d003c0035002f000ac007c011c002c00c0005000401000012000a00080006001700180019000b00020100
Message-Authenticator = 0xf9d4c2d7d1a3793c1f532da744c9ba3f
Tunnel-Private-Group-Id:0 = "\000753"
Chargeable-User-Identity = ""
Location-Capable = Civix-Location
Airespace-Wlan-Id = 5
Cisco-AVPair = "audit-session-id=9257cb64010a089c57178155"
Proxy-State = 0x4f53432d457874656e6465642d49643d34333838
server eduroam {
# Executing section authorize from file /etc/raddb/sites-enabled/eduroam
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /radiuslogs/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /radiuslogs/radacct/194.83.56.233/auth-detail-20160420
[auth_log] /radiuslogs/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /radiuslogs/radacct/194.83.56.233/auth-detail-20160420
[auth_log] expand: %t -> Wed Apr 20 14:17:36 2016
++[auth_log] returns ok
++[mschap] returns noop
[suffix] Looking up realm "bathspa.ac.uk" for User-Name = "244422 at bathspa.ac.uk"
[suffix] Found realm "bathspa.ac.uk"
[suffix] Adding Stripped-User-Name = "244422"
[suffix] Adding Realm = "bathspa.ac.uk"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[ntdomain] Request already proxied. Ignoring.
++[ntdomain] returns ok
[eduroam-eap] EAP packet type response id 18 length 184
[eduroam-eap] Continuing tunnel setup.
++[eduroam-eap] returns ok
Found Auth-Type = eduroam-eap
# Executing group from file /etc/raddb/sites-enabled/eduroam
+- entering group authenticate {...}
[eduroam-eap] Request found, released from the list
[eduroam-eap] EAP/peap
[eduroam-eap] processing type peap
[peap] processing EAP-TLS
TLS Length 174
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 00a9], ClientHello
SSL: Client requested nonexistent cached session e7f02ec12bdf881cb9bbe4e647b758f309079c4043f2883f649200480d7119c8
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 0051], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 146e], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange
[peap] TLS_accept: SSLv3 write key exchange A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eduroam-eap] returns handled
} # server eduroam
Sending Access-Challenge of id 36 to 194.83.56.233 port 22937
EAP-Message = 0x0113040019c0000016e416030100510200004d0301571781706d04c8efd519bbbdcb63095dcb8fdc5145081d48a3eaadbff1f08721204a9f21cc160dd0a7072e5f9e0e2ab6940e42527cb6e3f800cedc3cdbf2ec82df0039000005ff01000100160301146e0b00146a0014670004a9308204a53082038da003020102021100e736e2aa986b1c248d60b36d642d1ee7300d06092a864886f70d01010b05003064310b3009060355040613024e4c311630140603550408130d4e6f6f72642d486f6c6c616e643112301006035504071309416d7374657264616d310f300d060355040a1306544552454e41311830160603550403130f544552454e412053
EAP-Message = 0x534c2043412032301e170d3135303530383030303030305a170d3138303530373233353935395a30433121301f060355040b1318446f6d61696e20436f6e74726f6c2056616c696461746564311e301c06035504031315656475726f616d2e626174687370612e61632e756b30820122300d06092a864886f70d01010105000382010f003082010a0282010100da56807764ab38051d48ebf0ff2ad6aabf826e400f6c33797b0646aaa9cc72d062b3447a072400c303d08ee4334f9d6f56b0089b14559327a5703d43e20e0cfed9f7c5eea93a37c6eccf9b3f9f6764f544eb792906b87bbca6711de168c55e2f481e42c473ace578bd74bb5a32903a20
EAP-Message = 0xd86b9a35e99f62dd5b1d78e09ca96fdd391f029f883c943bfec74e9eeafd402095c8dc28eb4bbd60d659e156e915e0fece11cfd0ea4f41de9e5aaae5da3333b073985028219da184f01477a1eee85fbb58aa54a31f4986cd8a959978e306b69a444a5ed3abf9432d26c91a7a87af1f27ff7ad6883723de33eba3eb42478ced8b67c6177a342ae590b8e56add24b74ba70203010001a38201713082016d301f0603551d230418301680145bd08a1c9a325be0b5dd96541be18628b0fdb6bd301d0603551d0e041604147949a7db5ac1d3481397c4bba213acf65d29c69a300e0603551d0f0101ff0404030205a0300c0603551d130101ff04023000301d
EAP-Message = 0x0603551d250416301406082b0601050507030106082b0601050507030230220603551d20041b3019300d060b2b06010401b2310102021d3008060667810c010201303a0603551d1f04333031302fa02da02b8629687474703a2f2f63726c2e7573657274727573742e636f6d2f544552454e4153534c4341322e63726c306c06082b060105050701010460305e303506082b060105050730028629687474703a2f2f6372742e7573657274727573742e636f6d2f544552454e4153534c4341322e637274302506082b060105050730018619687474703a2f2f6f6373702e7573657274727573742e636f6d30200603551d11041930178215656475726f
EAP-Message = 0x616d2e626174687370612e61
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x32c8ffac33dbe6d6c18785ac28106757
Proxy-State = 0x4f53432d457874656e6465642d49643d34333838
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
More information about the Freeradius-Users
mailing list