FreeRADIUS not sending "Access-Accept" for Cisco Phone

craig at mypenguin.net.au
Fri May 27 02:26:56 CEST 2016


OK, I've upgraded to freeradius-server-3.0.11.
Below is the output I get from the Cisco phone attempt; this is
iteration "320" and it just continues to make attempts (I assume because
it's UDP)?

==================================================================================================================================================================
(320) Received Access-Request Id 17 from 192.168.11.62:34495 to
192.168.11.61:1812 length 288
(320)   User-Name = "CP-7841-SEPF07816D1207E"
(320)   Called-Station-Id = "f8-b1-56-6f-15-d6"
(320)   Calling-Station-Id = "f0:78:16:d1:20:7e"
(320)   NAS-Identifier = "f8-b1-56-6f-15-d4"
(320)   NAS-IP-Address = 192.168.11.62
(320)   NAS-Port = 112
(320)   Framed-MTU = 1500
(320)   NAS-Port-Type = Ethernet
(320)   State = 0x7d8fc9d87d2bc4167bd29e25682eecf2
(320)   EAP-Message =
0x02a4007c0d8000000072160301006d0100006903035c452fa402c853860cd34fcff40565ec53ec45be8cf56a5ed4643fefd588dc6300000ac030c02f0035002f00ff01000036000b000403000102000a000a00080019001800170013000d001c001a000004010501060103010201010102020403050306
(320)   Message-Authenticator = 0x0162446871ec20dd4a2638fd7278064c
(320) session-state: No cached attributes
(320) # Executing section authorize from file
/usr/local/freeradius/etc/raddb/sites-enabled/default
(320)   authorize {
(320)     policy filter_username {
(320)       if (!&User-Name) {
(320)       if (!&User-Name)  -> FALSE
(320)       if (&User-Name =~ / /) {
(320)       if (&User-Name =~ / /)  -> FALSE
(320)       if (&User-Name =~ /@.*@/ ) {
(320)       if (&User-Name =~ /@.*@/ )  -> FALSE
(320)       if (&User-Name =~ /\\.\\./ ) {
(320)       if (&User-Name =~ /\\.\\./ )  -> FALSE
(320)       if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
{
(320)       if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
-> FALSE
(320)       if (&User-Name =~ /\\.$/)  {
(320)       if (&User-Name =~ /\\.$/)   -> FALSE
(320)       if (&User-Name =~ /@\\./)  {
(320)       if (&User-Name =~ /@\\./)   -> FALSE
(320)     } # policy filter_username = notfound
(320)     [preprocess] = ok
(320)     [digest] = noop
(320) suffix: Checking for suffix after "@"
(320) suffix: No '@' in User-Name = "CP-7841-SEPF07816D1207E", looking
up realm NULL
(320) suffix: No such realm "NULL"
(320)     [suffix] = noop
(320) eap: Peer sent EAP Response (code 2) ID 164 length 124
(320) eap: No EAP Start, assuming it's an on-going EAP conversation
(320)     [eap] = updated
(320)     [files] = noop
(320)     [expiration] = noop
(320)     [logintime] = noop
(320)     [pap] = noop
(320)   } # authorize = updated
(320) Found Auth-Type = eap
(320) # Executing group from file
/usr/local/freeradius/etc/raddb/sites-enabled/default
(320)   authenticate {
(320) eap: Expiring EAP session with state 0x59e62fe75ae3223b
(320) eap: Finished EAP session with state 0x7d8fc9d87d2bc416
(320) eap: Previous EAP request found for state 0x7d8fc9d87d2bc416,
released from the list
(320) eap: Peer sent packet with method EAP TLS (13)
(320) eap: Calling submodule eap_tls to process data
(320) eap_tls: Continuing EAP-TLS
(320) eap_tls: Peer indicated complete TLS record size will be 114 bytes
(320) eap_tls: Got complete TLS record (114 bytes)
(320) eap_tls: [eaptls verify] = length included
(320) eap_tls: (other): before/accept initialization
(320) eap_tls: TLS_accept: before/accept initialization
(320) eap_tls: <<< recv TLS 1.2  [length 006d]
(320) eap_tls: TLS_accept: SSLv3 read client hello A
(320) eap_tls: >>> send TLS 1.2  [length 0059]
(320) eap_tls: TLS_accept: SSLv3 write server hello A
(320) eap_tls: >>> send TLS 1.2  [length 0816]
(320) eap_tls: TLS_accept: SSLv3 write certificate A
(320) eap_tls: >>> send TLS 1.2  [length 014d]
(320) eap_tls: TLS_accept: SSLv3 write key exchange A
(320) eap_tls: >>> send TLS 1.2  [length 0073]
(320) eap_tls: TLS_accept: SSLv3 write certificate request A
(320) eap_tls: TLS_accept: SSLv3 flush data
(320) eap_tls: TLS_accept: Need to read more data: SSLv3 read client
certificate A
(320) eap_tls: TLS_accept: Need to read more data: SSLv3 read client
certificate A
(320) eap_tls: In SSL Handshake Phase
(320) eap_tls: In SSL Accept mode
(320) eap_tls: [eaptls process] = handled
(320) eap: Sending EAP Request (code 1) ID 165 length 1004
(320) eap: EAP session adding &reply:State = 0x7d8fc9d87c2ac416
(320)     [eap] = handled
(320)   } # authenticate = handled
(320) Using Post-Auth-Type Challenge
(320) Post-Auth-Type sub-section not found.  Ignoring.
(320) # Executing group from file
/usr/local/freeradius/etc/raddb/sites-enabled/default
(320) Sent Access-Challenge Id 17 from 192.168.11.61:1812 to
192.168.11.62:34495 length 0
(320)   EAP-Message =
0x01a503ec0dc000000a43160303005902000055030357478e00dd7b5997bbb83b60ba5536c72cc6bf4cc099ed8246b5d6ba09b8eb30206df24a0f79a02af8687ebf21332b9e9a3fbf6b849f47f5a008b1eac24bd4d481c03000000dff01000100000b00040300010216030308160b00081200080f000452
(320)   Message-Authenticator = 0x00000000000000000000000000000000
(320)   State = 0x7d8fc9d87c2ac4167bd29e25682eecf2
(320) Finished request
(320) Cleaning up request packet ID 17 with timestamp +435
==================================================================================================================================================================

cheers

Craig
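
Added example, not part of the original post and not FreeRADIUS code: the EAP-Message values in the debug output can be decoded against the EAP-TLS header layout in RFC 5216 to see what each side put on the wire. The function name and dictionary keys are illustrative; the two hex strings are the leading bytes of the values logged above.

```python
import struct

# First bytes of the two EAP-Message values in the debug output above.
PEER_RESPONSE = "0x02a4007c0d8000000072160301006d0100"
SERVER_REQUEST = "0x01a503ec0dc000000a43160303005902"

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
TLS_CONTENT = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}


def decode_eap_tls(hex_value):
    """Decode EAP and EAP-TLS header fields; truncated log values are fine."""
    text = hex_value.strip()
    if text.lower().startswith("0x"):
        text = text[2:]
    data = bytes.fromhex(text)
    if len(data) < 6:
        raise ValueError("need at least 6 bytes of EAP-TLS header")
    code, ident, length, eap_type, flags = struct.unpack("!BBHBB", data[:6])
    if eap_type != 13:
        raise ValueError(f"EAP type {eap_type} is not EAP-TLS (13)")
    info = {
        "code": EAP_CODES.get(code, str(code)),
        "id": ident,
        "eap_length": length,
        "length_included": bool(flags & 0x80),  # L bit
        "more_fragments": bool(flags & 0x40),   # M bit
        "start": bool(flags & 0x20),            # S bit
        "tls_total_length": None,
        "tls_record": None,
    }
    offset = 6
    if info["length_included"]:
        if len(data) < 10:
            raise ValueError("L bit set but TLS Message Length is cut off")
        info["tls_total_length"] = struct.unpack("!I", data[6:10])[0]
        offset = 10
    # TLS bytes carried by this one EAP packet (from the EAP Length field).
    info["tls_bytes_in_packet"] = length - offset
    if len(data) >= offset + 5:  # first TLS record header, if present
        ctype, major, minor, rec_len = struct.unpack("!BBBH", data[offset:offset + 5])
        info["tls_record"] = (TLS_CONTENT.get(ctype, str(ctype)), f"{major}.{minor}", rec_len)
    return info


if __name__ == "__main__":
    for name, value in (("peer", PEER_RESPONSE), ("server", SERVER_REQUEST)):
        print(name, decode_eap_tls(value))
```

For this log it shows the phone's response carrying a complete 114-byte TLS message (a handshake record of 109 bytes), and the server's 1004-byte request as the first fragment (L and M bits set) of a 2627-byte TLS flight.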

