radius and ldap authentication.
Edelberto Franco
esilva at midiacom.uff.br
Fri Aug 11 07:44:48 CEST 2017
Dear,
I guess you do not have hashNT (sambaNTPasswd attribute) configured in
your LDAP, right? If it is true, configure it there or your
PEAP/MSCHAPv2 authentication won't work.
See mods-available/ldap for examples of how to configure NT-Password
(from FR) to the LDAP hashNT attribute (maybe sambaNTPassword).
TTLS/PAP works, right?!
--E
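The reply's diagnosis, as an added example (not code from the thread or from FreeRADIUS): with TTLS/PAP the cleartext password reaches the server, so a {SHA}/{SSHA} userPassword can be checked the way rlm_pap does it, whereas PEAP/MSCHAPv2 only ever proves possession of the NT hash (MD4 over the UTF-16LE password), which cannot be derived from a SHA digest, so the directory must also carry that hash. The attribute name sambaNTPassword, the DN, the entry and the passwords below are assumptions or constructed data.

```python
"""Constructed example: why a {SHA} userPassword satisfies TTLS/PAP but not
PEAP/MSCHAPv2, and the LDIF that adds the NT hash the reply asks for."""
import base64
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF
NT_HASH_ATTR = "sambaNTPassword"  # assumption: attribute from the Samba schema


def _lrot(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib.new('md4') is often disabled under
    OpenSSL 3, so the NT hash is computed without it."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    bit_len = len(data) * 8
    data += b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", bit_len)

    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z

    rounds = (
        (f, 0x00000000, (3, 7, 11, 19), list(range(16))),
        (g, 0x5A827999, (3, 5, 9, 13), [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]),
        (h, 0x6ED9EBA1, (3, 9, 11, 15), [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    )
    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, k, shifts, order in rounds:
            for i, idx in enumerate(order):
                t = (a + fn(b, c, d) + x[idx] + k) & MASK
                a, b, c, d = d, _lrot(t, shifts[i % 4]), b, c
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4 over the UTF-16LE password; MSCHAPv2 is keyed on this."""
    return md4(password.encode("utf-16-le"))


def make_userpassword(password: str, salt: bytes = b"") -> str:
    """Build a userPassword value in the {SHA} (no salt) or {SSHA} scheme."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    if not salt:
        return "{SHA}" + base64.b64encode(digest).decode()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def verify_userpassword(stored: str, candidate: str) -> bool:
    """What rlm_pap can do with a Password-With-Header check item once the
    cleartext password arrives inside the tunnel (TTLS/PAP)."""
    scheme, _, b64 = stored.partition("}")
    scheme = scheme.lstrip("{").upper()
    raw = base64.b64decode(b64)
    if scheme == "SHA":
        digest, salt = raw, b""
    elif scheme == "SSHA":
        digest, salt = raw[:20], raw[20:]
    else:
        return False  # other schemes are out of scope for this example
    return hmac.compare_digest(digest, hashlib.sha1(candidate.encode() + salt).digest())


def mschap_usable(entry: dict) -> bool:
    """PEAP/MSCHAPv2 never transmits the password, only a response computed
    from the NT hash, so rlm_mschap needs NT-Password (or a cleartext password
    to derive it). A {SHA} userPassword provides neither."""
    nt = entry.get(NT_HASH_ATTR, "")
    if len(nt) == 32 and all(ch in "0123456789abcdefABCDEF" for ch in nt):
        return True
    pw = entry.get("userPassword", "")
    return bool(pw) and not pw.startswith("{")  # unprefixed value = cleartext


def ldif_set_nt_hash(dn: str, password: str) -> str:
    """LDIF storing the NT hash beside the existing SHA userPassword.
    Assumes the Samba schema (sambaSamAccount) is loaded in the directory."""
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        f"replace: {NT_HASH_ATTR}",
        f"{NT_HASH_ATTR}: {nt_hash(password).hex().upper()}",
        "-",
        "",
    ])


if __name__ == "__main__":
    # Constructed entry modelled on the thread's "[ldap] userPassword ->
    # Password-With-Header == {SHA}..." debug line.
    entry = {"uid": "test", "userPassword": make_userpassword("password")}
    print("TTLS/PAP check   :", verify_userpassword(entry["userPassword"], "password"))
    print("PEAP/MSCHAPv2 ok :", mschap_usable(entry))
    print(ldif_set_nt_hash("uid=test,dc=example,dc=org", "password"))
    entry[NT_HASH_ATTR] = nt_hash("password").hex().upper()
    print("PEAP/MSCHAPv2 ok :", mschap_usable(entry))
```

Because the NT hash is a password equivalent, restrict read access on that attribute to the identity FreeRADIUS binds with, and populate it only at password-change time (the hash cannot be back-filled from the existing SHA values).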
On 11-Aug-17 1:53 AM, Mohd Akhbar wrote:
> I want to connect RADIUS with my LDAP (389 Directory), and my user passwords
> are in SHA. I am actually taking over the task from a colleague. Please give
> some advice. Thank you.
>
> ===========================================
> [root at eduroam-idp ~]# radiusd -X
> radiusd: FreeRADIUS Version 2.2.6, for host x86_64-redhat-linux-gnu, built
> on Jul 17 2017 at 23:07:34
> Copyright (C) 1999-2013 The FreeRADIUS server project and contributors.
> There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
> PARTICULAR PURPOSE.
> You may redistribute copies of FreeRADIUS under the terms of the
> GNU General Public License.
> For more information about these matters, see the file named COPYRIGHT.
> Starting - reading configuration files ...
> including configuration file /etc/raddb/radiusd.conf
> including configuration file /etc/raddb/proxy.conf
> including configuration file /etc/raddb/clients.conf
> including files in directory /etc/raddb/modules/
> including configuration file /etc/raddb/modules/smsotp
> including configuration file /etc/raddb/modules/mac2vlan
> including configuration file /etc/raddb/modules/linelog
> including configuration file /etc/raddb/modules/pap
> including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
> including configuration file /etc/raddb/modules/echo
> including configuration file /etc/raddb/modules/ntlm_auth
> including configuration file /etc/raddb/modules/mschap
> including configuration file /etc/raddb/modules/inner-eap
> including configuration file /etc/raddb/modules/smbpasswd
> including configuration file /etc/raddb/modules/pam
> including configuration file /etc/raddb/modules/ldap
> including configuration file /etc/raddb/modules/passwd
> including configuration file /etc/raddb/modules/realm
> including configuration file /etc/raddb/modules/acct_unique
> including configuration file /etc/raddb/modules/policy
> including configuration file /etc/raddb/modules/otp
> including configuration file /etc/raddb/modules/logintime
> including configuration file /etc/raddb/modules/rediswho
> including configuration file /etc/raddb/modules/ldap.BAK
> including configuration file /etc/raddb/modules/ippool
> including configuration file /etc/raddb/modules/opendirectory
> including configuration file /etc/raddb/modules/counter
> including configuration file /etc/raddb/modules/always
> including configuration file /etc/raddb/modules/detail
> including configuration file /etc/raddb/modules/expiration
> including configuration file /etc/raddb/modules/expr
> including configuration file /etc/raddb/modules/etc_group
> including configuration file /etc/raddb/modules/detail.example.com
> including configuration file /etc/raddb/modules/sradutmp
> including configuration file /etc/raddb/modules/sql_log
> including configuration file /etc/raddb/modules/files
> including configuration file /etc/raddb/modules/perl
> including configuration file /etc/raddb/modules/cui
> including configuration file /etc/raddb/modules/dhcp_sqlippool
> including configuration file /etc/raddb/modules/attr_filter
> including configuration file /etc/raddb/modules/radrelay
> including configuration file /etc/raddb/modules/chap
> including configuration file /etc/raddb/modules/soh
> including configuration file /etc/raddb/modules/unix
> including configuration file /etc/raddb/modules/mac2ip
> including configuration file /etc/raddb/modules/digest
> including configuration file /etc/raddb/modules/preprocess
> including configuration file /etc/raddb/modules/wimax
> including configuration file /etc/raddb/modules/checkval
> including configuration file /etc/raddb/modules/exec
> including configuration file /etc/raddb/modules/replicate
> including configuration file /etc/raddb/modules/redis
> including configuration file /etc/raddb/modules/cache
> including configuration file /etc/raddb/modules/detail.log
> including configuration file /etc/raddb/modules/dynamic_clients
> including configuration file /etc/raddb/modules/radutmp
> including configuration file /etc/raddb/modules/attr_rewrite
> including configuration file /etc/raddb/eap.conf
> including configuration file /etc/raddb/policy.conf
> including files in directory /etc/raddb/sites-enabled/
> including configuration file /etc/raddb/sites-enabled/inner-tunnel
> including configuration file /etc/raddb/sites-enabled/eduroam-inner-tunnel
> including configuration file /etc/raddb/sites-enabled/control-socket
> including configuration file /etc/raddb/sites-enabled/default
> main {
> allow_core_dumps = no
> }
> including dictionary file /etc/raddb/dictionary
> main {
> name = "radiusd"
> prefix = "/usr"
> localstatedir = "/var"
> sbindir = "/usr/sbin"
> logdir = "/var/log/radius"
> run_dir = "/var/run/radiusd"
> libdir = "/usr/lib"
> radacctdir = "/var/log/radius/radacct"
> hostname_lookups = no
> max_request_time = 30
> cleanup_delay = 5
> max_requests = 1024
> pidfile = "/var/run/radiusd/radiusd.pid"
> checkrad = "/usr/sbin/checkrad"
> debug_level = 0
> proxy_requests = yes
> log {
> stripped_names = no
> auth = yes
> auth_badpass = no
> auth_goodpass = no
> }
> security {
> max_attributes = 200
> reject_delay = 1
> status_server = yes
> }
> }
> radiusd: #### Loading Realms and Home Servers ####
> proxy server {
> retry_delay = 5
> retry_count = 3
> default_fallback = yes
> dead_time = 120
> wake_all_if_all_dead = no
> }
> realm ~^(.+\.)?uthm\.edu\.my$ {
> authhost = LOCAL
> accthost = LOCAL
> }
> realm DEFAULT {
> nostrip
> authhost = 192.168.241.12:1812
> secret = TcMvKbBdVChdYdeY
> }
> realm suffix {
> }
> radiusd: #### Loading Clients ####
> client localhost {
> ipaddr = 192.168.241.12
> netmask = 32
> require_message_authenticator = no
> secret = "TcMvKbBdVChdYdeY"
> shortname = "radsec"
> nastype = "other"
> virtual_server = "eduroam-inner-tunnel"
> }
> radiusd: #### Instantiating modules ####
> instantiate {
> Module: Linked to module rlm_expr
> Module: Instantiating module "expr" from file /etc/raddb/modules/expr
> }
> radiusd: #### Loading Virtual Servers ####
> server { # from file
> modules {
> Module: Creating Auth-Type = digest
> Module: Creating Post-Auth-Type = REJECT
> Module: Checking authenticate {...} for more modules to load
> Module: Linked to module rlm_pap
> Module: Instantiating module "pap" from file /etc/raddb/modules/pap
> pap {
> encryption_scheme = "auto"
> auto_header = yes
> }
> Module: Linked to module rlm_chap
> Module: Instantiating module "chap" from file /etc/raddb/modules/chap
> Module: Linked to module rlm_mschap
> Module: Instantiating module "mschap" from file /etc/raddb/modules/mschap
> mschap {
> use_mppe = yes
> require_encryption = no
> require_strong = no
> with_ntdomain_hack = no
> allow_retry = yes
> }
> Module: Linked to module rlm_digest
> Module: Instantiating module "digest" from file /etc/raddb/modules/digest
> Module: Linked to module rlm_unix
> Module: Instantiating module "unix" from file /etc/raddb/modules/unix
> unix {
> radwtmp = "/var/log/radius/radwtmp"
> }
> Module: Linked to module rlm_eap
> Module: Instantiating module "eap" from file /etc/raddb/eap.conf
> eap {
> default_eap_type = "peap"
> timer_expire = 60
> ignore_unknown_eap_types = no
> cisco_accounting_username_bug = no
> max_sessions = 2048
> }
> Module: Linked to sub-module rlm_eap_tls
> Module: Instantiating eap-tls
> tls {
> rsa_key_exchange = no
> dh_key_exchange = yes
> rsa_key_length = 512
> dh_key_length = 512
> verify_depth = 0
> pem_file_type = yes
> private_key_file = "/etc/letsencrypt/live/
> idp.uthm.edu.my/privkey.pem"
> certificate_file = "/etc/letsencrypt/live/idp.uthm.edu.my/cert.pem"
> CA_file = "/etc/letsencrypt/live/idp.uthm.edu.my/chain.pem"
> dh_file = "/etc/certs/dh"
> random_file = "/dev/urandom"
> fragment_size = 1024
> include_length = yes
> check_crl = no
> cipher_list = "DEFAULT"
> ecdh_curve = "prime256v1"
> }
> WARNING: rlm_eap_tls: Unable to set DH parameters. DH cipher suites may
> not work!
> WARNING: Fix this by running the OpenSSL command listed in eap.conf
> Module: Linked to sub-module rlm_eap_ttls
> Module: Instantiating eap-ttls
> ttls {
> default_eap_type = "mschapv2"
> copy_request_to_tunnel = yes
> use_tunneled_reply = yes
> virtual_server = "eduroam-inner-tunnel"
> include_length = yes
> }
> Module: Linked to sub-module rlm_eap_peap
> Module: Instantiating eap-peap
> peap {
> default_eap_type = "mschapv2"
> copy_request_to_tunnel = yes
> use_tunneled_reply = yes
> proxy_tunneled_request_as_eap = yes
> virtual_server = "eduroam-inner-tunnel"
> soh = no
> }
> Module: Linked to sub-module rlm_eap_mschapv2
> Module: Instantiating eap-mschapv2
> mschapv2 {
> with_ntdomain_hack = no
> send_error = no
> }
> Module: Checking authorize {...} for more modules to load
> Module: Linked to module rlm_preprocess
> Module: Instantiating module "preprocess" from file
> /etc/raddb/modules/preprocess
> preprocess {
> huntgroups = "/etc/raddb/huntgroups"
> hints = "/etc/raddb/hints"
> with_ascend_hack = no
> ascend_channels_per_line = 23
> with_ntdomain_hack = no
> with_specialix_jetstream_hack = no
> with_cisco_vsa_hack = no
> with_alvarion_vsa_hack = no
> }
> reading pairlist file /etc/raddb/huntgroups
> reading pairlist file /etc/raddb/hints
> Module: Linked to module rlm_realm
> Module: Instantiating module "suffix" from file /etc/raddb/modules/realm
> realm suffix {
> format = "suffix"
> delimiter = "@"
> ignore_default = no
> ignore_null = no
> }
> Module: Linked to module rlm_files
> Module: Instantiating module "files" from file /etc/raddb/modules/files
> files {
> usersfile = "/etc/raddb/users"
> acctusersfile = "/etc/raddb/acct_users"
> preproxy_usersfile = "/etc/raddb/preproxy_users"
> compat = "no"
> }
> reading pairlist file /etc/raddb/users
> reading pairlist file /etc/raddb/acct_users
> reading pairlist file /etc/raddb/preproxy_users
> Module: Linked to module rlm_ldap
> Module: Instantiating module "ldap" from file /etc/raddb/modules/ldap
> ldap {
> server = "ldap.uthm.edu.my"
> port = 389
> password = "mypassword"
> expect_password = yes
> identity = "cn=Directory Manager"
> net_timeout = 1
> timeout = 4
> timelimit = 3
> max_uses = 0
> tls_mode = no
> start_tls = no
> tls_require_cert = "allow"
> basedn = "dc=uthm,dc=edu,dc=my"
> filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
> base_filter = "(objectclass=inetOrgPerson)"
> auto_header = no
> access_attr = "uid"
> access_attr_used_for_allow = yes
> groupname_attribute = "cn"
> groupmembership_filter =
> "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
> dictionary_mapping = "/etc/raddb/ldap.attrmap"
> ldap_debug = 0
> ldap_connections_number = 10
> compare_check_items = no
> do_xlat = yes
> set_auth_type = yes
> }
> rlm_ldap: Registering ldap_groupcmp for Ldap-Group
> rlm_ldap: Registering ldap_xlat with xlat_name ldap
> rlm_ldap: Over-riding set_auth_type, as there is no module ldap listed in
> the "authenticate" section.
> rlm_ldap: reading ldap<->radius mappings from file /etc/raddb/ldap.attrmap
> rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
> rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
> rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
> rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
> rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
> rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
> rlm_ldap: LDAP userPassword mapped to RADIUS Password-With-Header
> rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
> rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
> rlm_ldap: LDAP uid mapped to RADIUS User-Name
> rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
> rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
> rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
> rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
> rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
> rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
> rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
> rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
> rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
> rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
> rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
> rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
> rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
> rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
> rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
> rlm_ldap: LDAP radiusClass mapped to RADIUS Class
> rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
> rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
> rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
> rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
> rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
> rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
> rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS
> Framed-AppleTalk-Link
> rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS
> Framed-AppleTalk-Network
> rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS
> Framed-AppleTalk-Zone
> rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
> rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
> rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
> rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type
> rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type
> rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS
> Tunnel-Private-Group-Id
> conns: 0x7f75996694a0
> Module: Linked to module rlm_expiration
> Module: Instantiating module "expiration" from file
> /etc/raddb/modules/expiration
> expiration {
> reply-message = "Password Has Expired "
> }
> Module: Linked to module rlm_logintime
> Module: Instantiating module "logintime" from file
> /etc/raddb/modules/logintime
> logintime {
> reply-message = "You are calling outside your allowed timespan "
> minimum-timeout = 60
> }
> Module: Checking preacct {...} for more modules to load
> Module: Linked to module rlm_acct_unique
> Module: Instantiating module "acct_unique" from file
> /etc/raddb/modules/acct_unique
> acct_unique {
> key = "User-Name, Acct-Session-Id, NAS-IP-Address, NAS-Identifier,
> NAS-Port"
> }
> Module: Checking accounting {...} for more modules to load
> Module: Linked to module rlm_detail
> Module: Instantiating module "detail" from file /etc/raddb/modules/detail
> detail {
> detailfile =
> "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
> header = "%t"
> detailperm = 384
> dirperm = 493
> locking = no
> log_packet_header = no
> }
> Module: Linked to module rlm_exec
> Module: Instantiating module "exec" from file /etc/raddb/modules/exec
> exec {
> wait = no
> input_pairs = "request"
> shell_escape = yes
> timeout = 10
> }
> Module: Linked to module rlm_attr_filter
> Module: Instantiating module "attr_filter.accounting_response" from file
> /etc/raddb/modules/attr_filter
> attr_filter attr_filter.accounting_response {
> attrsfile = "/etc/raddb/attrs.accounting_response"
> key = "%{User-Name}"
> relaxed = no
> }
> reading pairlist file /etc/raddb/attrs.accounting_response
> Module: Checking session {...} for more modules to load
> Module: Linked to module rlm_radutmp
> Module: Instantiating module "radutmp" from file /etc/raddb/modules/radutmp
> radutmp {
> filename = "/var/log/radius/radutmp"
> username = "%{User-Name}"
> case_sensitive = yes
> check_with_nas = yes
> perm = 384
> callerid = yes
> }
> Module: Checking post-proxy {...} for more modules to load
> Module: Checking post-auth {...} for more modules to load
> Module: Instantiating module "attr_filter.access_reject" from file
> /etc/raddb/modules/attr_filter
> attr_filter attr_filter.access_reject {
> attrsfile = "/etc/raddb/attrs.access_reject"
> key = "%{User-Name}"
> relaxed = no
> }
> reading pairlist file /etc/raddb/attrs.access_reject
> } # modules
> } # server
> server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel
> modules {
> Module: Checking authenticate {...} for more modules to load
> Module: Checking authorize {...} for more modules to load
> Module: Checking session {...} for more modules to load
> Module: Checking post-proxy {...} for more modules to load
> Module: Checking post-auth {...} for more modules to load
> } # modules
> } # server
> server eduroam-inner-tunnel { # from file
> /etc/raddb/sites-enabled/eduroam-inner-tunnel
> modules {
> Module: Checking authenticate {...} for more modules to load
> Module: Checking authorize {...} for more modules to load
> Module: Instantiating module "auth_log" from file
> /etc/raddb/modules/detail.log
> detail auth_log {
> detailfile =
> "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
> header = "%t"
> detailperm = 384
> dirperm = 493
> locking = no
> log_packet_header = no
> }
> Module: Checking post-auth {...} for more modules to load
> Module: Instantiating module "reply_log" from file
> /etc/raddb/modules/detail.log
> detail reply_log {
> detailfile =
> "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
> header = "%t"
> detailperm = 384
> dirperm = 493
> locking = no
> log_packet_header = no
> }
> } # modules
> } # server
> radiusd: #### Opening IP addresses and Ports ####
> listen {
> type = "auth"
> ipaddr = 127.0.0.1
> port = 0
> }
> listen {
> type = "acct"
> ipaddr = 127.0.0.1
> port = 0
> }
> listen {
> type = "control"
> listen {
> socket = "/var/run/radiusd/radiusd.sock"
> }
> }
> listen {
> type = "auth"
> ipaddr = 127.0.0.1
> port = 18120
> }
> Listening on authentication address 127.0.0.1 port 1812
> Listening on accounting address 127.0.0.1 port 1813
> Listening on command file /var/run/radiusd/radiusd.sock
> Listening on authentication address 127.0.0.1 port 18120 as server
> inner-tunnel
> Listening on proxy address * port 1217
> Ready to process requests.
> rad_recv: Status-Server packet from host 192.168.241.12 port 56951, id=0,
> length=38
> Message-Authenticator = 0xbf53e4c9a8a5a0bb431dc680c121d53d
> server eduroam-inner-tunnel {
> } # server eduroam-inner-tunnel
> Sending Access-Accept of id 0 to 192.168.241.12 port 56951
> Finished request 0.
> Cleaning up request 0 ID 0 with timestamp +18
> Going to the next request
> Ready to process requests.
>
> ============================
>
>
>
> Log when I try to connect as user test.
> ================================
>
> rad_recv: Access-Request packet from host 192.168.241.12 port 56951,
> id=150, length=223
> User-Name = "test at uthm.edu.my"
> NAS-IP-Address = 192.168.241.12
> NAS-Port = 0
> NAS-Identifier = "eduroam"
> NAS-Port-Type = Wireless-802.11
> Calling-Station-Id = "606720CB37CC"
> Called-Station-Id = "001A1E012EE8"
> Service-Type = Login-User
> Framed-MTU = 1100
> EAP-Message = 0x020100150174657374407574686d2e6564752e6d79
> Aruba-Essid-Name = "eduroam"
> Aruba-Location-Id = "PTM-MIS"
> Aruba-AP-Group = "MC-A05-Pusat_Teknologi_Maklumat"
> Message-Authenticator = 0xdc2b75e509a96ab724feaf3d03953633
> server eduroam-inner-tunnel {
> # Executing section authorize from file
> /etc/raddb/sites-enabled/eduroam-inner-tunnel
> +group authorize {
> [auth_log] expand: %{Packet-Src-IP-Address} -> 192.168.241.12
> [auth_log] expand:
> /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
> -> /var/log/radius/radacct/192.168.241.12/auth-detail-20170811
> [auth_log]
> /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
> expands to /var/log/radius/radacct/192.168.241.12/auth-detail-20170811
> [auth_log] expand: %t -> Fri Aug 11 12:48:34 2017
> ++[auth_log] = ok
> [suffix] Looking up realm "uthm.edu.my" for User-Name = "test at uthm.edu.my"
> [suffix] Found realm "~^(.+\.)?uthm\.edu\.my$"
> [suffix] Adding Stripped-User-Name = "test"
> [suffix] Adding Realm = "uthm.edu.my"
> [suffix] Authentication realm is LOCAL.
> ++[suffix] = ok
> [ldap] performing user authorization for test
> [ldap] expand: %{Stripped-User-Name} -> test
> [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=test)
> [ldap] expand: dc=uthm,dc=edu,dc=my -> dc=uthm,dc=edu,dc=my
> [ldap] ldap_get_conn: Checking Id: 0
> [ldap] ldap_get_conn: Got Id: 0
> [ldap] attempting LDAP reconnection
> [ldap] (re)connect to ldap.uthm.edu.my:389, authentication 0
> [ldap] bind as cn=Directory Manager/ik4k388x to ldap.uthm.edu.my:389
> [ldap] waiting for bind result ...
> [ldap] Bind was successful
> [ldap] performing search in dc=uthm,dc=edu,dc=my, with filter (uid=test)
> [ldap] checking if remote access for test is allowed by uid
> [ldap] looking for check items in directory...
> [ldap] uid -> User-Name == "test"
> [ldap] userPassword -> Password-With-Header ==
> "{SHA}m8NFSdVl2VBbKH3gzSCsd74dPyw="
> [ldap] looking for reply items in directory...
> [ldap] user test authorized to use remote access
> [ldap] ldap_release_conn: Release Id: 0
> ++[ldap] = ok
> ++[files] = noop
> ++[mschap] = noop
> [pap] No clear-text password in the request. Not performing PAP.
> ++[pap] = noop
> [eap] EAP packet type response id 1 length 21
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] = updated
> +} # group authorize = updated
> Found Auth-Type = EAP
> # Executing group from file /etc/raddb/sites-enabled/eduroam-inner-tunnel
> +group authenticate {
> [eap] EAP Identity
> [eap] processing type tls
> [tls] Initiate
> [tls] Start returned 1
> ++[eap] = handled
> +} # group authenticate = handled
> } # server eduroam-inner-tunnel
> Sending Access-Challenge of id 150 to 192.168.241.12 port 56951
> EAP-Message = 0x010200061920
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x8fae4f288fac56d7f54a19d8916d3466
> Finished request 7.
> Going to the next request
> Waking up in 4.9 seconds.
> rad_recv: Status-Server packet from host 192.168.241.12 port 56951, id=0,
> length=38
> Message-Authenticator = 0xecface185786ea7a6b82e20ad361fc34
> server eduroam-inner-tunnel {
> } # server eduroam-inner-tunnel
> Sending Access-Accept of id 0 to 192.168.241.12 port 56951
> Finished request 8.
> Cleaning up request 8 ID 0 with timestamp +220
> Going to the next request
> Waking up in 4.9 seconds.
> rad_recv: Access-Request packet from host 192.168.241.12 port 56951,
> id=151, length=398
> User-Name = "test at uthm.edu.my"
> NAS-IP-Address = 192.168.241.12
> NAS-Port = 0
> NAS-Identifier = "eduroam"
> NAS-Port-Type = Wireless-802.11
> Calling-Station-Id = "606720CB37CC"
> Called-Station-Id = "001A1E012EE8"
> Service-Type = Login-User
> Framed-MTU = 1100
> EAP-Message =
> 0x020200b21980000000a816030300a30100009f0303598d3725e7a897863c61fbd68a95003f647bab3f0324fa2da6110b4e8860890200003cc02cc02bc030c02f009f009ec024c023c028c027c00ac009c014c01300390033009d009c003d003c0035002f000a006a0040003800320013000500040100003a000500050100000000000a0006000400170018000b00020100000d0010000e04010501020104030503020302020023000000170000ff01000100
> State = 0x8fae4f288fac56d7f54a19d8916d3466
> Aruba-Essid-Name = "eduroam"
> Aruba-Location-Id = "PTM-MIS"
> Aruba-AP-Group = "MC-A05-Pusat_Teknologi_Maklumat"
> Message-Authenticator = 0x063c2c71061d7ae5e121a4058281fa1d
> server eduroam-inner-tunnel {
> # Executing section authorize from file
> /etc/raddb/sites-enabled/eduroam-inner-tunnel
> +group authorize {
> [auth_log] expand: %{Packet-Src-IP-Address} -> 192.168.241.12
> [auth_log] expand:
> /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
> -> /var/log/radius/radacct/192.168.241.12/auth-detail-20170811
> [auth_log]
> /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
> expands to /var/log/radius/radacct/192.168.241.12/auth-detail-20170811
> [auth_log] expand: %t -> Fri Aug 11 12:48:34 2017
> ++[auth_log] = ok
> [suffix] Looking up realm "uthm.edu.my" for User-Name = "test at uthm.edu.my"
> [suffix] Found realm "~^(.+\.)?uthm\.edu\.my$"
> [suffix] Adding Stripped-User-Name = "test"
> [suffix] Adding Realm = "uthm.edu.my"
> [suffix] Authentication realm is LOCAL.
> ++[suffix] = ok
> [ldap] performing user authorization for test
> [ldap] expand: %{Stripped-User-Name} -> test
> [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=test)
> [ldap] expand: dc=uthm,dc=edu,dc=my -> dc=uthm,dc=edu,dc=my
> [ldap] ldap_get_conn: Checking Id: 0
> [ldap] ldap_get_conn: Got Id: 0
> [ldap] performing search in dc=uthm,dc=edu,dc=my, with filter (uid=test)
> [ldap] checking if remote access for test is allowed by uid
> [ldap] looking for check items in directory...
> [ldap] uid -> User-Name == "test"
> [ldap] userPassword -> Password-With-Header ==
> "{SHA}m8NFSdVl2VBbKH3gzSCsd74dPyw="
> [ldap] looking for reply items in directory...
> [ldap] user test authorized to use remote access
> [ldap] ldap_release_conn: Release Id: 0
> ++[ldap] = ok
> ++[files] = noop
> ++[mschap] = noop
> [pap] No clear-text password in the request. Not performing PAP.
> ++[pap] = noop
> [eap] EAP packet type response id 2 length 178
> [eap] Continuing tunnel setup.
> ++[eap] = ok
> +} # group authorize = ok
> Found Auth-Type = EAP
> # Executing group from file /etc/raddb/sites-enabled/eduroam-inner-tunnel
> +group authenticate {
> [eap] Request found, released from the list
> [eap] EAP/peap
> [eap] processing type peap
> [peap] processing EAP-TLS
> TLS Length 168
> [peap] Length Included
> [peap] eaptls_verify returned 11
> [peap] (other): before/accept initialization
> [peap] TLS_accept: before/accept initialization
> [peap] <<< Unknown TLS version [length 00a3]
> [peap] TLS_accept: SSLv3 read client hello A
> [peap] >>> Unknown TLS version [length 0039]
> [peap] TLS_accept: SSLv3 write server hello A
> [peap] >>> Unknown TLS version [length 09a8]
> [peap] TLS_accept: SSLv3 write certificate A
> [peap] >>> Unknown TLS version [length 014d]
> [peap] TLS_accept: SSLv3 write key exchange A
> [peap] >>> Unknown TLS version [length 0004]
> [peap] TLS_accept: SSLv3 write server done A
> [peap] TLS_accept: SSLv3 flush data
> [peap] TLS_accept: Need to read more data: SSLv3 read client
> certificate A
> [peap] TLS_accept: Need to read more data: SSLv3 read client
> certificate A
> In SSL Handshake Phase
> In SSL Accept mode
> [peap] eaptls_process returned 13
> [peap] EAPTLS_HANDLED
> ++[eap] = handled
> +} # group authenticate = handled
> } # server eduroam-inner-tunnel
> Sending Access-Challenge of id 151 to 192.168.241.12 port 56951
> EAP-Message = 0x206163636f7264616e636520
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x8fae4f288ead56d7f54a19d8916d3466
> Finished request 9.
> Going to the next request
> Waking up in 4.9 seconds.
> rad_recv: Access-Request packet from host 192.168.241.12 port 56951,
> id=152, length=226
> User-Name = "test at uthm.edu.my"
> NAS-IP-Address = 192.168.241.12
> NAS-Port = 0
> NAS-Identifier = "eduroam"
> NAS-Port-Type = Wireless-802.11
> Calling-Station-Id = "606720CB37CC"
> Called-Station-Id = "001A1E012EE8"
> Service-Type = Login-User
> Framed-MTU = 1100
> EAP-Message = 0x020300061900
> State = 0x8fae4f288ead56d7f54a19d8916d3466
> Aruba-Essid-Name = "eduroam"
> Aruba-Location-Id = "PTM-MIS"
> Aruba-AP-Group = "MC-A05-Pusat_Teknologi_Maklumat"
> Message-Authenticator = 0x169f17aff5bf1ec04b4c7b2e442b3ed9
> server eduroam-inner-tunnel {
> # Executing section authorize from file
> /etc/raddb/sites-enabled/eduroam-inner-tunnel
> +group authorize {
> [auth_log] expand: %{Packet-Src-IP-Address} -> 192.168.241.12
> [auth_log] expand:
> /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
> -> /var/log/radius/radacct/192.168.241.12/auth-detail-20170811
> [auth_log]
> /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
> expands to /var/log/radius/radacct/192.168.241.12/auth-detail-20170811
> [auth_log] expand: %t -> Fri Aug 11 12:48:34 2017
> ++[auth_log] = ok
> [suffix] Looking up realm "uthm.edu.my" for User-Name = "test at uthm.edu.my"
> [suffix] Found realm "~^(.+\.)?uthm\.edu\.my$"
> [suffix] Adding Stripped-User-Name = "test"
> [suffix] Adding Realm = "uthm.edu.my"
> [suffix] Authentication realm is LOCAL.
> ++[suffix] = ok
> [ldap] performing user authorization for test
> [ldap] expand: %{Stripped-User-Name} -> test
> [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=test)
> [ldap] expand: dc=uthm,dc=edu,dc=my -> dc=uthm,dc=edu,dc=my
> [ldap] ldap_get_conn: Checking Id: 0
> [ldap] ldap_get_conn: Got Id: 0
> [ldap] performing search in dc=uthm,dc=edu,dc=my, with filter (uid=test)
> [ldap] checking if remote access for test is allowed by uid
> [ldap] looking for check items in directory...
> [ldap] uid -> User-Name == "test"
> [ldap] userPassword -> Password-With-Header ==
> "{SHA}m8NFSdVl2VBbKH3gzSCsd74dPyw="
> [ldap] looking for reply items in directory...
> [ldap] user test authorized to use remote access
> [ldap] ldap_release_conn: Release Id: 0
> ++[ldap] = ok
> ++[files] = noop
> ++[mschap] = noop
> [pap] No clear-text password in the request. Not performing PAP.
> ++[pap] = noop
> [eap] EAP packet type response id 3 length 6
> [eap] Continuing tunnel setup.
> ++[eap] = ok
> +} # group authorize = ok
> Found Auth-Type = EAP
> # Executing group from file /etc/raddb/sites-enabled/eduroam-inner-tunnel
> +group authenticate {
> [eap] Request found, released from the list
> [eap] EAP/peap
> [eap] processing type peap
> [peap] processing EAP-TLS
> [peap] Received TLS ACK
> [peap] ACK handshake fragment handler
> [peap] eaptls_verify returned 1
> [peap] eaptls_process returned 13
> [peap] EAPTLS_HANDLED
> ++[eap] = handled
> +} # group authenticate = handled
> } # server eduroam-inner-tunnel
> Sending Access-Challenge of id 152 to 192.168.241.12 port 56951
> EAP-Message = 0x74727573742e636f
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x8fae4f288daa56d7f54a19d8916d3466
> Finished request 10.
> Going to the next request
> Waking up in 4.9 seconds.
> rad_recv: Access-Request packet from host 192.168.241.12 port 56951,
> id=153, length=226
> User-Name = "test at uthm.edu.my"
> NAS-IP-Address = 192.168.241.12
> NAS-Port = 0
> NAS-Identifier = "eduroam"
> NAS-Port-Type = Wireless-802.11
> Calling-Station-Id = "606720CB37CC"
> Called-Station-Id = "001A1E012EE8"
> Service-Type = Login-User
> Framed-MTU = 1100
> EAP-Message = 0x020400061900
> State = 0x8fae4f288daa56d7f54a19d8916d3466
> Aruba-Essid-Name = "eduroam"
> Aruba-Location-Id = "PTM-MIS"
> Aruba-AP-Group = "MC-A05-Pusat_Teknologi_Maklumat"
> Message-Authenticator = 0xc60aac92364e2b6924ae3770ca74f5e0
> server eduroam-inner-tunnel {
> # Executing section authorize from file
> /etc/raddb/sites-enabled/eduroam-inner-tunnel
> +group authorize {
> [auth_log] expand: %{Packet-Src-IP-Address} -> 192.168.241.12
> [auth_log] expand:
> /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
> -> /var/log/radius/radacct/192.168.241.12/auth-detail-20170811
> [auth_log]
> /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
> expands to /var/log/radius/radacct/192.168.241.12/auth-detail-20170811
> [auth_log] expand: %t -> Fri Aug 11 12:48:34 2017
> ++[auth_log] = ok
> [suffix] Looking up realm "uthm.edu.my" for User-Name = "test at uthm.edu.my"
> [suffix] Found realm "~^(.+\.)?uthm\.edu\.my$"
> [suffix] Adding Stripped-User-Name = "test"
> [suffix] Adding Realm = "uthm.edu.my"
> [suffix] Authentication realm is LOCAL.
> ++[suffix] = ok
> [ldap] performing user authorization for test
> [ldap] expand: %{Stripped-User-Name} -> test
> [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=test)
> [ldap] expand: dc=uthm,dc=edu,dc=my -> dc=uthm,dc=edu,dc=my
> [ldap] ldap_get_conn: Checking Id: 0
> [ldap] ldap_get_conn: Got Id: 0
> [ldap] performing search in dc=uthm,dc=edu,dc=my, with filter (uid=test)
> [ldap] checking if remote access for test is allowed by uid
> [ldap] looking for check items in directory...
> [ldap] uid -> User-Name == "test"
> [ldap] userPassword -> Password-With-Header ==
> "{SHA}m8NFSdVl2VBbKH3gzSCsd74dPyw="
> [ldap] looking for reply items in directory...
> [ldap] user test authorized to use remote access
> [ldap] ldap_release_conn: Release Id: 0
> ++[ldap] = ok
> ++[files] = noop
> ++[mschap] = noop
> [pap] No clear-text password in the request. Not performing PAP.
> ++[pap] = noop
> [eap] EAP packet type response id 4 length 6
> [eap] Continuing tunnel setup.
> ++[eap] = ok
> +} # group authorize = ok
> Found Auth-Type = EAP
> # Executing group from file /etc/raddb/sites-enabled/eduroam-inner-tunnel
> +group authenticate {
> [eap] Request found, released from the list
> [eap] EAP/peap
> [eap] processing type peap
> [peap] processing EAP-TLS
> [peap] Received TLS ACK
> [peap] ACK handshake fragment handler
> [peap] eaptls_verify returned 1
> [peap] eaptls_process returned 13
> [peap] EAPTLS_HANDLED
> ++[eap] = handled
> +} # group authenticate = handled
> } # server eduroam-inner-tunnel
> Sending Access-Challenge of id 153 to 192.168.241.12 port 56951
> EAP-Message =
> 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
> EAP-Message =
> 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
> EAP-Message =
> 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
> EAP-Message =
> 0x6c8b5405eb5f25c413af4115fcaaaee24c89899d0a5de9676776b0c57c6d7e673a0439528bc4b55ba9f5572cedfbd3fc8405ea36f11d2661abc315739ccabafe8c19e498555e91a06ca95eac01dd688f2dd07779e92f3f84172551df1bdf2e7d16030300040e000000
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x8fae4f288cab56d7f54a19d8916d3466
> Finished request 11.
> Going to the next request
> Waking up in 4.9 seconds.
> rad_recv: Access-Request packet from host 192.168.241.12 port 56951,
> id=154, length=356
> User-Name = "test at uthm.edu.my"
> NAS-IP-Address = 192.168.241.12
> NAS-Port = 0
> NAS-Identifier = "eduroam"
> NAS-Port-Type = Wireless-802.11
> Calling-Station-Id = "606720CB37CC"
> Called-Station-Id = "001A1E012EE8"
> Service-Type = Login-User
> Framed-MTU = 1100
> EAP-Message =
> 0x0205008819800000007e1603030046100000424104c54e810e0876a2f48de285e28044b9d5705e0502717c3dc8017dc66f925db3a936b10c757bfdd0c306034d301be3d9f000b3d8e396baa95c8b466988a54e689b140303000101160303002800000000000000006ac72ce7125c46232cff9613def48589606506c06bf5ba73c81ef1a541f67972
> State = 0x8fae4f288cab56d7f54a19d8916d3466
> Aruba-Essid-Name = "eduroam"
> Aruba-Location-Id = "PTM-MIS"
> Aruba-AP-Group = "MC-A05-Pusat_Teknologi_Maklumat"
> Message-Authenticator = 0x9a6c65b38d5d36756f9d367c70d9c188
> server eduroam-inner-tunnel {
> # Executing section authorize from file
> /etc/raddb/sites-enabled/eduroam-inner-tunnel
> +group authorize {
> [auth_log] expand: %{Packet-Src-IP-Address} -> 192.168.241.12
> [auth_log] expand:
> /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
> -> /var/log/radius/radacct/192.168.241.12/auth-detail-20170811
> [auth_log]
> /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
> expands to /var/log/radius/radacct/192.168.241.12/auth-detail-20170811
> [auth_log] expand: %t -> Fri Aug 11 12:48:34 2017
> ++[auth_log] = ok
> [suffix] Looking up realm "uthm.edu.my" for User-Name = "test at uthm.edu.my"
> [suffix] Found realm "~^(.+\.)?uthm\.edu\.my$"
> [suffix] Adding Stripped-User-Name = "test"
> [suffix] Adding Realm = "uthm.edu.my"
> [suffix] Authentication realm is LOCAL.
> ++[suffix] = ok
> [ldap] performing user authorization for test
> [ldap] expand: %{Stripped-User-Name} -> test
> [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=test)
> [ldap] expand: dc=uthm,dc=edu,dc=my -> dc=uthm,dc=edu,dc=my
> [ldap] ldap_get_conn: Checking Id: 0
> [ldap] ldap_get_conn: Got Id: 0
> [ldap] performing search in dc=uthm,dc=edu,dc=my, with filter (uid=test)
> [ldap] checking if remote access for test is allowed by uid
> [ldap] looking for check items in directory...
> [ldap] uid -> User-Name == "test"
> [ldap] userPassword -> Password-With-Header ==
> "{SHA}m8NFSdVl2VBbKH3gzSCsd74dPyw="
> [ldap] looking for reply items in directory...
> [ldap] user test authorized to use remote access
> [ldap] ldap_release_conn: Release Id: 0
> ++[ldap] = ok
> ++[files] = noop
> ++[mschap] = noop
> [pap] No clear-text password in the request. Not performing PAP.
> ++[pap] = noop
> [eap] EAP packet type response id 5 length 136
> [eap] Continuing tunnel setup.
> ++[eap] = ok
> +} # group authorize = ok
> Found Auth-Type = EAP
> # Executing group from file /etc/raddb/sites-enabled/eduroam-inner-tunnel
> +group authenticate {
> [eap] Request found, released from the list
> [eap] EAP/peap
> [eap] processing type peap
> [peap] processing EAP-TLS
> TLS Length 126
> [peap] Length Included
> [peap] eaptls_verify returned 11
> [peap] <<< Unknown TLS version [length 0046]
> [peap] TLS_accept: SSLv3 read client key exchange A
> [peap] <<< Unknown TLS version [length 0001]
> [peap] <<< Unknown TLS version [length 0010]
> [peap] TLS_accept: SSLv3 read finished A
> [peap] >>> Unknown TLS version [length 0001]
> [peap] TLS_accept: SSLv3 write change cipher spec A
> [peap] >>> Unknown TLS version [length 0010]
> [peap] TLS_accept: SSLv3 write finished A
> [peap] TLS_accept: SSLv3 flush data
> [peap] (other): SSL negotiation finished successfully
> SSL Connection Established
> [peap] eaptls_process returned 13
> [peap] EAPTLS_HANDLED
> ++[eap] = handled
> +} # group authenticate = handled
> } # server eduroam-inner-tunnel
> Sending Access-Challenge of id 154 to 192.168.241.12 port 56951
> EAP-Message =
> 0x01060039190014030300010116030300281c8a45d0b7de86498defbc89a27764b06a43196af0bf4a2db7824809a50bd2d3e34b5b203a2345cd
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x8fae4f288ba856d7f54a19d8916d3466
> Finished request 12.
> Going to the next request
> Waking up in 4.9 seconds.
> rad_recv: Access-Request packet from host 192.168.241.12 port 56951,
> id=155, length=226
> User-Name = "test at uthm.edu.my"
> NAS-IP-Address = 192.168.241.12
> NAS-Port = 0
> NAS-Identifier = "eduroam"
> NAS-Port-Type = Wireless-802.11
> Calling-Station-Id = "606720CB37CC"
> Called-Station-Id = "001A1E012EE8"
> Service-Type = Login-User
> Framed-MTU = 1100
> EAP-Message = 0x020600061900
> State = 0x8fae4f288ba856d7f54a19d8916d3466
> Aruba-Essid-Name = "eduroam"
> Aruba-Location-Id = "PTM-MIS"
> Aruba-AP-Group = "MC-A05-Pusat_Teknologi_Maklumat"
> Message-Authenticator = 0xb3457d7a24957b9fa3781dc6b0c24295
> server eduroam-inner-tunnel {
> # Executing section authorize from file
> /etc/raddb/sites-enabled/eduroam-inner-tunnel
> +group authorize {
> [auth_log] expand: %{Packet-Src-IP-Address} -> 192.168.241.12
> [auth_log] expand:
> /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
> -> /var/log/radius/radacct/192.168.241.12/auth-detail-20170811
> [auth_log]
> /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
> expands to /var/log/radius/radacct/192.168.241.12/auth-detail-20170811
> [auth_log] expand: %t -> Fri Aug 11 12:48:36 2017
> ++[auth_log] = ok
> [suffix] Looking up realm "uthm.edu.my" for User-Name = "test at uthm.edu.my"
> [suffix] Found realm "~^(.+\.)?uthm\.edu\.my$"
> [suffix] Adding Stripped-User-Name = "test"
> [suffix] Adding Realm = "uthm.edu.my"
> [suffix] Authentication realm is LOCAL.
> ++[suffix] = ok
> [ldap] performing user authorization for test
> [ldap] expand: %{Stripped-User-Name} -> test
> [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=test)
> [ldap] expand: dc=uthm,dc=edu,dc=my -> dc=uthm,dc=edu,dc=my
> [ldap] ldap_get_conn: Checking Id: 0
> [ldap] ldap_get_conn: Got Id: 0
> [ldap] performing search in dc=uthm,dc=edu,dc=my, with filter (uid=test)
> [ldap] checking if remote access for test is allowed by uid
> [ldap] looking for check items in directory...
> [ldap] uid -> User-Name == "test"
> [ldap] userPassword -> Password-With-Header ==
> "{SHA}m8NFSdVl2VBbKH3gzSCsd74dPyw="
> [ldap] looking for reply items in directory...
> [ldap] user test authorized to use remote access
> [ldap] ldap_release_conn: Release Id: 0
> ++[ldap] = ok
> ++[files] = noop
> ++[mschap] = noop
> [pap] No clear-text password in the request. Not performing PAP.
> ++[pap] = noop
> [eap] EAP packet type response id 6 length 6
> [eap] Continuing tunnel setup.
> ++[eap] = ok
> +} # group authorize = ok
> Found Auth-Type = EAP
> # Executing group from file /etc/raddb/sites-enabled/eduroam-inner-tunnel
> +group authenticate {
> [eap] Request found, released from the list
> [eap] EAP/peap
> [eap] processing type peap
> [peap] processing EAP-TLS
> [peap] Received TLS ACK
> [peap] ACK handshake is finished
> [peap] eaptls_verify returned 3
> [peap] eaptls_process returned 3
> [peap] EAPTLS_SUCCESS
> [peap] Session established. Decoding tunneled attributes.
> [peap] Peap state TUNNEL ESTABLISHED
> ++[eap] = handled
> +} # group authenticate = handled
> } # server eduroam-inner-tunnel
> Sending Access-Challenge of id 155 to 192.168.241.12 port 56951
> EAP-Message =
> 0x010700281900170303001d1c8a45d0b7de864ad470a8ed8a39384d931984faa55ad2ebc731ac4bbb
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x8fae4f288aa956d7f54a19d8916d3466
> Finished request 13.
> Going to the next request
> Waking up in 2.6 seconds.
> rad_recv: Access-Request packet from host 192.168.241.12 port 56951,
> id=156, length=272
> User-Name = "test at uthm.edu.my"
> NAS-IP-Address = 192.168.241.12
> NAS-Port = 0
> NAS-Identifier = "eduroam"
> NAS-Port-Type = Wireless-802.11
> Calling-Station-Id = "606720CB37CC"
> Called-Station-Id = "001A1E012EE8"
> Service-Type = Login-User
> Framed-MTU = 1100
> EAP-Message =
> 0x0207003419001703030029000000000000000134f54fb6fe56b12faf31a04562eb50ddcfa3354f7bbfd1545aa0130c45e0dd385c
> State = 0x8fae4f288aa956d7f54a19d8916d3466
> Aruba-Essid-Name = "eduroam"
> Aruba-Location-Id = "PTM-MIS"
> Aruba-AP-Group = "MC-A05-Pusat_Teknologi_Maklumat"
> Message-Authenticator = 0xa7c3a3db99bf62cb53cf74ae99a4acd5
> server eduroam-inner-tunnel {
> # Executing section authorize from file
> /etc/raddb/sites-enabled/eduroam-inner-tunnel
> +group authorize {
> [auth_log] expand: %{Packet-Src-IP-Address} -> 192.168.241.12
> [auth_log] expand:
> /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
> -> /var/log/radius/radacct/192.168.241.12/auth-detail-20170811
> [auth_log]
> /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
> expands to /var/log/radius/radacct/192.168.241.12/auth-detail-20170811
> [auth_log] expand: %t -> Fri Aug 11 12:48:36 2017
> ++[auth_log] = ok
> [suffix] Looking up realm "uthm.edu.my" for User-Name = "test at uthm.edu.my"
> [suffix] Found realm "~^(.+\.)?uthm\.edu\.my$"
> [suffix] Adding Stripped-User-Name = "test"
> [suffix] Adding Realm = "uthm.edu.my"
> [suffix] Authentication realm is LOCAL.
> ++[suffix] = ok
> [ldap] performing user authorization for test
> [ldap] expand: %{Stripped-User-Name} -> test
> [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=test)
> [ldap] expand: dc=uthm,dc=edu,dc=my -> dc=uthm,dc=edu,dc=my
> [ldap] ldap_get_conn: Checking Id: 0
> [ldap] ldap_get_conn: Got Id: 0
> [ldap] performing search in dc=uthm,dc=edu,dc=my, with filter (uid=test)
> [ldap] checking if remote access for test is allowed by uid
> [ldap] looking for check items in directory...
> [ldap] uid -> User-Name == "test"
> [ldap] userPassword -> Password-With-Header ==
> "{SHA}m8NFSdVl2VBbKH3gzSCsd74dPyw="
> [ldap] looking for reply items in directory...
> [ldap] user test authorized to use remote access
> [ldap] ldap_release_conn: Release Id: 0
> ++[ldap] = ok
> ++[files] = noop
> ++[mschap] = noop
> [pap] No clear-text password in the request. Not performing PAP.
> ++[pap] = noop
> [eap] EAP packet type response id 7 length 52
> [eap] Continuing tunnel setup.
> ++[eap] = ok
> +} # group authorize = ok
> Found Auth-Type = EAP
> # Executing group from file /etc/raddb/sites-enabled/eduroam-inner-tunnel
> +group authenticate {
> [eap] Request found, released from the list
> [eap] EAP/peap
> [eap] processing type peap
> [peap] processing EAP-TLS
> [peap] eaptls_verify returned 7
> [peap] Done initial handshake
> [peap] eaptls_process returned 7
> [peap] EAPTLS_OK
> [peap] Session established. Decoding tunneled attributes.
> [peap] Peap state WAITING FOR INNER IDENTITY
> [peap] Identity - test at uthm.edu.my
> [peap] Got inner identity 'test at uthm.edu.my'
> [peap] Setting default EAP type for tunneled EAP session.
> [peap] Got tunneled request
> EAP-Message = 0x020700150174657374407574686d2e6564752e6d79
> server eduroam-inner-tunnel {
> [peap] Setting User-Name to test at uthm.edu.my
> Sending tunneled request
> EAP-Message = 0x020700150174657374407574686d2e6564752e6d79
> FreeRADIUS-Proxied-To = 127.0.0.1
> User-Name = "test at uthm.edu.my"
> NAS-IP-Address = 192.168.241.12
> NAS-Port = 0
> NAS-Identifier = "eduroam"
> NAS-Port-Type = Wireless-802.11
> Calling-Station-Id = "606720CB37CC"
> Called-Station-Id = "001A1E012EE8"
> Service-Type = Login-User
> Framed-MTU = 1100
> Aruba-Essid-Name = "eduroam"
> Aruba-Location-Id = "PTM-MIS"
> Aruba-AP-Group = "MC-A05-Pusat_Teknologi_Maklumat"
> server eduroam-inner-tunnel {
> # Executing section authorize from file
> /etc/raddb/sites-enabled/eduroam-inner-tunnel
> +group authorize {
> [auth_log] expand: %{Packet-Src-IP-Address} -> 192.168.241.12
> [auth_log] expand:
> /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
> -> /var/log/radius/radacct/192.168.241.12/auth-detail-20170811
> [auth_log]
> /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
> expands to /var/log/radius/radacct/192.168.241.12/auth-detail-20170811
> [auth_log] expand: %t -> Fri Aug 11 12:48:36 2017
> ++[auth_log] = ok
> [suffix] Looking up realm "uthm.edu.my" for User-Name = "test at uthm.edu.my"
> [suffix] Found realm "~^(.+\.)?uthm\.edu\.my$"
> [suffix] Adding Stripped-User-Name = "test"
> [suffix] Adding Realm = "uthm.edu.my"
> [suffix] Authentication realm is LOCAL.
> ++[suffix] = ok
> [ldap] performing user authorization for test
> [ldap] expand: %{Stripped-User-Name} -> test
> [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=test)
> [ldap] expand: dc=uthm,dc=edu,dc=my -> dc=uthm,dc=edu,dc=my
> [ldap] ldap_get_conn: Checking Id: 0
> [ldap] ldap_get_conn: Got Id: 0
> [ldap] performing search in dc=uthm,dc=edu,dc=my, with filter (uid=test)
> [ldap] checking if remote access for test is allowed by uid
> [ldap] looking for check items in directory...
> [ldap] uid -> User-Name == "test"
> [ldap] userPassword -> Password-With-Header ==
> "{SHA}m8NFSdVl2VBbKH3gzSCsd74dPyw="
> [ldap] looking for reply items in directory...
> [ldap] user test authorized to use remote access
> [ldap] ldap_release_conn: Release Id: 0
> ++[ldap] = ok
> ++[files] = noop
> ++[mschap] = noop
> [pap] No clear-text password in the request. Not performing PAP.
> ++[pap] = noop
> [eap] EAP packet type response id 7 length 21
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] = updated
> +} # group authorize = updated
> Found Auth-Type = EAP
> # Executing group from file /etc/raddb/sites-enabled/eduroam-inner-tunnel
> +group authenticate {
> [eap] EAP Identity
> [eap] processing type mschapv2
> rlm_eap_mschapv2: Issuing Challenge
> ++[eap] = handled
> +} # group authenticate = handled
> } # server eduroam-inner-tunnel
> [peap] Got tunneled reply code 11
> EAP-Message =
> 0x0108002a1a0108002510343a9d3341344d17be103ba1b8102a4d74657374407574686d2e6564752e6d79
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0xcbeddcf3cbe5c6059f24a1ca23970697
> [peap] Got tunneled reply RADIUS code Access-Challenge
> EAP-Message =
> 0x0108002a1a0108002510343a9d3341344d17be103ba1b8102a4d74657374407574686d2e6564752e6d79
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0xcbeddcf3cbe5c6059f24a1ca23970697
> [peap] Got tunneled Access-Challenge
> ++[eap] = handled
> +} # group authenticate = handled
> } # server eduroam-inner-tunnel
> Sending Access-Challenge of id 156 to 192.168.241.12 port 56951
> EAP-Message =
> 0x010800491900170303003e1c8a45d0b7de864b2d1e68270fa233de3ac15f3ba93a9d2e2df074591a16e288b38d1ec3175acf72ef0f30a6f19ee6e5a4e9b3ccb86e49568d7c2cb0af87
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x8fae4f2889a656d7f54a19d8916d3466
> Finished request 14.
> Going to the next request
> Waking up in 2.6 seconds.
> rad_recv: Access-Request packet from host 192.168.241.12 port 56951,
> id=157, length=326
> User-Name = "test at uthm.edu.my"
> NAS-IP-Address = 192.168.241.12
> NAS-Port = 0
> NAS-Identifier = "eduroam"
> NAS-Port-Type = Wireless-802.11
> Calling-Station-Id = "606720CB37CC"
> Called-Station-Id = "001A1E012EE8"
> Service-Type = Login-User
> Framed-MTU = 1100
> EAP-Message =
> 0x0208006a1900170303005f0000000000000002e601a6aa39b3f001761524212d3ad0f41d4ed51d41f2ccd5e98cec19669d823871d2c63f9d0e24a20b54572e2f27420eee0f333e8bc450f328c4a5a29778e395986cd10574041407466476fa397de3d2e27c8e2408f5b2
> State = 0x8fae4f2889a656d7f54a19d8916d3466
> Aruba-Essid-Name = "eduroam"
> Aruba-Location-Id = "PTM-MIS"
> Aruba-AP-Group = "MC-A05-Pusat_Teknologi_Maklumat"
> Message-Authenticator = 0x1a31e183513b430559a36db139e98115
> server eduroam-inner-tunnel {
> # Executing section authorize from file
> /etc/raddb/sites-enabled/eduroam-inner-tunnel
> +group authorize {
> [auth_log] expand: %{Packet-Src-IP-Address} -> 192.168.241.12
> [auth_log] expand:
> /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
> -> /var/log/radius/radacct/192.168.241.12/auth-detail-20170811
> [auth_log]
> /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
> expands to /var/log/radius/radacct/192.168.241.12/auth-detail-20170811
> [auth_log] expand: %t -> Fri Aug 11 12:48:36 2017
> ++[auth_log] = ok
> [suffix] Looking up realm "uthm.edu.my" for User-Name = "test at uthm.edu.my"
> [suffix] Found realm "~^(.+\.)?uthm\.edu\.my$"
> [suffix] Adding Stripped-User-Name = "test"
> [suffix] Adding Realm = "uthm.edu.my"
> [suffix] Authentication realm is LOCAL.
> ++[suffix] = ok
> [ldap] performing user authorization for test
> [ldap] expand: %{Stripped-User-Name} -> test
> [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=test)
> [ldap] expand: dc=uthm,dc=edu,dc=my -> dc=uthm,dc=edu,dc=my
> [ldap] ldap_get_conn: Checking Id: 0
> [ldap] ldap_get_conn: Got Id: 0
> [ldap] performing search in dc=uthm,dc=edu,dc=my, with filter (uid=test)
> [ldap] checking if remote access for test is allowed by uid
> [ldap] looking for check items in directory...
> [ldap] uid -> User-Name == "test"
> [ldap] userPassword -> Password-With-Header ==
> "{SHA}m8NFSdVl2VBbKH3gzSCsd74dPyw="
> [ldap] looking for reply items in directory...
> [ldap] user test authorized to use remote access
> [ldap] ldap_release_conn: Release Id: 0
> ++[ldap] = ok
> ++[files] = noop
> ++[mschap] = noop
> [pap] No clear-text password in the request. Not performing PAP.
> ++[pap] = noop
> [eap] EAP packet type response id 8 length 106
> [eap] Continuing tunnel setup.
> ++[eap] = ok
> +} # group authorize = ok
> Found Auth-Type = EAP
> # Executing group from file /etc/raddb/sites-enabled/eduroam-inner-tunnel
> +group authenticate {
> [eap] Request found, released from the list
> [eap] EAP/peap
> [eap] processing type peap
> [peap] processing EAP-TLS
> [peap] eaptls_verify returned 7
> [peap] Done initial handshake
> [peap] eaptls_process returned 7
> [peap] EAPTLS_OK
> [peap] Session established. Decoding tunneled attributes.
> [peap] Peap state phase2
> [peap] EAP type mschapv2
> [peap] Got tunneled request
> EAP-Message =
> 0x0208004b1a02080046315a9c485813afb0d85fa3ff490bc740b30000000000000000710dff1dfc34e780f32401e4a4772847f532a4ce5e8b43500074657374407574686d2e6564752e6d79
> server eduroam-inner-tunnel {
> [peap] Setting User-Name to test at uthm.edu.my
> Sending tunneled request
> EAP-Message =
> 0x0208004b1a02080046315a9c485813afb0d85fa3ff490bc740b30000000000000000710dff1dfc34e780f32401e4a4772847f532a4ce5e8b43500074657374407574686d2e6564752e6d79
> FreeRADIUS-Proxied-To = 127.0.0.1
> User-Name = "test at uthm.edu.my"
> State = 0xcbeddcf3cbe5c6059f24a1ca23970697
> NAS-IP-Address = 192.168.241.12
> NAS-Port = 0
> NAS-Identifier = "eduroam"
> NAS-Port-Type = Wireless-802.11
> Calling-Station-Id = "606720CB37CC"
> Called-Station-Id = "001A1E012EE8"
> Service-Type = Login-User
> Framed-MTU = 1100
> Aruba-Essid-Name = "eduroam"
> Aruba-Location-Id = "PTM-MIS"
> Aruba-AP-Group = "MC-A05-Pusat_Teknologi_Maklumat"
> server eduroam-inner-tunnel {
> # Executing section authorize from file
> /etc/raddb/sites-enabled/eduroam-inner-tunnel
> +group authorize {
> [auth_log] expand: %{Packet-Src-IP-Address} -> 192.168.241.12
> [auth_log] expand:
> /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
> -> /var/log/radius/radacct/192.168.241.12/auth-detail-20170811
> [auth_log]
> /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
> expands to /var/log/radius/radacct/192.168.241.12/auth-detail-20170811
> [auth_log] expand: %t -> Fri Aug 11 12:48:36 2017
> ++[auth_log] = ok
> [suffix] Looking up realm "uthm.edu.my" for User-Name = "test at uthm.edu.my"
> [suffix] Found realm "~^(.+\.)?uthm\.edu\.my$"
> [suffix] Adding Stripped-User-Name = "test"
> [suffix] Adding Realm = "uthm.edu.my"
> [suffix] Authentication realm is LOCAL.
> ++[suffix] = ok
> [ldap] performing user authorization for test
> [ldap] expand: %{Stripped-User-Name} -> test
> [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=test)
> [ldap] expand: dc=uthm,dc=edu,dc=my -> dc=uthm,dc=edu,dc=my
> [ldap] ldap_get_conn: Checking Id: 0
> [ldap] ldap_get_conn: Got Id: 0
> [ldap] performing search in dc=uthm,dc=edu,dc=my, with filter (uid=test)
> [ldap] checking if remote access for test is allowed by uid
> [ldap] looking for check items in directory...
> [ldap] uid -> User-Name == "test"
> [ldap] userPassword -> Password-With-Header ==
> "{SHA}m8NFSdVl2VBbKH3gzSCsd74dPyw="
> [ldap] looking for reply items in directory...
> [ldap] user test authorized to use remote access
> [ldap] ldap_release_conn: Release Id: 0
> ++[ldap] = ok
> ++[files] = noop
> ++[mschap] = noop
> [pap] No clear-text password in the request. Not performing PAP.
> ++[pap] = noop
> [eap] EAP packet type response id 8 length 75
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] = updated
> +} # group authorize = updated
> Found Auth-Type = EAP
> # Executing group from file /etc/raddb/sites-enabled/eduroam-inner-tunnel
> +group authenticate {
> [eap] Request found, released from the list
> [eap] EAP/mschapv2
> [eap] processing type mschapv2
> [mschapv2] # Executing group from file
> /etc/raddb/sites-enabled/eduroam-inner-tunnel
> [mschapv2] +group MS-CHAP {
> [mschap] No Cleartext-Password configured. Cannot create LM-Password.
> [mschap] No Cleartext-Password configured. Cannot create NT-Password.
> [mschap] Creating challenge hash with username: test at uthm.edu.my
> [mschap] Client is using MS-CHAPv2 for test at uthm.edu.my, we need NT-Password
> [mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
> [mschap] FAILED: MS-CHAP2-Response is incorrect
> ++[mschap] = reject
> +} # group MS-CHAP = reject
> [eap] Freeing handler
> ++[eap] = reject
> +} # group authenticate = reject
> Failed to authenticate the user.
> Login incorrect: [test at uthm.edu.my] (from client radsec port 0 cli
> 606720CB37CC via TLS tunnel)
> Using Post-Auth-Type REJECT
> # Executing group from file /etc/raddb/sites-enabled/eduroam-inner-tunnel
> +group REJECT {
> [reply_log] expand: %{Packet-Src-IP-Address} -> 192.168.241.12
> [reply_log] expand:
> /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d
> -> /var/log/radius/radacct/192.168.241.12/reply-detail-20170811
> [reply_log]
> /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d
> expands to /var/log/radius/radacct/192.168.241.12/reply-detail-20170811
> [reply_log] expand: %t -> Fri Aug 11 12:48:36 2017
> ++[reply_log] = ok
> +} # group REJECT = ok
> } # server eduroam-inner-tunnel
> [peap] Got tunneled reply code 3
> MS-CHAP-Error = "\010E=691 R=1"
> EAP-Message = 0x04080004
> Message-Authenticator = 0x00000000000000000000000000000000
> [peap] Got tunneled reply RADIUS code Access-Reject
> MS-CHAP-Error = "\010E=691 R=1"
> EAP-Message = 0x04080004
> Message-Authenticator = 0x00000000000000000000000000000000
> [peap] Tunneled authentication was rejected.
> [peap] FAILURE
> ++[eap] = handled
> +} # group authenticate = handled
> } # server eduroam-inner-tunnel
> Sending Access-Challenge of id 157 to 192.168.241.12 port 56951
> EAP-Message =
> 0x0109002e190017030300231c8a45d0b7de864c86cfe8658e8f5a7692bff076e34cac34a4f898a86fb7d7bd87bd0d
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x8fae4f2888a756d7f54a19d8916d3466
> Finished request 15.
> Going to the next request
> Waking up in 2.6 seconds.
> rad_recv: Access-Request packet from host 192.168.241.12 port 56951,
> id=158, length=266
> User-Name = "test at uthm.edu.my"
> NAS-IP-Address = 192.168.241.12
> NAS-Port = 0
> NAS-Identifier = "eduroam"
> NAS-Port-Type = Wireless-802.11
> Calling-Station-Id = "606720CB37CC"
> Called-Station-Id = "001A1E012EE8"
> Service-Type = Login-User
> Framed-MTU = 1100
> EAP-Message =
> 0x0209002e19001703030023000000000000000334b2a2f72bfaff9cb368e59ee145ac3b61bb33f10ff54368601eda
> State = 0x8fae4f2888a756d7f54a19d8916d3466
> Aruba-Essid-Name = "eduroam"
> Aruba-Location-Id = "PTM-MIS"
> Aruba-AP-Group = "MC-A05-Pusat_Teknologi_Maklumat"
> Message-Authenticator = 0x13d985f1b0164cab9128cf4e07b3a9e0
> server eduroam-inner-tunnel {
> # Executing section authorize from file
> /etc/raddb/sites-enabled/eduroam-inner-tunnel
> +group authorize {
> [auth_log] expand: %{Packet-Src-IP-Address} -> 192.168.241.12
> [auth_log] expand:
> /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
> -> /var/log/radius/radacct/192.168.241.12/auth-detail-20170811
> [auth_log]
> /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
> expands to /var/log/radius/radacct/192.168.241.12/auth-detail-20170811
> [auth_log] expand: %t -> Fri Aug 11 12:48:36 2017
> ++[auth_log] = ok
> [suffix] Looking up realm "uthm.edu.my" for User-Name = "test at uthm.edu.my"
> [suffix] Found realm "~^(.+\.)?uthm\.edu\.my$"
> [suffix] Adding Stripped-User-Name = "test"
> [suffix] Adding Realm = "uthm.edu.my"
> [suffix] Authentication realm is LOCAL.
> ++[suffix] = ok
> [ldap] performing user authorization for test
> [ldap] expand: %{Stripped-User-Name} -> test
> [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=test)
> [ldap] expand: dc=uthm,dc=edu,dc=my -> dc=uthm,dc=edu,dc=my
> [ldap] ldap_get_conn: Checking Id: 0
> [ldap] ldap_get_conn: Got Id: 0
> [ldap] performing search in dc=uthm,dc=edu,dc=my, with filter (uid=test)
> [ldap] checking if remote access for test is allowed by uid
> [ldap] looking for check items in directory...
> [ldap] uid -> User-Name == "test"
> [ldap] userPassword -> Password-With-Header ==
> "{SHA}m8NFSdVl2VBbKH3gzSCsd74dPyw="
> [ldap] looking for reply items in directory...
> [ldap] user test authorized to use remote access
> [ldap] ldap_release_conn: Release Id: 0
> ++[ldap] = ok
> ++[files] = noop
> ++[mschap] = noop
> [pap] No clear-text password in the request. Not performing PAP.
> ++[pap] = noop
> [eap] EAP packet type response id 9 length 46
> [eap] Continuing tunnel setup.
> ++[eap] = ok
> +} # group authorize = ok
> Found Auth-Type = EAP
> # Executing group from file /etc/raddb/sites-enabled/eduroam-inner-tunnel
> +group authenticate {
> [eap] Request found, released from the list
> [eap] EAP/peap
> [eap] processing type peap
> [peap] processing EAP-TLS
> [peap] eaptls_verify returned 7
> [peap] Done initial handshake
> [peap] eaptls_process returned 7
> [peap] EAPTLS_OK
> [peap] Session established. Decoding tunneled attributes.
> [peap] Peap state send tlv failure
> [peap] Received EAP-TLV response.
> [peap] The users session was previously rejected: returning reject (again.)
> [peap] *** This means you need to read the PREVIOUS messages in the debug
> output
> [peap] *** to find out the reason why the user was rejected.
> [peap] *** Look for "reject" or "fail". Those earlier messages will tell
> you.
> [peap] *** what went wrong, and how to fix the problem.
> [eap] Handler failed in EAP/peap
> [eap] Failed in EAP select
> ++[eap] = invalid
> +} # group authenticate = invalid
> Failed to authenticate the user.
> Login incorrect: [test at uthm.edu.my] (from client radsec port 0 cli
> 606720CB37CC)
> } # server eduroam-inner-tunnel
> Using Post-Auth-Type REJECT
> # Executing group from file /etc/raddb/sites-enabled/eduroam-inner-tunnel
> +group REJECT {
> [reply_log] expand: %{Packet-Src-IP-Address} -> 192.168.241.12
> [reply_log] expand:
> /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d
> -> /var/log/radius/radacct/192.168.241.12/reply-detail-20170811
> [reply_log]
> /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d
> expands to /var/log/radius/radacct/192.168.241.12/reply-detail-20170811
> [reply_log] expand: %t -> Fri Aug 11 12:48:36 2017
> ++[reply_log] = ok
> +} # group REJECT = ok
> Delaying reject of request 16 for 1 seconds
> Going to the next request
> Waking up in 0.9 seconds.
> Sending delayed reject for request 16
> Sending Access-Reject of id 158 to 192.168.241.12 port 56951
> EAP-Message = 0x04090004
> Message-Authenticator = 0x00000000000000000000000000000000
> Waking up in 1.6 seconds.
> Cleaning up request 7 ID 150 with timestamp +220
> Cleaning up request 9 ID 151 with timestamp +220
> Cleaning up request 10 ID 152 with timestamp +220
> Cleaning up request 11 ID 153 with timestamp +220
> Cleaning up request 12 ID 154 with timestamp +220
> Waking up in 2.2 seconds.
> Cleaning up request 13 ID 155 with timestamp +222
> Cleaning up request 14 ID 156 with timestamp +222
> Cleaning up request 15 ID 157 with timestamp +222
> Waking up in 1.0 seconds.
> Cleaning up request 16 ID 158 with timestamp +222
> Ready to process requests.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
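The EAP-Message values in the debug output are printed as raw hex, so it helps to be able to read them without a packet capture: which ones are PEAP fragment ACKs, where the TLS handshake is, which tunneled packet carries the identity, and what the MS-CHAPv2 challenge and response contain. The decoder below is an added example for reading such logs, not FreeRADIUS code; the layouts follow RFC 3748 (EAP header), the EAP-TLS flag byte PEAP reuses, and RFC 2759 (MS-CHAPv2). The hex strings in LOG_SAMPLES are copied from the debug output above; the function and field names are the example's own.

```python
"""
Decoder for the EAP-Message values printed by radiusd -X above. Added example,
not FreeRADIUS code. Layouts: RFC 3748 (EAP), EAP-TLS flags as reused by PEAP,
RFC 2759 (MS-CHAPv2), RFC 2548 (MS-CHAP-Error attribute).
"""
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 25: "PEAP", 26: "MS-CHAPv2"}
MSCHAP_OPS = {1: "Challenge", 2: "Response", 3: "Success", 4: "Failure"}
MSCHAP_ERRORS = {646: "restricted logon hours", 647: "account disabled",
                 648: "password expired", 649: "no dial-in permission",
                 691: "authentication failure", 709: "error changing password"}


def decode_eap(hexstr: str) -> dict:
    """Parse one EAP-Message value ('0x...' as radiusd -X prints it)."""
    raw = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError(f"EAP length field {length} != {len(raw)} bytes present")
    out = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (3, 4):                       # Success/Failure: header only
        return out
    etype, body = raw[4], raw[5:]
    out["type"] = EAP_TYPES.get(etype, etype)
    if etype == 1:
        out["identity"] = body.decode()
    elif etype == 25:
        flags = body[0]                      # L M S reserved, PEAP version in the low 3 bits
        out["flags"] = {"L": bool(flags & 0x80), "M": bool(flags & 0x40), "S": bool(flags & 0x20)}
        out["peap_version"] = flags & 0x07
        pos = 1
        if flags & 0x80:                     # L set: 4-byte total TLS message length follows
            out["tls_length"] = struct.unpack("!I", body[1:5])[0]
            pos = 5
        tls = body[pos:]
        if not tls:
            out["tls_ack"] = True            # empty payload acknowledges a fragment
        else:                                # first TLS record header in the payload
            ctype, vmaj, vmin, rlen = struct.unpack("!BBBH", tls[:5])
            out["tls_record"] = {"content_type": ctype, "version": f"{vmaj}.{vmin}", "length": rlen}
    elif etype == 26:
        op, ms_id, ms_len = struct.unpack("!BBH", body[:4])
        ms = {"op": MSCHAP_OPS.get(op, op), "ms_id": ms_id, "ms_length": ms_len}
        if op in (1, 2):
            vsize = body[4]                  # 16 for a challenge, 49 for a response
            value, name = body[5:5 + vsize], body[5 + vsize:]
            ms["name"] = name.decode()
            if op == 1:
                ms["challenge"] = value.hex()
            else:                            # peer challenge, 8 reserved bytes, 24-byte NT-Response, flags
                ms.update(peer_challenge=value[:16].hex(), reserved=value[16:24].hex(),
                          nt_response=value[24:48].hex(), flags=value[48])
        out["mschapv2"] = ms
    return out


def parse_mschap_error(value: str) -> dict:
    """Parse an MS-CHAP-Error attribute. The log shows it as "\\010E=691 R=1": the
    first byte is the MS-CHAPv2 ident (8), then E=<code> R=<retry allowed>."""
    ident, text = ord(value[0]), value[1:]
    fields = dict(part.split("=", 1) for part in text.split())
    code = int(fields["E"])
    return {"ident": ident, "error": code, "meaning": MSCHAP_ERRORS.get(code, "unknown"),
            "retry_allowed": fields.get("R") == "1"}


# Copied from the debug output above. client_key_exchange is the client's
# ClientKeyExchange + ChangeCipherSpec + Finished records (the "read client key exchange" step).
LOG_SAMPLES = {
    "outer_tls_ack": "0x020400061900",
    "client_key_exchange": "0x0205008819800000007e1603030046100000424104c54e810e0876a2f48de285e28044b9d5"
                           "705e0502717c3dc8017dc66f925db3a936b10c757bfdd0c306034d301be3d9f000b3d8e396baa9"
                           "5c8b466988a54e689b140303000101160303002800000000000000006ac72ce7125c46232cff96"
                           "13def48589606506c06bf5ba73c81ef1a541f67972",
    "inner_identity": "0x020700150174657374407574686d2e6564752e6d79",
    "mschap_challenge": "0x0108002a1a0108002510343a9d3341344d17be103ba1b8102a4d74657374407574686d2e6564752e6d79",
    "mschap_response": "0x0208004b1a02080046315a9c485813afb0d85fa3ff490bc740b30000000000000000710dff1dfc34e780"
                       "f32401e4a4772847f532a4ce5e8b43500074657374407574686d2e6564752e6d79",
    "inner_failure": "0x04080004",
}


def decode_log_samples() -> dict:
    return {name: decode_eap(value) for name, value in LOG_SAMPLES.items()}


if __name__ == "__main__":
    for name, decoded in decode_log_samples().items():
        print(name, decoded)
    print(parse_mschap_error("\x08E=691 R=1"))
```

Reading the decoded response shows why the server is stuck: the client only sends the 16-byte peer challenge and the 24-byte NT-Response, and checking that response means recomputing it from the NT hash, which the {SHA} userPassword cannot supply. The values match what the log reports in prose (response id 5 length 136 with "TLS Length 126", inner identity test@uthm.edu.my, MS-CHAP-Error E=691 on ident 8).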