eap_peap: fatal access_denied error
mustafa mujahid
mustafa.mujahid at outlook.com
Thu Mar 9 14:44:30 CET 2017
I got this the first time:
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
WARNING: !! EAP session for state ...... did not finish!
WARNING: !! Please read http://wiki.freeradius.org/guide/Certificate_Compatibility
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
and then after that it's the same message every time: 'The users session was previously rejected: returning reject (again.)'
I don't understand. Shouldn't the server run TLS out of the box? And the OID dependency is only for Windows XP, right? I've been testing with Windows 10. Fragment size is 1024, which is the default.
Please see the complete debug output below (it's pretty long).
Ready to process requests
(0) Received Access-Request Id 31 from 10.10.99.5:1645 to 115.186.154.51:1812 length 158
(0) User-Name = "asif.mehmood"
(0) Service-Type = Framed-User
(0) Framed-MTU = 1500
(0) Called-Station-Id = "F4-1F-C2-29-F2-04"
(0) Calling-Station-Id = "E0-DB-55-D5-8F-92"
(0) EAP-Message = 0x0201001101617369662e6d65686d6f6f64
(0) Message-Authenticator = 0x29c1757607232b3d614dcd903406abc4
(0) NAS-Port-Type = Ethernet
(0) NAS-Port = 50004
(0) NAS-Port-Id = "FastEthernet0/4"
(0) NAS-IP-Address = 10.10.99.5
(0) # Executing section authorize from file /etc/raddb/sites-enabled/default
(0) authorize {
(0) [preprocess] = ok
(0) auth_log: EXPAND /var/log/radius/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(0) auth_log: --> /var/log/radius/log/radius/radacct/10.10.99.5/auth-detail-20170309
(0) auth_log: /var/log/radius/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/log/radius/radacct/10.10.99.5/auth-detail-20170309
(0) auth_log: EXPAND %t
(0) auth_log: --> Thu Mar 9 16:44:20 2017
(0) [auth_log] = ok
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "asif.mehmood", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) eap: Peer sent EAP Response (code 2) ID 1 length 17
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(0) [eap] = ok
(0) } # authorize = ok
(0) Found Auth-Type = eap
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0) authenticate {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_md5 to process data
(0) eap_md5: Issuing MD5 Challenge
(0) eap: Sending EAP Request (code 1) ID 2 length 22
(0) eap: EAP session adding &reply:State = 0x93026393930067fc
(0) [eap] = handled
(0) } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) Post-Auth-Type sub-section not found. Ignoring.
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0) Sent Access-Challenge Id 31 from 115.186.154.51:1812 to 10.10.99.5:1645 length 0
(0) EAP-Message = 0x010200160410653c8fd6e2ecd4db2df902eed11e8170
(0) Message-Authenticator = 0x00000000000000000000000000000000
(0) State = 0x93026393930067fcaf4c2661a90413af
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 32 from 10.10.99.5:1645 to 115.186.154.51:1812 length 165
(1) User-Name = "asif.mehmood"
(1) Service-Type = Framed-User
(1) Framed-MTU = 1500
(1) Called-Station-Id = "F4-1F-C2-29-F2-04"
(1) Calling-Station-Id = "E0-DB-55-D5-8F-92"
(1) EAP-Message = 0x020200060319
(1) Message-Authenticator = 0x983a9c7a8519393e72e279ae293d712f
(1) NAS-Port-Type = Ethernet
(1) NAS-Port = 50004
(1) NAS-Port-Id = "FastEthernet0/4"
(1) State = 0x93026393930067fcaf4c2661a90413af
(1) NAS-IP-Address = 10.10.99.5
(1) session-state: No cached attributes
(1) # Executing section authorize from file /etc/raddb/sites-enabled/default
(1) authorize {
(1) [preprocess] = ok
(1) auth_log: EXPAND /var/log/radius/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(1) auth_log: --> /var/log/radius/log/radius/radacct/10.10.99.5/auth-detail-20170309
(1) auth_log: /var/log/radius/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/log/radius/radacct/10.10.99.5/auth-detail-20170309
(1) auth_log: EXPAND %t
(1) auth_log: --> Thu Mar 9 16:44:20 2017
(1) [auth_log] = ok
(1) [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "asif.mehmood", looking up realm NULL
(1) suffix: No such realm "NULL"
(1) [suffix] = noop
(1) eap: Peer sent EAP Response (code 2) ID 2 length 6
(1) eap: No EAP Start, assuming it's an on-going EAP conversation
(1) [eap] = updated
(1) sql: EXPAND %{User-Name}
(1) sql: --> asif.mehmood
(1) sql: SQL-User-Name set to 'asif.mehmood'
rlm_sql (sql): Reserved connection (0)
(1) sql: EXPAND SELECT id,UserName,Attribute,Value,op FROM radcheck_office WHERE Username = '%{SQL-User-Name}' and Attribute = 'NT-Password' ORDER BY id
(1) sql: --> SELECT id,UserName,Attribute,Value,op FROM radcheck_office WHERE Username = 'asif.mehmood' and Attribute = 'NT-Password' ORDER BY id
(1) sql: Executing select query: SELECT id,UserName,Attribute,Value,op FROM radcheck_office WHERE Username = 'asif.mehmood' and Attribute = 'NT-Password' ORDER BY id
(1) sql: User found in radcheck table
(1) sql: Conditional check items matched, merging assignment check items
(1) sql: NT-Password := 0x4331373130303946314231453344413833464230364343323441463634363043
(1) sql: EXPAND SELECT GroupName FROM office.usergroup_office WHERE UserName='%{SQL-User-Name}'
(1) sql: --> SELECT GroupName FROM office.usergroup_office WHERE UserName='asif.mehmood'
(1) sql: Executing select query: SELECT GroupName FROM office.usergroup_office WHERE UserName='asif.mehmood'
(1) sql: User not found in any groups
rlm_sql (sql): Released connection (0)
(1) [sql] = ok
(1) [expiration] = noop
(1) [logintime] = noop
(1) pap: Normalizing NT-Password from hex encoding, 32 bytes -> 16 bytes
(1) pap: WARNING: Auth-Type already set. Not setting to PAP
(1) [pap] = noop
(1) } # authorize = updated
(1) Found Auth-Type = eap
(1) # Executing group from file /etc/raddb/sites-enabled/default
(1) authenticate {
(1) eap: Expiring EAP session with state 0x93026393930067fc
(1) eap: Finished EAP session with state 0x93026393930067fc
(1) eap: Previous EAP request found for state 0x93026393930067fc, released from the list
(1) eap: Peer sent packet with method EAP NAK (3)
(1) eap: Found mutually acceptable type PEAP (25)
(1) eap: Calling submodule eap_peap to process data
(1) eap_peap: Initiating new EAP-TLS session
(1) eap_peap: [eaptls start] = request
(1) eap: Sending EAP Request (code 1) ID 3 length 6
(1) eap: EAP session adding &reply:State = 0x9302639392017afc
(1) [eap] = handled
(1) } # authenticate = handled
(1) Using Post-Auth-Type Challenge
(1) Post-Auth-Type sub-section not found. Ignoring.
(1) # Executing group from file /etc/raddb/sites-enabled/default
(1) Sent Access-Challenge Id 32 from 115.186.154.51:1812 to 10.10.99.5:1645 length 0
(1) EAP-Message = 0x010300061920
(1) Message-Authenticator = 0x00000000000000000000000000000000
(1) State = 0x9302639392017afcaf4c2661a90413af
(1) Finished request
Waking up in 4.9 seconds.
(2) Received Access-Request Id 33 from 10.10.99.5:1645 to 115.186.154.51:1812 length 281
(2) User-Name = "asif.mehmood"
(2) Service-Type = Framed-User
(2) Framed-MTU = 1500
(2) Called-Station-Id = "F4-1F-C2-29-F2-04"
(2) Calling-Station-Id = "E0-DB-55-D5-8F-92"
(2) EAP-Message = 0x0203007a198000000070160301006b01000067030158c140773dd3f726798de2ca3ba80fb89fb5bd0c3bce1385c22e4eb39fbf5456000018c014c0130035002fc00ac00900380032000a00130005000401000026000500050100000000000a0006000400170018000b000201000023000000170000ff01
(2) Message-Authenticator = 0xd37a911a4ea82ad10978aee11de61b06
(2) NAS-Port-Type = Ethernet
(2) NAS-Port = 50004
(2) NAS-Port-Id = "FastEthernet0/4"
(2) State = 0x9302639392017afcaf4c2661a90413af
(2) NAS-IP-Address = 10.10.99.5
(2) session-state: No cached attributes
(2) # Executing section authorize from file /etc/raddb/sites-enabled/default
(2) authorize {
(2) [preprocess] = ok
(2) auth_log: EXPAND /var/log/radius/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(2) auth_log: --> /var/log/radius/log/radius/radacct/10.10.99.5/auth-detail-20170309
(2) auth_log: /var/log/radius/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/log/radius/radacct/10.10.99.5/auth-detail-20170309
(2) auth_log: EXPAND %t
(2) auth_log: --> Thu Mar 9 16:44:20 2017
(2) [auth_log] = ok
(2) [digest] = noop
(2) suffix: Checking for suffix after "@"
(2) suffix: No '@' in User-Name = "asif.mehmood", looking up realm NULL
(2) suffix: No such realm "NULL"
(2) [suffix] = noop
(2) eap: Peer sent EAP Response (code 2) ID 3 length 122
(2) eap: Continuing tunnel setup
(2) [eap] = ok
(2) } # authorize = ok
(2) Found Auth-Type = eap
(2) # Executing group from file /etc/raddb/sites-enabled/default
(2) authenticate {
(2) eap: Expiring EAP session with state 0x9302639392017afc
(2) eap: Finished EAP session with state 0x9302639392017afc
(2) eap: Previous EAP request found for state 0x9302639392017afc, released from the list
(2) eap: Peer sent packet with method EAP PEAP (25)
(2) eap: Calling submodule eap_peap to process data
(2) eap_peap: Continuing EAP-TLS
(2) eap_peap: Peer indicated complete TLS record size will be 112 bytes
(2) eap_peap: Got complete TLS record (112 bytes)
(2) eap_peap: [eaptls verify] = length included
(2) eap_peap: (other): before/accept initialization
(2) eap_peap: TLS_accept: before/accept initialization
(2) eap_peap: <<< recv TLS 1.0 Handshake [length 006b], ClientHello
(2) eap_peap: TLS_accept: SSLv3 read client hello A
(2) eap_peap: >>> send TLS 1.0 Handshake [length 0039], ServerHello
(2) eap_peap: TLS_accept: SSLv3 write server hello A
(2) eap_peap: >>> send TLS 1.0 Handshake [length 08d3], Certificate
(2) eap_peap: TLS_accept: SSLv3 write certificate A
(2) eap_peap: >>> send TLS 1.0 Handshake [length 014b], ServerKeyExchange
(2) eap_peap: TLS_accept: SSLv3 write key exchange A
(2) eap_peap: >>> send TLS 1.0 Handshake [length 0004], ServerHelloDone
(2) eap_peap: TLS_accept: SSLv3 write server done A
(2) eap_peap: TLS_accept: SSLv3 flush data
(2) eap_peap: TLS_accept: Need to read more data: SSLv3 read client certificate A
(2) eap_peap: TLS_accept: Need to read more data: SSLv3 read client certificate A
(2) eap_peap: In SSL Handshake Phase
(2) eap_peap: In SSL Accept mode
(2) eap_peap: [eaptls process] = handled
(2) eap: Sending EAP Request (code 1) ID 4 length 1004
(2) eap: EAP session adding &reply:State = 0x9302639391067afc
(2) [eap] = handled
(2) } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) Post-Auth-Type sub-section not found. Ignoring.
(2) # Executing group from file /etc/raddb/sites-enabled/default
(2) Sent Access-Challenge Id 33 from 115.186.154.51:1812 to 10.10.99.5:1645 length 0
(2) EAP-Message = 0x010403ec19c000000a6f160301003902000035030158c1401426a6b28dcc1098ebab806483096310c6d16cc856d68091d564c3c07300c01400000dff01000100000b00040300010216030108d30b0008cf0008cc0003de308203da308202c2a003020102020101300d06092a864886f70d01010b050030
(2) Message-Authenticator = 0x00000000000000000000000000000000
(2) State = 0x9302639391067afcaf4c2661a90413af
(2) Finished request
Waking up in 4.9 seconds.
(3) Received Access-Request Id 34 from 10.10.99.5:1645 to 115.186.154.51:1812 length 165
(3) User-Name = "asif.mehmood"
(3) Service-Type = Framed-User
(3) Framed-MTU = 1500
(3) Called-Station-Id = "F4-1F-C2-29-F2-04"
(3) Calling-Station-Id = "E0-DB-55-D5-8F-92"
(3) EAP-Message = 0x020400061900
(3) Message-Authenticator = 0x57be0ed1d7330cb2f02505d1fea98859
(3) NAS-Port-Type = Ethernet
(3) NAS-Port = 50004
(3) NAS-Port-Id = "FastEthernet0/4"
(3) State = 0x9302639391067afcaf4c2661a90413af
(3) NAS-IP-Address = 10.10.99.5
(3) session-state: No cached attributes
(3) # Executing section authorize from file /etc/raddb/sites-enabled/default
(3) authorize {
(3) [preprocess] = ok
(3) auth_log: EXPAND /var/log/radius/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(3) auth_log: --> /var/log/radius/log/radius/radacct/10.10.99.5/auth-detail-20170309
(3) auth_log: /var/log/radius/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/log/radius/radacct/10.10.99.5/auth-detail-20170309
(3) auth_log: EXPAND %t
(3) auth_log: --> Thu Mar 9 16:44:20 2017
(3) [auth_log] = ok
(3) [digest] = noop
(3) suffix: Checking for suffix after "@"
(3) suffix: No '@' in User-Name = "asif.mehmood", looking up realm NULL
(3) suffix: No such realm "NULL"
(3) [suffix] = noop
(3) eap: Peer sent EAP Response (code 2) ID 4 length 6
(3) eap: Continuing tunnel setup
(3) [eap] = ok
(3) } # authorize = ok
(3) Found Auth-Type = eap
(3) # Executing group from file /etc/raddb/sites-enabled/default
(3) authenticate {
(3) eap: Expiring EAP session with state 0x9302639391067afc
(3) eap: Finished EAP session with state 0x9302639391067afc
(3) eap: Previous EAP request found for state 0x9302639391067afc, released from the list
(3) eap: Peer sent packet with method EAP PEAP (25)
(3) eap: Calling submodule eap_peap to process data
(3) eap_peap: Continuing EAP-TLS
(3) eap_peap: Peer ACKed our handshake fragment
(3) eap_peap: [eaptls verify] = request
(3) eap_peap: [eaptls process] = handled
(3) eap: Sending EAP Request (code 1) ID 5 length 1000
(3) eap: EAP session adding &reply:State = 0x9302639390077afc
(3) [eap] = handled
(3) } # authenticate = handled
(3) Using Post-Auth-Type Challenge
(3) Post-Auth-Type sub-section not found. Ignoring.
(3) # Executing group from file /etc/raddb/sites-enabled/default
(3) Sent Access-Challenge Id 34 from 115.186.154.51:1812 to 10.10.99.5:1645 length 0
(3) EAP-Message = 0x010503e819409b2d4c0345df751fd711e8ea4e75714b29a30375779446c49ce87ccf9d58117de4f2115aa1e5653a44779d0cc47875d9c752336a6c5fe4badfcf84bc9e1a915e7297c630bad9abf8c30004e8308204e4308203cca003020102020900b6aa9b5ee768955a300d06092a864886f70d010105
(3) Message-Authenticator = 0x00000000000000000000000000000000
(3) State = 0x9302639390077afcaf4c2661a90413af
(3) Finished request
Waking up in 4.9 seconds.
(4) Received Access-Request Id 35 from 10.10.99.5:1645 to 115.186.154.51:1812 length 165
(4) User-Name = "asif.mehmood"
(4) Service-Type = Framed-User
(4) Framed-MTU = 1500
(4) Called-Station-Id = "F4-1F-C2-29-F2-04"
(4) Calling-Station-Id = "E0-DB-55-D5-8F-92"
(4) EAP-Message = 0x020500061900
(4) Message-Authenticator = 0xf565ce762672d59e9a92e9531840fddb
(4) NAS-Port-Type = Ethernet
(4) NAS-Port = 50004
(4) NAS-Port-Id = "FastEthernet0/4"
(4) State = 0x9302639390077afcaf4c2661a90413af
(4) NAS-IP-Address = 10.10.99.5
(4) session-state: No cached attributes
(4) # Executing section authorize from file /etc/raddb/sites-enabled/default
(4) authorize {
(4) [preprocess] = ok
(4) auth_log: EXPAND /var/log/radius/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(4) auth_log: --> /var/log/radius/log/radius/radacct/10.10.99.5/auth-detail-20170309
(4) auth_log: /var/log/radius/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/log/radius/radacct/10.10.99.5/auth-detail-20170309
(4) auth_log: EXPAND %t
(4) auth_log: --> Thu Mar 9 16:44:20 2017
(4) [auth_log] = ok
(4) [digest] = noop
(4) suffix: Checking for suffix after "@"
(4) suffix: No '@' in User-Name = "asif.mehmood", looking up realm NULL
(4) suffix: No such realm "NULL"
(4) [suffix] = noop
(4) eap: Peer sent EAP Response (code 2) ID 5 length 6
(4) eap: Continuing tunnel setup
(4) [eap] = ok
(4) } # authorize = ok
(4) Found Auth-Type = eap
(4) # Executing group from file /etc/raddb/sites-enabled/default
(4) authenticate {
(4) eap: Expiring EAP session with state 0x9302639390077afc
(4) eap: Finished EAP session with state 0x9302639390077afc
(4) eap: Previous EAP request found for state 0x9302639390077afc, released from the list
(4) eap: Peer sent packet with method EAP PEAP (25)
(4) eap: Calling submodule eap_peap to process data
(4) eap_peap: Continuing EAP-TLS
(4) eap_peap: Peer ACKed our handshake fragment
(4) eap_peap: [eaptls verify] = request
(4) eap_peap: [eaptls process] = handled
(4) eap: Sending EAP Request (code 1) ID 6 length 689
(4) eap: EAP session adding &reply:State = 0x9302639397047afc
(4) [eap] = handled
(4) } # authenticate = handled
(4) Using Post-Auth-Type Challenge
(4) Post-Auth-Type sub-section not found. Ignoring.
(4) # Executing group from file /etc/raddb/sites-enabled/default
(4) Sent Access-Challenge Id 35 from 115.186.154.51:1812 to 10.10.99.5:1645 length 0
(4) EAP-Message = 0x010602b119000530030101ff30360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e6f72672f6578616d706c655f63612e63726c300d06092a864886f70d0101050500038201010048377e8fa1d71da67cd91ae43c66ec9d54d74a2593705ce23f35396f788e48
(4) Message-Authenticator = 0x00000000000000000000000000000000
(4) State = 0x9302639397047afcaf4c2661a90413af
(4) Finished request
Waking up in 4.9 seconds.
(5) Received Access-Request Id 36 from 10.10.99.5:1645 to 115.186.154.51:1812 length 303
(5) User-Name = "asif.mehmood"
(5) Service-Type = Framed-User
(5) Framed-MTU = 1500
(5) Called-Station-Id = "F4-1F-C2-29-F2-04"
(5) Calling-Station-Id = "E0-DB-55-D5-8F-92"
(5) EAP-Message = 0x020600901980000000861603010046100000424104271baf1e422913595faf82c9afc0decfaf85279ee4a3008bc38804f6698ee7c4c48865a59045a5c2ba86a10237c2ad2f10cfb92e7db15c177e526c854b9bb5061403010001011603010030c3503156ce176b0730cf1579ec48e58c42bce693ec6a51
(5) Message-Authenticator = 0x639f20282139d45d3a76330dad060a3f
(5) NAS-Port-Type = Ethernet
(5) NAS-Port = 50004
(5) NAS-Port-Id = "FastEthernet0/4"
(5) State = 0x9302639397047afcaf4c2661a90413af
(5) NAS-IP-Address = 10.10.99.5
(5) session-state: No cached attributes
(5) # Executing section authorize from file /etc/raddb/sites-enabled/default
(5) authorize {
(5) [preprocess] = ok
(5) auth_log: EXPAND /var/log/radius/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(5) auth_log: --> /var/log/radius/log/radius/radacct/10.10.99.5/auth-detail-20170309
(5) auth_log: /var/log/radius/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/log/radius/radacct/10.10.99.5/auth-detail-20170309
(5) auth_log: EXPAND %t
(5) auth_log: --> Thu Mar 9 16:44:20 2017
(5) [auth_log] = ok
(5) [digest] = noop
(5) suffix: Checking for suffix after "@"
(5) suffix: No '@' in User-Name = "asif.mehmood", looking up realm NULL
(5) suffix: No such realm "NULL"
(5) [suffix] = noop
(5) eap: Peer sent EAP Response (code 2) ID 6 length 144
(5) eap: Continuing tunnel setup
(5) [eap] = ok
(5) } # authorize = ok
(5) Found Auth-Type = eap
(5) # Executing group from file /etc/raddb/sites-enabled/default
(5) authenticate {
(5) eap: Expiring EAP session with state 0x9302639397047afc
(5) eap: Finished EAP session with state 0x9302639397047afc
(5) eap: Previous EAP request found for state 0x9302639397047afc, released from the list
(5) eap: Peer sent packet with method EAP PEAP (25)
(5) eap: Calling submodule eap_peap to process data
(5) eap_peap: Continuing EAP-TLS
(5) eap_peap: Peer indicated complete TLS record size will be 134 bytes
(5) eap_peap: Got complete TLS record (134 bytes)
(5) eap_peap: [eaptls verify] = length included
(5) eap_peap: <<< recv TLS 1.0 Handshake [length 0046], ClientKeyExchange
(5) eap_peap: TLS_accept: SSLv3 read client key exchange A
(5) eap_peap: <<< recv TLS 1.0 ChangeCipherSpec [length 0001]
(5) eap_peap: <<< recv TLS 1.0 Handshake [length 0010], Finished
(5) eap_peap: TLS_accept: SSLv3 read finished A
(5) eap_peap: >>> send TLS 1.0 ChangeCipherSpec [length 0001]
(5) eap_peap: TLS_accept: SSLv3 write change cipher spec A
(5) eap_peap: >>> send TLS 1.0 Handshake [length 0010], Finished
(5) eap_peap: TLS_accept: SSLv3 write finished A
(5) eap_peap: TLS_accept: SSLv3 flush data
(5) eap_peap: (other): SSL negotiation finished successfully
(5) eap_peap: SSL Connection Established
(5) eap_peap: [eaptls process] = handled
(5) eap: Sending EAP Request (code 1) ID 7 length 65
(5) eap: EAP session adding &reply:State = 0x9302639396057afc
(5) [eap] = handled
(5) } # authenticate = handled
(5) Using Post-Auth-Type Challenge
(5) Post-Auth-Type sub-section not found. Ignoring.
(5) # Executing group from file /etc/raddb/sites-enabled/default
(5) Sent Access-Challenge Id 36 from 115.186.154.51:1812 to 10.10.99.5:1645 length 0
(5) EAP-Message = 0x0107004119001403010001011603010030e1bbd9cd7a90654608621594ebfc5d995f68261cb68a5a3622f3020d87ce23ddc2cea28c469d9cca53314c8271e15b41
(5) Message-Authenticator = 0x00000000000000000000000000000000
(5) State = 0x9302639396057afcaf4c2661a90413af
(5) Finished request
Waking up in 4.9 seconds.
(6) Received Access-Request Id 37 from 10.10.99.5:1645 to 115.186.154.51:1812 length 165
(6) User-Name = "asif.mehmood"
(6) Service-Type = Framed-User
(6) Framed-MTU = 1500
(6) Called-Station-Id = "F4-1F-C2-29-F2-04"
(6) Calling-Station-Id = "E0-DB-55-D5-8F-92"
(6) EAP-Message = 0x020700061900
(6) Message-Authenticator = 0x8339c72f9dc82f949714ecf748814d36
(6) NAS-Port-Type = Ethernet
(6) NAS-Port = 50004
(6) NAS-Port-Id = "FastEthernet0/4"
(6) State = 0x9302639396057afcaf4c2661a90413af
(6) NAS-IP-Address = 10.10.99.5
(6) session-state: No cached attributes
(6) # Executing section authorize from file /etc/raddb/sites-enabled/default
(6) authorize {
(6) [preprocess] = ok
(6) auth_log: EXPAND /var/log/radius/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(6) auth_log: --> /var/log/radius/log/radius/radacct/10.10.99.5/auth-detail-20170309
(6) auth_log: /var/log/radius/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/log/radius/radacct/10.10.99.5/auth-detail-20170309
(6) auth_log: EXPAND %t
(6) auth_log: --> Thu Mar 9 16:44:20 2017
(6) [auth_log] = ok
(6) [digest] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: No '@' in User-Name = "asif.mehmood", looking up realm NULL
(6) suffix: No such realm "NULL"
(6) [suffix] = noop
(6) eap: Peer sent EAP Response (code 2) ID 7 length 6
(6) eap: Continuing tunnel setup
(6) [eap] = ok
(6) } # authorize = ok
(6) Found Auth-Type = eap
(6) # Executing group from file /etc/raddb/sites-enabled/default
(6) authenticate {
(6) eap: Expiring EAP session with state 0x9302639396057afc
(6) eap: Finished EAP session with state 0x9302639396057afc
(6) eap: Previous EAP request found for state 0x9302639396057afc, released from the list
(6) eap: Peer sent packet with method EAP PEAP (25)
(6) eap: Calling submodule eap_peap to process data
(6) eap_peap: Continuing EAP-TLS
(6) eap_peap: Peer ACKed our handshake fragment. handshake is finished
(6) eap_peap: [eaptls verify] = success
(6) eap_peap: [eaptls process] = success
(6) eap_peap: Session established. Decoding tunneled attributes
(6) eap_peap: PEAP state TUNNEL ESTABLISHED
(6) eap: Sending EAP Request (code 1) ID 8 length 43
(6) eap: EAP session adding &reply:State = 0x93026393950a7afc
(6) [eap] = handled
(6) } # authenticate = handled
(6) Using Post-Auth-Type Challenge
(6) Post-Auth-Type sub-section not found. Ignoring.
(6) # Executing group from file /etc/raddb/sites-enabled/default
(6) Sent Access-Challenge Id 37 from 115.186.154.51:1812 to 10.10.99.5:1645 length 0
(6) EAP-Message = 0x0108002b1900170301002054ed0fbd04d9cd6841083d95d4a66c2ad8d7603fcdced6c7e80b1e0489729ff0
(6) Message-Authenticator = 0x00000000000000000000000000000000
(6) State = 0x93026393950a7afcaf4c2661a90413af
(6) Finished request
Waking up in 4.9 seconds.
(7) Received Access-Request Id 38 from 10.10.99.5:1645 to 115.186.154.51:1812 length 218
(7) User-Name = "asif.mehmood"
(7) Service-Type = Framed-User
(7) Framed-MTU = 1500
(7) Called-Station-Id = "F4-1F-C2-29-F2-04"
(7) Calling-Station-Id = "E0-DB-55-D5-8F-92"
(7) EAP-Message = 0x0208003b19001703010030d5f42be51ee50771c3dec5c5d6dca178a15a80c0d359ff0b2d59e38da947033e146e6748de1b8bad9bdc3d133634c717
(7) Message-Authenticator = 0x3745a5f1ae21885e80d6d22577ac4869
(7) NAS-Port-Type = Ethernet
(7) NAS-Port = 50004
(7) NAS-Port-Id = "FastEthernet0/4"
(7) State = 0x93026393950a7afcaf4c2661a90413af
(7) NAS-IP-Address = 10.10.99.5
(7) session-state: No cached attributes
(7) # Executing section authorize from file /etc/raddb/sites-enabled/default
(7) authorize {
(7) [preprocess] = ok
(7) auth_log: EXPAND /var/log/radius/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(7) auth_log: --> /var/log/radius/log/radius/radacct/10.10.99.5/auth-detail-20170309
(7) auth_log: /var/log/radius/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/log/radius/radacct/10.10.99.5/auth-detail-20170309
(7) auth_log: EXPAND %t
(7) auth_log: --> Thu Mar 9 16:44:20 2017
(7) [auth_log] = ok
(7) [digest] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: No '@' in User-Name = "asif.mehmood", looking up realm NULL
(7) suffix: No such realm "NULL"
(7) [suffix] = noop
(7) eap: Peer sent EAP Response (code 2) ID 8 length 59
(7) eap: Continuing tunnel setup
(7) [eap] = ok
(7) } # authorize = ok
(7) Found Auth-Type = eap
(7) # Executing group from file /etc/raddb/sites-enabled/default
(7) authenticate {
(7) eap: Expiring EAP session with state 0x93026393950a7afc
(7) eap: Finished EAP session with state 0x93026393950a7afc
(7) eap: Previous EAP request found for state 0x93026393950a7afc, released from the list
(7) eap: Peer sent packet with method EAP PEAP (25)
(7) eap: Calling submodule eap_peap to process data
(7) eap_peap: Continuing EAP-TLS
(7) eap_peap: [eaptls verify] = ok
(7) eap_peap: Done initial handshake
(7) eap_peap: [eaptls process] = ok
(7) eap_peap: Session established. Decoding tunneled attributes
(7) eap_peap: PEAP state WAITING FOR INNER IDENTITY
(7) eap_peap: Identity - asif.mehmood
(7) eap_peap: Got inner identity 'asif.mehmood'
(7) eap_peap: Setting default EAP type for tunneled EAP session
(7) eap_peap: Got tunneled request
(7) eap_peap: EAP-Message = 0x0208001101617369662e6d65686d6f6f64
(7) eap_peap: Setting User-Name to asif.mehmood
(7) eap_peap: Sending tunneled request to inner-tunnel
(7) eap_peap: EAP-Message = 0x0208001101617369662e6d65686d6f6f64
(7) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(7) eap_peap: User-Name = "asif.mehmood"
(7) Virtual server inner-tunnel received request
(7) EAP-Message = 0x0208001101617369662e6d65686d6f6f64
(7) FreeRADIUS-Proxied-To = 127.0.0.1
(7) User-Name = "asif.mehmood"
(7) WARNING: Outer and inner identities are the same. User privacy is compromised.
(7) server inner-tunnel {
(7) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
(7) authorize {
(7) suffix: Checking for suffix after "@"
(7) suffix: No '@' in User-Name = "asif.mehmood", looking up realm NULL
(7) suffix: No such realm "NULL"
(7) [suffix] = noop
(7) update control {
(7) &Proxy-To-Realm := LOCAL
(7) } # update control = noop
(7) eap: Peer sent EAP Response (code 2) ID 8 length 17
(7) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(7) [eap] = ok
(7) } # authorize = ok
(7) Found Auth-Type = eap
(7) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(7) authenticate {
(7) eap: Peer sent packet with method EAP Identity (1)
(7) eap: Calling submodule eap_mschapv2 to process data
(7) eap_mschapv2: Issuing Challenge
(7) eap: Sending EAP Request (code 1) ID 9 length 43
(7) eap: EAP session adding &reply:State = 0x102bfd681022e731
(7) [eap] = handled
(7) } # authenticate = handled
(7) } # server inner-tunnel
(7) Virtual server sending reply
(7) EAP-Message = 0x0109002b1a0109002610edaf8fe933a57a6d850995acf8661a48667265657261646975732d332e302e3132
(7) Message-Authenticator = 0x00000000000000000000000000000000
(7) State = 0x102bfd681022e73167606d45f80bcb43
(7) eap_peap: Got tunneled reply code 11
(7) eap_peap: EAP-Message = 0x0109002b1a0109002610edaf8fe933a57a6d850995acf8661a48667265657261646975732d332e302e3132
(7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(7) eap_peap: State = 0x102bfd681022e73167606d45f80bcb43
(7) eap_peap: Got tunneled reply RADIUS code 11
(7) eap_peap: EAP-Message = 0x0109002b1a0109002610edaf8fe933a57a6d850995acf8661a48667265657261646975732d332e302e3132
(7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(7) eap_peap: State = 0x102bfd681022e73167606d45f80bcb43
(7) eap_peap: Got tunneled Access-Challenge
(7) eap: Sending EAP Request (code 1) ID 9 length 75
(7) eap: EAP session adding &reply:State = 0x93026393940b7afc
(7) [eap] = handled
(7) } # authenticate = handled
(7) Using Post-Auth-Type Challenge
(7) Post-Auth-Type sub-section not found. Ignoring.
(7) # Executing group from file /etc/raddb/sites-enabled/default
(7) Sent Access-Challenge Id 38 from 115.186.154.51:1812 to 10.10.99.5:1645 length 0
(7) EAP-Message = 0x0109004b19001703010040623ce1c74b562bd60c1daec91d282c45fcf1754602e4ad5945b8991fd39e9f814b5d694fcc4b3d9f3ba05fbd1f77e61b85c489dba6bf5a68cb616e5d920f773d
(7) Message-Authenticator = 0x00000000000000000000000000000000
(7) State = 0x93026393940b7afcaf4c2661a90413af
(7) Finished request
Waking up in 4.9 seconds.
(8) Received Access-Request Id 39 from 10.10.99.5:1645 to 115.186.154.51:1812 length 266
(8) User-Name = "asif.mehmood"
(8) Service-Type = Framed-User
(8) Framed-MTU = 1500
(8) Called-Station-Id = "F4-1F-C2-29-F2-04"
(8) Calling-Station-Id = "E0-DB-55-D5-8F-92"
(8) EAP-Message = 0x0209006b190017030100600934c29aa9849433ca69308699de1f2b82e048dc2fa184716d56e7d97aaceb4cc6adf2a7367bbfef8af11a99f32abc2998bdad40a400e2ada63377053a208c07dba3a99ce955b6fbcd9217a6b9b1e3f47825aa198c6f849aa74c1a334e3fe87e
(8) Message-Authenticator = 0x4d7af9a1821111f0c571698067fa5842
(8) NAS-Port-Type = Ethernet
(8) NAS-Port = 50004
(8) NAS-Port-Id = "FastEthernet0/4"
(8) State = 0x93026393940b7afcaf4c2661a90413af
(8) NAS-IP-Address = 10.10.99.5
(8) session-state: No cached attributes
(8) # Executing section authorize from file /etc/raddb/sites-enabled/default
(8) authorize {
(8) [preprocess] = ok
(8) auth_log: EXPAND /var/log/radius/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(8) auth_log: --> /var/log/radius/log/radius/radacct/10.10.99.5/auth-detail-20170309
(8) auth_log: /var/log/radius/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/log/radius/radacct/10.10.99.5/auth-detail-20170309
(8) auth_log: EXPAND %t
(8) auth_log: --> Thu Mar 9 16:44:20 2017
(8) [auth_log] = ok
(8) [digest] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: No '@' in User-Name = "asif.mehmood", looking up realm NULL
(8) suffix: No such realm "NULL"
(8) [suffix] = noop
(8) eap: Peer sent EAP Response (code 2) ID 9 length 107
(8) eap: Continuing tunnel setup
(8) [eap] = ok
(8) } # authorize = ok
(8) Found Auth-Type = eap
(8) # Executing group from file /etc/raddb/sites-enabled/default
(8) authenticate {
(8) eap: Expiring EAP session with state 0x102bfd681022e731
(8) eap: Finished EAP session with state 0x93026393940b7afc
(8) eap: Previous EAP request found for state 0x93026393940b7afc, released from the list
(8) eap: Peer sent packet with method EAP PEAP (25)
(8) eap: Calling submodule eap_peap to process data
(8) eap_peap: Continuing EAP-TLS
(8) eap_peap: [eaptls verify] = ok
(8) eap_peap: Done initial handshake
(8) eap_peap: [eaptls process] = ok
(8) eap_peap: Session established. Decoding tunneled attributes
(8) eap_peap: PEAP state phase2
(8) eap_peap: EAP method MSCHAPv2 (26)
(8) eap_peap: Got tunneled request
(8) eap_peap: EAP-Message = 0x020900471a02090042318e7a2c69ea9ee26492289089923f62630000000000000000791433516d663bc4f0de37eadbc53763b9201fef85caa1be00617369662e6d65686d6f6f64
(8) eap_peap: Setting User-Name to asif.mehmood
(8) eap_peap: Sending tunneled request to inner-tunnel
(8) eap_peap: EAP-Message = 0x020900471a02090042318e7a2c69ea9ee26492289089923f62630000000000000000791433516d663bc4f0de37eadbc53763b9201fef85caa1be00617369662e6d65686d6f6f64
(8) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(8) eap_peap: User-Name = "asif.mehmood"
(8) eap_peap: State = 0x102bfd681022e73167606d45f80bcb43
(8) Virtual server inner-tunnel received request
(8) EAP-Message = 0x020900471a02090042318e7a2c69ea9ee26492289089923f62630000000000000000791433516d663bc4f0de37eadbc53763b9201fef85caa1be00617369662e6d65686d6f6f64
(8) FreeRADIUS-Proxied-To = 127.0.0.1
(8) User-Name = "asif.mehmood"
(8) State = 0x102bfd681022e73167606d45f80bcb43
(8) WARNING: Outer and inner identities are the same. User privacy is compromised.
(8) server inner-tunnel {
(8) session-state: No cached attributes
(8) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
(8) authorize {
(8) suffix: Checking for suffix after "@"
(8) suffix: No '@' in User-Name = "asif.mehmood", looking up realm NULL
(8) suffix: No such realm "NULL"
(8) [suffix] = noop
(8) update control {
(8) &Proxy-To-Realm := LOCAL
(8) } # update control = noop
(8) eap: Peer sent EAP Response (code 2) ID 9 length 71
(8) eap: No EAP Start, assuming it's an on-going EAP conversation
(8) [eap] = updated
(8) sql: EXPAND %{User-Name}
(8) sql: --> asif.mehmood
(8) sql: SQL-User-Name set to 'asif.mehmood'
rlm_sql (sql): Reserved connection (1)
(8) sql: EXPAND SELECT id,UserName,Attribute,Value,op FROM radcheck_office WHERE Username = '%{SQL-User-Name}' and Attribute = 'NT-Password' ORDER BY id
(8) sql: --> SELECT id,UserName,Attribute,Value,op FROM radcheck_office WHERE Username = 'asif.mehmood' and Attribute = 'NT-Password' ORDER BY id
(8) sql: Executing select query: SELECT id,UserName,Attribute,Value,op FROM radcheck_office WHERE Username = 'asif.mehmood' and Attribute = 'NT-Password' ORDER BY id
(8) sql: User found in radcheck table
(8) sql: Conditional check items matched, merging assignment check items
(8) sql: NT-Password := 0x4331373130303946314231453344413833464230364343323441463634363043
(8) sql: EXPAND SELECT GroupName FROM office.usergroup_office WHERE UserName='%{SQL-User-Name}'
(8) sql: --> SELECT GroupName FROM office.usergroup_office WHERE UserName='asif.mehmood'
(8) sql: Executing select query: SELECT GroupName FROM office.usergroup_office WHERE UserName='asif.mehmood'
(8) sql: User not found in any groups
rlm_sql (sql): Released connection (1)
(8) [sql] = ok
(8) [expiration] = noop
(8) [logintime] = noop
(8) pap: Normalizing NT-Password from hex encoding, 32 bytes -> 16 bytes
(8) pap: WARNING: Auth-Type already set. Not setting to PAP
(8) [pap] = noop
(8) } # authorize = updated
(8) Found Auth-Type = eap
(8) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(8) authenticate {
(8) eap: Expiring EAP session with state 0x102bfd681022e731
(8) eap: Finished EAP session with state 0x102bfd681022e731
(8) eap: Previous EAP request found for state 0x102bfd681022e731, released from the list
(8) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(8) eap: Calling submodule eap_mschapv2 to process data
(8) eap_mschapv2: Auth-Type sub-section not found. Ignoring.
(8) eap_mschapv2: # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(8) eap: Sending EAP Failure (code 4) ID 9 length 4
(8) eap: Freeing handler
(8) [eap] = reject
(8) } # authenticate = reject
(8) Failed to authenticate the user
(8) Using Post-Auth-Type Reject
(8) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(8) Post-Auth-Type REJECT {
(8) attr_filter.access_reject: EXPAND %{User-Name}
(8) attr_filter.access_reject: --> asif.mehmood
(8) attr_filter.access_reject: Matched entry DEFAULT at line 11
(8) [attr_filter.access_reject] = updated
(8) update outer.session-state {
(8) No attributes updated
(8) } # update outer.session-state = noop
(8) } # Post-Auth-Type REJECT = updated
(8) } # server inner-tunnel
(8) Virtual server sending reply
(8) EAP-Message = 0x04090004
(8) Message-Authenticator = 0x00000000000000000000000000000000
(8) eap_peap: Got tunneled reply code 3
(8) eap_peap: EAP-Message = 0x04090004
(8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(8) eap_peap: Got tunneled reply RADIUS code 3
(8) eap_peap: EAP-Message = 0x04090004
(8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(8) eap_peap: Tunneled authentication was rejected
(8) eap_peap: FAILURE
(8) eap: Sending EAP Request (code 1) ID 10 length 43
(8) eap: EAP session adding &reply:State = 0x930263939b087afc
(8) [eap] = handled
(8) } # authenticate = handled
(8) Using Post-Auth-Type Challenge
(8) Post-Auth-Type sub-section not found. Ignoring.
(8) # Executing group from file /etc/raddb/sites-enabled/default
(8) Sent Access-Challenge Id 39 from 115.186.154.51:1812 to 10.10.99.5:1645 length 0
(8) EAP-Message = 0x010a002b190017030100200a7285d0d4f4f708eb2f6acebd5fb79b3ef14a95f7acf0353aa9963e16c86107
(8) Message-Authenticator = 0x00000000000000000000000000000000
(8) State = 0x930263939b087afcaf4c2661a90413af
(8) Finished request
Waking up in 4.8 seconds.
(9) Received Access-Request Id 40 from 10.10.99.5:1645 to 115.186.154.51:1812 length 202
(9) User-Name = "asif.mehmood"
(9) Service-Type = Framed-User
(9) Framed-MTU = 1500
(9) Called-Station-Id = "F4-1F-C2-29-F2-04"
(9) Calling-Station-Id = "E0-DB-55-D5-8F-92"
(9) EAP-Message = 0x020a002b19001703010020149de6fdbc24bbedb5004b867d365c38fd35138aace8da74e83e8cf2e7e388d8
(9) Message-Authenticator = 0x1e7c56cddf4a33ff14763e1b535f1ed4
(9) NAS-Port-Type = Ethernet
(9) NAS-Port = 50004
(9) NAS-Port-Id = "FastEthernet0/4"
(9) State = 0x930263939b087afcaf4c2661a90413af
(9) NAS-IP-Address = 10.10.99.5
(9) session-state: No cached attributes
(9) # Executing section authorize from file /etc/raddb/sites-enabled/default
(9) authorize {
(9) [preprocess] = ok
(9) auth_log: EXPAND /var/log/radius/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(9) auth_log: --> /var/log/radius/log/radius/radacct/10.10.99.5/auth-detail-20170309
(9) auth_log: /var/log/radius/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/log/radius/radacct/10.10.99.5/auth-detail-20170309
(9) auth_log: EXPAND %t
(9) auth_log: --> Thu Mar 9 16:44:20 2017
(9) [auth_log] = ok
(9) [digest] = noop
(9) suffix: Checking for suffix after "@"
(9) suffix: No '@' in User-Name = "asif.mehmood", looking up realm NULL
(9) suffix: No such realm "NULL"
(9) [suffix] = noop
(9) eap: Peer sent EAP Response (code 2) ID 10 length 43
(9) eap: Continuing tunnel setup
(9) [eap] = ok
(9) } # authorize = ok
(9) Found Auth-Type = eap
(9) # Executing group from file /etc/raddb/sites-enabled/default
(9) authenticate {
(9) eap: Expiring EAP session with state 0x930263939b087afc
(9) eap: Finished EAP session with state 0x930263939b087afc
(9) eap: Previous EAP request found for state 0x930263939b087afc, released from the list
(9) eap: Peer sent packet with method EAP PEAP (25)
(9) eap: Calling submodule eap_peap to process data
(9) eap_peap: Continuing EAP-TLS
(9) eap_peap: [eaptls verify] = ok
(9) eap_peap: Done initial handshake
(9) eap_peap: [eaptls process] = ok
(9) eap_peap: Session established. Decoding tunneled attributes
(9) eap_peap: PEAP state send tlv failure
(9) eap_peap: Received EAP-TLV response
(9) eap_peap: The users session was previously rejected: returning reject (again.)
(9) eap_peap: This means you need to read the PREVIOUS messages in the debug output
(9) eap_peap: to find out the reason why the user was rejected
(9) eap_peap: Look for "reject" or "fail". Those earlier messages will tell you
(9) eap_peap: what went wrong, and how to fix the problem
(9) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed
(9) eap: Sending EAP Failure (code 4) ID 10 length 4
(9) eap: Failed in EAP select
(9) [eap] = invalid
(9) } # authenticate = invalid
(9) Failed to authenticate the user
(9) Using Post-Auth-Type Reject
(9) # Executing group from file /etc/raddb/sites-enabled/default
(9) Post-Auth-Type REJECT {
(9) sql: EXPAND .query
(9) sql: --> .query
(9) sql: WARNING: No such configuration item .query
(9) [sql] = noop
(9) } # Post-Auth-Type REJECT = noop
(9) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(9) Sending delayed response
(9) Sent Access-Reject Id 40 from 115.186.154.51:1812 to 10.10.99.5:1645 length 44
(9) EAP-Message = 0x040a0004
(9) Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.8 seconds.
(0) Cleaning up request packet ID 31 with timestamp +19
(1) Cleaning up request packet ID 32 with timestamp +19
(2) Cleaning up request packet ID 33 with timestamp +19
(3) Cleaning up request packet ID 34 with timestamp +19
(4) Cleaning up request packet ID 35 with timestamp +19
(5) Cleaning up request packet ID 36 with timestamp +19
(6) Cleaning up request packet ID 37 with timestamp +19
(7) Cleaning up request packet ID 38 with timestamp +19
(8) Cleaning up request packet ID 39 with timestamp +19
(9) Cleaning up request packet ID 40 with timestamp +19
Ready to process requests
________________________________
From: Freeradius-Users <freeradius-users-bounces+mustafa.mujahid=outlook.com at lists.freeradius.org> on behalf of Wegener, Norbert <norbert.wegener at atos.net>
Sent: Thursday, March 9, 2017 4:16 AM
To: FreeRadius users mailing list
Subject: RE: eap_peap: fatal access_denied error
What has happened before, as the session was rejected?
(9) eap_peap: The users session was previously rejected: returning reject (again.)
(9) eap_peap: This means you need to read the PREVIOUS messages in the debug output
(9) eap_peap: to find out the reason why the user was rejected
(9) eap_peap: Look for "reject" or "fail". Those earlier messages will tell you
Norbert Wegener
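The advice above ("look for reject or fail in the earlier messages") is easy to script. The helper below is an added example and not part of the thread: it groups `radiusd -X` lines by request number, reports the first failing return code in each request together with the warning/failure messages that preceded it, and notes which packet the server finally sent. The sample input is an abridged copy of requests (8) and (9) from the debug output in this thread.

```python
import re

# Every request-scoped line of "radiusd -X" output starts with "(N) ".
REQ_RE = re.compile(r"^\((\d+)\)\s*(.*)$")
# Return codes appear as "[module] = rc" or "} # section = rc".
RC_RE = re.compile(r"^(?:\[(?P<mod>[^\]]+)\]|\} # (?P<sec>.+?)) = (?P<rc>\w+)$")
# Module messages worth re-reading once a request has failed.
HINT_RE = re.compile(r"error|warning|fail|reject|denied|ignoring|not found", re.I)
FAIL_RCS = {"reject", "fail", "invalid"}

def group_by_request(lines):
    """Map request number -> that request's lines with the "(N) " prefix removed."""
    requests = {}
    for line in lines:
        m = REQ_RE.match(line.strip())
        if m:  # e.g. "Waking up in 4.8 seconds." is not request-scoped
            requests.setdefault(int(m.group(1)), []).append(m.group(2))
    return requests

def first_failure(body):
    """Earliest failing return code in one request, with the hint lines before it."""
    hints = []
    for text in body:
        m = RC_RE.match(text)
        if m is None:
            if HINT_RE.search(text):
                hints.append(text)
        elif m.group("rc") in FAIL_RCS:
            return {"where": m.group("mod") or m.group("sec"),
                    "rc": m.group("rc"), "hints": hints}
    return None  # no module or section returned reject/fail/invalid

def triage(lines):
    """Per failed request: what failed first, why, and what the server sent back."""
    report = {}
    for req, body in sorted(group_by_request(lines).items()):
        failure = first_failure(body)
        if failure is not None:
            sent = [t for t in body if t.startswith("Sent Access-")]
            failure["sent"] = sent[-1].split(" Id ")[0] if sent else None
            report[req] = failure
    return report

# Constructed sample: an abridged copy of requests (8) and (9) from the debug above.
SAMPLE = """\
(8) eap: Calling submodule eap_mschapv2 to process data
(8) eap_mschapv2: Auth-Type sub-section not found. Ignoring.
(8) eap: Sending EAP Failure (code 4) ID 9 length 4
(8) [eap] = reject
(8) [eap] = handled
(8) Sent Access-Challenge Id 39 from 115.186.154.51:1812 to 10.10.99.5:1645 length 0
Waking up in 4.8 seconds.
(9) eap_peap: The users session was previously rejected: returning reject (again.)
(9) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed
(9) [eap] = invalid
(9) Sent Access-Reject Id 40 from 115.186.154.51:1812 to 10.10.99.5:1645 length 44
""".splitlines()

if __name__ == "__main__": print(triage(SAMPLE))
```

On the sample it shows request (8) failing at `[eap] = reject` inside the inner tunnel (with the `eap_mschapv2: Auth-Type sub-section not found` hint) while the outer server still sent an Access-Challenge, and request (9) failing as `invalid` with the final Access-Reject; feed it a full `radiusd -X` capture via `triage(open(path).read().splitlines())`.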
-----Original Message-----
From: Freeradius-Users
[mailto:freeradius-users-bounces+norbert.wegener=atos.net at lists.freeradius.org]
On Behalf Of mustafa mujahid
Sent: Thursday, March 09, 2017 12:50 PM
To: FreeRadius users mailing list
Subject: Re: eap_peap: fatal access_denied error
I've been trying again, but keep coming back to this.
(9) Found Auth-Type = eap
(9) # Executing group from file /etc/raddb/sites-enabled/default
(9) authenticate {
(9) eap: Expiring EAP session with state 0x930263939b087afc
(9) eap: Finished EAP session with state 0x930263939b087afc
(9) eap: Previous EAP request found for state 0x930263939b087afc, released from the list
(9) eap: Peer sent packet with method EAP PEAP (25)
(9) eap: Calling submodule eap_peap to process data
(9) eap_peap: Continuing EAP-TLS
(9) eap_peap: [eaptls verify] = ok
(9) eap_peap: Done initial handshake
(9) eap_peap: [eaptls process] = ok
(9) eap_peap: Session established. Decoding tunneled attributes
(9) eap_peap: PEAP state send tlv failure
(9) eap_peap: Received EAP-TLV response
(9) eap_peap: The users session was previously rejected: returning reject (again.)
(9) eap_peap: This means you need to read the PREVIOUS messages in the debug output
(9) eap_peap: to find out the reason why the user was rejected
(9) eap_peap: Look for "reject" or "fail". Those earlier messages will tell you
(9) eap_peap: what went wrong, and how to fix the problem
(9) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed
(9) eap: Sending EAP Failure (code 4) ID 10 length 4
(9) eap: Failed in EAP select
(9) [eap] = invalid
(9) } # authenticate = invalid
Any help on this would be much appreciated.
BR/Mustafa.
________________________________
From: Freeradius-Users
<freeradius-users-bounces+mustafa.mujahid=outlook.com at lists.freeradius.org> on
behalf of mustafa mujahid <mustafa.mujahid at outlook.com>
Sent: Thursday, March 9, 2017 1:53 AM
To: FreeRadius users mailing list
Subject: Re: eap_peap: fatal access_denied error
PFA.
________________________________
From: Freeradius-Users
<freeradius-users-bounces+mustafa.mujahid=outlook.com at lists.freeradius.org> on
behalf of mustafa mujahid <mustafa.mujahid at outlook.com>
Sent: Thursday, March 9, 2017 12:53 AM
To: FreeRadius users mailing list
Subject: Re: eap_peap: fatal access_denied error
Hi, so I re-created the certificates in the certs directory. I'm no longer
getting the 'fatal access denied' error, but this time I got this after a
long 11-page debug output:
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
WARNING: !! EAP session for state ...... did not finish!
WARNING: !! Please read http://wiki.freeradius.org/guide/Certificate_Compatibility
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
I researched the link provided and it seems that the client certificate requires
the OID mentioned in the xpextension file to be present in it. But what I don't
understand is how I can incorporate this OID into the certificate. I created
the certificates using the 'bootstrap' script in the certs directory.
Should I manually run the commands present in the README file, or should the
make command automatically generate the certs and include the OID, or would I
have to do it myself?
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
            X509v3 CRL Distribution Points:
Right, the above is a part of the client.crt file. Please guide me in this
regard and excuse any lapse in understanding that I may have. By the way, I
attached a screenshot of the prompt I received on the client machine when first
authenticated.
BR/Mustafa
________________________________
From: Freeradius-Users
<freeradius-users-bounces+mustafa.mujahid=outlook.com at lists.freeradius.org> on
behalf of Alan DeKok <aland at deployingradius.com>
Sent: Wednesday, March 8, 2017 10:05 AM
To: FreeRadius users mailing list
Subject: Re: eap_peap: fatal access_denied error
On Mar 8, 2017, at 12:53 PM, mustafa mujahid <mustafa.mujahid at outlook.com> wrote:
>
> Hello all, I've been trying to authenticate LAN on a Cisco 2960 Switch. I've
> done configurations with PAP but this is the first time working with EAP. I
> have run into a bit of an issue. I receive a 'fatal :access denied error' in
> the debug log while testing with a single client. Radius version is 3.0.12
Using Google, the first link is:
https://gtacknowledge.extremenetworks.com/articles/Solution/NAC-Certificate-problems
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html