freeradius with UNIFI APs

Nawar Al Tarazi nawar.tarazi at contentful.com
Mon Aug 12 17:47:51 CEST 2019


I have a problem. My freeradius server works with radtest and with a normal
home router, but not with UNIFI APs. Here is the debug:
the server sends the Access-Accept, but the AP seems not to accept the
connection from the server.

My hardware is Unifi.

Please help.

(0) Received Access-Request Id 4 from 192.168.1.6:44463 to
192.168.1.10:1812 length
245
(0)   User-Name = "oktaradius at contentful.com"
(0)   NAS-IP-Address = 192.168.1.6
(0)   NAS-Identifier = "F09FC2307B82D74DA8A1"
(0)   Called-Station-Id = "F0-9F-C2-32-7B-82:Seko"
(0)   NAS-Port-Type = Wireless-802.11
(0)   Service-Type = Framed-User
(0)   Calling-Station-Id = "8C-85-90-C9-C4-A5"
(0)   Connect-Info = "CONNECT 0Mbps 802.11b"
(0)   Acct-Session-Id = "9CDA00101279DBED"
(0)   WLAN-Pairwise-Cipher = 1027076
(0)   WLAN-Group-Cipher = 1027074
(0)   WLAN-AKM-Suite = 1027073
(0)   Framed-MTU = 1400
(0)   EAP-Message =
0x0216001e016f6b746172616469757340636f6e74656e7466756c2e636f6d
(0)   Message-Authenticator = 0xeec65192e2ddf53d4d33db8190adf232
(0) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(0)   authorize {
(0)     update control {
(0)       Proxy-To-Realm := LOCAL
(0)     } # update control = noop
(0) eap: Peer sent EAP Response (code 2) ID 22 length 30
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(0)     [eap] = ok
(0)   } # authorize = ok
(0) Found Auth-Type = eap
(0) # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(0)   authenticate {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_ttls to process data
(0) eap_ttls: Initiating new EAP-TLS session
(0) eap_ttls: [eaptls start] = request
(0) eap: Sending EAP Request (code 1) ID 23 length 6
(0) eap: EAP session adding &reply:State = 0xfaa47198fab36411
(0)     [eap] = handled
(0)   } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) Post-Auth-Type sub-section not found.  Ignoring.
(0) # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(0) Sent Access-Challenge Id 4 from 192.168.1.10:1812 to
192.168.1.6:44463 length
0
(0)   EAP-Message = 0x011700061520
(0)   Message-Authenticator = 0x00000000000000000000000000000000
(0)   State = 0xfaa47198fab36411baefeb91c43d0602
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 5 from 192.168.1.6:44463 to
192.168.1.10:1812 length
394
(1)   User-Name = "oktaradius at contentful.com"
(1)   NAS-IP-Address = 192.168.1.6
(1)   NAS-Identifier = "F09FC2307B82D74DA8A1"
(1)   Called-Station-Id = "F0-9F-C2-32-7B-82:Seko"
(1)   NAS-Port-Type = Wireless-802.11
(1)   Service-Type = Framed-User
(1)   Calling-Station-Id = "8C-85-90-C9-C4-A5"
(1)   Connect-Info = "CONNECT 0Mbps 802.11b"
(1)   Acct-Session-Id = "9CDA00101279DBED"
(1)   WLAN-Pairwise-Cipher = 1027076
(1)   WLAN-Group-Cipher = 1027074
(1)   WLAN-AKM-Suite = 1027073
(1)   Framed-MTU = 1400
(1)   EAP-Message =
0x021700a115800000009716030100920100008e03035d5188828d15cd4d7a82bf0731e77373065ecf57a0bf3f4d4082633bee46876100002c00ffc02cc02bc024c023c00ac009c008c030c02fc028c027c014c013c012009d009c003d003c0035002f000a01000039000a00080006001700180019000b00
(1)   State = 0xfaa47198fab36411baefeb91c43d0602
(1)   Message-Authenticator = 0xbe4a540bc251f8055feaedc56f6d5fff
(1) session-state: No cached attributes
(1) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(1)   authorize {
(1)     update control {
(1)       Proxy-To-Realm := LOCAL
(1)     } # update control = noop
(1) eap: Peer sent EAP Response (code 2) ID 23 length 161
(1) eap: Continuing tunnel setup
(1)     [eap] = ok
(1)   } # authorize = ok
(1) Found Auth-Type = eap
(1) # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(1)   authenticate {
(1) eap: Expiring EAP session with state 0xfaa47198fab36411
(1) eap: Finished EAP session with state 0xfaa47198fab36411
(1) eap: Previous EAP request found for state 0xfaa47198fab36411, released
from the list
(1) eap: Peer sent packet with method EAP TTLS (21)
(1) eap: Calling submodule eap_ttls to process data
(1) eap_ttls: Authenticate
(1) eap_ttls: Continuing EAP-TLS
(1) eap_ttls: Peer indicated complete TLS record size will be 151 bytes
(1) eap_ttls: Got complete TLS record (151 bytes)
(1) eap_ttls: [eaptls verify] = length included
(1) eap_ttls: (other): before SSL initialization
(1) eap_ttls: TLS_accept: before SSL initialization
(1) eap_ttls: TLS_accept: before SSL initialization
(1) eap_ttls: <<< recv UNKNOWN TLS VERSION ?0304? [length 0092]
(1) eap_ttls: TLS_accept: SSLv3/TLS read client hello
(1) eap_ttls: >>> send TLS 1.2  [length 003d]
(1) eap_ttls: TLS_accept: SSLv3/TLS write server hello
(1) eap_ttls: >>> send TLS 1.2  [length 03e8]
(1) eap_ttls: TLS_accept: SSLv3/TLS write certificate
(1) eap_ttls: >>> send TLS 1.2  [length 014d]
(1) eap_ttls: TLS_accept: SSLv3/TLS write key exchange
(1) eap_ttls: >>> send TLS 1.2  [length 0004]
(1) eap_ttls: TLS_accept: SSLv3/TLS write server done
(1) eap_ttls: TLS_accept: Need to read more data: SSLv3/TLS write server
done
(1) eap_ttls: In SSL Handshake Phase
(1) eap_ttls: In SSL Accept mode
(1) eap_ttls: [eaptls process] = handled
(1) eap: Sending EAP Request (code 1) ID 24 length 1004
(1) eap: EAP session adding &reply:State = 0xfaa47198fbbc6411
(1)     [eap] = handled
(1)   } # authenticate = handled
(1) Using Post-Auth-Type Challenge
(1) Post-Auth-Type sub-section not found.  Ignoring.
(1) # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(1) Sent Access-Challenge Id 5 from 192.168.1.10:1812 to
192.168.1.6:44463 length
0
(1)   EAP-Message =
0x011803ec15c00000058a160303003d02000039030349e81822793d24a35e670383027a3eada3f2f3378a72d3789a4e393459bb0f3600c030000011ff01000100000b0004030001020017000016030303e80b0003e40003e10003de308203da308202c2a003020102020101300d06092a864886f70d0101
(1)   Message-Authenticator = 0x00000000000000000000000000000000
(1)   State = 0xfaa47198fbbc6411baefeb91c43d0602
(1) Finished request
Waking up in 4.9 seconds.
(2) Received Access-Request Id 6 from 192.168.1.6:44463 to
192.168.1.10:1812 length
239
(2)   User-Name = "oktaradius at contentful.com"
(2)   NAS-IP-Address = 192.168.1.6
(2)   NAS-Identifier = "F09FC2307B82D74DA8A1"
(2)   Called-Station-Id = "F0-9F-C2-32-7B-82:Seko"
(2)   NAS-Port-Type = Wireless-802.11
(2)   Service-Type = Framed-User
(2)   Calling-Station-Id = "8C-85-90-C9-C4-A5"
(2)   Connect-Info = "CONNECT 0Mbps 802.11b"
(2)   Acct-Session-Id = "9CDA00101279DBED"
(2)   WLAN-Pairwise-Cipher = 1027076
(2)   WLAN-Group-Cipher = 1027074
(2)   WLAN-AKM-Suite = 1027073
(2)   Framed-MTU = 1400
(2)   EAP-Message = 0x021800061500
(2)   State = 0xfaa47198fbbc6411baefeb91c43d0602
(2)   Message-Authenticator = 0xd673ec1af4da37f49eee91a44fff135f
(2) session-state: No cached attributes
(2) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(2)   authorize {
(2)     update control {
(2)       Proxy-To-Realm := LOCAL
(2)     } # update control = noop
(2) eap: Peer sent EAP Response (code 2) ID 24 length 6
(2) eap: Continuing tunnel setup
(2)     [eap] = ok
(2)   } # authorize = ok
(2) Found Auth-Type = eap
(2) # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(2)   authenticate {
(2) eap: Expiring EAP session with state 0xfaa47198fbbc6411
(2) eap: Finished EAP session with state 0xfaa47198fbbc6411
(2) eap: Previous EAP request found for state 0xfaa47198fbbc6411, released
from the list
(2) eap: Peer sent packet with method EAP TTLS (21)
(2) eap: Calling submodule eap_ttls to process data
(2) eap_ttls: Authenticate
(2) eap_ttls: Continuing EAP-TLS
(2) eap_ttls: Peer ACKed our handshake fragment
(2) eap_ttls: [eaptls verify] = request
(2) eap_ttls: [eaptls process] = handled
(2) eap: Sending EAP Request (code 1) ID 25 length 434
(2) eap: EAP session adding &reply:State = 0xfaa47198f8bd6411
(2)     [eap] = handled
(2)   } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) Post-Auth-Type sub-section not found.  Ignoring.
(2) # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(2) Sent Access-Challenge Id 6 from 192.168.1.10:1812 to
192.168.1.6:44463 length
0
(2)   EAP-Message =
0x011901b215800000058a1243396539a2f1ad1b6a17603569def5a0794b3af441b40273fd27a0361b18742b5e898d798d94b85c2aaa4ede14cfe7c5f7406c7d5eb178bc1e609fbfefb1920ce1f720d4bbd7ea7e4c91a2b0160303014d0c0001490300174104c4784b7e2fc3e8cf21033a4766054d0266e0
(2)   Message-Authenticator = 0x00000000000000000000000000000000
(2)   State = 0xfaa47198f8bd6411baefeb91c43d0602
(2) Finished request
Waking up in 4.9 seconds.
(3) Received Access-Request Id 7 from 192.168.1.6:44463 to
192.168.1.10:1812 length
369
(3)   User-Name = "oktaradius at contentful.com"
(3)   NAS-IP-Address = 192.168.1.6
(3)   NAS-Identifier = "F09FC2307B82D74DA8A1"
(3)   Called-Station-Id = "F0-9F-C2-32-7B-82:Seko"
(3)   NAS-Port-Type = Wireless-802.11
(3)   Service-Type = Framed-User
(3)   Calling-Station-Id = "8C-85-90-C9-C4-A5"
(3)   Connect-Info = "CONNECT 0Mbps 802.11b"
(3)   Acct-Session-Id = "9CDA00101279DBED"
(3)   WLAN-Pairwise-Cipher = 1027076
(3)   WLAN-Group-Cipher = 1027074
(3)   WLAN-AKM-Suite = 1027073
(3)   Framed-MTU = 1400
(3)   EAP-Message =
0x0219008815800000007e1603030046100000424104c9371a045101d7c7d9563212df6bc5a5b2417a499869eeaa50453d1f81bc96938addc1a9bf0512021dfdf2091938b4da9646febec921b00a57a717e72e7155861403030001011603030028860b3611b6543395b1c6bbaaf83beea322054daf0beb35
(3)   State = 0xfaa47198f8bd6411baefeb91c43d0602
(3)   Message-Authenticator = 0xd8e7b2d6e17e721eda1f459d4d421864
(3) session-state: No cached attributes
(3) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(3)   authorize {
(3)     update control {
(3)       Proxy-To-Realm := LOCAL
(3)     } # update control = noop
(3) eap: Peer sent EAP Response (code 2) ID 25 length 136
(3) eap: Continuing tunnel setup
(3)     [eap] = ok
(3)   } # authorize = ok
(3) Found Auth-Type = eap
(3) # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(3)   authenticate {
(3) eap: Expiring EAP session with state 0xfaa47198f8bd6411
(3) eap: Finished EAP session with state 0xfaa47198f8bd6411
(3) eap: Previous EAP request found for state 0xfaa47198f8bd6411, released
from the list
(3) eap: Peer sent packet with method EAP TTLS (21)
(3) eap: Calling submodule eap_ttls to process data
(3) eap_ttls: Authenticate
(3) eap_ttls: Continuing EAP-TLS
(3) eap_ttls: Peer indicated complete TLS record size will be 126 bytes
(3) eap_ttls: Got complete TLS record (126 bytes)
(3) eap_ttls: [eaptls verify] = length included
(3) eap_ttls: TLS_accept: SSLv3/TLS write server done
(3) eap_ttls: <<< recv TLS 1.2  [length 0046]
(3) eap_ttls: TLS_accept: SSLv3/TLS read client key exchange
(3) eap_ttls: TLS_accept: SSLv3/TLS read change cipher spec
(3) eap_ttls: <<< recv TLS 1.2  [length 0010]
(3) eap_ttls: TLS_accept: SSLv3/TLS read finished
(3) eap_ttls: >>> send TLS 1.2  [length 0001]
(3) eap_ttls: TLS_accept: SSLv3/TLS write change cipher spec
(3) eap_ttls: >>> send TLS 1.2  [length 0010]
(3) eap_ttls: TLS_accept: SSLv3/TLS write finished
(3) eap_ttls: (other): SSL negotiation finished successfully
(3) eap_ttls: SSL Connection Established
(3) eap_ttls: [eaptls process] = handled
(3) eap: Sending EAP Request (code 1) ID 26 length 61
(3) eap: EAP session adding &reply:State = 0xfaa47198f9be6411
(3)     [eap] = handled
(3)   } # authenticate = handled
(3) Using Post-Auth-Type Challenge
(3) Post-Auth-Type sub-section not found.  Ignoring.
(3) # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(3) Sent Access-Challenge Id 7 from 192.168.1.10:1812 to
192.168.1.6:44463 length
0
(3)   EAP-Message =
0x011a003d15800000003314030300010116030300286d3279646040945eb6f8d448620c0719de823b9e656e0260d632d35eacaa5fa8a16d89afdfad464c
(3)   Message-Authenticator = 0x00000000000000000000000000000000
(3)   State = 0xfaa47198f9be6411baefeb91c43d0602
(3) Finished request
Waking up in 4.8 seconds.
(4) Received Access-Request Id 8 from 192.168.1.6:44463 to
192.168.1.10:1812 length
332
(4)   User-Name = "oktaradius at contentful.com"
(4)   NAS-IP-Address = 192.168.1.6
(4)   NAS-Identifier = "F09FC2307B82D74DA8A1"
(4)   Called-Station-Id = "F0-9F-C2-32-7B-82:Seko"
(4)   NAS-Port-Type = Wireless-802.11
(4)   Service-Type = Framed-User
(4)   Calling-Station-Id = "8C-85-90-C9-C4-A5"
(4)   Connect-Info = "CONNECT 0Mbps 802.11b"
(4)   Acct-Session-Id = "9CDA00101279DBED"
(4)   WLAN-Pairwise-Cipher = 1027076
(4)   WLAN-Group-Cipher = 1027074
(4)   WLAN-AKM-Suite = 1027073
(4)   Framed-MTU = 1400
(4)   EAP-Message =
0x021a00631580000000591703030054860b3611b65433960489141a64f3a8cb7c13b947583a4921f0806cd7acc46445465f35fb81bd6104f94599eefeb0d061f172f627a632af17613fac442a331cd9cb5030708bebf6dcf788682be55ac8c3f52b02ae
(4)   State = 0xfaa47198f9be6411baefeb91c43d0602
(4)   Message-Authenticator = 0xdfcd2b5cc81d4042154a25f616974409
(4) session-state: No cached attributes
(4) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(4)   authorize {
(4)     update control {
(4)       Proxy-To-Realm := LOCAL
(4)     } # update control = noop
(4) eap: Peer sent EAP Response (code 2) ID 26 length 99
(4) eap: Continuing tunnel setup
(4)     [eap] = ok
(4)   } # authorize = ok
(4) Found Auth-Type = eap
(4) # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(4)   authenticate {
(4) eap: Expiring EAP session with state 0xfaa47198f9be6411
(4) eap: Finished EAP session with state 0xfaa47198f9be6411
(4) eap: Previous EAP request found for state 0xfaa47198f9be6411, released
from the list
(4) eap: Peer sent packet with method EAP TTLS (21)
(4) eap: Calling submodule eap_ttls to process data
(4) eap_ttls: Authenticate
(4) eap_ttls: Continuing EAP-TLS
(4) eap_ttls: Peer indicated complete TLS record size will be 89 bytes
(4) eap_ttls: Got complete TLS record (89 bytes)
(4) eap_ttls: [eaptls verify] = length included
(4) eap_ttls: [eaptls process] = ok
(4) eap_ttls: Session established.  Proceeding to decode tunneled attributes
(4) eap_ttls: Got tunneled request
(4) eap_ttls:   User-Name = "oktaradius at contentful.com"
(4) eap_ttls:   User-Password = "BetAThetA135"
(4) eap_ttls:   FreeRADIUS-Proxied-To = 127.0.0.1
(4) eap_ttls: Sending tunneled request
(4) Virtual server inner-tunnel received request
(4)   User-Name = "oktaradius at contentful.com"
(4)   User-Password = "BetAThetA135"
(4)   FreeRADIUS-Proxied-To = 127.0.0.1
(4)   NAS-IP-Address = 192.168.1.6
(4)   NAS-Identifier = "F09FC2307B82D74DA8A1"
(4)   Called-Station-Id = "F0-9F-C2-32-7B-82:Seko"
(4)   NAS-Port-Type = Wireless-802.11
(4)   Service-Type = Framed-User
(4)   Calling-Station-Id = "8C-85-90-C9-C4-A5"
(4)   Connect-Info = "CONNECT 0Mbps 802.11b"
(4)   Acct-Session-Id = "9CDA00101279DBED"
(4)   WLAN-Pairwise-Cipher = 1027076
(4)   WLAN-Group-Cipher = 1027074
(4)   WLAN-AKM-Suite = 1027073
(4)   Framed-MTU = 1400
(4) WARNING: Outer and inner identities are the same.  User privacy is
compromised.
(4) server inner-tunnel {
(4)   # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(4)     authorize {
(4)       update control {
(4)         Proxy-To-Realm := LOCAL
(4)       } # update control = noop
(4) eap: No EAP-Message, not doing EAP
(4)       [eap] = noop
(4)       [pap] = noop
(4)       if (User-Password) {
(4)       if (User-Password)  -> TRUE
(4)       if (User-Password)  {
(4)         update control {
(4)           Auth-Type := ldap
(4)         } # update control = noop
(4)       } # if (User-Password)  = noop
(4)     } # authorize = noop
(4)   Found Auth-Type = ldap
(4)   # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(4)     authenticate {
rlm_ldap (ldap): Closing connection (0): Hit idle_timeout, was idle for 153
seconds
rlm_ldap (ldap): Closing connection (1): Hit idle_timeout, was idle for 152
seconds
rlm_ldap (ldap): Closing connection (2): Hit idle_timeout, was idle for 151
seconds
rlm_ldap (ldap): You probably need to lower "min"
rlm_ldap (ldap): Closing connection (3): Hit idle_timeout, was idle for 150
seconds
rlm_ldap (ldap): You probably need to lower "min"
rlm_ldap (ldap): Closing connection (4): Hit idle_timeout, was idle for 149
seconds
rlm_ldap (ldap): You probably need to lower "min"
rlm_ldap (ldap): 0 of 0 connections in use.  You  may need to increase
"spare"
rlm_ldap (ldap): Opening additional connection (5), 1 of 32 pending slots
used
rlm_ldap (ldap): Connecting to ldap://contentful.ldap.oktapreview.com:636
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Reserved connection (5)
(4) ldap: Login attempt by "oktaradius at contentful.com"
(4) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(4) ldap:    --> (uid=oktaradius at contentful.com)
(4) ldap: Performing search in "ou=users,dc=contentful, dc=oktapreview,
dc=com" with filter "(uid=oktaradius at contentful.com)", scope "sub"
(4) ldap: Waiting for search result...
(4) ldap: User object found at DN "uid=oktaradius at contentful.com
,ou=users,dc=contentful,dc=oktapreview,dc=com"
(4) ldap: Waiting for bind result...
(4) ldap: Bind successful
(4) ldap: Bind as user
"uid=oktaradius at contentful.com,ou=users,dc=contentful,dc=oktapreview,dc=com"
was successful
rlm_ldap (ldap): Released connection (5)
Need 2 more connections to reach min connections (3)
rlm_ldap (ldap): Opening additional connection (6), 1 of 31 pending slots
used
rlm_ldap (ldap): Connecting to ldap://contentful.ldap.oktapreview.com:636
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(4)       [ldap] = ok
(4)     } # authenticate = ok
(4)   # Executing section post-auth from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(4) } # server inner-tunnel
(4) Virtual server sending reply
(4) eap_ttls: Got tunneled Access-Accept
(4) eap: Sending EAP Success (code 3) ID 26 length 4
(4) eap: Freeing handler
(4)     [eap] = ok
(4)   } # authenticate = ok
(4) # Executing section post-auth from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(4) Sent Access-Accept Id 8 from 192.168.1.10:1812 to 192.168.1.6:44463 length
0
(4)   MS-MPPE-Recv-Key =
0x8c05d9a6191d353cf4101fe02b866e7a91dc69e4192eacd39647f6167f7cfd41
(4)   MS-MPPE-Send-Key =
0x6e524da319bdd251d5f4b702316813dfed52e1ee2eb530ff93e742b8d1be8df4
(4)   EAP-Message = 0x031a0004
(4)   Message-Authenticator = 0x00000000000000000000000000000000
(4)   User-Name = "oktaradius at contentful.com"
(4) Finished request
Waking up in 2.1 seconds.
Waking up in 2.1 seconds.
(0) Cleaning up request packet ID 4 with timestamp +149
(1) Cleaning up request packet ID 5 with timestamp +149
(2) Cleaning up request packet ID 6 with timestamp +149
(3) Cleaning up request packet ID 7 with timestamp +149
Waking up in 7.7 seconds.
(4) Cleaning up request packet ID 8 with timestamp +149
Ready to process requests

-- 
Nawar Al Tarazi
IT Working Student

nawar.tarazi at contentful.com
+4915787991702

www.contentful.com
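An added example, not code from the post or from FreeRADIUS: a small Python parser that walks a `freeradius -X` transcript like the one above and reports the milestones a defender checks (EAP method, TLS established, final reply, MS-MPPE keys in the Accept) plus what the debug log itself exposes, namely the identical outer/inner identity warning and the tunneled PAP password printed in clear. It assumes the `-X` line formats seen in this log; the sample lines are constructed with shortened hex values and a placeholder password.

```python
import re

# Constructed sample shaped like the -X output in the post (hex shortened, password a placeholder).
SAMPLE = """\
(0) eap: Peer sent packet with method EAP Identity (1)
(0) Sent Access-Challenge Id 4 from 192.168.1.10:1812 to 192.168.1.6:44463 length 0
(0)   EAP-Message = 0x011700061520
(3) eap: Peer sent packet with method EAP TTLS (21)
(3) eap_ttls: SSL Connection Established
(4) eap_ttls:   User-Password = "PLACEHOLDER-PASSWORD"
(4) WARNING: Outer and inner identities are the same.  User privacy is compromised.
(4) eap: Sending EAP Success (code 3) ID 26 length 4
(4) Sent Access-Accept Id 8 from 192.168.1.10:1812 to 192.168.1.6:44463 length 0
(4)   MS-MPPE-Recv-Key = 0x8c05d9a6
(4)   MS-MPPE-Send-Key = 0x6e524da3
(4)   EAP-Message = 0x031a0004
"""

NUM = re.compile(r"^\((\d+)\) ")                      # request number prefix
SENT = re.compile(r"^\((\d+)\) Sent (Access-\w+) Id (\d+)")
METHOD = re.compile(r"^\((\d+)\) eap: Peer sent packet with method (.+?) \(\d+\)")
ATTR = re.compile(r"^\((\d+)\)\s+([\w-]+) = (.*)$")   # reply attribute (after a Sent line)
FLAGS = {  # substring that marks each milestone or exposure in the log
    "tls_established": "SSL Connection Established",
    "eap_success": "eap: Sending EAP Success",
    "privacy_warning": "Outer and inner identities are the same",
    "password_in_log": "User-Password = ",  # -X prints the tunneled PAP password in clear
}

def parse_debug(text):
    """Group a -X transcript by request number: EAP method, reply, reply attrs, flags."""
    reqs = {}
    for line in text.splitlines():
        m = NUM.match(line)
        if not m:
            continue
        n = int(m.group(1))
        r = reqs.setdefault(n, {"method": "", "reply": "", "attrs": {}, "flags": set()})
        if m := SENT.match(line):
            r["reply"] = m.group(2)
        elif m := METHOD.match(line):
            r["method"] = m.group(2)
        elif (m := ATTR.match(line)) and r["reply"]:
            r["attrs"][m.group(2)] = m.group(3)
        r["flags"].update(k for k, needle in FLAGS.items() if needle in line)
    return reqs

def assess(reqs):
    """Defender's checks: did EAP complete, did the Accept carry the MS-MPPE keys the AP
    needs to derive the PMK for the 4-way handshake, and what did the log itself expose."""
    seen = set().union(*(r["flags"] for r in reqs.values()))
    last = reqs[max(reqs)]
    return {
        "eap_method": next((r["method"] for r in reqs.values()
                            if r["method"] not in ("", "EAP Identity")), ""),
        "final_reply": last["reply"],
        "mppe_keys_in_accept": last["reply"] == "Access-Accept"
            and {"MS-MPPE-Recv-Key", "MS-MPPE-Send-Key"} <= set(last["attrs"]),
        **{flag: flag in seen for flag in FLAGS},
    }
```

Run it over a full `-X` capture to confirm the Accept carries both MPPE keys, and treat a `password_in_log` hit as a reminder to redact the transcript before sharing it.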
