MS-CHAP2-Request is rejected

william steen wjsteen at talktalk.net
Tue May 21 21:33:51 CEST 2019


Matthew

Thank you for the observations. Mea culpa - the password was wrong. Having corrected that, I am getting a WICED 1064 error back on the device, which I believe means EAPOL_KEY_FAILURE. I am really struggling to read the full debug and understand why it is not working. I can’t see anything in the output that says it is not working; in fact I see at the end SUCCESS - so is this a device issue?

(36) Received Access-Request Id 208 from 192.168.1.38:55602 to 192.168.1.33:1812 length 174
(36)   User-Name = "anonymous"
(36)   NAS-IP-Address = 192.168.1.38
(36)   NAS-Identifier = "b4fbe4c348ab"
(36)   NAS-Port = 0
(36)   Called-Station-Id = "B4-FB-E4-C4-48-AB:Armorwpa2"
(36)   Calling-Station-Id = "E0-4F-43-36-B1-F1"
(36)   Framed-MTU = 1400
(36)   NAS-Port-Type = Wireless-802.11
(36)   Connect-Info = "CONNECT 0Mbps 802.11b"
(36)   EAP-Message = 0x02b5000e01616e6f6e796d6f7573
(36)   Message-Authenticator = 0x25509f16a2da40b886f964a9fb289b2a
(36) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(36)   authorize {
(36)     policy filter_username {
(36)       if (&User-Name) {
(36)       if (&User-Name)  -> TRUE
(36)       if (&User-Name)  {
(36)         if (&User-Name =~ / /) {
(36)         if (&User-Name =~ / /)  -> FALSE
(36)         if (&User-Name =~ /@[^@]*@/ ) {
(36)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(36)         if (&User-Name =~ /\.\./ ) {
(36)         if (&User-Name =~ /\.\./ )  -> FALSE
(36)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(36)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(36)         if (&User-Name =~ /\.$/)  {
(36)         if (&User-Name =~ /\.$/)   -> FALSE
(36)         if (&User-Name =~ /@\./)  {
(36)         if (&User-Name =~ /@\./)   -> FALSE
(36)       } # if (&User-Name)  = notfound
(36)     } # policy filter_username = notfound
(36)     [preprocess] = ok
(36)     [chap] = noop
(36)     [mschap] = noop
(36)     [digest] = noop
(36) suffix: Checking for suffix after "@"
(36) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(36) suffix: No such realm "NULL"
(36)     [suffix] = noop
(36) eap: Peer sent EAP Response (code 2) ID 181 length 14
(36) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(36)     [eap] = ok
(36)   } # authorize = ok
(36) Found Auth-Type = eap
(36) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(36)   authenticate {
(36) eap: Peer sent packet with method EAP Identity (1)
(36) eap: Calling submodule eap_md5 to process data
(36) eap_md5: Issuing MD5 Challenge
(36) eap: Sending EAP Request (code 1) ID 182 length 22
(36) eap: EAP session adding &reply:State = 0x2a8581bd2a3385df
(36)     [eap] = handled
(36)   } # authenticate = handled
(36) Using Post-Auth-Type Challenge
(36) Post-Auth-Type sub-section not found.  Ignoring.
(36) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(36) Sent Access-Challenge Id 208 from 192.168.1.33:1812 to 192.168.1.38:55602 length 0
(36)   EAP-Message = 0x01b600160410ff129213cf36dc9899010133da42091f
(36)   Message-Authenticator = 0x00000000000000000000000000000000
(36)   State = 0x2a8581bd2a3385df1e814808369ac970
(36) Finished request
Waking up in 4.9 seconds.
(37) Received Access-Request Id 209 from 192.168.1.38:55602 to 192.168.1.33:1812 length 184
(37)   User-Name = "anonymous"
(37)   NAS-IP-Address = 192.168.1.38
(37)   NAS-Identifier = "b4fbe4c348ab"
(37)   NAS-Port = 0
(37)   Called-Station-Id = "B4-FB-E4-C4-48-AB:Armorwpa2"
(37)   Calling-Station-Id = "E0-4F-43-36-B1-F1"
(37)   Framed-MTU = 1400
(37)   NAS-Port-Type = Wireless-802.11
(37)   Connect-Info = "CONNECT 0Mbps 802.11b"
(37)   EAP-Message = 0x02b600060319
(37)   State = 0x2a8581bd2a3385df1e814808369ac970
(37)   Message-Authenticator = 0x8119d40b649a68faa58453efa4c195eb
(37) session-state: No cached attributes
(37) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(37)   authorize {
(37)     policy filter_username {
(37)       if (&User-Name) {
(37)       if (&User-Name)  -> TRUE
(37)       if (&User-Name)  {
(37)         if (&User-Name =~ / /) {
(37)         if (&User-Name =~ / /)  -> FALSE
(37)         if (&User-Name =~ /@[^@]*@/ ) {
(37)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(37)         if (&User-Name =~ /\.\./ ) {
(37)         if (&User-Name =~ /\.\./ )  -> FALSE
(37)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(37)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(37)         if (&User-Name =~ /\.$/)  {
(37)         if (&User-Name =~ /\.$/)   -> FALSE
(37)         if (&User-Name =~ /@\./)  {
(37)         if (&User-Name =~ /@\./)   -> FALSE
(37)       } # if (&User-Name)  = notfound
(37)     } # policy filter_username = notfound
(37)     [preprocess] = ok
(37)     [chap] = noop
(37)     [mschap] = noop
(37)     [digest] = noop
(37) suffix: Checking for suffix after "@"
(37) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(37) suffix: No such realm "NULL"
(37)     [suffix] = noop
(37) eap: Peer sent EAP Response (code 2) ID 182 length 6
(37) eap: No EAP Start, assuming it's an on-going EAP conversation
(37)     [eap] = updated
(37)     [files] = noop
(37)     [expiration] = noop
(37)     [logintime] = noop
(37) pap: WARNING: No "known good" password found for the user.  Not setting Auth-Type
(37) pap: WARNING: Authentication will fail unless a "known good" password is available
(37)     [pap] = noop
(37)   } # authorize = updated
(37) Found Auth-Type = eap
(37) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(37)   authenticate {
(37) eap: Expiring EAP session with state 0x2a8581bd2a3385df
(37) eap: Finished EAP session with state 0x2a8581bd2a3385df
(37) eap: Previous EAP request found for state 0x2a8581bd2a3385df, released from the list
(37) eap: Peer sent packet with method EAP NAK (3)
(37) eap: Found mutually acceptable type PEAP (25)
(37) eap: Calling submodule eap_peap to process data
(37) eap_peap: Initiating new EAP-TLS session
(37) eap_peap: [eaptls start] = request
(37) eap: Sending EAP Request (code 1) ID 183 length 6
(37) eap: EAP session adding &reply:State = 0x2a8581bd2b3298df
(37)     [eap] = handled
(37)   } # authenticate = handled
(37) Using Post-Auth-Type Challenge
(37) Post-Auth-Type sub-section not found.  Ignoring.
(37) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(37) Sent Access-Challenge Id 209 from 192.168.1.33:1812 to 192.168.1.38:55602 length 0
(37)   EAP-Message = 0x01b700061920
(37)   Message-Authenticator = 0x00000000000000000000000000000000
(37)   State = 0x2a8581bd2b3298df1e814808369ac970
(37) Finished request
Waking up in 4.9 seconds.
(38) Received Access-Request Id 210 from 192.168.1.38:55602 to 192.168.1.33:1812 length 274
(38)   User-Name = "anonymous"
(38)   NAS-IP-Address = 192.168.1.38
(38)   NAS-Identifier = "b4fbe4c348ab"
(38)   NAS-Port = 0
(38)   Called-Station-Id = "B4-FB-E4-C4-48-AB:Armorwpa2"
(38)   Calling-Station-Id = "E0-4F-43-36-B1-F1"
(38)   Framed-MTU = 1400
(38)   NAS-Port-Type = Wireless-802.11
(38)   Connect-Info = "CONNECT 0Mbps 802.11b"
(38)   EAP-Message = 0x02b7006019800000005616030300510100004d0303000000281cdc9b2252c07aa2864276d5d684b9f771cff5a17b5c280169d1bf8a000004003c002f01000020000a000400020017000b00020100000d000e000c020102030301030304010403
(38)   State = 0x2a8581bd2b3298df1e814808369ac970
(38)   Message-Authenticator = 0xb616b97bb086ec34a2c8ef9911d0ea09
(38) session-state: No cached attributes
(38) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(38)   authorize {
(38)     policy filter_username {
(38)       if (&User-Name) {
(38)       if (&User-Name)  -> TRUE
(38)       if (&User-Name)  {
(38)         if (&User-Name =~ / /) {
(38)         if (&User-Name =~ / /)  -> FALSE
(38)         if (&User-Name =~ /@[^@]*@/ ) {
(38)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(38)         if (&User-Name =~ /\.\./ ) {
(38)         if (&User-Name =~ /\.\./ )  -> FALSE
(38)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(38)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(38)         if (&User-Name =~ /\.$/)  {
(38)         if (&User-Name =~ /\.$/)   -> FALSE
(38)         if (&User-Name =~ /@\./)  {
(38)         if (&User-Name =~ /@\./)   -> FALSE
(38)       } # if (&User-Name)  = notfound
(38)     } # policy filter_username = notfound
(38)     [preprocess] = ok
(38)     [chap] = noop
(38)     [mschap] = noop
(38)     [digest] = noop
(38) suffix: Checking for suffix after "@"
(38) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(38) suffix: No such realm "NULL"
(38)     [suffix] = noop
(38) eap: Peer sent EAP Response (code 2) ID 183 length 96
(38) eap: Continuing tunnel setup
(38)     [eap] = ok
(38)   } # authorize = ok
(38) Found Auth-Type = eap
(38) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(38)   authenticate {
(38) eap: Expiring EAP session with state 0x2a8581bd2b3298df
(38) eap: Finished EAP session with state 0x2a8581bd2b3298df
(38) eap: Previous EAP request found for state 0x2a8581bd2b3298df, released from the list
(38) eap: Peer sent packet with method EAP PEAP (25)
(38) eap: Calling submodule eap_peap to process data
(38) eap_peap: Continuing EAP-TLS
(38) eap_peap: Peer indicated complete TLS record size will be 86 bytes
(38) eap_peap: Got complete TLS record (86 bytes)
(38) eap_peap: [eaptls verify] = length included
(38) eap_peap: (other): before SSL initialization
(38) eap_peap: TLS_accept: before SSL initialization
(38) eap_peap: TLS_accept: before SSL initialization
(38) eap_peap: <<< recv TLS 1.2  [length 0051] 
(38) eap_peap: TLS_accept: SSLv3/TLS read client hello
(38) eap_peap: >>> send TLS 1.2  [length 002a] 
(38) eap_peap: TLS_accept: SSLv3/TLS write server hello
(38) eap_peap: >>> send TLS 1.2  [length 02f1] 
(38) eap_peap: TLS_accept: SSLv3/TLS write certificate
(38) eap_peap: >>> send TLS 1.2  [length 0004] 
(38) eap_peap: TLS_accept: SSLv3/TLS write server done
(38) eap_peap: TLS_accept: Need to read more data: SSLv3/TLS write server done
(38) eap_peap: In SSL Handshake Phase
(38) eap_peap: In SSL Accept mode
(38) eap_peap: [eaptls process] = handled
(38) eap: Sending EAP Request (code 1) ID 184 length 820
(38) eap: EAP session adding &reply:State = 0x2a8581bd283d98df
(38)     [eap] = handled
(38)   } # authenticate = handled
(38) Using Post-Auth-Type Challenge
(38) Post-Auth-Type sub-section not found.  Ignoring.
(38) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(38) Sent Access-Challenge Id 210 from 192.168.1.33:1812 to 192.168.1.38:55602 length 0
(38)   EAP-Message = 0x01b803341900160303002a020000260303cf3c4b0e5ed60e104aad4ed9b51fb76b9896b63ef4a31d3e772041f6e35b257200003c0016030302f10b0002ed0002ea0002e7308202e3308201cba003020102020900a170e33eaa8a04e7300d06092a864886f70d01010b0500301b3119301706035504030c
(38)   Message-Authenticator = 0x00000000000000000000000000000000
(38)   State = 0x2a8581bd283d98df1e814808369ac970
(38) Finished request
Waking up in 4.9 seconds.
(39) Received Access-Request Id 211 from 192.168.1.38:55602 to 192.168.1.33:1812 length 548
(39)   User-Name = "anonymous"
(39)   NAS-IP-Address = 192.168.1.38
(39)   NAS-Identifier = "b4fbe4c348ab"
(39)   NAS-Port = 0
(39)   Called-Station-Id = "B4-FB-E4-C4-48-AB:Armorwpa2"
(39)   Calling-Station-Id = "E0-4F-43-36-B1-F1"
(39)   Framed-MTU = 1400
(39)   NAS-Port-Type = Wireless-802.11
(39)   Connect-Info = "CONNECT 0Mbps 802.11b"
(39)   EAP-Message = 0x02b80170198000000166160303010610000102010071e19621b125c24ad8dad747ca68b5f71eedd73d928788b92dcffb97d102f453587e37ecc1fa3d8fd8b80b6db2ef5bb91b0452e39652df4324e7251c3ca8401dc5d7565b8b87187452af469f979e0f7e89441a02251a4da163c0cd6fcd7faa357fac
(39)   State = 0x2a8581bd283d98df1e814808369ac970
(39)   Message-Authenticator = 0x04bed256ea91148ae84b66643a916080
(39) session-state: No cached attributes
(39) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(39)   authorize {
(39)     policy filter_username {
(39)       if (&User-Name) {
(39)       if (&User-Name)  -> TRUE
(39)       if (&User-Name)  {
(39)         if (&User-Name =~ / /) {
(39)         if (&User-Name =~ / /)  -> FALSE
(39)         if (&User-Name =~ /@[^@]*@/ ) {
(39)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(39)         if (&User-Name =~ /\.\./ ) {
(39)         if (&User-Name =~ /\.\./ )  -> FALSE
(39)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(39)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(39)         if (&User-Name =~ /\.$/)  {
(39)         if (&User-Name =~ /\.$/)   -> FALSE
(39)         if (&User-Name =~ /@\./)  {
(39)         if (&User-Name =~ /@\./)   -> FALSE
(39)       } # if (&User-Name)  = notfound
(39)     } # policy filter_username = notfound
(39)     [preprocess] = ok
(39)     [chap] = noop
(39)     [mschap] = noop
(39)     [digest] = noop
(39) suffix: Checking for suffix after "@"
(39) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(39) suffix: No such realm "NULL"
(39)     [suffix] = noop
(39) eap: Peer sent EAP Response (code 2) ID 184 length 368
(39) eap: Continuing tunnel setup
(39)     [eap] = ok
(39)   } # authorize = ok
(39) Found Auth-Type = eap
(39) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(39)   authenticate {
(39) eap: Expiring EAP session with state 0x2a8581bd283d98df
(39) eap: Finished EAP session with state 0x2a8581bd283d98df
(39) eap: Previous EAP request found for state 0x2a8581bd283d98df, released from the list
(39) eap: Peer sent packet with method EAP PEAP (25)
(39) eap: Calling submodule eap_peap to process data
(39) eap_peap: Continuing EAP-TLS
(39) eap_peap: Peer indicated complete TLS record size will be 358 bytes
(39) eap_peap: Got complete TLS record (358 bytes)
(39) eap_peap: [eaptls verify] = length included
(39) eap_peap: TLS_accept: SSLv3/TLS write server done
(39) eap_peap: <<< recv TLS 1.2  [length 0106] 
(39) eap_peap: TLS_accept: SSLv3/TLS read client key exchange
(39) eap_peap: TLS_accept: SSLv3/TLS read change cipher spec
(39) eap_peap: <<< recv TLS 1.2  [length 0010] 
(39) eap_peap: TLS_accept: SSLv3/TLS read finished
(39) eap_peap: >>> send TLS 1.2  [length 0001] 
(39) eap_peap: TLS_accept: SSLv3/TLS write change cipher spec
(39) eap_peap: >>> send TLS 1.2  [length 0010] 
(39) eap_peap: TLS_accept: SSLv3/TLS write finished
(39) eap_peap: (other): SSL negotiation finished successfully
(39) eap_peap: SSL Connection Established
(39) eap_peap: [eaptls process] = handled
(39) eap: Sending EAP Request (code 1) ID 185 length 97
(39) eap: EAP session adding &reply:State = 0x2a8581bd293c98df
(39)     [eap] = handled
(39)   } # authenticate = handled
(39) Using Post-Auth-Type Challenge
(39) Post-Auth-Type sub-section not found.  Ignoring.
(39) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(39) Sent Access-Challenge Id 211 from 192.168.1.33:1812 to 192.168.1.38:55602 length 0
(39)   EAP-Message = 0x01b9006119001403030001011603030050b0b0d9af69f459f35b4b47f71ed961ad39a4d03368daf9ae1b1438e2c5f6586f3396151c1e6d9b8d815db52d93a0b1df8be145d56c2a3dd6b1133e231ee64be468f9dafc1529bac1bb8da84d57fe81d0
(39)   Message-Authenticator = 0x00000000000000000000000000000000
(39)   State = 0x2a8581bd293c98df1e814808369ac970
(39) Finished request
Waking up in 4.8 seconds.
(40) Received Access-Request Id 212 from 192.168.1.38:55602 to 192.168.1.33:1812 length 184
(40)   User-Name = "anonymous"
(40)   NAS-IP-Address = 192.168.1.38
(40)   NAS-Identifier = "b4fbe4c348ab"
(40)   NAS-Port = 0
(40)   Called-Station-Id = "B4-FB-E4-C4-48-AB:Armorwpa2"
(40)   Calling-Station-Id = "E0-4F-43-36-B1-F1"
(40)   Framed-MTU = 1400
(40)   NAS-Port-Type = Wireless-802.11
(40)   Connect-Info = "CONNECT 0Mbps 802.11b"
(40)   EAP-Message = 0x02b900061900
(40)   State = 0x2a8581bd293c98df1e814808369ac970
(40)   Message-Authenticator = 0xe886a2afdad2cabad78f25fbe33d4914
(40) session-state: No cached attributes
(40) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(40)   authorize {
(40)     policy filter_username {
(40)       if (&User-Name) {
(40)       if (&User-Name)  -> TRUE
(40)       if (&User-Name)  {
(40)         if (&User-Name =~ / /) {
(40)         if (&User-Name =~ / /)  -> FALSE
(40)         if (&User-Name =~ /@[^@]*@/ ) {
(40)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(40)         if (&User-Name =~ /\.\./ ) {
(40)         if (&User-Name =~ /\.\./ )  -> FALSE
(40)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(40)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(40)         if (&User-Name =~ /\.$/)  {
(40)         if (&User-Name =~ /\.$/)   -> FALSE
(40)         if (&User-Name =~ /@\./)  {
(40)         if (&User-Name =~ /@\./)   -> FALSE
(40)       } # if (&User-Name)  = notfound
(40)     } # policy filter_username = notfound
(40)     [preprocess] = ok
(40)     [chap] = noop
(40)     [mschap] = noop
(40)     [digest] = noop
(40) suffix: Checking for suffix after "@"
(40) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(40) suffix: No such realm "NULL"
(40)     [suffix] = noop
(40) eap: Peer sent EAP Response (code 2) ID 185 length 6
(40) eap: Continuing tunnel setup
(40)     [eap] = ok
(40)   } # authorize = ok
(40) Found Auth-Type = eap
(40) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(40)   authenticate {
(40) eap: Expiring EAP session with state 0x2a8581bd293c98df
(40) eap: Finished EAP session with state 0x2a8581bd293c98df
(40) eap: Previous EAP request found for state 0x2a8581bd293c98df, released from the list
(40) eap: Peer sent packet with method EAP PEAP (25)
(40) eap: Calling submodule eap_peap to process data
(40) eap_peap: Continuing EAP-TLS
(40) eap_peap: Peer ACKed our handshake fragment.  handshake is finished
(40) eap_peap: [eaptls verify] = success
(40) eap_peap: [eaptls process] = success
(40) eap_peap: Session established.  Decoding tunneled attributes
(40) eap_peap: PEAP state TUNNEL ESTABLISHED
(40) eap: Sending EAP Request (code 1) ID 186 length 75
(40) eap: EAP session adding &reply:State = 0x2a8581bd2e3f98df
(40)     [eap] = handled
(40)   } # authenticate = handled
(40) Using Post-Auth-Type Challenge
(40) Post-Auth-Type sub-section not found.  Ignoring.
(40) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(40) Sent Access-Challenge Id 212 from 192.168.1.33:1812 to 192.168.1.38:55602 length 0
(40)   EAP-Message = 0x01ba004b1900170303004050c7ff5a029d65ebb5f58ad75a43ea64eac1cd728a20be159fe3b332033e212a25fff20cf216db3542a33712cec541299cc1be4e818a681e6170a7ef0f0b36fd
(40)   Message-Authenticator = 0x00000000000000000000000000000000
(40)   State = 0x2a8581bd2e3f98df1e814808369ac970
(40) Finished request
Waking up in 4.7 seconds.
(41) Received Access-Request Id 213 from 192.168.1.38:55602 to 192.168.1.33:1812 length 253
(41)   User-Name = "anonymous"
(41)   NAS-IP-Address = 192.168.1.38
(41)   NAS-Identifier = "b4fbe4c348ab"
(41)   NAS-Port = 0
(41)   Called-Station-Id = "B4-FB-E4-C4-48-AB:Armorwpa2"
(41)   Calling-Station-Id = "E0-4F-43-36-B1-F1"
(41)   Framed-MTU = 1400
(41)   NAS-Port-Type = Wireless-802.11
(41)   Connect-Info = "CONNECT 0Mbps 802.11b"
(41)   EAP-Message = 0x02ba004b190017030300400afc0335cdebda0b8aedef718917f7a9266c20e51e93d29843d1d72b4692f912508ecd700311673ed582be464091945f62ecef71c226614b11d7520ed1411b3e
(41)   State = 0x2a8581bd2e3f98df1e814808369ac970
(41)   Message-Authenticator = 0x9fb73be30fe0f94516f4b1eb6ca07baf
(41) session-state: No cached attributes
(41) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(41)   authorize {
(41)     policy filter_username {
(41)       if (&User-Name) {
(41)       if (&User-Name)  -> TRUE
(41)       if (&User-Name)  {
(41)         if (&User-Name =~ / /) {
(41)         if (&User-Name =~ / /)  -> FALSE
(41)         if (&User-Name =~ /@[^@]*@/ ) {
(41)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(41)         if (&User-Name =~ /\.\./ ) {
(41)         if (&User-Name =~ /\.\./ )  -> FALSE
(41)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(41)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(41)         if (&User-Name =~ /\.$/)  {
(41)         if (&User-Name =~ /\.$/)   -> FALSE
(41)         if (&User-Name =~ /@\./)  {
(41)         if (&User-Name =~ /@\./)   -> FALSE
(41)       } # if (&User-Name)  = notfound
(41)     } # policy filter_username = notfound
(41)     [preprocess] = ok
(41)     [chap] = noop
(41)     [mschap] = noop
(41)     [digest] = noop
(41) suffix: Checking for suffix after "@"
(41) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(41) suffix: No such realm "NULL"
(41)     [suffix] = noop
(41) eap: Peer sent EAP Response (code 2) ID 186 length 75
(41) eap: Continuing tunnel setup
(41)     [eap] = ok
(41)   } # authorize = ok
(41) Found Auth-Type = eap
(41) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(41)   authenticate {
(41) eap: Expiring EAP session with state 0x2a8581bd2e3f98df
(41) eap: Finished EAP session with state 0x2a8581bd2e3f98df
(41) eap: Previous EAP request found for state 0x2a8581bd2e3f98df, released from the list
(41) eap: Peer sent packet with method EAP PEAP (25)
(41) eap: Calling submodule eap_peap to process data
(41) eap_peap: Continuing EAP-TLS
(41) eap_peap: [eaptls verify] = ok
(41) eap_peap: Done initial handshake
(41) eap_peap: [eaptls process] = ok
(41) eap_peap: Session established.  Decoding tunneled attributes
(41) eap_peap: PEAP state WAITING FOR INNER IDENTITY
(41) eap_peap: Identity - particle
(41) eap_peap: Got inner identity 'particle'
(41) eap_peap: Setting default EAP type for tunneled EAP session
(41) eap_peap: Got tunneled request
(41) eap_peap:   EAP-Message = 0x02ba000d017061727469636c65
(41) eap_peap: Setting User-Name to particle
(41) eap_peap: Sending tunneled request to inner-tunnel
(41) eap_peap:   EAP-Message = 0x02ba000d017061727469636c65
(41) eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1
(41) eap_peap:   User-Name = "particle"
(41) Virtual server inner-tunnel received request
(41)   EAP-Message = 0x02ba000d017061727469636c65
(41)   FreeRADIUS-Proxied-To = 127.0.0.1
(41)   User-Name = "particle"
(41) server inner-tunnel {
(41)   # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(41)     authorize {
(41)       policy filter_username {
(41)         if (&User-Name) {
(41)         if (&User-Name)  -> TRUE
(41)         if (&User-Name)  {
(41)           if (&User-Name =~ / /) {
(41)           if (&User-Name =~ / /)  -> FALSE
(41)           if (&User-Name =~ /@[^@]*@/ ) {
(41)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(41)           if (&User-Name =~ /\.\./ ) {
(41)           if (&User-Name =~ /\.\./ )  -> FALSE
(41)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(41)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(41)           if (&User-Name =~ /\.$/)  {
(41)           if (&User-Name =~ /\.$/)   -> FALSE
(41)           if (&User-Name =~ /@\./)  {
(41)           if (&User-Name =~ /@\./)   -> FALSE
(41)         } # if (&User-Name)  = notfound
(41)       } # policy filter_username = notfound
(41)       [chap] = noop
(41)       [mschap] = noop
(41) suffix: Checking for suffix after "@"
(41) suffix: No '@' in User-Name = "particle", looking up realm NULL
(41) suffix: No such realm "NULL"
(41)       [suffix] = noop
(41)       update control {
(41)         &Proxy-To-Realm := LOCAL
(41)       } # update control = noop
(41) eap: Peer sent EAP Response (code 2) ID 186 length 13
(41) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(41)       [eap] = ok
(41)     } # authorize = ok
(41)   Found Auth-Type = eap
(41)   # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(41)     authenticate {
(41) eap: Peer sent packet with method EAP Identity (1)
(41) eap: Calling submodule eap_mschapv2 to process data
(41) eap_mschapv2: Issuing Challenge
(41) eap: Sending EAP Request (code 1) ID 187 length 43
(41) eap: EAP session adding &reply:State = 0xc826a0d6c89dba78
(41)       [eap] = handled
(41)     } # authenticate = handled
(41) } # server inner-tunnel
(41) Virtual server sending reply
(41)   EAP-Message = 0x01bb002b1a01bb0026106f4ce167e77644b791c3f64990af9d0a667265657261646975732d332e302e3132
(41)   Message-Authenticator = 0x00000000000000000000000000000000
(41)   State = 0xc826a0d6c89dba78a72f2090812f4b12
(41) eap_peap: Got tunneled reply code 11
(41) eap_peap:   EAP-Message = 0x01bb002b1a01bb0026106f4ce167e77644b791c3f64990af9d0a667265657261646975732d332e302e3132
(41) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(41) eap_peap:   State = 0xc826a0d6c89dba78a72f2090812f4b12
(41) eap_peap: Got tunneled reply RADIUS code 11
(41) eap_peap:   EAP-Message = 0x01bb002b1a01bb0026106f4ce167e77644b791c3f64990af9d0a667265657261646975732d332e302e3132
(41) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(41) eap_peap:   State = 0xc826a0d6c89dba78a72f2090812f4b12
(41) eap_peap: Got tunneled Access-Challenge
(41) eap: Sending EAP Request (code 1) ID 187 length 107
(41) eap: EAP session adding &reply:State = 0x2a8581bd2f3e98df
(41)     [eap] = handled
(41)   } # authenticate = handled
(41) Using Post-Auth-Type Challenge
(41) Post-Auth-Type sub-section not found.  Ignoring.
(41) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(41) Sent Access-Challenge Id 213 from 192.168.1.33:1812 to 192.168.1.38:55602 length 0
(41)   EAP-Message = 0x01bb006b1900170303006079feffc6710fc43792c394a4889d930fe8c6c16d764af16d1d3976d6e621e36843745d0bffc55524283b9bd53ea806ced6df2dbbdde549e3e5cc38979d5cb49ad0da91db6f806722c0e8a4d302d8271e25e76be953888bdd43cae59c2735c288
(41)   Message-Authenticator = 0x00000000000000000000000000000000
(41)   State = 0x2a8581bd2f3e98df1e814808369ac970
(41) Finished request
Waking up in 4.7 seconds.
(42) Received Access-Request Id 214 from 192.168.1.38:55602 to 192.168.1.33:1812 length 301
(42)   User-Name = "anonymous"
(42)   NAS-IP-Address = 192.168.1.38
(42)   NAS-Identifier = "b4fbe4c348ab"
(42)   NAS-Port = 0
(42)   Called-Station-Id = "B4-FB-E4-C4-48-AB:Armorwpa2"
(42)   Calling-Station-Id = "E0-4F-43-36-B1-F1"
(42)   Framed-MTU = 1400
(42)   NAS-Port-Type = Wireless-802.11
(42)   Connect-Info = "CONNECT 0Mbps 802.11b"
(42)   EAP-Message = 0x02bb007b190017030300700afc0335cdebda0b8aedef718917f7a9c3609e53fed2947c5461a170ad04e646ead20718e53d64b3e64bfa32cbc4920565fd84e50ee59a599ef81f5b234f495ceb2429aed13228f79886d1231139863a94e38688d4bf00844977159f1ab54839398774564992f36bdca50f16
(42)   State = 0x2a8581bd2f3e98df1e814808369ac970
(42)   Message-Authenticator = 0x03cd878b5c6e2070f2fe065228980db3
(42) session-state: No cached attributes
(42) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(42)   authorize {
(42)     policy filter_username {
(42)       if (&User-Name) {
(42)       if (&User-Name)  -> TRUE
(42)       if (&User-Name)  {
(42)         if (&User-Name =~ / /) {
(42)         if (&User-Name =~ / /)  -> FALSE
(42)         if (&User-Name =~ /@[^@]*@/ ) {
(42)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(42)         if (&User-Name =~ /\.\./ ) {
(42)         if (&User-Name =~ /\.\./ )  -> FALSE
(42)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(42)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(42)         if (&User-Name =~ /\.$/)  {
(42)         if (&User-Name =~ /\.$/)   -> FALSE
(42)         if (&User-Name =~ /@\./)  {
(42)         if (&User-Name =~ /@\./)   -> FALSE
(42)       } # if (&User-Name)  = notfound
(42)     } # policy filter_username = notfound
(42)     [preprocess] = ok
(42)     [chap] = noop
(42)     [mschap] = noop
(42)     [digest] = noop
(42) suffix: Checking for suffix after "@"
(42) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(42) suffix: No such realm "NULL"
(42)     [suffix] = noop
(42) eap: Peer sent EAP Response (code 2) ID 187 length 123
(42) eap: Continuing tunnel setup
(42)     [eap] = ok
(42)   } # authorize = ok
(42) Found Auth-Type = eap
(42) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(42)   authenticate {
(42) eap: Expiring EAP session with state 0xc826a0d6c89dba78
(42) eap: Finished EAP session with state 0x2a8581bd2f3e98df
(42) eap: Previous EAP request found for state 0x2a8581bd2f3e98df, released from the list
(42) eap: Peer sent packet with method EAP PEAP (25)
(42) eap: Calling submodule eap_peap to process data
(42) eap_peap: Continuing EAP-TLS
(42) eap_peap: [eaptls verify] = ok
(42) eap_peap: Done initial handshake
(42) eap_peap: [eaptls process] = ok
(42) eap_peap: Session established.  Decoding tunneled attributes
(42) eap_peap: PEAP state phase2
(42) eap_peap: EAP method MSCHAPv2 (26)
(42) eap_peap: Got tunneled request
(42) eap_peap:   EAP-Message = 0x02bb00431a02bb003e312f2fa421ed073e5f4e6ffa2ac0392cf50000000000000000fd328695c49903d233c34dacdd44570b0aa2ef23d5078df9007061727469636c65
(42) eap_peap: Setting User-Name to particle
(42) eap_peap: Sending tunneled request to inner-tunnel
(42) eap_peap:   EAP-Message = 0x02bb00431a02bb003e312f2fa421ed073e5f4e6ffa2ac0392cf50000000000000000fd328695c49903d233c34dacdd44570b0aa2ef23d5078df9007061727469636c65
(42) eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1
(42) eap_peap:   User-Name = "particle"
(42) eap_peap:   State = 0xc826a0d6c89dba78a72f2090812f4b12
(42) Virtual server inner-tunnel received request
(42)   EAP-Message = 0x02bb00431a02bb003e312f2fa421ed073e5f4e6ffa2ac0392cf50000000000000000fd328695c49903d233c34dacdd44570b0aa2ef23d5078df9007061727469636c65
(42)   FreeRADIUS-Proxied-To = 127.0.0.1
(42)   User-Name = "particle"
(42)   State = 0xc826a0d6c89dba78a72f2090812f4b12
(42) server inner-tunnel {
(42)   session-state: No cached attributes
(42)   # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(42)     authorize {
(42)       policy filter_username {
(42)         if (&User-Name) {
(42)         if (&User-Name)  -> TRUE
(42)         if (&User-Name)  {
(42)           if (&User-Name =~ / /) {
(42)           if (&User-Name =~ / /)  -> FALSE
(42)           if (&User-Name =~ /@[^@]*@/ ) {
(42)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(42)           if (&User-Name =~ /\.\./ ) {
(42)           if (&User-Name =~ /\.\./ )  -> FALSE
(42)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(42)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(42)           if (&User-Name =~ /\.$/)  {
(42)           if (&User-Name =~ /\.$/)   -> FALSE
(42)           if (&User-Name =~ /@\./)  {
(42)           if (&User-Name =~ /@\./)   -> FALSE
(42)         } # if (&User-Name)  = notfound
(42)       } # policy filter_username = notfound
(42)       [chap] = noop
(42)       [mschap] = noop
(42) suffix: Checking for suffix after "@"
(42) suffix: No '@' in User-Name = "particle", looking up realm NULL
(42) suffix: No such realm "NULL"
(42)       [suffix] = noop
(42)       update control {
(42)         &Proxy-To-Realm := LOCAL
(42)       } # update control = noop
(42) eap: Peer sent EAP Response (code 2) ID 187 length 67
(42) eap: No EAP Start, assuming it's an on-going EAP conversation
(42)       [eap] = updated
(42) files: users: Matched entry particle at line 1
(42)       [files] = ok
(42)       [expiration] = noop
(42)       [logintime] = noop
(42) pap: WARNING: Auth-Type already set.  Not setting to PAP
(42)       [pap] = noop
(42)     } # authorize = updated
(42)   Found Auth-Type = eap
(42)   # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(42)     authenticate {
(42) eap: Expiring EAP session with state 0xc826a0d6c89dba78
(42) eap: Finished EAP session with state 0xc826a0d6c89dba78
(42) eap: Previous EAP request found for state 0xc826a0d6c89dba78, released from the list
(42) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(42) eap: Calling submodule eap_mschapv2 to process data
(42) eap_mschapv2: # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(42) eap_mschapv2:   authenticate {
(42) mschap: Found Cleartext-Password, hashing to create NT-Password
(42) mschap: Found Cleartext-Password, hashing to create LM-Password
(42) mschap: Creating challenge hash with username: particle
(42) mschap: Client is using MS-CHAPv2
(42) mschap: Adding MS-CHAPv2 MPPE keys
(42)     [mschap] = ok
(42)   } # authenticate = ok
(42) MSCHAP Success
(42) eap: Sending EAP Request (code 1) ID 188 length 51
(42) eap: EAP session adding &reply:State = 0xc826a0d6c99aba78
(42)       [eap] = handled
(42)     } # authenticate = handled
(42) } # server inner-tunnel
(42) Virtual server sending reply
(42)   EAP-Message = 0x01bc00331a03bb002e533d46394438374233353045373638353639363642334230453831344530314234394638393739463836
(42)   Message-Authenticator = 0x00000000000000000000000000000000
(42)   State = 0xc826a0d6c99aba78a72f2090812f4b12
(42) eap_peap: Got tunneled reply code 11
(42) eap_peap:   EAP-Message = 0x01bc00331a03bb002e533d46394438374233353045373638353639363642334230453831344530314234394638393739463836
(42) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(42) eap_peap:   State = 0xc826a0d6c99aba78a72f2090812f4b12
(42) eap_peap: Got tunneled reply RADIUS code 11
(42) eap_peap:   EAP-Message = 0x01bc00331a03bb002e533d46394438374233353045373638353639363642334230453831344530314234394638393739463836
(42) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(42) eap_peap:   State = 0xc826a0d6c99aba78a72f2090812f4b12
(42) eap_peap: Got tunneled Access-Challenge
(42) eap: Sending EAP Request (code 1) ID 188 length 107
(42) eap: EAP session adding &reply:State = 0x2a8581bd2c3998df
(42)     [eap] = handled
(42)   } # authenticate = handled
(42) Using Post-Auth-Type Challenge
(42) Post-Auth-Type sub-section not found.  Ignoring.
(42) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(42) Sent Access-Challenge Id 214 from 192.168.1.33:1812 to 192.168.1.38:55602 length 0
(42)   EAP-Message = 0x01bc006b19001703030060b9f4e0a42efec0bee4d249cc360bda244ef5eb4368b4b4f327f7a7f7576312b11aae4a061cc97e76ec3e4c0e9082190d0bc9a581a909759c1c2baf22bb29c97fc63d71bd9b875c4bddb657eaa082997f34f48f5fce577bf5132ae26e47af86da
(42)   Message-Authenticator = 0x00000000000000000000000000000000
(42)   State = 0x2a8581bd2c3998df1e814808369ac970
(42) Finished request
Waking up in 4.7 seconds.
(43) Received Access-Request Id 215 from 192.168.1.38:55602 to 192.168.1.33:1812 length 253
(43)   User-Name = "anonymous"
(43)   NAS-IP-Address = 192.168.1.38
(43)   NAS-Identifier = "b4fbe4c348ab"
(43)   NAS-Port = 0
(43)   Called-Station-Id = "B4-FB-E4-C4-48-AB:Armorwpa2"
(43)   Calling-Station-Id = "E0-4F-43-36-B1-F1"
(43)   Framed-MTU = 1400
(43)   NAS-Port-Type = Wireless-802.11
(43)   Connect-Info = "CONNECT 0Mbps 802.11b"
(43)   EAP-Message = 0x02bc004b190017030300400afc0335cdebda0b8aedef718917f7a9b9754affb9dde8383a0f060aa61ccd734c8dbe21fb029818558ea1f8df0577fb7e74b2b1209df846f6fc5555f5161caf
(43)   State = 0x2a8581bd2c3998df1e814808369ac970
(43)   Message-Authenticator = 0xbf55ee3fc671fa161a966a884ed075db
(43) session-state: No cached attributes
(43) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(43)   authorize {
(43)     policy filter_username {
(43)       if (&User-Name) {
(43)       if (&User-Name)  -> TRUE
(43)       if (&User-Name)  {
(43)         if (&User-Name =~ / /) {
(43)         if (&User-Name =~ / /)  -> FALSE
(43)         if (&User-Name =~ /@[^@]*@/ ) {
(43)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(43)         if (&User-Name =~ /\.\./ ) {
(43)         if (&User-Name =~ /\.\./ )  -> FALSE
(43)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(43)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(43)         if (&User-Name =~ /\.$/)  {
(43)         if (&User-Name =~ /\.$/)   -> FALSE
(43)         if (&User-Name =~ /@\./)  {
(43)         if (&User-Name =~ /@\./)   -> FALSE
(43)       } # if (&User-Name)  = notfound
(43)     } # policy filter_username = notfound
(43)     [preprocess] = ok
(43)     [chap] = noop
(43)     [mschap] = noop
(43)     [digest] = noop
(43) suffix: Checking for suffix after "@"
(43) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(43) suffix: No such realm "NULL"
(43)     [suffix] = noop
(43) eap: Peer sent EAP Response (code 2) ID 188 length 75
(43) eap: Continuing tunnel setup
(43)     [eap] = ok
(43)   } # authorize = ok
(43) Found Auth-Type = eap
(43) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(43)   authenticate {
(43) eap: Expiring EAP session with state 0xc826a0d6c99aba78
(43) eap: Finished EAP session with state 0x2a8581bd2c3998df
(43) eap: Previous EAP request found for state 0x2a8581bd2c3998df, released from the list
(43) eap: Peer sent packet with method EAP PEAP (25)
(43) eap: Calling submodule eap_peap to process data
(43) eap_peap: Continuing EAP-TLS
(43) eap_peap: [eaptls verify] = ok
(43) eap_peap: Done initial handshake
(43) eap_peap: [eaptls process] = ok
(43) eap_peap: Session established.  Decoding tunneled attributes
(43) eap_peap: PEAP state phase2
(43) eap_peap: EAP method MSCHAPv2 (26)
(43) eap_peap: Got tunneled request
(43) eap_peap:   EAP-Message = 0x02bc00061a03
(43) eap_peap: Setting User-Name to particle
(43) eap_peap: Sending tunneled request to inner-tunnel
(43) eap_peap:   EAP-Message = 0x02bc00061a03
(43) eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1
(43) eap_peap:   User-Name = "particle"
(43) eap_peap:   State = 0xc826a0d6c99aba78a72f2090812f4b12
(43) Virtual server inner-tunnel received request
(43)   EAP-Message = 0x02bc00061a03
(43)   FreeRADIUS-Proxied-To = 127.0.0.1
(43)   User-Name = "particle"
(43)   State = 0xc826a0d6c99aba78a72f2090812f4b12
(43) server inner-tunnel {
(43)   session-state: No cached attributes
(43)   # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(43)     authorize {
(43)       policy filter_username {
(43)         if (&User-Name) {
(43)         if (&User-Name)  -> TRUE
(43)         if (&User-Name)  {
(43)           if (&User-Name =~ / /) {
(43)           if (&User-Name =~ / /)  -> FALSE
(43)           if (&User-Name =~ /@[^@]*@/ ) {
(43)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(43)           if (&User-Name =~ /\.\./ ) {
(43)           if (&User-Name =~ /\.\./ )  -> FALSE
(43)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(43)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(43)           if (&User-Name =~ /\.$/)  {
(43)           if (&User-Name =~ /\.$/)   -> FALSE
(43)           if (&User-Name =~ /@\./)  {
(43)           if (&User-Name =~ /@\./)   -> FALSE
(43)         } # if (&User-Name)  = notfound
(43)       } # policy filter_username = notfound
(43)       [chap] = noop
(43)       [mschap] = noop
(43) suffix: Checking for suffix after "@"
(43) suffix: No '@' in User-Name = "particle", looking up realm NULL
(43) suffix: No such realm "NULL"
(43)       [suffix] = noop
(43)       update control {
(43)         &Proxy-To-Realm := LOCAL
(43)       } # update control = noop
(43) eap: Peer sent EAP Response (code 2) ID 188 length 6
(43) eap: No EAP Start, assuming it's an on-going EAP conversation
(43)       [eap] = updated
(43) files: users: Matched entry particle at line 1
(43)       [files] = ok
(43)       [expiration] = noop
(43)       [logintime] = noop
(43) pap: WARNING: Auth-Type already set.  Not setting to PAP
(43)       [pap] = noop
(43)     } # authorize = updated
(43)   Found Auth-Type = eap
(43)   # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(43)     authenticate {
(43) eap: Expiring EAP session with state 0xc826a0d6c99aba78
(43) eap: Finished EAP session with state 0xc826a0d6c99aba78
(43) eap: Previous EAP request found for state 0xc826a0d6c99aba78, released from the list
(43) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(43) eap: Calling submodule eap_mschapv2 to process data
(43) eap: Sending EAP Success (code 3) ID 188 length 4
(43) eap: Freeing handler
(43)       [eap] = ok
(43)     } # authenticate = ok
(43)   # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(43)     post-auth { ... } # empty sub-section is ignored
(43) } # server inner-tunnel
(43) Virtual server sending reply
(43)   MS-MPPE-Encryption-Policy = Encryption-Allowed
(43)   MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(43)   MS-MPPE-Send-Key = 0xa3fa08811509145500a1ebcdf3d7eb5d
(43)   MS-MPPE-Recv-Key = 0xc972a035aa182fad81e28936609efb98
(43)   EAP-Message = 0x03bc0004
(43)   Message-Authenticator = 0x00000000000000000000000000000000
(43)   User-Name = "particle"
(43) eap_peap: Got tunneled reply code 2
(43) eap_peap:   MS-MPPE-Encryption-Policy = Encryption-Allowed
(43) eap_peap:   MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(43) eap_peap:   MS-MPPE-Send-Key = 0xa3fa08811509145500a1ebcdf3d7eb5d
(43) eap_peap:   MS-MPPE-Recv-Key = 0xc972a035aa182fad81e28936609efb98
(43) eap_peap:   EAP-Message = 0x03bc0004
(43) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(43) eap_peap:   User-Name = "particle"
(43) eap_peap: Got tunneled reply RADIUS code 2
(43) eap_peap:   MS-MPPE-Encryption-Policy = Encryption-Allowed
(43) eap_peap:   MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(43) eap_peap:   MS-MPPE-Send-Key = 0xa3fa08811509145500a1ebcdf3d7eb5d
(43) eap_peap:   MS-MPPE-Recv-Key = 0xc972a035aa182fad81e28936609efb98
(43) eap_peap:   EAP-Message = 0x03bc0004
(43) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(43) eap_peap:   User-Name = "particle"
(43) eap_peap: Tunneled authentication was successful
(43) eap_peap: SUCCESS
(43) eap: Sending EAP Request (code 1) ID 189 length 75
(43) eap: EAP session adding &reply:State = 0x2a8581bd2d3898df
(43)     [eap] = handled
(43)   } # authenticate = handled
(43) Using Post-Auth-Type Challenge
(43) Post-Auth-Type sub-section not found.  Ignoring.
(43) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(43) Sent Access-Challenge Id 215 from 192.168.1.33:1812 to 192.168.1.38:55602 length 0
(43)   EAP-Message = 0x01bd004b19001703030040b9bfa8da3c157aefbb79072add6550d5c358cb82d3e35524a00affd2bac853f94e6bab78f4d1ff4a9a67f2887ef428052762834010a626cdf516ba109ff8dd11
(43)   Message-Authenticator = 0x00000000000000000000000000000000
(43)   State = 0x2a8581bd2d3898df1e814808369ac970
(43) Finished request


William Steen
wjsteen at talktalk.net
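
The debug output above ends request 43 with `Sent Access-Challenge`, even though `eap_peap: SUCCESS` appears inside it. The following is an added example, not part of the original post and not FreeRADIUS code: it groups a trace by request number and reports the last RADIUS packet type the server sent, so a conversation still in the challenge state can be told apart from one that reached Access-Accept. `SAMPLE_LOG` is constructed in the shape of the output on this page, and all function names are hypothetical.

```python
import re

# Constructed sample in the shape of the `freeradius -X` output on this page
# (abridged; the lengths and the first Received line are made up).
SAMPLE_LOG = """\
(42) Received Access-Request Id 214 from 192.168.1.38:55602 to 192.168.1.33:1812 length 300
(42)   User-Name = "anonymous"
(42) MSCHAP Success
(42) eap: Sending EAP Request (code 1) ID 188 length 107
(42) Sent Access-Challenge Id 214 from 192.168.1.33:1812 to 192.168.1.38:55602 length 0
(42) Finished request
Waking up in 4.7 seconds.
(43) Received Access-Request Id 215 from 192.168.1.38:55602 to 192.168.1.33:1812 length 253
(43)   User-Name = "anonymous"
(43) eap: Sending EAP Success (code 3) ID 188 length 4
(43) eap_peap: SUCCESS
(43) eap: Sending EAP Request (code 1) ID 189 length 75
(43) Sent Access-Challenge Id 215 from 192.168.1.33:1812 to 192.168.1.38:55602 length 0
(43) Finished request
"""

# "(N) rest-of-line", optionally behind mail-quote markers ("> ").
LINE_RE = re.compile(r'^(?:>\s?)*\((\d+)\)\s+(.*)$')
RECV_RE = re.compile(r'^Received ([\w-]+) Id (\d+)')
SENT_RE = re.compile(r'^Sent ([\w-]+) Id (\d+)')
EAP_RE = re.compile(r'^eap: Sending EAP (\w+) \(code (\d+)\)')
USER_RE = re.compile(r'^User-Name = "([^"]*)"')

# Strings that appear in the output or text of this page.
MARKERS = ("MSCHAP Success", "eap_peap: SUCCESS",
           "MS-CHAP2-Response is incorrect")

STATE_BY_PACKET = {
    "Access-Accept": "accepted",
    "Access-Reject": "rejected",
    "Access-Challenge": "challenge-pending",
}


def parse_requests(text):
    """Group debug lines by request number and pull out the key events."""
    requests = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # e.g. "Waking up in 4.7 seconds."
        num, rest = int(m.group(1)), m.group(2).strip()
        req = requests.setdefault(num, {
            "received": None, "sent": None, "user": None,
            "last_eap": None, "markers": [],
        })
        if (r := RECV_RE.match(rest)):
            req["received"] = r.group(1)
        elif (s := SENT_RE.match(rest)):
            req["sent"] = s.group(1)          # last one wins
        elif (e := EAP_RE.match(rest)):
            # Inner-tunnel and outer EAP both log here; the final entry
            # is the outer EAP packet that goes back to the NAS.
            req["last_eap"] = (e.group(1), int(e.group(2)))
        elif (u := USER_RE.match(rest)) and req["user"] is None:
            req["user"] = u.group(1)          # first one is the outer identity
        for marker in MARKERS:
            if marker in rest:
                req["markers"].append(marker)
    return requests


def final_state(requests):
    """State of the conversation after the highest-numbered request."""
    if not requests:
        return "no-requests"
    last = requests[max(requests)]
    return STATE_BY_PACKET.get(last["sent"], "no-reply")


def summarize(requests):
    """One line per request, suitable for printing."""
    lines = []
    for num in sorted(requests):
        r = requests[num]
        lines.append("(%d) user=%s sent=%s last_eap=%s markers=%s" % (
            num, r["user"], r["sent"], r["last_eap"], r["markers"]))
    return lines


if __name__ == "__main__":
    parsed = parse_requests(SAMPLE_LOG)
    print("\n".join(summarize(parsed)))
    print("final state:", final_state(parsed))
```
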


> On 20 May 2019, at 09:45, william steen via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> 
> First time using freeradius, attempting to set up a freeradius server on an RPi to create a testing environment for WPA2 Enterprise use on an IoT device. Any help to understand where I am going wrong gratefully received.
> 
> Included below is the debug output on startup and when attempting to connect using PEAP-MSCHAPv2 with just username and password (no certificate). The startup contains a few warnings which I assume are not material. The login debug has an error "MS-CHAP2-Response is incorrect" which comes after a "WARNING: Auth-Type already set.  Not setting to PAP"?
> 
> FreeRADIUS Version 3.0.12
> 
> [/etc/freeradius/3.0/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay"               found in filter list for realm "DEFAULT". 
> [/etc/freeradius/3.0/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec"   found in filter list for realm "DEFAULT". 
> 
> Ready to process requests
> 
> Below is the debug output when trying to connect to the WAP.
> 
> (0) Received Access-Request Id 37 from 192.168.1.38:52437 to 192.168.1.33:1812 length 172
> (0)   User-Name = "particle"
> (0)   NAS-IP-Address = 192.168.1.38
> (0)   NAS-Identifier = "b4fbe4c348ab"
> (0)   NAS-Port = 0
> (0)   Called-Station-Id = "B4-FB-E4-C4-48-AB:Armorwpa2"
> (0)   Calling-Station-Id = "E0-4F-43-36-B1-F1"
> (0)   Framed-MTU = 1400
> (0)   NAS-Port-Type = Wireless-802.11
> (0)   Connect-Info = "CONNECT 0Mbps 802.11b"
> (0)   EAP-Message = 0x0205000d017061727469636c65
> (0)   Message-Authenticator = 0x3d7c5462881eb85ae3c3e8b1e7f2dcd8
> (0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
> (0)   authorize {
> (0)     policy filter_username {
> (0)       if (&User-Name) {
> (0)       if (&User-Name)  -> TRUE
> (0)       if (&User-Name)  {
> (0)         if (&User-Name =~ / /) {
> (0)         if (&User-Name =~ / /)  -> FALSE
> (0)         if (&User-Name =~ /@[^@]*@/ ) {
> (0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
> (0)         if (&User-Name =~ /\.\./ ) {
> (0)         if (&User-Name =~ /\.\./ )  -> FALSE
> (0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
> (0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
> (0)         if (&User-Name =~ /\.$/)  {
> (0)         if (&User-Name =~ /\.$/)   -> FALSE
> (0)         if (&User-Name =~ /@\./)  {
> (0)         if (&User-Name =~ /@\./)   -> FALSE
> (0)       } # if (&User-Name)  = notfound
> (0)     } # policy filter_username = notfound
> (0)     [preprocess] = ok
> (0)     [chap] = noop
> (0)     [mschap] = noop
> (0)     [digest] = noop
> (0) suffix: Checking for suffix after "@"
> (0) suffix: No '@' in User-Name = "particle", looking up realm NULL
> (0) suffix: No such realm "NULL"
> (0)     [suffix] = noop
> (0) eap: Peer sent EAP Response (code 2) ID 5 length 13
> (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
> (0)     [eap] = ok
> (0)   } # authorize = ok
> (0) Found Auth-Type = eap
> (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (0)   authenticate {
> (0) eap: Peer sent packet with method EAP Identity (1)
> (0) eap: Calling submodule eap_md5 to process data
> (0) eap_md5: Issuing MD5 Challenge
> (0) eap: Sending EAP Request (code 1) ID 6 length 22
> (0) eap: EAP session adding &reply:State = 0x792e584479285c88
> (0)     [eap] = handled
> (0)   } # authenticate = handled
> (0) Using Post-Auth-Type Challenge
> (0) Post-Auth-Type sub-section not found.  Ignoring.
> (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (0) Sent Access-Challenge Id 37 from 192.168.1.33:1812 to 192.168.1.38:52437 length 0
> (0)   EAP-Message = 0x0106001604101e0a216dfaac8434a1e13f61d8e18c5f
> (0)   Message-Authenticator = 0x00000000000000000000000000000000
> (0)   State = 0x792e584479285c88d729d5f4b5ba04a4
> (0) Finished request
> Waking up in 4.9 seconds.
> (1) Received Access-Request Id 38 from 192.168.1.38:52437 to 192.168.1.33:1812 length 183
> (1)   User-Name = "particle"
> (1)   NAS-IP-Address = 192.168.1.38
> (1)   NAS-Identifier = "b4fbe4c348ab"
> (1)   NAS-Port = 0
> (1)   Called-Station-Id = "B4-FB-E4-C4-48-AB:Armorwpa2"
> (1)   Calling-Station-Id = "E0-4F-43-36-B1-F1"
> (1)   Framed-MTU = 1400
> (1)   NAS-Port-Type = Wireless-802.11
> (1)   Connect-Info = "CONNECT 0Mbps 802.11b"
> (1)   EAP-Message = 0x020600060319
> (1)   State = 0x792e584479285c88d729d5f4b5ba04a4
> (1)   Message-Authenticator = 0x81a3bc304acaf36767e74474836e1265
> (1) session-state: No cached attributes
> (1) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
> (1)   authorize {
> (1)     policy filter_username {
> (1)       if (&User-Name) {
> (1)       if (&User-Name)  -> TRUE
> (1)       if (&User-Name)  {
> (1)         if (&User-Name =~ / /) {
> (1)         if (&User-Name =~ / /)  -> FALSE
> (1)         if (&User-Name =~ /@[^@]*@/ ) {
> (1)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
> (1)         if (&User-Name =~ /\.\./ ) {
> (1)         if (&User-Name =~ /\.\./ )  -> FALSE
> (1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
> (1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
> (1)         if (&User-Name =~ /\.$/)  {
> (1)         if (&User-Name =~ /\.$/)   -> FALSE
> (1)         if (&User-Name =~ /@\./)  {
> (1)         if (&User-Name =~ /@\./)   -> FALSE
> (1)       } # if (&User-Name)  = notfound
> (1)     } # policy filter_username = notfound
> (1)     [preprocess] = ok
> (1)     [chap] = noop
> (1)     [mschap] = noop
> (1)     [digest] = noop
> (1) suffix: Checking for suffix after "@"
> (1) suffix: No '@' in User-Name = "particle", looking up realm NULL
> (1) suffix: No such realm "NULL"
> (1)     [suffix] = noop
> (1) eap: Peer sent EAP Response (code 2) ID 6 length 6
> (1) eap: No EAP Start, assuming it's an on-going EAP conversation
> (1)     [eap] = updated
> (1) files: users: Matched entry particle at line 1
> (1)     [files] = ok
> (1)     [expiration] = noop
> (1)     [logintime] = noop
> (1) pap: WARNING: Auth-Type already set.  Not setting to PAP
> (1)     [pap] = noop
> (1)   } # authorize = updated
> (1) Found Auth-Type = eap
> (1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (1)   authenticate {
> (1) eap: Expiring EAP session with state 0x792e584479285c88
> (1) eap: Finished EAP session with state 0x792e584479285c88
> (1) eap: Previous EAP request found for state 0x792e584479285c88, released from the list
> (1) eap: Peer sent packet with method EAP NAK (3)
> (1) eap: Found mutually acceptable type PEAP (25)
> (1) eap: Calling submodule eap_peap to process data
> (1) eap_peap: Initiating new EAP-TLS session
> (1) eap_peap: [eaptls start] = request
> (1) eap: Sending EAP Request (code 1) ID 7 length 6
> (1) eap: EAP session adding &reply:State = 0x792e584478294188
> (1)     [eap] = handled
> (1)   } # authenticate = handled
> (1) Using Post-Auth-Type Challenge
> (1) Post-Auth-Type sub-section not found.  Ignoring.
> (1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (1) Sent Access-Challenge Id 38 from 192.168.1.33:1812 to 192.168.1.38:52437 length 0
> (1)   EAP-Message = 0x010700061920
> (1)   Message-Authenticator = 0x00000000000000000000000000000000
> (1)   State = 0x792e584478294188d729d5f4b5ba04a4
> (1) Finished request
> Waking up in 4.9 seconds.
> (2) Received Access-Request Id 39 from 192.168.1.38:52437 to 192.168.1.33:1812 length 273
> (2)   User-Name = "particle"
> (2)   NAS-IP-Address = 192.168.1.38
> (2)   NAS-Identifier = "b4fbe4c348ab"
> (2)   NAS-Port = 0
> (2)   Called-Station-Id = "B4-FB-E4-C4-48-AB:Armorwpa2"
> (2)   Calling-Station-Id = "E0-4F-43-36-B1-F1"
> (2)   Framed-MTU = 1400
> (2)   NAS-Port-Type = Wireless-802.11
> (2)   Connect-Info = "CONNECT 0Mbps 802.11b"
> (2)   EAP-Message = 0x0207006019800000005616030300510100004d030300000013d1a5ed06c133a6582eb8f8b59713a271b38c51af54d5ef2e0cc8b6d6000004003c002f01000020000a000400020017000b00020100000d000e000c020102030301030304010403
> (2)   State = 0x792e584478294188d729d5f4b5ba04a4
> (2)   Message-Authenticator = 0xbf54c5bcfb0c4aae623b313a7cec24bf
> (2) session-state: No cached attributes
> (2) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
> (2)   authorize {
> (2)     policy filter_username {
> (2)       if (&User-Name) {
> (2)       if (&User-Name)  -> TRUE
> (2)       if (&User-Name)  {
> (2)         if (&User-Name =~ / /) {
> (2)         if (&User-Name =~ / /)  -> FALSE
> (2)         if (&User-Name =~ /@[^@]*@/ ) {
> (2)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
> (2)         if (&User-Name =~ /\.\./ ) {
> (2)         if (&User-Name =~ /\.\./ )  -> FALSE
> (2)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
> (2)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
> (2)         if (&User-Name =~ /\.$/)  {
> (2)         if (&User-Name =~ /\.$/)   -> FALSE
> (2)         if (&User-Name =~ /@\./)  {
> (2)         if (&User-Name =~ /@\./)   -> FALSE
> (2)       } # if (&User-Name)  = notfound
> (2)     } # policy filter_username = notfound
> (2)     [preprocess] = ok
> (2)     [chap] = noop
> (2)     [mschap] = noop
> (2)     [digest] = noop
> (2) suffix: Checking for suffix after "@"
> (2) suffix: No '@' in User-Name = "particle", looking up realm NULL
> (2) suffix: No such realm "NULL"
> (2)     [suffix] = noop
> (2) eap: Peer sent EAP Response (code 2) ID 7 length 96
> (2) eap: Continuing tunnel setup
> (2)     [eap] = ok
> (2)   } # authorize = ok
> (2) Found Auth-Type = eap
> (2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (2)   authenticate {
> (2) eap: Expiring EAP session with state 0x792e584478294188
> (2) eap: Finished EAP session with state 0x792e584478294188
> (2) eap: Previous EAP request found for state 0x792e584478294188, released from the list
> (2) eap: Peer sent packet with method EAP PEAP (25)
> (2) eap: Calling submodule eap_peap to process data
> (2) eap_peap: Continuing EAP-TLS
> (2) eap_peap: Peer indicated complete TLS record size will be 86 bytes
> (2) eap_peap: Got complete TLS record (86 bytes)
> (2) eap_peap: [eaptls verify] = length included
> (2) eap_peap: (other): before SSL initialization
> (2) eap_peap: TLS_accept: before SSL initialization
> (2) eap_peap: TLS_accept: before SSL initialization
> (2) eap_peap: <<< recv TLS 1.2  [length 0051] 
> (2) eap_peap: TLS_accept: SSLv3/TLS read client hello
> (2) eap_peap: >>> send TLS 1.2  [length 002a] 
> (2) eap_peap: TLS_accept: SSLv3/TLS write server hello
> (2) eap_peap: >>> send TLS 1.2  [length 02f1] 
> (2) eap_peap: TLS_accept: SSLv3/TLS write certificate
> (2) eap_peap: >>> send TLS 1.2  [length 0004] 
> (2) eap_peap: TLS_accept: SSLv3/TLS write server done
> (2) eap_peap: TLS_accept: Need to read more data: SSLv3/TLS write server done
> (2) eap_peap: In SSL Handshake Phase
> (2) eap_peap: In SSL Accept mode
> (2) eap_peap: [eaptls process] = handled
> (2) eap: Sending EAP Request (code 1) ID 8 length 820
> (2) eap: EAP session adding &reply:State = 0x792e58447b264188
> (2)     [eap] = handled
> (2)   } # authenticate = handled
> (2) Using Post-Auth-Type Challenge
> (2) Post-Auth-Type sub-section not found.  Ignoring.
> (2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (2) Sent Access-Challenge Id 39 from 192.168.1.33:1812 to 192.168.1.38:52437 length 0
> (2)   EAP-Message = 0x010803341900160303002a0200002603035010c628e6c3e571ecdfcb7ed14e02f944e131af1f1483cff17b618c02935b4200003c0016030302f10b0002ed0002ea0002e7308202e3308201cba003020102020900a170e33eaa8a04e7300d06092a864886f70d01010b0500301b3119301706035504030c
> (2)   Message-Authenticator = 0x00000000000000000000000000000000
> (2)   State = 0x792e58447b264188d729d5f4b5ba04a4
> (2) Finished request
> Waking up in 4.9 seconds.
> (3) Received Access-Request Id 40 from 192.168.1.38:52437 to 192.168.1.33:1812 length 547
> (3)   User-Name = "particle"
> (3)   NAS-IP-Address = 192.168.1.38
> (3)   NAS-Identifier = "b4fbe4c348ab"
> (3)   NAS-Port = 0
> (3)   Called-Station-Id = "B4-FB-E4-C4-48-AB:Armorwpa2"
> (3)   Calling-Station-Id = "E0-4F-43-36-B1-F1"
> (3)   Framed-MTU = 1400
> (3)   NAS-Port-Type = Wireless-802.11
> (3)   Connect-Info = "CONNECT 0Mbps 802.11b"
> (3)   EAP-Message = 0x02080170198000000166160303010610000102010070ac8a7222a41f5fab40c2a114f343932b699e7629ee25a0ef96616b1582f4e105812e9efb79e3696823f69a931188eeb04bd2f4d9b67869db2d585364c2515a1d44414cc41bc6d87ba8df2ad36e6ba1e57e10fbeb14fc76837d57b50d95a780dc67
> (3)   State = 0x792e58447b264188d729d5f4b5ba04a4
> (3)   Message-Authenticator = 0xe80722a96c83d29962b7c6216f7a1b24
> (3) session-state: No cached attributes
> (3) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
> (3)   authorize {
> (3)     policy filter_username {
> (3)       if (&User-Name) {
> (3)       if (&User-Name)  -> TRUE
> (3)       if (&User-Name)  {
> (3)         if (&User-Name =~ / /) {
> (3)         if (&User-Name =~ / /)  -> FALSE
> (3)         if (&User-Name =~ /@[^@]*@/ ) {
> (3)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
> (3)         if (&User-Name =~ /\.\./ ) {
> (3)         if (&User-Name =~ /\.\./ )  -> FALSE
> (3)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
> (3)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
> (3)         if (&User-Name =~ /\.$/)  {
> (3)         if (&User-Name =~ /\.$/)   -> FALSE
> (3)         if (&User-Name =~ /@\./)  {
> (3)         if (&User-Name =~ /@\./)   -> FALSE
> (3)       } # if (&User-Name)  = notfound
> (3)     } # policy filter_username = notfound
> (3)     [preprocess] = ok
> (3)     [chap] = noop
> (3)     [mschap] = noop
> (3)     [digest] = noop
> (3) suffix: Checking for suffix after "@"
> (3) suffix: No '@' in User-Name = "particle", looking up realm NULL
> (3) suffix: No such realm "NULL"
> (3)     [suffix] = noop
> (3) eap: Peer sent EAP Response (code 2) ID 8 length 368
> (3) eap: Continuing tunnel setup
> (3)     [eap] = ok
> (3)   } # authorize = ok
> (3) Found Auth-Type = eap
> (3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (3)   authenticate {
> (3) eap: Expiring EAP session with state 0x792e58447b264188
> (3) eap: Finished EAP session with state 0x792e58447b264188
> (3) eap: Previous EAP request found for state 0x792e58447b264188, released from the list
> (3) eap: Peer sent packet with method EAP PEAP (25)
> (3) eap: Calling submodule eap_peap to process data
> (3) eap_peap: Continuing EAP-TLS
> (3) eap_peap: Peer indicated complete TLS record size will be 358 bytes
> (3) eap_peap: Got complete TLS record (358 bytes)
> (3) eap_peap: [eaptls verify] = length included
> (3) eap_peap: TLS_accept: SSLv3/TLS write server done
> (3) eap_peap: <<< recv TLS 1.2  [length 0106] 
> (3) eap_peap: TLS_accept: SSLv3/TLS read client key exchange
> (3) eap_peap: TLS_accept: SSLv3/TLS read change cipher spec
> (3) eap_peap: <<< recv TLS 1.2  [length 0010] 
> (3) eap_peap: TLS_accept: SSLv3/TLS read finished
> (3) eap_peap: >>> send TLS 1.2  [length 0001] 
> (3) eap_peap: TLS_accept: SSLv3/TLS write change cipher spec
> (3) eap_peap: >>> send TLS 1.2  [length 0010] 
> (3) eap_peap: TLS_accept: SSLv3/TLS write finished
> (3) eap_peap: (other): SSL negotiation finished successfully
> (3) eap_peap: SSL Connection Established
> (3) eap_peap: [eaptls process] = handled
> (3) eap: Sending EAP Request (code 1) ID 9 length 97
> (3) eap: EAP session adding &reply:State = 0x792e58447a274188
> (3)     [eap] = handled
> (3)   } # authenticate = handled
> (3) Using Post-Auth-Type Challenge
> (3) Post-Auth-Type sub-section not found.  Ignoring.
> (3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (3) Sent Access-Challenge Id 40 from 192.168.1.33:1812 to 192.168.1.38:52437 length 0
> (3)   EAP-Message = 0x0109006119001403030001011603030050e4ccfeb29d521f23bceec5b5a6d2086989af54bf30c104ebd10fcadeda3e144e401aeac50e2f2d6fb28711841f9bff03cac82c6e94eb8082d4da10ef0950f6eae7f637b23f93d14e28952fa0735e8273
> (3)   Message-Authenticator = 0x00000000000000000000000000000000
> (3)   State = 0x792e58447a274188d729d5f4b5ba04a4
> (3) Finished request
> Waking up in 4.8 seconds.
> (4) Received Access-Request Id 41 from 192.168.1.38:52437 to 192.168.1.33:1812 length 183
> (4)   User-Name = "particle"
> (4)   NAS-IP-Address = 192.168.1.38
> (4)   NAS-Identifier = "b4fbe4c348ab"
> (4)   NAS-Port = 0
> (4)   Called-Station-Id = "B4-FB-E4-C4-48-AB:Armorwpa2"
> (4)   Calling-Station-Id = "E0-4F-43-36-B1-F1"
> (4)   Framed-MTU = 1400
> (4)   NAS-Port-Type = Wireless-802.11
> (4)   Connect-Info = "CONNECT 0Mbps 802.11b"
> (4)   EAP-Message = 0x020900061900
> (4)   State = 0x792e58447a274188d729d5f4b5ba04a4
> (4)   Message-Authenticator = 0x95b4fe0eef8a5368d718ba97543624d1
> (4) session-state: No cached attributes
> (4) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
> (4)   authorize {
> (4)     policy filter_username {
> (4)       if (&User-Name) {
> (4)       if (&User-Name)  -> TRUE
> (4)       if (&User-Name)  {
> (4)         if (&User-Name =~ / /) {
> (4)         if (&User-Name =~ / /)  -> FALSE
> (4)         if (&User-Name =~ /@[^@]*@/ ) {
> (4)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
> (4)         if (&User-Name =~ /\.\./ ) {
> (4)         if (&User-Name =~ /\.\./ )  -> FALSE
> (4)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
> (4)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
> (4)         if (&User-Name =~ /\.$/)  {
> (4)         if (&User-Name =~ /\.$/)   -> FALSE
> (4)         if (&User-Name =~ /@\./)  {
> (4)         if (&User-Name =~ /@\./)   -> FALSE
> (4)       } # if (&User-Name)  = notfound
> (4)     } # policy filter_username = notfound
> (4)     [preprocess] = ok
> (4)     [chap] = noop
> (4)     [mschap] = noop
> (4)     [digest] = noop
> (4) suffix: Checking for suffix after "@"
> (4) suffix: No '@' in User-Name = "particle", looking up realm NULL
> (4) suffix: No such realm "NULL"
> (4)     [suffix] = noop
> (4) eap: Peer sent EAP Response (code 2) ID 9 length 6
> (4) eap: Continuing tunnel setup
> (4)     [eap] = ok
> (4)   } # authorize = ok
> (4) Found Auth-Type = eap
> (4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (4)   authenticate {
> (4) eap: Expiring EAP session with state 0x792e58447a274188
> (4) eap: Finished EAP session with state 0x792e58447a274188
> (4) eap: Previous EAP request found for state 0x792e58447a274188, released from the list
> (4) eap: Peer sent packet with method EAP PEAP (25)
> (4) eap: Calling submodule eap_peap to process data
> (4) eap_peap: Continuing EAP-TLS
> (4) eap_peap: Peer ACKed our handshake fragment.  handshake is finished
> (4) eap_peap: [eaptls verify] = success
> (4) eap_peap: [eaptls process] = success
> (4) eap_peap: Session established.  Decoding tunneled attributes
> (4) eap_peap: PEAP state TUNNEL ESTABLISHED
> (4) eap: Sending EAP Request (code 1) ID 10 length 75
> (4) eap: EAP session adding &reply:State = 0x792e58447d244188
> (4)     [eap] = handled
> (4)   } # authenticate = handled
> (4) Using Post-Auth-Type Challenge
> (4) Post-Auth-Type sub-section not found.  Ignoring.
> (4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (4) Sent Access-Challenge Id 41 from 192.168.1.33:1812 to 192.168.1.38:52437 length 0
> (4)   EAP-Message = 0x010a004b19001703030040876f919e5b6f69b08d7d8082925085f96d9d4dc5d287be8a2220d788f3d81410117ac9b30cfe5bf1fdbd3fa127a1c59c9f43f811e9a1ed62184e6b52111b2cc9
> (4)   Message-Authenticator = 0x00000000000000000000000000000000
> (4)   State = 0x792e58447d244188d729d5f4b5ba04a4
> (4) Finished request
> Waking up in 4.8 seconds.
> (5) Received Access-Request Id 42 from 192.168.1.38:52437 to 192.168.1.33:1812 length 252
> (5)   User-Name = "particle"
> (5)   NAS-IP-Address = 192.168.1.38
> (5)   NAS-Identifier = "b4fbe4c348ab"
> (5)   NAS-Port = 0
> (5)   Called-Station-Id = "B4-FB-E4-C4-48-AB:Armorwpa2"
> (5)   Calling-Station-Id = "E0-4F-43-36-B1-F1"
> (5)   Framed-MTU = 1400
> (5)   NAS-Port-Type = Wireless-802.11
> (5)   Connect-Info = "CONNECT 0Mbps 802.11b"
> (5)   EAP-Message = 0x020a004b19001703030040fdcdeff9a7da7077eb3784b51917dbb3f4b705b340e03a3feaf97f3de31941cb2864a9b7a6363f305b5c239727284a9e38bf34deab83141d8393bbc165f2cee7
> (5)   State = 0x792e58447d244188d729d5f4b5ba04a4
> (5)   Message-Authenticator = 0x16e198c5d18d50d6db5da8dc8ea94e23
> (5) session-state: No cached attributes
> (5) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
> (5)   authorize {
> (5)     policy filter_username {
> (5)       if (&User-Name) {
> (5)       if (&User-Name)  -> TRUE
> (5)       if (&User-Name)  {
> (5)         if (&User-Name =~ / /) {
> (5)         if (&User-Name =~ / /)  -> FALSE
> (5)         if (&User-Name =~ /@[^@]*@/ ) {
> (5)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
> (5)         if (&User-Name =~ /\.\./ ) {
> (5)         if (&User-Name =~ /\.\./ )  -> FALSE
> (5)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
> (5)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
> (5)         if (&User-Name =~ /\.$/)  {
> (5)         if (&User-Name =~ /\.$/)   -> FALSE
> (5)         if (&User-Name =~ /@\./)  {
> (5)         if (&User-Name =~ /@\./)   -> FALSE
> (5)       } # if (&User-Name)  = notfound
> (5)     } # policy filter_username = notfound
> (5)     [preprocess] = ok
> (5)     [chap] = noop
> (5)     [mschap] = noop
> (5)     [digest] = noop
> (5) suffix: Checking for suffix after "@"
> (5) suffix: No '@' in User-Name = "particle", looking up realm NULL
> (5) suffix: No such realm "NULL"
> (5)     [suffix] = noop
> (5) eap: Peer sent EAP Response (code 2) ID 10 length 75
> (5) eap: Continuing tunnel setup
> (5)     [eap] = ok
> (5)   } # authorize = ok
> (5) Found Auth-Type = eap
> (5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (5)   authenticate {
> (5) eap: Expiring EAP session with state 0x792e58447d244188
> (5) eap: Finished EAP session with state 0x792e58447d244188
> (5) eap: Previous EAP request found for state 0x792e58447d244188, released from the list
> (5) eap: Peer sent packet with method EAP PEAP (25)
> (5) eap: Calling submodule eap_peap to process data
> (5) eap_peap: Continuing EAP-TLS
> (5) eap_peap: [eaptls verify] = ok
> (5) eap_peap: Done initial handshake
> (5) eap_peap: [eaptls process] = ok
> (5) eap_peap: Session established.  Decoding tunneled attributes
> (5) eap_peap: PEAP state WAITING FOR INNER IDENTITY
> (5) eap_peap: Identity - particle
> (5) eap_peap: Got inner identity 'particle'
> (5) eap_peap: Setting default EAP type for tunneled EAP session
> (5) eap_peap: Got tunneled request
> (5) eap_peap:   EAP-Message = 0x020a000d017061727469636c65
> (5) eap_peap: Setting User-Name to particle
> (5) eap_peap: Sending tunneled request to inner-tunnel
> (5) eap_peap:   EAP-Message = 0x020a000d017061727469636c65
> (5) eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1
> (5) eap_peap:   User-Name = "particle"
> (5) Virtual server inner-tunnel received request
> (5)   EAP-Message = 0x020a000d017061727469636c65
> (5)   FreeRADIUS-Proxied-To = 127.0.0.1
> (5)   User-Name = "particle"
> (5) WARNING: Outer and inner identities are the same.  User privacy is compromised.
> (5) server inner-tunnel {
> (5)   # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
> (5)     authorize {
> (5)       policy filter_username {
> (5)         if (&User-Name) {
> (5)         if (&User-Name)  -> TRUE
> (5)         if (&User-Name)  {
> (5)           if (&User-Name =~ / /) {
> (5)           if (&User-Name =~ / /)  -> FALSE
> (5)           if (&User-Name =~ /@[^@]*@/ ) {
> (5)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE
> (5)           if (&User-Name =~ /\.\./ ) {
> (5)           if (&User-Name =~ /\.\./ )  -> FALSE
> (5)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
> (5)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
> (5)           if (&User-Name =~ /\.$/)  {
> (5)           if (&User-Name =~ /\.$/)   -> FALSE
> (5)           if (&User-Name =~ /@\./)  {
> (5)           if (&User-Name =~ /@\./)   -> FALSE
> (5)         } # if (&User-Name)  = notfound
> (5)       } # policy filter_username = notfound
> (5)       [chap] = noop
> (5)       [mschap] = noop
> (5) suffix: Checking for suffix after "@"
> (5) suffix: No '@' in User-Name = "particle", looking up realm NULL
> (5) suffix: No such realm "NULL"
> (5)       [suffix] = noop
> (5)       update control {
> (5)         &Proxy-To-Realm := LOCAL
> (5)       } # update control = noop
> (5) eap: Peer sent EAP Response (code 2) ID 10 length 13
> (5) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
> (5)       [eap] = ok
> (5)     } # authorize = ok
> (5)   Found Auth-Type = eap
> (5)   # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
> (5)     authenticate {
> (5) eap: Peer sent packet with method EAP Identity (1)
> (5) eap: Calling submodule eap_mschapv2 to process data
> (5) eap_mschapv2: Issuing Challenge
> (5) eap: Sending EAP Request (code 1) ID 11 length 43
> (5) eap: EAP session adding &reply:State = 0x9ed5137a9ede0992
> (5)       [eap] = handled
> (5)     } # authenticate = handled
> (5) } # server inner-tunnel
> (5) Virtual server sending reply
> (5)   EAP-Message = 0x010b002b1a010b002610add748736b59d05b7cac342e03bc00fa667265657261646975732d332e302e3132
> (5)   Message-Authenticator = 0x00000000000000000000000000000000
> (5)   State = 0x9ed5137a9ede099241d17dbdaa28bbf3
> (5) eap_peap: Got tunneled reply code 11
> (5) eap_peap:   EAP-Message = 0x010b002b1a010b002610add748736b59d05b7cac342e03bc00fa667265657261646975732d332e302e3132
> (5) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
> (5) eap_peap:   State = 0x9ed5137a9ede099241d17dbdaa28bbf3
> (5) eap_peap: Got tunneled reply RADIUS code 11
> (5) eap_peap:   EAP-Message = 0x010b002b1a010b002610add748736b59d05b7cac342e03bc00fa667265657261646975732d332e302e3132
> (5) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
> (5) eap_peap:   State = 0x9ed5137a9ede099241d17dbdaa28bbf3
> (5) eap_peap: Got tunneled Access-Challenge
> (5) eap: Sending EAP Request (code 1) ID 11 length 107
> (5) eap: EAP session adding &reply:State = 0x792e58447c254188
> (5)     [eap] = handled
> (5)   } # authenticate = handled
> (5) Using Post-Auth-Type Challenge
> (5) Post-Auth-Type sub-section not found.  Ignoring.
> (5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (5) Sent Access-Challenge Id 42 from 192.168.1.33:1812 to 192.168.1.38:52437 length 0
> (5)   EAP-Message = 0x010b006b19001703030060427e72f2a75ff426efd53ee1f42bf29ba4aae389d83bc4b7e8f1257e772430ede3cb69944b24e4f7b6280ffa62e224b27be20c2c641b0fbf6a77cab9ef38ba1f47e79470ecca8368ca25beda56349c1e21e3d49b1db8bc2bd749aab8bf3aa3cb
> (5)   Message-Authenticator = 0x00000000000000000000000000000000
> (5)   State = 0x792e58447c254188d729d5f4b5ba04a4
> (5) Finished request
> Waking up in 4.7 seconds.
> (6) Received Access-Request Id 43 from 192.168.1.38:52437 to 192.168.1.33:1812 length 300
> (6)   User-Name = "particle"
> (6)   NAS-IP-Address = 192.168.1.38
> (6)   NAS-Identifier = "b4fbe4c348ab"
> (6)   NAS-Port = 0
> (6)   Called-Station-Id = "B4-FB-E4-C4-48-AB:Armorwpa2"
> (6)   Calling-Station-Id = "E0-4F-43-36-B1-F1"
> (6)   Framed-MTU = 1400
> (6)   NAS-Port-Type = Wireless-802.11
> (6)   Connect-Info = "CONNECT 0Mbps 802.11b"
> (6)   EAP-Message = 0x020b007b19001703030070fdcdeff9a7da7077eb3784b51917dbb344ede7b63a9b0f5b11eb7701e504139b09564427efbb43c2ec17f8b42b4124f8fbfc5b440c1c050ff8aa9b8badfaedf539c727f4dfa655815cc469a0812b494ea16db3c4e1ffb49720bdf58408642e7387e7d103393cc91e2db29818
> (6)   State = 0x792e58447c254188d729d5f4b5ba04a4
> (6)   Message-Authenticator = 0x9d932302c8a3d3979d08ad610dcc59e7
> (6) session-state: No cached attributes
> (6) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
> (6)   authorize {
> (6)     policy filter_username {
> (6)       if (&User-Name) {
> (6)       if (&User-Name)  -> TRUE
> (6)       if (&User-Name)  {
> (6)         if (&User-Name =~ / /) {
> (6)         if (&User-Name =~ / /)  -> FALSE
> (6)         if (&User-Name =~ /@[^@]*@/ ) {
> (6)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
> (6)         if (&User-Name =~ /\.\./ ) {
> (6)         if (&User-Name =~ /\.\./ )  -> FALSE
> (6)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
> (6)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
> (6)         if (&User-Name =~ /\.$/)  {
> (6)         if (&User-Name =~ /\.$/)   -> FALSE
> (6)         if (&User-Name =~ /@\./)  {
> (6)         if (&User-Name =~ /@\./)   -> FALSE
> (6)       } # if (&User-Name)  = notfound
> (6)     } # policy filter_username = notfound
> (6)     [preprocess] = ok
> (6)     [chap] = noop
> (6)     [mschap] = noop
> (6)     [digest] = noop
> (6) suffix: Checking for suffix after "@"
> (6) suffix: No '@' in User-Name = "particle", looking up realm NULL
> (6) suffix: No such realm "NULL"
> (6)     [suffix] = noop
> (6) eap: Peer sent EAP Response (code 2) ID 11 length 123
> (6) eap: Continuing tunnel setup
> (6)     [eap] = ok
> (6)   } # authorize = ok
> (6) Found Auth-Type = eap
> (6) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (6)   authenticate {
> (6) eap: Expiring EAP session with state 0x9ed5137a9ede0992
> (6) eap: Finished EAP session with state 0x792e58447c254188
> (6) eap: Previous EAP request found for state 0x792e58447c254188, released from the list
> (6) eap: Peer sent packet with method EAP PEAP (25)
> (6) eap: Calling submodule eap_peap to process data
> (6) eap_peap: Continuing EAP-TLS
> (6) eap_peap: [eaptls verify] = ok
> (6) eap_peap: Done initial handshake
> (6) eap_peap: [eaptls process] = ok
> (6) eap_peap: Session established.  Decoding tunneled attributes
> (6) eap_peap: PEAP state phase2
> (6) eap_peap: EAP method MSCHAPv2 (26)
> (6) eap_peap: Got tunneled request
> (6) eap_peap:   EAP-Message = 0x020b00431a020b003e313f35b2f66fb9de0bdb693df43f40afd200000000000000005984d1f879ab5fb509b4d544552cb8d100815e7b9445e381007061727469636c65
> (6) eap_peap: Setting User-Name to particle
> (6) eap_peap: Sending tunneled request to inner-tunnel
> (6) eap_peap:   EAP-Message = 0x020b00431a020b003e313f35b2f66fb9de0bdb693df43f40afd200000000000000005984d1f879ab5fb509b4d544552cb8d100815e7b9445e381007061727469636c65
> (6) eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1
> (6) eap_peap:   User-Name = "particle"
> (6) eap_peap:   State = 0x9ed5137a9ede099241d17dbdaa28bbf3
> (6) Virtual server inner-tunnel received request
> (6)   EAP-Message = 0x020b00431a020b003e313f35b2f66fb9de0bdb693df43f40afd200000000000000005984d1f879ab5fb509b4d544552cb8d100815e7b9445e381007061727469636c65
> (6)   FreeRADIUS-Proxied-To = 127.0.0.1
> (6)   User-Name = "particle"
> (6)   State = 0x9ed5137a9ede099241d17dbdaa28bbf3
> (6) WARNING: Outer and inner identities are the same.  User privacy is compromised.
> (6) server inner-tunnel {
> (6)   session-state: No cached attributes
> (6)   # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
> (6)     authorize {
> (6)       policy filter_username {
> (6)         if (&User-Name) {
> (6)         if (&User-Name)  -> TRUE
> (6)         if (&User-Name)  {
> (6)           if (&User-Name =~ / /) {
> (6)           if (&User-Name =~ / /)  -> FALSE
> (6)           if (&User-Name =~ /@[^@]*@/ ) {
> (6)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE
> (6)           if (&User-Name =~ /\.\./ ) {
> (6)           if (&User-Name =~ /\.\./ )  -> FALSE
> (6)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
> (6)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
> (6)           if (&User-Name =~ /\.$/)  {
> (6)           if (&User-Name =~ /\.$/)   -> FALSE
> (6)           if (&User-Name =~ /@\./)  {
> (6)           if (&User-Name =~ /@\./)   -> FALSE
> (6)         } # if (&User-Name)  = notfound
> (6)       } # policy filter_username = notfound
> (6)       [chap] = noop
> (6)       [mschap] = noop
> (6) suffix: Checking for suffix after "@"
> (6) suffix: No '@' in User-Name = "particle", looking up realm NULL
> (6) suffix: No such realm "NULL"
> (6)       [suffix] = noop
> (6)       update control {
> (6)         &Proxy-To-Realm := LOCAL
> (6)       } # update control = noop
> (6) eap: Peer sent EAP Response (code 2) ID 11 length 67
> (6) eap: No EAP Start, assuming it's an on-going EAP conversation
> (6)       [eap] = updated
> (6) files: users: Matched entry particle at line 1
> (6)       [files] = ok
> (6)       [expiration] = noop
> (6)       [logintime] = noop
> (6) pap: WARNING: Auth-Type already set.  Not setting to PAP
> (6)       [pap] = noop
> (6)     } # authorize = updated
> (6)   Found Auth-Type = eap
> (6)   # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
> (6)     authenticate {
> (6) eap: Expiring EAP session with state 0x9ed5137a9ede0992
> (6) eap: Finished EAP session with state 0x9ed5137a9ede0992
> (6) eap: Previous EAP request found for state 0x9ed5137a9ede0992, released from the list
> (6) eap: Peer sent packet with method EAP MSCHAPv2 (26)
> (6) eap: Calling submodule eap_mschapv2 to process data
> (6) eap_mschapv2: # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
> (6) eap_mschapv2:   authenticate {
> (6) mschap: Found Cleartext-Password, hashing to create NT-Password
> (6) mschap: Found Cleartext-Password, hashing to create LM-Password
> (6) mschap: Creating challenge hash with username: particle
> (6) mschap: Client is using MS-CHAPv2
> (6) mschap: ERROR: MS-CHAP2-Response is incorrect
> (6)     [mschap] = reject
> (6)   } # authenticate = reject
> (6) eap: Sending EAP Failure (code 4) ID 11 length 4
> (6) eap: Freeing handler
> (6)       [eap] = reject
> (6)     } # authenticate = reject
> (6)   Failed to authenticate the user
> (6)   Using Post-Auth-Type Reject
> (6)   # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
> (6)     Post-Auth-Type REJECT {
> (6) attr_filter.access_reject: EXPAND %{User-Name}
> (6) attr_filter.access_reject:    --> particle
> (6) attr_filter.access_reject: Matched entry DEFAULT at line 11
> (6)       [attr_filter.access_reject] = updated
> (6)       update outer.session-state {
> (6)         &Module-Failure-Message := &request:Module-Failure-Message -> 'mschap: MS-CHAP2-Response is incorrect'
> (6)       } # update outer.session-state = noop
> (6)     } # Post-Auth-Type REJECT = updated
> (6) } # server inner-tunnel
> (6) Virtual server sending reply
> (6)   MS-CHAP-Error = "\013E=691 R=1 C=7e3c197e14ea1c252b48f6f0f1769c48 V=3 M=Authentication failed"
> (6)   EAP-Message = 0x040b0004
> (6)   Message-Authenticator = 0x00000000000000000000000000000000
> (6) eap_peap: Got tunneled reply code 3
> (6) eap_peap:   MS-CHAP-Error = "\013E=691 R=1 C=7e3c197e14ea1c252b48f6f0f1769c48 V=3 M=Authentication failed"
> (6) eap_peap:   EAP-Message = 0x040b0004
> (6) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
> (6) eap_peap: Got tunneled reply RADIUS code 3
> (6) eap_peap:   MS-CHAP-Error = "\013E=691 R=1 C=7e3c197e14ea1c252b48f6f0f1769c48 V=3 M=Authentication failed"
> (6) eap_peap:   EAP-Message = 0x040b0004
> (6) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
> (6) eap_peap: Tunneled authentication was rejected
> (6) eap_peap: FAILURE
> (6) eap: Sending EAP Request (code 1) ID 12 length 75
> (6) eap: EAP session adding &reply:State = 0x792e58447f224188
> (6)     [eap] = handled
> (6)   } # authenticate = handled
> (6) Using Post-Auth-Type Challenge
> (6) Post-Auth-Type sub-section not found.  Ignoring.
> (6) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (6) session-state: Saving cached attributes
> (6)   Module-Failure-Message := "mschap: MS-CHAP2-Response is incorrect"
> (6) Sent Access-Challenge Id 43 from 192.168.1.33:1812 to 192.168.1.38:52437 length 0
> (6)   EAP-Message = 0x010c004b190017030300400c78fe983c5dd192db59da8240896c96033a7305a8f101405d8d1c04a6b8b77542214f016ab70bfe1a2c9039ff65e7c215f722faedc84912623688cb283b2cbd
> (6)   Message-Authenticator = 0x00000000000000000000000000000000
> (6)   State = 0x792e58447f224188d729d5f4b5ba04a4
> (6) Finished request
> Waking up in 4.7 seconds.
> (7) Received Access-Request Id 44 from 192.168.1.38:52437 to 192.168.1.33:1812 length 252
> (7)   User-Name = "particle"
> (7)   NAS-IP-Address = 192.168.1.38
> (7)   NAS-Identifier = "b4fbe4c348ab"
> (7)   NAS-Port = 0
> (7)   Called-Station-Id = "B4-FB-E4-C4-48-AB:Armorwpa2"
> (7)   Calling-Station-Id = "E0-4F-43-36-B1-F1"
> (7)   Framed-MTU = 1400
> (7)   NAS-Port-Type = Wireless-802.11
> (7)   Connect-Info = "CONNECT 0Mbps 802.11b"
> (7)   EAP-Message = 0x020c004b19001703030040fdcdeff9a7da7077eb3784b51917dbb315f7e335a9c8a19767c1033ff9329c5f037450eba6f2eb7a9b9347ed8606cef0ce75ae3f03a9518a7ecf3c4b642716ea
> (7)   State = 0x792e58447f224188d729d5f4b5ba04a4
> (7)   Message-Authenticator = 0xc6525ab028d9d5e9459c8d3d25442ff7
> (7) Restoring &session-state
> (7)   &session-state:Module-Failure-Message := "mschap: MS-CHAP2-Response is incorrect"
> (7) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
> (7)   authorize {
> (7)     policy filter_username {
> (7)       if (&User-Name) {
> (7)       if (&User-Name)  -> TRUE
> (7)       if (&User-Name)  {
> (7)         if (&User-Name =~ / /) {
> (7)         if (&User-Name =~ / /)  -> FALSE
> (7)         if (&User-Name =~ /@[^@]*@/ ) {
> (7)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
> (7)         if (&User-Name =~ /\.\./ ) {
> (7)         if (&User-Name =~ /\.\./ )  -> FALSE
> (7)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
> (7)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
> (7)         if (&User-Name =~ /\.$/)  {
> (7)         if (&User-Name =~ /\.$/)   -> FALSE
> (7)         if (&User-Name =~ /@\./)  {
> (7)         if (&User-Name =~ /@\./)   -> FALSE
> (7)       } # if (&User-Name)  = notfound
> (7)     } # policy filter_username = notfound
> (7)     [preprocess] = ok
> (7)     [chap] = noop
> (7)     [mschap] = noop
> (7)     [digest] = noop
> (7) suffix: Checking for suffix after "@"
> (7) suffix: No '@' in User-Name = "particle", looking up realm NULL
> (7) suffix: No such realm "NULL"
> (7)     [suffix] = noop
> (7) eap: Peer sent EAP Response (code 2) ID 12 length 75
> (7) eap: Continuing tunnel setup
> (7)     [eap] = ok
> (7)   } # authorize = ok
> (7) Found Auth-Type = eap
> (7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (7)   authenticate {
> (7) eap: Expiring EAP session with state 0x792e58447f224188
> (7) eap: Finished EAP session with state 0x792e58447f224188
> (7) eap: Previous EAP request found for state 0x792e58447f224188, released from the list
> (7) eap: Peer sent packet with method EAP PEAP (25)
> (7) eap: Calling submodule eap_peap to process data
> (7) eap_peap: Continuing EAP-TLS
> (7) eap_peap: [eaptls verify] = ok
> (7) eap_peap: Done initial handshake
> (7) eap_peap: [eaptls process] = ok
> (7) eap_peap: Session established.  Decoding tunneled attributes
> (7) eap_peap: PEAP state send tlv failure
> (7) eap_peap: Received EAP-TLV response
> (7) eap_peap:   The users session was previously rejected: returning reject (again.)
> (7) eap_peap:   This means you need to read the PREVIOUS messages in the debug output
> (7) eap_peap:   to find out the reason why the user was rejected
> (7) eap_peap:   Look for "reject" or "fail".  Those earlier messages will tell you
> (7) eap_peap:   what went wrong, and how to fix the problem
> (7) eap: ERROR: Failed continuing EAP PEAP (25) session.  EAP sub-module failed
> (7) eap: Sending EAP Failure (code 4) ID 12 length 4
> (7) eap: Failed in EAP select
> (7)     [eap] = invalid
> (7)   } # authenticate = invalid
> (7) Failed to authenticate the user
> (7) Using Post-Auth-Type Reject
> (7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (7)   Post-Auth-Type REJECT {
> (7) attr_filter.access_reject: EXPAND %{User-Name}
> (7) attr_filter.access_reject:    --> particle
> (7) attr_filter.access_reject: Matched entry DEFAULT at line 11
> (7)     [attr_filter.access_reject] = updated
> (7)     [eap] = noop
> (7)     policy remove_reply_message_if_eap {
> (7)       if (&reply:EAP-Message && &reply:Reply-Message) {
> (7)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
> (7)       else {
> (7)         [noop] = noop
> (7)       } # else = noop
> (7)     } # policy remove_reply_message_if_eap = noop
> (7)   } # Post-Auth-Type REJECT = updated
> (7) Delaying response for 1.000000 seconds
> Waking up in 0.3 seconds.
> Waking up in 0.6 seconds.
> (7) Sending delayed response
> (7) Sent Access-Reject Id 44 from 192.168.1.33:1812 to 192.168.1.38:52437 length 44
> (7)   EAP-Message = 0x040c0004
> (7)   Message-Authenticator = 0x00000000000000000000000000000000
> Waking up in 3.7 seconds.
> (0) Cleaning up request packet ID 37 with timestamp +37
> (1) Cleaning up request packet ID 38 with timestamp +37
> (2) Cleaning up request packet ID 39 with timestamp +37
> Waking up in 0.1 seconds.
> (3) Cleaning up request packet ID 40 with timestamp +37
> (4) Cleaning up request packet ID 41 with timestamp +37
> (5) Cleaning up request packet ID 42 with timestamp +37
> (6) Cleaning up request packet ID 43 with timestamp +37
> (7) Cleaning up request packet ID 44 with timestamp +37
> 
> Thanks in advance for any help.
> 
> Will
> 
> wjsteen at talktalk.net
> 
> 
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
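
The debug output quoted above says to read the previous messages and look for "reject" or "fail". As an added example (not part of the original post and not FreeRADIUS code), this script does that over an excerpt of the same log: it reports the first failing line and decodes the MS-CHAP-Error string using the failure codes from RFC 2759. The function names and the excerpt selection are this example's own.

```python
import re

# Excerpt of the debug output quoted above (quote markers kept as they appear).
SAMPLE = r'''> (6) mschap: Client is using MS-CHAPv2
> (6) mschap: ERROR: MS-CHAP2-Response is incorrect
> (6)     [mschap] = reject
> (6)   MS-CHAP-Error = "\013E=691 R=1 C=7e3c197e14ea1c252b48f6f0f1769c48 V=3 M=Authentication failed"
> (6) eap_peap: Tunneled authentication was rejected
> Waking up in 4.7 seconds.
> (7) eap_peap:   The users session was previously rejected: returning reject (again.)
> (7) eap: ERROR: Failed continuing EAP PEAP (25) session.  EAP sub-module failed
> (7) Sent Access-Reject Id 44 from 192.168.1.33:1812 to 192.168.1.38:52437 length 44
'''

# Failure codes defined for the MS-CHAPv2 Failure packet in RFC 2759.
RFC2759_ERRORS = {
    646: "ERROR_RESTRICTED_LOGON_HOURS",
    647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED",
    649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE",
    709: "ERROR_CHANGING_PASSWORD",
}

LINE_RE = re.compile(r"^(?:>\s?)*\((\d+)\)\s+(.*)$")       # "(N) message", quoted or not
FAIL_RE = re.compile(r"ERROR|reject|fail", re.IGNORECASE)  # what the log says to look for
MSCHAP_RE = re.compile(r'E=(\d+) R=([01]) C=([0-9A-Fa-f]+) V=(\d+)(?: M=([^"]*))?')


def request_lines(text):
    """Yield (request_number, message) for every '(N) ...' debug line."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            yield int(m.group(1)), m.group(2).strip()


def parse_mschap_error(message):
    """Split an MS-CHAP-Error value into its E/R/C/V/M fields."""
    m = MSCHAP_RE.search(message)
    if not m:
        return None
    code = int(m.group(1))
    return {
        "code": code,
        "meaning": RFC2759_ERRORS.get(code, "unknown"),
        "retry_allowed": m.group(2) == "1",
        "challenge": m.group(3),
        "version": int(m.group(4)),
        "message": m.group(5),
    }


def triage(text):
    """Return the first failing line in log order, plus the MS-CHAP-Error
    sent for that same request. Later rejects are follow-on effects."""
    root = None
    for req, msg in request_lines(text):
        if root is None and FAIL_RE.search(msg):
            root = {"request": req, "cause": msg, "mschap_error": None}
        if root and req == root["request"] and msg.startswith("MS-CHAP-Error"):
            root["mschap_error"] = parse_mschap_error(msg)
            break
    return root


if __name__ == "__main__":
    print(triage(SAMPLE))
```

On this excerpt the root cause is the mschap ERROR line in request (6); the reject in request (7) only repeats it.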


