<html><head><style type="text/css"><!-- DIV {margin:0px;} --></style></head><body><div style="font-family:times new roman,new york,times,serif;font-size:14pt"><div>Hi all,<br><br>I have a functional question about FreeRADIUS and the LDAP lookups. We currently run Cisco WLC440x with WPA2-AES-PEAP-MSCHAPv2 against FreeRADIUS, and it is taking a while to authenticate - roughly 35 seconds. It seems most of this is being chewed up by our slow LDAP lookups (about 4-6 seconds each; this is an LDAP server issue), in combination with the number of LDAP lookups FreeRADIUS does per session (5-6). Is it normal for the FreeRADIUS server to perform this many LDAP lookups, or do I have a configuration error? It seems like it does LDAP calls each time it receives an Access-Request following an Access-Challenge. I've played with the controller auth timeouts; it doesn't seem to make a difference. Here is the debug output from a single
session:<br><br>rad_recv: Access-Request packet from host 192.168.21.130 port 32769, id=5, length=196<br> User-Name = "test"<br> Calling-Station-Id = "00-21-00-D9-10-DB"<br> Called-Station-Id = "00-23-EA-7F-85-40:TFWAPR"<br> NAS-Port = 1<br> NAS-IP-Address = 192.168.21.130<br> NAS-Identifier = "AIR-WLC4404-DK-1"<br> Airespace-Wlan-Id = 2<br> Service-Type = Framed-User<br> Framed-MTU = 1300<br> NAS-Port-Type = Wireless-802.11<br> EAP-Message = (trimmed)<br>
Message-Authenticator = 0x8dd02304de9a3c5e3c732d1a622be134<br>+- entering group authorize {...}<br>[preprocess] expand: %{Called-Station-Id} -> 00-23-EA-7F-85-40:TFWAPR<br>++[preprocess] returns ok<br>[auth_log] expand: (trimmed)<br>[auth_log](trimmed)<br>[auth_log] expand: %t -> Wed Jun 17 10:00:10 2009<br>++[auth_log] returns ok<br>++[mschap] returns noop<br>[suffix] No '@' in User-Name = "test", looking up realm NULL<br>[suffix] No such realm "NULL"<br>++[suffix] returns noop<br>[ntdomain] Looking up realm "company" for User-Name = "test"<br>[ntdomain] Found realm "company"<br>[ntdomain] Adding Stripped-User-Name = "test"<br>[ntdomain] Adding Realm = "company"<br>[ntdomain] Authentication realm is LOCAL.<br>++[ntdomain] returns ok<br>[eap] EAP packet type response id 2 length 27<br>[eap] No EAP Start, assuming it's an on-going EAP conversation<br>++[eap] returns
updated<br>[files] users: Matched entry DEFAULT at line 178<br>++[files] returns ok<br>++- entering redundant-load-balance group redundant-load-balance {...}<br>[LDAPsvr2] performing user authorization for test<br>[LDAPsvr2] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details<br>[LDAPsvr2] expand: (cn=%{Stripped-User-Name:-%{User-Name}}) -> (cn=test)<br>[LDAPsvr2] expand: t=company -> t=company<br>rlm_ldap: ldap_get_conn: Checking Id: 0<br>rlm_ldap: ldap_get_conn: Got Id: 0<br>rlm_ldap: performing search in t=company, with filter (cn=test)<br>[LDAPsvr2] Added the eDirectory password password in check items as Cleartext-Password<br>[LDAPsvr2] No default NMAS login sequence<br>[LDAPsvr2] looking for check items in directory...<br>[LDAPsvr2] looking for reply items in directory...<br>[LDAPsvr2] user test authorized to use remote access<br>rlm_ldap: ldap_release_conn: Release Id:
0<br>+++[LDAPsvr2] returns ok<br>++- redundant-load-balance group redundant-load-balance returns ok<br>++[expiration] returns noop<br>++[logintime] returns noop<br>Found Auth-Type = EAP<br>+- entering group authenticate {...}<br>[eap] EAP Identity<br>[eap] processing type mschapv2<br>rlm_eap_mschapv2: Issuing Challenge<br>++[eap] returns handled<br>Sending Access-Challenge of id 5 to 192.168.21.130 port 32769<br> EAP-Message = (trimmed)<br> Message-Authenticator = 0x00000000000000000000000000000000<br> State = 0xfea96b9cfeaa7186011d5bcc3cb2528f<br>Finished request 67.<br>Going to the next request<br>Waking up in 9.9 seconds.<br>rad_recv: Access-Request packet from host 192.168.21.130 port 32769, id=6, length=193<br> User-Name = "test"<br>
Calling-Station-Id = "00-21-00-D9-10-DB"<br> Called-Station-Id = "00-23-EA-7F-85-40:TFWAPR"<br> NAS-Port = 1<br> NAS-IP-Address = 192.168.21.130<br> NAS-Identifier = "AIR-WLC4404-DK-1"<br> Airespace-Wlan-Id = 2<br> Service-Type = Framed-User<br> Framed-MTU = 1300<br> NAS-Port-Type = Wireless-802.11<br> EAP-Message = 0x020300060319<br> State = 0xfea96b9cfeaa7186011d5bcc3cb2528f<br> Message-Authenticator = 0x7efad720ed506e1d3324a14c5f001a4c<br>+- entering group authorize
{...}<br>[preprocess] expand: %{Called-Station-Id} -> 00-23-EA-7F-85-40:TFWAPR<br>++[preprocess] returns ok<br>[auth_log] expand: (trimmed)<br>[auth_log] (trimmed)<br>[auth_log] expand: (trimmed)<br>++[auth_log] returns ok<br>++[mschap] returns noop<br>[suffix] No '@' in User-Name = "test", looking up realm NULL<br>[suffix] No such realm "NULL"<br>++[suffix] returns noop<br>[ntdomain] Looking up realm "company" for User-Name = "test"<br>[ntdomain] Found realm "company"<br>[ntdomain] Adding Stripped-User-Name = "test"<br>[ntdomain] Adding Realm = "company"<br>[ntdomain] Authentication realm is LOCAL.<br>++[ntdomain] returns ok<br>[eap] EAP packet type response id 3 length 6<br>[eap] No EAP Start, assuming it's an on-going EAP conversation<br>++[eap] returns updated<br>[files] users: Matched entry DEFAULT at line 178<br>++[files] returns ok<br>++- entering
redundant-load-balance group redundant-load-balance {...}<br>[LDAPsvr1] performing user authorization for test<br>[LDAPsvr1] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details<br>[LDAPsvr1] expand: (cn=%{Stripped-User-Name:-%{User-Name}}) -> (cn=test)<br>[LDAPsvr1] expand: t=company -> t=company<br>rlm_ldap: ldap_get_conn: Checking Id: 0<br>rlm_ldap: ldap_get_conn: Got Id: 0<br>rlm_ldap: performing search in t=company, with filter (cn=test)<br>[LDAPsvr1] Added the eDirectory password password in check items as Cleartext-Password<br>[LDAPsvr1] No default NMAS login sequence<br>[LDAPsvr1] looking for check items in directory...<br>[LDAPsvr1] looking for reply items in directory...<br>[LDAPsvr1] user test authorized to use remote access<br>rlm_ldap: ldap_release_conn: Release Id: 0<br>+++[LDAPsvr1] returns ok<br>++- redundant-load-balance group redundant-load-balance returns
ok<br>++[expiration] returns noop<br>++[logintime] returns noop<br>Found Auth-Type = EAP<br>+- entering group authenticate {...}<br>[eap] Request found, released from the list<br>[eap] EAP NAK<br>[eap] EAP-NAK asked for EAP-Type/peap<br>[eap] processing type tls<br>[tls] Initiate<br>[tls] Start returned 1<br>++[eap] returns handled<br>Sending Access-Challenge of id 6 to 192.168.21.130 port 32769<br> EAP-Message = 0x010400061920<br> Message-Authenticator = 0x00000000000000000000000000000000<br> State = 0xfea96b9cffad7286011d5bcc3cb2528f<br>Finished request 68.<br>Going to the next request<br>Waking up in 5.2 seconds.<br>rad_recv: Access-Request packet from host 192.168.21.130 port 32769, id=7, length=267<br> User-Name = "test"<br>
Calling-Station-Id = "00-21-00-D9-10-DB"<br> Called-Station-Id = "00-23-EA-7F-85-40:TFWAPR"<br> NAS-Port = 1<br> NAS-IP-Address = 192.168.21.130<br> NAS-Identifier = "AIR-WLC4404-DK-1"<br> Airespace-Wlan-Id = 2<br> Service-Type = Framed-User<br> Framed-MTU = 1300<br> NAS-Port-Type = Wireless-802.11<br> EAP-Message = (trimmed)<br> State = 0xfea96b9cffad7286011d5bcc3cb2528f<br> Message-Authenticator = 0x4564af3d0b691c04f6aaab9311bcdff3<br>+- entering group authorize
{...}<br>[preprocess] expand: %{Called-Station-Id} -> 00-23-EA-7F-85-40:TFWAPR<br>++[preprocess] returns ok<br>[auth_log] expand: (trimmed)<br>[auth_log] (trimmed)<br>[auth_log] expand: (trimmed)<br>++[auth_log] returns ok<br>++[mschap] returns noop<br>[suffix] No '@' in User-Name = "test", looking up realm NULL<br>[suffix] No such realm "NULL"<br>++[suffix] returns noop<br>[ntdomain] Looking up realm "company" for User-Name = "test"<br>[ntdomain] Found realm "company"<br>[ntdomain] Adding Stripped-User-Name = "test"<br>[ntdomain] Adding Realm = "company"<br>[ntdomain] Authentication realm is LOCAL.<br>++[ntdomain] returns ok<br>[eap] EAP packet type response id 4 length 80<br>[eap] Continuing tunnel setup.<br>++[eap] returns ok<br>Found Auth-Type = EAP<br>+- entering group authenticate {...}<br>[eap] Request found, released from the list<br>[eap] EAP/peap<br>[eap]
processing type peap<br>[peap] processing EAP-TLS<br> TLS Length 70<br>[peap] Length Included<br>[peap] eaptls_verify returned 11<br>[peap] (other): before/accept initialization<br>[peap] TLS_accept: before/accept initialization<br>[peap] <<< TLS 1.0 Handshake [length 0041], ClientHello<br>[peap] TLS_accept: SSLv3 read client hello A<br>[peap] >>> TLS 1.0 Handshake [length 002a], ServerHello<br>[peap] TLS_accept: SSLv3 write server hello A<br>[peap] >>> TLS 1.0 Handshake [length 0889], Certificate<br>[peap] TLS_accept: SSLv3 write certificate A<br>[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone<br>[peap] TLS_accept: SSLv3 write server done A<br>[peap] TLS_accept: SSLv3 flush data<br>[peap] TLS_accept: Need to
read more data: SSLv3 read client certificate A<br>In SSL Handshake Phase<br>In SSL Accept mode<br>[peap] eaptls_process returned 13<br>[peap] EAPTLS_HANDLED<br>++[eap] returns handled<br>Sending Access-Challenge of id 7 to 192.168.21.130 port 32769<br> EAP-Message = (trimmed)<br> EAP-Message = (trimmed)<br> EAP-Message = (trimmed)<br> EAP-Message = (trimmed)<br> EAP-Message = (trimmed)<br> Message-Authenticator = 0x00000000000000000000000000000000<br> State = 0xfea96b9cfcac7286011d5bcc3cb2528f<br>Finished request 69.<br>Going to the next request<br>Waking up in 5.2 seconds.<br>rad_recv: Access-Request packet from host 192.168.21.130 port 32769, id=8,
length=193<br> User-Name = "test"<br> Calling-Station-Id = "00-21-00-D9-10-DB"<br> Called-Station-Id = "00-23-EA-7F-85-40:TFWAPR"<br> NAS-Port = 1<br> NAS-IP-Address = 192.168.21.130<br> NAS-Identifier = "AIR-WLC4404-DK-1"<br> Airespace-Wlan-Id = 2<br> Service-Type = Framed-User<br> Framed-MTU = 1300<br> NAS-Port-Type = Wireless-802.11<br> EAP-Message = 0x020500061900<br> State = 0xfea96b9cfcac7286011d5bcc3cb2528f<br>
Message-Authenticator = 0xbebcefc1657154e59fa5a56953d3e83e<br>+- entering group authorize {...}<br>[preprocess] expand: %{Called-Station-Id} -> 00-23-EA-7F-85-40:TFWAPR<br>++[preprocess] returns ok<br>[auth_log] expand: (trimmed)<br>[auth_log] (trimmed)<br>[auth_log] expand: (trimmed)<br>++[auth_log] returns ok<br>++[mschap] returns noop<br>[suffix] No '@' in User-Name = "test", looking up realm NULL<br>[suffix] No such realm "NULL"<br>++[suffix] returns noop<br>[ntdomain] Looking up realm "company" for User-Name = "test"<br>[ntdomain] Found realm "company"<br>[ntdomain] Adding Stripped-User-Name = "test"<br>[ntdomain] Adding Realm = "company"<br>[ntdomain] Authentication realm is LOCAL.<br>++[ntdomain] returns ok<br>[eap] EAP packet type response id 5 length 6<br>[eap] Continuing tunnel setup.<br>++[eap] returns ok<br>Found Auth-Type = EAP<br>+- entering group authenticate
{...}<br>[eap] Request found, released from the list<br>[eap] EAP/peap<br>[eap] processing type peap<br>[peap] processing EAP-TLS<br>[peap] Received TLS ACK<br>[peap] ACK handshake fragment handler<br>[peap] eaptls_verify returned 1<br>[peap] eaptls_process returned 13<br>[peap] EAPTLS_HANDLED<br>++[eap] returns handled<br>Sending Access-Challenge of id 8 to 192.168.21.130 port 32769<br> EAP-Message = (trimmed)<br> EAP-Message = (trimmed)<br> EAP-Message = (trimmed)<br> EAP-Message = (trimmed)<br> EAP-Message = 0x4f8b38b8c2084860<br> Message-Authenticator = 0x00000000000000000000000000000000<br> State = 0xfea96b9cfdaf7286011d5bcc3cb2528f<br>Finished request
70.<br>Going to the next request<br>Waking up in 5.2 seconds.<br>rad_recv: Access-Request packet from host 192.168.21.130 port 32769, id=9, length=193<br> User-Name = "test"<br> Calling-Station-Id = "00-21-00-D9-10-DB"<br> Called-Station-Id = "00-23-EA-7F-85-40:TFWAPR"<br> NAS-Port = 1<br> NAS-IP-Address = 192.168.21.130<br> NAS-Identifier = "AIR-WLC4404-DK-1"<br> Airespace-Wlan-Id = 2<br> Service-Type = Framed-User<br> Framed-MTU = 1300<br> NAS-Port-Type = Wireless-802.11<br> EAP-Message =
0x020600061900<br> State = 0xfea96b9cfdaf7286011d5bcc3cb2528f<br> Message-Authenticator = 0x6c144e58a145ed24b615ed7080939873<br>+- entering group authorize {...}<br>[preprocess] expand: %{Called-Station-Id} -> 00-23-EA-7F-85-40:TFWAPR<br>++[preprocess] returns ok<br>[auth_log] expand: (trimmed)<br>[auth_log] (trimmed)<br>[auth_log] expand: (trimmed)<br>++[auth_log] returns ok<br>++[mschap] returns noop<br>[suffix] No '@' in User-Name = "test", looking up realm NULL<br>[suffix] No such realm "NULL"<br>++[suffix] returns noop<br>[ntdomain] Looking up realm "company" for User-Name = "test"<br>[ntdomain] Found realm "company"<br>[ntdomain] Adding Stripped-User-Name = "test"<br>[ntdomain] Adding Realm = "company"<br>[ntdomain] Authentication realm is LOCAL.<br>++[ntdomain] returns ok<br>[eap] EAP
packet type response id 6 length 6<br>[eap] Continuing tunnel setup.<br>++[eap] returns ok<br>Found Auth-Type = EAP<br>+- entering group authenticate {...}<br>[eap] Request found, released from the list<br>[eap] EAP/peap<br>[eap] processing type peap<br>[peap] processing EAP-TLS<br>[peap] Received TLS ACK<br>[peap] ACK handshake fragment handler<br>[peap] eaptls_verify returned 1<br>[peap] eaptls_process returned 13<br>[peap] EAPTLS_HANDLED<br>++[eap] returns handled<br>Sending Access-Challenge of id 9 to 192.168.21.130 port 32769<br> EAP-Message = (trimmed)<br> Message-Authenticator = 0x00000000000000000000000000000000<br> State = 0xfea96b9cfaae7286011d5bcc3cb2528f<br>Finished request 71.<br>Going to the next request<br>Waking up in 5.2 seconds.<br>rad_recv: Access-Request packet from host 192.168.21.130 port 32769, id=10,
length=509<br> User-Name = "test"<br> Calling-Station-Id = "00-21-00-D9-10-DB"<br> Called-Station-Id = "00-23-EA-7F-85-40:TFWAPR"<br> NAS-Port = 1<br> NAS-IP-Address = 192.168.21.130<br> NAS-Identifier = "AIR-WLC4404-DK-1"<br> Airespace-Wlan-Id = 2<br> Service-Type = Framed-User<br> Framed-MTU = 1300<br> NAS-Port-Type = Wireless-802.11<br> EAP-Message = (trimmed)<br> EAP-Message = (trimmed)<br> State =
0xfea96b9cfaae7286011d5bcc3cb2528f<br> Message-Authenticator = 0x86b2b14c7b15cfcf3ed534de74b3e379<br>+- entering group authorize {...}<br>[preprocess] expand: %{Called-Station-Id} -> 00-23-EA-7F-85-40:TFWAPR<br>++[preprocess] returns ok<br>[auth_log] expand: (trimmed)<br>[auth_log] (trimmed)<br>[auth_log] expand: (trimmed)<br>++[auth_log] returns ok<br>++[mschap] returns noop<br>[suffix] No '@' in User-Name = "test", looking up realm NULL<br>[suffix] No such realm "NULL"<br>++[suffix] returns noop<br>[ntdomain] Looking up realm "company" for User-Name = "test"<br>[ntdomain] Found realm "company"<br>[ntdomain] Adding Stripped-User-Name = "test"<br>[ntdomain] Adding Realm = "company"<br>[ntdomain] Authentication realm is LOCAL.<br>++[ntdomain] returns ok<br>[eap] EAP packet type response id 7 length 253<br>[eap] Continuing tunnel
setup.<br>++[eap] returns ok<br>Found Auth-Type = EAP<br>+- entering group authenticate {...}<br>[eap] Request found, released from the list<br>[eap] EAP/peap<br>[eap] processing type peap<br>[peap] processing EAP-TLS<br> TLS Length 310<br>[peap] Length Included<br>[peap] eaptls_verify returned 11<br>[peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange<br>[peap] TLS_accept: SSLv3 read client key exchange A<br>[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]<br>[peap] <<< TLS 1.0 Handshake [length 0010], Finished<br>[peap] TLS_accept: SSLv3 read finished A<br>[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]<br>[peap] TLS_accept: SSLv3 write change cipher spec A<br>[peap] >>> TLS 1.0 Handshake [length 0010], Finished<br>[peap] TLS_accept: SSLv3 write finished A<br>[peap]
TLS_accept: SSLv3 flush data<br>[peap] (other): SSL negotiation finished successfully<br>SSL Connection Established<br>[peap] eaptls_process returned 13<br>[peap] EAPTLS_HANDLED<br>++[eap] returns handled<br>Sending Access-Challenge of id 10 to 192.168.21.130 port 32769<br> EAP-Message = (trimmed)<br> Message-Authenticator = 0x00000000000000000000000000000000<br> State = 0xfea96b9cfba17286011d5bcc3cb2528f<br>Finished request 72.<br>Going to the next request<br>Waking up in 5.2 seconds.<br>rad_recv: Access-Request packet from host 192.168.21.130 port 32769, id=11, length=193<br> User-Name = "test"<br> Calling-Station-Id = "00-21-00-D9-10-DB"<br> Called-Station-Id =
"00-23-EA-7F-85-40:TFWAPR"<br> NAS-Port = 1<br> NAS-IP-Address = 192.168.21.130<br> NAS-Identifier = "AIR-WLC4404-DK-1"<br> Airespace-Wlan-Id = 2<br> Service-Type = Framed-User<br> Framed-MTU = 1300<br> NAS-Port-Type = Wireless-802.11<br> EAP-Message = 0x020800061900<br> State = 0xfea96b9cfba17286011d5bcc3cb2528f<br> Message-Authenticator = 0xa23b09f3a29bebaba1465480b07feef9<br>+- entering group authorize {...}<br>[preprocess] expand: %{Called-Station-Id} -> 00-23-EA-7F-85-40:TFWAPR<br>++[preprocess] returns
ok<br>[auth_log] expand: (trimmed)<br>[auth_log] (trimmed)<br>[auth_log] expand: (trimmed)<br>++[auth_log] returns ok<br>++[mschap] returns noop<br>[suffix] No '@' in User-Name = "test", looking up realm NULL<br>[suffix] No such realm "NULL"<br>++[suffix] returns noop<br>[ntdomain] Looking up realm "company" for User-Name = "test"<br>[ntdomain] Found realm "company"<br>[ntdomain] Adding Stripped-User-Name = "test"<br>[ntdomain] Adding Realm = "company"<br>[ntdomain] Authentication realm is LOCAL.<br>++[ntdomain] returns ok<br>[eap] EAP packet type response id 8 length 6<br>[eap] Continuing tunnel setup.<br>++[eap] returns ok<br>Found Auth-Type = EAP<br>+- entering group authenticate {...}<br>[eap] Request found, released from the list<br>[eap] EAP/peap<br>[eap] processing type peap<br>[peap] processing EAP-TLS<br>[peap] Received TLS ACK<br>[peap] ACK handshake is finished<br>[peap]
eaptls_verify returned 3<br>[peap] eaptls_process returned 3<br>[peap] EAPTLS_SUCCESS<br>++[eap] returns handled<br>Sending Access-Challenge of id 11 to 192.168.21.130 port 32769<br> EAP-Message = (trimmed)<br> Message-Authenticator = 0x00000000000000000000000000000000<br> State = 0xfea96b9cf8a07286011d5bcc3cb2528f<br>Finished request 73.<br>Going to the next request<br>Waking up in 5.2 seconds.<br>rad_recv: Access-Request packet from host 192.168.21.130 port 32769, id=12, length=237<br> User-Name = "test"<br> Calling-Station-Id = "00-21-00-D9-10-DB"<br> Called-Station-Id = "00-23-EA-7F-85-40:TFWAPR"<br> NAS-Port = 1<br>
NAS-IP-Address = 192.168.21.130<br> NAS-Identifier = "AIR-WLC4404-DK-1"<br> Airespace-Wlan-Id = 2<br> Service-Type = Framed-User<br> Framed-MTU = 1300<br> NAS-Port-Type = Wireless-802.11<br> EAP-Message = (trimmed)<br> State = 0xfea96b9cf8a07286011d5bcc3cb2528f<br> Message-Authenticator = 0xcee77e000cf68223253caa68e05da122<br>+- entering group authorize {...}<br>[preprocess] expand: %{Called-Station-Id} -> 00-23-EA-7F-85-40:TFWAPR<br>++[preprocess] returns ok<br>[auth_log] expand: (trimmed)<br>[auth_log] (trimmed)<br>[auth_log] expand:
(trimmed)<br>++[auth_log] returns ok<br>++[mschap] returns noop<br>[suffix] No '@' in User-Name = "test", looking up realm NULL<br>[suffix] No such realm "NULL"<br>++[suffix] returns noop<br>[ntdomain] Looking up realm "company" for User-Name = "test"<br>[ntdomain] Found realm "company"<br>[ntdomain] Adding Stripped-User-Name = "test"<br>[ntdomain] Adding Realm = "company"<br>[ntdomain] Authentication realm is LOCAL.<br>++[ntdomain] returns ok<br>[eap] EAP packet type response id 9 length 50<br>[eap] Continuing tunnel setup.<br>++[eap] returns ok<br>Found Auth-Type = EAP<br>+- entering group authenticate {...}<br>[eap] Request found, released from the list<br>[eap] EAP/peap<br>[eap] processing type peap<br>[peap] processing EAP-TLS<br>[peap] eaptls_verify returned 7<br>[peap] Done initial handshake<br>[peap] eaptls_process returned 7<br>[peap] EAPTLS_OK<br>[peap] Session established. Decoding tunneled attributes.<br>[peap] Identity -
test<br>[peap] Got tunneled request<br> EAP-Message = (trimmed)<br>server {<br> PEAP: Got tunneled identity of test<br> PEAP: Setting default EAP type for tunneled EAP session.<br> PEAP: Setting User-Name to test<br>Sending tunneled request<br> EAP-Message = (trimmed)<br> FreeRADIUS-Proxied-To = 127.0.0.1<br> User-Name = "test"<br>server {<br>+- entering group authorize {...}<br>++[preprocess] returns ok<br>[auth_log] expand: (trimmed)<br>[auth_log] (trimmed)<br>[auth_log] expand: (trimmed)<br>++[auth_log] returns ok<br>++[mschap] returns noop<br>[suffix] No '@' in User-Name = "test", looking up realm NULL<br>[suffix] No such realm "NULL"<br>++[suffix] returns noop<br>[ntdomain] Looking up realm
"company" for User-Name = "test"<br>[ntdomain] Found realm "company"<br>[ntdomain] Adding Stripped-User-Name = "test"<br>[ntdomain] Adding Realm = "company"<br>[ntdomain] Authentication realm is LOCAL.<br>++[ntdomain] returns ok<br>[eap] EAP packet type response id 9 length 27<br>[eap] No EAP Start, assuming it's an on-going EAP conversation<br>++[eap] returns updated<br>[files] users: Matched entry DEFAULT at line 178<br>++[files] returns ok<br>++- entering redundant-load-balance group redundant-load-balance {...}<br>[LDAPsvr2] performing user authorization for test<br>[LDAPsvr2] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details<br>[LDAPsvr2] expand: (cn=%{Stripped-User-Name:-%{User-Name}}) -> (cn=test)<br>[LDAPsvr2] expand: t=company -> t=company<br>rlm_ldap: ldap_get_conn: Checking Id: 0<br>rlm_ldap: ldap_get_conn: Got Id: 0<br>rlm_ldap: performing search in t=company, with
filter (cn=test)<br>[LDAPsvr2] Added the eDirectory password password in check items as Cleartext-Password<br>[LDAPsvr2] No default NMAS login sequence<br>[LDAPsvr2] looking for check items in directory...<br>[LDAPsvr2] looking for reply items in directory...<br>[LDAPsvr2] user test authorized to use remote access<br>rlm_ldap: ldap_release_conn: Release Id: 0<br>+++[LDAPsvr2] returns ok<br>++- redundant-load-balance group redundant-load-balance returns ok<br>++[expiration] returns noop<br>++[logintime] returns noop<br>Found Auth-Type = EAP<br>+- entering group authenticate {...}<br>[eap] EAP Identity<br>[eap] processing type mschapv2<br>rlm_eap_mschapv2: Issuing Challenge<br>++[eap] returns handled<br>} # server<br>[peap] Got tunneled reply code 11<br> EAP-Message = (trimmed)<br> Message-Authenticator =
0x00000000000000000000000000000000<br> State = 0x3203b3053209a96aacfd5d3ebe154b12<br>[peap] Got tunneled reply RADIUS code 11<br> EAP-Message = (trimmed)<br> Message-Authenticator = 0x00000000000000000000000000000000<br> State = 0x3203b3053209a96aacfd5d3ebe154b12<br>[peap] Got tunneled Access-Challenge<br>++[eap] returns handled<br>Sending Access-Challenge of id 12 to 192.168.21.130 port 32769<br> EAP-Message = (trimmed)<br> Message-Authenticator = 0x00000000000000000000000000000000<br> State = 0xfea96b9cf9a37286011d5bcc3cb2528f<br>Finished request 74.<br>Going to the next request<br>Waking up in 0.4 seconds.<br>rad_recv: Access-Request packet from host
192.168.21.130 port 32769, id=13, length=291<br> User-Name = "test"<br> Calling-Station-Id = "00-21-00-D9-10-DB"<br> Called-Station-Id = "00-23-EA-7F-85-40:TFWAPR"<br> NAS-Port = 1<br> NAS-IP-Address = 192.168.21.130<br> NAS-Identifier = "AIR-WLC4404-DK-1"<br> Airespace-Wlan-Id = 2<br> Service-Type = Framed-User<br> Framed-MTU = 1300<br> NAS-Port-Type = Wireless-802.11<br> EAP-Message = (trimmed)<br> State =
0xfea96b9cf9a37286011d5bcc3cb2528f<br> Message-Authenticator = 0x45f0df4032fed071cefcab99032b1d3d<br>+- entering group authorize {...}<br>[preprocess] expand: %{Called-Station-Id} -> 00-23-EA-7F-85-40:TFWAPR<br>++[preprocess] returns ok<br>[auth_log] expand: (trimmed)<br>[auth_log] (trimmed)<br>[auth_log] expand: (trimmed)<br>++[auth_log] returns ok<br>++[mschap] returns noop<br>[suffix] No '@' in User-Name = "test", looking up realm NULL<br>[suffix] No such realm "NULL"<br>++[suffix] returns noop<br>[ntdomain] Looking up realm "company" for User-Name = "test"<br>[ntdomain] Found realm "company"<br>[ntdomain] Adding Stripped-User-Name = "test"<br>[ntdomain] Adding Realm = "company"<br>[ntdomain] Authentication realm is LOCAL.<br>++[ntdomain] returns ok<br>[eap] EAP packet type response id 10 length 104<br>[eap] Continuing tunnel
setup.<br>++[eap] returns ok<br>Found Auth-Type = EAP<br>+- entering group authenticate {...}<br>[eap] Request found, released from the list<br>[eap] EAP/peap<br>[eap] processing type peap<br>[peap] processing EAP-TLS<br>[peap] eaptls_verify returned 7<br>[peap] Done initial handshake<br>[peap] eaptls_process returned 7<br>[peap] EAPTLS_OK<br>[peap] Session established. Decoding tunneled attributes.<br>[peap] EAP type mschapv2<br>[peap] Got tunneled request<br> EAP-Message = (trimmed)<br>server {<br> PEAP: Setting User-Name to test<br>Sending tunneled request<br> EAP-Message = (trimmed)<br> FreeRADIUS-Proxied-To = 127.0.0.1<br> User-Name = "test"<br> State = 0x3203b3053209a96aacfd5d3ebe154b12<br>server {<br>+- entering
group authorize {...}<br>++[preprocess] returns ok<br>[auth_log] expand: (trimmed)<br>[auth_log] (trimmed)<br>[auth_log] expand: (trimmed)<br>++[auth_log] returns ok<br>++[mschap] returns noop<br>[suffix] No '@' in User-Name = "test", looking up realm NULL<br>[suffix] No such realm "NULL"<br>++[suffix] returns noop<br>[ntdomain] Looking up realm "company" for User-Name = "test"<br>[ntdomain] Found realm "company"<br>[ntdomain] Adding Stripped-User-Name = "test"<br>[ntdomain] Adding Realm = "company"<br>[ntdomain] Authentication realm is LOCAL.<br>++[ntdomain] returns ok<br>[eap] EAP packet type response id 10 length 81<br>[eap] No EAP Start, assuming it's an on-going EAP conversation<br>++[eap] returns updated<br>[files] users: Matched entry DEFAULT at line 178<br>++[files] returns ok<br>++- entering redundant-load-balance group redundant-load-balance {...}<br>[LDAPsvr1] performing user
authorization for test<br>[LDAPsvr1] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details<br>[LDAPsvr1] expand: (cn=%{Stripped-User-Name:-%{User-Name}}) -> (cn=test)<br>[LDAPsvr1] expand: t=company -> t=company<br>rlm_ldap: ldap_get_conn: Checking Id: 0<br>rlm_ldap: ldap_get_conn: Got Id: 0<br>rlm_ldap: performing search in t=company, with filter (cn=test)<br>[LDAPsvr1] Added the eDirectory password password in check items as Cleartext-Password<br>[LDAPsvr1] No default NMAS login sequence<br>[LDAPsvr1] looking for check items in directory...<br>[LDAPsvr1] looking for reply items in directory...<br>[LDAPsvr1] user test authorized to use remote access<br>rlm_ldap: ldap_release_conn: Release Id: 0<br>+++[LDAPsvr1] returns ok<br>++- redundant-load-balance group redundant-load-balance returns ok<br>++[expiration] returns noop<br>++[logintime] returns noop<br>Found Auth-Type = EAP<br>+-
entering group authenticate {...}<br>[eap] Request found, released from the list<br>[eap] EAP/mschapv2<br>[eap] processing type mschapv2<br>[mschapv2] +- entering group MS-CHAP {...}<br>[mschap] Told to do MS-CHAPv2 for test with NT-Password<br>[mschap] adding MS-CHAPv2 MPPE keys<br>++[mschap] returns ok<br>MSCHAP Success<br>++[eap] returns handled<br>} # server<br>[peap] Got tunneled reply code 11<br> EAP-Message = (trimmed)<br> Message-Authenticator = 0x00000000000000000000000000000000<br> State = 0x3203b3053308a96aacfd5d3ebe154b12<br>[peap] Got tunneled reply RADIUS code 11<br> EAP-Message = (trimmed)<br> Message-Authenticator = 0x00000000000000000000000000000000<br> State =
0x3203b3053308a96aacfd5d3ebe154b12<br>[peap] Got tunneled Access-Challenge<br>++[eap] returns handled<br>Sending Access-Challenge of id 13 to 192.168.21.130 port 32769<br> EAP-Message = (trimmed)<br> Message-Authenticator = 0x00000000000000000000000000000000<br> State = 0xfea96b9cf6a27286011d5bcc3cb2528f<br>Finished request 75.<br>Going to the next request<br>Cleaning up request 67 ID 5 with timestamp +1805<br>Waking up in 0.4 seconds.<br>rad_recv: Access-Request packet from host 192.168.21.130 port 32769, id=14, length=216<br> User-Name = "test"<br> Calling-Station-Id = "00-21-00-D9-10-DB"<br> Called-Station-Id = "00-23-EA-7F-85-40:TFWAPR"<br> NAS-Port =
1<br> NAS-IP-Address = 192.168.21.130<br> NAS-Identifier = "AIR-WLC4404-DK-1"<br> Airespace-Wlan-Id = 2<br> Service-Type = Framed-User<br> Framed-MTU = 1300<br> NAS-Port-Type = Wireless-802.11<br> EAP-Message = (trimmed)<br> State = 0xfea96b9cf6a27286011d5bcc3cb2528f<br> Message-Authenticator = 0xa49cac12cdb0cec38ff0d7e51bf95eb6<br>+- entering group authorize {...}<br>[preprocess] expand: %{Called-Station-Id} -> 00-23-EA-7F-85-40:TFWAPR<br>++[preprocess] returns ok<br>[auth_log] expand: (trimmed)<br>[auth_log]
(trimmed)<br>[auth_log] expand: (trimmed)<br>++[auth_log] returns ok<br>++[mschap] returns noop<br>[suffix] No '@' in User-Name = "test", looking up realm NULL<br>[suffix] No such realm "NULL"<br>++[suffix] returns noop<br>[ntdomain] Looking up realm "company" for User-Name = "test"<br>[ntdomain] Found realm "company"<br>[ntdomain] Adding Stripped-User-Name = "test"<br>[ntdomain] Adding Realm = "company"<br>[ntdomain] Authentication realm is LOCAL.<br>++[ntdomain] returns ok<br>[eap] EAP packet type response id 11 length 29<br>[eap] Continuing tunnel setup.<br>++[eap] returns ok<br>Found Auth-Type = EAP<br>+- entering group authenticate {...}<br>[eap] Request found, released from the list<br>[eap] EAP/peap<br>[eap] processing type peap<br>[peap] processing EAP-TLS<br>[peap] eaptls_verify returned 7<br>[peap] Done initial handshake<br>[peap] eaptls_process returned 7<br>[peap] EAPTLS_OK<br>[peap] Session established.
Decoding tunneled attributes.<br>[peap] EAP type mschapv2<br>[peap] Got tunneled request<br> EAP-Message = 0x020b00061a03<br>server {<br> PEAP: Setting User-Name to test<br>Sending tunneled request<br> EAP-Message = 0x020b00061a03<br> FreeRADIUS-Proxied-To = 127.0.0.1<br> User-Name = "test"<br> State = 0x3203b3053308a96aacfd5d3ebe154b12<br>server {<br>+- entering group authorize {...}<br>++[preprocess] returns ok<br>[auth_log] expand: (trimmed)<br>[auth_log] (trimmed)<br>[auth_log] expand: (trimmed)<br>++[auth_log] returns ok<br>++[mschap] returns noop<br>[suffix] No '@' in User-Name = "test", looking up realm NULL<br>[suffix] No such realm "NULL"<br>++[suffix] returns
noop<br>[ntdomain] Looking up realm "company" for User-Name = "test"<br>[ntdomain] Found realm "company"<br>[ntdomain] Adding Stripped-User-Name = "test"<br>[ntdomain] Adding Realm = "company"<br>[ntdomain] Authentication realm is LOCAL.<br>++[ntdomain] returns ok<br>[eap] EAP packet type response id 11 length 6<br>[eap] No EAP Start, assuming it's an on-going EAP conversation<br>++[eap] returns updated<br>[files] users: Matched entry DEFAULT at line 178<br>++[files] returns ok<br>++- entering redundant-load-balance group redundant-load-balance {...}<br>[LDAPsvr1] performing user authorization for test<br>[LDAPsvr1] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details<br>[LDAPsvr1] expand: (cn=%{Stripped-User-Name:-%{User-Name}}) -> (cn=test)<br>[LDAPsvr1] expand: t=company -> t=company<br>rlm_ldap: ldap_get_conn: Checking Id: 0<br>rlm_ldap: ldap_get_conn: Got Id: 0<br>rlm_ldap:
performing search in t=company, with filter (cn=test)<br>[LDAPsvr1] Added the eDirectory password password in check items as Cleartext-Password<br>[LDAPsvr1] No default NMAS login sequence<br>[LDAPsvr1] looking for check items in directory...<br>[LDAPsvr1] looking for reply items in directory...<br>[LDAPsvr1] user test authorized to use remote access<br>rlm_ldap: ldap_release_conn: Release Id: 0<br>+++[LDAPsvr1] returns ok<br>++- redundant-load-balance group redundant-load-balance returns ok<br>++[expiration] returns noop<br>++[logintime] returns noop<br>Found Auth-Type = EAP<br>+- entering group authenticate {...}<br>[eap] Request found, released from the list<br>[eap] EAP/mschapv2<br>[eap] processing type mschapv2<br>[eap] Freeing handler<br>++[eap] returns ok<br>+- entering group post-auth {...}<br>[reply_log] expand: (trimmed)<br>[reply_log] (trimmed)<br>[reply_log] expand:
%t User-Name = "%{User-Name}" -> Wed Jun 17 10:00:29 2009 User-Name = "test"<br>++[reply_log] returns ok<br>} # server<br>[peap] Got tunneled reply code 2<br> EAP-Message = 0x030b0004<br> Message-Authenticator = 0x00000000000000000000000000000000<br> User-Name = "test"<br>[peap] Got tunneled reply RADIUS code 2<br> EAP-Message = 0x030b0004<br> Message-Authenticator = 0x00000000000000000000000000000000<br> User-Name = "test"<br>[peap] Tunneled authentication was successful.<br>[peap] SUCCESS<br>++[eap] returns handled<br>Sending Access-Challenge of id 14 to 192.168.21.130 port 32769<br> EAP-Message =
(trimmed)<br> Message-Authenticator = 0x00000000000000000000000000000000<br> State = 0xfea96b9cf7a57286011d5bcc3cb2528f<br>Finished request 76.<br>Going to the next request<br>Cleaning up request 68 ID 6 with timestamp +1809<br>Cleaning up request 69 ID 7 with timestamp +1814<br>Cleaning up request 70 ID 8 with timestamp +1814<br>Cleaning up request 71 ID 9 with timestamp +1814<br>Cleaning up request 72 ID 10 with timestamp +1814<br>Cleaning up request 73 ID 11 with timestamp +1814<br>Waking up in 0.6 seconds.<br>rad_recv: Access-Request packet from host 192.168.21.130 port 32769, id=15, length=225<br> User-Name = "test"<br> Calling-Station-Id = "00-21-00-D9-10-DB"<br> Called-Station-Id =
"00-23-EA-7F-85-40:TFWAPR"<br> NAS-Port = 1<br> NAS-IP-Address = 192.168.21.130<br> NAS-Identifier = "AIR-WLC4404-DK-1"<br> Airespace-Wlan-Id = 2<br> Service-Type = Framed-User<br> Framed-MTU = 1300<br> NAS-Port-Type = Wireless-802.11<br> EAP-Message = (trimmed)<br> State = 0xfea96b9cf7a57286011d5bcc3cb2528f<br> Message-Authenticator = 0xa8b037f67e9531b8a502cca033121149<br>+- entering group authorize {...}<br>[preprocess] expand: %{Called-Station-Id} -> 00-23-EA-7F-85-40:TFWAPR<br>++[preprocess] returns
ok<br>[auth_log] expand: (trimmed)<br>[auth_log] (trimmed)<br>[auth_log] expand: (trimmed)<br>++[auth_log] returns ok<br>++[mschap] returns noop<br>[suffix] No '@' in User-Name = "test", looking up realm NULL<br>[suffix] No such realm "NULL"<br>++[suffix] returns noop<br>[ntdomain] Looking up realm "company" for User-Name = "test"<br>[ntdomain] Found realm "company"<br>[ntdomain] Adding Stripped-User-Name = "test"<br>[ntdomain] Adding Realm = "company"<br>[ntdomain] Authentication realm is LOCAL.<br>++[ntdomain] returns ok<br>[eap] EAP packet type response id 12 length 38<br>[eap] Continuing tunnel setup.<br>++[eap] returns ok<br>Found Auth-Type = EAP<br>+- entering group authenticate {...}<br>[eap] Request found, released from the list<br>[eap] EAP/peap<br>[eap] processing type peap<br>[peap] processing EAP-TLS<br>[peap] eaptls_verify returned 7<br>[peap] Done initial handshake<br>[peap]
eaptls_process returned 7<br>[peap] EAPTLS_OK<br>[peap] Session established. Decoding tunneled attributes.<br>[peap] Received EAP-TLV response.<br>[peap] Success<br>[eap] Freeing handler<br>++[eap] returns ok<br>+- entering group post-auth {...}<br>[reply_log] expand: (trimmed)<br>[reply_log] (trimmed)<br>[reply_log] expand: %t User-Name = "%{User-Name}" -> Wed Jun 17 10:00:33 2009 User-Name = "test"<br>++[reply_log] returns ok<br>Sending Access-Accept of id 15 to 192.168.21.130 port 32769<br> MS-MPPE-Recv-Key = (trimmed)<br> MS-MPPE-Send-Key = (trimmed)<br> EAP-Message = 0x030c0004<br> Message-Authenticator = 0x00000000000000000000000000000000<br>
User-Name = "test"<br>Finished request 77.<br>Going to the next request<br>Waking up in 0.6 seconds.<br>Cleaning up request 74 ID 12 with timestamp +1814<br>Waking up in 4.7 seconds.<br>rad_recv: Accounting-Request packet from host 192.168.21.130 port 32769, id=165, length=154<br> User-Name = "test"<br> NAS-Port = 1<br> NAS-IP-Address = 192.168.21.130<br> Framed-IP-Address = 192.168.21.65<br> NAS-Identifier = "AIR-WLC4404-DK-1"<br> Airespace-Wlan-Id = 2<br> Acct-Session-Id = "4a38a2a4/00:21:00:d9:10:db/103"<br> Acct-Authentic = RADIUS<br> Acct-Status-Type =
Start<br> Calling-Station-Id = "192.168.21.65"<br> Called-Station-Id = "192.168.21.130"<br>+- entering group preacct {...}<br>[preprocess] expand: %{Called-Station-Id} -> 192.168.21.130<br>++[preprocess] returns ok<br>[acct_unique] Hashing 'NAS-Port = 1,Client-IP-Address = 192.168.21.130,NAS-IP-Address = 192.168.21.130,Acct-Session-Id = "4a38a2a4/00:21:00:d9:10:db/103",User-Name = "test"'<br>[acct_unique] Acct-Unique-Session-ID = "241f1d6c7aaf3e38".<br>++[acct_unique] returns ok<br>[suffix] No '@' in User-Name = "test", looking up realm NULL<br>[suffix] No such realm "NULL"<br>++[suffix] returns noop<br>++[files] returns noop<br>+- entering group accounting {...}<br>[detail] expand: (trimmed)<br>[detail] (trimmed)<br>[detail] expand: (trimmed)<br>++[detail] returns
ok<br>++[unix] returns ok<br>[radutmp] expand: /usr/local/var/log/radius/radutmp -> /usr/local/var/log/radius/radutmp<br>[radutmp] expand: %{User-Name} -> test<br>++[radutmp] returns ok<br>[attr_filter.accounting_response] expand: %{User-Name} -> test<br> attr_filter: Matched entry DEFAULT at line 12<br>++[attr_filter.accounting_response] returns updated<br>Sending Accounting-Response of id 165 to 192.168.21.130 port 32769<br>Finished request 78.<br>Cleaning up request 78 ID 165 with timestamp +1831<br>Going to the next request<br>Waking up in 2.3 seconds.<br>Cleaning up request 75 ID 13 with timestamp +1819<br>Waking up in 4.5 seconds.<br>Cleaning up request 76 ID 14 with timestamp +1824<br>Cleaning up request 77 ID 15 with timestamp +1828<br>Ready to process requests.<br><br><br></div></div><br>
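The trace above shows the inner-tunnel authorize section, and with it rlm_ldap, running even on the MS-CHAPv2 Success-acknowledgement round (tunneled EAP-Message 0x020b00061a03, whose last byte is the EAP-MSCHAPv2 opcode, 3 = Success), when no credential is being presented. As an added example, not from the post or from FreeRADIUS, the Python below walks debug output of this shape, counts LDAP searches per outer Access-Request and flags rounds that queried the directory without an MS-CHAPv2 Response; the sample log is constructed (rounds 14 and 15 abridged from the post, round 13 invented) and the "only opcode 2 needs LDAP" rule is a heuristic.

```python
import re

# Constructed excerpt shaped like the FreeRADIUS 2.x debug output above: rounds 14/15
# are abridged from the post, round 13 (the MS-CHAPv2 Response round) is invented.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 192.168.21.130 port 32769, id=13, length=230
[peap] Got tunneled request
        EAP-Message = 0x020a003f1a02
rlm_ldap: performing search in t=company, with filter (cn=test)
Sending Access-Challenge of id 13 to 192.168.21.130 port 32769
rad_recv: Access-Request packet from host 192.168.21.130 port 32769, id=14, length=196
[peap] Got tunneled request
        EAP-Message = 0x020b00061a03
rlm_ldap: performing search in t=company, with filter (cn=test)
Sending Access-Challenge of id 14 to 192.168.21.130 port 32769
rad_recv: Access-Request packet from host 192.168.21.130 port 32769, id=15, length=225
Sending Access-Accept of id 15 to 192.168.21.130 port 32769
"""

def decode_eap(hexstr):
    """Split an EAP-Message dump into (code, id, type, MS-CHAPv2 opcode or None)."""
    raw = bytes.fromhex(hexstr.removeprefix("0x"))
    eap_type = raw[4] if len(raw) > 4 else None          # 0x1a = EAP-MSCHAPv2 (type 26)
    return raw[0], raw[1], eap_type, (raw[5] if eap_type == 0x1a and len(raw) > 5 else None)

def rounds_from_debug(log):
    """One dict per outer Access-Request: inner EAP message, LDAP search count, reply."""
    rounds, cur, want_inner = [], None, False
    for line in log.splitlines():
        if m := re.match(r"rad_recv: Access-Request .*\bid=(\d+)", line):
            cur = {"id": int(m.group(1)), "inner_eap": None, "ldap_searches": 0, "reply": None}
            rounds.append(cur)
            want_inner = False
        elif cur is None:
            continue                                     # startup output before any request
        elif "Got tunneled request" in line:
            want_inner = True                            # the next EAP-Message is the inner one
        elif want_inner and (m := re.match(r"\s*EAP-Message = (0x[0-9a-fA-F]+)", line)):
            cur["inner_eap"], want_inner = m.group(1), False
        elif line.startswith("rlm_ldap: performing search"):
            cur["ldap_searches"] += 1
        elif m := re.match(r"Sending (Access-\w+) of id", line):
            cur["reply"] = m.group(1)
    return rounds

def avoidable_lookups(rounds):
    """Ids of rounds that hit LDAP although the inner EAP was not an MS-CHAPv2 Response
    (opcode 2), i.e. there was no credential to verify (heuristic, not a FreeRADIUS rule)."""
    return [r["id"] for r in rounds if r["ldap_searches"]
            and (r["inner_eap"] is None or decode_eap(r["inner_eap"])[3] != 2)]
```

Run against a full `radiusd -X` capture, the list returned by `avoidable_lookups` tells you how many of the 5-6 directory round-trips per session are spent on rounds that carry no password material at all.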
</body></html>