FreeRADIUS Version 2.1.7, for host i386-redhat-linux-gnu, built on Dec 30 2009 at 13:47:58 Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /etc/raddb/radiusd.conf including configuration file /etc/raddb/proxy.conf including configuration file /etc/raddb/clients.conf including files in directory /etc/raddb/modules/ including configuration file /etc/raddb/modules/acct_unique including configuration file /etc/raddb/modules/expr including configuration file /etc/raddb/modules/sql_log including configuration file /etc/raddb/modules/detail including configuration file /etc/raddb/modules/echo including configuration file /etc/raddb/modules/pap including configuration file /etc/raddb/modules/ntlm_auth including configuration file /etc/raddb/modules/logintime including configuration file /etc/raddb/modules/chap including configuration file /etc/raddb/modules/krb5 including configuration file /etc/raddb/modules/mac2ip including configuration file /etc/raddb/modules/mschap including configuration file /etc/raddb/modules/detail.log including configuration file /etc/raddb/modules/expiration including configuration file /etc/raddb/modules/ippool including configuration file /etc/raddb/modules/mac2vlan including configuration file /etc/raddb/modules/perl including configuration file /etc/raddb/modules/ldap including configuration file /etc/raddb/modules/always including configuration file /etc/raddb/modules/smbpasswd including configuration file /etc/raddb/modules/realm including configuration file /etc/raddb/modules/sradutmp including configuration file /etc/raddb/modules/digest including configuration file /etc/raddb/modules/sqlcounter_expire_on_login including configuration file /etc/raddb/modules/etc_group including configuration file /etc/raddb/modules/attr_filter including configuration file /etc/raddb/modules/inner-eap including configuration file /etc/raddb/modules/smsotp including configuration file /etc/raddb/modules/cui including configuration file /etc/raddb/modules/counter including configuration file /etc/raddb/modules/policy including configuration file /etc/raddb/modules/unix including configuration file /etc/raddb/modules/files including configuration file /etc/raddb/modules/otp including configuration file /etc/raddb/modules/radutmp including configuration file /etc/raddb/modules/linelog including configuration file /etc/raddb/modules/checkval including configuration file /etc/raddb/modules/detail.example.com including configuration file /etc/raddb/modules/ldap_domain including configuration file /etc/raddb/modules/passwd including configuration file /etc/raddb/modules/pam including configuration file /etc/raddb/modules/attr_rewrite including configuration file /etc/raddb/modules/preprocess including configuration file /etc/raddb/modules/exec including configuration file /etc/raddb/modules/wimax including configuration file /etc/raddb/eap.conf including configuration file /etc/raddb/policy.conf including files in directory /etc/raddb/sites-enabled/ including configuration file /etc/raddb/sites-enabled/inner-tunnel including configuration file /etc/raddb/sites-enabled/control-socket including configuration file /etc/raddb/sites-enabled/default group = radiusd user = radiusd including dictionary file /etc/raddb/dictionary main { prefix = "/usr" localstatedir = "/var" logdir = "/var/log/radius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 512000 allow_core_dumps = no pidfile = "/var/run/radiusd/radiusd.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = yes auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } realm LOCAL { } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "ZeroOne,ZeroOne" nastype = "other" } client cumulus.domain.ca { require_message_authenticator = no secret = "ZeroOne,ZeroOne" shortname = "LOCAL/LOCALTEST" } client ldap1.domain.ca { require_message_authenticator = no secret = "ZeroOne,ZeroOne" shortname = "LOCAL/LOCALTEST" } client ldap2.domain.ca { require_message_authenticator = no secret = "ZeroOne,ZeroOne" shortname = "LOCAL/LOCALTEST" } client rorschach.domain.ca { require_message_authenticator = no secret = "rorschach+cumulus" shortname = "rorschach" } client e1-viper-private.domain.ca { require_message_authenticator = no secret = "Un1x_Rawks!" shortname = "NEG/VPN" } client ac-03-6-lb813.net.domain.ca { require_message_authenticator = no secret = "4xMy+Sharona" shortname = "ac-03-6-lb813" } client 10.103.0.116 { require_message_authenticator = no secret = "cisco-test" shortname = "test-03-00-lb827" } client specto.domain.ca { require_message_authenticator = no secret = "cisco-test" shortname = "wireless-wlse" } client batman.net.domain.ca { require_message_authenticator = no secret = "cisco-test" shortname = "wireless-mesh-batman" } client robin.net.domain.ca { require_message_authenticator = no secret = "cisco-test" shortname = "wireless-mesh-robin" } client firestorm.net.domain.ca { require_message_authenticator = no secret = "cisco-test" shortname = "wireless-lwapp-firestorm" } client sandman.net.domain.ca { require_message_authenticator = no secret = "cisco-test" shortname = "wireless-lwapp-sandman" } client flash.net.domain.ca { require_message_authenticator = no secret = "cisco-test" shortname = "wireless-lwapp-flash" } client question.net.domain.ca { require_message_authenticator = no secret = "cisco-test" shortname = "wireless-lwapp-question" } client red-tornado2.net.domain.ca { require_message_authenticator = no secret = "cisco-test" shortname = "wireless-mesh-red-tornado2" } client vixen.net.domain.ca { require_message_authenticator = no secret = "cisco-test" shortname = "wireless-lwapp-vixen" } client zatanna.net.domain.ca { require_message_authenticator = no secret = "cisco-test" shortname = "wireless-lwapp-zatanna" } client 10.69.103.28 { require_message_authenticator = no secret = "cisco-test" shortname = "lb820testing" } client 10.69.198.43 { require_message_authenticator = no secret = "cisco-test" shortname = "wireless-lwapp-bench-wlc" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating exec exec { wait = no input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating expr Module: Linked to module rlm_expiration Module: Instantiating expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server inner-tunnel { modules { Module: Checking authenticate {...} for more modules to load Module: Instantiating ntlm_auth exec ntlm_auth { wait = yes program = "/usr/bin/ntlm_auth --request-nt-key --domain=domain --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_pap Module: Instantiating pap pap { encryption_scheme = "auto" auto_header = yes } Module: Linked to module rlm_chap Module: Instantiating chap Module: Linked to module rlm_mschap Module: Instantiating mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no } Module: Linked to module rlm_eap Module: Instantiating eap eap { default_eap_type = "ttls" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 2048 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 pem_file_type = yes private_key_file = "/etc/raddb/certs/cumulus_private.pem" certificate_file = "/etc/raddb/certs/cumulus.pem" CA_file = "/etc/raddb/certs/CA/cacert.pem" private_key_password = "whatever" dh_file = "/etc/raddb/certs/dh" random_file = "/etc/raddb/certs/rand.dat" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" cache { enable = no lifetime = 24 max_entries = 255 } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_realm Module: Instantiating suffix realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating files files { usersfile = "/etc/raddb/users" acctusersfile = "/etc/raddb/acct_users" preproxy_usersfile = "/etc/raddb/preproxy_users" compat = "no" } Module: Linked to module rlm_ldap Module: Instantiating ldap_vpn ldap ldap_vpn { server = "ldap1.domain.ca ldap2.domain.ca" port = 389 password = "w1re'le5s" identity = "cn=iits_neg,ou=AdminRoles,dc=domain,dc=ca" net_timeout = 1 timeout = 4 timelimit = 3 tls_mode = no start_tls = no tls_require_cert = "allow" tls { start_tls = no require_cert = "allow" } basedn = "ou=people,dc=domain,dc=ca" filter = "(&(cn=%{%{Stripped-User-Name}:-%{User-Name}})(objectClass=domainPerson)(|(memberOf=cn=role_active_emp,ou=portal_role,ou=Groups,dc=domain,dc=ca)(memberOf=cn=role_ce_student_reg,ou=portal_role,ou=Groups,dc=domain,dc=ca)(memberOf=cn=role_conted_instructor,ou=portal_role,ou=Groups,dc=domain,dc=ca)(memberOf=cn=role_faculty,ou=portal_role,ou=Groups,dc=domain,dc=ca)(memberOf=cn=role_on_leave_emp,ou=portal_role,ou=Groups,dc=domain,dc=ca)(memberOf=cn=role_retired_emp,ou=portal_role,ou=Groups,dc=domain,dc=ca)(memberOf=cn=role_sis_student_reg,ou=portal_role,ou=Groups,dc=domain,dc=ca)(memberOf=cn=role_vpn_user,ou=portal_role,ou=Groups,dc=domain,dc=ca)))" base_filter = "(objectclass=domainPerson)" password_attribute = "userPassword" auto_header = no access_attr_used_for_allow = yes groupname_attribute = "cn" groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" dictionary_mapping = "/etc/raddb/ldap.attrmap" ldap_debug = 0 ldap_connections_number = 5 compare_check_items = no do_xlat = yes set_auth_type = yes } rlm_ldap: Registering ldap_groupcmp for Ldap-Group rlm_ldap: Creating new attribute ldap_vpn-Ldap-Group rlm_ldap: Registering ldap_groupcmp for ldap_vpn-Ldap-Group rlm_ldap: Registering ldap_xlat with xlat_name ldap_vpn rlm_ldap: Over-riding set_auth_type, as there is no module ldap_vpn listed in the "authenticate" section. rlm_ldap: reading ldap<->radius mappings from file /etc/raddb/ldap.attrmap rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network rlm_ldap: LDAP radiusClass mapped to RADIUS Class rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id conns: 0x9adb3d0 Module: Instantiating ldap_wireless ldap ldap_wireless { server = "ldap1.domain.ca ldap2.domain.ca" port = 389 password = "w1re'le5s" identity = "cn=iits_neg,ou=AdminRoles,dc=domain,dc=ca" net_timeout = 2 timeout = 8 timelimit = 4 tls_mode = no start_tls = no tls_require_cert = "allow" tls { start_tls = no require_cert = "allow" } basedn = "ou=people,dc=domain,dc=ca" filter = "(&(cn=%{%{Stripped-User-Name}:-%{User-Name}})(objectClass=domainPerson)(|(memberOf=cn=role_active_emp,ou=portal_role,ou=Groups,dc=domain,dc=ca)(memberOf=cn=role_ce_student_reg,ou=portal_role,ou=Groups,dc=domain,dc=ca)(memberOf=cn=role_conted_instructor,ou=portal_role,ou=Groups,dc=domain,dc=ca)(memberOf=cn=role_faculty,ou=portal_role,ou=Groups,dc=domain,dc=ca)(memberOf=cn=role_on_leave_emp,ou=portal_role,ou=Groups,dc=domain,dc=ca)(memberOf=cn=role_retired_emp,ou=portal_role,ou=Groups,dc=domain,dc=ca)(memberOf=cn=role_service_wireless,ou=portal_role,ou=Groups,dc=domain,dc=ca)(memberOf=cn=role_sis_student_reg,ou=portal_role,ou=Groups,dc=domain,dc=ca)))" base_filter = "(objectclass=domainPerson)" password_attribute = "userPassword" auto_header = no access_attr_used_for_allow = yes groupname_attribute = "cn" groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" dictionary_mapping = "/etc/raddb/ldap.attrmap" ldap_debug = 0 ldap_connections_number = 8 compare_check_items = no do_xlat = yes set_auth_type = yes } rlm_ldap: Registering ldap_groupcmp for Ldap-Group rlm_ldap: Creating new attribute ldap_wireless-Ldap-Group rlm_ldap: Registering ldap_groupcmp for ldap_wireless-Ldap-Group rlm_ldap: Registering ldap_xlat with xlat_name ldap_wireless rlm_ldap: Over-riding set_auth_type, as there is no module ldap_wireless listed in the "authenticate" section. rlm_ldap: reading ldap<->radius mappings from file /etc/raddb/ldap.attrmap rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network rlm_ldap: LDAP radiusClass mapped to RADIUS Class rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id conns: 0x9adc038 Module: Checking session {...} for more modules to load Module: Linked to module rlm_radutmp Module: Instantiating radutmp radutmp { filename = "/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Linked to module rlm_attr_filter Module: Instantiating attr_filter.access_reject attr_filter attr_filter.access_reject { attrsfile = "/etc/raddb/attrs.access_reject" key = "%{User-Name}" } } # modules } # server server { modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating preprocess preprocess { huntgroups = "/etc/raddb/huntgroups" hints = "/etc/raddb/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = yes with_alvarion_vsa_hack = no } Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating detail detail { detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Instantiating attr_filter.accounting_response attr_filter attr_filter.accounting_response { attrsfile = "/etc/raddb/attrs.accounting_response" key = "%{User-Name}" } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } listen { type = "control" listen { socket = "/var/run/radiusd/radiusd.sock" } } Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on command file /var/run/radiusd/radiusd.sock Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 10.69.198.43 port 32770, id=140, length=185 User-Name = "username" Calling-Station-Id = "00-00-00-00-00-00" Called-Station-Id = "01-01-01-01-01-01:domainPEAP" NAS-Port = 5 NAS-IP-Address = 10.69.198.43 NAS-Identifier = "bench-wlc" Airespace-Wlan-Id = 10 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "268" EAP-Message = 0x0201000d016e6d636461766974 Message-Authenticator = 0xddd65c1939bfcf746e85eb96e9ae3805 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "username", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 1 length 13 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++? if (NAS-IP-Address == 127.0.0.1) ? Evaluating (NAS-IP-Address == 127.0.0.1) -> FALSE ++? if (NAS-IP-Address == 127.0.0.1) -> FALSE ++? elsif (NAS-IP-Address == 10.69.10.52) ? Evaluating (NAS-IP-Address == 10.69.10.52) -> FALSE ++? elsif (NAS-IP-Address == 10.69.10.52) -> FALSE ++? elsif (NAS-IP-Address == 10.69.198.43) ? Evaluating (NAS-IP-Address == 10.69.198.43) -> TRUE ++? elsif (NAS-IP-Address == 10.69.198.43) -> TRUE ++- entering elsif (NAS-IP-Address == 10.69.198.43) {...} [ldap_wireless] performing user authorization for username [ldap_wireless] expand: %{Stripped-User-Name} -> [ldap_wireless] expand: %{User-Name} -> username [ldap_wireless] expand: (&(cn=%{%{Stripped-User-Name}:-%{User-Name}})(objectClass=domainPerson)(|(memberOf=cn=role_active_emp,ou=portal_role,ou=Groups,dc=domain,dc=ca)(memberOf=cn=role_ce_student_reg,ou=portal_role,ou=Groups,dc=domain,dc=ca)(memberOf=cn=role_conted_instructor,ou=portal_role,ou=Groups,dc=domain,dc=ca)(memberOf=cn=role_faculty,ou=portal_role,ou=Groups,dc=domain,dc=ca)(memberOf=cn=role_on_leave_emp,ou=portal_role,ou=Groups,dc=domain,dc=ca)(memberOf=cn=role_retired_emp,ou=portal_role,ou=Groups,dc=domain,dc=ca)(memberOf=cn=role_service_wireless,ou=portal_role,ou=Groups,dc=domain,dc=ca)(memberOf=cn=role_sis_student_reg,ou=portal_role,ou=Groups,dc=domain,dc=ca))) -> (&(cn=username)(objectClass=domainPerson)(|(memberOf=cn=role_active_emp,ou=portal_role,ou=Groups,dc=domain,dc=ca)(memberOf=cn=role_ce_student_reg,ou=portal_role,ou=Groups,dc=domain,dc=ca)(memberOf=cn=role_conted_instructor,ou=portal_role,ou=Groups,dc=domain,dc=ca)(memberOf=cn=role_faculty,ou=porta [ldap_wireless] expand: ou=people,dc=domain,dc=ca -> ou=people,dc=domain,dc=ca rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to ldap1.domain.ca ldap2.domain.ca:389, authentication 0 rlm_ldap: bind as cn=iits_neg,ou=AdminRoles,dc=domain,dc=ca/w1re'le5s to ldap1.domain.ca ldap2.domain.ca:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in ou=people,dc=domain,dc=ca, with filter (&(cn=username)(objectClass=domainPerson)(|(memberOf=cn=role_active_emp,ou=portal_role,ou=Groups,dc=domain,dc=ca)(memberOf=cn=role_ce_student_reg,ou=portal_role,ou=Groups,dc=domain,dc=ca)(memberOf=cn=role_conted_instructor,ou=portal_role,ou=Groups,dc=domain,dc=ca)(memberOf=cn=role_faculty,ou=portal_role,ou=Groups,dc=domain,dc=ca)(memberOf=cn=role_on_leave_emp,ou=portal_role,ou=Groups,dc=domain,dc=ca)(memberOf=cn=role_retired_emp,ou=portal_role,ou=Groups,dc=domain,dc=ca)(memberOf=cn=role_service_wireless,ou=portal_role,ou=Groups,dc=domain,dc=ca)(memberOf=cn=role_sis_student_reg,ou=portal_role,ou=Groups,dc=domain,dc=ca))) [ldap_wireless] Added User-Password = {SSHA}JN3SzzGrXIEjYBy6E7rnx/feETIlJFV5Kkt0cg== in check items [ldap_wireless] looking for check items in directory... [ldap_wireless] looking for reply items in directory... [ldap_wireless] user username authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 +++[ldap_wireless] returns ok ++- elsif (NAS-IP-Address == 10.69.198.43) returns ok ++ ... skipping elsif for request 0: Preceding "if" was taken ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 140 to 10.69.198.43 port 32770 EAP-Message = 0x010200061520 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x84c1c06384c3d56bf4c68065e434d068 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.69.198.43 port 32770, id=141, length=196 User-Name = "username" Calling-Station-Id = "00-00-00-00-00-00" Called-Station-Id = "01-01-01-01-01-01:domainPEAP" NAS-Port = 5 NAS-IP-Address = 10.69.198.43 NAS-Identifier = "bench-wlc" Airespace-Wlan-Id = 10 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "268" EAP-Message = 0x020200060319 State = 0x84c1c06384c3d56bf4c68065e434d068 Message-Authenticator = 0x4f4a5d129b2745ae8319e2ed9f50258a +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "username", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 2 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++? if (NAS-IP-Address == 127.0.0.1) ? Evaluating (NAS-IP-Address == 127.0.0.1) -> FALSE ++? if (NAS-IP-Address == 127.0.0.1) -> FALSE ++? elsif (NAS-IP-Address == 10.69.10.52) ? Evaluating (NAS-IP-Address == 10.69.10.52) -> FALSE ++? elsif (NAS-IP-Address == 10.69.10.52) -> FALSE ++? elsif (NAS-IP-Address == 10.69.198.43) ? Evaluating (NAS-IP-Address == 10.69.198.43) -> TRUE ++? elsif (NAS-IP-Address == 10.69.198.43) -> TRUE ++- entering elsif (NAS-IP-Address == 10.69.198.43) {...} [ldap_wireless] performing user authorization for username [ldap_wireless] expand: %{Stripped-User-Name} -> [ldap_wireless] expand: %{User-Name} -> username [ldap_wireless] expand: (&(cn=%{%{Stripped-User-Name}:-%{User-Name}})(objectClass=domainPerson)(|(memberOf=cn=role_active_emp,ou=portal_role,ou=Groups,dc=domain,dc=ca)(memberOf=cn=role_ce_student_reg,ou=portal_role,ou=Groups,dc=domain,dc=ca)(memberOf=cn=role_conted_instructor,ou=portal_role,ou=Groups,dc=domain,dc=ca)(memberOf=cn=role_faculty,ou=portal_role,ou=Groups,dc=domain,dc=ca)(memberOf=cn=role_on_leave_emp,ou=portal_role,ou=Groups,dc=domain,dc=ca)(memberOf=cn=role_retired_emp,ou=portal_role,ou=Groups,dc=domain,dc=ca)(memberOf=cn=role_service_wireless,ou=portal_role,ou=Groups,dc=domain,dc=ca)(memberOf=cn=role_sis_student_reg,ou=portal_role,ou=Groups,dc=domain,dc=ca))) -> (&(cn=username)(objectClass=domainPerson)(|(memberOf=cn=role_active_emp,ou=portal_role,ou=Groups,dc=domain,dc=ca)(memberOf=cn=role_ce_student_reg,ou=portal_role,ou=Groups,dc=domain,dc=ca)(memberOf=cn=role_conted_instructor,ou=portal_role,ou=Groups,dc=domain,dc=ca)(memberOf=cn=role_faculty,ou=porta [ldap_wireless] expand: ou=people,dc=domain,dc=ca -> ou=people,dc=domain,dc=ca rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=people,dc=domain,dc=ca, with filter (&(cn=username)(objectClass=domainPerson)(|(memberOf=cn=role_active_emp,ou=portal_role,ou=Groups,dc=domain,dc=ca)(memberOf=cn=role_ce_student_reg,ou=portal_role,ou=Groups,dc=domain,dc=ca)(memberOf=cn=role_conted_instructor,ou=portal_role,ou=Groups,dc=domain,dc=ca)(memberOf=cn=role_faculty,ou=portal_role,ou=Groups,dc=domain,dc=ca)(memberOf=cn=role_on_leave_emp,ou=portal_role,ou=Groups,dc=domain,dc=ca)(memberOf=cn=role_retired_emp,ou=portal_role,ou=Groups,dc=domain,dc=ca)(memberOf=cn=role_service_wireless,ou=portal_role,ou=Groups,dc=domain,dc=ca)(memberOf=cn=role_sis_student_reg,ou=portal_role,ou=Groups,dc=domain,dc=ca))) [ldap_wireless] Added User-Password = {SSHA}JN3SzzGrXIEjYBy6E7rnx/feETIlJFV5Kkt0cg== in check items [ldap_wireless] looking for check items in directory... [ldap_wireless] looking for reply items in directory... [ldap_wireless] user username authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 +++[ldap_wireless] returns ok ++- elsif (NAS-IP-Address == 10.69.198.43) returns ok ++ ... skipping elsif for request 1: Preceding "if" was taken ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP NAK [eap] EAP-NAK asked for EAP-Type/peap [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 141 to 10.69.198.43 port 32770 EAP-Message = 0x010300061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x84c1c06385c2d96bf4c68065e434d068 Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.69.198.43 port 32770, id=142, length=354 User-Name = "username" Calling-Station-Id = "00-00-00-00-00-00" Called-Station-Id = "01-01-01-01-01-01:domainPEAP" NAS-Port = 5 NAS-IP-Address = 10.69.198.43 NAS-Identifier = "bench-wlc" Airespace-Wlan-Id = 10 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "268" EAP-Message = 0x020300a419800000009a16030100950100009103014bc5c3ad82fc79614fd55252eca56351127e7644ee8c0aace4b64e0249e1f4d6000056c00ac009c007c008c013c014c011c012c004c005c002c003c00ec00fc00cc00d002f000500040035000a000900030008000600320033003800390016001500140013001200110034003a0018001b001a00170019000101000012000a00080006001700180019000b00020100 State = 0x84c1c06385c2d96bf4c68065e434d068 Message-Authenticator = 0x9c52e3033791a70c2e70cbcf9ac01b6c +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "username", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 3 length 164 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 154 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 0095], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 002a], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 0953], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 142 to 10.69.198.43 port 32770 EAP-Message = 0x0104040019c000000990160301002a0200002603014bc5c3ade2068f240d0edaab52ac06c977c75fcdd8ddf869192855b882db9c5100002f0016030109530b00094f00094c0004ca308204c63082042fa00302010202015a300d06092a864886f70d01010405003081c2310b3009060355040613024341310f300d060355040813065175656265633111300f060355040713084d6f6e747265616c311d301b060355040a1314436f6e636f7264696120556e6976657273697479310d300b060355040b130449495453313830360603550403132f436f6e636f726469612049495453205353472043657274696669636174696f6e20417574686f726974 EAP-Message = 0x7920323030393127302506092a864886f70d0109011618696974732d7373672d636140636f6e636f726469612e6361301e170d3130303430363135303534365a170d3135303430353135303534365a30819a310b3009060355040613024341310f300d06035504081306517565626563311d301b060355040a1314436f6e636f7264696120556e6976657273697479310d300b060355040b130449495453311d301b0603550403131463756d756c75732e636f6e636f726469612e6361312d302b06092a864886f70d010901161e7765626d61737465724063756d756c75732e636f6e636f726469612e636130819f300d06092a864886f70d01010105 EAP-Message = 0x0003818d0030818902818100cdd3d31de3d9e73e73686e1b7ecdc09661d7a140600c498a68fb834cb2cf979b6e7aae9148570ec4c0a3336f1285858d5ba8f770129f27264791e0f859a0923da749da38fc8c3f5a7f4d502013f926829ba538e1c953c0a6d606d5aa65d2f925ae0f48a4ddba5f46611660eafb0e2a9b0739deb4ff5a88e9f0b2929482c708310203010001a38201f0308201ec30090603551d1304023000300b0603551d0f0404030205e0303906096086480186f842010d042c162a436f6e636f7264696120556e69766572736974792047656e657261746564204365727469666963617465301d0603551d0e04160414cfdca02f9b17 EAP-Message = 0xed819f8284483513143782e0c9c03081ef0603551d230481e73081e48014129d1fb3d33fab2e2aaaaaef6fd554fa0c15b778a181c8a481c53081c2310b3009060355040613024341310f300d060355040813065175656265633111300f060355040713084d6f6e747265616c311d301b060355040a1314436f6e636f7264696120556e6976657273697479310d300b060355040b130449495453313830360603550403132f436f6e636f726469612049495453205353472043657274696669636174696f6e20417574686f7269747920323030393127302506092a864886f70d0109011618696974732d7373672d636140636f6e636f726469612e6361 EAP-Message = 0x82010030290603551d110422 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x84c1c06386c5d96bf4c68065e434d068 Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.69.198.43 port 32770, id=143, length=196 User-Name = "username" Calling-Station-Id = "00-00-00-00-00-00" Called-Station-Id = "01-01-01-01-01-01:domainPEAP" NAS-Port = 5 NAS-IP-Address = 10.69.198.43 NAS-Identifier = "bench-wlc" Airespace-Wlan-Id = 10 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "268" EAP-Message = 0x020400061900 State = 0x84c1c06386c5d96bf4c68065e434d068 Message-Authenticator = 0x075a2826ca8dd09a845cbd5c18459be8 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "username", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 4 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 143 to 10.69.198.43 port 32770 EAP-Message = 0x010503fc19403020811e7765626d61737465724063756d756c75732e636f6e636f726469612e636130230603551d12041c301a8118696974732d7373672d636140636f6e636f726469612e6361303606096086480186f842010404291627687474703a2f2f636c7964652e636f6e636f726469612e63612f43412f63612d63726c2e70656d300d06092a864886f70d010104050003818100756be17ac2ed022af319d8760ca4c702f1fbd5e79d4b5809833faebe196bbee8829db8c5802e1453f0750669d793c12c098c2997766bdf232ac844576c129316161324dcdca67b61700c9b938b9aeb98de7ec88ae1778a640616657e521d4bae667b752c52 EAP-Message = 0xbdef6486f91770807dbb98a33e499dd026c6e3f51aff7b8de6b82c00047c30820478308203e1a003020102020100300d06092a864886f70d01010405003081c2310b3009060355040613024341310f300d060355040813065175656265633111300f060355040713084d6f6e747265616c311d301b060355040a1314436f6e636f7264696120556e6976657273697479310d300b060355040b130449495453313830360603550403132f436f6e636f726469612049495453205353472043657274696669636174696f6e20417574686f7269747920323030393127302506092a864886f70d0109011618696974732d7373672d636140636f6e636f7264 EAP-Message = 0x69612e6361301e170d3039303931353034303430315a170d3239303931303034303430315a3081c2310b3009060355040613024341310f300d060355040813065175656265633111300f060355040713084d6f6e747265616c311d301b060355040a1314436f6e636f7264696120556e6976657273697479310d300b060355040b130449495453313830360603550403132f436f6e636f726469612049495453205353472043657274696669636174696f6e20417574686f7269747920323030393127302506092a864886f70d0109011618696974732d7373672d636140636f6e636f726469612e636130819f300d06092a864886f70d010101050003 EAP-Message = 0x818d0030818902818100a63a7fa1253df5444841a6e767baffc8bbf61d98478f1bf48a7239ab8f4eedbec458999fcad8db820640352f7ced2852a55e0bd2d0c43596e46e5c280a76f0ae1d02fb2bdcd1884760399eb26553ea27b9a98ca257beb0798ebe3c6fe703ab02291a2e7a51f81dfad16ee00b32d61d717d6ba56a8b8fc2db5920799246583e230203010001a382017a30820176301d0603551d0e04160414129d1fb3d33fab2e2aaaaaef6fd554fa0c15b7783081ef0603551d230481e73081e48014129d1fb3d33fab2e2aaaaaef6fd554fa0c15b778a181c8a481c53081c2310b3009060355040613024341310f300d060355040813065175 EAP-Message = 0x656265633111300f Message-Authenticator = 0x00000000000000000000000000000000 State = 0x84c1c06387c4d96bf4c68065e434d068 Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.69.198.43 port 32770, id=144, length=196 User-Name = "username" Calling-Station-Id = "00-00-00-00-00-00" Called-Station-Id = "01-01-01-01-01-01:domainPEAP" NAS-Port = 5 NAS-IP-Address = 10.69.198.43 NAS-Identifier = "bench-wlc" Airespace-Wlan-Id = 10 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "268" EAP-Message = 0x020500061900 State = 0x84c1c06387c4d96bf4c68065e434d068 Message-Authenticator = 0x0c4138c1ae2c1921dd48e3d9c6ef44df +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "username", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 5 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 144 to 10.69.198.43 port 32770 EAP-Message = 0x010601aa1900060355040713084d6f6e747265616c311d301b060355040a1314436f6e636f7264696120556e6976657273697479310d300b060355040b130449495453313830360603550403132f436f6e636f726469612049495453205353472043657274696669636174696f6e20417574686f7269747920323030393127302506092a864886f70d0109011618696974732d7373672d636140636f6e636f726469612e6361820100300c0603551d13040530030101ff300b0603551d0f04040302010630230603551d11041c301a8118696974732d7373672d636140636f6e636f726469612e636130230603551d12041c301a8118696974732d7373 EAP-Message = 0x672d636140636f6e636f726469612e6361300d06092a864886f70d01010405000381810039c974cdca19ba03a1b655f8e8e2537bbe9705d203857fabd1bdbba659c4910e2c599a0d5e8f150da0a490def4e919e86fa73e1ac022587127617016c3f0fc0c908373fe16ffb2ea5b86ec2f11783f1665abfd6c824f022a01f23c9e3b67c72698eb18405f904d30ca02837b04d15ae63c57397bc0f23fadcb126c39cc0a088816030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x84c1c06380c7d96bf4c68065e434d068 Finished request 4. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.69.198.43 port 32770, id=145, length=398 User-Name = "username" Calling-Station-Id = "00-00-00-00-00-00" Called-Station-Id = "01-01-01-01-01-01:domainPEAP" NAS-Port = 5 NAS-IP-Address = 10.69.198.43 NAS-Identifier = "bench-wlc" Airespace-Wlan-Id = 10 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "268" EAP-Message = 0x020600d01980000000c6160301008610000082008067d3b1812ace3a7c58c25ceebd7e2e22f2a9dad9406558f95cf8cd68bb46e943029faa2f9863365381a9bc7c3c31761f864733bd23905d6eddc36f7ca84c1016246740fe19ea23d9d7a42eef1d0ebe2298eaf888784a9b8f1cd9e55fe7f7ecedfa1471aa45fe28757ea8a7a8aba21ae4b59549c2c93f58f75b1a87467ff2a6621403010001011603010030c723798053986df29e24d068063feff80522eea0c38f747ebc6090147973b71fb50ec443b600d4a9f42889cb6ff12e2f State = 0x84c1c06380c7d96bf4c68065e434d068 Message-Authenticator = 0xe08bcfd3f84059d4b5a36d1f6aa10b70 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "username", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 6 length 208 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 198 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 145 to 10.69.198.43 port 32770 EAP-Message = 0x0107004119001403010001011603010030c1a995dad255ead7ba0dd5253719124fd1a0e63b0265ec2fb6bafa36c6c944b9addfe3ba455437a81029473344158b8b Message-Authenticator = 0x00000000000000000000000000000000 State = 0x84c1c06381c6d96bf4c68065e434d068 Finished request 5. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.69.198.43 port 32770, id=146, length=196 User-Name = "username" Calling-Station-Id = "00-00-00-00-00-00" Called-Station-Id = "01-01-01-01-01-01:domainPEAP" NAS-Port = 5 NAS-IP-Address = 10.69.198.43 NAS-Identifier = "bench-wlc" Airespace-Wlan-Id = 10 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "268" EAP-Message = 0x020700061900 State = 0x84c1c06381c6d96bf4c68065e434d068 Message-Authenticator = 0xc7f6972ca983e15d96cba22a8ee56a7c +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "username", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 7 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS ++[eap] returns handled Sending Access-Challenge of id 146 to 10.69.198.43 port 32770 EAP-Message = 0x0108002b1900170301002088b149f9c21f1da946aa2e725de5b79837ea0695fd1114f76f76114073590406 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x84c1c06382c9d96bf4c68065e434d068 Finished request 6. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 10.69.198.43 port 32770, id=147, length=233 User-Name = "username" Calling-Station-Id = "00-00-00-00-00-00" Called-Station-Id = "01-01-01-01-01-01:domainPEAP" NAS-Port = 5 NAS-IP-Address = 10.69.198.43 NAS-Identifier = "bench-wlc" Airespace-Wlan-Id = 10 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "268" EAP-Message = 0x0208002b19001703010020358242154fc3f955188861034667c7e9d1b86351d5e43dcc541f9882c84ebe83 State = 0x84c1c06382c9d96bf4c68065e434d068 Message-Authenticator = 0x5973346d2679e80396d7870eb4e8a04c +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "username", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 8 length 43 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Identity - username [peap] Got tunneled request EAP-Message = 0x0208000d016e6d636461766974 server { PEAP: Got tunneled identity of username PEAP: Setting default EAP type for tunneled EAP session. PEAP: Setting User-Name to username Sending tunneled request EAP-Message = 0x0208000d016e6d636461766974 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "username" server inner-tunnel { +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "username", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 8 length 13 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++? if (outer.NAS-IP-Address == 127.0.0.1) ? Evaluating (outer.NAS-IP-Address == 127.0.0.1) -> FALSE ++? if (outer.NAS-IP-Address == 127.0.0.1) -> FALSE ++? elsif (outer.NAS-IP-Address == 10.69.5.6) ? Evaluating (outer.NAS-IP-Address == 10.69.5.6) -> FALSE ++? elsif (outer.NAS-IP-Address == 10.69.5.6) -> FALSE ++? elsif (outer.NAS-IP-Address == 10.69.3.6) ? Evaluating (outer.NAS-IP-Address == 10.69.3.6) -> FALSE ++? elsif (outer.NAS-IP-Address == 10.69.3.6) -> FALSE ++? elsif (outer.NAS-IP-Address == 10.69.2.2) ? Evaluating (outer.NAS-IP-Address == 10.69.2.2) -> FALSE ++? elsif (outer.NAS-IP-Address == 10.69.2.2) -> FALSE ++? elsif (outer.NAS-IP-Address == 10.69.2.4) ? Evaluating (outer.NAS-IP-Address == 10.69.2.4) -> FALSE ++? elsif (outer.NAS-IP-Address == 10.69.2.4) -> FALSE ++? elsif (outer.NAS-IP-Address == 10.69.3.2) ? Evaluating (outer.NAS-IP-Address == 10.69.3.2) -> FALSE ++? elsif (outer.NAS-IP-Address == 10.69.3.2) -> FALSE ++? elsif (outer.NAS-IP-Address == 10.69.3.4) ? Evaluating (outer.NAS-IP-Address == 10.69.3.4) -> FALSE ++? elsif (outer.NAS-IP-Address == 10.69.3.4) -> FALSE ++? elsif (outer.NAS-IP-Address == 10.69.198.43) ? Evaluating (outer.NAS-IP-Address == 10.69.198.43) -> TRUE ++? elsif (outer.NAS-IP-Address == 10.69.198.43) -> TRUE ++- entering elsif (outer.NAS-IP-Address == 10.69.198.43) {...} [ldap_wireless] performing user authorization for username [ldap_wireless] expand: %{Stripped-User-Name} -> [ldap_wireless] expand: %{User-Name} -> username [ldap_wireless] expand: (&(cn=%{%{Stripped-User-Name}:-%{User-Name}})(objectClass=domainPerson)(|(memberOf=cn=role_active_emp,ou=portal_role,ou=Groups,dc=domain,dc=ca)(memberOf=cn=role_ce_student_reg,ou=portal_role,ou=Groups,dc=domain,dc=ca)(memberOf=cn=role_conted_instructor,ou=portal_role,ou=Groups,dc=domain,dc=ca)(memberOf=cn=role_faculty,ou=portal_role,ou=Groups,dc=domain,dc=ca)(memberOf=cn=role_on_leave_emp,ou=portal_role,ou=Groups,dc=domain,dc=ca)(memberOf=cn=role_retired_emp,ou=portal_role,ou=Groups,dc=domain,dc=ca)(memberOf=cn=role_service_wireless,ou=portal_role,ou=Groups,dc=domain,dc=ca)(memberOf=cn=role_sis_student_reg,ou=portal_role,ou=Groups,dc=domain,dc=ca))) -> (&(cn=username)(objectClass=domainPerson)(|(memberOf=cn=role_active_emp,ou=portal_role,ou=Groups,dc=domain,dc=ca)(memberOf=cn=role_ce_student_reg,ou=portal_role,ou=Groups,dc=domain,dc=ca)(memberOf=cn=role_conted_instructor,ou=portal_role,ou=Groups,dc=domain,dc=ca)(memberOf=cn=role_faculty,ou=porta [ldap_wireless] expand: ou=people,dc=domain,dc=ca -> ou=people,dc=domain,dc=ca rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=people,dc=domain,dc=ca, with filter (&(cn=username)(objectClass=domainPerson)(|(memberOf=cn=role_active_emp,ou=portal_role,ou=Groups,dc=domain,dc=ca)(memberOf=cn=role_ce_student_reg,ou=portal_role,ou=Groups,dc=domain,dc=ca)(memberOf=cn=role_conted_instructor,ou=portal_role,ou=Groups,dc=domain,dc=ca)(memberOf=cn=role_faculty,ou=portal_role,ou=Groups,dc=domain,dc=ca)(memberOf=cn=role_on_leave_emp,ou=portal_role,ou=Groups,dc=domain,dc=ca)(memberOf=cn=role_retired_emp,ou=portal_role,ou=Groups,dc=domain,dc=ca)(memberOf=cn=role_service_wireless,ou=portal_role,ou=Groups,dc=domain,dc=ca)(memberOf=cn=role_sis_student_reg,ou=portal_role,ou=Groups,dc=domain,dc=ca))) [ldap_wireless] Added User-Password = {SSHA}JN3SzzGrXIEjYBy6E7rnx/feETIlJFV5Kkt0cg== in check items [ldap_wireless] looking for check items in directory... [ldap_wireless] looking for reply items in directory... [ldap_wireless] user username authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 +++[ldap_wireless] returns ok ++- elsif (outer.NAS-IP-Address == 10.69.198.43) returns ok ++ ... skipping elsif for request 7: Preceding "if" was taken ++ ... skipping elsif for request 7: Preceding "if" was taken ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x010900221a0109001d101b125541ca67bee9205ef46999d35d226e6d636461766974 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x046fcd910466d775a7642ff9e01164b0 [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x010900221a0109001d101b125541ca67bee9205ef46999d35d226e6d636461766974 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x046fcd910466d775a7642ff9e01164b0 [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 147 to 10.69.198.43 port 32770 EAP-Message = 0x0109004b19001703010040b7b3133c8d7fe778f9c32bc39e855210c3bad00a7c9f7b278513935d57bd468b1026c9c61333140f2d20f753de92814d57d7339ade15c3740013cf4eaa89b74c Message-Authenticator = 0x00000000000000000000000000000000 State = 0x84c1c06383c8d96bf4c68065e434d068 Finished request 7. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 10.69.198.43 port 32770, id=148, length=297 User-Name = "username" Calling-Station-Id = "00-00-00-00-00-00" Called-Station-Id = "01-01-01-01-01-01:domainPEAP" NAS-Port = 5 NAS-IP-Address = 10.69.198.43 NAS-Identifier = "bench-wlc" Airespace-Wlan-Id = 10 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "268" EAP-Message = 0x0209006b19001703010060d16c533a4b189c106e1a8e186338904c03ead1294a3d5739e16671dad80f5d54b59b6f13facd7d23bcf87feb020d1ed96d1e8676fb9f62e6099da3ebac67c0fe79f2d066730fb3f78002b77ea3ef9362802024b989b0827aa86e2efb42d19c2f State = 0x84c1c06383c8d96bf4c68065e434d068 Message-Authenticator = 0x6f1de6190d2113751304c73fa89d6282 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "username", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 9 length 107 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x020900431a0209003e31f6ee78f0388d1906ff9df9db7ddf1122000000000000000040f58f14a51d206a372949bc25e665b336d4bdc9623a4f89006e6d636461766974 server { PEAP: Setting User-Name to username Sending tunneled request EAP-Message = 0x020900431a0209003e31f6ee78f0388d1906ff9df9db7ddf1122000000000000000040f58f14a51d206a372949bc25e665b336d4bdc9623a4f89006e6d636461766974 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "username" State = 0x046fcd910466d775a7642ff9e01164b0 server inner-tunnel { +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "username", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 9 length 67 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++? if (outer.NAS-IP-Address == 127.0.0.1) ? Evaluating (outer.NAS-IP-Address == 127.0.0.1) -> FALSE ++? if (outer.NAS-IP-Address == 127.0.0.1) -> FALSE ++? elsif (outer.NAS-IP-Address == 10.69.5.6) ? Evaluating (outer.NAS-IP-Address == 10.69.5.6) -> FALSE ++? elsif (outer.NAS-IP-Address == 10.69.5.6) -> FALSE ++? elsif (outer.NAS-IP-Address == 10.69.3.6) ? Evaluating (outer.NAS-IP-Address == 10.69.3.6) -> FALSE ++? elsif (outer.NAS-IP-Address == 10.69.3.6) -> FALSE ++? elsif (outer.NAS-IP-Address == 10.69.2.2) ? Evaluating (outer.NAS-IP-Address == 10.69.2.2) -> FALSE ++? elsif (outer.NAS-IP-Address == 10.69.2.2) -> FALSE ++? elsif (outer.NAS-IP-Address == 10.69.2.4) ? Evaluating (outer.NAS-IP-Address == 10.69.2.4) -> FALSE ++? elsif (outer.NAS-IP-Address == 10.69.2.4) -> FALSE ++? elsif (outer.NAS-IP-Address == 10.69.3.2) ? Evaluating (outer.NAS-IP-Address == 10.69.3.2) -> FALSE ++? elsif (outer.NAS-IP-Address == 10.69.3.2) -> FALSE ++? elsif (outer.NAS-IP-Address == 10.69.3.4) ? Evaluating (outer.NAS-IP-Address == 10.69.3.4) -> FALSE ++? elsif (outer.NAS-IP-Address == 10.69.3.4) -> FALSE ++? elsif (outer.NAS-IP-Address == 10.69.198.43) ? Evaluating (outer.NAS-IP-Address == 10.69.198.43) -> TRUE ++? elsif (outer.NAS-IP-Address == 10.69.198.43) -> TRUE ++- entering elsif (outer.NAS-IP-Address == 10.69.198.43) {...} [ldap_wireless] performing user authorization for username [ldap_wireless] expand: %{Stripped-User-Name} -> [ldap_wireless] expand: %{User-Name} -> username [ldap_wireless] expand: (&(cn=%{%{Stripped-User-Name}:-%{User-Name}})(objectClass=domainPerson)(|(memberOf=cn=role_active_emp,ou=portal_role,ou=Groups,dc=domain,dc=ca)(memberOf=cn=role_ce_student_reg,ou=portal_role,ou=Groups,dc=domain,dc=ca)(memberOf=cn=role_conted_instructor,ou=portal_role,ou=Groups,dc=domain,dc=ca)(memberOf=cn=role_faculty,ou=portal_role,ou=Groups,dc=domain,dc=ca)(memberOf=cn=role_on_leave_emp,ou=portal_role,ou=Groups,dc=domain,dc=ca)(memberOf=cn=role_retired_emp,ou=portal_role,ou=Groups,dc=domain,dc=ca)(memberOf=cn=role_service_wireless,ou=portal_role,ou=Groups,dc=domain,dc=ca)(memberOf=cn=role_sis_student_reg,ou=portal_role,ou=Groups,dc=domain,dc=ca))) -> (&(cn=username)(objectClass=domainPerson)(|(memberOf=cn=role_active_emp,ou=portal_role,ou=Groups,dc=domain,dc=ca)(memberOf=cn=role_ce_student_reg,ou=portal_role,ou=Groups,dc=domain,dc=ca)(memberOf=cn=role_conted_instructor,ou=portal_role,ou=Groups,dc=domain,dc=ca)(memberOf=cn=role_faculty,ou=porta [ldap_wireless] expand: ou=people,dc=domain,dc=ca -> ou=people,dc=domain,dc=ca rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=people,dc=domain,dc=ca, with filter (&(cn=username)(objectClass=domainPerson)(|(memberOf=cn=role_active_emp,ou=portal_role,ou=Groups,dc=domain,dc=ca)(memberOf=cn=role_ce_student_reg,ou=portal_role,ou=Groups,dc=domain,dc=ca)(memberOf=cn=role_conted_instructor,ou=portal_role,ou=Groups,dc=domain,dc=ca)(memberOf=cn=role_faculty,ou=portal_role,ou=Groups,dc=domain,dc=ca)(memberOf=cn=role_on_leave_emp,ou=portal_role,ou=Groups,dc=domain,dc=ca)(memberOf=cn=role_retired_emp,ou=portal_role,ou=Groups,dc=domain,dc=ca)(memberOf=cn=role_service_wireless,ou=portal_role,ou=Groups,dc=domain,dc=ca)(memberOf=cn=role_sis_student_reg,ou=portal_role,ou=Groups,dc=domain,dc=ca))) [ldap_wireless] Added User-Password = {SSHA}JN3SzzGrXIEjYBy6E7rnx/feETIlJFV5Kkt0cg== in check items [ldap_wireless] looking for check items in directory... [ldap_wireless] looking for reply items in directory... [ldap_wireless] user username authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 +++[ldap_wireless] returns ok ++- elsif (outer.NAS-IP-Address == 10.69.198.43) returns ok ++ ... skipping elsif for request 8: Preceding "if" was taken ++ ... skipping elsif for request 8: Preceding "if" was taken ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Told to do MS-CHAPv2 for username with NT-Password [mschap] FAILED: No NT/LM-Password. Cannot perform authentication. [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject [eap] Freeing handler ++[eap] returns reject Failed to authenticate the user. Login incorrect: [username] (from client wireless-lwapp-bench-wlc port 0 via TLS tunnel) } # server inner-tunnel [peap] Got tunneled reply code 3 MS-CHAP-Error = "\tE=691 R=1" EAP-Message = 0x04090004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Got tunneled reply RADIUS code 3 MS-CHAP-Error = "\tE=691 R=1" EAP-Message = 0x04090004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Tunneled authentication was rejected. [peap] FAILURE ++[eap] returns handled Sending Access-Challenge of id 148 to 10.69.198.43 port 32770 EAP-Message = 0x010a002b19001703010020e3e3a6d6505fb05e3f507711a7e9b78d8f1c27085e8e3991813ae73e76b69c9e Message-Authenticator = 0x00000000000000000000000000000000 State = 0x84c1c0638ccbd96bf4c68065e434d068 Finished request 8. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 10.69.198.43 port 32770, id=149, length=233 User-Name = "username" Calling-Station-Id = "00-00-00-00-00-00" Called-Station-Id = "01-01-01-01-01-01:domainPEAP" NAS-Port = 5 NAS-IP-Address = 10.69.198.43 NAS-Identifier = "bench-wlc" Airespace-Wlan-Id = 10 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "268" EAP-Message = 0x020a002b190017030100208bf739727b3858c81140379291fa8e43a13b4381ee88727815f81907c0fcd31f State = 0x84c1c0638ccbd96bf4c68065e434d068 Message-Authenticator = 0x746a61a68672e7c70cc3057833de2091 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "username", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 10 length 43 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Received EAP-TLV response. [peap] Had sent TLV failure. User was rejected earlier in this session. [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Login incorrect: [username] (from client wireless-lwapp-bench-wlc port 5 cli 00-00-00-00-00-00) Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> username attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 9 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 9 Sending Access-Reject of id 149 to 10.69.198.43 port 32770 EAP-Message = 0x040a0004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.8 seconds. Cleaning up request 0 ID 140 with timestamp +94 Cleaning up request 1 ID 141 with timestamp +94 Cleaning up request 2 ID 142 with timestamp +94 Cleaning up request 3 ID 143 with timestamp +94 Cleaning up request 4 ID 144 with timestamp +94 Cleaning up request 5 ID 145 with timestamp +94 Cleaning up request 6 ID 146 with timestamp +94 Cleaning up request 7 ID 147 with timestamp +94 Cleaning up request 8 ID 148 with timestamp +94 Waking up in 1.0 seconds. Cleaning up request 9 ID 149 with timestamp +94 Ready to process requests.