5. Debug output - radiusd -X. Note that this full-debug dump prints the configured secrets in the clear (the sql and ldap `password` values, the LDAP bind line, the NAS `secret` column and the private-key passphrase returned by certadmin), so a copy should be redacted before it is shared. Copyright (C) 1999-2008 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /private/etc/raddb/radiusd.conf including configuration file /private/etc/raddb/proxy.conf including files in directory /private/etc/raddb/modules/ including configuration file /private/etc/raddb/modules/acct_unique including configuration file /private/etc/raddb/modules/always including configuration file /private/etc/raddb/modules/attr_filter including configuration file /private/etc/raddb/modules/attr_rewrite including configuration file /private/etc/raddb/modules/chap including configuration file /private/etc/raddb/modules/checkval including configuration file /private/etc/raddb/modules/counter including configuration file /private/etc/raddb/modules/detail including configuration file /private/etc/raddb/modules/detail.example.com including configuration file /private/etc/raddb/modules/detail.log including configuration file /private/etc/raddb/modules/digest including configuration file /private/etc/raddb/modules/echo including configuration file /private/etc/raddb/modules/etc_group including configuration file /private/etc/raddb/modules/exec including configuration file /private/etc/raddb/modules/expiration including configuration file /private/etc/raddb/modules/expr including configuration file /private/etc/raddb/modules/files including configuration file /private/etc/raddb/modules/inner-eap including configuration file /private/etc/raddb/modules/ippool including configuration file /private/etc/raddb/modules/krb5 including configuration file /private/etc/raddb/modules/ldap including configuration file /private/etc/raddb/modules/linelog including configuration file /private/etc/raddb/modules/logintime including 
configuration file /private/etc/raddb/modules/mac2ip including configuration file /private/etc/raddb/modules/mac2vlan including configuration file /private/etc/raddb/modules/mschap including configuration file /private/etc/raddb/modules/opendirectory including configuration file /private/etc/raddb/modules/pam including configuration file /private/etc/raddb/modules/pap including configuration file /private/etc/raddb/modules/passwd including configuration file /private/etc/raddb/modules/perl including configuration file /private/etc/raddb/modules/policy including configuration file /private/etc/raddb/modules/preprocess including configuration file /private/etc/raddb/modules/radutmp including configuration file /private/etc/raddb/modules/realm including configuration file /private/etc/raddb/modules/smbpasswd including configuration file /private/etc/raddb/modules/sql_log including configuration file /private/etc/raddb/modules/sqlcounter_expire_on_login including configuration file /private/etc/raddb/modules/sradutmp including configuration file /private/etc/raddb/modules/unix including configuration file /private/etc/raddb/modules/wimax including configuration file /private/etc/raddb/eap.conf including configuration file /private/etc/raddb/sql.conf including configuration file /private/etc/raddb/sql/sqlite/dialup.conf including configuration file /private/etc/raddb/sql/mysql/counter.conf including configuration file /private/etc/raddb/policy.conf including files in directory /private/etc/raddb/sites-enabled/ including configuration file /private/etc/raddb/sites-enabled/default including configuration file /private/etc/raddb/sites-enabled/inner-tunnel including dictionary file /private/etc/raddb/dictionary main { prefix = "/usr" localstatedir = "/private/var" logdir = "/private/var/log/radius" libdir = "/usr/lib/freeradius" radacctdir = "/private/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 32768 allow_core_dumps 
= no pidfile = "/private/var/run/radiusd/radiusd.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = no log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } realm lab.com { } realm LOCAL { } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating exec exec { wait = no input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating expr Module: Linked to module rlm_expiration Module: Instantiating expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } Module: Linked to module rlm_sql Module: Instantiating sql sql { driver = "rlm_sql_sqlite" server = "localhost" port = "" login = "radius" password = "radpass" radius_db = "radius" read_groups = yes sqltrace = no sqltracefile = "/private/var/log/radius/sqltrace.sql" readclients = yes deletestalesessions = yes num_sql_socks = 5 sql_user_name = "%{User-Name}" default_user_profile = "" nas_query = "SELECT id,nasname,shortname,type,secret FROM nas" authorize_check_query = "" authorize_group_check_query = "" authorize_group_reply_query = "" accounting_onoff_query = "" accounting_update_query = "" accounting_update_query_alt = "" accounting_start_query = "" accounting_start_query_alt = "" accounting_stop_query = "" accounting_stop_query_alt = "" connect_failure_retry_delay = 60 simul_count_query = "" simul_verify_query = "" postauth_query = "" safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /" } rlm_sql (sql): Driver rlm_sql_sqlite (module 
rlm_sql_sqlite) loaded and linked rlm_sql (sql): Attempting to connect to radius@localhost:/radius rlm_sql (sql): starting 0 rlm_sql (sql): Attempting to connect rlm_sql_sqlite #0 rlm_sql_sqlite: Opening sqlite database /private/etc/raddb/sqlite_radius_client_database for #0 rlm_sql_sqlite: sqlite3_open() = 0 rlm_sql (sql): Connected new DB handle, #0 rlm_sql (sql): starting 1 rlm_sql (sql): Attempting to connect rlm_sql_sqlite #1 rlm_sql_sqlite: Opening sqlite database /private/etc/raddb/sqlite_radius_client_database for #1 rlm_sql_sqlite: sqlite3_open() = 0 rlm_sql (sql): Connected new DB handle, #1 rlm_sql (sql): starting 2 rlm_sql (sql): Attempting to connect rlm_sql_sqlite #2 rlm_sql_sqlite: Opening sqlite database /private/etc/raddb/sqlite_radius_client_database for #2 rlm_sql_sqlite: sqlite3_open() = 0 rlm_sql (sql): Connected new DB handle, #2 rlm_sql (sql): starting 3 rlm_sql (sql): Attempting to connect rlm_sql_sqlite #3 rlm_sql_sqlite: Opening sqlite database /private/etc/raddb/sqlite_radius_client_database for #3 rlm_sql_sqlite: sqlite3_open() = 0 rlm_sql (sql): Connected new DB handle, #3 rlm_sql (sql): starting 4 rlm_sql (sql): Attempting to connect rlm_sql_sqlite #4 rlm_sql_sqlite: Opening sqlite database /private/etc/raddb/sqlite_radius_client_database for #4 rlm_sql_sqlite: sqlite3_open() = 0 rlm_sql (sql): Connected new DB handle, #4 rlm_sql (sql): Processing generate_sql_clients rlm_sql (sql) in generate_sql_clients: query is SELECT id,nasname,shortname,type,secret FROM nas rlm_sql (sql): Reserving sql socket id: 4 rlm_sql_sqlite: sqlite3_prepare() = 0 rlm_sql_sqlite: sqlite3_step = 100 rlm_sql (sql): Read entry nasname=10.10.100.100,shortname=local,secret=123 rlm_sql (sql): Adding client 10.10.100.100 (local, server=) to clients list rlm_sql_sqlite: sqlite3_step = 100 rlm_sql (sql): Read entry nasname=10.10.100.1,shortname=hpnet,secret=123 rlm_sql (sql): Adding client 10.10.100.1 (hpnet, server=) to clients list rlm_sql_sqlite: sqlite3_step = 
101 rlm_sql_sqlite: sqlite3_finalize() = 0 rlm_sql (sql): Released sql socket id: 4 } radiusd: #### Loading Virtual Servers #### server inner-tunnel { modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_mschap Module: Instantiating mschap mschap { use_mppe = yes require_encryption = yes require_strong = yes with_ntdomain_hack = yes ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" use_open_directory = yes } Module: Linked to module rlm_eap Module: Instantiating eap eap { default_eap_type = "peap" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 2048 } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 pem_file_type = yes private_key_file = "/etc/certificates/radsrv.lab.com.23C900DA0044BDB9E24ACE1BCFAFFB0747756C25.key.pem" certificate_file = "/etc/certificates/radsrv.lab.com.23C900DA0044BDB9E24ACE1BCFAFFB0747756C25.cert.pem" CA_file = "/etc/certificates/radsrv.lab.com.23C900DA0044BDB9E24ACE1BCFAFFB0747756C25.chain.pem" private_key_password = "Apple:UseCertAdmin" dh_file = "/etc/raddb/certs/dh" random_file = "/etc/raddb/certs/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" make_cert_command = "/private/etc/raddb/certs/bootstrap" cache { enable = no lifetime = 24 max_entries = 255 } } rlm_eap: Getting private key passphrase using command "/usr/sbin/certadmin --get-private-key-passphrase "/etc/certificates/radsrv.lab.com.23C900DA0044BDB9E24ACE1BCFAFFB0747756C25.key.pem"" rlm_eap: Password from command = "11587086-8AE5-42EB-B0A1-1363F8EF4643" Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "mschapv2" copy_request_to_tunnel = no 
use_tunneled_reply = no virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = yes proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = yes } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_ldap Module: Instantiating ldap ldap { server = "radsrv.lab.com" port = 389 password = "abc123" identity = "uid=diradmin,cn=users,dc=radsrv,dc=lab,dc=com" net_timeout = 1 timeout = 4 timelimit = 3 tls_mode = no start_tls = no tls_require_cert = "allow" tls { start_tls = no require_cert = "allow" } basedn = "dc=radsrv,dc=lab,dc=com" filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" base_filter = "(objectclass=radiusprofile)" auto_header = no access_attr_used_for_allow = yes groupname_attribute = "cn" groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" dictionary_mapping = "/private/etc/raddb/ldap.attrmap" ldap_debug = 0 ldap_connections_number = 5 compare_check_items = no do_xlat = yes set_auth_type = no } rlm_ldap: Registering ldap_groupcmp for Ldap-Group rlm_ldap: Registering ldap_xlat with xlat_name ldap rlm_ldap: reading ldap<->radius mappings from file /private/etc/raddb/ldap.attrmap rlm_ldap: LDAP uid mapped to RADIUS User-Name rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id rlm_ldap: LDAP 
radiusCallingStationId mapped to RADIUS Calling-Station-Id rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network rlm_ldap: LDAP radiusClass mapped to RADIUS Class rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group rlm_ldap: 
LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message conns: 0x1001d6210 Module: Checking session {...} for more modules to load Module: Linked to module rlm_radutmp Module: Instantiating radutmp radutmp { filename = "/private/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Linked to module rlm_attr_filter Module: Instantiating attr_filter.access_reject attr_filter attr_filter.access_reject { attrsfile = "/private/etc/raddb/attrs.access_reject" key = "%{User-Name}" } } } modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating preprocess preprocess { huntgroups = "/private/etc/raddb/huntgroups" hints = "/private/etc/raddb/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Linked to module rlm_realm Module: Instantiating suffix realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_opendirectory Module: Instantiating opendirectory Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} 
for more modules to load Module: Linked to module rlm_detail Module: Instantiating detail detail { detailfile = "/private/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Instantiating attr_filter.accounting_response attr_filter attr_filter.accounting_response { attrsfile = "/private/etc/raddb/attrs.accounting_response" key = "%{User-Name}" } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = 10.10.100.100 port = 0 } listen { type = "acct" ipaddr = 10.10.100.100 port = 0 } Listening on authentication address 10.10.100.100 port 1812 Listening on accounting address 10.10.100.100 port 1813 Ready to process requests. 6. PEAP/mschapv2 supplicant test. rad_recv: Access-Request packet from host 10.10.100.1 port 43916, id=2, length=316 Framed-MTU = 1480 NAS-IP-Address = 10.10.100.1 NAS-Identifier = "LABSW" User-Name = "onex" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 1 NAS-Port-Type = Ethernet NAS-Port-Id = "1" Called-Station-Id = "68-b5-99-0f-18-c0" Calling-Station-Id = "c4-2c-03-1b-12-8c" Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "40" EAP-Message = 0x02030009016f6e6578 Message-Authenticator = 0x2a85ddbf4895a0fe4adb47857675c3af MS-RAS-Vendor = 11 HP-Attr-255 = 0x011a0000000b28 HP-Attr-255 = 0x011a0000000b2e HP-Attr-255 = 0x011a0000000b30 HP-Attr-255 = 0x011a0000000b3d HP-Attr-255 = 0x0138 HP-Attr-255 = 0x013a HP-Attr-255 = 0x0140 HP-Attr-255 = 0x0141 HP-Attr-255 = 0x0151 +- entering group authorize {...} ++[preprocess] returns ok ++[mschap] returns noop [suffix] No '@' in User-Name = "onex", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns 
noop [eap] EAP packet type response id 3 length 9 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated rlm_opendirectory: The SACL group "com.apple.access_radius" does not exist on this system. rlm_opendirectory: The host 10.10.100.1 does not have an access group. rlm_opendirectory: no access control groups, all users allowed. ++[opendirectory] returns ok ++[expiration] returns noop ++[logintime] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 2 to 10.10.100.1 port 43916 EAP-Message = 0x010400061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc8a932bec8ad2bbc13f627bcf8239a6d Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.10.100.1 port 43916, id=3, length=489 Framed-MTU = 1480 NAS-IP-Address = 10.10.100.1 NAS-Identifier = "LABSW" User-Name = "onex" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 1 NAS-Port-Type = Ethernet NAS-Port-Id = "1" Called-Station-Id = "68-b5-99-0f-18-c0" Calling-Station-Id = "c4-2c-03-1b-12-8c" Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "40" State = 0xc8a932bec8ad2bbc13f627bcf8239a6d EAP-Message = 0x020400a419800000009a16030100950100009103014ec12bb70b4762dc8603d3de7ab73b64c251752a7daa733519848d78c57eae23000056c00ac009c007c008c013c014c011c012c004c005c002c003c00ec00fc00cc00d002f000500040035000a000900030008000600320033003800390016001500140013001200110034003a0018001b001a00170019000101000012000a00080006001700180019000b00020100 Message-Authenticator = 0xdb5f96f673c8f4eabc68667576256e8a MS-RAS-Vendor = 11 HP-Attr-255 = 0x011a0000000b28 HP-Attr-255 = 0x011a0000000b2e HP-Attr-255 = 0x011a0000000b30 HP-Attr-255 = 0x011a0000000b3d HP-Attr-255 = 0x0138 HP-Attr-255 
= 0x013a HP-Attr-255 = 0x0140 HP-Attr-255 = 0x0141 HP-Attr-255 = 0x0151 +- entering group authorize {...} ++[preprocess] returns ok ++[mschap] returns noop [suffix] No '@' in User-Name = "onex", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 4 length 164 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 154 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 0095], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 002a], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 02fd], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 3 to 10.10.100.1 port 43916 EAP-Message = 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 EAP-Message = 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 EAP-Message = 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 EAP-Message = 0x5c9d004b6d92b76e959c233aa8799bfc541a16fc38fb95a1dbfe047119bcf82519908408010c6597fd432943e07472beac54424cfa3c6b185337e35009a19cb416030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc8a932bec9ac2bbc13f627bcf8239a6d Finished request 1. Going to the next request Waking up in 4.9 seconds. 
rad_recv: Access-Request packet from host 10.10.100.1 port 43916, id=4, length=663 Framed-MTU = 1480 NAS-IP-Address = 10.10.100.1 NAS-Identifier = "LABSW" User-Name = "onex" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 1 NAS-Port-Type = Ethernet NAS-Port-Id = "1" Called-Station-Id = "68-b5-99-0f-18-c0" Calling-Station-Id = "c4-2c-03-1b-12-8c" Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "40" State = 0xc8a932bec9ac2bbc13f627bcf8239a6d EAP-Message = 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 EAP-Message = 0xcbe0af6c27de902cdb2410a00abece48fe5dd17e646dd11814030100010116030100300e38e826d93f941afde9d7b60bc29a1cfb4fc90c6ccdd01eb7a7df6382f3b2069f3eea6d2d48309f93209e4515ae0188 Message-Authenticator = 0x698888789fa67f499517dbc825a3f7fb MS-RAS-Vendor = 11 HP-Attr-255 = 0x011a0000000b28 HP-Attr-255 = 0x011a0000000b2e HP-Attr-255 = 0x011a0000000b30 HP-Attr-255 = 0x011a0000000b3d HP-Attr-255 = 0x0138 HP-Attr-255 = 0x013a HP-Attr-255 = 0x0140 HP-Attr-255 = 0x0141 HP-Attr-255 = 0x0151 +- entering group authorize {...} ++[preprocess] returns ok ++[mschap] returns noop [suffix] No '@' in User-Name = "onex", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 5 length 253 [eap] Continuing tunnel setup. 
++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 326 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 4 to 10.10.100.1 port 43916 EAP-Message = 0x0106004119001403010001011603010030803865985ce1e9807fa98909c4b3855fd1f12e44fbc6dba8cb765a075be2e47e07877f7c2b9decd0bec9aecef0e97d1f Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc8a932becaaf2bbc13f627bcf8239a6d Finished request 2. Going to the next request Waking up in 4.9 seconds. Cleaning up request 0 ID 2 with timestamp +421 Cleaning up request 1 ID 3 with timestamp +421 Cleaning up request 2 ID 4 with timestamp +421 Ready to process requests. 
rad_recv: Access-Request packet from host 10.10.100.1 port 43916, id=5, length=331 Framed-MTU = 1480 NAS-IP-Address = 10.10.100.1 NAS-Identifier = "LABSW" User-Name = "onex" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 1 NAS-Port-Type = Ethernet NAS-Port-Id = "1" Called-Station-Id = "68-b5-99-0f-18-c0" Calling-Station-Id = "c4-2c-03-1b-12-8c" Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "40" State = 0xc8a932becaaf2bbc13f627bcf8239a6d EAP-Message = 0x020600061900 Message-Authenticator = 0xd480558ee95ac00355dab5f2b5c5c95d MS-RAS-Vendor = 11 HP-Attr-255 = 0x011a0000000b28 HP-Attr-255 = 0x011a0000000b2e HP-Attr-255 = 0x011a0000000b30 HP-Attr-255 = 0x011a0000000b3d HP-Attr-255 = 0x0138 HP-Attr-255 = 0x013a HP-Attr-255 = 0x0140 HP-Attr-255 = 0x0141 HP-Attr-255 = 0x0151 +- entering group authorize {...} ++[preprocess] returns ok ++[mschap] returns noop [suffix] No '@' in User-Name = "onex", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 6 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS ++[eap] returns handled Sending Access-Challenge of id 5 to 10.10.100.1 port 43916 EAP-Message = 0x0107002b1900170301002003e1c4dde423b6b0a6d66d847761039cfe4bb7c080e21baf78a57718df092c9e Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc8a932becbae2bbc13f627bcf8239a6d Finished request 3. Going to the next request Waking up in 4.9 seconds. 
rad_recv: Access-Request packet from host 10.10.100.1 port 43916, id=6, length=368 Framed-MTU = 1480 NAS-IP-Address = 10.10.100.1 NAS-Identifier = "LABSW" User-Name = "onex" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 1 NAS-Port-Type = Ethernet NAS-Port-Id = "1" Called-Station-Id = "68-b5-99-0f-18-c0" Calling-Station-Id = "c4-2c-03-1b-12-8c" Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "40" State = 0xc8a932becbae2bbc13f627bcf8239a6d EAP-Message = 0x0207002b190017030100201ef476116f80024510f1abb51b03097f3e4678c9d347fd21b1bb73116f6fe067 Message-Authenticator = 0xae0645af6b7e0c3296d52caa3b708e22 MS-RAS-Vendor = 11 HP-Attr-255 = 0x011a0000000b28 HP-Attr-255 = 0x011a0000000b2e HP-Attr-255 = 0x011a0000000b30 HP-Attr-255 = 0x011a0000000b3d HP-Attr-255 = 0x0138 HP-Attr-255 = 0x013a HP-Attr-255 = 0x0140 HP-Attr-255 = 0x0141 HP-Attr-255 = 0x0151 +- entering group authorize {...} ++[preprocess] returns ok ++[mschap] returns noop [suffix] No '@' in User-Name = "onex", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 7 length 43 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Identity - onex [peap] Got tunneled request EAP-Message = 0x02070009016f6e6578 server { PEAP: Got tunneled identity of onex PEAP: Setting default EAP type for tunneled EAP session. 
PEAP: Setting User-Name to onex Sending tunneled request EAP-Message = 0x02070009016f6e6578 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "onex" server inner-tunnel { +- entering group authorize {...} ++[control] returns notfound [eap] EAP packet type response id 7 length 9 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [ldap] performing user authorization for onex [ldap] expand: %{Stripped-User-Name} -> [ldap] expand: %{User-Name} -> onex [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=onex) [ldap] expand: dc=radsrv,dc=lab,dc=com -> dc=radsrv,dc=lab,dc=com rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to radsrv.lab.com:389, authentication 0 rlm_ldap: bind as uid=diradmin,cn=users,dc=radsrv,dc=lab,dc=com/abc123 to radsrv.lab.com:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in dc=radsrv,dc=lab,dc=com, with filter (uid=onex) [ldap] looking for check items in directory... rlm_ldap: uid -> User-Name == "onex" [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? 
[ldap] user onex authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x0108001e1a01080019106afec1602453c0057d7c334805a9e05e6f6e6578 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x46f92f2046f13502f59798f4fe1046a3 [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x0108001e1a01080019106afec1602453c0057d7c334805a9e05e6f6e6578 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x46f92f2046f13502f59798f4fe1046a3 [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 6 to 10.10.100.1 port 43916 EAP-Message = 0x0108003b19001703010030d168745a70c8f4bd29f463f34c268aa19b1ac850586cb8a6f233366e63436da98ff8502d8fa96bbdbc69a18651b3a2fb Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc8a932becca12bbc13f627bcf8239a6d Finished request 4. Going to the next request Waking up in 4.9 seconds. 
rad_recv: Access-Request packet from host 10.10.100.1 port 43916, id=7, length=416 Framed-MTU = 1480 NAS-IP-Address = 10.10.100.1 NAS-Identifier = "LABSW" User-Name = "onex" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 1 NAS-Port-Type = Ethernet NAS-Port-Id = "1" Called-Station-Id = "68-b5-99-0f-18-c0" Calling-Station-Id = "c4-2c-03-1b-12-8c" Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "40" State = 0xc8a932becca12bbc13f627bcf8239a6d EAP-Message = 0x0208005b19001703010050a72c388a44b55fa570a6e9f99603897abf4f63ae94df562bd235fcfe36dfb979c1167b3a75cf7d0b50ffb3f6ba5975ec98094fcc655a60fb0cd1b0184d89328a0d194e59bc8624eb18b38310bc5c0cd7 Message-Authenticator = 0xe2f611b17522c2ac38e9dfdc775af5f8 MS-RAS-Vendor = 11 HP-Attr-255 = 0x011a0000000b28 HP-Attr-255 = 0x011a0000000b2e HP-Attr-255 = 0x011a0000000b30 HP-Attr-255 = 0x011a0000000b3d HP-Attr-255 = 0x0138 HP-Attr-255 = 0x013a HP-Attr-255 = 0x0140 HP-Attr-255 = 0x0141 HP-Attr-255 = 0x0151 +- entering group authorize {...} ++[preprocess] returns ok ++[mschap] returns noop [suffix] No '@' in User-Name = "onex", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 8 length 91 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. 
[peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x0208003f1a0208003a31482aff2ee303991bec74da963c8b97ff00000000000000007e149641c6691fc006eef640912cd3c8e650eade54a0b944006f6e6578 server { PEAP: Setting User-Name to onex Sending tunneled request EAP-Message = 0x0208003f1a0208003a31482aff2ee303991bec74da963c8b97ff00000000000000007e149641c6691fc006eef640912cd3c8e650eade54a0b944006f6e6578 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "onex" State = 0x46f92f2046f13502f59798f4fe1046a3 server inner-tunnel { +- entering group authorize {...} ++[control] returns notfound [eap] EAP packet type response id 8 length 63 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [ldap] performing user authorization for onex [ldap] expand: %{Stripped-User-Name} -> [ldap] expand: %{User-Name} -> onex [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=onex) [ldap] expand: dc=radsrv,dc=lab,dc=com -> dc=radsrv,dc=lab,dc=com rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=radsrv,dc=lab,dc=com, with filter (uid=onex) [ldap] looking for check items in directory... rlm_ldap: uid -> User-Name == "onex" [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] user onex authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] No NT-Password configured. Trying OpenDirectory Authentication. 
[mschap] OD username_string = onex, OD shortUserName=onex (length = 4) [mschap] dsDoDirNodeAuth returns stepbuff: S=D134BC291881FAF31275724FE84FEA40648F64C6 (len=40) ++[mschap] returns ok MSCHAP Success ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x010900331a0308002e533d44313334424332393138383146414633313237353732344645383446454134303634384636344336 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x46f92f2047f03502f59798f4fe1046a3 [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x010900331a0308002e533d44313334424332393138383146414633313237353732344645383446454134303634384636344336 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x46f92f2047f03502f59798f4fe1046a3 [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 7 to 10.10.100.1 port 43916 EAP-Message = 0x0109005b190017030100508dc83e881f0cd40e50685b4a7796d3fe4d5e112f0df9f869bb1069d92e12b7b32ee12bb4095358ecc99a90c421fe4bc0061866719bd569876a1daef7eb9b9581e3e41ab50fe46c9f5181b97339ad0395 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc8a932becda02bbc13f627bcf8239a6d Finished request 5. Going to the next request Waking up in 4.8 seconds. 
rad_recv: Access-Request packet from host 10.10.100.1 port 43916, id=8, length=368 Framed-MTU = 1480 NAS-IP-Address = 10.10.100.1 NAS-Identifier = "LABSW" User-Name = "onex" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 1 NAS-Port-Type = Ethernet NAS-Port-Id = "1" Called-Station-Id = "68-b5-99-0f-18-c0" Calling-Station-Id = "c4-2c-03-1b-12-8c" Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "40" State = 0xc8a932becda02bbc13f627bcf8239a6d EAP-Message = 0x0209002b1900170301002018ad9a27bbf9db0cb5041ae1ac19feabc2c80accfeafd843bbab86f9ba3c77fc Message-Authenticator = 0x1061625f1ad774427c2530183470876c MS-RAS-Vendor = 11 HP-Attr-255 = 0x011a0000000b28 HP-Attr-255 = 0x011a0000000b2e HP-Attr-255 = 0x011a0000000b30 HP-Attr-255 = 0x011a0000000b3d HP-Attr-255 = 0x0138 HP-Attr-255 = 0x013a HP-Attr-255 = 0x0140 HP-Attr-255 = 0x0141 HP-Attr-255 = 0x0151 +- entering group authorize {...} ++[preprocess] returns ok ++[mschap] returns noop [suffix] No '@' in User-Name = "onex", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 9 length 43 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. 
[peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x020900061a03 server { PEAP: Setting User-Name to onex Sending tunneled request EAP-Message = 0x020900061a03 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "onex" State = 0x46f92f2047f03502f59798f4fe1046a3 server inner-tunnel { +- entering group authorize {...} ++[control] returns notfound [eap] EAP packet type response id 9 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [ldap] performing user authorization for onex [ldap] expand: %{Stripped-User-Name} -> [ldap] expand: %{User-Name} -> onex [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=onex) [ldap] expand: dc=radsrv,dc=lab,dc=com -> dc=radsrv,dc=lab,dc=com rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=radsrv,dc=lab,dc=com, with filter (uid=onex) [ldap] looking for check items in directory... rlm_ldap: uid -> User-Name == "onex" [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? 
[ldap] user onex authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [eap] Freeing handler ++[eap] returns ok +- entering group post-auth {...} rlm_ldap: - ldap_xlat expand: ldap:///dc=radsrv,dc=lab,dc=com?radiusTunnelPrivateGroupId?sub?(&(cn=vl*)(memberUid=%{User-Name})) -> ldap:///dc=radsrv,dc=lab,dc=com?radiusTunnelPrivateGroupId?sub?(&(cn=vl*)(memberUid=onex)) rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=radsrv,dc=lab,dc=com, with filter (&(cn=vl*)(memberUid=onex)) rlm_ldap: Adding attribute radiusTunnelPrivateGroupId, value: 10 rlm_ldap: ldap_release_conn: Release Id: 0 rlm_ldap: - ldap_xlat end expand: %{ldap:ldap:///dc=radsrv,dc=lab,dc=com?radiusTunnelPrivateGroupId?sub?(&(cn=vl*)(memberUid=%{User-Name}))} -> 10 ++[reply] returns noop } # server inner-tunnel [peap] Got tunneled reply code 2 EAP-Message = 0x03090004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "onex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "10" [peap] Got tunneled reply RADIUS code 2 EAP-Message = 0x03090004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "onex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "10" [peap] Tunneled authentication was successful. [peap] SUCCESS [peap] Saving tunneled attributes for later ++[eap] returns handled Sending Access-Challenge of id 8 to 10.10.100.1 port 43916 EAP-Message = 0x010a002b190017030100207017c3a362f633d14eea5f1e776f1e09d0739d328acd60f5d221d035f60625a9 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc8a932becea32bbc13f627bcf8239a6d Finished request 6. 
Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 10.10.100.1 port 43916, id=9, length=368 Framed-MTU = 1480 NAS-IP-Address = 10.10.100.1 NAS-Identifier = "LABSW" User-Name = "onex" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 1 NAS-Port-Type = Ethernet NAS-Port-Id = "1" Called-Station-Id = "68-b5-99-0f-18-c0" Calling-Station-Id = "c4-2c-03-1b-12-8c" Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "40" State = 0xc8a932becea32bbc13f627bcf8239a6d EAP-Message = 0x020a002b19001703010020ab54d9487316319243d697f09db19d7fa2117ca7d1e9203299b28aac57ad92e0 Message-Authenticator = 0x4d37b6b4614880c702e7005e0f7ebfc3 MS-RAS-Vendor = 11 HP-Attr-255 = 0x011a0000000b28 HP-Attr-255 = 0x011a0000000b2e HP-Attr-255 = 0x011a0000000b30 HP-Attr-255 = 0x011a0000000b3d HP-Attr-255 = 0x0138 HP-Attr-255 = 0x013a HP-Attr-255 = 0x0140 HP-Attr-255 = 0x0141 HP-Attr-255 = 0x0151 +- entering group authorize {...} ++[preprocess] returns ok ++[mschap] returns noop [suffix] No '@' in User-Name = "onex", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 10 length 43 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Received EAP-TLV response. 
[peap] Success [peap] Using saved attributes from the original Access-Accept [eap] Freeing handler ++[eap] returns ok +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 9 to 10.10.100.1 port 43916 User-Name = "onex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "10" MS-MPPE-Recv-Key = 0xde17c33d18df85bf4255d597592739fc88f04e8317c07dcf39c9e79a91285ab5 MS-MPPE-Send-Key = 0xc545bf7527c58b753ccaa1b35703fdc34e9d53f38f65a6a71684558c81cde7b7 EAP-Message = 0x030a0004 Message-Authenticator = 0x00000000000000000000000000000000 Finished request 7. Going to the next request Waking up in 4.8 seconds. rad_recv: Accounting-Request packet from host 10.10.100.1 port 55065, id=10, length=114 Acct-Session-Id = "000A00000001" Acct-Status-Type = Start Service-Type = Framed-User Acct-Authentic = RADIUS NAS-Port = 1 Calling-Station-Id = "C4-2C-03-1B-12-8C" NAS-IP-Address = 10.10.100.1 NAS-Identifier = "LABSW" User-Name = "onex" MS-RAS-Vendor = 11 Acct-Delay-Time = 0 +- entering group preacct {...} ++[preprocess] returns ok [acct_unique] Hashing 'NAS-Port = 1,Client-IP-Address = 10.10.100.1,NAS-IP-Address = 10.10.100.1,Acct-Session-Id = "000A00000001",User-Name = "onex"' [acct_unique] Acct-Unique-Session-ID = "8b2f617b07d02e3d". 
++[acct_unique] returns ok [suffix] No '@' in User-Name = "onex", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop +- entering group accounting {...} [detail] expand: /private/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d -> /private/var/log/radius/radacct/10.10.100.1/detail-20111114 [detail] /private/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /private/var/log/radius/radacct/10.10.100.1/detail-20111114 [detail] expand: %t -> Mon Nov 14 16:54:56 2011 ++[detail] returns ok [radutmp] expand: /private/var/log/radius/radutmp -> /private/var/log/radius/radutmp [radutmp] expand: %{User-Name} -> onex ++[radutmp] returns ok [attr_filter.accounting_response] expand: %{User-Name} -> onex attr_filter: Matched entry DEFAULT at line 12 ++[attr_filter.accounting_response] returns updated Sending Accounting-Response of id 10 to 10.10.100.1 port 55065 Finished request 8. Cleaning up request 8 ID 10 with timestamp +430 Going to the next request Waking up in 4.8 seconds. Cleaning up request 3 ID 5 with timestamp +430 Cleaning up request 4 ID 6 with timestamp +430 Cleaning up request 5 ID 7 with timestamp +430 Cleaning up request 6 ID 8 with timestamp +430 Cleaning up request 7 ID 9 with timestamp +430 Ready to process requests. 
rad_recv: Accounting-Request packet from host 10.10.100.1 port 55065, id=11, length=150 Acct-Session-Id = "000A00000001" Acct-Status-Type = Stop Service-Type = Framed-User Acct-Authentic = RADIUS NAS-Port = 1 Calling-Station-Id = "C4-2C-03-1B-12-8C" NAS-IP-Address = 10.10.100.1 NAS-Identifier = "LABSW" User-Name = "onex" Acct-Terminate-Cause = User-Request Acct-Session-Time = 453 Acct-Input-Octets = 28252 Acct-Output-Octets = 3668 Acct-Input-Packets = 233 Acct-Output-Packets = 21 MS-RAS-Vendor = 11 Acct-Delay-Time = 0 +- entering group preacct {...} ++[preprocess] returns ok [acct_unique] Hashing 'NAS-Port = 1,Client-IP-Address = 10.10.100.1,NAS-IP-Address = 10.10.100.1,Acct-Session-Id = "000A00000001",User-Name = "onex"' [acct_unique] Acct-Unique-Session-ID = "8b2f617b07d02e3d". ++[acct_unique] returns ok [suffix] No '@' in User-Name = "onex", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop +- entering group accounting {...} [detail] expand: /private/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d -> /private/var/log/radius/radacct/10.10.100.1/detail-20111114 [detail] /private/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /private/var/log/radius/radacct/10.10.100.1/detail-20111114 [detail] expand: %t -> Mon Nov 14 17:02:29 2011 ++[detail] returns ok [radutmp] expand: /private/var/log/radius/radutmp -> /private/var/log/radius/radutmp [radutmp] expand: %{User-Name} -> onex ++[radutmp] returns ok [attr_filter.accounting_response] expand: %{User-Name} -> onex attr_filter: Matched entry DEFAULT at line 12 ++[attr_filter.accounting_response] returns updated Sending Accounting-Response of id 11 to 10.10.100.1 port 55065 Finished request 9. Cleaning up request 9 ID 11 with timestamp +883 Going to the next request Ready to process requests.