<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Hi,<br>
<br>
I've stumbled upon a nasty problem:<br>
- I need to set up FreeRadius as an authentication server where I
have to authenticate users from two external databases. I've set up
FreeRadius to use ntlm_auth module and swapped the 'ntlm_auth'
command with my own script (see debug output). This script must be
called with full username and password in cleartext so that I can
then connect to the databases and check if user's credentials are
correct and (s)he is allowed to connect to service. Both databases
save user passwords encrypted according to their rules (SHA256 with
and without salt) and for that reason I need a password supplied
from the Radius client in cleartext. <br>
<br>
However, when everything is set up, somehow '%{User-Password}' or
'%{Cleartext-Password}' (I've tried them both) does not expand to
anything when executing ntlm_auth authentication and my script
always rejects the user. For testing purposes, I've set up a bash
script that exits with status 0 if the username is
'<a class="moz-txt-link-abbreviated" href="mailto:testuser@med.bg.ac.rs">testuser@med.bg.ac.rs</a>' and password is 'proba.321' or with status 1
otherwise. The script works when called from command line.<br>
<br>
The OS is CentOS 5.8 64-bit and FreeRADIUS version is 2.1.12. I have
tried to check the auth with 'eapol_test' with the following
configuration:<br>
<br>
network={<br>
key_mgmt=IEEE8021X<br>
eap=TTLS<br>
identity=<a class="moz-txt-link-rfc2396E" href="mailto:testuser@med.bg.ac.rs">"testuser@med.bg.ac.rs"</a><br>
password="proba.321"<br>
anonymous_identity="anonymous"<br>
phase2="auth=MD5"<br>
ca_cert="/etc/raddb/certs/ca.pem"<br>
}<br>
<br>
<br>
The output from the 'radiusd -X' is as follows:<br>
<br>
FreeRADIUS Version 2.1.12, for host x86_64-redhat-linux-gnu, built
on Feb 22 2012 at 14:59:35<br>
Copyright (C) 1999-2009 The FreeRADIUS server project and
contributors. <br>
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
<br>
PARTICULAR PURPOSE. <br>
You may redistribute copies of FreeRADIUS under the terms of the <br>
GNU General Public License v2. <br>
Starting - reading configuration files ...<br>
including configuration file /etc/raddb/radiusd.conf<br>
including configuration file /etc/raddb/proxy.conf<br>
including configuration file /etc/raddb/clients.conf<br>
including files in directory /etc/raddb/modules/<br>
including configuration file /etc/raddb/modules/logintime<br>
including configuration file /etc/raddb/modules/ntlm_auth<br>
including configuration file /etc/raddb/modules/files<br>
including configuration file /etc/raddb/modules/inner-eap<br>
including configuration file /etc/raddb/modules/counter<br>
including configuration file /etc/raddb/modules/detail<br>
including configuration file /etc/raddb/modules/attr_rewrite<br>
including configuration file /etc/raddb/modules/expr<br>
including configuration file /etc/raddb/modules/realm<br>
including configuration file /etc/raddb/modules/always<br>
including configuration file /etc/raddb/modules/policy<br>
including configuration file /etc/raddb/modules/replicate<br>
including configuration file /etc/raddb/modules/radutmp<br>
including configuration file /etc/raddb/modules/pap<br>
including configuration file /etc/raddb/modules/perl<br>
including configuration file /etc/raddb/modules/smbpasswd<br>
including configuration file /etc/raddb/modules/dynamic_clients<br>
including configuration file /etc/raddb/modules/detail.example.com<br>
including configuration file /etc/raddb/modules/sradutmp<br>
including configuration file /etc/raddb/modules/exec<br>
including configuration file /etc/raddb/modules/detail.log<br>
including configuration file /etc/raddb/modules/echo<br>
including configuration file /etc/raddb/modules/preprocess<br>
including configuration file /etc/raddb/modules/checkval<br>
including configuration file /etc/raddb/modules/mac2ip<br>
including configuration file /etc/raddb/modules/redis<br>
including configuration file /etc/raddb/modules/sql_log<br>
including configuration file /etc/raddb/modules/mac2vlan<br>
including configuration file /etc/raddb/modules/acct_unique<br>
including configuration file /etc/raddb/modules/etc_group<br>
including configuration file /etc/raddb/modules/digest<br>
including configuration file /etc/raddb/modules/chap<br>
including configuration file /etc/raddb/modules/attr_filter<br>
including configuration file /etc/raddb/modules/unix<br>
including configuration file /etc/raddb/modules/passwd<br>
including configuration file /etc/raddb/modules/ippool<br>
including configuration file /etc/raddb/modules/opendirectory<br>
including configuration file /etc/raddb/modules/linelog<br>
including configuration file /etc/raddb/modules/smsotp<br>
including configuration file /etc/raddb/modules/cui<br>
including configuration file /etc/raddb/modules/mschap<br>
including configuration file /etc/raddb/modules/otp<br>
including configuration file
/etc/raddb/modules/sqlcounter_expire_on_login<br>
including configuration file /etc/raddb/modules/soh<br>
including configuration file /etc/raddb/modules/pam<br>
including configuration file /etc/raddb/modules/rediswho<br>
including configuration file /etc/raddb/modules/expiration<br>
including configuration file /etc/raddb/modules/wimax<br>
including configuration file /etc/raddb/eap.conf<br>
including configuration file /etc/raddb/policy.conf<br>
including files in directory /etc/raddb/sites-enabled/<br>
including configuration file /etc/raddb/sites-enabled/eduroam<br>
including configuration file /etc/raddb/sites-enabled/control-socket<br>
including configuration file /etc/raddb/sites-enabled/default<br>
including configuration file
/etc/raddb/sites-enabled/eduroam-inner-tunnel<br>
including configuration file /etc/raddb/sites-enabled/inner-tunnel<br>
main {<br>
user = "radiusd"<br>
group = "radiusd"<br>
allow_core_dumps = no<br>
}<br>
including dictionary file /etc/raddb/dictionary<br>
main {<br>
name = "radiusd"<br>
prefix = "/usr"<br>
localstatedir = "/var"<br>
sbindir = "/usr/sbin"<br>
logdir = "/var/log/radius"<br>
run_dir = "/var/run/radiusd"<br>
libdir = "/usr/lib64/freeradius"<br>
radacctdir = "/var/log/radius/radacct"<br>
hostname_lookups = no<br>
max_request_time = 30<br>
cleanup_delay = 5<br>
max_requests = 1024<br>
pidfile = "/var/run/radiusd/radiusd.pid"<br>
checkrad = "/usr/sbin/checkrad"<br>
debug_level = 0<br>
proxy_requests = yes<br>
log {<br>
stripped_names = no<br>
auth = yes<br>
auth_badpass = yes<br>
auth_goodpass = yes<br>
}<br>
security {<br>
max_attributes = 200<br>
reject_delay = 1<br>
status_server = yes<br>
}<br>
}<br>
radiusd: #### Loading Realms and Home Servers ####<br>
proxy server {<br>
retry_delay = 5<br>
retry_count = 3<br>
default_fallback = no<br>
dead_time = 120<br>
wake_all_if_all_dead = no<br>
}<br>
home_server localhost {<br>
ipaddr = 127.0.0.1<br>
port = 1812<br>
type = "auth+acct"<br>
secret = "testing123"<br>
response_window = 20<br>
max_outstanding = 65536<br>
require_message_authenticator = yes<br>
zombie_period = 40<br>
status_check = "status-server"<br>
ping_interval = 30<br>
check_interval = 30<br>
num_answers_to_alive = 3<br>
num_pings_to_alive = 3<br>
revive_interval = 120<br>
status_check_timeout = 4<br>
}<br>
realm med.bg.ac.rs {<br>
authhost = LOCAL<br>
accthost = LOCAL<br>
}<br>
realm LOCAL {<br>
}<br>
realm NULL {<br>
}<br>
radiusd: #### Loading Clients ####<br>
client localhost {<br>
ipaddr = 127.0.0.1<br>
require_message_authenticator = no<br>
secret = "testing123"<br>
nastype = "other"<br>
virtual_server = "eduroam"<br>
}<br>
client ftlr1.ac.rs {<br>
ipaddr = 147.91.4.204<br>
require_message_authenticator = no<br>
secret = "******"<br>
shortname = "ftlr1"<br>
nastype = "other"<br>
virtual_server = "eduroam"<br>
}<br>
client ftlr2.ac.rs {<br>
ipaddr = 147.91.1.101<br>
require_message_authenticator = no<br>
secret = "******"<br>
shortname = "ftlr2"<br>
nastype = "other"<br>
virtual_server = "eduroam"<br>
}<br>
client netiis.monitor {<br>
ipaddr = 147.91.3.12<br>
require_message_authenticator = no<br>
secret = "******"<br>
shortname = "netiis"<br>
nastype = "other"<br>
virtual_server = "eduroam"<br>
}<br>
radiusd: #### Instantiating modules ####<br>
instantiate {<br>
Module: Linked to module rlm_exec<br>
Module: Instantiating module "exec" from file
/etc/raddb/modules/exec<br>
exec {<br>
wait = no<br>
input_pairs = "request"<br>
shell_escape = yes<br>
}<br>
Module: Linked to module rlm_expr<br>
Module: Instantiating module "expr" from file
/etc/raddb/modules/expr<br>
Module: Linked to module rlm_expiration<br>
Module: Instantiating module "expiration" from file
/etc/raddb/modules/expiration<br>
expiration {<br>
reply-message = "Password Has Expired "<br>
}<br>
Module: Linked to module rlm_logintime<br>
Module: Instantiating module "logintime" from file
/etc/raddb/modules/logintime<br>
logintime {<br>
reply-message = "You are calling outside your allowed timespan
"<br>
minimum-timeout = 60<br>
}<br>
}<br>
radiusd: #### Loading Virtual Servers ####<br>
server { # from file /etc/raddb/radiusd.conf<br>
modules {<br>
Module: Creating Auth-Type = digest<br>
Module: Creating Post-Auth-Type = REJECT<br>
Module: Checking authenticate {...} for more modules to load<br>
Module: Linked to module rlm_pap<br>
Module: Instantiating module "pap" from file /etc/raddb/modules/pap<br>
pap {<br>
encryption_scheme = "auto"<br>
auto_header = no<br>
}<br>
Module: Linked to module rlm_chap<br>
Module: Instantiating module "chap" from file
/etc/raddb/modules/chap<br>
Module: Linked to module rlm_mschap<br>
Module: Instantiating module "mschap" from file
/etc/raddb/modules/mschap<br>
mschap {<br>
use_mppe = yes<br>
require_encryption = no<br>
require_strong = no<br>
with_ntdomain_hack = no<br>
allow_retry = yes<br>
}<br>
Module: Linked to module rlm_digest<br>
Module: Instantiating module "digest" from file
/etc/raddb/modules/digest<br>
Module: Linked to module rlm_unix<br>
Module: Instantiating module "unix" from file
/etc/raddb/modules/unix<br>
unix {<br>
radwtmp = "/var/log/radius/radwtmp"<br>
}<br>
Module: Linked to module rlm_eap<br>
Module: Instantiating module "eap" from file /etc/raddb/eap.conf<br>
eap {<br>
default_eap_type = "ttls"<br>
timer_expire = 60<br>
ignore_unknown_eap_types = no<br>
cisco_accounting_username_bug = no<br>
max_sessions = 4096<br>
}<br>
Module: Linked to sub-module rlm_eap_md5<br>
Module: Instantiating eap-md5<br>
Module: Linked to sub-module rlm_eap_leap<br>
Module: Instantiating eap-leap<br>
Module: Linked to sub-module rlm_eap_gtc<br>
Module: Instantiating eap-gtc<br>
gtc {<br>
challenge = "Password: "<br>
auth_type = "PAP"<br>
}<br>
Module: Linked to sub-module rlm_eap_tls<br>
Module: Instantiating eap-tls<br>
tls {<br>
rsa_key_exchange = no<br>
dh_key_exchange = yes<br>
rsa_key_length = 512<br>
dh_key_length = 512<br>
verify_depth = 0<br>
CA_path = "/etc/raddb/certs"<br>
pem_file_type = yes<br>
private_key_file = "/etc/raddb/certs/server.key"<br>
certificate_file = "/etc/raddb/certs/server.pem"<br>
CA_file = "/etc/raddb/certs/ca.pem"<br>
private_key_password = "******"<br>
dh_file = "/etc/raddb/certs/dh"<br>
random_file = "/dev/urandom"<br>
fragment_size = 1024<br>
include_length = yes<br>
check_crl = no<br>
cipher_list = "DEFAULT"<br>
make_cert_command = "/etc/raddb/certs/bootstrap"<br>
cache {<br>
enable = no<br>
lifetime = 24<br>
max_entries = 255<br>
}<br>
verify {<br>
}<br>
}<br>
Module: Linked to sub-module rlm_eap_ttls<br>
Module: Instantiating eap-ttls<br>
ttls {<br>
default_eap_type = "md5"<br>
copy_request_to_tunnel = no<br>
use_tunneled_reply = no<br>
virtual_server = "eduroam-inner-tunnel"<br>
include_length = yes<br>
}<br>
Module: Linked to sub-module rlm_eap_peap<br>
Module: Instantiating eap-peap<br>
peap {<br>
default_eap_type = "mschapv2"<br>
copy_request_to_tunnel = no<br>
use_tunneled_reply = no<br>
proxy_tunneled_request_as_eap = yes<br>
virtual_server = "eduroam-inner-tunnel"<br>
soh = no<br>
}<br>
Module: Linked to sub-module rlm_eap_mschapv2<br>
Module: Instantiating eap-mschapv2<br>
mschapv2 {<br>
with_ntdomain_hack = no<br>
send_error = no<br>
}<br>
Module: Checking authorize {...} for more modules to load<br>
Module: Linked to module rlm_preprocess<br>
Module: Instantiating module "preprocess" from file
/etc/raddb/modules/preprocess<br>
preprocess {<br>
huntgroups = "/etc/raddb/huntgroups"<br>
hints = "/etc/raddb/hints"<br>
with_ascend_hack = no<br>
ascend_channels_per_line = 23<br>
with_ntdomain_hack = no<br>
with_specialix_jetstream_hack = no<br>
with_cisco_vsa_hack = no<br>
with_alvarion_vsa_hack = no<br>
}<br>
Module: Linked to module rlm_realm<br>
Module: Instantiating module "suffix" from file
/etc/raddb/modules/realm<br>
realm suffix {<br>
format = "suffix"<br>
delimiter = "@"<br>
ignore_default = no<br>
ignore_null = no<br>
}<br>
Module: Linked to module rlm_files<br>
Module: Instantiating module "files" from file
/etc/raddb/modules/files<br>
files {<br>
usersfile = "/etc/raddb/users"<br>
acctusersfile = "/etc/raddb/acct_users"<br>
preproxy_usersfile = "/etc/raddb/preproxy_users"<br>
compat = "no"<br>
}<br>
Module: Checking preacct {...} for more modules to load<br>
Module: Linked to module rlm_acct_unique<br>
Module: Instantiating module "acct_unique" from file
/etc/raddb/modules/acct_unique<br>
acct_unique {<br>
key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port"<br>
}<br>
Module: Checking accounting {...} for more modules to load<br>
Module: Linked to module rlm_detail<br>
Module: Instantiating module "detail" from file
/etc/raddb/modules/detail<br>
detail {<br>
detailfile =
"/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"<br>
header = "%t"<br>
detailperm = 384<br>
dirperm = 493<br>
locking = no<br>
log_packet_header = no<br>
}<br>
Module: Linked to module rlm_radutmp<br>
Module: Instantiating module "radutmp" from file
/etc/raddb/modules/radutmp<br>
radutmp {<br>
filename = "/var/log/radius/radutmp"<br>
username = "%{User-Name}"<br>
case_sensitive = yes<br>
check_with_nas = yes<br>
perm = 384<br>
callerid = yes<br>
}<br>
Module: Linked to module rlm_attr_filter<br>
Module: Instantiating module "attr_filter.accounting_response" from
file /etc/raddb/modules/attr_filter<br>
attr_filter attr_filter.accounting_response {<br>
attrsfile = "/etc/raddb/attrs.accounting_response"<br>
key = "%{User-Name}"<br>
relaxed = no<br>
}<br>
Module: Checking session {...} for more modules to load<br>
Module: Checking post-proxy {...} for more modules to load<br>
Module: Checking post-auth {...} for more modules to load<br>
Module: Instantiating module "attr_filter.access_reject" from file
/etc/raddb/modules/attr_filter<br>
attr_filter attr_filter.access_reject {<br>
attrsfile = "/etc/raddb/attrs.access_reject"<br>
key = "%{User-Name}"<br>
relaxed = no<br>
}<br>
} # modules<br>
} # server<br>
server eduroam { # from file /etc/raddb/sites-enabled/eduroam<br>
modules {<br>
Module: Checking authenticate {...} for more modules to load<br>
Module: Checking authorize {...} for more modules to load<br>
Module: Instantiating module "auth_log" from file
/etc/raddb/modules/detail.log<br>
detail auth_log {<br>
detailfile =
"/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d"<br>
header = "%t"<br>
detailperm = 384<br>
dirperm = 493<br>
locking = no<br>
log_packet_header = no<br>
}<br>
Module: Checking preacct {...} for more modules to load<br>
Module: Checking accounting {...} for more modules to load<br>
Module: Checking session {...} for more modules to load<br>
Module: Checking pre-proxy {...} for more modules to load<br>
Module: Instantiating module "pre_proxy_log" from file
/etc/raddb/modules/detail.log<br>
detail pre_proxy_log {<br>
detailfile =
"/var/log/radius/radacct/%{Client-IP-Address}/pre-proxy-detail-%Y%m%d"<br>
header = "%t"<br>
detailperm = 384<br>
dirperm = 493<br>
locking = no<br>
log_packet_header = no<br>
}<br>
Module: Checking post-proxy {...} for more modules to load<br>
Module: Instantiating module "post_proxy_log" from file
/etc/raddb/modules/detail.log<br>
detail post_proxy_log {<br>
detailfile =
"/var/log/radius/radacct/%{Client-IP-Address}/post-proxy-detail-%Y%m%d"<br>
header = "%t"<br>
detailperm = 384<br>
dirperm = 493<br>
locking = no<br>
log_packet_header = no<br>
}<br>
Module: Checking post-auth {...} for more modules to load<br>
Module: Instantiating module "reply_log" from file
/etc/raddb/modules/detail.log<br>
detail reply_log {<br>
detailfile =
"/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d"<br>
header = "%t"<br>
detailperm = 384<br>
dirperm = 493<br>
locking = no<br>
log_packet_header = no<br>
}<br>
} # modules<br>
} # server<br>
server eduroam-inner-tunnel { # from file
/etc/raddb/sites-enabled/eduroam-inner-tunnel<br>
modules {<br>
Module: Creating Auth-Type = ntlm_auth<br>
Module: Checking authenticate {...} for more modules to load<br>
Module: Instantiating module "ntlm_auth" from file
/etc/raddb/modules/ntlm_auth<br>
exec ntlm_auth {<br>
wait = yes<br>
program = "/usr/local/sbin/medauth %{User-Name}
%{Cleartext-Password} >& /dev/null"<br>
input_pairs = "request"<br>
shell_escape = yes<br>
}<br>
Module: Checking authorize {...} for more modules to load<br>
Module: Checking session {...} for more modules to load<br>
Module: Checking pre-proxy {...} for more modules to load<br>
Module: Checking post-proxy {...} for more modules to load<br>
Module: Checking post-auth {...} for more modules to load<br>
} # modules<br>
} # server<br>
server inner-tunnel { # from file
/etc/raddb/sites-enabled/inner-tunnel<br>
modules {<br>
Module: Checking authenticate {...} for more modules to load<br>
Module: Checking authorize {...} for more modules to load<br>
Module: Checking session {...} for more modules to load<br>
Module: Checking post-proxy {...} for more modules to load<br>
Module: Checking post-auth {...} for more modules to load<br>
} # modules<br>
} # server<br>
radiusd: #### Opening IP addresses and Ports ####<br>
listen {<br>
type = "auth"<br>
ipaddr = *<br>
port = 0<br>
}<br>
listen {<br>
type = "acct"<br>
ipaddr = *<br>
port = 0<br>
}<br>
listen {<br>
type = "control"<br>
listen {<br>
socket = "/var/run/radiusd/radiusd.sock"<br>
}<br>
}<br>
listen {<br>
type = "auth"<br>
ipaddr = 127.0.0.1<br>
port = 18120<br>
}<br>
... adding new socket proxy address * port 36934<br>
... adding new socket proxy address * port 33386<br>
Listening on authentication address * port 1812<br>
Listening on accounting address * port 1813<br>
Listening on command file /var/run/radiusd/radiusd.sock<br>
Listening on authentication address 127.0.0.1 port 18120 as server
inner-tunnel<br>
Listening on proxy address * port 1814<br>
Ready to process requests.<br>
rad_recv: Access-Request packet from host 127.0.0.1 port 57434,
id=0, length=126<br>
User-Name = "anonymous"<br>
NAS-IP-Address = 127.0.0.1<br>
Calling-Station-Id = "02-00-00-00-00-01"<br>
Framed-MTU = 1400<br>
NAS-Port-Type = Wireless-802.11<br>
Connect-Info = "CONNECT 11Mbps 802.11b"<br>
EAP-Message = 0x0200000e01616e6f6e796d6f7573<br>
Message-Authenticator = 0x1ce7f102551d22fcc6ba9815d29d098f<br>
server eduroam {<br>
# Executing section authorize from file
/etc/raddb/sites-enabled/eduroam<br>
+- entering group authorize {...}<br>
++[preprocess] returns ok<br>
[auth_log] expand:
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
-> /var/log/radius/radacct/127.0.0.1/auth-detail-20120618<br>
[auth_log]
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/127.0.0.1/auth-detail-20120618<br>
[auth_log] expand: %t -> Mon Jun 18 11:59:38 2012<br>
++[auth_log] returns ok<br>
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL<br>
[suffix] Found realm "NULL"<br>
[suffix] Adding Stripped-User-Name = "anonymous"<br>
[suffix] Adding Realm = "NULL"<br>
[suffix] Authentication realm is LOCAL.<br>
++[suffix] returns ok<br>
[eap] EAP packet type response id 0 length 14<br>
[eap] No EAP Start, assuming it's an on-going EAP conversation<br>
++[eap] returns updated<br>
++[expiration] returns noop<br>
++[logintime] returns noop<br>
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.<br>
++[pap] returns noop<br>
Found Auth-Type = EAP<br>
# Executing group from file /etc/raddb/sites-enabled/eduroam<br>
+- entering group authenticate {...}<br>
[eap] EAP Identity<br>
[eap] processing type tls<br>
[tls] Initiate<br>
[tls] Start returned 1<br>
++[eap] returns handled<br>
} # server eduroam<br>
Sending Access-Challenge of id 0 to 127.0.0.1 port 57434<br>
EAP-Message = 0x010100061520<br>
Message-Authenticator = 0x00000000000000000000000000000000<br>
State = 0x453e5638453f433c1dde145a555d75ae<br>
Finished request 0.<br>
Going to the next request<br>
Waking up in 4.9 seconds.<br>
rad_recv: Access-Request packet from host 127.0.0.1 port 57434,
id=1, length=225<br>
User-Name = "anonymous"<br>
NAS-IP-Address = 127.0.0.1<br>
Calling-Station-Id = "02-00-00-00-00-01"<br>
Framed-MTU = 1400<br>
NAS-Port-Type = Wireless-802.11<br>
Connect-Info = "CONNECT 11Mbps 802.11b"<br>
EAP-Message =
0x0201005f150016030100540100005003014fdefc0a35aa637e8a3b2e436e90f60e9e83e5b6c5631ebb720ffbd5e117812800002800390038003500160013000a00330032002f000500040015001200090014001100080006000300ff020100<br>
State = 0x453e5638453f433c1dde145a555d75ae<br>
Message-Authenticator = 0x960996a07cd20c784ce8b254694b6c90<br>
server eduroam {<br>
# Executing section authorize from file
/etc/raddb/sites-enabled/eduroam<br>
+- entering group authorize {...}<br>
++[preprocess] returns ok<br>
[auth_log] expand:
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
-> /var/log/radius/radacct/127.0.0.1/auth-detail-20120618<br>
[auth_log]
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/127.0.0.1/auth-detail-20120618<br>
[auth_log] expand: %t -> Mon Jun 18 11:59:38 2012<br>
++[auth_log] returns ok<br>
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL<br>
[suffix] Found realm "NULL"<br>
[suffix] Adding Stripped-User-Name = "anonymous"<br>
[suffix] Adding Realm = "NULL"<br>
[suffix] Authentication realm is LOCAL.<br>
++[suffix] returns ok<br>
[eap] EAP packet type response id 1 length 95<br>
[eap] Continuing tunnel setup.<br>
++[eap] returns ok<br>
Found Auth-Type = EAP<br>
# Executing group from file /etc/raddb/sites-enabled/eduroam<br>
+- entering group authenticate {...}<br>
[eap] Request found, released from the list<br>
[eap] EAP/ttls<br>
[eap] processing type ttls<br>
[ttls] Authenticate<br>
[ttls] processing EAP-TLS<br>
[ttls] eaptls_verify returned 7 <br>
[ttls] Done initial handshake<br>
[ttls] (other): before/accept initialization<br>
[ttls] TLS_accept: before/accept initialization<br>
[ttls] <<< TLS 1.0 Handshake [length 0054], ClientHello <br>
[ttls] TLS_accept: SSLv3 read client hello A<br>
[ttls] >>> TLS 1.0 Handshake [length 0031], ServerHello <br>
[ttls] TLS_accept: SSLv3 write server hello A<br>
[ttls] >>> TLS 1.0 Handshake [length 0920], Certificate <br>
[ttls] TLS_accept: SSLv3 write certificate A<br>
[ttls] >>> TLS 1.0 Handshake [length 020d],
ServerKeyExchange <br>
[ttls] TLS_accept: SSLv3 write key exchange A<br>
[ttls] >>> TLS 1.0 Handshake [length 0004],
ServerHelloDone <br>
[ttls] TLS_accept: SSLv3 write server done A<br>
[ttls] TLS_accept: SSLv3 flush data<br>
[ttls] TLS_accept: Need to read more data: SSLv3 read client
certificate A<br>
In SSL Handshake Phase <br>
In SSL Accept mode <br>
[ttls] eaptls_process returned 13 <br>
++[eap] returns handled<br>
} # server eduroam<br>
Sending Access-Challenge of id 1 to 127.0.0.1 port 57434<br>
EAP-Message =
0x0102040015c000000b7616030100310200002d03014fdefc0a8aff87adf2ab470247564a15f475076cf5c27c0b81400b87be48c892000039010005ff0100010016030109200b00091c0009190003e8308203e4308202cca003020102020101300d06092a864886f70d01010505003081bd310b3009060355040613025253310f300d060355040813065365726269613111300f0603550407130842656c677261646531333031060355040a132a5363686f6f6c206f66204d65646963696e652c20556e6976657273697479206f662042656c67726164653120301e06092a864886f70d010901161163696b74406d65642e62672e61632e727331333031<br>
EAP-Message =
0x0603550403132a5363686f6f6c206f66204d65646963696e652043657274696669636174696f6e20417574686f72697479301e170d3132303631363032343733355a170d3132303831353032343733355a308193310b3009060355040613025253310f300d0603550408130653657262696131333031060355040a132a5363686f6f6c206f66204d65646963696e652c20556e6976657273697479206f662042656c6772616465311c301a060355040313137261646975732e6d65642e62672e61632e72733120301e06092a864886f70d010901161163696b74406d65642e62672e61632e727330820122300d06092a864886f70d0101010500038201<br>
EAP-Message =
0x0f003082010a0282010100d7b1a23166efda162efe3b619671dc16aa89e337d70c55b4deb769d0b5136e8f7a098d83f6d30b7a60896ca1067f5b94de49d56bc1db3a7c874eab1f41101061886a1ef7d1f3b184cea254719a9f5781e8305cf2cd06921923b964ec94020e95fd53a9f7b8b00dad9c821901e53705f9763fdae2d9cb72167b4c770bc9c5b527fd3f11bd83ebbf957716c36764743ef8e3a93b8e8392ef4b5e0f1c3fcc6196d5796f444633c397f350367aa16d85db0dff74d66c3f7d664fbd1c64690e41e15b23a0dae9fabcb439455eb91054f348b605156f6167c4010fdc57e0fd286bd93ae5a31636c2b601f360191384afc480131583<br>
EAP-Message =
0x33a45b144e4308383fd57a8630730203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d0101050500038201010044b74245061b3b22760405c9d5f91cbd59e99c6c69716a2b9e73709f453bc962760dfde83c429c28970c9360e03760886604d99c33a9ea869a4a415bb2eb288421c193583e8fd440af40feda2db008a03160be444eb111e8441b4ff3f072dda6b456b52e0270aa9bacd3a08226f6ad01b0f480b5656433b56fabea5484f2eb2b0900aaea34603de355fc1084c7fe7ed3762e506a4da9188dc04616785bf3f42562ad4f9871df0d7559f0b42380995a4cd5167b2b1a6456b0585bce4a82<br>
EAP-Message = 0xc332ff74a92620533a7b61da<br>
Message-Authenticator = 0x00000000000000000000000000000000<br>
State = 0x453e5638443c433c1dde145a555d75ae<br>
Finished request 1.<br>
Going to the next request<br>
Waking up in 4.9 seconds.<br>
rad_recv: Access-Request packet from host 127.0.0.1 port 57434,
id=2, length=136<br>
User-Name = "anonymous"<br>
NAS-IP-Address = 127.0.0.1<br>
Calling-Station-Id = "02-00-00-00-00-01"<br>
Framed-MTU = 1400<br>
NAS-Port-Type = Wireless-802.11<br>
Connect-Info = "CONNECT 11Mbps 802.11b"<br>
EAP-Message = 0x020200061500<br>
State = 0x453e5638443c433c1dde145a555d75ae<br>
Message-Authenticator = 0xa3b3094ac897f879e1f4d836e982f0ee<br>
server eduroam {<br>
# Executing section authorize from file
/etc/raddb/sites-enabled/eduroam<br>
+- entering group authorize {...}<br>
++[preprocess] returns ok<br>
[auth_log] expand:
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
-> /var/log/radius/radacct/127.0.0.1/auth-detail-20120618<br>
[auth_log]
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/127.0.0.1/auth-detail-20120618<br>
[auth_log] expand: %t -> Mon Jun 18 11:59:38 2012<br>
++[auth_log] returns ok<br>
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL<br>
[suffix] Found realm "NULL"<br>
[suffix] Adding Stripped-User-Name = "anonymous"<br>
[suffix] Adding Realm = "NULL"<br>
[suffix] Authentication realm is LOCAL.<br>
++[suffix] returns ok<br>
[eap] EAP packet type response id 2 length 6<br>
[eap] Continuing tunnel setup.<br>
++[eap] returns ok<br>
Found Auth-Type = EAP<br>
# Executing group from file /etc/raddb/sites-enabled/eduroam<br>
+- entering group authenticate {...}<br>
[eap] Request found, released from the list<br>
[eap] EAP/ttls<br>
[eap] processing type ttls<br>
[ttls] Authenticate<br>
[ttls] processing EAP-TLS<br>
[ttls] Received TLS ACK<br>
[ttls] ACK handshake fragment handler<br>
[ttls] eaptls_verify returned 1 <br>
[ttls] eaptls_process returned 13 <br>
++[eap] returns handled<br>
} # server eduroam<br>
Sending Access-Challenge of id 2 to 127.0.0.1 port 57434<br>
EAP-Message =
0x0103040015c000000b767190effa7c037121c8eaa8702f555ead739aceed753b5959e59bc050b756d274cc85e5d6e6701f3981baae062502de1480a1695c0f54d500052b308205273082040fa003020102020900cb73058e093a87dc300d06092a864886f70d01010505003081bd310b3009060355040613025253310f300d060355040813065365726269613111300f0603550407130842656c677261646531333031060355040a132a5363686f6f6c206f66204d65646963696e652c20556e6976657273697479206f662042656c67726164653120301e06092a864886f70d010901161163696b74406d65642e62672e61632e727331333031060355<br>
EAP-Message =
0x0403132a5363686f6f6c206f66204d65646963696e652043657274696669636174696f6e20417574686f72697479301e170d3132303631363032343733355a170d3132303831353032343733355a3081bd310b3009060355040613025253310f300d060355040813065365726269613111300f0603550407130842656c677261646531333031060355040a132a5363686f6f6c206f66204d65646963696e652c20556e6976657273697479206f662042656c67726164653120301e06092a864886f70d010901161163696b74406d65642e62672e61632e7273313330310603550403132a5363686f6f6c206f66204d65646963696e6520436572746966<br>
EAP-Message =
0x69636174696f6e20417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100cd1d33bc86769aab2584b35488d4adbb56935d320ca011116d7a3da9aa7b331cd98db824215b4328f742a62825df0cc2b8cf7a0e3599e5cf54080334bca0d7360bec4961d34c58525302fb74a140b32e2815c67ebdf46d470759c6e55398bbe822efb14fb1e94338cb37cf12814f6c2c69af576bda232a01cbe7ba1a2f48f740f44a2942c7ea50c3be896372d6a972b0c29fc39e8de188891c9b273a90bcf8021d6185fb679d77f482bee8d8ec727535aaf66c93b41bb8c4e5499e3b7f7894cbbd1505c5fa9c3e4c8d1166<br>
EAP-Message =
0x9c58ce4f2d041fc783d9397acf87d083a5041a77a534f0fb5dfe8d8d85cc011fb63af7060a54ebcd5e1667a9874284430c3be348e90203010001a382012630820122301d0603551d0e04160414b7dc49418f1a1fe4235e3a3a53de7b35691c8c9c3081f20603551d230481ea3081e78014b7dc49418f1a1fe4235e3a3a53de7b35691c8c9ca181c3a481c03081bd310b3009060355040613025253310f300d060355040813065365726269613111300f0603550407130842656c677261646531333031060355040a132a5363686f6f6c206f66204d65646963696e652c20556e6976657273697479206f662042656c67726164653120301e06092a8648<br>
EAP-Message = 0x86f70d010901161163696b74<br>
Message-Authenticator = 0x00000000000000000000000000000000<br>
State = 0x453e5638473d433c1dde145a555d75ae<br>
Finished request 2.<br>
Going to the next request<br>
Waking up in 4.9 seconds.<br>
rad_recv: Access-Request packet from host 127.0.0.1 port 57434,
id=3, length=136<br>
User-Name = "anonymous"<br>
NAS-IP-Address = 127.0.0.1<br>
Calling-Station-Id = "02-00-00-00-00-01"<br>
Framed-MTU = 1400<br>
NAS-Port-Type = Wireless-802.11<br>
Connect-Info = "CONNECT 11Mbps 802.11b"<br>
EAP-Message = 0x020300061500<br>
State = 0x453e5638473d433c1dde145a555d75ae<br>
Message-Authenticator = 0xab683dac1c19264b7cefbfb39f1036e4<br>
server eduroam {<br>
# Executing section authorize from file
/etc/raddb/sites-enabled/eduroam<br>
+- entering group authorize {...}<br>
++[preprocess] returns ok<br>
[auth_log] expand:
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
-> /var/log/radius/radacct/127.0.0.1/auth-detail-20120618<br>
[auth_log]
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/127.0.0.1/auth-detail-20120618<br>
[auth_log] expand: %t -> Mon Jun 18 11:59:38 2012<br>
++[auth_log] returns ok<br>
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL<br>
[suffix] Found realm "NULL"<br>
[suffix] Adding Stripped-User-Name = "anonymous"<br>
[suffix] Adding Realm = "NULL"<br>
[suffix] Authentication realm is LOCAL.<br>
++[suffix] returns ok<br>
[eap] EAP packet type response id 3 length 6<br>
[eap] Continuing tunnel setup.<br>
++[eap] returns ok<br>
Found Auth-Type = EAP<br>
# Executing group from file /etc/raddb/sites-enabled/eduroam<br>
+- entering group authenticate {...}<br>
[eap] Request found, released from the list<br>
[eap] EAP/ttls<br>
[eap] processing type ttls<br>
[ttls] Authenticate<br>
[ttls] processing EAP-TLS<br>
[ttls] Received TLS ACK<br>
[ttls] ACK handshake fragment handler<br>
[ttls] eaptls_verify returned 1 <br>
[ttls] eaptls_process returned 13 <br>
++[eap] returns handled<br>
} # server eduroam<br>
Sending Access-Challenge of id 3 to 127.0.0.1 port 57434<br>
EAP-Message =
0x01040394158000000b76406d65642e62672e61632e7273313330310603550403132a5363686f6f6c206f66204d65646963696e652043657274696669636174696f6e20417574686f72697479820900cb73058e093a87dc300c0603551d13040530030101ff300d06092a864886f70d010105050003820101006069bb5c8707f0caca80d1998f57a5ab0bf43843b6359b91085100a3fcd29348b669e5cfdff8ef56a583af32823d20a34f213a0bee64d360319eab9b6cb936a78f4345e96139b36caa0f394e850a20e9b2b96cbda103eabf7533af89f84731b82d7599a592455a0d8f10c6fc3eaebff1939d74609589fc820372df3d16414aa5c4f14e0d<br>
EAP-Message =
0xe6d9375f29d21aa334834aefe4de97c9076f6f59d538c973884a5929440962f02c1f05692564b636bd8f2b33dab7e387c5190e0d4a9894304d4c41651ff78feec39bba7d9590ac6e5a423cc83a63c26d47bea741cb0af86017727c7d2a16b611a9374d3d8c2a7d6773eef0d0a3f15b0288d7d4d2f0d0376d9dc0d91b160301020d0c00020900809581c2d77458ae39e8ced3fc1c136cdf0e5c874f0145a1ba3b1cadd518c96731cf5ce5ffdb56d03d05fd3920b7e19d3bd0435ca1ae9bd7c7888e953c4f4c572bb511a70579b804f7f7cc5392222e6fe69cac502f39bf2166c7281fd6ddedfc9a5934dbdb44133155fe1f89cf6b33db04059e65164fb0<br>
EAP-Message =
0xf060679b652950dab40b00010200800ed41ea9a51c998c4f28af7bfa7e70b31a5baf43a288bf5c40ed11226423740f5a79393a18b936d417fe3156726fd8d3017faa90807b1924beb8ba713b585c03fdd8e401576caee1d777b6b7e876afd14a5b4fc9902484c04a28cb14a04718f45e294c86bdb06bce91c9002d345bd7411e77bc4e07cea999589bbdebc0f20c1701004b5fac779365dafeca7ef4696018786c2fa7c9b70579b45182df31d5c1f70751076524d3196265774ed43c460fa8991a6aad5506125c17f46614d8ec7ad5ad621aab6be4f7cf7d21d17f37b3bad0bcb1a8206a77a3c2f1789ef2bebf81926b429255f1e513f97e00c71540b6<br>
EAP-Message =
0x2f4821bea23b5cff0a7d3990578d637d2644223669454da8f87a85d22cb30008a01230edcfeee10c19cab0697e3c1e98ca88ec691eebb16e6b3ecba362ed16e0d01690f4264191dc2e3d77f4af8a6481968a0c936d3e69c9f818d724f1c7e8cda71a1d424b016c9c669c153607d196eaa753a20ef07ee60b920849cd38087231067a53bc5cde17c3664302856b61f434968c22bf16030100040e000000<br>
Message-Authenticator = 0x00000000000000000000000000000000<br>
State = 0x453e5638463a433c1dde145a555d75ae<br>
Finished request 3.<br>
Going to the next request<br>
Waking up in 4.9 seconds.<br>
rad_recv: Access-Request packet from host 127.0.0.1 port 57434,
id=4, length=334<br>
User-Name = "anonymous"<br>
NAS-IP-Address = 127.0.0.1<br>
Calling-Station-Id = "02-00-00-00-00-01"<br>
Framed-MTU = 1400<br>
NAS-Port-Type = Wireless-802.11<br>
Connect-Info = "CONNECT 11Mbps 802.11b"<br>
EAP-Message =
0x020400cc150016030100861000008200804947f508ab581679165a93c50e5588f04e8e34bef4b96e49115c604a5012d77ed91e7003b1e5d72cd2585c830fe047329ece54be7e4b482d67ead0b996de2c7036893af0bf556b8c2d0a345756b5f4f6c34ef3d7a438ef6596de4b722eebc538222a1ae3141433123867a99fca7debea94caf233eee09c4d1f8fc4986355b771140301000101160301003024c728b211d0593f1a575c7f570f7cd38dfbfe14c76a92baf855b3d245407a1ac4497e4349e0450a70857a9685355d39<br>
State = 0x453e5638463a433c1dde145a555d75ae<br>
Message-Authenticator = 0x6cb71a422ffeaad397d8c36e03ff6703<br>
server eduroam {<br>
# Executing section authorize from file
/etc/raddb/sites-enabled/eduroam<br>
+- entering group authorize {...}<br>
++[preprocess] returns ok<br>
[auth_log] expand:
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
-> /var/log/radius/radacct/127.0.0.1/auth-detail-20120618<br>
[auth_log]
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/127.0.0.1/auth-detail-20120618<br>
[auth_log] expand: %t -> Mon Jun 18 11:59:38 2012<br>
++[auth_log] returns ok<br>
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL<br>
[suffix] Found realm "NULL"<br>
[suffix] Adding Stripped-User-Name = "anonymous"<br>
[suffix] Adding Realm = "NULL"<br>
[suffix] Authentication realm is LOCAL.<br>
++[suffix] returns ok<br>
[eap] EAP packet type response id 4 length 204<br>
[eap] Continuing tunnel setup.<br>
++[eap] returns ok<br>
Found Auth-Type = EAP<br>
# Executing group from file /etc/raddb/sites-enabled/eduroam<br>
+- entering group authenticate {...}<br>
[eap] Request found, released from the list<br>
[eap] EAP/ttls<br>
[eap] processing type ttls<br>
[ttls] Authenticate<br>
[ttls] processing EAP-TLS<br>
[ttls] eaptls_verify returned 7 <br>
[ttls] Done initial handshake<br>
[ttls] <<< TLS 1.0 Handshake [length 0086],
ClientKeyExchange <br>
[ttls] TLS_accept: SSLv3 read client key exchange A<br>
[ttls] <<< TLS 1.0 ChangeCipherSpec [length 0001] <br>
[ttls] <<< TLS 1.0 Handshake [length 0010], Finished <br>
[ttls] TLS_accept: SSLv3 read finished A<br>
[ttls] >>> TLS 1.0 ChangeCipherSpec [length 0001] <br>
[ttls] TLS_accept: SSLv3 write change cipher spec A<br>
[ttls] >>> TLS 1.0 Handshake [length 0010], Finished <br>
[ttls] TLS_accept: SSLv3 write finished A<br>
[ttls] TLS_accept: SSLv3 flush data<br>
[ttls] (other): SSL negotiation finished successfully<br>
SSL Connection Established <br>
[ttls] eaptls_process returned 13 <br>
++[eap] returns handled<br>
} # server eduroam<br>
Sending Access-Challenge of id 4 to 127.0.0.1 port 57434<br>
EAP-Message =
0x0105004515800000003b1403010001011603010030d13042ffaa9f5208530f9d196691755fe795dbe60c277e81e11947821f2698414cce5df41150a18716654f9fee2c4068<br>
Message-Authenticator = 0x00000000000000000000000000000000<br>
State = 0x453e5638413b433c1dde145a555d75ae<br>
Finished request 4.<br>
Going to the next request<br>
Waking up in 4.9 seconds.<br>
rad_recv: Access-Request packet from host 127.0.0.1 port 57434,
id=5, length=242<br>
User-Name = "anonymous"<br>
NAS-IP-Address = 127.0.0.1<br>
Calling-Station-Id = "02-00-00-00-00-01"<br>
Framed-MTU = 1400<br>
NAS-Port-Type = Wireless-802.11<br>
Connect-Info = "CONNECT 11Mbps 802.11b"<br>
EAP-Message =
0x02050070150017030100202b83edb5b87ff66b7b5d13339196f62f8e44061ac02821a6ab8f5fe44aa5ff6b17030100404de9cda8169d8c9e0969a9fb2245697166f27290ce6f23473c57364c7d5ae08e85039938f8cbb126727f888bf92807c008c7f46f8b1e0f9c42e504b25f8c3bb2<br>
State = 0x453e5638413b433c1dde145a555d75ae<br>
Message-Authenticator = 0x6197eff33cfffb5b484c44e49735b5d4<br>
server eduroam {<br>
# Executing section authorize from file
/etc/raddb/sites-enabled/eduroam<br>
+- entering group authorize {...}<br>
++[preprocess] returns ok<br>
[auth_log] expand:
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
-> /var/log/radius/radacct/127.0.0.1/auth-detail-20120618<br>
[auth_log]
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/127.0.0.1/auth-detail-20120618<br>
[auth_log] expand: %t -> Mon Jun 18 11:59:38 2012<br>
++[auth_log] returns ok<br>
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL<br>
[suffix] Found realm "NULL"<br>
[suffix] Adding Stripped-User-Name = "anonymous"<br>
[suffix] Adding Realm = "NULL"<br>
[suffix] Authentication realm is LOCAL.<br>
++[suffix] returns ok<br>
[eap] EAP packet type response id 5 length 112<br>
[eap] Continuing tunnel setup.<br>
++[eap] returns ok<br>
Found Auth-Type = EAP<br>
# Executing group from file /etc/raddb/sites-enabled/eduroam<br>
+- entering group authenticate {...}<br>
[eap] Request found, released from the list<br>
[eap] EAP/ttls<br>
[eap] processing type ttls<br>
[ttls] Authenticate<br>
[ttls] processing EAP-TLS<br>
[ttls] eaptls_verify returned 7 <br>
[ttls] Done initial handshake<br>
[ttls] eaptls_process returned 7 <br>
[ttls] Session established. Proceeding to decode tunneled
attributes.<br>
[ttls] Got tunneled request<br>
EAP-Message =
0x0200001a017465737475736572406d65642e62672e61632e7273<br>
FreeRADIUS-Proxied-To = 127.0.0.1<br>
[ttls] Got tunneled identity of <a class="moz-txt-link-abbreviated" href="mailto:testuser@med.bg.ac.rs">testuser@med.bg.ac.rs</a><br>
[ttls] Setting default EAP type for tunneled EAP session.<br>
[ttls] Sending tunneled request<br>
EAP-Message =
0x0200001a017465737475736572406d65642e62672e61632e7273<br>
FreeRADIUS-Proxied-To = 127.0.0.1<br>
User-Name = <a class="moz-txt-link-rfc2396E" href="mailto:testuser@med.bg.ac.rs">"testuser@med.bg.ac.rs"</a><br>
server eduroam-inner-tunnel {<br>
# Executing section authorize from file
/etc/raddb/sites-enabled/eduroam-inner-tunnel<br>
+- entering group authorize {...}<br>
[auth_log] expand:
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
-> /var/log/radius/radacct/127.0.0.1/auth-detail-20120618<br>
[auth_log]
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/127.0.0.1/auth-detail-20120618<br>
[auth_log] expand: %t -> Mon Jun 18 11:59:38 2012<br>
++[auth_log] returns ok<br>
[suffix] Looking up realm "med.bg.ac.rs" for User-Name =
<a class="moz-txt-link-rfc2396E" href="mailto:testuser@med.bg.ac.rs">"testuser@med.bg.ac.rs"</a><br>
[suffix] Found realm "med.bg.ac.rs"<br>
[suffix] Adding Stripped-User-Name = "testuser"<br>
[suffix] Adding Realm = "med.bg.ac.rs"<br>
[suffix] Authentication realm is LOCAL.<br>
++[suffix] returns ok<br>
++[control] returns ok<br>
[eap] EAP packet type response id 0 length 26<br>
[eap] No EAP Start, assuming it's an on-going EAP conversation<br>
++[eap] returns updated<br>
++[files] returns noop<br>
++[expiration] returns noop<br>
++[logintime] returns noop<br>
[ntlm_auth] expand: %{User-Name} -> <a class="moz-txt-link-abbreviated" href="mailto:testuser@med.bg.ac.rs">testuser@med.bg.ac.rs</a><br>
[ntlm_auth] expand: %{Cleartext-Password} -> <br>
Exec-Program output: <br>
Exec-Program: returned: 1<br>
++[ntlm_auth] returns reject<br>
Invalid user: [<a class="moz-txt-link-abbreviated" href="mailto:testuser@med.bg.ac.rs/">testuser@med.bg.ac.rs/</a><via Auth-Type =
ntlm_auth>] (from client localhost port 0 via TLS tunnel)<br>
} # server eduroam-inner-tunnel<br>
[ttls] Got tunneled reply code 3<br>
[ttls] Got tunneled Access-Reject<br>
[eap] Handler failed in EAP/ttls<br>
rlm_eap_ttls: Freeing handler for user <a class="moz-txt-link-abbreviated" href="mailto:testuser@med.bg.ac.rs">testuser@med.bg.ac.rs</a><br>
[eap] Failed in EAP select<br>
++[eap] returns invalid<br>
Failed to authenticate the user.<br>
Login incorrect: [anonymous/<via Auth-Type = EAP>] (from
client localhost port 0 cli 02-00-00-00-00-01)<br>
} # server eduroam<br>
Using Post-Auth-Type Reject<br>
# Executing group from file /etc/raddb/sites-enabled/eduroam<br>
+- entering group REJECT {...}<br>
[attr_filter.access_reject] expand: %{User-Name} -> anonymous<br>
attr_filter: Matched entry DEFAULT at line 11<br>
++[attr_filter.access_reject] returns updated<br>
Delaying reject of request 5 for 1 seconds<br>
Going to the next request<br>
Waking up in 0.9 seconds.<br>
Sending delayed reject for request 5<br>
Sending Access-Reject of id 5 to 127.0.0.1 port 57434<br>
EAP-Message = 0x04050004<br>
Message-Authenticator = 0x00000000000000000000000000000000<br>
Waking up in 3.9 seconds.<br>
Cleaning up request 0 ID 0 with timestamp +5<br>
Cleaning up request 1 ID 1 with timestamp +5<br>
Cleaning up request 2 ID 2 with timestamp +5<br>
Cleaning up request 3 ID 3 with timestamp +5<br>
Cleaning up request 4 ID 4 with timestamp +5<br>
Waking up in 1.0 seconds.<br>
Cleaning up request 5 ID 5 with timestamp +5<br>
Ready to process requests.<br>
<div class="moz-signature">-- <br>
<b>Veselin Mijušković</b><br>
Senior System Administrator<br>
School of Electrical Engineering's Computing Centre<br>
University of Belgrade * Serbia * <a class="moz-txt-link-abbreviated" href="http://www.etf.bg.ac.rs">www.etf.bg.ac.rs</a><br>
</div>
</body>
</html>