<div dir="ltr">Here is the debug. For some reason my user dfleming is being accepted even though the cisco-avpair does not match. Please see debug and layout of mysql tables below. My aplogies to the moderator as I trimmed the message to under 100kb.<br>
<br>khadmin@BSpa-KH-DaloRadius01:~$ sudo freeradius -X<br>FreeRADIUS Version 2.1.12, for host i686-pc-linux-gnu, built on Feb 24 2014 at 15:00:10<br>....<br>Ready to process requests.<br><br>! Connecting client that should be rejected dfleming<br>
<br>Going to the next request<br>Waking up in 4.9 seconds.<br>rad_recv: Access-Request packet from host 10.10.5.10 port 1645, id=104, length=224<br>User-Name = "dfleming"<br>Framed-MTU = 1400<br>Called-Station-Id = "A8-B1-D4-21-73-41:BSpa-KH-Mgmt"<br>
Calling-Station-Id = "80-1F-02-D3-97-74"<br>Cisco-AVPair = "ssid=BSpa-KH-Mgmt"<br>Service-Type = Login-User<br>Cisco-AVPair = "service-type=Login"<br>Message-Authenticator = 0x56c8d1976c38d0c15b3b7510788d1114<br>
EAP-Message = 0x020300060319<br>NAS-Port-Type = Wireless-802.11<br>NAS-Port = 366<br>NAS-Port-Id = "366"<br>State = 0xe398c72ae39bc3112b2facf2414ef68a<br>NAS-IP-Address = 10.10.5.10<br>NAS-Identifier = "BSpa-KH-AP1"<br>
# Executing section authorize from file /etc/freeradius/sites-enabled/default<br>+- entering group authorize {...}<br>++[preprocess] returns ok<br>++[chap] returns noop<br>++[mschap] returns noop<br>++[digest] returns noop<br>
[suffix] No '@' in User-Name = "dfleming", looking up realm NULL<br>[suffix] No such realm "NULL"<br>++[suffix] returns noop<br>[eap] EAP packet type response id 3 length 6<br>[eap] No EAP Start, assuming it's an on-going EAP conversation<br>
++[eap] returns updated<br>[sql] expand: %{User-Name} -> dfleming<br>[sql] sql_set_user escaped user --> 'dfleming'<br>rlm_sql (sql): Reserving sql socket id: 4<br>[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'dfleming' ORDER BY id<br>
rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'dfleming' ORDER BY id<br>[sql] User found in radcheck table<br>[sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'dfleming' ORDER BY id<br>
rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'dfleming' ORDER BY id<br>[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'dfleming' ORDER BY priority<br>
rlm_sql_mysql: query: SELECT groupname FROM radusergroup WHERE username = 'dfleming' ORDER BY priority<br>[sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'Test' ORDER BY id<br>
rlm_sql_mysql: query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'Test' ORDER BY id<br>rlm_sql (sql): Released sql socket id: 4<br>++[sql] returns ok<br>
++[expiration] returns noop<br>++[logintime] returns noop<br>[pap] WARNING: Auth-Type already set. Not setting to PAP<br>++[pap] returns noop<br>Found Auth-Type = EAP<br># Executing group from file /etc/freeradius/sites-enabled/default<br>
+- entering group authenticate {...}<br>[eap] Request found, released from the list<br>[eap] EAP NAK<br>[eap] EAP-NAK asked for EAP-Type/peap<br>[eap] processing type tls<br>[tls] Initiate<br>[tls] Start returned 1<br>++[eap] returns handled<br>
Sending Access-Challenge of id 104 to 10.10.5.10 port 1645<br>EAP-Message = 0x010400061920<br>Message-Authenticator = 0x00000000000000000000000000000000<br>State = 0xe398c72ae29cde112b2facf2414ef68a<br>Finished request 9.<br>
Going to the next request<br>Waking up in 4.9 seconds.<br>rad_recv: Access-Request packet from host 10.10.5.10 port 1645, id=105, length=323<br>User-Name = "dfleming"<br>Framed-MTU = 1400<br>Called-Station-Id = "A8-B1-D4-21-73-41:BSpa-KH-Mgmt"<br>
Calling-Station-Id = "80-1F-02-D3-97-74"<br>Cisco-AVPair = "ssid=BSpa-KH-Mgmt"<br>Service-Type = Login-User<br>Cisco-AVPair = "service-type=Login"<br>Message-Authenticator = 0x705abcc41bc6453d98e488076368d5b0<br>
EAP-Message = 0x0204006919800000005f160301005a01000056030153d0fc4150ae5171e308a2672ae8b0c2c02f72ec78a1f46b4988a1b7e7f83e73000018002f00350005000ac013c014c009c00a003200380013000401000015ff01000100000a0006000400170018000b00020100<br>
NAS-Port-Type = Wireless-802.11<br>NAS-Port = 366<br>NAS-Port-Id = "366"<br>State = 0xe398c72ae29cde112b2facf2414ef68a<br>NAS-IP-Address = 10.10.5.10<br>NAS-Identifier = "BSpa-KH-AP1"<br># Executing section authorize from file /etc/freeradius/sites-enabled/default<br>
+- entering group authorize {...}<br>++[preprocess] returns ok<br>++[chap] returns noop<br>++[mschap] returns noop<br>++[digest] returns noop<br>[suffix] No '@' in User-Name = "dfleming", looking up realm NULL<br>
[suffix] No such realm "NULL"<br>++[suffix] returns noop<br>[eap] EAP packet type response id 4 length 105<br>[eap] Continuing tunnel setup.<br>++[eap] returns ok<br>Found Auth-Type = EAP<br># Executing group from file /etc/freeradius/sites-enabled/default<br>
+- entering group authenticate {...}<br>[eap] Request found, released from the list<br>[eap] EAP/peap<br>[eap] processing type peap<br>[peap] processing EAP-TLS<br> TLS Length 95<br>[peap] Length Included<br>[peap] eaptls_verify returned 11 <br>
[peap] (other): before/accept initialization<br>[peap] TLS_accept: before/accept initialization<br>[peap] <<< TLS 1.0 Handshake [length 005a], ClientHello <br>[peap] TLS_accept: SSLv3 read client hello A<br>
[peap] >>> TLS 1.0 Handshake [length 0031], ServerHello <br>[peap] TLS_accept: SSLv3 write server hello A<br>[peap] >>> TLS 1.0 Handshake [length 02dc], Certificate <br>[peap] TLS_accept: SSLv3 write certificate A<br>
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone <br>[peap] TLS_accept: SSLv3 write server done A<br>[peap] TLS_accept: SSLv3 flush data<br>[peap] TLS_accept: Need to read more data: SSLv3 read client certificate A<br>
In SSL Handshake Phase <br>In SSL Accept mode <br>[peap] eaptls_process returned 13 <br>[peap] EAPTLS_HANDLED<br>++[eap] returns handled<br>Sending Access-Challenge of id 105 to 10.10.5.10 port 1645<br>EAP-Message = 0x01050326190016030100310200002d03010c97450f25def4ced7dc7df384079486f3542d07e6833013a884eb6bfb0bb94100002f000005ff0100010016030102dc0b0002d80002d50002d2308202ce308201b6a003020102020900822e76b7f4e676e6300d06092a864886f70d01010b0500301f311d301b06035504031314425370612d4b482d44616c6f5261646975733031301e170d3134303731363139303331345a170d3234303731333139303331345a301f311d301b06035504031314425370612d4b482d44616c6f526164697573303130820122300d06092a864886f70d01010105000382010f003082010a0282010100bd678d84e6eea050<br>
EAP-Message = 0xf696bcf0d3ea9ac8dcc3895e630b82e19179fdf0bc32cbb9e38b749f7972e9b587116ef4e0962859d179ce4f59861167882f74aeef86e4a0e1fa808b84d034d0d0948f0a121690d58ba805a62fd3212cdabc26599ac01f6ae0f992d111e052a8cf5b3147301f63d76591be067e58d7939d0434bc135c606ae8843f81d47db30f2e2ec75faa656ee1744d1bcddbfaab9c25fbd573d82c024841e3fb98da541915e7d21c6f08dd7eddb9dc03fc8062512d649fc96be72a51b62fc05d3cadd285ee4858cdc52b90823c99de6130157151d0b12bbaee10bb574671052ef36786e9ccdad6be4209150df2db1b6c57ae25e0310ff2de90399678610203010001<br>
EAP-Message = 0xa30d300b30090603551d1304023000300d06092a864886f70d01010b050003820101004e8a90c9aa3f6aab067342e1a11faf0c678c2f7f4674372f9964687580fe9bb6185570fbe203d7f03a7140c607e0e3a4c76463754f380db2fe4f1e59eb759cb64ee43c51fb22f1d8f2027b8b695bae6185bbccf927a29b3c4cf96de82394521bbe90cc6467d05546c04e76cedb9483ab55de6450f06a924e176f532ebb75688d32f4b2d901db683c6deced70d56c6f811311d104b18720ab7c62803dbda5126ad15fe966ad36171fe6cf6f4f75b7eded5b4bee5f6ac5be52943cd9ae276d7a7f4ca26fb40bd4c92c12fb907f121b78c071f386f84ada8fa48a0c<br>
EAP-Message = 0x97087d75ba9109d5bc56a0df73634094328e929b39a58e2c31b88b38be212a5dfd8544d0a63c16030100040e000000<br>Message-Authenticator = 0x00000000000000000000000000000000<br>State = 0xe398c72ae19dde112b2facf2414ef68a<br>
Finished request 10.<br>Going to the next request<br>Waking up in 4.9 seconds.<br>rad_recv: Access-Request packet from host 10.10.5.10 port 1645, id=106, length=556<br>User-Name = "dfleming"<br>Framed-MTU = 1400<br>
Called-Station-Id = "A8-B1-D4-21-73-41:BSpa-KH-Mgmt"<br>Calling-Station-Id = "80-1F-02-D3-97-74"<br>Cisco-AVPair = "ssid=BSpa-KH-Mgmt"<br>Service-Type = Login-User<br>Cisco-AVPair = "service-type=Login"<br>
Message-Authenticator = 0xcd089534fccab7db28693d5b9d86a442<br>EAP-Message = 0x02050150198000000146160301010610000102010022bd3a65d01781fa46b75b886bad8c50420d06048d350a244d2a70f4d676c8000374ebc77170059405c33a7910fd709d2829a1471f91a01c4a2a44adec666eb77a5d05995485115cb1d6854ca0fcf370ae2108ca25706257a7af922ec783a8442a9838e03496200e8bec1214d3f5c6af905c2a2e080f0354f9f37e29e96a6b23ad4ea4a7048bec25a870f3c53bceb0b95ed97e2d145b506ced5a94a1e6b2d79a031a58c445a698ec388e48abd18c466c2f1170d400b2d78cbb5c150f2c69d1889a84e4a20251457d3b3edd8d9d2ceb2b681b4ab9e926ae41b07380e6d44405cedf893b39da921314<br>
EAP-Message = 0x94b437e41da7e053b8335b25d4f8a846c4554efb002cc8ec14030100010116030100304b985086678690c358d8a71cca3bd01d6792bf0f15f1387921d08f3ab7ebc8c8d27604abcc1facbd4e0674db9dd3925c<br>NAS-Port-Type = Wireless-802.11<br>
NAS-Port = 366<br>NAS-Port-Id = "366"<br>State = 0xe398c72ae19dde112b2facf2414ef68a<br>NAS-IP-Address = 10.10.5.10<br>NAS-Identifier = "BSpa-KH-AP1"<br># Executing section authorize from file /etc/freeradius/sites-enabled/default<br>
+- entering group authorize {...}<br>++[preprocess] returns ok<br>++[chap] returns noop<br>++[mschap] returns noop<br>++[digest] returns noop<br>[suffix] No '@' in User-Name = "dfleming", looking up realm NULL<br>
[suffix] No such realm "NULL"<br>++[suffix] returns noop<br>[eap] EAP packet type response id 5 length 253<br>[eap] Continuing tunnel setup.<br>++[eap] returns ok<br>Found Auth-Type = EAP<br># Executing group from file /etc/freeradius/sites-enabled/default<br>
+- entering group authenticate {...}<br>[eap] Request found, released from the list<br>[eap] EAP/peap<br>[eap] processing type peap<br>[peap] processing EAP-TLS<br> TLS Length 326<br>[peap] Length Included<br>[peap] eaptls_verify returned 11 <br>
[peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange <br>[peap] TLS_accept: SSLv3 read client key exchange A<br>[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] <br>[peap] <<< TLS 1.0 Handshake [length 0010], Finished <br>
[peap] TLS_accept: SSLv3 read finished A<br>[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] <br>[peap] TLS_accept: SSLv3 write change cipher spec A<br>[peap] >>> TLS 1.0 Handshake [length 0010], Finished <br>
[peap] TLS_accept: SSLv3 write finished A<br>[peap] TLS_accept: SSLv3 flush data<br>[peap] (other): SSL negotiation finished successfully<br>SSL Connection Established <br>[peap] eaptls_process returned 13 <br>
[peap] EAPTLS_HANDLED<br>++[eap] returns handled<br>Sending Access-Challenge of id 106 to 10.10.5.10 port 1645<br>EAP-Message = 0x01060041190014030100010116030100309e49c5fe400c66b74f39bfdcaf566e506165f4805af06d42706bd2ca4160016223229a71052b67ec2140e7bcedb29055<br>
Message-Authenticator = 0x00000000000000000000000000000000<br>State = 0xe398c72ae09ede112b2facf2414ef68a<br>Finished request 11.<br>Going to the next request<br>Waking up in 4.8 seconds.<br>rad_recv: Access-Request packet from host 10.10.5.10 port 1645, id=107, length=224<br>
User-Name = "dfleming"<br>Framed-MTU = 1400<br>Called-Station-Id = "A8-B1-D4-21-73-41:BSpa-KH-Mgmt"<br>Calling-Station-Id = "80-1F-02-D3-97-74"<br>Cisco-AVPair = "ssid=BSpa-KH-Mgmt"<br>
Service-Type = Login-User<br>Cisco-AVPair = "service-type=Login"<br>Message-Authenticator = 0x903e413386202060c488c16f2f3e84de<br>EAP-Message = 0x020600061900<br>NAS-Port-Type = Wireless-802.11<br>NAS-Port = 366<br>
NAS-Port-Id = "366"<br>State = 0xe398c72ae09ede112b2facf2414ef68a<br>NAS-IP-Address = 10.10.5.10<br>NAS-Identifier = "BSpa-KH-AP1"<br># Executing section authorize from file /etc/freeradius/sites-enabled/default<br>
+- entering group authorize {...}<br>++[preprocess] returns ok<br>++[chap] returns noop<br>++[mschap] returns noop<br>++[digest] returns noop<br>[suffix] No '@' in User-Name = "dfleming", looking up realm NULL<br>
[suffix] No such realm "NULL"<br>++[suffix] returns noop<br>[eap] EAP packet type response id 6 length 6<br>[eap] Continuing tunnel setup.<br>++[eap] returns ok<br>Found Auth-Type = EAP<br># Executing group from file /etc/freeradius/sites-enabled/default<br>
+- entering group authenticate {...}<br>[eap] Request found, released from the list<br>[eap] EAP/peap<br>[eap] processing type peap<br>[peap] processing EAP-TLS<br>[peap] Received TLS ACK<br>[peap] ACK handshake is finished<br>
[peap] eaptls_verify returned 3 <br>[peap] eaptls_process returned 3 <br>[peap] EAPTLS_SUCCESS<br>[peap] Session established. Decoding tunneled attributes.<br>[peap] Peap state TUNNEL ESTABLISHED<br>++[eap] returns handled<br>
Sending Access-Challenge of id 107 to 10.10.5.10 port 1645<br>EAP-Message = 0x0107002b1900170301002072b66494c00c9860d7ae27b5bdc316d95c67942e3d6909bd14b8e95144dad15c<br>Message-Authenticator = 0x00000000000000000000000000000000<br>
State = 0xe398c72ae79fde112b2facf2414ef68a<br>Finished request 12.<br>Going to the next request<br>Waking up in 4.8 seconds.<br>rad_recv: Access-Request packet from host 10.10.5.10 port 1645, id=108, length=261<br>User-Name = "dfleming"<br>
Framed-MTU = 1400<br>Called-Station-Id = "A8-B1-D4-21-73-41:BSpa-KH-Mgmt"<br>Calling-Station-Id = "80-1F-02-D3-97-74"<br>Cisco-AVPair = "ssid=BSpa-KH-Mgmt"<br>Service-Type = Login-User<br>Cisco-AVPair = "service-type=Login"<br>
Message-Authenticator = 0xd80759bc82877237c5ee00bb4982f0d3<br>EAP-Message = 0x0207002b190017030100200229e07a3163accabbf9d63f151206bdfe56866c6c0908833f0dc931a9e143a8<br>NAS-Port-Type = Wireless-802.11<br>NAS-Port = 366<br>
NAS-Port-Id = "366"<br>State = 0xe398c72ae79fde112b2facf2414ef68a<br>NAS-IP-Address = 10.10.5.10<br>NAS-Identifier = "BSpa-KH-AP1"<br># Executing section authorize from file /etc/freeradius/sites-enabled/default<br>
+- entering group authorize {...}<br>++[preprocess] returns ok<br>++[chap] returns noop<br>++[mschap] returns noop<br>++[digest] returns noop<br>[suffix] No '@' in User-Name = "dfleming", looking up realm NULL<br>
[suffix] No such realm "NULL"<br>++[suffix] returns noop<br>[eap] EAP packet type response id 7 length 43<br>[eap] Continuing tunnel setup.<br>++[eap] returns ok<br>Found Auth-Type = EAP<br># Executing group from file /etc/freeradius/sites-enabled/default<br>
+- entering group authenticate {...}<br>[eap] Request found, released from the list<br>[eap] EAP/peap<br>[eap] processing type peap<br>[peap] processing EAP-TLS<br>[peap] eaptls_verify returned 7 <br>[peap] Done initial handshake<br>
[peap] eaptls_process returned 7 <br>[peap] EAPTLS_OK<br>[peap] Session established. Decoding tunneled attributes.<br>[peap] Peap state WAITING FOR INNER IDENTITY<br>[peap] Identity - dfleming<br>[peap] Got inner identity 'dfleming'<br>
[peap] Setting default EAP type for tunneled EAP session.<br>[peap] Got tunneled request<br>EAP-Message = 0x0207000d0164666c656d696e67<br>server {<br>[peap] Setting User-Name to dfleming<br>Sending tunneled request<br>EAP-Message = 0x0207000d0164666c656d696e67<br>
FreeRADIUS-Proxied-To = 127.0.0.1<br>User-Name = "dfleming"<br>server inner-tunnel {<br># Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel<br>+- entering group authorize {...}<br>
++[chap] returns noop<br>++[mschap] returns noop<br>[suffix] No '@' in User-Name = "dfleming", looking up realm NULL<br>[suffix] No such realm "NULL"<br>++[suffix] returns noop<br>++[control] returns noop<br>
[eap] EAP packet type response id 7 length 13<br>[eap] No EAP Start, assuming it's an on-going EAP conversation<br>++[eap] returns updated<br>++[files] returns noop<br>[sql] expand: %{User-Name} -> dfleming<br>[sql] sql_set_user escaped user --> 'dfleming'<br>
rlm_sql (sql): Reserving sql socket id: 3<br>[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'dfleming' ORDER BY id<br>
rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'dfleming' ORDER BY id<br>[sql] User found in radcheck table<br>[sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'dfleming' ORDER BY id<br>
rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'dfleming' ORDER BY id<br>[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'dfleming' ORDER BY priority<br>
rlm_sql_mysql: query: SELECT groupname FROM radusergroup WHERE username = 'dfleming' ORDER BY priority<br>[sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'Test' ORDER BY id<br>
rlm_sql_mysql: query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'Test' ORDER BY id<br>rlm_sql (sql): Released sql socket id: 3<br>++[sql] returns ok<br>
++[expiration] returns noop<br>++[logintime] returns noop<br>[pap] WARNING: Auth-Type already set. Not setting to PAP<br>++[pap] returns noop<br>Found Auth-Type = EAP<br># Executing group from file /etc/freeradius/sites-enabled/inner-tunnel<br>
+- entering group authenticate {...}<br>[eap] EAP Identity<br>[eap] processing type mschapv2<br>rlm_eap_mschapv2: Issuing Challenge<br>++[eap] returns handled<br>} # server inner-tunnel<br>[peap] Got tunneled reply code 11<br>
EAP-Message = 0x010800221a0108001d10922d3619e3e3ae7153865670afca067064666c656d696e67<br>Message-Authenticator = 0x00000000000000000000000000000000<br>State = 0xc9b7eee2c9bff40721db4de2f5e8d831<br>[peap] Got tunneled reply RADIUS code 11<br>
EAP-Message = 0x010800221a0108001d10922d3619e3e3ae7153865670afca067064666c656d696e67<br>Message-Authenticator = 0x00000000000000000000000000000000<br>State = 0xc9b7eee2c9bff40721db4de2f5e8d831<br>[peap] Got tunneled Access-Challenge<br>
++[eap] returns handled<br>Sending Access-Challenge of id 108 to 10.10.5.10 port 1645<br>EAP-Message = 0x0108004b19001703010040e354ae24f8e5f9d802fd99a568a505148dae956713eeee1fe29b6cf13ab582b5c7e15342748bc0b5cf4794a5c47774cede06c276834338ff8f7187e268d2e6d8<br>
Message-Authenticator = 0x00000000000000000000000000000000<br>State = 0xe398c72ae690de112b2facf2414ef68a<br>Finished request 13.<br>Going to the next request<br>Waking up in 4.8 seconds.<br>rad_recv: Access-Request packet from host 10.10.5.10 port 1645, id=109, length=325<br>
User-Name = "dfleming"<br>Framed-MTU = 1400<br>Called-Station-Id = "A8-B1-D4-21-73-41:BSpa-KH-Mgmt"<br>Calling-Station-Id = "80-1F-02-D3-97-74"<br>Cisco-AVPair = "ssid=BSpa-KH-Mgmt"<br>
Service-Type = Login-User<br>Cisco-AVPair = "service-type=Login"<br>Message-Authenticator = 0xb4f91fc4a74780dd8d59ca37a367f017<br>EAP-Message = 0x0208006b190017030100606d6568104b85243dc9d97a2a632d19fd9a8d232a88d86ef8b1322f3a74f5946692b8fc279afe278b92f8085b48136721801cbc31a68be167d8e697af0ad1262c2b84c00849d98fe5380ea6eb61f193f27fbd396e781c8e847be168312372effb<br>
NAS-Port-Type = Wireless-802.11<br>NAS-Port = 366<br>NAS-Port-Id = "366"<br>State = 0xe398c72ae690de112b2facf2414ef68a<br>NAS-IP-Address = 10.10.5.10<br>NAS-Identifier = "BSpa-KH-AP1"<br># Executing section authorize from file /etc/freeradius/sites-enabled/default<br>
+- entering group authorize {...}<br>++[preprocess] returns ok<br>++[chap] returns noop<br>++[mschap] returns noop<br>++[digest] returns noop<br>[suffix] No '@' in User-Name = "dfleming", looking up realm NULL<br>
[suffix] No such realm "NULL"<br>++[suffix] returns noop<br>[eap] EAP packet type response id 8 length 107<br>[eap] Continuing tunnel setup.<br>++[eap] returns ok<br>Found Auth-Type = EAP<br># Executing group from file /etc/freeradius/sites-enabled/default<br>
+- entering group authenticate {...}<br>[eap] Request found, released from the list<br>[eap] EAP/peap<br>[eap] processing type peap<br>[peap] processing EAP-TLS<br>[peap] eaptls_verify returned 7 <br>[peap] Done initial handshake<br>
[peap] eaptls_process returned 7 <br>[peap] EAPTLS_OK<br>[peap] Session established. Decoding tunneled attributes.<br>[peap] Peap state phase2<br>[peap] EAP type mschapv2<br>[peap] Got tunneled request<br>EAP-Message = 0x020800431a0208003e3168b2631d0a7e9207d78112c36e6c9aeb00000000000000000d2ffe427cf7f4b21ba561639b16ea0fac9ec0fd7619f0980064666c656d696e67<br>
server {<br>[peap] Setting User-Name to dfleming<br>Sending tunneled request<br>EAP-Message = 0x020800431a0208003e3168b2631d0a7e9207d78112c36e6c9aeb00000000000000000d2ffe427cf7f4b21ba561639b16ea0fac9ec0fd7619f0980064666c656d696e67<br>
FreeRADIUS-Proxied-To = 127.0.0.1<br>User-Name = "dfleming"<br>State = 0xc9b7eee2c9bff40721db4de2f5e8d831<br>server inner-tunnel {<br># Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel<br>
+- entering group authorize {...}<br>++[chap] returns noop<br>++[mschap] returns noop<br>[suffix] No '@' in User-Name = "dfleming", looking up realm NULL<br>[suffix] No such realm "NULL"<br>++[suffix] returns noop<br>
++[control] returns noop<br>[eap] EAP packet type response id 8 length 67<br>[eap] No EAP Start, assuming it's an on-going EAP conversation<br>++[eap] returns updated<br>++[files] returns noop<br>[sql] expand: %{User-Name} -> dfleming<br>
[sql] sql_set_user escaped user --> 'dfleming'<br>rlm_sql (sql): Reserving sql socket id: 2<br>[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'dfleming' ORDER BY id<br>
rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'dfleming' ORDER BY id<br>[sql] User found in radcheck table<br>[sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'dfleming' ORDER BY id<br>
rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'dfleming' ORDER BY id<br>[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'dfleming' ORDER BY priority<br>
rlm_sql_mysql: query: SELECT groupname FROM radusergroup WHERE username = 'dfleming' ORDER BY priority<br>[sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'Test' ORDER BY id<br>
rlm_sql_mysql: query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'Test' ORDER BY id<br>rlm_sql (sql): Released sql socket id: 2<br>++[sql] returns ok<br>
++[expiration] returns noop<br>++[logintime] returns noop<br>[pap] WARNING: Auth-Type already set. Not setting to PAP<br>++[pap] returns noop<br>Found Auth-Type = EAP<br># Executing group from file /etc/freeradius/sites-enabled/inner-tunnel<br>
+- entering group authenticate {...}<br>[eap] Request found, released from the list<br>[eap] EAP/mschapv2<br>[eap] processing type mschapv2<br>[mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel<br>
[mschapv2] +- entering group MS-CHAP {...}<br>[mschap] Creating challenge hash with username: dfleming<br>[mschap] Told to do MS-CHAPv2 for dfleming with NT-Password<br>[mschap] adding MS-CHAPv2 MPPE keys<br>++[mschap] returns ok<br>
MSCHAP Success <br>++[eap] returns handled<br>} # server inner-tunnel<br>[peap] Got tunneled reply code 11<br>EAP-Message = 0x010900331a0308002e533d43464330373236373634334537313837364241463430433441443939374431343844394531393832<br>
Message-Authenticator = 0x00000000000000000000000000000000<br>State = 0xc9b7eee2c8bef40721db4de2f5e8d831<br>[peap] Got tunneled reply RADIUS code 11<br>EAP-Message = 0x010900331a0308002e533d43464330373236373634334537313837364241463430433441443939374431343844394531393832<br>
Message-Authenticator = 0x00000000000000000000000000000000<br>State = 0xc9b7eee2c8bef40721db4de2f5e8d831<br>[peap] Got tunneled Access-Challenge<br>++[eap] returns handled<br>Sending Access-Challenge of id 109 to 10.10.5.10 port 1645<br>
EAP-Message = 0x0109005b190017030100506185ff39cb0494708efdc81974e25f277642b11486bfe766086d403b0f9e0a544ff9b3c52790e64e9b993633880722ce7da761ac18a7fe587e831cdf7a964c10ef0f0b652c6a73635173e6875e54f4af<br>Message-Authenticator = 0x00000000000000000000000000000000<br>
State = 0xe398c72ae591de112b2facf2414ef68a<br>Finished request 14.<br>Going to the next request<br>Waking up in 4.7 seconds.<br>rad_recv: Access-Request packet from host 10.10.5.10 port 1645, id=110, length=261<br>User-Name = "dfleming"<br>
Framed-MTU = 1400<br>Called-Station-Id = "A8-B1-D4-21-73-41:BSpa-KH-Mgmt"<br>Calling-Station-Id = "80-1F-02-D3-97-74"<br>Cisco-AVPair = "ssid=BSpa-KH-Mgmt"<br>Service-Type = Login-User<br>Cisco-AVPair = "service-type=Login"<br>
Message-Authenticator = 0x212023c32292d56925e14f1147bdabe4<br>EAP-Message = 0x0209002b19001703010020ac7315140c4adcdef21a749af693f0a7b8a7efda8ddb0f82bd692b1d8a7c8465<br>NAS-Port-Type = Wireless-802.11<br>NAS-Port = 366<br>
NAS-Port-Id = "366"<br>State = 0xe398c72ae591de112b2facf2414ef68a<br>NAS-IP-Address = 10.10.5.10<br>NAS-Identifier = "BSpa-KH-AP1"<br># Executing section authorize from file /etc/freeradius/sites-enabled/default<br>
+- entering group authorize {...}<br>++[preprocess] returns ok<br>++[chap] returns noop<br>++[mschap] returns noop<br>++[digest] returns noop<br>[suffix] No '@' in User-Name = "dfleming", looking up realm NULL<br>
[suffix] No such realm "NULL"<br>++[suffix] returns noop<br>[eap] EAP packet type response id 9 length 43<br>[eap] Continuing tunnel setup.<br>++[eap] returns ok<br>Found Auth-Type = EAP<br># Executing group from file /etc/freeradius/sites-enabled/default<br>
+- entering group authenticate {...}<br>[eap] Request found, released from the list<br>[eap] EAP/peap<br>[eap] processing type peap<br>[peap] processing EAP-TLS<br>[peap] eaptls_verify returned 7 <br>[peap] Done initial handshake<br>
[peap] eaptls_process returned 7 <br>[peap] EAPTLS_OK<br>[peap] Session established. Decoding tunneled attributes.<br>[peap] Peap state phase2<br>[peap] EAP type mschapv2<br>[peap] Got tunneled request<br>EAP-Message = 0x020900061a03<br>
server {<br>[peap] Setting User-Name to dfleming<br>Sending tunneled request<br>EAP-Message = 0x020900061a03<br>FreeRADIUS-Proxied-To = 127.0.0.1<br>User-Name = "dfleming"<br>State = 0xc9b7eee2c8bef40721db4de2f5e8d831<br>
server inner-tunnel {<br># Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel<br>+- entering group authorize {...}<br>++[chap] returns noop<br>++[mschap] returns noop<br>[suffix] No '@' in User-Name = "dfleming", looking up realm NULL<br>
[suffix] No such realm "NULL"<br>++[suffix] returns noop<br>++[control] returns noop<br>[eap] EAP packet type response id 9 length 6<br>[eap] No EAP Start, assuming it's an on-going EAP conversation<br>++[eap] returns updated<br>
++[files] returns noop<br>[sql] expand: %{User-Name} -> dfleming<br>[sql] sql_set_user escaped user --> 'dfleming'<br>rlm_sql (sql): Reserving sql socket id: 1<br>[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'dfleming' ORDER BY id<br>
rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'dfleming' ORDER BY id<br>[sql] User found in radcheck table<br>[sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'dfleming' ORDER BY id<br>
rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'dfleming' ORDER BY id<br>[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'dfleming' ORDER BY priority<br>
rlm_sql_mysql: query: SELECT groupname FROM radusergroup WHERE username = 'dfleming' ORDER BY priority<br>[sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'Test' ORDER BY id<br>
rlm_sql_mysql: query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'Test' ORDER BY id<br>rlm_sql (sql): Released sql socket id: 1<br>++[sql] returns ok<br>
++[expiration] returns noop<br>++[logintime] returns noop<br>[pap] WARNING: Auth-Type already set. Not setting to PAP<br>++[pap] returns noop<br>Found Auth-Type = EAP<br># Executing group from file /etc/freeradius/sites-enabled/inner-tunnel<br>
+- entering group authenticate {...}<br>[eap] Request found, released from the list<br>[eap] EAP/mschapv2<br>[eap] processing type mschapv2<br>[eap] Freeing handler<br>++[eap] returns ok<br># Executing section post-auth from file /etc/freeradius/sites-enabled/inner-tunnel<br>
+- entering group post-auth {...}<br>[sql] expand: %{User-Name} -> dfleming<br>[sql] sql_set_user escaped user --> 'dfleming'<br>[sql] expand: %{User-Password} -> <br>[sql] ... expanding second conditional<br>
[sql] expand: %{Chap-Password} -> <br>[sql] expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'dfleming', '', 'Access-Accept', '2014-07-24 08:28:17')<br>
[sql] expand: /var/log/freeradius/sqltrace.sql -> /var/log/freeradius/sqltrace.sql<br>rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'dfleming', '', 'Access-Accept', '2014-07-24 08:28:17')<br>
rlm_sql (sql): Reserving sql socket id: 0<br>rlm_sql_mysql: query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'dfleming', '', 'Access-Accept', '2014-07-24 08:28:17')<br>
rlm_sql (sql): Released sql socket id: 0<br>++[sql] returns ok<br>} # server inner-tunnel<br>[peap] Got tunneled reply code 2<br>MS-MPPE-Encryption-Policy = 0x00000001<br>MS-MPPE-Encryption-Types = 0x00000006<br>MS-MPPE-Send-Key = 0x21b836e93eff70f6d6b2ec627ea1fbaf<br>
MS-MPPE-Recv-Key = 0xa73e45851d20023ff89a50e099c7ac0a<br>EAP-Message = 0x03090004<br>Message-Authenticator = 0x00000000000000000000000000000000<br>User-Name = "dfleming"<br>[peap] Got tunneled reply RADIUS code 2<br>
MS-MPPE-Encryption-Policy = 0x00000001<br>MS-MPPE-Encryption-Types = 0x00000006<br>MS-MPPE-Send-Key = 0x21b836e93eff70f6d6b2ec627ea1fbaf<br>MS-MPPE-Recv-Key = 0xa73e45851d20023ff89a50e099c7ac0a<br>EAP-Message = 0x03090004<br>
Message-Authenticator = 0x00000000000000000000000000000000<br>User-Name = "dfleming"<br>[peap] Tunneled authentication was successful.<br>[peap] SUCCESS<br>++[eap] returns handled<br>Sending Access-Challenge of id 110 to 10.10.5.10 port 1645<br>
EAP-Message = 0x010a002b19001703010020ffd2d4391027944a955f2a80e75582385d2bb77d88a0da77a3c35e870ab878e6<br>Message-Authenticator = 0x00000000000000000000000000000000<br>State = 0xe398c72ae492de112b2facf2414ef68a<br>Finished request 15.<br>
Going to the next request<br>Waking up in 4.7 seconds.<br>rad_recv: Access-Request packet from host 10.10.5.10 port 1645, id=111, length=261<br>User-Name = "dfleming"<br>Framed-MTU = 1400<br>Called-Station-Id = "A8-B1-D4-21-73-41:BSpa-KH-Mgmt"<br>
Calling-Station-Id = "80-1F-02-D3-97-74"<br>Cisco-AVPair = "ssid=BSpa-KH-Mgmt"<br>Service-Type = Login-User<br>Cisco-AVPair = "service-type=Login"<br>Message-Authenticator = 0x9ad507ccd512242f7bf2caec1f20c3d7<br>
EAP-Message = 0x020a002b190017030100203e355252ae01ca7b5f1465ce21b3bb9285bba4ef32e64818a0cd5cc8143b5fd5<br>NAS-Port-Type = Wireless-802.11<br>NAS-Port = 366<br>NAS-Port-Id = "366"<br>State = 0xe398c72ae492de112b2facf2414ef68a<br>
NAS-IP-Address = 10.10.5.10<br>NAS-Identifier = "BSpa-KH-AP1"<br># Executing section authorize from file /etc/freeradius/sites-enabled/default<br>+- entering group authorize {...}<br>++[preprocess] returns ok<br>
++[chap] returns noop<br>++[mschap] returns noop<br>++[digest] returns noop<br>[suffix] No '@' in User-Name = "dfleming", looking up realm NULL<br>[suffix] No such realm "NULL"<br>++[suffix] returns noop<br>
[eap] EAP packet type response id 10 length 43<br>[eap] Continuing tunnel setup.<br>++[eap] returns ok<br>Found Auth-Type = EAP<br># Executing group from file /etc/freeradius/sites-enabled/default<br>+- entering group authenticate {...}<br>
[eap] Request found, released from the list<br>[eap] EAP/peap<br>[eap] processing type peap<br>[peap] processing EAP-TLS<br>[peap] eaptls_verify returned 7 <br>[peap] Done initial handshake<br>[peap] eaptls_process returned 7 <br>
[peap] EAPTLS_OK<br>[peap] Session established. Decoding tunneled attributes.<br>[peap] Peap state send tlv success<br>[peap] Received EAP-TLV response.<br>[peap] Success<br>[eap] Freeing handler<br>++[eap] returns ok<br>
# Executing section post-auth from file /etc/freeradius/sites-enabled/default<br>+- entering group post-auth {...}<br>[sql] expand: %{User-Name} -> dfleming<br>[sql] sql_set_user escaped user --> 'dfleming'<br>
[sql] expand: %{User-Password} -> <br>[sql] ... expanding second conditional<br>[sql] expand: %{Chap-Password} -> <br>[sql] expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'dfleming', '', 'Access-Accept', '2014-07-24 08:28:17')<br>
[sql] expand: /var/log/freeradius/sqltrace.sql -> /var/log/freeradius/sqltrace.sql<br>rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'dfleming', '', 'Access-Accept', '2014-07-24 08:28:17')<br>
rlm_sql (sql): Reserving sql socket id: 4<br>rlm_sql_mysql: query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'dfleming', '', 'Access-Accept', '2014-07-24 08:28:17')<br>
rlm_sql (sql): Released sql socket id: 4<br>++[sql] returns ok<br>++[exec] returns noop<br>Sending Access-Accept of id 111 to 10.10.5.10 port 1645<br>MS-MPPE-Recv-Key = 0x5b480d2d4a8cde312f61c2c611543f1aebcc8abae61eb9155cda840760c3cea0<br>
MS-MPPE-Send-Key = 0x56ec6be73861d6e421949f14631c05facadbeff6689370618d373d2b633ce24d<br>EAP-Message = 0x030a0004<br>Message-Authenticator = 0x00000000000000000000000000000000<br>User-Name = "dfleming"<br>Finished request 16.<br>
Going to the next request<br>mysql> select * from radgroupcheck;<br>+----+---------------------------+-------------------+----+-----------------------+<br>| id | groupname | attribute | op | value |<br>
+----+---------------------------+-------------------+----+-----------------------+<br>| 1 | daloRADIUS-Disabled-Users | Auth-Type | := | Reject |<br>| 7 | Mgmt-Wireless | Cisco-AVPair | == | "ssid=1BSpa-KH-Mgmt1" |<br>
| 8 | Mgmt-Wireless | Called-Station-Id | := | *BSpa |<br>| 9 | Test | Cisco-AVPair | == | df |<br>+----+---------------------------+-------------------+----+-----------------------+<br>
mysql> select * from userinfo;<br>+----+-----------+-----------+----------+-------+------------+---------+-----------+-----------+-------------+---------+------+-------+---------+------+-------+----------------+---------------------+-------------------+---------------------+---------------+---------------------+----------+<br>
| id | username | firstname | lastname | email | department | company | workphone | homephone | mobilephone | address | city | state | country | zip | notes | changeuserinfo | portalloginpassword | enableportallogin | creationdate | creationby | updatedate | updateby |<br>
+----+-----------+-----------+----------+-------+------------+---------+-----------+-----------+-------------+---------+------+-------+---------+------+-------+----------------+---------------------+-------------------+---------------------+---------------+---------------------+----------+<br>
| 1 | dfleming | | | | | | | | | | | | | | | 0 | | 0 | 2014-07-16 15:24:47 | administrator | 2014-07-23 15:50:42 | admin |<br>
| 2 | mefleming | | | | | | | | | | | | | | | 0 | | 0 | 2014-07-16 16:57:27 | administrator | 2014-07-23 16:40:28 | admin |<br>
+----+-----------+-----------+----------+-------+------------+---------+-----------+-----------+-------------+---------+------+-------+---------+------+-------+----------------+---------------------+-------------------+---------------------+---------------+---------------------+----------+<br>
mysql> select * from userinfo;radusergroup;<br>+-----------+---------------+----------+<br>| username | groupname | priority |<br>+-----------+---------------+----------+<br>| dfleming | Test | 0 |<br>
| mefleming | Mgmt-Wireless | 1 |<br>+-----------+---------------+----------+<br><br><br>On Wed, Jul 23, 2014 at 5:20 PM, Dan Fleming <<a href="mailto:flemingdp@gmail.com">flemingdp@gmail.com</a>> wrote:<br>
><br>
> Hello,<br>><br>> I am using daloradius with free radius 2.1.12 on Ubuntu 14.04.<br>><br>> I have configured users and passwords and sucessfully authenticate users connecting to a standalone cisco 1142 accesspoint. I can see in the debug that the cisco-avpair is sending the ssid to the free radius server in the debug but I dont think it is being checked.<br>
><br>> No matter what I put in av pair the user gets Access-Accept.<br>><br>> I have tried both operator == and =: but neither make a difference.<br>><br>> Any help is greatly appreciated.<br>><br>> Regards,<br>
><br>> Daniel</div>