haus-meister@KRATOS:/etc/freeradius$ sudo freeradius -X FreeRADIUS Version 2.1.12, for host x86_64-pc-linux-gnu, built on Feb 24 2014 at 14:57:57 Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /etc/freeradius/radiusd.conf including configuration file /etc/freeradius/proxy.conf including configuration file /etc/freeradius/clients.conf including files in directory /etc/freeradius/modules/ including configuration file /etc/freeradius/modules/pap including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login including configuration file /etc/freeradius/modules/realm including configuration file /etc/freeradius/modules/cui including configuration file /etc/freeradius/modules/policy including configuration file /etc/freeradius/modules/echo including configuration file /etc/freeradius/modules/files including configuration file /etc/freeradius/modules/acct_unique including configuration file /etc/freeradius/modules/radutmp including configuration file /etc/freeradius/modules/detail.log including configuration file /etc/freeradius/modules/preprocess including configuration file /etc/freeradius/modules/chap including configuration file /etc/freeradius/modules/redis including configuration file /etc/freeradius/modules/smsotp including configuration file /etc/freeradius/modules/unix including configuration file /etc/freeradius/modules/expiration including configuration file /etc/freeradius/modules/linelog including configuration file /etc/freeradius/modules/detail.example.com including configuration file /etc/freeradius/modules/krb5 including configuration file /etc/freeradius/modules/attr_filter including configuration file /etc/freeradius/modules/digest including configuration file /etc/freeradius/modules/checkval including configuration file /etc/freeradius/modules/replicate including configuration file /etc/freeradius/modules/opendirectory including configuration file /etc/freeradius/modules/smbpasswd including configuration file /etc/freeradius/modules/inner-eap including configuration file /etc/freeradius/modules/perl including configuration file /etc/freeradius/modules/soh including configuration file /etc/freeradius/modules/mac2vlan including configuration file /etc/freeradius/modules/ippool including configuration file /etc/freeradius/modules/expr including configuration file /etc/freeradius/modules/etc_group including configuration file /etc/freeradius/modules/ldap including configuration file /etc/freeradius/modules/exec including configuration file /etc/freeradius/modules/counter including configuration file /etc/freeradius/modules/mschap including configuration file /etc/freeradius/modules/detail including configuration file /etc/freeradius/modules/passwd including configuration file /etc/freeradius/modules/mac2ip including configuration file /etc/freeradius/modules/rediswho including configuration file /etc/freeradius/modules/logintime including configuration file /etc/freeradius/modules/attr_rewrite including configuration file /etc/freeradius/modules/otp including configuration file /etc/freeradius/modules/ntlm_auth including configuration file /etc/freeradius/modules/pam including configuration file /etc/freeradius/modules/wimax including configuration file /etc/freeradius/modules/sql_log including configuration file /etc/freeradius/modules/always including configuration file /etc/freeradius/modules/sradutmp including configuration file /etc/freeradius/modules/dynamic_clients including configuration file /etc/freeradius/eap.conf including configuration file /etc/freeradius/policy.conf including files in directory /etc/freeradius/sites-enabled/ including configuration file /etc/freeradius/sites-enabled/inner-tunnel including configuration file /etc/freeradius/sites-enabled/default main { user = "freerad" group = "freerad" allow_core_dumps = no } including dictionary file /etc/freeradius/dictionary main { name = "freeradius" prefix = "/usr" localstatedir = "/var" sbindir = "/usr/sbin" logdir = "/var/log/freeradius" run_dir = "/var/run/freeradius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/freeradius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/var/run/freeradius/freeradius.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 require_message_authenticator = yes zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } } realm OBLAN { } home_server_pool my_auth_failover { type = fail-over home_server = localhost } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" nastype = "other" } client 192.168.2.135 { require_message_authenticator = no secret = "testing123" shortname = "192.168.2.135" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating module "exec" from file /etc/freeradius/modules/exec exec { wait = no input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating module "expr" from file /etc/freeradius/modules/expr Module: Linked to module rlm_expiration Module: Instantiating module "expiration" from file /etc/freeradius/modules/expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating module "logintime" from file /etc/freeradius/modules/logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server { # from file /etc/freeradius/radiusd.conf modules { Module: Creating Auth-Type = ntlm_auth Module: Creating Auth-Type = digest Module: Creating Post-Auth-Type = REJECT Module: Checking authenticate {...} for more modules to load Module: Instantiating module "ntlm_auth" from file /etc/freeradius/modules/ntlm_auth exec ntlm_auth { wait = yes program = "/usr/bin/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}" input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_pap Module: Instantiating module "pap" from file /etc/freeradius/modules/pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating module "chap" from file /etc/freeradius/modules/chap Module: Linked to module rlm_mschap Module: Instantiating module "mschap" from file /etc/freeradius/modules/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = yes ntlm_auth = " /usr/bin/ntlm_auth --request-nt-key --domain=OBLAN --username==%{%{User-Name}:-None}}" allow_retry = yes } Module: Linked to module rlm_digest Module: Instantiating module "digest" from file /etc/freeradius/modules/digest Module: Linked to module rlm_unix Module: Instantiating module "unix" from file /etc/freeradius/modules/unix unix { radwtmp = "/var/log/freeradius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating module "eap" from file /etc/freeradius/eap.conf eap { default_eap_type = "peap" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 CA_path = "/etc/freeradius/certs" pem_file_type = yes private_key_file = "/etc/freeradius/certs/server.key" certificate_file = "/etc/freeradius/certs/server.pem" CA_file = "/etc/freeradius/certs/ca.pem" private_key_password = "whatever" dh_file = "/etc/freeradius/certs/dh" random_file = "/dev/urandom" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" make_cert_command = "/etc/freeradius/certs/bootstrap" ecdh_curve = "prime256v1" cache { enable = no lifetime = 24 max_entries = 255 } verify { } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" soh = no } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating module "preprocess" from file /etc/freeradius/modules/preprocess preprocess { huntgroups = "/etc/freeradius/huntgroups" hints = "/etc/freeradius/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = yes with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Linked to module rlm_realm Module: Instantiating module "suffix" from file /etc/freeradius/modules/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating module "files" from file /etc/freeradius/modules/files files { usersfile = "/etc/freeradius/users" acctusersfile = "/etc/freeradius/acct_users" preproxy_usersfile = "/etc/freeradius/preproxy_users" compat = "no" } Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating module "acct_unique" from file /etc/freeradius/modules/acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating module "detail" from file /etc/freeradius/modules/detail detail { detailfile = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Linked to module rlm_radutmp Module: Instantiating module "radutmp" from file /etc/freeradius/modules/radutmp radutmp { filename = "/var/log/freeradius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Linked to module rlm_attr_filter Module: Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/modules/attr_filter attr_filter attr_filter.accounting_response { attrsfile = "/etc/freeradius/attrs.accounting_response" key = "%{User-Name}" relaxed = no } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Instantiating module "attr_filter.access_reject" from file /etc/freeradius/modules/attr_filter attr_filter attr_filter.access_reject { attrsfile = "/etc/freeradius/attrs.access_reject" key = "%{User-Name}" relaxed = no } } # modules } # server server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel modules { Module: Creating Auth-Type = ntml_auth Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } ... adding new socket proxy address * port 48894 Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 192.168.2.135 port 32768, id=252, length=176 User-Name = "hausmeister@oblan" NAS-IP-Address = 192.168.2.135 NAS-Port = 0 Called-Station-Id = "64-70-02-DF-6A-BA:OB-AIRLAN" Calling-Station-Id = "F0-27-65-89-E2-96" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11b" EAP-Message = 0x021f001601686175736d656973746572406f626c616e Message-Authenticator = 0x14193587b7c4b85761d23f2283192067 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] Looking up realm "oblan" for User-Name = "hausmeister@oblan" [suffix] Found realm "OBLAN" [suffix] Adding Stripped-User-Name = "hausmeister" [suffix] Adding Realm = "OBLAN" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] EAP packet type response id 31 length 22 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 252 to 192.168.2.135 port 32768 EAP-Message = 0x012000061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xed8d8d25edad94e22e7c777d3a3d78e0 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.2.135 port 32768, id=253, length=380 User-Name = "hausmeister@oblan" NAS-IP-Address = 192.168.2.135 NAS-Port = 0 Called-Station-Id = "64-70-02-DF-6A-BA:OB-AIRLAN" Calling-Station-Id = "F0-27-65-89-E2-96" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11b" EAP-Message = 0x022000d01980000000c616030100c1010000bd030153eb8658bc9c7f4f6ec350575179bcdd6fc30912066d905739162a63116ab2e6000054c014c00ac022c02100390038c00fc0050035c012c008c01cc01b00160013c00dc003000ac013c009c01fc01e00330032c00ec004002fc011c007c00cc002000500040015001200090014001100080006000300ff01000040000b000403000102000a00340032000e000d0019000b000c00180009000a00160017000800060007001400150004000500120013000100020003000f00100011 State = 0xed8d8d25edad94e22e7c777d3a3d78e0 Message-Authenticator = 0xfcb5bfab3f24c36e0a385fea84f0a9ef # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] Looking up realm "oblan" for User-Name = "hausmeister@oblan" [suffix] Found realm "OBLAN" [suffix] Adding Stripped-User-Name = "hausmeister" [suffix] Adding Realm = "OBLAN" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] EAP packet type response id 32 length 208 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 198 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 00c1], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 0039], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 02c0], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange [peap] TLS_accept: SSLv3 write key exchange A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 253 to 192.168.2.135 port 32768 EAP-Message = 0x0121040019c00000045c16030100390200003503019c88a24fe3e8da345023b451b6a75b18d19bfdf86ddb40c95a3d78443a59a48600c01400000dff01000100000b00040300010216030102c00b0002bc0002b90002b6308202b23082019aa003020102020900f349c1d40d1d50ee300d06092a864886f70d01010b05003011310f300d060355040313064b5241544f53301e170d3134303830383135313933365a170d3234303830353135313933365a3011310f300d060355040313064b5241544f5330820122300d06092a864886f70d01010105000382010f003082010a0282010100d1b845087d1818ccf594d91354c4663ffd77f9594545494a EAP-Message = 0x6933a94d74204f387d09c538e6e60c89dc5c8c256b98ce525c7c347038f6e79c736123b95094166da4a72403511262399331362c9e71b9e93076be37c0309d861da4d8b68bd948886b70d079e322119a9fadd045347e1d0386ba46b3cd7e9520e9940f3ccdd802199e3f861259f33c8639cebef505dcc358a010500eee5ef0977b9ed0d88f2d34d0700609dd7d8512158daee745103f0efa9f0dd155bb4cf8377ce36d925ee67be0d94aba909b64f1d94166ce67c37b65d278c4f23013610c9f6c2bbf8db4a70a54d8f2e911028198ad48ee0ac6e6eb0bdbabc3218da98dfe041426194863057c7d0203010001a30d300b30090603551d130402300030 EAP-Message = 0x0d06092a864886f70d01010b05000382010100af2e7a028d7cfb404264d1d5683102fc224d8a95a9a2a80240be4659011cbeb586de63d09f502569decb94c0a1f5971978603b623ac1c7f6e6b31cd4215881bae2dd8fa5839f45b982c9426c1dde971185eb1ae20253723bda27305a3b0a092dff0b9ffd8058b3eda1ae84f82992bdb92d5da75d1c2204cfd39fa990a20f2ae4072edc0cfbf0ff8a7bcd5221297611bcab8932757ff5fde368eabf75c85949b76850f5ab578a4423a78b5afe4e414f47fee7a1e18c074d87bd4072391e8f59fa976269a58fd6ed17d66fa25b6d5fb57bf75b9b73f2e59696a493fae910482922f4bac178cebe8c4be1fa EAP-Message = 0x69e8ce3b677364578ae436635b183425eaac1f02dc71160301014b0c00014703001741048985aa66ae475911468f31fa70e56a206a302615f1de08f5f682c5bae2d98fcd828350c9d87973c5aef14f6ea590663b5fafdba4d64592cc2c49c76cb4a5a31f01000dd4e09858ac6b78a47851674e981d595be8724c71f1392c6edffd755d4a69cf9cbf934225eb470a3d16ffb250f84f4387a602fcba25c7f889ee4d85f9f7c196986d540fd30e2465c53ef94c8c46903d53b7e8ec2af594c99de93d7ca088a1ce52ecb9f128b9006bcf8b9fa727e0504e3c0783256e7dcc1a8d0322a5ca09f7705cfe353e8a0829ba0513016bcbc33d3fbd0743154aab6c EAP-Message = 0x9823c7dfad528c1e1033b649 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xed8d8d25ecac94e22e7c777d3a3d78e0 Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.2.135 port 32768, id=254, length=178 User-Name = "hausmeister@oblan" NAS-IP-Address = 192.168.2.135 NAS-Port = 0 Called-Station-Id = "64-70-02-DF-6A-BA:OB-AIRLAN" Calling-Station-Id = "F0-27-65-89-E2-96" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11b" EAP-Message = 0x022100061900 State = 0xed8d8d25ecac94e22e7c777d3a3d78e0 Message-Authenticator = 0xf1d0f97881282050c5f11a4e38032ff9 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] Looking up realm "oblan" for User-Name = "hausmeister@oblan" [suffix] Found realm "OBLAN" [suffix] Adding Stripped-User-Name = "hausmeister" [suffix] Adding Realm = "OBLAN" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] EAP packet type response id 33 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 254 to 192.168.2.135 port 32768 EAP-Message = 0x0122006c190010ec5aa01d4b64e8ab822810a74f59befbcdf5982ff4b9a90094c08a0f63bc963af8500a4b66b5285b105bdc0bb0b469f3a7178da565b16f076c89810d923083e3ec1002c8f2e0d360d78bbb8b73cdeef868902653663d5d5567b0d52416030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xed8d8d25efaf94e22e7c777d3a3d78e0 Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.2.135 port 32768, id=255, length=316 User-Name = "hausmeister@oblan" NAS-IP-Address = 192.168.2.135 NAS-Port = 0 Called-Station-Id = "64-70-02-DF-6A-BA:OB-AIRLAN" Calling-Station-Id = "F0-27-65-89-E2-96" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11b" EAP-Message = 0x022200901980000000861603010046100000424104a69a6050794da0a7b376df6012e6900db849f74016032ceb949401d30659719cf31c97e195a61376ada039b96f78fc021ed78f369daa1645058e3bc2b12d171914030100010116030100300a5ab0df409eb3602a230b4c9bffb799e7242fbc1bb2f3de33fb388bb25d56a7c93ac3cd5ad171964ca7b5d44608a09e State = 0xed8d8d25efaf94e22e7c777d3a3d78e0 Message-Authenticator = 0x54644533deb5e0cadd4e4e92189e9161 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] Looking up realm "oblan" for User-Name = "hausmeister@oblan" [suffix] Found realm "OBLAN" [suffix] Adding Stripped-User-Name = "hausmeister" [suffix] Adding Realm = "OBLAN" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] EAP packet type response id 34 length 144 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 134 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 255 to 192.168.2.135 port 32768 EAP-Message = 0x0123004119001403010001011603010030857c6b5ac72ce7eb238404b07408436465da7f30931ff119f24bf54d899269a848f9a3ace82590f27b191751980b938c Message-Authenticator = 0x00000000000000000000000000000000 State = 0xed8d8d25eeae94e22e7c777d3a3d78e0 Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.2.135 port 32768, id=0, length=178 User-Name = "hausmeister@oblan" NAS-IP-Address = 192.168.2.135 NAS-Port = 0 Called-Station-Id = "64-70-02-DF-6A-BA:OB-AIRLAN" Calling-Station-Id = "F0-27-65-89-E2-96" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11b" EAP-Message = 0x022300061900 State = 0xed8d8d25eeae94e22e7c777d3a3d78e0 Message-Authenticator = 0x1dd6ad568c5c0ea64396c2b00c301e95 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] Looking up realm "oblan" for User-Name = "hausmeister@oblan" [suffix] Found realm "OBLAN" [suffix] Adding Stripped-User-Name = "hausmeister" [suffix] Adding Realm = "OBLAN" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] EAP packet type response id 35 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS [peap] Session established. Decoding tunneled attributes. [peap] Peap state TUNNEL ESTABLISHED ++[eap] returns handled Sending Access-Challenge of id 0 to 192.168.2.135 port 32768 EAP-Message = 0x0124002b1900170301002092acd5d87a14707093b89c3b3839ea5d463cb79b12794e5e44725e93981b2f54 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xed8d8d25e9a994e22e7c777d3a3d78e0 Finished request 4. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.2.135 port 32768, id=1, length=268 User-Name = "hausmeister@oblan" NAS-IP-Address = 192.168.2.135 NAS-Port = 0 Called-Station-Id = "64-70-02-DF-6A-BA:OB-AIRLAN" Calling-Station-Id = "F0-27-65-89-E2-96" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11b" EAP-Message = 0x0224006019001703010020d9ec9d2a27b3f43fe8d96fa7f1bd56756cbd83d952a16d61afc9d7a9ec7539211703010030b9f7b2793a62d55773c07749bc4018ca18e74976aa3e86c952b8361d45fcb6af8f35e7eb42e26362e7402b0c82fcfae5 State = 0xed8d8d25e9a994e22e7c777d3a3d78e0 Message-Authenticator = 0x5217035d26a5a4a8097222e854e47cf8 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] Looking up realm "oblan" for User-Name = "hausmeister@oblan" [suffix] Found realm "OBLAN" [suffix] Adding Stripped-User-Name = "hausmeister" [suffix] Adding Realm = "OBLAN" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] EAP packet type response id 36 length 96 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state WAITING FOR INNER IDENTITY [peap] Identity - hausmeister@oblan [peap] Got inner identity 'hausmeister@oblan' [peap] Setting default EAP type for tunneled EAP session. [peap] Got tunneled request EAP-Message = 0x0224001601686175736d656973746572406f626c616e server { [peap] Setting User-Name to hausmeister@oblan Sending tunneled request EAP-Message = 0x0224001601686175736d656973746572406f626c616e FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "hausmeister@oblan" server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop [suffix] Looking up realm "oblan" for User-Name = "hausmeister@oblan" [suffix] Found realm "OBLAN" [suffix] Adding Stripped-User-Name = "hausmeister" [suffix] Adding Realm = "OBLAN" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok ++[control] returns ok [eap] EAP packet type response id 36 length 22 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop WARNING: You set Proxy-To-Realm = LOCAL, but the realm does not exist! Cancelling invalid proxy request. Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x0125002b1a0125002610e2067d29015105f513fdf161e577e07a686175736d656973746572406f626c616e Message-Authenticator = 0x00000000000000000000000000000000 State = 0xcd213dd9cd04270a3a8cee835632571e [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x0125002b1a0125002610e2067d29015105f513fdf161e577e07a686175736d656973746572406f626c616e Message-Authenticator = 0x00000000000000000000000000000000 State = 0xcd213dd9cd04270a3a8cee835632571e [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 1 to 192.168.2.135 port 32768 EAP-Message = 0x0125004b190017030100403f97725c2bc665a54f9dc63a50930f0f9306d98317b40009771872d10e934329fbb00fd3d0105ce41e511077eea1ee4725ff9be10f64cb0b9eff5c8cabae2a22 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xed8d8d25e8a894e22e7c777d3a3d78e0 Finished request 5. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.2.135 port 32768, id=2, length=316 User-Name = "hausmeister@oblan" NAS-IP-Address = 192.168.2.135 NAS-Port = 0 Called-Station-Id = "64-70-02-DF-6A-BA:OB-AIRLAN" Calling-Station-Id = "F0-27-65-89-E2-96" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11b" EAP-Message = 0x0225009019001703010020c9f82d51d4ebe0b22c966d4e328518bd79b5ee3291f6862068aba357286bb191170301006033aaee0003af8e9ea388abb743ebd52206d1e479aad8929f58b636e5b82eeed4448444ceaa0c0abfd9e192e3b9ee7774a937463b9c4db1b38005778784eb038a0b59884c0dae3fab951fbda3de4e49076ea17ab933df7db864f428aee443f495 State = 0xed8d8d25e8a894e22e7c777d3a3d78e0 Message-Authenticator = 0xe717d70af487454559b3dd952d6f4472 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] Looking up realm "oblan" for User-Name = "hausmeister@oblan" [suffix] Found realm "OBLAN" [suffix] Adding Stripped-User-Name = "hausmeister" [suffix] Adding Realm = "OBLAN" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] EAP packet type response id 37 length 144 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x0225004c1a022500473161a587fb5bbd314bbe62c6881aa4ad870000000000000000c1def1a729a79569e5f81cc3da24995f0a0635067c3d1d7000686175736d656973746572406f626c616e server { [peap] Setting User-Name to hausmeister@oblan Sending tunneled request EAP-Message = 0x0225004c1a022500473161a587fb5bbd314bbe62c6881aa4ad870000000000000000c1def1a729a79569e5f81cc3da24995f0a0635067c3d1d7000686175736d656973746572406f626c616e FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "hausmeister@oblan" State = 0xcd213dd9cd04270a3a8cee835632571e server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop [suffix] Looking up realm "oblan" for User-Name = "hausmeister@oblan" [suffix] Found realm "OBLAN" [suffix] Adding Stripped-User-Name = "hausmeister" [suffix] Adding Realm = "OBLAN" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok ++[control] returns ok [eap] EAP packet type response id 37 length 76 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop WARNING: You set Proxy-To-Realm = LOCAL, but the realm does not exist! Cancelling invalid proxy request. Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel [mschapv2] +- entering group MS-CHAP {...} [mschap] Creating challenge hash with username: hausmeister@oblan [mschap] Told to do MS-CHAPv2 for hausmeister@oblan with NT-Password [mschap] expand: %{User-Name} -> hausmeister@oblan [mschap] expand: --username==%{%{User-Name}:-None}} -> --username==hausmeister@oblan} Exec-Program output: Password: NT_STATUS_NO_SUCH_USER: No such user (0xc0000064) Exec-Program-Wait: plaintext: Password: NT_STATUS_NO_SUCH_USER: No such user (0xc0000064) Exec-Program: returned: 1 [mschap] External script failed. [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject [eap] Freeing handler ++[eap] returns reject Failed to authenticate the user. } # server inner-tunnel [peap] Got tunneled reply code 3 MS-CHAP-Error = "%E=691 R=1" EAP-Message = 0x04250004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Got tunneled reply RADIUS code 3 MS-CHAP-Error = "%E=691 R=1" EAP-Message = 0x04250004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Tunneled authentication was rejected. [peap] FAILURE ++[eap] returns handled Sending Access-Challenge of id 2 to 192.168.2.135 port 32768 EAP-Message = 0x0126002b19001703010020a2a3bb37a782922027359762ce7a8b4d24c7860f492b6fad69aa23ca7ae4445f Message-Authenticator = 0x00000000000000000000000000000000 State = 0xed8d8d25ebab94e22e7c777d3a3d78e0 Finished request 6. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.2.135 port 32768, id=3, length=252 User-Name = "hausmeister@oblan" NAS-IP-Address = 192.168.2.135 NAS-Port = 0 Called-Station-Id = "64-70-02-DF-6A-BA:OB-AIRLAN" Calling-Station-Id = "F0-27-65-89-E2-96" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11b" EAP-Message = 0x02260050190017030100200d4a1695bea020a8a829de6d9682e3c09c38a637424b336602b4b529fa4360ee170301002072f8ef2c4ea36cd5446fdcdd425cb2a9a342e7b8118cb9f078ae1e102df9cd88 State = 0xed8d8d25ebab94e22e7c777d3a3d78e0 Message-Authenticator = 0x22b36db4f56e330918a55e3ffe0fbf64 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] Looking up realm "oblan" for User-Name = "hausmeister@oblan" [suffix] Found realm "OBLAN" [suffix] Adding Stripped-User-Name = "hausmeister" [suffix] Adding Realm = "OBLAN" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] EAP packet type response id 38 length 80 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state send tlv failure [peap] Received EAP-TLV response. [peap] The users session was previously rejected: returning reject (again.) [peap] *** This means you need to read the PREVIOUS messages in the debug output [peap] *** to find out the reason why the user was rejected. [peap] *** Look for "reject" or "fail". Those earlier messages will tell you. [peap] *** what went wrong, and how to fix the problem. [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /etc/freeradius/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> hausmeister@oblan attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 7 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 7 Sending Access-Reject of id 3 to 192.168.2.135 port 32768 EAP-Message = 0x04260004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.9 seconds. Cleaning up request 0 ID 252 with timestamp +23 Cleaning up request 1 ID 253 with timestamp +23 Cleaning up request 2 ID 254 with timestamp +23 Cleaning up request 3 ID 255 with timestamp +23 Cleaning up request 4 ID 0 with timestamp +23 Cleaning up request 5 ID 1 with timestamp +23 Cleaning up request 6 ID 2 with timestamp +23 Waking up in 1.0 seconds. Cleaning up request 7 ID 3 with timestamp +23 Ready to process requests.