haus-meister@KRATOS:/etc/freeradius/modules$ sudo freeradius -X FreeRADIUS Version 2.1.12, for host x86_64-pc-linux-gnu, built on Feb 24 2014 at 14:57:57 Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /etc/freeradius/radiusd.conf including configuration file /etc/freeradius/proxy.conf including configuration file /etc/freeradius/clients.conf including files in directory /etc/freeradius/modules/ including configuration file /etc/freeradius/modules/pap including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login including configuration file /etc/freeradius/modules/realm including configuration file /etc/freeradius/modules/cui including configuration file /etc/freeradius/modules/policy including configuration file /etc/freeradius/modules/echo including configuration file /etc/freeradius/modules/files including configuration file /etc/freeradius/modules/acct_unique including configuration file /etc/freeradius/modules/radutmp including configuration file /etc/freeradius/modules/detail.log including configuration file /etc/freeradius/modules/preprocess including configuration file /etc/freeradius/modules/chap including configuration file /etc/freeradius/modules/redis including configuration file /etc/freeradius/modules/smsotp including configuration file /etc/freeradius/modules/unix including configuration file /etc/freeradius/modules/expiration including configuration file /etc/freeradius/modules/linelog including configuration file /etc/freeradius/modules/detail.example.com including configuration file /etc/freeradius/modules/krb5 including configuration file /etc/freeradius/modules/attr_filter including configuration file /etc/freeradius/modules/digest including configuration file /etc/freeradius/modules/checkval including configuration file /etc/freeradius/modules/replicate including configuration file /etc/freeradius/modules/opendirectory including configuration file /etc/freeradius/modules/smbpasswd including configuration file /etc/freeradius/modules/inner-eap including configuration file /etc/freeradius/modules/perl including configuration file /etc/freeradius/modules/soh including configuration file /etc/freeradius/modules/mac2vlan including configuration file /etc/freeradius/modules/ippool including configuration file /etc/freeradius/modules/expr including configuration file /etc/freeradius/modules/etc_group including configuration file /etc/freeradius/modules/ldap including configuration file /etc/freeradius/modules/exec including configuration file /etc/freeradius/modules/counter including configuration file /etc/freeradius/modules/mschap including configuration file /etc/freeradius/modules/detail including configuration file /etc/freeradius/modules/passwd including configuration file /etc/freeradius/modules/mac2ip including configuration file /etc/freeradius/modules/rediswho including configuration file /etc/freeradius/modules/logintime including configuration file /etc/freeradius/modules/attr_rewrite including configuration file /etc/freeradius/modules/otp including configuration file /etc/freeradius/modules/ntlm_auth including configuration file /etc/freeradius/modules/pam including configuration file /etc/freeradius/modules/wimax including configuration file /etc/freeradius/modules/sql_log including configuration file /etc/freeradius/modules/always including configuration file /etc/freeradius/modules/sradutmp including configuration file /etc/freeradius/modules/dynamic_clients including configuration file /etc/freeradius/eap.conf including configuration file /etc/freeradius/policy.conf including files in directory /etc/freeradius/sites-enabled/ including configuration file /etc/freeradius/sites-enabled/inner-tunnel including configuration file /etc/freeradius/sites-enabled/default main { user = "freerad" group = "freerad" allow_core_dumps = no } including dictionary file /etc/freeradius/dictionary main { name = "freeradius" prefix = "/usr" localstatedir = "/var" sbindir = "/usr/sbin" logdir = "/var/log/freeradius" run_dir = "/var/run/freeradius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/freeradius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/var/run/freeradius/freeradius.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 require_message_authenticator = yes zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } } realm OBLAN { } home_server_pool my_auth_failover { type = fail-over home_server = localhost } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" nastype = "other" } client 192.168.2.135 { require_message_authenticator = no secret = "testing123" shortname = "192.168.2.135" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating module "exec" from file /etc/freeradius/modules/exec exec { wait = no input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating module "expr" from file /etc/freeradius/modules/expr Module: Linked to module rlm_expiration Module: Instantiating module "expiration" from file /etc/freeradius/modules/expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating module "logintime" from file /etc/freeradius/modules/logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server { # from file /etc/freeradius/radiusd.conf modules { Module: Creating Auth-Type = ntlm_auth Module: Creating Auth-Type = digest Module: Creating Post-Auth-Type = REJECT Module: Checking authenticate {...} for more modules to load Module: Instantiating module "ntlm_auth" from file /etc/freeradius/modules/ntlm_auth exec ntlm_auth { wait = yes program = "/etc/freeradius/modules/ntlm_auth --request-nt-key --username=%{%{mschap:User-Name}:-%{%{Stripped-User-Name}:-%{User-Name:-None}}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_pap Module: Instantiating module "pap" from file /etc/freeradius/modules/pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating module "chap" from file /etc/freeradius/modules/chap Module: Linked to module rlm_mschap Module: Instantiating module "mschap" from file /etc/freeradius/modules/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = yes ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00} --domain=OBLAN" allow_retry = yes } Module: Linked to module rlm_digest Module: Instantiating module "digest" from file /etc/freeradius/modules/digest Module: Linked to module rlm_unix Module: Instantiating module "unix" from file /etc/freeradius/modules/unix unix { radwtmp = "/var/log/freeradius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating module "eap" from file /etc/freeradius/eap.conf eap { default_eap_type = "peap" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 CA_path = "/etc/freeradius/certs" pem_file_type = yes private_key_file = "/etc/freeradius/certs/server.key" certificate_file = "/etc/freeradius/certs/server.pem" CA_file = "/etc/freeradius/certs/ca.pem" private_key_password = "whatever" dh_file = "/etc/freeradius/certs/dh" random_file = "/dev/urandom" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" make_cert_command = "/etc/freeradius/certs/bootstrap" ecdh_curve = "prime256v1" cache { enable = no lifetime = 24 max_entries = 255 } verify { } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" soh = no } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating module "preprocess" from file /etc/freeradius/modules/preprocess preprocess { huntgroups = "/etc/freeradius/huntgroups" hints = "/etc/freeradius/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = yes with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Linked to module rlm_realm Module: Instantiating module "suffix" from file /etc/freeradius/modules/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating module "files" from file /etc/freeradius/modules/files files { usersfile = "/etc/freeradius/users" acctusersfile = "/etc/freeradius/acct_users" preproxy_usersfile = "/etc/freeradius/preproxy_users" compat = "no" } Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating module "acct_unique" from file /etc/freeradius/modules/acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating module "detail" from file /etc/freeradius/modules/detail detail { detailfile = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Linked to module rlm_radutmp Module: Instantiating module "radutmp" from file /etc/freeradius/modules/radutmp radutmp { filename = "/var/log/freeradius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Linked to module rlm_attr_filter Module: Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/modules/attr_filter attr_filter attr_filter.accounting_response { attrsfile = "/etc/freeradius/attrs.accounting_response" key = "%{User-Name}" relaxed = no } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Instantiating module "attr_filter.access_reject" from file /etc/freeradius/modules/attr_filter attr_filter attr_filter.access_reject { attrsfile = "/etc/freeradius/attrs.access_reject" key = "%{User-Name}" relaxed = no } } # modules } # server server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } ... adding new socket proxy address * port 33493 Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 192.168.2.135 port 32768, id=212, length=176 User-Name = "hausmeister@oblan" NAS-IP-Address = 192.168.2.135 NAS-Port = 0 Called-Station-Id = "64-70-02-DF-6A-BA:OB-AIRLAN" Calling-Station-Id = "F0-27-65-89-E2-96" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11b" EAP-Message = 0x02ae001601686175736d656973746572406f626c616e Message-Authenticator = 0xfe39da42fd0b026928fd61f28e44012e # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] Looking up realm "oblan" for User-Name = "hausmeister@oblan" [suffix] Found realm "OBLAN" [suffix] Adding Stripped-User-Name = "hausmeister" [suffix] Adding Realm = "OBLAN" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] EAP packet type response id 174 length 22 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 212 to 192.168.2.135 port 32768 EAP-Message = 0x01af00061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x76cb5ad27664435bf3345afb5d690783 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.2.135 port 32768, id=213, length=380 User-Name = "hausmeister@oblan" NAS-IP-Address = 192.168.2.135 NAS-Port = 0 Called-Station-Id = "64-70-02-DF-6A-BA:OB-AIRLAN" Calling-Station-Id = "F0-27-65-89-E2-96" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11b" EAP-Message = 0x02af00d01980000000c616030100c1010000bd030153ede4d0481d87099d6b75849f121efd9319938a8b8c2cbd91c34c58232f260a000054c014c00ac022c02100390038c00fc0050035c012c008c01cc01b00160013c00dc003000ac013c009c01fc01e00330032c00ec004002fc011c007c00cc002000500040015001200090014001100080006000300ff01000040000b000403000102000a00340032000e000d0019000b000c00180009000a00160017000800060007001400150004000500120013000100020003000f00100011 State = 0x76cb5ad27664435bf3345afb5d690783 Message-Authenticator = 0xdb89c33d4f2c7ac04c4222a7a483d46f # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] Looking up realm "oblan" for User-Name = "hausmeister@oblan" [suffix] Found realm "OBLAN" [suffix] Adding Stripped-User-Name = "hausmeister" [suffix] Adding Realm = "OBLAN" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] EAP packet type response id 175 length 208 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 198 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 00c1], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 0039], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 02c0], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange [peap] TLS_accept: SSLv3 write key exchange A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 213 to 192.168.2.135 port 32768 EAP-Message = 0x01b0040019c00000045c16030100390200003503018cbc906cbeeaa7d925d73472c8f871a0b4bf3af60115ec295186af567e0d2b8f00c01400000dff01000100000b00040300010216030102c00b0002bc0002b90002b6308202b23082019aa003020102020900f349c1d40d1d50ee300d06092a864886f70d01010b05003011310f300d060355040313064b5241544f53301e170d3134303830383135313933365a170d3234303830353135313933365a3011310f300d060355040313064b5241544f5330820122300d06092a864886f70d01010105000382010f003082010a0282010100d1b845087d1818ccf594d91354c4663ffd77f9594545494a EAP-Message = 0x6933a94d74204f387d09c538e6e60c89dc5c8c256b98ce525c7c347038f6e79c736123b95094166da4a72403511262399331362c9e71b9e93076be37c0309d861da4d8b68bd948886b70d079e322119a9fadd045347e1d0386ba46b3cd7e9520e9940f3ccdd802199e3f861259f33c8639cebef505dcc358a010500eee5ef0977b9ed0d88f2d34d0700609dd7d8512158daee745103f0efa9f0dd155bb4cf8377ce36d925ee67be0d94aba909b64f1d94166ce67c37b65d278c4f23013610c9f6c2bbf8db4a70a54d8f2e911028198ad48ee0ac6e6eb0bdbabc3218da98dfe041426194863057c7d0203010001a30d300b30090603551d130402300030 EAP-Message = 0x0d06092a864886f70d01010b05000382010100af2e7a028d7cfb404264d1d5683102fc224d8a95a9a2a80240be4659011cbeb586de63d09f502569decb94c0a1f5971978603b623ac1c7f6e6b31cd4215881bae2dd8fa5839f45b982c9426c1dde971185eb1ae20253723bda27305a3b0a092dff0b9ffd8058b3eda1ae84f82992bdb92d5da75d1c2204cfd39fa990a20f2ae4072edc0cfbf0ff8a7bcd5221297611bcab8932757ff5fde368eabf75c85949b76850f5ab578a4423a78b5afe4e414f47fee7a1e18c074d87bd4072391e8f59fa976269a58fd6ed17d66fa25b6d5fb57bf75b9b73f2e59696a493fae910482922f4bac178cebe8c4be1fa EAP-Message = 0x69e8ce3b677364578ae436635b183425eaac1f02dc71160301014b0c0001470300174104b575154b94c2f97cc088aba3215a17b26bc633154f52331c96a5da238ecaccf9aab908fb9e4abab8726c6f0659ad143a07a6ccb568e6f89f12ad7e31b93616d40100649f4336e096ccf80f3c14882d7474c0da7f9c0ab8950e79ec9140c913c17bd5ee08046bc509ee8338b6eb522f31037944574338d5aabd3a36480f2b0b20b1ad3c5fb832d4c14ba0093e51a1e94383f7d4b7151aae74a16f7e8098a3d8462e334fd98227df08f6500d351c7ddccaa1d795b2138a2d317e555e01f57b8e57303b10ae66daa6bf82d8ab8098de0839ceacb56f3dc3986e7e EAP-Message = 0x7c20f209add0aa970a284aae Message-Authenticator = 0x00000000000000000000000000000000 State = 0x76cb5ad2777b435bf3345afb5d690783 Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.2.135 port 32768, id=214, length=178 User-Name = "hausmeister@oblan" NAS-IP-Address = 192.168.2.135 NAS-Port = 0 Called-Station-Id = "64-70-02-DF-6A-BA:OB-AIRLAN" Calling-Station-Id = "F0-27-65-89-E2-96" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11b" EAP-Message = 0x02b000061900 State = 0x76cb5ad2777b435bf3345afb5d690783 Message-Authenticator = 0xf54b89c1da9274666e2323a3e0f36fad # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] Looking up realm "oblan" for User-Name = "hausmeister@oblan" [suffix] Found realm "OBLAN" [suffix] Adding Stripped-User-Name = "hausmeister" [suffix] Adding Realm = "OBLAN" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] EAP packet type response id 176 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 214 to 192.168.2.135 port 32768 EAP-Message = 0x01b1006c1900b0691e7bcbaf06936dbf73bc669fcb0dbe90b742cc369488a77ad8a5cd5b1eedbfedb35c09bd2d2c9f6dac0a71ee9884a34e1df0da8f69609af7a5efb575392d8e11dea2cd42be3a08ce12bc8f7270fd94608738b918f64930c99f1f6816030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x76cb5ad2747a435bf3345afb5d690783 Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.2.135 port 32768, id=215, length=316 User-Name = "hausmeister@oblan" NAS-IP-Address = 192.168.2.135 NAS-Port = 0 Called-Station-Id = "64-70-02-DF-6A-BA:OB-AIRLAN" Calling-Station-Id = "F0-27-65-89-E2-96" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11b" EAP-Message = 0x02b10090198000000086160301004610000042410490d8ee89c0ac9da0f79989b79d39473e798740279a2762bd51d92e7338fd0480e0b20da439e7e9e66e9cb46d9dc5852675229b2ecd75c87145dfb3e3ddadf32e14030100010116030100302a16ea8e7a064eb3f28f21937335c301dc31527c260ce85e9260cba81b9447683c7cd51140ed4998f6db43977556f986 State = 0x76cb5ad2747a435bf3345afb5d690783 Message-Authenticator = 0x7a820632cf0862e04c60808e9b3dcb02 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] Looking up realm "oblan" for User-Name = "hausmeister@oblan" [suffix] Found realm "OBLAN" [suffix] Adding Stripped-User-Name = "hausmeister" [suffix] Adding Realm = "OBLAN" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] EAP packet type response id 177 length 144 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 134 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 215 to 192.168.2.135 port 32768 EAP-Message = 0x01b200411900140301000101160301003088aa10535ec19c5ff5e0208f7aad5cdbe39c8f82f56b03a5767aa0d0bcee6a3fdb5ecace3b5d594ada00baecb2f2ac71 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x76cb5ad27579435bf3345afb5d690783 Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.2.135 port 32768, id=216, length=178 User-Name = "hausmeister@oblan" NAS-IP-Address = 192.168.2.135 NAS-Port = 0 Called-Station-Id = "64-70-02-DF-6A-BA:OB-AIRLAN" Calling-Station-Id = "F0-27-65-89-E2-96" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11b" EAP-Message = 0x02b200061900 State = 0x76cb5ad27579435bf3345afb5d690783 Message-Authenticator = 0x3cc530bc622d89b4af82b896c54ffd34 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] Looking up realm "oblan" for User-Name = "hausmeister@oblan" [suffix] Found realm "OBLAN" [suffix] Adding Stripped-User-Name = "hausmeister" [suffix] Adding Realm = "OBLAN" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] EAP packet type response id 178 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS [peap] Session established. Decoding tunneled attributes. [peap] Peap state TUNNEL ESTABLISHED ++[eap] returns handled Sending Access-Challenge of id 216 to 192.168.2.135 port 32768 EAP-Message = 0x01b3002b190017030100206779c43f633c58b73cbbfa327b839b521ce87af4f11313f2daa1dbf31624c07e Message-Authenticator = 0x00000000000000000000000000000000 State = 0x76cb5ad27278435bf3345afb5d690783 Finished request 4. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.2.135 port 32768, id=217, length=268 User-Name = "hausmeister@oblan" NAS-IP-Address = 192.168.2.135 NAS-Port = 0 Called-Station-Id = "64-70-02-DF-6A-BA:OB-AIRLAN" Calling-Station-Id = "F0-27-65-89-E2-96" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11b" EAP-Message = 0x02b3006019001703010020d350e4d0052a4970c632db295a7e2355774b2509d95b743692d53e58558ab735170301003011ec3ea12785e60cdedaec4b02d6820677ad2f3a23c586da6d498ee9e400c075a0ed6aeedad5c5e48b986b697e2cf173 State = 0x76cb5ad27278435bf3345afb5d690783 Message-Authenticator = 0xd53fa0ec8b34fe3902a89c55008a6201 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] Looking up realm "oblan" for User-Name = "hausmeister@oblan" [suffix] Found realm "OBLAN" [suffix] Adding Stripped-User-Name = "hausmeister" [suffix] Adding Realm = "OBLAN" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] EAP packet type response id 179 length 96 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state WAITING FOR INNER IDENTITY [peap] Identity - hausmeister@oblan [peap] Got inner identity 'hausmeister@oblan' [peap] Setting default EAP type for tunneled EAP session. [peap] Got tunneled request EAP-Message = 0x02b3001601686175736d656973746572406f626c616e server { [peap] Setting User-Name to hausmeister@oblan Sending tunneled request EAP-Message = 0x02b3001601686175736d656973746572406f626c616e FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "hausmeister@oblan" server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop [suffix] Looking up realm "oblan" for User-Name = "hausmeister@oblan" [suffix] Found realm "OBLAN" [suffix] Adding Stripped-User-Name = "hausmeister" [suffix] Adding Realm = "OBLAN" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok ++[control] returns ok [eap] EAP packet type response id 179 length 22 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop WARNING: You set Proxy-To-Realm = LOCAL, but the realm does not exist! Cancelling invalid proxy request. Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x01b4002b1a01b4002610fb15ecb60688adc2b15f8718ec0a7822686175736d656973746572406f626c616e Message-Authenticator = 0x00000000000000000000000000000000 State = 0x703e38cb708a22a87107198ebe778ea5 [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x01b4002b1a01b4002610fb15ecb60688adc2b15f8718ec0a7822686175736d656973746572406f626c616e Message-Authenticator = 0x00000000000000000000000000000000 State = 0x703e38cb708a22a87107198ebe778ea5 [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 217 to 192.168.2.135 port 32768 EAP-Message = 0x01b4004b190017030100404eac752a6f616b95f866bba0cf39b6b3f19196e5bbb43176f1c73cb3bb24ffaf26af3acc7e2dc4b0f679ebf8f8ef7dfc653da8f5ad846e632488324ed0583ad0 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x76cb5ad2737f435bf3345afb5d690783 Finished request 5. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.2.135 port 32768, id=218, length=316 User-Name = "hausmeister@oblan" NAS-IP-Address = 192.168.2.135 NAS-Port = 0 Called-Station-Id = "64-70-02-DF-6A-BA:OB-AIRLAN" Calling-Station-Id = "F0-27-65-89-E2-96" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11b" EAP-Message = 0x02b4009019001703010020dd9e50f2408f59962b7970320f15eee923b8648fcac5e784deeea3e8a2237bb917030100600df15d59637b226251dd865fcd17dbc74eb8c66c35cb2b0568085f7eb21ed47e54069963fac070bfdd98bf3ebf7b796d3b71dd0fcd7955819ac5eadb5816d3bc4d27d574927b212837406a51cf0e94022dd1d8e6273899c63c2c0d98e2f39098 State = 0x76cb5ad2737f435bf3345afb5d690783 Message-Authenticator = 0x82cc437e76ec25b1bc4e1b885322ea1e # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] Looking up realm "oblan" for User-Name = "hausmeister@oblan" [suffix] Found realm "OBLAN" [suffix] Adding Stripped-User-Name = "hausmeister" [suffix] Adding Realm = "OBLAN" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] EAP packet type response id 180 length 144 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x02b4004c1a02b4004731dd86f1c05df87c33630d727c0b0ff0fb000000000000000046ced655ef1738b05dad84aaa9fea60fc7cfa22f9c6c563b00686175736d656973746572406f626c616e server { [peap] Setting User-Name to hausmeister@oblan Sending tunneled request EAP-Message = 0x02b4004c1a02b4004731dd86f1c05df87c33630d727c0b0ff0fb000000000000000046ced655ef1738b05dad84aaa9fea60fc7cfa22f9c6c563b00686175736d656973746572406f626c616e FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "hausmeister@oblan" State = 0x703e38cb708a22a87107198ebe778ea5 server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop [suffix] Looking up realm "oblan" for User-Name = "hausmeister@oblan" [suffix] Found realm "OBLAN" [suffix] Adding Stripped-User-Name = "hausmeister" [suffix] Adding Realm = "OBLAN" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok ++[control] returns ok [eap] EAP packet type response id 180 length 76 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop WARNING: You set Proxy-To-Realm = LOCAL, but the realm does not exist! Cancelling invalid proxy request. Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel [mschapv2] +- entering group MS-CHAP {...} [mschap] Creating challenge hash with username: hausmeister@oblan [mschap] Told to do MS-CHAPv2 for hausmeister@oblan with NT-Password [mschap] expand: %{Stripped-User-Name} -> hausmeister [mschap] expand: --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} -> --username=hausmeister [mschap] Creating challenge hash with username: hausmeister@oblan [mschap] expand: %{mschap:Challenge} -> fffc6d74f50463ee [mschap] expand: --challenge=%{%{mschap:Challenge}:-00} -> --challenge=fffc6d74f50463ee [mschap] expand: %{mschap:NT-Response} -> 46ced655ef1738b05dad84aaa9fea60fc7cfa22f9c6c563b [mschap] expand: --nt-response=%{%{mschap:NT-Response}:-00} -> --nt-response=46ced655ef1738b05dad84aaa9fea60fc7cfa22f9c6c563b Exec-Program output: Reading winbind reply failed! (0xc0000001) Exec-Program-Wait: plaintext: Reading winbind reply failed! (0xc0000001) Exec-Program: returned: 1 [mschap] External script failed. [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject [eap] Freeing handler ++[eap] returns reject Failed to authenticate the user. } # server inner-tunnel [peap] Got tunneled reply code 3 MS-CHAP-Error = "\264E=691 R=1" EAP-Message = 0x04b40004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Got tunneled reply RADIUS code 3 MS-CHAP-Error = "\264E=691 R=1" EAP-Message = 0x04b40004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Tunneled authentication was rejected. [peap] FAILURE ++[eap] returns handled Sending Access-Challenge of id 218 to 192.168.2.135 port 32768 EAP-Message = 0x01b5002b19001703010020da3bf9daa85b007be8cf3e7d69484b8c20a0d79bfe864ff8c9a4b698fa2641e8 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x76cb5ad2707e435bf3345afb5d690783 Finished request 6. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.2.135 port 32768, id=219, length=252 User-Name = "hausmeister@oblan" NAS-IP-Address = 192.168.2.135 NAS-Port = 0 Called-Station-Id = "64-70-02-DF-6A-BA:OB-AIRLAN" Calling-Station-Id = "F0-27-65-89-E2-96" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11b" EAP-Message = 0x02b50050190017030100203b34f8063f17ea56153b585bb1dbc06569557a801aeaeef567bc6ea14c6e86a11703010020efa86a3d9de84d0af5846d0e631b6e1a50438ee72e5863f15998b20f73bf585a State = 0x76cb5ad2707e435bf3345afb5d690783 Message-Authenticator = 0x8c84b4d8f29ac17ee76da545eb23c162 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] Looking up realm "oblan" for User-Name = "hausmeister@oblan" [suffix] Found realm "OBLAN" [suffix] Adding Stripped-User-Name = "hausmeister" [suffix] Adding Realm = "OBLAN" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] EAP packet type response id 181 length 80 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state send tlv failure [peap] Received EAP-TLV response. [peap] The users session was previously rejected: returning reject (again.) [peap] *** This means you need to read the PREVIOUS messages in the debug output [peap] *** to find out the reason why the user was rejected. [peap] *** Look for "reject" or "fail". Those earlier messages will tell you. [peap] *** what went wrong, and how to fix the problem. [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /etc/freeradius/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> hausmeister@oblan attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 7 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 7 Sending Access-Reject of id 219 to 192.168.2.135 port 32768 EAP-Message = 0x04b50004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.9 seconds. Cleaning up request 0 ID 212 with timestamp +33 Cleaning up request 1 ID 213 with timestamp +33 Cleaning up request 2 ID 214 with timestamp +33 Cleaning up request 3 ID 215 with timestamp +33 Cleaning up request 4 ID 216 with timestamp +33 Cleaning up request 5 ID 217 with timestamp +33 Cleaning up request 6 ID 218 with timestamp +33 Waking up in 1.0 seconds. Cleaning up request 7 ID 219 with timestamp +33 Ready to process requests. ^Chaus-meister@KRATOS:/etc/freeradius/modules$ [mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel [mschap] Creating challenge hash with username: hausmeister@oblan [mschap] Told to do MS-CHAPv2 for hausmeister@oblan with NT-Password [mschap] expand: %{Stripped-User-Name} -> hausmeister [mschap] expand: --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} -> --username=hausmeister [mschap] Creating challenge hash with username: hausmeister@oblan [mschap] expand: %{mschap:Challenge} -> fffc6d74f50463ee [mschap] expand: --challenge=%{%{mschap:Challenge}:-00} -> --challenge=fffc6d74f50463ee [mschap] expand: %{mschap:NT-Response} -> 46ced655ef1738b05dad84aaa9fea60fc7cfa22f9c6c563b [mschap] expand: --nt-response=%{%{mschap:NT-Response}:-00} -> --nt-response=46ced655ef1738b05dad84aaa9fea60fc7cfa22f9c6c563b Exec-Program output: Reading winbind reply failed! (0xc0000001) Exec-Program-Wait: plaintext: Reading winbind reply failed! (0xc0000001) Exec-Program: returned: 1 [mschap] External script failed. [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject [mschapv2]: Befehl nicht gefunden.