root@KRATOS:/var/run/samba# freeradius -X FreeRADIUS Version 2.1.12, for host x86_64-pc-linux-gnu, built on Feb 24 2014 at 14:57:57 Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /etc/freeradius/radiusd.conf including configuration file /etc/freeradius/proxy.conf including configuration file /etc/freeradius/clients.conf including files in directory /etc/freeradius/modules/ including configuration file /etc/freeradius/modules/radutmp including configuration file /etc/freeradius/modules/policy including configuration file /etc/freeradius/modules/files including configuration file /etc/freeradius/modules/smsotp including configuration file /etc/freeradius/modules/unix including configuration file /etc/freeradius/modules/always including configuration file /etc/freeradius/modules/ldap including configuration file /etc/freeradius/modules/ntlm_auth including configuration file /etc/freeradius/modules/counter including configuration file /etc/freeradius/modules/exec including configuration file /etc/freeradius/modules/soh including configuration file /etc/freeradius/modules/expiration including configuration file /etc/freeradius/modules/mac2ip including configuration file /etc/freeradius/modules/sql_log including configuration file /etc/freeradius/modules/cui including configuration file /etc/freeradius/modules/preprocess including configuration file /etc/freeradius/modules/detail including configuration file /etc/freeradius/modules/detail.log including configuration file /etc/freeradius/modules/acct_unique including configuration file /etc/freeradius/modules/wimax including configuration file /etc/freeradius/modules/rediswho including configuration file /etc/freeradius/modules/mac2vlan including configuration file /etc/freeradius/modules/krb5 including configuration file /etc/freeradius/modules/expr including configuration file /etc/freeradius/modules/detail.example.com including configuration file /etc/freeradius/modules/chap including configuration file /etc/freeradius/modules/realm including configuration file /etc/freeradius/modules/mschap including configuration file /etc/freeradius/modules/dynamic_clients including configuration file /etc/freeradius/modules/attr_filter including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login including configuration file /etc/freeradius/modules/attr_rewrite including configuration file /etc/freeradius/modules/otp including configuration file /etc/freeradius/modules/inner-eap including configuration file /etc/freeradius/modules/linelog including configuration file /etc/freeradius/modules/smbpasswd including configuration file /etc/freeradius/modules/passwd including configuration file /etc/freeradius/modules/echo including configuration file /etc/freeradius/modules/digest including configuration file /etc/freeradius/modules/redis including configuration file /etc/freeradius/modules/sradutmp including configuration file /etc/freeradius/modules/logintime including configuration file /etc/freeradius/modules/pap including configuration file /etc/freeradius/modules/replicate including configuration file /etc/freeradius/modules/checkval including configuration file /etc/freeradius/modules/perl including configuration file /etc/freeradius/modules/opendirectory including configuration file /etc/freeradius/modules/ippool including configuration file /etc/freeradius/modules/etc_group including configuration file /etc/freeradius/modules/pam including configuration file /etc/freeradius/eap.conf including configuration file /etc/freeradius/policy.conf including files in directory /etc/freeradius/sites-enabled/ including configuration file /etc/freeradius/sites-enabled/inner-tunnel including configuration file /etc/freeradius/sites-enabled/default main { user = "freerad" group = "freerad" allow_core_dumps = no } including dictionary file /etc/freeradius/dictionary main { name = "freeradius" prefix = "/usr" localstatedir = "/var" sbindir = "/usr/sbin" logdir = "/var/log/freeradius" run_dir = "/var/run/freeradius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/freeradius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/var/run/freeradius/freeradius.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 require_message_authenticator = yes zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } } realm OBLAN { } home_server_pool my_auth_failover { type = fail-over home_server = localhost } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" nastype = "other" } client 192.168.2.135 { require_message_authenticator = no secret = "testing123" shortname = "192.168.2.135" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating module "exec" from file /etc/freeradius/modules/exec exec { wait = no input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating module "expr" from file /etc/freeradius/modules/expr Module: Linked to module rlm_expiration Module: Instantiating module "expiration" from file /etc/freeradius/modules/expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating module "logintime" from file /etc/freeradius/modules/logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server { # from file /etc/freeradius/radiusd.conf modules { Module: Creating Auth-Type = ntlm_auth Module: Creating Auth-Type = digest Module: Creating Post-Auth-Type = REJECT Module: Checking authenticate {...} for more modules to load Module: Instantiating module "ntlm_auth" from file /etc/freeradius/modules/ntlm_auth exec ntlm_auth { wait = yes program = "/etc/freeradius/modules/ntlm_auth --request-nt-key --username=%{%{mschap:User-Name}:-%{%{Stripped-User-Name}:-%{User-Name:-None}}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_pap Module: Instantiating module "pap" from file /etc/freeradius/modules/pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating module "chap" from file /etc/freeradius/modules/chap Module: Linked to module rlm_mschap Module: Instantiating module "mschap" from file /etc/freeradius/modules/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = yes ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}" allow_retry = yes } Module: Linked to module rlm_digest Module: Instantiating module "digest" from file /etc/freeradius/modules/digest Module: Linked to module rlm_unix Module: Instantiating module "unix" from file /etc/freeradius/modules/unix unix { radwtmp = "/var/log/freeradius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating module "eap" from file /etc/freeradius/eap.conf eap { default_eap_type = "peap" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 CA_path = "/etc/freeradius/certs" pem_file_type = yes private_key_file = "/etc/freeradius/certs/server.key" certificate_file = "/etc/freeradius/certs/server.pem" CA_file = "/etc/freeradius/certs/ca.pem" private_key_password = "whatever" dh_file = "/etc/freeradius/certs/dh" random_file = "/dev/urandom" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" make_cert_command = "/etc/freeradius/certs/bootstrap" ecdh_curve = "prime256v1" cache { enable = no lifetime = 24 max_entries = 255 } verify { } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" soh = no } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating module "preprocess" from file /etc/freeradius/modules/preprocess preprocess { huntgroups = "/etc/freeradius/huntgroups" hints = "/etc/freeradius/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = yes with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Linked to module rlm_realm Module: Instantiating module "suffix" from file /etc/freeradius/modules/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating module "files" from file /etc/freeradius/modules/files files { usersfile = "/etc/freeradius/users" acctusersfile = "/etc/freeradius/acct_users" preproxy_usersfile = "/etc/freeradius/preproxy_users" compat = "no" } Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating module "acct_unique" from file /etc/freeradius/modules/acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating module "detail" from file /etc/freeradius/modules/detail detail { detailfile = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Linked to module rlm_radutmp Module: Instantiating module "radutmp" from file /etc/freeradius/modules/radutmp radutmp { filename = "/var/log/freeradius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Linked to module rlm_attr_filter Module: Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/modules/attr_filter attr_filter attr_filter.accounting_response { attrsfile = "/etc/freeradius/attrs.accounting_response" key = "%{User-Name}" relaxed = no } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Instantiating module "attr_filter.access_reject" from file /etc/freeradius/modules/attr_filter attr_filter attr_filter.access_reject { attrsfile = "/etc/freeradius/attrs.access_reject" key = "%{User-Name}" relaxed = no } } # modules } # server server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } ... adding new socket proxy address * port 34812 Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 192.168.2.135 port 32768, id=17, length=176 User-Name = "hausmeister@OBLAN" NAS-IP-Address = 192.168.2.135 NAS-Port = 0 Called-Station-Id = "64-70-02-DF-6A-BA:OB-AIRLAN" Calling-Station-Id = "F0-27-65-89-E2-96" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11b" EAP-Message = 0x02f6001601686175736d656973746572404f424c414e Message-Authenticator = 0xfe9e9e40318a6c743d5adb1ea313b691 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] Looking up realm "OBLAN" for User-Name = "hausmeister@OBLAN" [suffix] Found realm "OBLAN" [suffix] Adding Stripped-User-Name = "hausmeister" [suffix] Adding Realm = "OBLAN" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] EAP packet type response id 246 length 22 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 17 to 192.168.2.135 port 32768 EAP-Message = 0x01f700061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb17a9082b18d8938d8d96a0a8f303dad Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.2.135 port 32768, id=18, length=380 User-Name = "hausmeister@OBLAN" NAS-IP-Address = 192.168.2.135 NAS-Port = 0 Called-Station-Id = "64-70-02-DF-6A-BA:OB-AIRLAN" Calling-Station-Id = "F0-27-65-89-E2-96" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11b" EAP-Message = 0x02f700d01980000000c616030100c1010000bd030153f2175a15e84c55fa8465d612fdb5f9ee0fefd27b2d8355a1554f5f40c7b995000054c014c00ac022c02100390038c00fc0050035c012c008c01cc01b00160013c00dc003000ac013c009c01fc01e00330032c00ec004002fc011c007c00cc002000500040015001200090014001100080006000300ff01000040000b000403000102000a00340032000e000d0019000b000c00180009000a00160017000800060007001400150004000500120013000100020003000f00100011 State = 0xb17a9082b18d8938d8d96a0a8f303dad Message-Authenticator = 0x666802b56fd8262e7229b56b27f1ef20 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] Looking up realm "OBLAN" for User-Name = "hausmeister@OBLAN" [suffix] Found realm "OBLAN" [suffix] Adding Stripped-User-Name = "hausmeister" [suffix] Adding Realm = "OBLAN" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] EAP packet type response id 247 length 208 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 198 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 00c1], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 0039], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 02c0], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange [peap] TLS_accept: SSLv3 write key exchange A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 18 to 192.168.2.135 port 32768 EAP-Message = 0x01f8040019c00000045c1603010039020000350301c97ed1840e8dfad6d9f7929dd3f4556e49842cbfd387ec86efd90b7b29d7e74200c01400000dff01000100000b00040300010216030102c00b0002bc0002b90002b6308202b23082019aa003020102020900d0afefce8e90fb73300d06092a864886f70d01010b05003011310f300d060355040313064b5241544f53301e170d3134303831383134313933395a170d3234303831353134313933395a3011310f300d060355040313064b5241544f5330820122300d06092a864886f70d01010105000382010f003082010a0282010100c147c62406c585a341d2a85d6fa5411969f2b76395f76b8b EAP-Message = 0x6a17b0bc11565b4c0588c041a19884372daac95226cd51157d0949c39dd020ae527cfe220e4bdb343f39a81067f1f3d430fc352336a4dbb94769e4c13593e9b1a00adecffc8b718707d43f87c31732bdc78f26add5b5f267cafe9da82f48d3591d58e9faa44fbaffdeffec6e036b07804456ad925edc1e993ea74500512cdc76f29adf2864b3d22eed8565cf85fd26893d42d9347369c1e300c90acf1cb8e4539548a2591298bcc6212dbada1f8739c11c0d50de8431fab3e3edb5ae7207ef6d629fafa0a3d46b03da7ac7dc7ec35679c6f1c65e3f082480955088f85174ee1d7458336e58a7d7d90203010001a30d300b30090603551d130402300030 EAP-Message = 0x0d06092a864886f70d01010b050003820101003f19c461a4ff3b64425f9881616bde172f290b231e1964d4b32e6840efe057d6f5673c511321ebc9b3d07d2af3f2385d9ccd469269f541135330418fa3278ba1253edaff0aeca9f6c307d59550c63416dd9046ce0e8696bab9e0b68967b5388fdc0d45febd5d53a90273fe4a59d9d4b428b3ae784194cc9fbc9432e46e851854ea6828992adddc618f853d918014d979ee4912cdea472c93af22726748f4f2eeed66944e507188397be3a60c24699c2fc29936fb21b7001901286367dc4430ff94ec4a46ae062f555baf1897978046507f30747a617b338f232cfbfbe1598eabf56eec917ddfbd5254d9 EAP-Message = 0x4dba41ab368edf7c12be72047812000c2e4356f93b3f160301014b0c000147030017410462bb65a5842c4960e543628fa05416eef5e44af7ee9de2f38542967da9556cea5c3f96823a5ec2278892242db84120139f0b464b8e427f3072b83699e0822e7801002f09caf7f86b3c9eab10cbdd2cd6925106f18595a40562d40dabd373a3faaa4e82a176ddc1befc4591ff3cc4ebd78b21b99df1bcc61fa5ebf244daba24be7f315c459641b186c94df6866e5f1fa376f36aabf178d44393a25ec3a75eddda6c9f5b6864b570cf6716bc77d59654ae2b0ad35d061506a443558a4340b28dd6108b270aa4894ec55f3685949fdf674ecd9a001c8cc223217a EAP-Message = 0x89c231b7c8c54ad5c2ba7f4e Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb17a9082b0828938d8d96a0a8f303dad Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.2.135 port 32768, id=19, length=178 User-Name = "hausmeister@OBLAN" NAS-IP-Address = 192.168.2.135 NAS-Port = 0 Called-Station-Id = "64-70-02-DF-6A-BA:OB-AIRLAN" Calling-Station-Id = "F0-27-65-89-E2-96" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11b" EAP-Message = 0x02f800061900 State = 0xb17a9082b0828938d8d96a0a8f303dad Message-Authenticator = 0xb55157990403cfc4bb42ffa220e60baf # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] Looking up realm "OBLAN" for User-Name = "hausmeister@OBLAN" [suffix] Found realm "OBLAN" [suffix] Adding Stripped-User-Name = "hausmeister" [suffix] Adding Realm = "OBLAN" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] EAP packet type response id 248 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 19 to 192.168.2.135 port 32768 EAP-Message = 0x01f9006c190047344b674273934b4c70136f821ac3960e71041431817053104b1b931f0dfe835e19277b7e71889fc2a27877bbe49996cf31fa95372645b628daa2ecf4519f3307f7a57182994c1fed7299d9ee05d7a8ba5d7bd76dda8f48f338ee3d2516030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb17a9082b3838938d8d96a0a8f303dad Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.2.135 port 32768, id=20, length=316 User-Name = "hausmeister@OBLAN" NAS-IP-Address = 192.168.2.135 NAS-Port = 0 Called-Station-Id = "64-70-02-DF-6A-BA:OB-AIRLAN" Calling-Station-Id = "F0-27-65-89-E2-96" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11b" EAP-Message = 0x02f900901980000000861603010046100000424104a4faa958b411a8815d578e182c68f7f87726da159f982a4a4402b0223b5afd5aa25bc7ec985e77c69ed0379ad4f8bac3d571fd1451eb8c4f24a214cdea838d9f1403010001011603010030123a39865dd4a5c9219e197ddab12e2daab8ac8992f9400fa706ddb7b180c710ac5a688ac314e7000aee45f547616945 State = 0xb17a9082b3838938d8d96a0a8f303dad Message-Authenticator = 0x7c65b09e11c12eb4e2238cb8c9558ba9 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] Looking up realm "OBLAN" for User-Name = "hausmeister@OBLAN" [suffix] Found realm "OBLAN" [suffix] Adding Stripped-User-Name = "hausmeister" [suffix] Adding Realm = "OBLAN" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] EAP packet type response id 249 length 144 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 134 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 20 to 192.168.2.135 port 32768 EAP-Message = 0x01fa00411900140301000101160301003039a840d024ef3d47cbc8127b14c520042c6e1013eb1f1ff1a350898ff8af46d5277ba8dff9759bd55dddb92909a07b47 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb17a9082b2808938d8d96a0a8f303dad Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.2.135 port 32768, id=21, length=178 User-Name = "hausmeister@OBLAN" NAS-IP-Address = 192.168.2.135 NAS-Port = 0 Called-Station-Id = "64-70-02-DF-6A-BA:OB-AIRLAN" Calling-Station-Id = "F0-27-65-89-E2-96" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11b" EAP-Message = 0x02fa00061900 State = 0xb17a9082b2808938d8d96a0a8f303dad Message-Authenticator = 0xeeb39aac8959b99f5af89d0f11a848ad # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] Looking up realm "OBLAN" for User-Name = "hausmeister@OBLAN" [suffix] Found realm "OBLAN" [suffix] Adding Stripped-User-Name = "hausmeister" [suffix] Adding Realm = "OBLAN" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] EAP packet type response id 250 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS [peap] Session established. Decoding tunneled attributes. [peap] Peap state TUNNEL ESTABLISHED ++[eap] returns handled Sending Access-Challenge of id 21 to 192.168.2.135 port 32768 EAP-Message = 0x01fb002b19001703010020f1d30ecf9eb6e84ba2bcd89b713a29ab0c6caa1d20a143568304cc4dce0771bc Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb17a9082b5818938d8d96a0a8f303dad Finished request 4. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.2.135 port 32768, id=22, length=268 User-Name = "hausmeister@OBLAN" NAS-IP-Address = 192.168.2.135 NAS-Port = 0 Called-Station-Id = "64-70-02-DF-6A-BA:OB-AIRLAN" Calling-Station-Id = "F0-27-65-89-E2-96" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11b" EAP-Message = 0x02fb006019001703010020d910cff73456d3375f8e54ac4b737566f77431f55a04d8d964392b86c0b76ae11703010030cddd267b166d1a51e8d58a8dfe87e3b62ed5292f490cff657253c353c7a3ac3be346111d86e61c03a1380edb78ea439b State = 0xb17a9082b5818938d8d96a0a8f303dad Message-Authenticator = 0xf88b18ff99e554cc444ffde05a7fe7c9 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] Looking up realm "OBLAN" for User-Name = "hausmeister@OBLAN" [suffix] Found realm "OBLAN" [suffix] Adding Stripped-User-Name = "hausmeister" [suffix] Adding Realm = "OBLAN" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] EAP packet type response id 251 length 96 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state WAITING FOR INNER IDENTITY [peap] Identity - hausmeister@OBLAN [peap] Got inner identity 'hausmeister@OBLAN' [peap] Setting default EAP type for tunneled EAP session. [peap] Got tunneled request EAP-Message = 0x02fb001601686175736d656973746572404f424c414e server { [peap] Setting User-Name to hausmeister@OBLAN Sending tunneled request EAP-Message = 0x02fb001601686175736d656973746572404f424c414e FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "hausmeister@OBLAN" server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop [suffix] Looking up realm "OBLAN" for User-Name = "hausmeister@OBLAN" [suffix] Found realm "OBLAN" [suffix] Adding Stripped-User-Name = "hausmeister" [suffix] Adding Realm = "OBLAN" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok ++[control] returns ok [eap] EAP packet type response id 251 length 22 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop WARNING: You set Proxy-To-Realm = LOCAL, but the realm does not exist! Cancelling invalid proxy request. Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x01fc002b1a01fc002610d9a3dd6baf4ffbc592f51acebe3fae09686175736d656973746572404f424c414e Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb081e7e1b07dfd1eae01a9846c284fc8 [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x01fc002b1a01fc002610d9a3dd6baf4ffbc592f51acebe3fae09686175736d656973746572404f424c414e Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb081e7e1b07dfd1eae01a9846c284fc8 [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 22 to 192.168.2.135 port 32768 EAP-Message = 0x01fc004b190017030100401d3af9d0863baf5e1733ee7e58cd4d8d9e777de890cd5fa77758bed293e34c98b34d2924b2de317812bca749ca345375963e6288aa6773e0d5d1ff9bb1853616 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb17a9082b4868938d8d96a0a8f303dad Finished request 5. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.2.135 port 32768, id=23, length=316 User-Name = "hausmeister@OBLAN" NAS-IP-Address = 192.168.2.135 NAS-Port = 0 Called-Station-Id = "64-70-02-DF-6A-BA:OB-AIRLAN" Calling-Station-Id = "F0-27-65-89-E2-96" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11b" EAP-Message = 0x02fc009019001703010020506215b9693181bafd300c0f7085b403ee74408fd856d1d8221a475b2751dbea1703010060a8154b4760dcdada3e437aa88afd398c21e186fe5595b4b633159345548dd3e13e24f026d37f6e4435bd693a752f2199a7bae3849f8b9742919b25c5ccc7891c71710a6780f78437fa29604faa7deafc65839b37bc56839ba2ed0d32803ec7d7 State = 0xb17a9082b4868938d8d96a0a8f303dad Message-Authenticator = 0x7e3d7debabe895ac541cd9d3388523d0 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] Looking up realm "OBLAN" for User-Name = "hausmeister@OBLAN" [suffix] Found realm "OBLAN" [suffix] Adding Stripped-User-Name = "hausmeister" [suffix] Adding Realm = "OBLAN" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] EAP packet type response id 252 length 144 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x02fc004c1a02fc004731eeca1564dad8c6f24c56450b47553dbc0000000000000000cfebe53922a2a18a8e0f423e8562a651148d2b18cd4fbc3e00686175736d656973746572404f424c414e server { [peap] Setting User-Name to hausmeister@OBLAN Sending tunneled request EAP-Message = 0x02fc004c1a02fc004731eeca1564dad8c6f24c56450b47553dbc0000000000000000cfebe53922a2a18a8e0f423e8562a651148d2b18cd4fbc3e00686175736d656973746572404f424c414e FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "hausmeister@OBLAN" State = 0xb081e7e1b07dfd1eae01a9846c284fc8 server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop [suffix] Looking up realm "OBLAN" for User-Name = "hausmeister@OBLAN" [suffix] Found realm "OBLAN" [suffix] Adding Stripped-User-Name = "hausmeister" [suffix] Adding Realm = "OBLAN" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok ++[control] returns ok [eap] EAP packet type response id 252 length 76 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop WARNING: You set Proxy-To-Realm = LOCAL, but the realm does not exist! Cancelling invalid proxy request. Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel [mschapv2] +- entering group MS-CHAP {...} [mschap] Creating challenge hash with username: hausmeister@OBLAN [mschap] Told to do MS-CHAPv2 for hausmeister@OBLAN with NT-Password [mschap] expand: %{Stripped-User-Name} -> hausmeister [mschap] expand: --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} -> --username=hausmeister [mschap] Creating challenge hash with username: hausmeister@OBLAN [mschap] expand: %{mschap:Challenge} -> 01b99ad5745936be [mschap] expand: --challenge=%{%{mschap:Challenge}:-00} -> --challenge=01b99ad5745936be [mschap] expand: %{mschap:NT-Response} -> cfebe53922a2a18a8e0f423e8562a651148d2b18cd4fbc3e [mschap] expand: --nt-response=%{%{mschap:NT-Response}:-00} -> --nt-response=cfebe53922a2a18a8e0f423e8562a651148d2b18cd4fbc3e Exec-Program output: Reading winbind reply failed! (0xc0000001) Exec-Program-Wait: plaintext: Reading winbind reply failed! (0xc0000001) Exec-Program: returned: 1 [mschap] External script failed. [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject [eap] Freeing handler ++[eap] returns reject Failed to authenticate the user. } # server inner-tunnel [peap] Got tunneled reply code 3 MS-CHAP-Error = "\374E=691 R=1" EAP-Message = 0x04fc0004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Got tunneled reply RADIUS code 3 MS-CHAP-Error = "\374E=691 R=1" EAP-Message = 0x04fc0004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Tunneled authentication was rejected. [peap] FAILURE ++[eap] returns handled Sending Access-Challenge of id 23 to 192.168.2.135 port 32768 EAP-Message = 0x01fd002b19001703010020387a6d62f940dd38ae122570fbfffac1d87827eb4ad6bdfaf67278f517a961bd Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb17a9082b7878938d8d96a0a8f303dad Finished request 6. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.2.135 port 32768, id=24, length=252 User-Name = "hausmeister@OBLAN" NAS-IP-Address = 192.168.2.135 NAS-Port = 0 Called-Station-Id = "64-70-02-DF-6A-BA:OB-AIRLAN" Calling-Station-Id = "F0-27-65-89-E2-96" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11b" EAP-Message = 0x02fd005019001703010020777322650587e9cdc89198400c6ed2c33a0c0715c59563eef1a474e520121c50170301002021d06813c3f65c929472dbc4eaee1ae73027e196d0599657a4fc0ffb4de037bc State = 0xb17a9082b7878938d8d96a0a8f303dad Message-Authenticator = 0x684114fcca34f97eb5fb30d89e742723 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] Looking up realm "OBLAN" for User-Name = "hausmeister@OBLAN" [suffix] Found realm "OBLAN" [suffix] Adding Stripped-User-Name = "hausmeister" [suffix] Adding Realm = "OBLAN" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] EAP packet type response id 253 length 80 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state send tlv failure [peap] Received EAP-TLV response. [peap] The users session was previously rejected: returning reject (again.) [peap] *** This means you need to read the PREVIOUS messages in the debug output [peap] *** to find out the reason why the user was rejected. [peap] *** Look for "reject" or "fail". Those earlier messages will tell you. [peap] *** what went wrong, and how to fix the problem. [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /etc/freeradius/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> hausmeister@OBLAN attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 7 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 7 Sending Access-Reject of id 24 to 192.168.2.135 port 32768 EAP-Message = 0x04fd0004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.9 seconds. Cleaning up request 0 ID 17 with timestamp +21 Cleaning up request 1 ID 18 with timestamp +21 Cleaning up request 2 ID 19 with timestamp +21 Cleaning up request 3 ID 20 with timestamp +21 Cleaning up request 4 ID 21 with timestamp +21 Cleaning up request 5 ID 22 with timestamp +21 Cleaning up request 6 ID 23 with timestamp +21 Waking up in 1.0 seconds. Cleaning up request 7 ID 24 with timestamp +21 Ready to process requests. Exec-Program output: Reading winbind reply failed! (0xc0000001) Exec-Program-Wait: plaintext: Reading winbind reply failed! (0xc0000001) Exec-Program: returned: 1 ^C^C root@KRATOS:/home/haus-meister# su haus-meister haus-meister@KRATOS:~$ sudo usermod -aG backup freerad haus-meister libuuid mail news root sys www-data bin games irc list man nobody sshd syslog daemon gnats landscape lp messagebus proxy sync uucp