Hello,
I would like to authorize windows clients access to 3com Baseline
Switch 2948 SFP against FreeRADIUS server 2.0.5.
Windows are cofigured to use PEAP - EAP-MSCHAPv2.
Server certificate was created with bootstrap script (xpextensions
are included).
I tried windows xp sp3 and linux (wpa_supplicant) client and both
cause the same server output and authorization can't pass.
Testing tools eapol_test, radeapclient and jRadiusSimulator can pass
all tests fine.
EAP - MD5 Challenge works fine.
Attaching radiusd.conf and radius -X output.
Thanks for help.
--
Lukas Lisa
prefix = /usr
exec_prefix = ${prefix}
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
log_auth = yes
run_dir = ${localstatedir}/run/radiusd
db_dir = $(raddbdir)
libdir = /usr/lib/freeradius
pidfile = ${run_dir}/radiusd.pid
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
listen {
type = auth
ipaddr = *
port = 0
}
listen {
ipaddr = *
port = 0
type = acct
}
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log {
destination = files
file = ${logdir}/radius.log
syslog_facility = daemon
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
}
checkrad = ${sbindir}/checkrad
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
proxy_requests = yes
##### proxy #####
# $INCLUDE proxy.conf
realm NULL {
type = radius
authhost = LOCAL
accthost = LOCAL
secret = ss
}
###### clients ######
# $INCLUDE clients.conf
client 127.0.0.1 {
secret = ss
shortname = localhost
nastype = other
}
client 10.1.11.0{
netmask = 24
secret = ss
shortname = LAN_clients
nastype = other
}
snmp = no
$INCLUDE snmp.conf
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
}
modules {
# $INCLUDE ${confdir}/modules/
#### acct_unique ####
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
}
### detail ####
detail {
detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
detailperm = 0600
header = "%t"
}
#### files ####
files {
usersfile = ${confdir}/users
#acctusersfile = ${confdir}/acct_users
#preproxy_usersfile = ${confdir}/preproxy_users
compat = no
}
#### mschap ####
mschap {
authtype = MS-CHAP
}
#### pap ####
pap {
auto_header = no
}
#### preprocess ####
preprocess {
huntgroups = ${confdir}/huntgroups
hints = ${confdir}/hints
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
}
#### realm ####
realm suffix {
format = suffix
delimiter = "@"
}
######## eap #######
eap {
default_eap_type = md5
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
md5 {
}
leap {
}
gtc {
auth_type = PAP
}
tls {
certdir = ${confdir}/certs
cadir = ${confdir}/certs
private_key_password = whatever
private_key_file = ${certdir}/server.pem
certificate_file = ${certdir}/server.pem
CA_file = ${cadir}/ca.pem
dh_file = ${certdir}/dh
random_file = ${certdir}/random
cipher_list = "DEFAULT"
#make_cert_command = "${certdir}/bootstrap"
fragment_size = 1024
include_length = yes
}
ttls {
default_eap_type = md5
#copy_request_to_tunnel = no
#use_tunneled_reply = no
use_tunneled_reply = yes
#virtual_server = "inner-tunnel"
}
peap {
default_eap_type = mschapv2
proxy_tunneled_request_as_eap = yes
#copy_request_to_tunnel = no
#use_tunneled_reply = no
use_tunneled_reply = yes
#virtual_server = "inner-tunnel"
}
mschapv2 {
}
}
# $INCLUDE sql.conf
# $INCLUDE sql/mysql/counter.conf
}
# instantiate {
# exec
# expr
# expiration
# logintime
# }
#
# $INCLUDE policy.conf
#### sites enabled ####
# $INCLUDE sites-enabled/
authorize {
preprocess
mschap
suffix
eap
#chap
#eap {
# ok = return
#}
#unix
files
#expiration
#logintime
#pap
}
authenticate {
Auth-Type PAP {
pap
}
#Auth-Type CHAP {
# chap
#}
Auth-Type MS-CHAP {
mschap
}
#unix
eap
}
preacct {
preprocess
acct_unique
#suffix
files
}
accounting {
detail
#unix
#radutmp
#attr_filter.accounting_response
}
#session {
# radutmp
#}
#post-auth {
# exec
# Post-Auth-Type REJECT {
# attr_filter.access_reject
# }
#}
#pre-proxy {
#}
#post-proxy {
# eap
#}
FreeRADIUS Version 2.0.5, for host i686-pc-linux-gnu, built on Jul 29 2008 at 14:10:17
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/snmp.conf
including dictionary file /etc/raddb/dictionary
main {
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/radius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
pidfile = "/var/run/radiusd/radiusd.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
}
log_auth = yes
}
client 127.0.0.1 {
require_message_authenticator = no
secret = "ss"
shortname = "localhost"
nastype = "other"
}
client 10.1.11.0 {
netmask = 24
require_message_authenticator = no
secret = "ss"
shortname = "LAN_clients"
nastype = "other"
}
radiusd: #### Loading Realms and Home Servers ####
realm NULL {
authhost = LOCAL
accthost = LOCAL
}
radiusd: #### Instantiating modules ####
radiusd: #### Loading Virtual Servers ####
server {
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating pap
pap {
encryption_scheme = "auto"
auto_header = no
}
Module: Linked to module rlm_mschap
Module: Instantiating mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = no
}
Module: Linked to module rlm_eap
Module: Instantiating eap
eap {
default_eap_type = "md5"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
pem_file_type = yes
private_key_file = "/etc/raddb/certs/server.pem"
certificate_file = "/etc/raddb/certs/server.pem"
CA_file = "/etc/raddb/certs/ca.pem"
private_key_password = "whatever"
dh_file = "/etc/raddb/certs/dh"
random_file = "/etc/raddb/certs/random"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
}
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = yes
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = yes
proxy_tunneled_request_as_eap = yes
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating preprocess
preprocess {
huntgroups = "/etc/raddb/huntgroups"
hints = "/etc/raddb/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
Module: Linked to module rlm_realm
Module: Instantiating suffix
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Linked to module rlm_files
Module: Instantiating files
files {
usersfile = "/etc/raddb/users"
compat = "no"
}
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating detail
detail {
detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
}
}
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
main {
snmp = no
smux_password = ""
snmp_write_access = no
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 10.1.11.254 port 1678, id=86, length=92
NAS-IP-Address = 10.1.11.254
NAS-Port = 13
NAS-Port-Type = Ethernet
Calling-Station-Id = "00-1E-C9-5D-12-E8"
User-Name = "pepa"
EAP-Message = 0x020100090170657061
Message-Authenticator = 0x6966eee3e16f3dbca48d1d0940ee8092
+- entering group authorize
++[preprocess] returns ok
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "pepa", looking up realm NULL
rlm_realm: Found realm "NULL"
rlm_realm: Adding Stripped-User-Name = "pepa"
rlm_realm: Adding Realm = "NULL"
rlm_realm: Authentication realm is LOCAL.
++[suffix] returns ok
rlm_eap: EAP packet type response id 1 length 9
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
users: Matched entry pepa at line 63
++[files] returns ok
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: EAP Identity
rlm_eap: processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 86 to 10.1.11.254 port 1678
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "1"
Tunnel-Type:0 = VLAN
EAP-Message = 0x01020016041039cd7461637ef88b1917e73e9f7454c0
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xc12a17dec12813be64a3903fd78b27a2
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.1.11.254 port 1678, id=87, length=107
NAS-IP-Address = 10.1.11.254
NAS-Port = 13
NAS-Port-Type = Ethernet
Calling-Station-Id = "00-1E-C9-5D-12-E8"
User-Name = "pepa"
EAP-Message = 0x020200060319
State = 0xc12a17dec12813be64a3903fd78b27a2
Message-Authenticator = 0xa707c2539eb95c1920974e7a99366818
+- entering group authorize
++[preprocess] returns ok
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "pepa", looking up realm NULL
rlm_realm: Found realm "NULL"
rlm_realm: Adding Stripped-User-Name = "pepa"
rlm_realm: Adding Realm = "NULL"
rlm_realm: Authentication realm is LOCAL.
++[suffix] returns ok
rlm_eap: EAP packet type response id 2 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
users: Matched entry pepa at line 63
++[files] returns ok
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP NAK
rlm_eap: EAP-NAK asked for EAP-Type/peap
rlm_eap: processing type tls
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 87 to 10.1.11.254 port 1678
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "1"
Tunnel-Type:0 = VLAN
EAP-Message = 0x010300061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xc12a17dec0290ebe64a3903fd78b27a2
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.1.11.254 port 1678, id=88, length=213
NAS-IP-Address = 10.1.11.254
NAS-Port = 13
NAS-Port-Type = Ethernet
Calling-Station-Id = "00-1E-C9-5D-12-E8"
User-Name = "pepa"
EAP-Message = 0x0203007019800000006616030100610100005d03014905f33e53294d50e965048da5c85d5a54078b2ca1eca3ede7dd82bebb20cd2e203ab15972a43e9953c3140d9f8068bc75e2eff3a94af4b2a7bbf43fde181f93ce001600040005000a000900640062000300060013001200630100
State = 0xc12a17dec0290ebe64a3903fd78b27a2
Message-Authenticator = 0xa80ad48264377d85ed6cca3d48beb8a8
+- entering group authorize
++[preprocess] returns ok
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "pepa", looking up realm NULL
rlm_realm: Found realm "NULL"
rlm_realm: Adding Stripped-User-Name = "pepa"
rlm_realm: Adding Realm = "NULL"
rlm_realm: Authentication realm is LOCAL.
++[suffix] returns ok
rlm_eap: EAP packet type response id 3 length 112
rlm_eap: Continuing tunnel setup.
++[eap] returns ok
users: Matched entry pepa at line 63
++[files] returns ok
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
TLS Length 102
rlm_eap_tls: Length Included
eaptls_verify returned 11
(other): before/accept initialization
TLS_accept: before/accept initialization
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0061], ClientHello
TLS_accept: SSLv3 read client hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
TLS_accept: SSLv3 write server hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 085e], Certificate
TLS_accept: SSLv3 write certificate A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
TLS_accept: SSLv3 write server done A
TLS_accept: SSLv3 flush data
TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 88 to 10.1.11.254 port 1678
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "1"
Tunnel-Type:0 = VLAN
EAP-Message = 0x0104040019c0000008bb160301004a0200004603014905f340ca71458a4f8eef21bef0a72853f3d1431af934867c4c847bab632ca920ed2b962c1a418d7eeb9a84e10a8291d32e29821fc64642d9787a9b7bfa0a041d000400160301085e0b00085a0008570003a6308203a23082028aa003020102020101300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d3126302406035504
EAP-Message = 0x03131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3038313031333136313335375a170d3039313031333136313335375a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100b89c61b7b2480f72d2438a52212f4ebb8ab8bf94fe0b25bc3de955b7175f
EAP-Message = 0x45766a706a40b5170baf82cfc8622479a835169b94891b5e435c45b942a9ca833bbe1509f09831cd7e17d71110ee5a050221ca79216e9a09a537f2696a3126a3c4684a2b8f641abede9eb178859679ac7c16ece760ad637d31c0b0ce2b49f70f74b9d5168bc40d96a5c6b2e59c139fdaf5e06d71064cf8a28af40e1749a6c97441513fb1b1e5cb1d7db8d1b31217b5c5bc29622d75ce017da3a12227587946bb3345d6fe14af05d16b476782315851ecd00e070c17f8938985f8e0e64c2f49ec0b70495745447c7f8d94d58949b358214a0fc085dbe2acde64fb164cb57e902481a70203010001a317301530130603551d25040c300a06082b06010505
EAP-Message = 0x070301300d06092a864886f70d010104050003820101002d7a145511474c09898d85ec8157862965467bcb83ebc6af106c06584f73b42e9dfcff6d8e2c85dad3e8bc710db690ba6a465ea6a36dbc35ed5a968a2a5deeb6f61ccf3a5d9c5b3a655f97596fd49114dba554e5cf4e7320b1507688e82b4206017050dfbb4860a1a827e027141625f91bb9db31bdf479c107fb72fcf30fd284d35677e1df77d283992e0af591db69620ee16168031d61f449853f2561a06c7467b5e87bc9c9af007e0b994059218f8a574269471b0bbf65048523c1d33d82512b61f38d6042f6b9ec083e83ab8d68b1404af602cc8dd5004448d6b28e6fe00b5973b4a0d67d
EAP-Message = 0xf5cc5ef0da4ee34196020d2d
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xc12a17dec32e0ebe64a3903fd78b27a2
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.1.11.254 port 1678, id=89, length=107
NAS-IP-Address = 10.1.11.254
NAS-Port = 13
NAS-Port-Type = Ethernet
Calling-Station-Id = "00-1E-C9-5D-12-E8"
User-Name = "pepa"
EAP-Message = 0x020400061900
State = 0xc12a17dec32e0ebe64a3903fd78b27a2
Message-Authenticator = 0xab4f01388e23132589dadf9f65db9679
+- entering group authorize
++[preprocess] returns ok
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "pepa", looking up realm NULL
rlm_realm: Found realm "NULL"
rlm_realm: Adding Stripped-User-Name = "pepa"
rlm_realm: Adding Realm = "NULL"
rlm_realm: Authentication realm is LOCAL.
++[suffix] returns ok
rlm_eap: EAP packet type response id 4 length 6
rlm_eap: Continuing tunnel setup.
++[eap] returns ok
users: Matched entry pepa at line 63
++[files] returns ok
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake fragment handler
eaptls_verify returned 1
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 89 to 10.1.11.254 port 1678
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "1"
Tunnel-Type:0 = VLAN
EAP-Message = 0x010503fc194030dd35e7732524f5bee6b4c97d820004ab308204a73082038fa003020102020900d78413b623ba23d7300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3038313031333136313335365a170d3038313131323136313335365a308193310b30090603
EAP-Message = 0x55040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100d5c7e3aa2abb3f430ac169b53b66e9a22718e126dba0470333185c8b96365de4d7c54bee4451027b619c27169275f0eba07c2de1f8548abd6fbb7170d59a1897fa47d868769403f60ff2d368db47f8
EAP-Message = 0xd37f6eca5998f6ffea4c956948b9ea9527d2e052da8c186bffc415d4e57cfa758f66802777defc4503850d21c42ee6a0ac0babb38cd65bb4f1355a81632c92c71ffeb0037949dd944dfc5569cb81403987cda1c95378f709c00ef31b5076097db8959481ed465a1014615013ad809e00028a58f2d852fb975720dbcb0ce32f0d6c56a4231e5297b92ab698914750a2b4571b7bee836c400ed21dceeb7dec88bb170d0b9bdc04d641e498cf64278b1374d90203010001a381fb3081f8301d0603551d0e04160414727a098357bfd22b4680cfb84356363747a750483081c80603551d230481c03081bd8014727a098357bfd22b4680cfb84356363747a7
EAP-Message = 0x5048a18199a48196308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479820900d78413b623ba23d7300c0603551d13040530030101ff300d06092a864886f70d010105050003820101007bc90ed54235fc8c171f1876f27b34541a67b82ace8367522ce93522a6fb72f32d7cb470fa649dc44a5aa5c1e1c7947235b3
EAP-Message = 0xe494691a8395c6a4
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xc12a17dec22f0ebe64a3903fd78b27a2
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.1.11.254 port 1678, id=90, length=107
NAS-IP-Address = 10.1.11.254
NAS-Port = 13
NAS-Port-Type = Ethernet
Calling-Station-Id = "00-1E-C9-5D-12-E8"
User-Name = "pepa"
EAP-Message = 0x020500061900
State = 0xc12a17dec22f0ebe64a3903fd78b27a2
Message-Authenticator = 0x7dcfbca510f5d2afadbcb2d4022e9fac
+- entering group authorize
++[preprocess] returns ok
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "pepa", looking up realm NULL
rlm_realm: Found realm "NULL"
rlm_realm: Adding Stripped-User-Name = "pepa"
rlm_realm: Adding Realm = "NULL"
rlm_realm: Authentication realm is LOCAL.
++[suffix] returns ok
rlm_eap: EAP packet type response id 5 length 6
rlm_eap: Continuing tunnel setup.
++[eap] returns ok
users: Matched entry pepa at line 63
++[files] returns ok
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake fragment handler
eaptls_verify returned 1
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 90 to 10.1.11.254 port 1678
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "1"
Tunnel-Type:0 = VLAN
EAP-Message = 0x010600d51900b7cdda23960c130380f9fd68693b47ea5a21a0f40c232669cd2bceb27a0b050b728fac4d99abcfa01c89c25fb3bfa0126752307379f601d9a397917fc4d3028e76786a30fe41c6b7a56caa8dcef2e11d11b68c946050f859ade7048e7b7f24d1a0457bd59203f675643e45356023ef33a54a2479086258bb16bf47f06843f999d1c1d01fb7c776b1f46ea8b5ba2971871573f8732f62320df5ac4e5c114fe52ec0090dd9ab84451c6eb8a5c9ce1fe683c12a2a6ede934e245c78a07318af10b5cafa7995b1fa16030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xc12a17dec52c0ebe64a3903fd78b27a2
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.1.11.254 port 1678, id=91, length=423
NAS-IP-Address = 10.1.11.254
NAS-Port = 13
NAS-Port-Type = Ethernet
Calling-Station-Id = "00-1E-C9-5D-12-E8"
User-Name = "pepa"
EAP-Message = 0x0206014019800000013616030101061000010201003bca0f75f1f302a91302341697a459f3f961bead4d54bf79199b56dea8f01d88ef5ef77c7ecdb2b4d18fbfb7b397181be165926b963737ac0c7f7051221ae0b8ff6f36bff1348c349f1b9f1b076d3cec038d72c0f4665815d6fec1830db190f9ba42b9d74190dba1807b40a1974dcfc6ea6cb9f04bde43b7a7086019ede4f760de013f8bfef8f5353e72ea42be2bf013771f6ca320c97c2ab7063c6917d8035848adb11d59a8adf020f1cd38eaad6df5e8b044551d3246fb8d28860904c4a1e85658cfc2ac3274c15e2c242f4ff7aa9e2c2bf39bc6e727ce638c551e07d71558127926c9787f9116
EAP-Message = 0x29b89554fcb8b5f83c86729c02f7372fc289e3387f984dbe1403010001011603010020cfb473a793569c59b602e68442c0e06084d4bebed0231fd225b852aa2905ae47
State = 0xc12a17dec52c0ebe64a3903fd78b27a2
Message-Authenticator = 0x206d99bfc01aa0eb76cf7d74f9ebea80
+- entering group authorize
++[preprocess] returns ok
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "pepa", looking up realm NULL
rlm_realm: Found realm "NULL"
rlm_realm: Adding Stripped-User-Name = "pepa"
rlm_realm: Adding Realm = "NULL"
rlm_realm: Authentication realm is LOCAL.
++[suffix] returns ok
rlm_eap: EAP packet type response id 6 length 253
rlm_eap: Continuing tunnel setup.
++[eap] returns ok
users: Matched entry pepa at line 63
++[files] returns ok
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
TLS Length 310
rlm_eap_tls: Length Included
eaptls_verify returned 11
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange
TLS_accept: SSLv3 read client key exchange A
rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 read finished A
rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001]
TLS_accept: SSLv3 write change cipher spec A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 write finished A
TLS_accept: SSLv3 flush data
(other): SSL negotiation finished successfully
SSL Connection Established
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 91 to 10.1.11.254 port 1678
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "1"
Tunnel-Type:0 = VLAN
EAP-Message = 0x0107003119001403010001011603010020ff7e97bac4dc133a2c7f1372d480d9069a8ef3cc9c305ec508719bde15f64e0b
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xc12a17dec42d0ebe64a3903fd78b27a2
Finished request 5.
Going to the next request
Waking up in 4.8 seconds.
Cleaning up request 0 ID 86 with timestamp +22
Cleaning up request 1 ID 87 with timestamp +22
Cleaning up request 2 ID 88 with timestamp +22
Cleaning up request 3 ID 89 with timestamp +22
Cleaning up request 4 ID 90 with timestamp +22
Cleaning up request 5 ID 91 with timestamp +22
Ready to process requests.
pepa Cleartext-Password := "zdepa"
Tunnel-Medium-Type = IEEE-802,
Tunnel-Private-Group-Id = 1,
Tunnel-Type = VLAN,
DEFAULT Auth-Type = Local
Fall-Through = 1