Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
September 2010
- 137 participants
- 194 discussions
To clarify :
> I'm using free radius 2.1.9 as a client to connect to a
> distant server (not freeradius).
I'm using API for client access not the freeradius as a server
> We are facing a problem for Tunnel-Server-Endpoint
> attribute :
>
> RFC http://www.ietf.org/rfc/rfc2868.txt
> indicates for Tunnel-Server-Endpoint :
>
> Tag
> The Tag field is one octet in length and is intended to provide a
> means of grouping attributes in the same packet which refer to the
> same tunnel. If the value of the Tag field is greater than 0x00
> and less than or equal to 0x1F, it SHOULD be interpreted as
> indicating which tunnel (of several alternatives) this attribute
> pertains. If the Tag field is greater than 0x1F, it SHOULD be
> interpreted as the first byte of the following String field.
>
> So, there is no explicit prohibition of use of 0x00 as a Tag value.
>
> What we see in freeradius is that this values makes as ignore the value of the atrtribute.
This means :
- if we receive a Tunnel-Server-Endpoint with a Tag 0x01 value and that contains an IP@, the IP is taken into consideration and its value is returned by the API. Applicative layer uses it.
- But if we receive a Tunnel-Server-Endpoint with a Tag 0x00 value and that contains an IP@, the IP is just ignored, its value is not returned by the API. The call to recv_one_paquet returns an empty Tunnel-Server-Endpoint value
The no tag, is may be whell managed at server part, but misused by client part ?
> Is there some other RFCs that show explicitely that the
> 0x00 tag should lead to this behavior ?
> Is it a freeradius bug ?
> Any help about where is it managed in the code ?
>
> Thanks for help
2
1
Hello
I'm trying to do WDS WPA2-EAP TLS authentication of 2 RB600
Simple WDS AP+station without EAP is working.
I've already searched forum for related topics. but they didn't help me.
So what do i have:
2x RB600
CentOS 5.5 => freeradius2-2.1.7-7.el5 + mysql Ver 14.12 Distrib
5.0.77, + daloRADIUS 0.9.8 (SVN 0.9.9)
This setup works perfectly with Ubiquiti Nanobridge M5 EAP-TTLS.
What i've done on RB's:
Wireless interface: WDS static, AP bridge + station on other RB.
SSID,FQ,Band = same
Time and date adjusted for proper cert authentication.
Most things i'm doing through winbox gui.
AP bridge security profile and rad. server:
[admin@RB600_test1] > /radius print
Flags: X - disabled
# SERVICE CALLED-ID DOMAIN ADDRESS SECRET
0 wireless 192.168.0.29 secret
Here's debug of radius:
It's says that it can't identify username. what should i write in db
as username? as i knew EAP-TLS is using certificate authentication
without usernames and passwords like EAP-TTLS is doing.
FreeRADIUS Version 2.1.7, for host i686-redhat-linux-gnu, built on Mar
31 2010 at 00:25:31
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/cui
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/sql.conf
including configuration file /etc/raddb/sql/mysql/dialup.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/control-socket
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/inner-tunnel
group = radiusd
user = radiusd
including dictionary file /etc/raddb/dictionary
main {
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/radius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
pidfile = "/var/run/radiusd/radiusd.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = yes
auth_badpass = no
auth_goodpass = no
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "testing123"
response_window = 20
max_outstanding = 65536
require_message_authenticator = no
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "testing123"
nastype = "other"
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_expr
Module: Instantiating expr
Module: Linked to module rlm_expiration
Module: Instantiating expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating logintime
logintime {
reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60
}
}
radiusd: #### Loading Virtual Servers ####
server inner-tunnel {
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating pap
pap {
encryption_scheme = "auto"
auto_header = no
}
Module: Linked to module rlm_chap
Module: Instantiating chap
Module: Linked to module rlm_mschap
Module: Instantiating mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = no
}
Module: Linked to module rlm_unix
Module: Instantiating unix
unix {
radwtmp = "/var/log/radius/radwtmp"
}
Module: Linked to module rlm_eap
Module: Instantiating eap
eap {
default_eap_type = "ttls"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 2048
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
pem_file_type = yes
private_key_file = "/etc/raddb/certs/server_keycert.pem"
certificate_file = "/etc/raddb/certs/server_keycert.pem"
CA_file = "/etc/raddb/certs/cacert.pem"
private_key_password = "lettheserverin"
dh_file = "/etc/raddb/certs/dh"
random_file = "/etc/raddb/certs/random"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
make_cert_command = "/etc/raddb/certs/bootstrap"
cache {
enable = no
lifetime = 24
max_entries = 255
}
}
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = yes
virtual_server = "inner-tunnel"
include_length = yes
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_realm
Module: Instantiating suffix
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Linked to module rlm_files
Module: Instantiating files
files {
usersfile = "/etc/raddb/users"
acctusersfile = "/etc/raddb/acct_users"
preproxy_usersfile = "/etc/raddb/preproxy_users"
compat = "no"
}
Module: Linked to module rlm_sql
Module: Instantiating sql
sql {
driver = "rlm_sql_mysql"
server = "localhost"
port = ""
login = "radius"
password = "radpass"
radius_db = "radiusdb"
read_groups = yes
sqltrace = no
sqltracefile = "/var/log/radius/sqltrace.sql"
readclients = yes
deletestalesessions = yes
num_sql_socks = 5
lifetime = 0
max_queries = 0
sql_user_name = "%{User-Name}"
default_user_profile = ""
nas_query = "SELECT id, nasname, shortname, type, secret FROM nas"
authorize_check_query = "SELECT id, username, attribute, value, op
FROM radcheck WHERE username = '%{SQL-User-Name}'
ORDER BY id"
authorize_reply_query = "SELECT id, username, attribute, value, op
FROM radreply WHERE username = '%{SQL-User-Name}'
ORDER BY id"
authorize_group_check_query = "SELECT id, groupname, attribute,
Value, op FROM radgroupcheck WHERE groupname =
'%{Sql-Group}' ORDER BY id"
authorize_group_reply_query = "SELECT id, groupname, attribute,
value, op FROM radgroupreply WHERE groupname =
'%{Sql-Group}' ORDER BY id"
accounting_onoff_query = " UPDATE radacct SET
acctstoptime = '%S', acctsessiontime =
unix_timestamp('%S') -
unix_timestamp(acctstarttime), acctterminatecause =
'%{Acct-Terminate-Cause}', acctstopdelay =
%{%{Acct-Delay-Time}:-0} WHERE acctstoptime IS NULL
AND nasipaddress = '%{NAS-IP-Address}' AND
acctstarttime <= '%S'"
accounting_update_query = " UPDATE radacct SET
framedipaddress = '%{Framed-IP-Address}',
acctsessiontime = '%{Acct-Session-Time}',
acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 |
'%{%{Acct-Input-Octets}:-0}',
acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 |
'%{%{Acct-Output-Octets}:-0}'
WHERE acctsessionid = '%{Acct-Session-Id}' AND username
= '%{SQL-User-Name}' AND nasipaddress =
'%{NAS-IP-Address}'"
accounting_update_query_alt = " INSERT INTO radacct
(acctsessionid, acctuniqueid, username,
realm, nasipaddress, nasportid,
nasporttype, acctstarttime, acctsessiontime,
acctauthentic, connectinfo_start, acctinputoctets,
acctoutputoctets, calledstationid, callingstationid,
servicetype, framedprotocol, framedipaddress,
acctstartdelay, xascendsessionsvrkey) VALUES
('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',
'%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}',
'%{NAS-Port}', '%{NAS-Port-Type}',
DATE_SUB('%S', INTERVAL
(%{%{Acct-Session-Time}:-0} +
%{%{Acct-Delay-Time}:-0}) SECOND),
'%{Acct-Session-Time}', '%{Acct-Authentic}', '',
'%{%{Acct-Input-Gigawords}:-0}' << 32 |
'%{%{Acct-Input-Octets}:-0}',
'%{%{Acct-Output-Gigawords}:-0}' << 32 |
'%{%{Acct-Output-Octets}:-0}', '%{Called-Station-Id}',
'%{Calling-Station-Id}', '%{Service-Type}',
'%{Framed-Protocol}', '%{Framed-IP-Address}',
'0', '%{X-Ascend-Session-Svr-Key}')"
accounting_start_query = " INSERT INTO radacct
(acctsessionid, acctuniqueid, username, realm,
nasipaddress, nasportid, nasporttype,
acctstarttime, acctstoptime, acctsessiontime,
acctauthentic, connectinfo_start, connectinfo_stop,
acctinputoctets, acctoutputoctets, calledstationid,
callingstationid, acctterminatecause, servicetype,
framedprotocol, framedipaddress, acctstartdelay,
acctstopdelay, xascendsessionsvrkey) VALUES
('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',
'%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}',
'%{NAS-Port}', '%{NAS-Port-Type}', '%S', NULL,
'0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0',
'0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '',
'%{Service-Type}', '%{Framed-Protocol}',
'%{Framed-IP-Address}', '%{%{Acct-Delay-Time}:-0}', '0',
'%{X-Ascend-Session-Svr-Key}')"
accounting_start_query_alt = " UPDATE radacct SET
acctstarttime = '%S', acctstartdelay =
'%{%{Acct-Delay-Time}:-0}', connectinfo_start =
'%{Connect-Info}' WHERE acctsessionid =
'%{Acct-Session-Id}' AND username =
'%{SQL-User-Name}' AND nasipaddress =
'%{NAS-IP-Address}'"
accounting_stop_query = " UPDATE radacct SET
acctstoptime = '%S', acctsessiontime =
'%{Acct-Session-Time}', acctinputoctets =
'%{%{Acct-Input-Gigawords}:-0}' << 32 |
'%{%{Acct-Input-Octets}:-0}', acctoutputoctets =
'%{%{Acct-Output-Gigawords}:-0}' << 32 |
'%{%{Acct-Output-Octets}:-0}', acctterminatecause =
'%{Acct-Terminate-Cause}', acctstopdelay =
'%{%{Acct-Delay-Time}:-0}', connectinfo_stop =
'%{Connect-Info}' WHERE acctsessionid =
'%{Acct-Session-Id}' AND username =
'%{SQL-User-Name}' AND nasipaddress =
'%{NAS-IP-Address}'"
accounting_stop_query_alt = " INSERT INTO radacct
(acctsessionid, acctuniqueid, username, realm,
nasipaddress, nasportid, nasporttype, acctstarttime,
acctstoptime, acctsessiontime, acctauthentic,
connectinfo_start, connectinfo_stop, acctinputoctets,
acctoutputoctets, calledstationid, callingstationid,
acctterminatecause, servicetype, framedprotocol,
framedipaddress, acctstartdelay, acctstopdelay)
VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',
'%{SQL-User-Name}', '%{Realm}',
'%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}',
DATE_SUB('%S', INTERVAL
(%{%{Acct-Session-Time}:-0} +
%{%{Acct-Delay-Time}:-0}) SECOND), '%S',
'%{Acct-Session-Time}', '%{Acct-Authentic}', '',
'%{Connect-Info}', '%{%{Acct-Input-Gigawords}:-0}' << 32
| '%{%{Acct-Input-Octets}:-0}',
'%{%{Acct-Output-Gigawords}:-0}' << 32 |
'%{%{Acct-Output-Octets}:-0}', '%{Called-Station-Id}',
'%{Calling-Station-Id}', '%{Acct-Terminate-Cause}',
'%{Service-Type}', '%{Framed-Protocol}',
'%{Framed-IP-Address}', '0', '%{%{Acct-Delay-Time}:-0}')"
group_membership_query = "SELECT groupname FROM
radusergroup WHERE username = '%{SQL-User-Name}'
ORDER BY priority"
connect_failure_retry_delay = 60
simul_count_query = ""
simul_verify_query = "SELECT radacctid, acctsessionid, username,
nasipaddress, nasportid, framedipaddress,
callingstationid, framedprotocol
FROM radacct WHERE
username = '%{SQL-User-Name}' AND
acctstoptime IS NULL"
postauth_query = "INSERT INTO radpostauth
(username, pass, reply, authdate) VALUES (
'%{User-Name}',
'%{%{User-Password}:-%{Chap-Password}}',
'%{reply:Packet-Type}', '%S')"
safe-characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_:
/"
}
rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
rlm_sql (sql): Attempting to connect to radius@localhost:/radiusdb
rlm_sql (sql): starting 0
rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
rlm_sql_mysql: Starting connect to MySQL server for #0
rlm_sql (sql): Connected new DB handle, #0
rlm_sql (sql): starting 1
rlm_sql (sql): Attempting to connect rlm_sql_mysql #1
rlm_sql_mysql: Starting connect to MySQL server for #1
rlm_sql (sql): Connected new DB handle, #1
rlm_sql (sql): starting 2
rlm_sql (sql): Attempting to connect rlm_sql_mysql #2
rlm_sql_mysql: Starting connect to MySQL server for #2
rlm_sql (sql): Connected new DB handle, #2
rlm_sql (sql): starting 3
rlm_sql (sql): Attempting to connect rlm_sql_mysql #3
rlm_sql_mysql: Starting connect to MySQL server for #3
rlm_sql (sql): Connected new DB handle, #3
rlm_sql (sql): starting 4
rlm_sql (sql): Attempting to connect rlm_sql_mysql #4
rlm_sql_mysql: Starting connect to MySQL server for #4
rlm_sql (sql): Connected new DB handle, #4
rlm_sql (sql): Processing generate_sql_clients
rlm_sql (sql) in generate_sql_clients: query is SELECT id, nasname,
shortname, type, secret FROM nas
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql (sql): Read entry
nasname=192.168.0.140,shortname=ubntAP,secret=secret123
rlm_sql (sql): Adding client 192.168.0.140 (ubntAP, server=<none>) to
clients list
rlm_sql (sql): Read entry
nasname=192.168.0.22,shortname=RB600_test1,secret=secret
rlm_sql (sql): Adding client 192.168.0.22 (RB600_test1, server=<none>)
to clients list
rlm_sql (sql): Released sql socket id: 4
Module: Checking session {...} for more modules to load
Module: Linked to module rlm_radutmp
Module: Instantiating radutmp
radutmp {
filename = "/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Linked to module rlm_attr_filter
Module: Instantiating attr_filter.access_reject
attr_filter attr_filter.access_reject {
attrsfile = "/etc/raddb/attrs.access_reject"
key = "%{User-Name}"
}
} # modules
} # server
server {
modules {
Module: Checking authenticate {...} for more modules to load
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating preprocess
preprocess {
huntgroups = "/etc/raddb/huntgroups"
hints = "/etc/raddb/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating detail
detail {
detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Instantiating attr_filter.accounting_response
attr_filter attr_filter.accounting_response {
attrsfile = "/etc/raddb/attrs.accounting_response"
key = "%{User-Name}"
}
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
} # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
listen {
type = "control"
listen {
socket = "/var/run/radiusd/radiusd.sock"
}
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /var/run/radiusd/radiusd.sock
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.0.22 port 41953,
id=93, length=201
Service-Type = Framed-User
Framed-MTU = 1400
Acct-Session-Id = "82100859"
Acct-Multi-Session-Id =
"00-0C-42-31-5C-70-00-0C-42-23-48-0A-82-10-00-00-00-00-08-59"
Calling-Station-Id = "00-0C-42-23-48-0A"
Called-Station-Id = "00-0C-42-31-5C-70:MikroTik-test"
EAP-Message = 0x0200000501
Message-Authenticator = 0x99441f609c780c7b28d234de47b36283
NAS-Identifier = "RB600_test1"
NAS-IP-Address = 192.168.0.22
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Proxy reply, or no User-Name. Ignoring.
++[suffix] returns ok
[eap] EAP packet type response id 0 length 5
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns noop
++[files] returns noop
[sql] expand: %{User-Name} ->
[sql] sql_set_user escaped user --> ''
rlm_sql (sql): Reserving sql socket id: 3
[sql] expand: SELECT id, username, attribute, value, op
FROM radcheck WHERE username = '%{SQL-User-Name}'
ORDER BY id -> SELECT id, username, attribute, value, op
FROM radcheck WHERE username = '' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup
WHERE username = '%{SQL-User-Name}' ORDER BY priority ->
SELECT groupname FROM radusergroup WHERE username
= '' ORDER BY priority
rlm_sql (sql): Released sql socket id: 3
[sql] User not found
++[sql] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] UserIdentity Unknown
[eap] Identity Unknown, authentication failed
[eap] Failed in handler
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect: [<no User-Name attribute>] (from client RB600_test1
port 0 cli 00-0C-42-23-48-0A)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} ->
++[attr_filter.access_reject] returns noop
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 192.168.0.22 port 41953,
id=93, length=201
Waiting to send Access-Reject to client RB600_test1 port 41953 - ID: 93
Waking up in 0.5 seconds.
rad_recv: Access-Request packet from host 192.168.0.22 port 41953,
id=93, length=201
Waiting to send Access-Reject to client RB600_test1 port 41953 - ID: 93
Sending delayed reject for request 0
Sending Access-Reject of id 93 to 192.168.0.22 port 41953
Waking up in 4.9 seconds.
Cleaning up request 0 ID 93 with timestamp +35
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.0.22 port 54462,
id=94, length=201
Service-Type = Framed-User
Framed-MTU = 1400
Acct-Session-Id = "8210085a"
Acct-Multi-Session-Id =
"00-0C-42-31-5C-70-00-0C-42-23-48-0A-82-10-00-00-00-00-08-5A"
Calling-Station-Id = "00-0C-42-23-48-0A"
Called-Station-Id = "00-0C-42-31-5C-70:MikroTik-test"
EAP-Message = 0x0200000501
Message-Authenticator = 0xed7b325c353b295032cd7532f1b225cb
NAS-Identifier = "RB600_test1"
NAS-IP-Address = 192.168.0.22
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Proxy reply, or no User-Name. Ignoring.
++[suffix] returns ok
[eap] EAP packet type response id 0 length 5
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns noop
++[files] returns noop
[sql] expand: %{User-Name} ->
[sql] sql_set_user escaped user --> ''
rlm_sql (sql): Reserving sql socket id: 2
[sql] expand: SELECT id, username, attribute, value, op
FROM radcheck WHERE username = '%{SQL-User-Name}'
ORDER BY id -> SELECT id, username, attribute, value, op
FROM radcheck WHERE username = '' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup
WHERE username = '%{SQL-User-Name}' ORDER BY priority ->
SELECT groupname FROM radusergroup WHERE username
= '' ORDER BY priority
rlm_sql (sql): Released sql socket id: 2
[sql] User not found
++[sql] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] UserIdentity Unknown
[eap] Identity Unknown, authentication failed
[eap] Failed in handler
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect: [<no User-Name attribute>] (from client RB600_test1
port 0 cli 00-0C-42-23-48-0A)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} ->
++[attr_filter.access_reject] returns noop
Delaying reject of request 1 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 192.168.0.22 port 54462,
id=94, length=201
Waiting to send Access-Reject to client RB600_test1 port 54462 - ID: 94
Waking up in 0.4 seconds.
Sending delayed reject for request 1
Sending Access-Reject of id 94 to 192.168.0.22 port 54462
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.0.22 port 54462,
id=94, length=201
Sending duplicate reply to client RB600_test1 port 54462 - ID: 94
Sending Access-Reject of id 94 to 192.168.0.22 port 54462
Waking up in 4.9 seconds.
Cleaning up request 1 ID 94 with timestamp +73
Ready to process requests.
2
1
Hi,
I'm using free radius 2.1.9 as a client to connect to a distant server (not freeradius).
We are facing a problem for Tunnel-Server-Endpoint attribute :
RFC http://www.ietf.org/rfc/rfc2868.txt indicates for Tunnel-Server-Endpoint :
Tag
The Tag field is one octet in length and is intended to provide a
means of grouping attributes in the same packet which refer to the
same tunnel. If the value of the Tag field is greater than 0x00
and less than or equal to 0x1F, it SHOULD be interpreted as
indicating which tunnel (of several alternatives) this attribute
pertains. If the Tag field is greater than 0x1F, it SHOULD be
interpreted as the first byte of the following String field.
So, there is no explicit prohibition of use of 0x00 as a Tag value.
What we see in freeradius is that this values makes as ignore the value of the atrtribute.
Is there some other RFCs that show explicitely that the 0x00 tag should lead to this behavior ?
Is it a freeradius bug ?
Any help about where is it managed in the code ?
Thanks for help
2
1
2.1.3 is very old now , 2.1.9 is current and has many fixes over that - check its changelog .. this error message suggests that you've got a slow backend somewhere - be that ldap, sql or even a bit of perl
----- Reply message -----
From: "Mike Diggins" <mike.diggins(a)mcmaster.ca>
Date: Wed, Sep 15, 2010 16:22
Subject: Error: "Discarding duplicate request..."
To: "FreeRadius users mailing list" <freeradius-users(a)lists.freeradius.org>
Our students have returned this week, and I've noticed a couple new
messages logged to my FreeRadius 2.1.3 server. When it happens, my
controllers fail over to the secondary Radius server. This has happened
a few times. My Radius servers are only lightly loaded, and only
configured to do authentication. No databases. Any idea what might be
causing this?
Sep 15 10:06:44 prad02 radiusd[10632]: Discarding duplicate request from
client wlc-8 port 32769 - ID: 218 due to unfinished request 35236
Sep 15 10:07:01 prad02 radiusd[10632]: Discarding duplicate request from
client wlc-8 port 32769 - ID: 219 due to unfinished request 35237
Sep 15 10:07:24 prad02 radiusd[10632]: Discarding duplicate request from
client wlc-8 port 32769 - ID: 220 due to unfinished request 35239
Sep 15 10:07:41 prad02 radiusd[10632]: WARNING: Unresponsive child for
request 35239, in module component
Sep 15 10:07:52 prad02 radiusd[10632]: WARNING: Unresponsive child for
request 35240, in module component
Sep 15 10:07:53 prad02 radiusd[10632]: Discarding duplicate request from
client wlc-7 port 32769 - ID: 173 due to unfinished request 35240
Sep 15 10:07:53 prad02 radiusd[10632]: Discarding duplicate request from
client wlc-8 port 32769 - ID: 220 due to unfinished request 35239
Sep 15 10:07:53 prad02 radiusd[10632]: Discarding duplicate request from
client wlc-7 port 32769 - ID: 173 due to unfinished request 35240
Sep 15 10:07:53 prad02 radiusd[10632]: Discarding duplicate request from
client wlc-8 port 32769 - ID: 220 due to unfinished request 35239
Sep 15 10:07:53 prad02 radiusd[10632]: Discarding duplicate request from
client wlc-8 port 32769 - ID: 221 due to unfinished request 35244
Sep 15 10:07:53 prad02 radiusd[10632]: Discarding duplicate request from
client wlc-8 port 32769 - ID: 221 due to unfinished request 35244
Sep 15 10:07:53 prad02 radiusd[10632]: Discarding duplicate request from
client FHSWLC-1 port 32768 - ID: 205 due to unfinished request 35245
-Mike
3
2
Hi
i m using freeradius 2.1.9 and i have some problems with making dynamic
vlan assignment based on vlan.
here what i have in my users file
DEFAULT User-Category == "student"
Reply-Message = "Your a member of the student Group",
Tunnel-Type = VLAN,
Tunnel-Medium-Type = IEEE-802,
Tunnel-Private-Group-Id = 902,
Fall-Through = No
DEFAULT User-Category == "employee"
Reply-Message = "Your a member of the employee Group",
Tunnel-Type = VLAN,
Tunnel-Medium-Type = IEEE-802,
Tunnel-Private-Group-Id = 903,
Fall-Through = No
But as you can see in the following debug file my user is authenticated
his radius item User-Category is employee but he never get the
attributes of vlan in the request
i should have miss somzthing in the config but i really don't know what
it would
if someone could help it would be nice of him
thanks in advance
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /var/run/radiusd/radiusd.sock
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 157.159.21.100 port 54360,
id=0, length=156
User-Name = "anonymous(a)it-sudparis.eu"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x0200001d01616e6f6e796d6f75734069742d73756470617269732e6575
Message-Authenticator = 0x655a4cf276129e501708baa724ba2f45
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "it-sudparis.eu" for User-Name =
"anonymous(a)it-sudparis.eu"
[suffix] Found realm "it-sudparis.eu"
[suffix] Adding Stripped-User-Name = "anonymous"
[suffix] Adding Realm = "it-sudparis.eu"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 0 length 29
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 0 to 157.159.21.100 port 54360
EAP-Message = 0x010100061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xcad2c248cad3dbc77d62ac2477a6a4d7
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 157.159.21.100 port 54360,
id=1, length=267
User-Name = "anonymous(a)it-sudparis.eu"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message =
0x0201007a198000000070160301006b0100006703014c913a474dd515c94c7a11b6c82fb05b485f0fb7ad9e99eea7d57dae2727462b00003a00390038008800870035008400160013000a00330032009a009900450044002f00960041000500040015001200090014001100080006000300ff0100000400230000
State = 0xcad2c248cad3dbc77d62ac2477a6a4d7
Message-Authenticator = 0x82417f0f4dca6902ac81a953b6b49945
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "it-sudparis.eu" for User-Name =
"anonymous(a)it-sudparis.eu"
[suffix] Found realm "it-sudparis.eu"
[suffix] Adding Stripped-User-Name = "anonymous"
[suffix] Adding Realm = "it-sudparis.eu"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 1 length 122
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 112
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 006b], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 0031], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 0501], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 018d], ServerKeyExchange
[peap] TLS_accept: SSLv3 write key exchange A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client
certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 1 to 157.159.21.100 port 54360
EAP-Message =
0x0102040019c0000006d716030100310200002d03014c913a24c6bdba8fbaf1358e676eb8e8cd31103d42e65fcd42b43890a0cf78b9000039000005ff0100010016030105010b0004fd0004fa0004f7308204f3308203dba003020102021100e03d6494c48a6582b19e99ddbf443528300d06092a864886f70d01010505003036310b3009060355040613024e4c310f300d060355040a1306544552454e41311630140603550403130d544552454e412053534c204341301e170d3130303930393030303030305a170d3133303930383233353935395a3075310b3009060355040613024652310d300b060355040713044576727931283026060355040a
EAP-Message =
0x0c1f54c3a96cc3a9636f6d2026204d616e6167656d656e74205375645061726973310d300b060355040b130444495349311e301c060355040313157261646975732e69742d73756470617269732e657530819f300d06092a864886f70d010101050003818d0030818902818100c55737ea4c14a7e16b93f65f6b9f672078e843bdbf1359e41f1a9dc14830eb2c1aeba9e90baa84a10ec41ccd24344f0b27d7ca8ca9580b7d0a41bcecf32b09ed5396b60c3fcbd9d0f386adee4d528bedeca7e5e5f497937966dcbbb0baeb703f9ca1e165c0cd713c8394eeac27108fa1d7d5abad255d50c7f886e56e067c4c2b0203010001a382023f3082023b301f06
EAP-Message =
0x03551d230418301680140cbd93680cf3deaba3496b2b375747ea90e3b9ed301d0603551d0e041604147380c4ebd5a0c9efd8be000147723c859656176b300e0603551d0f0101ff0404030205a0300c0603551d130101ff04023000301d0603551d250416301406082b0601050507030106082b0601050507030230180603551d200411300f300d060b2b06010401b2310102021d303a0603551d1f04333031302fa02da02b8629687474703a2f2f63726c2e7463732e746572656e612e6f72672f544552454e4153534c43412e63726c306d06082b060105050701010461305f303506082b060105050730028629687474703a2f2f6372742e7463732e
EAP-Message =
0x746572656e612e6f72672f544552454e4153534c43412e637274302606082b06010505073001861a687474703a2f2f6f6373702e7463732e746572656e612e6f72673081f60603551d110481ee3081eb82157261646975732e69742d73756470617269732e65758213617574682e69742d73756470617269732e65758212617574682e74656c65636f6d2d656d2e65758218617574682e74656c65636f6d2d73756470617269732e65758216656475726f616d2e69742d73756470617269732e65758215656475726f616d2e74656c65636f6d2d656d2e6575821b656475726f616d2e74656c65636f6d2d73756470617269732e657582157261646669
EAP-Message = 0x6c7475782e696e742d657672
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xcad2c248cbd0dbc77d62ac2477a6a4d7
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 157.159.21.100 port 54360,
id=2, length=151
User-Name = "anonymous(a)it-sudparis.eu"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020200061900
State = 0xcad2c248cbd0dbc77d62ac2477a6a4d7
Message-Authenticator = 0xe739f49b077f5fe66833b1c06c6aa246
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "it-sudparis.eu" for User-Name =
"anonymous(a)it-sudparis.eu"
[suffix] Found realm "it-sudparis.eu"
[suffix] Adding Stripped-User-Name = "anonymous"
[suffix] Adding Realm = "it-sudparis.eu"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 2 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 2 to 157.159.21.100 port 54360
EAP-Message =
0x010302e71900792e6672821872616466696c7475782e69742d73756470617269732e657582127261646975732e696e742d657672792e6672300d06092a864886f70d01010505000382010100981110a5a967ab5239ad83c6cc8a052e076b549711efbfd8a1849832633cc3c1d320e78b73df288e2be7e1db2849caea0d08447cb4d6a5c861a2e8f2c522388795b9e0c0a67cf23e28e6ede9ab76d61030fe4d4728ca4a2aa009f027ee71029f0ed72a124e4b0d6d5780eedeb7366b66a944f399d040652561bb82898163a273c8cc84f00c5ff323f3eeaefbf0901d889f88250f40ec69738d14807c44a0bcc1188849cd50ca19ab2b68f9b0a20b5f9e1d
EAP-Message =
0xb494542aa9f68a6458324fe737befaad83e80dfe79accb5468b7a16add16b138ce64eca73c7b8bdc6ac7e509623dd1416e58e2e66b0eb20f581c69f8ab66daeb745ba875d98c2e9e5b4c9227cad3d7160301018d0c0001890080e65ec2fd868598b9e50b7a44362e8377790373dd047b7e26e1aee4c5fc8ec05662adb9fdef3963c5829b6d126c3f8c55e633e870b773163b4308aa305e3dc6cabcdc3e0133addd332b35b98f57e201174f1217e27ea2d3dad122897d90ae8df27cfee20a17880976f4bfda7aa37f97d80e3048d766a7c314e2d25611836b698300010200809d4a3e7def72f63446bc291600b35fd7866651354389b6dcbf96c787a6a4
EAP-Message =
0x66ecbe55ed6ba388aa4899548001a777f0a2faf056dafd96c46f2cec581c53c34dea87dc6dc8b2b67c871891044e2a8ab8e88e58b4126c59bb62f1085c1c332fbb3750970f7dd208c76cd69cf7a2fcd413fa55b091960d5c14d91f9dbd046353a4bc00804f3b061d2054dd3a82a28085b92cb1815b48323acdd863da4d6bd13014d7013e044a5a88feaa98d886d6d9619054c15f7e8b3d3dbc7d556f259b17993cc9834875223555107d0e3292f6b21a8e3f0072fadda38d5b644eba9a34e942b81a036e747875f369a9de4dad45b5c86a212ff6b8b11ba553c6317b17bc74c807a8635a16030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xcad2c248c8d1dbc77d62ac2477a6a4d7
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 157.159.21.100 port 54360,
id=3, length=353
User-Name = "anonymous(a)it-sudparis.eu"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message =
0x020300d01980000000c616030100861000008200801514cc8cef421b9251bf1f6f7c646d816d5b2254643002e1daba2843c2d9dbe6bebf083ab05ffbfc72928ad595a9ac8bba8e8265abfb5dcd92cadbcad419ada21df214eebc010828408f5000258dd841343c4f056d0135b7f4155368a7a71ee4a5d4f7ef974084404ccce579a2d04a6c59c5dc0944eedce2f45279c6739a927514030100010116030100304fcfcb5a0aaa9d0205a9a8a007488ffd1ca740968a757ec27fe5f91290ac662df2628e3545cdc6f8b91978a18c58799b
State = 0xcad2c248c8d1dbc77d62ac2477a6a4d7
Message-Authenticator = 0x1cc3c284b278964dbab9cd7ad5709711
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "it-sudparis.eu" for User-Name =
"anonymous(a)it-sudparis.eu"
[suffix] Found realm "it-sudparis.eu"
[suffix] Adding Stripped-User-Name = "anonymous"
[suffix] Adding Realm = "it-sudparis.eu"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 3 length 208
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 198
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
[peap] TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap] TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 write finished A
[peap] TLS_accept: SSLv3 flush data
[peap] (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 3 to 157.159.21.100 port 54360
EAP-Message =
0x0104004119001403010001011603010030482e3d1d05e8d58e4731a13bd683be33e5acb5d9407e5c200cdb7ee466c7d7a97a798b9ff29acef48814300adfc28d76
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xcad2c248c9d6dbc77d62ac2477a6a4d7
Finished request 3.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 157.159.21.100 port 54360,
id=4, length=151
User-Name = "anonymous(a)it-sudparis.eu"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020400061900
State = 0xcad2c248c9d6dbc77d62ac2477a6a4d7
Message-Authenticator = 0xab8b466de748a32884881aedd0cf14ef
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "it-sudparis.eu" for User-Name =
"anonymous(a)it-sudparis.eu"
[suffix] Found realm "it-sudparis.eu"
[suffix] Adding Stripped-User-Name = "anonymous"
[suffix] Adding Realm = "it-sudparis.eu"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 4 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
++[eap] returns handled
Sending Access-Challenge of id 4 to 157.159.21.100 port 54360
EAP-Message =
0x0105002b19001703010020b2fd227a527903cc82e50d617a832244f7311b1458336ee185e9d8ee80aa6253
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xcad2c248ced7dbc77d62ac2477a6a4d7
Finished request 4.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 157.159.21.100 port 54360,
id=5, length=225
User-Name = "anonymous(a)it-sudparis.eu"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message =
0x020500501900170301002002602c7db9a8fef22b9476f78b9034f00ec1aa4a84ffd12bb66b175278593b6f1703010020da03a9cf77e5f9050a0ef374989e7dcd54d8a8b3f7e8df59f2d13889f7397836
State = 0xcad2c248ced7dbc77d62ac2477a6a4d7
Message-Authenticator = 0x7d1bb565a68021a8e14e1b76d6e05d4e
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "it-sudparis.eu" for User-Name =
"anonymous(a)it-sudparis.eu"
[suffix] Found realm "it-sudparis.eu"
[suffix] Adding Stripped-User-Name = "anonymous"
[suffix] Adding Realm = "it-sudparis.eu"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 5 length 80
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Identity - doutrele
[peap] Got tunneled request
EAP-Message = 0x0205000d01646f757472656c65
server {
PEAP: Got tunneled identity of doutrele
PEAP: Setting default EAP type for tunneled EAP session.
PEAP: Setting User-Name to doutrele
Sending tunneled request
EAP-Message = 0x0205000d01646f757472656c65
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "doutrele"
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "doutrele", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "doutrele"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
++[control] returns ok
[eap] EAP packet type response id 5 length 13
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[ldap] performing user authorization for doutrele
[ldap] expand: %{Stripped-User-Name} -> doutrele
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(uid=doutrele)
[ldap] expand: dc=int-evry,dc=fr -> dc=int-evry,dc=fr
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] attempting LDAP reconnection
[ldap] (re)connect to ldapdev.int-evry.fr:389, authentication 0
[ldap] bind as cn=admin,dc=int-evry,dc=fr/admldap to
ldapdev.int-evry.fr:389
[ldap] waiting for bind result ...
[ldap] Bind was successful
[ldap] performing search in dc=int-evry,dc=fr, with filter (uid=doutrele)
[ldap] looking for check items in directory...
[ldap] sambaNtPassword -> NT-Password ==
0x3846343134354531463530334232353337443430363846343942363633434143
[ldap] sambaLmPassword -> LM-Password ==
0x4434413632394242394536303843323438423045413541374446313335423033
[ldap] looking for reply items in directory...
[ldap] eduPersonPrimaryAffiliation -> User-Category = "employee"
WARNING: No "known good" password was found in LDAP. Are you sure that
the user is configured correctly?
[ldap] user doutrele authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Normalizing NT-Password from hex encoding
[pap] Normalizing LM-Password from hex encoding
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
User-Category = "employee"
EAP-Message =
0x010600221a0106001d10772702eafa9c1ba832502c45eff3eb34646f757472656c65
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xbd5ae7b1bd5cfd560e8d64f9174929bb
[peap] Got tunneled reply RADIUS code 11
User-Category = "employee"
EAP-Message =
0x010600221a0106001d10772702eafa9c1ba832502c45eff3eb34646f757472656c65
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xbd5ae7b1bd5cfd560e8d64f9174929bb
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 5 to 157.159.21.100 port 54360
EAP-Message =
0x0106004b190017030100400c86e6dc207e2cc7603991c7a1ca4e9e4c93e74004010a6fb62efdaec1e55783fef484c83973c964c31d5ee8d31d773625345fab5aa74c4f53c6becd0f1dcbcf
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xcad2c248cfd4dbc77d62ac2477a6a4d7
Finished request 5.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 157.159.21.100 port 54360,
id=6, length=289
User-Name = "anonymous(a)it-sudparis.eu"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message =
0x0206009019001703010020c49c71ba6a0ad62564b8a94ee33c3233374ee4e20affb6377e64d687bbc939b11703010060248cc1e2e0c15c8f8cc4500d3de900956d807d60cf18be6450c81a1998f59938229ed4130b8b70b590d382f72420941d775beb2d95db65aeb961c0e5b936fc801a7d6aa5ed180878c2f6f34cc69538fe90c72b9f40085fdcf23881d2201c2112
State = 0xcad2c248cfd4dbc77d62ac2477a6a4d7
Message-Authenticator = 0x748598f4105e6fd40ff0f2d220aa3eb9
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "it-sudparis.eu" for User-Name =
"anonymous(a)it-sudparis.eu"
[suffix] Found realm "it-sudparis.eu"
[suffix] Adding Stripped-User-Name = "anonymous"
[suffix] Adding Realm = "it-sudparis.eu"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 6 length 144
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] EAP type mschapv2
[peap] Got tunneled request
EAP-Message =
0x020600431a0206003e31ad80725308b05eb4b1a1c08cf773d7600000000000000000e09cf3637ec00ccc4fb3fc2ed07bdd7e96e434c654ebaf3a00646f757472656c65
server {
PEAP: Setting User-Name to doutrele
Sending tunneled request
EAP-Message =
0x020600431a0206003e31ad80725308b05eb4b1a1c08cf773d7600000000000000000e09cf3637ec00ccc4fb3fc2ed07bdd7e96e434c654ebaf3a00646f757472656c65
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "doutrele"
State = 0xbd5ae7b1bd5cfd560e8d64f9174929bb
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "doutrele", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "doutrele"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
++[control] returns ok
[eap] EAP packet type response id 6 length 67
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[ldap] performing user authorization for doutrele
[ldap] expand: %{Stripped-User-Name} -> doutrele
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(uid=doutrele)
[ldap] expand: dc=int-evry,dc=fr -> dc=int-evry,dc=fr
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in dc=int-evry,dc=fr, with filter (uid=doutrele)
[ldap] looking for check items in directory...
[ldap] sambaNtPassword -> NT-Password ==
0x3846343134354531463530334232353337443430363846343942363633434143
[ldap] sambaLmPassword -> LM-Password ==
0x4434413632394242394536303843323438423045413541374446313335423033
[ldap] looking for reply items in directory...
[ldap] eduPersonPrimaryAffiliation -> User-Category = "employee"
WARNING: No "known good" password was found in LDAP. Are you sure that
the user is configured correctly?
[ldap] user doutrele authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Normalizing NT-Password from hex encoding
[pap] Normalizing LM-Password from hex encoding
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] Found LM-Password
[mschap] Found NT-Password
[mschap] Told to do MS-CHAPv2 for doutrele with NT-Password
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
MSCHAP Success
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
User-Category = "employee"
EAP-Message =
0x010700331a0306002e533d37424233333344414638344334353234373345434636363634343638453932333837444536463846
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xbd5ae7b1bc5dfd560e8d64f9174929bb
[peap] Got tunneled reply RADIUS code 11
User-Category = "employee"
EAP-Message =
0x010700331a0306002e533d37424233333344414638344334353234373345434636363634343638453932333837444536463846
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xbd5ae7b1bc5dfd560e8d64f9174929bb
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 6 to 157.159.21.100 port 54360
EAP-Message =
0x0107005b19001703010050ec249a0c4d32e6def6e9aeb3357a17a1d09b28cc525ab8723d6a2ae20fd7066a17d11f6659d0806edeea86ed0f931d84abdc0b63571700eada94ce21112c405cdbf3505898e13ac6648737fe3a98faf4
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xcad2c248ccd5dbc77d62ac2477a6a4d7
Finished request 6.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 157.159.21.100 port 54360,
id=7, length=225
User-Name = "anonymous(a)it-sudparis.eu"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message =
0x0207005019001703010020dd3585a2fd072451d06cbff7c672598a7828eeb3ca9906009627abdd66e07bee170301002065a6b4951d3a3c4bf66102b8d2cded42880a5980ccbc9f6876b82f9d4b5f4c57
State = 0xcad2c248ccd5dbc77d62ac2477a6a4d7
Message-Authenticator = 0x0198edb8c100054204965aff380de732
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "it-sudparis.eu" for User-Name =
"anonymous(a)it-sudparis.eu"
[suffix] Found realm "it-sudparis.eu"
[suffix] Adding Stripped-User-Name = "anonymous"
[suffix] Adding Realm = "it-sudparis.eu"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 7 length 80
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] EAP type mschapv2
[peap] Got tunneled request
EAP-Message = 0x020700061a03
server {
PEAP: Setting User-Name to doutrele
Sending tunneled request
EAP-Message = 0x020700061a03
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "doutrele"
State = 0xbd5ae7b1bc5dfd560e8d64f9174929bb
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "doutrele", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "doutrele"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
++[control] returns ok
[eap] EAP packet type response id 7 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[ldap] performing user authorization for doutrele
[ldap] expand: %{Stripped-User-Name} -> doutrele
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(uid=doutrele)
[ldap] expand: dc=int-evry,dc=fr -> dc=int-evry,dc=fr
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in dc=int-evry,dc=fr, with filter (uid=doutrele)
[ldap] looking for check items in directory...
[ldap] sambaNtPassword -> NT-Password ==
0x3846343134354531463530334232353337443430363846343942363633434143
[ldap] sambaLmPassword -> LM-Password ==
0x4434413632394242394536303843323438423045413541374446313335423033
[ldap] looking for reply items in directory...
[ldap] eduPersonPrimaryAffiliation -> User-Category = "employee"
WARNING: No "known good" password was found in LDAP. Are you sure that
the user is configured correctly?
[ldap] user doutrele authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Normalizing NT-Password from hex encoding
[pap] Normalizing LM-Password from hex encoding
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[eap] Freeing handler
++[eap] returns ok
+- entering group post-auth {...}
++[files] returns noop
} # server inner-tunnel
[peap] Got tunneled reply code 2
User-Category = "employee"
EAP-Message = 0x03070004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "doutrele"
[peap] Got tunneled reply RADIUS code 2
User-Category = "employee"
EAP-Message = 0x03070004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "doutrele"
[peap] Tunneled authentication was successful.
[peap] SUCCESS
++[eap] returns handled
Sending Access-Challenge of id 7 to 157.159.21.100 port 54360
EAP-Message =
0x0108002b19001703010020929b1abc3e1705cbf933e7e801a5354ae3a6f3399037480a464f2a2550b98f7f
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xcad2c248cddadbc77d62ac2477a6a4d7
Finished request 7.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 157.159.21.100 port 54360,
id=8, length=225
User-Name = "anonymous(a)it-sudparis.eu"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message =
0x02080050190017030100207ec1199edf4cf1834a3e8e7a858fff1a28c3ce3cf2b04ac072813cc2f3c90f67170301002030bcc0f7c0addcc364b1dbef6349769ec9e4200c23e3092502c65ec6c64f3ab4
State = 0xcad2c248cddadbc77d62ac2477a6a4d7
Message-Authenticator = 0x356e2d5f5a5a58689d1111a18270f65a
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "it-sudparis.eu" for User-Name =
"anonymous(a)it-sudparis.eu"
[suffix] Found realm "it-sudparis.eu"
[suffix] Adding Stripped-User-Name = "anonymous"
[suffix] Adding Realm = "it-sudparis.eu"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 8 length 80
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Received EAP-TLV response.
[peap] Success
[eap] Freeing handler
++[eap] returns ok
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 8 to 157.159.21.100 port 54360
MS-MPPE-Recv-Key =
0x22d62fec650e593576a03a40cbcad77e540cdd3ba53b4a757d5c469cb40d1d15
MS-MPPE-Send-Key =
0xc1d6f7b5504b2595ce899f1cb2e0abfb68fe5224695c9d3b7157cdd5727ed058
EAP-Message = 0x03080004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "anonymous"
Finished request 8.
Going to the next request
Waking up in 4.6 seconds.
rad_recv: Access-Request packet from host 157.159.21.100 port 54360,
id=9, length=156
User-Name = "anonymous(a)it-sudparis.eu"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x0200001d01616e6f6e796d6f75734069742d73756470617269732e6575
Message-Authenticator = 0x209c9f1654d33cc3294474a7f994cfb7
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "it-sudparis.eu" for User-Name =
"anonymous(a)it-sudparis.eu"
[suffix] Found realm "it-sudparis.eu"
[suffix] Adding Stripped-User-Name = "anonymous"
[suffix] Adding Realm = "it-sudparis.eu"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 0 length 29
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 9 to 157.159.21.100 port 54360
EAP-Message = 0x010100061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x268659fd268740823ac0ee159d033676
Finished request 9.
Going to the next request
Waking up in 4.5 seconds.
rad_recv: Access-Request packet from host 157.159.21.100 port 54360,
id=10, length=267
User-Name = "anonymous(a)it-sudparis.eu"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message =
0x0201007a198000000070160301006b0100006703014c913a477d4a75e0cddafcb5987734716c23a52fbbbcb4ba3c65ede4ef78fee800003a00390038008800870035008400160013000a00330032009a009900450044002f00960041000500040015001200090014001100080006000300ff0100000400230000
State = 0x268659fd268740823ac0ee159d033676
Message-Authenticator = 0x1a5b6f8f646acb964649c60dd57e8503
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "it-sudparis.eu" for User-Name =
"anonymous(a)it-sudparis.eu"
[suffix] Found realm "it-sudparis.eu"
[suffix] Adding Stripped-User-Name = "anonymous"
[suffix] Adding Realm = "it-sudparis.eu"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 1 length 122
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 112
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 006b], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 0031], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 0501], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 018d], ServerKeyExchange
[peap] TLS_accept: SSLv3 write key exchange A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client
certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 10 to 157.159.21.100 port 54360
EAP-Message =
0x0102040019c0000006d716030100310200002d03014c913a248cf8b802e852566db88e91550ceb93e3316b48d3f714169b2b013d83000039000005ff0100010016030105010b0004fd0004fa0004f7308204f3308203dba003020102021100e03d6494c48a6582b19e99ddbf443528300d06092a864886f70d01010505003036310b3009060355040613024e4c310f300d060355040a1306544552454e41311630140603550403130d544552454e412053534c204341301e170d3130303930393030303030305a170d3133303930383233353935395a3075310b3009060355040613024652310d300b060355040713044576727931283026060355040a
EAP-Message =
0x0c1f54c3a96cc3a9636f6d2026204d616e6167656d656e74205375645061726973310d300b060355040b130444495349311e301c060355040313157261646975732e69742d73756470617269732e657530819f300d06092a864886f70d010101050003818d0030818902818100c55737ea4c14a7e16b93f65f6b9f672078e843bdbf1359e41f1a9dc14830eb2c1aeba9e90baa84a10ec41ccd24344f0b27d7ca8ca9580b7d0a41bcecf32b09ed5396b60c3fcbd9d0f386adee4d528bedeca7e5e5f497937966dcbbb0baeb703f9ca1e165c0cd713c8394eeac27108fa1d7d5abad255d50c7f886e56e067c4c2b0203010001a382023f3082023b301f06
EAP-Message =
0x03551d230418301680140cbd93680cf3deaba3496b2b375747ea90e3b9ed301d0603551d0e041604147380c4ebd5a0c9efd8be000147723c859656176b300e0603551d0f0101ff0404030205a0300c0603551d130101ff04023000301d0603551d250416301406082b0601050507030106082b0601050507030230180603551d200411300f300d060b2b06010401b2310102021d303a0603551d1f04333031302fa02da02b8629687474703a2f2f63726c2e7463732e746572656e612e6f72672f544552454e4153534c43412e63726c306d06082b060105050701010461305f303506082b060105050730028629687474703a2f2f6372742e7463732e
EAP-Message =
0x746572656e612e6f72672f544552454e4153534c43412e637274302606082b06010505073001861a687474703a2f2f6f6373702e7463732e746572656e612e6f72673081f60603551d110481ee3081eb82157261646975732e69742d73756470617269732e65758213617574682e69742d73756470617269732e65758212617574682e74656c65636f6d2d656d2e65758218617574682e74656c65636f6d2d73756470617269732e65758216656475726f616d2e69742d73756470617269732e65758215656475726f616d2e74656c65636f6d2d656d2e6575821b656475726f616d2e74656c65636f6d2d73756470617269732e657582157261646669
EAP-Message = 0x6c7475782e696e742d657672
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x268659fd278440823ac0ee159d033676
Finished request 10.
Going to the next request
Waking up in 4.5 seconds.
rad_recv: Access-Request packet from host 157.159.21.100 port 54360,
id=11, length=151
User-Name = "anonymous(a)it-sudparis.eu"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020200061900
State = 0x268659fd278440823ac0ee159d033676
Message-Authenticator = 0x67328520e6fdbf6163942511315364f2
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "it-sudparis.eu" for User-Name =
"anonymous(a)it-sudparis.eu"
[suffix] Found realm "it-sudparis.eu"
[suffix] Adding Stripped-User-Name = "anonymous"
[suffix] Adding Realm = "it-sudparis.eu"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 2 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 11 to 157.159.21.100 port 54360
EAP-Message =
0x010302e71900792e6672821872616466696c7475782e69742d73756470617269732e657582127261646975732e696e742d657672792e6672300d06092a864886f70d01010505000382010100981110a5a967ab5239ad83c6cc8a052e076b549711efbfd8a1849832633cc3c1d320e78b73df288e2be7e1db2849caea0d08447cb4d6a5c861a2e8f2c522388795b9e0c0a67cf23e28e6ede9ab76d61030fe4d4728ca4a2aa009f027ee71029f0ed72a124e4b0d6d5780eedeb7366b66a944f399d040652561bb82898163a273c8cc84f00c5ff323f3eeaefbf0901d889f88250f40ec69738d14807c44a0bcc1188849cd50ca19ab2b68f9b0a20b5f9e1d
EAP-Message =
0xb494542aa9f68a6458324fe737befaad83e80dfe79accb5468b7a16add16b138ce64eca73c7b8bdc6ac7e509623dd1416e58e2e66b0eb20f581c69f8ab66daeb745ba875d98c2e9e5b4c9227cad3d7160301018d0c0001890080e65ec2fd868598b9e50b7a44362e8377790373dd047b7e26e1aee4c5fc8ec05662adb9fdef3963c5829b6d126c3f8c55e633e870b773163b4308aa305e3dc6cabcdc3e0133addd332b35b98f57e201174f1217e27ea2d3dad122897d90ae8df27cfee20a17880976f4bfda7aa37f97d80e3048d766a7c314e2d25611836b698300010200806312b064d432faa984ffa915f8cb2088a7285974a96135d68dce37a85701
EAP-Message =
0x357443dafae946cb8583e130e0352ebc0209678bd9615b4ea9b19c9f3300d86087c38a2e32f9ace7053804c11b9639ee62a32642357df913fad79ee9f8767d3101f039c272436c0d9fd6f0127a36bfa3f15c1f7c05e5964dc49edccbc07e430fdc86008096ff6f76a0017fcdcd2b9f49571f9329f5e2646407cd5ca2ad5a107f40fce50309a4bfd7f301bd26da8e7a287862684c06a5c5d91bf179a6652676f55f51d8303361a3b5c06acc228f0c1a88b5c8d85e159d9c769c5fe3db2c365d26ddfbe63acca015129d6d4f3441ca010c5f48e6f626e3456fd5ee90231cfd9eeb46c2996f16030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x268659fd248540823ac0ee159d033676
Finished request 11.
Going to the next request
Waking up in 4.4 seconds.
rad_recv: Access-Request packet from host 157.159.21.100 port 54360,
id=12, length=353
User-Name = "anonymous(a)it-sudparis.eu"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message =
0x020300d01980000000c61603010086100000820080a532d539c23b716fd99967cca03ca383b4a9964c07b863f5fecfc9cb854a72e079b4d045665f5675f4dc03d8565282bad8fef82e912a5b031f148cf90234bbc92e5ffcacbbfc4d7e91477bae66bd95e22f465b530fbb0017da53cfb69b8c95da7114ad1900cab4e19e4cbcad18209735266a33114bf75efc04082f5d23239a55140301000101160301003098dc3a9750d9b3e46edeabed8465d9f021a3de531ebd757475c7720e075e003bdb6601a68070fdd3a9d24a01210a255c
State = 0x268659fd248540823ac0ee159d033676
Message-Authenticator = 0xe7361cb0dcb8744cd2e3c79a1e3397e3
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "it-sudparis.eu" for User-Name =
"anonymous(a)it-sudparis.eu"
[suffix] Found realm "it-sudparis.eu"
[suffix] Adding Stripped-User-Name = "anonymous"
[suffix] Adding Realm = "it-sudparis.eu"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 3 length 208
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 198
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
[peap] TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap] TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 write finished A
[peap] TLS_accept: SSLv3 flush data
[peap] (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 12 to 157.159.21.100 port 54360
EAP-Message =
0x01040041190014030100010116030100305434b4505f9e38783bce6ccd9077ed706c6136fb44420c636820a7462bdce7ea959c6ea9c4fb093604e78cb213722a2c
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x268659fd258240823ac0ee159d033676
Finished request 12.
Going to the next request
Waking up in 4.4 seconds.
rad_recv: Access-Request packet from host 157.159.21.100 port 54360,
id=13, length=151
User-Name = "anonymous(a)it-sudparis.eu"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020400061900
State = 0x268659fd258240823ac0ee159d033676
Message-Authenticator = 0x71d88f3eff06b67f64686e7dd6fb475b
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "it-sudparis.eu" for User-Name =
"anonymous(a)it-sudparis.eu"
[suffix] Found realm "it-sudparis.eu"
[suffix] Adding Stripped-User-Name = "anonymous"
[suffix] Adding Realm = "it-sudparis.eu"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 4 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
++[eap] returns handled
Sending Access-Challenge of id 13 to 157.159.21.100 port 54360
EAP-Message =
0x0105002b19001703010020c27c36e26c7a210558ff69f8b13b888aef215bbf2ce97d69f4cb0521433b0a6d
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x268659fd228340823ac0ee159d033676
Finished request 13.
Going to the next request
Waking up in 4.4 seconds.
rad_recv: Access-Request packet from host 157.159.21.100 port 54360,
id=14, length=225
User-Name = "anonymous(a)it-sudparis.eu"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message =
0x020500501900170301002068a3b06ae07eae4e0dc0a06ed9af4fc0cdebf4128489b7e45bab1c7f20cf79691703010020ab74a837a52917a8caafedeae7a26271f80d3d9c97e539eddc779d2c7b0ab546
State = 0x268659fd228340823ac0ee159d033676
Message-Authenticator = 0xbc0903a9455d85bc3717e62e28cc713a
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "it-sudparis.eu" for User-Name =
"anonymous(a)it-sudparis.eu"
[suffix] Found realm "it-sudparis.eu"
[suffix] Adding Stripped-User-Name = "anonymous"
[suffix] Adding Realm = "it-sudparis.eu"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 5 length 80
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Identity - doutrele
[peap] Got tunneled request
EAP-Message = 0x0205000d01646f757472656c65
server {
PEAP: Got tunneled identity of doutrele
PEAP: Setting default EAP type for tunneled EAP session.
PEAP: Setting User-Name to doutrele
Sending tunneled request
EAP-Message = 0x0205000d01646f757472656c65
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "doutrele"
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "doutrele", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "doutrele"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
++[control] returns ok
[eap] EAP packet type response id 5 length 13
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[ldap] performing user authorization for doutrele
[ldap] expand: %{Stripped-User-Name} -> doutrele
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(uid=doutrele)
[ldap] expand: dc=int-evry,dc=fr -> dc=int-evry,dc=fr
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in dc=int-evry,dc=fr, with filter (uid=doutrele)
[ldap] looking for check items in directory...
[ldap] sambaNtPassword -> NT-Password ==
0x3846343134354531463530334232353337443430363846343942363633434143
[ldap] sambaLmPassword -> LM-Password ==
0x4434413632394242394536303843323438423045413541374446313335423033
[ldap] looking for reply items in directory...
[ldap] eduPersonPrimaryAffiliation -> User-Category = "employee"
WARNING: No "known good" password was found in LDAP. Are you sure that
the user is configured correctly?
[ldap] user doutrele authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Normalizing NT-Password from hex encoding
[pap] Normalizing LM-Password from hex encoding
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
User-Category = "employee"
EAP-Message =
0x010600221a0106001d10a246c3c6516b9d77ea1d3015a7a84abb646f757472656c65
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xb69c907bb69a8aaa3577bd2d0d1d3df6
[peap] Got tunneled reply RADIUS code 11
User-Category = "employee"
EAP-Message =
0x010600221a0106001d10a246c3c6516b9d77ea1d3015a7a84abb646f757472656c65
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xb69c907bb69a8aaa3577bd2d0d1d3df6
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 14 to 157.159.21.100 port 54360
EAP-Message =
0x0106004b19001703010040c9ce0f68b431ebd559ed9175c87b80c001d5c5c4269aa5a0da2615fa72da470cf0641e9f5505789cd55c146b11b90bc11cae625a450a5b5cadc16e3540b1e52c
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x268659fd238040823ac0ee159d033676
Finished request 14.
Going to the next request
Waking up in 4.3 seconds.
rad_recv: Access-Request packet from host 157.159.21.100 port 54360,
id=15, length=289
User-Name = "anonymous(a)it-sudparis.eu"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message =
0x0206009019001703010020597cb64242f127a633edf6d83d9f753ad475e95f379a7a1efdc0d7dd62776011170301006090b9ad6ba6fa6c3042576000705030c6afed7e1d1dec688985936692dedd820826a1ceb87fa6867d05c7b7bc67f49c73338f2309f538172daddaf15656cef2172c77db8da21d259b53e7e8f9dbbab4282754f556c079b04defe4c92ce4374818
State = 0x268659fd238040823ac0ee159d033676
Message-Authenticator = 0x7d1093b42b7c313f5eb3aaad4e29921e
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "it-sudparis.eu" for User-Name =
"anonymous(a)it-sudparis.eu"
[suffix] Found realm "it-sudparis.eu"
[suffix] Adding Stripped-User-Name = "anonymous"
[suffix] Adding Realm = "it-sudparis.eu"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 6 length 144
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] EAP type mschapv2
[peap] Got tunneled request
EAP-Message =
0x020600431a0206003e310cc550d72183ae211d145eb7177df37000000000000000002fcfa8c1e0adf00cb92ed7a9aa47cc7b5f28dc099c500ad500646f757472656c65
server {
PEAP: Setting User-Name to doutrele
Sending tunneled request
EAP-Message =
0x020600431a0206003e310cc550d72183ae211d145eb7177df37000000000000000002fcfa8c1e0adf00cb92ed7a9aa47cc7b5f28dc099c500ad500646f757472656c65
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "doutrele"
State = 0xb69c907bb69a8aaa3577bd2d0d1d3df6
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "doutrele", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "doutrele"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
++[control] returns ok
[eap] EAP packet type response id 6 length 67
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[ldap] performing user authorization for doutrele
[ldap] expand: %{Stripped-User-Name} -> doutrele
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(uid=doutrele)
[ldap] expand: dc=int-evry,dc=fr -> dc=int-evry,dc=fr
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in dc=int-evry,dc=fr, with filter (uid=doutrele)
[ldap] looking for check items in directory...
[ldap] sambaNtPassword -> NT-Password ==
0x3846343134354531463530334232353337443430363846343942363633434143
[ldap] sambaLmPassword -> LM-Password ==
0x4434413632394242394536303843323438423045413541374446313335423033
[ldap] looking for reply items in directory...
[ldap] eduPersonPrimaryAffiliation -> User-Category = "employee"
WARNING: No "known good" password was found in LDAP. Are you sure that
the user is configured correctly?
[ldap] user doutrele authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Normalizing NT-Password from hex encoding
[pap] Normalizing LM-Password from hex encoding
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] Found LM-Password
[mschap] Found NT-Password
[mschap] Told to do MS-CHAPv2 for doutrele with NT-Password
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
MSCHAP Success
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
User-Category = "employee"
EAP-Message =
0x010700331a0306002e533d33303532464242454231393239443232383846343545353937433343453944383146344642363543
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xb69c907bb79b8aaa3577bd2d0d1d3df6
[peap] Got tunneled reply RADIUS code 11
User-Category = "employee"
EAP-Message =
0x010700331a0306002e533d33303532464242454231393239443232383846343545353937433343453944383146344642363543
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xb69c907bb79b8aaa3577bd2d0d1d3df6
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 15 to 157.159.21.100 port 54360
EAP-Message =
0x0107005b19001703010050e632c5330ad9f069d55ce38adf081de60ffff8938c3878638e7f5099feb365b46747f065e913f9aa378b80d67149abad23532bc66a0b54fb9cdfb6c1d55deb1315b640f0bff8492abc792a5f3e6c36a1
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x268659fd208140823ac0ee159d033676
Finished request 15.
Going to the next request
Waking up in 4.3 seconds.
rad_recv: Access-Request packet from host 157.159.21.100 port 54360,
id=16, length=225
User-Name = "anonymous(a)it-sudparis.eu"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message =
0x02070050190017030100205537c71649b782859d409fc6d9470580de6ea4ff25c7d8f29b7b3474d87f4e9a17030100203bc3e97a5dab221d36cfef355c2e12f1397b296ca95c9eca15bdf19251ff5f2a
State = 0x268659fd208140823ac0ee159d033676
Message-Authenticator = 0xb76c598918241bc7970283f80dae8b9f
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "it-sudparis.eu" for User-Name =
"anonymous(a)it-sudparis.eu"
[suffix] Found realm "it-sudparis.eu"
[suffix] Adding Stripped-User-Name = "anonymous"
[suffix] Adding Realm = "it-sudparis.eu"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 7 length 80
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] EAP type mschapv2
[peap] Got tunneled request
EAP-Message = 0x020700061a03
server {
PEAP: Setting User-Name to doutrele
Sending tunneled request
EAP-Message = 0x020700061a03
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "doutrele"
State = 0xb69c907bb79b8aaa3577bd2d0d1d3df6
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "doutrele", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "doutrele"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
++[control] returns ok
[eap] EAP packet type response id 7 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[ldap] performing user authorization for doutrele
[ldap] expand: %{Stripped-User-Name} -> doutrele
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(uid=doutrele)
[ldap] expand: dc=int-evry,dc=fr -> dc=int-evry,dc=fr
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in dc=int-evry,dc=fr, with filter (uid=doutrele)
[ldap] looking for check items in directory...
[ldap] sambaNtPassword -> NT-Password ==
0x3846343134354531463530334232353337443430363846343942363633434143
[ldap] sambaLmPassword -> LM-Password ==
0x4434413632394242394536303843323438423045413541374446313335423033
[ldap] looking for reply items in directory...
[ldap] eduPersonPrimaryAffiliation -> User-Category = "employee"
WARNING: No "known good" password was found in LDAP. Are you sure that
the user is configured correctly?
[ldap] user doutrele authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Normalizing NT-Password from hex encoding
[pap] Normalizing LM-Password from hex encoding
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[eap] Freeing handler
++[eap] returns ok
+- entering group post-auth {...}
++[files] returns noop
} # server inner-tunnel
[peap] Got tunneled reply code 2
User-Category = "employee"
EAP-Message = 0x03070004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "doutrele"
[peap] Got tunneled reply RADIUS code 2
User-Category = "employee"
EAP-Message = 0x03070004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "doutrele"
[peap] Tunneled authentication was successful.
[peap] SUCCESS
++[eap] returns handled
Sending Access-Challenge of id 16 to 157.159.21.100 port 54360
EAP-Message =
0x0108002b190017030100201bc2994f26ea599852815a48852b623a8a708485dfd96258e03a85adf942b362
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x268659fd218e40823ac0ee159d033676
Finished request 16.
Going to the next request
Waking up in 4.3 seconds.
rad_recv: Access-Request packet from host 157.159.21.100 port 54360,
id=17, length=225
User-Name = "anonymous(a)it-sudparis.eu"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message =
0x02080050190017030100201b6bb71d045bbd397aab6948baac2fb2b76c4195d9654d7f29ff68628e26524b1703010020090ab9ed9dcd6032948f868e18f79c4e4befd935c4bf295f70ad0370772a986e
State = 0x268659fd218e40823ac0ee159d033676
Message-Authenticator = 0x77d82030e53af4f2c9b848972bae2188
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "it-sudparis.eu" for User-Name =
"anonymous(a)it-sudparis.eu"
[suffix] Found realm "it-sudparis.eu"
[suffix] Adding Stripped-User-Name = "anonymous"
[suffix] Adding Realm = "it-sudparis.eu"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 8 length 80
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Received EAP-TLV response.
[peap] Success
[eap] Freeing handler
++[eap] returns ok
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 17 to 157.159.21.100 port 54360
MS-MPPE-Recv-Key =
0x4dd99a0dc82263a2c33055682f321f5c8f87b27b19da448cf0854ded5f242689
MS-MPPE-Send-Key =
0x996340b45c88e53f2dd54aff5270ad77d58d66b608cfb312c7c824dfe0dcef65
EAP-Message = 0x03080004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "anonymous"
Finished request 17.
Going to the next request
Waking up in 4.2 seconds.
4
8
Hi everybody!
I'm a new subcriber of this list. I'm trying to setup a radius server with LDAP authentication; I've managed to authenticate a user (from a Cisco Device),
but my fellows from Security Department think that we should have a two-step authentication:
1. User/password authentication, searching in cn=users,ou=pepe,ou=jose,c=es
2. A compare request, searching a specific objectclass in the LDAP tree.
So, the idea is the following one: depending on the NAS-IP-Address, not only to check for a correct password, but search the uid in an objectclass called
owner in the entry cn=deviceX,ou=pepe,ou=jose,c=es.
deviceX is the one with the source NAS-IP-Address. I Know how to unlang using swicht statements, configuring differents ldap's modules in the radius
server, so I can write the basedn I want.
But how can do the step 2?
Thank you and sorry for my english.
2
1
It's been a few weeks since the last "pre" release of 2.1.10. I've
put another one up on the web at:
http://git.freeradius.org/pre/
Please test it out, and give feedback on issues / benefits. The file
doc/ChangeLog contains all of the changes and new features in the server.
For a "stable" release, this one has an unfortunate number of feature
enhancements. However, some have been demanded for a very long time,
and they could be added in an "isolated" fashion.
The only change I see affecting anything is the handling of dead home
servers when proxying. This was a bug fix to prevent the home servers
from being marked dead/alive/dead/alive in quick sequence. This change
has been tested to work, but please give it additional scrutiny.
Alan DeKok.
4
7
Hello,
any idea why I don't see no connection start and stop into mysql
radacct table (other infos are ok) while in the
/var/log/radius/radacct/nas-ip-address/detail-date is ok?
Thanks a lot.
Matteo
----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.
3
2
Hi,
We have implemented a freeradius server on ubuntu 10.04 connecting to AD on windows 2003 to allow our users to auth against for wirless access.
This morning it all broke. And we don’t know why.
So I started looking to build a new server to fault find.
I am trying to find some documentation to help me.
Looking through the wiki and Alan’s website I found some documentation but it does not quite match the files and config I find In the freeradius directory.
I am not sure how best to continue, can someone tell me how these two document site atch up?
Thanks in advance
Lance
--
Lance Haig
Virtualisation Engineer
Forward
Floor 1, Centro 3
19 Mandela Street
London NW1 0DU
T: 020 7121 1199
F: 020 7121 1196
M: 07786167805
W: www.forward.co.uk
----------------------------------------------------
This message contains confidential information and is intended only for
the individual named. If you are not the named addressee you should not
disseminate, distribute or copy this e-mail. Please notify Forward
immediately by e-mail if you have received this e-mail by mistake and
delete this e-mail from your system. E-mail transmission cannot be
guaranteed to be secure or error-free as information could be
intercepted, corrupted, lost, destroyed, arrive late or incomplete, or
contain viruses. Forward does not accept liability for any errors
or omissions in the contents of this message, which arise as a result of
e-mail transmission. Opinions expressed in this email are those of
Lance Haig, and do not necessarily reflect those of Forward.
If verification is required please request a hard-copy version.
Forward Internet Group, a company incorporated in England with
registered company number 05199774.
Registered address: 1 Conduit Street, London W1S 2XA, United Kingdom;
VAT Number: 844386209.
5
10
Hi!
I would like to auth my users from my own script.
radiusd -X debug
[otp_auth] expand: %{User-Name} -> qtgame
[otp_auth] expand: %{User-Password} -> ?O????:J?? ?r
[otp_auth] expand: %{reply:Secret} -> 8bd1f2fc2c2f68bb
[otp_auth] expand: %{reply:Pin} -> 1616
[otp_auth] expand: %{reply:Offset} -> 0
my script don't understand this user-password :( how can i use cleartext
password?
and the other hand the ENV variable :
USER_PASSWORD="3!\333$\026\276\362\202\002\2522\231\355\302[\374"
how can i create this password from cleartext or can i decrypt to cleartext?
QTGame
2
1