Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
January 2011
- 121 participants
- 144 discussions
14 Jan '11
Ok, I connect to the wireless with my client cert installed, I get a see an eap exchange but cannot connect.
I've been looking over this for days now, just wanted to get some advice/help because I'm honestly lost at this point.
Feel free to ask me for anything else you need to see.
Jason Hall
-- begin -X output --
FreeRADIUS Version 2.1.1, for host x86_64-suse-linux-gnu, built on Feb 23 2009 at 21:43:09
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/krb5
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/ldap
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/sql.conf
including configuration file /etc/raddb/sql/mysql/dialup.conf
including configuration file /etc/raddb/sql/mysql/counter.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/inner-tunnel
group = radiusd
user = radiusd
including dictionary file /etc/raddb/dictionary
main {
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/radius"
libdir = "/usr/lib64/freeradius"
radacctdir = "/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
pidfile = "/var/run/radiusd/radiusd.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "testing123"
shortname = "(domain).com"
nastype = "other"
}
client 10.40.2.11/24 {
require_message_authenticator = no
secret = "(secret)"
shortname = "private-network-1"
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
realm (domain) {
}
realm LOCAL {
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_expr
Module: Instantiating expr
Module: Linked to module rlm_expiration
Module: Instantiating expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating logintime
logintime {
reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60
}
}
radiusd: #### Loading Virtual Servers ####
server inner-tunnel {
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating pap
pap {
encryption_scheme = "auto"
auto_header = no
}
Module: Linked to module rlm_chap
Module: Instantiating chap
Module: Linked to module rlm_mschap
Module: Instantiating mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = no
}
Module: Linked to module rlm_unix
Module: Instantiating unix
unix {
radwtmp = "/var/log/radius/radwtmp"
}
Module: Linked to module rlm_eap
Module: Instantiating eap
eap {
default_eap_type = "md5"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 2048
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
pem_file_type = yes
private_key_file = "/etc/raddb/certs/server.pem"
certificate_file = "/etc/raddb/certs/server.pem"
CA_file = "/etc/raddb/certs/ca.pem"
private_key_password = "(root key password)"
dh_file = "/etc/raddb/certs/dh"
random_file = "/etc/raddb/certs/random"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
cache {
enable = no
lifetime = 24
max_entries = 255
}
}
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_realm
Module: Instantiating suffix
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Instantiating ntdomain
realm ntdomain {
format = "prefix"
delimiter = "\"
ignore_default = no
ignore_null = no
}
Module: Linked to module rlm_files
Module: Instantiating files
files {
usersfile = "/etc/raddb/users"
acctusersfile = "/etc/raddb/acct_users"
preproxy_usersfile = "/etc/raddb/preproxy_users"
compat = "no"
}
Module: Checking session {...} for more modules to load
Module: Linked to module rlm_radutmp
Module: Instantiating radutmp
radutmp {
filename = "/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Linked to module rlm_attr_filter
Module: Instantiating attr_filter.access_reject
attr_filter attr_filter.access_reject {
attrsfile = "/etc/raddb/attrs.access_reject"
key = "%{User-Name}"
}
}
}
modules {
Module: Checking authenticate {...} for more modules to load
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating preprocess
preprocess {
huntgroups = "/etc/raddb/huntgroups"
hints = "/etc/raddb/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating detail
detail {
detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Instantiating attr_filter.accounting_response
attr_filter attr_filter.accounting_response {
attrsfile = "/etc/raddb/attrs.accounting_response"
key = "%{User-Name}"
}
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
}
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 10.40.2.11 port 32769, id=212, length=174
User-Name = "(domain)\\(username)"
Calling-Station-Id = "00-24-D7-29-45-30"
Called-Station-Id = "00-1D-70-02-20-70:(domain)"
NAS-Port = 29
NAS-IP-Address = 10.40.2.11
NAS-Identifier = "Cisco_b2:3f:03"
Airespace-Wlan-Id = 3
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x02020011015353505f43435c4a48616c6c
Message-Authenticator = 0x3e4f70b0ba4049be59b248ac79b67555
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "(domain)\(username)", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 17
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 212 to 10.40.2.11 port 32769
EAP-Message = 0x0103001604105d2f7ac821c18b3dda4fc5a730446754
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa900c63aa903c2d5a3d2ff9a18384d61
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.40.2.11 port 32769, id=213, length=181
User-Name = "(domain)\\(username)"
Calling-Station-Id = "00-24-D7-29-45-30"
Called-Station-Id = "00-1D-70-02-20-70:(domain)"
NAS-Port = 29
NAS-IP-Address = 10.40.2.11
NAS-Identifier = "Cisco_b2:3f:03"
Airespace-Wlan-Id = 3
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020300060319
State = 0xa900c63aa903c2d5a3d2ff9a18384d61
Message-Authenticator = 0x8cce320615eaa79d7a6c8a2041a0a494
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "(domain)\(username)", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/peap
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 213 to 10.40.2.11 port 32769
EAP-Message = 0x010400061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa900c63aa804dfd5a3d2ff9a18384d61
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.40.2.11 port 32769, id=214, length=301
User-Name = "(domain)\\(username)"
Calling-Station-Id = "00-24-D7-29-45-30"
Called-Station-Id = "00-1D-70-02-20-70:(domain)"
NAS-Port = 29
NAS-IP-Address = 10.40.2.11
NAS-Identifier = "Cisco_b2:3f:03"
Airespace-Wlan-Id = 3
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0204007e198000000074160301006f0100006b03014d2f9202942c3269ed5eaade3623eed7959631bdb8b3599f2d872fe0ad7cbab9000018002f00350005000ac013c014c009c00a00320038001300040100002aff0100010000000011000f00000c7373705f63635c6a68616c6c000a0006000400170018000b00020100
State = 0xa900c63aa804dfd5a3d2ff9a18384d61
Message-Authenticator = 0xa0ca7cf59c8e8dc3f81e213053c9a17e
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "(domain)\(username)", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 4 length 126
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 116
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 006f], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 0031], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 0ae0], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 214 to 10.40.2.11 port 32769
EAP-Message = 0x0105040019c000000b2416030100310200002d03014d2f91b5c8c10b6de09f4b353486dc7b23e5d4fc7d504ad599a8380cf337bb7400002f000005ff010001001603010ae00b000adc000ad90005643082056030820448a003020102020101300d06092a864886f70d01010505003081a4310b3009060355040613025553310e300c060355040813055465786173311e301c060355040a131553757373657220486f6c64696e67732c204c4c432e314230400603550403133953757373657220486f6c64696e67732c204c4c432e2053656375726520576972656c65737320547275737465642043657274696669636174653121301f06092a864886f7
EAP-Message = 0x0d0109011612697461646d696e407375737365722e636f6d301e170d3131303131303230333134325a170d3231303130363230333134325a3081a3310b3009060355040613025553310e300c060355040813055465786173311e301c060355040a131553757373657220486f6c64696e67732c204c4c432e3141303f0603550403133853757373657220486f6c64696e67732c204c4c432e2053656375726520576972656c657373205365727665722043657274696669636174653121301f06092a864886f70d0109011612697461646d696e407375737365722e636f6d30820122300d06092a864886f70d01010105000382010f003082010a028201
EAP-Message = 0x0100bcace3a1736baa41e7b28a9779bc5505649c2ac7055c1748827d678fe5762f8e815088097070ec4d063dc5f5b0ce4905f53d191fca459147e11b8bda3215e6e75ecbcd3e6a2097809c60370572236f79d114648251b3b6951e7d7ad8b386047adb1c73d8465a4fbe3755f4fd9758f5648917c95f8657997dfb435d32cd264771b07b8f1ffef2169b25809fb515d092f0d805488f8b0240b04bc91c9e8c4d80b5a9dd6eafd4424f68dc89cd0061f778c176bce198cdaf16f8bb683d6ec8c79b6b7401dbe928f549f8445cd77e489c9bd96a78ac6f4cfa42f0b6ad70f5676a284be39d51137c1524e920ed9e7b26b25bbf1d5b149a66bcc13384dd39
EAP-Message = 0x83c898a4dd0203010001a382019a3082019630090603551d1304023000303006096086480186f842010d04231621596153542047656e65726174656420536572766572204365727469666963617465301106096086480186f8420101040403020640300b0603551d0f0404030205a0301d0603551d0e041604146bfc53ec4d8c1de2655e487f85462269cfa0fe273081d90603551d230481d13081ce801414b80c1e8732c50053300194e1d8b6e1c4aed5e2a181aaa481a73081a4310b3009060355040613025553310e300c060355040813055465786173311e301c060355040a131553757373657220486f6c64696e67732c204c4c432e3142304006
EAP-Message = 0x035504031339537573736572
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa900c63aab05dfd5a3d2ff9a18384d61
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.40.2.11 port 32769, id=215, length=181
User-Name = "(domain)\\(username)"
Calling-Station-Id = "00-24-D7-29-45-30"
Called-Station-Id = "00-1D-70-02-20-70:(domain)"
NAS-Port = 29
NAS-IP-Address = 10.40.2.11
NAS-Identifier = "Cisco_b2:3f:03"
Airespace-Wlan-Id = 3
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020500061900
State = 0xa900c63aab05dfd5a3d2ff9a18384d61
Message-Authenticator = 0x9f5b906f012841434b8c0b92aef12acc
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "(domain)\(username)", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 5 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 215 to 10.40.2.11 port 32769
EAP-Message = 0x010603fc194020486f6c64696e67732c204c4c432e2053656375726520576972656c65737320547275737465642043657274696669636174653121301f06092a864886f70d0109011612697461646d696e407375737365722e636f6d82090089a2f8f8346912ee301d0603551d11041630148112697461646d696e407375737365722e636f6d301d0603551d12041630148112697461646d696e407375737365722e636f6d300d06092a864886f70d01010505000382010100db045c6fca66795e0f54111e406e5896d6e31d483c32db0c93d7fbf25b60cdb0698bc63300e4d3f44d2c73fac15ec3d41edd36b011a3ad9a87f0171885ff5646c86ba4e8
EAP-Message = 0x596bca83e15f117235ae85ea5e09c9c0bb6b0834ae94e9effc9585f147139f9b7889d460f4fa7ce5a2d0198bf01f2beb25be74b61c9d947b1fb3786f5ce17de32cc542bf3a72cf7ad43aa76fba5e7ae9c797290b99fe7864f48bccbc982e498a335f229be5d96c7ca1882051d38b433f63483c36faa619fc8c786fc209e4aac95a8dfd8fe159db33ae5d1992b3726c5af714983cbd894140833c4893da99beb55d06c6f0995e9d2777c5a1e9b3f32b5ad7d9d12ed479fef3679fdaa400056f3082056b30820453a00302010202090089a2f8f8346912ee300d06092a864886f70d01010505003081a4310b3009060355040613025553310e300c060355
EAP-Message = 0x040813055465786173311e301c060355040a131553757373657220486f6c64696e67732c204c4c432e314230400603550403133953757373657220486f6c64696e67732c204c4c432e2053656375726520576972656c65737320547275737465642043657274696669636174653121301f06092a864886f70d0109011612697461646d696e407375737365722e636f6d301e170d3131303131303230323932305a170d3231303130373230323932305a3081a4310b3009060355040613025553310e300c060355040813055465786173311e301c060355040a131553757373657220486f6c64696e67732c204c4c432e31423040060355040313395375
EAP-Message = 0x7373657220486f6c64696e67732c204c4c432e2053656375726520576972656c65737320547275737465642043657274696669636174653121301f06092a864886f70d0109011612697461646d696e407375737365722e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100de30822d81162b33fefec5a17b1b571c521487e99c20d212a8ce11298d2a34eadc2a6f4f721b5f95c7e45e94aca99df5a60dfbcdeeeac9dcde35585cf1ab350e2a426ee3e8cfe65c041f42b2fcc2a30e689120b6d5bd289d272b95a46ecf0cb610a1f8d767cb735addc6ad8b392b073790c9b8dafe857e3810c33065491d159883b9
EAP-Message = 0x538fce96e6f0bcc3
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa900c63aaa06dfd5a3d2ff9a18384d61
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.40.2.11 port 32769, id=216, length=181
User-Name = "(domain)\\(username)"
Calling-Station-Id = "00-24-D7-29-45-30"
Called-Station-Id = "00-1D-70-02-20-70:(domain)"
NAS-Port = 29
NAS-IP-Address = 10.40.2.11
NAS-Identifier = "Cisco_b2:3f:03"
Airespace-Wlan-Id = 3
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020600061900
State = 0xa900c63aaa06dfd5a3d2ff9a18384d61
Message-Authenticator = 0xb0a93c1c5de441689c546bff953552ac
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "(domain)\(username)", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 6 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 216 to 10.40.2.11 port 32769
EAP-Message = 0x0107033e19009acb9a429750087b478f4f28df800790b0fe850a08ed684bf275aef974f7cf1d695a2ae22a042dd7213978179a2afa8026e80e3c665f0e291c6cb49bd67d9b310fa31642c4a6743021a544285809c4253b3d8ba4bdfa1db0d84a324146733d6fd57ebe6fff1a01d57533ee7d7945a57a922bdca5c7830203010001a382019c30820198300f0603551d130101ff040530030101ff302c06096086480186f842010d041f161d596153542047656e657261746564204341204365727469666963617465301106096086480186f8420101040403020106300b0603551d0f040403020106301d0603551d0e0416041414b80c1e8732c5005330
EAP-Message = 0x0194e1d8b6e1c4aed5e23081d90603551d230481d13081ce801414b80c1e8732c50053300194e1d8b6e1c4aed5e2a181aaa481a73081a4310b3009060355040613025553310e300c060355040813055465786173311e301c060355040a131553757373657220486f6c64696e67732c204c4c432e314230400603550403133953757373657220486f6c64696e67732c204c4c432e2053656375726520576972656c65737320547275737465642043657274696669636174653121301f06092a864886f70d0109011612697461646d696e407375737365722e636f6d82090089a2f8f8346912ee301d0603551d11041630148112697461646d696e407375
EAP-Message = 0x737365722e636f6d301d0603551d12041630148112697461646d696e407375737365722e636f6d300d06092a864886f70d01010505000382010100ca48048305b23d2e01dc30838e24ae8dfe74dd335c421ab1b054ee3afb25bf6376f2c1d7da4dda99e414acc1bbe8a4d2e0da6bc7880a6628300f33a2b0170f558dcb606b161eed7b7e53bb10356c56af6b34c48a1de0fad2e23ccb81bac25fdf1a3985ddbd33ddea7f52206425852bf3cd6f9c04598a09143ce6041be582b5a66637b8e7b2359cac82d0950362fde436325c790321f54b5881d57c18e9a2f4c3605402e3b50da27645ed0b32f358fd4ad9fc933718125f31bd6e2ad41747d637792a
EAP-Message = 0xdb511a797d44a5272c4694fd77e0336aab254d1cf3655ac4eec005d52428d0aac5786d8572150662155d42a8401f044faa97d650ed5e9f189eae9ea81ddf16030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa900c63aad07dfd5a3d2ff9a18384d61
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.40.2.11 port 32769, id=217, length=513
User-Name = "(domain)\\(username)"
Calling-Station-Id = "00-24-D7-29-45-30"
Called-Station-Id = "00-1D-70-02-20-70:(domain)"
NAS-Port = 29
NAS-IP-Address = 10.40.2.11
NAS-Identifier = "Cisco_b2:3f:03"
Airespace-Wlan-Id = 3
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0207015019800000014616030101061000010201009a78a32ab69ac47fd717688c8e5f5b673aabe81f8d2021a4829398faa5f1cec667b9317950d7edd93808eb55f56ad23124b940a2c00e18dec4e82ea50af0a9fd127e6ae2985c319eec98078ef361dd63a3802d16f58ce99580c2bf3dd1ecfdacdf8a58b8ea94954afcda8eb14b57d67b0b3b813bba5cd80a9818c44ddb9b2213381e2dccc4768904ecc733be2cdb19fa371815a6f3b902e8d95d279b1832d2aab0cfaf194e091f00771eec0ee88ef766f373e93d84624eb0a3ab1804795535ce2b08ccdd8ca7f78a2288d8bc27651e9c706a9e597651366d5cc94c036138e47181e9788a57a5a916
EAP-Message = 0x4bc098427e639d833761b5bdfed6b316a55406d42d8a19bd14030100010116030100306656570ba40bb3282b036c3c969ac8f7e9511f50550ced6b21a082a886cfb3ae209d4109bd193cc0f0def9395faf7618
State = 0xa900c63aad07dfd5a3d2ff9a18384d61
Message-Authenticator = 0x3a4f1365b73bada36da646a0671428cb
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "(domain)\(username)", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 7 length 253
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 326
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange
[peap] TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap] TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 write finished A
[peap] TLS_accept: SSLv3 flush data
[peap] (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 217 to 10.40.2.11 port 32769
EAP-Message = 0x0108004119001403010001011603010030161865cc699da89650f3e7ce640e6b086e573dd17514716c46d50498bb3e5d02e040f450e614f19e2feafa1af0186cc8
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa900c63aac08dfd5a3d2ff9a18384d61
Finished request 5.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.40.2.11 port 32769, id=218, length=181
User-Name = "(domain)\\(username)"
Calling-Station-Id = "00-24-D7-29-45-30"
Called-Station-Id = "00-1D-70-02-20-70:(domain)"
NAS-Port = 29
NAS-IP-Address = 10.40.2.11
NAS-Identifier = "Cisco_b2:3f:03"
Airespace-Wlan-Id = 3
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020800061900
State = 0xa900c63aac08dfd5a3d2ff9a18384d61
Message-Authenticator = 0xa0943465f1407909729911da8fb5b48c
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "(domain)\(username)", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 8 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
++[eap] returns handled
Sending Access-Challenge of id 218 to 10.40.2.11 port 32769
EAP-Message = 0x0109002b1900170301002084ee051f9779be59188d096034de18a7a94be3a5ca72647d4f79ab554b6fec9d
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa900c63aaf09dfd5a3d2ff9a18384d61
Finished request 6.
Going to the next request
Waking up in 3.7 seconds.
rad_recv: Access-Request packet from host 10.40.2.11 port 32769, id=219, length=234
User-Name = "(domain)\\(username)"
Calling-Station-Id = "00-24-D7-29-45-30"
Called-Station-Id = "00-1D-70-02-20-70:(domain)"
NAS-Port = 29
NAS-IP-Address = 10.40.2.11
NAS-Identifier = "Cisco_b2:3f:03"
Airespace-Wlan-Id = 3
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0209003b190017030100306f7bab96d6d63036e0bb725d1949089071153172a6e25cfba4744a58cd5a6372e9cf3a3475a07a2b902df17f763cb274
State = 0xa900c63aaf09dfd5a3d2ff9a18384d61
Message-Authenticator = 0x97434ca49bae047c3ea91ff71064950d
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "(domain)\(username)", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 9 length 59
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Identity - (domain)\(username)
[peap] Got tunnled request
EAP-Message = 0x02090011015353505f43435c4a48616c6c
server (null) {
PEAP: Got tunneled identity of (domain)\(username)
PEAP: Setting default EAP type for tunneled EAP session.
PEAP: Setting User-Name to (domain)\(username)
Sending tunneled request
EAP-Message = 0x02090011015353505f43435c4a48616c6c
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "(domain)\\(username)"
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "(domain)\(username)", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] Looking up realm "(domain)" for User-Name = "(domain)\(username)"
[ntdomain] Found realm "(domain)"
[ntdomain] Adding Stripped-User-Name = "(username)"
[ntdomain] Adding Realm = "(domain)"
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
++[control] returns ok
[eap] EAP packet type response id 9 length 17
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
EAP-Message = 0x010a00261a010a002110b8d8b7f2698d6c4547c89393a90171365353505f43435c4a48616c6c
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xd2c630a7d2cc2a826808083c20a703b8
[peap] Got tunneled reply RADIUS code 11
EAP-Message = 0x010a00261a010a002110b8d8b7f2698d6c4547c89393a90171365353505f43435c4a48616c6c
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xd2c630a7d2cc2a826808083c20a703b8
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 219 to 10.40.2.11 port 32769
EAP-Message = 0x010a004b19001703010040195ae6d9f978634a3e75a51c482927b5b7db06ed62edeed6afe234cab520a6e7c0ae90f474c0cbf29d316410ce7822c700cca659da41f0c4533b059ac2be0115
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa900c63aae0adfd5a3d2ff9a18384d61
Finished request 7.
Going to the next request
Waking up in 3.7 seconds.
rad_recv: Access-Request packet from host 10.40.2.11 port 32769, id=220, length=282
User-Name = "(domain)\\(username)"
Calling-Station-Id = "00-24-D7-29-45-30"
Called-Station-Id = "00-1D-70-02-20-70:(domain)"
NAS-Port = 29
NAS-IP-Address = 10.40.2.11
NAS-Identifier = "Cisco_b2:3f:03"
Airespace-Wlan-Id = 3
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020a006b1900170301006030bf25d92f9528dbe9f11937d488bc75fbf25c7feb986c834b15010317ce3eda4935cf61a665d86730d7434fae79336dc652360792e8694274b94b6e2844039f2f88708d5cc2d3e588dec660648661dea641fb62e476ffe68cebef782ab8399d
State = 0xa900c63aae0adfd5a3d2ff9a18384d61
Message-Authenticator = 0x83e9623e00b31de770019d9c60b90fea
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "(domain)\(username)", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 10 length 107
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] EAP type mschapv2
[peap] Got tunnled request
EAP-Message = 0x020a00471a020a0042314d0b9d8cd906abc30c6c3a605d6f42b40000000000000000c089c6a1e5b21d8d8671904d0c3003e6db1a66d3f2b7db28005353505f43435c4a48616c6c
server (null) {
PEAP: Setting User-Name to (domain)\(username)
Sending tunneled request
EAP-Message = 0x020a00471a020a0042314d0b9d8cd906abc30c6c3a605d6f42b40000000000000000c089c6a1e5b21d8d8671904d0c3003e6db1a66d3f2b7db28005353505f43435c4a48616c6c
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "(domain)\\(username)"
State = 0xd2c630a7d2cc2a826808083c20a703b8
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "(domain)\(username)", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] Looking up realm "(domain)" for User-Name = "(domain)\(username)"
[ntdomain] Found realm "(domain)"
[ntdomain] Adding Stripped-User-Name = "(username)"
[ntdomain] Adding Realm = "(domain)"
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
++[control] returns ok
[eap] EAP packet type response id 10 length 71
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] NT Domain delimeter found, should we have enabled with_ntdomain_hack?
[mschap] Told to do MS-CHAPv2 for (domain)\(username) with NT-Password
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
} # server inner-tunnel
[peap] Got tunneled reply code 3
MS-CHAP-Error = "\nE=691 R=1"
EAP-Message = 0x040a0004
Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code 3
MS-CHAP-Error = "\nE=691 R=1"
EAP-Message = 0x040a0004
Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] returns handled
Sending Access-Challenge of id 220 to 10.40.2.11 port 32769
EAP-Message = 0x010b002b19001703010020ae3ca0fedfe440153cb7b49364e200704bf8486f1399f0b4ea8ba62cccb9efa1
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa900c63aa10bdfd5a3d2ff9a18384d61
Finished request 8.
Going to the next request
Waking up in 3.7 seconds.
rad_recv: Access-Request packet from host 10.40.2.11 port 32769, id=221, length=218
User-Name = "(domain)\\(username)"
Calling-Station-Id = "00-24-D7-29-45-30"
Called-Station-Id = "00-1D-70-02-20-70:(domain)"
NAS-Port = 29
NAS-IP-Address = 10.40.2.11
NAS-Identifier = "Cisco_b2:3f:03"
Airespace-Wlan-Id = 3
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020b002b1900170301002078eaf4d8bdc40da5bfc684b788aa859165524f3e8da0fc61999428c2c89cf710
State = 0xa900c63aa10bdfd5a3d2ff9a18384d61
Message-Authenticator = 0x4940f9f48b205143a5ba104ea9da0d72
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "(domain)\(username)", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 11 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Received EAP-TLV response.
[peap] Had sent TLV failure. User was rejected earlier in this session.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> (domain)\(username)
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 9 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 9
Sending Access-Reject of id 221 to 10.40.2.11 port 32769
EAP-Message = 0x040b0004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 2.7 seconds.
Cleaning up request 0 ID 212 with timestamp +6
Cleaning up request 1 ID 213 with timestamp +6
Cleaning up request 2 ID 214 with timestamp +6
Cleaning up request 3 ID 215 with timestamp +6
Cleaning up request 4 ID 216 with timestamp +6
Cleaning up request 5 ID 217 with timestamp +6
Waking up in 1.2 seconds.
Cleaning up request 6 ID 218 with timestamp +8
Cleaning up request 7 ID 219 with timestamp +8
Cleaning up request 8 ID 220 with timestamp +8
Waking up in 1.0 seconds.
Cleaning up request 9 ID 221 with timestamp +8
Ready to process requests.
2
1
Has anyone gotten freeradius EAP-MSCHAPV2 authentication to work properly in samba versions beyond 3.0.30? On samba 3.3.8 I still get the same type of error I'd get as if I didn't have the xpextensions on my cert (Even though I do.) No response to access-challenge. If I go back to 3.0.30 it immediately works....Starting to run into a problem because 3.0.30 won't work will 2008 r2 domain controllers. Again my cert does have the xpextensions. And it does this to all clients,, not just Microsoft. Here's the end of my debug:
[mschap] expand: --username=%{mschap:User-Name:-None} -> --username=tomtom
[mschap] expand: %{mschap:NT-Domain} -> ADS
[mschap] expand: --domain=%{%{mschap:NT-Domain}:-ADS} -> --domain=ADS
[mschap] mschap2: d3
[mschap] Creating challenge hash with username: tomtom
[mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=ba19d84bdab789ef
[mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=27a757e4b32c51011216ac7fff78219563fc14af067f3d05
Exec-Program output: NT_KEY: D988C0C63F2D4C8034172DCBEB7B317F
Exec-Program-Wait: plaintext: NT_KEY: D988C0C63F2D4C8034172DCBEB7B317F
Exec-Program: returned: 0
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
MSCHAP Success
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
EAP-Message = 0x010c00331a030b002e533d33333133453034393739353130383137303633423342413033324339383343383832413937323736
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x3f8a0cb23e86164f4ea2f66ef66aa4ed
[peap] Got tunneled reply RADIUS code 11
EAP-Message = 0x010c00331a030b002e533d33333133453034393739353130383137303633423342413033324339383343383832413937323736
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x3f8a0cb23e86164f4ea2f66ef66aa4ed
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 17 to 172.20.4.253 port 32769
EAP-Message = 0x010c005b19001703010050e5f53b91a3b5214c1a0f1ee21b46045f6992732a92d882e4359ed17b1dfffcb69d20d4645caa74a94ea448cd54c76c041c642d05801fa0a4f830247b30f9723884d6fbaa35f6b11398741f833bc68f08
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xedeb59b2eae740f09f949186981dc8bc
Finished request 10.
Going to the next request
Waking up in 4.7 seconds.
Cleaning up request 3 ID 10 with timestamp +11
Cleaning up request 4 ID 11 with timestamp +11
Cleaning up request 5 ID 12 with timestamp +11
Cleaning up request 6 ID 13 with timestamp +11
Cleaning up request 7 ID 14 with timestamp +11
Cleaning up request 8 ID 15 with timestamp +11
Waking up in 0.1 seconds.
Cleaning up request 9 ID 16 with timestamp +11
Cleaning up request 10 ID 17 with timestamp +11
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
WARNING: !! EAP session for state 0xedeb59b2eae740f0 did not finish!
WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Thomas E. Casartello, Jr.
Staff Assistant - Wireless/Linux Administrator
Information Technology
Wilson 105A
Westfield State College
(413) 572-8245
Red Hat Certified Technician (RHCT)
Cisco Certified Network Associate (CCNA)
3
9
Shameless bump.
My apologies for the newbie question, but my searches have all been circular.
I just want to know if dialup-admin is all that is available on the Open Source side for GUI based administration of FreeRadius?
Please, and thank you!
--- On Wed, 1/12/11, Jim Rice <jmrice6640(a)yahoo.com> wrote:
> From: Jim Rice <jmrice6640(a)yahoo.com>
> Subject: Freeradius GUI Interfaces Available?
> To: freeradius-users(a)lists.freeradius.org
> Date: Wednesday, January 12, 2011, 11:47 AM
> New to freeradius list.
> Greetings.
>
> Can someone direct me to more information about Radius GUI
> Interfaces?
>
> Is dialup-admin all there is? (Does not seem to be
> included in rpm pkg.)
> freeradius2-2.1.7-7.el5 (CentOS 5)
>
> Thanks.
>
>
3
2
Hi,
I am configuring a freeradius for a institution for eduroam purposes, using
Fedora 13 and with freeradius 2.1.10. The only EAP type supported is
EAP-TTLS/PAP. I attach the radius -X output:
FreeRADIUS Version 2.1.10, for host x86_64-redhat-linux-gnu, built on Oct 19
2010 at 20:00:35
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/dynamic_clients
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/cui
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/ntlm_auth
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/opendirectory
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/control-socket
including configuration file /etc/raddb/sites-enabled/inner-tunnel
main {
user = "radiusd"
group = "radiusd"
allow_core_dumps = no
}
including dictionary file /etc/raddb/dictionary
main {
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/radius"
libdir = "/usr/lib64/freeradius"
radacctdir = "/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "/var/run/radiusd/radiusd.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = yes
auth_badpass = yes
auth_goodpass = yes
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = yes
dead_time = 120
wake_all_if_all_dead = no
}
realm NULL {
nostrip
authhost = LOCAL
accthost = LOCAL
}
realm DEFAULT {
nostrip
authhost = X.X.X.X:1812
accthost = X.X.X.X:1813
secret = verysecret
}
realm irta.cat {
nostrip
authhost = 192.168.1.34
accthost = 192.168.1.34
secret = ******
}
realm irta.es {
nostrip
authhost = 192.168.1.34
accthost = 192.168.1.34
secret = ******
}
realm IRTA_NT {
nostrip
authhost = 192.168.1.34
accthost = 192.168.1.34
secret = ******
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "testing123"
nastype = "other"
}
client X.X.X.X {
require_message_authenticator = no
secret = "******"
shortname = "RADIUS_Anella"
}
client X.X.X.X0 {
require_message_authenticator = no
secret = "******"
shortname = "ISA"
}
client X.X.X.X1 {
require_message_authenticator = no
secret = "******"
shortname = "ISA"
}
client X.X.X.X2 {
require_message_authenticator = no
secret = "******"
shortname = "ISA"
}
client 172.18.1.10 {
require_message_authenticator = no
secret = "******"
shortname = "WLC_SSCC"
}
client 172.18.2.10 {
require_message_authenticator = no
secret = "******"
shortname = "WLC_Cabrils"
}
client 172.18.3.10 {
require_message_authenticator = no
secret = "******"
shortname = "WLC_Monells"
}
client 172.18.5.10 {
require_message_authenticator = no
secret = "******"
shortname = "WLC_Lleida"
}
client 172.18.6.10 {
require_message_authenticator = no
secret = "******"
shortname = "WLC_Mas_de_Bover"
}
client 172.18.8.10 {
require_message_authenticator = no
secret = "******"
shortname = "WLC_Sant_Carles_Rapita_Ebre"
}
client 172.18.10.10 {
require_message_authenticator = no
secret = "******"
shortname = "WLC_Torra_Marimon"
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating module "exec" from file /etc/raddb/modules/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_expr
Module: Instantiating module "expr" from file /etc/raddb/modules/expr
Module: Linked to module rlm_expiration
Module: Instantiating module "expiration" from file
/etc/raddb/modules/expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating module "logintime" from file
/etc/raddb/modules/logintime
logintime {
reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60
}
}
radiusd: #### Loading Virtual Servers ####
server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating module "pap" from file /etc/raddb/modules/pap
pap {
encryption_scheme = "auto"
auto_header = no
}
Module: Linked to module rlm_chap
Module: Instantiating module "chap" from file /etc/raddb/modules/chap
Module: Linked to module rlm_mschap
Module: Instantiating module "mschap" from file /etc/raddb/modules/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = no
}
Module: Linked to module rlm_unix
Module: Instantiating module "unix" from file /etc/raddb/modules/unix
unix {
radwtmp = "/var/log/radius/radwtmp"
}
Module: Linked to module rlm_eap
Module: Instantiating module "eap" from file /etc/raddb/eap.conf
eap {
default_eap_type = "ttls"
timer_expire = 60
ignore_unknown_eap_types = yes
cisco_accounting_username_bug = yes
max_sessions = 4096
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
pem_file_type = yes
private_key_file = "/etc/raddb/certs/sr013_irta_es.key"
certificate_file = "/etc/raddb/certs/certificat_es.cer"
CA_file = "/etc/raddb/certs/ca.pem"
private_key_password = "******"
dh_file = "/etc/raddb/certs/dh"
random_file = "/etc/raddb/certs/random"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
cache {
enable = no
lifetime = 24
max_entries = 255
}
}
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
default_eap_type = "md5"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
virtual_server = "inner-tunnel"
include_length = yes
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_realm
Module: Instantiating module "suffix" from file /etc/raddb/modules/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Instantiating module "ntdomain" from file /etc/raddb/modules/realm
realm ntdomain {
format = "prefix"
delimiter = "\"
ignore_default = no
ignore_null = no
}
Module: Linked to module rlm_files
Module: Instantiating module "files" from file /etc/raddb/modules/files
files {
usersfile = "/etc/raddb/users"
acctusersfile = "/etc/raddb/acct_users"
preproxy_usersfile = "/etc/raddb/preproxy_users"
compat = "no"
}
Module: Checking session {...} for more modules to load
Module: Linked to module rlm_radutmp
Module: Instantiating module "radutmp" from file /etc/raddb/modules/radutmp
radutmp {
filename = "/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Checking pre-proxy {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating module "pre_proxy_log" from file
/etc/raddb/modules/detail.log
detail pre_proxy_log {
detailfile =
"/var/log/radius/radacct/%{Client-IP-Address}/pre-proxy-detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Checking post-proxy {...} for more modules to load
Module: Instantiating module "post_proxy_log" from file
/etc/raddb/modules/detail.log
detail post_proxy_log {
detailfile =
"/var/log/radius/radacct/%{Client-IP-Address}/post-proxy-detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Checking post-auth {...} for more modules to load
Module: Linked to module rlm_attr_filter
Module: Instantiating module "attr_filter.access_reject" from file
/etc/raddb/modules/attr_filter
attr_filter attr_filter.access_reject {
attrsfile = "/etc/raddb/attrs.access_reject"
key = "%{User-Name}"
}
} # modules
} # server
server { # from file /etc/raddb/radiusd.conf
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_digest
Module: Instantiating module "digest" from file /etc/raddb/modules/digest
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating module "preprocess" from file
/etc/raddb/modules/preprocess
preprocess {
huntgroups = "/etc/raddb/huntgroups"
hints = "/etc/raddb/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating module "acct_unique" from file
/etc/raddb/modules/acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Instantiating module "detail" from file /etc/raddb/modules/detail
detail {
detailfile =
"/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Instantiating module "attr_filter.accounting_response" from file
/etc/raddb/modules/attr_filter
attr_filter attr_filter.accounting_response {
attrsfile = "/etc/raddb/attrs.accounting_response"
key = "%{User-Name}"
}
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
} # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = X.X.X.X
port = 1812
}
listen {
type = "acct"
ipaddr = X.X.X.X
port = 1813
}
listen {
type = "control"
listen {
socket = "/var/run/radiusd/radiusd.sock"
}
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
Listening on authentication address X.X.X.X port 1812
Listening on accounting address X.X.X.X port 1813
Listening on command file /var/run/radiusd/radiusd.sock
Listening on authentication address 127.0.0.1 port 18120 as server
inner-tunnel
Listening on proxy address X.X.X.X port 1814
Ready to process requests.
Using a client with Windows 7 and supplicant SecureW2 I get the next
warning:
rad_recv: Access-Request packet from host X.X.X.X port 46577, id=9,
length=203
User-Name = ************
Calling-Station-Id = "00-26-B6-59-F1-EA"
Called-Station-Id = "00-22-55-F1-80-B0:eduroam"
NAS-Port = 1
NAS-IP-Address = 172.18.1.10
NAS-Identifier = "WLC_SSCC"
Airespace-Wlan-Id = 1
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "50"
EAP-Message = 0x0203001a0170726f7665735f697274614063657363612e636174
Message-Authenticator = 0xce819241867a6c729cd1ce2fbc6f1871
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] Looking up realm "cesca.cat" for User-Name = ************
[suffix] Found realm "DEFAULT"
[suffix] Adding Realm = "DEFAULT"
[suffix] Proxying request from user ************ to realm DEFAULT
[suffix] Preparing to proxy authentication request to realm "DEFAULT"
++[suffix] returns updated
[eap] Request is supposed to be proxied to Realm DEFAULT. Not doing EAP.
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
WARNING: Empty pre-proxy section. Using default return values.
Sending Access-Request of id 158 to 84.88.0.19 port 1812
User-Name = ************
Calling-Station-Id = "00-26-B6-59-F1-EA"
Called-Station-Id = "00-22-55-F1-80-B0:eduroam"
NAS-Port = 1
NAS-IP-Address = 172.18.1.10
NAS-Identifier = "WLC_SSCC"
Airespace-Wlan-Id = 1
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "50"
EAP-Message = 0x0203001a0170726f7665735f697274614063657363612e636174
Message-Authenticator = 0x00000000000000000000000000000000
Proxy-State = 0x39
Proxying request 2 to home server 84.88.0.19 port 1812
Sending Access-Request of id 158 to 84.88.0.19 port 1812
User-Name = ************
Calling-Station-Id = "00-26-B6-59-F1-EA"
Called-Station-Id = "00-22-55-F1-80-B0:eduroam"
NAS-Port = 1
NAS-IP-Address = 172.18.1.10
NAS-Identifier = "WLC_SSCC"
Airespace-Wlan-Id = 1
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "50"
EAP-Message = 0x0203001a0170726f7665735f697274614063657363612e636174
Message-Authenticator = 0x00000000000000000000000000000000
Proxy-State = 0x39
Going to the next request
Waking up in 0.9 seconds.
Waking up in 12.9 seconds.
rad_recv: Access-Request packet from host X.X.X.X port 46577, id=9,
length=203
Sending duplicate proxied request to home server 84.88.0.19 port 1812 - ID:
158
Sending Access-Request of id 158 to 84.88.0.19 port 1812
User-Name = ************
Calling-Station-Id = "00-26-B6-59-F1-EA"
Called-Station-Id = "00-22-55-F1-80-B0:eduroam"
NAS-Port = 1
NAS-IP-Address = 172.18.1.10
NAS-Identifier = "WLC_SSCC"
Airespace-Wlan-Id = 1
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "50"
EAP-Message = 0x0203001a0170726f7665735f697274614063657363612e636174
Message-Authenticator = 0x00000000000000000000000000000000
Proxy-State = 0x39
Waking up in 11.9 seconds.
rad_recv: Access-Request packet from host X.X.X.X port 46577, id=9,
length=203
Sending duplicate proxied request to home server 84.88.0.19 port 1812 - ID:
158
Sending Access-Request of id 158 to 84.88.0.19 port 1812
User-Name = ************
Calling-Station-Id = "00-26-B6-59-F1-EA"
Called-Station-Id = "00-22-55-F1-80-B0:eduroam"
NAS-Port = 1
NAS-IP-Address = 172.18.1.10
NAS-Identifier = "WLC_SSCC"
Airespace-Wlan-Id = 1
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "50"
EAP-Message = 0x0203001a0170726f7665735f697274614063657363612e636174
Message-Authenticator = 0x00000000000000000000000000000000
Proxy-State = 0x39
Waking up in 9.9 seconds.
rad_recv: Access-Request packet from host X.X.X.X port 46577, id=9,
length=203
Sending duplicate proxied request to home server 84.88.0.19 port 1812 - ID:
158
Sending Access-Request of id 158 to 84.88.0.19 port 1812
User-Name = ************
Calling-Station-Id = "00-26-B6-59-F1-EA"
Called-Station-Id = "00-22-55-F1-80-B0:eduroam"
NAS-Port = 1
NAS-IP-Address = 172.18.1.10
NAS-Identifier = "WLC_SSCC"
Airespace-Wlan-Id = 1
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "50"
EAP-Message = 0x0203001a0170726f7665735f697274614063657363612e636174
Message-Authenticator = 0x00000000000000000000000000000000
Proxy-State = 0x39
Waking up in 7.9 seconds.
rad_recv: Access-Request packet from host X.X.X.X port 46577, id=9,
length=203
Sending duplicate proxied request to home server 84.88.0.19 port 1812 - ID:
158
Sending Access-Request of id 158 to 84.88.0.19 port 1812
User-Name = ************
Calling-Station-Id = "00-26-B6-59-F1-EA"
Called-Station-Id = "00-22-55-F1-80-B0:eduroam"
NAS-Port = 1
NAS-IP-Address = 172.18.1.10
NAS-Identifier = "WLC_SSCC"
Airespace-Wlan-Id = 1
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "50"
EAP-Message = 0x0203001a0170726f7665735f697274614063657363612e636174
Message-Authenticator = 0x00000000000000000000000000000000
Proxy-State = 0x39
Waking up in 5.9 seconds.
rad_recv: Access-Request packet from host X.X.X.X port 46577, id=9,
length=203
Sending duplicate proxied request to home server 84.88.0.19 port 1812 - ID:
158
Sending Access-Request of id 158 to 84.88.0.19 port 1812
User-Name = ************
Calling-Station-Id = "00-26-B6-59-F1-EA"
Called-Station-Id = "00-22-55-F1-80-B0:eduroam"
NAS-Port = 1
NAS-IP-Address = 172.18.1.10
NAS-Identifier = "WLC_SSCC"
Airespace-Wlan-Id = 1
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "50"
EAP-Message = 0x0203001a0170726f7665735f697274614063657363612e636174
Message-Authenticator = 0x00000000000000000000000000000000
Proxy-State = 0x39
Waking up in 3.9 seconds.
WARNING: Internal sanity check failed in event handler for request 2:
Discarding the request!
Ready to process requests.
So I have mainly tho doubts:
First, one why this warning happens and how to solve it.
Second one, is it normal that EAP-TTLS does not begin?
Thanks in advance,
Joan.
--
View this message in context: http://freeradius.1045715.n5.nabble.com/freeradius-2-1-10-WARNING-Internal-…
Sent from the FreeRadius - User mailing list archive at Nabble.com.
3
4
Dear all,
I am using Fedora 12 + Freeradius to do some CoA tests.
One is : AAA sends Disconnect request to Client.
My packet.txt content is as:
----------------------------------------------------------------------------
-----
Acct-Session-Id="00000001"
Calling-Station-Id="001E310008CC"
User-Name="wimax"
X-Ascend-Session-Svr-Key="0123456789"
NAS-IP-Address=100.1.6.4
NAS-Identifier=CATR
WiMAX-DM-Action-Code="0"
WiMAX-AAA-Session-Id="00000002"
----------------------------------------------------------------------------
-----
But when I run it in the command terminal, the screen said as below:
----------------------------------------------------------------------------
-----
[root@AAA bin]# cat packet.txt | radclient -x 100.1.6.4:3799 disconnect
0123456789
Sending Disconnect-Request of id 53 to 100.1.6.4 port 3799
Acct-Session-Id = "00000001"
Calling-Station-Id = "001E310008CC"
User-Name = "wimax"
X-Ascend-Session-Svr-Key = "0123456789"
NAS-IP-Address = 100.1.6.4
NAS-Identifier = "CATR"
WiMAX-DM-Action-Code = 0x30
WiMAX-AAA-Session-Id = 0x3030303030303032
rad_recv: Disconnect-NAK packet from host 100.1.6.4 port 3799, id=53,
length=20
----------------------------------------------------------------------------
-----
I don't know why WiMAX-DM-Action-Code content was changed. If I change the
value in packetet.txt to 0xffff, I can get the decoded content in screen as
0xff. The Wireshark can also get the changed content.
Can you give me any suggestions?
Thanks for your help.
Xiaochen
13/1/2011
3
2
http://freeradius.org/radiusd/doc/tuning_guide
(also in the distro)
LDAP MODULE
o Enable caching in the ldap module ...
I can find no such feature, does this actually exist in the ldap module
or is there another way to cache ldap results? Did it used to exist?
Ideally I'd like to be able to consult ldap but after a configured
timeout simply use a cached result. Obviously I could do this with
a script but why not have it all built-in.
thanks.
3
2
Sending an attribute with the Access-Accept instead of Access-Challenge
by Vivek Umasuthan 12 Jan '11
by Vivek Umasuthan 12 Jan '11
12 Jan '11
Hi All,
I am testing 802.1x support on our platform and I'm having trouble
figuring out how to include some attributes with Access-Accept. I read
the 'users' file man page but could not get the answer.
So my user is as shown below in the users file
qatester Cleartext-Password := "qatester"
Session-Timeout = 20,
Termination-Action = 1
Now the authorization works fine but the Session-Timeout attribute is
ncluded in the Access-Challenge message as I understand. I want to
send it with the Access-Accept message. I have copied debug
information below.
############## Debug Infor Starts ##################
rad_recv: Access-Request packet from host 192.168.0.159 port 4999,
id=66, length=106
Calling-Station-Id = "00-1A-6B-66-DD-7E"
NAS-Port = 1
User-Name = "qatester"
NAS-IP-Address = 192.168.0.159
Service-Type = Framed-User
Framed-MTU = 1500
EAP-Message = 0x0202000d017161746573746572
Message-Authenticator = 0x29d87ac1ec4ca82352df5fe82cc5849e
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "qatester", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 13
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry qatester at line 139
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 66 to 192.168.0.159 port 4999
Session-Timeout = 20
Termination-Action = RADIUS-Request
EAP-Message = 0x0103001604109e9fffb0d5e6393e5ef410df900b8d2f
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x68cd38bb68ce3cd51b0b4c1f6b1aa976
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.0.159 port 4999,
id=67, length=117
Calling-Station-Id = "00-1A-6B-66-DD-7E"
NAS-Port = 1
User-Name = "qatester"
NAS-IP-Address = 192.168.0.159
Service-Type = Framed-User
Framed-MTU = 1500
State = 0x68cd38bb68ce3cd51b0b4c1f6b1aa976
EAP-Message = 0x020300060319
Message-Authenticator = 0x7a4fba042bc71fbee8de9b56077c2ca8
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "qatester", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry qatester at line 139
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/peap
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 67 to 192.168.0.159 port 4999
Session-Timeout = 20
Termination-Action = RADIUS-Request
EAP-Message = 0x010400061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x68cd38bb69c921d51b0b4c1f6b1aa976
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.0.159 port 4999,
id=68, length=233
Calling-Station-Id = "00-1A-6B-66-DD-7E"
NAS-Port = 1
User-Name = "qatester"
NAS-IP-Address = 192.168.0.159
Service-Type = Framed-User
Framed-MTU = 1500
State = 0x68cd38bb69c921d51b0b4c1f6b1aa976
EAP-Message =
0x0204007a198000000070160301006b0100006703014d2dbcb9a99cbfaf828b78feb5deaaf1ee341152fe91df965d169a89dee7048e000018002f00350005000ac013c014c009c00a003200380013000401000026ff010001000000000d000b0000087161746573746572000a0006000400170018000b00020100
Message-Authenticator = 0xa246d84f9ddb81f240afcf2e322c88c9
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "qatester", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 4 length 122
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 112
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 006b], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 0031], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 01c7], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 68 to 192.168.0.159 port 4999
EAP-Message =
0x01050211190016030100310200002d03014d2dbc97022caaaf6f23f7d5d4e29a0f9294e529db827c96c177be0d019bd6c100002f000005ff0100010016030101c70b0001c30001c00001bd308201b930820122020900bad757ba2ede8781300d06092a864886f70d01010505003021311f301d06035504031316766976656b756d6173757468616e2e656e672e6c616e301e170d3130303931363137313930315a170d3230303931333137313930315a3021311f301d06035504031316766976656b756d6173757468616e2e656e672e6c616e30819f300d06092a864886f70d010101050003818d0030818902818100d854b0ba17df1998fca8e87872
EAP-Message =
0xc937f5c12631f52874b71e65b035a7093b2039ca4b71e1692fc977d675d2b659cc9fa7a80c29c0defd5708afd9b2308d4088a7674eed45076bda8431628be016bda82783d9257d996e01287937e84110d1845029f8bd4a25d36ad2b9e4e9c2d37089512ce1d4b513d88d16f39879bbb955abfb0203010001300d06092a864886f70d01010505000381810050a6fbba9b6a9ed741a81d213d04f1d9dd2ad62d8653c48165019586c1a909e567d37c79300c82cc98945e4075dc8fb55c5cbf1aa2d2b50a8cb5f6b00c49704a9e7c72b9cbbb1bf5637a24450d0ff7a178b3eb679136a0af2374115cb12d8cbf40c7c982e6bc9e0538ca4a4f47c4eae0c2c6
EAP-Message = 0x28fe6ccf30d72506f8a836ce1ffa16030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x68cd38bb6ac821d51b0b4c1f6b1aa976
Finished request 2.
Going to the next request
Waking up in 4.4 seconds.
rad_recv: Access-Request packet from host 192.168.0.159 port 4999,
id=69, length=319
Calling-Station-Id = "00-1A-6B-66-DD-7E"
NAS-Port = 1
User-Name = "qatester"
NAS-IP-Address = 192.168.0.159
Service-Type = Framed-User
Framed-MTU = 1500
State = 0x68cd38bb6ac821d51b0b4c1f6b1aa976
EAP-Message =
0x020500d01980000000c6160301008610000082008034f094933081749819a81c8fc561c2ef8a60263d6acf6360211b5ae43c840a0f74e7392817971a93c55bbf9e76443b1500fc80031616f4991ddd18dc6917b02e0a4e5ddfa781c99d7f46025694de47cf7f3df537b78ea541b395b749fbece93ea68e0ef09d913a59215b1a73e3d2917b3cd65d2e4fafa57084f19a33ad3cc9a6140301000101160301003004981ccf99aada36e602deaff108ab6754718d2795fbdb47cb4aef2a266e9129956f2f6816bdb11c99e69cdeb356f95f
Message-Authenticator = 0x43bb361280528e5b0bb8ffeaa6066664
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "qatester", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 5 length 208
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 198
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
[peap] TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap] TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 write finished A
[peap] TLS_accept: SSLv3 flush data
[peap] (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 69 to 192.168.0.159 port 4999
EAP-Message =
0x01060041190014030100010116030100307f0fc86e3f93a5310b3546c6dc6a9ff101bd3fac208a68e94852b0e862a0185c93e84bd423a01047b3a71b584c95e305
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x68cd38bb6bcb21d51b0b4c1f6b1aa976
Finished request 3.
Going to the next request
Waking up in 3.8 seconds.
rad_recv: Access-Request packet from host 192.168.0.159 port 4999,
id=70, length=117
Calling-Station-Id = "00-1A-6B-66-DD-7E"
NAS-Port = 1
User-Name = "qatester"
NAS-IP-Address = 192.168.0.159
Service-Type = Framed-User
Framed-MTU = 1500
State = 0x68cd38bb6bcb21d51b0b4c1f6b1aa976
EAP-Message = 0x020600061900
Message-Authenticator = 0x55a47ca2aa8532afc337360c4d4ea55b
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "qatester", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 6 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state TUNNEL ESTABLISHED
++[eap] returns handled
Sending Access-Challenge of id 70 to 192.168.0.159 port 4999
EAP-Message =
0x0107002b190017030100205302a790bac2f45d29df768df9b13962d86effcc264c8bc1cca510c72513b6ec
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x68cd38bb6cca21d51b0b4c1f6b1aa976
Finished request 4.
Going to the next request
Waking up in 3.4 seconds.
rad_recv: Access-Request packet from host 192.168.0.159 port 4999,
id=71, length=154
Calling-Station-Id = "00-1A-6B-66-DD-7E"
NAS-Port = 1
User-Name = "qatester"
NAS-IP-Address = 192.168.0.159
Service-Type = Framed-User
Framed-MTU = 1500
State = 0x68cd38bb6cca21d51b0b4c1f6b1aa976
EAP-Message =
0x0207002b190017030100209decffdfd6c00699e24cd793265f30028937c7c50808936f717fa81d148593ce
Message-Authenticator = 0x257a80aa49d86acb1f3112cfa102da7e
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "qatester", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 7 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state WAITING FOR INNER IDENTITY
[peap] Identity - qatester
[peap] Got inner identity 'qatester'
[peap] Setting default EAP type for tunneled EAP session.
[peap] Got tunneled request
EAP-Message = 0x0207000d017161746573746572
server {
PEAP: Setting User-Name to qatester
Sending tunneled request
EAP-Message = 0x0207000d017161746573746572
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "qatester"
server inner-tunnel {
# Executing section authorize from file
/etc/freeradius/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "qatester", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 7 length 13
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry qatester at line 139
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
Session-Timeout = 20
Termination-Action = RADIUS-Request
EAP-Message =
0x010800221a0108001d106ef613ff24d68155ebabf27c814008277161746573746572
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x45767b5d457e612613612e72d3be89f8
[peap] Got tunneled reply RADIUS code 11
Session-Timeout = 20
Termination-Action = RADIUS-Request
EAP-Message =
0x010800221a0108001d106ef613ff24d68155ebabf27c814008277161746573746572
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x45767b5d457e612613612e72d3be89f8
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 71 to 192.168.0.159 port 4999
EAP-Message =
0x0108004b19001703010040e22d2314e64447e30cfe5df1f66c8391a523f942bc14beec164f6793729ebfb63bcaa3b43194b5c505d3c0f33e7bd905c52a608bac1b1dd45550b8a8a56a308a
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x68cd38bb6dc521d51b0b4c1f6b1aa976
Finished request 5.
Going to the next request
Waking up in 2.8 seconds.
rad_recv: Access-Request packet from host 192.168.0.159 port 4999,
id=72, length=218
Calling-Station-Id = "00-1A-6B-66-DD-7E"
NAS-Port = 1
User-Name = "qatester"
NAS-IP-Address = 192.168.0.159
Service-Type = Framed-User
Framed-MTU = 1500
State = 0x68cd38bb6dc521d51b0b4c1f6b1aa976
EAP-Message =
0x0208006b19001703010060c71b73411e3216a7308b5d4572da3a1c384b630541eec6dd6988ca61eb2c379fe85e31dc56ac14c694e32d0ccbefe65ec892a307d2e45e30fd1f8164ac7289717daebc94eca9e36ac18e13febf45ef974774b1f08a7426a56c482d2deed5a966
Message-Authenticator = 0xb2002fa406169f6f73889c6d9d1cec50
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "qatester", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 8 length 107
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
EAP-Message =
0x020800431a0208003e31744787c6cd670c93abf03715268692ca00000000000000000d103f579e41477a49f40c4793ce60099c480ff0a423c097007161746573746572
server {
PEAP: Setting User-Name to qatester
Sending tunneled request
EAP-Message =
0x020800431a0208003e31744787c6cd670c93abf03715268692ca00000000000000000d103f579e41477a49f40c4793ce60099c480ff0a423c097007161746573746572
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "qatester"
State = 0x45767b5d457e612613612e72d3be89f8
server inner-tunnel {
# Executing section authorize from file
/etc/freeradius/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "qatester", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 8 length 67
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry qatester at line 139
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file
/etc/freeradius/sites-enabled/inner-tunnel
[mschapv2] +- entering group MS-CHAP {...}
[mschap] Creating challenge hash with username: qatester
[mschap] Told to do MS-CHAPv2 for qatester with NT-Password
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
MSCHAP Success
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
Session-Timeout = 20
Termination-Action = RADIUS-Request
EAP-Message =
0x010900331a0308002e533d42414242313046414244344530424136373936393141433033334636383132353043414142383734
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x45767b5d447f612613612e72d3be89f8
[peap] Got tunneled reply RADIUS code 11
Session-Timeout = 20
Termination-Action = RADIUS-Request
EAP-Message =
0x010900331a0308002e533d42414242313046414244344530424136373936393141433033334636383132353043414142383734
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x45767b5d447f612613612e72d3be89f8
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 72 to 192.168.0.159 port 4999
EAP-Message =
0x0109005b19001703010050f89f3653bfbac15816fac0abbf255ae7afe338b35de7b934b9ce3c84d4c67f24f4f8768a7433bb41fbcf164c5c4cd2511fdd798fee758f69a1a10b04740f5337155c3cb5a687e5ec73bd8aa936d941bd
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x68cd38bb6ec421d51b0b4c1f6b1aa976
Finished request 6.
Going to the next request
Waking up in 2.3 seconds.
rad_recv: Access-Request packet from host 192.168.0.159 port 4999,
id=73, length=154
Calling-Station-Id = "00-1A-6B-66-DD-7E"
NAS-Port = 1
User-Name = "qatester"
NAS-IP-Address = 192.168.0.159
Service-Type = Framed-User
Framed-MTU = 1500
State = 0x68cd38bb6ec421d51b0b4c1f6b1aa976
EAP-Message =
0x0209002b190017030100202573df7fb9bf03b8ccab9c0809819fe243d5fa88d1bb02e8da133f894de24698
Message-Authenticator = 0x40a32142c983f273e58599f32177233d
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "qatester", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 9 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
EAP-Message = 0x020900061a03
server {
PEAP: Setting User-Name to qatester
Sending tunneled request
EAP-Message = 0x020900061a03
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "qatester"
State = 0x45767b5d447f612613612e72d3be89f8
server inner-tunnel {
# Executing section authorize from file
/etc/freeradius/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "qatester", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 9 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry qatester at line 139
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[eap] Freeing handler
++[eap] returns ok
WARNING: Empty post-auth section. Using default return values.
# Executing section post-auth from file
/etc/freeradius/sites-enabled/inner-tunnel
} # server inner-tunnel
[peap] Got tunneled reply code 2
Session-Timeout = 20
Termination-Action = RADIUS-Request
MS-MPPE-Encryption-Policy = 0x00000001
MS-MPPE-Encryption-Types = 0x00000006
MS-MPPE-Send-Key = 0xba82eb99732d9db96c70b08d7bdafddc
MS-MPPE-Recv-Key = 0xb4088afb08704fb8ca64720c6fcbc77c
EAP-Message = 0x03090004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "qatester"
[peap] Got tunneled reply RADIUS code 2
Session-Timeout = 20
Termination-Action = RADIUS-Request
MS-MPPE-Encryption-Policy = 0x00000001
MS-MPPE-Encryption-Types = 0x00000006
MS-MPPE-Send-Key = 0xba82eb99732d9db96c70b08d7bdafddc
MS-MPPE-Recv-Key = 0xb4088afb08704fb8ca64720c6fcbc77c
EAP-Message = 0x03090004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "qatester"
[peap] Tunneled authentication was successful.
[peap] SUCCESS
++[eap] returns handled
Sending Access-Challenge of id 73 to 192.168.0.159 port 4999
EAP-Message =
0x010a002b190017030100208045b3ae000c06c0abbe9948be6d301bd29b591b723b0edcd2a2d6e9c49c2558
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x68cd38bb6fc721d51b0b4c1f6b1aa976
Finished request 7.
Going to the next request
Waking up in 1.8 seconds.
rad_recv: Access-Request packet from host 192.168.0.159 port 4999,
id=74, length=154
Calling-Station-Id = "00-1A-6B-66-DD-7E"
NAS-Port = 1
User-Name = "qatester"
NAS-IP-Address = 192.168.0.159
Service-Type = Framed-User
Framed-MTU = 1500
State = 0x68cd38bb6fc721d51b0b4c1f6b1aa976
EAP-Message =
0x020a002b190017030100202a8bde6d671d1e7f8012e74ef38a2dccefc668364f730701c793ced2e0f3736a
Message-Authenticator = 0x5101b1681c2454098b702a833e4cdc7e
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "qatester", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 10 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state send tlv success
[peap] Received EAP-TLV response.
[peap] Success
[eap] Freeing handler
++[eap] returns ok
# Executing section post-auth from file /etc/freeradius/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 74 to 192.168.0.159 port 4999
MS-MPPE-Recv-Key =
0x21bfe2d7387e3b7cbabb239220361ad29d9930221ad77fb58301d592f56b2fce
MS-MPPE-Send-Key =
0x2a1c63b2a37cb6d46334461bf0bc561c90cf310e7f9d226e9b33b203975b274b
EAP-Message = 0x030a0004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "qatester"
Finished request 8.
Going to the next request
Waking up in 1.3 seconds.
Cleaning up request 0 ID 66 with timestamp +6
Cleaning up request 1 ID 67 with timestamp +6
Waking up in 0.5 seconds.
Cleaning up request 2 ID 68 with timestamp +7
Waking up in 0.5 seconds.
Cleaning up request 3 ID 69 with timestamp +7
Waking up in 0.4 seconds.
Cleaning up request 4 ID 70 with timestamp +8
Waking up in 0.5 seconds.
Cleaning up request 5 ID 71 with timestamp +8
Waking up in 0.5 seconds.
Cleaning up request 6 ID 72 with timestamp +9
Waking up in 0.5 seconds.
Cleaning up request 7 ID 73 with timestamp +9
Waking up in 0.5 seconds.
Cleaning up request 8 ID 74 with timestamp +10
Ready to process requests.
############# Debug info Ends ################
>From what I see above I do not think the Access-Accept message has the
Session timeout attribute. What am I doing wrong?
Thanks,
Vivek Umasuthan
2
4
New to freeradius list. Greetings.
Can someone direct me to more information about Radius GUI Interfaces?
Is dialup-admin all there is? (Does not seem to be included in rpm pkg.)
freeradius2-2.1.7-7.el5 (CentOS 5)
Thanks.
1
0
Hi there,
I have freeradius 2.1.10 working with a OTP yubikey.
If i test it with radtest user password+OTP etc i get ACCEPT-ACCEPT
But when we want to test it with a website ( http://breul.swp.nl )
Get this :
rad_recv: Access-Request packet from host 192.168.5.1 port 4345, id=3,
length=94
Service-Type = Login-User
User-Name = "kekl(a)administratie.net"
User-Password =
"NM\346\301\023\251\261[IW\310\"\260\375\344\007"
NAS-IP-Address = 192.168.5.16
NAS-Identifier = "192.168.5.16"
NAS-Port-Type = Virtual
Why is it giving the [blablabla]
And not like the radtest :
rad_recv: Access-Request packet from host 127.0.0.1 port 45296, id=208,
length=122
User-Name = "kekl(a)administratie.net"
User-Password =
"henkcccccccbnghevltlvivrtdtedeehvckvhrenlkeudugr"
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
Gr kloenie
And this is the whole log file :
FreeRADIUS Version 2.1.10, for host i486-pc-linux-gnu, built on Nov 17
2010 at 04:06:04
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/passwd
including configuration file /etc/freeradius/modules/policy
including configuration file /etc/freeradius/modules/expiration
including configuration file /etc/freeradius/modules/checkval
including configuration file /etc/freeradius/modules/chap
including configuration file /etc/freeradius/modules/pam
including configuration file /etc/freeradius/modules/sql_log
including configuration file /etc/freeradius/modules/attr_filter
including configuration file /etc/freeradius/modules/always
including configuration file /etc/freeradius/modules/mac2ip
including configuration file /etc/freeradius/modules/opendirectory
including configuration file
/etc/freeradius/modules/sqlcounter_expire_on_login
including configuration file /etc/freeradius/modules/inner-eap
including configuration file /etc/freeradius/modules/mschap
including configuration file /etc/freeradius/modules/perl
including configuration file /etc/freeradius/modules/realm
including configuration file /etc/freeradius/modules/detail.log
including configuration file /etc/freeradius/modules/radutmp
including configuration file /etc/freeradius/modules/ippool
including configuration file /etc/freeradius/modules/counter
including configuration file /etc/freeradius/modules/unix
including configuration file /etc/freeradius/modules/smsotp
including configuration file /etc/freeradius/modules/logintime
including configuration file /etc/freeradius/modules/pap
including configuration file /etc/freeradius/modules/detail
including configuration file /etc/freeradius/modules/linelog
including configuration file /etc/freeradius/modules/attr_rewrite
including configuration file /etc/freeradius/modules/sradutmp
including configuration file /etc/freeradius/modules/digest
including configuration file /etc/freeradius/modules/ntlm_auth
including configuration file /etc/freeradius/modules/ldap
including configuration file /etc/freeradius/modules/files
including configuration file /etc/freeradius/modules/detail.example.com
including configuration file /etc/freeradius/modules/exec
including configuration file /etc/freeradius/modules/etc_group
including configuration file /etc/freeradius/modules/acct_unique
including configuration file /etc/freeradius/modules/dynamic_clients
including configuration file /etc/freeradius/modules/krb5
including configuration file /etc/freeradius/modules/expr
including configuration file /etc/freeradius/modules/otp
including configuration file /etc/freeradius/modules/echo
including configuration file /etc/freeradius/modules/cui
including configuration file /etc/freeradius/modules/preprocess
including configuration file /etc/freeradius/modules/wimax
including configuration file /etc/freeradius/modules/mac2vlan
including configuration file /etc/freeradius/modules/smbpasswd
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/default
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
main {
user = "freerad"
group = "freerad"
allow_core_dumps = no
}
including dictionary file /etc/freeradius/dictionary
main {
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/freeradius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/freeradius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "/var/run/freeradius/freeradius.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "testing123"
response_window = 20
max_outstanding = 65536
require_message_authenticator = yes
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "testing123"
nastype = "other"
}
client 192.168.5.1 {
require_message_authenticator = no
secret = "herman"
shortname = "dcad"
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating module "exec" from file
/etc/freeradius/modules/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_expr
Module: Instantiating module "expr" from file
/etc/freeradius/modules/expr
Module: Linked to module rlm_expiration
Module: Instantiating module "expiration" from file
/etc/freeradius/modules/expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating module "logintime" from file
/etc/freeradius/modules/logintime
logintime {
reply-message = "You are calling outside your allowed timespan
"
minimum-timeout = 60
}
}
radiusd: #### Loading Virtual Servers ####
server inner-tunnel { # from file
/etc/freeradius/sites-enabled/inner-tunnel
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating module "pap" from file
/etc/freeradius/modules/pap
pap {
encryption_scheme = "auto"
auto_header = no
}
Module: Linked to module rlm_chap
Module: Instantiating module "chap" from file
/etc/freeradius/modules/chap
Module: Linked to module rlm_mschap
Module: Instantiating module "mschap" from file
/etc/freeradius/modules/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = no
}
Module: Linked to module rlm_unix
Module: Instantiating module "unix" from file
/etc/freeradius/modules/unix
unix {
radwtmp = "/var/log/freeradius/radwtmp"
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_realm
Module: Instantiating module "suffix" from file
/etc/freeradius/modules/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Linked to module rlm_files
Module: Instantiating module "files" from file
/etc/freeradius/modules/files
files {
usersfile = "/etc/freeradius/users"
acctusersfile = "/etc/freeradius/acct_users"
preproxy_usersfile = "/etc/freeradius/preproxy_users"
compat = "no"
}
Module: Checking session {...} for more modules to load
Module: Linked to module rlm_radutmp
Module: Instantiating module "radutmp" from file
/etc/freeradius/modules/radutmp
radutmp {
filename = "/var/log/freeradius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Checking post-auth {...} for more modules to load
Module: Linked to module rlm_attr_filter
Module: Instantiating module "attr_filter.access_reject" from file
/etc/freeradius/modules/attr_filter
attr_filter attr_filter.access_reject {
attrsfile = "/etc/freeradius/attrs.access_reject"
key = "%{User-Name}"
}
} # modules
} # server
server { # from file /etc/freeradius/radiusd.conf
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pam
Module: Instantiating module "pam" from file
/etc/freeradius/modules/pam
pam {
pam_auth = "radiusd"
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating module "preprocess" from file
/etc/freeradius/modules/preprocess
preprocess {
huntgroups = "/etc/freeradius/huntgroups"
hints = "/etc/freeradius/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating module "acct_unique" from file
/etc/freeradius/modules/acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating module "detail" from file
/etc/freeradius/modules/detail
detail {
detailfile =
"/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Instantiating module "attr_filter.accounting_response" from
file /etc/freeradius/modules/attr_filter
attr_filter attr_filter.accounting_response {
attrsfile = "/etc/freeradius/attrs.accounting_response"
key = "%{User-Name}"
}
Module: Checking session {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
} # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 45296, id=208,
length=122
User-Name = "kekl(a)administratie.net"
User-Password =
"henkcccccccbnghevltlvivrtdtedeehvckvhrenlkeudugr"
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "administratie.net" for User-Name =
"kekl(a)administratie.net"
[suffix] No such realm "administratie.net"
++[suffix] returns noop
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 145
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = PAM
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
pam_pass: using pamauth string <radiusd> for pam.conf lookup
pam_pass: authentication succeeded for <kekl(a)administratie.net>
++[pam] returns ok
# Executing section post-auth from file
/etc/freeradius/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 208 to 127.0.0.1 port 45296
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 208 with timestamp +24
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.5.1 port 4345, id=3,
length=94
Service-Type = Login-User
User-Name = "kekl(a)administratie.net"
User-Password =
"NM\346\301\023\251\261[IW\310\"\260\375\344\007"
NAS-IP-Address = 192.168.5.16
NAS-Identifier = "192.168.5.16"
NAS-Port-Type = Virtual
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "administratie.net" for User-Name =
"kekl(a)administratie.net"
[suffix] No such realm "administratie.net"
++[suffix] returns noop
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 145
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = PAM
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
pam_pass: using pamauth string <radiusd> for pam.conf lookup
pam_pass: function pam_authenticate FAILED for <kekl(a)administratie.net>.
Reason: Authentication failure
++[pam] returns reject
Failed to authenticate the user.
WARNING: Unprintable characters in the password. Double-check
the shared secret on the server and the NAS!
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} ->
kekl(a)administratie.net
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 1 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 1
Sending Access-Reject of id 3 to 192.168.5.1 port 4345
Waking up in 4.9 seconds.
Cleaning up request 1 ID 3 with timestamp +47
Ready to process requests.
2
1
Hi,
I am trying to do the same things but I am not able to success. I am
getting rejected after user Max-Total-Octets is reached. below is my config
file in /etc/freeradius/site-enable/default
authorize {
..
Auth-Type LDAP {
ldap
}
#
# Allow EAP authentication.
#eap
}
noresetbytescounter{
reject = 1
}
if(reject) {
update reply {
Reply-Message := "You have reached your data volume limit.
Connecting with Limited Bandwidth."
Filter-Id := "64/64"
}
update control {
Auth-Type := "Accept"
}
ok
}
--
View this message in context: http://freeradius.1045715.n5.nabble.com/RESOLVED-customize-Post-Auth-Type-R…
Sent from the FreeRadius - User mailing list archive at Nabble.com.
1
0