Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
April 2011
- 114 participants
- 147 discussions
Hi,
with my FR 1.x installation I'am authenticating via EAP-TLS Computers
against my Switches. User are authenticated with PEAP, all are held in
the users-textfile in $RADDB/users
But with rising number of PCs and Users the edit of the users file is a
bit uncomfortable. I want to upgrade everything to FR 2.1 on my
Debian-Squeeze-Box, using LDAP, because I have already all Users and PCs
in my OpenLDAP (for the use of Samba).
I'am a bit unsure about the doc, which says no EAP-TLS while using LDAP
and no crypted passwords. If I read here, I have the impression that
this is something what some people already do.
I like to authenticate PCs with EAP-TLS, which are in the LDAP List by
name, there is no need to extract an cert from the LDAP-Tree. Just check
the name and if the cert matches to the server-cert the access is
granted. As I already do now.
The users should be checked by uid and the password should be checked,
but I have of course no cleartext-password in my LDAP, they are all
crypt or MD5 (depends on tree).
Is this possible or not?
TIA
Alex
4
9
After my first install of FR (2.1.10) I quickly got into a twisty maze of config files, all different. I resolved, after quite a bit of research and poking around, to wipe the install clean and start over. Which I did.
So now I've got, by carefully following the help pages on the site, the ability to login and enable on my switches using our Active Directory credentials, and the ability to do port authorization using the same credentials - provided that the user information is cached on the workstation of course. I generated the certificates and installed the root cert on the clients and they appear to be working correctly. I'm really quite happy with the results so far. What I'm looking for now is the last step, authenticating the hosts so that AD users whose credentials haven't been cached can still log in and then port authorize.
Like the man says, other people are doing it so I know it's not impossible. What seems to be happening from reading the debug is that domain/user requests are coming in using EAP, doing the TLS interchange, then using MSCHAPv2 to verify the credentials. The host requests, on the other hand, do the TLS side but never seem to progress to the mschap portion. I've gone mildly crosseyed reading the debugs but I don't see where it is that I've gone wrong. I'm very new to RADIUS but I've been doing Linux and Windows for a while so I know that this *should* work.
The configuration is: AD 2008 with a Slackware Linux server running the lastest Samba and Kerberos as well as obviously FR. The client is a Windows XP box with the latest service pack. Below is a mildly sanitized copy of radiusd -X with both failed machine logins (LP-0010 is the host) and a successful user (myuser) login.
Thanks for having a look at this.
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2011.04.18 15:25:43 =~=~=~=~=~=~=~=~=~=~=~=
rad_recv: Access-Request packet from host 192.168.999.7 port 4815, id=190, length=237
Framed-MTU = 1480
NAS-IP-Address = 192.168.999.7
NAS-Identifier = "myorg-bnew"
User-Name = "host/LP-0010.myorg.org"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 61
NAS-Port-Type = Ethernet
NAS-Port-Id = "C13"
Called-Station-Id = "00-19-bb-a7-7e-43"
Calling-Station-Id = "00-1b-78-b5-f7-a0"
Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex"
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "12"
EAP-Message = 0x0201001b01686f73742f4c502d303031302e70666663752e6f7267
Message-Authenticator = 0x9b19fa15e960a41e27e211d8f1b33a10
# Executing section authorize from file /etc//raddb/sites-enabled/default
+- entering group authorize {...}
[preprocess] hints: Matched DEFAULT at 36
++[preprocess] returns ok
[auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/192.168.999.7/auth-detail-20110418
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.999.7/auth-detail-20110418
[auth_log] expand: %t -> Mon Apr 18 15:26:38 2011
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "/LP-0010.myorg.org", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Setting Stripped-User-Name = "/LP-0010.myorg.org"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[ntdomain] Request already proxied. Ignoring.
++[ntdomain] returns ok
[eap] EAP packet type response id 1 length 27
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry DEFAULT at line 176
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc//raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 190 to 192.168.999.7 port 4815
Framed-Protocol = PPP
Framed-Compression = Van-Jacobson-TCP-IP
EAP-Message = 0x010200061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x4f47b7a34f45aeed84d0f0a572607961
Finished request 6.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.999.7 port 4815, id=191, length=315
Framed-MTU = 1480
NAS-IP-Address = 192.168.999.7
NAS-Identifier = "myorg-bnew"
User-Name = "host/LP-0010.myorg.org"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 61
NAS-Port-Type = Ethernet
NAS-Port-Id = "C13"
Called-Station-Id = "00-19-bb-a7-7e-43"
Calling-Station-Id = "00-1b-78-b5-f7-a0"
Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex"
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "12"
State = 0x4f47b7a34f45aeed84d0f0a572607961
EAP-Message = 0x0202005719800000004d16030100480100004403014dac90982dabda3d66a5f26d5da94e79cd801480e05dc321acbf9a30f85fe45000001600040005000a0009006400620003000600130012006301000005ff01000100
Message-Authenticator = 0xc430c8a708ade14f4e3e71aefbaba831
# Executing section authorize from file /etc//raddb/sites-enabled/default
+- entering group authorize {...}
[preprocess] hints: Matched DEFAULT at 36
++[preprocess] returns ok
[auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/192.168.999.7/auth-detail-20110418
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.999.7/auth-detail-20110418
[auth_log] expand: %t -> Mon Apr 18 15:26:38 2011
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "/LP-0010.myorg.org", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Setting Stripped-User-Name = "/LP-0010.myorg.org"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[ntdomain] Request already proxied. Ignoring.
++[ntdomain] returns ok
[eap] EAP packet type response id 2 length 87
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc//raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 77
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 0048], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 002a], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 0883], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 191 to 192.168.999.7 port 4815
EAP-Message = 0x0103040019c0000008c0160301002a0200002603014dac906e63451b67f59266bd8f3c0b11c93f0e91e1379a7c5fef9506ed97dcf30000040016030108830b00087f00087c0003b5308203b130820299a003020102020102300d06092a864886f70d010104050030819a310b3009060355040613025553311530130603550408130c50656e6e73796c76616e6961311530130603550407130c5068696c6164656c70686961311c301a060355040a1313506f6c69636520616e642046697265204643553123302106092a864886f70d0109011614706f73746d61737465724070666663752e6f7267311a3018060355040313116d6966666c696e2e7066
EAP-Message = 0x6663752e6f7267301e170d3131303431383136313132345a170d3132303431373136313132345a308183310b3009060355040613025553311530130603550408130c50656e6e73796c76616e6961311c301a060355040a1313506f6c69636520616e64204669726520464355311a3018060355040313116d6966666c696e2e70666663752e6f72673123302106092a864886f70d0109011614706f73746d61737465724070666663752e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100ad3cc6d602bac5213757cd07b59881ae01cfb16ce8f0affd755a2e2ea0dbcd1a60fb5142fe4288b48b96c07498e569
EAP-Message = 0xab2601b42a73a161b0e171d2957d082cabffde39e5e6e9058e958f7b32349efb8765425bc3822ad39287bef9cb5b67369f886d1439c1876e15f057c6a329a52d2f9e23625678497d6945485768447b5903a84a9b2c6c6287291b1b60366ae4e3f0809c8d38f24ea9c040692c2bbd117eeda78fac45695a9e3b8b4a85b3b7fa9f8c7a19d7ad77fe40dbf573c6c573866f926d1a9ca4391ad47d1489526504ea76893c1a39b033ec72a59cad35f9a8e749a0259e787c03cec0df7d7c7763565afeafd06f450afdc881115dcb2f77f3fdb5cb0203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d01010405
EAP-Message = 0x000382010100cd1bcf97d2ab9635403f1732591d98606e95cc939882656b198bf7b7bf585e159f950e7db747b25720ea1e4b05d91fa6a8bc7b367ed21d749731a803f726438a4942d49bb298322f278163435b6ec5ef9f810f5195ab021dd0aac53cc53494cccf30e6ed6186e9d32cd9cd41c2953173a01e7a7c82998ac7bf0f30451887dd5c0b8750d8bd6afac032a70eab0ea2704f277a0067f102b9e5ad68f9723a3ad65e439f90b782e5cdf2c2a21e5e1ac9ebf1e0d4fdeb370dec3538bd91f4cb925c2b52639e4fcd260462a10b54dc5e04e4110a94bd9fe6a3fe16b28abfb3370aa23b378d60f6fbf461f0e22ce4d988603f88b160210ed7a1e8
EAP-Message = 0xcdc08eb134ef355d3f0004c1
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x4f47b7a34e44aeed84d0f0a572607961
Finished request 7.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.999.7 port 4815, id=192, length=234
Framed-MTU = 1480
NAS-IP-Address = 192.168.999.7
NAS-Identifier = "myorg-bnew"
User-Name = "host/LP-0010.myorg.org"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 61
NAS-Port-Type = Ethernet
NAS-Port-Id = "C13"
Called-Station-Id = "00-19-bb-a7-7e-43"
Calling-Station-Id = "00-1b-78-b5-f7-a0"
Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex"
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "12"
State = 0x4f47b7a34e44aeed84d0f0a572607961
EAP-Message = 0x020300061900
Message-Authenticator = 0x68ae528241948aee7a09919d712b4b26
# Executing section authorize from file /etc//raddb/sites-enabled/default
+- entering group authorize {...}
[preprocess] hints: Matched DEFAULT at 36
++[preprocess] returns ok
[auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/192.168.999.7/auth-detail-20110418
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.999.7/auth-detail-20110418
[auth_log] expand: %t -> Mon Apr 18 15:26:38 2011
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "/LP-0010.myorg.org", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Setting Stripped-User-Name = "/LP-0010.myorg.org"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[ntdomain] Request already proxied. Ignoring.
++[ntdomain] returns ok
[eap] EAP packet type response id 3 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc//raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 192 to 192.168.999.7 port 4815
EAP-Message = 0x010403fc1940308204bd308203a5a003020102020900ad8d39f4fcae271a300d06092a864886f70d010105050030819a310b3009060355040613025553311530130603550408130c50656e6e73796c76616e6961311530130603550407130c5068696c6164656c70686961311c301a060355040a1313506f6c69636520616e642046697265204643553123302106092a864886f70d0109011614706f73746d61737465724070666663752e6f7267311a3018060355040313116d6966666c696e2e70666663752e6f7267301e170d3131303431383136313132345a170d3132303431373136313132345a30819a310b3009060355040613025553311530
EAP-Message = 0x130603550408130c50656e6e73796c76616e6961311530130603550407130c5068696c6164656c70686961311c301a060355040a1313506f6c69636520616e642046697265204643553123302106092a864886f70d0109011614706f73746d61737465724070666663752e6f7267311a3018060355040313116d6966666c696e2e70666663752e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100e43cf5fcf5abf3d6beec6062d1709cd3ccf6bd5d6ba2f54c0f9ec9fa708defdaec3974d3315737519d86b114191dcda2811b89e9b8d2d7ca7ea04002c8c934cde3d550d3bf018f1583026bab19a4a38c5ae5
EAP-Message = 0xa53548a0a1652dc0908a9e06f58d9c473ec7ec55fcefa9c443311684ad6e9dd09ea14cb3d9fcb04a2429f9d1995c062f5b215658143eafdd0116334b0f1849cfef9a24579ea1d6ca31421f52b70d9d00a961408f747f2f2066231124d83c63c3c8b1d69b6f4b5ea50588b2f33b8a40ba8781455db36472bd9b4e85f81f1b82ebf326cd3ac504eb2dea1c5a9e7496f485a62d63d11bead3a4b79ce85453d6617c8b8fca4e1d3e5bb0c68c041c948f0203010001a38201023081ff301d0603551d0e041604146fb361c7649ba640bdf6ea8870cac051daeb9a9e3081cf0603551d230481c73081c480146fb361c7649ba640bdf6ea8870cac051daeb9a9e
EAP-Message = 0xa181a0a4819d30819a310b3009060355040613025553311530130603550408130c50656e6e73796c76616e6961311530130603550407130c5068696c6164656c70686961311c301a060355040a1313506f6c69636520616e642046697265204643553123302106092a864886f70d0109011614706f73746d61737465724070666663752e6f7267311a3018060355040313116d6966666c696e2e70666663752e6f7267820900ad8d39f4fcae271a300c0603551d13040530030101ff300d06092a864886f70d010105050003820101008584a10eba26e3bac7f3a37b0250a525185f77e4cbe920d0d0e3a617dfe22e62954eb79a73d781e27f55c5e1b7
EAP-Message = 0x3c6900c0e5fd63fc
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x4f47b7a34d43aeed84d0f0a572607961
Finished request 8.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.999.7 port 4815, id=193, length=234
Framed-MTU = 1480
NAS-IP-Address = 192.168.999.7
NAS-Identifier = "myorg-bnew"
User-Name = "host/LP-0010.myorg.org"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 61
NAS-Port-Type = Ethernet
NAS-Port-Id = "C13"
Called-Station-Id = "00-19-bb-a7-7e-43"
Calling-Station-Id = "00-1b-78-b5-f7-a0"
Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex"
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "12"
State = 0x4f47b7a34d43aeed84d0f0a572607961
EAP-Message = 0x020400061900
Message-Authenticator = 0x8eb6e8c023218ae06d7e860ea6207ee4
# Executing section authorize from file /etc//raddb/sites-enabled/default
+- entering group authorize {...}
[preprocess] hints: Matched DEFAULT at 36
++[preprocess] returns ok
[auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/192.168.999.7/auth-detail-20110418
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.999.7/auth-detail-20110418
[auth_log] expand: %t -> Mon Apr 18 15:26:38 2011
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "/LP-0010.myorg.org", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Setting Stripped-User-Name = "/LP-0010.myorg.org"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[ntdomain] Request already proxied. Ignoring.
++[ntdomain] returns ok
[eap] EAP packet type response id 4 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc//raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 193 to 192.168.999.7 port 4815
EAP-Message = 0x010500da190000e668530fe5cdedf1fff694c02a985e9dbdaaaaf9915bb3b297c4ddf1ee0601670f0ad3a6b34f9b5959d25b8624147171fc575436a01288e78f2d4344841dd5307a83e6c1d553dbc0731016c4bb35ef324e49b727ccfe896f56ef9603188886b9cf2c7423c77fd441bfa16636772db885276f42a39801d6a334fc20074352933ff6cecfa79ed4b11493ed5a2db327e4b421c3c7fac2f636766698ba79a0cef62a2413ad01d9c31ff9599414e30b6d9d974f2d5430117e202bda0b60bbd6c920c65f7ed6bd1e87e7513d9f16030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x4f47b7a34c42aeed84d0f0a572607961
Finished request 9.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.999.7 port 4815, id=194, length=234
Framed-MTU = 1480
NAS-IP-Address = 192.168.999.7
NAS-Identifier = "myorg-bnew"
User-Name = "host/LP-0010.myorg.org"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 61
NAS-Port-Type = Ethernet
NAS-Port-Id = "C13"
Called-Station-Id = "00-19-bb-a7-7e-43"
Calling-Station-Id = "00-1b-78-b5-f7-a0"
Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex"
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "12"
State = 0x4f47b7a34c42aeed84d0f0a572607961
EAP-Message = 0x020500061900
Message-Authenticator = 0xc3110d80e879e2d17c0e27c3579b7ffa
# Executing section authorize from file /etc//raddb/sites-enabled/default
+- entering group authorize {...}
[preprocess] hints: Matched DEFAULT at 36
++[preprocess] returns ok
[auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/192.168.999.7/auth-detail-20110418
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.999.7/auth-detail-20110418
[auth_log] expand: %t -> Mon Apr 18 15:26:38 2011
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "/LP-0010.myorg.org", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Setting Stripped-User-Name = "/LP-0010.myorg.org"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[ntdomain] Request already proxied. Ignoring.
++[ntdomain] returns ok
[eap] EAP packet type response id 5 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc//raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 194 to 192.168.999.7 port 4815
EAP-Message = 0x010600061900
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x4f47b7a34b41aeed84d0f0a572607961
Finished request 10.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.999.7 port 4815, id=195, length=221
Framed-MTU = 1480
NAS-IP-Address = 192.168.999.7
NAS-Identifier = "myorg-bnew"
User-Name = "myorg\\myuser"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 61
NAS-Port-Type = Ethernet
NAS-Port-Id = "C13"
Called-Station-Id = "00-19-bb-a7-7e-43"
Calling-Station-Id = "00-1b-78-b5-f7-a0"
Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex"
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "12"
EAP-Message = 0x020100130150464643555c69732d61646d696e
Message-Authenticator = 0x499c467deab737e75c9aeb71373291f0
# Executing section authorize from file /etc//raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/192.168.999.7/auth-detail-20110418
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.999.7/auth-detail-20110418
[auth_log] expand: %t -> Mon Apr 18 15:26:38 2011
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "myorg\myuser", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "myorg\myuser"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[ntdomain] Request already proxied. Ignoring.
++[ntdomain] returns ok
[eap] EAP packet type response id 1 length 19
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry DEFAULT at line 176
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc//raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 195 to 192.168.999.7 port 4815
Framed-Protocol = PPP
Framed-Compression = Van-Jacobson-TCP-IP
EAP-Message = 0x010200061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x3d92c46b3d90dd76a0f8adddfc0e8388
Finished request 11.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 192.168.999.7 port 4815, id=196, length=307
Framed-MTU = 1480
NAS-IP-Address = 192.168.999.7
NAS-Identifier = "myorg-bnew"
User-Name = "myorg\\myuser"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 61
NAS-Port-Type = Ethernet
NAS-Port-Id = "C13"
Called-Station-Id = "00-19-bb-a7-7e-43"
Calling-Station-Id = "00-1b-78-b5-f7-a0"
Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex"
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "12"
State = 0x3d92c46b3d90dd76a0f8adddfc0e8388
EAP-Message = 0x0202005719800000004d16030100480100004403014dac9098bb5794a6b42e6acdac8cc80598817ec40f55e96ca15c25849e70539f00001600040005000a0009006400620003000600130012006301000005ff01000100
Message-Authenticator = 0x432a5b1dba6a2d810a407f4446ec9607
# Executing section authorize from file /etc//raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/192.168.999.7/auth-detail-20110418
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.999.7/auth-detail-20110418
[auth_log] expand: %t -> Mon Apr 18 15:26:38 2011
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "myorg\myuser", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "myorg\myuser"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[ntdomain] Request already proxied. Ignoring.
++[ntdomain] returns ok
[eap] EAP packet type response id 2 length 87
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc//raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 77
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 0048], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 002a], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 0883], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 196 to 192.168.999.7 port 4815
EAP-Message = 0x0103040019c0000008c0160301002a0200002603014dac906ee7a8c363c834c5e2a9317a2844710cf666f003ae6244e933862998960000040016030108830b00087f00087c0003b5308203b130820299a003020102020102300d06092a864886f70d010104050030819a310b3009060355040613025553311530130603550408130c50656e6e73796c76616e6961311530130603550407130c5068696c6164656c70686961311c301a060355040a1313506f6c69636520616e642046697265204643553123302106092a864886f70d0109011614706f73746d61737465724070666663752e6f7267311a3018060355040313116d6966666c696e2e7066
EAP-Message = 0x6663752e6f7267301e170d3131303431383136313132345a170d3132303431373136313132345a308183310b3009060355040613025553311530130603550408130c50656e6e73796c76616e6961311c301a060355040a1313506f6c69636520616e64204669726520464355311a3018060355040313116d6966666c696e2e70666663752e6f72673123302106092a864886f70d0109011614706f73746d61737465724070666663752e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100ad3cc6d602bac5213757cd07b59881ae01cfb16ce8f0affd755a2e2ea0dbcd1a60fb5142fe4288b48b96c07498e569
EAP-Message = 0xab2601b42a73a161b0e171d2957d082cabffde39e5e6e9058e958f7b32349efb8765425bc3822ad39287bef9cb5b67369f886d1439c1876e15f057c6a329a52d2f9e23625678497d6945485768447b5903a84a9b2c6c6287291b1b60366ae4e3f0809c8d38f24ea9c040692c2bbd117eeda78fac45695a9e3b8b4a85b3b7fa9f8c7a19d7ad77fe40dbf573c6c573866f926d1a9ca4391ad47d1489526504ea76893c1a39b033ec72a59cad35f9a8e749a0259e787c03cec0df7d7c7763565afeafd06f450afdc881115dcb2f77f3fdb5cb0203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d01010405
EAP-Message = 0x000382010100cd1bcf97d2ab9635403f1732591d98606e95cc939882656b198bf7b7bf585e159f950e7db747b25720ea1e4b05d91fa6a8bc7b367ed21d749731a803f726438a4942d49bb298322f278163435b6ec5ef9f810f5195ab021dd0aac53cc53494cccf30e6ed6186e9d32cd9cd41c2953173a01e7a7c82998ac7bf0f30451887dd5c0b8750d8bd6afac032a70eab0ea2704f277a0067f102b9e5ad68f9723a3ad65e439f90b782e5cdf2c2a21e5e1ac9ebf1e0d4fdeb370dec3538bd91f4cb925c2b52639e4fcd260462a10b54dc5e04e4110a94bd9fe6a3fe16b28abfb3370aa23b378d60f6fbf461f0e22ce4d988603f88b160210ed7a1e8
EAP-Message = 0xcdc08eb134ef355d3f0004c1
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x3d92c46b3c91dd76a0f8adddfc0e8388
Finished request 12.
Going to the next request
Waking up in 4.6 seconds.
rad_recv: Access-Request packet from host 192.168.999.7 port 4815, id=197, length=226
Framed-MTU = 1480
NAS-IP-Address = 192.168.999.7
NAS-Identifier = "myorg-bnew"
User-Name = "myorg\\myuser"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 61
NAS-Port-Type = Ethernet
NAS-Port-Id = "C13"
Called-Station-Id = "00-19-bb-a7-7e-43"
Calling-Station-Id = "00-1b-78-b5-f7-a0"
Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex"
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "12"
State = 0x3d92c46b3c91dd76a0f8adddfc0e8388
EAP-Message = 0x020300061900
Message-Authenticator = 0x62380d61685d98ab29fbcaf67d069608
# Executing section authorize from file /etc//raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/192.168.999.7/auth-detail-20110418
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.999.7/auth-detail-20110418
[auth_log] expand: %t -> Mon Apr 18 15:26:38 2011
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "myorg\myuser", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "myorg\myuser"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[ntdomain] Request already proxied. Ignoring.
++[ntdomain] returns ok
[eap] EAP packet type response id 3 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc//raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 197 to 192.168.999.7 port 4815
EAP-Message = 0x010403fc1940308204bd308203a5a003020102020900ad8d39f4fcae271a300d06092a864886f70d010105050030819a310b3009060355040613025553311530130603550408130c50656e6e73796c76616e6961311530130603550407130c5068696c6164656c70686961311c301a060355040a1313506f6c69636520616e642046697265204643553123302106092a864886f70d0109011614706f73746d61737465724070666663752e6f7267311a3018060355040313116d6966666c696e2e70666663752e6f7267301e170d3131303431383136313132345a170d3132303431373136313132345a30819a310b3009060355040613025553311530
EAP-Message = 0x130603550408130c50656e6e73796c76616e6961311530130603550407130c5068696c6164656c70686961311c301a060355040a1313506f6c69636520616e642046697265204643553123302106092a864886f70d0109011614706f73746d61737465724070666663752e6f7267311a3018060355040313116d6966666c696e2e70666663752e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100e43cf5fcf5abf3d6beec6062d1709cd3ccf6bd5d6ba2f54c0f9ec9fa708defdaec3974d3315737519d86b114191dcda2811b89e9b8d2d7ca7ea04002c8c934cde3d550d3bf018f1583026bab19a4a38c5ae5
EAP-Message = 0xa53548a0a1652dc0908a9e06f58d9c473ec7ec55fcefa9c443311684ad6e9dd09ea14cb3d9fcb04a2429f9d1995c062f5b215658143eafdd0116334b0f1849cfef9a24579ea1d6ca31421f52b70d9d00a961408f747f2f2066231124d83c63c3c8b1d69b6f4b5ea50588b2f33b8a40ba8781455db36472bd9b4e85f81f1b82ebf326cd3ac504eb2dea1c5a9e7496f485a62d63d11bead3a4b79ce85453d6617c8b8fca4e1d3e5bb0c68c041c948f0203010001a38201023081ff301d0603551d0e041604146fb361c7649ba640bdf6ea8870cac051daeb9a9e3081cf0603551d230481c73081c480146fb361c7649ba640bdf6ea8870cac051daeb9a9e
EAP-Message = 0xa181a0a4819d30819a310b3009060355040613025553311530130603550408130c50656e6e73796c76616e6961311530130603550407130c5068696c6164656c70686961311c301a060355040a1313506f6c69636520616e642046697265204643553123302106092a864886f70d0109011614706f73746d61737465724070666663752e6f7267311a3018060355040313116d6966666c696e2e70666663752e6f7267820900ad8d39f4fcae271a300c0603551d13040530030101ff300d06092a864886f70d010105050003820101008584a10eba26e3bac7f3a37b0250a525185f77e4cbe920d0d0e3a617dfe22e62954eb79a73d781e27f55c5e1b7
EAP-Message = 0x3c6900c0e5fd63fc
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x3d92c46b3f96dd76a0f8adddfc0e8388
Finished request 13.
Going to the next request
Waking up in 4.6 seconds.
rad_recv: Access-Request packet from host 192.168.999.7 port 4815, id=198, length=226
Framed-MTU = 1480
NAS-IP-Address = 192.168.999.7
NAS-Identifier = "myorg-bnew"
User-Name = "myorg\\myuser"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 61
NAS-Port-Type = Ethernet
NAS-Port-Id = "C13"
Called-Station-Id = "00-19-bb-a7-7e-43"
Calling-Station-Id = "00-1b-78-b5-f7-a0"
Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex"
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "12"
State = 0x3d92c46b3f96dd76a0f8adddfc0e8388
EAP-Message = 0x020400061900
Message-Authenticator = 0xbe92f79b327d12d9b52860a6da585020
# Executing section authorize from file /etc//raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/192.168.999.7/auth-detail-20110418
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.999.7/auth-detail-20110418
[auth_log] expand: %t -> Mon Apr 18 15:26:38 2011
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "myorg\myuser", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "myorg\myuser"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[ntdomain] Request already proxied. Ignoring.
++[ntdomain] returns ok
[eap] EAP packet type response id 4 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc//raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 198 to 192.168.999.7 port 4815
EAP-Message = 0x010500da190000e668530fe5cdedf1fff694c02a985e9dbdaaaaf9915bb3b297c4ddf1ee0601670f0ad3a6b34f9b5959d25b8624147171fc575436a01288e78f2d4344841dd5307a83e6c1d553dbc0731016c4bb35ef324e49b727ccfe896f56ef9603188886b9cf2c7423c77fd441bfa16636772db885276f42a39801d6a334fc20074352933ff6cecfa79ed4b11493ed5a2db327e4b421c3c7fac2f636766698ba79a0cef62a2413ad01d9c31ff9599414e30b6d9d974f2d5430117e202bda0b60bbd6c920c65f7ed6bd1e87e7513d9f16030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x3d92c46b3e97dd76a0f8adddfc0e8388
Finished request 14.
Going to the next request
Waking up in 4.6 seconds.
rad_recv: Access-Request packet from host 192.168.999.7 port 4815, id=199, length=542
Framed-MTU = 1480
NAS-IP-Address = 192.168.999.7
NAS-Identifier = "myorg-bnew"
User-Name = "myorg\\myuser"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 61
NAS-Port-Type = Ethernet
NAS-Port-Id = "C13"
Called-Station-Id = "00-19-bb-a7-7e-43"
Calling-Station-Id = "00-1b-78-b5-f7-a0"
Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex"
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "12"
State = 0x3d92c46b3e97dd76a0f8adddfc0e8388
EAP-Message = 0x0205014019800000013616030101061000010201006f3085720008d8d84e3e49acdfdb2edec1b2139b24961fe1b740b3dfa7dd3876317b31dc7d7dcf506c896db4e566f7b6f55a1a825b3008c0c636394b3632598f21c2007deeae355a9dd4620a77497b690af33e80ceee1858d0c7e22c4127351a232ebf2945cb67c1453d7821c0fbe4c43ab16dd9ee4548b47b88543d6446c937607906643e5e493cdf71cf314ce118067defa2699f3f526d434fd35738d7ceea27c5c81dbe467121ae4c0211b01125ae5cd69c1fa072b55555cc88ba5ef88d36b5dffd61f3910d33d03ae34a98f6cdf8464450246091f0476ba2f23fa508cbb5fd6d8af78bcb8340
EAP-Message = 0xb20cc9d052c17e90a85a712c54bbccc60db4d3b1143c0def1403010001011603010020c2a4b53b6f7ae074212b6efafa58fca2e7159d0ec9ad7fb722fd656cee822266
Message-Authenticator = 0xc4d2b44c19f412c19124768f90452aeb
# Executing section authorize from file /etc//raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/192.168.999.7/auth-detail-20110418
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.999.7/auth-detail-20110418
[auth_log] expand: %t -> Mon Apr 18 15:26:38 2011
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "myorg\myuser", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "myorg\myuser"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[ntdomain] Request already proxied. Ignoring.
++[ntdomain] returns ok
[eap] EAP packet type response id 5 length 253
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc//raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 310
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange
[peap] TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap] TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 write finished A
[peap] TLS_accept: SSLv3 flush data
[peap] (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 199 to 192.168.999.7 port 4815
EAP-Message = 0x010600311900140301000101160301002011bb05ad7601c21b044169fdeaeb8b742d8c77b1f3a0e1d6aa0ca99275d8e4fd
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x3d92c46b3994dd76a0f8adddfc0e8388
Finished request 15.
Going to the next request
Waking up in 4.5 seconds.
rad_recv: Access-Request packet from host 192.168.999.7 port 4815, id=200, length=226
Framed-MTU = 1480
NAS-IP-Address = 192.168.999.7
NAS-Identifier = "myorg-bnew"
User-Name = "myorg\\myuser"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 61
NAS-Port-Type = Ethernet
NAS-Port-Id = "C13"
Called-Station-Id = "00-19-bb-a7-7e-43"
Calling-Station-Id = "00-1b-78-b5-f7-a0"
Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex"
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "12"
State = 0x3d92c46b3994dd76a0f8adddfc0e8388
EAP-Message = 0x020600061900
Message-Authenticator = 0x1441f574c8d8fe4deb67ac4c93b1c97b
# Executing section authorize from file /etc//raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/192.168.999.7/auth-detail-20110418
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.999.7/auth-detail-20110418
[auth_log] expand: %t -> Mon Apr 18 15:26:38 2011
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "myorg\myuser", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "myorg\myuser"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[ntdomain] Request already proxied. Ignoring.
++[ntdomain] returns ok
[eap] EAP packet type response id 6 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc//raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state TUNNEL ESTABLISHED
++[eap] returns handled
Sending Access-Challenge of id 200 to 192.168.999.7 port 4815
EAP-Message = 0x0107002019001703010015438cdf4b76ee410201b7404f9201ba2ab57b21c23e
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x3d92c46b3895dd76a0f8adddfc0e8388
Finished request 16.
Going to the next request
Waking up in 4.3 seconds.
rad_recv: Access-Request packet from host 192.168.999.7 port 4815, id=201, length=262
Framed-MTU = 1480
NAS-IP-Address = 192.168.999.7
NAS-Identifier = "myorg-bnew"
User-Name = "myorg\\myuser"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 61
NAS-Port-Type = Ethernet
NAS-Port-Id = "C13"
Called-Station-Id = "00-19-bb-a7-7e-43"
Calling-Station-Id = "00-1b-78-b5-f7-a0"
Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex"
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "12"
State = 0x3d92c46b3895dd76a0f8adddfc0e8388
EAP-Message = 0x0207002a1900170301001ffd2903eef345b285a1ea830ae034d81b0c82d07536e6d1910d73f6ca91ae35
Message-Authenticator = 0xfc42b5e789ca1adf1799d547666a52df
# Executing section authorize from file /etc//raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/192.168.999.7/auth-detail-20110418
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.999.7/auth-detail-20110418
[auth_log] expand: %t -> Mon Apr 18 15:26:38 2011
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "myorg\myuser", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "myorg\myuser"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[ntdomain] Request already proxied. Ignoring.
++[ntdomain] returns ok
[eap] EAP packet type response id 7 length 42
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc//raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state WAITING FOR INNER IDENTITY
[peap] Identity - myorg\myuser
[peap] Got inner identity 'myorg\myuser'
[peap] Setting default EAP type for tunneled EAP session.
[peap] Got tunneled request
EAP-Message = 0x020700130150464643555c69732d61646d696e
server {
PEAP: Setting User-Name to myorg\myuser
Sending tunneled request
EAP-Message = 0x020700130150464643555c69732d61646d696e
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "myorg\\myuser"
server inner-tunnel {
# Executing section authorize from file /etc//raddb/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "myorg\myuser", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "myorg\myuser"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[ntdomain] Request already proxied. Ignoring.
++[ntdomain] returns ok
++[control] returns ok
[eap] EAP packet type response id 7 length 19
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc//raddb/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
EAP-Message = 0x010800281a01080023104f51f22477b092be11ff22d4cd5c6abd50464643555c69732d61646d696e
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x151e107415160ab1898b0ca5f8a4a93e
[peap] Got tunneled reply RADIUS code 11
EAP-Message = 0x010800281a01080023104f51f22477b092be11ff22d4cd5c6abd50464643555c69732d61646d696e
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x151e107415160ab1898b0ca5f8a4a93e
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 201 to 192.168.999.7 port 4815
EAP-Message = 0x0108003f19001703010034c0b213ed0ee5b7a85bc3b1a2795bbd8fa105c03e75258645b4842b0e0a65cdec603d3a4db1b16449aad6f7fde592a34c05cb2746
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x3d92c46b3b9add76a0f8adddfc0e8388
Finished request 17.
Going to the next request
Waking up in 4.3 seconds.
rad_recv: Access-Request packet from host 192.168.999.7 port 4815, id=202, length=316
Framed-MTU = 1480
NAS-IP-Address = 192.168.999.7
NAS-Identifier = "myorg-bnew"
User-Name = "myorg\\myuser"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 61
NAS-Port-Type = Ethernet
NAS-Port-Id = "C13"
Called-Station-Id = "00-19-bb-a7-7e-43"
Calling-Station-Id = "00-1b-78-b5-f7-a0"
Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex"
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "12"
State = 0x3d92c46b3b9add76a0f8adddfc0e8388
EAP-Message = 0x0208006019001703010055e80d55e2567140412faecb44f85ce51c49c6ce3e2c3e8b73ba60ed0b7cf182f53da766607dfe9d409a74fb5275d5bb81ed88c916b8fa6afb2e28282a9c177cc338508dcc51ddb71938d39fd37e23e8e43ecf831f15
Message-Authenticator = 0x89540286b863857c3664ed55104b225d
# Executing section authorize from file /etc//raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/192.168.999.7/auth-detail-20110418
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.999.7/auth-detail-20110418
[auth_log] expand: %t -> Mon Apr 18 15:26:38 2011
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "myorg\myuser", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "myorg\myuser"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[ntdomain] Request already proxied. Ignoring.
++[ntdomain] returns ok
[eap] EAP packet type response id 8 length 96
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc//raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
EAP-Message = 0x020800491a0208004431eae3cd7d62cb47eca74974d095ae9da70000000000000000dfeddce5e49617ac7128b51bef69ce9e271abaa6ac3b7dae0050464643555c69732d61646d696e
server {
PEAP: Setting User-Name to myorg\myuser
Sending tunneled request
EAP-Message = 0x020800491a0208004431eae3cd7d62cb47eca74974d095ae9da70000000000000000dfeddce5e49617ac7128b51bef69ce9e271abaa6ac3b7dae0050464643555c69732d61646d696e
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "myorg\\myuser"
State = 0x151e107415160ab1898b0ca5f8a4a93e
server inner-tunnel {
# Executing section authorize from file /etc//raddb/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "myorg\myuser", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "myorg\myuser"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[ntdomain] Request already proxied. Ignoring.
++[ntdomain] returns ok
++[control] returns ok
[eap] EAP packet type response id 8 length 73
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc//raddb/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file /etc//raddb/sites-enabled/inner-tunnel
[mschapv2] +- entering group MS-CHAP {...}
[mschap] Creating challenge hash with username: myuser
[mschap] Told to do MS-CHAPv2 for myuser with NT-Password
[mschap] expand: %{Stripped-User-Name} -> myorg\myuser
[mschap] expand: --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} -> --username=myorg\myuser
[mschap] mschap2: 4f
[mschap] Creating challenge hash with username: myuser
[mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=82b995da529436e0
[mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=dfeddce5e49617ac7128b51bef69ce9e271abaa6ac3b7dae
Exec-Program output: NT_KEY: 1BAAAFEF1E3822F616E15241938525DC
Exec-Program-Wait: plaintext: NT_KEY: 1BAAAFEF1E3822F616E15241938525DC
Exec-Program: returned: 0
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
MSCHAP Success
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
EAP-Message = 0x010900331a0308002e533d36443436343830433435353933413732323439383332373641363141323339374233313539413132
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x151e107414170ab1898b0ca5f8a4a93e
[peap] Got tunneled reply RADIUS code 11
EAP-Message = 0x010900331a0308002e533d36443436343830433435353933413732323439383332373641363141323339374233313539413132
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x151e107414170ab1898b0ca5f8a4a93e
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 202 to 192.168.999.7 port 4815
EAP-Message = 0x0109004a1900170301003f4f528fe339896d23fe771e1f9f7fe77d6b4d695277a8f1585ff0cf3e256516785532dc7dfd9aaa3c8c7b940757cb6ecbe2d743c5e381501f2ba957eb8ee213
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x3d92c46b3a9bdd76a0f8adddfc0e8388
Finished request 18.
Going to the next request
Waking up in 4.2 seconds.
rad_recv: Access-Request packet from host 192.168.999.7 port 4815, id=203, length=249
Framed-MTU = 1480
NAS-IP-Address = 192.168.999.7
NAS-Identifier = "myorg-bnew"
User-Name = "myorg\\myuser"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 61
NAS-Port-Type = Ethernet
NAS-Port-Id = "C13"
Called-Station-Id = "00-19-bb-a7-7e-43"
Calling-Station-Id = "00-1b-78-b5-f7-a0"
Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex"
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "12"
State = 0x3d92c46b3a9bdd76a0f8adddfc0e8388
EAP-Message = 0x0209001d19001703010012c68330f131d90e4af9f81e2a224a8c358e08
Message-Authenticator = 0x3a7b6a277e150a15ef3f5951c1b9c313
# Executing section authorize from file /etc//raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/192.168.999.7/auth-detail-20110418
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.999.7/auth-detail-20110418
[auth_log] expand: %t -> Mon Apr 18 15:26:38 2011
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "myorg\myuser", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "myorg\myuser"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[ntdomain] Request already proxied. Ignoring.
++[ntdomain] returns ok
[eap] EAP packet type response id 9 length 29
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc//raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
EAP-Message = 0x020900061a03
server {
PEAP: Setting User-Name to myorg\myuser
Sending tunneled request
EAP-Message = 0x020900061a03
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "myorg\\myuser"
State = 0x151e107414170ab1898b0ca5f8a4a93e
server inner-tunnel {
# Executing section authorize from file /etc//raddb/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "myorg\myuser", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "myorg\myuser"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[ntdomain] Request already proxied. Ignoring.
++[ntdomain] returns ok
++[control] returns ok
[eap] EAP packet type response id 9 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc//raddb/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[eap] Freeing handler
++[eap] returns ok
WARNING: Empty post-auth section. Using default return values.
# Executing section post-auth from file /etc//raddb/sites-enabled/inner-tunnel
} # server inner-tunnel
[peap] Got tunneled reply code 2
MS-MPPE-Encryption-Policy = 0x00000001
MS-MPPE-Encryption-Types = 0x00000006
MS-MPPE-Send-Key = 0x9e6cb700b77e844276069b269d3c1b37
MS-MPPE-Recv-Key = 0xc82905aec792709a3642047a3d62838d
EAP-Message = 0x03090004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "myorg\\myuser"
[peap] Got tunneled reply RADIUS code 2
MS-MPPE-Encryption-Policy = 0x00000001
MS-MPPE-Encryption-Types = 0x00000006
MS-MPPE-Send-Key = 0x9e6cb700b77e844276069b269d3c1b37
MS-MPPE-Recv-Key = 0xc82905aec792709a3642047a3d62838d
EAP-Message = 0x03090004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "myorg\\myuser"
[peap] Tunneled authentication was successful.
[peap] SUCCESS
++[eap] returns handled
Sending Access-Challenge of id 203 to 192.168.999.7 port 4815
EAP-Message = 0x010a00261900170301001b207b604ded7004ba0319fd90d80c86b17cdf338926b80d306d8521
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x3d92c46b3598dd76a0f8adddfc0e8388
Finished request 19.
Going to the next request
Waking up in 4.2 seconds.
rad_recv: Access-Request packet from host 192.168.999.7 port 4815, id=204, length=258
Framed-MTU = 1480
NAS-IP-Address = 192.168.999.7
NAS-Identifier = "myorg-bnew"
User-Name = "myorg\\myuser"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 61
NAS-Port-Type = Ethernet
NAS-Port-Id = "C13"
Called-Station-Id = "00-19-bb-a7-7e-43"
Calling-Station-Id = "00-1b-78-b5-f7-a0"
Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex"
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "12"
State = 0x3d92c46b3598dd76a0f8adddfc0e8388
EAP-Message = 0x020a00261900170301001b989382337853c33578978735c0d8632c85d97f0a686d6f3a70597b
Message-Authenticator = 0xe244ae36d26ee73331bd16e5a793bd0a
# Executing section authorize from file /etc//raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/192.168.999.7/auth-detail-20110418
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.999.7/auth-detail-20110418
[auth_log] expand: %t -> Mon Apr 18 15:26:38 2011
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "myorg\myuser", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "myorg\myuser"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[ntdomain] Request already proxied. Ignoring.
++[ntdomain] returns ok
[eap] EAP packet type response id 10 length 38
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc//raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state send tlv success
[peap] Received EAP-TLV response.
[peap] Success
[eap] Freeing handler
++[eap] returns ok
# Executing section post-auth from file /etc//raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 204 to 192.168.999.7 port 4815
MS-MPPE-Recv-Key = 0xb5a4c3987e6371edff7724448002a092d5ad569107fbabc158e48b9b1fb43373
MS-MPPE-Send-Key = 0xef43cb62397ba7304927b0679072f3289ff3bf10e1ec22b8789fea4d2c608490
EAP-Message = 0x030a0004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "myorg\\myuser"
Finished request 20.
Going to the next request
Waking up in 4.2 seconds.
Cleaning up request 6 ID 190 with timestamp +439
Cleaning up request 7 ID 191 with timestamp +439
Cleaning up request 8 ID 192 with timestamp +439
Cleaning up request 9 ID 193 with timestamp +439
Cleaning up request 10 ID 194 with timestamp +439
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
WARNING: !! EAP session for state 0x4f47b7a34b41aeed did not finish!
WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Waking up in 0.2 seconds.
Cleaning up request 11 ID 195 with timestamp +439
Cleaning up request 12 ID 196 with timestamp +439
Cleaning up request 13 ID 197 with timestamp +439
Cleaning up request 14 ID 198 with timestamp +439
Waking up in 0.1 seconds.
Cleaning up request 15 ID 199 with timestamp +439
Waking up in 0.1 seconds.
Cleaning up request 16 ID 200 with timestamp +439
Cleaning up request 17 ID 201 with timestamp +439
Cleaning up request 18 ID 202 with timestamp +439
Cleaning up request 19 ID 203 with timestamp +439
Cleaning up request 20 ID 204 with timestamp +439
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.999.7 port 4815, id=205, length=237
Framed-MTU = 1480
NAS-IP-Address = 192.168.999.7
NAS-Identifier = "myorg-bnew"
User-Name = "host/LP-0010.myorg.org"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 61
NAS-Port-Type = Ethernet
NAS-Port-Id = "C13"
Called-Station-Id = "00-19-bb-a7-7e-43"
Calling-Station-Id = "00-1b-78-b5-f7-a0"
Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex"
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "12"
EAP-Message = 0x020b001b01686f73742f4c502d303031302e70666663752e6f7267
Message-Authenticator = 0x3f05cfc6636623f2cfe8900c91dd38b5
# Executing section authorize from file /etc//raddb/sites-enabled/default
+- entering group authorize {...}
[preprocess] hints: Matched DEFAULT at 36
++[preprocess] returns ok
[auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/192.168.999.7/auth-detail-20110418
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.999.7/auth-detail-20110418
[auth_log] expand: %t -> Mon Apr 18 15:27:04 2011
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "/LP-0010.myorg.org", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Setting Stripped-User-Name = "/LP-0010.myorg.org"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[ntdomain] Request already proxied. Ignoring.
++[ntdomain] returns ok
[eap] EAP packet type response id 11 length 27
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry DEFAULT at line 176
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc//raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 205 to 192.168.999.7 port 4815
Framed-Protocol = PPP
Framed-Compression = Van-Jacobson-TCP-IP
EAP-Message = 0x010c00061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xaab75260aabb4bbc8e4a8681cc46cd51
Finished request 21.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.999.7 port 4815, id=206, length=315
Framed-MTU = 1480
NAS-IP-Address = 192.168.999.7
NAS-Identifier = "myorg-bnew"
User-Name = "host/LP-0010.myorg.org"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 61
NAS-Port-Type = Ethernet
NAS-Port-Id = "C13"
Called-Station-Id = "00-19-bb-a7-7e-43"
Calling-Station-Id = "00-1b-78-b5-f7-a0"
Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex"
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "12"
State = 0xaab75260aabb4bbc8e4a8681cc46cd51
EAP-Message = 0x020c005719800000004d16030100480100004403014dac90b3dbf3a100e9cc156249c13486d33b8d5f8cd231a33e07d153b72fb80200001600040005000a0009006400620003000600130012006301000005ff01000100
Message-Authenticator = 0xf19c20fbafcc270b34c45415b946fd6b
# Executing section authorize from file /etc//raddb/sites-enabled/default
+- entering group authorize {...}
[preprocess] hints: Matched DEFAULT at 36
++[preprocess] returns ok
[auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/192.168.999.7/auth-detail-20110418
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.999.7/auth-detail-20110418
[auth_log] expand: %t -> Mon Apr 18 15:27:04 2011
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "/LP-0010.myorg.org", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Setting Stripped-User-Name = "/LP-0010.myorg.org"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[ntdomain] Request already proxied. Ignoring.
++[ntdomain] returns ok
[eap] EAP packet type response id 12 length 87
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc//raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 77
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 0048], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 002a], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 0883], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 206 to 192.168.999.7 port 4815
EAP-Message = 0x010d040019c0000008c0160301002a0200002603014dac9088e0ca376ad4cff92b3b099dccd4c9469795ef1a8703b5201389c5771c0000040016030108830b00087f00087c0003b5308203b130820299a003020102020102300d06092a864886f70d010104050030819a310b3009060355040613025553311530130603550408130c50656e6e73796c76616e6961311530130603550407130c5068696c6164656c70686961311c301a060355040a1313506f6c69636520616e642046697265204643553123302106092a864886f70d0109011614706f73746d61737465724070666663752e6f7267311a3018060355040313116d6966666c696e2e7066
EAP-Message = 0x6663752e6f7267301e170d3131303431383136313132345a170d3132303431373136313132345a308183310b3009060355040613025553311530130603550408130c50656e6e73796c76616e6961311c301a060355040a1313506f6c69636520616e64204669726520464355311a3018060355040313116d6966666c696e2e70666663752e6f72673123302106092a864886f70d0109011614706f73746d61737465724070666663752e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100ad3cc6d602bac5213757cd07b59881ae01cfb16ce8f0affd755a2e2ea0dbcd1a60fb5142fe4288b48b96c07498e569
EAP-Message = 0xab2601b42a73a161b0e171d2957d082cabffde39e5e6e9058e958f7b32349efb8765425bc3822ad39287bef9cb5b67369f886d1439c1876e15f057c6a329a52d2f9e23625678497d6945485768447b5903a84a9b2c6c6287291b1b60366ae4e3f0809c8d38f24ea9c040692c2bbd117eeda78fac45695a9e3b8b4a85b3b7fa9f8c7a19d7ad77fe40dbf573c6c573866f926d1a9ca4391ad47d1489526504ea76893c1a39b033ec72a59cad35f9a8e749a0259e787c03cec0df7d7c7763565afeafd06f450afdc881115dcb2f77f3fdb5cb0203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d01010405
EAP-Message = 0x000382010100cd1bcf97d2ab9635403f1732591d98606e95cc939882656b198bf7b7bf585e159f950e7db747b25720ea1e4b05d91fa6a8bc7b367ed21d749731a803f726438a4942d49bb298322f278163435b6ec5ef9f810f5195ab021dd0aac53cc53494cccf30e6ed6186e9d32cd9cd41c2953173a01e7a7c82998ac7bf0f30451887dd5c0b8750d8bd6afac032a70eab0ea2704f277a0067f102b9e5ad68f9723a3ad65e439f90b782e5cdf2c2a21e5e1ac9ebf1e0d4fdeb370dec3538bd91f4cb925c2b52639e4fcd260462a10b54dc5e04e4110a94bd9fe6a3fe16b28abfb3370aa23b378d60f6fbf461f0e22ce4d988603f88b160210ed7a1e8
EAP-Message = 0xcdc08eb134ef355d3f0004c1
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xaab75260abba4bbc8e4a8681cc46cd51
Finished request 22.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.999.7 port 4815, id=207, length=234
Framed-MTU = 1480
NAS-IP-Address = 192.168.999.7
NAS-Identifier = "myorg-bnew"
User-Name = "host/LP-0010.myorg.org"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 61
NAS-Port-Type = Ethernet
NAS-Port-Id = "C13"
Called-Station-Id = "00-19-bb-a7-7e-43"
Calling-Station-Id = "00-1b-78-b5-f7-a0"
Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex"
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "12"
State = 0xaab75260abba4bbc8e4a8681cc46cd51
EAP-Message = 0x020d00061900
Message-Authenticator = 0x7ba4454596896d7ff8ba0314a9c3d05e
# Executing section authorize from file /etc//raddb/sites-enabled/default
+- entering group authorize {...}
[preprocess] hints: Matched DEFAULT at 36
++[preprocess] returns ok
[auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/192.168.999.7/auth-detail-20110418
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.999.7/auth-detail-20110418
[auth_log] expand: %t -> Mon Apr 18 15:27:04 2011
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "/LP-0010.myorg.org", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Setting Stripped-User-Name = "/LP-0010.myorg.org"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[ntdomain] Request already proxied. Ignoring.
++[ntdomain] returns ok
[eap] EAP packet type response id 13 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc//raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 207 to 192.168.999.7 port 4815
EAP-Message = 0x010e03fc1940308204bd308203a5a003020102020900ad8d39f4fcae271a300d06092a864886f70d010105050030819a310b3009060355040613025553311530130603550408130c50656e6e73796c76616e6961311530130603550407130c5068696c6164656c70686961311c301a060355040a1313506f6c69636520616e642046697265204643553123302106092a864886f70d0109011614706f73746d61737465724070666663752e6f7267311a3018060355040313116d6966666c696e2e70666663752e6f7267301e170d3131303431383136313132345a170d3132303431373136313132345a30819a310b3009060355040613025553311530
EAP-Message = 0x130603550408130c50656e6e73796c76616e6961311530130603550407130c5068696c6164656c70686961311c301a060355040a1313506f6c69636520616e642046697265204643553123302106092a864886f70d0109011614706f73746d61737465724070666663752e6f7267311a3018060355040313116d6966666c696e2e70666663752e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100e43cf5fcf5abf3d6beec6062d1709cd3ccf6bd5d6ba2f54c0f9ec9fa708defdaec3974d3315737519d86b114191dcda2811b89e9b8d2d7ca7ea04002c8c934cde3d550d3bf018f1583026bab19a4a38c5ae5
EAP-Message = 0xa53548a0a1652dc0908a9e06f58d9c473ec7ec55fcefa9c443311684ad6e9dd09ea14cb3d9fcb04a2429f9d1995c062f5b215658143eafdd0116334b0f1849cfef9a24579ea1d6ca31421f52b70d9d00a961408f747f2f2066231124d83c63c3c8b1d69b6f4b5ea50588b2f33b8a40ba8781455db36472bd9b4e85f81f1b82ebf326cd3ac504eb2dea1c5a9e7496f485a62d63d11bead3a4b79ce85453d6617c8b8fca4e1d3e5bb0c68c041c948f0203010001a38201023081ff301d0603551d0e041604146fb361c7649ba640bdf6ea8870cac051daeb9a9e3081cf0603551d230481c73081c480146fb361c7649ba640bdf6ea8870cac051daeb9a9e
EAP-Message = 0xa181a0a4819d30819a310b3009060355040613025553311530130603550408130c50656e6e73796c76616e6961311530130603550407130c5068696c6164656c70686961311c301a060355040a1313506f6c69636520616e642046697265204643553123302106092a864886f70d0109011614706f73746d61737465724070666663752e6f7267311a3018060355040313116d6966666c696e2e70666663752e6f7267820900ad8d39f4fcae271a300c0603551d13040530030101ff300d06092a864886f70d010105050003820101008584a10eba26e3bac7f3a37b0250a525185f77e4cbe920d0d0e3a617dfe22e62954eb79a73d781e27f55c5e1b7
EAP-Message = 0x3c6900c0e5fd63fc
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xaab75260a8b94bbc8e4a8681cc46cd51
Finished request 23.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.999.7 port 4815, id=208, length=234
Framed-MTU = 1480
NAS-IP-Address = 192.168.999.7
NAS-Identifier = "myorg-bnew"
User-Name = "host/LP-0010.myorg.org"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 61
NAS-Port-Type = Ethernet
NAS-Port-Id = "C13"
Called-Station-Id = "00-19-bb-a7-7e-43"
Calling-Station-Id = "00-1b-78-b5-f7-a0"
Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex"
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "12"
State = 0xaab75260a8b94bbc8e4a8681cc46cd51
EAP-Message = 0x020e00061900
Message-Authenticator = 0xc294987d5f65ce57c6fb1a37ba5b158d
# Executing section authorize from file /etc//raddb/sites-enabled/default
+- entering group authorize {...}
[preprocess] hints: Matched DEFAULT at 36
++[preprocess] returns ok
[auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/192.168.999.7/auth-detail-20110418
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.999.7/auth-detail-20110418
[auth_log] expand: %t -> Mon Apr 18 15:27:04 2011
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "/LP-0010.myorg.org", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Setting Stripped-User-Name = "/LP-0010.myorg.org"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[ntdomain] Request already proxied. Ignoring.
++[ntdomain] returns ok
[eap] EAP packet type response id 14 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc//raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 208 to 192.168.999.7 port 4815
EAP-Message = 0x010f00da190000e668530fe5cdedf1fff694c02a985e9dbdaaaaf9915bb3b297c4ddf1ee0601670f0ad3a6b34f9b5959d25b8624147171fc575436a01288e78f2d4344841dd5307a83e6c1d553dbc0731016c4bb35ef324e49b727ccfe896f56ef9603188886b9cf2c7423c77fd441bfa16636772db885276f42a39801d6a334fc20074352933ff6cecfa79ed4b11493ed5a2db327e4b421c3c7fac2f636766698ba79a0cef62a2413ad01d9c31ff9599414e30b6d9d974f2d5430117e202bda0b60bbd6c920c65f7ed6bd1e87e7513d9f16030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xaab75260a9b84bbc8e4a8681cc46cd51
Finished request 24.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.999.7 port 4815, id=209, length=234
Framed-MTU = 1480
NAS-IP-Address = 192.168.999.7
NAS-Identifier = "myorg-bnew"
User-Name = "host/LP-0010.myorg.org"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 61
NAS-Port-Type = Ethernet
NAS-Port-Id = "C13"
Called-Station-Id = "00-19-bb-a7-7e-43"
Calling-Station-Id = "00-1b-78-b5-f7-a0"
Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex"
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "12"
State = 0xaab75260a9b84bbc8e4a8681cc46cd51
EAP-Message = 0x020f00061900
Message-Authenticator = 0x22fb3754a0bb3845bde16f0734b7ff6a
# Executing section authorize from file /etc//raddb/sites-enabled/default
+- entering group authorize {...}
[preprocess] hints: Matched DEFAULT at 36
++[preprocess] returns ok
[auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/192.168.999.7/auth-detail-20110418
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.999.7/auth-detail-20110418
[auth_log] expand: %t -> Mon Apr 18 15:27:04 2011
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "/LP-0010.myorg.org", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Setting Stripped-User-Name = "/LP-0010.myorg.org"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[ntdomain] Request already proxied. Ignoring.
++[ntdomain] returns ok
[eap] EAP packet type response id 15 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc//raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 209 to 192.168.999.7 port 4815
EAP-Message = 0x011000061900
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xaab75260aea74bbc8e4a8681cc46cd51
Finished request 25.
Going to the next request
Waking up in 4.8 seconds.
Cleaning up request 21 ID 205 with timestamp +465
Cleaning up request 22 ID 206 with timestamp +465
Cleaning up request 23 ID 207 with timestamp +465
Cleaning up request 24 ID 208 with timestamp +465
Cleaning up request 25 ID 209 with timestamp +465
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
WARNING: !! EAP session for state 0xaab75260aea74bbc did not finish!
WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.999.7 port 4815, id=210, length=237
Framed-MTU = 1480
NAS-IP-Address = 192.168.999.7
NAS-Identifier = "myorg-bnew"
User-Name = "host/LP-0010.myorg.org"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 61
NAS-Port-Type = Ethernet
NAS-Port-Id = "C13"
Called-Station-Id = "00-19-bb-a7-7e-43"
Calling-Station-Id = "00-1b-78-b5-f7-a0"
Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex"
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "12"
EAP-Message = 0x0201001b01686f73742f4c502d303031302e70666663752e6f7267
Message-Authenticator = 0x7f18b5ce40762fc7ce1336cd53901e5e
# Executing section authorize from file /etc//raddb/sites-enabled/default
+- entering group authorize {...}
[preprocess] hints: Matched DEFAULT at 36
++[preprocess] returns ok
[auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/192.168.999.7/auth-detail-20110418
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.999.7/auth-detail-20110418
[auth_log] expand: %t -> Mon Apr 18 15:28:03 2011
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "/LP-0010.myorg.org", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Setting Stripped-User-Name = "/LP-0010.myorg.org"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[ntdomain] Request already proxied. Ignoring.
++[ntdomain] returns ok
[eap] EAP packet type response id 1 length 27
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry DEFAULT at line 176
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc//raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 210 to 192.168.999.7 port 4815
Framed-Protocol = PPP
Framed-Compression = Van-Jacobson-TCP-IP
EAP-Message = 0x010200061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x5fa5dbd85fa7c2ccdff397606527fb6f
Finished request 26.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.999.7 port 4815, id=211, length=315
Framed-MTU = 1480
NAS-IP-Address = 192.168.999.7
NAS-Identifier = "myorg-bnew"
User-Name = "host/LP-0010.myorg.org"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 61
NAS-Port-Type = Ethernet
NAS-Port-Id = "C13"
Called-Station-Id = "00-19-bb-a7-7e-43"
Calling-Station-Id = "00-1b-78-b5-f7-a0"
Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex"
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "12"
State = 0x5fa5dbd85fa7c2ccdff397606527fb6f
EAP-Message = 0x0202005719800000004d16030100480100004403014dac90edd5d5ae7aeae2db199e6027cd395ca67651fa8010563678a47f88f5de00001600040005000a0009006400620003000600130012006301000005ff01000100
Message-Authenticator = 0xdf0705f30f8684c3201167c51a249414
# Executing section authorize from file /etc//raddb/sites-enabled/default
+- entering group authorize {...}
[preprocess] hints: Matched DEFAULT at 36
++[preprocess] returns ok
[auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/192.168.999.7/auth-detail-20110418
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.999.7/auth-detail-20110418
[auth_log] expand: %t -> Mon Apr 18 15:28:03 2011
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "/LP-0010.myorg.org", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Setting Stripped-User-Name = "/LP-0010.myorg.org"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[ntdomain] Request already proxied. Ignoring.
++[ntdomain] returns ok
[eap] EAP packet type response id 2 length 87
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc//raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 77
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 0048], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 002a], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 0883], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 211 to 192.168.999.7 port 4815
EAP-Message = 0x0103040019c0000008c0160301002a0200002603014dac90c37120de69c11067791b75cad05959a3ab5ceaf8cc0d64f51ed3f833600000040016030108830b00087f00087c0003b5308203b130820299a003020102020102300d06092a864886f70d010104050030819a310b3009060355040613025553311530130603550408130c50656e6e73796c76616e6961311530130603550407130c5068696c6164656c70686961311c301a060355040a1313506f6c69636520616e642046697265204643553123302106092a864886f70d0109011614706f73746d61737465724070666663752e6f7267311a3018060355040313116d6966666c696e2e7066
EAP-Message = 0x6663752e6f7267301e170d3131303431383136313132345a170d3132303431373136313132345a308183310b3009060355040613025553311530130603550408130c50656e6e73796c76616e6961311c301a060355040a1313506f6c69636520616e64204669726520464355311a3018060355040313116d6966666c696e2e70666663752e6f72673123302106092a864886f70d0109011614706f73746d61737465724070666663752e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100ad3cc6d602bac5213757cd07b59881ae01cfb16ce8f0affd755a2e2ea0dbcd1a60fb5142fe4288b48b96c07498e569
EAP-Message = 0xab2601b42a73a161b0e171d2957d082cabffde39e5e6e9058e958f7b32349efb8765425bc3822ad39287bef9cb5b67369f886d1439c1876e15f057c6a329a52d2f9e23625678497d6945485768447b5903a84a9b2c6c6287291b1b60366ae4e3f0809c8d38f24ea9c040692c2bbd117eeda78fac45695a9e3b8b4a85b3b7fa9f8c7a19d7ad77fe40dbf573c6c573866f926d1a9ca4391ad47d1489526504ea76893c1a39b033ec72a59cad35f9a8e749a0259e787c03cec0df7d7c7763565afeafd06f450afdc881115dcb2f77f3fdb5cb0203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d01010405
EAP-Message = 0x000382010100cd1bcf97d2ab9635403f1732591d98606e95cc939882656b198bf7b7bf585e159f950e7db747b25720ea1e4b05d91fa6a8bc7b367ed21d749731a803f726438a4942d49bb298322f278163435b6ec5ef9f810f5195ab021dd0aac53cc53494cccf30e6ed6186e9d32cd9cd41c2953173a01e7a7c82998ac7bf0f30451887dd5c0b8750d8bd6afac032a70eab0ea2704f277a0067f102b9e5ad68f9723a3ad65e439f90b782e5cdf2c2a21e5e1ac9ebf1e0d4fdeb370dec3538bd91f4cb925c2b52639e4fcd260462a10b54dc5e04e4110a94bd9fe6a3fe16b28abfb3370aa23b378d60f6fbf461f0e22ce4d988603f88b160210ed7a1e8
EAP-Message = 0xcdc08eb134ef355d3f0004c1
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x5fa5dbd85ea6c2ccdff397606527fb6f
Finished request 27.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.999.7 port 4815, id=212, length=234
Framed-MTU = 1480
NAS-IP-Address = 192.168.999.7
NAS-Identifier = "myorg-bnew"
User-Name = "host/LP-0010.myorg.org"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 61
NAS-Port-Type = Ethernet
NAS-Port-Id = "C13"
Called-Station-Id = "00-19-bb-a7-7e-43"
Calling-Station-Id = "00-1b-78-b5-f7-a0"
Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex"
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "12"
State = 0x5fa5dbd85ea6c2ccdff397606527fb6f
EAP-Message = 0x020300061900
Message-Authenticator = 0x08975501af22ecabb6af227dd54fd96e
# Executing section authorize from file /etc//raddb/sites-enabled/default
+- entering group authorize {...}
[preprocess] hints: Matched DEFAULT at 36
++[preprocess] returns ok
[auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/192.168.999.7/auth-detail-20110418
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.999.7/auth-detail-20110418
[auth_log] expand: %t -> Mon Apr 18 15:28:03 2011
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "/LP-0010.myorg.org", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Setting Stripped-User-Name = "/LP-0010.myorg.org"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[ntdomain] Request already proxied. Ignoring.
++[ntdomain] returns ok
[eap] EAP packet type response id 3 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc//raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 212 to 192.168.999.7 port 4815
EAP-Message = 0x010403fc1940308204bd308203a5a003020102020900ad8d39f4fcae271a300d06092a864886f70d010105050030819a310b3009060355040613025553311530130603550408130c50656e6e73796c76616e6961311530130603550407130c5068696c6164656c70686961311c301a060355040a1313506f6c69636520616e642046697265204643553123302106092a864886f70d0109011614706f73746d61737465724070666663752e6f7267311a3018060355040313116d6966666c696e2e70666663752e6f7267301e170d3131303431383136313132345a170d3132303431373136313132345a30819a310b3009060355040613025553311530
EAP-Message = 0x130603550408130c50656e6e73796c76616e6961311530130603550407130c5068696c6164656c70686961311c301a060355040a1313506f6c69636520616e642046697265204643553123302106092a864886f70d0109011614706f73746d61737465724070666663752e6f7267311a3018060355040313116d6966666c696e2e70666663752e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100e43cf5fcf5abf3d6beec6062d1709cd3ccf6bd5d6ba2f54c0f9ec9fa708defdaec3974d3315737519d86b114191dcda2811b89e9b8d2d7ca7ea04002c8c934cde3d550d3bf018f1583026bab19a4a38c5ae5
EAP-Message = 0xa53548a0a1652dc0908a9e06f58d9c473ec7ec55fcefa9c443311684ad6e9dd09ea14cb3d9fcb04a2429f9d1995c062f5b215658143eafdd0116334b0f1849cfef9a24579ea1d6ca31421f52b70d9d00a961408f747f2f2066231124d83c63c3c8b1d69b6f4b5ea50588b2f33b8a40ba8781455db36472bd9b4e85f81f1b82ebf326cd3ac504eb2dea1c5a9e7496f485a62d63d11bead3a4b79ce85453d6617c8b8fca4e1d3e5bb0c68c041c948f0203010001a38201023081ff301d0603551d0e041604146fb361c7649ba640bdf6ea8870cac051daeb9a9e3081cf0603551d230481c73081c480146fb361c7649ba640bdf6ea8870cac051daeb9a9e
EAP-Message = 0xa181a0a4819d30819a310b3009060355040613025553311530130603550408130c50656e6e73796c76616e6961311530130603550407130c5068696c6164656c70686961311c301a060355040a1313506f6c69636520616e642046697265204643553123302106092a864886f70d0109011614706f73746d61737465724070666663752e6f7267311a3018060355040313116d6966666c696e2e70666663752e6f7267820900ad8d39f4fcae271a300c0603551d13040530030101ff300d06092a864886f70d010105050003820101008584a10eba26e3bac7f3a37b0250a525185f77e4cbe920d0d0e3a617dfe22e62954eb79a73d781e27f55c5e1b7
EAP-Message = 0x3c6900c0e5fd63fc
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x5fa5dbd85da1c2ccdff397606527fb6f
Finished request 28.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.999.7 port 4815, id=213, length=234
Framed-MTU = 1480
NAS-IP-Address = 192.168.999.7
NAS-Identifier = "myorg-bnew"
User-Name = "host/LP-0010.myorg.org"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 61
NAS-Port-Type = Ethernet
NAS-Port-Id = "C13"
Called-Station-Id = "00-19-bb-a7-7e-43"
Calling-Station-Id = "00-1b-78-b5-f7-a0"
Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex"
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "12"
State = 0x5fa5dbd85da1c2ccdff397606527fb6f
EAP-Message = 0x020400061900
Message-Authenticator = 0x2879f66153ca0f29f077d7ee441341e6
# Executing section authorize from file /etc//raddb/sites-enabled/default
+- entering group authorize {...}
[preprocess] hints: Matched DEFAULT at 36
++[preprocess] returns ok
[auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/192.168.999.7/auth-detail-20110418
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.999.7/auth-detail-20110418
[auth_log] expand: %t -> Mon Apr 18 15:28:03 2011
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "/LP-0010.myorg.org", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Setting Stripped-User-Name = "/LP-0010.myorg.org"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[ntdomain] Request already proxied. Ignoring.
++[ntdomain] returns ok
[eap] EAP packet type response id 4 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc//raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 213 to 192.168.999.7 port 4815
EAP-Message = 0x010500da190000e668530fe5cdedf1fff694c02a985e9dbdaaaaf9915bb3b297c4ddf1ee0601670f0ad3a6b34f9b5959d25b8624147171fc575436a01288e78f2d4344841dd5307a83e6c1d553dbc0731016c4bb35ef324e49b727ccfe896f56ef9603188886b9cf2c7423c77fd441bfa16636772db885276f42a39801d6a334fc20074352933ff6cecfa79ed4b11493ed5a2db327e4b421c3c7fac2f636766698ba79a0cef62a2413ad01d9c31ff9599414e30b6d9d974f2d5430117e202bda0b60bbd6c920c65f7ed6bd1e87e7513d9f16030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x5fa5dbd85ca0c2ccdff397606527fb6f
Finished request 29.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.999.7 port 4815, id=214, length=234
Framed-MTU = 1480
NAS-IP-Address = 192.168.999.7
NAS-Identifier = "myorg-bnew"
User-Name = "host/LP-0010.myorg.org"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 61
NAS-Port-Type = Ethernet
NAS-Port-Id = "C13"
Called-Station-Id = "00-19-bb-a7-7e-43"
Calling-Station-Id = "00-1b-78-b5-f7-a0"
Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex"
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "12"
State = 0x5fa5dbd85ca0c2ccdff397606527fb6f
EAP-Message = 0x020500061900
Message-Authenticator = 0x3b40bb8b2b7e40c2b99ea8b4202b9c17
# Executing section authorize from file /etc//raddb/sites-enabled/default
+- entering group authorize {...}
[preprocess] hints: Matched DEFAULT at 36
++[preprocess] returns ok
[auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/192.168.999.7/auth-detail-20110418
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.999.7/auth-detail-20110418
[auth_log] expand: %t -> Mon Apr 18 15:28:03 2011
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "/LP-0010.myorg.org", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Setting Stripped-User-Name = "/LP-0010.myorg.org"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[ntdomain] Request already proxied. Ignoring.
++[ntdomain] returns ok
[eap] EAP packet type response id 5 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc//raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 214 to 192.168.999.7 port 4815
EAP-Message = 0x010600061900
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x5fa5dbd85ba3c2ccdff397606527fb6f
Finished request 30.
Going to the next request
Waking up in 4.8 seconds.
Cleaning up request 26 ID 210 with timestamp +524
Cleaning up request 27 ID 211 with timestamp +524
Cleaning up request 28 ID 212 with timestamp +524
Cleaning up request 29 ID 213 with timestamp +524
Waking up in 0.1 seconds.
Cleaning up request 30 ID 214 with timestamp +524
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
WARNING: !! EAP session for state 0x5fa5dbd85ba3c2cc did not finish!
WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Ready to process requests.
This E-mail, along with any attachments, is considered confidential and may well be legally privileged. If you have received it in error, you are on notice of its status. Please notify us immediately by reply e-mail or call 215-931-0300 / 800-228-8801 and then delete this message from your system. Please do not copy it or use it for any purposes, or disclose its contents to any other person. Thank you for your cooperation.
3
7
Hi All,
Please help me to fix the below isse.
The problem is related to the scenario, where a network server
triggers first authentication over Radius and then a freeRadius server
makes a LDAP query towards an openLDAP server
containing the user password. After the successful authentication
(Access-Accept received), the network server initiates an
authorization request over LDAP. For the second request the OpenLDAP
server requests the password for the second time (and the second
request doesn't contain any user password).
Thanks for all your help.
Regards,
Neo
2
1
Hi,
I want to setup a PPTP server with EAP TLS and authentication by FreeRadius. I've
seen in a documentation that we must set Auth-type, but the documentation is
out-dated and on freeradius.org, it's specified that Auth-type shouldn't be set
manually.
So, I don't know which data I must set in which table, MySQL-side. Can anyone
help me ?
Thanks,
Regards,
Grégoire Leroy
2
1
Hi,
Anyone here managed to setup a hotspot service using freeradius and a
captive portal?
I'd like to hire someone to do a setup for me.
--
View this message in context: http://freeradius.1045715.n5.nabble.com/setup-service-needed-tp4315197p4315…
Sent from the FreeRadius - User mailing list archive at Nabble.com.
2
3
All,
I have spent the last few days writing the code to allow rlm_mschap and
rlm_eap_mschapv2 to support password changes.
Rather than slinging tarballs around, the patches are in a branch here:
https://github.com/philmayers/freeradius-server/tree/v2.1.x-mschap-changepa…
It basically works for me; I've tried it with a Windows XP client on a
wired 802.1x port, but it needs extensive testing given the scope of the
changes. It supports both password changes via samba/ntlm_auth and also
locally if you have NT-Password/Cleartext-Password.
I've tried to split the patches up into logical units, which should make
the review easier.
Particularly, the first patch in the set interferes with src/main/exec.c
so that we can re-use the code to open a process with a pipe on both
stdin and stdout. This change will need very careful review.
Testing and comments are very welcome, but I'll be offline for most of
the next two weeks enjoying the weather!
Cheers,
Phil
2
1
19 Apr '11
I'm using Freeradius 2.1.10. I need to reply to NAS same attributes with
tags using rlm_sql and rlm_perl. But in result number of tags is missing
and in reply only attributes with ":0".
mysql> select * from radreply;
+----+--------------+-------------------+----+----------+
| id | username | attribute | op | value |
+----+--------------+-------------------+----+----------+
| 1 | testuser@new | Context-Name | = | Internet |
| 2 | testuser@new | Service-Name:1 | += | GUEST |
| 3 | testuser@new | Service-Options:1 | += | 0 |
| 4 | testuser@new | Service-Name:2 | += | INET |
| 5 | testuser@new | Service-Options:2 | += | 1 |
+----+--------------+-------------------+----+----------+
5 rows in set (0.00 sec)
Debug: rlm_perl: Added pair NAS-Port-Type = Virtual
Debug: rlm_perl: Added pair CHAP-Password =
0x01d5b5364721d124b36c2fcaf86dc1289b
Debug: rlm_perl: Added pair Acct-Session-Id = 0000FFFF6802B4D0-4DAC4ACD
Debug: rlm_perl: Added pair Proxy-State = 0x313538
Debug: rlm_perl: Added pair Service-Type = Framed-User
Debug: rlm_perl: Added pair CHAP-Challenge =
0xa87b4c6f31d9b71f63a5b54b9482bf1f
Debug: rlm_perl: Added pair NAS-IP-Address = 172.26.201.21
Debug: rlm_perl: Added pair NAS-Real-Port = 285216672
Debug: rlm_perl: Added pair Medium-Type = 11
Debug: rlm_perl: Added pair Framed-Protocol = PPP
Debug: rlm_perl: Added pair User-Name = testuser@new
Debug: rlm_perl: Added pair NAS-Port = 16842752
Debug: rlm_perl: Added pair Acct-Interim-Interval = 1800
Debug: rlm_perl: Added pair Service-Name = GUEST
Debug: rlm_perl: Added pair Service-Name = INET
Debug: rlm_perl: Added pair Context-Name = Internet
Debug: rlm_perl: Added pair Service-Type = Framed-User
Debug: rlm_perl: Added pair Framed-IP-Address = 255.255.255.254
Debug: rlm_perl: Added pair Service-Options = 0
Debug: rlm_perl: Added pair Service-Options = 1
Debug: rlm_perl: Added pair Cleartext-Password = testpass
Debug: rlm_perl: Added pair Auth-Type = CHAP
Info: ++[perl] returns ok
Sending Access-Accept of id 180 to 127.0.0.1 port 11113
Acct-Interim-Interval = 1800
Service-Name:0 += "GUEST"
Service-Name:0 += "INET"
Context-Name = "Internet"
Service-Type = Framed-User
Framed-IP-Address = 255.255.255.254
Service-Options:0 += 0
Service-Options:0 += 1
Proxy-State = 0x313538
Mon Apr 18 17:29:33 2011 : Info: Finished request 3.
Mon Apr 18 17:29:33 2011 : Debug: Going to the next request
1
0
19 Apr '11
Hi,
I would like to know what does the attribute PW_DIGEST_NONCE (1064)
represent in rlm_digest module in radius server?
My radius log information is given here.
<------the radius log information for the authentication packet starts
here---------->
Received radius packet:
NAS-Identifier = "localhost.localdomain"
Digest-Attributes = "\003\010INVITE"
Digest-Attributes = "\006\005MD5"
Digest-Attributes = "\002*60d9d2b7b8ab7b4da4014bcdac1724b7320068d6"
Digest-Attributes = "\n\0146599999970"
User-Name = "6599999970(a)192.168.104.239"
Digest-Attributes = "\004 sip:6599999508@192.168.104.240"
Digest-Response = "1ee3c49572b6fcd4a9e0438bba8810dc"
Digest-Attributes = "\001\021192.168.104.239"
rlm_sql in rlm_sql_authenticate
<------the radius log information ends here---------->
The Digest-Attributes = "\002*60d9d2b7b8ab7b4da4014bcdac1724b7320068d6" is
the PW_DIGEST_NONCE with 60d9d2b7b8ab7b4da4014bcdac1724b7320068d6 as the
value.
In my setup, the radius client uses SIP. I want to know whether the
PW_DIGEST_NONCE in the digest attributes can be used as a Session ID of the
SIP call or the Call-Reference of the authentication packet?
Or, only after receiving the RLM_MODULE_OK for the digest request, the
radius client will send the further SIP call information in the next packet?
A little background about the problem I face:
I have a customized radius source(taken from freeradius few years back) to
work with radius clients to perform authentication and accounting with only
rlm_detail, rlm_preprocess, rlm_sql (with unixodbc) modules.
Now, I have a requirement for the radius server to work with a radius client
which has SIP. And I have found that radius client with SIP uses
'rlm_digest' module as part of authentication. This is when I have the
following issues:
a) I can not just integrate 'rlm_digest' module source to the existing
radius server source to work since the changes are quite a lot.
b)I have very limited or no details about how the radius client with the SIP
works.
This is why I wanted to get more information about the role of rlm_digest
module and how to handle it in my situation.
Thanks.
./maximus
--
View this message in context: http://freeradius.1045715.n5.nabble.com/what-does-the-attribute-PW-DIGEST-N…
Sent from the FreeRadius - User mailing list archive at Nabble.com.
2
3
Hello.
I have a FreeRADIUS setup using PEAP/MSCHAPv2 to authenticate wireless clients against an Active Directory environment. We've recently purchased a new wildcard certificate from DigiCert for our organization. The RADIUS server is not covered by the wildcard common name on the certificate, however I have a subject alternative name specifying the RADIUS server hostname on it as well. On my new cert, connection to the system fails when I try validating the new cert (I have all the possible cert authorities checked off.) If I uncheck validate the cert, I am then able to connect. As soon as I place the old cert back in place validation works fine. The old cert was a free signal name cert from IPS CA. The new cert is a wildcard duplicate issued from DigiCert that has the server name as a subject alternative name as it is not covered by the wild card common name we are using - I generated the CSR for this certificate copy using the tools in freeradius (XPExtensions and whatnot.) Should this kind of a cert work, or does 802.1x/PEAP/mschapv2 not support validating by subject alternative names. I tried including the CA Cert in a chain file and not including it and had the same results either way. I know the CA is trusted by Microsoft as this same wildcard cert works in our web applications.
Tom
Thomas E. Casartello, Jr.
Staff Assistant - Wireless/Linux Administrator
Information Technology
Wilson 105A
Westfield State University
(413) 572-8245
Red Hat Certified Technician (RHCT)
Cisco Certified Network Associate (CCNA)
2
5
Hi All,
I'm new in FreeRadius. I have install freeRadius and ChillSpot on Debian
with squid and iptables. Everything is ok, but I want to make a Group with
port permissions. For exampel first group "Low" with only HTTP(S)
permission, the second group "Mittel" with HTTP(S), POP(S), IMAP, SMTP(S)
and the third group "Hi" with all permission (all ports).
How can I do this? I have my hotspot in my caffe-bar and only customers can
have a internet.
Thanks for your help!
PS: Sorry for my englisch :-)
--
View this message in context: http://freeradius.1045715.n5.nabble.com/groups-with-port-permissions-tp4300…
Sent from the FreeRadius - User mailing list archive at Nabble.com.
2
2