Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
May 2011
- 128 participants
- 164 discussions
Hi all i have freeradius 2.1.10 setup on a SLES server. When the workstation boots it sends an mschapv2 request in the form host/machinename. What is the best way to convert this to machinename$ ? Sorry if this has been asked before Im stumped and cannot find the answer.
Here is part of the log:
Ready to process requests.
rad_recv: Access-Request packet from host 10.152.0.100 port 32819, id=79, length=203
NAS-IP-Address = 10.152.0.100
NAS-Port = 0
NAS-Port-Type = Wireless-802.11
User-Name = "host/TECH-11501"
Calling-Station-Id = "00265EE9B2CA"
Called-Station-Id = "000B86611894"
MS-CHAP-Challenge = 0x0568442cb1608fce03cb2662dcf52694
MS-CHAP2-Response = 0x07007e63e9fa7fb503e4cfff2a2c00568698000000000000000057f0c5ece05913c5eeaf48096b25dcbd01f39d20a71404e1
Service-Type = Login-User
Aruba-Essid-Name = "HPSD_RAD2"
Aruba-Location-Id = "Tech 01"
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
++[mschap] returns ok
++[digest] returns noop
[suffix] No '@' in User-Name = "host/TECH-11501", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
[ldap] performing user authorization for host/TECH-11501
[ldap] expand: (uid=%{mschap:User-Name:-%{User-Name}}) -> (uid=TECH-11501$)
[ldap] expand: o=hpsd_48 -> o=hpsd_48
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in o=hpsd_48, with filter (uid=TECH-11501$)
[ldap] Added the eDirectory password xxxxx in check items as Cleartext-Password
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
[ldap] user host/TECH-11501 authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = MSCHAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group MS-CHAP {...}
[mschap] Creating challenge hash with username: host/TECH-11501
[mschap] Told to do MS-CHAPv2 for host/TECH-11501 with NT-Password
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> host/TECH-11501
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 13 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 13
Sending Access-Reject of id 79 to 10.152.0.100 port 32819
Waking up in 4.9 seconds.
Cleaning up request 13 ID 79 with timestamp +926
Ready to process requests.
Here is the log from same machine after logging in:
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.152.0.100 port 32819, id=82, length=194
NAS-IP-Address = 10.152.0.100
NAS-Port = 0
NAS-Port-Type = Wireless-802.11
User-Name = "mjones"
Calling-Station-Id = "00265EE9B2CA"
Called-Station-Id = "000B86611894"
MS-CHAP-Challenge = 0xe744e26bd3741ff3a339f931e5d541cc
MS-CHAP2-Response = 0x070001ee52a851770be78f667189c6bdec3b000000000000000050e99570745eb5a68f290dfe79879837d3997b7aa9b7b3cc
Service-Type = Login-User
Aruba-Essid-Name = "HPSD_RAD2"
Aruba-Location-Id = "Tech 01"
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
++[mschap] returns ok
++[digest] returns noop
[suffix] No '@' in User-Name = "mjones", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
[ldap] performing user authorization for mjones
[ldap] expand: (uid=%{mschap:User-Name:-%{User-Name}}) -> (uid=mjones)
[ldap] expand: o=hpsd_48 -> o=hpsd_48
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in o=hpsd_48, with filter (uid=mjones)
[ldap] Added the eDirectory password xxxx in check items as Cleartext-Password
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
[ldap] user mjones authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = MSCHAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group MS-CHAP {...}
[mschap] Creating challenge hash with username: mjones
[mschap] Told to do MS-CHAPv2 for mjones with NT-Password
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
# Executing section post-auth from file /etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 82 to 10.152.0.100 port 32819
MS-CHAP2-Success = 0x07533d41344438423931334434454244384437463634353436353933374137343737324136433138463139
MS-MPPE-Recv-Key = 0x263a0e89b5a8a78aa7e728c79ea3844f
MS-MPPE-Send-Key = 0xfef0768ff8ca7d3a76d43ce8feb4189b
MS-MPPE-Encryption-Policy = 0x00000001
MS-MPPE-Encryption-Types = 0x00000006
Finished request 16.
Going to the next request
Waking up in 3.7 seconds.
Cleaning up request 15 ID 81 with timestamp +1049
Waking up in 1.2 seconds.
Cleaning up request 16 ID 82 with timestamp +1051
Ready to process requests.
Thanks all
Mark
This communication is intended for the use of the recipient to which it is addressed and may contain confidential, personal and/or privileged information. If you received this e-mail in error, please advise me (by return e-mail or otherwise) immediately.
2
3
Greetings,
I have a FreeRadius 1.1.5 that I'm using in a Wimax network. I'd like to
upgrade it so I've installed a FreeRadius 2.1.7. Authentication is EAP-TTLS
on both. The network architecture is the same on both side.
My issue is that some users attributes are missing from Access accept
messages coming from the FreeRadius 2, whereas the FreeRadius 1 is working
perfectly.
Here below the config of both of its:
FREE RADIUS 1.1.5: ACCESS ACCEPT OK WITH ALL ATTRIBUTES REQUESTED
rad_recv: Access-Request packet from host 192.168.1.111:33102, id=185,
length=210
User-Name = "ABCDEFGHIJKL"
Calling-Station-Id = "\000\037\373"\214@"
NAS-IP-Address = 192.168.1.111
NAS-Port = 1
Framed-MTU = 1400
Service-Type = Framed-User
Called-Station-Id = "000084800711"
NAS-Identifier = "636170632D73632D70726F64"
NAS-Port-Type = 27
Attr-89 = 0x00
NWG-WiMAX-Capability = 0x000106312e3000020301
NWG-GMT-Time-Zone-Offset = 0x0000000000
NWG-BS-ID = 0x00000084800711
NWG-NSP-ID = 0x000001f9
EAP-Message = 0x029d001101423836313646303044333437
Message-Authenticator = 0x163079cdfd5e95cbbdf12114567d5225
Tue May 10 12:28:23 2011 : Debug: Processing the authorize section of
radiusd.conf
Sending Access-Challenge of id 185 to 192.168.1.111 port 33102
Session-Timeout = 64800
NWG-AAA-Session-Id = 0x00000001
Motorola-WiMAX-Convergence-Sublayer = 0x00
Motorola-WiMAX-Network-Domain-Name = "wimax.test"
Motorola-WiMAX-EMS-Address = 10.10.10.1
Motorola-WiMAX-NTP-Server = 0x0171c54402
Motorola-WiMAX-HO-SVC-CLASS = 0x02
Motorola-WiMAX-DNS-Server-IP-Address = 0x71c2250421c22522
Motorola-WiMAX-Service-Flows = "2|Default"
Motorola-WiMAX-VLAN-ID = 0x0111
Motorola-WiMAX-Maximum-Total-Bandwidth = 0x0000c3500000c350
Motorola-WiMAX-Maximum-Commit-Bandwidth = 0x0000c3500000c350
EAP-Message = 0x019e00060d20
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x42dd4346756c2acf80fbc1fd8ab0560f
Tue May 10 12:28:23 2011 : Debug: Finished request 0
Tue May 10 12:28:23 2011 : Debug: Going to the next request
Tue May 10 12:28:23 2011 : Debug: --- Walking the entire request list ---
Tue May 10 12:28:23 2011 : Debug: Waking up in 3 seconds...
rad_recv: Access-Request packet from host 192.168.1.111:33102, id=186,
length=217
User-Name = "ABCDEFGHIJKL"
Calling-Station-Id = "\000\037\373"\214@"
NAS-IP-Address = 192.168.1.111
State = 0x42dd4346756c2acf80fbc1fd8ab0560f
NAS-Port = 1
Framed-MTU = 1400
Service-Type = Framed-User
Called-Station-Id = "000084800711"
NAS-Identifier = "636170632D73632D70726F64"
NAS-Port-Type = 27
Attr-89 = 0x00
NWG-WiMAX-Capability = 0x000106312e3000020301
NWG-GMT-Time-Zone-Offset = 0x0000000000
NWG-BS-ID = 0x00000084800711
NWG-NSP-ID = 0x000001f9
EAP-Message = 0x029e00060315
Message-Authenticator = 0x07cec79be43d3d5bf70a09d2210054f9
Tue May 10 12:28:23 2011 : Debug: Processing the authorize section of
radiusd.conf
Sending Access-Challenge of id 186 to 192.168.1.111 port 33102
Session-Timeout = 64800
NWG-AAA-Session-Id = 0x00000001
Motorola-WiMAX-Convergence-Sublayer = 0x00
Motorola-WiMAX-Network-Domain-Name = "wimax.test"
Motorola-WiMAX-EMS-Address = 10.10.10.1
Motorola-WiMAX-NTP-Server = 0x0171c54402
Motorola-WiMAX-HO-SVC-CLASS = 0x02
Motorola-WiMAX-DNS-Server-IP-Address = 0x71c2250421c22522
Motorola-WiMAX-Service-Flows = "2|Default"
Motorola-WiMAX-VLAN-ID = 0x0111
Motorola-WiMAX-Maximum-Total-Bandwidth = 0x0000c3500000c350
Motorola-WiMAX-Maximum-Commit-Bandwidth = 0x0000c3500000c350
EAP-Message = 0x019f00061520
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xd5efd74ea5bf2690ca9b30b80c0c0d1f
Tue May 10 12:28:23 2011 : Debug: Finished request 1
Tue May 10 12:28:23 2011 : Debug: Going to the next request
Tue May 10 12:28:23 2011 : Debug: Waking up in 3 seconds...
rad_recv: Access-Request packet from host 192.168.1.111:33102, id=187,
length=291
User-Name = "ABCDEFGHIJKL"
Calling-Station-Id = "\000\037\373"\214@"
NAS-IP-Address = 192.168.1.111
State = 0xd5efd74ea5bf2690ca9b30b80c0c0d1f
NAS-Port = 1
Framed-MTU = 1400
Service-Type = Framed-User
Called-Station-Id = "000084800711"
NAS-Identifier = "636170632D73632D70726F64"
NAS-Port-Type = 27
Attr-89 = 0x00
NWG-WiMAX-Capability = 0x000106312e3000020301
NWG-GMT-Time-Zone-Offset = 0x0000000000
NWG-BS-ID = 0x00000084800711
NWG-NSP-ID = 0x000001f9
EAP-Message =
0x029f005015001603010045010000410301bd274996a0d2a8dfc66a64a99828716e17e9b2f7
0921563de9b960534980670600001a0015001600330009000a002f000700670039006b003c00
35003d0100
Message-Authenticator = 0xc84be94975c1643cb9bb387a864959b5
Tue May 10 12:28:23 2011 : Debug: rlm_eap: EAP/ttls
Sending Access-Challenge of id 187 to 192.168.1.111 port 33102
Session-Timeout = 64800
NWG-AAA-Session-Id = 0x00000001
Motorola-WiMAX-Convergence-Sublayer = 0x00
Motorola-WiMAX-Network-Domain-Name = "wimax.test"
Motorola-WiMAX-EMS-Address = 10.10.10.1
Motorola-WiMAX-NTP-Server = 0x0171c54402
Motorola-WiMAX-HO-SVC-CLASS = 0x02
Motorola-WiMAX-DNS-Server-IP-Address = 0x71c2250421c22522
Motorola-WiMAX-Service-Flows = "2|Default"
Motorola-WiMAX-VLAN-ID = 0x0111
Motorola-WiMAX-Maximum-Total-Bandwidth = 0x0000c3500000c350
Motorola-WiMAX-Maximum-Commit-Bandwidth = 0x0000c3500000c350
EAP-Message =
0x01a004051580000003fb160301004a0200004603014dc9bc07dbe88ec6106c4f128ef68386
473398aca2842adc3a4eaaee8614ce8e20779bcc1aa204f5d6e489f46ea6322950177f6a81a1
c45bde9741076dd5052144000900160301039e0b00039a0003970003943082039030820278a0
0302010202070100195ec9d00e300d06092a864886f70d0101050500307b310b300906035504
061302555331173015060355040a130e4d6f746f726f6c612c20496e632e312b302906035504
0b132257694d41582044657669636520436572746966696361746520417574686f7269747931
2630240603550403131d4d6f746f726f6c612057694d41582044
EAP-Message =
0x657669636520526f6f74204341301e170d3036303932383230353034335a170d3336303932
383230353034335a3072310b300906035504061302555331173015060355040a130e4d6f746f
726f6c612c20496e632e31153013060355040b130c57694d415820446576696365311c301a06
0355040b13134d6f746f726f6c6120504b492043656e746572311530130603550403130c3030
3139354543394430304530819f300d06092a864886f70d010101050003818d00308189028181
00e054813a6131a8ffa8212b75685f7e57c5e0f5194f33774b417b9d81178d7303e4983bf393
41386ccceac0cf3cd39da83ba27377b9dc3199edb43d4dd109d0
EAP-Message =
0x318893741855abca98290310bb50b41cc6e09d586c0ff98015f48ca02732b8f29f8e69661f
769e72690dcd3c71b1397a6cc235cbeff011123669c77eb24206171b0203010001a381a53081
a2300e0603551d0f0101ff0404030205a030200603551d250101ff0416301406082b06010505
07030206082b06010505070301301f0603551d23041830168014749ff62c2b6080531779a039
6d7784fdbad88865304d0603551d1f044630443042a040a03e863c687474703a2f2f7777772e
6174736563656e672e636f6d2f43524c2f4d6f746f57694d4158446576696365526f6f744341
2f6465766963652e63726c300d06092a864886f70d0101050500
EAP-Message =
0x038201010021be251ae9a0a1a428b5c9475eed95e4b5d9fc5493cd7ab2975a0344d39af891
9ace14bff5f39d2fb8aa235356d99e2b23d2ba1747cc383a2c4ae672c6ed98f8fce46043ff63
013ed19d6f6854c571ac22eb4725f45480b7983b93c8ee76114cad7ada64e32ae96ffc9b215f
68089bc11f2583194eee2d5dedb453868e9c688f3d48a0fbd2d5f0808c51b99e4967dc330200
8a2199c5bc2056ed2341140aff7389a2fdcbab3d5ce2ce9ce265cf1655263b9b8850c61b2199
fa4ac19fee01414de48b4b3955c213e4aa39571b2ff09713ae1a761e0b281d64f81e09ff8b65
fa47b39c54e0d8daf943c62040cc1ce13b950a4f340d4d918896
EAP-Message = 0xccf661e6b9980fdd16030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x797d6859978d85bd05c3d3563531b789
Tue May 10 12:28:23 2011 : Debug: Finished request 2
Tue May 10 12:28:23 2011 : Debug: Going to the next request
Tue May 10 12:28:23 2011 : Debug: Waking up in 3 seconds...
rad_recv: Access-Request packet from host 192.168.1.111:33102, id=188,
length=407
User-Name = "ABCDEFGHIJKL"
Calling-Station-Id = "\000\037\373"\214@"
NAS-IP-Address = 192.168.1.111
State = 0x797d6859978d85bd05c3d3563531b789
NAS-Port = 1
Framed-MTU = 1400
Service-Type = Framed-User
Called-Station-Id = "000084800711"
NAS-Identifier = "636170632D73632D70726F64"
NAS-Port-Type = 27
Attr-89 = 0x00
NWG-WiMAX-Capability = 0x000106312e3000020301
NWG-GMT-Time-Zone-Offset = 0x0000000000
NWG-BS-ID = 0x00000084800711
NWG-NSP-ID = 0x000001f9
EAP-Message =
0x02a000c41500160301008610000082008023d40d3c7050fd4d414fd95cc39d8a810fdc5b69
7b964512b3d1e1fee2c67bef3a77995ae8276347a07162e17fef80092e3ae3f6a9a33af95c79
0e37a01c4648e2702a16b3c72f778f21488658fa2fd9d6e013da3d0fb15654c9df9f1d8ade55
c0d94c8d05a022c2509602e93cfc688ecbb9c4ef5e622b4f8c14c356dcd6eef4140301000101
1603010028721f3b5868dd99ea3a9d91dc70f8da97cf8c817432503dce2b7a147446b932dd2d
96d683b9ce6ae0
Message-Authenticator = 0xb83011d6deee1bc5a068aca1cf7d3401
Sending Access-Challenge of id 188 to 192.168.1.111 port 33102
Session-Timeout = 64800
NWG-AAA-Session-Id = 0x00000001
Motorola-WiMAX-Convergence-Sublayer = 0x00
Motorola-WiMAX-Network-Domain-Name = "wimax.test"
Motorola-WiMAX-EMS-Address = 10.10.10.1
Motorola-WiMAX-NTP-Server = 0x0171c54402
Motorola-WiMAX-HO-SVC-CLASS = 0x02
Motorola-WiMAX-DNS-Server-IP-Address = 0x71c2250421c22522
Motorola-WiMAX-Service-Flows = "2|Default"
Motorola-WiMAX-VLAN-ID = 0x0111
Motorola-WiMAX-Maximum-Total-Bandwidth = 0x0000c3500000c350
Motorola-WiMAX-Maximum-Commit-Bandwidth = 0x0000c3500000c350
EAP-Message =
0x01a1003d1580000000331403010001011603010028c4fc69856441301a816285f1754f1b17
c76dce7f6a0452fc56f9975a51aa58b6babbf545b2c8b4a4
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa131f428a180d28e0d94a607853650a7
rad_recv: Access-Request packet from host 192.168.1.111:33102, id=189,
length=358
User-Name = "ABCDEFGHIJKL"
Calling-Station-Id = "\000\037\373"\214@"
NAS-IP-Address = 192.168.1.111
State = 0xa131f428a180d28e0d94a607853650a7
NAS-Port = 1
Framed-MTU = 1400
Service-Type = Framed-User
Called-Station-Id = "000084800711"
NAS-Identifier = "636170632D73632D70726F64"
NAS-Port-Type = 27
Attr-89 = 0x00
NWG-WiMAX-Capability = 0x000106312e3000020301
NWG-GMT-Time-Zone-Offset = 0x0000000000
NWG-BS-ID = 0x00000084800711
NWG-NSP-ID = 0x000001f9
EAP-Message =
0x02a10093150017030100886f506af88817f95f825287a053de88848946a8e8d5e919f0742d
42a8e8f7726d8d45374503e98fe12c9bba9a574e97b9e78018a011894d17ea6bb64913009155
6fb3f810250bdf0deac74be2ea6bfe7957284df32385b135cab5ab624f39f08ee91ae5f266e4
a5e0af9e032575bdd0ff182c8ceb229b331bf833b6b83cb50e77e148c0eceed741fa
Message-Authenticator = 0x682093618c0d9a0717464733d93bcafb
Sending Access-Challenge of id 189 to 192.168.1.111 port 33102
Session-Timeout = 64800
NWG-AAA-Session-Id = 0x00000001
Motorola-WiMAX-Convergence-Sublayer = 0x00
Motorola-WiMAX-Network-Domain-Name = "wimax.test"
Motorola-WiMAX-EMS-Address = 10.10.10.1
Motorola-WiMAX-NTP-Server = 0x0171c54402
Motorola-WiMAX-HO-SVC-CLASS = 0x02
Motorola-WiMAX-DNS-Server-IP-Address = 0x71c2250421c22522
Motorola-WiMAX-Service-Flows = "2|Default"
Motorola-WiMAX-VLAN-ID = 0x0111
Motorola-WiMAX-Maximum-Total-Bandwidth = 0x0000c3500000c350
Motorola-WiMAX-Maximum-Commit-Bandwidth = 0x0000c3500000c350
EAP-Message =
0x01a2005f1580000000551703010050ebd22c76d84467560a7c9ec2d14f85378b6a0198e137
820df6d48e338ae7df4e01ac57ee64ca1d63e8841c093bd8df4812b2309ee039a4e9402a595c
7363d31d58c17b61c20b49fab7182f38a5529517
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xbfb482684b5f736f6a4520780d45024c
Tue May 10 12:28:23 2011 : Debug: Finished request 4
Tue May 10 12:28:23 2011 : Debug: Going to the next request
Tue May 10 12:28:23 2011 : Debug: Waking up in 3 seconds...
rad_recv: Access-Request packet from host 192.168.1.111:33102, id=190,
length=217
User-Name = "ABCDEFGHIJKL"
Calling-Station-Id = "\000\037\373"\214@"
NAS-IP-Address = 192.168.1.111
State = 0xbfb482684b5f736f6a4520780d45024c
NAS-Port = 1
Framed-MTU = 1400
Service-Type = Framed-User
Called-Station-Id = "000084800711"
NAS-Identifier = "636170632D73632D70726F64"
NAS-Port-Type = 27
Attr-89 = 0x00
NWG-WiMAX-Capability = 0x000106312e3000020301
NWG-GMT-Time-Zone-Offset = 0x0000000000
NWG-BS-ID = 0x00000084800711
NWG-NSP-ID = 0x000001f9
EAP-Message = 0x02a200061500
Message-Authenticator = 0x01a65022fbcbf916e7db8a9aec5d11d6
Sending Access-Accept of id 190 to 192.168.1.111 port 33102
Session-Timeout = 64800
NWG-AAA-Session-Id = 0x00000001
Motorola-WiMAX-Convergence-Sublayer = 0x00
Motorola-WiMAX-Network-Domain-Name = "wimax.test"
Motorola-WiMAX-EMS-Address = 10.10.10.1
Motorola-WiMAX-NTP-Server = 0x0171c54402
Motorola-WiMAX-HO-SVC-CLASS = 0x02
Motorola-WiMAX-DNS-Server-IP-Address = 0x71c2250421c22522
Motorola-WiMAX-Service-Flows = "2|Default"
Motorola-WiMAX-VLAN-ID = 0x0111
Motorola-WiMAX-Maximum-Total-Bandwidth = 0x0000c3500000c350
Motorola-WiMAX-Maximum-Commit-Bandwidth = 0x0000c3500000c350
MS-MPPE-Recv-Key =
0xac420687cf25af1258037359ed46a9fb206ef03923fd295b058d7b7bb057bcc3
MS-MPPE-Send-Key =
0x53c8e311cf376e6d6482197c2c000c48cc09232f9c3ef821f2b393322da32db2
EAP-Message = 0x03a20004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "ABCDEFGHIJKL"
FREERADIUS 2: ACCESS ACCEPT MESSAGE NOK, Missing attributes
rad_recv: Access-Request packet from host 192.168.1.111 port 33096, id=169,
length=210
User-Name = "ABCDEFGHIJKL"
Calling-Station-Id = "\000\037\373\"\214@"
NAS-IP-Address = 192.168.1.111
NAS-Port = 1
Framed-MTU = 1400
Service-Type = Framed-User
Called-Station-Id = "000084800711"
NAS-Identifier = "636170632D73632D70726F64"
NAS-Port-Type = 27
Chargeable-User-Identity = ""
NWG-WiMAX-Capability = 0x000106312e3000020301
NWG-GMT-Time-Zone-Offset = 0x0000000000
NWG-BS-ID = 0x00000084800711
NWG-NSP-ID = 0x000001f9
EAP-Message = 0x0289001101423836313646303044333437
Message-Authenticator = 0x9f9f3cbb6a2b7487bfa5feba9e7191e9
Sending Access-Challenge of id 169 to 192.168.1.111 port 33096
Session-Timeout = 64800
NWG-AAA-Session-Id = 0x00000001
Motorola-WiMAX-Convergence-Sublayer = 0x00
Motorola-WiMAX-Network-Domain-Name = "wimax.test"
Motorola-WiMAX-EMS-Address = 10.10.10.1
Motorola-WiMAX-NTP-Server = 0x0171c54402
Motorola-WiMAX-HO-SVC-CLASS = 0x02
Motorola-WiMAX-DNS-Server-IP-Address = 0x71c2250421c22522
Motorola-WiMAX-Service-Flows = "2|Default"
Motorola-WiMAX-VLAN-ID = 0x0111
Motorola-WiMAX-Maximum-Total-Bandwidth = 0x0000c3500000c350
Motorola-WiMAX-Maximum-Commit-Bandwidth = 0x0000c3500000c350
EAP-Message = 0x018a00060d20
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x1f1aab301f90a699efb30c2336a4a7f8
rad_recv: Access-Request packet from host 192.168.1.111 port 33096, id=170,
length=217
User-Name = "ABCDEFGHIJKL"
Calling-Station-Id = "\000\037\373\"\214@"
NAS-IP-Address = 192.168.1.111
State = 0x1f1aab301f90a699efb30c2336a4a7f8
NAS-Port = 1
Framed-MTU = 1400
Service-Type = Framed-User
Called-Station-Id = "000084800711"
NAS-Identifier = "636170632D73632D70726F64"
NAS-Port-Type = 27
Chargeable-User-Identity = ""
NWG-WiMAX-Capability = 0x000106312e3000020301
NWG-GMT-Time-Zone-Offset = 0x0000000000
NWG-BS-ID = 0x00000084800711
NWG-NSP-ID = 0x000001f9
EAP-Message = 0x028a00060315
Message-Authenticator = 0x9bfe543a80d2b666c535ecec4716540c
Sending Access-Challenge of id 170 to 192.168.1.111 port 33096
Session-Timeout = 64800
NWG-AAA-Session-Id = 0x00000001
Motorola-WiMAX-Convergence-Sublayer = 0x00
Motorola-WiMAX-Network-Domain-Name = "wimax.test"
Motorola-WiMAX-EMS-Address = 10.10.10.1
Motorola-WiMAX-NTP-Server = 0x0171c54402
Motorola-WiMAX-HO-SVC-CLASS = 0x02
Motorola-WiMAX-DNS-Server-IP-Address = 0x71c2250421c22522
Motorola-WiMAX-Service-Flows = "2|Default"
Motorola-WiMAX-VLAN-ID = 0x0111
Motorola-WiMAX-Maximum-Total-Bandwidth = 0x0000c3500000c350
Motorola-WiMAX-Maximum-Commit-Bandwidth = 0x0000c3500000c350
EAP-Message = 0x018b00061520
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x1f1aab301e91be99efb30c2336a4a7f8
rad_recv: Access-Request packet from host 192.168.1.111 port 33096, id=171,
length=291
User-Name = "ABCDEFGHIJKL"
Calling-Station-Id = "\000\037\373\"\214@"
NAS-IP-Address = 192.168.1.111
State = 0x1f1aab301e91be99efb30c2336a4a7f8
NAS-Port = 1
Framed-MTU = 1400
Service-Type = Framed-User
Called-Station-Id = "000084800711"
NAS-Identifier = "636170632D73632D70726F64"
NAS-Port-Type = 27
Chargeable-User-Identity = ""
NWG-WiMAX-Capability = 0x000106312e3000020301
NWG-GMT-Time-Zone-Offset = 0x0000000000
NWG-BS-ID = 0x00000084800711
NWG-NSP-ID = 0x000001f9
EAP-Message =
0x028b0050150016030100450100004103010fc6de0dabfd728862b435215018375f0925555c
a0c3841817c989017b4e208a00001a0015001600330009000a002f000700670039006b003c00
35003d0100
Message-Authenticator = 0xe8a191b0ed61fc61e1d2ef3bdaf83cc3
Tue May 10 12:32:06 2011 : Debug: rlm_wimax: Fixing WiMAX binary
Calling-Station-Id to 00-1f-fb-22-8c-40
Tue May 10 12:32:06 2011 : Info: ++[wimax] returns ok
Tue May 10 12:32:06 2011 : Info: [suffix] No '@' in User-Name =
"ABCDEFGHIJKL", looking up realm NULL
Tue May 10 12:32:06 2011 : Info: [eap] Request found, released from the list
Tue May 10 12:32:06 2011 : Info: [eap] EAP/ttls
Tue May 10 12:32:06 2011 : Info: [eap] processing type ttls
Tue May 10 12:32:06 2011 : Info: [ttls] Authenticate
Tue May 10 12:32:06 2011 : Info: [ttls] processing EAP-TLS
Tue May 10 12:32:06 2011 : Info: [ttls] eaptls_verify returned 7
Tue May 10 12:32:06 2011 : Info: [ttls] Done initial handshake
Tue May 10 12:32:06 2011 : Info: [ttls] (other): before/accept
initialization
Tue May 10 12:32:07 2011 : Info: [ttls] TLS_accept: before/accept
initialization
Tue May 10 12:32:07 2011 : Info: [ttls] <<< TLS 1.0 Handshake [length 0045],
ClientHello
Tue May 10 12:32:07 2011 : Info: [ttls] TLS_accept: SSLv3 read client
hello A
Tue May 10 12:32:07 2011 : Info: [ttls] >>> TLS 1.0 Handshake [length 002a],
ServerHello
Tue May 10 12:32:07 2011 : Info: [ttls] TLS_accept: SSLv3 write server
hello A
Tue May 10 12:32:07 2011 : Info: [ttls] >>> TLS 1.0 Handshake [length 07a4],
Certificate
Tue May 10 12:32:07 2011 : Info: [ttls] TLS_accept: SSLv3 write
certificate A
Tue May 10 12:32:07 2011 : Info: [ttls] >>> TLS 1.0 Handshake [length 018d],
ServerKeyExchange
Tue May 10 12:32:07 2011 : Info: [ttls] TLS_accept: SSLv3 write key
exchange A
Tue May 10 12:32:07 2011 : Info: [ttls] >>> TLS 1.0 Handshake [length 0004],
ServerHelloDone
Tue May 10 12:32:07 2011 : Info: [ttls] TLS_accept: SSLv3 write server
done A
Tue May 10 12:32:07 2011 : Info: [ttls] TLS_accept: SSLv3 flush data
Tue May 10 12:32:07 2011 : Info: [ttls] TLS_accept: Need to read more
data: SSLv3 read client certificate A
Tue May 10 12:32:07 2011 : Debug: In SSL Handshake Phase
Tue May 10 12:32:07 2011 : Debug: In SSL Accept mode
Tue May 10 12:32:07 2011 : Info: [ttls] eaptls_process returned 13
Tue May 10 12:32:07 2011 : Info: ++[eap] returns handled
Sending Access-Challenge of id 171 to 192.168.1.111 port 33096
EAP-Message =
0x018c057415c000000973160301002a0200002603014dc9bce7d40cda888a43688210a00314
9c994d366a65124da0269c9e686e5c220000150016030107a40b0007a000079d0003c9308203
c53082032ea003020102020102300d06092a864886f70d01010505003081a5310b3009060355
04061302504631193017060355040813104672656e636820506f6c796e65736961310f300d06
035504071306546168697469310d300b060355040a13045669546931253023060355040b131c
566954692043657274696669636174696f6e20417574686f726974793110300e060355040313
07566954692043413122302006092a864886f70d010901161373
EAP-Message =
0x75706572766973696f6e40766974692e7066301e170d3131303531303139303630305a170d
3231303531303139303530305a3081a4310b3009060355040613025046311930170603550408
13104672656e636820506f6c796e65736961310f300d06035504071306546168697469310d30
0b060355040a1304566954693120301e060355040b1317566954692044657669636520436572
7469666963617465311430120603550403130b56695469204465766963653122302006092a86
4886f70d01090116137375706572766973696f6e40766974692e706630819f300d06092a8648
86f70d010101050003818d0030818902818100cf146e3aec377c
EAP-Message =
0xf2e1bec0453263b1b4127e0027a8adb9c3b4ccef2b8d855c0f961a7a25d10150dd7a33aa19
1576f0f33d2caf6645138cc5e8746320af632696db3a13daccc1a48eae75162b2eba2a9458a5
4d005203f2c70380c3be402b08118a92bee2c0325459cd31e666bd160a5d479adaaa079aa683
ae42ce4f5d05c9210203010001a38201023081ff30090603551d1304023000301d0603551d0e
04160414a4c6acab08366f6bb61fd9b8a4ed15b92112846c3081d20603551d230481ca3081c7
80148e5db1d2720ee7812a816ef4617fab6a05fbe5cda181aba481a83081a5310b3009060355
04061302504631193017060355040813104672656e636820506f
EAP-Message =
0x6c796e65736961310f300d06035504071306546168697469310d300b060355040a13045669
546931253023060355040b131c566954692043657274696669636174696f6e20417574686f72
6974793110300e06035504031307566954692043413122302006092a864886f70d0109011613
7375706572766973696f6e40766974692e7066820101300d06092a864886f70d010105050003
8181005851ca7ba587bbd42a7be05bb08e6b5498828d647ea5dde26637c7534f7744aa6b4f66
d4b74d32445c14cf62aa98ee96d0ba6315eddbbfa2aa53d572c42cfa9a833f527082a874beae
39d5afce6a81c86b2538ddabb7186f2bd1ed3dc041b15a15387b
EAP-Message =
0xeb64a2f8b9f7eb4f88196b08bea65dd215b15c8257c7164f86f99298190003ce308203ca30
820333a003020102020101300d06092a864886f70d01010505003081a5310b30090603550406
1302504631193017060355040813104672656e636820506f6c796e65736961310f300d060355
04071306546168697469310d300b060355040a13045669546931253023060355040b131c5669
54692043657274696669636174696f6e20417574686f726974793110300e0603550403130756
6954692043413122302006092a864886f70d01090116137375706572766973696f6e40766974
692e7066301e170d3131303531303139303530305a170d323130
EAP-Message =
0x3531303139303530305a3081a5310b30090603550406130250463119301706035504081310
4672656e636820506f6c796e65736961310f300d06035504071306546168697469310d300b06
0355040a13045669546931253023060355040b131c566954692043657274696669636174696f
6e20417574686f726974793110300e060355
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x1f1aab301d96be99efb30c2336a4a7f8
rad_recv: Access-Request packet from host 192.168.1.111 port 33096, id=172,
length=217
User-Name = "ABCDEFGHIJKL"
Calling-Station-Id = "\000\037\373\"\214@"
NAS-IP-Address = 192.168.1.111
State = 0x1f1aab301d96be99efb30c2336a4a7f8
NAS-Port = 1
Framed-MTU = 1400
Service-Type = Framed-User
Called-Station-Id = "000084800711"
NAS-Identifier = "636170632D73632D70726F64"
NAS-Port-Type = 27
Chargeable-User-Identity = ""
NWG-WiMAX-Capability = 0x000106312e3000020301
NWG-GMT-Time-Zone-Offset = 0x0000000000
NWG-BS-ID = 0x00000084800711
NWG-NSP-ID = 0x000001f9
EAP-Message = 0x028c00061500
Message-Authenticator = 0x4feb13773e367f2f9bb82e5476b30c4e
Tue May 10 12:32:07 2011 : Info: [eap] EAP/ttls
Tue May 10 12:32:07 2011 : Info: [eap] processing type ttls
Tue May 10 12:32:07 2011 : Info: [ttls] Authenticate
Tue May 10 12:32:07 2011 : Info: [ttls] processing EAP-TLS
Tue May 10 12:32:07 2011 : Info: [ttls] Received TLS ACK
Tue May 10 12:32:07 2011 : Info: [ttls] ACK handshake fragment handler
Tue May 10 12:32:07 2011 : Info: [ttls] eaptls_verify returned 1
Tue May 10 12:32:07 2011 : Info: [ttls] eaptls_process returned 13
Tue May 10 12:32:07 2011 : Info: ++[eap] returns handled
Sending Access-Challenge of id 172 to 192.168.1.111 port 33096
EAP-Message =
0x018d041315800000097304031307566954692043413122302006092a864886f70d01090116
137375706572766973696f6e40766974692e706630819f300d06092a864886f70d0101010500
03818d0030818902818100b7ac51ec399b15d7cf0643216d5306d93aa4452657d7fbe44d1fa3
1af4075d73a4a3a35ef85ae05c447ffa77af62936416062468c17c15786ae6ee8550515693f0
c7f65607bf195f36099fe3d109055734f0ed3cff4aee4dc47f151985ba949b3f5a3777cae7b0
524d668f2037ebba783780f2713dadbf11a705f98de8c0a21b0203010001a382010630820102
300c0603551d13040530030101ff301d0603551d0e041604148e
EAP-Message =
0x5db1d2720ee7812a816ef4617fab6a05fbe5cd3081d20603551d230481ca3081c780148e5d
b1d2720ee7812a816ef4617fab6a05fbe5cda181aba481a83081a5310b300906035504061302
504631193017060355040813104672656e636820506f6c796e65736961310f300d0603550407
1306546168697469310d300b060355040a13045669546931253023060355040b131c56695469
2043657274696669636174696f6e20417574686f726974793110300e06035504031307566954
692043413122302006092a864886f70d01090116137375706572766973696f6e40766974692e
7066820101300d06092a864886f70d01010505000381810090c8
EAP-Message =
0x0c65f81c8ceb5b62904cff1b80456c04f697c3adc26a164949a51dfdfdd3edc5f3533a9c66
f49823621c06ba4a3b336f79bb2359cf9f141a1f56d32461dc5b035ccdf96bcc0f9a8a16f59b
6fe8ad12eb5e52d2f0e801a502b003623d3e58a857cdff666ab7109ba20d97374cf24605ba50
4399f3fa0aa349a78d2690c75e160301018d0c000189008096c63659641fe69224a150344e09
f5640eff816b755ed2919b4abdd624f52b357de4d8eed363296dec7f49cab77e5d3fa71100a6
31ea006653da6da4b01b5ef0a8716ac1f8358a78d24862c2b79390e0e94a8e31c4192197b95f
eaa631910015d7494823fa06817313a5f9e7cb46982abc4a59a1
EAP-Message =
0x98eb701ea03966bc5233a08300010200803b555aa3c5417163d1d890a41131b06ad88dfef4
9ffd1fc3c2547845112efce1b818a21b6ed46bad7ae412cd100a23b10162c372ec7f618dbd1f
50812450f4b60addefc8fb2698a27fbbc5abdc1a5eb137aec15bdccd596b1d52d1d69ef9f206
4f0be3de750413eb6508f19c8e2cf4807f57e1e3aaef4232d1c4f5f6450e6c980080ae642d91
204dc58bcf2de45a3a2dcc1a92ffcdfeb5d9bc1832e969528b42b5b0b12350a995e1219874f5
0717be1cb7f42f4d7a664134d1a479e34ae3ee7f0136dff6b37edc3021ad865783e0a868f23b
2ffcee78f99b32d2d4f16db950159c29964d51711b82826258d9
EAP-Message =
0xbd4a4e36d91b7047288f4f78254763134f61152f942816030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x1f1aab301c97be99efb30c2336a4a7f8
rad_recv: Access-Request packet from host 192.168.1.111 port 33096, id=173,
length=407
User-Name = "ABCDEFGHIJKL"
Calling-Station-Id = "\000\037\373\"\214@"
NAS-IP-Address = 192.168.1.111
State = 0x1f1aab301c97be99efb30c2336a4a7f8
NAS-Port = 1
Framed-MTU = 1400
Service-Type = Framed-User
Called-Station-Id = "000084800711"
NAS-Identifier = "636170632D73632D70726F64"
NAS-Port-Type = 27
Chargeable-User-Identity = ""
NWG-WiMAX-Capability = 0x000106312e3000020301
NWG-GMT-Time-Zone-Offset = 0x0000000000
NWG-BS-ID = 0x00000084800711
NWG-NSP-ID = 0x000001f9
EAP-Message =
0x028d00c415001603010086100000820080041043d5921043658e7021b4dc0c4766668c5254
518f4c66ef3aee6c5b050bd710b8a99b4d2efed361a5aee69673ee2f497ea993705b8ca5c95a
b86e00d96882a9e249b225b91bf7ce5ed734164ac29e17fc55de89e345444bd241a875e22d4c
51b6fb7318e376938005ed77138d2836b648a59c38cb0ebd681998473d06ad57140301000101
1603010028fb9cb199122793285220fa9435f91dfe2c8106081c1761645cde53593aa9bc0104
ebccc13f74afee
Message-Authenticator = 0x72753965c681bd3edfb36ef6b39909ae
Tue May 10 12:32:07 2011 : Info: +- entering group authorize {...}
Tue May 10 12:32:07 2011 : Info: ++[preprocess] returns ok
Tue May 10 12:32:07 2011 : Info: [auth_log] expand: %t -> Tue May 10
12:32:07 2011
Tue May 10 12:32:07 2011 : Info: ++[auth_log] returns ok
Tue May 10 12:32:07 2011 : Info: ++[chap] returns noop
Tue May 10 12:32:07 2011 : Info: ++[mschap] returns noop
Tue May 10 12:32:07 2011 : Debug: rlm_wimax: Fixing WiMAX binary
Calling-Station-Id to 00-1f-fb-22-8c-40
Tue May 10 12:32:07 2011 : Info: ++[wimax] returns ok
Tue May 10 12:32:07 2011 : Info: [eap] EAP/ttls
Tue May 10 12:32:07 2011 : Info: [eap] processing type ttls
Tue May 10 12:32:07 2011 : Info: [ttls] Authenticate
Tue May 10 12:32:07 2011 : Info: [ttls] processing EAP-TLS
Tue May 10 12:32:07 2011 : Info: [ttls] eaptls_verify returned 7
Tue May 10 12:32:07 2011 : Info: [ttls] Done initial handshake
Tue May 10 12:32:07 2011 : Info: [ttls] <<< TLS 1.0 Handshake [length 0086],
ClientKeyExchange
Tue May 10 12:32:07 2011 : Info: [ttls] TLS_accept: SSLv3 read client
key exchange A
Tue May 10 12:32:07 2011 : Info: [ttls] <<< TLS 1.0 ChangeCipherSpec [length
0001]
Tue May 10 12:32:07 2011 : Info: [ttls] <<< TLS 1.0 Handshake [length 0010],
Finished
Tue May 10 12:32:07 2011 : Info: [ttls] TLS_accept: SSLv3 read finished
A
Tue May 10 12:32:07 2011 : Info: [ttls] >>> TLS 1.0 ChangeCipherSpec [length
0001]
Tue May 10 12:32:07 2011 : Info: [ttls] TLS_accept: SSLv3 write change
cipher spec A
Tue May 10 12:32:07 2011 : Info: [ttls] >>> TLS 1.0 Handshake [length 0010],
Finished
Tue May 10 12:32:07 2011 : Info: [ttls] TLS_accept: SSLv3 write finished
A
Tue May 10 12:32:07 2011 : Info: [ttls] TLS_accept: SSLv3 flush data
Tue May 10 12:32:07 2011 : Info: [ttls] (other): SSL negotiation
finished successfully
Tue May 10 12:32:07 2011 : Debug: SSL Connection Established
Tue May 10 12:32:07 2011 : Info: [ttls] eaptls_process returned 13
Tue May 10 12:32:07 2011 : Info: ++[eap] returns handled
Sending Access-Challenge of id 173 to 192.168.1.111 port 33096
EAP-Message =
0x018e003d158000000033140301000101160301002836597205ba27c7eb6f6c282853dfcd01
b4a82000561ad791379a623c527aabadff705be58f4392b9
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x1f1aab301b94be99efb30c2336a4a7f8
rad_recv: Access-Request packet from host 192.168.1.111 port 33096, id=174,
length=358
User-Name = "ABCDEFGHIJKL"
Calling-Station-Id = "\000\037\373\"\214@"
NAS-IP-Address = 192.168.1.111
State = 0x1f1aab301b94be99efb30c2336a4a7f8
NAS-Port = 1
Framed-MTU = 1400
Service-Type = Framed-User
Called-Station-Id = "000084800711"
NAS-Identifier = "636170632D73632D70726F64"
NAS-Port-Type = 27
Chargeable-User-Identity = ""
NWG-WiMAX-Capability = 0x000106312e3000020301
NWG-GMT-Time-Zone-Offset = 0x0000000000
NWG-BS-ID = 0x00000084800711
NWG-NSP-ID = 0x000001f9
EAP-Message =
0x028e0093150017030100880c7f64a5f5184085fb897a83be464d3c99883f7949f8c30d76e7
09e44c3154dcd14dbdcc0f76ef33368959613f398b868bf96f797187b9edcc0a280b20994284
6660822fd2efa60ea39da6ada99dc8ce28cc7caaaaa26fd10308af7fbf16d1421e4cda944739
bddeb2474188f0017d24ec3f657301733ddd1229c0a031a2462ee9cfc5f67e2d0df5
Message-Authenticator = 0x0f0f1ba3f356aa9b52e19c3f338f57f9
Tue May 10 12:32:07 2011 : Debug: rlm_wimax: Fixing WiMAX binary
Calling-Station-Id to 00-1f-fb-22-8c-40
Tue May 10 12:32:07 2011 : Info: ++[wimax] returns ok
Tue May 10 12:32:07 2011 : Info: [suffix] No '@' in User-Name =
"ABCDEFGHIJKL", looking up realm NULL
Tue May 10 12:32:07 2011 : Info: [eap] EAP/ttls
Tue May 10 12:32:07 2011 : Info: [eap] processing type ttls
Tue May 10 12:32:07 2011 : Info: [ttls] Authenticate
Tue May 10 12:32:07 2011 : Info: [ttls] processing EAP-TLS
Tue May 10 12:32:07 2011 : Info: [ttls] eaptls_verify returned 7
Tue May 10 12:32:07 2011 : Info: [ttls] Done initial handshake
Tue May 10 12:32:07 2011 : Info: [ttls] eaptls_process returned 7
Tue May 10 12:32:07 2011 : Info: [ttls] Session established. Proceeding to
decode tunneled attributes.
Tue May 10 12:32:07 2011 : Info: [ttls] Got tunneled request
User-Name = "usertest"
MS-CHAP-Challenge = 0x4f40452a49e66f3394fe5472d7a6c8a3
MS-CHAP2-Response =
0x730014ff97bffc0a475fbe7d800f95b76e9e00000000000000008873ec5c5e2f2abe748678
133c983a865c80980b3b532e24
FreeRADIUS-Proxied-To = 127.0.0.1
Tue May 10 12:32:07 2011 : Info: [ttls] Sending tunneled request
User-Name = "usertest"
MS-CHAP-Challenge = 0x4f40452a49e66f3394fe5472d7a6c8a3
MS-CHAP2-Response =
0x730014ff97bffc0a475fbe7d800f95b76e9e00000000000000008873ec5c5e2f2abe748678
133c983a865c80980b3b532e24
FreeRADIUS-Proxied-To = 127.0.0.1
server inner-tunnel {
Tue May 10 12:32:07 2011 : Info: [mschap] Told to do MS-CHAPv2 for usertest
with NT-Password
Tue May 10 12:32:07 2011 : Info: [mschap] adding MS-CHAPv2 MPPE keys
Tue May 10 12:32:07 2011 : Info: ++[mschap] returns ok
Tue May 10 12:32:07 2011 : Info: WARNING: Empty section. Using default
return values.
} # server inner-tunnel
Tue May 10 12:32:07 2011 : Info: [ttls] Got tunneled reply code 2
MS-CHAP2-Success =
0x73533d45434435323936393145304539454433384342423831354245354644433446384631
384533454139
MS-MPPE-Recv-Key = 0x2dacf31b4e71f823de59fbab96d683d3
MS-MPPE-Send-Key = 0x4e126126cbeee506002c7e8b418b7c37
MS-MPPE-Encryption-Policy = 0x00000001
MS-MPPE-Encryption-Types = 0x00000006
Tue May 10 12:32:07 2011 : Info: [ttls] Got tunneled Access-Accept
Tue May 10 12:32:07 2011 : Info: [ttls] Got MS-CHAP2-Success, tunneling it
to the client in a challenge.
Tue May 10 12:32:07 2011 : Info: ++[eap] returns handled
Sending Access-Challenge of id 174 to 192.168.1.111 port 33096
EAP-Message =
0x018f005f1580000000551703010050a7dd22c4c960fac1b93edcce9e2caa6bc6cd1c3daf00
b30b64cb7ca999bac133b6bf01f33f00c8848a60de395ec93a2abaa09cd35fbaaf4e357c8cd1
4ab7e499121d53cb61cd60ad8e4efc534b0a1b5b
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x1f1aab301a95be99efb30c2336a4a7f8
Tue May 10 12:32:07 2011 : Info: Finished request 8.
Tue May 10 12:32:07 2011 : Debug: Going to the next request
Tue May 10 12:32:07 2011 : Debug: Waking up in 1.3 seconds.
rad_recv: Access-Request packet from host 192.168.1.111 port 33096, id=175,
length=217
User-Name = "ABCDEFGHIJKL"
Calling-Station-Id = "\000\037\373\"\214@"
NAS-IP-Address = 192.168.1.111
State = 0x1f1aab301a95be99efb30c2336a4a7f8
NAS-Port = 1
Framed-MTU = 1400
Service-Type = Framed-User
Called-Station-Id = "000084800711"
NAS-Identifier = "636170632D73632D70726F64"
NAS-Port-Type = 27
Chargeable-User-Identity = ""
NWG-WiMAX-Capability = 0x000106312e3000020301
NWG-GMT-Time-Zone-Offset = 0x0000000000
NWG-BS-ID = 0x00000084800711
NWG-NSP-ID = 0x000001f9
EAP-Message = 0x028f00061500
Message-Authenticator = 0x39b7c4e6f117eeb2972893b5de5fa739
Tue May 10 12:32:07 2011 : Info: +- entering group authorize {...}
Tue May 10 12:32:07 2011 : Info: ++[preprocess] returns ok
Tue May 10 12:32:07 2011 : Info: ++[chap] returns noop
Tue May 10 12:32:07 2011 : Info: ++[mschap] returns noop
Tue May 10 12:32:07 2011 : Debug: rlm_wimax: Fixing WiMAX binary
Calling-Station-Id to 00-1f-fb-22-8c-40
Tue May 10 12:32:07 2011 : Info: ++[wimax] returns ok
Tue May 10 12:32:07 2011 : Info: [eap] Freeing handler
Tue May 10 12:32:07 2011 : Info: ++[eap] returns ok
Tue May 10 12:32:07 2011 : Info: [wimax] MIP-RK =
0xb53187ac09a8638b39ccece5d545ddcddfe9039dd4ca0d87fbfb11eb8d28bfed72fd0b846c
b227a4bfef736b776521f1f9f65399d97663622de78645392e829a
Tue May 10 12:32:07 2011 : Info: [wimax] MIP-SPI = c3962fc7
Tue May 10 12:32:07 2011 : Info: [wimax] WARNING: WiMAX-MN-NAI was not found
in the request or in the reply.
Tue May 10 12:32:07 2011 : Info: [wimax] WARNING: We cannot calculate MN-HA
keys.
Tue May 10 12:32:07 2011 : Info: [wimax] WARNING: WiMAX-IP-Technology not
found in reply.
Tue May 10 12:32:07 2011 : Info: [wimax] WARNING: Not calculating MN-HA keys
Tue May 10 12:32:07 2011 : Info: ++[wimax] returns updated
Sending Access-Accept of id 175 to 192.168.1.111 port 33096
MS-MPPE-Recv-Key =
0x6ac20e0ae330ec47259e11c1c88604adaf0bf8b2fed16dcd36676a114f989c50
MS-MPPE-Send-Key =
0x6c6881e76c18bae61afc53895744ccee92b7c95acc83cff8f59fcad428930e68
EAP-Message = 0x038f0004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "ABCDEFGHIJKL"
If you have some clues please let me know.
Regards,
2
1
Hi,
I would like to setup LDAP module with different settings for different
clients.
How can I do this?
Can I setup multiple LDAP module settings and specify which one I would like
to use for a site or client?
Can I define some of the LDAP settings inside the site or client config?
thanks,
Herbert
3
5
MSCHAP / NTLM_AUTH failure on "expired" AD password; out of sync cached creds / AD password.
by Gary Gatten 13 May '11
by Gary Gatten 13 May '11
13 May '11
Hello,
We're struggling with Windows 7 and PEAP/MSCHAP auth.. There are several scenarios where ones AD password will expire. FR is configured to send the auth request to AD (MSCHAP only, Aruba terminates PEAP) using NTLM_AUTH. If the password is not expired everything works great. If it IS expired, MSCHAP (or NTLM_AUTH) "seems" to always return a reject. Now, users should NOT allow their password to expire - but we all know it happens. Also, with new users an account is created with a temp / one time password and their account is set to "user must change password at first logon". This results in a similar failure - the supplicant never pops a box prompting to CHANGE password, it just prompts to reenter because of the failure - which is obviously worthless.
I THOUGHT MSCHAPv2 can recognize a "password expired" state and actually allow a user to change it via MSCHAPv2 functions. Is this not correct, or are there settings in AD or the ntlm_auth/samba I need to tweak? Or should I be using LDAP? And will it work at all using a "basic" MS supplicant, or do I need a third party one that handles this better?
We have a similar failure when the laptops "cached credentials" are out of sync with AD. Ie, the user changed their AD password using their desktop on Friday. Monday AM they bring in their laptop and try to login. Well, it's not "connected" to the domain, so they enter their old password just to get access to their laptop. So far so good, until the supplicant (which is configured to "use my windows login info" ) grabs the old password and tries to auth - which of course fails because it's the old (now incorrect) password. There seems to be some bug with Windows 7, because it WILL pop a box to allow the user to manually enter a password, but even when the new / correct password is entered - MSCHAP/NTLM_AUTH STILL fails. It's as if even though Windows 7 pops the box and allows one to enter a different password, it ignores it and ALWAYS uses the windows login credentials - which are invalid. FWIW: if we REQUIRE the user to ALWAYS enter their credentials (don't try to use windows) I THINK everything works OK, BUT the powers that be say it's unacceptable for a user to have to login twice - once to "windows" and then again to the "network".
My colleague has been messing with this for many hours to no avail. I've spent several hours myself trying various configs, googling, etc. Tomorrow I intend to take a more controlled / methodical approach to the testing scenarios and see what that may reveal. In the mean time any advice would be greatly appreciated. SURELY we're not the only ones to encounter this - it's a pretty common environment. I don't THINK the problem, or at least the same problem exist on XP - but I'm not 100% sure at this point. FR is 2.1.10 and Samba is 3.0.33-3.7.el5. I THINK our DC's are running 2003.
Below are FR debugs for (3) auth attempts, (1) success and (2) failures... I expected the middle (2nd) request to fail, 'cause windows automatically tried using the old/wrong creds - but the last / 3rd attempt should have worked...
TIA - Gary
#Working
rad_recv: Access-Request packet from host 1.1.2.4 port 33350, id=50, length=241
NAS-IP-Address = 1.1.2.4
NAS-Port = 0
NAS-Port-Type = Wireless-802.11
User-Name = "netengtest"
Calling-Station-Id = "58946BB9F738"
Called-Station-Id = "000B8661BF34"
MS-CHAP-Challenge = 0x65f0e3833007ea3603cb7a74a97d905a
MS-CHAP2-Response = 0x0600c3fb5dab7b3c82d77669020e64574a790000000000000000b656fe75b45fb03fcdb6cd0c1e7675da77b79296fb32e768
Service-Type = Login-User
Aruba-Essid-Name = "Bob"
Aruba-Location-Id = "00:24:6c:c3:43:d3"
NAS-Identifier = "Aruba-WLAN-1"
Message-Authenticator = 0x43ab558afb7057dd052430f8829bf0e1
# Executing section authorize from file /devel/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
++[mschap] returns ok
++[digest] returns noop
[suffix] No '@' in User-Name = "netengtest", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = MSCHAP
# Executing group from file /devel/sites-enabled/default
+- entering group MS-CHAP {...}
[mschap] Creating challenge hash with username: netengtest
[mschap] Told to do MS-CHAPv2 for netengtest with NT-Password
[mschap] expand: %{mschap:User-Name} -> netengtest
[mschap] expand: --username=%{%{mschap:User-Name}:-%{User-Name:-None}} -> --username=netengtest
[mschap] mschap2: 65
[mschap] Creating challenge hash with username: netengtest
[mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=80f102377e0b1914
[mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=b656fe75b45fb03fcdb6cd0c1e7675da77b79296fb32e768
Exec-Program output: NT_KEY: B2E9713382580CAFC4C5EAE9B83F6461
Exec-Program-Wait: plaintext: NT_KEY: B2E9713382580CAFC4C5EAE9B83F6461
Exec-Program: returned: 0
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
# Executing section post-auth from file /devel/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 50 to 1.1.2.4 port 33350
MS-CHAP2-Success = 0x06533d38383935363335453339443030353230304644393132383945323846323245424242423042453530
MS-MPPE-Recv-Key = 0xc5abbc0bad0bf488c01523801f46f494
MS-MPPE-Send-Key = 0x48e3498b39788d95b47add261796c57d
MS-MPPE-Encryption-Policy = 0x00000001
MS-MPPE-Encryption-Types = 0x00000006
Finished request 4.
#Not Working, windows auto retry
rad_recv: Access-Request packet from host 1.1.2.4 port 33350, id=51, length=249
NAS-IP-Address = 1.1.2.4
NAS-Port = 0
NAS-Port-Type = Wireless-802.11
User-Name = "WADDELL\\netengtest"
Calling-Station-Id = "58946BB9F738"
Called-Station-Id = "000B8661BF34"
MS-CHAP-Challenge = 0x311d0b69fd0ee15bf605dda7b0c7da0e
MS-CHAP2-Response = 0x06008b488ab132a5a2ee7d3051bf0f75858700000000000000003bc8b876f0e5171fc2aef6667fbe2a038cb846368d395fa5
Service-Type = Login-User
Aruba-Essid-Name = "Bob"
Aruba-Location-Id = "00:24:6c:c3:43:d3"
NAS-Identifier = "Aruba-WLAN-1"
Message-Authenticator = 0x9f6bc9ad403b95afd3506155e9e44761
# Executing section authorize from file /devel/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
++[mschap] returns ok
++[digest] returns noop
[suffix] No '@' in User-Name = "WADDELL\netengtest", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = MSCHAP
# Executing group from file /devel/sites-enabled/default
+- entering group MS-CHAP {...}
[mschap] Creating challenge hash with username: netengtest
[mschap] Told to do MS-CHAPv2 for netengtest with NT-Password
[mschap] expand: %{mschap:User-Name} -> netengtest
[mschap] expand: --username=%{%{mschap:User-Name}:-%{User-Name:-None}} -> --username=netengtest
[mschap] mschap2: 31
[mschap] Creating challenge hash with username: netengtest
[mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=c118e8c6818033b1
[mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=3bc8b876f0e5171fc2aef6667fbe2a038cb846368d395fa5
Exec-Program output: Logon failure (0xc000006d)
Exec-Program-Wait: plaintext: Logon failure (0xc000006d)
Exec-Program: returned: 1
[mschap] External script failed.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /devel/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> WADDELL\netengtest
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 5 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 5
Sending Access-Reject of id 51 to 1.1.2.4 port 33350
#Not Working, Manually entered password
rad_recv: Access-Request packet from host 1.1.2.4 port 33350, id=52, length=249
NAS-IP-Address = 1.1.2.4
NAS-Port = 0
NAS-Port-Type = Wireless-802.11
User-Name = "WADDELL\\netengtest"
Calling-Station-Id = "58946BB9F738"
Called-Station-Id = "000B8661BF34"
MS-CHAP-Challenge = 0xda7118673bd18b3563feedff1107cc3f
MS-CHAP2-Response = 0x070026aa6bd893de1a79db494843ad54b22e0000000000000000844ffd37fcda8bb1053320572de943678762ac51805a9170
Service-Type = Login-User
Aruba-Essid-Name = "Bob"
Aruba-Location-Id = "00:24:6c:c3:43:d3"
NAS-Identifier = "Aruba-WLAN-1"
Message-Authenticator = 0xd61275e77c4c589d7dea376d07ed6a57
# Executing section authorize from file /devel/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
++[mschap] returns ok
++[digest] returns noop
[suffix] No '@' in User-Name = "WADDELL\netengtest", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = MSCHAP
# Executing group from file /devel/sites-enabled/default
+- entering group MS-CHAP {...}
[mschap] Creating challenge hash with username: netengtest
[mschap] Told to do MS-CHAPv2 for netengtest with NT-Password
[mschap] expand: %{mschap:User-Name} -> netengtest
[mschap] expand: --username=%{%{mschap:User-Name}:-%{User-Name:-None}} -> --username=netengtest
[mschap] mschap2: da
[mschap] Creating challenge hash with username: netengtest
[mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=a2e2cf9f927f511c
[mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=844ffd37fcda8bb1053320572de943678762ac51805a9170
Exec-Program output: Logon failure (0xc000006d)
Exec-Program-Wait: plaintext: Logon failure (0xc000006d)
Exec-Program: returned: 1
[mschap] External script failed.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /devel/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> WADDELL\netengtest
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 6 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 6
Sending Access-Reject of id 52 to 1.1.2.4 port 33350
Waking up in 4.9 seconds.
<font size="1">
<div style='border:none;border-bottom:double windowtext 2.25pt;padding:0in 0in 1.0pt 0in'>
</div>
"This email is intended to be reviewed by only the intended recipient
and may contain information that is privileged and/or confidential.
If you are not the intended recipient, you are hereby notified that
any review, use, dissemination, disclosure or copying of this email
and its attachments, if any, is strictly prohibited. If you have
received this email in error, please immediately notify the sender by
return email and delete this email from your system."
</font>
3
4
Hello
I want to create radacct, radacct_2010 and radacct_2011 as an inherited
childs and the trigger that will separate acc records by year in year
tables. With postauth is simple enough cause it has postauthdate as a single
timestamp and the radacct has the stoptime and starttime columns. Any advice
is welcome.
t.
--
View this message in context: http://freeradius.1045715.n5.nabble.com/freeradius-radacct-table-postgres-t…
Sent from the FreeRadius - User mailing list archive at Nabble.com.
1
0
I've been searching the docs/wiki, and can't seem to find an answer to
this...
what variables are available to store in the rad post auth?
the sql query shows username, password, reply and date/time...
Sorry if this is documented somewhere, I just couldn't find it.
Steve
3
6
Has anyone been able to get the Alvarion BreezeMAX to apply a service
profile for a subscriber through radius?
or has anyone been able to get debug logging out of the BreezeMAX perhaps
via syslog?
I believe I've got the service interfaces, service groups etc configured the
same in both products.
The BreezeMAX works if I disable RADIUS but doesn't work with the following
radius reply.
The following access accept works with the Alvarion 4Motion product but not
with the BreezeMAX.
Sending Access-Accept of id 13 to 10.12.15.50 port 49154
Session-Timeout = 3600
Termination-Action = RADIUS-Request
Filter-Id = "SP1"
EAP-Message = 0x03080004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "{am=1}test(a)test.com.au"
WiMAX-MSK =
0x18bffebb46ac2e95ee730b7ecc0eaa5eb4b586fe29e5113f97f1ab794b4405f9d77aaa432c
bb91eb9e4d3ea7e65dded2bb765e18491c62530cf3edee80c644a1
4
4
I have downloaded and installed the git repo version of what will become
2.1.11 on May 10 because of a proxy bug that is fixed in this version.
In our current testing setup freeradius takes all information from the
realm and passes in to a MS network policy server for authentication
into AD. The authentication portion appears to work and we get an
accept, but we are not getting any of the group information passed from
the freeradius server to the wireless controller. It appears that
freeradius is receiving it, just not passing it along. Mostly we are
looking to see if this is a config error or if its an issue in the dev
code. Radius -X output is below.
FreeRADIUS Version 2.1.11, for host x86_64-unknown-linux-gnu, built on
May 10 2011 at 11:21:52
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf
including files in directory /usr/local/etc/raddb/modules/
including configuration file /usr/local/etc/raddb/modules/expr
including configuration file /usr/local/etc/raddb/modules/wimax
including configuration file /usr/local/etc/raddb/modules/soh
including configuration file /usr/local/etc/raddb/modules/krb5
including configuration file /usr/local/etc/raddb/modules/pam
including configuration file /usr/local/etc/raddb/modules/preprocess
including configuration
file /usr/local/etc/raddb/modules/detail.example.com
including configuration file /usr/local/etc/raddb/modules/cui
including configuration file /usr/local/etc/raddb/modules/exec
including configuration file /usr/local/etc/raddb/modules/realm
including configuration file /usr/local/etc/raddb/modules/echo
including configuration
file /usr/local/etc/raddb/modules/dynamic_clients
including configuration file /usr/local/etc/raddb/modules/detail
including configuration file /usr/local/etc/raddb/modules/radutmp
including configuration file /usr/local/etc/raddb/modules/attr_filter
including configuration file /usr/local/etc/raddb/modules/checkval
including configuration file /usr/local/etc/raddb/modules/attr_rewrite
including configuration file /usr/local/etc/raddb/modules/files
including configuration file /usr/local/etc/raddb/modules/rediswho
including configuration file /usr/local/etc/raddb/modules/digest
including configuration file /usr/local/etc/raddb/modules/mac2vlan
including configuration file /usr/local/etc/raddb/modules/always
including configuration file /usr/local/etc/raddb/modules/sradutmp
including configuration file /usr/local/etc/raddb/modules/passwd
including configuration file /usr/local/etc/raddb/modules/acct_unique
including configuration file /usr/local/etc/raddb/modules/otp
including configuration file /usr/local/etc/raddb/modules/expiration
including configuration file /usr/local/etc/raddb/modules/perl
including configuration file /usr/local/etc/raddb/modules/ippool
including configuration file /usr/local/etc/raddb/modules/chap
including configuration file /usr/local/etc/raddb/modules/policy
including configuration file /usr/local/etc/raddb/modules/redis
including configuration file /usr/local/etc/raddb/modules/unix
including configuration file /usr/local/etc/raddb/modules/smbpasswd
including configuration file /usr/local/etc/raddb/modules/etc_group
including configuration file /usr/local/etc/raddb/modules/sql_log
including configuration file /usr/local/etc/raddb/modules/smsotp
including configuration file /usr/local/etc/raddb/modules/pap
including configuration file /usr/local/etc/raddb/modules/detail.log
including configuration file /usr/local/etc/raddb/modules/mac2ip
including configuration file /usr/local/etc/raddb/modules/ntlm_auth
including configuration
file /usr/local/etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /usr/local/etc/raddb/modules/mschap
including configuration file /usr/local/etc/raddb/modules/opendirectory
including configuration file /usr/local/etc/raddb/modules/linelog
including configuration file /usr/local/etc/raddb/modules/logintime
including configuration file /usr/local/etc/raddb/modules/ldap
including configuration file /usr/local/etc/raddb/modules/inner-eap
including configuration file /usr/local/etc/raddb/modules/counter
including configuration file /usr/local/etc/raddb/eap.conf
including configuration file /usr/local/etc/raddb/policy.conf
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration
file /usr/local/etc/raddb/sites-enabled/inner-tunnel
including configuration file /usr/local/etc/raddb/sites-enabled/default
including configuration
file /usr/local/etc/raddb/sites-enabled/control-socket
main {
allow_core_dumps = no
}
including dictionary file /usr/local/etc/raddb/dictionary
main {
name = "radiusd"
prefix = "/usr/local"
localstatedir = "/usr/local/var"
sbindir = "/usr/local/sbin"
logdir = "/usr/local/var/log/radius"
run_dir = "/usr/local/var/run/radiusd"
libdir = "/usr/local/lib"
radacctdir = "/usr/local/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
checkrad = "/usr/local/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "testing123"
response_window = 20
max_outstanding = 65536
require_message_authenticator = yes
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
realm NULL {
authhost = 10.10.10.10
secret = testing
}
realm nebraska.gov {
nostrip
authhost = 10.10.10.10
secret = testing123
}
realm DEFAULT {
}
realm arr {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "testing123"
nastype = "other"
}
client 10.10.10.11 {
require_message_authenticator = no
secret = "testing"
shortname = "thing-O'doom"
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating module "exec" from
file /usr/local/etc/raddb/modules/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_expr
Module: Instantiating module "expr" from
file /usr/local/etc/raddb/modules/expr
Module: Linked to module rlm_expiration
Module: Instantiating module "expiration" from
file /usr/local/etc/raddb/modules/expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating module "logintime" from
file /usr/local/etc/raddb/modules/logintime
logintime {
reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60
}
}
radiusd: #### Loading Virtual Servers ####
server { # from file /usr/local/etc/raddb/radiusd.conf
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating module "pap" from
file /usr/local/etc/raddb/modules/pap
pap {
encryption_scheme = "auto"
auto_header = no
}
Module: Linked to module rlm_chap
Module: Instantiating module "chap" from
file /usr/local/etc/raddb/modules/chap
Module: Linked to module rlm_mschap
Module: Instantiating module "mschap" from
file /usr/local/etc/raddb/modules/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = no
allow_retry = yes
}
Module: Linked to module rlm_digest
Module: Instantiating module "digest" from
file /usr/local/etc/raddb/modules/digest
Module: Linked to module rlm_unix
Module: Instantiating module "unix" from
file /usr/local/etc/raddb/modules/unix
unix {
radwtmp = "/usr/local/var/log/radius/radwtmp"
}
Module: Linked to module rlm_eap
Module: Instantiating module "eap" from
file /usr/local/etc/raddb/eap.conf
eap {
default_eap_type = "peap"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 4096
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
CA_path = "/usr/local/etc/raddb/certs"
pem_file_type = yes
private_key_file = "/usr/local/etc/raddb/certs/server.pem"
certificate_file = "/usr/local/etc/raddb/certs/server.pem"
CA_file = "/usr/local/etc/raddb/certs/ca.pem"
private_key_password = "whatever"
dh_file = "/usr/local/etc/raddb/certs/dh"
random_file = "/usr/local/etc/raddb/certs/random"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
make_cert_command = "/usr/local/etc/raddb/certs/bootstrap"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
}
}
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
default_eap_type = "md5"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
virtual_server = "inner-tunnel"
include_length = yes
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
proxy_tunneled_request_as_eap = no
virtual_server = "inner-tunnel"
soh = no
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating module "preprocess" from
file /usr/local/etc/raddb/modules/preprocess
preprocess {
huntgroups = "/usr/local/etc/raddb/huntgroups"
hints = "/usr/local/etc/raddb/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
Module: Linked to module rlm_files
Module: Instantiating module "files" from
file /usr/local/etc/raddb/modules/files
files {
usersfile = "/usr/local/etc/raddb/users"
acctusersfile = "/usr/local/etc/raddb/acct_users"
preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"
compat = "no"
}
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating module "acct_unique" from
file /usr/local/etc/raddb/modules/acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address,
NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating module "detail" from
file /usr/local/etc/raddb/modules/detail
detail {
detailfile =
"/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Linked to module rlm_radutmp
Module: Instantiating module "radutmp" from
file /usr/local/etc/raddb/modules/radutmp
radutmp {
filename = "/usr/local/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Linked to module rlm_attr_filter
Module: Instantiating module "attr_filter.accounting_response" from
file /usr/local/etc/raddb/modules/attr_filter
attr_filter attr_filter.accounting_response {
attrsfile = "/usr/local/etc/raddb/attrs.accounting_response"
key = "%{User-Name}"
}
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Instantiating module "attr_filter.access_reject" from
file /usr/local/etc/raddb/modules/attr_filter
attr_filter attr_filter.access_reject {
attrsfile = "/usr/local/etc/raddb/attrs.access_reject"
key = "%{User-Name}"
}
} # modules
} # server
server inner-tunnel { # from
file /usr/local/etc/raddb/sites-enabled/inner-tunnel
modules {
Module: Checking authenticate {...} for more modules to load
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_realm
Module: Instantiating module "suffix" from
file /usr/local/etc/raddb/modules/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Instantiating module "ntdomain" from
file /usr/local/etc/raddb/modules/realm
realm ntdomain {
format = "prefix"
delimiter = "\"
ignore_default = no
ignore_null = no
}
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
} # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
listen {
type = "control"
listen {
socket = "/usr/local/var/run/radiusd/radiusd.sock"
}
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /usr/local/var/run/radiusd/radiusd.sock
Listening on authentication address 127.0.0.1 port 18120 as server
inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 10.10.10.11 port 32800, id=89,
length=177
User-Name = "test.user"
NAS-IP-Address = 10.x.x.x
NAS-Port = 0
NAS-Identifier = "10.x.x.x"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "00259C9BE72C"
Called-Station-Id = "000B8661628C"
Service-Type = Login-User
Framed-MTU = 1100
EAP-Message = 0x02010011017061747269636b2e7365696d
Aruba-Essid-Name = "NEW_TEST"
Aruba-Location-Id = "test-ap-41"
Message-Authenticator = 0xdf151b9dba8cb89031a97a35c3a5525c
# Executing section authorize from
file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[eap] EAP packet type response id 1 length 17
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 89 to 10.10.10.11 port 32800
EAP-Message = 0x010200061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x2052e9672050f0faff17be72cc36539c
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.10.10.11 port 32800, id=90,
length=283
User-Name = "test.user"
NAS-IP-Address = 10.x.x.x
NAS-Port = 0
NAS-Identifier = "10.x.x.x"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "00259C9BE72C"
Called-Station-Id = "000B8661628C"
Service-Type = Login-User
Framed-MTU = 1100
EAP-Message =
0x0202006919800000005f160301005a0100005603014dcc447a9e26be32ebd0fd1adefa8a85c46f008e37baba3c6b718a4284c34a2a000018002f00350005000ac013c014c009c00a003200380013000401000015ff01000100000a0006000400170018000b00020100
State = 0x2052e9672050f0faff17be72cc36539c
Aruba-Essid-Name = "NEW_TEST"
Aruba-Location-Id = "test-ap-41"
Message-Authenticator = 0xdf99df74968c610596c6a85a61b0c202
# Executing section authorize from
file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[eap] EAP packet type response id 2 length 105
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 95
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 005a], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 0031], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 085e], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client
certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 90 to 10.10.10.11 port 32800
EAP-Message =
0x0103040019c0000008a216030100310200002d03014dcc447aed5b1ef6435cfa44f73ea8176fe5e02354695520efb84af0f7118f9200002f000005ff01000100160301085e0b00085a0008570003a6308203a23082028aa003020102020101300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c65204365727469666963617465204175
EAP-Message =
0x74686f72697479301e170d3131303531303230343335375a170d3132303530393230343335375a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100d463b1aafef2a119e70a826b4a8b44328f135e311cb352000474ddf2a0c06b8a557427d07bf4603327a5b7944c0a419954899a9ff61600
EAP-Message =
0xd0ab2fe76f57ac5f299c664a9442de69a2b9f0ebc93e2887c6abf2ed0c2f1093c798b395409eeb975c8a56b49b43263c7bfae4c2bb7d73d1948c4ceafa88e49cab2cbb270aafd43caf7221d2079ba09d04855d112f09a21a253aa2c0448149a3ae4f3b9cca77ba6237da9e4e26f7b9b957dcc80660f0a512208ff3f3b0045cdcf4f085a497bc055e4241c5d1302ca31ebb75ba82834ae7671165d9197eda04d8b2e81d0f5adcd6512b4141de5c18227ee1d1a1d623ae8154b281353291de93f8f67402d4999e123b630203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d0101040500038201010007f9
EAP-Message =
0x7a008acba7d5f022e4d938e6f179a7e944ea895df2feec90ff23d4e16a7787d203b7bcf6918e33b9304e1a0b1e539b63421208551bfd03fbdbe64d982b6cf02c6d938314635463e4c9dbb8d09f5499012252c73ac28b8d0c6786676cca6f3a449ebcd61df1d209c6e9faa239ce044c5b7d53457ff90e82e2aedfe41ea5cadbf64ab401e81af4ba2144463e2c22868ec57705bd91e0fa9fb2fcedde7d19ac8f01ff57a5a79371c180e2eb00edbddf56f5b080596d2bbd34a8cb82abfde208e4b4d553ba51ca7df91aa4616b599f646c3700422d49d5fd3b24f9f44c7b183a5f4ca9d4135f361558c6443432cdf339f4196aa914561fa30fe3656afe7bc7
EAP-Message = 0x380004ab308204a73082038f
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x2052e9672151f0faff17be72cc36539c
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.10.10.11 port 32800, id=91,
length=184
User-Name = "test.user"
NAS-IP-Address = 10.x.x.x
NAS-Port = 0
NAS-Identifier = "10.x.x.x"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "00259C9BE72C"
Called-Station-Id = "000B8661628C"
Service-Type = Login-User
Framed-MTU = 1100
EAP-Message = 0x020300061900
State = 0x2052e9672151f0faff17be72cc36539c
Aruba-Essid-Name = "NEW_TEST"
Aruba-Location-Id = "test-ap-41"
Message-Authenticator = 0xc02c4b0944964e409f405fd7adbdc17a
# Executing section authorize from
file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[eap] EAP packet type response id 3 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 91 to 10.10.10.11 port 32800
EAP-Message =
0x010403fc1940a003020102020900a8f05f0b37f93f58300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3131303531303230343335375a170d3132303530393230343335375a308193310b3009060355040613024652310f300d0603550408130652616469757331
EAP-Message =
0x12301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100b68445dca1c915e8ee350b1680723b61055f7e21d6975a9905cd66bc1ab98a983b622422fa69571c0a6feaffb2cfa74c040320bec0ea86b517fd11bf3cbc1a28fe420f148ac5a051c1dbd1d1c21b1db60bba211deb85f7ab0449301b37546cded5189bcf497e00e5
EAP-Message =
0x243141a921d87edb371a073ba3af94ae54a39e90ae5f7ac42b14fb794383f9510831b86464f863850a5a8d530ddc52496dc14e51524ae7c44ef073b5f09e2285c062798db69e32f9a3295861812c0e46f5ac6ff135ce61dccf96ad904173305f94053cd82ca8ff1908a7442f7387b342a09394c3bca38409bf91f3e771aaaecb639e4a3b6d9d8c81c94bd4b2e840f88c76676d39620f523f0203010001a381fb3081f8301d0603551d0e04160414975c6511ef5df417b44b06856738d58a76d48d343081c80603551d230481c03081bd8014975c6511ef5df417b44b06856738d58a76d48d34a18199a48196308193310b300906035504061302465231
EAP-Message =
0x0f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479820900a8f05f0b37f93f58300c0603551d13040530030101ff300d06092a864886f70d0101050500038201010055114aa1808b6dbd7413008cd7c16a549f8814117fd7bf0d414aecc301ed51d2d15a7f9f5579980bf90ed6d9c05c6507cdef893b5aab4bf9448a52f5e83207046fa085c55c33211d0ff476
EAP-Message = 0x625424b11b2973c2
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x2052e9672256f0faff17be72cc36539c
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.10.10.11 port 32800, id=92,
length=184
User-Name = "test.user"
NAS-IP-Address = 10.x.x.x
NAS-Port = 0
NAS-Identifier = "10.x.x.x"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "00259C9BE72C"
Called-Station-Id = "000B8661628C"
Service-Type = Login-User
Framed-MTU = 1100
EAP-Message = 0x020400061900
State = 0x2052e9672256f0faff17be72cc36539c
Aruba-Essid-Name = "NEW_TEST"
Aruba-Location-Id = "test-ap-41"
Message-Authenticator = 0xbce793c7192ddc319b9a79c0dbbd41a5
# Executing section authorize from
file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[eap] EAP packet type response id 4 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 92 to 10.10.10.11 port 32800
EAP-Message =
0x010500bc190097aea26a1dd042d90f3c02c05e438e6e316279e061ad1dea2285c4b5587e88f045afa44cd2fe0c97337d208e2b728b4f0de04540495e4fbb19cfde5e258f9a54256fc6118758a8efafd62b4455d2bd95c1efe2cbd1e7d79eeed1402d04d66ebbf3aa1e48183ae284c4e849fd64db81281a912ea446537710c4318c1bf96b18c269fb16098655227700a2d2c92e735b5eeae8dcbdafb0da219751d868a85a2b27922790ca348a64f9a84b08af4d16030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x2052e9672357f0faff17be72cc36539c
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.10.10.11 port 32800, id=93,
length=516
User-Name = "test.user"
NAS-IP-Address = 10.x.x.x
NAS-Port = 0
NAS-Identifier = "10.x.x.x"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "00259C9BE72C"
Called-Station-Id = "000B8661628C"
Service-Type = Login-User
Framed-MTU = 1100
EAP-Message =
0x020501501980000001461603010106100001020100640c21effedba2f24a2251cbf569b4f20f683ad5c343a5bf19be310a54c5e252969f848e315136144e168bf9ea1e86fe29ce5c5044e4e5d072677b81a3fbe18984011cda1884f46264052867704a6ec3ef8e0485e72e0138a8a70eb74a9cb33b78bc9c9d36e5bdcdb935c273fd8352b4410870426f0b0608ac8763794cf77d91b6b57fda14f207771250ad5d3cc0ddc3a0b75716b030535a726f5b17df426782b6b3251b95f1beb98dd4b28cc8ac4ee65cd4aeb4dbb7dfc9f62f3a1b3e2c5302c6bc652518da877ecad73ff5edfae516e1acc189407ecbdc71678382484887de9c3a5d93e795f4c7
EAP-Message =
0xa2011e44ad7c45d7bc053a48344fefbbf5a6a910b1f53e111403010001011603010030343cf27cd25659485fa80be7a33226410f80e950184826afa4244eca7e4a7a11a901f1fd3f5647f54f27af3496071065
State = 0x2052e9672357f0faff17be72cc36539c
Aruba-Essid-Name = "NEW_TEST"
Aruba-Location-Id = "test-ap-41"
Message-Authenticator = 0xd7cb67bd36cf87c50b4eaddc02d14e18
# Executing section authorize from
file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[eap] EAP packet type response id 5 length 253
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 326
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange
[peap] TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap] TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 write finished A
[peap] TLS_accept: SSLv3 flush data
[peap] (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 93 to 10.10.10.11 port 32800
EAP-Message =
0x010600411900140301000101160301003066a73876a01fa3964df69d40f877ff5f284b71a339b38b6022dc323996127d976155e63deec1b57cae6f764ac0307be3
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x2052e9672454f0faff17be72cc36539c
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.10.10.11 port 32800, id=94,
length=184
User-Name = "test.user"
NAS-IP-Address = 10.x.x.x
NAS-Port = 0
NAS-Identifier = "10.x.x.x"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "00259C9BE72C"
Called-Station-Id = "000B8661628C"
Service-Type = Login-User
Framed-MTU = 1100
EAP-Message = 0x020600061900
State = 0x2052e9672454f0faff17be72cc36539c
Aruba-Essid-Name = "NEW_TEST"
Aruba-Location-Id = "test-ap-41"
Message-Authenticator = 0x50a8c2ff0b03d4e3ef93dfdd854aa205
# Executing section authorize from
file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[eap] EAP packet type response id 6 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state TUNNEL ESTABLISHED
++[eap] returns handled
Sending Access-Challenge of id 94 to 10.10.10.11 port 32800
EAP-Message =
0x0107002b19001703010020d1bc9f15904697a8f3a5e0c0f6e37bde3b6f406889de52ba92d8f14e3eeb2f7f
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x2052e9672555f0faff17be72cc36539c
Finished request 5.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.10.10.11 port 32800, id=95,
length=237
User-Name = "test.user"
NAS-IP-Address = 10.x.x.x
NAS-Port = 0
NAS-Identifier = "10.x.x.x"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "00259C9BE72C"
Called-Station-Id = "000B8661628C"
Service-Type = Login-User
Framed-MTU = 1100
EAP-Message =
0x0207003b19001703010030aa3b4cd58b3962aeae0c612785a20fd2a9ff0823ea6640e47befdaabedab43ab648046ba0a365957694ab46520928d8a
State = 0x2052e9672555f0faff17be72cc36539c
Aruba-Essid-Name = "NEW_TEST"
Aruba-Location-Id = "test-ap-41"
Message-Authenticator = 0x89794a3abd2819405279c72d48e91da8
# Executing section authorize from
file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[eap] EAP packet type response id 7 length 59
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state WAITING FOR INNER IDENTITY
[peap] Identity - test.user
[peap] Got inner identity 'test.user'
[peap] Setting default EAP type for tunneled EAP session.
[peap] Got tunneled request
EAP-Message = 0x02070011017061747269636b2e7365696d
server {
[peap] Setting User-Name to test.user
Sending tunneled request
EAP-Message = 0x02070011017061747269636b2e7365696d
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "test.user"
NAS-IP-Address = 10.x.x.x
NAS-Port = 0
NAS-Identifier = "10.x.x.x"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "00259C9BE72C"
Called-Station-Id = "000B8661628C"
Service-Type = Login-User
Framed-MTU = 1100
Aruba-Essid-Name = "NEW_TEST"
Aruba-Location-Id = "test-ap-41"
server inner-tunnel {
# Executing section authorize from
file /usr/local/etc/raddb/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "test.user", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "test.user"
[suffix] Adding Realm = "NULL"
[suffix] Proxying request from user test.user to realm NULL
[suffix] Preparing to proxy authentication request to realm "NULL"
++[suffix] returns updated
[ntdomain] Request already proxied. Ignoring.
++[ntdomain] returns ok
[eap] Request is supposed to be proxied to Realm NULL. Not doing EAP.
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
} # server inner-tunnel
[peap] Got tunneled reply code 0
PEAP: Calling authenticate in order to initiate tunneled EAP session.
# Executing group from
file /usr/local/etc/raddb/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
PEAP: Cancelling proxy to realm NULL until the tunneled EAP session
has been established
[peap] Got tunneled reply RADIUS code 11
EAP-Message =
0x010800261a0108002110148b6ec01694003ba739d7c1317734327061747269636b2e7365696d
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x77077cec770f66abbb823e592cf0990c
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 95 to 10.10.10.11 port 32800
EAP-Message =
0x0108004b19001703010040a08cd426955c25ad3a51bf209509b2a4bc4fe6c10b3c3493c06eca2839d1bce711f02900d477d0136fb673ddaafee249939c0e18e27849555a40e5368bae0c89
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x2052e967265af0faff17be72cc36539c
Finished request 6.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.10.10.11 port 32800, id=96,
length=285
User-Name = "test.user"
NAS-IP-Address = 10.x.x.x
NAS-Port = 0
NAS-Identifier = "10.x.x.x"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "00259C9BE72C"
Called-Station-Id = "000B8661628C"
Service-Type = Login-User
Framed-MTU = 1100
EAP-Message =
0x0208006b19001703010060df0be2d261566e3ba81ad2ff49841b97963f9a8b38bb45ee22028938767a57c113d36230a7276fccc49641fa2ff660afeea870007f4a26ddb2b82081e8b95981ab8590b82c309facf3f4269b7724c2fac2057882cb750d47112722f0d9d9dc92
State = 0x2052e967265af0faff17be72cc36539c
Aruba-Essid-Name = "NEW_TEST"
Aruba-Location-Id = "test-ap-41"
Message-Authenticator = 0xc7d4fc6f0e62c2922a7ef9eb414b3ab7
# Executing section authorize from
file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[eap] EAP packet type response id 8 length 107
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
EAP-Message =
0x020800471a02080042317d0e90f4aa65b4bd430e9f694541779000000000000000007eb68ee463835b22f336f9e73e379b8308bba82e828efc91007061747269636b2e7365696d
server {
[peap] Setting User-Name to test.user
Sending tunneled request
EAP-Message =
0x020800471a02080042317d0e90f4aa65b4bd430e9f694541779000000000000000007eb68ee463835b22f336f9e73e379b8308bba82e828efc91007061747269636b2e7365696d
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "test.user"
State = 0x77077cec770f66abbb823e592cf0990c
NAS-IP-Address = 10.x.x.x
NAS-Port = 0
NAS-Identifier = "10.x.x.x"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "00259C9BE72C"
Called-Station-Id = "000B8661628C"
Service-Type = Login-User
Framed-MTU = 1100
Aruba-Essid-Name = "NEW_TEST"
Aruba-Location-Id = "test-ap-41"
server inner-tunnel {
# Executing section authorize from
file /usr/local/etc/raddb/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "test.user", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "test.user"
[suffix] Adding Realm = "NULL"
[suffix] Proxying request from user test.user to realm NULL
[suffix] Preparing to proxy authentication request to realm "NULL"
++[suffix] returns updated
[ntdomain] Request already proxied. Ignoring.
++[ntdomain] returns ok
[eap] Request is supposed to be proxied to Realm NULL. Not doing EAP.
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
} # server inner-tunnel
[peap] Got tunneled reply code 0
PEAP: Calling authenticate in order to initiate tunneled EAP session.
# Executing group from
file /usr/local/etc/raddb/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[eap] Not-EAP proxy set. Not composing EAP
++[eap] returns handled
PEAP: Tunneled authentication will be proxied to NULL
PEAP: Remembering to do EAP-MS-CHAP-V2 post-proxy.
[eap] Tunneled session will be proxied. Not doing EAP.
++[eap] returns handled
WARNING: Empty pre-proxy section. Using default return values.
Sending Access-Request of id 4 to 10.10.10.10 port 1812
User-Name = "test.user"
NAS-IP-Address = 10.x.x.x
NAS-Port = 0
NAS-Identifier = "10.x.x.x"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "00259C9BE72C"
Called-Station-Id = "000B8661628C"
Service-Type = Login-User
Framed-MTU = 1100
Aruba-Essid-Name = "NEW_TEST"
Aruba-Location-Id = "test-ap-41"
MS-CHAP-Challenge = 0x148b6ec01694003ba739d7c131773432
MS-CHAP2-Response =
0x08617d0e90f4aa65b4bd430e9f694541779000000000000000007eb68ee463835b22f336f9e73e379b8308bba82e828efc91
Proxy-State = 0x3936
Proxying request 7 to home server 10.10.10.10 port 1812
Sending Access-Request of id 4 to 10.10.10.10 port 1812
User-Name = "test.user"
NAS-IP-Address = 10.x.x.x
NAS-Port = 0
NAS-Identifier = "10.x.x.x"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "00259C9BE72C"
Called-Station-Id = "000B8661628C"
Service-Type = Login-User
Framed-MTU = 1100
Aruba-Essid-Name = "NEW_TEST"
Aruba-Location-Id = "test-ap-41"
MS-CHAP-Challenge = 0x148b6ec01694003ba739d7c131773432
MS-CHAP2-Response =
0x08617d0e90f4aa65b4bd430e9f694541779000000000000000007eb68ee463835b22f336f9e73e379b8308bba82e828efc91
Proxy-State = 0x3936
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Accept packet from host 10.10.10.10 port 1812, id=4,
length=291
Proxy-State = 0x3936
Aruba-User-Role = "network-fools"
Filter-Id = "networking"
Tunnel-Private-Group-Id:0 = "default"
Class =
0x4e8a062e00000137000117000000000000000000000000000000000101cbfeebf8e6a00c0000000000007429
MS-MPPE-Recv-Key = 0x7f1107c20babf24559df0d663ee39985
MS-MPPE-Send-Key = 0x90d1203360319de86b213aad9476d06f
MS-CHAP2-Success =
0x08533d45364132353930413732433133373630394336383638373838453639443543324637393244444632
MS-CHAP-Domain = "\010STN"
MS-Link-Utilization-Threshold = 50
MS-Link-Drop-Time-Limit = 120
# Executing section post-proxy from
file /usr/local/etc/raddb/sites-enabled/default
+- entering group post-proxy {...}
[eap] Doing post-proxy callback
[eap] Passing reply from proxy back into the tunnel.
server inner-tunnel {
[eap] Passing reply back for EAP-MS-CHAP-V2
# Executing section post-proxy from
file /usr/local/etc/raddb/sites-enabled/inner-tunnel
+- entering group post-proxy {...}
[eap] Doing post-proxy callback
rlm_eap_mschapv2: Passing reply from proxy back into the tunnel
0x997890 2.
rlm_eap_mschapv2: Authentication succeeded.
MSCHAP Success
++[eap] returns ok
# Executing section post-auth from
file /usr/local/etc/raddb/sites-enabled/inner-tunnel
+- entering group post-auth {...}
expand: %{request:Filter-Id} ->
++[outer.reply] returns noop
} # server inner-tunnel
[eap] Final reply from tunneled session code 11
Proxy-State = 0x3936
Aruba-User-Role = "network-fools"
Filter-Id = "networking"
Tunnel-Private-Group-Id:0 = "default"
Class =
0x4e8a062e00000137000117000000000000000000000000000000000101cbfeebf8e6a00c0000000000007429
MS-CHAP-Domain = "\010STN"
MS-Link-Utilization-Threshold = 50
MS-Link-Drop-Time-Limit = 120
EAP-Message =
0x010900331a0308002e533d45364132353930413732433133373630394336383638373838453639443543324637393244444632
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x77077cec760e66abbb823e592cf0990c
[eap] Got reply 11
[eap] Got tunneled reply RADIUS code 11
Proxy-State = 0x3936
Aruba-User-Role = "network-fools"
Filter-Id = "networking"
Tunnel-Private-Group-Id:0 = "default"
Class =
0x4e8a062e00000137000117000000000000000000000000000000000101cbfeebf8e6a00c0000000000007429
MS-CHAP-Domain = "\010STN"
MS-Link-Utilization-Threshold = 50
MS-Link-Drop-Time-Limit = 120
EAP-Message =
0x010900331a0308002e533d45364132353930413732433133373630394336383638373838453639443543324637393244444632
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x77077cec760e66abbb823e592cf0990c
[eap] Got tunneled Access-Challenge
[eap] Saving tunneled attributes for later
[eap] Reply was handled
++[eap] returns ok
Sending Access-Challenge of id 96 to 10.10.10.11 port 32800
Filter-Id = ""
EAP-Message =
0x0109005b190017030100509d9a4aa35ec2cb40ae533f0d7be59fdcc8a6b2cc3fccfa3b6dcaa6ca24dae27f958a0332f39cd817a23f92da039626f59dfca32c43bb8cd8827aefdc43c3c7cbf30a749995ee3169b7392387d5d0b7a5
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x2052e967275bf0faff17be72cc36539c
Finished request 7.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.10.10.11 port 32800, id=97,
length=221
User-Name = "test.user"
NAS-IP-Address = 10.x.x.x
NAS-Port = 0
NAS-Identifier = "10.x.x.x"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "00259C9BE72C"
Called-Station-Id = "000B8661628C"
Service-Type = Login-User
Framed-MTU = 1100
EAP-Message =
0x0209002b19001703010020bff5e4f0a093f4fbba3dac4511f756c7c5c7d74ed1886fb99d704dd69b6ad7f3
State = 0x2052e967275bf0faff17be72cc36539c
Aruba-Essid-Name = "NEW_TEST"
Aruba-Location-Id = "test-ap-41"
Message-Authenticator = 0x66847103a90432b93ab24808d8ec7a71
# Executing section authorize from
file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[eap] EAP packet type response id 9 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
EAP-Message = 0x020900061a03
server {
[peap] Setting User-Name to test.user
Sending tunneled request
EAP-Message = 0x020900061a03
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "test.user"
State = 0x77077cec760e66abbb823e592cf0990c
NAS-IP-Address = 10.x.x.x
NAS-Port = 0
NAS-Identifier = "10.x.x.x"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "00259C9BE72C"
Called-Station-Id = "000B8661628C"
Service-Type = Login-User
Framed-MTU = 1100
Aruba-Essid-Name = "NEW_TEST"
Aruba-Location-Id = "test-ap-41"
server inner-tunnel {
# Executing section authorize from
file /usr/local/etc/raddb/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "test.user", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "test.user"
[suffix] Adding Realm = "NULL"
[suffix] Proxying request from user test.user to realm NULL
[suffix] Preparing to proxy authentication request to realm "NULL"
++[suffix] returns updated
[ntdomain] Request already proxied. Ignoring.
++[ntdomain] returns ok
[eap] Request is supposed to be proxied to Realm NULL. Not doing EAP.
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
} # server inner-tunnel
[peap] Got tunneled reply code 0
PEAP: Calling authenticate in order to initiate tunneled EAP session.
# Executing group from
file /usr/local/etc/raddb/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[eap] Freeing handler
++[eap] returns ok
[peap] Got tunneled reply RADIUS code 2
MS-MPPE-Send-Key = 0x90d1203360319de86b213aad9476d06f
MS-MPPE-Recv-Key = 0x7f1107c20babf24559df0d663ee39985
EAP-Message = 0x03090004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "test.user"
[peap] Tunneled authentication was successful.
[peap] SUCCESS
[peap] Saving tunneled attributes for later
++[eap] returns handled
Sending Access-Challenge of id 97 to 10.10.10.11 port 32800
EAP-Message =
0x010a002b19001703010020536577cc3da7e7a391006e8c1445b85700ae00a3425cf630c608144333ced9f9
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x2052e9672858f0faff17be72cc36539c
Finished request 8.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.10.10.11 port 32800, id=98,
length=221
User-Name = "test.user"
NAS-IP-Address = 10.x.x.x
NAS-Port = 0
NAS-Identifier = "10.x.x.x"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "00259C9BE72C"
Called-Station-Id = "000B8661628C"
Service-Type = Login-User
Framed-MTU = 1100
EAP-Message =
0x020a002b19001703010020d6214a534ba200598e450e90712affef897efd7f3ea95fb6fdaa1d9f200c9ce4
State = 0x2052e9672858f0faff17be72cc36539c
Aruba-Essid-Name = "NEW_TEST"
Aruba-Location-Id = "test-ap-41"
Message-Authenticator = 0xe89f9162ef2fa954e6dc4c038eaed024
# Executing section authorize from
file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[eap] EAP packet type response id 10 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state send tlv success
[peap] Received EAP-TLV response.
[peap] Success
[peap] Using saved attributes from the original Access-Accept
User-Name = "test.user"
[eap] Freeing handler
++[eap] returns ok
# Executing section post-auth from
file /usr/local/etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 98 to 10.10.10.11 port 32800
User-Name = "test.user"
MS-MPPE-Recv-Key =
0x0a169a0bf16593123bc68ed03a6b1b826dc04cfba9dd8cc725d51800710f23a1
MS-MPPE-Send-Key =
0x82ef22906ad494b5b2c2a0f65f1a4ebba82918e8b6ae4a8c4c10b43c4711e63f
EAP-Message = 0x030a0004
Message-Authenticator = 0x00000000000000000000000000000000
Finished request 9.
Going to the next request
Waking up in 4.8 seconds.
Cleaning up request 0 ID 89 with timestamp +35
Cleaning up request 1 ID 90 with timestamp +35
Cleaning up request 2 ID 91 with timestamp +35
Cleaning up request 3 ID 92 with timestamp +35
Cleaning up request 4 ID 93 with timestamp +35
Cleaning up request 5 ID 94 with timestamp +35
Cleaning up request 6 ID 95 with timestamp +35
Cleaning up request 7 ID 96 with timestamp +35
Cleaning up request 8 ID 97 with timestamp +35
Cleaning up request 9 ID 98 with timestamp +35
Ready to process requests.
2
1
12 May '11
http://wiki.freeradius.org/SQL_HOWTO mentions using "group" entry to
failover between sql servers.
How is it different compared using redundant unlang? Is there
additional documentation for group directive?
--
Fajar
2
1
Hello,
There are some minor diffs between the doc on "deployingradius.com" and the embedded doc in the mschap module. Which one should I use? Specifically, what is the "correct" ntlm_auth command string, and should I enable the "with_ntdomain_hack" in the mschap module?
TIA!
Gary
<font size="1">
<div style='border:none;border-bottom:double windowtext 2.25pt;padding:0in 0in 1.0pt 0in'>
</div>
"This email is intended to be reviewed by only the intended recipient
and may contain information that is privileged and/or confidential.
If you are not the intended recipient, you are hereby notified that
any review, use, dissemination, disclosure or copying of this email
and its attachments, if any, is strictly prohibited. If you have
received this email in error, please immediately notify the sender by
return email and delete this email from your system."
</font>
2
1