Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
September 2011
- 120 participants
- 184 discussions
Dear Expert(Installation Request)
Cent5 (server)
Freeradius
cent5(NAS1)
pptp,oepnvpn
The expenses will be paid by US dollar
mailto:sekchel@gmail.com <sekchel(a)gmail.com>
My current status
----------------------------------------------------------------------------------
cent5 install
yum update
yum install net-snmp net-snmp-devel mysql-devel libtool-ltdl-devel php-mysql
#Because of dialup ----
# wget freeradius2-2.1.7-7.el5.src.rpm
# cp freeradius2-2.1.7-7.el5.src.rpm/dialup_admin /usr/local
yum search freeradius*
yum install freeradius2-mysql
yum instal freeradius2-utils
show variables like 'have_innodb'; check ok
create database radius;
vi /etc/raddb/sql/ndb/admin.sql (radiusid/test1234)
mysql -u root -p mysql < /etc/raddb/sql/ndb/admin.sql
mysql -u root -p radius < /etc/raddb/sql/ndb/schema.sql
mysql -u root -p radius < /etc/raddb/sql/mysql/cui.sql
mysql -u root -p radius < /etc/raddb/sql/mysql/ippool.sql
mysql -u root -p radius < /etc/raddb/sql/mysql/nas.sql
mysql -u root -p radius < /etc/raddb/sql/mysql/wimax.sql
vi /etc/raddb/sql.conf
login = "radiusid"
password = "test1234"
vi /etc/raddb/radiusd.conf
proxy_requests = no
$INCLUDE sql.conf #remove
$INCLUDE sql/mysql/counter.conf #remove
$INCLUDE sqlippool.conf #remove
vi /etc/raddb/sqlippool.conf
$INCLUDE sql/mysql/ippool.conf <== edit
vi /etc/raddb/client.conf
client xx0.x7.1xx.xx4 {
ipaddr = xx0.x7.1xx.xx4
secret = test1234
require_message_authenticator = no
nastype = other # localhost isn't usually a NAS...
}
ln -s /usr/local/dialup_admin/htdocs /var/www/html/dialup
<Directory /var/www/html/dialup>
AuthName "Restricted Area"
AuthType Basic
AuthUserFile /var/www/.htpasswd
require valid-user
</Directory>
htpasswd -cm /var/www/.htpasswd administrator
mysql -u root -p radius < /usr/local/dialup_admin/sql/mysql/badusers.sql
mysql -u root -p radius < /usr/local/dialup_admin/sql/mysql/mtotacct.sql
mysql -u root -p radius < /usr/local/dialup_admin/sql/mysql/totacct.sql
mysql -u root -p radius < /usr/local/dialup_admin/sql/mysql/userinfo.sql (
id int(10) NOT NULL auto_increment,)
vi /etc/httpd/conf.d/php.conf
#AddType application/x-httpd-php-source .phps
#LoadModule php4_module libexec/libphp4.so
#AddModule mod_php4.c
AddType application/x-httpd-php .php
AddType application/x-httpd-php .php3
vi /usr/local/dialup_admin/conf/admin.conf
general_radiusd_base_dir: /usr/sbin Edit
general_strip_realms: yes # remove
sql_username: radiusid
sql_password: test1234
#sql_debug: true
NAS1 ==> client xx0.x7.1xx.xx4
pptpd-1.3.4.tar.gz freeradius-client-1.1.6.tar.gz
openvpn-2.2.1.tar.gz radiusplugin_v2.1a_beta1.tar.gz
openvpn-gui http://www.openvpn.se/files/install_packages_source/
Dependent(tap0901,auth-user-pass auth-user-pass.txt)
nas1 ip_range xx0.x7.1xx.xx5-60 (public ip)
2
1
I have a requirement to get successful and failed radius
authentication logs from FreeRADIUS to a SIEM for audit purposes. I
have updated the config to log to syslog, but I need more information
than is currently appearing.
Example:
Sep 29 10:40:56 radiusserver radiusd[13806]: Login incorrect: [azbycx]
(from client ScreenNets port 0)
Is there a way to syslog the username, client-ip-addres and
calling-station-id that appears in radacct? Alternately, is there a
way to send radacct to syslog instead of the file system? In my ideal
world, all of the information currently recorded for radacct would be
logged to the SIEM but I'm not sure how to best achieve that.
I've been through the documentation and just am not finding an obvious
way to change what information is sent to syslog.
Any help/suggestions would be much appreciated.
Tremaine Lea
Network Security Consultant
Intrepid ACL
"Paranoia for hire"
2
2
Hi All,
I'm using Freeradius 2.1,
Users that connects to the my network by wireless clients at 2.4GHz get
authenticated by username and password, but there also CPE that connect at
5GHz and authenticate thelmselves by username and EAP to give access to
wired lan users ( not supplicant ).
Is it possible to deny usernames used by cpe on the 2.4GHz net?
Can i force username used on cpe only to pass the EAP auth too? if
yes..how?
it'a matter of policy.conf?
Thanks
--
View this message in context: http://freeradius.1045715.n5.nabble.com/Authentications-types-by-usernames-…
Sent from the FreeRadius - User mailing list archive at Nabble.com.
3
8
Hi,
I am using Version 2.1.11 for broadband PPP authentication. I want to put
the unauthenticated users to a default service. I have to revert the
access-reject message to access-accept because once CISCO ISG get a
access-reject from the AAA server it's terminating the ppp with
access-reject.
I tried to use Post-Auth-Type REJECT section of the configuration but its
not working.
Here is my config and some debug outputs.
post-auth {
Post-Auth-Type REJECT {
ok
update control {
Auth-Type:=Accept
}
}
}
....(AFTER SQL Lookup)
[sql] User ccotesist06adsl not found
++[sql] returns notfound
Found Auth-Type = PAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password "test"
[pap] No password configured for the user. Cannot do authentication
++[pap] returns fail
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
++[ok] returns ok
++[control] returns ok
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 11
Deniz AYDIN
Senior Network Engineer
-----
Deniz AYDIN
Senior Network Engineer
--
View this message in context: http://freeradius.1045715.n5.nabble.com/Reverting-Accept-Reject-to-Access-A…
Sent from the FreeRadius - User mailing list archive at Nabble.com.
5
12
Hi to all,
I have a problem using freeradius 2.1.8.
I have an auth server that is a Communigate 5.3 mail server.
I'd want my windows clients can use a PEAP/MSCHAPv2 default auth schema but
it seems not working. With TTLS/PAP-MSCHAPv1 it works fine (but I have to
install SecureW2 software).
This is my configuration and the response when I try to connect
FreeRADIUS Version 2.1.8, for host x86_64-pc-linux-gnu, built on Jan 5 2010
at 02:56:18
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/perl
including configuration file /etc/freeradius/modules/ldap
including configuration file /etc/freeradius/modules/ntlm_auth
including configuration file /etc/freeradius/modules/krb5
including configuration file /etc/freeradius/modules/wimax
including configuration file /etc/freeradius/modules/detail.example.com
including configuration file /etc/freeradius/modules/realm
including configuration file /etc/freeradius/modules/echo
including configuration file /etc/freeradius/modules/exec
including configuration file /etc/freeradius/modules/digest
including configuration file /etc/freeradius/modules/etc_group
including configuration file /etc/freeradius/modules/unix
including configuration file /etc/freeradius/modules/counter
including configuration file /etc/freeradius/modules/attr_rewrite
including configuration file /etc/freeradius/modules/smbpasswd
including configuration file /etc/freeradius/modules/logintime
including configuration file /etc/freeradius/modules/mschap
including configuration file /etc/freeradius/modules/mac2vlan
including configuration file /etc/freeradius/modules/chap
including configuration file /etc/freeradius/modules/inner-eap
including configuration file /etc/freeradius/modules/cui
including configuration file /etc/freeradius/modules/expiration
including configuration file /etc/freeradius/modules/passwd
including configuration file /etc/freeradius/modules/always
including configuration file /etc/freeradius/modules/expr
including configuration file /etc/freeradius/modules/checkval
including configuration file /etc/freeradius/modules/mac2ip
including configuration file /etc/freeradius/modules/ippool
including configuration file /etc/freeradius/modules/policy
including configuration file /etc/freeradius/modules/sradutmp
including configuration file /etc/freeradius/modules/attr_filter
including configuration file /etc/freeradius/modules/radutmp
including configuration file /etc/freeradius/modules/acct_unique
including configuration file /etc/freeradius/modules/detail.log
including configuration file /etc/freeradius/modules/preprocess
including configuration file /etc/freeradius/modules/pap
including configuration file /etc/freeradius/modules/linelog
including configuration file /etc/freeradius/modules/files
including configuration file /etc/freeradius/modules/sql_log
including configuration file /etc/freeradius/modules/pam
including configuration file
/etc/freeradius/modules/sqlcounter_expire_on_login
including configuration file /etc/freeradius/modules/otp
including configuration file /etc/freeradius/modules/detail
including configuration file /etc/freeradius/modules/smsotp
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/default
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
main {
user = "freerad"
group = "freerad"
allow_core_dumps = no
}
including dictionary file /etc/freeradius/dictionary
main {
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/freeradius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/freeradius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "/var/run/freeradius/freeradius.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "testing123"
response_window = 20
max_outstanding = 65536
require_message_authenticator = no
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
realm mail.sns.it {
authhost = LOCAL
accthost = LOCAL
}
realm mail.sns.it.veramente {
authhost = mail.sns.it:1812
secret = XXXXX
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "testing123"
nastype = "other"
}
client test {
ipaddr = 192.168.0.0
netmask = 0
require_message_authenticator = no
secret = "pulcinella"
shortname = "private-network-2"
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_expr
Module: Instantiating expr
Module: Linked to module rlm_expiration
Module: Instantiating expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating logintime
logintime {
reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60
}
}
radiusd: #### Loading Virtual Servers ####
server inner-tunnel {
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating pap
pap {
encryption_scheme = "auto"
auto_header = yes
}
Module: Linked to module rlm_chap
Module: Instantiating chap
Module: Linked to module rlm_mschap
Module: Instantiating mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = no
}
Module: Linked to module rlm_unix
Module: Instantiating unix
unix {
radwtmp = "/var/log/freeradius/radwtmp"
}
Module: Linked to module rlm_eap
Module: Instantiating eap
eap {
default_eap_type = "md5"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 4096
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
pem_file_type = yes
private_key_file = "/etc/freeradius/certs/server.key"
certificate_file = "/etc/freeradius/certs/server.pem"
CA_file = "/etc/freeradius/certs/ca.pem"
private_key_password = "whatever"
dh_file = "/etc/freeradius/certs/dh"
random_file = "/etc/freeradius/certs/random"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
make_cert_command = "/etc/freeradius/certs/bootstrap"
cache {
enable = no
lifetime = 24
max_entries = 255
}
}
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_realm
Module: Instantiating suffix
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Instantiating ntdomain
realm ntdomain {
format = "prefix"
delimiter = "\"
ignore_default = no
ignore_null = no
}
Module: Linked to module rlm_files
Module: Instantiating files
files {
usersfile = "/etc/freeradius/users"
acctusersfile = "/etc/freeradius/acct_users"
preproxy_usersfile = "/etc/freeradius/preproxy_users"
compat = "no"
}
Module: Checking session {...} for more modules to load
Module: Linked to module rlm_radutmp
Module: Instantiating radutmp
radutmp {
filename = "/var/log/freeradius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Linked to module rlm_attr_filter
Module: Instantiating attr_filter.access_reject
attr_filter attr_filter.access_reject {
attrsfile = "/etc/freeradius/attrs.access_reject"
key = "%{User-Name}"
}
} # modules
} # server
server {
modules {
Module: Checking authenticate {...} for more modules to load
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating preprocess
preprocess {
huntgroups = "/etc/freeradius/huntgroups"
hints = "/etc/freeradius/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address,
NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating detail
detail {
detailfile =
"/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Instantiating attr_filter.accounting_response
attr_filter attr_filter.accounting_response {
attrsfile = "/etc/freeradius/attrs.accounting_response"
key = "%{User-Name}"
}
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
} # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.
RESPONSE:
rad_recv: Access-Request packet from host 192.168.71.131 port 2048, id=0,
length=163
User-Name = "rosario.lumia(a)mail.sns.it"
NAS-IP-Address = 192.168.71.131
Called-Station-Id = "00236929d1a4"
Calling-Station-Id = "e8e5d6d76775"
NAS-Identifier = "00236929d1a4"
NAS-Port = 5
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message =
0x0200001e01726f736172696f2e6c756d6961406d61696c2e736e732e6974
Message-Authenticator = 0x0c44b3e602345e27cab38b80d83a991a
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "mail.sns.it" for User-Name = "
rosario.lumia(a)mail.sns.it"
[suffix] Found realm "mail.sns.it"
[suffix] Adding Stripped-User-Name = "rosario.lumia"
[suffix] Adding Realm = "mail.sns.it"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[ntdomain] Request already proxied. Ignoring.
++[ntdomain] returns ok
[eap] EAP packet type response id 0 length 30
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication
may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 0 to 192.168.71.131 port 2048
EAP-Message = 0x010100160410b147c10c4e418d94bf9e40ea36334bb3
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x9dd480bf9dd58457068c8abbb9608c64
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.71.131 port 2048, id=0,
length=157
Cleaning up request 0 ID 0 with timestamp +233
User-Name = "rosario.lumia(a)mail.sns.it"
NAS-IP-Address = 192.168.71.131
Called-Station-Id = "00236929d1a4"
Calling-Station-Id = "e8e5d6d76775"
NAS-Identifier = "00236929d1a4"
NAS-Port = 5
Framed-MTU = 1400
State = 0x9dd480bf9dd58457068c8abbb9608c64
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020100060319
Message-Authenticator = 0x1c396e46a4c5ea98691a8ff91ce87893
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "mail.sns.it" for User-Name = "
rosario.lumia(a)mail.sns.it"
[suffix] Found realm "mail.sns.it"
[suffix] Adding Stripped-User-Name = "rosario.lumia"
[suffix] Adding Realm = "mail.sns.it"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[ntdomain] Request already proxied. Ignoring.
++[ntdomain] returns ok
[eap] EAP packet type response id 1 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication
may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/peap
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 0 to 192.168.71.131 port 2048
EAP-Message = 0x010200061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x9dd480bf9cd69957068c8abbb9608c64
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.71.131 port 2048, id=0,
length=255
Cleaning up request 1 ID 0 with timestamp +233
User-Name = "rosario.lumia(a)mail.sns.it"
NAS-IP-Address = 192.168.71.131
Called-Station-Id = "00236929d1a4"
Calling-Station-Id = "e8e5d6d76775"
NAS-Identifier = "00236929d1a4"
NAS-Port = 5
Framed-MTU = 1400
State = 0x9dd480bf9cd69957068c8abbb9608c64
NAS-Port-Type = Wireless-802.11
EAP-Message =
0x0202006819800000005e16030100590100005503014e830888e4b3dfeb276293e107afeaa97e182e6a27ec167de337a9456efa4c3500002800390038003500160013000a00330032002f000500040015001200090014001100080006000300ff0100000400230000
Message-Authenticator = 0x0d05314c94d184903b362c2994aefa68
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "mail.sns.it" for User-Name = "
rosario.lumia(a)mail.sns.it"
[suffix] Found realm "mail.sns.it"
[suffix] Adding Stripped-User-Name = "rosario.lumia"
[suffix] Adding Realm = "mail.sns.it"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[ntdomain] Request already proxied. Ignoring.
++[ntdomain] returns ok
[eap] EAP packet type response id 2 length 104
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 94
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 0059], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 0035], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 01b7], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 018d], ServerKeyExchange
[peap] TLS_accept: SSLv3 write key exchange A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client certificate
A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 0 to 192.168.71.131 port 2048
EAP-Message =
0x01030397190016030100350200003103014e8308897223b8a42ad452c65b3bc45a8754be6be442843c649385e3abf2b522000039000009ff010001000023000016030101b70b0001b30001b00001ad308201a930820112020900d44947c0dcd0eb3c300d06092a864886f70d01010505003019311730150603550403130e726164697573412e736e732e6974301e170d3131303530353131353934325a170d3231303530323131353934325a3019311730150603550403130e726164697573412e736e732e697430819f300d06092a864886f70d010101050003818d0030818902818100b247a3028058771448a2f7ace2fbd0c0bb43a72f8996b69702
EAP-Message =
0x336484343830376222b43eb81ede99cb93e11f172c584cb57b822f25037d2eb039605e72057dc5659d67c295424c0270830885c9ecab83cd0cd240182aa3db9e11384cdbb094f39913a56dd860a2888a6c819b1bb1a618dc8ff67f32c949b871d8e654444610710203010001300d06092a864886f70d0101050500038181004e536e5b917bfb2ae61aafdb3bbb46906a5408076ddc26729794ccfb07ce7ae21ce18ccf11aee0163e113128c643d33dd96ea2fcb2b5acf6c0b15d445f299f2b33a88edd94899acd0f886f9f08b87f68f12d290b028312d3b72b42de49e97a08d97331e666468f7d7a2070a5f4e8409ec2776cac410a45871647fa00adb9
EAP-Message =
0x2239160301018d0c0001890080cc3c1d7bd03f8d9e95e3e8382bd2cac235f89eeaa794094b683d1b4d086f2bfb8a9ed7297d8b9b25d7d9f6b65e3a0b4807e9860ca296982a5a9ec05f73a356ba247d3eaa3c0fdaaa88e4a55d50275a645a6c7845cb9c73ca2d47dad3ac0c756c48f511166ad738bb0c7c9221fe59c58e260e7b00f285de34927a4f678ad23efb0001020080032d3a5627399b74e33a2a437bd31b491ad6251cb3584aedf53c797cfccd48fc6eb39953cc483fa276a9585150a9b4309220c410f36951689be392b93b17365cacf41ebb75ee208643d817dfb01fbace0b7d9df93cd84931198f11007eb35d41a9d5b5da0d01d6d0d78ad0
EAP-Message =
0xc30bc4c2e9889f3169916942c23a694e787a53c31200803b92d558849d014ad5eb0f41e499c1bfc87336cacddfb5bb02eb846266d0a07a4857a9ce1d952f977a59d18cebacaa1c174d5134d37253b02d82a58a19375b5c90e960ef16829acff3d9c18d24c08a120f5054838c5628e14327751aaff77ee8b0b16e1025dae4abd47bf3d7701bee69a283342f2d428bfdd27b9951e5d4305816030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x9dd480bf9fd79957068c8abbb9608c64
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.71.131 port 2048, id=0,
length=359
Cleaning up request 2 ID 0 with timestamp +233
User-Name = "rosario.lumia(a)mail.sns.it"
NAS-IP-Address = 192.168.71.131
Called-Station-Id = "00236929d1a4"
Calling-Station-Id = "e8e5d6d76775"
NAS-Identifier = "00236929d1a4"
NAS-Port = 5
Framed-MTU = 1400
State = 0x9dd480bf9fd79957068c8abbb9608c64
NAS-Port-Type = Wireless-802.11
EAP-Message =
0x020300d01980000000c616030100861000008200806a764749631adc4da713999ef8db804827d1c44fab41d538a3a2755368cebb4f54ca1c87884a37f408c640e4a9a0b93c46c4c683753e3885cacb11c4bdec114b6779981368d4eed97846df5ed9edf392ca2b12c513f9f050a3517cb8b045947207cf052910ad8c41de9b86133e84880f574391d990734cf7f5f1202c5d6fc5121403010001011603010030e1ae24ab53d88f46abc276c57ca5d7a3463ecd8d1cbf242dfed051afd9cd411952a9856ae7b0eccaf6d1bd8b57937e48
Message-Authenticator = 0x1f33307e5bbeb0bf6fb6ea4bc86a2e9f
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "mail.sns.it" for User-Name = "
rosario.lumia(a)mail.sns.it"
[suffix] Found realm "mail.sns.it"
[suffix] Adding Stripped-User-Name = "rosario.lumia"
[suffix] Adding Realm = "mail.sns.it"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[ntdomain] Request already proxied. Ignoring.
++[ntdomain] returns ok
[eap] EAP packet type response id 3 length 208
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 198
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
[peap] TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 Handshake [length 00aa]???
[peap] TLS_accept: SSLv3 write session ticket A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap] TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 write finished A
[peap] TLS_accept: SSLv3 flush data
[peap] (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 0 to 192.168.71.131 port 2048
EAP-Message =
0x010400f0190016030100aa040000a60000000000a00a5ac7005d9fb7fd360f0698407d4c96c4a45ea1c55004f204bdaf79ca75e4230e9186bb5edc0458bd88c153d4ced453a03e24db5c1444dc34abeb1b660e674950a83e1052aea8fe5d5988abeb7f6beac2c3a2de36ce3cab2d7c67a8d55bbee5aa5c9641b950975651dcd5fb3d62af93725ef13d87166e6c02770265b65bbc391850c49a64c4eb6b355492eff70d12f32ef2994142b0bf3f4740608e8c32eb5a14030100010116030100301c75d8374b982475d21bbdb68c05936c0fc1f364bdcf1ded90bb9c9d8f6b7f1a8b8a57822fc7dcdca101726fe126403a
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x9dd480bf9ed09957068c8abbb9608c64
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.71.131 port 2048, id=0,
length=157
Cleaning up request 3 ID 0 with timestamp +234
User-Name = "rosario.lumia(a)mail.sns.it"
NAS-IP-Address = 192.168.71.131
Called-Station-Id = "00236929d1a4"
Calling-Station-Id = "e8e5d6d76775"
NAS-Identifier = "00236929d1a4"
NAS-Port = 5
Framed-MTU = 1400
State = 0x9dd480bf9ed09957068c8abbb9608c64
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020400061900
Message-Authenticator = 0xef939c3535dd70c46519b41cb657d39c
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "mail.sns.it" for User-Name = "
rosario.lumia(a)mail.sns.it"
[suffix] Found realm "mail.sns.it"
[suffix] Adding Stripped-User-Name = "rosario.lumia"
[suffix] Adding Realm = "mail.sns.it"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[ntdomain] Request already proxied. Ignoring.
++[ntdomain] returns ok
[eap] EAP packet type response id 4 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
++[eap] returns handled
Sending Access-Challenge of id 0 to 192.168.71.131 port 2048
EAP-Message =
0x0105002b19001703010020a865949ad5d50b0e2da3b601d836a5db44849d139e7ac2e4fadbd2a84436eef3
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x9dd480bf99d19957068c8abbb9608c64
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.71.131 port 2048, id=0,
length=247
Cleaning up request 4 ID 0 with timestamp +234
User-Name = "rosario.lumia(a)mail.sns.it"
NAS-IP-Address = 192.168.71.131
Called-Station-Id = "00236929d1a4"
Calling-Station-Id = "e8e5d6d76775"
NAS-Identifier = "00236929d1a4"
NAS-Port = 5
Framed-MTU = 1400
State = 0x9dd480bf99d19957068c8abbb9608c64
NAS-Port-Type = Wireless-802.11
EAP-Message =
0x020500601900170301002060829614464804e6e47711ef807c4797ffb45a90d923aad46b5e053af710abd717030100306542c1b399f1c075966c709f1364fed0c304601c766d2e908354fee852e9c633744f560aa615550abb254e8f6acfe76c
Message-Authenticator = 0x17699948626c902751f348054ed7f05c
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "mail.sns.it" for User-Name = "
rosario.lumia(a)mail.sns.it"
[suffix] Found realm "mail.sns.it"
[suffix] Adding Stripped-User-Name = "rosario.lumia"
[suffix] Adding Realm = "mail.sns.it"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[ntdomain] Request already proxied. Ignoring.
++[ntdomain] returns ok
[eap] EAP packet type response id 5 length 96
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Identity - rosario.lumia(a)mail.sns.it
[peap] Got tunneled request
EAP-Message =
0x0205001e01726f736172696f2e6c756d6961406d61696c2e736e732e6974
server {
PEAP: Got tunneled identity of rosario.lumia(a)mail.sns.it
PEAP: Setting default EAP type for tunneled EAP session.
PEAP: Setting User-Name to rosario.lumia(a)mail.sns.it
Sending tunneled request
EAP-Message =
0x0205001e01726f736172696f2e6c756d6961406d61696c2e736e732e6974
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "rosario.lumia(a)mail.sns.it"
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] Looking up realm "mail.sns.it" for User-Name = "
rosario.lumia(a)mail.sns.it"
[suffix] Found realm "mail.sns.it"
[suffix] Adding Stripped-User-Name = "rosario.lumia"
[suffix] Adding Realm = "mail.sns.it"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[ntdomain] Request already proxied. Ignoring.
++[ntdomain] returns ok
++[control] returns ok
[eap] EAP packet type response id 5 length 30
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
EAP-Message =
0x010600331a0106002e103025f88867b6177e20681b72680d2759726f736172696f2e6c756d6961406d61696c2e736e732e6974
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xf3b625d1f3b03f960f179937a5f9e80a
[peap] Got tunneled reply RADIUS code 11
EAP-Message =
0x010600331a0106002e103025f88867b6177e20681b72680d2759726f736172696f2e6c756d6961406d61696c2e736e732e6974
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xf3b625d1f3b03f960f179937a5f9e80a
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 0 to 192.168.71.131 port 2048
EAP-Message =
0x0106005b1900170301005022bda37f6a7e8eb3bb9d8a945baaafcf72404ca8b67395735c749d53527e3c149e7067addbdbd3df1d788a7257f491271545022ebc4295906bf2f2518880881ac04f0dff9d6852640ccae739f0c49155
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x9dd480bf98d29957068c8abbb9608c64
Finished request 5.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.71.131 port 2048, id=0,
length=311
Cleaning up request 5 ID 0 with timestamp +234
User-Name = "rosario.lumia(a)mail.sns.it"
NAS-IP-Address = 192.168.71.131
Called-Station-Id = "00236929d1a4"
Calling-Station-Id = "e8e5d6d76775"
NAS-Identifier = "00236929d1a4"
NAS-Port = 5
Framed-MTU = 1400
State = 0x9dd480bf98d29957068c8abbb9608c64
NAS-Port-Type = Wireless-802.11
EAP-Message =
0x020600a019001703010020f38b245f8a4ba2c32c11d311a30ec5468f90a3e93b949d95fe62f6245a8e2fdf17030100705d20747f5666db6644551bdb05c49f5d386b9a33e685b2ba9d5bb5f1fad85716c350c2f470171ecc4b318ef39c623c100d584d4c7a05aae14f25ee4799a730e73d57f5028ebccf9812ed150573069f4873fffac3e8c77408b541eb103166b7ae0ad38ae356d6dadb1ecef633c05b174b
Message-Authenticator = 0xb698d82a5c553ea8ce3aa6df65d772cf
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "mail.sns.it" for User-Name = "
rosario.lumia(a)mail.sns.it"
[suffix] Found realm "mail.sns.it"
[suffix] Adding Stripped-User-Name = "rosario.lumia"
[suffix] Adding Realm = "mail.sns.it"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[ntdomain] Request already proxied. Ignoring.
++[ntdomain] returns ok
[eap] EAP packet type response id 6 length 160
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] EAP type mschapv2
[peap] Got tunneled request
EAP-Message =
0x020600541a0206004f313b4861962778fb4f6155136de4c9ee6900000000000000004b32d3bb55eb0f1b839631b8af05b76b74d60b6070c49e4600726f736172696f2e6c756d6961406d61696c2e736e732e6974
server {
PEAP: Setting User-Name to rosario.lumia(a)mail.sns.it
Sending tunneled request
EAP-Message =
0x020600541a0206004f313b4861962778fb4f6155136de4c9ee6900000000000000004b32d3bb55eb0f1b839631b8af05b76b74d60b6070c49e4600726f736172696f2e6c756d6961406d61696c2e736e732e6974
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "rosario.lumia(a)mail.sns.it"
State = 0xf3b625d1f3b03f960f179937a5f9e80a
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] Looking up realm "mail.sns.it" for User-Name = "
rosario.lumia(a)mail.sns.it"
[suffix] Found realm "mail.sns.it"
[suffix] Adding Stripped-User-Name = "rosario.lumia"
[suffix] Adding Realm = "mail.sns.it"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[ntdomain] Request already proxied. Ignoring.
++[ntdomain] returns ok
++[control] returns ok
[eap] EAP packet type response id 6 length 84
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for rosario.lumia(a)mail.sns.it with NT-Password
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
} # server inner-tunnel
[peap] Got tunneled reply code 3
MS-CHAP-Error = "\006E=691 R=1"
EAP-Message = 0x04060004
Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code 3
MS-CHAP-Error = "\006E=691 R=1"
EAP-Message = 0x04060004
Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] returns handled
Sending Access-Challenge of id 0 to 192.168.71.131 port 2048
EAP-Message =
0x0107002b1900170301002014144525592c90d11a4fffed6af1b8a86fbd0f0aa4e1183beec57a73002d68df
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x9dd480bf9bd39957068c8abbb9608c64
Finished request 6.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.71.131 port 2048, id=0,
length=231
Cleaning up request 6 ID 0 with timestamp +234
User-Name = "rosario.lumia(a)mail.sns.it"
NAS-IP-Address = 192.168.71.131
Called-Station-Id = "00236929d1a4"
Calling-Station-Id = "e8e5d6d76775"
NAS-Identifier = "00236929d1a4"
NAS-Port = 5
Framed-MTU = 1400
State = 0x9dd480bf9bd39957068c8abbb9608c64
NAS-Port-Type = Wireless-802.11
EAP-Message =
0x02070050190017030100209504be9fbeeaf7e9938c4381f5a2c07d40e9fc9329c858bfa8290dbaece688cc170301002059a912cbd613fdf127f5994477421b08aa7ed0b1754001f54b31ad2faf777dfe
Message-Authenticator = 0x93d185379d826e86b0379af4a516b144
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "mail.sns.it" for User-Name = "
rosario.lumia(a)mail.sns.it"
[suffix] Found realm "mail.sns.it"
[suffix] Adding Stripped-User-Name = "rosario.lumia"
[suffix] Adding Realm = "mail.sns.it"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[ntdomain] Request already proxied. Ignoring.
++[ntdomain] returns ok
[eap] EAP packet type response id 7 length 80
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Received EAP-TLV response.
[peap] Had sent TLV failure. User was rejected earlier in this session.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} ->
rosario.lumia(a)mail.sns.it
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 7 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 7
Sending Access-Reject of id 0 to 192.168.71.131 port 2048
EAP-Message = 0x04070004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 4.9 seconds.
Cleaning up request 7 ID 0 with timestamp +234
Ready to process requests.
--
Rosario L.
2
5
Hi all,
I am using FR 2.1.11 and I try to implement access_attr &
access_attr_used_for_allow with rlm_ldap.
modules/ldap.conf :
....
access_attr = inetUserStatus
access_attr_used_for_allow = yes
compare_check_items = no
do_xlat = yes
set_auth_type = yes
...
Inside our OpenLDAP, the attribute is inetUserStatus, whose value can
be(active/inactive).
According to rlm_ldap docs, this should be a boolean (yes/no/TRUE/FALSE).
At the moment, access is granted if inetUserStatus is set to active as well
as if inetUserStatus is set to inactive, I suppose because FR does not
interpred those values as TRUE/yes or FALSE/no ..
As I cannot act on ldap server side, (many other applications already uses
this attribute value pair) Is there any way to have this working on
freeradius side ?
Is it necessary to ldap.attrmap this attribute to use this feature ?
Could I (for example) update the attribute recovered from ldap during author
and change inactive to FALSE or active to TRUE ?
debug extract :
Fri Sep 23 12:54:05 2011 : Info: [ldap] performing user authorization for
user_sps
Fri Sep 23 12:54:05 2011 : Info: [ldap] expand:
%{Stripped-User-Name} ->
Fri Sep 23 12:54:05 2011 : Info: [ldap] ... expanding second
conditional
Fri Sep 23 12:54:05 2011 : Info: [ldap] expand: %{User-Name} ->
user_sps
Fri Sep 23 12:54:05 2011 : Info: [ldap] expand:
(uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=user_sps)
Fri Sep 23 12:54:05 2011 : Info: [ldap] expand:
dc=corp,dc=toto,dc=com -> dc=corp,dc=toto,dc=com
Fri Sep 23 12:54:05 2011 : Debug: [ldap] ldap_get_conn: Checking Id: 0
Fri Sep 23 12:54:05 2011 : Debug: [ldap] ldap_get_conn: Got Id: 0
Fri Sep 23 12:54:05 2011 : Debug: [ldap] attempting LDAP reconnection
Fri Sep 23 12:54:05 2011 : Debug: [ldap] (re)connect to 10.49.64.25:389,
authentication 0
Fri Sep 23 12:54:05 2011 : Debug: [ldap] bind as
cn=syncuser,dc=toto,dc=com/L?JHLjvk to 10.49.64.25:389
Fri Sep 23 12:54:05 2011 : Debug: [ldap] waiting for bind result ...
Fri Sep 23 12:54:05 2011 : Debug: [ldap] Bind was successful
Fri Sep 23 12:54:05 2011 : Debug: [ldap] performing search in
dc=corp,dc=toto,dc=com, with filter (uid=user_sps)
Fri Sep 23 12:54:05 2011 : Info: [ldap] checking if remote access for
user_sps is allowed by inetUserStatus
Fri Sep 23 12:54:05 2011 : Info: [ldap] looking for check items in
directory...
Fri Sep 23 12:54:05 2011 : Debug: [ldap] userPassword ->
Password-With-Header == "{SSHA}SnrchnIFWrKzn+nOzZem4YjMjRqHiavi"
Fri Sep 23 12:54:05 2011 : Debug: [ldap] ntPassword -> NT-Password ==
0x7305108b06d9839d8530b917307803e9
Fri Sep 23 12:54:05 2011 : Info: [ldap] looking for reply items in
directory...
Fri Sep 23 12:54:05 2011 : Info: [ldap] Setting Auth-Type = LDAP
Fri Sep 23 12:54:05 2011 : Info: [ldap] user user_sps authorized to use
remote access
Fri Sep 23 12:54:05 2011 : Debug: [ldap] ldap_release_conn: Release Id: 0
Fri Sep 23 12:54:05 2011 : Info: ++[ldap] returns ok
Fri Sep 23 12:54:05 2011 : Info: [files] users: Matched entry user_sps at
line 1
Fri Sep 23 12:54:05 2011 : Info: ++[files] returns ok
Best regards,
Fred MAISON
1
1
Hi all,
I want to advise everyone of a debian-specific problem using
$ENV{HOSTNAME} in freeradius 2 config files :
It seems environment passed to freeradius at startup does not have
HOSTNAME defined.
In fact, it seems only a subset of environment variables are passed to
executables ...
To be able to use this, we have to explicitly set HOSTNAME environment
BEFORE launching freeradius.
For example :
freeradius -X will expand $ENV{HOSTNAME} to empty string
HOSTNAME=`hostname` freeradius -X will expand $ENV{HOSTNAME} to
correct value ...
in /etc/freeeradois/init.d, you could use this :
export PATH="${PATH:+$PATH:}/usr/sbin:/sbin" ### this is present in original
export HOSTNAME="`hostname`" ### this has to be added to access $ENV{HOSTNAME}
Please note : other debian base distro as Ubuntu show same issue.
Best regards
Fred
3
4
I'm stuck in my testing. I have configured and reconfigured my freeradius
and keep getting back to the same error:
[mschap] ERROR: User-Name (RC24558\jojo) is not the same as MS-CHAP Name
(jojo) from EAP-MSCHAPv2
I was able to use the mschap-username to successfully authenticate to ldap
but then fail in the authentication because the usernames are not the same.
Any help is greatly appreciated.
Here is my log:
FreeRADIUS Version 2.1.11, for host x86_64-unknown-linux-gnu, built on Jul
19 2011 at 10:04:23
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf
including files in directory /usr/local/etc/raddb/modules/
including configuration file /usr/local/etc/raddb/modules/pap
including configuration file /usr/local/etc/raddb/modules/mschap
including configuration file
/usr/local/etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /usr/local/etc/raddb/modules/ntlm_auth
including configuration file /usr/local/etc/raddb/modules/expiration
including configuration file /usr/local/etc/raddb/modules/always
including configuration file /usr/local/etc/raddb/modules/otp
including configuration file /usr/local/etc/raddb/modules/acct_unique
including configuration file /usr/local/etc/raddb/modules/preprocess
including configuration file /usr/local/etc/raddb/modules/linelog
including configuration file /usr/local/etc/raddb/modules/soh
including configuration file /usr/local/etc/raddb/modules/radutmp
including configuration file /usr/local/etc/raddb/modules/dynamic_clients
including configuration file /usr/local/etc/raddb/modules/policy
including configuration file /usr/local/etc/raddb/modules/echo
including configuration file /usr/local/etc/raddb/modules/logintime
including configuration file /usr/local/etc/raddb/modules/attr_filter
including configuration file /usr/local/etc/raddb/modules/unix
including configuration file /usr/local/etc/raddb/modules/sradutmp
including configuration file /usr/local/etc/raddb/modules/expr
including configuration file /usr/local/etc/raddb/modules/perl
including configuration file /usr/local/etc/raddb/modules/inner-eap
including configuration file /usr/local/etc/raddb/modules/krb5
including configuration file /usr/local/etc/raddb/modules/ippool
including configuration file /usr/local/etc/raddb/modules/exec
including configuration file /usr/local/etc/raddb/modules/attr_rewrite
including configuration file /usr/local/etc/raddb/modules/replicate
including configuration file /usr/local/etc/raddb/modules/wimax
including configuration file /usr/local/etc/raddb/modules/detail.example.com
including configuration file /usr/local/etc/raddb/modules/digest
including configuration file /usr/local/etc/raddb/modules/mac2vlan
including configuration file /usr/local/etc/raddb/modules/sql_log
including configuration file /usr/local/etc/raddb/modules/mac2ip
including configuration file /usr/local/etc/raddb/modules/detail
including configuration file /usr/local/etc/raddb/modules/ldap
including configuration file /usr/local/etc/raddb/modules/rediswho
including configuration file /usr/local/etc/raddb/modules/counter
including configuration file /usr/local/etc/raddb/modules/chap
including configuration file /usr/local/etc/raddb/modules/opendirectory
including configuration file /usr/local/etc/raddb/modules/pam
including configuration file /usr/local/etc/raddb/modules/realm
including configuration file /usr/local/etc/raddb/modules/checkval
including configuration file /usr/local/etc/raddb/modules/detail.log
including configuration file /usr/local/etc/raddb/modules/smbpasswd
including configuration file /usr/local/etc/raddb/modules/cui
including configuration file /usr/local/etc/raddb/modules/files
including configuration file /usr/local/etc/raddb/modules/etc_group
including configuration file /usr/local/etc/raddb/modules/redis
including configuration file /usr/local/etc/raddb/modules/passwd
including configuration file /usr/local/etc/raddb/modules/smsotp
including configuration file /usr/local/etc/raddb/eap.conf
including configuration file /usr/local/etc/raddb/policy.conf
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration file /usr/local/etc/raddb/sites-enabled/default
including configuration file
/usr/local/etc/raddb/sites-enabled/control-socket
including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel
main {
allow_core_dumps = no
}
including dictionary file /usr/local/etc/raddb/dictionary
main {
name = "radiusd"
prefix = "/usr/local"
localstatedir = "/usr/local/var"
sbindir = "/usr/local/sbin"
logdir = "/usr/local/var/log/radius"
run_dir = "/usr/local/var/run/radiusd"
libdir = "/usr/local/lib"
radacctdir = "/usr/local/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
checkrad = "/usr/local/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "testing123"
response_window = 20
max_outstanding = 65536
require_message_authenticator = yes
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "testing123"
nastype = "other"
}
client 10.0.0.0/8 {
require_message_authenticator = no
secret = "testing123"
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating module "exec" from file
/usr/local/etc/raddb/modules/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_expr
Module: Instantiating module "expr" from file
/usr/local/etc/raddb/modules/expr
Module: Linked to module rlm_expiration
Module: Instantiating module "expiration" from file
/usr/local/etc/raddb/modules/expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating module "logintime" from file
/usr/local/etc/raddb/modules/logintime
logintime {
reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60
}
}
radiusd: #### Loading Virtual Servers ####
server { # from file /usr/local/etc/raddb/radiusd.conf
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating module "pap" from file
/usr/local/etc/raddb/modules/pap
pap {
encryption_scheme = "auto"
auto_header = no
}
Module: Linked to module rlm_chap
Module: Instantiating module "chap" from file
/usr/local/etc/raddb/modules/chap
Module: Linked to module rlm_mschap
Module: Instantiating module "mschap" from file
/usr/local/etc/raddb/modules/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = no
allow_retry = yes
}
Module: Linked to module rlm_digest
Module: Instantiating module "digest" from file
/usr/local/etc/raddb/modules/digest
Module: Linked to module rlm_unix
Module: Instantiating module "unix" from file
/usr/local/etc/raddb/modules/unix
unix {
radwtmp = "/usr/local/var/log/radius/radwtmp"
}
Module: Linked to module rlm_eap
Module: Instantiating module "eap" from file /usr/local/etc/raddb/eap.conf
eap {
default_eap_type = "md5"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 4096
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
CA_path = "/usr/local/etc/raddb/certs"
pem_file_type = yes
private_key_file = "/usr/local/etc/raddb/certs/server.pem"
certificate_file = "/usr/local/etc/raddb/certs/server.pem"
CA_file = "/usr/local/etc/raddb/certs/ca.pem"
private_key_password = "whatever"
dh_file = "/usr/local/etc/raddb/certs/dh"
random_file = "/usr/local/etc/raddb/certs/random"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
make_cert_command = "/usr/local/etc/raddb/certs/bootstrap"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
}
}
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating module "preprocess" from file
/usr/local/etc/raddb/modules/preprocess
preprocess {
huntgroups = "/usr/local/etc/raddb/huntgroups"
hints = "/usr/local/etc/raddb/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
Module: Linked to module rlm_realm
Module: Instantiating module "suffix" from file
/usr/local/etc/raddb/modules/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Linked to module rlm_files
Module: Instantiating module "files" from file
/usr/local/etc/raddb/modules/files
files {
usersfile = "/usr/local/etc/raddb/users"
acctusersfile = "/usr/local/etc/raddb/acct_users"
preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"
compat = "no"
}
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating module "acct_unique" from file
/usr/local/etc/raddb/modules/acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address,
NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating module "detail" from file
/usr/local/etc/raddb/modules/detail
detail {
detailfile =
"/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Linked to module rlm_radutmp
Module: Instantiating module "radutmp" from file
/usr/local/etc/raddb/modules/radutmp
radutmp {
filename = "/usr/local/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Linked to module rlm_attr_filter
Module: Instantiating module "attr_filter.accounting_response" from file
/usr/local/etc/raddb/modules/attr_filter
attr_filter attr_filter.accounting_response {
attrsfile = "/usr/local/etc/raddb/attrs.accounting_response"
key = "%{User-Name}"
}
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Instantiating module "attr_filter.access_reject" from file
/usr/local/etc/raddb/modules/attr_filter
attr_filter attr_filter.access_reject {
attrsfile = "/usr/local/etc/raddb/attrs.access_reject"
key = "%{User-Name}"
}
} # modules
} # server
server inner-tunnel { # from file
/usr/local/etc/raddb/sites-enabled/inner-tunnel
modules {
Module: Checking authenticate {...} for more modules to load
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_ldap
Module: Instantiating module "ldap" from file
/usr/local/etc/raddb/modules/ldap
ldap {
server = "127.0.0.1"
port = 389
password = ""
identity = ""
net_timeout = 1
timeout = 4
timelimit = 3
tls_mode = no
start_tls = no
tls_require_cert = "allow"
tls {
start_tls = no
require_cert = "allow"
}
basedn = "ou=Users,dc=rcsd"
filter = "(uid=%{mschap:User-Name:-%{User-Name}})"
base_filter = "(objectclass=radiusprofile)"
auto_header = no
access_attr = "uid"
access_attr_used_for_allow = yes
groupname_attribute = "cn"
groupmembership_filter =
"(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
dictionary_mapping = "/usr/local/etc/raddb/ldap.attrmap"
ldap_debug = 0
ldap_connections_number = 5
compare_check_items = no
do_xlat = yes
set_auth_type = yes
}
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: Over-riding set_auth_type, as there is no module ldap listed in
the "authenticate" section.
rlm_ldap: reading ldap<->radius mappings from file
/usr/local/etc/raddb/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP sambaLMPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP sambaNTPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password
rlm_ldap: LDAP userPassword mapped to RADIUS Password-With-Header
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS
Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS
Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS
Framed-AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type
rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type
rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS
Tunnel-Private-Group-Id
conns: 0x1ad15d0
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
} # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
listen {
type = "control"
listen {
socket = "/usr/local/var/run/radiusd/radiusd.sock"
}
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
... adding new socket proxy address * port 36878
Listening on authentication address * port 1645
Listening on accounting address * port 1646
Listening on command file /usr/local/var/run/radiusd/radiusd.sock
Listening on authentication address 127.0.0.1 port 18120 as server
inner-tunnel
Listening on proxy address * port 1647
Ready to process requests.
rad_recv: Access-Request packet from host 10.0.14.36 port 1645, id=91,
length=137
User-Name = "RC24558\\jojo"
Framed-MTU = 1400
Called-Station-Id = "0013.5ffa.57f0"
Calling-Station-Id = "0013.ceca.3fb6"
Service-Type = Login-User
Message-Authenticator = 0x730ec4591f16ea272e41a4d1b93ffbbb
EAP-Message = 0x0202001101524332343535385c6a6f6a6f
NAS-Port-Type = Wireless-802.11
NAS-Port = 15329
NAS-IP-Address = 10.0.14.36
NAS-Identifier = "ap"
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "RC24558\jojo", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 17
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication
may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 91 to 10.0.14.36 port 1645
EAP-Message = 0x0103001604107a9555769afc05b15cfddd786cfcf120
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x4ca0317e4ca335654561e181a1238ac7
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.14.36 port 1645, id=92,
length=144
User-Name = "RC24558\\jojo"
Framed-MTU = 1400
Called-Station-Id = "0013.5ffa.57f0"
Calling-Station-Id = "0013.ceca.3fb6"
Service-Type = Login-User
Message-Authenticator = 0x469a38299798a6bdad68ad002c64c1c4
EAP-Message = 0x020300060319
NAS-Port-Type = Wireless-802.11
NAS-Port = 15329
State = 0x4ca0317e4ca335654561e181a1238ac7
NAS-IP-Address = 10.0.14.36
NAS-Identifier = "ap"
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "RC24558\jojo", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication
may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/peap
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 92 to 10.0.14.36 port 1645
EAP-Message = 0x010400061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x4ca0317e4da428654561e181a1238ac7
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.14.36 port 1645, id=93,
length=225
User-Name = "RC24558\\jojo"
Framed-MTU = 1400
Called-Station-Id = "0013.5ffa.57f0"
Calling-Station-Id = "0013.ceca.3fb6"
Service-Type = Login-User
Message-Authenticator = 0x2a3c021b7a144c149255c9aad2a96a69
EAP-Message =
0x0204005719800000004d16030100480100004403014e83706486a693aec5255a8c6210944f7d593d3271b289ef3bc606f9a21ec92c00001600040005000a0009006400620003000600130012006301000005ff01000100
NAS-Port-Type = Wireless-802.11
NAS-Port = 15329
State = 0x4ca0317e4da428654561e181a1238ac7
NAS-IP-Address = 10.0.14.36
NAS-Identifier = "ap"
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "RC24558\jojo", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 4 length 87
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 77
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 0048], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 0031], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 085e], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client certificate
A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 93 to 10.0.14.36 port 1645
EAP-Message =
0x0105040019c0000008a216030100310200002d03014e8370adfc322701872fc66e7e60ee41cdcf9267f0aa8c7009af069c89b7dfb3000004000005ff01000100160301085e0b00085a0008570003a6308203a23082028aa003020102020101300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c65204365727469666963617465204175
EAP-Message =
0x74686f72697479301e170d3131303932373138303635385a170d3132303932363138303635385a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100c121fd8539341d239e11726dd2d4898412ba8500642572253cd7f06ea30e88cc931e0b0f242d8ddf34150c64cf3e9bd5d5285f9d3986cc
EAP-Message =
0xcb45885a82695ea1a6b39d5ef541e69162b4359b50a2ed1f5c7a07df7aca67373754c4ea22465331621c620274224387e9c840e06c711331b9280f0b86243942837350849ca68e6fa0cce2a3dab50f1c075697c51a8fb0bb08bf040837fb03bfc8b75cb0a1ed510dbeece90953a4b7e819a2a996ea394dac797d3d0f154743d8a5ebb9e2b62fdf34df5d79cea48d13aef0d4ffdcda5be7cbb726ac90aea665bceda245dd291040060b3112a08b7f3d049cef0d8e1c7d0aa078f4a3cd576fabed2fa73b4a46e3959dc90203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d01010405000382010100b54e
EAP-Message =
0xcb50c44266842cafcecf579486a35543eebb25e577701de400b09c629fbc1a07a47b43b1ae181c1768613c49149122b679f538bca127b3755211bf3b960bd999d11a295ac90b8ca78210db712f26704409d4bb3b271e4549b18a0385210fed58b893055d0088bb0462f872effd4076410129fcb2eeefbfbae501a61327c7feec9e114cf05541cd954496455198277cba7aa97cc5db2cb0fd4e5272e0359ca23a221ec98972fbd31c2c8780e3f5ffd11fceeecf6a16d1e3e0e3c00f26de8e07e42fdfffede0a8dc45ab6d9525567417042db59a655ea0f6439e703808293c9a78217c9445a796e3ad38ee013d10a7108c0e2dba3b36eb4e0da448dc65c0
EAP-Message = 0x490004ab308204a73082038f
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x4ca0317e4ea528654561e181a1238ac7
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.14.36 port 1645, id=94,
length=144
User-Name = "RC24558\\jojo"
Framed-MTU = 1400
Called-Station-Id = "0013.5ffa.57f0"
Calling-Station-Id = "0013.ceca.3fb6"
Service-Type = Login-User
Message-Authenticator = 0xec06efe320583e8240ab20df04078c7a
EAP-Message = 0x020500061900
NAS-Port-Type = Wireless-802.11
NAS-Port = 15329
State = 0x4ca0317e4ea528654561e181a1238ac7
NAS-IP-Address = 10.0.14.36
NAS-Identifier = "ap"
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "RC24558\jojo", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 5 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 94 to 10.0.14.36 port 1645
EAP-Message =
0x010603fc1940a003020102020900e5e03da624058331300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3131303932373138303635385a170d3132303932363138303635385a308193310b3009060355040613024652310f300d0603550408130652616469757331
EAP-Message =
0x12301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100bc808d2b03bdbf6ac5c874378118db5304e6663225a86d4318d6ab93bc36d6543c4961d1ee53078b619e7277cdf0b8adf588f4ffc26ddfb8e047f7461ad510939dcaf8d6dd6b7cab43e75127ab5a5145762d952ea463bbd0a60c999b4753ded3bdd4d5f8b5b75bbb
EAP-Message =
0x2f0b8250f9d0e52d7eabe4825558ff020c1821bdcfb0a15fdeb81d8156631cbb2700305b9b0ac303c077f133398976172de8741d01cfe8e74696e66d7ecd99c6ca992ba76af05889f1026e5280e7d2a7042c970437ead114dcf1540ef57630197a2d87f6e81a9f3a077064fe9f8ecc1c231aa97fac75340eb6865f0d3f195374450138bd49ded4f31e01213b45c5a5f21eb1be690d5266430203010001a381fb3081f8301d0603551d0e04160414fb73bd14c5287245379ea9ea2864c3478fdb72e63081c80603551d230481c03081bd8014fb73bd14c5287245379ea9ea2864c3478fdb72e6a18199a48196308193310b300906035504061302465231
EAP-Message =
0x0f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479820900e5e03da624058331300c0603551d13040530030101ff300d06092a864886f70d010105050003820101000e91ac6bc29269750d07c5163c9e72236ab05dcbe35a178bc64b51d8a706e4fa5460d2ca3743d9371eb8995c9b2a77e7b03b4a04f6bd5ebfef8a90c8ef54573aee93625399c41d2f72b7aa
EAP-Message = 0x3afcccd32589e909
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x4ca0317e4fa628654561e181a1238ac7
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.14.36 port 1645, id=95,
length=144
User-Name = "RC24558\\jojo"
Framed-MTU = 1400
Called-Station-Id = "0013.5ffa.57f0"
Calling-Station-Id = "0013.ceca.3fb6"
Service-Type = Login-User
Message-Authenticator = 0x223abc48134a68bf867277a39db25c90
EAP-Message = 0x020600061900
NAS-Port-Type = Wireless-802.11
NAS-Port = 15329
State = 0x4ca0317e4fa628654561e181a1238ac7
NAS-IP-Address = 10.0.14.36
NAS-Identifier = "ap"
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "RC24558\jojo", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 6 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 95 to 10.0.14.36 port 1645
EAP-Message =
0x010700bc190078b2cd3c43c5f26c97b73770863abe48869ed55bbcd7ec5478e8a262e827e272637c47884e3e257e78738bb255202321d5782bd4df57c8ea191eafb643ce68868c77ab12fd973fad37efd91a94946191e9c331524eb4ee1e7aceeff06a5d7a6f741cb06dfae01a4096a766a2901b7c1a915fa078c9fccf8d5582ede3cf5b9855f94c1ee714a9eccb45229fa833b41d36a07f97e992da1bee4b0166c617fe3f5b5c30cca27587801786d4f6c7ab16030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x4ca0317e48a728654561e181a1238ac7
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.14.36 port 1645, id=96,
length=460
User-Name = "RC24558\\jojo"
Framed-MTU = 1400
Called-Station-Id = "0013.5ffa.57f0"
Calling-Station-Id = "0013.ceca.3fb6"
Service-Type = Login-User
Message-Authenticator = 0x80944747c69a6d6e10419de21f4272bd
EAP-Message =
0x02070140198000000136160301010610000102010047035f448a84d6697d94525253dcfac0975acb44b8c3acf73f8787aecfba1221616cdb08dc410de97e07259ae6b2aa21a59c6da201bb2db5eca4e22e8ffe26441db9033a425e30c2ace13729938c86ab795d045f2d22e4c45e0495d3be8d0dcb0f8c98e94feaf2541e4464749d6612985b5f601876a30028b95e7188392ab71ecae7aeb0720a935b12d6e18e9d661ae9380f0589a44a292365c63154993d2c66188066c25f44f075e6dffe91456f32629874c20f20d74ccfb605ab631f78c73f71138ebf15b45f4ec209378f8a6c3f626c3ead67ea442db26b7b0a2c3bddf6e342bd8fdbd1ad3072
EAP-Message =
0x12a50394fdb05d70897bf6659d6be21d3ffeb99c030f4d7714030100010116030100205a862653d6933f49eb774a277c5f8d981d2b96037ece4e96a24ecb4c697e2628
NAS-Port-Type = Wireless-802.11
NAS-Port = 15329
State = 0x4ca0317e48a728654561e181a1238ac7
NAS-IP-Address = 10.0.14.36
NAS-Identifier = "ap"
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "RC24558\jojo", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 7 length 253
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 310
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange
[peap] TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap] TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 write finished A
[peap] TLS_accept: SSLv3 flush data
[peap] (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 96 to 10.0.14.36 port 1645
EAP-Message =
0x01080031190014030100010116030100200d0692cfdffe635ebef274611fcf735831738f8900056b57e62295c0e7596613
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x4ca0317e49a828654561e181a1238ac7
Finished request 5.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.14.36 port 1645, id=97,
length=144
User-Name = "RC24558\\jojo"
Framed-MTU = 1400
Called-Station-Id = "0013.5ffa.57f0"
Calling-Station-Id = "0013.ceca.3fb6"
Service-Type = Login-User
Message-Authenticator = 0x47ef5c834de354dfc6d3a786c2c57394
EAP-Message = 0x020800061900
NAS-Port-Type = Wireless-802.11
NAS-Port = 15329
State = 0x4ca0317e49a828654561e181a1238ac7
NAS-IP-Address = 10.0.14.36
NAS-Identifier = "ap"
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "RC24558\jojo", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 8 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state TUNNEL ESTABLISHED
++[eap] returns handled
Sending Access-Challenge of id 97 to 10.0.14.36 port 1645
EAP-Message =
0x0109002019001703010015e406cf732364b980898faadb579838947066471650
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x4ca0317e4aa928654561e181a1238ac7
Finished request 6.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.14.36 port 1645, id=98,
length=178
User-Name = "RC24558\\jojo"
Framed-MTU = 1400
Called-Station-Id = "0013.5ffa.57f0"
Calling-Station-Id = "0013.ceca.3fb6"
Service-Type = Login-User
Message-Authenticator = 0xc396b72f72e366d2c3d40579aa8754c8
EAP-Message =
0x020900281900170301001dc33a990e62301104e56b7858134a582a8ed9672aad0e4f3206cc8a3edb
NAS-Port-Type = Wireless-802.11
NAS-Port = 15329
State = 0x4ca0317e4aa928654561e181a1238ac7
NAS-IP-Address = 10.0.14.36
NAS-Identifier = "ap"
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "RC24558\jojo", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 9 length 40
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state WAITING FOR INNER IDENTITY
[peap] Identity - RC24558\jojo
[peap] Got inner identity 'RC24558\jojo'
[peap] Setting default EAP type for tunneled EAP session.
[peap] Got tunneled request
EAP-Message = 0x0209001101524332343535385c6a6f6a6f
server {
[peap] Setting User-Name to RC24558\jojo
Sending tunneled request
EAP-Message = 0x0209001101524332343535385c6a6f6a6f
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "RC24558\\jojo"
server inner-tunnel {
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "RC24558\jojo", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 9 length 17
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[ldap] performing user authorization for RC24558\jojo
[ldap] expand: (uid=%{mschap:User-Name:-%{User-Name}}) -> (uid=jojo)
[ldap] expand: ou=Users,dc=rcsd -> ou=Users,dc=rcsd
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] attempting LDAP reconnection
[ldap] (re)connect to 127.0.0.1:389, authentication 0
[ldap] bind as / to 127.0.0.1:389
[ldap] waiting for bind result ...
[ldap] Bind was successful
[ldap] performing search in ou=Users,dc=rcsd, with filter (uid=jojo)
[ldap] checking if remote access for RC24558\jojo is allowed by uid
[ldap] looking for check items in directory...
[ldap] userPassword -> Password-With-Header ==
"{SSHA}II8f7AGFYlC1KCv9i1ciQO5U9qNG1RrG"
[ldap] sambaNTPassword -> NT-Password ==
0x3530354139323739434644324639344336353839383035353143464445373335
[ldap] looking for reply items in directory...
[ldap] user RC24558\jojo authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Normalizing NT-Password from hex encoding
[pap] Normalizing SSHA1-Password from base64 encoding
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
EAP-Message =
0x010a00261a010a002110dc7866d4128b49da77e4041e94ff2deb524332343535385c6a6f6a6f
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xdc586d28dc52772ac41aca5400308a27
[peap] Got tunneled reply RADIUS code 11
EAP-Message =
0x010a00261a010a002110dc7866d4128b49da77e4041e94ff2deb524332343535385c6a6f6a6f
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xdc586d28dc52772ac41aca5400308a27
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 98 to 10.0.14.36 port 1645
EAP-Message =
0x010a003d19001703010032ad137791c4500ba4df2a20ca6838b44dad3417e2ebab688484e1695317a6f5efb600b21ade1d97484d0de7f48a4217ecb2a3
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x4ca0317e4baa28654561e181a1238ac7
Finished request 7.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.14.36 port 1645, id=99,
length=224
User-Name = "RC24558\\jojo"
Framed-MTU = 1400
Called-Station-Id = "0013.5ffa.57f0"
Calling-Station-Id = "0013.ceca.3fb6"
Service-Type = Login-User
Message-Authenticator = 0x4c9395db835a55b9dd2f9f15d0277a1c
EAP-Message =
0x020a00561900170301004b22b2f8b3aa052a4493207355395da0dfc741f86d49b30c6f79095df3b3e93493bdaae374f6c08e6cda7d36f84da65e68efaadb2206a64c258422593402705c44087a81ca68867484d087fc
NAS-Port-Type = Wireless-802.11
NAS-Port = 15329
State = 0x4ca0317e4baa28654561e181a1238ac7
NAS-IP-Address = 10.0.14.36
NAS-Identifier = "ap"
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "RC24558\jojo", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 10 length 86
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
EAP-Message =
0x020a003f1a020a003a3152db2b98f772e2c071e33180e86333770000000000000000348b1cdaee566588b2ae036201f6531b5b9751289c96a32d006a6f6a6f
server {
[peap] Setting User-Name to RC24558\jojo
Sending tunneled request
EAP-Message =
0x020a003f1a020a003a3152db2b98f772e2c071e33180e86333770000000000000000348b1cdaee566588b2ae036201f6531b5b9751289c96a32d006a6f6a6f
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "RC24558\\jojo"
State = 0xdc586d28dc52772ac41aca5400308a27
server inner-tunnel {
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "RC24558\jojo", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 10 length 63
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[ldap] performing user authorization for RC24558\jojo
[ldap] expand: (uid=%{mschap:User-Name:-%{User-Name}}) -> (uid=jojo)
[ldap] expand: ou=Users,dc=rcsd -> ou=Users,dc=rcsd
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in ou=Users,dc=rcsd, with filter (uid=jojo)
[ldap] checking if remote access for RC24558\jojo is allowed by uid
[ldap] looking for check items in directory...
[ldap] userPassword -> Password-With-Header ==
"{SSHA}II8f7AGFYlC1KCv9i1ciQO5U9qNG1RrG"
[ldap] sambaNTPassword -> NT-Password ==
0x3530354139323739434644324639344336353839383035353143464445373335
[ldap] looking for reply items in directory...
[ldap] user RC24558\jojo authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Normalizing NT-Password from hex encoding
[pap] Normalizing SSHA1-Password from base64 encoding
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file
/usr/local/etc/raddb/sites-enabled/inner-tunnel
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] Found NT-Password
[mschap] ERROR: User-Name (RC24558\jojo) is not the same as MS-CHAP Name
(jojo) from EAP-MSCHAPv2
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
} # server inner-tunnel
[peap] Got tunneled reply code 3
EAP-Message = 0x040a0004
Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code 3
EAP-Message = 0x040a0004
Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE
--
View this message in context: http://freeradius.1045715.n5.nabble.com/mschap-returns-reject-tp4850396p485…
Sent from the FreeRadius - User mailing list archive at Nabble.com.
3
3
Hello,
After upgrading to FreeRadius version 2.1.11 on RHEL6, I am seeing the
following in radius.log right before the process terminates:
Wed Sep 28 11:16:12 2011 : Error: Child PID 30242 is taking too much time:
forcing failure and killing child.
Wed Sep 28 11:16:12 2011 : Error: Child PID 30243 is taking too much time:
forcing failure and killing child.
Wed Sep 28 11:16:12 2011 : Error: Child PID 30244 is taking too much time:
forcing failure and killing child.
Wed Sep 28 11:16:13 2011 : Error: Child PID 30245 is taking too much time:
forcing failure and killing child.
Wed Sep 28 11:16:13 2011 : Info: Signalled to terminate
Wed Sep 28 11:16:13 2011 : Info: Exiting normally.
Wed Sep 28 11:16:13 2011 : Error: Child PID 30246 is taking too much time:
forcing failure and killing child.
Wed Sep 28 11:16:13 2011 : Error: Request 179116 has been waiting in the
processing queue for 8 seconds. Check that all databases are running
properly!
Wed Sep 28 11:16:13 2011 : Error: Child PID 30247 is taking too much time:
forcing failure and killing child.
Wed Sep 28 11:16:13 2011 : Error: Child PID 30251 is taking too much time:
forcing failure and killing child.
Wed Sep 28 11:16:13 2011 : Error: Child PID 30252 is taking too much time:
forcing failure and killing child.
Wed Sep 28 11:16:13 2011 : Error: Child PID 30249 is taking too much time:
forcing failure and killing child.
Wed Sep 28 11:16:13 2011 : Error: Child PID 30253 is taking too much time:
forcing failure and killing child.
Wed Sep 28 11:16:13 2011 : Error: Child PID 30255 is taking too much time:
forcing failure and killing child.
Wed Sep 28 11:16:13 2011 : Error: Child PID 30250 is taking too much time:
forcing failure and killing child.
Wed Sep 28 11:16:13 2011 : Error: Child PID 30248 is taking too much time:
forcing failure and killing child.
Wed Sep 28 11:16:13 2011 : Error: Child PID 30254 is taking too much time:
forcing failure and killing child.
Wed Sep 28 11:16:14 2011 : Error: Child PID 30257 is taking too much time:
forcing failure and killing child.
Wed Sep 28 11:16:14 2011 : Error: Child PID 30256 is taking too much time:
forcing failure and killing child.
Wed Sep 28 11:16:14 2011 : Error: Child PID 30258 is taking too much time:
forcing failure and killing child.
Wed Sep 28 11:16:14 2011 : Error: Child PID 30259 is taking too much time:
forcing failure and killing child.
The radiusd process ends, and I can't find anything to explain this. I've
restarted the service with -X and will report back if I see anything
suspicious.
In the meantime, has anyone else seen this?
Thanks,
Dave
--
View this message in context: http://freeradius.1045715.n5.nabble.com/2-1-11-inexplicable-crash-tp4849607…
Sent from the FreeRadius - User mailing list archive at Nabble.com.
2
6