Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
June 2012
- 103 participants
- 130 discussions
Hello...
I am currently using freeRadius to proxy messages between a client and
server as follows:
radius client ----------freeRadius--------------radius server
The client normally send access_request messages which are proxyed to the
server. The server can either respond with access-accept or access-reject.
That is all working fine at the moment.
What I need to do now, is the following:
1. If the server sends access-accept, then proxy the message back to the
client (like it is being done at the moment)
2. If the server sends access-reject, then do not proxy, just drop the
packet.
Is that possible?
3
3
Hi,
I'm trying to test FreeRADIUS on FreeBSD which is the easy part
however, I need a web ui and so Dialup Admin directly comes with the
port on FreeBSD.....
Trying to get it running I am having difficulty with php it seems??
I get a green screen saying "Dialup Admin" and that's it. On the left
hand side of the screen I have this:
<?php
$auth_user = $HTTP_SERVER_VARS["PHP_AUTH_USER"];
if ($auth_user){
if (is_file("../html/buttons/$auth_user/buttons.html.php3"))
include("../html/buttons/$auth_user/buttons.html.php3");
else{
if (is_file("../html/buttons/default/buttons.html.php3"))
include("../html/buttons/default/buttons.html.php3");
}
}
else{
if (is_file("../html/buttons/default/buttons.html.php3"))
include("../html/buttons/default/buttons.html.php3");
}
?>
I went through the install guide here:
http://wiki.freeradius.org/Dialup-admin#Apache+Configuration
However, I am using Php5.4 which gets installed by default on FreeBSD
unless using a "Legacy" port.
Could anyone help me getting this to work or is the web-ui simply too
old to be able to work with the latest FreeBSD variant?
Regards,
Kaya
5
4
How do I enable Freeradius to not only authenticate the a user but
verify a specific attribute for the user? I've been going though the
docs but this is escaping me.
Thanks.
4
6
01 Jun '12
Hi,
we have a Cisco C3750E switch stack which had a previous version of
IOS on it, 12.2 or so....
I recently performed an upgrade to the latest version that Cisco
offer: 15.0(1)SE2 however, after the upgrade took place the phones
started loosing connectivity.
It seems that the correct VLAN wasn't beeing assigned to the MAC
addresses of the phones and therefor the phones acquiring the business
vlan and hence the ports getting blocked.
I will perform a wireshark and tcpdump packet capture this evening in
order to try to debug more clearly what is going on between the
devices however, in the mean time I was wondering if there was some
sort of interoperability quircks between newer Cisco IOS releases and
FreeRADIUS (VMPS)??
Unfortunately I can't give the version of FreeRADIUS being used as I
didn't set it up initially and hence the software is not within the
package database of the Linux box it's running on; however if there is
a command I could use from one of the FreeRADIUS binaries I am happy
to provide the information.
Can anyone suggest anything?
Regards,
Kaya
4
6
Hi,
Simple question here :
I have an LDAP xlat query to populate the Ldap-Group attribute in order
to do crazy stuff with the group membership (out of scope to explain you
what kind of crazy stuff). The issue I have is that the query may
return multiple group membership lines.
update request {
Ldap-Group +=
"%{ldap:ldap:///dc=inverse,dc=local?memberOf?sub?sAMAccountName=%u}"
}
My question is, how can the Ldap-Group be listed for each result the
query return? ie.
Ldap-Group = "cn=group1,dc=inverse,dc=local"
Ldap-Group = "cn=group2,dc=inverse,dc=local"
Right now, the Ldap-Group will only contain the first group of the list.
Thanks!
--
Francois Gaudreault, ing. jr
fgaudreault(a)inverse.ca :: +1.514.447.4918 (x130) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
(www.packetfence.org)
2
2
Greetings list,
I am trying to configure PAM on my remote Linux servers to authenticate
via FreeRADIUS to Active Directory. I have followed the instructions at
http://deployingradius.com/documents/configuration/active_directory.html
to the letter and am able to successfully run radtest against the
FreeRADIUS server :
running *radtest -t mschap jonathanv /mypassword/ localhost 0
testing123*, returns the following:
rad_recv: Access-Request packet from host 127.0.0.1 port 57650, id=252,
length=117
User-Name = "jonathanv"
NAS-IP-Address = 172.16.132.254
NAS-Port = 0
MS-CHAP-Challenge = 0x3ab2e0ada92d1a3b
MS-CHAP-Response =
0x0001000000000000000000000000000000000000000000000000d868800a8540b1a1823945859c18d2596202279141f6daea
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
++[mschap] returns ok
++[digest] returns noop
[suffix] No '@' in User-Name = "jonathanv", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = MSCHAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group MS-CHAP {...}
[mschap] Told to do MS-CHAPv1 with NT-Password
[mschap] expand: --username=%{mschap:User-Name:-None} ->
--username=jonathanv
[mschap] No NT-Domain was found in the User-Name.
[mschap] expand: %{mschap:NT-Domain} ->
[mschap] ... expanding second conditional
[mschap] expand: --domain=%{%{mschap:NT-Domain}:-MSAD} -> --domain=MSAD
[mschap] mschap1: 3a
[mschap] expand: --challenge=%{mschap:Challenge:-00} ->
--challenge=3ab2e0ada92d1a3b
[mschap] expand: --nt-response=%{mschap:NT-Response:-00} ->
--nt-response=d868800a8540b1a1823945859c18d2596202279141f6daea
Exec-Program output: NT_KEY: 74910D7B290EDE12A3926DCD2EA68453
Exec-Program-Wait: plaintext: NT_KEY: 74910D7B290EDE12A3926DCD2EA68453
Exec-Program: returned: 0
[mschap] adding MS-CHAPv1 MPPE keys
++[mschap] returns ok
# Executing section post-auth from file /etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 252 to 127.0.0.1 port 57650
MS-CHAP-MPPE-Keys =
0x000000000000000074910d7b290ede12a3926dcd2ea684530000000000000000
MS-MPPE-Encryption-Policy = 0x00000001
MS-MPPE-Encryption-Types = 0x00000006
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 2 ID 252 with timestamp +269
Ready to process requests.
However, now, I would like to configure PAM on a test Linux (CentOS 6)
box to authenticate Active Directory users (system-auth, password-auth
and ssh) via the FreeRADIUS server. I have installed the *pam_radius*
package from the EPEL repository on my test box and have configured
*/etc/pam_radius.conf* file like so:
172.16.132.254 /*mypassword*/*//* 3
...172.16.132.254 being my FreeRADIUS server...
To test SSH authentication I have added the following line to the
*/etc/pam.d/sshd* file:
*auth required pam_radius_auth.so*
On the FreeRADIUS server I have configured the following in clients.conf :
*
client 172.16.132.140 {
secret = /mypassword/
shortname = jonathan-c6
nastype = other
}*
...172.16.132.140 being the test box...
When attempting to ssh to the test box as an Active Directory user I
receive the following debug output:
rad_recv: Access-Request packet from host 172.16.132.140 port 32768,
id=12, length=95
User-Name = "jonathanv"
User-Password = "\010\n\r\177INCORRECT"
NAS-IP-Address = 172.16.132.140
NAS-Identifier = "sshd"
NAS-Port = 4369
NAS-Port-Type = Virtual
Service-Type = Authenticate-Only
Calling-Station-Id = "172.16.132.148"
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "jonathanv", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
*ERROR: No authenticate method (Auth-Type) found for the request:
Rejecting the user*
Failed to authenticate the user.
WARNING: Unprintable characters in the password. Double-check
the shared secret on the server and the NAS!
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> jonathanv
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 3 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 3
Sending Access-Reject of id 12 to 172.16.132.140 port 32768
Waking up in 4.9 seconds.
Cleaning up request 3 ID 12 with timestamp +1336
Ready to process requests.
From this output it's clear to me that neither MSCHAP, or any other
Auth-Type for that matter, are being used. I know I'm missing something
here, but really not sure what. Some advice would be much appreciated!
Greetings,
Jonathan
Disclaimer
The information contained in this communication from the sender is confidential. It is intended solely for use by the recipient and others authorized to receive it. If you are not the recipient, you are hereby notified that any disclosure, copying, distribution or taking action in relation of the contents of this information is strictly prohibited and may be unlawful.
This email has been scanned for viruses and malware, and automatically archived by Mimecast SA (Pty) Ltd, an innovator in Software as a Service (SaaS) for business. Mimecast Unified Email Management (UEM) offers email continuity, security, archiving and compliance with all current legislation. To find out more, visit http://www.mimecast.co.za/uem-ppc.
2
3
Hi there list,
After getting (p)eap an mschap working I'm faced with the following
problem: The client gets authenticated through mschap and receives an
Access-Accept but the rlm_perl added pair which where added in request 0
are not send to the client. Resulting in a client ending up in the wrong
vlan.
I've tried several things to resolve this but with no result. One of
which was running the perl code in a post-auth event. This resulted in
something like 250 requests and the client not connecting.,
Two things strike me as odd:
- There is a warning about 2 auth-types - perl and eap
- Why does the authorization run first? I would have thought
authentication comes first.
Below the trace and versions.
Peter
FreeRADIUS Version 2.1.10, for host x86_64-pc-linux-gnu, built on Nov 24
2011 at 07:53:12
Ubuntu 64bit 12.04 (wheezy/sid)
FreeRADIUS Version 2.1.10, for host x86_64-pc-linux-gnu, built on Nov 24
2011 at 07:53:12
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/acct_unique
including configuration file /etc/freeradius/modules/opendirectory
including configuration file /etc/freeradius/modules/ldap
including configuration file /etc/freeradius/modules/inner-eap
including configuration file /etc/freeradius/modules/logintime
including configuration file /etc/freeradius/modules/perl
including configuration file /etc/freeradius/modules/pap
including configuration file /etc/freeradius/modules/detail.example.com
including configuration file /etc/freeradius/modules/smbpasswd
including configuration file /etc/freeradius/modules/linelog
including configuration file /etc/freeradius/modules/mschap
including configuration file /etc/freeradius/modules/preprocess
including configuration file /etc/freeradius/modules/expr
including configuration file /etc/freeradius/modules/wimax
including configuration file /etc/freeradius/modules/mac2ip
including configuration file /etc/freeradius/modules/mac2vlan
including configuration file /etc/freeradius/modules/always
including configuration file /etc/freeradius/modules/policy
including configuration file /etc/freeradius/modules/exec
including configuration file /etc/freeradius/modules/otp
including configuration file /etc/freeradius/modules/dynamic_clients
including configuration file /etc/freeradius/modules/passwd
including configuration file /etc/freeradius/modules/sradutmp
including configuration file /etc/freeradius/modules/echo
including configuration file /etc/freeradius/modules/ippool
including configuration file /etc/freeradius/modules/radutmp
including configuration file /etc/freeradius/modules/files
including configuration file /etc/freeradius/modules/counter
including configuration file /etc/freeradius/modules/detail.log
including configuration file /etc/freeradius/modules/sql_log
including configuration file /etc/freeradius/modules/krb5
including configuration file /etc/freeradius/modules/attr_filter
including configuration file /etc/freeradius/modules/chap
including configuration file /etc/freeradius/modules/checkval
including configuration file /etc/freeradius/modules/digest
including configuration file /etc/freeradius/modules/smsotp
including configuration file /etc/freeradius/modules/pam
including configuration file /etc/freeradius/modules/realm
including configuration file /etc/freeradius/modules/detail
including configuration file /etc/freeradius/modules/etc_group
including configuration file /etc/freeradius/modules/expiration
including configuration file /etc/freeradius/modules/attr_rewrite
including configuration file
/etc/freeradius/modules/sqlcounter_expire_on_login
including configuration file /etc/freeradius/modules/cui
including configuration file /etc/freeradius/modules/ntlm_auth
including configuration file /etc/freeradius/modules/unix
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/default
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
main {
user = "freerad"
group = "freerad"
allow_core_dumps = no
}
including dictionary file /etc/freeradius/dictionary
main {
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/freeradius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/freeradius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "/var/run/freeradius/freeradius.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "testing123"
response_window = 20
max_outstanding = 65536
require_message_authenticator = yes
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "testing123"
nastype = "other"
}
client sysop-2 {
ipaddr = 10.0.0.20
require_message_authenticator = no
secret = "testing123"
nastype = "other"
}
client ap {
ipaddr = 10.0.9.48
require_message_authenticator = no
secret = "testing123"
nastype = "cisco"
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating module "exec" from file
/etc/freeradius/modules/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_expr
Module: Instantiating module "expr" from file
/etc/freeradius/modules/expr
Module: Linked to module rlm_expiration
Module: Instantiating module "expiration" from file
/etc/freeradius/modules/expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating module "logintime" from file
/etc/freeradius/modules/logintime
logintime {
reply-message = "You are calling outside your allowed timespan
"
minimum-timeout = 60
}
}
radiusd: #### Loading Virtual Servers ####
server inner-tunnel { # from file
/etc/freeradius/sites-enabled/inner-tunnel
modules {
Module: Checking authenticate {...} for more modules to load
Module: Instantiating module "ntlm_auth" from file
/etc/freeradius/modules/ntlm_auth
exec ntlm_auth {
wait = yes
program = "/usr/bin/ntlm_auth --request-nt-key --domain=ATLAS
--username=%{mschap:User-Name} --password=%{User-Password}"
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_pap
Module: Instantiating module "pap" from file
/etc/freeradius/modules/pap
pap {
encryption_scheme = "auto"
auto_header = no
}
Module: Linked to module rlm_chap
Module: Instantiating module "chap" from file
/etc/freeradius/modules/chap
Module: Linked to module rlm_mschap
Module: Instantiating module "mschap" from file
/etc/freeradius/modules/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
--username=%{mschap:User-Name:-None}
--domain=%{%{mschap:NT-Domain}:-ATLAS}
--challenge=%{mschap:Challenge:-00}
--nt-response=%{mschap:NT-Response:-00}"
}
Module: Linked to module rlm_unix
Module: Instantiating module "unix" from file
/etc/freeradius/modules/unix
unix {
radwtmp = "/var/log/freeradius/radwtmp"
}
Module: Linked to module rlm_eap
Module: Instantiating module "eap" from file /etc/freeradius/eap.conf
eap {
default_eap_type = "peap"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 4096
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
CA_path = "/etc/freeradius/certs"
pem_file_type = yes
private_key_file = "/etc/freeradius/certs/server.key"
certificate_file = "/etc/freeradius/certs/server.pem"
CA_file = "/etc/freeradius/certs/ca.pem"
private_key_password = "whatever"
dh_file = "/etc/freeradius/certs/dh"
random_file = "/dev/urandom"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
make_cert_command = "/etc/freeradius/certs/bootstrap"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
}
}
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
}
Module: Linked to module rlm_perl
Module: Instantiating module "perl" from file
/etc/freeradius/modules/perl
perl {
module = "/etc/freeradius/example.pl"
func_authorize = "authorize"
func_authenticate = "authenticate"
func_accounting = "accounting"
func_preacct = "preacct"
func_checksimul = "checksimul"
func_detach = "detach"
func_xlat = "xlat"
func_pre_proxy = "pre_proxy"
func_post_proxy = "post_proxy"
func_post_auth = "post_auth"
func_recv_coa = "recv_coa"
func_send_coa = "send_coa"
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_realm
Module: Instantiating module "suffix" from file
/etc/freeradius/modules/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Linked to module rlm_files
Module: Instantiating module "files" from file
/etc/freeradius/modules/files
files {
usersfile = "/etc/freeradius/users"
acctusersfile = "/etc/freeradius/acct_users"
preproxy_usersfile = "/etc/freeradius/preproxy_users"
compat = "no"
}
Module: Checking session {...} for more modules to load
Module: Linked to module rlm_radutmp
Module: Instantiating module "radutmp" from file
/etc/freeradius/modules/radutmp
radutmp {
filename = "/var/log/freeradius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Linked to module rlm_attr_filter
Module: Instantiating module "attr_filter.access_reject" from file
/etc/freeradius/modules/attr_filter
attr_filter attr_filter.access_reject {
attrsfile = "/etc/freeradius/attrs.access_reject"
key = "%{User-Name}"
}
} # modules
} # server
server { # from file /etc/freeradius/radiusd.conf
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_digest
Module: Instantiating module "digest" from file
/etc/freeradius/modules/digest
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating module "preprocess" from file
/etc/freeradius/modules/preprocess
preprocess {
huntgroups = "/etc/freeradius/huntgroups"
hints = "/etc/freeradius/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating module "acct_unique" from file
/etc/freeradius/modules/acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating module "detail" from file
/etc/freeradius/modules/detail
detail {
detailfile =
"/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Instantiating module "attr_filter.accounting_response" from
file /etc/freeradius/modules/attr_filter
attr_filter attr_filter.accounting_response {
attrsfile = "/etc/freeradius/attrs.accounting_response"
key = "%{User-Name}"
}
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
} # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on authentication address 127.0.0.1 port 18120 as server
inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 10.0.9.48 port 1645, id=202,
length=210
User-Name = "host/lt-pkn.atlas.atlascollege.nl"
Framed-MTU = 1400
Called-Station-Id = "0019.070a.a011"
Calling-Station-Id = "0016.eae4.d5aa"
Cisco-AVPair = "ssid=geengast"
Service-Type = Login-User
Message-Authenticator = 0xe29cf9a9ecd3cbce938b7d4917ea7286
EAP-Message =
0x0202002601686f73742f6c742d706b6e2e61746c61732e61746c6173636f6c6c656765
2e6e6c
NAS-Port-Type = Wireless-802.11
NAS-Port = 389
NAS-Port-Id = "389"
NAS-IP-Address = 10.0.9.48
NAS-Identifier = "radtest"
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[digest] returns noop
[suffix] No '@' in User-Name = "host/lt-pkn.atlas.atlascollege.nl",
looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 38
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry DEFAULT at line 209
++[files] returns ok
rlm_perl: Added pair NAS-Port-Type = Wireless-802.11
rlm_perl: Added pair Service-Type = Login-User
rlm_perl: Added pair Calling-Station-Id = 0016.eae4.d5aa
rlm_perl: Added pair Called-Station-Id = 0019.070a.a011
rlm_perl: Added pair Message-Authenticator =
0xe29cf9a9ecd3cbce938b7d4917ea7286
rlm_perl: Added pair Cisco-AVPair = ssid=geengast
rlm_perl: Added pair User-Name = host/lt-pkn.atlas.atlascollege.nl
rlm_perl: Added pair NAS-Identifier = radtest
rlm_perl: Added pair EAP-Message =
0x0202002601686f73742f6c742d706b6e2e61746c61732e61746c6173636f6c6c656765
2e6e6c
rlm_perl: Added pair EAP-Type = Identity
rlm_perl: Added pair NAS-IP-Address = 10.0.9.48
rlm_perl: Added pair NAS-Port = 389
rlm_perl: Added pair NAS-Port-Id = 389
rlm_perl: Added pair Framed-MTU = 1400
rlm_perl: Added pair Tunnel-Private-Group-ID = 101
rlm_perl: Added pair Session-Timeout = 250
rlm_perl: Added pair Tunnel-Type = 13
rlm_perl: Added pair Tunnel-Medium-Type = 6
rlm_perl: Added pair Auth-Type = EAP
++[perl] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 202 to 10.0.9.48 port 1645
Tunnel-Private-Group-Id:0 = "101"
Session-Timeout = 250
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
EAP-Message = 0x010300061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xfa8b288efa8831bb8df0c9954079019a
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.9.48 port 1645, id=203,
length=295
User-Name = "host/lt-pkn.atlas.atlascollege.nl"
Framed-MTU = 1400
Called-Station-Id = "0019.070a.a011"
Calling-Station-Id = "0016.eae4.d5aa"
Cisco-AVPair = "ssid=geengast"
Service-Type = Login-User
Message-Authenticator = 0xb1f4bca9888d29b9737e493878e3d421
EAP-Message =
0x0203006919800000005f160301005a0100005603014fc73361cfa763a813cd492895c4
7eaa37aedcae0683cf4fad46d7cfdbfe1f5a000018002f00350005000ac013c014c009c0
0a003200380013000401000015ff01000100000a0006000400170018000b00020100
NAS-Port-Type = Wireless-802.11
NAS-Port = 389
NAS-Port-Id = "389"
State = 0xfa8b288efa8831bb8df0c9954079019a
NAS-IP-Address = 10.0.9.48
NAS-Identifier = "radtest"
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[digest] returns noop
[suffix] No '@' in User-Name = "host/lt-pkn.atlas.atlascollege.nl",
looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 105
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 95
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 005a], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 0031], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 02ae], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client
certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 203 to 10.0.9.48 port 1645
EAP-Message =
0x010402f8190016030100310200002d03014fc7334922ea9802ba6fd82e47b9eb5abed5
e3075ad553d92a0502656236500000002f000005ff0100010016030102ae0b0002aa0002
a70002a4308202a03082018802090093612d39d755e4c6300d06092a864886f70d010105
050030123110300e0603550403130772616474657374301e170d31323035323231313430
33325a170d3232303532303131343033325a30123110300e060355040313077261647465
737430820122300d06092a864886f70d01010105000382010f003082010a0282010100ad
3ae0a6b058a19f697fd586bbbabf66f43779ad771cde66d4dbdbf2b824510c485ab969b8
8ac7
EAP-Message =
0x6a7ba5b8d15fd768890756ef6e606f27d21623f0fa9bfc07dc282a4db2de57fe048773
02e4d91bb921dba6fbafd77da8f8b5eb2082949a8b522092418771ff67d4a186c80b3bd7
d84a89da318eef50b16c931948ef882001269f33d39a0b3644b09125668e4423124eb7ca
b5b85a6b92428edfe4ee1c789b9add3f478b718f4665737afe87a85a7f6580db9c42d204
6aa5263bba39ec6c455dbb80702244dfe3f50a361cb29b66eba17e668cfd860a0ec28f05
b70cc2cc5eea96c4520ea1dd5a237e26034e7ef0a3c82d42ae455c15c9d5a5149d568c13
346f0203010001300d06092a864886f70d010105050003820101000c9d1ae5dbcc0b4fae
fe91
EAP-Message =
0x9f91d3e971823a0df53cf3783498064e1dbac81a510fcc1162bc2f3e7ab14958d208d1
4653a210430589233379b05bc27611322d9c636da1c6ba154e1f10d6bd4afadfed812e50
4811a8c0b9301a3303cce719f2f78828beaf92d08d21c43cbb001ddf6ea3e57c0c0e24c0
f1a11db8d2d90779dd4860af589161db5633cd1618a87e56500834601697b4eaab460907
d3305686421ab9912d14f33589f1ea98fe2da40497047c35a9436721d0a6703b0fd074c4
3d5673d48706ebd00aaf5efc94f31b5407b43278871a2e56822173ff21811f03657a640b
d912d1b52f4844976c13658655ebab73bcc79299df2830a2f8b1a984d85716030100040e
0000
EAP-Message = 0x00
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xfa8b288efb8f31bb8df0c9954079019a
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.9.48 port 1645, id=204,
length=528
User-Name = "host/lt-pkn.atlas.atlascollege.nl"
Framed-MTU = 1400
Called-Station-Id = "0019.070a.a011"
Calling-Station-Id = "0016.eae4.d5aa"
Cisco-AVPair = "ssid=geengast"
Service-Type = Login-User
Message-Authenticator = 0x8297464cc5d683623a7610651854dd3e
EAP-Message =
0x0204015019800000014616030101061000010201003984f63af6565c1a71d6ca259f81
dbf2194e47cae6f46c5e3c802bea536c17bbad61ea61a89102f672aa22601466e46bb1a7
83d41759125f8ba1174ce7a55b0032997e2606cdfa1e6c015d51a2e1ac6e5751ca48a26c
33df07d8d3fa2327c5dbe2c39f09b688850a06a45ffb1dd46718cf620e5a583393b450fb
66e0a64bb618f84b45292940cceeb1a79907374125d7aed6070943cc9557613ee9bff5db
c0efdc61145238e349b343bce6e8032fe69b9f769100b021819cd532e66a4dbab9decdd0
adec15598a86993cc9105aafcb937d62229d5b02d530d66e49875a6ce6b0061ffb20b2c1
13d8
EAP-Message =
0x465df29cbfb7867a6e326bc5833ab5619c421643e0976b8d1403010001011603010030
7409547395973a8f1dd53ca88878b699e118d5042d0ec13681f7bce17fd6af272e2053cf
c663c966a8dd362722af3684
NAS-Port-Type = Wireless-802.11
NAS-Port = 389
NAS-Port-Id = "389"
State = 0xfa8b288efb8f31bb8df0c9954079019a
NAS-IP-Address = 10.0.9.48
NAS-Identifier = "radtest"
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[digest] returns noop
[suffix] No '@' in User-Name = "host/lt-pkn.atlas.atlascollege.nl",
looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 4 length 253
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 326
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange
[peap] TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap] TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 write finished A
[peap] TLS_accept: SSLv3 flush data
[peap] (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 204 to 10.0.9.48 port 1645
EAP-Message =
0x0105004119001403010001011603010030b44fd787ae0d0ad9df11ad9e7c34e5309ff1
4efaaf30a8f24eccb23a628bde5320bbe9d461ce50186a0d260a5450d9e1
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xfa8b288ef88e31bb8df0c9954079019a
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.9.48 port 1645, id=205,
length=196
User-Name = "host/lt-pkn.atlas.atlascollege.nl"
Framed-MTU = 1400
Called-Station-Id = "0019.070a.a011"
Calling-Station-Id = "0016.eae4.d5aa"
Cisco-AVPair = "ssid=geengast"
Service-Type = Login-User
Message-Authenticator = 0x43082862e1ec75cac73daf2685e9089a
EAP-Message = 0x020500061900
NAS-Port-Type = Wireless-802.11
NAS-Port = 389
NAS-Port-Id = "389"
State = 0xfa8b288ef88e31bb8df0c9954079019a
NAS-IP-Address = 10.0.9.48
NAS-Identifier = "radtest"
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[digest] returns noop
[suffix] No '@' in User-Name = "host/lt-pkn.atlas.atlascollege.nl",
looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 5 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state TUNNEL ESTABLISHED
++[eap] returns handled
Sending Access-Challenge of id 205 to 10.0.9.48 port 1645
EAP-Message =
0x0106002b19001703010020054299ee7054795987b8ffa05baf241e11bf2cfbd8a59fb7
dfa152855b2b9010
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xfa8b288ef98d31bb8df0c9954079019a
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.9.48 port 1645, id=206,
length=265
User-Name = "host/lt-pkn.atlas.atlascollege.nl"
Framed-MTU = 1400
Called-Station-Id = "0019.070a.a011"
Calling-Station-Id = "0016.eae4.d5aa"
Cisco-AVPair = "ssid=geengast"
Service-Type = Login-User
Message-Authenticator = 0x68aa7f1b7c3e6edd8a86f5d00dbcf8a0
EAP-Message =
0x0206004b19001703010040e4a88b3269302d6cfce6b1a7989d18617e49499b98d34f06
845ebb556174a44eddc8752ae1709c96aa0501fdbb077d31f706ac32123100731f075910
02136df9
NAS-Port-Type = Wireless-802.11
NAS-Port = 389
NAS-Port-Id = "389"
State = 0xfa8b288ef98d31bb8df0c9954079019a
NAS-IP-Address = 10.0.9.48
NAS-Identifier = "radtest"
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[digest] returns noop
[suffix] No '@' in User-Name = "host/lt-pkn.atlas.atlascollege.nl",
looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 6 length 75
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state WAITING FOR INNER IDENTITY
[peap] Identity - host/lt-pkn.atlas.atlascollege.nl
[peap] Got inner identity 'host/lt-pkn.atlas.atlascollege.nl'
[peap] Setting default EAP type for tunneled EAP session.
[peap] Got tunneled request
EAP-Message =
0x0206002601686f73742f6c742d706b6e2e61746c61732e61746c6173636f6c6c656765
2e6e6c
server {
PEAP: Setting User-Name to host/lt-pkn.atlas.atlascollege.nl
Sending tunneled request
EAP-Message =
0x0206002601686f73742f6c742d706b6e2e61746c61732e61746c6173636f6c6c656765
2e6e6c
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "host/lt-pkn.atlas.atlascollege.nl"
server inner-tunnel {
# Executing section authorize from file
/etc/freeradius/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "host/lt-pkn.atlas.atlascollege.nl",
looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[files] users: Matched entry DEFAULT at line 209
++[files] returns ok
rlm_perl: Added pair User-Name = host/lt-pkn.atlas.atlascollege.nl
rlm_perl: Added pair EAP-Message =
0x0206002601686f73742f6c742d706b6e2e61746c61732e61746c6173636f6c6c656765
2e6e6c
rlm_perl: Added pair FreeRADIUS-Proxied-To = 127.0.0.1
rlm_perl: Added pair Auth-Type = Perl
rlm_perl: Added pair Proxy-To-Realm = LOCAL
rlm_perl: Added pair EAP-Type = MS-CHAP-V2
++[perl] returns noop
[eap] EAP packet type response id 6 length 38
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = Perl
Found Auth-Type = EAP
Warning: Found 2 auth-types on request for user
'host/lt-pkn.atlas.atlascollege.nl'
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
EAP-Message =
0x0107003b1a010700361052c2c92bbd0e87883b4b4f0274aba0d2686f73742f6c742d70
6b6e2e61746c61732e61746c6173636f6c6c6567652e6e6c
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xed1f2576ed183f556982a467baafe64e
[peap] Got tunneled reply RADIUS code 11
EAP-Message =
0x0107003b1a010700361052c2c92bbd0e87883b4b4f0274aba0d2686f73742f6c742d70
6b6e2e61746c61732e61746c6173636f6c6c6567652e6e6c
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xed1f2576ed183f556982a467baafe64e
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 206 to 10.0.9.48 port 1645
EAP-Message =
0x0107005b190017030100506963cc9b3e61da63080f3f4649e097ce960af7145c127858
b6e32f795b6a8768628888fc569f050c4e9ff7581b993f91c83610dcebc1f97097dd1385
520f0e66cd7d6c63c0b4afe5a0d526f13917e99e
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xfa8b288efe8c31bb8df0c9954079019a
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.9.48 port 1645, id=207,
length=313
User-Name = "host/lt-pkn.atlas.atlascollege.nl"
Framed-MTU = 1400
Called-Station-Id = "0019.070a.a011"
Calling-Station-Id = "0016.eae4.d5aa"
Cisco-AVPair = "ssid=geengast"
Service-Type = Login-User
Message-Authenticator = 0xe33f0b004c2ca6563de0b3ad8040eed7
EAP-Message =
0x0207007b19001703010070beb17e8fe13c07a0d805fe4183f700b885c5f9204faa53ff
1cec4bc5774926082432d9443b371b83f91e3d73770c20a875836cad6a362464c52fd450
4f9522a09e6c2d7602f94a0130fce57149e9ba16f55da6cfe6a1946e4b9565975b423dc0
fd31defda2dcbeea261dcbd9faf9938e
NAS-Port-Type = Wireless-802.11
NAS-Port = 389
NAS-Port-Id = "389"
State = 0xfa8b288efe8c31bb8df0c9954079019a
NAS-IP-Address = 10.0.9.48
NAS-Identifier = "radtest"
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[digest] returns noop
[suffix] No '@' in User-Name = "host/lt-pkn.atlas.atlascollege.nl",
looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 7 length 123
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
EAP-Message =
0x0207005c1a0207005731f4a74198ac9707e6d2e2de480af77ddc000000000000000074
9aed48b37215d879a819b543c8230fc1ea904c861be95000686f73742f6c742d706b6e2e
61746c61732e61746c6173636f6c6c6567652e6e6c
server {
PEAP: Setting User-Name to host/lt-pkn.atlas.atlascollege.nl
Sending tunneled request
EAP-Message =
0x0207005c1a0207005731f4a74198ac9707e6d2e2de480af77ddc000000000000000074
9aed48b37215d879a819b543c8230fc1ea904c861be95000686f73742f6c742d706b6e2e
61746c61732e61746c6173636f6c6c6567652e6e6c
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "host/lt-pkn.atlas.atlascollege.nl"
State = 0xed1f2576ed183f556982a467baafe64e
server inner-tunnel {
# Executing section authorize from file
/etc/freeradius/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "host/lt-pkn.atlas.atlascollege.nl",
looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[files] users: Matched entry DEFAULT at line 209
++[files] returns ok
rlm_perl: Added pair User-Name = host/lt-pkn.atlas.atlascollege.nl
rlm_perl: Added pair EAP-Message =
0x0207005c1a0207005731f4a74198ac9707e6d2e2de480af77ddc000000000000000074
9aed48b37215d879a819b543c8230fc1ea904c861be95000686f73742f6c742d706b6e2e
61746c61732e61746c6173636f6c6c6567652e6e6c
rlm_perl: Added pair State = 0xed1f2576ed183f556982a467baafe64e
rlm_perl: Added pair FreeRADIUS-Proxied-To = 127.0.0.1
rlm_perl: Added pair Auth-Type = Perl
rlm_perl: Added pair Proxy-To-Realm = LOCAL
++[perl] returns noop
[eap] EAP packet type response id 7 length 92
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = Perl
Found Auth-Type = EAP
Warning: Found 2 auth-types on request for user
'host/lt-pkn.atlas.atlascollege.nl'
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file
/etc/freeradius/sites-enabled/inner-tunnel
[mschapv2] +- entering group MS-CHAP {...}
[mschap] Creating challenge hash with username:
host/lt-pkn.atlas.atlascollege.nl
[mschap] Told to do MS-CHAPv2 for host/lt-pkn.atlas.atlascollege.nl with
NT-Password
[mschap] expand: --username=%{mschap:User-Name:-None} ->
--username=lt-pkn$
[mschap] expand: %{mschap:NT-Domain} -> atlas
[mschap] expand: --domain=%{%{mschap:NT-Domain}:-ATLAS} ->
--domain=atlas
[mschap] mschap2: 52
[mschap] Creating challenge hash with username:
host/lt-pkn.atlas.atlascollege.nl
[mschap] expand: --challenge=%{mschap:Challenge:-00} ->
--challenge=2a115578878d4bc4
[mschap] expand: --nt-response=%{mschap:NT-Response:-00} ->
--nt-response=749aed48b37215d879a819b543c8230fc1ea904c861be950
Exec-Program output: NT_KEY: 0E4B3AC71048637A22E975629A7E708B
Exec-Program-Wait: plaintext: NT_KEY: 0E4B3AC71048637A22E975629A7E708B
Exec-Program: returned: 0
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
MSCHAP Success
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
EAP-Message =
0x010800331a0307002e533d333044303431353546324430383542393832454638463339
44443846343330393345394445304230
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xed1f2576ec173f556982a467baafe64e
[peap] Got tunneled reply RADIUS code 11
EAP-Message =
0x010800331a0307002e533d333044303431353546324430383542393832454638463339
44443846343330393345394445304230
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xed1f2576ec173f556982a467baafe64e
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 207 to 10.0.9.48 port 1645
EAP-Message =
0x0108005b190017030100502098e038ea3dda0988810bd213735cf28e6dc3a3d5669105
0ce3d24d50dd9e3c25b5dabc315f20b0c5cfdb599016c1875de725cd2c9be6206065cd5e
50d49ce05630243c395e4d6c8df6c9b770f41992
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xfa8b288eff8331bb8df0c9954079019a
Finished request 5.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.9.48 port 1645, id=208,
length=233
User-Name = "host/lt-pkn.atlas.atlascollege.nl"
Framed-MTU = 1400
Called-Station-Id = "0019.070a.a011"
Calling-Station-Id = "0016.eae4.d5aa"
Cisco-AVPair = "ssid=geengast"
Service-Type = Login-User
Message-Authenticator = 0x01f97cbd1a55a4b5d3c343a8bff50e32
EAP-Message =
0x0208002b19001703010020195414ca1d196ee92e32583f8298b7ea67f168be12401176
4e2561105941cb00
NAS-Port-Type = Wireless-802.11
NAS-Port = 389
NAS-Port-Id = "389"
State = 0xfa8b288eff8331bb8df0c9954079019a
NAS-IP-Address = 10.0.9.48
NAS-Identifier = "radtest"
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[digest] returns noop
[suffix] No '@' in User-Name = "host/lt-pkn.atlas.atlascollege.nl",
looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 8 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
EAP-Message = 0x020800061a03
server {
PEAP: Setting User-Name to host/lt-pkn.atlas.atlascollege.nl
Sending tunneled request
EAP-Message = 0x020800061a03
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "host/lt-pkn.atlas.atlascollege.nl"
State = 0xed1f2576ec173f556982a467baafe64e
server inner-tunnel {
# Executing section authorize from file
/etc/freeradius/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "host/lt-pkn.atlas.atlascollege.nl",
looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[files] users: Matched entry DEFAULT at line 209
++[files] returns ok
rlm_perl: Added pair User-Name = host/lt-pkn.atlas.atlascollege.nl
rlm_perl: Added pair EAP-Message = 0x020800061a03
rlm_perl: Added pair State = 0xed1f2576ec173f556982a467baafe64e
rlm_perl: Added pair FreeRADIUS-Proxied-To = 127.0.0.1
rlm_perl: Added pair Auth-Type = Perl
rlm_perl: Added pair Proxy-To-Realm = LOCAL
++[perl] returns noop
[eap] EAP packet type response id 8 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = Perl
Found Auth-Type = EAP
Warning: Found 2 auth-types on request for user
'host/lt-pkn.atlas.atlascollege.nl'
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[eap] Freeing handler
++[eap] returns ok
WARNING: Empty post-auth section. Using default return values.
# Executing section post-auth from file
/etc/freeradius/sites-enabled/inner-tunnel
} # server inner-tunnel
[peap] Got tunneled reply code 2
MS-MPPE-Encryption-Policy = 0x00000001
MS-MPPE-Encryption-Types = 0x00000006
MS-MPPE-Send-Key = 0xa2a8dbf6f2cfb9fdbd0b000663af7c62
MS-MPPE-Recv-Key = 0x2288dd50426a86ee2dca3737658de57c
EAP-Message = 0x03080004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "host/lt-pkn.atlas.atlascollege.nl"
[peap] Got tunneled reply RADIUS code 2
MS-MPPE-Encryption-Policy = 0x00000001
MS-MPPE-Encryption-Types = 0x00000006
MS-MPPE-Send-Key = 0xa2a8dbf6f2cfb9fdbd0b000663af7c62
MS-MPPE-Recv-Key = 0x2288dd50426a86ee2dca3737658de57c
EAP-Message = 0x03080004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "host/lt-pkn.atlas.atlascollege.nl"
[peap] Tunneled authentication was successful.
[peap] SUCCESS
++[eap] returns handled
Sending Access-Challenge of id 208 to 10.0.9.48 port 1645
EAP-Message =
0x0109002b19001703010020dc05ca7cb6357d0b606833914286d4570c9be8b49d0fb0e5
5712e1f7d1ee6020
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xfa8b288efc8231bb8df0c9954079019a
Finished request 6.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.9.48 port 1645, id=209,
length=233
User-Name = "host/lt-pkn.atlas.atlascollege.nl"
Framed-MTU = 1400
Called-Station-Id = "0019.070a.a011"
Calling-Station-Id = "0016.eae4.d5aa"
Cisco-AVPair = "ssid=geengast"
Service-Type = Login-User
Message-Authenticator = 0x810f84840491233963bd54edd7cd489d
EAP-Message =
0x0209002b190017030100209393b67c4b83a3c60c318cbe352bac2f864b5fb9a1fe6a37
34b682ea4f6fa775
NAS-Port-Type = Wireless-802.11
NAS-Port = 389
NAS-Port-Id = "389"
State = 0xfa8b288efc8231bb8df0c9954079019a
NAS-IP-Address = 10.0.9.48
NAS-Identifier = "radtest"
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[digest] returns noop
[suffix] No '@' in User-Name = "host/lt-pkn.atlas.atlascollege.nl",
looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 9 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state send tlv success
[peap] Received EAP-TLV response.
[peap] Success
[eap] Freeing handler
++[eap] returns ok
# Executing section post-auth from file
/etc/freeradius/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 209 to 10.0.9.48 port 1645
MS-MPPE-Recv-Key =
0x33ecfbf5652ce567309f5f2b1710989bd8c1c1ef2e68386139e7c94f2eb06a75
MS-MPPE-Send-Key =
0x5c0639908bded95e2a61821743bf72ea714a6acc829016d7c4ce07edfdba4223
EAP-Message = 0x03090004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "host/lt-pkn.atlas.atlascollege.nl"
Finished request 7.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 202 with timestamp +10
Cleaning up request 1 ID 203 with timestamp +10
Cleaning up request 2 ID 204 with timestamp +10
Cleaning up request 3 ID 205 with timestamp +10
Cleaning up request 4 ID 206 with timestamp +10
Cleaning up request 5 ID 207 with timestamp +10
Cleaning up request 6 ID 208 with timestamp +10
Cleaning up request 7 ID 209 with timestamp +10
Ready to process requests.
4
6
Hi, I'm trying to get working huntgroups but I can't do it:
I've appended something like to huntgroups file
mb NAS-IP-Address == 10.129.189.1
mb NAS-IP-Address == 10.129.84.1
mb Called-Station-Id == 00-1B-7E-DC-AB-1A:UP-PVIII-I
And in users files:
pruebita Huntgroup-Name == "mb",Cleartext-Password := "pruebon"
But is not working user pruebita does not get an Access-Accept
Please could you help me to solve it?
Below the debug messages (I've trunked a bit for mail can be sent)
FreeRADIUS Version 2.1.12, for host x86_64-unknown-linux-gnu, built on
Jan 3 2012 at 16:18:16
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb-testing/radiusd.conf
including configuration file /etc/raddb-testing/proxy.conf
including configuration file /etc/raddb-testing/clients.conf
including files in directory /etc/raddb-testing/modules/
including configuration file /etc/raddb-testing/modules/chap
including configuration file /etc/raddb-testing/modules/mschap
including configuration file
/etc/raddb-testing/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb-testing/modules/exec
including configuration file /etc/raddb-testing/modules/realm
including configuration file /etc/raddb-testing/modules/checkval
including configuration file /etc/raddb-testing/modules/rediswho
including configuration file /etc/raddb-testing/modules/passwd
including configuration file /etc/raddb-testing/modules/attr_filter
including configuration file /etc/raddb-testing/modules/linelog
including configuration file /etc/raddb-testing/modules/wimax
including configuration file /etc/raddb-testing/modules/pam
including configuration file /etc/raddb-testing/modules/inner-eap
including configuration file /etc/raddb-testing/modules/echo
including configuration file /etc/raddb-testing/modules/soh
including configuration file /etc/raddb-testing/modules/replicate
including configuration file /etc/raddb-testing/modules/acct_unique
including configuration file /etc/raddb-testing/modules/etc_group
including configuration file /etc/raddb-testing/modules/pap
including configuration file /etc/raddb-testing/modules/expr
including configuration file /etc/raddb-testing/modules/smbpasswd
including configuration file /etc/raddb-testing/modules/attr_rewrite
including configuration file /etc/raddb-testing/modules/radutmp
including configuration file /etc/raddb-testing/modules/mac2ip
including configuration file /etc/raddb-testing/modules/logintime
including configuration file /etc/raddb-testing/modules/sql_log
including configuration file /etc/raddb-testing/modules/smsotp
including configuration file /etc/raddb-testing/modules/preprocess
including configuration file /etc/raddb-testing/modules/policy
including configuration file /etc/raddb-testing/modules/cui
including configuration file /etc/raddb-testing/modules/perl
including configuration file /etc/raddb-testing/modules/digest
including configuration file /etc/raddb-testing/modules/mac2vlan
including configuration file /etc/raddb-testing/modules/otp
including configuration file /etc/raddb-testing/modules/files
including configuration file /etc/raddb-testing/modules/always
including configuration file /etc/raddb-testing/modules/ntlm_auth
including configuration file /etc/raddb-testing/modules/detail
including configuration file /etc/raddb-testing/modules/krb5
including configuration file /etc/raddb-testing/modules/sradutmp
including configuration file /etc/raddb-testing/modules/opendirectory
including configuration file /etc/raddb-testing/modules/counter
including configuration file /etc/raddb-testing/modules/detail.example.com
including configuration file /etc/raddb-testing/modules/ippool
including configuration file /etc/raddb-testing/modules/expiration
including configuration file /etc/raddb-testing/modules/dynamic_clients
including configuration file /etc/raddb-testing/modules/detail.log
including configuration file /etc/raddb-testing/modules/redis
including configuration file /etc/raddb-testing/modules/ldap
including configuration file /etc/raddb-testing/modules/unix
including configuration file /etc/raddb-testing/eap.conf
including configuration file /etc/raddb-testing/policy.conf
including files in directory /etc/raddb-testing/sites-enabled/
including configuration file /etc/raddb-testing/sites-enabled/status
including configuration file /etc/raddb-testing/sites-enabled/control-socket
including configuration file /etc/raddb-testing/sites-enabled/inner-tunnel
including configuration file /etc/raddb-testing/sites-enabled/default
including configuration file /etc/raddb-testing/sites-enabled/inner-tunnel-peap
main {
user = "radiusd"
group = "radiusd"
allow_core_dumps = no
}
including dictionary file /etc/raddb-testing/dictionary
main {
name = "radiusd"
prefix = "/usr/local-test"
localstatedir = "/usr/local-test/var"
sbindir = "/usr/local-test/sbin"
logdir = "/usr/local-test/var/log/radius"
run_dir = "/usr/local-test/var/run/radiusd"
libdir = "/usr/local-test/lib"
radacctdir = "/usr/local-test/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "/usr/local-test/var/run/radiusd/radiusd.pid"
checkrad = "/usr/local-test/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = yes
auth = yes
auth_badpass = no
auth_goodpass = no
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "testing123"
response_window = 20
max_outstanding = 65536
require_message_authenticator = yes
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "testing123"
nastype = "other"
}
client spectrum {
require_message_authenticator = no
secret = "testing123"
shortname = "spectrum.sarlanga.edu"
}
client 10.129.100.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-3-winnie"
shortname = "AP-PI-PB"
}
client 10.129.10.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-3-winnie"
shortname = "AP-PI-SS"
}
client 10.129.11.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-3-winnie"
shortname = "AP-PI-1"
}
client 10.129.111.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-3-winnie"
shortname = "AP-PI-1"
}
client 10.129.12.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-3-winnie"
shortname = "AP-PI-2"
}
client 10.129.13.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-3-winnie"
shortname = "AP-PI-3"
}
client 10.129.14.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-3-winnie"
shortname = "AP-PI-4"
}
client 10.129.199.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "PIVOT-LINKSYS"
}
client 10.129.200.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "PIVOT-TPLINK"
}
client 10.129.254.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "Transitional"
}
client 10.129.15.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-3-winnie"
shortname = "AP-PI-5"
}
client 10.129.16.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-3-winnie"
shortname = "AP-PI-6"
}
client 10.129.17.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-3-winnie"
shortname = "AP-PI-7"
}
client 10.129.60.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "AP-Sociales-0"
}
client 10.129.61.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "AP-Sociales-I"
}
client 10.129.158.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "AP-PVIII-SS"
}
client 10.129.80.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "AP-PVIII-PB"
}
client 10.129.180.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "AP-PVIII-PB-SUM"
}
client 10.128.255.81 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "AP-PVIII-I"
}
client 10.129.81.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "AP-PVIII-I"
}
client 10.128.255.82 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "AP-PVIII-II"
}
client 10.129.82.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "AP-PVIII-II"
}
client 10.128.250.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "AP-PVIII-Bridge"
}
client 10.128.255.172 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "AP-PVIII-I_bis_test"
}
client 10.128.255.83 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "AP-PVIII-III"
}
client 10.129.83.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "AP-PVIII-III"
}
client 10.129.183.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "AP-PVIII-III"
}
client 10.129.84.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "AP-PVIII-IV"
}
client 10.129.184.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "AP-PVIII-IV-Bis"
}
client 10.129.194.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "AP-PVIII-IV-Bis-2"
}
client 10.128.255.181 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "AP-PVIII-I_bis"
}
client 10.129.181.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "AP-PVIII-I_bis"
}
client 10.129.162.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "AP-PVIII-I_bis_2"
}
client 10.128.255.86 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "AP-PVIII-VI"
}
client 10.129.86.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "AP-PVIII-VI"
}
client 10.128.255.87 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "AP-PVIII-VII"
}
client 10.129.87.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "AP-PVIII-VII"
}
client 10.129.187.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "AP-PVIII-VII-Derecho"
}
client 10.129.99.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "AP-PVIII-Pivot"
}
client 10.129.52.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "AP-PV-PB"
}
client 10.128.255.85 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "AP-PVIII-V"
}
client 10.129.85.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "AP-PVIII-V"
}
client 10.129.189.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "AP-PVIII-IX-HD"
}
client 10.129.88.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "AP-PVIII-VIII"
}
client 10.129.89.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "oficina-test"
}
client 10.129.160.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "AP-Sociales-Auditorio"
}
client 10.129.182.1 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "AP-PVIII-X"
}
client 192.168.2.53 {
require_message_authenticator = no
secret = "akantilad0-Green-22"
shortname = "sarlanga3"
}
client 192.168.45 {
require_message_authenticator = no
secret = "sarlangalad0-black-54"
shortname = "sarlanga4"
}
client 192.168.3.201 {
require_message_authenticator = no
secret = "sarlangalad0-blue-246692"
shortname = "sarlanga7"
}
client 192.168.4 {
require_message_authenticator = no
secret = "Zarag0Za-Muppet5-32"
shortname = "AP-sarlanga7"
}
client 192.168.142.240 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "AP-Cabre-1"
}
client 192.168.142.241 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "AP-Cabre-2"
}
client 192.168.142.242 {
require_message_authenticator = no
secret = "sarlangalad0-Red-398952"
shortname = "AP-Cabre-3"
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating module "exec" from file /etc/raddb-testing/modules/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_expr
Module: Instantiating module "expr" from file /etc/raddb-testing/modules/expr
Module: Linked to module rlm_expiration
Module: Instantiating module "expiration" from file
/etc/raddb-testing/modules/expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating module "logintime" from file
/etc/raddb-testing/modules/logintime
logintime {
reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60
}
}
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/raddb-testing/radiusd.conf
modules {
Module: Creating Post-Auth-Type = REJECT
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating module "pap" from file /etc/raddb-testing/modules/pap
pap {
encryption_scheme = "auto"
auto_header = yes
}
Module: Linked to module rlm_chap
Module: Instantiating module "chap" from file /etc/raddb-testing/modules/chap
Module: Linked to module rlm_mschap
Module: Instantiating module "mschap" from file
/etc/raddb-testing/modules/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = no
allow_retry = yes
}
Module: Linked to module rlm_pam
Module: Instantiating module "pam" from file /etc/raddb-testing/modules/pam
pam {
pam_auth = "radiusd"
}
Module: Linked to module rlm_unix
Module: Instantiating module "unix" from file /etc/raddb-testing/modules/unix
unix {
radwtmp = "/usr/local-test/var/log/radius/radwtmp"
}
Module: Linked to module rlm_eap
Module: Instantiating module "eap" from file /etc/raddb-testing/eap.conf
eap {
default_eap_type = "md5"
timer_expire = 600
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 4096
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
pem_file_type = yes
private_key_file = "/etc/pki/tls/certs/ips-spectrum-key.pem"
certificate_file = "/etc/pki/tls/certs/spectrum.sarlanga.edu.cer"
CA_file = "/etc/pki/tls/certs/IPS-IPSCABUNDLE.crt"
dh_file = "/etc/raddb-testing/certs/dh"
random_file = "/etc/raddb-testing/certs/random"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
cache {
enable = yes
lifetime = 6
max_entries = 255
}
verify {
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
}
}
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
default_eap_type = "md5"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
virtual_server = "inner-tunnel"
include_length = yes
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel-peap"
soh = no
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = yes
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating module "preprocess" from file
/etc/raddb-testing/modules/preprocess
preprocess {
huntgroups = "/etc/raddb-testing/huntgroups"
hints = "/etc/raddb-testing/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
Module: Linked to module rlm_detail
Module: Instantiating module "auth_log" from file
/etc/raddb-testing/modules/detail.log
detail auth_log {
detailfile = "/usr/local-test/var/log/radius/radacct/requests/%{Client-IP-Address}/auth-detail-%{NAS-Identifier}-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Linked to module rlm_realm
Module: Instantiating module "suffix" from file
/etc/raddb-testing/modules/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Linked to module rlm_files
Module: Instantiating module "files" from file /etc/raddb-testing/modules/files
files {
usersfile = "/etc/raddb-testing/users"
acctusersfile = "/etc/raddb-testing/acct_users"
preproxy_usersfile = "/etc/raddb-testing/preproxy_users"
compat = "no"
}
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating module "acct_unique" from file
/etc/raddb-testing/modules/acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Instantiating module "detail" from file
/etc/raddb-testing/modules/detail
detail {
detailfile = "/usr/local-test/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Linked to module rlm_radutmp
Module: Instantiating module "radutmp" from file
/etc/raddb-testing/modules/radutmp
radutmp {
filename = "/usr/local-test/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Linked to module rlm_attr_filter
Module: Instantiating module "attr_filter.accounting_response" from
file /etc/raddb-testing/modules/attr_filter
attr_filter attr_filter.accounting_response {
attrsfile = "/etc/raddb-testing/attrs.accounting_response"
key = "%{User-Name}"
relaxed = no
}
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Instantiating module "reply_log" from file
/etc/raddb-testing/modules/detail.log
detail reply_log {
detailfile = "/usr/local-test/var/log/radius/radacct/replies/%{Client-IP-Address}/reply-detail-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Instantiating module "attr_filter.access_reject" from file
/etc/raddb-testing/modules/attr_filter
attr_filter attr_filter.access_reject {
attrsfile = "/etc/raddb-testing/attrs.access_reject"
key = "%{User-Name}"
relaxed = no
}
} # modules
} # server
server status { # from file /etc/raddb-testing/sites-enabled/status
modules {
Module: Creating Autz-Type = Status-Server
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_always
Module: Instantiating module "ok" from file /etc/raddb-testing/modules/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
} # modules
} # server
server inner-tunnel { # from file /etc/raddb-testing/sites-enabled/inner-tunnel
modules {
Module: Creating Auth-Type = LDAP
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_ldap
Module: Instantiating module "ldap" from file /etc/raddb-testing/modules/ldap
ldap {
server = "ldap.sarlanga.edu"
port = 636
password = "sarlanga"
identity = "cn=freeradius,ou=applications,dc=sarlanga,dc=edu"
net_timeout = 10
timeout = 120
timelimit = 30
tls_mode = no
start_tls = no
tls_require_cert = "allow"
tls {
start_tls = no
cacertfile = "/etc/raddb-testing/cacert.pem"
randfile = "/dev/urandom"
require_cert = "demand"
}
basedn = "ou=people,dc=sarlanga,dc=edu"
filter = "(uid=%u)"
base_filter = "(objectclass=radiusprofile)"
auto_header = no
access_attr = "radiusAllowed"
access_attr_used_for_allow = yes
groupname_attribute = "cn"
groupmembership_filter =
"(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
dictionary_mapping = "/etc/raddb-testing/ldap.attrmap"
ldap_debug = 40
ldap_connections_number = 15
compare_check_items = no
do_xlat = yes
set_auth_type = yes
keepalive {
interval = 3
}
}
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: reading ldap<->radius mappings from file
/etc/raddb-testing/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusPassword mapped to RADIUS Cleartext-Password
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password
rlm_ldap: LDAP userPassword mapped to RADIUS Password-With-Header
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS
Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type
rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type
rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS
Tunnel-Private-Group-Id
conns: 0x1ffc1270
Module: Checking authorize {...} for more modules to load
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Instantiating module "post_proxy_log" from file
/etc/raddb-testing/modules/detail.log
detail post_proxy_log {
detailfile = "/usr/local-test/var/log/radius/radacct/postproxy/%{Client-IP-Address}/post-proxy-detail-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Checking post-auth {...} for more modules to load
} # modules
} # server
server inner-tunnel-peap { # from file
/etc/raddb-testing/sites-enabled/inner-tunnel-peap
modules {
Module: Checking authenticate {...} for more modules to load
Module: Checking authorize {...} for more modules to load
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
} # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = 192.168.1.5
port = 0
}
listen {
type = "acct"
ipaddr = 192.168.1.5
port = 0
}
listen {
type = "control"
listen {
socket = "/usr/local-test/var/run/radiusd/radiusd.sock"
}
}
listen {
type = "status"
ipaddr = 127.0.0.1
port = 18120
client admin {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "YellowSubmarine"
}
}
... adding new socket proxy address * port 54388
Listening on authentication address 192.168.1.5 port 1812
Listening on accounting address 192.168.1.5 port 1813
Listening on command file /usr/local-test/var/run/radiusd/radiusd.sock
Listening on status address 127.0.0.1 port 18120 as server status
Listening on proxy address 192.168.1.5 port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 10.129.89.1 port 38848,
id=74, length=170
User-Name = "pruebita"
NAS-Identifier = "AP-PVIII-IX-OF"
NAS-Port = 3
Called-Station-Id = "00:1B-7E-DC-AB-1A:sarlanga-I"
Calling-Station-Id = "E8-3E-B6-26-C3-28"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x0238000d017072756562697461
Message-Authenticator = 0x510c83d2d8d716e25fa8e00162124f28
# Executing section authorize from file /etc/raddb-testing/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: %{Virtual-Server} ->
[auth_log] ... expanding second conditional
[auth_log] expand:
/usr/local-test/var/log/radius/radacct/requests/%{Client-IP-Address}/auth-detail-%{NAS-Identifier}-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d
-> /usr/local-test/var/log/radius/radacct/requests/10.129.89.1/auth-detail-AP-PVIII-IX-OF-DEFAULT-20120601
[auth_log] /usr/local-test/var/log/radius/radacct/requests/%{Client-IP-Address}/auth-detail-%{NAS-Identifier}-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d
expands to /usr/local-test/var/log/radius/radacct/requests/10.129.89.1/auth-detail-AP-PVIII-IX-OF-DEFAULT-20120601
[auth_log] expand: %t -> Fri Jun 1 07:43:26 2012
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "pruebita", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 56 length 13
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[files] users: Matched entry pruebita at line 434
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb-testing/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 74 to 10.129.89.1 port 38848
EAP-Message = 0x013900160410381a962cdd81a78cdd529de9d83f2b61
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x51c5e19f51fce56b215acf310f5bc900
Finished request 28.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.129.89.1 port 38848,
id=75, length=181
User-Name = "pruebita"
NAS-Identifier = "AP-PVIII-IX-OF"
NAS-Port = 3
Called-Station-Id = "00:1B-7E-DC-AB-1A:sarlanga-I"
Calling-Station-Id = "E8-3E-B6-26-C3-28"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x023900060319
State = 0x51c5e19f51fce56b215acf310f5bc900
Message-Authenticator = 0x9a66eb7b5a106c018d00e0b57f80f262
# Executing section authorize from file /etc/raddb-testing/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: %{Virtual-Server} ->
[auth_log] ... expanding second conditional
[auth_log] expand:
/usr/local-test/var/log/radius/radacct/requests/%{Client-IP-Address}/auth-detail-%{NAS-Identifier}-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d
-> /usr/local-test/var/log/radius/radacct/requests/10.129.89.1/auth-detail-AP-PVIII-IX-OF-DEFAULT-20120601
[auth_log] /usr/local-test/var/log/radius/radacct/requests/%{Client-IP-Address}/auth-detail-%{NAS-Identifier}-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d
expands to /usr/local-test/var/log/radius/radacct/requests/10.129.89.1/auth-detail-AP-PVIII-IX-OF-DEFAULT-20120601
[auth_log] expand: %t -> Fri Jun 1 07:43:26 2012
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "pruebita", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 57 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[files] users: Matched entry pruebita at line 434
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb-testing/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/peap
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 75 to 10.129.89.1 port 38848
EAP-Message = 0x013a00061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x51c5e19f50fff86b215acf310f5bc900
Finished request 29.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.129.89.1 port 38848,
id=76, length=241
User-Name = "pruebita"
NAS-Identifier = "AP-PVIII-IX-OF"
NAS-Port = 3
Called-Station-Id = "00:1B-7E-DC-AB-1A:sarlanga-I"
Calling-Station-Id = "E8-3E-B6-26-C3-28"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x023a0042190016030100370100003303014fc89ccd9ef24a5acabf352713ed67aad4acfb2a2f0d4c5ad746a761a24f976800000c0013000a0033002f000500040100
State = 0x51c5e19f50fff86b215acf310f5bc900
Message-Authenticator = 0xb1b6655fab2a4f02abdddc4928d46870
# Executing section authorize from file /etc/raddb-testing/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: %{Virtual-Server} ->
[auth_log] ... expanding second conditional
[auth_log] expand:
/usr/local-test/var/log/radius/radacct/requests/%{Client-IP-Address}/auth-detail-%{NAS-Identifier}-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d
-> /usr/local-test/var/log/radius/radacct/requests/10.129.89.1/auth-detail-AP-PVIII-IX-OF-DEFAULT-20120601
[auth_log] /usr/local-test/var/log/radius/radacct/requests/%{Client-IP-Address}/auth-detail-%{NAS-Identifier}-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d
expands to /usr/local-test/var/log/radius/radacct/requests/10.129.89.1/auth-detail-AP-PVIII-IX-OF-DEFAULT-20120601
[auth_log] expand: %t -> Fri Jun 1 07:43:26 2012
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "pruebita", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 58 length 66
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb-testing/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 0037], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 004a], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 1324], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 76 to 10.129.89.1 port 38848
EAP-Message = 0x013b040019c000001381160301004a0200004603014fc89cce0c471ae8314022655c37dcbb1fe882ed8735b93cfda7f5029188744220189eb3cfe1bd6b3b6b87fa215018f64ad2b414cda3740799b6d6c814cb3f7700000a0016030113240b00132000131d00071730820713308205fba0030201020214101b7f691cb7a76e4d2434f172207f0d6457bfd6300d06092a864886f70d01010505003081b0310b3009060355040613024553310f300d060355040813064d4144524944310f300d060355040713064d414452494431243022060355040a131b6970732043657274696669636174696f6e20417574686f7269747931183016060355040b130f
EAP-Message = 0x43657274696669636163696f6e657331193017060355040313106970734341204c6576656c20312043413124302206092a864886f70d010901161569707363616c6576656c314069707363612e636f6d301e170d3132303132373132303731335a170d3134303230313132303731335a30818d310b3009060355040613024152311530130603550407130c4275656e6f73204169726573311f301d060355040a1316556e6976657273696461642064652050616c65726d6f31273025060355040b131e446570617274616d656e746f20646520436f6d756e69636163696f6e6573311d301b06035504031314737065637472756d2e70616c65726d6f2e
EAP-Message = 0x65647530820122300d06092a864886f70d01010105000382010f003082010a0282010100a8efabc6c785b1314fc7a643f75a6b1e1ae645b4ad47d23a5ce062cd3fa5a998112d48b88960da17628181430eb1e6dbcd806eb3b77ad9ca5728e86d333f9a910107d90c0e2dad1951587fb6ebe0b1f99665fad04e352e1d87dbf1a1292ae3cc8bb936511b10cc25facb79db7df50a443359a5c46213253cfbee9db5a262221e23d6961c6f2e4bff6c7702fe05eeff8c97c3c4558f84d3d61a1571017d5638863ec4f341613113aca1b385ae7598065503f28f78c83c632ebb0183d6d8ffd21edd8cd4db50c1550443f12706847a053769c1c5c7f94eff9fff
EAP-Message = 0x8c3091d3892db2f35ab46dc208d1e03f37b82fb96d7fba474b42279ecb74157fdc521c038949dd0203010001a38203443082034030090603551d1304023000301106096086480186f8420101040403020640300b0603551d0f0404030205a030130603551d25040c300a06082b06010505070301301d0603551d0e04160414d57dbba6130341755d2138e3ed9faacb3e65cdcb301f0603551d230418301680147d9e6b0efc13e1c48ba77f61ae6021cfcda0d30630090603551d1104023000305b0603551d1204543052a450304e310b300906035504061302455331243022060355040a131b6970732043657274696669636174696f6e20417574686f
EAP-Message = 0x726974793119301706035504
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x51c5e19f53fef86b215acf310f5bc900
Finished request 30.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.129.89.1 port 38848,
id=77, length=181
User-Name = "pruebita"
NAS-Identifier = "AP-PVIII-IX-OF"
NAS-Port = 3
Called-Station-Id = "00:1B-7E-DC-AB-1A:sarlanga-I"
Calling-Station-Id = "E8-3E-B6-26-C3-28"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x023b00061900
State = 0x51c5e19f53fef86b215acf310f5bc900
Message-Authenticator = 0xa4a26c588cef259c66f231f46e99c8da
# Executing section authorize from file /etc/raddb-testing/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: %{Virtual-Server} ->
[auth_log] ... expanding second conditional
[auth_log] expand:
/usr/local-test/var/log/radius/radacct/requests/%{Client-IP-Address}/auth-detail-%{NAS-Identifier}-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d
-> /usr/local-test/var/log/radius/radacct/requests/10.129.89.1/auth-detail-AP-PVIII-IX-OF-DEFAULT-20120601
[auth_log] /usr/local-test/var/log/radius/radacct/requests/%{Client-IP-Address}/auth-detail-%{NAS-Identifier}-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d
expands to /usr/local-test/var/log/radius/radacct/requests/10.129.89.1/auth-detail-AP-PVIII-IX-OF-DEFAULT-20120601
[auth_log] expand: %t -> Fri Jun 1 07:43:26 2012
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "pruebita", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 59 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb-testing/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 77 to 10.129.89.1 port 38848
EAP-Message = 0x013c03fc19400313106970734341204c6576656c2031204341307106096086480186f842010d046416624f7267616e697a6174696f6e20496e666f726d6174696f6e204e4f542056414c4944415445442e204c4556454c3120536572766572204365727469666963617465206973737565642062792068747470733a2f2f7777772e69707363612e636f6d2f302906096086480186f8420102041c161a687474703a2f2f6c6576656c3130312e69707363612e636f6d2f303c06096086480186f8420104042f162d687474703a2f2f6c6576656c3130312e69707363612e636f6d2f63726c2f69707363616c6576656c312e63726c3043060960864801
EAP-Message = 0x86f842010304361634687474703a2f2f6c6576656c3130312e69707363612e636f6d2f63726c2f7265766f636174696f6e4c4556454c312e68746d6c3f304006096086480186f842010704331631687474703a2f2f6c6576656c3130312e69707363612e636f6d2f63726c2f72656e6577616c4c4556454c312e68746d6c3f303e06096086480186f84201080431162f687474703a2f2f6c6576656c3130312e69707363612e636f6d2f63726c2f706f6c6963794c4556454c312e68746d6c30730603551d1f046c306a3033a031a02f862d687474703a2f2f6c6576656c3130312e69707363612e636f6d2f63726c2f69707363616c6576656c312e63
EAP-Message = 0x726c3033a031a02f862d687474703a2f2f6c6576656c3130322e69707363612e636f6d2f63726c2f69707363616c6576656c312e63726c303e06082b0601050507010104323030302e06082b060105050730018622687474703a2f2f6f6373706c6576656c3130312e69707363612e636f6d2f6f637370300d06092a864886f70d010105050003820101004b61ec4cf7163dad3601e3de9938175ec4ec75d60f658eabf37b1e331283419e7438e584e8cfc47c087c7cba005dcd9d7d165a470bd7aaea70b69b1a18ad2a6cc136cf2ff5cb948ae2866b1c46bbf8ef999ecb510407f28a091e7aa75684d90938f85c3fcd39580112b6979f3284c581f86b
EAP-Message = 0x998bc211c1de82e87fd57ee7a975905e9dec75020feda29cf4f29dc59dc3946ccf328f7380c6f3f4064d3f6f496fffd640ed2c813c44d648f9ee0143f894d41f4970f30e158064b305a4ae264887a62b5ee51f4f7f3241ddeebcd1153f836262d7c24c4cd7a09f2ab6bc052cd2ecf78e948f240e526538478893fb776f27d44d620c8e58641b4231958c85d758080005f2308205ee308204d6a00302010202141000000000000000000000000000000000000011300d06092a864886f70d01010505003081b2310b3009060355040613024553310f300d060355040813064d6164726964310f300d060355040713064d6164726964312f302d06035504
EAP-Message = 0x0a13264950532043
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x51c5e19f52f9f86b215acf310f5bc900
Finished request 31.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.129.89.1 port 38848,
id=78, length=181
User-Name = "pruebita"
NAS-Identifier = "AP-PVIII-IX-OF"
NAS-Port = 3
Called-Station-Id = "00:1B-7E-DC-AB-1A:sarlanga-I"
Calling-Station-Id = "E8-3E-B6-26-C3-28"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x023c00061900
State = 0x51c5e19f52f9f86b215acf310f5bc900
Message-Authenticator = 0xf15626a2f70fb625cfbdee8873d99f4f
# Executing section authorize from file /etc/raddb-testing/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: %{Virtual-Server} ->
[auth_log] ... expanding second conditional
[auth_log] expand:
/usr/local-test/var/log/radius/radacct/requests/%{Client-IP-Address}/auth-detail-%{NAS-Identifier}-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d
-> /usr/local-test/var/log/radius/radacct/requests/10.129.89.1/auth-detail-AP-PVIII-IX-OF-DEFAULT-20120601
[auth_log] /usr/local-test/var/log/radius/radacct/requests/%{Client-IP-Address}/auth-detail-%{NAS-Identifier}-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d
expands to /usr/local-test/var/log/radius/radacct/requests/10.129.89.1/auth-detail-AP-PVIII-IX-OF-DEFAULT-20120601
[auth_log] expand: %t -> Fri Jun 1 07:43:26 2012
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "pruebita", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 60 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb-testing/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 78 to 10.129.89.1 port 38848
EAP-Message = 0x013d03fc1940657274696669636174696f6e20417574686f7269747920732e6c2e206970734341310e300c060355040b13056970734341311d301b06035504031314697073434120476c6f62616c20434120526f6f743121301f06092a864886f70d0109011612676c6f62616c30314069707363612e636f6d301e170d3039313231303131333835325a170d3239313232343131333835325a3081b0310b3009060355040613024553310f300d060355040813064d4144524944310f300d060355040713064d414452494431243022060355040a131b6970732043657274696669636174696f6e20417574686f7269747931183016060355040b130f43
EAP-Message = 0x657274696669636163696f6e657331193017060355040313106970734341204c6576656c20312043413124302206092a864886f70d010901161569707363616c6576656c314069707363612e636f6d30820122300d06092a864886f70d01010105000382010f003082010a02820101009f4db33023c13a798527825d45ce5b64f82bafe15d6001e2940ed501863645858c0c8e76e1a0a40d935417986aeeb2840b23eabf217cc0ee49c026791954d6311890f7fb970be3a8c51640de2eb88c655b32d953f7c8ff06fb896654f8ea44420fb74fc7b0e94fd1d0bbfa968a33e346b7fa64bc65b11fb1e0e105f80cdd4af58b3097b4480a94feaf1d63f269
EAP-Message = 0x2c6b1b446afd3bd9dae70df0c68ab6e0190160a309a2b320401b14073a8c22df33f476c185b862b849b975c196ed1108af3c3f4e59e840dc995a134747e3b2840a7e8130b71c969f2e0d1cd0e5845e5bad3cce4a6b7d684522f54d5ae79f5c19004827a5787882d3e2ffb1e680dfeb2a125bb10203010001a38201fa308201f6302a06096086480186f8420102041d161b68747470733a2f2f6c6576656c3130312e69707363612e636f6d2f302106096086480186f84201030414161265737461646f2f65737461646f2e6173703f302706096086480186f8420104041a161865737461646f4341544553542f65737461646f2e6173703f3022060960
EAP-Message = 0x86480186f84201070415161365737461646f2f72656e756576612e6173703f302006096086480186f84201080413161165737461646f2f706f6c6963792e617370302406096086480186f842010d04171615436572746966696361646f20706f72206970734341301106096086480186f8420101040403020007300c0603551d13040530030101ff301d0603551d0e041604147d9e6b0efc13e1c48ba77f61ae6021cfcda0d306303e0603551d1f043730353033a031a02f862d687474703a2f2f6c6576656c3130312e69707363612e636f6d2f63726c2f69707363616c6576656c312e63726c303a06082b06010505070101042e302c302a06082b06
EAP-Message = 0x010505073001861e
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x51c5e19f55f8f86b215acf310f5bc900
Finished request 32.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.129.89.1 port 38848,
id=79, length=181
User-Name = "pruebita"
NAS-Identifier = "AP-PVIII-IX-OF"
NAS-Port = 3
Called-Station-Id = "00:1B-7E-DC-AB-1A:sarlanga-I"
Calling-Station-Id = "E8-3E-B6-26-C3-28"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x023d00061900
State = 0x51c5e19f55f8f86b215acf310f5bc900
Message-Authenticator = 0x4ce902814c105901520df2f8036166c3
# Executing section authorize from file /etc/raddb-testing/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: %{Virtual-Server} ->
[auth_log] ... expanding second conditional
[auth_log] expand:
/usr/local-test/var/log/radius/radacct/requests/%{Client-IP-Address}/auth-detail-%{NAS-Identifier}-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d
-> /usr/local-test/var/log/radius/radacct/requests/10.129.89.1/auth-detail-AP-PVIII-IX-OF-DEFAULT-20120601
[auth_log] /usr/local-test/var/log/radius/radacct/requests/%{Client-IP-Address}/auth-detail-%{NAS-Identifier}-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d
expands to /usr/local-test/var/log/radius/radacct/requests/10.129.89.1/auth-detail-AP-PVIII-IX-OF-DEFAULT-20120601
[auth_log] expand: %t -> Fri Jun 1 07:43:26 2012
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "pruebita", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 61 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb-testing/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 79 to 10.129.89.1 port 38848
EAP-Message = 0x013e03fc1940687474703a2f2f6f6373706c6576656c3130312e69707363612e636f6d2f300b0603551d0f04040302010630470603551d250440303e06082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b06010505070308060a2b0601040182370a0304300d06092a864886f70d010105050003820101008737bf8f76d31d2eca683935839d2958fe74add252963aff06e84cb0308e3316c5972d29aebe28e77e10ab20e1ed509ecfbbd394fe1da47370d27e6239b31cd636e1d4782bace12bedc753a14dd4281f588e56e2c924f956ec0ad0df5268575ea4393bb9e46619c4cff0a7fbb7717f
EAP-Message = 0xd7f247a501f8245587996ac61064ada017958080eb6d4bd3e9171685a951ae6e69419776e8de7f43fb891b853397030059549676d110ed837018f76ca7231a20647365211bee7e1e67f8026ad21c2e37a31e7001bb866076bc7adc7eff3475f2e33e94c60ed70ce792cc33c31c32df09e853cf3587c59453f98efa685cce193a482a52f3da46c2e6bd5d02b5471eb9954000060b30820607308204efa003020102020100300d06092a864886f70d01010505003081b2310b3009060355040613024553310f300d060355040813064d6164726964310f300d060355040713064d6164726964312f302d060355040a132649505320436572746966696361
EAP-Message = 0x74696f6e20417574686f7269747920732e6c2e206970734341310e300c060355040b13056970734341311d301b06035504031314697073434120476c6f62616c20434120526f6f743121301f06092a864886f70d0109011612676c6f62616c30314069707363612e636f6d301e170d3039303930373134333834345a170d3239313232353134333834345a3081b2310b3009060355040613024553310f300d060355040813064d6164726964310f300d060355040713064d6164726964312f302d060355040a13264950532043657274696669636174696f6e20417574686f7269747920732e6c2e206970734341310e300c060355040b130569707343
EAP-Message = 0x41311d301b06035504031314697073434120476c6f62616c20434120526f6f743121301f06092a864886f70d0109011612676c6f62616c30314069707363612e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100a7efcc8030b091244fb068f8c3ca2d1538555882e23863b0f7a3926f83b8b05eb08cac54b177d050e097b390ad8ab31f392b4556f7aae2df7cb2ec6f532f9acbd0e666cbc913e872e2b4cd31578712b593e8fa72ceea47f28cb4b063d70400b764363997e895f188f9710d03278c61cf0883964f83c54ee85cf80670f102aa1c1ea9c8aa7ee75dcd8d3c146f67d01ba923488b21283a8a4ce6
EAP-Message = 0x1131f9212eb26766
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x51c5e19f54fbf86b215acf310f5bc900
Finished request 33.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.129.89.1 port 38848,
id=80, length=181
User-Name = "pruebita"
NAS-Identifier = "AP-PVIII-IX-OF"
NAS-Port = 3
Called-Station-Id = "00:1B-7E-DC-AB-1A:sarlanga-I"
Calling-Station-Id = "E8-3E-B6-26-C3-28"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x023e00061900
State = 0x51c5e19f54fbf86b215acf310f5bc900
Message-Authenticator = 0x419616a5e5f69204aaca365aa417d934
# Executing section authorize from file /etc/raddb-testing/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: %{Virtual-Server} ->
[auth_log] ... expanding second conditional
[auth_log] expand:
/usr/local-test/var/log/radius/radacct/requests/%{Client-IP-Address}/auth-detail-%{NAS-Identifier}-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d
-> /usr/local-test/var/log/radius/radacct/requests/10.129.89.1/auth-detail-AP-PVIII-IX-OF-DEFAULT-20120601
[auth_log] /usr/local-test/var/log/radius/radacct/requests/%{Client-IP-Address}/auth-detail-%{NAS-Identifier}-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d
expands to /usr/local-test/var/log/radius/radacct/requests/10.129.89.1/auth-detail-AP-PVIII-IX-OF-DEFAULT-20120601
[auth_log] expand: %t -> Fri Jun 1 07:43:26 2012
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "pruebita", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 62 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb-testing/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 80 to 10.129.89.1 port 38848
EAP-Message = 0x013f03af1900c6296e9493cf4096fcb03dbfb2b493bf5671b6a54187b058b559232849b898f9501e2d15280b4cac49d184a99b9ae77254b738d0dbc9fea973d56d10cd8e75ebfe97fd803cfcb4d848f499460b8814a4b62edb4c60f421c16c809514d5afd50203010001a382022430820220301d0603551d0e0416041415a69680b1154b31c3c29cf6e7130b4bf318cd863081df0603551d230481d73081d4801415a69680b1154b31c3c29cf6e7130b4bf318cd86a181b8a481b53081b2310b3009060355040613024553310f300d060355040813064d6164726964310f300d060355040713064d6164726964312f302d060355040a13264950532043
EAP-Message = 0x657274696669636174696f6e20417574686f7269747920732e6c2e206970734341310e300c060355040b13056970734341311d301b06035504031314697073434120476c6f62616c20434120526f6f743121301f06092a864886f70d0109011612676c6f62616c30314069707363612e636f6d820100300c0603551d13040530030101ff300b0603551d0f04040302010630470603551d250440303e06082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b06010505070308060a2b0601040182370a0304301d0603551d11041630148112676c6f62616c30314069707363612e636f6d301d0603
EAP-Message = 0x551d12041630148112676c6f62616c30314069707363612e636f6d30410603551d1f043a30383036a034a0328630687474703a2f2f63726c676c6f62616c30312e69707363612e636f6d2f63726c2f63726c676c6f62616c30312e63726c303806082b06010505070101042c302a302806082b06010505073001861c687474703a2f2f63726c676c6f62616c30312e69707363612e636f6d300d06092a864886f70d0101050500038201010018f4aefe800f8ec1776fa25a47489f2355a1536bf95da730a524be432ff8c1d157f93e2c8025cc46a936f3495b1df67cd763b34d3e78f6a7b40277f8790d3e6acb1860b8fd00af0cdd54e3548f223df310
EAP-Message = 0x6f110db51e7a8d27cc08b85bc3b81a5f2ba7603f001cf70f5c4266649e8712807089e0fa57280e4e1f102fd90580b6802f1c69f0f6b66534056fcad93ef8d45d3732c7b82bccff73930071e001c8aa43bda9f1cefa80f9f1431291a665e560074d47ba2b2f04f64a8529886510c9b253629c6c9b605c1a1bd3aec51d729906ff05cc862673b4d45405dd1e6b003bb789e8e391022012ebefe9fe0a29238123a300da70cc925f3723d01c7b355c037a16030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x51c5e19f57faf86b215acf310f5bc900
Finished request 34.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.129.89.1 port 38848,
id=81, length=501
User-Name = "pruebita"
NAS-Identifier = "AP-PVIII-IX-OF"
NAS-Port = 3
Called-Station-Id = "00:1B-7E-DC-AB-1A:sarlanga-I"
Calling-Station-Id = "E8-3E-B6-26-C3-28"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x023f014419001603010106100001020100615e16737ca27664e029e9464b6d38d0e96d10e9fa36dcc345d6c2bebc5b46b7f6f57dee94e3445d5addd0c341d0330731effdda2d1300f6163f8f9e639e7f29d6d5e01f75cc38ae18ea18c5db3b29b96255f6928c2a420882655e8cb81ea6c6df4fe2f5d37b0de031b7c81556d94022fb272852e078572cba44e3e8151e9660e6816d10fdba3a51b36e43119417ce6ca34e1d37d659a2f8b1f8bb4248ed807392bf7f5f453cf26f00fbcdfc6ec84f1798737710ade7141b2ecd78d77e6ba428ba468a36405c92a816c5a4868fa9ebb0b5f8a726d4b1ce9892fa2fe554e645d16522c263f3c5f86cd03171d0
EAP-Message = 0x8053a3c19d3fe2901eac4ee34cc1a51f2d9068191403010001011603010028dc45b3ecdbce94b5a878b480e812ee79a9c17150a92671fa177236cf97bf02bffc1a52c026dbbb2a
State = 0x51c5e19f57faf86b215acf310f5bc900
Message-Authenticator = 0xf86876fb7612ab7ff8a644817293b53b
# Executing section authorize from file /etc/raddb-testing/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: %{Virtual-Server} ->
[auth_log] ... expanding second conditional
[auth_log] expand:
/usr/local-test/var/log/radius/radacct/requests/%{Client-IP-Address}/auth-detail-%{NAS-Identifier}-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d
-> /usr/local-test/var/log/radius/radacct/requests/10.129.89.1/auth-detail-AP-PVIII-IX-OF-DEFAULT-20120601
[auth_log] /usr/local-test/var/log/radius/radacct/requests/%{Client-IP-Address}/auth-detail-%{NAS-Identifier}-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d
expands to /usr/local-test/var/log/radius/radacct/requests/10.129.89.1/auth-detail-AP-PVIII-IX-OF-DEFAULT-20120601
[auth_log] expand: %t -> Fri Jun 1 07:43:26 2012
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "pruebita", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 63 length 253
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb-testing/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange
[peap] TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap] TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 write finished A
[peap] TLS_accept: SSLv3 flush data
SSL: adding session
189eb3cfe1bd6b3b6b87fa215018f64ad2b414cda3740799b6d6c814cb3f7700 to
cache
[peap] (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 81 to 10.129.89.1 port 38848
EAP-Message = 0x0140003919001403010001011603010028120ba7581f67afee3fe93d71202a3b8eef45d44ed59366641e4e901d1d30295d67644c20f0636c95
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x51c5e19f5685f86b215acf310f5bc900
Finished request 35.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.129.89.1 port 38848,
id=82, length=181
User-Name = "pruebita"
NAS-Identifier = "AP-PVIII-IX-OF"
NAS-Port = 3
Called-Station-Id = "00:1B-7E-DC-AB-1A:sarlanga-I"
Calling-Station-Id = "E8-3E-B6-26-C3-28"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x024000061900
State = 0x51c5e19f5685f86b215acf310f5bc900
Message-Authenticator = 0x9876211434267235d34177c6baada0a0
# Executing section authorize from file /etc/raddb-testing/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: %{Virtual-Server} ->
[auth_log] ... expanding second conditional
[auth_log] expand:
/usr/local-test/var/log/radius/radacct/requests/%{Client-IP-Address}/auth-detail-%{NAS-Identifier}-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d
-> /usr/local-test/var/log/radius/radacct/requests/10.129.89.1/auth-detail-AP-PVIII-IX-OF-DEFAULT-20120601
[auth_log] /usr/local-test/var/log/radius/radacct/requests/%{Client-IP-Address}/auth-detail-%{NAS-Identifier}-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d
expands to /usr/local-test/var/log/radius/radacct/requests/10.129.89.1/auth-detail-AP-PVIII-IX-OF-DEFAULT-20120601
[auth_log] expand: %t -> Fri Jun 1 07:43:26 2012
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "pruebita", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 64 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb-testing/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state TUNNEL ESTABLISHED
++[eap] returns handled
Sending Access-Challenge of id 82 to 10.129.89.1 port 38848
EAP-Message = 0x0141002b19001703010020a7bad7bd5b08f24e8165859c7202d96fbb32d601cf63a81969b692422bbce7f0
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x51c5e19f5984f86b215acf310f5bc900
Finished request 36.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.129.89.1 port 38848,
id=83, length=247
User-Name = "pruebita"
NAS-Identifier = "AP-PVIII-IX-OF"
NAS-Port = 3
Called-Station-Id = "00:1B-7E-DC-AB-1A:sarlanga-I"
Calling-Station-Id = "E8-3E-B6-26-C3-28"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x02410048190017030100182c80dd585307c00c58051a0ea4faa27e4a5df95720469a7a170301002095ab5282b093ae854c63cc7d3ba67d506c23bddff057c2a98511a4bf854240c9
State = 0x51c5e19f5984f86b215acf310f5bc900
Message-Authenticator = 0x39c120e0dca7d430448165505dc8dd6c
# Executing section authorize from file /etc/raddb-testing/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: %{Virtual-Server} ->
[auth_log] ... expanding second conditional
[auth_log] expand:
/usr/local-test/var/log/radius/radacct/requests/%{Client-IP-Address}/auth-detail-%{NAS-Identifier}-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d
-> /usr/local-test/var/log/radius/radacct/requests/10.129.89.1/auth-detail-AP-PVIII-IX-OF-DEFAULT-20120601
[auth_log] /usr/local-test/var/log/radius/radacct/requests/%{Client-IP-Address}/auth-detail-%{NAS-Identifier}-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d
expands to /usr/local-test/var/log/radius/radacct/requests/10.129.89.1/auth-detail-AP-PVIII-IX-OF-DEFAULT-20120601
[auth_log] expand: %t -> Fri Jun 1 07:43:26 2012
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "pruebita", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 65 length 72
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb-testing/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state WAITING FOR INNER IDENTITY
[peap] Identity - pruebita
[peap] Got inner identity 'pruebita'
[peap] Setting default EAP type for tunneled EAP session.
[peap] Got tunneled request
EAP-Message = 0x0241000d017072756562697461
server {
[peap] Setting User-Name to pruebita
Sending tunneled request
EAP-Message = 0x0241000d017072756562697461
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "pruebita"
NAS-Identifier = "AP-PVIII-IX-OF"
NAS-Port = 3
Called-Station-Id = "00:1B-7E-DC-AB-1A:sarlanga-I"
Calling-Station-Id = "E8-3E-B6-26-C3-28"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
NAS-IP-Address = 10.129.89.1
server inner-tunnel-peap {
# Executing section authorize from file
/etc/raddb-testing/sites-enabled/inner-tunnel-peap
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "pruebita", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 65 length 13
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[ldap] performing user authorization for pruebita
[ldap] expand: (uid=%u) -> (uid=pruebita)
[ldap] expand: ou=people,dc=sarlanga,dc=edu -> ou=people,dc=sarlanga,dc=edu
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in ou=people,dc=sarlanga,dc=edu, with
filter (uid=pruebita)
[ldap] object not found
[ldap] search failed
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns notfound
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb-testing/sites-enabled/inner-tunnel-peap
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server inner-tunnel-peap
[peap] Got tunneled reply code 11
EAP-Message = 0x014200221a0142001d1044c4caf16d9a7e43d6e3fbad805501237072756562697461
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x63fdd7b563bfcd4b0f3934ebfe7a85b9
[peap] Got tunneled reply RADIUS code 11
EAP-Message = 0x014200221a0142001d1044c4caf16d9a7e43d6e3fbad805501237072756562697461
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x63fdd7b563bfcd4b0f3934ebfe7a85b9
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 83 to 10.129.89.1 port 38848
EAP-Message = 0x0142004319001703010038359eaf0224c732f9e83935d0da09d2f6b169503605cb8311ba6d9e3485d51cb6a25ddfc336d6bae781180ce0d413562af3bdcfde5180c80f
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x51c5e19f5887f86b215acf310f5bc900
Finished request 37.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.129.89.1 port 38848,
id=84, length=303
User-Name = "pruebita"
NAS-Identifier = "AP-PVIII-IX-OF"
NAS-Port = 3
Called-Station-Id = "00:1B-7E-DC-AB-1A:sarlanga-I"
Calling-Station-Id = "E8-3E-B6-26-C3-28"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x0242008019001703010018f3e980063f7cfb058900cf00b2760b697de7aba67e199b4f17030100588febd03280df614d10106a127d9ce496c4fccaad9681a12dd4f8d4641a2e337486c608e136ed1cbeac8af33318136b2dfa9b9a952cb7b61837ad54a90d1330537628ee52fde4e6af685b3d573bbbf04388bbaeecb4ea8e17
State = 0x51c5e19f5887f86b215acf310f5bc900
Message-Authenticator = 0x0c1ae63b5d7e03e33800ad87364eed83
# Executing section authorize from file /etc/raddb-testing/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: %{Virtual-Server} ->
[auth_log] ... expanding second conditional
[auth_log] expand:
/usr/local-test/var/log/radius/radacct/requests/%{Client-IP-Address}/auth-detail-%{NAS-Identifier}-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d
-> /usr/local-test/var/log/radius/radacct/requests/10.129.89.1/auth-detail-AP-PVIII-IX-OF-DEFAULT-20120601
[auth_log] /usr/local-test/var/log/radius/radacct/requests/%{Client-IP-Address}/auth-detail-%{NAS-Identifier}-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d
expands to /usr/local-test/var/log/radius/radacct/requests/10.129.89.1/auth-detail-AP-PVIII-IX-OF-DEFAULT-20120601
[auth_log] expand: %t -> Fri Jun 1 07:43:26 2012
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "pruebita", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 66 length 128
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb-testing/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
EAP-Message = 0x024200431a0242003e314a6d7e7fe98db69bbc4fc8cceb9dfb8d0000000000000000cedcbce414bab2e5f0f7952223f1b126947ce80dd6929378007072756562697461
server {
[peap] Setting User-Name to pruebita
Sending tunneled request
EAP-Message = 0x024200431a0242003e314a6d7e7fe98db69bbc4fc8cceb9dfb8d0000000000000000cedcbce414bab2e5f0f7952223f1b126947ce80dd6929378007072756562697461
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "pruebita"
State = 0x63fdd7b563bfcd4b0f3934ebfe7a85b9
NAS-Identifier = "AP-PVIII-IX-OF"
NAS-Port = 3
Called-Station-Id = "00:1B-7E-DC-AB-1A:sarlanga-I"
Calling-Station-Id = "E8-3E-B6-26-C3-28"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
NAS-IP-Address = 10.129.89.1
server inner-tunnel-peap {
# Executing section authorize from file
/etc/raddb-testing/sites-enabled/inner-tunnel-peap
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "pruebita", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 66 length 67
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[ldap] performing user authorization for pruebita
[ldap] expand: (uid=%u) -> (uid=pruebita)
[ldap] expand: ou=people,dc=sarlanga,dc=edu -> ou=people,dc=sarlanga,dc=edu
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in ou=people,dc=sarlanga,dc=edu, with
filter (uid=pruebita)
[ldap] object not found
[ldap] search failed
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns notfound
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb-testing/sites-enabled/inner-tunnel-peap
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file
/etc/raddb-testing/sites-enabled/inner-tunnel-peap
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Creating challenge hash with username: pruebita
[mschap] Told to do MS-CHAPv2 for pruebita with NT-Password
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
MSCHAP Failure
++[eap] returns handled
} # server inner-tunnel-peap
[peap] Got tunneled reply code 11
EAP-Message = 0x014300121a0442000d453d36393120523d31
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x63fdd7b562becd4b0f3934ebfe7a85b9
[peap] Got tunneled reply RADIUS code 11
EAP-Message = 0x014300121a0442000d453d36393120523d31
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x63fdd7b562becd4b0f3934ebfe7a85b9
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 84 to 10.129.89.1 port 38848
EAP-Message = 0x014300331900170301002888636a6445053d18018a230fd21f9959466fd90802b7210f8b788a09a4494fc64d1f7b6ae050f021
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x51c5e19f5b86f86b215acf310f5bc900
Finished request 38.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.129.89.1 port 38848,
id=85, length=239
User-Name = "pruebita"
NAS-Identifier = "AP-PVIII-IX-OF"
NAS-Port = 3
Called-Station-Id = "00:1B-7E-DC-AB-1A:sarlanga-I"
Calling-Station-Id = "E8-3E-B6-26-C3-28"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x0243004019001703010018e16554d32843bdba9b707d3e41f21023c12b34e85e7f7df517030100186d29c7588683f31175ad338f971a6426cac9ffe6b6eaa912
State = 0x51c5e19f5b86f86b215acf310f5bc900
Message-Authenticator = 0x10df06a435d2fc959d36eb7ecb637292
# Executing section authorize from file /etc/raddb-testing/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: %{Virtual-Server} ->
[auth_log] ... expanding second conditional
[auth_log] expand:
/usr/local-test/var/log/radius/radacct/requests/%{Client-IP-Address}/auth-detail-%{NAS-Identifier}-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d
-> /usr/local-test/var/log/radius/radacct/requests/10.129.89.1/auth-detail-AP-PVIII-IX-OF-DEFAULT-20120601
[auth_log] /usr/local-test/var/log/radius/radacct/requests/%{Client-IP-Address}/auth-detail-%{NAS-Identifier}-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d
expands to /usr/local-test/var/log/radius/radacct/requests/10.129.89.1/auth-detail-AP-PVIII-IX-OF-DEFAULT-20120601
[auth_log] expand: %t -> Fri Jun 1 07:43:26 2012
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "pruebita", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 67 length 64
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb-testing/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
EAP-Message = 0x024300061a04
server {
[peap] Setting User-Name to pruebita
Sending tunneled request
EAP-Message = 0x024300061a04
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "pruebita"
State = 0x63fdd7b562becd4b0f3934ebfe7a85b9
NAS-Identifier = "AP-PVIII-IX-OF"
NAS-Port = 3
Called-Station-Id = "00:1B-7E-DC-AB-1A:sarlanga-I"
Calling-Station-Id = "E8-3E-B6-26-C3-28"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
NAS-IP-Address = 10.129.89.1
server inner-tunnel-peap {
# Executing section authorize from file
/etc/raddb-testing/sites-enabled/inner-tunnel-peap
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "pruebita", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 67 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[ldap] performing user authorization for pruebita
[ldap] expand: (uid=%u) -> (uid=pruebita)
[ldap] expand: ou=people,dc=sarlanga,dc=edu -> ou=people,dc=sarlanga,dc=edu
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in ou=people,dc=sarlanga,dc=edu, with
filter (uid=pruebita)
[ldap] object not found
[ldap] search failed
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns notfound
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb-testing/sites-enabled/inner-tunnel-peap
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
Login incorrect ( [ldap] User not found): [pruebita] (from client
oficina-test port 3 cli E8-3E-B6-26-C3-28 via TLS tunnel)
} # server inner-tunnel-peap
[peap] Got tunneled reply code 3
EAP-Message = 0x04430004
Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code 3
EAP-Message = 0x04430004
Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] returns handled
Sending Access-Challenge of id 85 to 10.129.89.1 port 38848
EAP-Message = 0x0144002b1900170301002083387441294d575a9779c1b19e136da15935afcd9f001a1d2e4b5b87e236d164
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x51c5e19f5a81f86b215acf310f5bc900
Finished request 39.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.129.89.1 port 38848,
id=86, length=247
User-Name = "pruebita"
NAS-Identifier = "AP-PVIII-IX-OF"
NAS-Port = 3
Called-Station-Id = "00:1B-7E-DC-AB-1A:sarlanga-I"
Calling-Station-Id = "E8-3E-B6-26-C3-28"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x024400481900170301001854ac58595af316bc6d8484be6039a67508204d0ecaea270a1703010020b983c87ab4edfd3bc018184ba6271d50216bc96f1f430e19808d9e1a4ec9180a
State = 0x51c5e19f5a81f86b215acf310f5bc900
Message-Authenticator = 0xae08495c38c1461cb67d946cdf22ceae
# Executing section authorize from file /etc/raddb-testing/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: %{Virtual-Server} ->
[auth_log] ... expanding second conditional
[auth_log] expand:
/usr/local-test/var/log/radius/radacct/requests/%{Client-IP-Address}/auth-detail-%{NAS-Identifier}-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d
-> /usr/local-test/var/log/radius/radacct/requests/10.129.89.1/auth-detail-AP-PVIII-IX-OF-DEFAULT-20120601
[auth_log] /usr/local-test/var/log/radius/radacct/requests/%{Client-IP-Address}/auth-detail-%{NAS-Identifier}-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d
expands to /usr/local-test/var/log/radius/radacct/requests/10.129.89.1/auth-detail-AP-PVIII-IX-OF-DEFAULT-20120601
[auth_log] expand: %t -> Fri Jun 1 07:43:26 2012
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "pruebita", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 68 length 72
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb-testing/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state send tlv failure
[peap] Received EAP-TLV response.
[peap] The users session was previously rejected: returning reject (again.)
[peap] *** This means you need to read the PREVIOUS messages in the
debug output
[peap] *** to find out the reason why the user was rejected.
[peap] *** Look for "reject" or "fail". Those earlier messages will tell you.
[peap] *** what went wrong, and how to fix the problem.
SSL: Removing session
189eb3cfe1bd6b3b6b87fa215018f64ad2b414cda3740799b6d6c814cb3f7700 from
the cache
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect: [pruebita] (from client oficina-test port 3 cli
E8-3E-B6-26-C3-28)
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb-testing/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> pruebita
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 40 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
--
--
Sergio Belkin http://www.sergiobelkin.com
Watch More TV http://sebelk.blogspot.com
LPIC-2 Certified - http://www.lpi.org
1
0
Hi,
Does setting Service-Type AVP to Authorize-Only in a RADIUS REQUEST make FreeRADIUS do only the authorization part?
I am using FreeRADIUS Version 2.1.12.
I do not know much about of how freeRADIUS works, but I am looking to get either of these scenarios working -
Case 1:
authenticate a user (using EAP-SIM) with FreeRADIUS and then,
initiate authorization (separately using Service-Type AVP set to Authorize-Only) for the same user with FreeRADIUS
Case 2:
Configure FreeRadius to Authenticate & Authorize the user in one go; in which case the output of radiusd -X clearly indicates that both Auth & Autz are done.
If case 2 happens, how do I distinguish it from an Authentication-Only scenario?
Forgive my ignorance, please advise.
- AJ
2
1
Thanks for your prompt replies.
I have checked the double checked my config files for both radius and mpd (pppoe daemon).
"clients.conf" from the path indicated by the debugs.
client "raph-firewall" {
ipaddr = 192.168.1.254
proto = udp
secret = 123456789
require_message_authenticator = no
max_connections = 16
shortname = raph-firewall
nastype = other
### login = !root ###
### password = someadminpass ###
}
"mpd.conf"
pppoe_standard:
set bundle no multilink
set bundle enable compression
set auth max-logins 1
set iface up-script /usr/local/sbin/vpn-linkup
set iface down-script /usr/local/sbin/vpn-linkdown
set iface idle 0
set iface disable on-demand
set iface disable proxy-arp
set iface enable tcpmssfix
set iface mtu 1500
set link no pap chap
set link enable pap
set link keep-alive 60 180
set ipcp yes vjcomp
set ipcp no vjcomp
set link max-redial -1
set link mtu 1492
set link mru 1492
set ccp yes mpp-e40
set ccp yes mpp-e128
set ccp yes mpp-stateless
set link latency 1
#set ipcp dns 10.10.1.3
#set bundle accept encryption
set ipcp dns 192.168.1.254
set radius server 192.168.1.254 "123456789 1812 "
set radius retries 3
set radius timeout 10
set auth enable radius-auth
Really weird one, i thought it would be much simpler!!
Tim
2
1