Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
August 2014
- 68 participants
- 94 discussions
14 Aug '14
Hi all,
At the moment, I'm trying to get FreeRADIUS (Version 2.1.12 on CentOS 6.5, 64-bit) to do something a little oddball. I've got users in an Active Directory 2008 R2 domain, and I need to be able to authenticate them via RADIUS. However, it's complicated a little because I want to use UserPrincipalName. The longterm aim for this is a server doing EAP with inner and outer tunnels for Eduroam, hence the UPN. NTLMauth won't work with UPN natively - it usually just strips the realm off and uses the username portion. This won't work for me because the UPN and sAMAccountNames don't match (legacy reasons) and also will never match as we'll be using the full UPN matching the user's email address in future for other stuff, and having different UPNs to Emails will cause confusion as they'll be too similar.
I've been told it may be possible in the authorise section to query LDAP using the UPN, and return the sAMAccountName into a variable, then use that in the Authenticate section to actually auth the user via NTLMauth.
I've managed to modify the dictionary and ldap.attrs files, so when I run an authentication I see in the debug my variable get something put into it (and indeed, what I expect to see in it). However, when I feed this to the ntlm_auth module, it all falls over and says the variable doesn't exist, or can't be expanded.
I followed this howto for the ntlm_auth:
http://deployingradius.com/documents/configuration/active_directory.html
I modified the ntlm module as follows:
exec ntlm_auth {
wait = yes
program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{Bucks-samAccountName} --password=%{User-Password}"
}
ldap.attrmap has an extra line (tried as both a check-item and a replyitem. I'm thinking it should be check-item as a replyitem is sent in the RADIUS reply, which I don't want).
checkItem Bucks-samAccountName sAMAccountName
And I modified the dictionary:
ATTRIBUTE Bucks-samAccountName 3003 string
Does anybody know where I'm going wrong with this? Is it even possible? I've been playing with it for a while, and getting nowhere. Unforuntately the documentation hints at only certain variables being passed into modules, but doesn't elaborate on which ones, hence resorting to the mailing list.
My complete debug follows my sig, suitably sanitised.
Thanks in advance.
--
David Rickard
Systems Manager
IT - Core Systems Team
Buckinghamshire New University
High Wycombe Campus
Queen Alexandra Road
High Wycombe
Buckinghamshire HP11 2JZ
Telephone: 01494 601 649
Facsimile: 01494 524 392
Main Switchboard: 01494 522 141, ext. 1649
bucks.ac.uk
# radiusd -X
FreeRADIUS Version 2.1.12, for host x86_64-redhat-linux-gnu, built on Oct 3 2012 at 01:22:51
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/cui
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/dynamic_clients
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/ntlm_auth
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/replicate
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/redis
including configuration file /etc/raddb/modules/ldap
including configuration file /etc/raddb/modules/rediswho
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/opendirectory
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/soh
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/control-socket
including configuration file /etc/raddb/sites-enabled/inner-tunnel
main {
user = "radiusd"
group = "radiusd"
allow_core_dumps = no
}
including dictionary file /etc/raddb/dictionary
main {
name = "radiusd"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log/radius"
run_dir = "/var/run/radiusd"
libdir = "/usr/lib64/freeradius"
radacctdir = "/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "/var/run/radiusd/radiusd.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "testing123"
response_window = 20
max_outstanding = 65536
require_message_authenticator = yes
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client myclientpc {
ipaddr = x.x.x.x
require_message_authenticator = no
secret = "testing123"
nastype = "other"
}
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "testing123"
nastype = "other"
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating module "exec" from file /etc/raddb/modules/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_expr
Module: Instantiating module "expr" from file /etc/raddb/modules/expr
Module: Linked to module rlm_expiration
Module: Instantiating module "expiration" from file /etc/raddb/modules/expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating module "logintime" from file /etc/raddb/modules/logintime
logintime {
reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60
}
}
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/raddb/radiusd.conf
modules {
Module: Creating Auth-Type = ntlm_auth
Module: Creating Auth-Type = digest
Module: Creating Post-Auth-Type = REJECT
Module: Checking authenticate {...} for more modules to load
Module: Instantiating module "ntlm_auth" from file /etc/raddb/modules/ntlm_auth
exec ntlm_auth {
wait = yes
program = "/usr/bin/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{:Bucks-sAMAccountName} --password=%{User-Password}"
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_pap
Module: Instantiating module "pap" from file /etc/raddb/modules/pap
pap {
encryption_scheme = "auto"
auto_header = no
}
Module: Linked to module rlm_chap
Module: Instantiating module "chap" from file /etc/raddb/modules/chap
Module: Linked to module rlm_mschap
Module: Instantiating module "mschap" from file /etc/raddb/modules/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = no
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:Bucks-sAMAccountName:-None} --domain=%{%{mschap:NT-Domain}:-MYDOMAIN} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
allow_retry = yes
}
Module: Linked to module rlm_digest
Module: Instantiating module "digest" from file /etc/raddb/modules/digest
Module: Linked to module rlm_unix
Module: Instantiating module "unix" from file /etc/raddb/modules/unix
unix {
radwtmp = "/var/log/radius/radwtmp"
}
Module: Linked to module rlm_eap
Module: Instantiating module "eap" from file /etc/raddb/eap.conf
eap {
default_eap_type = "md5"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 4096
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
CA_path = "/etc/raddb/certs"
pem_file_type = yes
private_key_file = "/etc/raddb/certs/server.pem"
certificate_file = "/etc/raddb/certs/server.pem"
CA_file = "/etc/raddb/certs/ca.pem"
private_key_password = "whatever"
dh_file = "/etc/raddb/certs/dh"
random_file = "/etc/raddb/certs/random"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
}
}
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating module "preprocess" from file /etc/raddb/modules/preprocess
preprocess {
huntgroups = "/etc/raddb/huntgroups"
hints = "/etc/raddb/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
Module: Linked to module rlm_ldap
Module: Instantiating module "ldap" from file /etc/raddb/modules/ldap
ldap {
server = "adserver.domain"
port = 389
password = "somethingsomething"
identity = "CN=LDAP User,CN=users,DC=mydomain,DC=tld"
net_timeout = 1
timeout = 4
timelimit = 3
tls_mode = no
start_tls = no
tls_require_cert = "allow"
tls {
start_tls = yes
require_cert = "allow"
}
basedn = "OU=users,DC=mydomain,DC=tld"
filter = "(userPrincipalName=%{%{Stripped-User-Name}:-%{User-Name}})"
base_filter = "(objectclass=radiusprofile)"
auto_header = no
access_attr_used_for_allow = yes
groupname_attribute = "cn"
groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
dictionary_mapping = "/etc/raddb/ldap.attrmap"
ldap_debug = 0
ldap_connections_number = 5
compare_check_items = no
do_xlat = yes
set_auth_type = no
keepalive {
idle = 60
probes = 3
interval = 3
}
}
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: reading ldap<->radius mappings from file /etc/raddb/ldap.attrmap
rlm_ldap: LDAP sAMAccountName mapped to RADIUS Bucks-sAMAccountName
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password
rlm_ldap: LDAP userPassword mapped to RADIUS Password-With-Header
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type
rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type
rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id
conns: 0x7f6307196780
Module: Linked to module rlm_realm
Module: Instantiating module "suffix" from file /etc/raddb/modules/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Linked to module rlm_files
Module: Instantiating module "files" from file /etc/raddb/modules/files
files {
usersfile = "/etc/raddb/users"
acctusersfile = "/etc/raddb/acct_users"
preproxy_usersfile = "/etc/raddb/preproxy_users"
compat = "no"
}
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating module "acct_unique" from file /etc/raddb/modules/acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating module "detail" from file /etc/raddb/modules/detail
detail {
detailfile = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Linked to module rlm_radutmp
Module: Instantiating module "radutmp" from file /etc/raddb/modules/radutmp
radutmp {
filename = "/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Linked to module rlm_attr_filter
Module: Instantiating module "attr_filter.accounting_response" from file /etc/raddb/modules/attr_filter
attr_filter attr_filter.accounting_response {
attrsfile = "/etc/raddb/attrs.accounting_response"
key = "%{User-Name}"
relaxed = no
}
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Instantiating module "attr_filter.access_reject" from file /etc/raddb/modules/attr_filter
attr_filter attr_filter.access_reject {
attrsfile = "/etc/raddb/attrs.access_reject"
key = "%{User-Name}"
relaxed = no
}
} # modules
} # server
server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel
modules {
Module: Checking authenticate {...} for more modules to load
Module: Checking authorize {...} for more modules to load
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
} # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
listen {
type = "control"
listen {
socket = "/var/run/radiusd/radiusd.sock"
}
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
... adding new socket proxy address * port 51284
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /var/run/radiusd/radiusd.sock
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host x.x.x.x port 57184, id=72, length=147
User-Name = "test.account(a)bucks.ac.uk"
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
Message-Authenticator = 0x73b52b7e92735b3dc3aa9894f90b4f21
MS-CHAP-Challenge = 0x9988e47a2058b555
MS-CHAP-Response = 0x00010000000000000000000000000000000000000000000000004bacf42e37cb08d97a2790cd6acb3651e92e44ea3fcf86dc
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[ldap] performing user authorization for test.account(a)bucks.ac.uk
[ldap] expand: %{Stripped-User-Name} ->
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> test.account(a)bucks.ac.uk
[ldap] expand: (userPrincipalName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (userPrincipalName=test.account(a)bucks.ac.uk)
[ldap] expand: OU=users,DC=mydomain,DC=tld -> OU=users,DC=mydomain,DC=tld
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] attempting LDAP reconnection
[ldap] (re)connect to adserver.domain:389, authentication 0
[ldap] starting TLS
[ldap] bind as CN=LDAP User,CN=users,DC=mydomain,DC=tld/secretsecret to adserver.domain:389
[ldap] waiting for bind result ...
[ldap] Bind was successful
[ldap] performing search in OU=users,DC=mydomain,DC=tld, with filter (userPrincipalName=test.account(a)bucks.ac.uk)
[ldap] looking for check items in directory...
[ldap] sAMAccountName -> Bucks-sAMAccountName == "taccount"
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
[ldap] user test.account(a)bucks.ac.uk authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[chap] returns noop
[mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
++[mschap] returns ok
++[digest] returns noop
[suffix] Looking up realm "bucks.ac.uk" for User-Name = "test.account(a)bucks.ac.uk"
[suffix] No such realm "bucks.ac.uk"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = MSCHAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group MS-CHAP {...}
[mschap] Told to do MS-CHAPv1 with NT-Password
[mschap] Unknown expansion string "Bucks-sAMAccountName:-None"
[mschap] expand: --username=%{mschap:Bucks-sAMAccountName:-None} -> --username=
[mschap] No NT-Domain was found in the User-Name.
[mschap] expand: %{mschap:NT-Domain} ->
[mschap] ... expanding second conditional
[mschap] expand: --domain=%{%{mschap:NT-Domain}:-MYDOMAIN} -> --domain=MYDOMAIN
[mschap] mschap1: 99
[mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=9988e47a2058b555
[mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=4bacf42e37cb08d97a2790cd6acb3651e92e44ea3fcf86dc
username must be specified!
Usage: [OPTION...]
--helper-protocol=helper protocol to use operate as a stdio-based helper
--username=STRING username
--domain=STRING domain name
--workstation=STRING workstation
--challenge=STRING challenge (HEX encoded)
--lm-response=STRING LM Response to the challenge (HEX encoded)
--nt-response=STRING NT or NTLMv2 Response to the challenge (HEX encoded)
--password=STRING User's plaintext password
--request-lm-key Retrieve LM session key
--request-nt-key Retrieve User (NT) session key
--use-cached-creds Use cached credentials if no password is given
--diagnostics Perform diagnostics on the authentication chain
--require-membership-of=STRING Require that a user be a member of this group (either name or SID) for authentication to succeed
--pam-winbind-conf=STRING Require that request must set WBFLAG_PAM_CONTACT_TRUSTDOM when krb5 auth is required
Help options:
-?, --help Show this help message
--usage Display brief usage message
Common samba config:
--configfile=CONFIGFILE Use alternate configuration file
Common samba options:
-V, --version Print version
Exec-Program output:
Exec-Program: returned: 1
[mschap] External script failed.
[mschap] MS-CHAP-Response is incorrect.
++[mschap] returns reject
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> test.account(a)bucks.ac.uk
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 72 to x.x.x.x port 57184
MS-CHAP-Error = "\000E=691 R=1"
Waking up in 4.9 seconds.
Cleaning up request 0 ID 72 with timestamp +34
Ready to process requests.
--
David Rickard
Systems Manager
IT - Core Systems Team
Buckinghamshire New University
High Wycombe Campus
Queen Alexandra Road
High Wycombe
Buckinghamshire HP11 2JZ
Telephone: 01494 601 649
Facsimile: 01494 524 392
Main Switchboard: 01494 522 141, ext. 1649
bucks.ac.uk
4
4
Just for the record on the list, there was up until recently a great page
that showed how to use the rlm_raw module here:
http://sourceforge.net/apps/trac/hotcakes/wiki/YfiTechDynamicClients
But unfortunately this page has been moved/gone. :-(
After a bit of digging I found the original page cached on the 'wayback
machine' here:
http://web.archive.org/web/20131203083354/http://sourceforge.net/apps/trac/h
otcakes/wiki/YfiTechDynamicClients
Unfortunately the images are missing though.
Just putting it here if anyone else wants this page in the future...
Cheers
Kev/.
2
1
I'm trying to get Freeradius to authenticate wireless users. AVPs
don't pass when clients use PEAP even with tunneled reply on. If I force
the client to TTLS it works fine, passes AVPs everyones happy. Problem
is, windows android and ios all default to PEAP. Has anyone else run
into this? Any help is greatly appreciated.
Freeradius FreeRADIUS Version 3.0.3, for host
x86_64-unknown-linux-gnu, built on Jun 6 2014 at 13:18:16
Copyright (C) 1999-2014 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
I have included ttls and peap settings of my eap file:
ttls {
tls = tls-common
default_eap_type = md5
copy_request_to_tunnel = yes
use_tunneled_reply = yes
virtual_server = "inner-tunnel"
}
peap {
tls = tls-common
default_eap_type = mschapv2
copy_request_to_tunnel = yes
use_tunneled_reply = yes
virtual_server = "inner-tunnel"
}
Installed newer freeradius from source with same result:
FreeRADIUS Version 3.1.0 (git #9a810bd), for host
x86_64-unknown-linux-gnu, built on Aug 8 2014 at 11:53:47
Copyright (C) 1999-2014 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
5
13
Hi,
When I try to compile FR2.2.5 on Slaris 10 ( SPARC ) server with Oracle DB,
configuration went successfully but I run make , I got the following error:
Making all in rlm_unix...
/usr/sfw/bin/gmake -w -C rlm_unix all
gmake[6]: Entering directory
`/export/home/freeradius-server-2.2.5/src/modules/rlm_unix'
/export/home/freeradius-server-2.2.5/libtool --mode=compile --tag=CC gcc
-I/export/home/freeradius-server-2.2.5
-I/export/home/freeradius-server-2.2.5/src -g -O2 -Wall -D_GNU_SOURCE
-D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DNDEBUG
-I/export/home/freeradius-server-2.2.5/libltdl
-I/export/home/freeradius-server-2.2.5/src
-I/export/home/freeradius-server-2.2.5/libltdl -c rlm_unix.c
gcc -I/export/home/freeradius-server-2.2.5
-I/export/home/freeradius-server-2.2.5/src -g -O2 -Wall -D_GNU_SOURCE
-D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DNDEBUG
-I/export/home/freeradius-server-2.2.5/libltdl
-I/export/home/freeradius-server-2.2.5/src
-I/export/home/freeradius-server-2.2.5/libltdl -c rlm_unix.c -fPIC -DPIC
-o .libs/rlm_unix.o
rlm_unix.c: In function `groupcmp':
rlm_unix.c:81: warning: unused variable `username'
rlm_unix.c:83: warning: unused variable `vp'
rlm_unix.c: In function `unix_accounting':
rlm_unix.c:543: error: structure has no member named `ut_host'
rlm_unix.c:543: error: structure has no member named `ut_host'
gmake[6]: *** [rlm_unix.lo] Error 1
gmake[6]: Leaving directory
`/export/home/freeradius-server-2.2.5/src/modules/rlm_unix'
gmake[5]: *** [rlm_unix] Error 2
gmake[5]: Leaving directory
`/export/home/freeradius-server-2.2.5/src/modules'
gmake[4]: *** [all] Error 2
gmake[4]: Leaving directory
`/export/home/freeradius-server-2.2.5/src/modules'
gmake[3]: *** [modules] Error 2
gmake[3]: Leaving directory `/export/home/freeradius-server-2.2.5/src'
gmake[2]: *** [all] Error 2
gmake[2]: Leaving directory `/export/home/freeradius-server-2.2.5/src'
gmake[1]: *** [src] Error 2
gmake[1]: Leaving directory `/export/home/freeradius-server-2.2.5'
gmake: *** [all] Error 2
Thanks;
Awaad
2
3
In an 802.1x environment is there a way to, as part of authorization,
to do end point checking on the connecting client? To check things
such as virus software installed, OS updates, etc.
Or is this something that could be handled by another product.
Thanks
3
2
I have install Kamailio 4.1 with MySQL database so all users stored in
MySQL (authentication), Later I have installed FreeRadius for accounting
only, Just accounting (Invite/Bye). In short MySQL for authentication and
FreeRadius for accounting ( CDRTool).
Problems: If i register user using SIP phone and call other SIP extension
then freeradius start accounting and insert entry in MySQL/radaccts tables
if i end call then it doesn't update END accounting ( Bye ). I have google
it everywhere but didn't get single clue so i hope i get something here
from you guys
-- kamailio.cfg ( default file i just add following radius section)
loadmodule "acc.so"
loadmodule "acc_radius.so"
...
...
# ------- FreeRadius Accounting -------
modparam("acc_radius", "radius_flag", 1)
modparam("acc_radius", "radius_missed_flag", 2)
modparam("acc", "log_flag", 1)
modparam("acc", "log_missed_flag", 1)
modparam("acc_radius", "service_type", 15)
modparam("acc_radius", "radius_config",
"/etc/radiusclient-ng/radiusclient.conf")
modparam("acc_radius", "radius_extra", "User-Name=$Au")
-- /etc/freeradius/sql.conf
sql {
driver = "rlm_sql_mysql"
server = "localhost"
login = "radius"
password = "radius"
radius_db = "radius"
sqltrace = no
sqltracefile = ${logdir}/sqltrace-%Y%m%d.log
num_sql_socks = 25
connect_failure_retry_delay = 60
accounting_start_query = "\
CALL insert_radacct_record( \
'radius', \
'%{Acct-Session-Id}', \
'%{Acct-Unique-Session-Id}', \
'%{Billing-Party}', \
'%{Billing-Party}', \
'%{SIP-Proxy-IP}', \
'%{NAS-Port}', \
FROM_UNIXTIME('%S'), \
'0', \
'0', \
'0', \
'0', \
'%{Called-Station-Id}', \
'%{Calling-Station-Id}', \
'%{Sip-Response-Code}', \
'%{Service-Type}', \
'%{ENUM-TLD}', \
'%{Framed-IP-Address}', \
UNIX_TIMESTAMP('%S') - '%{Event-Timestamp}', \
UNIX_TIMESTAMP('%S') - '%{Event-Timestamp}', \
'%{Sip-Response-Code}', \
'%{Sip-Method}', \
'%{Sip-Translated-Request-URI}', \
'%{Sip-To-Tag}', \
'%{Sip-From-Tag}', \
'%{Sip-RPId}', \
'%{Source-IP}', \
'%{Source-Port}', \
'%{Canonical-URI}', \
'', \
'', \
'%{Sip-Application-Type}', \
'%{User-Agent}', \
'%{From-Header}' \
)"
accounting_stop_query = "\
CALL update_radacct_record( \
'radius', \
FROM_UNIXTIME('%S'), \
UNIX_TIMESTAMP('%S') - '%{Event-Timestamp}', \
'', \
'%{X-RTP-Stat}', \
'%{Acct-Session-Id}', \
'%{Sip-To-Tag}', \
'%{Sip-From-Tag}' \
)"
-- Radius logs
rad_recv: Accounting-Request packet from host 127.0.0.1 port 36379, id=11,
length=152
Acct-Status-Type = Start
Service-Type = Sip-Session
Sip-Response-Code = 200
Sip-Method = Invite
Event-Timestamp = "Aug 12 2014 22:45:36 EDT"
Sip-From-Tag = "59eb1875"
Sip-To-Tag = "d443e36e"
Acct-Session-Id = "M2IwZTVkY2Y5YTU2ZjdmOTQ5NWMzYzI1NTU3MWMwYjQ."
User-Name = "2002(a)192.168.1.5"
NAS-Port = 5060
Acct-Delay-Time = 0
NAS-IP-Address = 127.0.0.1
Tue Aug 12 22:45:36 2014 : Info: # Executing section preacct from file
/etc/freeradius/sites-enabled/default
Tue Aug 12 22:45:36 2014 : Info: +- entering group preacct {...}
Tue Aug 12 22:45:36 2014 : Info: ++[preprocess] returns ok
Tue Aug 12 22:45:36 2014 : Info: [acct_unique] Hashing 'NAS-Port =
5060,Client-IP-Address = 127.0.0.1,NAS-IP-Address =
127.0.0.1,Acct-Session-Id =
"M2IwZTVkY2Y5YTU2ZjdmOTQ5NWMzYzI1NTU3MWMwYjQ.",User-Name = "2002(a)192.168.1.5
"'
Tue Aug 12 22:45:36 2014 : Info: [acct_unique] Acct-Unique-Session-ID =
"117c7740de62ba6c".
Tue Aug 12 22:45:36 2014 : Info: ++[acct_unique] returns ok
Tue Aug 12 22:45:36 2014 : Info: [suffix] Looking up realm "192.168.1.5"
for User-Name = "2002(a)192.168.1.5"
Tue Aug 12 22:45:36 2014 : Info: [suffix] No such realm "192.168.1.5"
Tue Aug 12 22:45:36 2014 : Info: ++[suffix] returns noop
Tue Aug 12 22:45:36 2014 : Info: ++[files] returns noop
Tue Aug 12 22:45:36 2014 : Info: # Executing section accounting from file
/etc/freeradius/radiusd.conf
Tue Aug 12 22:45:36 2014 : Info: +- entering group accounting {...}
Tue Aug 12 22:45:36 2014 : Info: [detail] expand:
/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d ->
/var/log/freeradius/radacct/127.0.0.1/detail-20140812
Tue Aug 12 22:45:36 2014 : Info: [detail]
/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to
/var/log/freeradius/radacct/127.0.0.1/detail-20140812
Tue Aug 12 22:45:36 2014 : Info: [detail] expand: %t -> Tue Aug 12
22:45:36 2014
Tue Aug 12 22:45:36 2014 : Info: ++[detail] returns ok
Tue Aug 12 22:45:36 2014 : Info: [sql] expand: CALL
insert_radacct_record( 'radius',
'%{Acct-Session-Id}',
'%{Acct-Unique-Session-Id}',
'%{Billing-Party}', '%{Billing-Party}',
'%{SIP-Proxy-IP}', '%{NAS-Port}',
FROM_UNIXTIME('%S'), '0',
'0', '0', '0',
'%{Called-Station-Id}',
'%{Calling-Station-Id}',
'%{Sip-Response-Code}', '%{Service-Type}',
'%{ENUM-TLD}', '%{Framed-IP-Address}',
UNIX_TIMESTAMP('%S') - '%{Event-Timestamp}',
UNIX_TIMESTAMP('%S') - '%{Event-Timestamp}',
'%{Sip-Response-Code}', '%{Sip-Method}',
'%{Sip-Translated-Request-URI}',
'%{Sip-To-Tag}', '%{Sip-From-Tag}',
'%{Sip-RPId}', '%{Source-IP}'
Tue Aug 12 22:45:36 2014 : Debug: rlm_sql (sql): Reserving sql socket id: 24
Tue Aug 12 22:45:36 2014 : Debug: rlm_sql (sql): Released sql socket id: 24
Tue Aug 12 22:45:36 2014 : Info: ++[sql] returns ok
Sending Accounting-Response of id 11 to 127.0.0.1 port 36379
Tue Aug 12 22:45:36 2014 : Info: Finished request 0.
Tue Aug 12 22:45:36 2014 : Info: Cleaning up request 0 ID 11 with timestamp
+13
Tue Aug 12 22:45:36 2014 : Debug: Going to the next request
Tue Aug 12 22:45:36 2014 : Info: Ready to process requests.
rad_recv: Accounting-Request packet from host 127.0.0.1 port 35683, id=149,
length=152
Acct-Status-Type = Stop
Service-Type = Sip-Session
Sip-Response-Code = 200
Sip-Method = Bye
Event-Timestamp = "Aug 12 2014 22:46:20 EDT"
Sip-From-Tag = "59eb1875"
Sip-To-Tag = "d443e36e"
Acct-Session-Id = "M2IwZTVkY2Y5YTU2ZjdmOTQ5NWMzYzI1NTU3MWMwYjQ."
User-Name = "2002(a)192.168.1.5"
NAS-Port = 5060
Acct-Delay-Time = 0
NAS-IP-Address = 127.0.0.1
Tue Aug 12 22:46:20 2014 : Info: # Executing section preacct from file
/etc/freeradius/sites-enabled/default
Tue Aug 12 22:46:20 2014 : Info: +- entering group preacct {...}
Tue Aug 12 22:46:20 2014 : Info: ++[preprocess] returns ok
Tue Aug 12 22:46:20 2014 : Info: [acct_unique] Hashing 'NAS-Port =
5060,Client-IP-Address = 127.0.0.1,NAS-IP-Address =
127.0.0.1,Acct-Session-Id =
"M2IwZTVkY2Y5YTU2ZjdmOTQ5NWMzYzI1NTU3MWMwYjQ.",User-Name = "2002(a)192.168.1.5
"'
Tue Aug 12 22:46:20 2014 : Info: [acct_unique] Acct-Unique-Session-ID =
"117c7740de62ba6c".
Tue Aug 12 22:46:20 2014 : Info: ++[acct_unique] returns ok
Tue Aug 12 22:46:20 2014 : Info: [suffix] Looking up realm "192.168.1.5"
for User-Name = "2002(a)192.168.1.5"
Tue Aug 12 22:46:20 2014 : Info: [suffix] No such realm "192.168.1.5"
Tue Aug 12 22:46:20 2014 : Info: ++[suffix] returns noop
Tue Aug 12 22:46:20 2014 : Info: ++[files] returns noop
Tue Aug 12 22:46:20 2014 : Info: # Executing section accounting from file
/etc/freeradius/radiusd.conf
Tue Aug 12 22:46:20 2014 : Info: +- entering group accounting {...}
Tue Aug 12 22:46:20 2014 : Info: [detail] expand:
/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d ->
/var/log/freeradius/radacct/127.0.0.1/detail-20140812
Tue Aug 12 22:46:20 2014 : Info: [detail]
/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to
/var/log/freeradius/radacct/127.0.0.1/detail-20140812
Tue Aug 12 22:46:20 2014 : Info: [detail] expand: %t -> Tue Aug 12
22:46:20 2014
Tue Aug 12 22:46:20 2014 : Info: ++[detail] returns ok
Tue Aug 12 22:46:20 2014 : Info: [sql] expand: CALL
update_radacct_record( 'radius',
FROM_UNIXTIME('%S'), UNIX_TIMESTAMP('%S') -
'%{Event-Timestamp}', '',
'%{X-RTP-Stat}', '%{Acct-Session-Id}',
'%{Sip-To-Tag}', '%{Sip-From-Tag}' ) ->
CALL update_radacct_record( 'radius',
FROM_UNIXTIME('2014-08-12 22:46:20'),
UNIX_TIMESTAMP('2014-08-12 22:46:20') - 'Aug 12 2014 22:46:20
EDT', '', '',
'M2IwZTVkY2Y5YTU2ZjdmOTQ5NWMzYzI1NTU3MWMwYjQ.',
'd443e36e', '59eb1875' )
Tue Aug 12 22:46:20 2014 : Debug: rlm_sql (sql): Reserving sql socket id: 23
Tue Aug 12 22:46:20 2014 : Info: [sql] expand: stop packet with zero
session length. [user '%{User-Name}', nas '%{NAS-IP-Address}'] -> stop
packet with zero session length. [user '2002(a)192.168.1.5', nas '127.0.0.1']
Tue Aug 12 22:46:20 2014 : Info: [sql] stop packet with zero session
length. [user '2002(a)192.168.1.5', nas '127.0.0.1']
Tue Aug 12 22:46:20 2014 : Debug: rlm_sql (sql): Released sql socket id: 23
Tue Aug 12 22:46:20 2014 : Info: ++[sql] returns noop
Sending Accounting-Response of id 149 to 127.0.0.1 port 35683
Tue Aug 12 22:46:20 2014 : Info: Finished request 1.
Tue Aug 12 22:46:20 2014 : Info: Cleaning up request 1 ID 149 with
timestamp +57
Tue Aug 12 22:46:20 2014 : Debug: Going to the next request
Tue Aug 12 22:46:20 2014 : Info: Ready to process requests.
-- SQL tables ( Time is wired 1969 )
mysql> select * from radacct196912;
+-----------+-----------------
-----------------------------+------------------+----------+-------+--------------+-----------+-------------+---------------------+---------------------+-----------------+---------------+-------------------+------------------+-----------------+------------------+-----------------+------------------+--------------------+-------------+---------+-----------------+----------------+---------------+-----------+-----------------+----------+------------+-------------------------+---------------+--------------------+-----------+---------+---------------+----------+------------+--------------+-----------+-----------+---------------+------+-------+------------+-----------+-----------+---------------+------------+-----------+---------+
| RadAcctId | AcctSessionId |
AcctUniqueId | UserName | Realm | NASIPAddress | NASPortId |
NASPortType | AcctStartTime | AcctStopTime | AcctSessionTime |
AcctAuthentic | ConnectInfo_start | ConnectInfo_stop | AcctInputOctets |
AcctOutputOctets | CalledStationId | CallingStationId | AcctTerminateCause
| ServiceType | ENUMtld | FramedIPAddress | AcctStartDelay | AcctStopDelay
| SipMethod | SipResponseCode | SipToTag | SipFromTag |
SipTranslatedRequestURI | SipUserAgents | SipApplicationType | SipCodecs |
SipRPID | SipRPIDHeader | SourceIP | SourcePort | CanonicalURI | DelayTime
| Timestamp | DestinationId | Rate | Price | Normalized | BillingId |
MediaInfo | RTPStatistics | FromHeader | UserAgent | Contact |
+-----------+----------------------------------------------+------------------+----------+-------+--------------+-----------+-------------+---------------------+---------------------+-----------------+---------------+-------------------+------------------+-----------------+------------------+-----------------+------------------+--------------------+-------------+---------+-----------------+----------------+---------------+-----------+-----------------+----------+------------+-------------------------+---------------+--------------------+-----------+---------+---------------+----------+------------+--------------+-----------+-----------+---------------+------+-------+------------+-----------+-----------+---------------+------------+-----------+---------+
| 1 | Y2ExZjhkMTU4ODRmN2MwMGM1N2Q1Y2E5YTA5ZjAzNjg |
e46f9d0439141495 | | | | 5060
| | 1969-12-31 19:00:00 | 1969-12-31 19:00:00 | 0
| NULL | NULL | | 0
| 0 | | |
200 | Sip-Session | | |
1407883391 | 0 | Invite | 200 | 70cc9216 |
e2cb1f0c | | |
| | | | |
| | | 0 | | | NULL |
0 | | NULL | | |
| |
| 2 | MzYyY2JhM2Q3MzEyN2U1ODJkMDA1NGNiMTMzYmE0OTc |
aa9b8bcb6effa2c7 | | | | 5060
| | 1969-12-31 19:00:00 | 1969-12-31 19:00:00 | 0
| NULL | NULL | | 0
| 0 | | |
200 | Sip-Session | | |
0 | 0 | Invite | 200 | c6ea6056 | 407f047e
| | | |
| | | | |
| | 0 | | | NULL | 0
| | NULL | | | | |
| 3 | M2IwZTVkY2Y5YTU2ZjdmOTQ5NWMzYzI1NTU3MWMwYjQ. |
117c7740de62ba6c | | | | 5060
| | 1969-12-31 19:33:34 | 1969-12-31 19:33:34 | 0
| NULL | NULL | | 0
| 0 | | |
200 | Sip-Session | | |
1407897936 | 1407897980 | Invite | 200 | d443e36e |
59eb1875 | | |
| | | | |
| | | 0 | | | NULL |
0 | | NULL | | |
| |
+-----------+----------------------------------------------+------------------+----------+-------+--------------+-----------+-------------+---------------------+---------------------+-----------------+---------------+-------------------+------------------+-----------------+------------------+-----------------+------------------+--------------------+-------------+---------+-----------------+----------------+---------------+-----------+-----------------+----------+------------+-------------------------+---------------+--------------------+-----------+---------+---------------+----------+------------+--------------+-----------+-----------+---------------+------+-------+------------+-----------+-----------+---------------+------------+-----------+---------+
3 rows in set (0.00 sec)
3
4
Hi Nicolas,
I browsed a little of your error and your conf files to notice you are
still missing a LOT of bits of a standard freeradius configuration to
connect to an AD. mschap encryptition strength, configuration of EAP
tunnels and protocols, actual domain not defined in FreeRadius/proxy.conf,
and then not yet VLANs (ok, not probably at this time of the game, but you
eventually will get there).
You would better search and use in freeradius and Janet for tutorials about
configuring RADIUS for AD. It is not as simples as tweaking the config
files.
About the certificates, I hope you dont use the current ones in production,
as you just published them to the world at large.
One last note, 2.1.12 FreeRadius has serious bugs working with AD (it
works, but crashes a lot). I would recommend at least 2.2.5 or going
directly to version 3.x.
Regards,
Rui Ribeiro
> Message: 2
> Date: Wed, 13 Aug 2014 10:58:31 +0200
> From: nfischer(a)hush.com
> To: freeradius-users(a)lists.freeradius.org
> Subject: freeRADIUS -> AD Auth (<100kb)
> Message-ID: <20140813085831.79D2B60960(a)smtp.hushmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> Hi there!
>
> I have a problem with the auth against an Active Directory.
> I would be very thankfull if you could help me.
>
> Im tring to setup an WiFi Network where the Useres can auth with their
> AD Useraccs,
>
> Setup:
> WiFi-Router with DD-WRT
> Ubuntu 10.04LTS with FreeRADIUS kerberus samba etc.
> AD at a Windows Server 2008 SBS (Total mess never install it!)
>
> The communicatuion W-Lan Client->Router->FreeRADIUS runs.
> The Ubuntu Server is in the Domain, wbinfo -u gives me all Users.
> The auth via NTLM_AUTH runns too:
> /etc/freeradius$ ntlm_auth --request-nt-key --domain=DOMAINNAME
> --username=USERNAME
> Password:
> NT_STATUS_OK: Success (0x0)
>
> I think just FreeRADIUS is configured wrong.
> The auth fails, respectively does not take place.
>
> I put the config files and the freeradius -X output in the attachment.
> (I removed a few unimportant configfiles to not hit the 100kb limit of
> this mailinglist.)
>
> Many thanks in advance!
>
5
7
Hello,
A small detail perhaps: in raddb/sites-available/default, one may read
#
# If the users are logging in with an MS-CHAP-Challenge
# attribute for authentication, the mschap module will find
# the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
# to the request, which will cause the server to then use
# the mschap module for authentication.
mschap
Wouldn't
"... add 'Auth-Type := MS-CHAP' to the control list, ..."
be more accurate?
Axel
2
1
Hi there!
I have a problem with the auth against an Active Directory.
I would be very thankfull if you could help me.
Im tring to setup an WiFi Network where the Useres can auth with their
AD Useraccs,
Setup:
WiFi-Router with DD-WRT
Ubuntu 10.04LTS with FreeRADIUS kerberus samba etc.
AD at a Windows Server 2008 SBS (Total mess never install it!)
The communicatuion W-Lan Client->Router->FreeRADIUS runs.
The Ubuntu Server is in the Domain, wbinfo -u gives me all Users.
The auth via NTLM_AUTH runns too:
/etc/freeradius$ ntlm_auth --request-nt-key --domain=DOMAINNAME
--username=USERNAME
Password:
NT_STATUS_OK: Success (0x0)
I think just FreeRADIUS is configured wrong.
The auth fails, respectively does not take place.
I put the config files and the freeradius -X output in the attachment.
(I removed a few unimportant configfiles to not hit the 100kb limit of
this mailinglist.)
Many thanks in advance!
--
Mit freundlichem Gruß
Nicolas Fischer
email: nfischer(a)hush.com
jabber: jagger(a)jabber.ccc.de
tel: 01573-0420888
Skype: jagger64
TOX: Just ask me :)
PGP-Key:
http://keyserver.ubuntu.com/pks/lookup?op=vindex&fingerprint=on&search=0xCF…
If you sent me a PGP Crypted Mail I´ll be happy and will give you a
free cookie :)
3
2
Hello-
I have done lots of searching and through some archived messages from this list made some good progress. Reading these messages I have determined that since I have md5 hashed passwords in my openldap database I need to use PAP + TTLS. I have read and performed the radtests at the top of the inner-tunnel config file with successful auths. Specifically, I ran the following successfully:
radtest -t pap USER PASSWORD 127.0.0.1:18120 0 testing123
My problem comes when I try to authenticate a wireless device against the network. I enter the username and password in the dialog (cisco WLC and Mac OSX Client) and get the following from the freeradius debug output. I think its trying to do a form of authentication that I do not want hence why I am getting "No Authenticate method found for request". Any guidance would be greatly appreciated. If you need me to supply config files I can do that. Thank you ahead of time for taking the time to read this:
rad_recv: Access-Request packet from host XXX.XXX.XXX.XXX port 32768, id=209, length=223
User-Name = "alexgregory"
Chargeable-User-Identity = ""
Location-Capable = Civix-Location
Calling-Station-Id = "78-31-c1-be-89-a8"
Called-Station-Id = "d4-a0-2a-15-7f-00:C2_Test"
NAS-Port = 4
Cisco-AVPair = "audit-session-id=0a2100820000057653e962bb"
NAS-IP-Address = 10.33.0.130
NAS-Identifier = "inWebo"
Airespace-Wlan-Id = 6
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0201001001616c6578677265676f7279
Message-Authenticator = 0x85c12dd9ab3c4960d2889e61daedc0c6
Tue Aug 12 00:41:59 2014 : Info: # Executing section authorize from file /etc/freeradius/sites-enabled/default
Tue Aug 12 00:41:59 2014 : Info: +- entering group authorize {...}
Tue Aug 12 00:41:59 2014 : Info: ++[preprocess] returns ok
Tue Aug 12 00:41:59 2014 : Info: ++[digest] returns noop
Tue Aug 12 00:41:59 2014 : Info: [suffix] No '@' in User-Name = "alexgregory", looking up realm NULL
Tue Aug 12 00:41:59 2014 : Info: [suffix] No such realm "NULL"
Tue Aug 12 00:41:59 2014 : Info: ++[suffix] returns noop
Tue Aug 12 00:41:59 2014 : Info: [eap] EAP packet type response id 1 length 16
Tue Aug 12 00:41:59 2014 : Info: [eap] No EAP Start, assuming it's an on-going EAP conversation
Tue Aug 12 00:41:59 2014 : Info: ++[eap] returns updated
Tue Aug 12 00:41:59 2014 : Info: ++[files] returns noop
Tue Aug 12 00:41:59 2014 : Info: [ldap] performing user authorization for alexgregory
Tue Aug 12 00:41:59 2014 : Info: [ldap] expand: %{Stripped-User-Name} ->
Tue Aug 12 00:41:59 2014 : Info: [ldap] ... expanding second conditional
Tue Aug 12 00:41:59 2014 : Info: [ldap] expand: %{User-Name} -> alexgregory
Tue Aug 12 00:41:59 2014 : Info: [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=alexgregory)
Tue Aug 12 00:41:59 2014 : Info: [ldap] expand: ou=Users,dc=team,dc=company,dc=com -> ou=Users,dc=team,dc=company,dc=com
Tue Aug 12 00:41:59 2014 : Debug: [ldap] ldap_get_conn: Checking Id: 0
Tue Aug 12 00:41:59 2014 : Debug: [ldap] ldap_get_conn: Got Id: 0
Tue Aug 12 00:41:59 2014 : Debug: [ldap] attempting LDAP reconnection
Tue Aug 12 00:41:59 2014 : Debug: [ldap] (re)connect to localhost:389, authentication 0
Tue Aug 12 00:41:59 2014 : Debug: [ldap] bind as cn=admin,dc=team,dc=company,dc=com/653776d05374 to localhost:389
Tue Aug 12 00:41:59 2014 : Debug: [ldap] waiting for bind result ...
Tue Aug 12 00:41:59 2014 : Debug: [ldap] Bind was successful
Tue Aug 12 00:41:59 2014 : Debug: [ldap] performing search in ou=Users,dc=team,dc=company,dc=com, with filter (uid=alexgregory)
Tue Aug 12 00:41:59 2014 : Info: [ldap] No default NMAS login sequence
Tue Aug 12 00:41:59 2014 : Info: [ldap] looking for check items in directory...
Tue Aug 12 00:41:59 2014 : Debug: [ldap] userPassword -> Password-With-Header == "{MD5}replacedpasswordhash"
Tue Aug 12 00:41:59 2014 : Info: [ldap] looking for reply items in directory...
Tue Aug 12 00:41:59 2014 : Info: [ldap] user alexgregory authorized to use remote access
Tue Aug 12 00:41:59 2014 : Debug: [ldap] ldap_release_conn: Release Id: 0
Tue Aug 12 00:41:59 2014 : Info: ++[ldap] returns ok
Tue Aug 12 00:41:59 2014 : Info: ++[expiration] returns noop
Tue Aug 12 00:41:59 2014 : Info: ++[logintime] returns noop
Tue Aug 12 00:41:59 2014 : Info: [pap] WARNING: Auth-Type already set. Not setting to PAP
Tue Aug 12 00:41:59 2014 : Info: ++[pap] returns noop
Tue Aug 12 00:41:59 2014 : Info: Found Auth-Type = EAP
Tue Aug 12 00:41:59 2014 : Info: # Executing group from file /etc/freeradius/sites-enabled/default
Tue Aug 12 00:41:59 2014 : Info: +- entering group authenticate {...}
Tue Aug 12 00:41:59 2014 : Info: [eap] EAP Identity
Tue Aug 12 00:41:59 2014 : Info: [eap] processing type tls
Tue Aug 12 00:41:59 2014 : Info: [tls] Initiate
Tue Aug 12 00:41:59 2014 : Info: [tls] Start returned 1
Tue Aug 12 00:41:59 2014 : Info: ++[eap] returns handled
Sending Access-Challenge of id 209 to XXX.XXX.XXX.XXX port 32768
EAP-Message = 0x010200061520
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x136652b6136447253c8241792e3864a7
Tue Aug 12 00:41:59 2014 : Info: Finished request 0.
Tue Aug 12 00:41:59 2014 : Debug: Going to the next request
Tue Aug 12 00:41:59 2014 : Debug: Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host XXX.XXX.XXX.XXX port 32768, id=210, length=377
User-Name = "alexgregory"
Chargeable-User-Identity = ""
Location-Capable = Civix-Location
Calling-Station-Id = "78-31-c1-be-89-a8"
Called-Station-Id = "d4-a0-2a-15-7f-00:C2_Test"
NAS-Port = 4
Cisco-AVPair = "audit-session-id=0a2100820000057653e962bb"
NAS-IP-Address = 10.33.0.130
NAS-Identifier = "inWebo"
Airespace-Wlan-Id = 6
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0202009815800000008e160301008901000085030153e962d614f15c225bbed04d947e74771b76339e7fede2cc3e100ed6c5e8e02a00004a00ffc024c023c00ac009c007c008c028c027c014c013c011c012c026c025c02ac029c005c004c002c003c00fc00ec00cc00d003d003c002f000500040035000a0067006b00330039001601000012000a00080006001700180019000b00020100
State = 0x136652b6136447253c8241792e3864a7
Message-Authenticator = 0x385c18e1699b11f23b5ccdadb073dcf2
Tue Aug 12 00:41:59 2014 : Info: # Executing section authorize from file /etc/freeradius/sites-enabled/default
Tue Aug 12 00:41:59 2014 : Info: +- entering group authorize {...}
Tue Aug 12 00:41:59 2014 : Info: ++[preprocess] returns ok
Tue Aug 12 00:41:59 2014 : Info: ++[digest] returns noop
Tue Aug 12 00:41:59 2014 : Info: [suffix] No '@' in User-Name = "alexgregory", looking up realm NULL
Tue Aug 12 00:41:59 2014 : Info: [suffix] No such realm "NULL"
Tue Aug 12 00:41:59 2014 : Info: ++[suffix] returns noop
Tue Aug 12 00:41:59 2014 : Info: [eap] EAP packet type response id 2 length 152
Tue Aug 12 00:41:59 2014 : Info: [eap] Continuing tunnel setup.
Tue Aug 12 00:41:59 2014 : Info: ++[eap] returns ok
Tue Aug 12 00:41:59 2014 : Info: Found Auth-Type = EAP
Tue Aug 12 00:41:59 2014 : Info: # Executing group from file /etc/freeradius/sites-enabled/default
Tue Aug 12 00:41:59 2014 : Info: +- entering group authenticate {...}
Tue Aug 12 00:41:59 2014 : Info: [eap] Request found, released from the list
Tue Aug 12 00:41:59 2014 : Info: [eap] EAP/ttls
Tue Aug 12 00:41:59 2014 : Info: [eap] processing type ttls
Tue Aug 12 00:41:59 2014 : Info: [ttls] Authenticate
Tue Aug 12 00:41:59 2014 : Info: [ttls] processing EAP-TLS
Tue Aug 12 00:41:59 2014 : Debug: TLS Length 142
Tue Aug 12 00:41:59 2014 : Info: [ttls] Length Included
Tue Aug 12 00:41:59 2014 : Info: [ttls] eaptls_verify returned 11
Tue Aug 12 00:41:59 2014 : Info: [ttls] (other): before/accept initialization
Tue Aug 12 00:41:59 2014 : Info: [ttls] TLS_accept: before/accept initialization
Tue Aug 12 00:41:59 2014 : Info: [ttls] <<< TLS 1.0 Handshake [length 0089], ClientHello
Tue Aug 12 00:41:59 2014 : Info: [ttls] TLS_accept: SSLv3 read client hello A
Tue Aug 12 00:41:59 2014 : Info: [ttls] >>> TLS 1.0 Handshake [length 0039], ServerHello
Tue Aug 12 00:41:59 2014 : Info: [ttls] TLS_accept: SSLv3 write server hello A
Tue Aug 12 00:41:59 2014 : Info: [ttls] >>> TLS 1.0 Handshake [length 02c4], Certificate
Tue Aug 12 00:41:59 2014 : Info: [ttls] TLS_accept: SSLv3 write certificate A
Tue Aug 12 00:41:59 2014 : Info: [ttls] >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange
Tue Aug 12 00:41:59 2014 : Info: [ttls] TLS_accept: SSLv3 write key exchange A
Tue Aug 12 00:41:59 2014 : Info: [ttls] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
Tue Aug 12 00:41:59 2014 : Info: [ttls] TLS_accept: SSLv3 write server done A
Tue Aug 12 00:41:59 2014 : Info: [ttls] TLS_accept: SSLv3 flush data
Tue Aug 12 00:41:59 2014 : Info: [ttls] TLS_accept: Need to read more data: SSLv3 read client certificate A
Tue Aug 12 00:41:59 2014 : Debug: In SSL Handshake Phase
Tue Aug 12 00:41:59 2014 : Debug: In SSL Accept mode
Tue Aug 12 00:41:59 2014 : Info: [ttls] eaptls_process returned 13
Tue Aug 12 00:41:59 2014 : Info: ++[eap] returns handled
Sending Access-Challenge of id 210 to XXX.XXX.XXX.XXX port 32768
EAP-Message = 0x0103040015c000000460160301003902000035030153e962d744d1a41d7796e73a84a55e3ecd6f143df28b861f8a5d93d8bc80a60700c01400000dff01000100000b00040300010216030102c40b0002c00002bd0002ba308202b63082019ea003020102020900b507e231935d6b3f300d06092a864886f70d010105050030133111300f060355040313086f70656e6c646170301e170d3134303830373232333035385a170d3234303830343232333035385a30133111300f060355040313086f70656e6c64617030820122300d06092a864886f70d01010105000382010f003082010a0282010100bae7e24798efa862ea1659a17ac74864a297d09a
EAP-Message = 0x249d8e467e1a40a3fc4fdcf36e73ac43cc11e5df4978020ae6af6c12d0a98f7c90d0352eae9c5b9c8364cffe115b833c52bfbcb43c292c303ee0f8cca82a3732ed53bcdba3905a9f030c9bf242e7482f28c0a30e5210afbf064e6129cef1358e30942581621b927da448fcea0fcca181c7ea6ac7385946513bd092e7ccf41df13f7a4f498533947d1f0451659c20977cfddeb5ffadef948b8f876a1bbba0f2a574e05daf8fe696a828973f21674abc246ca73279dcd5fe1720f1140b3f351427fc5be4a4158fb31d2b46643e0bbef9297b892cea88babfcb26e53bcc981bec71b84d0fb21760176f5d12adc90203010001a30d300b30090603551d1304
EAP-Message = 0x023000300d06092a864886f70d010105050003820101009a35e4dddb99265dfbe96dbd2dd5efcec97ebbb6111d42b313a0d7b6f29a4a4cc378c154afc028a986a118ddf1e611aa3fda9ed59c9f745663fcfd2655891584047b99042c2f7d3757ff92e86d008a55dac7e1e2a8f7e67711fec590812461e9de753eacf30285e44c3c7ecc31671d4ccbfdc6de65536e8b780cbf05ca5e0442748ccc7356f315baac1cc9bb528198bba1526d18213171b26e3676162be28056600762ed21df47ca64f29fb8b9853b8e84731708c7e7c5b0862c3d61aa07b37b89eb915e0fb7f5867a9eb9346574bfc112aa4ea45ae9bae8fdf44b9cedbd3ba5082046a7de23
EAP-Message = 0xc8fefa2502dad1e8da8bf54443bc2b061a301dd93689ce6867d9160301014b0c0001470300174104c833e1540e097f1e67c5b07600aed83309c6e30ee8881705b60b847eddc532f31791039547ef4bfcbb6ac6a8f8002f68a21ae8fd516ba969ae79829cc3c53cc601006e2e6fc775a6528b025bfc7605cbb2448d3571cf62293a8ba90c69daa86dc8f090e869362ee4a57fc0300dccc93f970fb0402632f4977a2346e4ee2947a180866e2b6fb7873c6f6ded0a810a1fb9c49952c918e416f516b34855d0371e9066eae748d1d467035a333c4d05e11222879454b7a492d187edb65306dff65955fecad26bfd1a79301dd5568dfd5a236f93420cd068
EAP-Message = 0x051d4c1e3e1ec8536a166083
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x136652b6126547253c8241792e3864a7
Tue Aug 12 00:41:59 2014 : Info: Finished request 1.
Tue Aug 12 00:41:59 2014 : Debug: Going to the next request
Tue Aug 12 00:41:59 2014 : Debug: Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host XXX.XXX.XXX.XXX port 32768, id=211, length=231
User-Name = "alexgregory"
Chargeable-User-Identity = ""
Location-Capable = Civix-Location
Calling-Station-Id = "78-31-c1-be-89-a8"
Called-Station-Id = "d4-a0-2a-15-7f-00:C2_Test"
NAS-Port = 4
Cisco-AVPair = "audit-session-id=0a2100820000057653e962bb"
NAS-IP-Address = 10.33.0.130
NAS-Identifier = "inWebo"
Airespace-Wlan-Id = 6
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020300061500
State = 0x136652b6126547253c8241792e3864a7
Message-Authenticator = 0xcec26d420e8446eca2daa7c678f31edf
Tue Aug 12 00:41:59 2014 : Info: # Executing section authorize from file /etc/freeradius/sites-enabled/default
Tue Aug 12 00:41:59 2014 : Info: +- entering group authorize {...}
Tue Aug 12 00:41:59 2014 : Info: ++[preprocess] returns ok
Tue Aug 12 00:41:59 2014 : Info: ++[digest] returns noop
Tue Aug 12 00:41:59 2014 : Info: [suffix] No '@' in User-Name = "alexgregory", looking up realm NULL
Tue Aug 12 00:41:59 2014 : Info: [suffix] No such realm "NULL"
Tue Aug 12 00:41:59 2014 : Info: ++[suffix] returns noop
Tue Aug 12 00:41:59 2014 : Info: [eap] EAP packet type response id 3 length 6
Tue Aug 12 00:41:59 2014 : Info: [eap] Continuing tunnel setup.
Tue Aug 12 00:41:59 2014 : Info: ++[eap] returns ok
Tue Aug 12 00:41:59 2014 : Info: Found Auth-Type = EAP
Tue Aug 12 00:41:59 2014 : Info: # Executing group from file /etc/freeradius/sites-enabled/default
Tue Aug 12 00:41:59 2014 : Info: +- entering group authenticate {...}
Tue Aug 12 00:41:59 2014 : Info: [eap] Request found, released from the list
Tue Aug 12 00:41:59 2014 : Info: [eap] EAP/ttls
Tue Aug 12 00:41:59 2014 : Info: [eap] processing type ttls
Tue Aug 12 00:41:59 2014 : Info: [ttls] Authenticate
Tue Aug 12 00:41:59 2014 : Info: [ttls] processing EAP-TLS
Tue Aug 12 00:41:59 2014 : Info: [ttls] Received TLS ACK
Tue Aug 12 00:41:59 2014 : Info: [ttls] ACK handshake fragment handler
Tue Aug 12 00:41:59 2014 : Info: [ttls] eaptls_verify returned 1
Tue Aug 12 00:41:59 2014 : Info: [ttls] eaptls_process returned 13
Tue Aug 12 00:41:59 2014 : Info: ++[eap] returns handled
Sending Access-Challenge of id 211 to XXX.XXX.XXX.XXX port 32768
EAP-Message = 0x01040074158000000460e16f53b8c421f13b800a406a4af847fe03bd96ecadc78ba923d1e7aaed4324dfc7daaee76106d734751755494bfa126d7ce78d28cd6e999d9a4dcd7cabbe6378c66afc86e1eac9de94fb58ec01b03fdb99c58c58336ecdaf8d5840b49a2ab4a00916030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x136652b6116247253c8241792e3864a7
Tue Aug 12 00:41:59 2014 : Info: Finished request 2.
Tue Aug 12 00:41:59 2014 : Debug: Going to the next request
Tue Aug 12 00:41:59 2014 : Debug: Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host XXX.XXX.XXX.XXX port 32768, id=212, length=369
User-Name = "alexgregory"
Chargeable-User-Identity = ""
Location-Capable = Civix-Location
Calling-Station-Id = "78-31-c1-be-89-a8"
Called-Station-Id = "d4-a0-2a-15-7f-00:C2_Test"
NAS-Port = 4
Cisco-AVPair = "audit-session-id=0a2100820000057653e962bb"
NAS-IP-Address = 10.33.0.130
NAS-Identifier = "inWebo"
Airespace-Wlan-Id = 6
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0204009015800000008616030100461000004241047e1f049d3dd9710b6b47b7c6531e6881e765adb63d231e128e5c1656f58c2d396607a6af675607c91011a766f6697aab0b3052de7ff8e3786f13065b851af468140301000101160301003050d9c71f246c4d8eb945d9df442f7282a41eede22f07169c4896feae772897c6ce3235500f7508721ad8f19d3aff5267
State = 0x136652b6116247253c8241792e3864a7
Message-Authenticator = 0x02fc5bba2b69377c63112ef27fc30f03
Tue Aug 12 00:41:59 2014 : Info: # Executing section authorize from file /etc/freeradius/sites-enabled/default
Tue Aug 12 00:41:59 2014 : Info: +- entering group authorize {...}
Tue Aug 12 00:41:59 2014 : Info: ++[preprocess] returns ok
Tue Aug 12 00:41:59 2014 : Info: ++[digest] returns noop
Tue Aug 12 00:41:59 2014 : Info: [suffix] No '@' in User-Name = "alexgregory", looking up realm NULL
Tue Aug 12 00:41:59 2014 : Info: [suffix] No such realm "NULL"
Tue Aug 12 00:41:59 2014 : Info: ++[suffix] returns noop
Tue Aug 12 00:41:59 2014 : Info: [eap] EAP packet type response id 4 length 144
Tue Aug 12 00:41:59 2014 : Info: [eap] Continuing tunnel setup.
Tue Aug 12 00:41:59 2014 : Info: ++[eap] returns ok
Tue Aug 12 00:41:59 2014 : Info: Found Auth-Type = EAP
Tue Aug 12 00:41:59 2014 : Info: # Executing group from file /etc/freeradius/sites-enabled/default
Tue Aug 12 00:41:59 2014 : Info: +- entering group authenticate {...}
Tue Aug 12 00:41:59 2014 : Info: [eap] Request found, released from the list
Tue Aug 12 00:41:59 2014 : Info: [eap] EAP/ttls
Tue Aug 12 00:41:59 2014 : Info: [eap] processing type ttls
Tue Aug 12 00:41:59 2014 : Info: [ttls] Authenticate
Tue Aug 12 00:41:59 2014 : Info: [ttls] processing EAP-TLS
Tue Aug 12 00:41:59 2014 : Debug: TLS Length 134
Tue Aug 12 00:41:59 2014 : Info: [ttls] Length Included
Tue Aug 12 00:41:59 2014 : Info: [ttls] eaptls_verify returned 11
Tue Aug 12 00:41:59 2014 : Info: [ttls] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange
Tue Aug 12 00:41:59 2014 : Info: [ttls] TLS_accept: SSLv3 read client key exchange A
Tue Aug 12 00:41:59 2014 : Info: [ttls] <<< TLS 1.0 ChangeCipherSpec [length 0001]
Tue Aug 12 00:41:59 2014 : Info: [ttls] <<< TLS 1.0 Handshake [length 0010], Finished
Tue Aug 12 00:41:59 2014 : Info: [ttls] TLS_accept: SSLv3 read finished A
Tue Aug 12 00:41:59 2014 : Info: [ttls] >>> TLS 1.0 ChangeCipherSpec [length 0001]
Tue Aug 12 00:41:59 2014 : Info: [ttls] TLS_accept: SSLv3 write change cipher spec A
Tue Aug 12 00:41:59 2014 : Info: [ttls] >>> TLS 1.0 Handshake [length 0010], Finished
Tue Aug 12 00:41:59 2014 : Info: [ttls] TLS_accept: SSLv3 write finished A
Tue Aug 12 00:41:59 2014 : Info: [ttls] TLS_accept: SSLv3 flush data
Tue Aug 12 00:41:59 2014 : Info: [ttls] (other): SSL negotiation finished successfully
Tue Aug 12 00:41:59 2014 : Debug: SSL Connection Established
Tue Aug 12 00:41:59 2014 : Info: [ttls] eaptls_process returned 13
Tue Aug 12 00:41:59 2014 : Info: ++[eap] returns handled
Sending Access-Challenge of id 212 to XXX.XXX.XXX.XXX port 32768
EAP-Message = 0x0105004515800000003b1403010001011603010030dc83519bd0a54a2ba41dd3dd74692893c115160b7e71146f182ca186255317fc818e1681328d26a42aa495432bc5c248
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x136652b6106347253c8241792e3864a7
Tue Aug 12 00:41:59 2014 : Info: Finished request 3.
Tue Aug 12 00:41:59 2014 : Debug: Going to the next request
Tue Aug 12 00:41:59 2014 : Debug: Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host XXX.XXX.XXX.XXX port 32768, id=213, length=384
User-Name = "alexgregory"
Chargeable-User-Identity = ""
Location-Capable = Civix-Location
Calling-Station-Id = "78-31-c1-be-89-a8"
Called-Station-Id = "d4-a0-2a-15-7f-00:C2_Test"
NAS-Port = 4
Cisco-AVPair = "audit-session-id=0a2100820000057653e962bb"
NAS-IP-Address = 10.33.0.130
NAS-Identifier = "inWebo"
Airespace-Wlan-Id = 6
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0205009f15800000009517030100906e9af3e38e1981dff6e7302b8416c4225a69e79159da41f80b94714d999f8f6db4f68627a60ab33836980ce199aaca80f2dc87f04621632ab15a338b87cbc7c6fbb1fa04c0cf0fe5098807810e55c05457de3d0b774145bc3d7fc2643f135c544702649a03598f45fbf3d1c74bc0c5523d9d808b2a6ecfdb74bf15464ea1fcb6679f332682b1b30ec13ac0ab460f2a43
State = 0x136652b6106347253c8241792e3864a7
Message-Authenticator = 0xe56cd52f822858761a85b03a3891a935
Tue Aug 12 00:41:59 2014 : Info: # Executing section authorize from file /etc/freeradius/sites-enabled/default
Tue Aug 12 00:41:59 2014 : Info: +- entering group authorize {...}
Tue Aug 12 00:41:59 2014 : Info: ++[preprocess] returns ok
Tue Aug 12 00:41:59 2014 : Info: ++[digest] returns noop
Tue Aug 12 00:41:59 2014 : Info: [suffix] No '@' in User-Name = "alexgregory", looking up realm NULL
Tue Aug 12 00:41:59 2014 : Info: [suffix] No such realm "NULL"
Tue Aug 12 00:41:59 2014 : Info: ++[suffix] returns noop
Tue Aug 12 00:41:59 2014 : Info: [eap] EAP packet type response id 5 length 159
Tue Aug 12 00:41:59 2014 : Info: [eap] Continuing tunnel setup.
Tue Aug 12 00:41:59 2014 : Info: ++[eap] returns ok
Tue Aug 12 00:41:59 2014 : Info: Found Auth-Type = EAP
Tue Aug 12 00:41:59 2014 : Info: # Executing group from file /etc/freeradius/sites-enabled/default
Tue Aug 12 00:41:59 2014 : Info: +- entering group authenticate {...}
Tue Aug 12 00:41:59 2014 : Info: [eap] Request found, released from the list
Tue Aug 12 00:41:59 2014 : Info: [eap] EAP/ttls
Tue Aug 12 00:41:59 2014 : Info: [eap] processing type ttls
Tue Aug 12 00:41:59 2014 : Info: [ttls] Authenticate
Tue Aug 12 00:41:59 2014 : Info: [ttls] processing EAP-TLS
Tue Aug 12 00:41:59 2014 : Debug: TLS Length 149
Tue Aug 12 00:41:59 2014 : Info: [ttls] Length Included
Tue Aug 12 00:41:59 2014 : Info: [ttls] eaptls_verify returned 11
Tue Aug 12 00:41:59 2014 : Info: [ttls] eaptls_process returned 7
Tue Aug 12 00:41:59 2014 : Info: [ttls] Session established. Proceeding to decode tunneled attributes.
TTLS tunnel data in 0000: 00 00 00 01 00 00 00 13 61 6c 65 78 67 72 65 67
TTLS tunnel data in 0010: 6f 72 79 00 00 00 00 0b 80 00 00 1c 00 00 01 37
TTLS tunnel data in 0020: 77 cb 2f 7d e8 c3 de e8 10 e3 b5 0d 16 23 8e 37
TTLS tunnel data in 0030: 00 00 00 19 80 00 00 3e 00 00 01 37 97 00 d8 6e
TTLS tunnel data in 0040: 34 f0 8e e9 d8 24 d9 d7 93 55 6d cf 6b 51 00 00
TTLS tunnel data in 0050: 00 00 00 00 00 00 b6 3d 56 f4 29 90 0e 14 16 da
TTLS tunnel data in 0060: dc 4a fd f6 50 15 09 5e 57 92 f5 03 d9 d9 00 00
Tue Aug 12 00:41:59 2014 : Info: [ttls] Got tunneled request
User-Name = "alexgregory"
MS-CHAP-Challenge = 0x77cb2f7de8c3dee810e3b50d16238e37
MS-CHAP2-Response = 0x9700d86e34f08ee9d824d9d793556dcf6b510000000000000000b63d56f429900e1416dadc4afdf65015095e5792f503d9d9
FreeRADIUS-Proxied-To = 127.0.0.1
Tue Aug 12 00:41:59 2014 : Info: [ttls] Sending tunneled request
User-Name = "alexgregory"
MS-CHAP-Challenge = 0x77cb2f7de8c3dee810e3b50d16238e37
MS-CHAP2-Response = 0x9700d86e34f08ee9d824d9d793556dcf6b510000000000000000b63d56f429900e1416dadc4afdf65015095e5792f503d9d9
FreeRADIUS-Proxied-To = 127.0.0.1
Chargeable-User-Identity = ""
Location-Capable = Civix-Location
Calling-Station-Id = "78-31-c1-be-89-a8"
Called-Station-Id = "d4-a0-2a-15-7f-00:C2_Test"
NAS-Port = 4
Cisco-AVPair = "audit-session-id=0a2100820000057653e962bb"
NAS-IP-Address = 10.33.0.130
NAS-Identifier = "inWebo"
Airespace-Wlan-Id = 6
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
server inner-tunnel {
Tue Aug 12 00:41:59 2014 : Info: # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
Tue Aug 12 00:41:59 2014 : Info: +- entering group authorize {...}
Tue Aug 12 00:41:59 2014 : Info: [suffix] No '@' in User-Name = "alexgregory", looking up realm NULL
Tue Aug 12 00:41:59 2014 : Info: [suffix] No such realm "NULL"
Tue Aug 12 00:41:59 2014 : Info: ++[suffix] returns noop
Tue Aug 12 00:41:59 2014 : Info: ++[control] returns noop
Tue Aug 12 00:41:59 2014 : Info: [eap] No EAP-Message, not doing EAP
Tue Aug 12 00:41:59 2014 : Info: ++[eap] returns noop
Tue Aug 12 00:41:59 2014 : Info: ++[files] returns noop
Tue Aug 12 00:41:59 2014 : Info: [ldap] performing user authorization for alexgregory
Tue Aug 12 00:41:59 2014 : Info: [ldap] expand: %{Stripped-User-Name} ->
Tue Aug 12 00:41:59 2014 : Info: [ldap] ... expanding second conditional
Tue Aug 12 00:41:59 2014 : Info: [ldap] expand: %{User-Name} -> alexgregory
Tue Aug 12 00:41:59 2014 : Info: [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=alexgregory)
Tue Aug 12 00:41:59 2014 : Info: [ldap] expand: ou=Users,dc=team,dc=company,dc=com -> ou=Users,dc=team,dc=company,dc=com
Tue Aug 12 00:41:59 2014 : Debug: [ldap] ldap_get_conn: Checking Id: 0
Tue Aug 12 00:41:59 2014 : Debug: [ldap] ldap_get_conn: Got Id: 0
Tue Aug 12 00:41:59 2014 : Debug: [ldap] performing search in ou=Users,dc=team,dc=company,dc=com, with filter (uid=alexgregory)
Tue Aug 12 00:41:59 2014 : Info: [ldap] No default NMAS login sequence
Tue Aug 12 00:41:59 2014 : Info: [ldap] looking for check items in directory...
Tue Aug 12 00:41:59 2014 : Debug: [ldap] userPassword -> Password-With-Header == "{MD5}replacedpasswordhash"
Tue Aug 12 00:41:59 2014 : Info: [ldap] looking for reply items in directory...
Tue Aug 12 00:41:59 2014 : Info: [ldap] user alexgregory authorized to use remote access
Tue Aug 12 00:41:59 2014 : Debug: [ldap] ldap_release_conn: Release Id: 0
Tue Aug 12 00:41:59 2014 : Info: ++[ldap] returns ok
Tue Aug 12 00:41:59 2014 : Info: ++[expiration] returns noop
Tue Aug 12 00:41:59 2014 : Info: ++[logintime] returns noop
Tue Aug 12 00:41:59 2014 : Info: [pap] No clear-text password in the request. Not performing PAP.
Tue Aug 12 00:41:59 2014 : Info: ++[pap] returns noop
Tue Aug 12 00:41:59 2014 : Info: ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Tue Aug 12 00:41:59 2014 : Info: Failed to authenticate the user.
} # server inner-tunnel
Tue Aug 12 00:41:59 2014 : Info: [ttls] Got tunneled reply code 3
Tue Aug 12 00:41:59 2014 : Info: [ttls] Got tunneled Access-Reject
Tue Aug 12 00:41:59 2014 : Info: [eap] Handler failed in EAP/ttls
Tue Aug 12 00:41:59 2014 : Info: [eap] Failed in EAP select
Tue Aug 12 00:41:59 2014 : Info: ++[eap] returns invalid
Tue Aug 12 00:41:59 2014 : Info: Failed to authenticate the user.
Tue Aug 12 00:41:59 2014 : Info: Using Post-Auth-Type Reject
Tue Aug 12 00:41:59 2014 : Info: # Executing group from file /etc/freeradius/sites-enabled/default
Tue Aug 12 00:41:59 2014 : Info: +- entering group REJECT {...}
Tue Aug 12 00:41:59 2014 : Info: [attr_filter.access_reject] expand: %{User-Name} -> alexgregory
Tue Aug 12 00:41:59 2014 : Debug: attr_filter: Matched entry DEFAULT at line 11
Tue Aug 12 00:41:59 2014 : Info: ++[attr_filter.access_reject] returns updated
Tue Aug 12 00:41:59 2014 : Info: Delaying reject of request 4 for 1 seconds
Tue Aug 12 00:41:59 2014 : Debug: Going to the next request
Tue Aug 12 00:41:59 2014 : Debug: Waking up in 0.9 seconds.
Tue Aug 12 00:42:00 2014 : Info: Sending delayed reject for request 4
Sending Access-Reject of id 213 to XXX.XXX.XXX.XXX port 32768
EAP-Message = 0x04050004
Message-Authenticator = 0x00000000000000000000000000000000
Tue Aug 12 00:42:00 2014 : Debug: Waking up in 3.8 seconds.
Tue Aug 12 00:42:04 2014 : Info: Cleaning up request 0 ID 209 with timestamp +23
Tue Aug 12 00:42:04 2014 : Info: Cleaning up request 1 ID 210 with timestamp +23
Tue Aug 12 00:42:04 2014 : Info: Cleaning up request 2 ID 211 with timestamp +23
Tue Aug 12 00:42:04 2014 : Info: Cleaning up request 3 ID 212 with timestamp +23
Tue Aug 12 00:42:04 2014 : Debug: Waking up in 1.0 seconds.
Tue Aug 12 00:42:05 2014 : Info: Cleaning up request 4 ID 213 with timestamp +23
Tue Aug 12 00:42:05 2014 : Info: Ready to process requests.
rad_recv: Access-Request packet from host XXX.XXX.XXX.XXX port 32768, id=214, length=223
User-Name = "alexgregory"
Chargeable-User-Identity = ""
Location-Capable = Civix-Location
Calling-Station-Id = "78-31-c1-be-89-a8"
Called-Station-Id = "d4-a0-2a-15-7f-00:C2_Test"
NAS-Port = 4
Cisco-AVPair = "audit-session-id=0a2100820000057653e962bb"
NAS-IP-Address = 10.33.0.130
NAS-Identifier = "inWebo"
Airespace-Wlan-Id = 6
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0201001001616c6578677265676f7279
Message-Authenticator = 0x89bf1ff14e1e789bcabf7f8b1e6e4cb0
Tue Aug 12 00:42:07 2014 : Info: # Executing section authorize from file /etc/freeradius/sites-enabled/default
Tue Aug 12 00:42:07 2014 : Info: +- entering group authorize {...}
Tue Aug 12 00:42:07 2014 : Info: ++[preprocess] returns ok
Tue Aug 12 00:42:07 2014 : Info: ++[digest] returns noop
Tue Aug 12 00:42:07 2014 : Info: [suffix] No '@' in User-Name = "alexgregory", looking up realm NULL
Tue Aug 12 00:42:07 2014 : Info: [suffix] No such realm "NULL"
Tue Aug 12 00:42:07 2014 : Info: ++[suffix] returns noop
Tue Aug 12 00:42:07 2014 : Info: [eap] EAP packet type response id 1 length 16
Tue Aug 12 00:42:07 2014 : Info: [eap] No EAP Start, assuming it's an on-going EAP conversation
Tue Aug 12 00:42:07 2014 : Info: ++[eap] returns updated
Tue Aug 12 00:42:07 2014 : Info: ++[files] returns noop
Tue Aug 12 00:42:07 2014 : Info: [ldap] performing user authorization for alexgregory
Tue Aug 12 00:42:07 2014 : Info: [ldap] expand: %{Stripped-User-Name} ->
Tue Aug 12 00:42:07 2014 : Info: [ldap] ... expanding second conditional
Tue Aug 12 00:42:07 2014 : Info: [ldap] expand: %{User-Name} -> alexgregory
Tue Aug 12 00:42:07 2014 : Info: [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=alexgregory)
Tue Aug 12 00:42:07 2014 : Info: [ldap] expand: ou=Users,dc=team,dc=company,dc=com -> ou=Users,dc=team,dc=company,dc=com
Tue Aug 12 00:42:07 2014 : Debug: [ldap] ldap_get_conn: Checking Id: 0
Tue Aug 12 00:42:07 2014 : Debug: [ldap] ldap_get_conn: Got Id: 0
Tue Aug 12 00:42:07 2014 : Debug: [ldap] performing search in ou=Users,dc=team,dc=company,dc=com, with filter (uid=alexgregory)
Tue Aug 12 00:42:07 2014 : Info: [ldap] No default NMAS login sequence
Tue Aug 12 00:42:07 2014 : Info: [ldap] looking for check items in directory...
Tue Aug 12 00:42:07 2014 : Debug: [ldap] userPassword -> Password-With-Header == "{MD5}replacedpasswordhash"
Tue Aug 12 00:42:07 2014 : Info: [ldap] looking for reply items in directory...
Tue Aug 12 00:42:07 2014 : Info: [ldap] user alexgregory authorized to use remote access
Tue Aug 12 00:42:07 2014 : Debug: [ldap] ldap_release_conn: Release Id: 0
Tue Aug 12 00:42:07 2014 : Info: ++[ldap] returns ok
Tue Aug 12 00:42:07 2014 : Info: ++[expiration] returns noop
Tue Aug 12 00:42:07 2014 : Info: ++[logintime] returns noop
Tue Aug 12 00:42:07 2014 : Info: [pap] WARNING: Auth-Type already set. Not setting to PAP
Tue Aug 12 00:42:07 2014 : Info: ++[pap] returns noop
Tue Aug 12 00:42:07 2014 : Info: Found Auth-Type = EAP
Tue Aug 12 00:42:07 2014 : Info: # Executing group from file /etc/freeradius/sites-enabled/default
Tue Aug 12 00:42:07 2014 : Info: +- entering group authenticate {...}
Tue Aug 12 00:42:07 2014 : Info: [eap] EAP Identity
Tue Aug 12 00:42:07 2014 : Info: [eap] processing type tls
Tue Aug 12 00:42:07 2014 : Info: [tls] Initiate
Tue Aug 12 00:42:07 2014 : Info: [tls] Start returned 1
Tue Aug 12 00:42:07 2014 : Info: ++[eap] returns handled
Sending Access-Challenge of id 214 to XXX.XXX.XXX.XXX port 32768
EAP-Message = 0x010200061520
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xf4659c56f467891adaf6263d5bd06672
Tue Aug 12 00:42:07 2014 : Info: Finished request 5.
Tue Aug 12 00:42:07 2014 : Debug: Going to the next request
Tue Aug 12 00:42:07 2014 : Debug: Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host XXX.XXX.XXX.XXX port 32768, id=215, length=377
User-Name = "alexgregory"
Chargeable-User-Identity = ""
Location-Capable = Civix-Location
Calling-Station-Id = "78-31-c1-be-89-a8"
Called-Station-Id = "d4-a0-2a-15-7f-00:C2_Test"
NAS-Port = 4
Cisco-AVPair = "audit-session-id=0a2100820000057653e962bb"
NAS-IP-Address = 10.33.0.130
NAS-Identifier = "inWebo"
Airespace-Wlan-Id = 6
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0202009815800000008e160301008901000085030153e962de481721e9ec93cd96a6d507b8c83a2e8ff85bef8f992ef6e991eb252a00004a00ffc024c023c00ac009c007c008c028c027c014c013c011c012c026c025c02ac029c005c004c002c003c00fc00ec00cc00d003d003c002f000500040035000a0067006b00330039001601000012000a00080006001700180019000b00020100
State = 0xf4659c56f467891adaf6263d5bd06672
Message-Authenticator = 0x6f742b54c937a23a2edc3e0f9dd35c37
Tue Aug 12 00:42:07 2014 : Info: # Executing section authorize from file /etc/freeradius/sites-enabled/default
Tue Aug 12 00:42:07 2014 : Info: +- entering group authorize {...}
Tue Aug 12 00:42:07 2014 : Info: ++[preprocess] returns ok
Tue Aug 12 00:42:07 2014 : Info: ++[digest] returns noop
Tue Aug 12 00:42:07 2014 : Info: [suffix] No '@' in User-Name = "alexgregory", looking up realm NULL
Tue Aug 12 00:42:07 2014 : Info: [suffix] No such realm "NULL"
Tue Aug 12 00:42:07 2014 : Info: ++[suffix] returns noop
Tue Aug 12 00:42:07 2014 : Info: [eap] EAP packet type response id 2 length 152
Tue Aug 12 00:42:07 2014 : Info: [eap] Continuing tunnel setup.
Tue Aug 12 00:42:07 2014 : Info: ++[eap] returns ok
Tue Aug 12 00:42:07 2014 : Info: Found Auth-Type = EAP
Tue Aug 12 00:42:07 2014 : Info: # Executing group from file /etc/freeradius/sites-enabled/default
Tue Aug 12 00:42:07 2014 : Info: +- entering group authenticate {...}
Tue Aug 12 00:42:07 2014 : Info: [eap] Request found, released from the list
Tue Aug 12 00:42:07 2014 : Info: [eap] EAP/ttls
Tue Aug 12 00:42:07 2014 : Info: [eap] processing type ttls
Tue Aug 12 00:42:07 2014 : Info: [ttls] Authenticate
Tue Aug 12 00:42:07 2014 : Info: [ttls] processing EAP-TLS
Tue Aug 12 00:42:07 2014 : Debug: TLS Length 142
Tue Aug 12 00:42:07 2014 : Info: [ttls] Length Included
Tue Aug 12 00:42:07 2014 : Info: [ttls] eaptls_verify returned 11
Tue Aug 12 00:42:07 2014 : Info: [ttls] (other): before/accept initialization
Tue Aug 12 00:42:07 2014 : Info: [ttls] TLS_accept: before/accept initialization
Tue Aug 12 00:42:07 2014 : Info: [ttls] <<< TLS 1.0 Handshake [length 0089], ClientHello
Tue Aug 12 00:42:07 2014 : Info: [ttls] TLS_accept: SSLv3 read client hello A
Tue Aug 12 00:42:07 2014 : Info: [ttls] >>> TLS 1.0 Handshake [length 0039], ServerHello
Tue Aug 12 00:42:07 2014 : Info: [ttls] TLS_accept: SSLv3 write server hello A
Tue Aug 12 00:42:07 2014 : Info: [ttls] >>> TLS 1.0 Handshake [length 02c4], Certificate
Tue Aug 12 00:42:07 2014 : Info: [ttls] TLS_accept: SSLv3 write certificate A
Tue Aug 12 00:42:07 2014 : Info: [ttls] >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange
Tue Aug 12 00:42:07 2014 : Info: [ttls] TLS_accept: SSLv3 write key exchange A
Tue Aug 12 00:42:07 2014 : Info: [ttls] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
Tue Aug 12 00:42:07 2014 : Info: [ttls] TLS_accept: SSLv3 write server done A
Tue Aug 12 00:42:07 2014 : Info: [ttls] TLS_accept: SSLv3 flush data
Tue Aug 12 00:42:07 2014 : Info: [ttls] TLS_accept: Need to read more data: SSLv3 read client certificate A
Tue Aug 12 00:42:07 2014 : Debug: In SSL Handshake Phase
Tue Aug 12 00:42:07 2014 : Debug: In SSL Accept mode
Tue Aug 12 00:42:07 2014 : Info: [ttls] eaptls_process returned 13
Tue Aug 12 00:42:07 2014 : Info: ++[eap] returns handled
Sending Access-Challenge of id 215 to XXX.XXX.XXX.XXX port 32768
EAP-Message = 0x0103040015c000000460160301003902000035030153e962df37a9d56ac3e6810cf50a27b3f859e545ec4588903fa92db2b6e7a76500c01400000dff01000100000b00040300010216030102c40b0002c00002bd0002ba308202b63082019ea003020102020900b507e231935d6b3f300d06092a864886f70d010105050030133111300f060355040313086f70656e6c646170301e170d3134303830373232333035385a170d3234303830343232333035385a30133111300f060355040313086f70656e6c64617030820122300d06092a864886f70d01010105000382010f003082010a0282010100bae7e24798efa862ea1659a17ac74864a297d09a
EAP-Message = 0x249d8e467e1a40a3fc4fdcf36e73ac43cc11e5df4978020ae6af6c12d0a98f7c90d0352eae9c5b9c8364cffe115b833c52bfbcb43c292c303ee0f8cca82a3732ed53bcdba3905a9f030c9bf242e7482f28c0a30e5210afbf064e6129cef1358e30942581621b927da448fcea0fcca181c7ea6ac7385946513bd092e7ccf41df13f7a4f498533947d1f0451659c20977cfddeb5ffadef948b8f876a1bbba0f2a574e05daf8fe696a828973f21674abc246ca73279dcd5fe1720f1140b3f351427fc5be4a4158fb31d2b46643e0bbef9297b892cea88babfcb26e53bcc981bec71b84d0fb21760176f5d12adc90203010001a30d300b30090603551d1304
EAP-Message = 0x023000300d06092a864886f70d010105050003820101009a35e4dddb99265dfbe96dbd2dd5efcec97ebbb6111d42b313a0d7b6f29a4a4cc378c154afc028a986a118ddf1e611aa3fda9ed59c9f745663fcfd2655891584047b99042c2f7d3757ff92e86d008a55dac7e1e2a8f7e67711fec590812461e9de753eacf30285e44c3c7ecc31671d4ccbfdc6de65536e8b780cbf05ca5e0442748ccc7356f315baac1cc9bb528198bba1526d18213171b26e3676162be28056600762ed21df47ca64f29fb8b9853b8e84731708c7e7c5b0862c3d61aa07b37b89eb915e0fb7f5867a9eb9346574bfc112aa4ea45ae9bae8fdf44b9cedbd3ba5082046a7de23
EAP-Message = 0xc8fefa2502dad1e8da8bf54443bc2b061a301dd93689ce6867d9160301014b0c000147030017410421f95124ae7f38f71bf732b2781f1a6bc15dc261d0da4beb19f6ded2ff693eb8dd6e07996bdb8a54b76f694a9d1ba3a929fab8b30ce26243d194a97ec262c0b00100485c8393ff37ca0476fc9b5368dfb6222fe8c5c491e5c202deaf9a65186760861a551fa6ede92df57bc62b9eed3113ddcbc3553ae4c5cfeea1c773903780d4e2205b5e8dd1fbcdf39abc08c836b5db984e8df7718e769ef13c68d92b00085e89a331bee6762dfa3251912ccb415a1457707443c3bb856020e45760d9c5060bab2a883998a936e71147470f60748f563ffffa80
EAP-Message = 0xce2b6f452704e0ae5a4d1808
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xf4659c56f566891adaf6263d5bd06672
Tue Aug 12 00:42:07 2014 : Info: Finished request 6.
Tue Aug 12 00:42:07 2014 : Debug: Going to the next request
Tue Aug 12 00:42:07 2014 : Debug: Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host XXX.XXX.XXX.XXX port 32768, id=216, length=231
User-Name = "alexgregory"
Chargeable-User-Identity = ""
Location-Capable = Civix-Location
Calling-Station-Id = "78-31-c1-be-89-a8"
Called-Station-Id = "d4-a0-2a-15-7f-00:C2_Test"
NAS-Port = 4
Cisco-AVPair = "audit-session-id=0a2100820000057653e962bb"
NAS-IP-Address = 10.33.0.130
NAS-Identifier = "inWebo"
Airespace-Wlan-Id = 6
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020300061500
State = 0xf4659c56f566891adaf6263d5bd06672
Message-Authenticator = 0x83131792813c3848c6a17efe5d93c5da
Tue Aug 12 00:42:07 2014 : Info: # Executing section authorize from file /etc/freeradius/sites-enabled/default
Tue Aug 12 00:42:07 2014 : Info: +- entering group authorize {...}
Tue Aug 12 00:42:07 2014 : Info: ++[preprocess] returns ok
Tue Aug 12 00:42:07 2014 : Info: ++[digest] returns noop
Tue Aug 12 00:42:07 2014 : Info: [suffix] No '@' in User-Name = "alexgregory", looking up realm NULL
Tue Aug 12 00:42:07 2014 : Info: [suffix] No such realm "NULL"
Tue Aug 12 00:42:07 2014 : Info: ++[suffix] returns noop
Tue Aug 12 00:42:07 2014 : Info: [eap] EAP packet type response id 3 length 6
Tue Aug 12 00:42:07 2014 : Info: [eap] Continuing tunnel setup.
Tue Aug 12 00:42:07 2014 : Info: ++[eap] returns ok
Tue Aug 12 00:42:07 2014 : Info: Found Auth-Type = EAP
Tue Aug 12 00:42:07 2014 : Info: # Executing group from file /etc/freeradius/sites-enabled/default
Tue Aug 12 00:42:07 2014 : Info: +- entering group authenticate {...}
Tue Aug 12 00:42:07 2014 : Info: [eap] Request found, released from the list
Tue Aug 12 00:42:07 2014 : Info: [eap] EAP/ttls
Tue Aug 12 00:42:07 2014 : Info: [eap] processing type ttls
Tue Aug 12 00:42:07 2014 : Info: [ttls] Authenticate
Tue Aug 12 00:42:07 2014 : Info: [ttls] processing EAP-TLS
Tue Aug 12 00:42:07 2014 : Info: [ttls] Received TLS ACK
Tue Aug 12 00:42:07 2014 : Info: [ttls] ACK handshake fragment handler
Tue Aug 12 00:42:07 2014 : Info: [ttls] eaptls_verify returned 1
Tue Aug 12 00:42:07 2014 : Info: [ttls] eaptls_process returned 13
Tue Aug 12 00:42:07 2014 : Info: ++[eap] returns handled
Sending Access-Challenge of id 216 to XXX.XXX.XXX.XXX port 32768
EAP-Message = 0x010400741580000004603041fb2046d9e58d258f4cdd4e20c9249dc902d21713370b300975e8e8d63b7902a267e342faf9de6c4bb93d97b9ac18c8cd79e8ce50c058536884496fc0644fdfe96026bf7e1e79df0fff526f4a1cc029a47926a7ab9f3a3b4fc8160e5d499be616030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xf4659c56f661891adaf6263d5bd06672
Tue Aug 12 00:42:07 2014 : Info: Finished request 7.
Tue Aug 12 00:42:07 2014 : Debug: Going to the next request
Tue Aug 12 00:42:07 2014 : Debug: Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host XXX.XXX.XXX.XXX port 32768, id=217, length=369
User-Name = "alexgregory"
Chargeable-User-Identity = ""
Location-Capable = Civix-Location
Calling-Station-Id = "78-31-c1-be-89-a8"
Called-Station-Id = "d4-a0-2a-15-7f-00:C2_Test"
NAS-Port = 4
Cisco-AVPair = "audit-session-id=0a2100820000057653e962bb"
NAS-IP-Address = 10.33.0.130
NAS-Identifier = "inWebo"
Airespace-Wlan-Id = 6
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x02040090158000000086160301004610000042410410609b20fa3db38744d052fa32b9d99534c8e0aad10ebe39f5ad4ea1360b6bd7367a59faf71c6b95eae90ced4a0bfe0809d24c5ff21851f7faefc016d41924141403010001011603010030f347f9e61c61c903fcb9199137cb8b1cecf39deb7f3d418c0b82f3b06b583c76b2eafad1e9a766192f0fe28a16809ae2
State = 0xf4659c56f661891adaf6263d5bd06672
Message-Authenticator = 0x0a403539bd800196113b1aa9a87d78b3
Tue Aug 12 00:42:07 2014 : Info: # Executing section authorize from file /etc/freeradius/sites-enabled/default
Tue Aug 12 00:42:07 2014 : Info: +- entering group authorize {...}
Tue Aug 12 00:42:07 2014 : Info: ++[preprocess] returns ok
Tue Aug 12 00:42:07 2014 : Info: ++[digest] returns noop
Tue Aug 12 00:42:07 2014 : Info: [suffix] No '@' in User-Name = "alexgregory", looking up realm NULL
Tue Aug 12 00:42:07 2014 : Info: [suffix] No such realm "NULL"
Tue Aug 12 00:42:07 2014 : Info: ++[suffix] returns noop
Tue Aug 12 00:42:07 2014 : Info: [eap] EAP packet type response id 4 length 144
Tue Aug 12 00:42:07 2014 : Info: [eap] Continuing tunnel setup.
Tue Aug 12 00:42:07 2014 : Info: ++[eap] returns ok
Tue Aug 12 00:42:07 2014 : Info: Found Auth-Type = EAP
Tue Aug 12 00:42:07 2014 : Info: # Executing group from file /etc/freeradius/sites-enabled/default
Tue Aug 12 00:42:07 2014 : Info: +- entering group authenticate {...}
Tue Aug 12 00:42:07 2014 : Info: [eap] Request found, released from the list
Tue Aug 12 00:42:07 2014 : Info: [eap] EAP/ttls
Tue Aug 12 00:42:07 2014 : Info: [eap] processing type ttls
Tue Aug 12 00:42:07 2014 : Info: [ttls] Authenticate
Tue Aug 12 00:42:07 2014 : Info: [ttls] processing EAP-TLS
Tue Aug 12 00:42:07 2014 : Debug: TLS Length 134
Tue Aug 12 00:42:07 2014 : Info: [ttls] Length Included
Tue Aug 12 00:42:07 2014 : Info: [ttls] eaptls_verify returned 11
Tue Aug 12 00:42:07 2014 : Info: [ttls] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange
Tue Aug 12 00:42:07 2014 : Info: [ttls] TLS_accept: SSLv3 read client key exchange A
Tue Aug 12 00:42:07 2014 : Info: [ttls] <<< TLS 1.0 ChangeCipherSpec [length 0001]
Tue Aug 12 00:42:07 2014 : Info: [ttls] <<< TLS 1.0 Handshake [length 0010], Finished
Tue Aug 12 00:42:07 2014 : Info: [ttls] TLS_accept: SSLv3 read finished A
Tue Aug 12 00:42:07 2014 : Info: [ttls] >>> TLS 1.0 ChangeCipherSpec [length 0001]
Tue Aug 12 00:42:07 2014 : Info: [ttls] TLS_accept: SSLv3 write change cipher spec A
Tue Aug 12 00:42:07 2014 : Info: [ttls] >>> TLS 1.0 Handshake [length 0010], Finished
Tue Aug 12 00:42:07 2014 : Info: [ttls] TLS_accept: SSLv3 write finished A
Tue Aug 12 00:42:07 2014 : Info: [ttls] TLS_accept: SSLv3 flush data
Tue Aug 12 00:42:07 2014 : Info: [ttls] (other): SSL negotiation finished successfully
Tue Aug 12 00:42:07 2014 : Debug: SSL Connection Established
Tue Aug 12 00:42:07 2014 : Info: [ttls] eaptls_process returned 13
Tue Aug 12 00:42:07 2014 : Info: ++[eap] returns handled
Sending Access-Challenge of id 217 to XXX.XXX.XXX.XXX port 32768
EAP-Message = 0x0105004515800000003b1403010001011603010030d8f2c43771ec025853ef49cc006b67b868a494442d6037ee42ec86ed631480ba9a17c9d3a760732b9f07d446f1f5a839
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xf4659c56f760891adaf6263d5bd06672
Tue Aug 12 00:42:07 2014 : Info: Finished request 8.
Tue Aug 12 00:42:07 2014 : Debug: Going to the next request
Tue Aug 12 00:42:07 2014 : Debug: Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host XXX.XXX.XXX.XXX port 32768, id=218, length=384
User-Name = "alexgregory"
Chargeable-User-Identity = ""
Location-Capable = Civix-Location
Calling-Station-Id = "78-31-c1-be-89-a8"
Called-Station-Id = "d4-a0-2a-15-7f-00:C2_Test"
NAS-Port = 4
Cisco-AVPair = "audit-session-id=0a2100820000057653e962bb"
NAS-IP-Address = 10.33.0.130
NAS-Identifier = "inWebo"
Airespace-Wlan-Id = 6
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0205009f15800000009517030100907bc646b5cd2459705f364e4ba30bd248154985b82c9961aae42e39904a74c2dd39af755c6bb342dd1bd9e21d6d965b1751e44d16f9ebbadf648adc439e136e2c2c62a8ec6010b6b3a1683b9f2d03500d3bc33728c7789e5be81a9f20f318cc6c5eac3b959c3e0eb7d60e31b4e15a9eaad9d0e3b9c649ea3a2dc326e6cf1491dd356d7b4fab2d581abe522b9990e0afef
State = 0xf4659c56f760891adaf6263d5bd06672
Message-Authenticator = 0xccc7cc64a106a3fcbe39b45ee77bb381
Tue Aug 12 00:42:07 2014 : Info: # Executing section authorize from file /etc/freeradius/sites-enabled/default
Tue Aug 12 00:42:07 2014 : Info: +- entering group authorize {...}
Tue Aug 12 00:42:07 2014 : Info: ++[preprocess] returns ok
Tue Aug 12 00:42:07 2014 : Info: ++[digest] returns noop
Tue Aug 12 00:42:07 2014 : Info: [suffix] No '@' in User-Name = "alexgregory", looking up realm NULL
Tue Aug 12 00:42:07 2014 : Info: [suffix] No such realm "NULL"
Tue Aug 12 00:42:07 2014 : Info: ++[suffix] returns noop
Tue Aug 12 00:42:07 2014 : Info: [eap] EAP packet type response id 5 length 159
Tue Aug 12 00:42:07 2014 : Info: [eap] Continuing tunnel setup.
Tue Aug 12 00:42:07 2014 : Info: ++[eap] returns ok
Tue Aug 12 00:42:07 2014 : Info: Found Auth-Type = EAP
Tue Aug 12 00:42:07 2014 : Info: # Executing group from file /etc/freeradius/sites-enabled/default
Tue Aug 12 00:42:07 2014 : Info: +- entering group authenticate {...}
Tue Aug 12 00:42:07 2014 : Info: [eap] Request found, released from the list
Tue Aug 12 00:42:07 2014 : Info: [eap] EAP/ttls
Tue Aug 12 00:42:07 2014 : Info: [eap] processing type ttls
Tue Aug 12 00:42:07 2014 : Info: [ttls] Authenticate
Tue Aug 12 00:42:07 2014 : Info: [ttls] processing EAP-TLS
Tue Aug 12 00:42:07 2014 : Debug: TLS Length 149
Tue Aug 12 00:42:07 2014 : Info: [ttls] Length Included
Tue Aug 12 00:42:07 2014 : Info: [ttls] eaptls_verify returned 11
Tue Aug 12 00:42:07 2014 : Info: [ttls] eaptls_process returned 7
Tue Aug 12 00:42:07 2014 : Info: [ttls] Session established. Proceeding to decode tunneled attributes.
TTLS tunnel data in 0000: 00 00 00 01 00 00 00 13 61 6c 65 78 67 72 65 67
TTLS tunnel data in 0010: 6f 72 79 00 00 00 00 0b 80 00 00 1c 00 00 01 37
TTLS tunnel data in 0020: 63 61 7d 3c 0b 66 a7 d4 4f c7 f6 2a f6 1c ce b2
TTLS tunnel data in 0030: 00 00 00 19 80 00 00 3e 00 00 01 37 1c 00 2e b8
TTLS tunnel data in 0040: 7c 02 be de 7f 09 34 cd a0 f7 76 5c fa ac 00 00
TTLS tunnel data in 0050: 00 00 00 00 00 00 c2 ab 1c 93 9d c6 10 de f7 ac
TTLS tunnel data in 0060: bd c9 79 e0 3d 9a d5 81 c5 05 61 8b f9 9f 00 00
Tue Aug 12 00:42:07 2014 : Info: [ttls] Got tunneled request
User-Name = "alexgregory"
MS-CHAP-Challenge = 0x63617d3c0b66a7d44fc7f62af61cceb2
MS-CHAP2-Response = 0x1c002eb87c02bede7f0934cda0f7765cfaac0000000000000000c2ab1c939dc610def7acbdc979e03d9ad581c505618bf99f
FreeRADIUS-Proxied-To = 127.0.0.1
Tue Aug 12 00:42:07 2014 : Info: [ttls] Sending tunneled request
User-Name = "alexgregory"
MS-CHAP-Challenge = 0x63617d3c0b66a7d44fc7f62af61cceb2
MS-CHAP2-Response = 0x1c002eb87c02bede7f0934cda0f7765cfaac0000000000000000c2ab1c939dc610def7acbdc979e03d9ad581c505618bf99f
FreeRADIUS-Proxied-To = 127.0.0.1
Chargeable-User-Identity = ""
Location-Capable = Civix-Location
Calling-Station-Id = "78-31-c1-be-89-a8"
Called-Station-Id = "d4-a0-2a-15-7f-00:C2_Test"
NAS-Port = 4
Cisco-AVPair = "audit-session-id=0a2100820000057653e962bb"
NAS-IP-Address = 10.33.0.130
NAS-Identifier = "inWebo"
Airespace-Wlan-Id = 6
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
server inner-tunnel {
Tue Aug 12 00:42:07 2014 : Info: # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
Tue Aug 12 00:42:07 2014 : Info: +- entering group authorize {...}
Tue Aug 12 00:42:07 2014 : Info: [suffix] No '@' in User-Name = "alexgregory", looking up realm NULL
Tue Aug 12 00:42:07 2014 : Info: [suffix] No such realm "NULL"
Tue Aug 12 00:42:07 2014 : Info: ++[suffix] returns noop
Tue Aug 12 00:42:07 2014 : Info: ++[control] returns noop
Tue Aug 12 00:42:07 2014 : Info: [eap] No EAP-Message, not doing EAP
Tue Aug 12 00:42:07 2014 : Info: ++[eap] returns noop
Tue Aug 12 00:42:07 2014 : Info: ++[files] returns noop
Tue Aug 12 00:42:07 2014 : Info: [ldap] performing user authorization for alexgregory
Tue Aug 12 00:42:07 2014 : Info: [ldap] expand: %{Stripped-User-Name} ->
Tue Aug 12 00:42:07 2014 : Info: [ldap] ... expanding second conditional
Tue Aug 12 00:42:07 2014 : Info: [ldap] expand: %{User-Name} -> alexgregory
Tue Aug 12 00:42:07 2014 : Info: [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=alexgregory)
Tue Aug 12 00:42:07 2014 : Info: [ldap] expand: ou=Users,dc=team,dc=company,dc=com -> ou=Users,dc=team,dc=company,dc=com
Tue Aug 12 00:42:07 2014 : Debug: [ldap] ldap_get_conn: Checking Id: 0
Tue Aug 12 00:42:07 2014 : Debug: [ldap] ldap_get_conn: Got Id: 0
Tue Aug 12 00:42:07 2014 : Debug: [ldap] performing search in ou=Users,dc=team,dc=company,dc=com, with filter (uid=alexgregory)
Tue Aug 12 00:42:07 2014 : Info: [ldap] No default NMAS login sequence
Tue Aug 12 00:42:07 2014 : Info: [ldap] looking for check items in directory...
Tue Aug 12 00:42:07 2014 : Debug: [ldap] userPassword -> Password-With-Header == "{MD5}replacedpasswordhash"
Tue Aug 12 00:42:07 2014 : Info: [ldap] looking for reply items in directory...
Tue Aug 12 00:42:07 2014 : Info: [ldap] user alexgregory authorized to use remote access
Tue Aug 12 00:42:07 2014 : Debug: [ldap] ldap_release_conn: Release Id: 0
Tue Aug 12 00:42:07 2014 : Info: ++[ldap] returns ok
Tue Aug 12 00:42:07 2014 : Info: ++[expiration] returns noop
Tue Aug 12 00:42:07 2014 : Info: ++[logintime] returns noop
Tue Aug 12 00:42:07 2014 : Info: [pap] No clear-text password in the request. Not performing PAP.
Tue Aug 12 00:42:07 2014 : Info: ++[pap] returns noop
Tue Aug 12 00:42:07 2014 : Info: ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Tue Aug 12 00:42:07 2014 : Info: Failed to authenticate the user.
} # server inner-tunnel
Tue Aug 12 00:42:07 2014 : Info: [ttls] Got tunneled reply code 3
Tue Aug 12 00:42:07 2014 : Info: [ttls] Got tunneled Access-Reject
Tue Aug 12 00:42:07 2014 : Info: [eap] Handler failed in EAP/ttls
Tue Aug 12 00:42:07 2014 : Info: [eap] Failed in EAP select
Tue Aug 12 00:42:07 2014 : Info: ++[eap] returns invalid
Tue Aug 12 00:42:07 2014 : Info: Failed to authenticate the user.
Tue Aug 12 00:42:07 2014 : Info: Using Post-Auth-Type Reject
Tue Aug 12 00:42:07 2014 : Info: # Executing group from file /etc/freeradius/sites-enabled/default
Tue Aug 12 00:42:07 2014 : Info: +- entering group REJECT {...}
Tue Aug 12 00:42:07 2014 : Info: [attr_filter.access_reject] expand: %{User-Name} -> alexgregory
Tue Aug 12 00:42:07 2014 : Debug: attr_filter: Matched entry DEFAULT at line 11
Tue Aug 12 00:42:07 2014 : Info: ++[attr_filter.access_reject] returns updated
Tue Aug 12 00:42:07 2014 : Info: Delaying reject of request 9 for 1 seconds
Tue Aug 12 00:42:07 2014 : Debug: Going to the next request
Tue Aug 12 00:42:07 2014 : Debug: Waking up in 0.9 seconds.
Tue Aug 12 00:42:08 2014 : Info: Sending delayed reject for request 9
Sending Access-Reject of id 218 to XXX.XXX.XXX.XXX port 32768
EAP-Message = 0x04050004
Message-Authenticator = 0x00000000000000000000000000000000
Tue Aug 12 00:42:08 2014 : Debug: Waking up in 3.9 seconds.
Tue Aug 12 00:42:12 2014 : Info: Cleaning up request 5 ID 214 with timestamp +31
Tue Aug 12 00:42:12 2014 : Info: Cleaning up request 6 ID 215 with timestamp +31
Tue Aug 12 00:42:12 2014 : Info: Cleaning up request 7 ID 216 with timestamp +31
Tue Aug 12 00:42:12 2014 : Info: Cleaning up request 8 ID 217 with timestamp +31
Tue Aug 12 00:42:12 2014 : Debug: Waking up in 1.0 seconds.
Tue Aug 12 00:42:13 2014 : Info: Cleaning up request 9 ID 218 with timestamp +31
Tue Aug 12 00:42:13 2014 : Info: Ready to process requests.
5
12