Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
October 2015
- 86 participants
- 105 discussions
11 Oct '15
Hi
Yes, I've read the section in the wiki about this error message*
This happens on on FreeBSD 10.2 using the version in ports, though I'm
uncertain whether I'm looking at the problem from the correct angle as
ldd isn't crying about missing libraries:
# ldd /usr/local/lib/freeradius-3.0.10/rlm_sql_postgresql.so
/usr/local/lib/freeradius-3.0.10/rlm_sql_postgresql.so:
libpq.so.5 => /usr/local/lib/libpq.so.5 (0x801608000)
libc.so.7 => /lib/libc.so.7 (0x800821000)
libthr.so.3 => /lib/libthr.so.3 (0x801836000)
libintl.so.8 => /usr/local/lib/libintl.so.8 (0x801a5a000)
libssl.so.7 => /usr/lib/libssl.so.7 (0x801c65000)
libcrypto.so.7 => /lib/libcrypto.so.7 (0x801ed1000)
There seems not to be a library it cannot find (same for radiusd itself)?
The build logs seem to compile rlm_sql_postgresql without hickup either
and I see no check error:
LINK build/lib/rlm_sql.la
CC src/modules/rlm_sql/drivers/rlm_sql_unixodbc/rlm_sql_unixodbc.c
LINK build/lib/rlm_sql_unixodbc.la
CC src/modules/rlm_sql/drivers/rlm_sql_mysql/rlm_sql_mysql.c
LINK build/lib/rlm_sql_mysql.la
CC src/modules/rlm_sql/drivers/rlm_sql_postgresql/rlm_sql_postgresql.c
LINK build/lib/rlm_sql_postgresql.la
CC src/modules/rlm_sql/drivers/rlm_sql_sqlite/rlm_sql_sqlite.c
LINK build/lib/rlm_sql_sqlite.la
CC src/modules/rlm_sql/drivers/rlm_sql_null/rlm_sql_null.c
I've rebuilt both postgresql93-client and freeradius from source using
FreeBSD's poudriere tool, not difference there.
Any idea where I could look further into this?
-- Mathieu
*
http://wiki.freeradius.org/guide/FAQ#It-says-%22Could-not-link-...-file-not…
2
2
Hello,
Perhaps of interest for those encountering problems with WPA/WPA2 Enterprise and the latest Apple client OS releases.
As a reminder, I was facing such a behavior: the device connects to an AP and is successfully authenticated by FR, then connects and authenticates again, and so on.
In the meantime, all other devices (including Apple ones with earlier OSes) were enjoying the Wi-Fi service as usual.
This was with FR 3.0.4 and OpenSSL 0.9.8y.
Since the problematic clients didn’t explicitly complain nor write anything useful in their logs, they just behaved like black boxes.
I thus experimented an upgrade to FR 3.0.10 and OpenSSL 1.0.2d.
(with the head 3.0.x as of yesterday; but commit b7b5493c61 should be sufficient)
And… IOS9 and El Capitan devices don’t choke anymore. [*]
Moreover, the other few devices active today (a Sunday) didn’t seem to be adversely affected by the change.
HTH,
Axel
[*] I still don’t know why those clients are happy now, and that’s hateful. If someone had a clue…
2
1
Hi,
Like lots of people, we've been hit with the changes to TLS support in
IOS9. I've upgraded to FR2.2.9 (we're a moderate sized ISP and can't
upgrade to 3.x in a hurry) but there's still little change to the matter.
Our configuration is an proxy configuration which forwards normal (non-EAP)
RADIUS to our customer facing radius platform.
The difference that we're seeing between an 8.x connection attempt (which
works fine) and a 9.x connection attempt is that we don't see the MSCHAP
attributes passed through in the request.
If anyone has any ideas, that would be greatly appreciated. I'm kind of at
a dead end at this point.
Cheers
Mark
Thread 3 handling request 25, (6 handled so far)
# Executing section authorize from file
/usr/share/ii/wifiproxy/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "levsky", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 1 length 11
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
++[expiration] = noop
++[logintime] = noop
[pap] WARNING! No "known good" password found for the user. Authentication
may fail because of this.
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /usr/share/ii/wifiproxy/sites-enabled/default
+group authenticate {
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] = handled
+} # group authenticate = handled
Finished request 25.
Going to the next request
Thread 3 waiting to be assigned a request
Waking up in 0.9 seconds.
Thread 4 got semaphore
Thread 4 handling request 26, (6 handled so far)
# Executing section authorize from file
/usr/share/ii/wifiproxy/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "levsky", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 2 length 143
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /usr/share/ii/wifiproxy/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
TLS Length 133
[ttls] Length Included
[ttls] eaptls_verify returned 11
[ttls] (other): before/accept initialization
[ttls] TLS_accept: before/accept initialization
[ttls] <<< TLS 1.0 Handshake [length 0080], ClientHello
[ttls] TLS_accept: SSLv3 read client hello A
[ttls] >>> TLS 1.0 Handshake [length 0031], ServerHello
[ttls] TLS_accept: SSLv3 write server hello A
[ttls] >>> TLS 1.0 Handshake [length 06b2], Certificate
[ttls] TLS_accept: SSLv3 write certificate A
[ttls] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[ttls] TLS_accept: SSLv3 write server done A
[ttls] TLS_accept: SSLv3 flush data
[ttls] TLS_accept: Need to read more data: SSLv3 read client
certificate A
[ttls] TLS_accept: Need to read more data: SSLv3 read client
certificate A
In SSL Handshake Phase
In SSL Accept mode
[ttls] eaptls_process returned 13
++[eap] = handled
+} # group authenticate = handled
Finished request 26.
Going to the next request
Thread 4 waiting to be assigned a request
Waking up in 0.9 seconds.
Thread 2 got semaphore
Thread 2 handling request 27, (6 handled so far)
# Executing section authorize from file
/usr/share/ii/wifiproxy/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "levsky", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 3 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /usr/share/ii/wifiproxy/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] Received TLS ACK
[ttls] ACK handshake fragment handler
[ttls] eaptls_verify returned 1
[ttls] eaptls_process returned 13
++[eap] = handled
+} # group authenticate = handled
Finished request 27.
Going to the next request
Thread 2 waiting to be assigned a request
Waking up in 0.9 seconds.
Thread 5 got semaphore
Thread 5 handling request 28, (6 handled so far)
# Executing section authorize from file
/usr/share/ii/wifiproxy/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "levsky", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 4 length 253
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /usr/share/ii/wifiproxy/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
TLS Length 326
[ttls] Length Included
[ttls] eaptls_verify returned 11
[ttls] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange
[ttls] TLS_accept: SSLv3 read client key exchange A
[ttls] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[ttls] <<< TLS 1.0 Handshake [length 0010], Finished
[ttls] TLS_accept: SSLv3 read finished A
[ttls] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[ttls] TLS_accept: SSLv3 write change cipher spec A
[ttls] >>> TLS 1.0 Handshake [length 0010], Finished
[ttls] TLS_accept: SSLv3 write finished A
[ttls] TLS_accept: SSLv3 flush data
[ttls] (other): SSL negotiation finished successfully
SSL Connection Established
[ttls] eaptls_process returned 13
++[eap] = handled
+} # group authenticate = handled
Finished request 28.
Going to the next request
Thread 5 waiting to be assigned a request
Waking up in 0.8 seconds.
Thread 1 got semaphore
Thread 1 handling request 29, (7 handled so far)
# Executing section authorize from file
/usr/share/ii/wifiproxy/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "levsky", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 5 length 63
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /usr/share/ii/wifiproxy/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
TLS Length 53
[ttls] Length Included
[ttls] eaptls_verify returned 11
[ttls] eaptls_process returned 7
[ttls] Session established. Proceeding to decode tunneled attributes.
[ttls] Got tunneled identity of levsky
[ttls] Setting default EAP type for tunneled EAP session.
# Executing section authorize from file
/usr/share/ii/wifiproxy/sites-enabled/ttls-proxy
+group authorize {
rlm_perl: Added pair NAS-Port-Type = Wireless-802.11
rlm_perl: Added pair Service-Type = Framed-User
rlm_perl: Added pair Tunnel-Type = VLAN
rlm_perl: Added pair Called-Station-Id = 34dbfd24e9e0:iiNet Customer DEV
rlm_perl: Added pair Airespace-Wlan-Id = 155
rlm_perl: Added pair FreeRADIUS-Proxied-To = 127.0.0.1
rlm_perl: Added pair Location-Capable = Civix-Location
rlm_perl: Added pair II-Proxy-Realm = IIRADIUS
rlm_perl: Added pair NAS-IP-Address = 10.13.6.8
rlm_perl: Added pair Tunnel-Private-Group-Id = 151
rlm_perl: Added pair Tunnel-Medium-Type = IEEE-802
rlm_perl: Added pair Calling-Station-Id = f0f61c739670
rlm_perl: Added pair Cisco-AVPair =
audit-session-id=0a19d7cb0005280162131656
rlm_perl: Added pair User-Name = levsky
rlm_perl: Added pair NAS-Identifier = wlc1.per3
rlm_perl: Added pair Chargeable-User-Identity =
rlm_perl: Added pair EAP-Message = 0x0200000b016c6576736b79
rlm_perl: Added pair NAS-Port = 1
rlm_perl: Added pair Framed-MTU = 1300
rlm_perl: Added pair EAP-Type = MD5-Challenge
++[perl-innertunnels] = ok
++update control {
expand: %{II-Proxy-Realm} -> IIRADIUS
++} # update control = noop
+} # group authorize = ok
[ttls] Tunneled authentication will be proxied to IIRADIUS
[eap] Tunneled session will be proxied. Not doing EAP.
++[eap] = handled
+} # group authenticate = handled
WARNING: Empty pre-proxy section. Using default return values.
Proxying request 29 to home server 10.10.24.1 port 1645
Going to the next request
Thread 1 waiting to be assigned a request
Waking up in 0.8 seconds.
Thread 3 got semaphore
Thread 3 handling request 29, (7 handled so far)
# Executing section post-proxy from file
/usr/share/ii/wifiproxy/sites-enabled/default
+group post-proxy {
[eap] Doing post-proxy callback
[eap] Passing reply from proxy back into the tunnel.
[eap] Got tunneled Access-Reject
[eap] Reply was rejected
[eap] Failed in post-proxy callback
rlm_eap_ttls: Freeing handler for user levsky
++[eap] = reject
+} # group post-proxy = reject
Login incorrect (Home Server says so): [levsky/<via Auth-Type = EAP>] (from
client wlc1.per3 port 1 cli f0f61c739670)
Using Post-Auth-Type Reject
# Executing group from file /usr/share/ii/wifiproxy/sites-enabled/default
+group REJECT {
[attr_filter.access_reject] expand: %{User-Name} -> levsky
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
Delaying reject of request 29 for 1 seconds
Going to the next request
Thread 3 waiting to be assigned a request
Sending delayed reject for request 29
Cleaning up request 23 ID 117 with timestamp +47
Waking up in 1.7 seconds.
Cleaning up request 24 ID 119 with timestamp +49
Waking up in 2.0 seconds.
Waking up in 0.9 seconds.
7
16
Hello Everyone,
We are using freeradius Version 2.1.12, for x86 64bit linux to manage many hotspots for different vendors(groups) who all use our capative portal to provide free wifi to their customers. Right now all no one has a user data(upload/download) limit(daily/weekly/monthly) but Speed(UP/DOWN limits) control and accounting only.
Now some of our vendors want data cap, like vendor A want 100 MB/user/day and vendor B want 500 MB/user/month. I have read about SQL Counter and implemented one but the limitation is that will apply throughout vendors(groups). We do not want to have 1 free radius server running for each vendor. Can someone please tell me if it is possible to have some all vendors on same freeradius server with some vendors having no data cap limit for end users, some having daily data limits and some having monthly limit. Policy should apply when a user login from that specific vendor hotspot. Any weblink/idea will be helpful.
Thanks in advance.
RegardsSY
2
2
mschap: ERROR: FAILED: No NT/LM-Password. Cannot perform authentication
by Torsten Wilms 09 Oct '15
by Torsten Wilms 09 Oct '15
09 Oct '15
Hi @all.
Not sure if we have a bug, but i tried to get an AD authentication about
ldap more then 4 days. I read a lot of documentation and testet a lot of
stuff.
i have the following:
If i try to login via "radtest -x test testpwd 127.0.0.1:18120 0 testing123"
on the linux console, everything is working via ldap. If i try this over the
802.1X AccessPoint, it doesn't work.
If i try the same with a defined user in users like "bob Cleartext-Password
:= "hello"" over the accessPoint, it works fine.
Anything goes wrong with the password if we i use peap:
via console with domain User over inner-tunnel:
(1) Received Access-Request Id 7 from 127.0.0.1:48026 to 127.0.0.1:18120
length 74
(1) User-Name = "test"
(1) User-Password = "password"
(1) NAS-IP-Address = 192.168.8.27
(1) NAS-Port = 0
(1) Message-Authenticator = 0xc7c247ef109fb66332c18aab75068b33
(1) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/inner-tunnel-domain
(1) authorize {
(1) [files] = noop
(1) [mschap] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "test", looking up realm NULL
(1) suffix: No such realm "NULL"
(1) [suffix] = noop
(1) update control {
(1) Proxy-To-Realm := LOCAL
(1) } # update control = noop
(1) eap: No EAP-Message, not doing EAP
(1) [eap] = noop
(1) [expiration] = noop
(1) [logintime] = noop
rlm_ldap (ldap_domain): Reserved connection (0)
(1) ldap_domain: EXPAND
(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})
(1) ldap_domain: --> (sAMAccountName=test)
(1) ldap_domain: Performing search in "cn=Users,dc=domain,dc=local" with
filter "(sAMAccountName=test)", scope "sub"
(1) ldap_domain: Waiting for search result...
(1) ldap_domain: User object found at DN "CN=Test
TEST,CN=Users,DC=domain,DC=local"
(1) ldap_domain: Processing user attributes
(1) ldap_domain: WARNING: No "known good" password added. Ensure the admin
user has permission to read the password attribute
(1) ldap_domain: WARNING: PAP authentication will NOT work with Active
Directory (if that is what you were trying to configure)
rlm_ldap (ldap_domain): Released connection (0)
rlm_ldap (ldap_domain): Need 5 more connections to reach 10 spares
rlm_ldap (ldap_domain): Opening additional connection (5), 1 of 27 pending
slots used
rlm_ldap (ldap_domain): Connecting to ldap://dc.domain.local:389
rlm_ldap (ldap_domain): Waiting for bind result...
rlm_ldap (ldap_domain): Bind successful
(1) [ldap_domain] = ok
(1) if ((ok || updated) && User-Password) {
(1) if ((ok || updated) && User-Password) -> TRUE
(1) if ((ok || updated) && User-Password) {
(1) update {
(1) control:Auth-Type := LDAP
(1) } # update = noop
(1) } # if ((ok || updated) && User-Password) = noop
(1) [pap] = noop
(1) if (User-Password) {
(1) if (User-Password) -> TRUE
(1) if (User-Password) {
(1) update control {
(1) Auth-Type := LDAP
(1) } # update control = noop
(1) } # if (User-Password) = noop
(1) } # authorize = ok
(1) Found Auth-Type = LDAP
(1) # Executing group from file
/usr/local/etc/raddb/sites-enabled/inner-tunnel-domain
(1) Auth-Type LDAP {
rlm_ldap (ldap_domain): Reserved connection (1)
(1) ldap_domain: Login attempt by "test"
(1) ldap_domain: Using user DN from request "CN=Test
TEST,CN=Users,DC=domain,DC=local"
(1) ldap_domain: Waiting for bind result...
(1) ldap_domain: Bind successful
(1) ldap_domain: Bind as user "CN=Test TEST,CN=Users,DC=domain,DC=local" was
successful
rlm_ldap (ldap_domain): Released connection (1)
(1) [ldap_domain] = ok
(1) } # Auth-Type LDAP = ok
(1) Sent Access-Accept Id 7 from 127.0.0.1:18120 to 127.0.0.1:48026 length 0
(1) Finished request
Waking up in 0.3 seconds.
(0) Cleaning up request packet ID 130 with timestamp +4
Waking up in 4.6 seconds.
(1) Cleaning up request packet ID 7 with timestamp +9
Ready to process requests
via AccessPoint with domain User:
(2) Received Access-Request Id 42 from 192.168.2.250:3072 to
192.168.8.27:1812 length 178
(2) User-Name = "test"
(2) Service-Type = Framed-User
(2) NAS-IP-Address = 192.168.2.250
(2) NAS-Port = 10
(2) NAS-Port-Id = "10"
(2) Called-Station-Id = "0E-0B-6B-2F-12-67:domain 8021X"
(2) Calling-Station-Id = "B8-E8-56-41-2C-2A"
(2) Connect-Info = "CONNECT 54 Mbps 802.11g"
(2) NAS-Identifier = "AP-domain01"
(2) NAS-Port-Type = Wireless-802.11
(2) Framed-MTU = 1500
(2) EAP-Message = 0x020100090174657374
(2) Message-Authenticator = 0x83d8e6487c3977ae8116026c26702525
(2) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/domain
(2) authorize {
(2) [files] = noop
(2) [preprocess] = ok
(2) suffix: Checking for suffix after "@"
(2) suffix: No '@' in User-Name = "test", looking up realm NULL
(2) suffix: No such realm "NULL"
(2) [suffix] = noop
(2) eap: Peer sent EAP Response (code 2) ID 1 length 9
(2) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest
of authorize
(2) [eap] = ok
(2) } # authorize = ok
(2) Found Auth-Type = EAP
(2) # Executing group from file /usr/local/etc/raddb/sites-enabled/domain
(2) authenticate {
(2) eap: Peer sent packet with method EAP Identity (1)
(2) eap: Calling submodule eap_peap to process data
(2) eap_peap: Initiating new EAP-TLS session
(2) eap_peap: [eaptls start] = request
(2) eap: Sending EAP Request (code 1) ID 2 length 6
(2) eap: EAP session adding &reply:State = 0x714e61bf714c78fd
(2) [eap] = handled
(2) } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) Post-Auth-Type sub-section not found. Ignoring.
(2) Sent Access-Challenge Id 42 from 192.168.8.27:1812 to 192.168.2.250:3072
length 0
(2) EAP-Message = 0x010200061920
(2) Message-Authenticator = 0x00000000000000000000000000000000
(2) State = 0x714e61bf714c78fd13de40933f3a43c8
(2) Finished request
Waking up in 4.9 seconds.
(3) Received Access-Request Id 58 from 192.168.2.250:3072 to
192.168.8.27:1812 length 339
(3) User-Name = "test"
(3) Service-Type = Framed-User
(3) NAS-IP-Address = 192.168.2.250
(3) NAS-Port = 10
(3) NAS-Port-Id = "10"
(3) State = 0x714e61bf714c78fd13de40933f3a43c8
(3) Called-Station-Id = "0E-0B-6B-2F-12-67:domain 8021X"
(3) Calling-Station-Id = "B8-E8-56-41-2C-2A"
(3) Connect-Info = "CONNECT 54 Mbps 802.11g"
(3) NAS-Identifier = "AP-domain01"
(3) NAS-Port-Type = Wireless-802.11
(3) Framed-MTU = 1500
(3) EAP-Message =
0x0202009819800000008e160301008901000085030156162f87a13e4465c695b7754a35671d
e87e37f1c9c068c51ee0c258d39cc34f00004a00ffc024c023c00ac009c008c028c027c014c0
13c012c026c025c005c004c003c02ac029c00fc00ec00d006b0067003900330016003d003c00
35002f000ac0
(3) Message-Authenticator = 0x1b3f4a72c416640c87d6f902d0effe2e
(3) session-state: No cached attributes
(3) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/domain
(3) authorize {
(3) [files] = noop
(3) [preprocess] = ok
(3) suffix: Checking for suffix after "@"
(3) suffix: No '@' in User-Name = "test", looking up realm NULL
(3) suffix: No such realm "NULL"
(3) [suffix] = noop
(3) eap: Peer sent EAP Response (code 2) ID 2 length 152
(3) eap: Continuing tunnel setup
(3) [eap] = ok
(3) } # authorize = ok
(3) Found Auth-Type = EAP
(3) # Executing group from file /usr/local/etc/raddb/sites-enabled/domain
(3) authenticate {
(3) eap: Expiring EAP session with state 0x714e61bf714c78fd
(3) eap: Finished EAP session with state 0x714e61bf714c78fd
(3) eap: Previous EAP request found for state 0x714e61bf714c78fd, released
from the list
(3) eap: Peer sent packet with method EAP PEAP (25)
(3) eap: Calling submodule eap_peap to process data
(3) eap_peap: Continuing EAP-TLS
(3) eap_peap: Peer indicated complete TLS record size will be 142 bytes
(3) eap_peap: Got complete TLS record (142 bytes)
(3) eap_peap: [eaptls verify] = length included
(3) eap_peap: (other): before/accept initialization
(3) eap_peap: TLS_accept: before/accept initialization
(3) eap_peap: <<< TLS 1.0 Handshake [length 0089], ClientHello
(3) eap_peap: TLS_accept: SSLv3 read client hello A
(3) eap_peap: >>> TLS 1.0 Handshake [length 0039], ServerHello
(3) eap_peap: TLS_accept: SSLv3 write server hello A
(3) eap_peap: >>> TLS 1.0 Handshake [length 0964], Certificate
(3) eap_peap: TLS_accept: SSLv3 write certificate A
(3) eap_peap: >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange
(3) eap_peap: TLS_accept: SSLv3 write key exchange A
(3) eap_peap: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
(3) eap_peap: TLS_accept: SSLv3 write server done A
(3) eap_peap: TLS_accept: SSLv3 flush data
(3) eap_peap: TLS_accept: Need to read more data: SSLv3 read client
certificate A
(3) eap_peap: TLS_accept: Need to read more data: SSLv3 read client
certificate A
(3) eap_peap: In SSL Handshake Phase
(3) eap_peap: In SSL Accept mode
(3) eap_peap: [eaptls process] = handled
(3) eap: Sending EAP Request (code 1) ID 3 length 1004
(3) eap: EAP session adding &reply:State = 0x714e61bf704d78fd
(3) [eap] = handled
(3) } # authenticate = handled
(3) Using Post-Auth-Type Challenge
(3) Post-Auth-Type sub-section not found. Ignoring.
(3) Sent Access-Challenge Id 58 from 192.168.8.27:1812 to 192.168.2.250:3072
length 0
(3) EAP-Message =
0x010303ec19c000000b00160301003902000035030194873ddf6cee275a11fcde492d5ae2b8
261f83dd50ed9063133a31be2e3d24b500c01400000dff01000100000b000403000102160301
09640b00096000095d0005a7308205a33082048ba0030201020213720000003379461d9f383b
20c900010000
(3) Message-Authenticator = 0x00000000000000000000000000000000
(3) State = 0x714e61bf704d78fd13de40933f3a43c8
(3) Finished request
Waking up in 4.9 seconds.
(4) Received Access-Request Id 46 from 192.168.2.250:3072 to
192.168.8.27:1812 length 193
(4) User-Name = "test"
(4) Service-Type = Framed-User
(4) NAS-IP-Address = 192.168.2.250
(4) NAS-Port = 10
(4) NAS-Port-Id = "10"
(4) State = 0x714e61bf704d78fd13de40933f3a43c8
(4) Called-Station-Id = "0E-0B-6B-2F-12-67:domain 8021X"
(4) Calling-Station-Id = "B8-E8-56-41-2C-2A"
(4) Connect-Info = "CONNECT 54 Mbps 802.11g"
(4) NAS-Identifier = "AP-domain01"
(4) NAS-Port-Type = Wireless-802.11
(4) Framed-MTU = 1500
(4) EAP-Message = 0x020300061900
(4) Message-Authenticator = 0xe7c2576faeb3228ae2d056b77bc6cce8
(4) session-state: No cached attributes
(4) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/domain
(4) authorize {
(4) [files] = noop
(4) [preprocess] = ok
(4) suffix: Checking for suffix after "@"
(4) suffix: No '@' in User-Name = "test", looking up realm NULL
(4) suffix: No such realm "NULL"
(4) [suffix] = noop
(4) eap: Peer sent EAP Response (code 2) ID 3 length 6
(4) eap: Continuing tunnel setup
(4) [eap] = ok
(4) } # authorize = ok
(4) Found Auth-Type = EAP
(4) # Executing group from file /usr/local/etc/raddb/sites-enabled/domain
(4) authenticate {
(4) eap: Expiring EAP session with state 0x714e61bf704d78fd
(4) eap: Finished EAP session with state 0x714e61bf704d78fd
(4) eap: Previous EAP request found for state 0x714e61bf704d78fd, released
from the list
(4) eap: Peer sent packet with method EAP PEAP (25)
(4) eap: Calling submodule eap_peap to process data
(4) eap_peap: Continuing EAP-TLS
(4) eap_peap: Peer ACKed our handshake fragment
(4) eap_peap: [eaptls verify] = request
(4) eap_peap: [eaptls process] = handled
(4) eap: Sending EAP Request (code 1) ID 4 length 1000
(4) eap: EAP session adding &reply:State = 0x714e61bf734a78fd
(4) [eap] = handled
(4) } # authenticate = handled
(4) Using Post-Auth-Type Challenge
(4) Post-Auth-Type sub-section not found. Ignoring.
(4) Sent Access-Challenge Id 46 from 192.168.8.27:1812 to 192.168.2.250:3072
length 0
(4) EAP-Message =
0x010403e81940b53081b206082b060105050730028681a56c6461703a2f2f2f434e3d6e6564
65636f253230476d624825323043412c434e3d4149412c434e3d5075626c69632532304b6579
25323053657276696365732c434e3d53657276696365732c434e3d436f6e6669677572617469
6f6e2c44433d
(4) Message-Authenticator = 0x00000000000000000000000000000000
(4) State = 0x714e61bf734a78fd13de40933f3a43c8
(4) Finished request
Waking up in 4.9 seconds.
(2) Cleaning up request packet ID 42 with timestamp +151
(3) Cleaning up request packet ID 58 with timestamp +151
(4) Cleaning up request packet ID 46 with timestamp +151
Ready to process requests
(5) Received Access-Request Id 216 from 192.168.2.250:3072 to
192.168.8.27:1812 length 193
(5) User-Name = "test"
(5) Service-Type = Framed-User
(5) NAS-IP-Address = 192.168.2.250
(5) NAS-Port = 10
(5) NAS-Port-Id = "10"
(5) State = 0x714e61bf734a78fd13de40933f3a43c8
(5) Called-Station-Id = "0E-0B-6B-2F-12-67:domain 8021X"
(5) Calling-Station-Id = "B8-E8-56-41-2C-2A"
(5) Connect-Info = "CONNECT 54 Mbps 802.11g"
(5) NAS-Identifier = "AP-domain01"
(5) NAS-Port-Type = Wireless-802.11
(5) Framed-MTU = 1500
(5) EAP-Message = 0x020400061900
(5) Message-Authenticator = 0xdf4b4a18dbd046ae4568ed5b900675ca
(5) session-state: No cached attributes
(5) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/domain
(5) authorize {
(5) [files] = noop
(5) [preprocess] = ok
(5) suffix: Checking for suffix after "@"
(5) suffix: No '@' in User-Name = "test", looking up realm NULL
(5) suffix: No such realm "NULL"
(5) [suffix] = noop
(5) eap: Peer sent EAP Response (code 2) ID 4 length 6
(5) eap: Continuing tunnel setup
(5) [eap] = ok
(5) } # authorize = ok
(5) Found Auth-Type = EAP
(5) # Executing group from file /usr/local/etc/raddb/sites-enabled/domain
(5) authenticate {
(5) eap: Expiring EAP session with state 0x714e61bf734a78fd
(5) eap: Finished EAP session with state 0x714e61bf734a78fd
(5) eap: Previous EAP request found for state 0x714e61bf734a78fd, released
from the list
(5) eap: Peer sent packet with method EAP PEAP (25)
(5) eap: Calling submodule eap_peap to process data
(5) eap_peap: Continuing EAP-TLS
(5) eap_peap: Peer ACKed our handshake fragment
(5) eap_peap: [eaptls verify] = request
(5) eap_peap: [eaptls process] = handled
(5) eap: Sending EAP Request (code 1) ID 5 length 834
(5) eap: EAP session adding &reply:State = 0x714e61bf724b78fd
(5) [eap] = handled
(5) } # authenticate = handled
(5) Using Post-Auth-Type Challenge
(5) Post-Auth-Type sub-section not found. Ignoring.
(5) Sent Access-Challenge Id 216 from 192.168.8.27:1812 to
192.168.2.250:3072 length 0
(5) EAP-Message =
0x01050342190068d99b627f3ca6561e6c1dcd0e8bb529b85d2515a36c2ba6f906ee9a223e61
9decfff2f24ef8674307735d591964d50ac988776a55970203010001a3819130818e30130609
2b060104018237140204061e0400430041300e0603551d0f0101ff040403020186300f060355
1d130101ff04
(5) Message-Authenticator = 0x00000000000000000000000000000000
(5) State = 0x714e61bf724b78fd13de40933f3a43c8
(5) Finished request
Waking up in 4.9 seconds.
(6) Received Access-Request Id 228 from 192.168.2.250:3072 to
192.168.8.27:1812 length 331
(6) User-Name = "test"
(6) Service-Type = Framed-User
(6) NAS-IP-Address = 192.168.2.250
(6) NAS-Port = 10
(6) NAS-Port-Id = "10"
(6) State = 0x714e61bf724b78fd13de40933f3a43c8
(6) Called-Station-Id = "0E-0B-6B-2F-12-67:domain 8021X"
(6) Calling-Station-Id = "B8-E8-56-41-2C-2A"
(6) Connect-Info = "CONNECT 54 Mbps 802.11g"
(6) NAS-Identifier = "AP-domain01"
(6) NAS-Port-Type = Wireless-802.11
(6) Framed-MTU = 1500
(6) EAP-Message =
0x0205009019800000008616030100461000004241041ddb75e112e6a51620e1d90e79faf858
ba440ee51859f6f36dbb3d61474b8fc891e7a246f576a1aef8372b95f81c96af01b2ba44e938
f2dde2e5fa57032812201403010001011603010030680540b7b149e993c9f964d5e0a79cda35
934c4c8e292f
(6) Message-Authenticator = 0x96295d1faa87d10973b6fe400102f545
(6) session-state: No cached attributes
(6) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/domain
(6) authorize {
(6) [files] = noop
(6) [preprocess] = ok
(6) suffix: Checking for suffix after "@"
(6) suffix: No '@' in User-Name = "test", looking up realm NULL
(6) suffix: No such realm "NULL"
(6) [suffix] = noop
(6) eap: Peer sent EAP Response (code 2) ID 5 length 144
(6) eap: Continuing tunnel setup
(6) [eap] = ok
(6) } # authorize = ok
(6) Found Auth-Type = EAP
(6) # Executing group from file /usr/local/etc/raddb/sites-enabled/domain
(6) authenticate {
(6) eap: Expiring EAP session with state 0x714e61bf724b78fd
(6) eap: Finished EAP session with state 0x714e61bf724b78fd
(6) eap: Previous EAP request found for state 0x714e61bf724b78fd, released
from the list
(6) eap: Peer sent packet with method EAP PEAP (25)
(6) eap: Calling submodule eap_peap to process data
(6) eap_peap: Continuing EAP-TLS
(6) eap_peap: Peer indicated complete TLS record size will be 134 bytes
(6) eap_peap: Got complete TLS record (134 bytes)
(6) eap_peap: [eaptls verify] = length included
(6) eap_peap: <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange
(6) eap_peap: TLS_accept: SSLv3 read client key exchange A
(6) eap_peap: <<< TLS 1.0 ChangeCipherSpec length 0001 eap_peap: <<< TLS 1.0
Handshake [length 0010], Finished
(6) eap_peap: TLS_accept: SSLv3 read finished A
(6) eap_peap: >>> TLS 1.0 ChangeCipherSpec length 0001 eap_peap: TLS_accept:
SSLv3 write change cipher spec A
(6) eap_peap: >>> TLS 1.0 Handshake [length 0010], Finished
(6) eap_peap: TLS_accept: SSLv3 write finished A
(6) eap_peap: TLS_accept: SSLv3 flush data
(6) eap_peap: (other): SSL negotiation finished successfully
(6) eap_peap: SSL Connection Established
(6) eap_peap: [eaptls process] = handled
(6) eap: Sending EAP Request (code 1) ID 6 length 65
(6) eap: EAP session adding &reply:State = 0x714e61bf754878fd
(6) [eap] = handled
(6) } # authenticate = handled
(6) Using Post-Auth-Type Challenge
(6) Post-Auth-Type sub-section not found. Ignoring.
(6) Sent Access-Challenge Id 228 from 192.168.8.27:1812 to
192.168.2.250:3072 length 0
(6) EAP-Message =
0x01060041190014030100010116030100301b8a91b9523361e58c472a6f4bedc223a3780b77
e80492846d5f574cd2db238cdd236645e7e78ed7e706e2dd3aecd6a2
(6) Message-Authenticator = 0x00000000000000000000000000000000
(6) State = 0x714e61bf754878fd13de40933f3a43c8
(6) Finished request
Waking up in 4.8 seconds.
(7) Received Access-Request Id 77 from 192.168.2.250:3072 to
192.168.8.27:1812 length 193
(7) User-Name = "test"
(7) Service-Type = Framed-User
(7) NAS-IP-Address = 192.168.2.250
(7) NAS-Port = 10
(7) NAS-Port-Id = "10"
(7) State = 0x714e61bf754878fd13de40933f3a43c8
(7) Called-Station-Id = "0E-0B-6B-2F-12-67:domain 8021X"
(7) Calling-Station-Id = "B8-E8-56-41-2C-2A"
(7) Connect-Info = "CONNECT 54 Mbps 802.11g"
(7) NAS-Identifier = "AP-domain01"
(7) NAS-Port-Type = Wireless-802.11
(7) Framed-MTU = 1500
(7) EAP-Message = 0x020600061900
(7) Message-Authenticator = 0xaabe36b47f3a6a409dd2ec806970d983
(7) session-state: No cached attributes
(7) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/domain
(7) authorize {
(7) [files] = noop
(7) [preprocess] = ok
(7) suffix: Checking for suffix after "@"
(7) suffix: No '@' in User-Name = "test", looking up realm NULL
(7) suffix: No such realm "NULL"
(7) [suffix] = noop
(7) eap: Peer sent EAP Response (code 2) ID 6 length 6
(7) eap: Continuing tunnel setup
(7) [eap] = ok
(7) } # authorize = ok
(7) Found Auth-Type = EAP
(7) # Executing group from file /usr/local/etc/raddb/sites-enabled/domain
(7) authenticate {
(7) eap: Expiring EAP session with state 0x714e61bf754878fd
(7) eap: Finished EAP session with state 0x714e61bf754878fd
(7) eap: Previous EAP request found for state 0x714e61bf754878fd, released
from the list
(7) eap: Peer sent packet with method EAP PEAP (25)
(7) eap: Calling submodule eap_peap to process data
(7) eap_peap: Continuing EAP-TLS
(7) eap_peap: Peer ACKed our handshake fragment. handshake is finished
(7) eap_peap: [eaptls verify] = success
(7) eap_peap: [eaptls process] = success
(7) eap_peap: Session established. Decoding tunneled attributes
(7) eap_peap: PEAP state TUNNEL ESTABLISHED
(7) eap: Sending EAP Request (code 1) ID 7 length 43
(7) eap: EAP session adding &reply:State = 0x714e61bf744978fd
(7) [eap] = handled
(7) } # authenticate = handled
(7) Using Post-Auth-Type Challenge
(7) Post-Auth-Type sub-section not found. Ignoring.
(7) Sent Access-Challenge Id 77 from 192.168.8.27:1812 to 192.168.2.250:3072
length 0
(7) EAP-Message =
0x0107002b19001703010020a6135f04ae6dffd42c8ef419d75113ac720759219e31f74d4247
b6b610e9a071
(7) Message-Authenticator = 0x00000000000000000000000000000000
(7) State = 0x714e61bf744978fd13de40933f3a43c8
(7) Finished request
Waking up in 4.8 seconds.
(8) Received Access-Request Id 86 from 192.168.2.250:3072 to
192.168.8.27:1812 length 230
(8) User-Name = "test"
(8) Service-Type = Framed-User
(8) NAS-IP-Address = 192.168.2.250
(8) NAS-Port = 10
(8) NAS-Port-Id = "10"
(8) State = 0x714e61bf744978fd13de40933f3a43c8
(8) Called-Station-Id = "0E-0B-6B-2F-12-67:domain 8021X"
(8) Calling-Station-Id = "B8-E8-56-41-2C-2A"
(8) Connect-Info = "CONNECT 54 Mbps 802.11g"
(8) NAS-Identifier = "AP-domain01"
(8) NAS-Port-Type = Wireless-802.11
(8) Framed-MTU = 1500
(8) EAP-Message =
0x0207002b19001703010020aa7e796b21bdc47f3c2b751c50ffbf8aaaafc3ad47a3a4a6dab8
50e706bf7227
(8) Message-Authenticator = 0xb0ef481a7beafe09a46383286750ead8
(8) session-state: No cached attributes
(8) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/domain
(8) authorize {
(8) [files] = noop
(8) [preprocess] = ok
(8) suffix: Checking for suffix after "@"
(8) suffix: No '@' in User-Name = "test", looking up realm NULL
(8) suffix: No such realm "NULL"
(8) [suffix] = noop
(8) eap: Peer sent EAP Response (code 2) ID 7 length 43
(8) eap: Continuing tunnel setup
(8) [eap] = ok
(8) } # authorize = ok
(8) Found Auth-Type = EAP
(8) # Executing group from file /usr/local/etc/raddb/sites-enabled/domain
(8) authenticate {
(8) eap: Expiring EAP session with state 0x714e61bf744978fd
(8) eap: Finished EAP session with state 0x714e61bf744978fd
(8) eap: Previous EAP request found for state 0x714e61bf744978fd, released
from the list
(8) eap: Peer sent packet with method EAP PEAP (25)
(8) eap: Calling submodule eap_peap to process data
(8) eap_peap: Continuing EAP-TLS
(8) eap_peap: [eaptls verify] = ok
(8) eap_peap: Done initial handshake
(8) eap_peap: [eaptls process] = ok
(8) eap_peap: Session established. Decoding tunneled attributes
(8) eap_peap: PEAP state WAITING FOR INNER IDENTITY
(8) eap_peap: Identity - test
(8) eap_peap: Got inner identity 'test'
(8) eap_peap: Setting default EAP type for tunneled EAP session
(8) eap_peap: Got tunneled request
(8) eap_peap: EAP-Message = 0x020700090174657374
(8) eap_peap: Setting User-Name to test
(8) eap_peap: Sending tunneled request to inner-tunnel
(8) eap_peap: EAP-Message = 0x020700090174657374
(8) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(8) eap_peap: User-Name = "test"
(8) Virtual server inner-tunnel received request
(8) EAP-Message = 0x020700090174657374
(8) FreeRADIUS-Proxied-To = 127.0.0.1
(8) User-Name = "test"
(8) server inner-tunnel {
(8) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/inner-tunnel-domain
(8) authorize {
(8) [files] = noop
(8) [mschap] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: No '@' in User-Name = "test", looking up realm NULL
(8) suffix: No such realm "NULL"
(8) [suffix] = noop
(8) update control {
(8) Proxy-To-Realm := LOCAL
(8) } # update control = noop
(8) eap: Peer sent EAP Response (code 2) ID 7 length 9
(8) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest
of authorize
(8) [eap] = ok
(8) } # authorize = ok
(8) Found Auth-Type = EAP
(8) # Executing group from file
/usr/local/etc/raddb/sites-enabled/inner-tunnel-domain
(8) authenticate {
(8) eap: Peer sent packet with method EAP Identity (1)
(8) eap: Calling submodule eap_mschapv2 to process data
(8) eap_mschapv2: Issuing Challenge
(8) eap: Sending EAP Request (code 1) ID 8 length 43
(8) eap: EAP session adding &reply:State = 0xbd1845cebd105fc4
(8) [eap] = handled
(8) } # authenticate = handled
(8) } # server inner-tunnel
(8) Virtual server sending reply
(8) EAP-Message =
0x0108002b1a0108002610ba684a0833e561a9e780eedf9829518f667265657261646975732d
332e302e3131
(8) Message-Authenticator = 0x00000000000000000000000000000000
(8) State = 0xbd1845cebd105fc4a22a1c51082d7ecf
(8) eap_peap: Got tunneled reply code 11
(8) eap_peap: EAP-Message =
0x0108002b1a0108002610ba684a0833e561a9e780eedf9829518f667265657261646975732d
332e302e3131
(8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(8) eap_peap: State = 0xbd1845cebd105fc4a22a1c51082d7ecf
(8) eap_peap: Got tunneled reply RADIUS code 11
(8) eap_peap: EAP-Message =
0x0108002b1a0108002610ba684a0833e561a9e780eedf9829518f667265657261646975732d
332e302e3131
(8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(8) eap_peap: State = 0xbd1845cebd105fc4a22a1c51082d7ecf
(8) eap_peap: Got tunneled Access-Challenge
(8) eap: Sending EAP Request (code 1) ID 8 length 75
(8) eap: EAP session adding &reply:State = 0x714e61bf774678fd
(8) [eap] = handled
(8) } # authenticate = handled
(8) Using Post-Auth-Type Challenge
(8) Post-Auth-Type sub-section not found. Ignoring.
(8) Sent Access-Challenge Id 86 from 192.168.8.27:1812 to 192.168.2.250:3072
length 0
(8) EAP-Message =
0x0108004b19001703010040c6831d9a1c5c30c64d40563c5fa21ee3cc103adbb4e99517563c
9e67d781aefdd941ba0f19bc124976046e7471792eec1d4771c20abf67b78282a152634eed5e
(8) Message-Authenticator = 0x00000000000000000000000000000000
(8) State = 0x714e61bf774678fd13de40933f3a43c8
(8) Finished request
Waking up in 4.8 seconds.
(5) Cleaning up request packet ID 216 with timestamp +181
(6) Cleaning up request packet ID 228 with timestamp +181
(7) Cleaning up request packet ID 77 with timestamp +181
(8) Cleaning up request packet ID 86 with timestamp +181
Ready to process requests
(9) Received Access-Request Id 14 from 192.168.2.250:3072 to
192.168.8.27:1812 length 278
(9) User-Name = "test"
(9) Service-Type = Framed-User
(9) NAS-IP-Address = 192.168.2.250
(9) NAS-Port = 10
(9) NAS-Port-Id = "10"
(9) State = 0x714e61bf774678fd13de40933f3a43c8
(9) Called-Station-Id = "0E-0B-6B-2F-12-67:domain 8021X"
(9) Calling-Station-Id = "B8-E8-56-41-2C-2A"
(9) Connect-Info = "CONNECT 54 Mbps 802.11g"
(9) NAS-Identifier = "AP-domain01"
(9) NAS-Port-Type = Wireless-802.11
(9) Framed-MTU = 1500
(9) EAP-Message =
0x0208005b1900170301005041a588e579c1a63e94555d08bea2166f123e059dea3d7f8a17bc
bfd8e4f4a54c876ceee7b33a4a101a4afd0dc078e77a3c8163b76b6c9e9567e6954214f5e1ec
01cdafcd013db92c58ae136658519d20
(9) Message-Authenticator = 0xac0b3e273dede594c80988c13eaafd54
(9) session-state: No cached attributes
(9) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/domain
(9) authorize {
(9) [files] = noop
(9) [preprocess] = ok
(9) suffix: Checking for suffix after "@"
(9) suffix: No '@' in User-Name = "test", looking up realm NULL
(9) suffix: No such realm "NULL"
(9) [suffix] = noop
(9) eap: Peer sent EAP Response (code 2) ID 8 length 91
(9) eap: Continuing tunnel setup
(9) [eap] = ok
(9) } # authorize = ok
(9) Found Auth-Type = EAP
(9) # Executing group from file /usr/local/etc/raddb/sites-enabled/domain
(9) authenticate {
(9) eap: Expiring EAP session with state 0xbd1845cebd105fc4
(9) eap: Finished EAP session with state 0x714e61bf774678fd
(9) eap: Previous EAP request found for state 0x714e61bf774678fd, released
from the list
(9) eap: Peer sent packet with method EAP PEAP (25)
(9) eap: Calling submodule eap_peap to process data
(9) eap_peap: Continuing EAP-TLS
(9) eap_peap: [eaptls verify] = ok
(9) eap_peap: Done initial handshake
(9) eap_peap: [eaptls process] = ok
(9) eap_peap: Session established. Decoding tunneled attributes
(9) eap_peap: PEAP state phase2
(9) eap_peap: EAP method MSCHAPv2 (26)
(9) eap_peap: Got tunneled request
(9) eap_peap: EAP-Message =
0x0208003f1a0208003a316670e0343c5cde7c22158c2f3b1e05bd0000000000000000e36cbc
3c625721798db23c5fc199979df656a52246010d310074657374
(9) eap_peap: Setting User-Name to test
(9) eap_peap: Sending tunneled request to inner-tunnel
(9) eap_peap: EAP-Message =
0x0208003f1a0208003a316670e0343c5cde7c22158c2f3b1e05bd0000000000000000e36cbc
3c625721798db23c5fc199979df656a52246010d310074657374
(9) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(9) eap_peap: User-Name = "test"
(9) eap_peap: State = 0xbd1845cebd105fc4a22a1c51082d7ecf
(9) Virtual server inner-tunnel received request
(9) EAP-Message =
0x0208003f1a0208003a316670e0343c5cde7c22158c2f3b1e05bd0000000000000000e36cbc
3c625721798db23c5fc199979df656a52246010d310074657374
(9) FreeRADIUS-Proxied-To = 127.0.0.1
(9) User-Name = "test"
(9) State = 0xbd1845cebd105fc4a22a1c51082d7ecf
(9) server inner-tunnel {
(9) session-state: No cached attributes
(9) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/inner-tunnel-domain
(9) authorize {
(9) [files] = noop
(9) [mschap] = noop
(9) suffix: Checking for suffix after "@"
(9) suffix: No '@' in User-Name = "test", looking up realm NULL
(9) suffix: No such realm "NULL"
(9) [suffix] = noop
(9) update control {
(9) Proxy-To-Realm := LOCAL
(9) } # update control = noop
(9) eap: Peer sent EAP Response (code 2) ID 8 length 63
(9) eap: No EAP Start, assuming it's an on-going EAP conversation
(9) [eap] = updated
(9) [expiration] = noop
(9) [logintime] = noop
rlm_ldap (ldap_domain): Closing connection (2): Hit idle_timeout, was idle
for 211 seconds
rlm_ldap (ldap_domain): Closing connection (3): Hit idle_timeout, was idle
for 211 seconds
rlm_ldap (ldap_domain): Closing connection (4): Hit idle_timeout, was idle
for 211 seconds
rlm_ldap (ldap_domain): Closing connection (0): Hit idle_timeout, was idle
for 202 seconds
rlm_ldap (ldap_domain): You probably need to lower "min"
rlm_ldap (ldap_domain): Closing connection (5): Hit idle_timeout, was idle
for 202 seconds
rlm_ldap (ldap_domain): You probably need to lower "min"
rlm_ldap (ldap_domain): Closing connection (1): Hit idle_timeout, was idle
for 202 seconds
rlm_ldap (ldap_domain): You probably need to lower "min"
rlm_ldap (ldap_domain): 0 of 0 connections in use. You may need to increase
"spare"
rlm_ldap (ldap_domain): Opening additional connection (6), 1 of 32 pending
slots used
rlm_ldap (ldap_domain): Connecting to ldap://dc.domain.local:389
rlm_ldap (ldap_domain): Waiting for bind result...
rlm_ldap (ldap_domain): Bind successful
rlm_ldap (ldap_domain): Reserved connection (6)
(9) ldap_domain: EXPAND
(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})
(9) ldap_domain: --> (sAMAccountName=test)
(9) ldap_domain: Performing search in "cn=Users,dc=domain,dc=local" with
filter "(sAMAccountName=test)", scope "sub"
(9) ldap_domain: Waiting for search result...
(9) ldap_domain: User object found at DN "CN=Test
TEST,CN=Users,DC=domain,DC=local"
(9) ldap_domain: Processing user attributes
(9) ldap_domain: WARNING: No "known good" password added. Ensure the admin
user has permission to read the password attribute
(9) ldap_domain: WARNING: PAP authentication will NOT work with Active
Directory (if that is what you were trying to configure)
rlm_ldap (ldap_domain): Released connection (6)
rlm_ldap (ldap_domain): Need 2 more connections to reach 10 spares
rlm_ldap (ldap_domain): Opening additional connection (7), 1 of 31 pending
slots used
rlm_ldap (ldap_domain): Connecting to ldap://dc.domain.local:389
rlm_ldap (ldap_domain): Waiting for bind result...
rlm_ldap (ldap_domain): Bind successful
(9) [ldap_domain] = ok
(9) if ((ok || updated) && User-Password) {
(9) if ((ok || updated) && User-Password) -> FALSE
(9) [pap] = noop
(9) if (User-Password) {
(9) if (User-Password) -> FALSE
(9) } # authorize = updated
(9) Found Auth-Type = EAP
(9) # Executing group from file
/usr/local/etc/raddb/sites-enabled/inner-tunnel-domain
(9) authenticate {
(9) eap: Expiring EAP session with state 0xbd1845cebd105fc4
(9) eap: Finished EAP session with state 0xbd1845cebd105fc4
(9) eap: Previous EAP request found for state 0xbd1845cebd105fc4, released
from the list
(9) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(9) eap: Calling submodule eap_mschapv2 to process data
(9) eap_mschapv2: # Executing group from file
/usr/local/etc/raddb/sites-enabled/inner-tunnel-domain
(9) eap_mschapv2: Auth-Type MS-CHAP {
(9) mschap: WARNING: No Cleartext-Password configured. Cannot create
NT-Password
(9) mschap: WARNING: No Cleartext-Password configured. Cannot create
LM-Password
(9) mschap: Creating challenge hash with username: test
(9) mschap: Client is using MS-CHAPv2
(9) mschap: ERROR: FAILED: No NT/LM-Password. Cannot perform authentication
(9) mschap: ERROR: MS-CHAP2-Response is incorrect
(9) [mschap] = reject
(9) } # Auth-Type MS-CHAP = reject
(9) eap: Sending EAP Failure (code 4) ID 8 length 4
(9) eap: Freeing handler
(9) [eap] = reject
(9) } # authenticate = reject
(9) Failed to authenticate the user
(9) Using Post-Auth-Type Reject
(9) Post-Auth-Type sub-section not found. Ignoring.
(9) } # server inner-tunnel
(9) Virtual server sending reply
(9) MS-CHAP-Error = "\010E=691 R=1 C=12a7b91273b8d4ea014f8d6353762c6f V=3
M=Authentication failed"
(9) EAP-Message = 0x04080004
(9) Message-Authenticator = 0x00000000000000000000000000000000
(9) eap_peap: Got tunneled reply code 3
(9) eap_peap: MS-CHAP-Error = "\010E=691 R=1
C=12a7b91273b8d4ea014f8d6353762c6f V=3 M=Authentication failed"
(9) eap_peap: EAP-Message = 0x04080004
(9) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(9) eap_peap: Got tunneled reply RADIUS code 3
(9) eap_peap: MS-CHAP-Error = "\010E=691 R=1
C=12a7b91273b8d4ea014f8d6353762c6f V=3 M=Authentication failed"
(9) eap_peap: EAP-Message = 0x04080004
(9) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(9) eap_peap: Tunneled authentication was rejected
(9) eap_peap: FAILURE
(9) eap: Sending EAP Request (code 1) ID 9 length 43
(9) eap: EAP session adding &reply:State = 0x714e61bf764778fd
(9) [eap] = handled
(9) } # authenticate = handled
(9) Using Post-Auth-Type Challenge
(9) Post-Auth-Type sub-section not found. Ignoring.
(9) Sent Access-Challenge Id 14 from 192.168.8.27:1812 to 192.168.2.250:3072
length 0
(9) EAP-Message =
0x0109002b19001703010020b8c28870cb31e457ad24447c2dad4915f836138d395b9e74200f
e48a71906242
(9) Message-Authenticator = 0x00000000000000000000000000000000
(9) State = 0x714e61bf764778fd13de40933f3a43c8
(9) Finished request
Waking up in 4.9 seconds.
(10) Received Access-Request Id 10 from 192.168.2.250:3072 to
192.168.8.27:1812 length 230
(10) User-Name = "test"
(10) Service-Type = Framed-User
(10) NAS-IP-Address = 192.168.2.250
(10) NAS-Port = 10
(10) NAS-Port-Id = "10"
(10) State = 0x714e61bf764778fd13de40933f3a43c8
(10) Called-Station-Id = "0E-0B-6B-2F-12-67:domain 8021X"
(10) Calling-Station-Id = "B8-E8-56-41-2C-2A"
(10) Connect-Info = "CONNECT 54 Mbps 802.11g"
(10) NAS-Identifier = "AP-domain01"
(10) NAS-Port-Type = Wireless-802.11
(10) Framed-MTU = 1500
(10) EAP-Message =
0x0209002b190017030100209f64c67a9a32761683b0d21eb6f28bfb8a42fa0a50d6ef3dfbf3
815d7511e4a1
(10) Message-Authenticator = 0x26f3267a7372bfa1b0f71a27ccba5c9f
(10) session-state: No cached attributes
(10) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/domain
(10) authorize {
(10) [files] = noop
(10) [preprocess] = ok
(10) suffix: Checking for suffix after "@"
(10) suffix: No '@' in User-Name = "test", looking up realm NULL
(10) suffix: No such realm "NULL"
(10) [suffix] = noop
(10) eap: Peer sent EAP Response (code 2) ID 9 length 43
(10) eap: Continuing tunnel setup
(10) [eap] = ok
(10) } # authorize = ok
(10) Found Auth-Type = EAP
(10) # Executing group from file /usr/local/etc/raddb/sites-enabled/domain
(10) authenticate {
(10) eap: Expiring EAP session with state 0x714e61bf764778fd
(10) eap: Finished EAP session with state 0x714e61bf764778fd
(10) eap: Previous EAP request found for state 0x714e61bf764778fd, released
from the list
(10) eap: Peer sent packet with method EAP PEAP (25)
(10) eap: Calling submodule eap_peap to process data
(10) eap_peap: Continuing EAP-TLS
(10) eap_peap: [eaptls verify] = ok
(10) eap_peap: Done initial handshake
(10) eap_peap: [eaptls process] = ok
(10) eap_peap: Session established. Decoding tunneled attributes
(10) eap_peap: PEAP state send tlv failure
(10) eap_peap: Received EAP-TLV response
(10) eap_peap: The users session was previously rejected: returning reject
(again.)
(10) eap_peap: This means you need to read the PREVIOUS messages in the
debug output
(10) eap_peap: to find out the reason why the user was rejected
(10) eap_peap: Look for "reject" or "fail". Those earlier messages will tell
you
(10) eap_peap: what went wrong, and how to fix the problem
(10) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module
failed
(10) eap: Sending EAP Failure (code 4) ID 9 length 4
(10) eap: Failed in EAP select
(10) [eap] = invalid
(10) } # authenticate = invalid
(10) Failed to authenticate the user
(10) Using Post-Auth-Type Reject
(10) Post-Auth-Type sub-section not found. Ignoring.
(10) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(10) Sending delayed response
(10) Sent Access-Reject Id 10 from 192.168.8.27:1812 to 192.168.2.250:3072
length 44
(10) EAP-Message = 0x04090004
(10) Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.
(9) Cleaning up request packet ID 14 with timestamp +211
(10) Cleaning up request packet ID 10 with timestamp +211
Ready to process requests
default site:
server default {
listen {
type = auth
ipaddr = *
port = 0
# clients = per_socket_clients
limit {
max_connections = 0
lifetime = 0
idle_timeout = 30
}
}
listen {
ipaddr = *
port = 0
type = acct
# interface = eth0
# clients = per_socket_clients
limit {
idle_timeout = 0
lifetime = 0
max_connections = 0
}
}
authorize {
files
preprocess
suffix
eap {
ok = return
}
expiration
logintime
}
authenticate {
eap
}
preacct {
}
accounting {
detail
sql_domain
}
session {
radutmp
sql_domain
}
post-auth {
}
pre-proxy {
}
post-proxy {
}
}
inner-tunnel site:
server inner-tunnel {
listen {
ipaddr = 127.0.0.1
port = 18120
type = auth
}
authorize {
files
mschap
suffix
update control {
Proxy-To-Realm := LOCAL
}
eap {
ok = return
}
expiration
logintime
ldap_domain
if ((ok || updated) && User-Password) {
update {
control:Auth-Type := ldap
}
}
pap
if (User-Password) {
update control {
Auth-Type := ldap
}
}
}
authenticate {
Auth-Type PAP {
#ldap_domain
pap
}
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
Auth-Type LDAP {
ldap_domain
}
ldap_domain
eap
}
session {
radutmp
}
post-auth {
}
pre-proxy {
}
post-proxy {
}
}
eap configuration:
eap {
default_eap_type = peap
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = ${max_requests}
md5 {
}
leap {
}
gtc {
auth_type = PAP
}
tls-config tls-common {
private_key_password = whatever
private_key_file = ${certdir}/nedeco/aaa.nedeco.local.key
certificate_file = ${certdir}/nedeco/aaa.nedeco.local.pem
ca_file = ${cadir}/nedeco/nedeco_CA.pem
dh_file = ${certdir}/dh
random_file = /dev/urandom
ca_path = ${cadir}
cipher_list = "DEFAULT"
ecdh_curve = "prime256v1"
cache {
enable = no
lifetime = 24 # hours
max_entries = 255
}
verify {
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
}
}
tls {
tls = tls-common
}
ttls {
}
peap {
tls = tls-common
default_eap_type = mschapv2
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = no
virtual_server = "inner-tunnel"
}
mschapv2 {
}
}
the chap configuration:
chap {
# no configuration
}
the mschap configuration
mschap {
use_mppe = yes
require_encryption = yes
require_strong = yes
with_ntdomain_hack = yes
pool {
start = ${thread[pool].start_servers}
min = ${thread[pool].min_spare_servers}
max = ${thread[pool].max_servers}
spare = ${thread[pool].max_spare_servers}
uses = 0
retry_delay = 30
lifetime = 86400
cleanup_interval = 300
idle_timeout = 600
}
passchange {
}
retry_msg = "Re-enter (or reset) the password"
}
ldap configuration:
ldap ldap_domain {
server = 'dc.domain.local'
port = 389
identity = 'cn=Administrator,cn=Users,dc=domain,dc=local'
password = password
base_dn = 'cn=Users,dc=domain,dc=local'
sasl {
realm = 'domain.local'
}
update {
control:Password-With-Header += 'userPassword'
control:NT-Password := 'ntPassword'
control: += 'radiusControlAttribute'
request: += 'radiusRequestAttribute'
reply: += 'radiusReplyAttribute'
}
edir_autz = yes
user {
base_dn = "${..base_dn}"
filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
sasl {
}
scope = 'sub'
}
group {
base_dn = "${..base_dn}"
filter = '(objectClass=posixGroup)'
membership_attribute = 'memberOf'
}
profile {
}
client {
base_dn = "${..base_dn}"
filter = '(objectClass=radiusClient)'
}
attribute {
ipaddr = 'radiusClientIdentifier'
secret = 'radiusClientSecret'
}
}
accounting {
reference = "%{tolower:type.%{Acct-Status-Type}}"
type {
start {
update {
description := "Online at %S"
}
}
interim-update {
update {
description := "Last seen at %S"
}
}
stop {
update {
description := "Offline at %S"
}
}
}
}
post-auth {
update {
description := "Authenticated at %S"
}
}
options {
chase_referrals = yes
rebind = yes
res_timeout = 10
srv_timelimit = 3
net_timeout = 1
idle = 60
probes = 3
interval = 3
ldap_debug = 0x0028
}
tls {
start_tls = yes
require_cert = 'never'
}
pool {
start = ${thread[pool].start_servers}
min = ${thread[pool].min_spare_servers}
max = ${thread[pool].max_servers}
spare = ${thread[pool].max_spare_servers}
uses = 0
retry_delay = 30
lifetime = 0
idle_timeout = 60
}
}
radius Version: radiusd: FreeRADIUS Version 3.0.11 (git #7a659a2), for host
x86_64-unknown-linux-gnu, built on Oct 7 2015 at 15:23:07
with user bob over console:
(0) Received Access-Request Id 213 from 127.0.0.1:45282 to 127.0.0.1:18120
length 73
(0) User-Name = "bob"
(0) User-Password = "hello"
(0) NAS-IP-Address = 192.168.8.27
(0) NAS-Port = 0
(0) Message-Authenticator = 0xbed4902174d4f8ff5f36492af1ae51de
(0) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/inner-tunnel-domain
(0) authorize {
(0) files: users: Matched entry bob at line 69
(0) [files] = ok
(0) [mschap] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "bob", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) update control {
(0) Proxy-To-Realm := LOCAL
(0) } # update control = noop
(0) eap: No EAP-Message, not doing EAP
(0) [eap] = noop
(0) [expiration] = noop
(0) [logintime] = noop
rlm_ldap (ldap_domain): Reserved connection (0)
(0) ldap_domain: EXPAND
(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})
(0) ldap_domain: --> (sAMAccountName=bob)
(0) ldap_domain: Performing search in "cn=Users,dc=domain,dc=local" with
filter "(sAMAccountName=bob)", scope "sub"
(0) ldap_domain: Waiting for search result...
(0) ldap_domain: Search returned no results
rlm_ldap (ldap_domain): Released connection (0)
rlm_ldap (ldap_domain): Need 5 more connections to reach 10 spares
rlm_ldap (ldap_domain): Opening additional connection (5), 1 of 27 pending
slots used
rlm_ldap (ldap_domain): Connecting to ldap://dc.domain.local:389
rlm_ldap (ldap_domain): Waiting for bind result...
rlm_ldap (ldap_domain): Bind successful
(0) [ldap_domain] = notfound
(0) if ((ok || updated) && User-Password) {
(0) if ((ok || updated) && User-Password) -> FALSE
(0) [pap] = updated
(0) if (User-Password) {
(0) if (User-Password) -> TRUE
(0) if (User-Password) {
(0) update control {
(0) Auth-Type := LDAP
(0) } # update control = noop
(0) } # if (User-Password) = noop
(0) } # authorize = updated
(0) Found Auth-Type = LDAP
(0) # Executing group from file
/usr/local/etc/raddb/sites-enabled/inner-tunnel-domain
(0) Auth-Type LDAP {
rlm_ldap (ldap_domain): Reserved connection (1)
(0) ldap_domain: Login attempt by "bob"
(0) ldap_domain: EXPAND
(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})
(0) ldap_domain: --> (sAMAccountName=bob)
(0) ldap_domain: Performing search in "cn=Users,dc=domain,dc=local" with
filter "(sAMAccountName=bob)", scope "sub"
(0) ldap_domain: Waiting for search result...
(0) ldap_domain: Search returned no results
rlm_ldap (ldap_domain): Released connection (1)
(0) [ldap_domain] = notfound
(0) } # Auth-Type LDAP = notfound
(0) Failed to authenticate the user
(0) Using Post-Auth-Type Reject
(0) Post-Auth-Type sub-section not found. Ignoring.
(0) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(0) Sending delayed response
(0) Sent Access-Reject Id 213 from 127.0.0.1:18120 to 127.0.0.1:45282 length
20
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 213 with timestamp +5
Ready to process requests
with user bob over AccessPoint:
(1) Received Access-Request Id 155 from 192.168.2.250:3072 to
192.168.8.27:1812 length 176
(1) User-Name = "bob"
(1) Service-Type = Framed-User
(1) NAS-IP-Address = 192.168.2.250
(1) NAS-Port = 10
(1) NAS-Port-Id = "10"
(1) Called-Station-Id = "0E-0B-6B-2F-12-67:domain 8021X"
(1) Calling-Station-Id = "B8-E8-56-41-2C-2A"
(1) Connect-Info = "CONNECT 54 Mbps 802.11g"
(1) NAS-Identifier = "AP-domain01"
(1) NAS-Port-Type = Wireless-802.11
(1) Framed-MTU = 1500
(1) EAP-Message = 0x0201000801626f62
(1) Message-Authenticator = 0x4680895a204b3df7d15d82558ff9e6ea
(1) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/domain
(1) authorize {
(1) files: users: Matched entry bob at line 69
(1) [files] = ok
(1) [preprocess] = ok
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "bob", looking up realm NULL
(1) suffix: No such realm "NULL"
(1) [suffix] = noop
(1) eap: Peer sent EAP Response (code 2) ID 1 length 8
(1) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest
of authorize
(1) [eap] = ok
(1) } # authorize = ok
(1) Found Auth-Type = EAP
(1) # Executing group from file /usr/local/etc/raddb/sites-enabled/domain
(1) authenticate {
(1) eap: Peer sent packet with method EAP Identity (1)
(1) eap: Calling submodule eap_peap to process data
(1) eap_peap: Initiating new EAP-TLS session
(1) eap_peap: [eaptls start] = request
(1) eap: Sending EAP Request (code 1) ID 2 length 6
(1) eap: EAP session adding &reply:State = 0x7322fa167320e364
(1) [eap] = handled
(1) } # authenticate = handled
(1) Using Post-Auth-Type Challenge
(1) Post-Auth-Type sub-section not found. Ignoring.
(1) Sent Access-Challenge Id 155 from 192.168.8.27:1812 to
192.168.2.250:3072 length 0
(1) EAP-Message = 0x010200061920
(1) Message-Authenticator = 0x00000000000000000000000000000000
(1) State = 0x7322fa167320e3641bb25e163c98a49d
(1) Finished request
Waking up in 4.9 seconds.
(2) Received Access-Request Id 219 from 192.168.2.250:3072 to
192.168.8.27:1812 length 338
(2) User-Name = "bob"
(2) Service-Type = Framed-User
(2) NAS-IP-Address = 192.168.2.250
(2) NAS-Port = 10
(2) NAS-Port-Id = "10"
(2) State = 0x7322fa167320e3641bb25e163c98a49d
(2) Called-Station-Id = "0E-0B-6B-2F-12-67:domain 8021X"
(2) Calling-Station-Id = "B8-E8-56-41-2C-2A"
(2) Connect-Info = "CONNECT 54 Mbps 802.11g"
(2) NAS-Identifier = "AP-domain01"
(2) NAS-Port-Type = Wireless-802.11
(2) Framed-MTU = 1500
(2) EAP-Message =
0x0202009819800000008e1603010089010000850301561634f097408b8f9058fa38f1f34ce4
854696e71aebecb3ae3cd9850b14d4cc00004a00ffc024c023c00ac009c008c028c027c014c0
13c012c026c025c005c004c003c02ac029c00fc00ec00d006b0067003900330016003d003c00
35002f000ac0
(2) Message-Authenticator = 0x5309b752e9ed063e669ba97b7c937db8
(2) session-state: No cached attributes
(2) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/domain
(2) authorize {
(2) files: users: Matched entry bob at line 69
(2) [files] = ok
(2) [preprocess] = ok
(2) suffix: Checking for suffix after "@"
(2) suffix: No '@' in User-Name = "bob", looking up realm NULL
(2) suffix: No such realm "NULL"
(2) [suffix] = noop
(2) eap: Peer sent EAP Response (code 2) ID 2 length 152
(2) eap: Continuing tunnel setup
(2) [eap] = ok
(2) } # authorize = ok
(2) Found Auth-Type = EAP
(2) # Executing group from file /usr/local/etc/raddb/sites-enabled/domain
(2) authenticate {
(2) eap: Expiring EAP session with state 0x7322fa167320e364
(2) eap: Finished EAP session with state 0x7322fa167320e364
(2) eap: Previous EAP request found for state 0x7322fa167320e364, released
from the list
(2) eap: Peer sent packet with method EAP PEAP (25)
(2) eap: Calling submodule eap_peap to process data
(2) eap_peap: Continuing EAP-TLS
(2) eap_peap: Peer indicated complete TLS record size will be 142 bytes
(2) eap_peap: Got complete TLS record (142 bytes)
(2) eap_peap: [eaptls verify] = length included
(2) eap_peap: (other): before/accept initialization
(2) eap_peap: TLS_accept: before/accept initialization
(2) eap_peap: <<< TLS 1.0 Handshake [length 0089], ClientHello
(2) eap_peap: TLS_accept: SSLv3 read client hello A
(2) eap_peap: >>> TLS 1.0 Handshake [length 0039], ServerHello
(2) eap_peap: TLS_accept: SSLv3 write server hello A
(2) eap_peap: >>> TLS 1.0 Handshake [length 0964], Certificate
(2) eap_peap: TLS_accept: SSLv3 write certificate A
(2) eap_peap: >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange
(2) eap_peap: TLS_accept: SSLv3 write key exchange A
(2) eap_peap: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
(2) eap_peap: TLS_accept: SSLv3 write server done A
(2) eap_peap: TLS_accept: SSLv3 flush data
(2) eap_peap: TLS_accept: Need to read more data: SSLv3 read client
certificate A
(2) eap_peap: TLS_accept: Need to read more data: SSLv3 read client
certificate A
(2) eap_peap: In SSL Handshake Phase
(2) eap_peap: In SSL Accept mode
(2) eap_peap: [eaptls process] = handled
(2) eap: Sending EAP Request (code 1) ID 3 length 1004
(2) eap: EAP session adding &reply:State = 0x7322fa167221e364
(2) [eap] = handled
(2) } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) Post-Auth-Type sub-section not found. Ignoring.
(2) Sent Access-Challenge Id 219 from 192.168.8.27:1812 to
192.168.2.250:3072 length 0
(2) EAP-Message =
0x010303ec19c000000b001603010039020000350301da2dfe903d7c37a7634c8742deb0c9de
5ef2b5d7f4c0d4d8d1697deec243cc5600c01400000dff01000100000b000403000102160301
09640b00096000095d0005a7308205a33082048ba0030201020213720000003379461d9f383b
20c900010000
(2) Message-Authenticator = 0x00000000000000000000000000000000
(2) State = 0x7322fa167221e3641bb25e163c98a49d
(2) Finished request
Waking up in 4.9 seconds.
(1) Cleaning up request packet ID 155 with timestamp +61
(2) Cleaning up request packet ID 219 with timestamp +61
Ready to process requests
(3) Received Access-Request Id 54 from 192.168.2.250:3072 to
192.168.8.27:1812 length 192
(3) User-Name = "bob"
(3) Service-Type = Framed-User
(3) NAS-IP-Address = 192.168.2.250
(3) NAS-Port = 10
(3) NAS-Port-Id = "10"
(3) State = 0x7322fa167221e3641bb25e163c98a49d
(3) Called-Station-Id = "0E-0B-6B-2F-12-67:domain 8021X"
(3) Calling-Station-Id = "B8-E8-56-41-2C-2A"
(3) Connect-Info = "CONNECT 54 Mbps 802.11g"
(3) NAS-Identifier = "AP-domain01"
(3) NAS-Port-Type = Wireless-802.11
(3) Framed-MTU = 1500
(3) EAP-Message = 0x020300061900
(3) Message-Authenticator = 0xa70b8b8371dc21e4a3352e99bad8a487
(3) session-state: No cached attributes
(3) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/domain
(3) authorize {
(3) files: users: Matched entry bob at line 69
(3) [files] = ok
(3) [preprocess] = ok
(3) suffix: Checking for suffix after "@"
(3) suffix: No '@' in User-Name = "bob", looking up realm NULL
(3) suffix: No such realm "NULL"
(3) [suffix] = noop
(3) eap: Peer sent EAP Response (code 2) ID 3 length 6
(3) eap: Continuing tunnel setup
(3) [eap] = ok
(3) } # authorize = ok
(3) Found Auth-Type = EAP
(3) # Executing group from file /usr/local/etc/raddb/sites-enabled/domain
(3) authenticate {
(3) eap: Expiring EAP session with state 0x7322fa167221e364
(3) eap: Finished EAP session with state 0x7322fa167221e364
(3) eap: Previous EAP request found for state 0x7322fa167221e364, released
from the list
(3) eap: Peer sent packet with method EAP PEAP (25)
(3) eap: Calling submodule eap_peap to process data
(3) eap_peap: Continuing EAP-TLS
(3) eap_peap: Peer ACKed our handshake fragment
(3) eap_peap: [eaptls verify] = request
(3) eap_peap: [eaptls process] = handled
(3) eap: Sending EAP Request (code 1) ID 4 length 1000
(3) eap: EAP session adding &reply:State = 0x7322fa167126e364
(3) [eap] = handled
(3) } # authenticate = handled
(3) Using Post-Auth-Type Challenge
(3) Post-Auth-Type sub-section not found. Ignoring.
(3) Sent Access-Challenge Id 54 from 192.168.8.27:1812 to 192.168.2.250:3072
length 0
(3) EAP-Message =
0x010403e81940b53081b206082b060105050730028681a56c6461703a2f2f2f434e3d6e6564
65636f253230476d624825323043412c434e3d4149412c434e3d5075626c69632532304b6579
25323053657276696365732c434e3d53657276696365732c434e3d436f6e6669677572617469
6f6e2c44433d
(3) Message-Authenticator = 0x00000000000000000000000000000000
(3) State = 0x7322fa167126e3641bb25e163c98a49d
(3) Finished request
Waking up in 4.9 seconds.
(4) Received Access-Request Id 29 from 192.168.2.250:3072 to
192.168.8.27:1812 length 192
(4) User-Name = "bob"
(4) Service-Type = Framed-User
(4) NAS-IP-Address = 192.168.2.250
(4) NAS-Port = 10
(4) NAS-Port-Id = "10"
(4) State = 0x7322fa167126e3641bb25e163c98a49d
(4) Called-Station-Id = "0E-0B-6B-2F-12-67:domain 8021X"
(4) Calling-Station-Id = "B8-E8-56-41-2C-2A"
(4) Connect-Info = "CONNECT 54 Mbps 802.11g"
(4) NAS-Identifier = "AP-domain01"
(4) NAS-Port-Type = Wireless-802.11
(4) Framed-MTU = 1500
(4) EAP-Message = 0x020400061900
(4) Message-Authenticator = 0x841ce2c1c9b797b25c3aff5bba5e059d
(4) session-state: No cached attributes
(4) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/domain
(4) authorize {
(4) files: users: Matched entry bob at line 69
(4) [files] = ok
(4) [preprocess] = ok
(4) suffix: Checking for suffix after "@"
(4) suffix: No '@' in User-Name = "bob", looking up realm NULL
(4) suffix: No such realm "NULL"
(4) [suffix] = noop
(4) eap: Peer sent EAP Response (code 2) ID 4 length 6
(4) eap: Continuing tunnel setup
(4) [eap] = ok
(4) } # authorize = ok
(4) Found Auth-Type = EAP
(4) # Executing group from file /usr/local/etc/raddb/sites-enabled/domain
(4) authenticate {
(4) eap: Expiring EAP session with state 0x7322fa167126e364
(4) eap: Finished EAP session with state 0x7322fa167126e364
(4) eap: Previous EAP request found for state 0x7322fa167126e364, released
from the list
(4) eap: Peer sent packet with method EAP PEAP (25)
(4) eap: Calling submodule eap_peap to process data
(4) eap_peap: Continuing EAP-TLS
(4) eap_peap: Peer ACKed our handshake fragment
(4) eap_peap: [eaptls verify] = request
(4) eap_peap: [eaptls process] = handled
(4) eap: Sending EAP Request (code 1) ID 5 length 834
(4) eap: EAP session adding &reply:State = 0x7322fa167027e364
(4) [eap] = handled
(4) } # authenticate = handled
(4) Using Post-Auth-Type Challenge
(4) Post-Auth-Type sub-section not found. Ignoring.
(4) Sent Access-Challenge Id 29 from 192.168.8.27:1812 to 192.168.2.250:3072
length 0
(4) EAP-Message =
0x01050342190068d99b627f3ca6561e6c1dcd0e8bb529b85d2515a36c2ba6f906ee9a223e61
9decfff2f24ef8674307735d591964d50ac988776a55970203010001a3819130818e30130609
2b060104018237140204061e0400430041300e0603551d0f0101ff040403020186300f060355
1d130101ff04
(4) Message-Authenticator = 0x00000000000000000000000000000000
(4) State = 0x7322fa167027e3641bb25e163c98a49d
(4) Finished request
Waking up in 4.9 seconds.
(5) Received Access-Request Id 215 from 192.168.2.250:3072 to
192.168.8.27:1812 length 330
(5) User-Name = "bob"
(5) Service-Type = Framed-User
(5) NAS-IP-Address = 192.168.2.250
(5) NAS-Port = 10
(5) NAS-Port-Id = "10"
(5) State = 0x7322fa167027e3641bb25e163c98a49d
(5) Called-Station-Id = "0E-0B-6B-2F-12-67:domain 8021X"
(5) Calling-Station-Id = "B8-E8-56-41-2C-2A"
(5) Connect-Info = "CONNECT 54 Mbps 802.11g"
(5) NAS-Identifier = "AP-domain01"
(5) NAS-Port-Type = Wireless-802.11
(5) Framed-MTU = 1500
(5) EAP-Message =
0x0205009019800000008616030100461000004241048075a5ca05d012d0fd77b0f9e1664c5c
e577eda72a1368e0a8e78fd9072b0a6e04ce9f7f3cb1339ca9fd58bdc40e0afce833807f1c40
35e532e91d07e8d45fdb1403010001011603010030bff39ef9cf9a0400269ae5fd8888ba5c49
40b72599bca5
(5) Message-Authenticator = 0xfaa49416d762fdf0846428951f176829
(5) session-state: No cached attributes
(5) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/domain
(5) authorize {
(5) files: users: Matched entry bob at line 69
(5) [files] = ok
(5) [preprocess] = ok
(5) suffix: Checking for suffix after "@"
(5) suffix: No '@' in User-Name = "bob", looking up realm NULL
(5) suffix: No such realm "NULL"
(5) [suffix] = noop
(5) eap: Peer sent EAP Response (code 2) ID 5 length 144
(5) eap: Continuing tunnel setup
(5) [eap] = ok
(5) } # authorize = ok
(5) Found Auth-Type = EAP
(5) # Executing group from file /usr/local/etc/raddb/sites-enabled/domain
(5) authenticate {
(5) eap: Expiring EAP session with state 0x7322fa167027e364
(5) eap: Finished EAP session with state 0x7322fa167027e364
(5) eap: Previous EAP request found for state 0x7322fa167027e364, released
from the list
(5) eap: Peer sent packet with method EAP PEAP (25)
(5) eap: Calling submodule eap_peap to process data
(5) eap_peap: Continuing EAP-TLS
(5) eap_peap: Peer indicated complete TLS record size will be 134 bytes
(5) eap_peap: Got complete TLS record (134 bytes)
(5) eap_peap: [eaptls verify] = length included
(5) eap_peap: <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange
(5) eap_peap: TLS_accept: SSLv3 read client key exchange A
(5) eap_peap: <<< TLS 1.0 ChangeCipherSpec length 0001 eap_peap: <<< TLS 1.0
Handshake [length 0010], Finished
(5) eap_peap: TLS_accept: SSLv3 read finished A
(5) eap_peap: >>> TLS 1.0 ChangeCipherSpec length 0001 eap_peap: TLS_accept:
SSLv3 write change cipher spec A
(5) eap_peap: >>> TLS 1.0 Handshake [length 0010], Finished
(5) eap_peap: TLS_accept: SSLv3 write finished A
(5) eap_peap: TLS_accept: SSLv3 flush data
(5) eap_peap: (other): SSL negotiation finished successfully
(5) eap_peap: SSL Connection Established
(5) eap_peap: [eaptls process] = handled
(5) eap: Sending EAP Request (code 1) ID 6 length 65
(5) eap: EAP session adding &reply:State = 0x7322fa167724e364
(5) [eap] = handled
(5) } # authenticate = handled
(5) Using Post-Auth-Type Challenge
(5) Post-Auth-Type sub-section not found. Ignoring.
(5) Sent Access-Challenge Id 215 from 192.168.8.27:1812 to
192.168.2.250:3072 length 0
(5) EAP-Message =
0x010600411900140301000101160301003055bf61e75ec8b42df54cc0a1eab6dd5e274dd8db
872c3a18e2616a373eda384dcffbfa8de45423ccb8890ee689f1f4cb
(5) Message-Authenticator = 0x00000000000000000000000000000000
(5) State = 0x7322fa167724e3641bb25e163c98a49d
(5) Finished request
Waking up in 4.8 seconds.
(6) Received Access-Request Id 116 from 192.168.2.250:3072 to
192.168.8.27:1812 length 192
(6) User-Name = "bob"
(6) Service-Type = Framed-User
(6) NAS-IP-Address = 192.168.2.250
(6) NAS-Port = 10
(6) NAS-Port-Id = "10"
(6) State = 0x7322fa167724e3641bb25e163c98a49d
(6) Called-Station-Id = "0E-0B-6B-2F-12-67:domain 8021X"
(6) Calling-Station-Id = "B8-E8-56-41-2C-2A"
(6) Connect-Info = "CONNECT 54 Mbps 802.11g"
(6) NAS-Identifier = "AP-domain01"
(6) NAS-Port-Type = Wireless-802.11
(6) Framed-MTU = 1500
(6) EAP-Message = 0x020600061900
(6) Message-Authenticator = 0xb468a031e9e011addea02301e58313cb
(6) session-state: No cached attributes
(6) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/domain
(6) authorize {
(6) files: users: Matched entry bob at line 69
(6) [files] = ok
(6) [preprocess] = ok
(6) suffix: Checking for suffix after "@"
(6) suffix: No '@' in User-Name = "bob", looking up realm NULL
(6) suffix: No such realm "NULL"
(6) [suffix] = noop
(6) eap: Peer sent EAP Response (code 2) ID 6 length 6
(6) eap: Continuing tunnel setup
(6) [eap] = ok
(6) } # authorize = ok
(6) Found Auth-Type = EAP
(6) # Executing group from file /usr/local/etc/raddb/sites-enabled/domain
(6) authenticate {
(6) eap: Expiring EAP session with state 0x7322fa167724e364
(6) eap: Finished EAP session with state 0x7322fa167724e364
(6) eap: Previous EAP request found for state 0x7322fa167724e364, released
from the list
(6) eap: Peer sent packet with method EAP PEAP (25)
(6) eap: Calling submodule eap_peap to process data
(6) eap_peap: Continuing EAP-TLS
(6) eap_peap: Peer ACKed our handshake fragment. handshake is finished
(6) eap_peap: [eaptls verify] = success
(6) eap_peap: [eaptls process] = success
(6) eap_peap: Session established. Decoding tunneled attributes
(6) eap_peap: PEAP state TUNNEL ESTABLISHED
(6) eap: Sending EAP Request (code 1) ID 7 length 43
(6) eap: EAP session adding &reply:State = 0x7322fa167625e364
(6) [eap] = handled
(6) } # authenticate = handled
(6) Using Post-Auth-Type Challenge
(6) Post-Auth-Type sub-section not found. Ignoring.
(6) Sent Access-Challenge Id 116 from 192.168.8.27:1812 to
192.168.2.250:3072 length 0
(6) EAP-Message =
0x0107002b19001703010020ba0b3d2b7d949cf1727c708a6c6ac8606201ef325b4408284fbf
4115ccf1e60c
(6) Message-Authenticator = 0x00000000000000000000000000000000
(6) State = 0x7322fa167625e3641bb25e163c98a49d
(6) Finished request
Waking up in 4.8 seconds.
(7) Received Access-Request Id 108 from 192.168.2.250:3072 to
192.168.8.27:1812 length 229
(7) User-Name = "bob"
(7) Service-Type = Framed-User
(7) NAS-IP-Address = 192.168.2.250
(7) NAS-Port = 10
(7) NAS-Port-Id = "10"
(7) State = 0x7322fa167625e3641bb25e163c98a49d
(7) Called-Station-Id = "0E-0B-6B-2F-12-67:domain 8021X"
(7) Calling-Station-Id = "B8-E8-56-41-2C-2A"
(7) Connect-Info = "CONNECT 54 Mbps 802.11g"
(7) NAS-Identifier = "AP-domain01"
(7) NAS-Port-Type = Wireless-802.11
(7) Framed-MTU = 1500
(7) EAP-Message =
0x0207002b190017030100205db45e564856f45f7af7cc0f3ec2e54ef3aab9a99f6cb2d9944b
2c53980f0bde
(7) Message-Authenticator = 0xd2092e590023b1e9af89a2d5f9927801
(7) session-state: No cached attributes
(7) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/domain
(7) authorize {
(7) files: users: Matched entry bob at line 69
(7) [files] = ok
(7) [preprocess] = ok
(7) suffix: Checking for suffix after "@"
(7) suffix: No '@' in User-Name = "bob", looking up realm NULL
(7) suffix: No such realm "NULL"
(7) [suffix] = noop
(7) eap: Peer sent EAP Response (code 2) ID 7 length 43
(7) eap: Continuing tunnel setup
(7) [eap] = ok
(7) } # authorize = ok
(7) Found Auth-Type = EAP
(7) # Executing group from file /usr/local/etc/raddb/sites-enabled/domain
(7) authenticate {
(7) eap: Expiring EAP session with state 0x7322fa167625e364
(7) eap: Finished EAP session with state 0x7322fa167625e364
(7) eap: Previous EAP request found for state 0x7322fa167625e364, released
from the list
(7) eap: Peer sent packet with method EAP PEAP (25)
(7) eap: Calling submodule eap_peap to process data
(7) eap_peap: Continuing EAP-TLS
(7) eap_peap: [eaptls verify] = ok
(7) eap_peap: Done initial handshake
(7) eap_peap: [eaptls process] = ok
(7) eap_peap: Session established. Decoding tunneled attributes
(7) eap_peap: PEAP state WAITING FOR INNER IDENTITY
(7) eap_peap: Identity - bob
(7) eap_peap: Got inner identity 'bob'
(7) eap_peap: Setting default EAP type for tunneled EAP session
(7) eap_peap: Got tunneled request
(7) eap_peap: EAP-Message = 0x0207000801626f62
(7) eap_peap: Setting User-Name to bob
(7) eap_peap: Sending tunneled request to inner-tunnel
(7) eap_peap: EAP-Message = 0x0207000801626f62
(7) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(7) eap_peap: User-Name = "bob"
(7) Virtual server inner-tunnel received request
(7) EAP-Message = 0x0207000801626f62
(7) FreeRADIUS-Proxied-To = 127.0.0.1
(7) User-Name = "bob"
(7) server inner-tunnel {
(7) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/inner-tunnel-domain
(7) authorize {
(7) files: users: Matched entry bob at line 69
(7) [files] = ok
(7) [mschap] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: No '@' in User-Name = "bob", looking up realm NULL
(7) suffix: No such realm "NULL"
(7) [suffix] = noop
(7) update control {
(7) Proxy-To-Realm := LOCAL
(7) } # update control = noop
(7) eap: Peer sent EAP Response (code 2) ID 7 length 8
(7) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest
of authorize
(7) [eap] = ok
(7) } # authorize = ok
(7) Found Auth-Type = EAP
(7) # Executing group from file
/usr/local/etc/raddb/sites-enabled/inner-tunnel-domain
(7) authenticate {
(7) eap: Peer sent packet with method EAP Identity (1)
(7) eap: Calling submodule eap_mschapv2 to process data
(7) eap_mschapv2: Issuing Challenge
(7) eap: Sending EAP Request (code 1) ID 8 length 43
(7) eap: EAP session adding &reply:State = 0xa0773c37a07f2697
(7) [eap] = handled
(7) } # authenticate = handled
(7) } # server inner-tunnel
(7) Virtual server sending reply
(7) EAP-Message =
0x0108002b1a0108002610499c5c634fd1c53afcf63e2a20dc0dbd667265657261646975732d
332e302e3131
(7) Message-Authenticator = 0x00000000000000000000000000000000
(7) State = 0xa0773c37a07f269794c91e639bc0d99c
(7) eap_peap: Got tunneled reply code 11
(7) eap_peap: EAP-Message =
0x0108002b1a0108002610499c5c634fd1c53afcf63e2a20dc0dbd667265657261646975732d
332e302e3131
(7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(7) eap_peap: State = 0xa0773c37a07f269794c91e639bc0d99c
(7) eap_peap: Got tunneled reply RADIUS code 11
(7) eap_peap: EAP-Message =
0x0108002b1a0108002610499c5c634fd1c53afcf63e2a20dc0dbd667265657261646975732d
332e302e3131
(7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(7) eap_peap: State = 0xa0773c37a07f269794c91e639bc0d99c
(7) eap_peap: Got tunneled Access-Challenge
(7) eap: Sending EAP Request (code 1) ID 8 length 75
(7) eap: EAP session adding &reply:State = 0x7322fa16752ae364
(7) [eap] = handled
(7) } # authenticate = handled
(7) Using Post-Auth-Type Challenge
(7) Post-Auth-Type sub-section not found. Ignoring.
(7) Sent Access-Challenge Id 108 from 192.168.8.27:1812 to
192.168.2.250:3072 length 0
(7) EAP-Message =
0x0108004b19001703010040d8e4f8be725dc18720efdaf547282b5b876c26c5fdbea8c05f38
0bf87ea452cdf6938d2793528a14f784d70ad64f66ebcb6998cae0cdb2ec340b208caf7adddc
(7) Message-Authenticator = 0x00000000000000000000000000000000
(7) State = 0x7322fa16752ae3641bb25e163c98a49d
(7) Finished request
Waking up in 4.8 seconds.
(8) Received Access-Request Id 50 from 192.168.2.250:3072 to
192.168.8.27:1812 length 277
(8) User-Name = "bob"
(8) Service-Type = Framed-User
(8) NAS-IP-Address = 192.168.2.250
(8) NAS-Port = 10
(8) NAS-Port-Id = "10"
(8) State = 0x7322fa16752ae3641bb25e163c98a49d
(8) Called-Station-Id = "0E-0B-6B-2F-12-67:domain 8021X"
(8) Calling-Station-Id = "B8-E8-56-41-2C-2A"
(8) Connect-Info = "CONNECT 54 Mbps 802.11g"
(8) NAS-Identifier = "AP-domain01"
(8) NAS-Port-Type = Wireless-802.11
(8) Framed-MTU = 1500
(8) EAP-Message =
0x0208005b1900170301005035d828d77a9cd3611fc5b79937ff5a2749a2d013a332137a52fe
3a206717cde550258b9914956f0b2f88dd7f4491d6d52e7b97a1fd99e59010b7e346d7692d76
8748d8d8efb3995a7d8d58863b0e3c9f
(8) Message-Authenticator = 0x27a3860baf38d3fd1d0e7f85c85a398e
(8) session-state: No cached attributes
(8) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/domain
(8) authorize {
(8) files: users: Matched entry bob at line 69
(8) [files] = ok
(8) [preprocess] = ok
(8) suffix: Checking for suffix after "@"
(8) suffix: No '@' in User-Name = "bob", looking up realm NULL
(8) suffix: No such realm "NULL"
(8) [suffix] = noop
(8) eap: Peer sent EAP Response (code 2) ID 8 length 91
(8) eap: Continuing tunnel setup
(8) [eap] = ok
(8) } # authorize = ok
(8) Found Auth-Type = EAP
(8) # Executing group from file /usr/local/etc/raddb/sites-enabled/domain
(8) authenticate {
(8) eap: Expiring EAP session with state 0xa0773c37a07f2697
(8) eap: Finished EAP session with state 0x7322fa16752ae364
(8) eap: Previous EAP request found for state 0x7322fa16752ae364, released
from the list
(8) eap: Peer sent packet with method EAP PEAP (25)
(8) eap: Calling submodule eap_peap to process data
(8) eap_peap: Continuing EAP-TLS
(8) eap_peap: [eaptls verify] = ok
(8) eap_peap: Done initial handshake
(8) eap_peap: [eaptls process] = ok
(8) eap_peap: Session established. Decoding tunneled attributes
(8) eap_peap: PEAP state phase2
(8) eap_peap: EAP method MSCHAPv2 (26)
(8) eap_peap: Got tunneled request
(8) eap_peap: EAP-Message =
0x0208003e1a02080039318c4c5187cb6d3acc25374e1a666c6ebd00000000000000005c626c
4605277cd81e771f53707290714956dfed703aa31a00626f62
(8) eap_peap: Setting User-Name to bob
(8) eap_peap: Sending tunneled request to inner-tunnel
(8) eap_peap: EAP-Message =
0x0208003e1a02080039318c4c5187cb6d3acc25374e1a666c6ebd00000000000000005c626c
4605277cd81e771f53707290714956dfed703aa31a00626f62
(8) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(8) eap_peap: User-Name = "bob"
(8) eap_peap: State = 0xa0773c37a07f269794c91e639bc0d99c
(8) Virtual server inner-tunnel received request
(8) EAP-Message =
0x0208003e1a02080039318c4c5187cb6d3acc25374e1a666c6ebd00000000000000005c626c
4605277cd81e771f53707290714956dfed703aa31a00626f62
(8) FreeRADIUS-Proxied-To = 127.0.0.1
(8) User-Name = "bob"
(8) State = 0xa0773c37a07f269794c91e639bc0d99c
(8) server inner-tunnel {
(8) session-state: No cached attributes
(8) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/inner-tunnel-domain
(8) authorize {
(8) files: users: Matched entry bob at line 69
(8) [files] = ok
(8) [mschap] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: No '@' in User-Name = "bob", looking up realm NULL
(8) suffix: No such realm "NULL"
(8) [suffix] = noop
(8) update control {
(8) Proxy-To-Realm := LOCAL
(8) } # update control = noop
(8) eap: Peer sent EAP Response (code 2) ID 8 length 62
(8) eap: No EAP Start, assuming it's an on-going EAP conversation
(8) [eap] = updated
(8) [expiration] = noop
(8) [logintime] = noop
rlm_ldap (ldap_domain): Closing connection (2): Hit idle_timeout, was idle
for 90 seconds
rlm_ldap (ldap_domain): Closing connection (3): Hit idle_timeout, was idle
for 90 seconds
rlm_ldap (ldap_domain): Closing connection (4): Hit idle_timeout, was idle
for 90 seconds
rlm_ldap (ldap_domain): Closing connection (0): Hit idle_timeout, was idle
for 85 seconds
rlm_ldap (ldap_domain): You probably need to lower "min"
rlm_ldap (ldap_domain): Closing connection (5): Hit idle_timeout, was idle
for 85 seconds
rlm_ldap (ldap_domain): You probably need to lower "min"
rlm_ldap (ldap_domain): Closing connection (1): Hit idle_timeout, was idle
for 85 seconds
rlm_ldap (ldap_domain): You probably need to lower "min"
rlm_ldap (ldap_domain): 0 of 0 connections in use. You may need to increase
"spare"
rlm_ldap (ldap_domain): Opening additional connection (6), 1 of 32 pending
slots used
rlm_ldap (ldap_domain): Connecting to ldap://dc.domain.local:389
rlm_ldap (ldap_domain): Waiting for bind result...
rlm_ldap (ldap_domain): Bind successful
rlm_ldap (ldap_domain): Reserved connection (6)
(8) ldap_domain: EXPAND
(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})
(8) ldap_domain: --> (sAMAccountName=bob)
(8) ldap_domain: Performing search in "cn=Users,dc=domain,dc=local" with
filter "(sAMAccountName=bob)", scope "sub"
(8) ldap_domain: Waiting for search result...
(8) ldap_domain: Search returned no results
rlm_ldap (ldap_domain): Released connection (6)
rlm_ldap (ldap_domain): Need 2 more connections to reach 10 spares
rlm_ldap (ldap_domain): Opening additional connection (7), 1 of 31 pending
slots used
rlm_ldap (ldap_domain): Connecting to ldap://dc.domain.local:389
rlm_ldap (ldap_domain): Waiting for bind result...
rlm_ldap (ldap_domain): Bind successful
(8) [ldap_domain] = notfound
(8) if ((ok || updated) && User-Password) {
(8) if ((ok || updated) && User-Password) -> FALSE
(8) pap: WARNING: Auth-Type already set. Not setting to PAP
(8) [pap] = noop
(8) if (User-Password) {
(8) if (User-Password) -> FALSE
(8) } # authorize = updated
(8) Found Auth-Type = EAP
(8) # Executing group from file
/usr/local/etc/raddb/sites-enabled/inner-tunnel-domain
(8) authenticate {
(8) eap: Expiring EAP session with state 0xa0773c37a07f2697
(8) eap: Finished EAP session with state 0xa0773c37a07f2697
(8) eap: Previous EAP request found for state 0xa0773c37a07f2697, released
from the list
(8) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(8) eap: Calling submodule eap_mschapv2 to process data
(8) eap_mschapv2: # Executing group from file
/usr/local/etc/raddb/sites-enabled/inner-tunnel-domain
(8) eap_mschapv2: Auth-Type MS-CHAP {
(8) mschap: Found Cleartext-Password, hashing to create NT-Password
(8) mschap: Found Cleartext-Password, hashing to create LM-Password
(8) mschap: Creating challenge hash with username: bob
(8) mschap: Client is using MS-CHAPv2
(8) mschap: Adding MS-CHAPv2 MPPE keys
(8) [mschap] = ok
(8) } # Auth-Type MS-CHAP = ok
(8) MSCHAP Success
(8) eap: Sending EAP Request (code 1) ID 9 length 51
(8) eap: EAP session adding &reply:State = 0xa0773c37a17e2697
(8) [eap] = handled
(8) } # authenticate = handled
(8) } # server inner-tunnel
(8) Virtual server sending reply
(8) EAP-Message =
0x010900331a0308002e533d4130303731353232344432383732443943443233443736334535
4535313444393146323441424646
(8) Message-Authenticator = 0x00000000000000000000000000000000
(8) State = 0xa0773c37a17e269794c91e639bc0d99c
(8) eap_peap: Got tunneled reply code 11
(8) eap_peap: EAP-Message =
0x010900331a0308002e533d4130303731353232344432383732443943443233443736334535
4535313444393146323441424646
(8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(8) eap_peap: State = 0xa0773c37a17e269794c91e639bc0d99c
(8) eap_peap: Got tunneled reply RADIUS code 11
(8) eap_peap: EAP-Message =
0x010900331a0308002e533d4130303731353232344432383732443943443233443736334535
4535313444393146323441424646
(8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(8) eap_peap: State = 0xa0773c37a17e269794c91e639bc0d99c
(8) eap_peap: Got tunneled Access-Challenge
(8) eap: Sending EAP Request (code 1) ID 9 length 91
(8) eap: EAP session adding &reply:State = 0x7322fa16742be364
(8) [eap] = handled
(8) } # authenticate = handled
(8) Using Post-Auth-Type Challenge
(8) Post-Auth-Type sub-section not found. Ignoring.
(8) Sent Access-Challenge Id 50 from 192.168.8.27:1812 to 192.168.2.250:3072
length 0
(8) EAP-Message =
0x0109005b19001703010050859ea345fa5ac6b144a9e42ed8bff28f0b2320a237ac8370d029
cb70f52d482a0d76da88b813e4df36252cb6397300ec8d8d78b8622e934b5283b40ee5a8abe7
5b64b6667666fd21f0cac5fcc60f98ed
(8) Message-Authenticator = 0x00000000000000000000000000000000
(8) State = 0x7322fa16742be3641bb25e163c98a49d
(8) Finished request
Waking up in 4.7 seconds.
(9) Received Access-Request Id 168 from 192.168.2.250:3072 to
192.168.8.27:1812 length 229
(9) User-Name = "bob"
(9) Service-Type = Framed-User
(9) NAS-IP-Address = 192.168.2.250
(9) NAS-Port = 10
(9) NAS-Port-Id = "10"
(9) State = 0x7322fa16742be3641bb25e163c98a49d
(9) Called-Station-Id = "0E-0B-6B-2F-12-67:domain 8021X"
(9) Calling-Station-Id = "B8-E8-56-41-2C-2A"
(9) Connect-Info = "CONNECT 54 Mbps 802.11g"
(9) NAS-Identifier = "AP-domain01"
(9) NAS-Port-Type = Wireless-802.11
(9) Framed-MTU = 1500
(9) EAP-Message =
0x0209002b19001703010020ef0b01a2e1a2ce59b84fcd3a36f6101ad280a2da6de9e3034ee1
142fd2c2d87b
(9) Message-Authenticator = 0xcbef8a5238f2450a86714781617cb91e
(9) session-state: No cached attributes
(9) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/domain
(9) authorize {
(9) files: users: Matched entry bob at line 69
(9) [files] = ok
(9) [preprocess] = ok
(9) suffix: Checking for suffix after "@"
(9) suffix: No '@' in User-Name = "bob", looking up realm NULL
(9) suffix: No such realm "NULL"
(9) [suffix] = noop
(9) eap: Peer sent EAP Response (code 2) ID 9 length 43
(9) eap: Continuing tunnel setup
(9) [eap] = ok
(9) } # authorize = ok
(9) Found Auth-Type = EAP
(9) # Executing group from file /usr/local/etc/raddb/sites-enabled/domain
(9) authenticate {
(9) eap: Expiring EAP session with state 0xa0773c37a17e2697
(9) eap: Finished EAP session with state 0x7322fa16742be364
(9) eap: Previous EAP request found for state 0x7322fa16742be364, released
from the list
(9) eap: Peer sent packet with method EAP PEAP (25)
(9) eap: Calling submodule eap_peap to process data
(9) eap_peap: Continuing EAP-TLS
(9) eap_peap: [eaptls verify] = ok
(9) eap_peap: Done initial handshake
(9) eap_peap: [eaptls process] = ok
(9) eap_peap: Session established. Decoding tunneled attributes
(9) eap_peap: PEAP state phase2
(9) eap_peap: EAP method MSCHAPv2 (26)
(9) eap_peap: Got tunneled request
(9) eap_peap: EAP-Message = 0x020900061a03
(9) eap_peap: Setting User-Name to bob
(9) eap_peap: Sending tunneled request to inner-tunnel
(9) eap_peap: EAP-Message = 0x020900061a03
(9) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(9) eap_peap: User-Name = "bob"
(9) eap_peap: State = 0xa0773c37a17e269794c91e639bc0d99c
(9) Virtual server inner-tunnel received request
(9) EAP-Message = 0x020900061a03
(9) FreeRADIUS-Proxied-To = 127.0.0.1
(9) User-Name = "bob"
(9) State = 0xa0773c37a17e269794c91e639bc0d99c
(9) server inner-tunnel {
(9) session-state: No cached attributes
(9) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/inner-tunnel-domain
(9) authorize {
(9) files: users: Matched entry bob at line 69
(9) [files] = ok
(9) [mschap] = noop
(9) suffix: Checking for suffix after "@"
(9) suffix: No '@' in User-Name = "bob", looking up realm NULL
(9) suffix: No such realm "NULL"
(9) [suffix] = noop
(9) update control {
(9) Proxy-To-Realm := LOCAL
(9) } # update control = noop
(9) eap: Peer sent EAP Response (code 2) ID 9 length 6
(9) eap: No EAP Start, assuming it's an on-going EAP conversation
(9) [eap] = updated
(9) [expiration] = noop
(9) [logintime] = noop
rlm_ldap (ldap_domain): Reserved connection (6)
(9) ldap_domain: EXPAND
(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})
(9) ldap_domain: --> (sAMAccountName=bob)
(9) ldap_domain: Performing search in "cn=Users,dc=domain,dc=local" with
filter "(sAMAccountName=bob)", scope "sub"
(9) ldap_domain: Waiting for search result...
(9) ldap_domain: Search returned no results
rlm_ldap (ldap_domain): Released connection (6)
(9) [ldap_domain] = notfound
(9) if ((ok || updated) && User-Password) {
(9) if ((ok || updated) && User-Password) -> FALSE
(9) pap: WARNING: Auth-Type already set. Not setting to PAP
(9) [pap] = noop
(9) if (User-Password) {
(9) if (User-Password) -> FALSE
(9) } # authorize = updated
(9) Found Auth-Type = EAP
(9) # Executing group from file
/usr/local/etc/raddb/sites-enabled/inner-tunnel-domain
(9) authenticate {
(9) eap: Expiring EAP session with state 0xa0773c37a17e2697
(9) eap: Finished EAP session with state 0xa0773c37a17e2697
(9) eap: Previous EAP request found for state 0xa0773c37a17e2697, released
from the list
(9) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(9) eap: Calling submodule eap_mschapv2 to process data
(9) eap: Sending EAP Success (code 3) ID 9 length 4
(9) eap: Freeing handler
(9) [eap] = ok
(9) } # authenticate = ok
(9) } # server inner-tunnel
(9) Virtual server sending reply
(9) MS-MPPE-Encryption-Policy = Encryption-Required
(9) MS-MPPE-Encryption-Types = 4
(9) MS-MPPE-Send-Key = 0xc40f7d178a19b383691a863644016790
(9) MS-MPPE-Recv-Key = 0x1f490d8645a1a87f762bc38738f37149
(9) EAP-Message = 0x03090004
(9) Message-Authenticator = 0x00000000000000000000000000000000
(9) User-Name = "bob"
(9) eap_peap: Got tunneled reply code 2
(9) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Required
(9) eap_peap: MS-MPPE-Encryption-Types = 4
(9) eap_peap: MS-MPPE-Send-Key = 0xc40f7d178a19b383691a863644016790
(9) eap_peap: MS-MPPE-Recv-Key = 0x1f490d8645a1a87f762bc38738f37149
(9) eap_peap: EAP-Message = 0x03090004
(9) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(9) eap_peap: User-Name = "bob"
(9) eap_peap: Got tunneled reply RADIUS code 2
(9) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Required
(9) eap_peap: MS-MPPE-Encryption-Types = 4
(9) eap_peap: MS-MPPE-Send-Key = 0xc40f7d178a19b383691a863644016790
(9) eap_peap: MS-MPPE-Recv-Key = 0x1f490d8645a1a87f762bc38738f37149
(9) eap_peap: EAP-Message = 0x03090004
(9) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(9) eap_peap: User-Name = "bob"
(9) eap_peap: Tunneled authentication was successful
(9) eap_peap: SUCCESS
(9) eap: Sending EAP Request (code 1) ID 10 length 43
(9) eap: EAP session adding &reply:State = 0x7322fa167b28e364
(9) [eap] = handled
(9) } # authenticate = handled
(9) Using Post-Auth-Type Challenge
(9) Post-Auth-Type sub-section not found. Ignoring.
(9) Sent Access-Challenge Id 168 from 192.168.8.27:1812 to
192.168.2.250:3072 length 0
(9) EAP-Message =
0x010a002b190017030100209ebe5c178129e763273f16ddd56f3f5e123f6a27587c42e7e480
f2874b2985ac
(9) Message-Authenticator = 0x00000000000000000000000000000000
(9) State = 0x7322fa167b28e3641bb25e163c98a49d
(9) Finished request
Waking up in 4.7 seconds.
(10) Received Access-Request Id 89 from 192.168.2.250:3072 to
192.168.8.27:1812 length 229
(10) User-Name = "bob"
(10) Service-Type = Framed-User
(10) NAS-IP-Address = 192.168.2.250
(10) NAS-Port = 10
(10) NAS-Port-Id = "10"
(10) State = 0x7322fa167b28e3641bb25e163c98a49d
(10) Called-Station-Id = "0E-0B-6B-2F-12-67:domain 8021X"
(10) Calling-Station-Id = "B8-E8-56-41-2C-2A"
(10) Connect-Info = "CONNECT 54 Mbps 802.11g"
(10) NAS-Identifier = "AP-domain01"
(10) NAS-Port-Type = Wireless-802.11
(10) Framed-MTU = 1500
(10) EAP-Message =
0x020a002b19001703010020ae6a94676019ad167b393353926209ead29be3185de748899304
ff6a50957c1a
(10) Message-Authenticator = 0x64a847e3ae161cf68eccda80a2f11f16
(10) session-state: No cached attributes
(10) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/domain
(10) authorize {
(10) files: users: Matched entry bob at line 69
(10) [files] = ok
(10) [preprocess] = ok
(10) suffix: Checking for suffix after "@"
(10) suffix: No '@' in User-Name = "bob", looking up realm NULL
(10) suffix: No such realm "NULL"
(10) [suffix] = noop
(10) eap: Peer sent EAP Response (code 2) ID 10 length 43
(10) eap: Continuing tunnel setup
(10) [eap] = ok
(10) } # authorize = ok
(10) Found Auth-Type = EAP
(10) # Executing group from file /usr/local/etc/raddb/sites-enabled/domain
(10) authenticate {
(10) eap: Expiring EAP session with state 0x7322fa167b28e364
(10) eap: Finished EAP session with state 0x7322fa167b28e364
(10) eap: Previous EAP request found for state 0x7322fa167b28e364, released
from the list
(10) eap: Peer sent packet with method EAP PEAP (25)
(10) eap: Calling submodule eap_peap to process data
(10) eap_peap: Continuing EAP-TLS
(10) eap_peap: [eaptls verify] = ok
(10) eap_peap: Done initial handshake
(10) eap_peap: [eaptls process] = ok
(10) eap_peap: Session established. Decoding tunneled attributes
(10) eap_peap: PEAP state send tlv success
(10) eap_peap: Received EAP-TLV response
(10) eap_peap: Success
(10) eap: Sending EAP Success (code 3) ID 10 length 4
(10) eap: Freeing handler
(10) [eap] = ok
(10) } # authenticate = ok
(10) Sent Access-Accept Id 89 from 192.168.8.27:1812 to 192.168.2.250:3072
length 0
(10) MS-MPPE-Recv-Key =
0xa16bc44cb5331571c4f3d362fd38e1bb11a2670822b415e53eb7ebbc67c2cb93
(10) MS-MPPE-Send-Key =
0xbd2081385181a9a51170b7fa40bfd3b32e396b6e7d46f9b5369a38d64be27cc8
(10) EAP-Message = 0x030a0004
(10) Message-Authenticator = 0x00000000000000000000000000000000
(10) User-Name = "bob"
(10) Finished request
Waking up in 4.7 seconds.
(3) Cleaning up request packet ID 54 with timestamp +90
(4) Cleaning up request packet ID 29 with timestamp +90
Waking up in 0.1 seconds.
(5) Cleaning up request packet ID 215 with timestamp +90
(6) Cleaning up request packet ID 116 with timestamp +90
(7) Cleaning up request packet ID 108 with timestamp +90
(8) Cleaning up request packet ID 50 with timestamp +90
(9) Cleaning up request packet ID 168 with timestamp +90
(10) Cleaning up request packet ID 89 with timestamp +90
Ready to process requests
I think that everything goes wrong with encrypt/decrypt the Domain User
password or no User-Password is given after eap or something else. I tried a
lot of stuff, but nothing works.
users configuration
bob Cleartext-Password := "hello"
DEFAULT Framed-Protocol == PPP
Framed-Protocol = PPP,
Framed-Compression = Van-Jacobson-TCP-IP
DEFAULT Hint == "CSLIP"
Framed-Protocol = SLIP,
Framed-Compression = Van-Jacobson-TCP-IP
DEFAULT Hint == "SLIP"
Framed-Protocol = SLIP
Messages:
(7) ldap_nedeco: Processing user attributes
(7) ldap_nedeco: WARNING: No "known good" password added. Ensure the admin
user has permission to read the password attribute
(7) ldap_nedeco: WARNING: PAP authentication will NOT work with Active
Directory (if that is what you were trying to configure)
rlm_ldap (ldap_nedeco): Released connection (0)
..
(7) mschap: WARNING: No Cleartext-Password configured. Cannot create
NT-Password
(7) mschap: WARNING: No Cleartext-Password configured. Cannot create
LM-Password
(7) mschap: Creating challenge hash with username: test
(7) mschap: Client is using MS-CHAPv2
(7) mschap: ERROR: FAILED: No NT/LM-Password. Cannot perform authentication
(7) mschap: ERROR: MS-CHAP2-Response is incorrect
..
(8) eap_peap: Received EAP-TLV response
(8) eap_peap: The users session was previously rejected: returning reject
(again.)
(8) eap_peap: This means you need to read the PREVIOUS messages in the debug
output
(8) eap_peap: to find out the reason why the user was rejected
(8) eap_peap: Look for "reject" or "fail". Those earlier messages will tell
you
(8) eap_peap: what went wrong, and how to fix the problem
(8) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module
failed
..
Any Idea?
4
10
[Zebra_Logo_Stacked_K_small]
John D Williams Sr
Product Engineer - Private Broadband Networks
ZEBRA TECHNOLOGIES CORPORATION
5200 Franklin Drive Suite 100
Pleasanton CA, 94588
T: +1 925 201 4516
john.williams(a)zebra.com<mailto:john.williams@zebra.com>
www.zebra.com<http://www.zebra.com/>
Motorola Solutions' Enterprise Business
is now a part of Zebra Technologies.
Follow Zebra!
[social-fb]<http://www.facebook.com/zebratechnologiesglobal>
[social-tstr]<http://www.twitter.com/zebratechnology>
[social-in]<https://www.linkedin.com/company/167024?trk=tyah&trkInfo=tarId%3A1398351214…>
[social-g+]<https://plus.google.com/u/0/b/116127895496262117488/116127895496262117488/p…>
[social-B]<http://blogs.zebra.com/>
[social-youtube]<http://www.youtube.com/user/ZebraTechnologies>
[social-zebra]<http://www.slideshare.net/ZebraTechnologies>
________________________________
- CONFIDENTIAL-
This email and any files transmitted with it are confidential, and may also be legally privileged. If you are not the intended recipient, you may not review, use, copy, or distribute this message. If you receive this email in error, please notify the sender immediately by reply email and then delete this email.
2
1
Having used an ancient version of FR up to now I just look into 3.0.10. I started with a fresh install and activated sql in default, to get the functionality of the former sql_log module.
Additionally I enabled logfile in mods-available/sql and linked the file to mods-enabled.
# Write SQL queries to a logfile. This is potentially useful for tracing
# issues with authorization queries.
logfile = ${logdir}/sqllog.sql
I hope the following part of the logs are sufficient. I did not want to post 900 lines here. If necessary I can provide the complete log.
radius obviously sees this directive on startup:
radius -X
.....
.....
# Loading module "sql" from file /home/dop/tests/freeradius-server-3.0.10/etc/raddb/mods-enabled/sql^M
sql {^M
driver = "rlm_sql_null"^M
server = ""^M
port = 0^M
login = ""^M
password = <<< secret >>>^M
radius_db = "radius"^M
read_groups = yes^M
read_profiles = yes^M
read_clients = no^M
delete_stale_sessions = yes^M
sql_user_name = "%{User-Name}"^M
logfile = "/home/dop/tests/freeradius-server-3.0.10/var/log/radius/sqllog.sql"^M
default_user_profile = ""^M
.....
Firering up radtest with bob and hello, I get an Access-Accept.
I would have expected to see a line in the logfile now, but no logfile is to be found and
also in the post-auth part of the radius' debug output I do not see any anything that looks like writing to a file, instead:
(0) # Executing section post-auth from file /home/dop/tests/freeradius-server-3.0.10/etc/raddb/sites-enabled/default^M
(0) post-auth {^M
(0) update {^M
(0) No attributes updated^M
(0) } # update = noop^M
(0) sql: EXPAND .query^M
(0) sql: --> .query^M
(0) sql: Using query template 'query'^M
rlm_sql (sql): Reserved connection (1)^M
(0) sql: EXPAND %{User-Name}^M
(0) sql: --> bob^M
(0) sql: SQL-User-Name set to 'bob'^M
(0) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')^M
(0) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'bob', 'hello', 'Access-Accept', '2015-10-09 11:52:21')^M
(0) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'bob', 'hello', 'Access-Accept', '2015-10-09 11:52:21')^M
(0) sql: SQL query returned: success^M
(0) sql: 1 record(s) updated^M
rlm_sql (sql): Released connection (1)^M
(0) [sql] = ok^M
The logfile will also not be written, when running radius in daemon mode.
Do I have to change the config elsewhere for this ?
Norbert
2
4
Hello
I use freeradius 3.0.9 and I want to define multiple huntgroups for the same NAS-IP-ADDRESS into the huntgroup file.
Is it possible and how ?
Regards
--
Ce message et toutes les pieces jointes (ci-apres le "message") sont
confidentiels et etablis a l'intention exclusive de ses destinataires.
Toute utilisation ou diffusion non autorisee est interdite. Tout
message etant susceptible d'alteration, l'emetteur decline toute
responsabilite au titre de ce message s'il a ete altere, deforme ou
falsifie.
-----------------------------------
This message and any attachments (the "message") are confidential and
intended solely for the addressees. Any unauthorised use or
dissemination is prohibited. As e-mails are susceptible to alteration,
the issuer shall not be liable for the message if altered, changed
or falsified.
1
0
Hi all,
I installed freeradius-3.0.4-6.el7 on Centos 7.1 to replace our existing
freeradius-2.1.12-6. I am having difficulty enabling LDAP. LDAP in our
existing freeradius-2.1.12-6 works like a charm, but as soon as I enable
LDAP in /sites-available/inner-tunnel radiusd won't start. I have linked
ldap in /mods-available.
ldap -> /etc/raddb/mods-available/ldap
# diff inner-tunnel inner-tunnel.ORIG
227,229c224,226
< Auth-Type LDAP {
< ldap
< }
---
> # Auth-Type LDAP {
> # ldap
> # }
Here is relevant error messages.
# systemctl status radiusd.service -l
radiusd.service - FreeRADIUS high performance RADIUS server.
Loaded: loaded (/usr/lib/systemd/system/radiusd.service; disabled)
Active: failed (Result: exit-code) since Wed 2015-10-07 10:20:41
PDT; 10min ago
Process: 17895 ExecStart=/usr/sbin/radiusd -d /etc/raddb
(code=exited, status=0/SUCCESS)
Process: 18504 ExecStartPre=/usr/sbin/radiusd -C (code=exited,
status=1/FAILURE)
Process: 18500 ExecStartPre=/bin/chown -R radiusd.radiusd
/var/run/radiusd (code=exited, status=0/SUCCESS)
Main PID: 17897 (code=exited, status=0/SUCCESS)
Oct 07 10:20:41 ccndev4.triumf.ca systemd[1]: Starting FreeRADIUS high
performance RADIUS server....
Oct 07 10:20:41 ccndev4.triumf.ca systemd[1]: radiusd.service: control
process exited, code=exited status=1
Oct 07 10:20:41 ccndev4.triumf.ca systemd[1]: Failed to start FreeRADIUS
high performance RADIUS server..
Oct 07 10:20:41 ccndev4.triumf.ca systemd[1]: Unit radiusd.service
entered failed state.
# journalctl -xn
-- Logs begin at Sat 2015-10-03 09:04:12 PDT, end at Wed 2015-10-07
10:30:01 PDT. --
Oct 07 10:20:01 ccndev4.triumf.ca systemd[1]: Starting Session 735 of
user root.
-- Subject: Unit session-735.scope has begun with start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- Unit session-735.scope has begun starting up.
Oct 07 10:20:01 ccndev4.triumf.ca systemd[1]: Started Session 735 of
user root.
-- Subject: Unit session-735.scope has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- Unit session-735.scope has finished starting up.
-- The start-up result is done.
Oct 07 10:20:01 ccndev4.triumf.ca CROND[18463]: (root) CMD
(/usr/lib64/sa/sa1 1 1)
Oct 07 10:20:41 ccndev4.triumf.ca systemd[1]: Starting FreeRADIUS high
performance RADIUS server....
-- Subject: Unit radiusd.service has begun with start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- Unit radiusd.service has begun starting up.
Oct 07 10:20:41 ccndev4.triumf.ca systemd[1]: radiusd.service: control
process exited, code=exited status
Oct 07 10:20:41 ccndev4.triumf.ca systemd[1]: Failed to start FreeRADIUS
high performance RADIUS server..
-- Subject: Unit radiusd.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- Unit radiusd.service has failed.
-- The result is failed.
Oct 07 10:20:41 ccndev4.triumf.ca systemd[1]: Unit radiusd.service
entered failed state.
Oct 07 10:30:01 ccndev4.triumf.ca systemd[1]: Starting Session 736 of
user root.
-- Subject: Unit session-736.scope has begun with start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- Unit session-736.scope has begun starting up.
Oct 07 10:30:01 ccndev4.triumf.ca systemd[1]: Started Session 736 of
user root.
-- Subject: Unit session-736.scope has finished start-up
Any ideas?
Many thanks in advance,
Hossein Rafighi
--
_____ _____ _____ _ _ _ _ ____ Hossein Rafighi
|_ _|| _ \ |_ _|| | | || \_/ || __|TRIUMF, 4004 Wesbrook Mall
| | | |_| ) | | | | | || || |__ Vancouver BC, Canada, V6T 2A3
| | | _ / | | | \_/ || \_/ || __|Voice: (604) 222-1047
| | | | \ \ _| |_ | || | | || | Fax: (604) 222-1074
|_| |_| \_\|_____| \___/ |_| |_||_| Website: http://www.triumf.ca
4
10
08 Oct '15
Hi @all.
Not sure if we have a bug, but i tried to get an AD authentication about ldap more then 4 days. I read a lot of documentation and testet a lot of stuff.i have the following:If i try to login via "radtest -x test testpwd 127.0.0.1:18120 0 testing123" on the linux console, everything is working via ldap. If i try this over the 802.1X AccessPoint, it doesn't work. If i try the same with a defined user in users like "bob Cleartext-Password := "hello"" over the accessPoint, it works fine.Anything goes wrong with the password if we i use peap:
via console with domain User over inner-tunnel:(1) Received Access-Request Id 7 from 127.0.0.1:48026 to 127.0.0.1:18120 length 74(1) User-Name = "test"(1) User-Password = "password"(1) NAS-IP-Address = 192.168.8.27(1) NAS-Port = 0(1) Message-Authenticator = 0xc7c247ef109fb66332c18aab75068b33(1) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel-domain(1) authorize {(1) [files] = noop(1) [mschap] = noop(1) suffix: Checking for suffix after "@"(1) suffix: No '@' in User-Name = "test", looking up realm NULL(1) suffix: No such realm "NULL"(1) [suffix] = noop(1) update control {(1) Proxy-To-Realm := LOCAL(1) } # update control = noop(1) eap: No EAP-Message, not doing EAP(1) [eap] = noop(1) [expiration] = noop(1) [logintime] = nooprlm_ldap (ldap_domain): Reserved connection (0)(1) ldap_domain: EXPAND (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})(1) ldap_domain: --> (sAMAccountName=test)(1) ldap_domain: Performing search in "cn=Users,dc=domain,dc=local" with filter "(sAMAccountName=test)", scope "sub"(1) ldap_domain: Waiting for search result...(1) ldap_domain: User object found at DN "CN=Test TEST,CN=Users,DC=domain,DC=local"(1) ldap_domain: Processing user attributes(1) ldap_domain: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute(1) ldap_domain: WARNING: PAP authentication will NOT work with Active Directory (if that is what you were trying to configure)rlm_ldap (ldap_domain): Released connection (0)rlm_ldap (ldap_domain): Need 5 more connections to reach 10 sparesrlm_ldap (ldap_domain): Opening additional connection (5), 1 of 27 pending slots usedrlm_ldap (ldap_domain): Connecting to ldap://dc.domain.local:389rlm_ldap (ldap_domain): Waiting for bind result...rlm_ldap (ldap_domain): Bind successful(1) [ldap_domain] = ok(1) if ((ok || updated) && User-Password) {(1) if ((ok || updated) && User-Password) -> TRUE(1) if ((ok || updated) && User-Password) {(1) update {(1) control:Auth-Type := LDAP(1) } # update = noop(1) } # if ((ok || updated) && User-Password) = noop(1) [pap] = noop(1) if (User-Password) {(1) if (User-Password) -> TRUE(1) if (User-Password) {(1) update control {(1) Auth-Type := LDAP(1) } # update control = noop(1) } # if (User-Password) = noop(1) } # authorize = ok(1) Found Auth-Type = LDAP(1) # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel-domain(1) Auth-Type LDAP {rlm_ldap (ldap_domain): Reserved connection (1)(1) ldap_domain: Login attempt by "test"(1) ldap_domain: Using user DN from request "CN=Test TEST,CN=Users,DC=domain,DC=local"(1) ldap_domain: Waiting for bind result...(1) ldap_domain: Bind successful(1) ldap_domain: Bind as user "CN=Test TEST,CN=Users,DC=domain,DC=local" was successfulrlm_ldap (ldap_domain): Released connection (1)(1) [ldap_domain] = ok(1) } # Auth-Type LDAP = ok(1) Sent Access-Accept Id 7 from 127.0.0.1:18120 to 127.0.0.1:48026 length 0(1) Finished requestWaking up in 0.3 seconds.(0) Cleaning up request packet ID 130 with timestamp +4Waking up in 4.6 seconds.(1) Cleaning up request packet ID 7 with timestamp +9Ready to process requests
via AccessPoint with domain User:(2) Received Access-Request Id 42 from 192.168.2.250:3072 to 192.168.8.27:1812 length 178(2) User-Name = "test"(2) Service-Type = Framed-User(2) NAS-IP-Address = 192.168.2.250(2) NAS-Port = 10(2) NAS-Port-Id = "10"(2) Called-Station-Id = "0E-0B-6B-2F-12-67:domain 8021X"(2) Calling-Station-Id = "B8-E8-56-41-2C-2A"(2) Connect-Info = "CONNECT 54 Mbps 802.11g"(2) NAS-Identifier = "AP-domain01"(2) NAS-Port-Type = Wireless-802.11(2) Framed-MTU = 1500(2) EAP-Message = 0x020100090174657374(2) Message-Authenticator = 0x83d8e6487c3977ae8116026c26702525(2) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/domain(2) authorize {(2) [files] = noop(2) [preprocess] = ok(2) suffix: Checking for suffix after "@"(2) suffix: No '@' in User-Name = "test", looking up realm NULL(2) suffix: No such realm "NULL"(2) [suffix] = noop(2) eap: Peer sent EAP Response (code 2) ID 1 length 9(2) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize(2) [eap] = ok(2) } # authorize = ok(2) Found Auth-Type = EAP(2) # Executing group from file /usr/local/etc/raddb/sites-enabled/domain(2) authenticate {(2) eap: Peer sent packet with method EAP Identity (1)(2) eap: Calling submodule eap_peap to process data(2) eap_peap: Initiating new EAP-TLS session(2) eap_peap: [eaptls start] = request(2) eap: Sending EAP Request (code 1) ID 2 length 6(2) eap: EAP session adding &reply:State = 0x714e61bf714c78fd(2) [eap] = handled(2) } # authenticate = handled(2) Using Post-Auth-Type Challenge(2) Post-Auth-Type sub-section not found. Ignoring.(2) Sent Access-Challenge Id 42 from 192.168.8.27:1812 to 192.168.2.250:3072 length 0(2) EAP-Message = 0x010200061920(2) Message-Authenticator = 0x00000000000000000000000000000000(2) State = 0x714e61bf714c78fd13de40933f3a43c8(2) Finished requestWaking up in 4.9 seconds.(3) Received Access-Request Id 58 from 192.168.2.250:3072 to 192.168.8.27:1812 length 339(3) User-Name = "test"(3) Service-Type = Framed-User(3) NAS-IP-Address = 192.168.2.250(3) NAS-Port = 10(3) NAS-Port-Id = "10"(3) State = 0x714e61bf714c78fd13de40933f3a43c8(3) Called-Station-Id = "0E-0B-6B-2F-12-67:domain 8021X"(3) Calling-Station-Id = "B8-E8-56-41-2C-2A"(3) Connect-Info = "CONNECT 54 Mbps 802.11g"(3) NAS-Identifier = "AP-domain01"(3) NAS-Port-Type = Wireless-802.11(3) Framed-MTU = 1500(3) EAP-Message = 0x0202009819800000008e160301008901000085030156162f87a13e4465c695b7754a35671de87e37f1c9c068c51ee0c258d39cc34f00004a00ffc024c023c00ac009c008c028c027c014c013c012c026c025c005c004c003c02ac029c00fc00ec00d006b0067003900330016003d003c0035002f000ac0(3) Message-Authenticator = 0x1b3f4a72c416640c87d6f902d0effe2e(3) session-state: No cached attributes(3) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/domain(3) authorize {(3) [files] = noop(3) [preprocess] = ok(3) suffix: Checking for suffix after "@"(3) suffix: No '@' in User-Name = "test", looking up realm NULL(3) suffix: No such realm "NULL"(3) [suffix] = noop(3) eap: Peer sent EAP Response (code 2) ID 2 length 152(3) eap: Continuing tunnel setup(3) [eap] = ok(3) } # authorize = ok(3) Found Auth-Type = EAP(3) # Executing group from file /usr/local/etc/raddb/sites-enabled/domain(3) authenticate {(3) eap: Expiring EAP session with state 0x714e61bf714c78fd(3) eap: Finished EAP session with state 0x714e61bf714c78fd(3) eap: Previous EAP request found for state 0x714e61bf714c78fd, released from the list(3) eap: Peer sent packet with method EAP PEAP (25)(3) eap: Calling submodule eap_peap to process data(3) eap_peap: Continuing EAP-TLS(3) eap_peap: Peer indicated complete TLS record size will be 142 bytes(3) eap_peap: Got complete TLS record (142 bytes)(3) eap_peap: [eaptls verify] = length included(3) eap_peap: (other): before/accept initialization(3) eap_peap: TLS_accept: before/accept initialization(3) eap_peap: <<< TLS 1.0 Handshake [length 0089], ClientHello(3) eap_peap: TLS_accept: SSLv3 read client hello A(3) eap_peap: >>> TLS 1.0 Handshake [length 0039], ServerHello(3) eap_peap: TLS_accept: SSLv3 write server hello A(3) eap_peap: >>> TLS 1.0 Handshake [length 0964], Certificate(3) eap_peap: TLS_accept: SSLv3 write certificate A(3) eap_peap: >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange(3) eap_peap: TLS_accept: SSLv3 write key exchange A(3) eap_peap: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone(3) eap_peap: TLS_accept: SSLv3 write server done A(3) eap_peap: TLS_accept: SSLv3 flush data(3) eap_peap: TLS_accept: Need to read more data: SSLv3 read client certificate A(3) eap_peap: TLS_accept: Need to read more data: SSLv3 read client certificate A(3) eap_peap: In SSL Handshake Phase(3) eap_peap: In SSL Accept mode(3) eap_peap: [eaptls process] = handled(3) eap: Sending EAP Request (code 1) ID 3 length 1004(3) eap: EAP session adding &reply:State = 0x714e61bf704d78fd(3) [eap] = handled(3) } # authenticate = handled(3) Using Post-Auth-Type Challenge(3) Post-Auth-Type sub-section not found. Ignoring.(3) Sent Access-Challenge Id 58 from 192.168.8.27:1812 to 192.168.2.250:3072 length 0(3) EAP-Message = 0x010303ec19c000000b00160301003902000035030194873ddf6cee275a11fcde492d5ae2b8261f83dd50ed9063133a31be2e3d24b500c01400000dff01000100000b00040300010216030109640b00096000095d0005a7308205a33082048ba0030201020213720000003379461d9f383b20c900010000(3) Message-Authenticator = 0x00000000000000000000000000000000(3) State = 0x714e61bf704d78fd13de40933f3a43c8(3) Finished requestWaking up in 4.9 seconds.(4) Received Access-Request Id 46 from 192.168.2.250:3072 to 192.168.8.27:1812 length 193(4) User-Name = "test"(4) Service-Type = Framed-User(4) NAS-IP-Address = 192.168.2.250(4) NAS-Port = 10(4) NAS-Port-Id = "10"(4) State = 0x714e61bf704d78fd13de40933f3a43c8(4) Called-Station-Id = "0E-0B-6B-2F-12-67:domain 8021X"(4) Calling-Station-Id = "B8-E8-56-41-2C-2A"(4) Connect-Info = "CONNECT 54 Mbps 802.11g"(4) NAS-Identifier = "AP-domain01"(4) NAS-Port-Type = Wireless-802.11(4) Framed-MTU = 1500(4) EAP-Message = 0x020300061900(4) Message-Authenticator = 0xe7c2576faeb3228ae2d056b77bc6cce8(4) session-state: No cached attributes(4) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/domain(4) authorize {(4) [files] = noop(4) [preprocess] = ok(4) suffix: Checking for suffix after "@"(4) suffix: No '@' in User-Name = "test", looking up realm NULL(4) suffix: No such realm "NULL"(4) [suffix] = noop(4) eap: Peer sent EAP Response (code 2) ID 3 length 6(4) eap: Continuing tunnel setup(4) [eap] = ok(4) } # authorize = ok(4) Found Auth-Type = EAP(4) # Executing group from file /usr/local/etc/raddb/sites-enabled/domain(4) authenticate {(4) eap: Expiring EAP session with state 0x714e61bf704d78fd(4) eap: Finished EAP session with state 0x714e61bf704d78fd(4) eap: Previous EAP request found for state 0x714e61bf704d78fd, released from the list(4) eap: Peer sent packet with method EAP PEAP (25)(4) eap: Calling submodule eap_peap to process data(4) eap_peap: Continuing EAP-TLS(4) eap_peap: Peer ACKed our handshake fragment(4) eap_peap: [eaptls verify] = request(4) eap_peap: [eaptls process] = handled(4) eap: Sending EAP Request (code 1) ID 4 length 1000(4) eap: EAP session adding &reply:State = 0x714e61bf734a78fd(4) [eap] = handled(4) } # authenticate = handled(4) Using Post-Auth-Type Challenge(4) Post-Auth-Type sub-section not found. Ignoring.(4) Sent Access-Challenge Id 46 from 192.168.8.27:1812 to 192.168.2.250:3072 length 0(4) EAP-Message = 0x010403e81940b53081b206082b060105050730028681a56c6461703a2f2f2f434e3d6e656465636f253230476d624825323043412c434e3d4149412c434e3d5075626c69632532304b657925323053657276696365732c434e3d53657276696365732c434e3d436f6e66696775726174696f6e2c44433d(4) Message-Authenticator = 0x00000000000000000000000000000000(4) State = 0x714e61bf734a78fd13de40933f3a43c8(4) Finished requestWaking up in 4.9 seconds.(2) Cleaning up request packet ID 42 with timestamp +151(3) Cleaning up request packet ID 58 with timestamp +151(4) Cleaning up request packet ID 46 with timestamp +151Ready to process requests(5) Received Access-Request Id 216 from 192.168.2.250:3072 to 192.168.8.27:1812 length 193(5) User-Name = "test"(5) Service-Type = Framed-User(5) NAS-IP-Address = 192.168.2.250(5) NAS-Port = 10(5) NAS-Port-Id = "10"(5) State = 0x714e61bf734a78fd13de40933f3a43c8(5) Called-Station-Id = "0E-0B-6B-2F-12-67:domain 8021X"(5) Calling-Station-Id = "B8-E8-56-41-2C-2A"(5) Connect-Info = "CONNECT 54 Mbps 802.11g"(5) NAS-Identifier = "AP-domain01"(5) NAS-Port-Type = Wireless-802.11(5) Framed-MTU = 1500(5) EAP-Message = 0x020400061900(5) Message-Authenticator = 0xdf4b4a18dbd046ae4568ed5b900675ca(5) session-state: No cached attributes(5) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/domain(5) authorize {(5) [files] = noop(5) [preprocess] = ok(5) suffix: Checking for suffix after "@"(5) suffix: No '@' in User-Name = "test", looking up realm NULL(5) suffix: No such realm "NULL"(5) [suffix] = noop(5) eap: Peer sent EAP Response (code 2) ID 4 length 6(5) eap: Continuing tunnel setup(5) [eap] = ok(5) } # authorize = ok(5) Found Auth-Type = EAP(5) # Executing group from file /usr/local/etc/raddb/sites-enabled/domain(5) authenticate {(5) eap: Expiring EAP session with state 0x714e61bf734a78fd(5) eap: Finished EAP session with state 0x714e61bf734a78fd(5) eap: Previous EAP request found for state 0x714e61bf734a78fd, released from the list(5) eap: Peer sent packet with method EAP PEAP (25)(5) eap: Calling submodule eap_peap to process data(5) eap_peap: Continuing EAP-TLS(5) eap_peap: Peer ACKed our handshake fragment(5) eap_peap: [eaptls verify] = request(5) eap_peap: [eaptls process] = handled(5) eap: Sending EAP Request (code 1) ID 5 length 834(5) eap: EAP session adding &reply:State = 0x714e61bf724b78fd(5) [eap] = handled(5) } # authenticate = handled(5) Using Post-Auth-Type Challenge(5) Post-Auth-Type sub-section not found. Ignoring.(5) Sent Access-Challenge Id 216 from 192.168.8.27:1812 to 192.168.2.250:3072 length 0(5) EAP-Message = 0x01050342190068d99b627f3ca6561e6c1dcd0e8bb529b85d2515a36c2ba6f906ee9a223e619decfff2f24ef8674307735d591964d50ac988776a55970203010001a3819130818e301306092b060104018237140204061e0400430041300e0603551d0f0101ff040403020186300f0603551d130101ff04(5) Message-Authenticator = 0x00000000000000000000000000000000(5) State = 0x714e61bf724b78fd13de40933f3a43c8(5) Finished requestWaking up in 4.9 seconds.(6) Received Access-Request Id 228 from 192.168.2.250:3072 to 192.168.8.27:1812 length 331(6) User-Name = "test"(6) Service-Type = Framed-User(6) NAS-IP-Address = 192.168.2.250(6) NAS-Port = 10(6) NAS-Port-Id = "10"(6) State = 0x714e61bf724b78fd13de40933f3a43c8(6) Called-Station-Id = "0E-0B-6B-2F-12-67:domain 8021X"(6) Calling-Station-Id = "B8-E8-56-41-2C-2A"(6) Connect-Info = "CONNECT 54 Mbps 802.11g"(6) NAS-Identifier = "AP-domain01"(6) NAS-Port-Type = Wireless-802.11(6) Framed-MTU = 1500(6) EAP-Message = 0x0205009019800000008616030100461000004241041ddb75e112e6a51620e1d90e79faf858ba440ee51859f6f36dbb3d61474b8fc891e7a246f576a1aef8372b95f81c96af01b2ba44e938f2dde2e5fa57032812201403010001011603010030680540b7b149e993c9f964d5e0a79cda35934c4c8e292f(6) Message-Authenticator = 0x96295d1faa87d10973b6fe400102f545(6) session-state: No cached attributes(6) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/domain(6) authorize {(6) [files] = noop(6) [preprocess] = ok(6) suffix: Checking for suffix after "@"(6) suffix: No '@' in User-Name = "test", looking up realm NULL(6) suffix: No such realm "NULL"(6) [suffix] = noop(6) eap: Peer sent EAP Response (code 2) ID 5 length 144(6) eap: Continuing tunnel setup(6) [eap] = ok(6) } # authorize = ok(6) Found Auth-Type = EAP(6) # Executing group from file /usr/local/etc/raddb/sites-enabled/domain(6) authenticate {(6) eap: Expiring EAP session with state 0x714e61bf724b78fd(6) eap: Finished EAP session with state 0x714e61bf724b78fd(6) eap: Previous EAP request found for state 0x714e61bf724b78fd, released from the list(6) eap: Peer sent packet with method EAP PEAP (25)(6) eap: Calling submodule eap_peap to process data(6) eap_peap: Continuing EAP-TLS(6) eap_peap: Peer indicated complete TLS record size will be 134 bytes(6) eap_peap: Got complete TLS record (134 bytes)(6) eap_peap: [eaptls verify] = length included(6) eap_peap: <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange(6) eap_peap: TLS_accept: SSLv3 read client key exchange A(6) eap_peap: <<< TLS 1.0 ChangeCipherSpec length 0001 eap_peap: <<< TLS 1.0 Handshake [length 0010], Finished(6) eap_peap: TLS_accept: SSLv3 read finished A(6) eap_peap: >>> TLS 1.0 ChangeCipherSpec length 0001 eap_peap: TLS_accept: SSLv3 write change cipher spec A(6) eap_peap: >>> TLS 1.0 Handshake [length 0010], Finished(6) eap_peap: TLS_accept: SSLv3 write finished A(6) eap_peap: TLS_accept: SSLv3 flush data(6) eap_peap: (other): SSL negotiation finished successfully(6) eap_peap: SSL Connection Established(6) eap_peap: [eaptls process] = handled(6) eap: Sending EAP Request (code 1) ID 6 length 65(6) eap: EAP session adding &reply:State = 0x714e61bf754878fd(6) [eap] = handled(6) } # authenticate = handled(6) Using Post-Auth-Type Challenge(6) Post-Auth-Type sub-section not found. Ignoring.(6) Sent Access-Challenge Id 228 from 192.168.8.27:1812 to 192.168.2.250:3072 length 0(6) EAP-Message = 0x01060041190014030100010116030100301b8a91b9523361e58c472a6f4bedc223a3780b77e80492846d5f574cd2db238cdd236645e7e78ed7e706e2dd3aecd6a2(6) Message-Authenticator = 0x00000000000000000000000000000000(6) State = 0x714e61bf754878fd13de40933f3a43c8(6) Finished requestWaking up in 4.8 seconds.(7) Received Access-Request Id 77 from 192.168.2.250:3072 to 192.168.8.27:1812 length 193(7) User-Name = "test"(7) Service-Type = Framed-User(7) NAS-IP-Address = 192.168.2.250(7) NAS-Port = 10(7) NAS-Port-Id = "10"(7) State = 0x714e61bf754878fd13de40933f3a43c8(7) Called-Station-Id = "0E-0B-6B-2F-12-67:domain 8021X"(7) Calling-Station-Id = "B8-E8-56-41-2C-2A"(7) Connect-Info = "CONNECT 54 Mbps 802.11g"(7) NAS-Identifier = "AP-domain01"(7) NAS-Port-Type = Wireless-802.11(7) Framed-MTU = 1500(7) EAP-Message = 0x020600061900(7) Message-Authenticator = 0xaabe36b47f3a6a409dd2ec806970d983(7) session-state: No cached attributes(7) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/domain(7) authorize {(7) [files] = noop(7) [preprocess] = ok(7) suffix: Checking for suffix after "@"(7) suffix: No '@' in User-Name = "test", looking up realm NULL(7) suffix: No such realm "NULL"(7) [suffix] = noop(7) eap: Peer sent EAP Response (code 2) ID 6 length 6(7) eap: Continuing tunnel setup(7) [eap] = ok(7) } # authorize = ok(7) Found Auth-Type = EAP(7) # Executing group from file /usr/local/etc/raddb/sites-enabled/domain(7) authenticate {(7) eap: Expiring EAP session with state 0x714e61bf754878fd(7) eap: Finished EAP session with state 0x714e61bf754878fd(7) eap: Previous EAP request found for state 0x714e61bf754878fd, released from the list(7) eap: Peer sent packet with method EAP PEAP (25)(7) eap: Calling submodule eap_peap to process data(7) eap_peap: Continuing EAP-TLS(7) eap_peap: Peer ACKed our handshake fragment. handshake is finished(7) eap_peap: [eaptls verify] = success(7) eap_peap: [eaptls process] = success(7) eap_peap: Session established. Decoding tunneled attributes(7) eap_peap: PEAP state TUNNEL ESTABLISHED(7) eap: Sending EAP Request (code 1) ID 7 length 43(7) eap: EAP session adding &reply:State = 0x714e61bf744978fd(7) [eap] = handled(7) } # authenticate = handled(7) Using Post-Auth-Type Challenge(7) Post-Auth-Type sub-section not found. Ignoring.(7) Sent Access-Challenge Id 77 from 192.168.8.27:1812 to 192.168.2.250:3072 length 0(7) EAP-Message = 0x0107002b19001703010020a6135f04ae6dffd42c8ef419d75113ac720759219e31f74d4247b6b610e9a071(7) Message-Authenticator = 0x00000000000000000000000000000000(7) State = 0x714e61bf744978fd13de40933f3a43c8(7) Finished requestWaking up in 4.8 seconds.(8) Received Access-Request Id 86 from 192.168.2.250:3072 to 192.168.8.27:1812 length 230(8) User-Name = "test"(8) Service-Type = Framed-User(8) NAS-IP-Address = 192.168.2.250(8) NAS-Port = 10(8) NAS-Port-Id = "10"(8) State = 0x714e61bf744978fd13de40933f3a43c8(8) Called-Station-Id = "0E-0B-6B-2F-12-67:domain 8021X"(8) Calling-Station-Id = "B8-E8-56-41-2C-2A"(8) Connect-Info = "CONNECT 54 Mbps 802.11g"(8) NAS-Identifier = "AP-domain01"(8) NAS-Port-Type = Wireless-802.11(8) Framed-MTU = 1500(8) EAP-Message = 0x0207002b19001703010020aa7e796b21bdc47f3c2b751c50ffbf8aaaafc3ad47a3a4a6dab850e706bf7227(8) Message-Authenticator = 0xb0ef481a7beafe09a46383286750ead8(8) session-state: No cached attributes(8) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/domain(8) authorize {(8) [files] = noop(8) [preprocess] = ok(8) suffix: Checking for suffix after "@"(8) suffix: No '@' in User-Name = "test", looking up realm NULL(8) suffix: No such realm "NULL"(8) [suffix] = noop(8) eap: Peer sent EAP Response (code 2) ID 7 length 43(8) eap: Continuing tunnel setup(8) [eap] = ok(8) } # authorize = ok(8) Found Auth-Type = EAP(8) # Executing group from file /usr/local/etc/raddb/sites-enabled/domain(8) authenticate {(8) eap: Expiring EAP session with state 0x714e61bf744978fd(8) eap: Finished EAP session with state 0x714e61bf744978fd(8) eap: Previous EAP request found for state 0x714e61bf744978fd, released from the list(8) eap: Peer sent packet with method EAP PEAP (25)(8) eap: Calling submodule eap_peap to process data(8) eap_peap: Continuing EAP-TLS(8) eap_peap: [eaptls verify] = ok(8) eap_peap: Done initial handshake(8) eap_peap: [eaptls process] = ok(8) eap_peap: Session established. Decoding tunneled attributes(8) eap_peap: PEAP state WAITING FOR INNER IDENTITY(8) eap_peap: Identity - test(8) eap_peap: Got inner identity 'test'(8) eap_peap: Setting default EAP type for tunneled EAP session(8) eap_peap: Got tunneled request(8) eap_peap: EAP-Message = 0x020700090174657374(8) eap_peap: Setting User-Name to test(8) eap_peap: Sending tunneled request to inner-tunnel(8) eap_peap: EAP-Message = 0x020700090174657374(8) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1(8) eap_peap: User-Name = "test"(8) Virtual server inner-tunnel received request(8) EAP-Message = 0x020700090174657374(8) FreeRADIUS-Proxied-To = 127.0.0.1(8) User-Name = "test"(8) server inner-tunnel {(8) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel-domain(8) authorize {(8) [files] = noop(8) [mschap] = noop(8) suffix: Checking for suffix after "@"(8) suffix: No '@' in User-Name = "test", looking up realm NULL(8) suffix: No such realm "NULL"(8) [suffix] = noop(8) update control {(8) Proxy-To-Realm := LOCAL(8) } # update control = noop(8) eap: Peer sent EAP Response (code 2) ID 7 length 9(8) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize(8) [eap] = ok(8) } # authorize = ok(8) Found Auth-Type = EAP(8) # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel-domain(8) authenticate {(8) eap: Peer sent packet with method EAP Identity (1)(8) eap: Calling submodule eap_mschapv2 to process data(8) eap_mschapv2: Issuing Challenge(8) eap: Sending EAP Request (code 1) ID 8 length 43(8) eap: EAP session adding &reply:State = 0xbd1845cebd105fc4(8) [eap] = handled(8) } # authenticate = handled(8) } # server inner-tunnel(8) Virtual server sending reply(8) EAP-Message = 0x0108002b1a0108002610ba684a0833e561a9e780eedf9829518f667265657261646975732d332e302e3131(8) Message-Authenticator = 0x00000000000000000000000000000000(8) State = 0xbd1845cebd105fc4a22a1c51082d7ecf(8) eap_peap: Got tunneled reply code 11(8) eap_peap: EAP-Message = 0x0108002b1a0108002610ba684a0833e561a9e780eedf9829518f667265657261646975732d332e302e3131(8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000(8) eap_peap: State = 0xbd1845cebd105fc4a22a1c51082d7ecf(8) eap_peap: Got tunneled reply RADIUS code 11(8) eap_peap: EAP-Message = 0x0108002b1a0108002610ba684a0833e561a9e780eedf9829518f667265657261646975732d332e302e3131(8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000(8) eap_peap: State = 0xbd1845cebd105fc4a22a1c51082d7ecf(8) eap_peap: Got tunneled Access-Challenge(8) eap: Sending EAP Request (code 1) ID 8 length 75(8) eap: EAP session adding &reply:State = 0x714e61bf774678fd(8) [eap] = handled(8) } # authenticate = handled(8) Using Post-Auth-Type Challenge(8) Post-Auth-Type sub-section not found. Ignoring.(8) Sent Access-Challenge Id 86 from 192.168.8.27:1812 to 192.168.2.250:3072 length 0(8) EAP-Message = 0x0108004b19001703010040c6831d9a1c5c30c64d40563c5fa21ee3cc103adbb4e99517563c9e67d781aefdd941ba0f19bc124976046e7471792eec1d4771c20abf67b78282a152634eed5e(8) Message-Authenticator = 0x00000000000000000000000000000000(8) State = 0x714e61bf774678fd13de40933f3a43c8(8) Finished requestWaking up in 4.8 seconds.(5) Cleaning up request packet ID 216 with timestamp +181(6) Cleaning up request packet ID 228 with timestamp +181(7) Cleaning up request packet ID 77 with timestamp +181(8) Cleaning up request packet ID 86 with timestamp +181Ready to process requests(9) Received Access-Request Id 14 from 192.168.2.250:3072 to 192.168.8.27:1812 length 278(9) User-Name = "test"(9) Service-Type = Framed-User(9) NAS-IP-Address = 192.168.2.250(9) NAS-Port = 10(9) NAS-Port-Id = "10"(9) State = 0x714e61bf774678fd13de40933f3a43c8(9) Called-Station-Id = "0E-0B-6B-2F-12-67:domain 8021X"(9) Calling-Station-Id = "B8-E8-56-41-2C-2A"(9) Connect-Info = "CONNECT 54 Mbps 802.11g"(9) NAS-Identifier = "AP-domain01"(9) NAS-Port-Type = Wireless-802.11(9) Framed-MTU = 1500(9) EAP-Message = 0x0208005b1900170301005041a588e579c1a63e94555d08bea2166f123e059dea3d7f8a17bcbfd8e4f4a54c876ceee7b33a4a101a4afd0dc078e77a3c8163b76b6c9e9567e6954214f5e1ec01cdafcd013db92c58ae136658519d20(9) Message-Authenticator = 0xac0b3e273dede594c80988c13eaafd54(9) session-state: No cached attributes(9) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/domain(9) authorize {(9) [files] = noop(9) [preprocess] = ok(9) suffix: Checking for suffix after "@"(9) suffix: No '@' in User-Name = "test", looking up realm NULL(9) suffix: No such realm "NULL"(9) [suffix] = noop(9) eap: Peer sent EAP Response (code 2) ID 8 length 91(9) eap: Continuing tunnel setup(9) [eap] = ok(9) } # authorize = ok(9) Found Auth-Type = EAP(9) # Executing group from file /usr/local/etc/raddb/sites-enabled/domain(9) authenticate {(9) eap: Expiring EAP session with state 0xbd1845cebd105fc4(9) eap: Finished EAP session with state 0x714e61bf774678fd(9) eap: Previous EAP request found for state 0x714e61bf774678fd, released from the list(9) eap: Peer sent packet with method EAP PEAP (25)(9) eap: Calling submodule eap_peap to process data(9) eap_peap: Continuing EAP-TLS(9) eap_peap: [eaptls verify] = ok(9) eap_peap: Done initial handshake(9) eap_peap: [eaptls process] = ok(9) eap_peap: Session established. Decoding tunneled attributes(9) eap_peap: PEAP state phase2(9) eap_peap: EAP method MSCHAPv2 (26)(9) eap_peap: Got tunneled request(9) eap_peap: EAP-Message = 0x0208003f1a0208003a316670e0343c5cde7c22158c2f3b1e05bd0000000000000000e36cbc3c625721798db23c5fc199979df656a52246010d310074657374(9) eap_peap: Setting User-Name to test(9) eap_peap: Sending tunneled request to inner-tunnel(9) eap_peap: EAP-Message = 0x0208003f1a0208003a316670e0343c5cde7c22158c2f3b1e05bd0000000000000000e36cbc3c625721798db23c5fc199979df656a52246010d310074657374(9) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1(9) eap_peap: User-Name = "test"(9) eap_peap: State = 0xbd1845cebd105fc4a22a1c51082d7ecf(9) Virtual server inner-tunnel received request(9) EAP-Message = 0x0208003f1a0208003a316670e0343c5cde7c22158c2f3b1e05bd0000000000000000e36cbc3c625721798db23c5fc199979df656a52246010d310074657374(9) FreeRADIUS-Proxied-To = 127.0.0.1(9) User-Name = "test"(9) State = 0xbd1845cebd105fc4a22a1c51082d7ecf(9) server inner-tunnel {(9) session-state: No cached attributes(9) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel-domain(9) authorize {(9) [files] = noop(9) [mschap] = noop(9) suffix: Checking for suffix after "@"(9) suffix: No '@' in User-Name = "test", looking up realm NULL(9) suffix: No such realm "NULL"(9) [suffix] = noop(9) update control {(9) Proxy-To-Realm := LOCAL(9) } # update control = noop(9) eap: Peer sent EAP Response (code 2) ID 8 length 63(9) eap: No EAP Start, assuming it's an on-going EAP conversation(9) [eap] = updated(9) [expiration] = noop(9) [logintime] = nooprlm_ldap (ldap_domain): Closing connection (2): Hit idle_timeout, was idle for 211 secondsrlm_ldap (ldap_domain): Closing connection (3): Hit idle_timeout, was idle for 211 secondsrlm_ldap (ldap_domain): Closing connection (4): Hit idle_timeout, was idle for 211 secondsrlm_ldap (ldap_domain): Closing connection (0): Hit idle_timeout, was idle for 202 secondsrlm_ldap (ldap_domain): You probably need to lower "min"rlm_ldap (ldap_domain): Closing connection (5): Hit idle_timeout, was idle for 202 secondsrlm_ldap (ldap_domain): You probably need to lower "min"rlm_ldap (ldap_domain): Closing connection (1): Hit idle_timeout, was idle for 202 secondsrlm_ldap (ldap_domain): You probably need to lower "min"rlm_ldap (ldap_domain): 0 of 0 connections in use. You may need to increase "spare"rlm_ldap (ldap_domain): Opening additional connection (6), 1 of 32 pending slots usedrlm_ldap (ldap_domain): Connecting to ldap://dc.domain.local:389rlm_ldap (ldap_domain): Waiting for bind result...rlm_ldap (ldap_domain): Bind successfulrlm_ldap (ldap_domain): Reserved connection (6)(9) ldap_domain: EXPAND (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})(9) ldap_domain: --> (sAMAccountName=test)(9) ldap_domain: Performing search in "cn=Users,dc=domain,dc=local" with filter "(sAMAccountName=test)", scope "sub"(9) ldap_domain: Waiting for search result...(9) ldap_domain: User object found at DN "CN=Test TEST,CN=Users,DC=domain,DC=local"(9) ldap_domain: Processing user attributes(9) ldap_domain: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute(9) ldap_domain: WARNING: PAP authentication will NOT work with Active Directory (if that is what you were trying to configure)rlm_ldap (ldap_domain): Released connection (6)rlm_ldap (ldap_domain): Need 2 more connections to reach 10 sparesrlm_ldap (ldap_domain): Opening additional connection (7), 1 of 31 pending slots usedrlm_ldap (ldap_domain): Connecting to ldap://dc.domain.local:389rlm_ldap (ldap_domain): Waiting for bind result...rlm_ldap (ldap_domain): Bind successful(9) [ldap_domain] = ok(9) if ((ok || updated) && User-Password) {(9) if ((ok || updated) && User-Password) -> FALSE(9) [pap] = noop(9) if (User-Password) {(9) if (User-Password) -> FALSE(9) } # authorize = updated(9) Found Auth-Type = EAP(9) # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel-domain(9) authenticate {(9) eap: Expiring EAP session with state 0xbd1845cebd105fc4(9) eap: Finished EAP session with state 0xbd1845cebd105fc4(9) eap: Previous EAP request found for state 0xbd1845cebd105fc4, released from the list(9) eap: Peer sent packet with method EAP MSCHAPv2 (26)(9) eap: Calling submodule eap_mschapv2 to process data(9) eap_mschapv2: # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel-domain(9) eap_mschapv2: Auth-Type MS-CHAP {(9) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password(9) mschap: WARNING: No Cleartext-Password configured. Cannot create LM-Password(9) mschap: Creating challenge hash with username: test(9) mschap: Client is using MS-CHAPv2(9) mschap: ERROR: FAILED: No NT/LM-Password. Cannot perform authentication(9) mschap: ERROR: MS-CHAP2-Response is incorrect(9) [mschap] = reject(9) } # Auth-Type MS-CHAP = reject(9) eap: Sending EAP Failure (code 4) ID 8 length 4(9) eap: Freeing handler(9) [eap] = reject(9) } # authenticate = reject(9) Failed to authenticate the user(9) Using Post-Auth-Type Reject(9) Post-Auth-Type sub-section not found. Ignoring.(9) } # server inner-tunnel(9) Virtual server sending reply(9) MS-CHAP-Error = "\010E=691 R=1 C=12a7b91273b8d4ea014f8d6353762c6f V=3 M=Authentication failed"(9) EAP-Message = 0x04080004(9) Message-Authenticator = 0x00000000000000000000000000000000(9) eap_peap: Got tunneled reply code 3(9) eap_peap: MS-CHAP-Error = "\010E=691 R=1 C=12a7b91273b8d4ea014f8d6353762c6f V=3 M=Authentication failed"(9) eap_peap: EAP-Message = 0x04080004(9) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000(9) eap_peap: Got tunneled reply RADIUS code 3(9) eap_peap: MS-CHAP-Error = "\010E=691 R=1 C=12a7b91273b8d4ea014f8d6353762c6f V=3 M=Authentication failed"(9) eap_peap: EAP-Message = 0x04080004(9) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000(9) eap_peap: Tunneled authentication was rejected(9) eap_peap: FAILURE(9) eap: Sending EAP Request (code 1) ID 9 length 43(9) eap: EAP session adding &reply:State = 0x714e61bf764778fd(9) [eap] = handled(9) } # authenticate = handled(9) Using Post-Auth-Type Challenge(9) Post-Auth-Type sub-section not found. Ignoring.(9) Sent Access-Challenge Id 14 from 192.168.8.27:1812 to 192.168.2.250:3072 length 0(9) EAP-Message = 0x0109002b19001703010020b8c28870cb31e457ad24447c2dad4915f836138d395b9e74200fe48a71906242(9) Message-Authenticator = 0x00000000000000000000000000000000(9) State = 0x714e61bf764778fd13de40933f3a43c8(9) Finished requestWaking up in 4.9 seconds.(10) Received Access-Request Id 10 from 192.168.2.250:3072 to 192.168.8.27:1812 length 230(10) User-Name = "test"(10) Service-Type = Framed-User(10) NAS-IP-Address = 192.168.2.250(10) NAS-Port = 10(10) NAS-Port-Id = "10"(10) State = 0x714e61bf764778fd13de40933f3a43c8(10) Called-Station-Id = "0E-0B-6B-2F-12-67:domain 8021X"(10) Calling-Station-Id = "B8-E8-56-41-2C-2A"(10) Connect-Info = "CONNECT 54 Mbps 802.11g"(10) NAS-Identifier = "AP-domain01"(10) NAS-Port-Type = Wireless-802.11(10) Framed-MTU = 1500(10) EAP-Message = 0x0209002b190017030100209f64c67a9a32761683b0d21eb6f28bfb8a42fa0a50d6ef3dfbf3815d7511e4a1(10) Message-Authenticator = 0x26f3267a7372bfa1b0f71a27ccba5c9f(10) session-state: No cached attributes(10) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/domain(10) authorize {(10) [files] = noop(10) [preprocess] = ok(10) suffix: Checking for suffix after "@"(10) suffix: No '@' in User-Name = "test", looking up realm NULL(10) suffix: No such realm "NULL"(10) [suffix] = noop(10) eap: Peer sent EAP Response (code 2) ID 9 length 43(10) eap: Continuing tunnel setup(10) [eap] = ok(10) } # authorize = ok(10) Found Auth-Type = EAP(10) # Executing group from file /usr/local/etc/raddb/sites-enabled/domain(10) authenticate {(10) eap: Expiring EAP session with state 0x714e61bf764778fd(10) eap: Finished EAP session with state 0x714e61bf764778fd(10) eap: Previous EAP request found for state 0x714e61bf764778fd, released from the list(10) eap: Peer sent packet with method EAP PEAP (25)(10) eap: Calling submodule eap_peap to process data(10) eap_peap: Continuing EAP-TLS(10) eap_peap: [eaptls verify] = ok(10) eap_peap: Done initial handshake(10) eap_peap: [eaptls process] = ok(10) eap_peap: Session established. Decoding tunneled attributes(10) eap_peap: PEAP state send tlv failure(10) eap_peap: Received EAP-TLV response(10) eap_peap: The users session was previously rejected: returning reject (again.)(10) eap_peap: This means you need to read the PREVIOUS messages in the debug output(10) eap_peap: to find out the reason why the user was rejected(10) eap_peap: Look for "reject" or "fail". Those earlier messages will tell you(10) eap_peap: what went wrong, and how to fix the problem(10) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed(10) eap: Sending EAP Failure (code 4) ID 9 length 4(10) eap: Failed in EAP select(10) [eap] = invalid(10) } # authenticate = invalid(10) Failed to authenticate the user(10) Using Post-Auth-Type Reject(10) Post-Auth-Type sub-section not found. Ignoring.(10) Delaying response for 1.000000 secondsWaking up in 0.3 seconds.Waking up in 0.6 seconds.(10) Sending delayed response(10) Sent Access-Reject Id 10 from 192.168.8.27:1812 to 192.168.2.250:3072 length 44(10) EAP-Message = 0x04090004(10) Message-Authenticator = 0x00000000000000000000000000000000Waking up in 3.9 seconds.(9) Cleaning up request packet ID 14 with timestamp +211(10) Cleaning up request packet ID 10 with timestamp +211Ready to process requests
default site:
server default {
listen { type = auth ipaddr = * port = 0# clients = per_socket_clients
limit { max_connections = 0 lifetime = 0 idle_timeout = 30 }}
listen { ipaddr = * port = 0 type = acct# interface = eth0# clients = per_socket_clients
limit { idle_timeout = 0 lifetime = 0 max_connections = 0 }}
authorize { files preprocess suffix eap { ok = return } expiration logintime
}
authenticate { eap}
preacct {}
accounting { detail sql_domain}
session { radutmp sql_domain}
post-auth {}
pre-proxy {}
post-proxy {}}
inner-tunnel site:server inner-tunnel {
listen { ipaddr = 127.0.0.1 port = 18120 type = auth}
authorize { files mschap suffix update control { Proxy-To-Realm := LOCAL } eap { ok = return } expiration logintime ldap_domain if ((ok || updated) && User-Password) { update { control:Auth-Type := ldap } } pap if (User-Password) { update control { Auth-Type := ldap } }}
authenticate { Auth-Type PAP { #ldap_domain pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } Auth-Type LDAP { ldap_domain } ldap_domain eap}
session { radutmp}
post-auth {}
pre-proxy {}
post-proxy {}}
eap configuration:
eap {default_eap_type = peaptimer_expire = 60ignore_unknown_eap_types = nocisco_accounting_username_bug = nomax_sessions = ${max_requests}md5 {}
leap {}
gtc { auth_type = PAP}
tls-config tls-common { private_key_password = whatever private_key_file = ${certdir}/nedeco/aaa.nedeco.local.key certificate_file = ${certdir}/nedeco/aaa.nedeco.local.pem ca_file = ${cadir}/nedeco/nedeco_CA.pem dh_file = ${certdir}/dh random_file = /dev/urandom ca_path = ${cadir} cipher_list = "DEFAULT" ecdh_curve = "prime256v1" cache { enable = no lifetime = 24 # hours max_entries = 255 }
verify { }
ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" }}
tls { tls = tls-common}
ttls {}
peap { tls = tls-common default_eap_type = mschapv2 copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = no virtual_server = "inner-tunnel"}
mschapv2 {}}
the chap configuration:
chap {# no configuration}
the mschap configuration
mschap {use_mppe = yesrequire_encryption = yesrequire_strong = yeswith_ntdomain_hack = yespool {start = ${thread[pool].start_servers}min = ${thread[pool].min_spare_servers}max = ${thread[pool].max_servers}spare = ${thread[pool].max_spare_servers}uses = 0retry_delay = 30lifetime = 86400cleanup_interval = 300idle_timeout = 600}
passchange {}retry_msg = "Re-enter (or reset) the password"}
ldap configuration:
ldap ldap_domain {server = 'dc.domain.local'port = 389identity = 'cn=Administrator,cn=Users,dc=domain,dc=local'password = passwordbase_dn = 'cn=Users,dc=domain,dc=local'
sasl { realm = 'domain.local'}
update { control:Password-With-Header += 'userPassword' control:NT-Password := 'ntPassword' control: += 'radiusControlAttribute' request: += 'radiusRequestAttribute' reply: += 'radiusReplyAttribute'}
edir_autz = yes
user { base_dn = "${..base_dn}" filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
sasl { }
scope = 'sub'
}
group { base_dn = "${..base_dn}" filter = '(objectClass=posixGroup)' membership_attribute = 'memberOf'}
profile {}
client { base_dn = "${..base_dn}" filter = '(objectClass=radiusClient)' }
attribute { ipaddr = 'radiusClientIdentifier' secret = 'radiusClientSecret' }}
accounting { reference = "%{tolower:type.%{Acct-Status-Type}}"
type { start { update { description := "Online at %S" } }
interim-update { update { description := "Last seen at %S" } }
stop { update { description := "Offline at %S" } } }}
post-auth { update { description := "Authenticated at %S" }}
options { chase_referrals = yes rebind = yes res_timeout = 10 srv_timelimit = 3 net_timeout = 1 idle = 60 probes = 3 interval = 3 ldap_debug = 0x0028}
tls { start_tls = yes require_cert = 'never'}
pool { start = ${thread[pool].start_servers} min = ${thread[pool].min_spare_servers} max = ${thread[pool].max_servers} spare = ${thread[pool].max_spare_servers} uses = 0 retry_delay = 30 lifetime = 0 idle_timeout = 60}}
radius Version: radiusd: FreeRADIUS Version 3.0.11 (git #7a659a2), for host x86_64-unknown-linux-gnu, built on Oct 7 2015 at 15:23:07
with user bob over console:
(0) Received Access-Request Id 213 from 127.0.0.1:45282 to 127.0.0.1:18120 length 73(0) User-Name = "bob"(0) User-Password = "hello"(0) NAS-IP-Address = 192.168.8.27(0) NAS-Port = 0(0) Message-Authenticator = 0xbed4902174d4f8ff5f36492af1ae51de(0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel-domain(0) authorize {(0) files: users: Matched entry bob at line 69(0) [files] = ok(0) [mschap] = noop(0) suffix: Checking for suffix after "@"(0) suffix: No '@' in User-Name = "bob", looking up realm NULL(0) suffix: No such realm "NULL"(0) [suffix] = noop(0) update control {(0) Proxy-To-Realm := LOCAL(0) } # update control = noop(0) eap: No EAP-Message, not doing EAP(0) [eap] = noop(0) [expiration] = noop(0) [logintime] = nooprlm_ldap (ldap_domain): Reserved connection (0)(0) ldap_domain: EXPAND (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})(0) ldap_domain: --> (sAMAccountName=bob)(0) ldap_domain: Performing search in "cn=Users,dc=domain,dc=local" with filter "(sAMAccountName=bob)", scope "sub"(0) ldap_domain: Waiting for search result...(0) ldap_domain: Search returned no resultsrlm_ldap (ldap_domain): Released connection (0)rlm_ldap (ldap_domain): Need 5 more connections to reach 10 sparesrlm_ldap (ldap_domain): Opening additional connection (5), 1 of 27 pending slots usedrlm_ldap (ldap_domain): Connecting to ldap://dc.domain.local:389rlm_ldap (ldap_domain): Waiting for bind result...rlm_ldap (ldap_domain): Bind successful(0) [ldap_domain] = notfound(0) if ((ok || updated) && User-Password) {(0) if ((ok || updated) && User-Password) -> FALSE(0) [pap] = updated(0) if (User-Password) {(0) if (User-Password) -> TRUE(0) if (User-Password) {(0) update control {(0) Auth-Type := LDAP(0) } # update control = noop(0) } # if (User-Password) = noop(0) } # authorize = updated(0) Found Auth-Type = LDAP(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel-domain(0) Auth-Type LDAP {rlm_ldap (ldap_domain): Reserved connection (1)(0) ldap_domain: Login attempt by "bob"(0) ldap_domain: EXPAND (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})(0) ldap_domain: --> (sAMAccountName=bob)(0) ldap_domain: Performing search in "cn=Users,dc=domain,dc=local" with filter "(sAMAccountName=bob)", scope "sub"(0) ldap_domain: Waiting for search result...(0) ldap_domain: Search returned no resultsrlm_ldap (ldap_domain): Released connection (1)(0) [ldap_domain] = notfound(0) } # Auth-Type LDAP = notfound(0) Failed to authenticate the user(0) Using Post-Auth-Type Reject(0) Post-Auth-Type sub-section not found. Ignoring.(0) Delaying response for 1.000000 secondsWaking up in 0.3 seconds.Waking up in 0.6 seconds.(0) Sending delayed response(0) Sent Access-Reject Id 213 from 127.0.0.1:18120 to 127.0.0.1:45282 length 20Waking up in 3.9 seconds.(0) Cleaning up request packet ID 213 with timestamp +5Ready to process requests
with user bob over AccessPoint:
(1) Received Access-Request Id 155 from 192.168.2.250:3072 to 192.168.8.27:1812 length 176(1) User-Name = "bob"(1) Service-Type = Framed-User(1) NAS-IP-Address = 192.168.2.250(1) NAS-Port = 10(1) NAS-Port-Id = "10"(1) Called-Station-Id = "0E-0B-6B-2F-12-67:domain 8021X"(1) Calling-Station-Id = "B8-E8-56-41-2C-2A"(1) Connect-Info = "CONNECT 54 Mbps 802.11g"(1) NAS-Identifier = "AP-domain01"(1) NAS-Port-Type = Wireless-802.11(1) Framed-MTU = 1500(1) EAP-Message = 0x0201000801626f62(1) Message-Authenticator = 0x4680895a204b3df7d15d82558ff9e6ea(1) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/domain(1) authorize {(1) files: users: Matched entry bob at line 69(1) [files] = ok(1) [preprocess] = ok(1) suffix: Checking for suffix after "@"(1) suffix: No '@' in User-Name = "bob", looking up realm NULL(1) suffix: No such realm "NULL"(1) [suffix] = noop(1) eap: Peer sent EAP Response (code 2) ID 1 length 8(1) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize(1) [eap] = ok(1) } # authorize = ok(1) Found Auth-Type = EAP(1) # Executing group from file /usr/local/etc/raddb/sites-enabled/domain(1) authenticate {(1) eap: Peer sent packet with method EAP Identity (1)(1) eap: Calling submodule eap_peap to process data(1) eap_peap: Initiating new EAP-TLS session(1) eap_peap: [eaptls start] = request(1) eap: Sending EAP Request (code 1) ID 2 length 6(1) eap: EAP session adding &reply:State = 0x7322fa167320e364(1) [eap] = handled(1) } # authenticate = handled(1) Using Post-Auth-Type Challenge(1) Post-Auth-Type sub-section not found. Ignoring.(1) Sent Access-Challenge Id 155 from 192.168.8.27:1812 to 192.168.2.250:3072 length 0(1) EAP-Message = 0x010200061920(1) Message-Authenticator = 0x00000000000000000000000000000000(1) State = 0x7322fa167320e3641bb25e163c98a49d(1) Finished requestWaking up in 4.9 seconds.(2) Received Access-Request Id 219 from 192.168.2.250:3072 to 192.168.8.27:1812 length 338(2) User-Name = "bob"(2) Service-Type = Framed-User(2) NAS-IP-Address = 192.168.2.250(2) NAS-Port = 10(2) NAS-Port-Id = "10"(2) State = 0x7322fa167320e3641bb25e163c98a49d(2) Called-Station-Id = "0E-0B-6B-2F-12-67:domain 8021X"(2) Calling-Station-Id = "B8-E8-56-41-2C-2A"(2) Connect-Info = "CONNECT 54 Mbps 802.11g"(2) NAS-Identifier = "AP-domain01"(2) NAS-Port-Type = Wireless-802.11(2) Framed-MTU = 1500(2) EAP-Message = 0x0202009819800000008e1603010089010000850301561634f097408b8f9058fa38f1f34ce4854696e71aebecb3ae3cd9850b14d4cc00004a00ffc024c023c00ac009c008c028c027c014c013c012c026c025c005c004c003c02ac029c00fc00ec00d006b0067003900330016003d003c0035002f000ac0(2) Message-Authenticator = 0x5309b752e9ed063e669ba97b7c937db8(2) session-state: No cached attributes(2) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/domain(2) authorize {(2) files: users: Matched entry bob at line 69(2) [files] = ok(2) [preprocess] = ok(2) suffix: Checking for suffix after "@"(2) suffix: No '@' in User-Name = "bob", looking up realm NULL(2) suffix: No such realm "NULL"(2) [suffix] = noop(2) eap: Peer sent EAP Response (code 2) ID 2 length 152(2) eap: Continuing tunnel setup(2) [eap] = ok(2) } # authorize = ok(2) Found Auth-Type = EAP(2) # Executing group from file /usr/local/etc/raddb/sites-enabled/domain(2) authenticate {(2) eap: Expiring EAP session with state 0x7322fa167320e364(2) eap: Finished EAP session with state 0x7322fa167320e364(2) eap: Previous EAP request found for state 0x7322fa167320e364, released from the list(2) eap: Peer sent packet with method EAP PEAP (25)(2) eap: Calling submodule eap_peap to process data(2) eap_peap: Continuing EAP-TLS(2) eap_peap: Peer indicated complete TLS record size will be 142 bytes(2) eap_peap: Got complete TLS record (142 bytes)(2) eap_peap: [eaptls verify] = length included(2) eap_peap: (other): before/accept initialization(2) eap_peap: TLS_accept: before/accept initialization(2) eap_peap: <<< TLS 1.0 Handshake [length 0089], ClientHello(2) eap_peap: TLS_accept: SSLv3 read client hello A(2) eap_peap: >>> TLS 1.0 Handshake [length 0039], ServerHello(2) eap_peap: TLS_accept: SSLv3 write server hello A(2) eap_peap: >>> TLS 1.0 Handshake [length 0964], Certificate(2) eap_peap: TLS_accept: SSLv3 write certificate A(2) eap_peap: >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange(2) eap_peap: TLS_accept: SSLv3 write key exchange A(2) eap_peap: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone(2) eap_peap: TLS_accept: SSLv3 write server done A(2) eap_peap: TLS_accept: SSLv3 flush data(2) eap_peap: TLS_accept: Need to read more data: SSLv3 read client certificate A(2) eap_peap: TLS_accept: Need to read more data: SSLv3 read client certificate A(2) eap_peap: In SSL Handshake Phase(2) eap_peap: In SSL Accept mode(2) eap_peap: [eaptls process] = handled(2) eap: Sending EAP Request (code 1) ID 3 length 1004(2) eap: EAP session adding &reply:State = 0x7322fa167221e364(2) [eap] = handled(2) } # authenticate = handled(2) Using Post-Auth-Type Challenge(2) Post-Auth-Type sub-section not found. Ignoring.(2) Sent Access-Challenge Id 219 from 192.168.8.27:1812 to 192.168.2.250:3072 length 0(2) EAP-Message = 0x010303ec19c000000b001603010039020000350301da2dfe903d7c37a7634c8742deb0c9de5ef2b5d7f4c0d4d8d1697deec243cc5600c01400000dff01000100000b00040300010216030109640b00096000095d0005a7308205a33082048ba0030201020213720000003379461d9f383b20c900010000(2) Message-Authenticator = 0x00000000000000000000000000000000(2) State = 0x7322fa167221e3641bb25e163c98a49d(2) Finished requestWaking up in 4.9 seconds.(1) Cleaning up request packet ID 155 with timestamp +61(2) Cleaning up request packet ID 219 with timestamp +61Ready to process requests(3) Received Access-Request Id 54 from 192.168.2.250:3072 to 192.168.8.27:1812 length 192(3) User-Name = "bob"(3) Service-Type = Framed-User(3) NAS-IP-Address = 192.168.2.250(3) NAS-Port = 10(3) NAS-Port-Id = "10"(3) State = 0x7322fa167221e3641bb25e163c98a49d(3) Called-Station-Id = "0E-0B-6B-2F-12-67:domain 8021X"(3) Calling-Station-Id = "B8-E8-56-41-2C-2A"(3) Connect-Info = "CONNECT 54 Mbps 802.11g"(3) NAS-Identifier = "AP-domain01"(3) NAS-Port-Type = Wireless-802.11(3) Framed-MTU = 1500(3) EAP-Message = 0x020300061900(3) Message-Authenticator = 0xa70b8b8371dc21e4a3352e99bad8a487(3) session-state: No cached attributes(3) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/domain(3) authorize {(3) files: users: Matched entry bob at line 69(3) [files] = ok(3) [preprocess] = ok(3) suffix: Checking for suffix after "@"(3) suffix: No '@' in User-Name = "bob", looking up realm NULL(3) suffix: No such realm "NULL"(3) [suffix] = noop(3) eap: Peer sent EAP Response (code 2) ID 3 length 6(3) eap: Continuing tunnel setup(3) [eap] = ok(3) } # authorize = ok(3) Found Auth-Type = EAP(3) # Executing group from file /usr/local/etc/raddb/sites-enabled/domain(3) authenticate {(3) eap: Expiring EAP session with state 0x7322fa167221e364(3) eap: Finished EAP session with state 0x7322fa167221e364(3) eap: Previous EAP request found for state 0x7322fa167221e364, released from the list(3) eap: Peer sent packet with method EAP PEAP (25)(3) eap: Calling submodule eap_peap to process data(3) eap_peap: Continuing EAP-TLS(3) eap_peap: Peer ACKed our handshake fragment(3) eap_peap: [eaptls verify] = request(3) eap_peap: [eaptls process] = handled(3) eap: Sending EAP Request (code 1) ID 4 length 1000(3) eap: EAP session adding &reply:State = 0x7322fa167126e364(3) [eap] = handled(3) } # authenticate = handled(3) Using Post-Auth-Type Challenge(3) Post-Auth-Type sub-section not found. Ignoring.(3) Sent Access-Challenge Id 54 from 192.168.8.27:1812 to 192.168.2.250:3072 length 0(3) EAP-Message = 0x010403e81940b53081b206082b060105050730028681a56c6461703a2f2f2f434e3d6e656465636f253230476d624825323043412c434e3d4149412c434e3d5075626c69632532304b657925323053657276696365732c434e3d53657276696365732c434e3d436f6e66696775726174696f6e2c44433d(3) Message-Authenticator = 0x00000000000000000000000000000000(3) State = 0x7322fa167126e3641bb25e163c98a49d(3) Finished requestWaking up in 4.9 seconds.(4) Received Access-Request Id 29 from 192.168.2.250:3072 to 192.168.8.27:1812 length 192(4) User-Name = "bob"(4) Service-Type = Framed-User(4) NAS-IP-Address = 192.168.2.250(4) NAS-Port = 10(4) NAS-Port-Id = "10"(4) State = 0x7322fa167126e3641bb25e163c98a49d(4) Called-Station-Id = "0E-0B-6B-2F-12-67:domain 8021X"(4) Calling-Station-Id = "B8-E8-56-41-2C-2A"(4) Connect-Info = "CONNECT 54 Mbps 802.11g"(4) NAS-Identifier = "AP-domain01"(4) NAS-Port-Type = Wireless-802.11(4) Framed-MTU = 1500(4) EAP-Message = 0x020400061900(4) Message-Authenticator = 0x841ce2c1c9b797b25c3aff5bba5e059d(4) session-state: No cached attributes(4) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/domain(4) authorize {(4) files: users: Matched entry bob at line 69(4) [files] = ok(4) [preprocess] = ok(4) suffix: Checking for suffix after "@"(4) suffix: No '@' in User-Name = "bob", looking up realm NULL(4) suffix: No such realm "NULL"(4) [suffix] = noop(4) eap: Peer sent EAP Response (code 2) ID 4 length 6(4) eap: Continuing tunnel setup(4) [eap] = ok(4) } # authorize = ok(4) Found Auth-Type = EAP(4) # Executing group from file /usr/local/etc/raddb/sites-enabled/domain(4) authenticate {(4) eap: Expiring EAP session with state 0x7322fa167126e364(4) eap: Finished EAP session with state 0x7322fa167126e364(4) eap: Previous EAP request found for state 0x7322fa167126e364, released from the list(4) eap: Peer sent packet with method EAP PEAP (25)(4) eap: Calling submodule eap_peap to process data(4) eap_peap: Continuing EAP-TLS(4) eap_peap: Peer ACKed our handshake fragment(4) eap_peap: [eaptls verify] = request(4) eap_peap: [eaptls process] = handled(4) eap: Sending EAP Request (code 1) ID 5 length 834(4) eap: EAP session adding &reply:State = 0x7322fa167027e364(4) [eap] = handled(4) } # authenticate = handled(4) Using Post-Auth-Type Challenge(4) Post-Auth-Type sub-section not found. Ignoring.(4) Sent Access-Challenge Id 29 from 192.168.8.27:1812 to 192.168.2.250:3072 length 0(4) EAP-Message = 0x01050342190068d99b627f3ca6561e6c1dcd0e8bb529b85d2515a36c2ba6f906ee9a223e619decfff2f24ef8674307735d591964d50ac988776a55970203010001a3819130818e301306092b060104018237140204061e0400430041300e0603551d0f0101ff040403020186300f0603551d130101ff04(4) Message-Authenticator = 0x00000000000000000000000000000000(4) State = 0x7322fa167027e3641bb25e163c98a49d(4) Finished requestWaking up in 4.9 seconds.(5) Received Access-Request Id 215 from 192.168.2.250:3072 to 192.168.8.27:1812 length 330(5) User-Name = "bob"(5) Service-Type = Framed-User(5) NAS-IP-Address = 192.168.2.250(5) NAS-Port = 10(5) NAS-Port-Id = "10"(5) State = 0x7322fa167027e3641bb25e163c98a49d(5) Called-Station-Id = "0E-0B-6B-2F-12-67:domain 8021X"(5) Calling-Station-Id = "B8-E8-56-41-2C-2A"(5) Connect-Info = "CONNECT 54 Mbps 802.11g"(5) NAS-Identifier = "AP-domain01"(5) NAS-Port-Type = Wireless-802.11(5) Framed-MTU = 1500(5) EAP-Message = 0x0205009019800000008616030100461000004241048075a5ca05d012d0fd77b0f9e1664c5ce577eda72a1368e0a8e78fd9072b0a6e04ce9f7f3cb1339ca9fd58bdc40e0afce833807f1c4035e532e91d07e8d45fdb1403010001011603010030bff39ef9cf9a0400269ae5fd8888ba5c4940b72599bca5(5) Message-Authenticator = 0xfaa49416d762fdf0846428951f176829(5) session-state: No cached attributes(5) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/domain(5) authorize {(5) files: users: Matched entry bob at line 69(5) [files] = ok(5) [preprocess] = ok(5) suffix: Checking for suffix after "@"(5) suffix: No '@' in User-Name = "bob", looking up realm NULL(5) suffix: No such realm "NULL"(5) [suffix] = noop(5) eap: Peer sent EAP Response (code 2) ID 5 length 144(5) eap: Continuing tunnel setup(5) [eap] = ok(5) } # authorize = ok(5) Found Auth-Type = EAP(5) # Executing group from file /usr/local/etc/raddb/sites-enabled/domain(5) authenticate {(5) eap: Expiring EAP session with state 0x7322fa167027e364(5) eap: Finished EAP session with state 0x7322fa167027e364(5) eap: Previous EAP request found for state 0x7322fa167027e364, released from the list(5) eap: Peer sent packet with method EAP PEAP (25)(5) eap: Calling submodule eap_peap to process data(5) eap_peap: Continuing EAP-TLS(5) eap_peap: Peer indicated complete TLS record size will be 134 bytes(5) eap_peap: Got complete TLS record (134 bytes)(5) eap_peap: [eaptls verify] = length included(5) eap_peap: <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange(5) eap_peap: TLS_accept: SSLv3 read client key exchange A(5) eap_peap: <<< TLS 1.0 ChangeCipherSpec length 0001 eap_peap: <<< TLS 1.0 Handshake [length 0010], Finished(5) eap_peap: TLS_accept: SSLv3 read finished A(5) eap_peap: >>> TLS 1.0 ChangeCipherSpec length 0001 eap_peap: TLS_accept: SSLv3 write change cipher spec A(5) eap_peap: >>> TLS 1.0 Handshake [length 0010], Finished(5) eap_peap: TLS_accept: SSLv3 write finished A(5) eap_peap: TLS_accept: SSLv3 flush data(5) eap_peap: (other): SSL negotiation finished successfully(5) eap_peap: SSL Connection Established(5) eap_peap: [eaptls process] = handled(5) eap: Sending EAP Request (code 1) ID 6 length 65(5) eap: EAP session adding &reply:State = 0x7322fa167724e364(5) [eap] = handled(5) } # authenticate = handled(5) Using Post-Auth-Type Challenge(5) Post-Auth-Type sub-section not found. Ignoring.(5) Sent Access-Challenge Id 215 from 192.168.8.27:1812 to 192.168.2.250:3072 length 0(5) EAP-Message = 0x010600411900140301000101160301003055bf61e75ec8b42df54cc0a1eab6dd5e274dd8db872c3a18e2616a373eda384dcffbfa8de45423ccb8890ee689f1f4cb(5) Message-Authenticator = 0x00000000000000000000000000000000(5) State = 0x7322fa167724e3641bb25e163c98a49d(5) Finished requestWaking up in 4.8 seconds.(6) Received Access-Request Id 116 from 192.168.2.250:3072 to 192.168.8.27:1812 length 192(6) User-Name = "bob"(6) Service-Type = Framed-User(6) NAS-IP-Address = 192.168.2.250(6) NAS-Port = 10(6) NAS-Port-Id = "10"(6) State = 0x7322fa167724e3641bb25e163c98a49d(6) Called-Station-Id = "0E-0B-6B-2F-12-67:domain 8021X"(6) Calling-Station-Id = "B8-E8-56-41-2C-2A"(6) Connect-Info = "CONNECT 54 Mbps 802.11g"(6) NAS-Identifier = "AP-domain01"(6) NAS-Port-Type = Wireless-802.11(6) Framed-MTU = 1500(6) EAP-Message = 0x020600061900(6) Message-Authenticator = 0xb468a031e9e011addea02301e58313cb(6) session-state: No cached attributes(6) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/domain(6) authorize {(6) files: users: Matched entry bob at line 69(6) [files] = ok(6) [preprocess] = ok(6) suffix: Checking for suffix after "@"(6) suffix: No '@' in User-Name = "bob", looking up realm NULL(6) suffix: No such realm "NULL"(6) [suffix] = noop(6) eap: Peer sent EAP Response (code 2) ID 6 length 6(6) eap: Continuing tunnel setup(6) [eap] = ok(6) } # authorize = ok(6) Found Auth-Type = EAP(6) # Executing group from file /usr/local/etc/raddb/sites-enabled/domain(6) authenticate {(6) eap: Expiring EAP session with state 0x7322fa167724e364(6) eap: Finished EAP session with state 0x7322fa167724e364(6) eap: Previous EAP request found for state 0x7322fa167724e364, released from the list(6) eap: Peer sent packet with method EAP PEAP (25)(6) eap: Calling submodule eap_peap to process data(6) eap_peap: Continuing EAP-TLS(6) eap_peap: Peer ACKed our handshake fragment. handshake is finished(6) eap_peap: [eaptls verify] = success(6) eap_peap: [eaptls process] = success(6) eap_peap: Session established. Decoding tunneled attributes(6) eap_peap: PEAP state TUNNEL ESTABLISHED(6) eap: Sending EAP Request (code 1) ID 7 length 43(6) eap: EAP session adding &reply:State = 0x7322fa167625e364(6) [eap] = handled(6) } # authenticate = handled(6) Using Post-Auth-Type Challenge(6) Post-Auth-Type sub-section not found. Ignoring.(6) Sent Access-Challenge Id 116 from 192.168.8.27:1812 to 192.168.2.250:3072 length 0(6) EAP-Message = 0x0107002b19001703010020ba0b3d2b7d949cf1727c708a6c6ac8606201ef325b4408284fbf4115ccf1e60c(6) Message-Authenticator = 0x00000000000000000000000000000000(6) State = 0x7322fa167625e3641bb25e163c98a49d(6) Finished requestWaking up in 4.8 seconds.(7) Received Access-Request Id 108 from 192.168.2.250:3072 to 192.168.8.27:1812 length 229(7) User-Name = "bob"(7) Service-Type = Framed-User(7) NAS-IP-Address = 192.168.2.250(7) NAS-Port = 10(7) NAS-Port-Id = "10"(7) State = 0x7322fa167625e3641bb25e163c98a49d(7) Called-Station-Id = "0E-0B-6B-2F-12-67:domain 8021X"(7) Calling-Station-Id = "B8-E8-56-41-2C-2A"(7) Connect-Info = "CONNECT 54 Mbps 802.11g"(7) NAS-Identifier = "AP-domain01"(7) NAS-Port-Type = Wireless-802.11(7) Framed-MTU = 1500(7) EAP-Message = 0x0207002b190017030100205db45e564856f45f7af7cc0f3ec2e54ef3aab9a99f6cb2d9944b2c53980f0bde(7) Message-Authenticator = 0xd2092e590023b1e9af89a2d5f9927801(7) session-state: No cached attributes(7) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/domain(7) authorize {(7) files: users: Matched entry bob at line 69(7) [files] = ok(7) [preprocess] = ok(7) suffix: Checking for suffix after "@"(7) suffix: No '@' in User-Name = "bob", looking up realm NULL(7) suffix: No such realm "NULL"(7) [suffix] = noop(7) eap: Peer sent EAP Response (code 2) ID 7 length 43(7) eap: Continuing tunnel setup(7) [eap] = ok(7) } # authorize = ok(7) Found Auth-Type = EAP(7) # Executing group from file /usr/local/etc/raddb/sites-enabled/domain(7) authenticate {(7) eap: Expiring EAP session with state 0x7322fa167625e364(7) eap: Finished EAP session with state 0x7322fa167625e364(7) eap: Previous EAP request found for state 0x7322fa167625e364, released from the list(7) eap: Peer sent packet with method EAP PEAP (25)(7) eap: Calling submodule eap_peap to process data(7) eap_peap: Continuing EAP-TLS(7) eap_peap: [eaptls verify] = ok(7) eap_peap: Done initial handshake(7) eap_peap: [eaptls process] = ok(7) eap_peap: Session established. Decoding tunneled attributes(7) eap_peap: PEAP state WAITING FOR INNER IDENTITY(7) eap_peap: Identity - bob(7) eap_peap: Got inner identity 'bob'(7) eap_peap: Setting default EAP type for tunneled EAP session(7) eap_peap: Got tunneled request(7) eap_peap: EAP-Message = 0x0207000801626f62(7) eap_peap: Setting User-Name to bob(7) eap_peap: Sending tunneled request to inner-tunnel(7) eap_peap: EAP-Message = 0x0207000801626f62(7) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1(7) eap_peap: User-Name = "bob"(7) Virtual server inner-tunnel received request(7) EAP-Message = 0x0207000801626f62(7) FreeRADIUS-Proxied-To = 127.0.0.1(7) User-Name = "bob"(7) server inner-tunnel {(7) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel-domain(7) authorize {(7) files: users: Matched entry bob at line 69(7) [files] = ok(7) [mschap] = noop(7) suffix: Checking for suffix after "@"(7) suffix: No '@' in User-Name = "bob", looking up realm NULL(7) suffix: No such realm "NULL"(7) [suffix] = noop(7) update control {(7) Proxy-To-Realm := LOCAL(7) } # update control = noop(7) eap: Peer sent EAP Response (code 2) ID 7 length 8(7) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize(7) [eap] = ok(7) } # authorize = ok(7) Found Auth-Type = EAP(7) # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel-domain(7) authenticate {(7) eap: Peer sent packet with method EAP Identity (1)(7) eap: Calling submodule eap_mschapv2 to process data(7) eap_mschapv2: Issuing Challenge(7) eap: Sending EAP Request (code 1) ID 8 length 43(7) eap: EAP session adding &reply:State = 0xa0773c37a07f2697(7) [eap] = handled(7) } # authenticate = handled(7) } # server inner-tunnel(7) Virtual server sending reply(7) EAP-Message = 0x0108002b1a0108002610499c5c634fd1c53afcf63e2a20dc0dbd667265657261646975732d332e302e3131(7) Message-Authenticator = 0x00000000000000000000000000000000(7) State = 0xa0773c37a07f269794c91e639bc0d99c(7) eap_peap: Got tunneled reply code 11(7) eap_peap: EAP-Message = 0x0108002b1a0108002610499c5c634fd1c53afcf63e2a20dc0dbd667265657261646975732d332e302e3131(7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000(7) eap_peap: State = 0xa0773c37a07f269794c91e639bc0d99c(7) eap_peap: Got tunneled reply RADIUS code 11(7) eap_peap: EAP-Message = 0x0108002b1a0108002610499c5c634fd1c53afcf63e2a20dc0dbd667265657261646975732d332e302e3131(7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000(7) eap_peap: State = 0xa0773c37a07f269794c91e639bc0d99c(7) eap_peap: Got tunneled Access-Challenge(7) eap: Sending EAP Request (code 1) ID 8 length 75(7) eap: EAP session adding &reply:State = 0x7322fa16752ae364(7) [eap] = handled(7) } # authenticate = handled(7) Using Post-Auth-Type Challenge(7) Post-Auth-Type sub-section not found. Ignoring.(7) Sent Access-Challenge Id 108 from 192.168.8.27:1812 to 192.168.2.250:3072 length 0(7) EAP-Message = 0x0108004b19001703010040d8e4f8be725dc18720efdaf547282b5b876c26c5fdbea8c05f380bf87ea452cdf6938d2793528a14f784d70ad64f66ebcb6998cae0cdb2ec340b208caf7adddc(7) Message-Authenticator = 0x00000000000000000000000000000000(7) State = 0x7322fa16752ae3641bb25e163c98a49d(7) Finished requestWaking up in 4.8 seconds.(8) Received Access-Request Id 50 from 192.168.2.250:3072 to 192.168.8.27:1812 length 277(8) User-Name = "bob"(8) Service-Type = Framed-User(8) NAS-IP-Address = 192.168.2.250(8) NAS-Port = 10(8) NAS-Port-Id = "10"(8) State = 0x7322fa16752ae3641bb25e163c98a49d(8) Called-Station-Id = "0E-0B-6B-2F-12-67:domain 8021X"(8) Calling-Station-Id = "B8-E8-56-41-2C-2A"(8) Connect-Info = "CONNECT 54 Mbps 802.11g"(8) NAS-Identifier = "AP-domain01"(8) NAS-Port-Type = Wireless-802.11(8) Framed-MTU = 1500(8) EAP-Message = 0x0208005b1900170301005035d828d77a9cd3611fc5b79937ff5a2749a2d013a332137a52fe3a206717cde550258b9914956f0b2f88dd7f4491d6d52e7b97a1fd99e59010b7e346d7692d768748d8d8efb3995a7d8d58863b0e3c9f(8) Message-Authenticator = 0x27a3860baf38d3fd1d0e7f85c85a398e(8) session-state: No cached attributes(8) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/domain(8) authorize {(8) files: users: Matched entry bob at line 69(8) [files] = ok(8) [preprocess] = ok(8) suffix: Checking for suffix after "@"(8) suffix: No '@' in User-Name = "bob", looking up realm NULL(8) suffix: No such realm "NULL"(8) [suffix] = noop(8) eap: Peer sent EAP Response (code 2) ID 8 length 91(8) eap: Continuing tunnel setup(8) [eap] = ok(8) } # authorize = ok(8) Found Auth-Type = EAP(8) # Executing group from file /usr/local/etc/raddb/sites-enabled/domain(8) authenticate {(8) eap: Expiring EAP session with state 0xa0773c37a07f2697(8) eap: Finished EAP session with state 0x7322fa16752ae364(8) eap: Previous EAP request found for state 0x7322fa16752ae364, released from the list(8) eap: Peer sent packet with method EAP PEAP (25)(8) eap: Calling submodule eap_peap to process data(8) eap_peap: Continuing EAP-TLS(8) eap_peap: [eaptls verify] = ok(8) eap_peap: Done initial handshake(8) eap_peap: [eaptls process] = ok(8) eap_peap: Session established. Decoding tunneled attributes(8) eap_peap: PEAP state phase2(8) eap_peap: EAP method MSCHAPv2 (26)(8) eap_peap: Got tunneled request(8) eap_peap: EAP-Message = 0x0208003e1a02080039318c4c5187cb6d3acc25374e1a666c6ebd00000000000000005c626c4605277cd81e771f53707290714956dfed703aa31a00626f62(8) eap_peap: Setting User-Name to bob(8) eap_peap: Sending tunneled request to inner-tunnel(8) eap_peap: EAP-Message = 0x0208003e1a02080039318c4c5187cb6d3acc25374e1a666c6ebd00000000000000005c626c4605277cd81e771f53707290714956dfed703aa31a00626f62(8) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1(8) eap_peap: User-Name = "bob"(8) eap_peap: State = 0xa0773c37a07f269794c91e639bc0d99c(8) Virtual server inner-tunnel received request(8) EAP-Message = 0x0208003e1a02080039318c4c5187cb6d3acc25374e1a666c6ebd00000000000000005c626c4605277cd81e771f53707290714956dfed703aa31a00626f62(8) FreeRADIUS-Proxied-To = 127.0.0.1(8) User-Name = "bob"(8) State = 0xa0773c37a07f269794c91e639bc0d99c(8) server inner-tunnel {(8) session-state: No cached attributes(8) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel-domain(8) authorize {(8) files: users: Matched entry bob at line 69(8) [files] = ok(8) [mschap] = noop(8) suffix: Checking for suffix after "@"(8) suffix: No '@' in User-Name = "bob", looking up realm NULL(8) suffix: No such realm "NULL"(8) [suffix] = noop(8) update control {(8) Proxy-To-Realm := LOCAL(8) } # update control = noop(8) eap: Peer sent EAP Response (code 2) ID 8 length 62(8) eap: No EAP Start, assuming it's an on-going EAP conversation(8) [eap] = updated(8) [expiration] = noop(8) [logintime] = nooprlm_ldap (ldap_domain): Closing connection (2): Hit idle_timeout, was idle for 90 secondsrlm_ldap (ldap_domain): Closing connection (3): Hit idle_timeout, was idle for 90 secondsrlm_ldap (ldap_domain): Closing connection (4): Hit idle_timeout, was idle for 90 secondsrlm_ldap (ldap_domain): Closing connection (0): Hit idle_timeout, was idle for 85 secondsrlm_ldap (ldap_domain): You probably need to lower "min"rlm_ldap (ldap_domain): Closing connection (5): Hit idle_timeout, was idle for 85 secondsrlm_ldap (ldap_domain): You probably need to lower "min"rlm_ldap (ldap_domain): Closing connection (1): Hit idle_timeout, was idle for 85 secondsrlm_ldap (ldap_domain): You probably need to lower "min"rlm_ldap (ldap_domain): 0 of 0 connections in use. You may need to increase "spare"rlm_ldap (ldap_domain): Opening additional connection (6), 1 of 32 pending slots usedrlm_ldap (ldap_domain): Connecting to ldap://dc.domain.local:389rlm_ldap (ldap_domain): Waiting for bind result...rlm_ldap (ldap_domain): Bind successfulrlm_ldap (ldap_domain): Reserved connection (6)(8) ldap_domain: EXPAND (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})(8) ldap_domain: --> (sAMAccountName=bob)(8) ldap_domain: Performing search in "cn=Users,dc=domain,dc=local" with filter "(sAMAccountName=bob)", scope "sub"(8) ldap_domain: Waiting for search result...(8) ldap_domain: Search returned no resultsrlm_ldap (ldap_domain): Released connection (6)rlm_ldap (ldap_domain): Need 2 more connections to reach 10 sparesrlm_ldap (ldap_domain): Opening additional connection (7), 1 of 31 pending slots usedrlm_ldap (ldap_domain): Connecting to ldap://dc.domain.local:389rlm_ldap (ldap_domain): Waiting for bind result...rlm_ldap (ldap_domain): Bind successful(8) [ldap_domain] = notfound(8) if ((ok || updated) && User-Password) {(8) if ((ok || updated) && User-Password) -> FALSE(8) pap: WARNING: Auth-Type already set. Not setting to PAP(8) [pap] = noop(8) if (User-Password) {(8) if (User-Password) -> FALSE(8) } # authorize = updated(8) Found Auth-Type = EAP(8) # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel-domain(8) authenticate {(8) eap: Expiring EAP session with state 0xa0773c37a07f2697(8) eap: Finished EAP session with state 0xa0773c37a07f2697(8) eap: Previous EAP request found for state 0xa0773c37a07f2697, released from the list(8) eap: Peer sent packet with method EAP MSCHAPv2 (26)(8) eap: Calling submodule eap_mschapv2 to process data(8) eap_mschapv2: # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel-domain(8) eap_mschapv2: Auth-Type MS-CHAP {(8) mschap: Found Cleartext-Password, hashing to create NT-Password(8) mschap: Found Cleartext-Password, hashing to create LM-Password(8) mschap: Creating challenge hash with username: bob(8) mschap: Client is using MS-CHAPv2(8) mschap: Adding MS-CHAPv2 MPPE keys(8) [mschap] = ok(8) } # Auth-Type MS-CHAP = ok(8) MSCHAP Success(8) eap: Sending EAP Request (code 1) ID 9 length 51(8) eap: EAP session adding &reply:State = 0xa0773c37a17e2697(8) [eap] = handled(8) } # authenticate = handled(8) } # server inner-tunnel(8) Virtual server sending reply(8) EAP-Message = 0x010900331a0308002e533d41303037313532323444323837324439434432334437363345354535313444393146323441424646(8) Message-Authenticator = 0x00000000000000000000000000000000(8) State = 0xa0773c37a17e269794c91e639bc0d99c(8) eap_peap: Got tunneled reply code 11(8) eap_peap: EAP-Message = 0x010900331a0308002e533d41303037313532323444323837324439434432334437363345354535313444393146323441424646(8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000(8) eap_peap: State = 0xa0773c37a17e269794c91e639bc0d99c(8) eap_peap: Got tunneled reply RADIUS code 11(8) eap_peap: EAP-Message = 0x010900331a0308002e533d41303037313532323444323837324439434432334437363345354535313444393146323441424646(8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000(8) eap_peap: State = 0xa0773c37a17e269794c91e639bc0d99c(8) eap_peap: Got tunneled Access-Challenge(8) eap: Sending EAP Request (code 1) ID 9 length 91(8) eap: EAP session adding &reply:State = 0x7322fa16742be364(8) [eap] = handled(8) } # authenticate = handled(8) Using Post-Auth-Type Challenge(8) Post-Auth-Type sub-section not found. Ignoring.(8) Sent Access-Challenge Id 50 from 192.168.8.27:1812 to 192.168.2.250:3072 length 0(8) EAP-Message = 0x0109005b19001703010050859ea345fa5ac6b144a9e42ed8bff28f0b2320a237ac8370d029cb70f52d482a0d76da88b813e4df36252cb6397300ec8d8d78b8622e934b5283b40ee5a8abe75b64b6667666fd21f0cac5fcc60f98ed(8) Message-Authenticator = 0x00000000000000000000000000000000(8) State = 0x7322fa16742be3641bb25e163c98a49d(8) Finished requestWaking up in 4.7 seconds.(9) Received Access-Request Id 168 from 192.168.2.250:3072 to 192.168.8.27:1812 length 229(9) User-Name = "bob"(9) Service-Type = Framed-User(9) NAS-IP-Address = 192.168.2.250(9) NAS-Port = 10(9) NAS-Port-Id = "10"(9) State = 0x7322fa16742be3641bb25e163c98a49d(9) Called-Station-Id = "0E-0B-6B-2F-12-67:domain 8021X"(9) Calling-Station-Id = "B8-E8-56-41-2C-2A"(9) Connect-Info = "CONNECT 54 Mbps 802.11g"(9) NAS-Identifier = "AP-domain01"(9) NAS-Port-Type = Wireless-802.11(9) Framed-MTU = 1500(9) EAP-Message = 0x0209002b19001703010020ef0b01a2e1a2ce59b84fcd3a36f6101ad280a2da6de9e3034ee1142fd2c2d87b(9) Message-Authenticator = 0xcbef8a5238f2450a86714781617cb91e(9) session-state: No cached attributes(9) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/domain(9) authorize {(9) files: users: Matched entry bob at line 69(9) [files] = ok(9) [preprocess] = ok(9) suffix: Checking for suffix after "@"(9) suffix: No '@' in User-Name = "bob", looking up realm NULL(9) suffix: No such realm "NULL"(9) [suffix] = noop(9) eap: Peer sent EAP Response (code 2) ID 9 length 43(9) eap: Continuing tunnel setup(9) [eap] = ok(9) } # authorize = ok(9) Found Auth-Type = EAP(9) # Executing group from file /usr/local/etc/raddb/sites-enabled/domain(9) authenticate {(9) eap: Expiring EAP session with state 0xa0773c37a17e2697(9) eap: Finished EAP session with state 0x7322fa16742be364(9) eap: Previous EAP request found for state 0x7322fa16742be364, released from the list(9) eap: Peer sent packet with method EAP PEAP (25)(9) eap: Calling submodule eap_peap to process data(9) eap_peap: Continuing EAP-TLS(9) eap_peap: [eaptls verify] = ok(9) eap_peap: Done initial handshake(9) eap_peap: [eaptls process] = ok(9) eap_peap: Session established. Decoding tunneled attributes(9) eap_peap: PEAP state phase2(9) eap_peap: EAP method MSCHAPv2 (26)(9) eap_peap: Got tunneled request(9) eap_peap: EAP-Message = 0x020900061a03(9) eap_peap: Setting User-Name to bob(9) eap_peap: Sending tunneled request to inner-tunnel(9) eap_peap: EAP-Message = 0x020900061a03(9) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1(9) eap_peap: User-Name = "bob"(9) eap_peap: State = 0xa0773c37a17e269794c91e639bc0d99c(9) Virtual server inner-tunnel received request(9) EAP-Message = 0x020900061a03(9) FreeRADIUS-Proxied-To = 127.0.0.1(9) User-Name = "bob"(9) State = 0xa0773c37a17e269794c91e639bc0d99c(9) server inner-tunnel {(9) session-state: No cached attributes(9) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel-domain(9) authorize {(9) files: users: Matched entry bob at line 69(9) [files] = ok(9) [mschap] = noop(9) suffix: Checking for suffix after "@"(9) suffix: No '@' in User-Name = "bob", looking up realm NULL(9) suffix: No such realm "NULL"(9) [suffix] = noop(9) update control {(9) Proxy-To-Realm := LOCAL(9) } # update control = noop(9) eap: Peer sent EAP Response (code 2) ID 9 length 6(9) eap: No EAP Start, assuming it's an on-going EAP conversation(9) [eap] = updated(9) [expiration] = noop(9) [logintime] = nooprlm_ldap (ldap_domain): Reserved connection (6)(9) ldap_domain: EXPAND (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})(9) ldap_domain: --> (sAMAccountName=bob)(9) ldap_domain: Performing search in "cn=Users,dc=domain,dc=local" with filter "(sAMAccountName=bob)", scope "sub"(9) ldap_domain: Waiting for search result...(9) ldap_domain: Search returned no resultsrlm_ldap (ldap_domain): Released connection (6)(9) [ldap_domain] = notfound(9) if ((ok || updated) && User-Password) {(9) if ((ok || updated) && User-Password) -> FALSE(9) pap: WARNING: Auth-Type already set. Not setting to PAP(9) [pap] = noop(9) if (User-Password) {(9) if (User-Password) -> FALSE(9) } # authorize = updated(9) Found Auth-Type = EAP(9) # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel-domain(9) authenticate {(9) eap: Expiring EAP session with state 0xa0773c37a17e2697(9) eap: Finished EAP session with state 0xa0773c37a17e2697(9) eap: Previous EAP request found for state 0xa0773c37a17e2697, released from the list(9) eap: Peer sent packet with method EAP MSCHAPv2 (26)(9) eap: Calling submodule eap_mschapv2 to process data(9) eap: Sending EAP Success (code 3) ID 9 length 4(9) eap: Freeing handler(9) [eap] = ok(9) } # authenticate = ok(9) } # server inner-tunnel(9) Virtual server sending reply(9) MS-MPPE-Encryption-Policy = Encryption-Required(9) MS-MPPE-Encryption-Types = 4(9) MS-MPPE-Send-Key = 0xc40f7d178a19b383691a863644016790(9) MS-MPPE-Recv-Key = 0x1f490d8645a1a87f762bc38738f37149(9) EAP-Message = 0x03090004(9) Message-Authenticator = 0x00000000000000000000000000000000(9) User-Name = "bob"(9) eap_peap: Got tunneled reply code 2(9) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Required(9) eap_peap: MS-MPPE-Encryption-Types = 4(9) eap_peap: MS-MPPE-Send-Key = 0xc40f7d178a19b383691a863644016790(9) eap_peap: MS-MPPE-Recv-Key = 0x1f490d8645a1a87f762bc38738f37149(9) eap_peap: EAP-Message = 0x03090004(9) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000(9) eap_peap: User-Name = "bob"(9) eap_peap: Got tunneled reply RADIUS code 2(9) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Required(9) eap_peap: MS-MPPE-Encryption-Types = 4(9) eap_peap: MS-MPPE-Send-Key = 0xc40f7d178a19b383691a863644016790(9) eap_peap: MS-MPPE-Recv-Key = 0x1f490d8645a1a87f762bc38738f37149(9) eap_peap: EAP-Message = 0x03090004(9) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000(9) eap_peap: User-Name = "bob"(9) eap_peap: Tunneled authentication was successful(9) eap_peap: SUCCESS(9) eap: Sending EAP Request (code 1) ID 10 length 43(9) eap: EAP session adding &reply:State = 0x7322fa167b28e364(9) [eap] = handled(9) } # authenticate = handled(9) Using Post-Auth-Type Challenge(9) Post-Auth-Type sub-section not found. Ignoring.(9) Sent Access-Challenge Id 168 from 192.168.8.27:1812 to 192.168.2.250:3072 length 0(9) EAP-Message = 0x010a002b190017030100209ebe5c178129e763273f16ddd56f3f5e123f6a27587c42e7e480f2874b2985ac(9) Message-Authenticator = 0x00000000000000000000000000000000(9) State = 0x7322fa167b28e3641bb25e163c98a49d(9) Finished requestWaking up in 4.7 seconds.(10) Received Access-Request Id 89 from 192.168.2.250:3072 to 192.168.8.27:1812 length 229(10) User-Name = "bob"(10) Service-Type = Framed-User(10) NAS-IP-Address = 192.168.2.250(10) NAS-Port = 10(10) NAS-Port-Id = "10"(10) State = 0x7322fa167b28e3641bb25e163c98a49d(10) Called-Station-Id = "0E-0B-6B-2F-12-67:domain 8021X"(10) Calling-Station-Id = "B8-E8-56-41-2C-2A"(10) Connect-Info = "CONNECT 54 Mbps 802.11g"(10) NAS-Identifier = "AP-domain01"(10) NAS-Port-Type = Wireless-802.11(10) Framed-MTU = 1500(10) EAP-Message = 0x020a002b19001703010020ae6a94676019ad167b393353926209ead29be3185de748899304ff6a50957c1a(10) Message-Authenticator = 0x64a847e3ae161cf68eccda80a2f11f16(10) session-state: No cached attributes(10) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/domain(10) authorize {(10) files: users: Matched entry bob at line 69(10) [files] = ok(10) [preprocess] = ok(10) suffix: Checking for suffix after "@"(10) suffix: No '@' in User-Name = "bob", looking up realm NULL(10) suffix: No such realm "NULL"(10) [suffix] = noop(10) eap: Peer sent EAP Response (code 2) ID 10 length 43(10) eap: Continuing tunnel setup(10) [eap] = ok(10) } # authorize = ok(10) Found Auth-Type = EAP(10) # Executing group from file /usr/local/etc/raddb/sites-enabled/domain(10) authenticate {(10) eap: Expiring EAP session with state 0x7322fa167b28e364(10) eap: Finished EAP session with state 0x7322fa167b28e364(10) eap: Previous EAP request found for state 0x7322fa167b28e364, released from the list(10) eap: Peer sent packet with method EAP PEAP (25)(10) eap: Calling submodule eap_peap to process data(10) eap_peap: Continuing EAP-TLS(10) eap_peap: [eaptls verify] = ok(10) eap_peap: Done initial handshake(10) eap_peap: [eaptls process] = ok(10) eap_peap: Session established. Decoding tunneled attributes(10) eap_peap: PEAP state send tlv success(10) eap_peap: Received EAP-TLV response(10) eap_peap: Success(10) eap: Sending EAP Success (code 3) ID 10 length 4(10) eap: Freeing handler(10) [eap] = ok(10) } # authenticate = ok(10) Sent Access-Accept Id 89 from 192.168.8.27:1812 to 192.168.2.250:3072 length 0(10) MS-MPPE-Recv-Key = 0xa16bc44cb5331571c4f3d362fd38e1bb11a2670822b415e53eb7ebbc67c2cb93(10) MS-MPPE-Send-Key = 0xbd2081385181a9a51170b7fa40bfd3b32e396b6e7d46f9b5369a38d64be27cc8(10) EAP-Message = 0x030a0004(10) Message-Authenticator = 0x00000000000000000000000000000000(10) User-Name = "bob"(10) Finished requestWaking up in 4.7 seconds.(3) Cleaning up request packet ID 54 with timestamp +90(4) Cleaning up request packet ID 29 with timestamp +90Waking up in 0.1 seconds.(5) Cleaning up request packet ID 215 with timestamp +90(6) Cleaning up request packet ID 116 with timestamp +90(7) Cleaning up request packet ID 108 with timestamp +90(8) Cleaning up request packet ID 50 with timestamp +90(9) Cleaning up request packet ID 168 with timestamp +90(10) Cleaning up request packet ID 89 with timestamp +90Ready to process requests
I think that everything goes wrong with encrypt/decrypt the Domain User password or no User-Password is given after eap or something else. I tried a lot of stuff, but nothing works.
users configuration
bob Cleartext-Password := "hello"
DEFAULT Framed-Protocol == PPPFramed-Protocol = PPP,Framed-Compression = Van-Jacobson-TCP-IP
DEFAULT Hint == "CSLIP"Framed-Protocol = SLIP,Framed-Compression = Van-Jacobson-TCP-IP
DEFAULT Hint == "SLIP"Framed-Protocol = SLIP
Messages:
(7) ldap_nedeco: Processing user attributes(7) ldap_nedeco: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute(7) ldap_nedeco: WARNING: PAP authentication will NOT work with Active Directory (if that is what you were trying to configure)rlm_ldap (ldap_nedeco): Released connection (0)..(7) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password(7) mschap: WARNING: No Cleartext-Password configured. Cannot create LM-Password(7) mschap: Creating challenge hash with username: test(7) mschap: Client is using MS-CHAPv2(7) mschap: ERROR: FAILED: No NT/LM-Password. Cannot perform authentication(7) mschap: ERROR: MS-CHAP2-Response is incorrect..(8) eap_peap: Received EAP-TLV response(8) eap_peap: The users session was previously rejected: returning reject (again.)(8) eap_peap: This means you need to read the PREVIOUS messages in the debug output(8) eap_peap: to find out the reason why the user was rejected(8) eap_peap: Look for "reject" or "fail". Those earlier messages will tell you(8) eap_peap: what went wrong, and how to fix the problem(8) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed..
Any Idea?
2
1