Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
August 2015
- 78 participants
- 98 discussions
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
hi,
I configured FR v.3.0.9 against LDAP and can successfully auth with EAPMD5/TLS/TTLS+PAP
now I want to add check for Called-Station-SSID and am failing ...
please, help me to understand what I miss?
as you can see from debug bellow, configured in LDAP Called-Station-SSID
(via radiusCheckItem as well as via mapped attribute) is ignored, and
client is granted access
I hoped if I set radiusCheckItem: Called-Station-SSID := 'SSID_ALLOWED'
then check will be performed against Called-Station-SSID value processed
- From Called-Station-Id
what is wrong?
here is debug:
- ----[ quotation start ]-------------------------------------------
(6) Received Access-Request Id 16 from 192.168.0.1:46326 to 192.168.0.254:1812 length 314
(6) User-Name = "jdoe"
(6) NAS-Identifier = "jdoe.wrt"
(6) Called-Station-Id = "9A-46-5E-3B-A1-0E:SSID_REQUESTED"
(6) NAS-Port-Type = Wireless-802.11
(6) NAS-Port = 1
(6) Calling-Station-Id = "73-62-0A-DA-7C-5A"
(6) Connect-Info = "CONNECT 54Mbps 802.11g"
(6) Acct-Session-Id = "55BE1E6B-0000001C"
(6) Framed-MTU = 1400
(6) EAP-Message = 0x0223008015001703010020b9f3cc80bf61ea3ab2b9ad0e3d5492f814652d30a19f2a0d562832d6db02468f1703010050e426680ec3a1a7db12904734432af8744492e725b6689affce7e093ed666bc0c3338fb8d3fd12d2eaca8b304c373e8e1d42f14db0683b1f4de08004
67ff2d302e44d864249a30d
(6) State = 0x1df02c2d18d339202ca9dbdadeae133a
(6) Message-Authenticator = 0x7e5712cf45d3b99b42e4b80452950d1a
(6) session-state: No cached attributes
(6) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(6) authorize {
(6) [preprocess] = ok
(6) policy rewrite_calling_station_id {
(6) if (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) {
(6) if (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) -> TRUE
(6) if (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) {
(6) update request {
(6) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(6) --> 73-62-0A-DA-7C-5A
(6) &Calling-Station-Id := 73-62-0A-DA-7C-5A
(6) } # update request = noop
(6) [updated] = updated
(6) } # if (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) = updated
(6) ... skipping else for request 6: Preceding "if" was taken
(6) } # policy rewrite_calling_station_id = updated
(6) auth_log: EXPAND /var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(6) auth_log: --> /var/log/radacct/192.168.0.1/auth-detail-20150803
(6) auth_log: /var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radacct/192.168.0.1/auth-detail-20150803
(6) auth_log: EXPAND %t
(6) auth_log: --> Mon Aug 3 23:46:13 2015
(6) [auth_log] = ok
(6) [chap] = noop
(6) [mschap] = noop
(6) [digest] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: No '@' in User-Name = "jdoe", looking up realm NULL
(6) suffix: No such realm "NULL"
(6) [suffix] = noop
(6) ntdomain: Checking for prefix before "\"
(6) ntdomain: No '\' in User-Name = "jdoe", looking up realm NULL
(6) ntdomain: No such realm "NULL"
(6) [ntdomain] = noop
(6) policy rewrite_called_station_id {
(6) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(6) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE
(6) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(6) update request {
(6) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(6) --> 9A-46-5E-3B-A1-0E
(6) &Called-Station-Id := 9A-46-5E-3B-A1-0E
(6) } # update request = noop
(6) if ("%{8}") {
(6) --> SSID_REQUESTED
(6) if ("%{8}") -> TRUE
(6) if ("%{8}") {
(6) update request {
(6) EXPAND %{8}
(6) --> SSID_REQUESTED
(6) &Called-Station-SSID := SSID_REQUESTED
(6) } # update request = noop
(6) } # if ("%{8}") = noop
(6) [updated] = updated
(6) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated
(6) ... skipping else for request 6: Preceding "if" was taken
(6) } # policy rewrite_called_station_id = updated
(6) eap: Peer sent EAP Response (code 2) ID 35 length 128
(6) eap: Continuing tunnel setup
(6) [eap] = ok
(6) } # authorize = ok
(6) Found Auth-Type = EAP
(6) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(6) authenticate {
(6) eap: Expiring EAP session with state 0x1df02c2d18d33920
(6) eap: Finished EAP session with state 0x1df02c2d18d33920
(6) eap: Previous EAP request found for state 0x1df02c2d18d33920, released from the list
(6) eap: Peer sent packet with method EAP TTLS (21)
(6) eap: Calling submodule eap_ttls to process data
(6) eap_ttls: Authenticate
(6) eap_ttls: Continuing EAP-TLS
(6) eap_ttls: Done initial handshake
(6) eap_ttls: [eaptls process] = ok
(6) eap_ttls: Session established. Proceeding to decode tunneled attributes
(6) eap_ttls: Got tunneled request
(6) eap_ttls: User-Name = "jdoe"
(6) eap_ttls: User-Password = "jdoe"
(6) eap_ttls: Sending tunneled request
(6) Virtual server inner-tunnel received request
(6) User-Name = "jdoe"
(6) User-Password = "jdoe"
(6) server inner-tunnel {
(6) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(6) authorize {
(6) [chap] = noop
(6) [mschap] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: No '@' in User-Name = "jdoe", looking up realm NULL
(6) suffix: No such realm "NULL"
(6) [suffix] = noop
(6) ntdomain: Checking for prefix before "\"
(6) ntdomain: No '\' in User-Name = "jdoe", looking up realm NULL
(6) ntdomain: No such realm "NULL"
(6) [ntdomain] = noop
(6) update control {
(6) &Proxy-To-Realm := LOCAL
(6) } # update control = noop
(6) eap: No EAP-Message, not doing EAP
(6) files: EXPAND %{%{Stripped-User-Name}:-%{User-Name}:-%{Calling-Station-Id}}
(6) files: --> jdoe
(6) [files] = noop
rlm_ldap (ldap): Reserved connection (2)
(6) ldap: EXPAND (|(&(cn=%{%{Stripped-User-Name}:-%{User-Name}})(|(authorizedService=802.1x@xyz)(authorizedService=802.1x-mac@xyz)))(&(cn=%{User-Name})(authorizedService=802.1x-eap-tls@xyz)))
(6) ldap: --> (|(&(cn=jdoe)(|(authorizedService=802.1x@xyz)(authorizedService=802.1x-mac@xyz)))(&(cn=jdoe)(authorizedService=802.1x-eap-tls@xyz)))
(6) ldap: Performing search in "ou=People,dc=xyz" with filter "(|(&(cn=jdoe)(|(authorizedService=802.1x@xyz)(authorizedService=802.1x-mac@xyz)))(&(cn=jdoe)(authorizedService=802.1x-eap-tls@xyz)))", scope "sub"
(6) ldap: Waiting for search result...
(6) ldap: User object found at DN "uid=jdoe,authorizedService=802.1x-eap-tls@xyz,uid=jdoe,ou=People,dc=xyz"
(6) ldap: Performing search in "cn=wifi-xyz,ou=profiles,ou=RADIUS,dc=xyz" with filter "(objectclass=radiusprofile)", scope "base"
(6) ldap: Waiting for search result...
(6) ldap: Processing profile attributes
(6) ldap: control:Called-Station-SSID := 'SSID_ALLOWED'
(6) ldap: reply:Session-Timeout := 900
(6) ldap: reply:Reply-Message := 'You have entered SSID: SSID_ALLOWED.'
(6) ldap: reply:Tunnel-Type := VLAN
(6) ldap: reply:Tunnel-Medium-Type := IEEE-802
(6) ldap: reply:Tunnel-Private-Group-Id := '3481'
(6) ldap: Processing user attributes
(6) ldap: control:Cleartext-Password := 'jdoe'
(6) ldap: control:Password-With-Header += 'jdoe'
rlm_ldap (ldap): Released connection (2)
(6) [ldap] = updated
(6) [expiration] = noop
(6) [logintime] = noop
(6) pap: WARNING: Config already contains a "known good" password (&control:Cleartext-Password). Ignoring &config:Password-With-Header
(6) [pap] = updated
(6) } # authorize = updated
(6) Found Auth-Type = PAP
(6) # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(6) Auth-Type PAP {
(6) pap: Login attempt with password
(6) pap: Comparing with "known good" Cleartext-Password
(6) pap: User authenticated successfully
(6) [pap] = ok
(6) } # Auth-Type PAP = ok
(6) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(6) Login OK: [jdoe] (from client office021.xyz port 0 via TLS tunnel)
(6) } # server inner-tunnel
(6) Virtual server sending reply
(6) Session-Timeout := 900
(6) Reply-Message := "You have entered SSID: SSID_ALLOWED."
(6) Tunnel-Type := VLAN
(6) Tunnel-Medium-Type := IEEE-802
(6) Tunnel-Private-Group-Id := "3481"
(6) eap_ttls: Got tunneled Access-Accept
(6) eap_ttls: No information to cache: session caching will be disabled for session e5b5fc820be72baebe838286f4df80848a5bfadd06493077391aec818504665c
(6) eap: Sending EAP Success (code 3) ID 35 length 4
(6) eap: Freeing handler
(6) [eap] = ok
(6) } # authenticate = ok
(6) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
(6) post-auth {
(6) update {
(6) No attributes updated
(6) } # update = noop
(6) [exec] = noop
(6) policy remove_reply_message_if_eap {
(6) if (&reply:EAP-Message && &reply:Reply-Message) {
(6) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(6) else {
(6) [noop] = noop
(6) } # else = noop
(6) } # policy remove_reply_message_if_eap = noop
(6) } # post-auth = noop
(6) Login OK: [jdoe] (from client office021.xyz port 1 cli 73-62-0A-DA-7C-5A)
(6) Sent Access-Accept Id 16 from 192.168.0.254:1812 to 192.168.0.1:46326 length 0
(6) MS-MPPE-Recv-Key = 0x27eec264980471ed15d7d03785d
- ----[ quotation end ]-------------------------------------------
- --
Zeus V. Panchenko jid:zeus@im.ibs.dn.ua
IT Dpt., I.B.S. LLC GMT+2 (EET)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iEYEARECAAYFAlXAqooACgkQr3jpPg/3oypphACg/KT1YUFx9s3c7ay0iX6TYhUe
rt8AoOAQNtaSkKj6Kna7EzjHJEl7sKSt
=jM5p
-----END PGP SIGNATURE-----
5
12
Re: Freeradius-Users Digest, Vol 124, Issue 23, reply to Nathan Ward's message in "OS X Mavericks not connection to Debian Freeradius."
by Edward Ulrich 12 Aug '15
by Edward Ulrich 12 Aug '15
12 Aug '15
> On 12/08/2015, at 8:21, Nathan Ward wrote:
>
> “That’s true, I mean, why doesn’t the FreeRADIUS documentation
include details about the location of the power switch for my routers? A
career sys admin would know this, but this is unclear to others.”
The FreeRADIUS documentation is often unclear, it could easily include
more relevant examples but it does not. The instructions not being
clear enough and not providing enough examples in "clients.conf" about
which IP address of the router to use is certainly not tantamount to not
saying where the power switch to the router is!
Also, I do have the FreeRADIUS beginners guide book which you
mentioned. It is a good overview of the technology but it really does
not give many specifics at all about installing the system, especially
when working with ssl certificates.
Edward
1
0
I can configure either certificate or user+password in freeradius server
for wireless security.
I would like try if it s possible to use the both together to access
network.
I mean you cant access network if you have only certificate or the couple
user+passwd, you need the two to access network.
what do I do
Rints
2
2
11 Aug '15
Hello
This is my first time posting here, so sorry if something is wrong, sorry for my English too.
I have configured freeradius V3.0.4 on Centos 7 for authenticating with Mac-address and a LDAP Server, using EAP-TTLS with PAP. One week ago all the clients (Windows 7, Windows 8, Ubuntu, Android) were able to authenticate without any issues; but in last day Windows 8 clients can not authenticate. In the debug (freeradius -X) i can see the server sending an Access-Challenge but the client never respond with the an Access-request.
This is the Output of the freeradius -X when the Windows 8 client try to connect:
Received Access-Request Id 84 from 10.66.146.10:62781 to
10.66.150.52:1812 length 184
User-Name = 'juliop'
NAS-IP-Address = 10.66.146.10
NAS-Port = 0
NAS-Identifier = '10.66.146.10'
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = 'e0ca94e63751'
Called-Station-Id = 'aca31ec60340'
Service-Type = Login-User
Framed-MTU = 1100
EAP-Message = 0x0201000b016a756c696f70
Aruba-Essid-Name = 'riguprov'
Aruba-Location-Id = 'apcdoggerC60340'
Aruba-AP-Group = 'WLCZOO'
Message-Authenticator =
0x2ae08657e469e194ccbd4e778e519044
(230) Received Access-Request packet from host 10.66.146.10
port 62781, id=84, length=184
(230) User-Name = 'juliop'
(230) NAS-IP-Address = 10.66.146.10
(230) NAS-Port = 0
(230) NAS-Identifier = '10.66.146.10'
(230) NAS-Port-Type = Wireless-802.11
(230) Calling-Station-Id = 'e0ca94e63751'
(230) Called-Station-Id = 'aca31ec60340'
(230) Service-Type = Login-User
(230) Framed-MTU = 1100
(230) EAP-Message = 0x0201000b016a756c696f70
(230) Aruba-Essid-Name = 'riguprov'
(230) Aruba-Location-Id = 'apcdoggerC60340'
(230) Aruba-AP-Group = 'WLCZOO'
(230) Message-Authenticator =
0x2ae08657e469e194ccbd4e778e519044
(230) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(230) authorize {
(230) filter_username filter_username {
(230) if (!&User-Name)
(230) if (!&User-Name) -> FALSE
(230) if (&User-Name =~ / /)
(230) if (&User-Name =~ / /) -> FALSE
(230) if (&User-Name =~ /@.*@/ )
(230) if (&User-Name =~ /@.*@/ ) -> FALSE
(230) if (&User-Name =~ /\\.\\./ )
(230) if (&User-Name =~ /\\.\\./ ) -> FALSE
(230) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\
\.(.+)$/))
(230) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\
\.(.+)$/)) -> FALSE
(230) if (&User-Name =~ /\\.$/)
(230) if (&User-Name =~ /\\.$/) -> FALSE
(230) if (&User-Name =~ /(a)\\./)
(230) if (&User-Name =~ /(a)\\./) -> FALSE
(230) } # filter_username filter_username = notfound
(230) [preprocess] = ok
(230) [chap] = noop
(230) [mschap] = noop
(230) rewrite_calling_station_id rewrite_calling_station_id
{
(230) if (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-
f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]
{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)
(230) if (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-
f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]
{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) ->
TRUE
(230) if (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-
f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]
{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) {
(230) update request {
(230) EXPAND %{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(230) --> e0-ca-94-e6-37-51
(230) Calling-Station-Id := "e0-ca-94-e6-37-51"
(230) } # update request = noop
(230) [updated] = updated
(230) } # if (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-
9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-
f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) =
updated
(230) ... skipping else for request 230: Preceding "if"
was taken
(230) } # rewrite_calling_station_id
rewrite_calling_station_id = updated
(230) authorized_macs_rigu : EXPAND %{Calling-Station-ID}
(230) authorized_macs_rigu : --> e0-ca-94-e6-37-51
(230) authorized_macs_rigu : users: Matched entry e0-ca-94-
e6-37-51 at line 3
(230) [authorized_macs_rigu] = ok
(230) if (!ok)
(230) if (!ok) -> FALSE
(230) else else {
(230) eap : Peer sent code Response (2) ID 1 length 11
(230) eap : EAP-Identity reply, returning 'ok' so we can
short-circuit the rest of authorize
(230) [eap] = ok
(230) } # else else = ok
(230) [unix] = notfound
(230) [expiration] = noop
(230) [logintime] = noop
(230) WARNING: pap : No "known good" password found for the
user. Not setting Auth-Type
(230) WARNING: pap : Authentication will fail unless a
"known good" password is available
(230) [pap] = noop
(230) if (User-Password)
(230) if (User-Password) -> FALSE
(230) } # authorize = updated
(230) Found Auth-Type = EAP
(230) # Executing group from file /etc/raddb/sites-
enabled/default
(230) authenticate {
(230) eap : Peer sent method Identity (1)
(230) eap : Calling eap_gtc to process EAP data
(230) eap_gtc : EXPAND Password:
(230) eap_gtc : --> Password:
(230) eap : New EAP session, adding 'State' attribute to
reply 0x045d7f1e045f7973
(230) [eap] = handled
(230) } # authenticate = handled
(230) Sending Access-Challenge packet to host 10.66.146.10
port 62781, id=84, length=0
(230) EAP-Message = 0x0102000f0650617373776f72643a20
(230) Message-Authenticator =
0x00000000000000000000000000000000
(230) State = 0x045d7f1e045f79735c746ec40219cffa
Sending Access-Challenge Id 84 from 10.66.150.52:1812 to
10.66.146.10:62781
EAP-Message = 0x0102000f0650617373776f72643a20
Message-Authenticator =
0x00000000000000000000000000000000
State = 0x045d7f1e045f79735c746ec40219cffa
(230) Finished request
Waking up in 0.3 seconds.
Received Access-Request Id 85 from 10.66.146.10:62781 to
10.66.150.52:1812 length 197
User-Name = 'juliop'
NAS-IP-Address = 10.66.146.10
NAS-Port = 0
NAS-Identifier = '10.66.146.10'
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = 'e0ca94e63751'
Called-Station-Id = 'aca31ec60340'
Service-Type = Login-User
Framed-MTU = 1100
EAP-Message = 0x020200060315
State = 0x045d7f1e045f79735c746ec40219cffa
Aruba-Essid-Name = 'riguprov'
Aruba-Location-Id = 'apcdoggerC60340'
Aruba-AP-Group = 'WLCZOO'
Message-Authenticator =
0xd50b45437d77af44008db8418d48efe9
(231) Received Access-Request packet from host 10.66.146.10
port 62781, id=85, length=197
(231) User-Name = 'juliop'
(231) NAS-IP-Address = 10.66.146.10
(231) NAS-Port = 0
(231) NAS-Identifier = '10.66.146.10'
(231) NAS-Port-Type = Wireless-802.11
(231) Calling-Station-Id = 'e0ca94e63751'
(231) Called-Station-Id = 'aca31ec60340'
(231) Service-Type = Login-User
(231) Framed-MTU = 1100
(231) EAP-Message = 0x020200060315
(231) State = 0x045d7f1e045f79735c746ec40219cffa
(231) Aruba-Essid-Name = 'riguprov'
(231) Aruba-Location-Id = 'apcdoggerC60340'
(231) Aruba-AP-Group = 'WLCZOO'
(231) Message-Authenticator =
0xd50b45437d77af44008db8418d48efe9
(231) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(231) authorize {
(231) filter_username filter_username {
(231) if (!&User-Name)
(231) if (!&User-Name) -> FALSE
(231) if (&User-Name =~ / /)
(231) if (&User-Name =~ / /) -> FALSE
(231) if (&User-Name =~ /@.*@/ )
(231) if (&User-Name =~ /@.*@/ ) -> FALSE
(231) if (&User-Name =~ /\\.\\./ )
(231) if (&User-Name =~ /\\.\\./ ) -> FALSE
(231) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\
\.(.+)$/))
(231) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\
\.(.+)$/)) -> FALSE
(231) if (&User-Name =~ /\\.$/)
(231) if (&User-Name =~ /\\.$/) -> FALSE
(231) if (&User-Name =~ /(a)\\./)
(231) if (&User-Name =~ /(a)\\./) -> FALSE
(231) } # filter_username filter_username = notfound
(231) [preprocess] = ok
(231) [chap] = noop
(231) [mschap] = noop
(231) rewrite_calling_station_id rewrite_calling_station_id
{
(231) if (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-
f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]
{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)
(231) if (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-
f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]
{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) ->
TRUE
(231) if (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-
f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]
{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) {
(231) update request {
(231) EXPAND %{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(231) --> e0-ca-94-e6-37-51
(231) Calling-Station-Id := "e0-ca-94-e6-37-51"
(231) } # update request = noop
(231) [updated] = updated
(231) } # if (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-
9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-
f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) =
updated
(231) ... skipping else for request 231: Preceding "if"
was taken
(231) } # rewrite_calling_station_id
rewrite_calling_station_id = updated
(231) authorized_macs_rigu : EXPAND %{Calling-Station-ID}
(231) authorized_macs_rigu : --> e0-ca-94-e6-37-51
(231) authorized_macs_rigu : users: Matched entry e0-ca-94-
e6-37-51 at line 3
(231) [authorized_macs_rigu] = ok
(231) if (!ok)
(231) if (!ok) -> FALSE
(231) else else {
(231) eap : Peer sent code Response (2) ID 2 length 6
(231) eap : No EAP Start, assuming it's an on-going EAP
conversation
(231) [eap] = updated
(231) } # else else = updated
(231) [unix] = notfound
(231) [expiration] = noop
(231) [logintime] = noop
(231) WARNING: pap : No "known good" password found for the
user. Not setting Auth-Type
(231) WARNING: pap : Authentication will fail unless a
"known good" password is available
(231) [pap] = noop
(231) if (User-Password)
(231) if (User-Password) -> FALSE
(231) } # authorize = updated
(231) Found Auth-Type = EAP
(231) # Executing group from file /etc/raddb/sites-
enabled/default
(231) authenticate {
(231) eap : Expiring EAP session with state
0xa5b12d7ba0b63875
(231) eap : Expiring EAP session with state
0x045d7f1e045f7973
(231) eap : Finished EAP session with state
0x045d7f1e045f7973
(231) eap : Previous EAP request found for state
0x045d7f1e045f7973, released from the list
(231) eap : Peer sent method NAK (3)
(231) eap : Found mutually acceptable type TTLS (21)
(231) eap : Calling eap_ttls to process EAP data
(231) eap_ttls : Initiate
(231) eap_ttls : Start returned 1
(231) eap : New EAP session, adding 'State' attribute to
reply 0x045d7f1e055e6a73
(231) [eap] = handled
(231) } # authenticate = handled
(231) Sending Access-Challenge packet to host 10.66.146.10
port 62781, id=85, length=0
(231) EAP-Message = 0x010300061520
(231) Message-Authenticator =
0x00000000000000000000000000000000
(231) State = 0x045d7f1e055e6a735c746ec40219cffa
Sending Access-Challenge Id 85 from 10.66.150.52:1812 to
10.66.146.10:62781
EAP-Message = 0x010300061520
Message-Authenticator =
0x00000000000000000000000000000000
State = 0x045d7f1e055e6a735c746ec40219cffa
(231) Finished request
Waking up in 0.3 seconds.
Received Access-Request Id 86 from 10.66.146.10:62781 to
10.66.150.52:1812 length 300
User-Name = 'juliop'
NAS-IP-Address = 10.66.146.10
NAS-Port = 0
NAS-Identifier = '10.66.146.10'
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = 'e0ca94e63751'
Called-Station-Id = 'aca31ec60340'
Service-Type = Login-User
Framed-MTU = 1100
EAP-Message =
0x0203006d158000000063160301005e0100005a030155ca1e1527cd64549
1215c4d26942596749837856c75f293e184b19096f7d8e1000018002f0035
0005000ac013c014c009c00a003200380013000401000019ff01000100000
a0006000400170018000b0002010000230000
State = 0x045d7f1e055e6a735c746ec40219cffa
Aruba-Essid-Name = 'riguprov'
Aruba-Location-Id = 'apcdoggerC60340'
Aruba-AP-Group = 'WLCZOO'
Message-Authenticator =
0xe1de6209c504840cb7a94ab08a4646f2
(232) Received Access-Request packet from host 10.66.146.10
port 62781, id=86, length=300
(232) User-Name = 'juliop'
(232) NAS-IP-Address = 10.66.146.10
(232) NAS-Port = 0
(232) NAS-Identifier = '10.66.146.10'
(232) NAS-Port-Type = Wireless-802.11
(232) Calling-Station-Id = 'e0ca94e63751'
(232) Called-Station-Id = 'aca31ec60340'
(232) Service-Type = Login-User
(232) Framed-MTU = 1100
(232) EAP-Message =
0x0203006d158000000063160301005e0100005a030155ca1e1527cd64549
1215c4d26942596749837856c75f293e184b19096f7d8e1000018002f0035
0005000ac013c014c009c00a003200380013000401000019ff01000100000
a0006000400170018000b0002010000230000
(232) State = 0x045d7f1e055e6a735c746ec40219cffa
(232) Aruba-Essid-Name = 'riguprov'
(232) Aruba-Location-Id = 'apcdoggerC60340'
(232) Aruba-AP-Group = 'WLCZOO'
(232) Message-Authenticator =
0xe1de6209c504840cb7a94ab08a4646f2
(232) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(232) authorize {
(232) filter_username filter_username {
(232) if (!&User-Name)
(232) if (!&User-Name) -> FALSE
(232) if (&User-Name =~ / /)
(232) if (&User-Name =~ / /) -> FALSE
(232) if (&User-Name =~ /@.*@/ )
(232) if (&User-Name =~ /@.*@/ ) -> FALSE
(232) if (&User-Name =~ /\\.\\./ )
(232) if (&User-Name =~ /\\.\\./ ) -> FALSE
(232) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\
\.(.+)$/))
(232) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\
\.(.+)$/)) -> FALSE
(232) if (&User-Name =~ /\\.$/)
(232) if (&User-Name =~ /\\.$/) -> FALSE
(232) if (&User-Name =~ /(a)\\./)
(232) if (&User-Name =~ /(a)\\./) -> FALSE
(232) } # filter_username filter_username = notfound
(232) [preprocess] = ok
(232) [chap] = noop
(232) [mschap] = noop
(232) rewrite_calling_station_id rewrite_calling_station_id
{
(232) if (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-
f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]
{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)
(232) if (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-
f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]
{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) ->
TRUE
(232) if (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-
f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]
{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) {
(232) update request {
(232) EXPAND %{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(232) --> e0-ca-94-e6-37-51
(232) Calling-Station-Id := "e0-ca-94-e6-37-51"
(232) } # update request = noop
(232) [updated] = updated
(232) } # if (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-
9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-
f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) =
updated
(232) ... skipping else for request 232: Preceding "if"
was taken
(232) } # rewrite_calling_station_id
rewrite_calling_station_id = updated
(232) authorized_macs_rigu : EXPAND %{Calling-Station-ID}
(232) authorized_macs_rigu : --> e0-ca-94-e6-37-51
(232) authorized_macs_rigu : users: Matched entry e0-ca-94-
e6-37-51 at line 3
(232) [authorized_macs_rigu] = ok
(232) if (!ok)
(232) if (!ok) -> FALSE
(232) else else {
(232) eap : Peer sent code Response (2) ID 3 length 109
(232) eap : Continuing tunnel setup
(232) [eap] = ok
(232) } # else else = ok
(232) [unix] = notfound
(232) [expiration] = noop
(232) [logintime] = noop
(232) [pap] = noop
(232) if (User-Password)
(232) if (User-Password) -> FALSE
(232) } # authorize = updated
(232) Found Auth-Type = EAP
(232) # Executing group from file /etc/raddb/sites-
enabled/default
(232) authenticate {
(232) eap : Expiring EAP session with state
0x045d7f1e055e6a73
(232) eap : Finished EAP session with state
0x045d7f1e055e6a73
(232) eap : Previous EAP request found for state
0x045d7f1e055e6a73, released from the list
(232) eap : Peer sent method TTLS (21)
(232) eap : EAP TTLS (21)
(232) eap : Calling eap_ttls to process EAP data
(232) eap_ttls : Authenticate
(232) eap_ttls : processing EAP-TLS
TLS Length 99
(232) eap_ttls : Length Included
(232) eap_ttls : eaptls_verify returned 11
(232) eap_ttls : (other): before/accept initialization
(232) eap_ttls : TLS_accept: before/accept initialization
(232) eap_ttls : <<< TLS 1.0 Handshake [length 005e],
ClientHello
(232) eap_ttls : TLS_accept: SSLv3 read client hello A
(232) eap_ttls : >>> TLS 1.0 Handshake [length 0051],
ServerHello
(232) eap_ttls : TLS_accept: SSLv3 write server hello A
(232) eap_ttls : >>> TLS 1.0 Handshake [length 08d0],
Certificate
(232) eap_ttls : TLS_accept: SSLv3 write certificate A
(232) eap_ttls : >>> TLS 1.0 Handshake [length 0004],
ServerHelloDone
(232) eap_ttls : TLS_accept: SSLv3 write server done A
(232) eap_ttls : TLS_accept: SSLv3 flush data
(232) eap_ttls : TLS_accept: Need to read more data: SSLv3
read client certificate A
In SSL Handshake Phase
In SSL Accept mode
(232) eap_ttls : eaptls_process returned 13
(232) eap : New EAP session, adding 'State' attribute to
reply 0x045d7f1e06596a73
(232) [eap] = handled
(232) } # authenticate = handled
(232) Sending Access-Challenge packet to host 10.66.146.10
port 62781, id=86, length=0
(232) EAP-Message =
0x010403ec15c00000093416030100510200004d030155ca2598dd8c3b53d
f8b24bf7fdcef8d8deaea8c43cce6b8ce3d002e31400bce204c2e39d34510
36f48b4baafb453941ca4904c6858af2168a40acf8a26672e307002f00000
5ff0100010016030108d00b0008cc0008c90003de308203da308202c2a003
020102020101300d06092a864886f70d01010b0500308193310b300906035
5040613024652310f300d0603550408130652616469757331123010060355
04071309536f6d65776865726531153013060355040a130c4578616d706c6
520496e632e3120301e06092a864886f70d010901161161646d696e406578
616d706c652e636f6d312630240603550403131d4578616d706c652043657
2746966696361746520417574686f72697479301e170d3135303630333135
323831355a170d3135303830323135323831355a307c310b3009060355040
613024652310f300d0603550408130652616469757331153013060355040a
130c4578616d706c6520496e632e312330210603550403131a4578616d706
c65205365727665722043657274696669636174653120301e06092a864886
f70d010901161161646d696e406578616d706c652e636f6d30820122300d0
6092a864886f70d01010105000382010f003082010a0282010100d25092ad
a62933bf922ec8bdd20f51d230edb578
(232) Message-Authenticator =
0x00000000000000000000000000000000
(232) State = 0x045d7f1e06596a735c746ec40219cffa
Sending Access-Challenge Id 86 from 10.66.150.52:1812 to
10.66.146.10:62781
EAP-Message =
0x010403ec15c00000093416030100510200004d030155ca2598dd8c3b53d
f8b24bf7fdcef8d8deaea8c43cce6b8ce3d002e31400bce204c2e39d34510
36f48b4baafb453941ca4904c6858af2168a40acf8a26672e307002f00000
5ff0100010016030108d00b0008cc0008c90003de308203da308202c2a003
020102020101300d06092a864886f70d01010b0500308193310b300906035
5040613024652310f300d0603550408130652616469757331123010060355
04071309536f6d65776865726531153013060355040a130c4578616d706c6
520496e632e3120301e06092a864886f70d010901161161646d696e406578
616d706c652e636f6d312630240603550403131d4578616d706c652043657
2746966696361746520417574686f72697479301e170d3135303630333135
323831355a170d3135303830323135323831355a307c310b3009060355040
613024652310f300d0603550408130652616469757331153013060355040a
130c4578616d706c6520496e632e312330210603550403131a4578616d706
c65205365727665722043657274696669636174653120301e06092a864886
f70d010901161161646d696e406578616d706c652e636f6d30820122300d0
6092a864886f70d01010105000382010f003082010a0282010100d25092ad
a62933bf922ec8bdd20f51d230edb57
Message-Authenticator =
0x00000000000000000000000000000000
State = 0x045d7f1e06596a735c746ec40219cffa
(232) Finished request
Waking up in 0.2 seconds.
Received Access-Request Id 87 from 10.66.146.10:62781 to
10.66.150.52:1812 length 197
User-Name = 'juliop'
NAS-IP-Address = 10.66.146.10
NAS-Port = 0
NAS-Identifier = '10.66.146.10'
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = 'e0ca94e63751'
Called-Station-Id = 'aca31ec60340'
Service-Type = Login-User
Framed-MTU = 1100
EAP-Message = 0x020400061500
State = 0x045d7f1e06596a735c746ec40219cffa
Aruba-Essid-Name = 'riguprov'
Aruba-Location-Id = 'apcdoggerC60340'
Aruba-AP-Group = 'WLCZOO'
Message-Authenticator =
0xbb89e26656fbb3e2d883d37f1f809264
(233) Received Access-Request packet from host 10.66.146.10
port 62781, id=87, length=197
(233) User-Name = 'juliop'
(233) NAS-IP-Address = 10.66.146.10
(233) NAS-Port = 0
(233) NAS-Identifier = '10.66.146.10'
(233) NAS-Port-Type = Wireless-802.11
(233) Calling-Station-Id = 'e0ca94e63751'
(233) Called-Station-Id = 'aca31ec60340'
(233) Service-Type = Login-User
(233) Framed-MTU = 1100
(233) EAP-Message = 0x020400061500
(233) State = 0x045d7f1e06596a735c746ec40219cffa
(233) Aruba-Essid-Name = 'riguprov'
(233) Aruba-Location-Id = 'apcdoggerC60340'
(233) Aruba-AP-Group = 'WLCZOO'
(233) Message-Authenticator =
0xbb89e26656fbb3e2d883d37f1f809264
(233) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(233) authorize {
(233) filter_username filter_username {
(233) if (!&User-Name)
(233) if (!&User-Name) -> FALSE
(233) if (&User-Name =~ / /)
(233) if (&User-Name =~ / /) -> FALSE
(233) if (&User-Name =~ /@.*@/ )
(233) if (&User-Name =~ /@.*@/ ) -> FALSE
(233) if (&User-Name =~ /\\.\\./ )
(233) if (&User-Name =~ /\\.\\./ ) -> FALSE
(233) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\
\.(.+)$/))
(233) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\
\.(.+)$/)) -> FALSE
(233) if (&User-Name =~ /\\.$/)
(233) if (&User-Name =~ /\\.$/) -> FALSE
(233) if (&User-Name =~ /(a)\\./)
(233) if (&User-Name =~ /(a)\\./) -> FALSE
(233) } # filter_username filter_username = notfound
(233) [preprocess] = ok
(233) [chap] = noop
(233) [mschap] = noop
(233) rewrite_calling_station_id rewrite_calling_station_id
{
(233) if (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-
f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]
{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)
(233) if (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-
f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]
{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) ->
TRUE
(233) if (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-
f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]
{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) {
(233) update request {
(233) EXPAND %{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(233) --> e0-ca-94-e6-37-51
(233) Calling-Station-Id := "e0-ca-94-e6-37-51"
(233) } # update request = noop
(233) [updated] = updated
(233) } # if (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-
9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-
f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) =
updated
(233) ... skipping else for request 233: Preceding "if"
was taken
(233) } # rewrite_calling_station_id
rewrite_calling_station_id = updated
(233) authorized_macs_rigu : EXPAND %{Calling-Station-ID}
(233) authorized_macs_rigu : --> e0-ca-94-e6-37-51
(233) authorized_macs_rigu : users: Matched entry e0-ca-94-
e6-37-51 at line 3
(233) [authorized_macs_rigu] = ok
(233) if (!ok)
(233) if (!ok) -> FALSE
(233) else else {
(233) eap : Peer sent code Response (2) ID 4 length 6
(233) eap : Continuing tunnel setup
(233) [eap] = ok
(233) } # else else = ok
(233) [unix] = notfound
(233) [expiration] = noop
(233) [logintime] = noop
(233) [pap] = noop
(233) if (User-Password)
(233) if (User-Password) -> FALSE
(233) } # authorize = updated
(233) Found Auth-Type = EAP
(233) # Executing group from file /etc/raddb/sites-
enabled/default
(233) authenticate {
(233) eap : Expiring EAP session with state
0x045d7f1e06596a73
(233) eap : Finished EAP session with state
0x045d7f1e06596a73
(233) eap : Previous EAP request found for state
0x045d7f1e06596a73, released from the list
(233) eap : Peer sent method TTLS (21)
(233) eap : EAP TTLS (21)
(233) eap : Calling eap_ttls to process EAP data
(233) eap_ttls : Authenticate
(233) eap_ttls : processing EAP-TLS
(233) eap_ttls : Received TLS ACK
(233) eap_ttls : Received TLS ACK
(233) eap_ttls : ACK handshake fragment handler
(233) eap_ttls : eaptls_verify returned 1
(233) eap_ttls : eaptls_process returned 13
(233) eap : New EAP session, adding 'State' attribute to
reply 0x045d7f1e07586a73
(233) [eap] = handled
(233) } # authenticate = handled
(233) Sending Access-Challenge packet to host 10.66.146.10
port 62781, id=87, length=0
(233) EAP-Message =
0x010503ec15c0000009344cbf2bce7c2d153e57a0ae308d0085a8c641d1b
d8a274505d2dff596d77bab57bb54c46518f80b78d2f3705a8a11706a2781
a6dcd17a902e2b4eaa13cd5fa68fe7a8c94257d645fc967bbde06b931ebed
475aa096ef3342df2b5ede54f115db3df0004e5308204e1308203c9a00302
01020209009552ff70bc0159d9300d06092a864886f70d010105050030819
3310b3009060355040613024652310f300d06035504081306526164697573
3112301006035504071309536f6d65776865726531153013060355040a130
c4578616d706c6520496e632e3120301e06092a864886f70d010901161161
646d696e406578616d706c652e636f6d312630240603550403131d4578616
d706c6520436572746966696361746520417574686f72697479301e170d31
35303630333135323831355a170d3135303830323135323831355a3081933
10b3009060355040613024652310f300d0603550408130652616469757331
12301006035504071309536f6d65776865726531153013060355040a130c4
578616d706c6520496e632e3120301e06092a864886f70d01090116116164
6d696e406578616d706c652e636f6d312630240603550403131d4578616d7
06c6520436572746966696361746520417574686f7269747930820122300d
06092a864886f70d0101010500038201
(233) Message-Authenticator =
0x00000000000000000000000000000000
(233) State = 0x045d7f1e07586a735c746ec40219cffa
Sending Access-Challenge Id 87 from 10.66.150.52:1812 to
10.66.146.10:62781
EAP-Message =
0x010503ec15c0000009344cbf2bce7c2d153e57a0ae308d0085a8c641d1b
d8a274505d2dff596d77bab57bb54c46518f80b78d2f3705a8a11706a2781
a6dcd17a902e2b4eaa13cd5fa68fe7a8c94257d645fc967bbde06b931ebed
475aa096ef3342df2b5ede54f115db3df0004e5308204e1308203c9a00302
01020209009552ff70bc0159d9300d06092a864886f70d010105050030819
3310b3009060355040613024652310f300d06035504081306526164697573
3112301006035504071309536f6d65776865726531153013060355040a130
c4578616d706c6520496e632e3120301e06092a864886f70d010901161161
646d696e406578616d706c652e636f6d312630240603550403131d4578616
d706c6520436572746966696361746520417574686f72697479301e170d31
35303630333135323831355a170d3135303830323135323831355a3081933
10b3009060355040613024652310f300d0603550408130652616469757331
12301006035504071309536f6d65776865726531153013060355040a130c4
578616d706c6520496e632e3120301e06092a864886f70d01090116116164
6d696e406578616d706c652e636f6d312630240603550403131d4578616d7
06c6520436572746966696361746520417574686f7269747930820122300d
06092a864886f70d010101050003820
Message-Authenticator =
0x00000000000000000000000000000000
State = 0x045d7f1e07586a735c746ec40219cffa
(233) Finished request
Waking up in 0.1 seconds.
Received Access-Request Id 88 from 10.66.146.10:62781 to
10.66.150.52:1812 length 197
User-Name = 'juliop'
NAS-IP-Address = 10.66.146.10
NAS-Port = 0
NAS-Identifier = '10.66.146.10'
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = 'e0ca94e63751'
Called-Station-Id = 'aca31ec60340'
Service-Type = Login-User
Framed-MTU = 1100
EAP-Message = 0x020500061500
State = 0x045d7f1e07586a735c746ec40219cffa
Aruba-Essid-Name = 'riguprov'
Aruba-Location-Id = 'apcdoggerC60340'
Aruba-AP-Group = 'WLCZOO'
Message-Authenticator =
0x2167af66b4077bc2ada6d8cc82632788
(234) Received Access-Request packet from host 10.66.146.10
port 62781, id=88, length=197
(234) User-Name = 'juliop'
(234) NAS-IP-Address = 10.66.146.10
(234) NAS-Port = 0
(234) NAS-Identifier = '10.66.146.10'
(234) NAS-Port-Type = Wireless-802.11
(234) Calling-Station-Id = 'e0ca94e63751'
(234) Called-Station-Id = 'aca31ec60340'
(234) Service-Type = Login-User
(234) Framed-MTU = 1100
(234) EAP-Message = 0x020500061500
(234) State = 0x045d7f1e07586a735c746ec40219cffa
(234) Aruba-Essid-Name = 'riguprov'
(234) Aruba-Location-Id = 'apcdoggerC60340'
(234) Aruba-AP-Group = 'WLCZOO'
(234) Message-Authenticator =
0x2167af66b4077bc2ada6d8cc82632788
(234) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(234) authorize {
(234) filter_username filter_username {
(234) if (!&User-Name)
(234) if (!&User-Name) -> FALSE
(234) if (&User-Name =~ / /)
(234) if (&User-Name =~ / /) -> FALSE
(234) if (&User-Name =~ /@.*@/ )
(234) if (&User-Name =~ /@.*@/ ) -> FALSE
(234) if (&User-Name =~ /\\.\\./ )
(234) if (&User-Name =~ /\\.\\./ ) -> FALSE
(234) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\
\.(.+)$/))
(234) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\
\.(.+)$/)) -> FALSE
(234) if (&User-Name =~ /\\.$/)
(234) if (&User-Name =~ /\\.$/) -> FALSE
(234) if (&User-Name =~ /(a)\\./)
(234) if (&User-Name =~ /(a)\\./) -> FALSE
(234) } # filter_username filter_username = notfound
(234) [preprocess] = ok
(234) [chap] = noop
(234) [mschap] = noop
(234) rewrite_calling_station_id rewrite_calling_station_id
{
(234) if (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-
f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]
{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)
(234) if (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-
f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]
{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) ->
TRUE
(234) if (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-
f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]
{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) {
(234) update request {
(234) EXPAND %{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(234) --> e0-ca-94-e6-37-51
(234) Calling-Station-Id := "e0-ca-94-e6-37-51"
(234) } # update request = noop
(234) [updated] = updated
(234) } # if (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-
9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-
f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) =
updated
(234) ... skipping else for request 234: Preceding "if"
was taken
(234) } # rewrite_calling_station_id
rewrite_calling_station_id = updated
(234) authorized_macs_rigu : EXPAND %{Calling-Station-ID}
(234) authorized_macs_rigu : --> e0-ca-94-e6-37-51
(234) authorized_macs_rigu : users: Matched entry e0-ca-94-
e6-37-51 at line 3
(234) [authorized_macs_rigu] = ok
(234) if (!ok)
(234) if (!ok) -> FALSE
(234) else else {
(234) eap : Peer sent code Response (2) ID 5 length 6
(234) eap : Continuing tunnel setup
(234) [eap] = ok
(234) } # else else = ok
(234) [unix] = notfound
(234) [expiration] = noop
(234) [logintime] = noop
(234) [pap] = noop
(234) if (User-Password)
(234) if (User-Password) -> FALSE
(234) } # authorize = updated
(234) Found Auth-Type = EAP
(234) # Executing group from file /etc/raddb/sites-
enabled/default
(234) authenticate {
(234) eap : Expiring EAP session with state
0x045d7f1e07586a73
(234) eap : Finished EAP session with state
0x045d7f1e07586a73
(234) eap : Previous EAP request found for state
0x045d7f1e07586a73, released from the list
(234) eap : Peer sent method TTLS (21)
(234) eap : EAP TTLS (21)
(234) eap : Calling eap_ttls to process EAP data
(234) eap_ttls : Authenticate
(234) eap_ttls : processing EAP-TLS
(234) eap_ttls : Received TLS ACK
(234) eap_ttls : Received TLS ACK
(234) eap_ttls : ACK handshake fragment handler
(234) eap_ttls : eaptls_verify returned 1
(234) eap_ttls : eaptls_process returned 13
(234) eap : New EAP session, adding 'State' attribute to
reply 0x045d7f1e005b6a73
(234) [eap] = handled
(234) } # authenticate = handled
(234) Sending Access-Challenge packet to host 10.66.146.10
port 62781, id=88, length=0
(234) EAP-Message =
0x0106017a15800000093474798209009552ff70bc0159d9300c0603551d1
3040530030101ff30360603551d1f042f302d302ba029a027862568747470
3a2f2f7777772e6578616d706c652e636f6d2f6578616d706c655f63612e6
3726c300d06092a864886f70d0101050500038201010017b5b9c2cb8ddbd3
35e4580acb8d0d84c69239921370dc5da9ccd6a3876942c071f1f0e6ebda4
1cf972acc79fe6d2185259060ff1f3d4389df26179837357db62e8e69faf9
8aa9cf9504110d389aafc6d21c23cdc83e952b958b92eab43fc55e622f1c0
fd468e3ef2a9750e502d3148c44b7d3f4ae959592de1a2c96d9ae6a4fe68c
de5a96ae933de7fcc77bcb3f591a2a74cb3331199334067d682cd4bf0190c
571c1d4e290aa945e3d69a58da89eaa7fd993981db116333ba66a1df2b9ca
30b8c6cca5c3ab9b2b9f756be3a2de9426450fdaa2363b16f32982e48d8f4
5009bbe7fb217585fc69a5b0540d0fd279a0737a4f87323e36213f5ffa8e3
3f1472ad16030100040e000000
(234) Message-Authenticator =
0x00000000000000000000000000000000
(234) State = 0x045d7f1e005b6a735c746ec40219cffa
Sending Access-Challenge Id 88 from 10.66.150.52:1812 to
10.66.146.10:62781
EAP-Message =
0x0106017a15800000093474798209009552ff70bc0159d9300c0603551d1
3040530030101ff30360603551d1f042f302d302ba029a027862568747470
3a2f2f7777772e6578616d706c652e636f6d2f6578616d706c655f63612e6
3726c300d06092a864886f70d0101050500038201010017b5b9c2cb8ddbd3
35e4580acb8d0d84c69239921370dc5da9ccd6a3876942c071f1f0e6ebda4
1cf972acc79fe6d2185259060ff1f3d4389df26179837357db62e8e69faf9
8aa9cf9504110d389aafc6d21c23cdc83e952b958b92eab43fc55e622f1c0
fd468e3ef2a9750e502d3148c44b7d3f4ae959592de1a2c96d9ae6a4fe68c
de5a96ae933de7fcc77bcb3f591a2a74cb3331199334067d682cd4bf0190c
571c1d4e290aa945e3d69a58da89eaa7fd993981db116333ba66a1df2b9ca
30b8c6cca5c3ab9b2b9f756be3a2de9426450fdaa2363b16f32982e48d8f4
5009bbe7fb217585fc69a5b0540d0fd279a0737a4f87323e36213f5ffa8e3
3f1472ad16030100040e000000
Message-Authenticator =
0x00000000000000000000000000000000
State = 0x045d7f1e005b6a735c746ec40219cffa
(234) Finished request
Received Access-Request Id 89 from 10.66.146.10:62781 to
10.66.150.52:1812 length 529
User-Name = 'juliop'
NAS-IP-Address = 10.66.146.10
NAS-Port = 0
NAS-Identifier = '10.66.146.10'
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = 'e0ca94e63751'
Called-Station-Id = 'aca31ec60340'
Service-Type = Login-User
Framed-MTU = 1100
EAP-Message =
0x0206015015800000014616030101061000010201006c9734bf98617e57a
b336a9d59387e12409cdad2e5bfeaaaf0812f8a833959718d95e404b1c66b
c1ac158cc842455fb0a9d372bfc66b9999fe43846d272fe2fc937eeb8fdb4
0f43401765ad3738e2b85b6d30046bfb9393df1bfdc28bca11813b7ec357e
e12d13cbaa40e50cf3ba71b192f5388a302c1ec8d81e85818bcdaab72e635
ca1b3628976700cd08dd3260ca9a122222cef2a02e81c9a5c580d01904ba2
931a9612aace62f032c266a79dff97a32209d5d533d9df10791b577b1d6be
50ce7028424f4e798a3320bb4704bec54ecf9ad4b8f3bf2d8267f28da3e54
01c297c0f9e75851eaed8c1fbe6be017ae2ae1ab72a4be278a3a6976a0a22
a06eaa01403010001011603010030ff73e273aa3d537ab4e6a47049ac6761
52dfe2d2f524602e360b0eac392a1ec6faad956c0ed816a71e552178e740f
706
State = 0x045d7f1e005b6a735c746ec40219cffa
Aruba-Essid-Name = 'riguprov'
Aruba-Location-Id = 'apcdoggerC60340'
Aruba-AP-Group = 'WLCZOO'
Message-Authenticator =
0xb3ee38765ea4f5290b0ec7501bf5c911
(235) Received Access-Request packet from host 10.66.146.10
port 62781, id=89, length=529
(235) User-Name = 'juliop'
(235) NAS-IP-Address = 10.66.146.10
(235) NAS-Port = 0
(235) NAS-Identifier = '10.66.146.10'
(235) NAS-Port-Type = Wireless-802.11
(235) Calling-Station-Id = 'e0ca94e63751'
(235) Called-Station-Id = 'aca31ec60340'
(235) Service-Type = Login-User
(235) Framed-MTU = 1100
(235) EAP-Message =
0x0206015015800000014616030101061000010201006c9734bf98617e57a
b336a9d59387e12409cdad2e5bfeaaaf0812f8a833959718d95e404b1c66b
c1ac158cc842455fb0a9d372bfc66b9999fe43846d272fe2fc937eeb8fdb4
0f43401765ad3738e2b85b6d30046bfb9393df1bfdc28bca11813b7ec357e
e12d13cbaa40e50cf3ba71b192f5388a302c1ec8d81e85818bcdaab72e635
ca1b3628976700cd08dd3260ca9a122222cef2a02e81c9a5c580d01904ba2
931a9612aace62f032c266a79dff97a32209d5d533d9df10791b577b1d6be
50ce7028424f4e798a3320bb4704bec54ecf9ad4b8f3bf2d8267f28da3e54
01c297c0f9e75851eaed8c1fbe6be017ae2ae1ab72a4be278a3a6976a0a22
a06eaa01403010001011603010030ff73e273aa3d537ab4e6a47049ac6761
52dfe2d2f524602e360b0eac392a1ec6faad956c0ed816a71e552178e740f
706
(235) State = 0x045d7f1e005b6a735c746ec40219cffa
(235) Aruba-Essid-Name = 'riguprov'
(235) Aruba-Location-Id = 'apcdoggerC60340'
(235) Aruba-AP-Group = 'WLCZOO'
(235) Message-Authenticator =
0xb3ee38765ea4f5290b0ec7501bf5c911
(235) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(235) authorize {
(235) filter_username filter_username {
(235) if (!&User-Name)
(235) if (!&User-Name) -> FALSE
(235) if (&User-Name =~ / /)
(235) if (&User-Name =~ / /) -> FALSE
(235) if (&User-Name =~ /@.*@/ )
(235) if (&User-Name =~ /@.*@/ ) -> FALSE
(235) if (&User-Name =~ /\\.\\./ )
(235) if (&User-Name =~ /\\.\\./ ) -> FALSE
(235) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\
\.(.+)$/))
(235) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\
\.(.+)$/)) -> FALSE
(235) if (&User-Name =~ /\\.$/)
(235) if (&User-Name =~ /\\.$/) -> FALSE
(235) if (&User-Name =~ /(a)\\./)
(235) if (&User-Name =~ /(a)\\./) -> FALSE
(235) } # filter_username filter_username = notfound
(235) [preprocess] = ok
(235) [chap] = noop
(235) [mschap] = noop
(235) rewrite_calling_station_id rewrite_calling_station_id
{
(235) if (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-
f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]
{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)
(235) if (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-
f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]
{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) ->
TRUE
(235) if (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-
f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]
{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) {
(235) update request {
(235) EXPAND %{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(235) --> e0-ca-94-e6-37-51
(235) Calling-Station-Id := "e0-ca-94-e6-37-51"
(235) } # update request = noop
(235) [updated] = updated
(235) } # if (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-
9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-
f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) =
updated
(235) ... skipping else for request 235: Preceding "if"
was taken
(235) } # rewrite_calling_station_id
rewrite_calling_station_id = updated
(235) authorized_macs_rigu : EXPAND %{Calling-Station-ID}
(235) authorized_macs_rigu : --> e0-ca-94-e6-37-51
(235) authorized_macs_rigu : users: Matched entry e0-ca-94-
e6-37-51 at line 3
(235) [authorized_macs_rigu] = ok
(235) if (!ok)
(235) if (!ok) -> FALSE
(235) else else {
(235) eap : Peer sent code Response (2) ID 6 length 336
(235) eap : Continuing tunnel setup
(235) [eap] = ok
(235) } # else else = ok
(235) [unix] = notfound
(235) [expiration] = noop
(235) [logintime] = noop
(235) [pap] = noop
(235) if (User-Password)
(235) if (User-Password) -> FALSE
(235) } # authorize = updated
(235) Found Auth-Type = EAP
(235) # Executing group from file /etc/raddb/sites-
enabled/default
(235) authenticate {
(235) eap : Expiring EAP session with state
0x045d7f1e005b6a73
(235) eap : Finished EAP session with state
0x045d7f1e005b6a73
(235) eap : Previous EAP request found for state
0x045d7f1e005b6a73, released from the list
(235) eap : Peer sent method TTLS (21)
(235) eap : EAP TTLS (21)
(235) eap : Calling eap_ttls to process EAP data
(235) eap_ttls : Authenticate
(235) eap_ttls : processing EAP-TLS
TLS Length 326
(235) eap_ttls : Length Included
(235) eap_ttls : eaptls_verify returned 11
(235) eap_ttls : <<< TLS 1.0 Handshake [length 0106],
ClientKeyExchange
(235) eap_ttls : TLS_accept: SSLv3 read client key exchange
A
(235) eap_ttls : <<< TLS 1.0 ChangeCipherSpec [length 0001]
(235) eap_ttls : <<< TLS 1.0 Handshake [length 0010],
Finished
(235) eap_ttls : TLS_accept: SSLv3 read finished A
(235) eap_ttls : >>> TLS 1.0 ChangeCipherSpec [length 0001]
(235) eap_ttls : TLS_accept: SSLv3 write change cipher spec
A
(235) eap_ttls : >>> TLS 1.0 Handshake [length 0010],
Finished
(235) eap_ttls : TLS_accept: SSLv3 write finished A
(235) eap_ttls : TLS_accept: SSLv3 flush data
SSL: adding session
4c2e39d3451036f48b4baafb453941ca4904c6858af2168a40acf8a26672e
307 to cache
(235) eap_ttls : (other): SSL negotiation finished
successfully
SSL Connection Established
(235) eap_ttls : eaptls_process returned 13
(235) eap : New EAP session, adding 'State' attribute to
reply 0x045d7f1e015a6a73
(235) [eap] = handled
(235) } # authenticate = handled
(235) Sending Access-Challenge packet to host 10.66.146.10
port 62781, id=89, length=0
(235) EAP-Message =
0x0107004515800000003b14030100010116030100308e3794c96fb4750fe
302664ac575681fd3da4d4dc79e608e9b41c79bee203833cadba138fc0cec
70aed233037220d0a1
(235) Message-Authenticator =
0x00000000000000000000000000000000
(235) State = 0x045d7f1e015a6a735c746ec40219cffa
Sending Access-Challenge Id 89 from 10.66.150.52:1812 to
10.66.146.10:62781
EAP-Message =
0x0107004515800000003b14030100010116030100308e3794c96fb4750fe
302664ac575681fd3da4d4dc79e608e9b41c79bee203833cadba138fc0cec
70aed233037220d0a1
Message-Authenticator =
0x00000000000000000000000000000000
State = 0x045d7f1e015a6a735c746ec40219cffa
(235) Finished request
Waking up in 0.1 seconds.
Waking up in 4.3 seconds.
(230) Cleaning up request packet ID 84 with timestamp +8048
(231) Cleaning up request packet ID 85 with timestamp +8048
(232) Cleaning up request packet ID 86 with timestamp +8048
Waking up in 0.1 seconds.
(233) Cleaning up request packet ID 87 with timestamp +8049
(234) Cleaning up request packet ID 88 with timestamp +8049
(235) Cleaning up request packet ID 89 with timestamp +8049
Waking up in 3994804.7 seconds.
I'll be very grateful if anyone can help me. if a configuration file is required, just ask me
Thanks Again.
Cristian M.
4
4
anyone here have experience to implement
authorization and accounting from mac to user ?
For example:
User john is tied to mac aa-bb-cc-dd-ee-ff.
every authorization comes from this mac,
radius will check session for user john.
and do accounting for user john also.
So, every packet auth/acct come from NAS, username 'mac' will be replaced
to 'user' subsquent process.
i think unlang is the solution.
anyone here could give us suggest/idea ?
Cheers.
Johan
2
2
Following is an additional post for the thread I started this morning,
thank you..
Thank you for you help with my previous post. I have some additional
questions also:
Question #1. As for the RADIUS requests not getting to the server, I
have a question about the value of "ipaddr" in the "clients.conf" file.
All of the instructions that I have seen have been unclear about what
this value this should be set to specifically.. Should it be the IP
address of the computer hosting the Radius server (192.168.1.113), or
the IP address of the router (192.168.1.1), or some other value? I have
tried all values and still get the same error message. Note that I have
not yet set the ip address of the server computer to be static in the
"/etc/network/interfaces" file. Following are the questions about this:
Question 1a: What is the best value to use for the "ipaddr" variable in
"clients.conf"? Such as the ip address of the server computer, ect..
Question 1b: What is the best value to use for the "Radius Auth Server
Address" setting in the router (using DD-WRT)? Presumably it is the
same value as 1a?
Question 1c: How important is setting the IP address of the server
computer to be static while testing even though I am sure that the IP
address of the server computer is currently 192.168.1.113 for the time
being?
Question 1d: What is the best source of information about this issue if
the answer is complex?
_____
Question #2. Version 2.1.12 of FreeRADIUS is the one that was installed
when I entered the "apt-get update" and "apt-get install freeradius"
commands. What would be the biggest benefits of upgrading to a newer
version? Presumably I would need to reconfigure from scratch if I
upgraded, am I correct? I have a feeling my problems are elsewhere for
the time being if the user client computer is not connecting to the
server though.
_____
Question #3. When you say "Users cannot manually configure their 802.1x
settings" on Mac computers starting with OS X Lion, do you mean that it
is mandatory to configure Mavericks using the XML method? I'm currently
trying to configure the networking manually in the "Network > Wi-Fi"
section of the prefs by selecting "WPA2-Enterprise", then "EAP-TLS," and
it does seem to be taking all of the necessary information and it even
gives the name of the certificate as a pull-down option, however it then
says "invalid password" when I try to connect.
____
Question #4. As for the certificates, they are being created using the
"sha1" method like you suggested (typed like that rather than "sha-1" if
that makes any difference.) The "default_bits" are set to 2048.
Following is the command I used to create the DH file: "openssl
dhparam -check -text -5 1024 -out dh". I have seen some
instructions that say to trim sections out of the certificates using a
text editor before using them with a Mac, would it be helpful to do that
at all?
Thanks for your help!
2
1
Is there a way to disable ntlm authorization when using PEAP. I added the
following entry in user
"testuser" Cleartext-Password := "password", MS-CHAP-Use-NTLM-Auth := 0
Reply-Message = "Hello, %{User-Name}"
Below is the radius log
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "testuser", looking up realm NULL [suffix] No
such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 6 [eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list [eap] EAP/peap [eap] processing
type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK
handshake fragment handler [peap] eaptls_verify returned 1 [peap]
eaptls_process returned 13 [peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 199 to 10.1.2.12 port 1645
EAP-Message =
0x010403fc194000fd4f6b26b546151e300d06092a864886f70d010105050030818a310b3009
060355040613025553310b30090603550408130256413112301006035504071309536f6d6577
68657265310f300d060355040a1306436f726e65743122302006092a864886f70d0109011613
702e6b616d61746840636f726e65742e636f6d312530230603550403131c436f726e65742043
6572746966696361746520417574686f72697479301e170d3135303830363137333635375a17
0d3135313030353137333635375a30818a310b3009060355040613025553310b300906035504
08130256413112301006035504071309536f6d65776865726531
EAP-Message =
0x0f300d060355040a1306436f726e65743122302006092a864886f70d0109011613702e6b61
6d61746840636f726e65742e636f6d312530230603550403131c436f726e6574204365727469
66696361746520417574686f7269747930820122300d06092a864886f70d0101010500038201
0f003082010a0282010100d47bc9d476a963ae8b2bc54602dd3ec02a9a61d503388bf03325b1
e036a1b3c3789185a1d8db84c8318ecde367d201f5f8f186a25c865840c9b23e65b37266df1a
43bdfaa22e27984d0daf81e92cbd5bb794eb44f54ccbcaded32f178128ddeb7dde5d9f792c3f
93178dd67e64b7f680b12d86b1b6115f870f8762466c30ebd4eb
EAP-Message =
0x7ad6cdf30f95d684e080b4b24048b2df4170bd0a8f33c7c07fa980178288903c8185444061
ed2e387840db38ff3f59a4a27854a83bfae7b97080e3ba2b2ec08038fa54583f58420b1f8586
00ed63c7541e5a0a284bbe67f1a21f8cbb5c6a483ab0bd815401b1554e5bee024db9311b9228
634ca8b32f43f0dc55959a8bbc510203010001a381f23081ef301d0603551d0e04160414a7d9
5ae87b9322fd7c72f4cb8447da70a44858a93081bf0603551d230481b73081b48014a7d95ae8
7b9322fd7c72f4cb8447da70a44858a9a18190a4818d30818a310b3009060355040613025553
310b30090603550408130256413112301006035504071309536f
EAP-Message =
0x6d657768657265310f300d060355040a1306436f726e65743122302006092a864886f70d01
09011613702e6b616d61746840636f726e65742e636f6d312530230603550403131c436f726e
657420436572746966696361746520417574686f72697479820900fd4f6b26b546151e300c06
03551d13040530030101ff300d06092a864886f70d010105050003820101002deab51a55b190
8fe4dd333b9beaab737dbe396a12d17f5856e98eb03f3de18677805ca6033d52cd621cb24771
d3f909d8c35b011d51dadd980e80bb8cb25e98f04d9575fd64fc3d689f3729f648011aa51ed3
c9f3a13c90e690353fe84514c0a9d4f2a6654e90af9cd54c7da1
EAP-Message = 0x73c22dbad3d8ccd2
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa3e091d2a1e48827dc72cc968a436b25
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.1.2.12 port 1645, id=200,
length=167
User-Name = "testuser"
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "24-B6-57-D3-2C-8C"
Calling-Station-Id = "5C-B9-01-B2-4A-15"
EAP-Message = 0x020400061900
Message-Authenticator = 0xe2fbaee84c14daebca49cfa615ef8ded
NAS-Port-Type = Ethernet
NAS-Port = 50112
NAS-Port-Id = "GigabitEthernet1/0/12"
State = 0xa3e091d2a1e48827dc72cc968a436b25
NAS-IP-Address = 10.1.2.12
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "testuser", looking up realm NULL [suffix] No
such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 4 length 6 [eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list [eap] EAP/peap [eap] processing
type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK
handshake fragment handler [peap] eaptls_verify returned 1 [peap]
eaptls_process returned 13 [peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 200 to 10.1.2.12 port 1645
EAP-Message =
0x0105009a1900f6f1b234409a3067f2946a561c41d329e2d754a68f1c93f8f22c8a79524218
ede2f7357366f533057d0d2af98920702c1d5e0c8ba3a69b9dd4cf8490a6c3c85804bead2421
de19ca57155d7a7df921695c5819a6c3561c8f7a5531960f3f4635175d18752884a7789c8bf2
7866237835c61daa0b744b20f5bb6504022beae99c3abaaa7a5af11fe44e7c1f16030100040e
000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa3e091d2a0e58827dc72cc968a436b25
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.1.2.12 port 1645, id=201,
length=499
User-Name = "testuser"
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "24-B6-57-D3-2C-8C"
Calling-Station-Id = "5C-B9-01-B2-4A-15"
EAP-Message =
0x0205015019800000014616030101061000010201006473f4b19800a13a9c5c7b01b3c265ea
10349366de65e2161d5b2c91fdbe8cefe2f3dc20824d20a4ccea304433ee4f644c1be1606b5c
58d8f5eab7b3fbd6325e35903642aefe1ed49c6abc70659b0320d46939ccdee65bb7f1886999
33027510e90b50d550c2bbbbc1253ae3defb82d7cfaf8f2dabe2417d84c49351ba04b6f93435
cca2124f5223c73b1aeb00680810ee17ab8f78db16768b38e6d99d44ab04985665bf5f7406eb
3baa28092d43fedefa54b114154161dc45c83ef6a5edee18978a5c75e4b38d9ce32ff1af0545
6c5c1a953eb4b074fa3fa8aa8e6f68cfb94aeb34c0a757d67b8a
EAP-Message =
0x387ed8c044da03f5d7406be6e7fd97cafb2444dabc0d77441403010001011603010030820a
5d69190d3d35413bd788bcd9f65f7d2b22c2ca536887f0d789165fb645ca844b6936df7fdaf7
01bd12390e8cdbd7
Message-Authenticator = 0x16d00ab524c96631a6b287c799aae583
NAS-Port-Type = Ethernet
NAS-Port = 50112
NAS-Port-Id = "GigabitEthernet1/0/12"
State = 0xa3e091d2a0e58827dc72cc968a436b25
NAS-IP-Address = 10.1.2.12
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "testuser", looking up realm NULL [suffix] No
such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 5 length 253 [eap] Continuing tunnel
setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list [eap] EAP/peap [eap] processing
type peap [peap] processing EAP-TLS
TLS Length 326
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange
[peap] TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0
Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap] TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 write finished A
[peap] TLS_accept: SSLv3 flush data
[peap] (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 201 to 10.1.2.12 port 1645
EAP-Message =
0x01060041190014030100010116030100300d9b14780e1f41191472b86a2fd4214ac11ce309
a2e5ac57ec848f6615f78666d5c745305aeb0bbd1cf6cfc958e3a140
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa3e091d2a7e68827dc72cc968a436b25
Finished request 4.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.1.2.12 port 1645, id=202,
length=167
User-Name = "testuser"
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "24-B6-57-D3-2C-8C"
Calling-Station-Id = "5C-B9-01-B2-4A-15"
EAP-Message = 0x020600061900
Message-Authenticator = 0xefaefb3a513154371bb7663ec7e046ff
NAS-Port-Type = Ethernet
NAS-Port = 50112
NAS-Port-Id = "GigabitEthernet1/0/12"
State = 0xa3e091d2a7e68827dc72cc968a436b25
NAS-IP-Address = 10.1.2.12
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "testuser", looking up realm NULL [suffix] No
such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 6 length 6 [eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list [eap] EAP/peap [eap] processing
type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK
handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process
returned 3 [peap] EAPTLS_SUCCESS [peap] Session established. Decoding
tunneled attributes.
[peap] Peap state TUNNEL ESTABLISHED
++[eap] returns handled
Sending Access-Challenge of id 202 to 10.1.2.12 port 1645
EAP-Message =
0x0107002b190017030100209e946f4b1c969f5d313d2103e294794df2bdcd4a4dae649fbcee
eb26a155c94b
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa3e091d2a6e78827dc72cc968a436b25
Finished request 5.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.1.2.12 port 1645, id=203,
length=204
User-Name = "testuser"
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "24-B6-57-D3-2C-8C"
Calling-Station-Id = "5C-B9-01-B2-4A-15"
EAP-Message =
0x0207002b1900170301002080698631153c58f752969b90367cc7bb69ac4b399ebf69911b8e
a80d378b4ce4
Message-Authenticator = 0x698eabce7651b9a3d79e14a8a99a03c1
NAS-Port-Type = Ethernet
NAS-Port = 50112
NAS-Port-Id = "GigabitEthernet1/0/12"
State = 0xa3e091d2a6e78827dc72cc968a436b25
NAS-IP-Address = 10.1.2.12
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "testuser", looking up realm NULL [suffix] No
such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 7 length 43 [eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list [eap] EAP/peap [eap] processing
type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap]
Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state WAITING FOR INNER IDENTITY [peap] Identity - testuser
[peap] Got inner identity 'testuser'
[peap] Setting default EAP type for tunneled EAP session.
[peap] Got tunneled request
EAP-Message = 0x0207000d017465737475736572 server { [peap] Setting
User-Name to testuser Sending tunneled request
EAP-Message = 0x0207000d017465737475736572
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "testuser"
server inner-tunnel {
# Executing section authorize from file
/etc/raddb/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "testuser", looking up realm NULL [suffix] No
such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 7 length 13 [eap] No EAP Start, assuming
it's an on-going EAP conversation
++[eap] returns updated
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
EAP-Message =
0x010800221a0108001d105ce8326e9114d3a2dec5900608214ee17465737475736572
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x7aa966307aa17c542ff595d55e7d6a15
[peap] Got tunneled reply RADIUS code 11
EAP-Message =
0x010800221a0108001d105ce8326e9114d3a2dec5900608214ee17465737475736572
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x7aa966307aa17c542ff595d55e7d6a15
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 203 to 10.1.2.12 port 1645
EAP-Message =
0x0108004b19001703010040be266c6bc8bf3236c7e1700ce1539cf2905fa2d9a5c93fbc53ad
267876efcf31c6f1d3df428d9db9de49ec9cd07e95a7f06233e489a467a2676163512422c03f
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa3e091d2a5e88827dc72cc968a436b25
Finished request 6.
Going to the next request
Waking up in 3.9 seconds.
rad_recv: Access-Request packet from host 10.1.2.12 port 1645, id=204,
length=268
User-Name = "testuser"
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "24-B6-57-D3-2C-8C"
Calling-Station-Id = "5C-B9-01-B2-4A-15"
EAP-Message =
0x0208006b1900170301006053c7440846571f5c9208d31294e6a0d5b8dbbdfc0bbc0ec2f0d0
98d24e8079f3dc59fe3f778fa7fc4ec47f37ef3565f42e7ace8c13bb6ab3d5293a7275cfcd49
fa4d577a520df55a5a4950dbfc6608eb927bdac98356c7287449eabe75ac774d
Message-Authenticator = 0x1d5978dcfe28a322fa85f581541a4d61
NAS-Port-Type = Ethernet
NAS-Port = 50112
NAS-Port-Id = "GigabitEthernet1/0/12"
State = 0xa3e091d2a5e88827dc72cc968a436b25
NAS-IP-Address = 10.1.2.12
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "testuser", looking up realm NULL [suffix] No
such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 8 length 107 [eap] Continuing tunnel
setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list [eap] EAP/peap [eap] processing
type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap]
Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
EAP-Message =
0x020800431a0208003e31c0591f7fb2f2511bc7c7a39941cb7ca1000000000000000056dc0e
e4ef5fc8898def1758e6aa29ac06cd681d7fd35106007465737475736572
server {
[peap] Setting User-Name to testuser
Sending tunneled request
EAP-Message =
0x020800431a0208003e31c0591f7fb2f2511bc7c7a39941cb7ca1000000000000000056dc0e
e4ef5fc8898def1758e6aa29ac06cd681d7fd35106007465737475736572
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "testuser"
State = 0x7aa966307aa17c542ff595d55e7d6a15
server inner-tunnel {
# Executing section authorize from file
/etc/raddb/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "testuser", looking up realm NULL [suffix] No
such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 8 length 67 [eap] No EAP Start, assuming
it's an on-going EAP conversation
++[eap] returns updated
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] Request found, released from the list [eap] EAP/mschapv2 [eap]
processing type mschapv2 [mschapv2] # Executing group from file
/etc/raddb/sites-enabled/inner-tunnel
[mschapv2] +- entering group MS-CHAP {...} [mschap] Creating challenge hash
with username: testuser [mschap] Told to do MS-CHAPv2 for testuser with
NT-Password
[mschap] expand: %{Stripped-User-Name} ->
[mschap] ... expanding second conditional
[mschap] expand: %{User-Name} -> testuser
[mschap] expand: %{%{User-Name}:-None} -> testuser
[mschap] expand:
--username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} ->
--username=testuser
[mschap] Creating challenge hash with username: testuser
[mschap] expand: %{mschap:Challenge} -> f9a36aa3aa275bf0
[mschap] expand: --challenge=%{%{mschap:Challenge}:-00} ->
--challenge=f9a36aa3aa275bf0
[mschap] expand: %{mschap:NT-Response} ->
56dc0ee4ef5fc8898def1758e6aa29ac06cd681d7fd35106
[mschap] expand: --nt-response=%{%{mschap:NT-Response}:-00} ->
--nt-response=56dc0ee4ef5fc8898def1758e6aa29ac06cd681d7fd35106
Exec-Program output: Exec-Program: FAILED to execute /path/to/ntlm_auth: No
such file or directory
Exec-Program-Wait: plaintext: Exec-Program: FAILED to execute
/path/to/ntlm_auth: No such file or directory
Exec-Program: returned: 1
[mschap] External script failed.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
} # server inner-tunnel
[peap] Got tunneled reply code 3
MS-CHAP-Error = "\010E=691 R=1"
EAP-Message = 0x04080004
Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code 3
MS-CHAP-Error = "\010E=691 R=1"
EAP-Message = 0x04080004
Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] returns handled
Sending Access-Challenge of id 204 to 10.1.2.12 port 1645
EAP-Message =
0x0109002b19001703010020126279bbbe9350880386e85c413ca97f91ee0deaf67387bfb865
27c4952dc155
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa3e091d2a4e98827dc72cc968a436b25
Finished request 7.
Going to the next request
Waking up in 3.7 seconds.
rad_recv: Access-Request packet from host 10.1.2.12 port 1645, id=205,
length=204
User-Name = "testuser"
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "24-B6-57-D3-2C-8C"
Calling-Station-Id = "5C-B9-01-B2-4A-15"
EAP-Message =
0x0209002b190017030100205e8ff15f68aa5877d0da372e553dea37fa5131380a857a89c766
11d30c77d468
Message-Authenticator = 0x5f64a4462e35c1f883f2fbbaf2d3b957
NAS-Port-Type = Ethernet
NAS-Port = 50112
NAS-Port-Id = "GigabitEthernet1/0/12"
State = 0xa3e091d2a4e98827dc72cc968a436b25
NAS-IP-Address = 10.1.2.12
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "testuser", looking up realm NULL [suffix] No
such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 9 length 43 [eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list [eap] EAP/peap [eap] processing
type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap]
Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state send tlv failure
[peap] Received EAP-TLV response.
[peap] The users session was previously rejected: returning reject (again.)
[peap] *** This means you need to read the PREVIOUS messages in the debug
output [peap] *** to find out the reason why the user was rejected.
[peap] *** Look for "reject" or "fail". Those earlier messages will tell
you.
[peap] *** what went wrong, and how to fix the problem.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> testuser
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 8 for 1 seconds Going to the next request Waking
up in 0.9 seconds.
Sending delayed reject for request 8
Sending Access-Reject of id 205 to 10.1.2.12 port 1645
EAP-Message = 0x04090004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 1.8 seconds.
Thanks
Preyas
-----Original Message-----
From: Freeradius-Users
[mailto:freeradius-users-bounces+p.kamath=cornet.com@lists.freeradius.org]
On Behalf Of A.L.M.Buxey(a)lboro.ac.uk
Sent: Thursday, August 06, 2015 9:29 AM
To: FreeRadius users mailing list
Subject: Re: Switch sends EAP-Fail after Radius Access-Accept
Hi,
> [preyask@localhost controller-ned]$ cat /etc/raddb/small.conf listen {
> type = auth
> ipaddr = *
> port = 1812
> }
> client 10.1.2.0/24 { # allow packets from 10.1.2.0/24
> secret = testing123
> shortname = 10.1.2.12
> }
> modules { # We don't use any modules
> }
> authorize { # return Access-Accept for PAP and CHAP
> update control {
> Auth-Type := Accept
> }
> }
yeh. that wont work....start with the default configuration and THEN start
slimming it down
big hints - you are using EAP thus you ARE using modules....in fact ALL work
in FreeRADIUS uses modules. you are doing EAP - therefore the request needs
to go into a virtual server that is called in the eap.conf configuration.
default in virtual-server.
I'll repeat. stop what you are currently doing, install the default config,
add your client and THEN start work....once its working and you get to know
what each module does and how the server works, THEN reduce the
configuration
alan
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
1
0
Hello,
I'm trying to configure a FreeRADIUS server (Version 2.1.12) on computer
running Debian Linux (Raspbain), and I'm trying to connect to it with a
Mac laptop running OS X Mavericks (10.9). I'm using the EAP-TLS
Wireless WPA2-Enterprise SSL certificate method, but the Mac refuses to
connect to the server, usually saying "Invalid password." The server
seems to be functioning properly, when I run the "freeradius -X"
command I get the "Ready to process requests" message and the error log
does not log anything when I try to connect.
I'm relatively sure that the certificates have been created and
installed properly into the server and Mac OS X keychain, I'm allowed to
select the client certificate from a pull-down menu when I try to
configure the networking in the OS X Networking preferences, but the
computer doesn't actually end up connecting to the network. I have
created the certificates on the Linux side using ssl commands.
Question #1: Do I need an entry in the FreeRADIUS config files for each
individual client computer I'm trying to connect to, such as in the
"users" file or "acct_users" file? What would I put into those files if
I needed to put something? Instructions that I have seen suggest that
I don't need to specify such information as long as the certificates
have been created and implemented properly. I did get a prompt for the
certificate password when I put the certificate into the OS X keychain
and I did enter that properly. Also I was sure to name the "common
name" of the certificate something unique and relevant.
Question #2: In the EAP-TLS section of the "eap.conf" config file there
is the "private_key_password" variable, and some instructions have told
me just to comment that out.. I have also tried to use certificate
passwords and also challenge passwords that were specified for the
certificates, but I still get the same "Invalid Password" message on the
OS X client no matter what I try to do with that. What is the best
setting I should use for that?
Question: #3: Elsewhere I have seen instructions for using XML
configuration profiles for setting up the networking on Mac computers,
but I would rather not deal with that right now and instead I would like
to just create and install the certificates manually to get the most
basic setup running.. Presumably it is not mandatory to use that XML
method with Mavericks for the certificates although please correct me if
I am wrong.
I can provide whatever information is necessary, such as log files or
the SSL commands I have used to create the certificates, ect.. Thank
you for your help!
2
1
Hi,
Has anyone implemented contention ratio with freeradius? For example, our
network, we give 4mbps connection to everyone. Suppose we have 1Gbps
network and only few users are currently using it, can be provide the
active user's more bandwidth till the the number of users increase?
I have checked with burst rate. but its different from this.
Please advice.
Best regards,
Randeep
2
2
Hello there,
Is there anyone using LVS with Freeradius? In one of the previous threads
(see below) Alan said that we can use the status-server of freeradius in
the MISC_CHECK. Unfortunately the link is no longer available. So If anyone
has any information about this or tried this I would be very intersted to
know how you did it.
In advance thank you for your response,
Sara
>>Nicolas Baradakis wrote:
>>> Keepalived will monitor the FreeRADIUS proxies. The health check is
>>> configured with a "MISC_CHECK" stanza in keepalived.conf. You have
>>> to run "radclient" and test whether the server returns Access-Accept,
>>> that's all.
>>This is what Status-Server should be used for.
>>http://www.ietf.org/internet-drafts/draft-dekok-radius-status-server-00.txt
<http://www.ietf.org/internet-drafts/draft-dekok-radius-status-server-00.txt>
>> I have an update I'll be submitting this week. My goal is to have it
>>issued as an RFC in the next 6 months.
>> Alan DeKok.
3
2