Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
March 2017
- 85 participants
- 101 discussions
Hi,
iOS issues in my network aren't related with certs. I think it because TLS
tunnel was established successful. I don' understand why it happens only
iOS devices.
Alan DeKok-2
<http://freeradius.1045715.n5.nabble.com/template/NamlServlet.jtp?macro=user…>
wrote if I turned off session resumption. I've search in eap config about
"session resumption" and I've find in "cache" block. To disable session
resumption is only change attribute on "enable" field to "no" like example
below? In my case this field "enable" is "yes".
cache {
#
# Enable it. The default is "no". Deleting the
entire "cache"
# subsection also disables caching.
#
# You can disallow resumption for a particular
user by adding the
# following attribute to the control item list:
#
# Allow-Session-Resumption = No
#
# If "enable = no" below, you CANNOT enable
resumption for just one
# user by setting the above attribute to "yes".
#
#enable = yes
enable = no
Glad to your help,
1
0
>I've read a lot messages in Freeradius Forum and I continued misunderstand why iOS devices (iPhone, iPad) doesn't connect in my >WPA-Enterprise wifi network. I've installed and configured a freeradius server, version 3.0.14, over openssl 1.1.0e (both have >installed from sources on Debian 8). I've tested connect Android devices to my wifi network and everytime they can connect to >the network, but iOS devices have mysterious issues.
With PEAP you should *always* use Publicly recognised TLS/SSL certificates, preferably with a well-known CA source or one that your University supports. Also it should be at least 2048 bits and uses the SHA256 hash algorithm, SHA1 should be phased out. For example, we use JISC service which uses Quo Vadis CA. Do not use self-signed or internal CA certificates.
>When I try connect iOS device to my wifi in first time, they can connect perfectly. Though, if this same iOS device lost >connection (because it's out of range AP signal or air plane mode turn on by the user for 30 minutes or hours) and try connect >again the device doesn't connect. When I've saw the debug mode, I've noticed that EAP-PEAP tunnel athentication was successful >and server sent Access-Challenge, but device doesn't answer this challenge. I don't understand why the android devices doesn't >this issues.
> Maybe it's related to session resumption? Have you turned that off?
When switched between Aps, session resumption should be enabled to provide seemless connections.
The APS should be using the same SSIDs and
Peter Hutchison MCP
Senior Network Systems SpecialistS
S 01484 473716
Networks Team
University of Huddersfield | Queensgate | Huddersfield | HD1 3DH
University of Huddersfield inspiring tomorrow's professionals.
[http://marketing.hud.ac.uk/_HOSTED/EmailSig2014/EmailSigFooter.jpg]
This transmission is confidential and may be legally privileged. If you receive it in error, please notify us immediately by e-mail and remove it from your system. If the content of this e-mail does not relate to the business of the University of Huddersfield, then we do not endorse it and will accept no liability.
8
22
Hello.
This problem is not specifically of freeradius but maybe someone can help
me.
After a painful process I finally got my Freeradius 2.2.8 server to run
with only EAP-TLS authentication (my experience with freeradius is still
short). But I've found a problem: when I install ca and user certificates
in an antroid terminal all goes well first time i connect, but if I restart
the device, or even if I switch from a wifi conection to another, or i set
"forget" the conection, my device loses the certificates, so i have to
install it again in order to access the network, it happens me with various
devices of different models and brands, after i google it a little i've
found some people with the same problem, but no solution.
Could anyone help me with this issue? What is causing this behaviour?
Has anyone a succesfull experience with eap-tls and android devices?
Any help will be appretiated. Thanks in advance.
4
5
Re: RadPerf '-A delay,lifetime' arg does not copy the 'Calling-Station-Id' from Accept-Request
by Jay Cedrone (jcedrone) 24 Mar '17
by Jay Cedrone (jcedrone) 24 Mar '17
24 Mar '17
Do you have any information on how to have radperf send a calling station ID? Attribute 31.
Thanks a lot,
- Jay
1
0
Hi everyone,
Our (Red Hat) QA was testing the effect of this entry in 3.0.4 ChangeLog:
* Modify pairparsevalue to deal with embedded NULLs better,
and use the binary versions of attribute values in rlm_ldap.
They have noticed that binary LDAP values get truncated on embedded zero
characters (\0) in RADIUS replies, in radiusReplyMessage in particular.
I.e. for
radiusReplyMessage:: cmVwbHkgd2l0aCBhAGI=
The response output by radtest was
Reply-Message = 'reply with a'
The network capture also showed that RADIUS reply packets contained truncated
values. Is this intended, or was there a fix for this?
In related discoveries, it seems that backslashes get removed from LDAP
attribute values in RADIUS replies, so
radiusReplyMessage: reply with a\0b
becomes
Reply-Message = 'reply with a0b'
in radtest output.
Is this intended?
Thank you.
Nick
4
12
24 Mar '17
Hi,
Version:
FreeRADIUS Version 3.0.13
Copyright (C) 1999-2017 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
Some client sends value + \0 character at the end of the attribute
Calling-Station-Id (e.g. 421945411479\0 ).
I am trying to fix / workaround this issue via unlang (in pre-proxy
section):
update {
&proxy-request:Calling-Station-Id :=
"%{string:&proxy-request:Calling-Station-Id}"
}
Debug output:
update {
(0) EXPAND %{string:&proxy-request:Calling-Station-Id}
(0) --> 421945411479
(0) &proxy-request:Calling-Station-Id := 421945411479
(0) } # update = noop
Is it good approach ?
I have tried also fix it via following peace of unlang code (doesnt work):
if (&proxy-request:Calling-Station-Id && &proxy-request:Calling-Station-Id
=~ /([0-9]+)/) {
update {
&proxy-request:Calling-Station-Id := "%{0}"
}
}
Debug ouput:
if (&proxy-request:Calling-Station-Id && &proxy-request:Calling-Station-Id
=~ /([0-9]+)/) {
(0) ERROR: regex failed: Found null in subject at offset 12. String
unsafe for evaluation
(0) ERROR: Failed retrieving values required to evaluate condition
Could you please give me advice how to add \0 character at the end of the
attribute value, if i want to send (test request) via radclient ?
Thank you very much.
2
1
<quote author='Alan DeKok-2'>
On Mar 22, 2017, at 7:39 AM, Igor Sousa <igorvolt(a)gmail.com> wrote:
> PLEASE follow the instructions, and use "radiusd -X". Doing "-Xx" just
makes the debug output harder to read.
</quote>
Quoted from:
http://freeradius.1045715.n5.nabble.com/iOS-mysterious-issues-on-Freeradius…
I'm so sorry. I used use "radiusd -Xx" because I like see timestamp, but it
turns debug output harder to read and I agree with you. Now, I get two
debug's output where the first when Iphone can't connect to network and
second when I reboot the same Iphone and it can connect to the same network
(same AP device too).
PS: The certificate was generated during freeradius install. I think that
certificate isn't problem because tunneled authentication was successful
Glad to your help,
Igor Sousa
Debug outputs
IPHONE CANNOT CONNECT TO WIFI NETWORK
(19) Received Access-Request Id 0 from 10.41.17.64:1086 to 10.41.110.86:1812
length 210
(19) Message-Authenticator = 0xaff68abbae7d1c7ec3845b6e82d7820b
(19) Service-Type = Framed-User
(19) User-Name = "userTest"
(19) Framed-MTU = 1488
(19) Called-Station-Id = "40-01-C6-D8-5C-00:AAA-Teste"
(19) Calling-Station-Id = "4C-57-CA-E2-E9-8D"
(19) NAS-Identifier = "3Com Access Point 7760"
(19) NAS-Port-Type = Wireless-802.11
(19) Connect-Info = "CONNECT 54Mbps 802.11g"
(19) EAP-Message = 0x02000010013031383239353036333832
(19) NAS-IP-Address = 10.41.17.64
(19) NAS-Port = 1
(19) NAS-Port-Id = "STA port # 1"
(19) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(19) authorize {
(19) [preprocess] = ok
(19) eap: Peer sent EAP Response (code 2) ID 0 length 16
(19) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(19) [eap] = ok
(19) } # authorize = ok
(19) Found Auth-Type = eap
(19) # Executing group from file /etc/raddb/sites-enabled/default
(19) authenticate {
(19) eap: Peer sent packet with method EAP Identity (1)
(19) eap: Calling submodule eap_peap to process data
(19) eap_peap: Initiating new EAP-TLS session
(19) eap_peap: [eaptls start] = request
(19) eap: Sending EAP Request (code 1) ID 1 length 6
(19) eap: EAP session adding &reply:State = 0x82e4cb1b82e5d244
(19) [eap] = handled
(19) } # authenticate = handled
(19) Using Post-Auth-Type Challenge
(19) Post-Auth-Type sub-section not found. Ignoring.
(19) # Executing group from file /etc/raddb/sites-enabled/default
(19) Sent Access-Challenge Id 0 from 10.41.110.86:1812 to 10.41.17.64:1086
length 0
(19) EAP-Message = 0x010100061920
(19) Message-Authenticator = 0x00000000000000000000000000000000
(19) State = 0x82e4cb1b82e5d244ae1bb12a174a7e27
(19) Finished request
Waking up in 1.0 seconds.
(20) Received Access-Request Id 1 from 10.41.17.64:1086 to 10.41.110.86:1812
length 339
(20) Message-Authenticator = 0x06ed06a6edcefe165e317699f3ab93bf
(20) Service-Type = Framed-User
(20) User-Name = "userTest"
(20) Framed-MTU = 1488
(20) State = 0x82e4cb1b82e5d244ae1bb12a174a7e27
(20) Called-Station-Id = "40-01-C6-D8-5C-00:AAA-Teste"
(20) Calling-Station-Id = "4C-57-CA-E2-E9-8D"
(20) NAS-Identifier = "3Com Access Point 7760"
(20) NAS-Port-Type = Wireless-802.11
(20) Connect-Info = "CONNECT 54Mbps 802.11g"
(20) EAP-Message =
0x0201007f19800000007516030100700100006c030158d2b994740bc0e95df6bd9e51c89c348c9061a2001932506837a83a2b96e1f800002000ffc024c023c00ac009c008c028c027c014c013c012003d003c0035002f000a01000023000a00080006001700180019000b00020100000500050100000000
(20) NAS-IP-Address = 10.41.17.64
(20) NAS-Port = 1
(20) NAS-Port-Id = "STA port # 1"
(20) session-state: No cached attributes
(20) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(20) authorize {
(20) [preprocess] = ok
(20) eap: Peer sent EAP Response (code 2) ID 1 length 127
(20) eap: Continuing tunnel setup
(20) [eap] = ok
(20) } # authorize = ok
(20) Found Auth-Type = eap
(20) # Executing group from file /etc/raddb/sites-enabled/default
(20) authenticate {
(20) eap: Expiring EAP session with state 0xfaf55ea1f2e347c8
(20) eap: Finished EAP session with state 0x82e4cb1b82e5d244
(20) eap: Previous EAP request found for state 0x82e4cb1b82e5d244, released
from the list
(20) eap: Peer sent packet with method EAP PEAP (25)
(20) eap: Calling submodule eap_peap to process data
(20) eap_peap: Continuing EAP-TLS
(20) eap_peap: Peer indicated complete TLS record size will be 117 bytes
(20) eap_peap: Got complete TLS record (117 bytes)
(20) eap_peap: [eaptls verify] = length included
(20) eap_peap: (other): before SSL initialization
(20) eap_peap: TLS_accept: before SSL initialization
(20) eap_peap: TLS_accept: before SSL initialization
(20) eap_peap: <<< recv TLS 1.2 [length 0070]
(20) eap_peap: TLS_accept: SSLv3/TLS read client hello
(20) eap_peap: >>> send TLS 1.0 Handshake [length 005d], ServerHello
(20) eap_peap: TLS_accept: SSLv3/TLS write server hello
(20) eap_peap: >>> send TLS 1.0 Handshake [length 08d3], Certificate
(20) eap_peap: TLS_accept: SSLv3/TLS write certificate
(20) eap_peap: >>> send TLS 1.0 Handshake [length 014b], ServerKeyExchange
(20) eap_peap: TLS_accept: SSLv3/TLS write key exchange
(20) eap_peap: >>> send TLS 1.0 Handshake [length 0004], ServerHelloDone
(20) eap_peap: TLS_accept: SSLv3/TLS write server done
(20) eap_peap: TLS_accept: Need to read more data: SSLv3/TLS write server
done
(20) eap_peap: In SSL Handshake Phase
(20) eap_peap: In SSL Accept mode
(20) eap_peap: [eaptls process] = handled
(20) eap: Sending EAP Request (code 1) ID 2 length 1004
(20) eap: EAP session adding &reply:State = 0x82e4cb1b83e6d244
(20) [eap] = handled
(20) } # authenticate = handled
(20) Using Post-Auth-Type Challenge
(20) Post-Auth-Type sub-section not found. Ignoring.
(20) # Executing group from file /etc/raddb/sites-enabled/default
(20) Sent Access-Challenge Id 1 from 10.41.110.86:1812 to 10.41.17.64:1086
length 0
(20) EAP-Message =
0x010203ec19c000000a93160301005d02000059030137ff0e7945d630b967660ce9dfe075ed12322d81c073d418449d657776955cef20ad6b30ad91ec1d4a1cb29d7bcca8c64ffca1d37b284636e0af73a499a87943b5c014000011ff01000100000b0004030001020017000016030108d30b0008cf0008
(20) Message-Authenticator = 0x00000000000000000000000000000000
(20) State = 0x82e4cb1b83e6d244ae1bb12a174a7e27
(20) Finished request
Waking up in 1.0 seconds.
(21) Received Access-Request Id 2 from 10.41.17.64:1086 to 10.41.110.86:1812
length 218
(21) Message-Authenticator = 0x9e08ee72ba04c092cc95e8dc3c2b126d
(21) Service-Type = Framed-User
(21) User-Name = "userTest"
(21) Framed-MTU = 1488
(21) State = 0x82e4cb1b83e6d244ae1bb12a174a7e27
(21) Called-Station-Id = "40-01-C6-D8-5C-00:AAA-Teste"
(21) Calling-Station-Id = "4C-57-CA-E2-E9-8D"
(21) NAS-Identifier = "3Com Access Point 7760"
(21) NAS-Port-Type = Wireless-802.11
(21) Connect-Info = "CONNECT 54Mbps 802.11g"
(21) EAP-Message = 0x020200061900
(21) NAS-IP-Address = 10.41.17.64
(21) NAS-Port = 1
(21) NAS-Port-Id = "STA port # 1"
(21) session-state: No cached attributes
(21) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(21) authorize {
(21) [preprocess] = ok
(21) eap: Peer sent EAP Response (code 2) ID 2 length 6
(21) eap: Continuing tunnel setup
(21) [eap] = ok
(21) } # authorize = ok
(21) Found Auth-Type = eap
(21) # Executing group from file /etc/raddb/sites-enabled/default
(21) authenticate {
(21) eap: Expiring EAP session with state 0xfaf55ea1f2e347c8
(21) eap: Finished EAP session with state 0x82e4cb1b83e6d244
(21) eap: Previous EAP request found for state 0x82e4cb1b83e6d244, released
from the list
(21) eap: Peer sent packet with method EAP PEAP (25)
(21) eap: Calling submodule eap_peap to process data
(21) eap_peap: Continuing EAP-TLS
(21) eap_peap: Peer ACKed our handshake fragment
(21) eap_peap: [eaptls verify] = request
(21) eap_peap: [eaptls process] = handled
(21) eap: Sending EAP Request (code 1) ID 3 length 1000
(21) eap: EAP session adding &reply:State = 0x82e4cb1b80e7d244
(21) [eap] = handled
(21) } # authenticate = handled
(21) Using Post-Auth-Type Challenge
(21) Post-Auth-Type sub-section not found. Ignoring.
(21) # Executing group from file /etc/raddb/sites-enabled/default
(21) Sent Access-Challenge Id 2 from 10.41.110.86:1812 to 10.41.17.64:1086
length 0
(21) EAP-Message =
0x010303e81940b2c16fe1b0d484179f9cdaaba928edbe85ea947176542ea9646d2f16b8803f26bf43aa9d60ff2c5d4d9ec84c4c511d64d81b360765cd88159cbe3831e7f63102d7e95becbf76520288a093eefd7080eb3f1c6936e347b508b9916d3e4e10615ad52b4601565fedd7e976bdf1ec0004e830
(21) Message-Authenticator = 0x00000000000000000000000000000000
(21) State = 0x82e4cb1b80e7d244ae1bb12a174a7e27
(21) Finished request
Waking up in 1.0 seconds.
(22) Received Access-Request Id 3 from 10.41.17.64:1086 to 10.41.110.86:1812
length 218
(22) Message-Authenticator = 0x0e187ddb9e28534049f07abe7b3a792a
(22) Service-Type = Framed-User
(22) User-Name = "userTest"
(22) Framed-MTU = 1488
(22) State = 0x82e4cb1b80e7d244ae1bb12a174a7e27
(22) Called-Station-Id = "40-01-C6-D8-5C-00:AAA-Teste"
(22) Calling-Station-Id = "4C-57-CA-E2-E9-8D"
(22) NAS-Identifier = "3Com Access Point 7760"
(22) NAS-Port-Type = Wireless-802.11
(22) Connect-Info = "CONNECT 54Mbps 802.11g"
(22) EAP-Message = 0x020300061900
(22) NAS-IP-Address = 10.41.17.64
(22) NAS-Port = 1
(22) NAS-Port-Id = "STA port # 1"
(22) session-state: No cached attributes
(22) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(22) authorize {
(22) [preprocess] = ok
(22) eap: Peer sent EAP Response (code 2) ID 3 length 6
(22) eap: Continuing tunnel setup
(22) [eap] = ok
(22) } # authorize = ok
(22) Found Auth-Type = eap
(22) # Executing group from file /etc/raddb/sites-enabled/default
(22) authenticate {
(22) eap: Expiring EAP session with state 0xfaf55ea1f2e347c8
(22) eap: Finished EAP session with state 0x82e4cb1b80e7d244
(22) eap: Previous EAP request found for state 0x82e4cb1b80e7d244, released
from the list
(22) eap: Peer sent packet with method EAP PEAP (25)
(22) eap: Calling submodule eap_peap to process data
(22) eap_peap: Continuing EAP-TLS
(22) eap_peap: Peer ACKed our handshake fragment
(22) eap_peap: [eaptls verify] = request
(22) eap_peap: [eaptls process] = handled
(22) eap: Sending EAP Request (code 1) ID 4 length 725
(22) eap: EAP session adding &reply:State = 0x82e4cb1b81e0d244
(22) [eap] = handled
(22) } # authenticate = handled
(22) Using Post-Auth-Type Challenge
(22) Post-Auth-Type sub-section not found. Ignoring.
(22) # Executing group from file /etc/raddb/sites-enabled/default
(22) Sent Access-Challenge Id 3 from 10.41.110.86:1812 to 10.41.17.64:1086
length 0
(22) EAP-Message =
0x010402d519006361746520417574686f72697479820900f29e29fc64450db1300f0603551d130101ff040530030101ff30360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e6f72672f6578616d706c655f63612e63726c300d06092a864886f70d01010b0500
(22) Message-Authenticator = 0x00000000000000000000000000000000
(22) State = 0x82e4cb1b81e0d244ae1bb12a174a7e27
(22) Finished request
Waking up in 1.0 seconds.
(23) Received Access-Request Id 4 from 10.41.17.64:1086 to 10.41.110.86:1812
length 356
(23) Message-Authenticator = 0xc77ca6450207ee96bc701c3e80013fa2
(23) Service-Type = Framed-User
(23) User-Name = "userTest"
(23) Framed-MTU = 1488
(23) State = 0x82e4cb1b81e0d244ae1bb12a174a7e27
(23) Called-Station-Id = "40-01-C6-D8-5C-00:AAA-Teste"
(23) Calling-Station-Id = "4C-57-CA-E2-E9-8D"
(23) NAS-Identifier = "3Com Access Point 7760"
(23) NAS-Port-Type = Wireless-802.11
(23) Connect-Info = "CONNECT 54Mbps 802.11g"
(23) EAP-Message =
0x020400901980000000861603010046100000424104fc94c086c80412f32f419d7f1071bd4863294987aebe7139a5d92849080b9c602c5a61b8f8b8e65d7b8f08d5b4f75c942d77f7b0bfba1eb3c64cd9a4f24c9d4114030100010116030100304daead77f0532e3562ea1b4b112348d124a28151794774
(23) NAS-IP-Address = 10.41.17.64
(23) NAS-Port = 1
(23) NAS-Port-Id = "STA port # 1"
(23) session-state: No cached attributes
(23) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(23) authorize {
(23) [preprocess] = ok
(23) eap: Peer sent EAP Response (code 2) ID 4 length 144
(23) eap: Continuing tunnel setup
(23) [eap] = ok
(23) } # authorize = ok
(23) Found Auth-Type = eap
(23) # Executing group from file /etc/raddb/sites-enabled/default
(23) authenticate {
(23) eap: Expiring EAP session with state 0xfaf55ea1f2e347c8
(23) eap: Finished EAP session with state 0x82e4cb1b81e0d244
(23) eap: Previous EAP request found for state 0x82e4cb1b81e0d244, released
from the list
(23) eap: Peer sent packet with method EAP PEAP (25)
(23) eap: Calling submodule eap_peap to process data
(23) eap_peap: Continuing EAP-TLS
(23) eap_peap: Peer indicated complete TLS record size will be 134 bytes
(23) eap_peap: Got complete TLS record (134 bytes)
(23) eap_peap: [eaptls verify] = length included
(23) eap_peap: TLS_accept: SSLv3/TLS write server done
(23) eap_peap: <<< recv TLS 1.0 Handshake [length 0046], ClientKeyExchange
(23) eap_peap: TLS_accept: SSLv3/TLS read client key exchange
(23) eap_peap: TLS_accept: SSLv3/TLS read change cipher spec
(23) eap_peap: <<< recv TLS 1.0 Handshake [length 0010], Finished
(23) eap_peap: TLS_accept: SSLv3/TLS read finished
(23) eap_peap: >>> send TLS 1.0 ChangeCipherSpec [length 0001]
(23) eap_peap: TLS_accept: SSLv3/TLS write change cipher spec
(23) eap_peap: >>> send TLS 1.0 Handshake [length 0010], Finished
(23) eap_peap: TLS_accept: SSLv3/TLS write finished
(23) eap_peap: (other): SSL negotiation finished successfully
(23) eap_peap: SSL Connection Established
(23) eap_peap: [eaptls process] = handled
(23) eap: Sending EAP Request (code 1) ID 5 length 65
(23) eap: EAP session adding &reply:State = 0x82e4cb1b86e1d244
(23) [eap] = handled
(23) } # authenticate = handled
(23) Using Post-Auth-Type Challenge
(23) Post-Auth-Type sub-section not found. Ignoring.
(23) # Executing group from file /etc/raddb/sites-enabled/default
(23) Sent Access-Challenge Id 4 from 10.41.110.86:1812 to 10.41.17.64:1086
length 0
(23) EAP-Message =
0x010500411900140301000101160301003092e53f04b9660df09297508db8e8fb3b4ad05e7b6ae5ec5d0120facf25d35fd262b1706180c33f72e235b2c3f3724cd9
(23) Message-Authenticator = 0x00000000000000000000000000000000
(23) State = 0x82e4cb1b86e1d244ae1bb12a174a7e27
(23) Finished request
Waking up in 1.0 seconds.
(24) Received Access-Request Id 5 from 10.41.17.64:1086 to 10.41.110.86:1812
length 218
(24) Message-Authenticator = 0x7b0940b6625998f02f43527bb1725e77
(24) Service-Type = Framed-User
(24) User-Name = "userTest"
(24) Framed-MTU = 1488
(24) State = 0x82e4cb1b86e1d244ae1bb12a174a7e27
(24) Called-Station-Id = "40-01-C6-D8-5C-00:AAA-Teste"
(24) Calling-Station-Id = "4C-57-CA-E2-E9-8D"
(24) NAS-Identifier = "3Com Access Point 7760"
(24) NAS-Port-Type = Wireless-802.11
(24) Connect-Info = "CONNECT 54Mbps 802.11g"
(24) EAP-Message = 0x020500061900
(24) NAS-IP-Address = 10.41.17.64
(24) NAS-Port = 1
(24) NAS-Port-Id = "STA port # 1"
(24) session-state: No cached attributes
(24) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(24) authorize {
(24) [preprocess] = ok
(24) eap: Peer sent EAP Response (code 2) ID 5 length 6
(24) eap: Continuing tunnel setup
(24) [eap] = ok
(24) } # authorize = ok
(24) Found Auth-Type = eap
(24) # Executing group from file /etc/raddb/sites-enabled/default
(24) authenticate {
(24) eap: Expiring EAP session with state 0xfaf55ea1f2e347c8
(24) eap: Finished EAP session with state 0x82e4cb1b86e1d244
(24) eap: Previous EAP request found for state 0x82e4cb1b86e1d244, released
from the list
(24) eap: Peer sent packet with method EAP PEAP (25)
(24) eap: Calling submodule eap_peap to process data
(24) eap_peap: Continuing EAP-TLS
(24) eap_peap: Peer ACKed our handshake fragment. handshake is finished
(24) eap_peap: [eaptls verify] = success
(24) eap_peap: [eaptls process] = success
(24) eap_peap: Session established. Decoding tunneled attributes
(24) eap_peap: PEAP state TUNNEL ESTABLISHED
(24) eap: Sending EAP Request (code 1) ID 6 length 43
(24) eap: EAP session adding &reply:State = 0x82e4cb1b87e2d244
(24) [eap] = handled
(24) } # authenticate = handled
(24) Using Post-Auth-Type Challenge
(24) Post-Auth-Type sub-section not found. Ignoring.
(24) # Executing group from file /etc/raddb/sites-enabled/default
(24) Sent Access-Challenge Id 5 from 10.41.110.86:1812 to 10.41.17.64:1086
length 0
(24) EAP-Message =
0x0106002b19001703010020afa714d51b4477ae4fc0c892baab98cb04bd0762d895080477d237e60fdae1cb
(24) Message-Authenticator = 0x00000000000000000000000000000000
(24) State = 0x82e4cb1b87e2d244ae1bb12a174a7e27
(24) Finished request
Waking up in 0.9 seconds.
(25) Received Access-Request Id 6 from 10.41.17.64:1086 to 10.41.110.86:1812
length 271
(25) Message-Authenticator = 0xdec0a89429f16c15bc1dc8a9a9a272c1
(25) Service-Type = Framed-User
(25) User-Name = "userTest"
(25) Framed-MTU = 1488
(25) State = 0x82e4cb1b87e2d244ae1bb12a174a7e27
(25) Called-Station-Id = "40-01-C6-D8-5C-00:AAA-Teste"
(25) Calling-Station-Id = "4C-57-CA-E2-E9-8D"
(25) NAS-Identifier = "3Com Access Point 7760"
(25) NAS-Port-Type = Wireless-802.11
(25) Connect-Info = "CONNECT 54Mbps 802.11g"
(25) EAP-Message =
0x0206003b19001703010030657aea9089cf393fccfa7cce8b305fa7c1265fa8174415a9b45527c898b1b5178cb30fa0081511f2f971c4f46af30621
(25) NAS-IP-Address = 10.41.17.64
(25) NAS-Port = 1
(25) NAS-Port-Id = "STA port # 1"
(25) session-state: No cached attributes
(25) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(25) authorize {
(25) [preprocess] = ok
(25) eap: Peer sent EAP Response (code 2) ID 6 length 59
(25) eap: Continuing tunnel setup
(25) [eap] = ok
(25) } # authorize = ok
(25) Found Auth-Type = eap
(25) # Executing group from file /etc/raddb/sites-enabled/default
(25) authenticate {
(25) eap: Expiring EAP session with state 0xfaf55ea1f2e347c8
(25) eap: Finished EAP session with state 0x82e4cb1b87e2d244
(25) eap: Previous EAP request found for state 0x82e4cb1b87e2d244, released
from the list
(25) eap: Peer sent packet with method EAP PEAP (25)
(25) eap: Calling submodule eap_peap to process data
(25) eap_peap: Continuing EAP-TLS
(25) eap_peap: [eaptls verify] = ok
(25) eap_peap: Done initial handshake
(25) eap_peap: [eaptls process] = ok
(25) eap_peap: Session established. Decoding tunneled attributes
(25) eap_peap: PEAP state WAITING FOR INNER IDENTITY
(25) eap_peap: Identity - userTest
(25) eap_peap: Got inner identity 'userTest'
(25) eap_peap: Setting default EAP type for tunneled EAP session
(25) eap_peap: Got tunneled request
(25) eap_peap: EAP-Message = 0x02060010013031383239353036333832
(25) eap_peap: Setting User-Name to userTest
(25) eap_peap: Sending tunneled request to inner-tunnel
(25) eap_peap: EAP-Message = 0x02060010013031383239353036333832
(25) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(25) eap_peap: User-Name = "userTest"
(25) eap_peap: Service-Type = Framed-User
(25) eap_peap: Framed-MTU = 1488
(25) eap_peap: Called-Station-Id = "40-01-C6-D8-5C-00:AAA-Teste"
(25) eap_peap: Calling-Station-Id = "4C-57-CA-E2-E9-8D"
(25) eap_peap: NAS-Identifier = "3Com Access Point 7760"
(25) eap_peap: NAS-Port-Type = Wireless-802.11
(25) eap_peap: Connect-Info = "CONNECT 54Mbps 802.11g"
(25) eap_peap: NAS-IP-Address = 10.41.17.64
(25) eap_peap: NAS-Port = 1
(25) eap_peap: NAS-Port-Id = "STA port # 1"
(25) eap_peap: Event-Timestamp = "Mar 22 2017 14:51:08 -03"
(25) Virtual server inner-tunnel received request
(25) EAP-Message = 0x02060010013031383239353036333832
(25) FreeRADIUS-Proxied-To = 127.0.0.1
(25) User-Name = "userTest"
(25) Service-Type = Framed-User
(25) Framed-MTU = 1488
(25) Called-Station-Id = "40-01-C6-D8-5C-00:AAA-Teste"
(25) Calling-Station-Id = "4C-57-CA-E2-E9-8D"
(25) NAS-Identifier = "3Com Access Point 7760"
(25) NAS-Port-Type = Wireless-802.11
(25) Connect-Info = "CONNECT 54Mbps 802.11g"
(25) NAS-IP-Address = 10.41.17.64
(25) NAS-Port = 1
(25) NAS-Port-Id = "STA port # 1"
(25) Event-Timestamp = "Mar 22 2017 14:51:08 -03"
(25) WARNING: Outer and inner identities are the same. User privacy is
compromised.
(25) server inner-tunnel {
(25) # Executing section authorize from file
/etc/raddb/sites-enabled/inner-tunnel
(25) authorize {
(25) eap: Peer sent EAP Response (code 2) ID 6 length 16
(25) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(25) [eap] = ok
(25) } # authorize = ok
(25) Found Auth-Type = eap
(25) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(25) authenticate {
(25) eap: Peer sent packet with method EAP Identity (1)
(25) eap: Calling submodule eap_mschapv2 to process data
(25) eap_mschapv2: Issuing Challenge
(25) eap: Sending EAP Request (code 1) ID 7 length 43
(25) eap: EAP session adding &reply:State = 0xed05353eed022fbe
(25) [eap] = handled
(25) } # authenticate = handled
(25) } # server inner-tunnel
(25) Virtual server sending reply
(25) EAP-Message =
0x0107002b1a01070026109ac249a45bf691de7fc75a3feed0cb60667265657261646975732d332e302e3134
(25) Message-Authenticator = 0x00000000000000000000000000000000
(25) State = 0xed05353eed022fbe5b1d8e8a916c26a0
(25) eap_peap: Got tunneled reply code 11
(25) eap_peap: EAP-Message =
0x0107002b1a01070026109ac249a45bf691de7fc75a3feed0cb60667265657261646975732d332e302e3134
(25) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(25) eap_peap: State = 0xed05353eed022fbe5b1d8e8a916c26a0
(25) eap_peap: Got tunneled reply RADIUS code 11
(25) eap_peap: EAP-Message =
0x0107002b1a01070026109ac249a45bf691de7fc75a3feed0cb60667265657261646975732d332e302e3134
(25) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(25) eap_peap: State = 0xed05353eed022fbe5b1d8e8a916c26a0
(25) eap_peap: Got tunneled Access-Challenge
(25) eap: Sending EAP Request (code 1) ID 7 length 75
(25) eap: EAP session adding &reply:State = 0x82e4cb1b84e3d244
(25) [eap] = handled
(25) } # authenticate = handled
(25) Using Post-Auth-Type Challenge
(25) Post-Auth-Type sub-section not found. Ignoring.
(25) # Executing group from file /etc/raddb/sites-enabled/default
(25) Sent Access-Challenge Id 6 from 10.41.110.86:1812 to 10.41.17.64:1086
length 0
(25) EAP-Message =
0x0107004b190017030100400bebb44427586f4cbdcaad23463df25a067c4d45afc5e95fc61702ed797b15c868c9c4e14426bc4990166d0694dc72a2ba6e331ddf04fc1789e72561fe224c6d
(25) Message-Authenticator = 0x00000000000000000000000000000000
(25) State = 0x82e4cb1b84e3d244ae1bb12a174a7e27
(25) Finished request
Waking up in 0.9 seconds.
(26) Received Access-Request Id 7 from 10.41.17.64:1086 to 10.41.110.86:1812
length 319
(26) Message-Authenticator = 0x4840c791be0e158ada74c3f7a5b1becf
(26) Service-Type = Framed-User
(26) User-Name = "userTest"
(26) Framed-MTU = 1488
(26) State = 0x82e4cb1b84e3d244ae1bb12a174a7e27
(26) Called-Station-Id = "40-01-C6-D8-5C-00:AAA-Teste"
(26) Calling-Station-Id = "4C-57-CA-E2-E9-8D"
(26) NAS-Identifier = "3Com Access Point 7760"
(26) NAS-Port-Type = Wireless-802.11
(26) Connect-Info = "CONNECT 54Mbps 802.11g"
(26) EAP-Message =
0x0207006b190017030100601e8bbbaa319f1ffc13c3fe11332e7601429bf2a151d6c4d99d3f91e0a79b3b59bc57498e3bf95cdcf978ffd69c15bc6ad68251cc197b0acbc713895da4ea84bb9abc0de37ab3c81c6819b636dae5e12fca59c5704d52cae6fd568351fe2c06d8
(26) NAS-IP-Address = 10.41.17.64
(26) NAS-Port = 1
(26) NAS-Port-Id = "STA port # 1"
(26) session-state: No cached attributes
(26) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(26) authorize {
(26) [preprocess] = ok
(26) eap: Peer sent EAP Response (code 2) ID 7 length 107
(26) eap: Continuing tunnel setup
(26) [eap] = ok
(26) } # authorize = ok
(26) Found Auth-Type = eap
(26) # Executing group from file /etc/raddb/sites-enabled/default
(26) authenticate {
(26) eap: Expiring EAP session with state 0xfaf55ea1f2e347c8
(26) eap: Finished EAP session with state 0x82e4cb1b84e3d244
(26) eap: Previous EAP request found for state 0x82e4cb1b84e3d244, released
from the list
(26) eap: Peer sent packet with method EAP PEAP (25)
(26) eap: Calling submodule eap_peap to process data
(26) eap_peap: Continuing EAP-TLS
(26) eap_peap: [eaptls verify] = ok
(26) eap_peap: Done initial handshake
(26) eap_peap: [eaptls process] = ok
(26) eap_peap: Session established. Decoding tunneled attributes
(26) eap_peap: PEAP state phase2
(26) eap_peap: EAP method MSCHAPv2 (26)
(26) eap_peap: Got tunneled request
(26) eap_peap: EAP-Message =
0x020700461a02070041312878ab53f5a3bfc536df80a0cba47d180000000000000000613251667b283074a5abb46f3f3469403d8ba8a992319ef4003031383239353036333832
(26) eap_peap: Setting User-Name to userTest
(26) eap_peap: Sending tunneled request to inner-tunnel
(26) eap_peap: EAP-Message =
0x020700461a02070041312878ab53f5a3bfc536df80a0cba47d180000000000000000613251667b283074a5abb46f3f3469403d8ba8a992319ef4003031383239353036333832
(26) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(26) eap_peap: User-Name = "userTest"
(26) eap_peap: State = 0xed05353eed022fbe5b1d8e8a916c26a0
(26) eap_peap: Service-Type = Framed-User
(26) eap_peap: Framed-MTU = 1488
(26) eap_peap: Called-Station-Id = "40-01-C6-D8-5C-00:AAA-Teste"
(26) eap_peap: Calling-Station-Id = "4C-57-CA-E2-E9-8D"
(26) eap_peap: NAS-Identifier = "3Com Access Point 7760"
(26) eap_peap: NAS-Port-Type = Wireless-802.11
(26) eap_peap: Connect-Info = "CONNECT 54Mbps 802.11g"
(26) eap_peap: NAS-IP-Address = 10.41.17.64
(26) eap_peap: NAS-Port = 1
(26) eap_peap: NAS-Port-Id = "STA port # 1"
(26) eap_peap: Event-Timestamp = "Mar 22 2017 14:51:08 -03"
(26) Virtual server inner-tunnel received request
(26) EAP-Message =
0x020700461a02070041312878ab53f5a3bfc536df80a0cba47d180000000000000000613251667b283074a5abb46f3f3469403d8ba8a992319ef4003031383239353036333832
(26) FreeRADIUS-Proxied-To = 127.0.0.1
(26) User-Name = "userTest"
(26) State = 0xed05353eed022fbe5b1d8e8a916c26a0
(26) Service-Type = Framed-User
(26) Framed-MTU = 1488
(26) Called-Station-Id = "40-01-C6-D8-5C-00:AAA-Teste"
(26) Calling-Station-Id = "4C-57-CA-E2-E9-8D"
(26) NAS-Identifier = "3Com Access Point 7760"
(26) NAS-Port-Type = Wireless-802.11
(26) Connect-Info = "CONNECT 54Mbps 802.11g"
(26) NAS-IP-Address = 10.41.17.64
(26) NAS-Port = 1
(26) NAS-Port-Id = "STA port # 1"
(26) Event-Timestamp = "Mar 22 2017 14:51:08 -03"
(26) WARNING: Outer and inner identities are the same. User privacy is
compromised.
(26) server inner-tunnel {
(26) session-state: No cached attributes
(26) # Executing section authorize from file
/etc/raddb/sites-enabled/inner-tunnel
(26) authorize {
(26) eap: Peer sent EAP Response (code 2) ID 7 length 70
(26) eap: No EAP Start, assuming it's an on-going EAP conversation
(26) [eap] = updated
rlm_ldap (ldap): Reserved connection (4)
(26) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(26) ldap: --> (uid=userTest)
(26) ldap: Performing search in "ou=people,dc=test,dc=br" with filter
"(uid=userTest)", scope "sub"
(26) ldap: Waiting for search result...
(26) ldap: User object found at DN "uid=userTest,ou=people,dc=test,dc=br"
(26) ldap: Processing user attributes
(26) ldap: control:NT-Password :=
0x3145333941394139324632423038413045363942344435414441374535333332
rlm_ldap (ldap): Released connection (4)
Need 1 more connections to reach 10 spares
rlm_ldap (ldap): Opening additional connection (9), 1 of 23 pending slots
used
rlm_ldap (ldap): Connecting to ldap://10.0.0.2:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(26) [ldap] = updated
(26) [expiration] = noop
(26) [logintime] = noop
(26) pap: Normalizing NT-Password from hex encoding, 32 bytes -> 16 bytes
(26) pap: WARNING: Auth-Type already set. Not setting to PAP
(26) [pap] = noop
(26) } # authorize = updated
(26) Found Auth-Type = eap
(26) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(26) authenticate {
(26) eap: Expiring EAP session with state 0xfaf55ea1f2e347c8
(26) eap: Finished EAP session with state 0xed05353eed022fbe
(26) eap: Previous EAP request found for state 0xed05353eed022fbe, released
from the list
(26) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(26) eap: Calling submodule eap_mschapv2 to process data
(26) eap_mschapv2: # Executing group from file
/etc/raddb/sites-enabled/inner-tunnel
(26) eap_mschapv2: authenticate {
(26) mschap: Found NT-Password
(26) mschap: Creating challenge hash with username: userTest
(26) mschap: Client is using MS-CHAPv2
(26) mschap: Adding MS-CHAPv2 MPPE keys
(26) [mschap] = ok
(26) } # authenticate = ok
(26) MSCHAP Success
(26) eap: Sending EAP Request (code 1) ID 8 length 51
(26) eap: EAP session adding &reply:State = 0xed05353eec0d2fbe
(26) [eap] = handled
(26) } # authenticate = handled
(26) } # server inner-tunnel
(26) Virtual server sending reply
(26) EAP-Message =
0x010800331a0307002e533d38314538303844334446353432374642333142393841314444463533333238304435363930443534
(26) Message-Authenticator = 0x00000000000000000000000000000000
(26) State = 0xed05353eec0d2fbe5b1d8e8a916c26a0
(26) eap_peap: Got tunneled reply code 11
(26) eap_peap: EAP-Message =
0x010800331a0307002e533d38314538303844334446353432374642333142393841314444463533333238304435363930443534
(26) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(26) eap_peap: State = 0xed05353eec0d2fbe5b1d8e8a916c26a0
(26) eap_peap: Got tunneled reply RADIUS code 11
(26) eap_peap: EAP-Message =
0x010800331a0307002e533d38314538303844334446353432374642333142393841314444463533333238304435363930443534
(26) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(26) eap_peap: State = 0xed05353eec0d2fbe5b1d8e8a916c26a0
(26) eap_peap: Got tunneled Access-Challenge
(26) eap: Sending EAP Request (code 1) ID 8 length 91
(26) eap: EAP session adding &reply:State = 0x82e4cb1b85ecd244
(26) [eap] = handled
(26) } # authenticate = handled
(26) Using Post-Auth-Type Challenge
(26) Post-Auth-Type sub-section not found. Ignoring.
(26) # Executing group from file /etc/raddb/sites-enabled/default
(26) Sent Access-Challenge Id 7 from 10.41.110.86:1812 to 10.41.17.64:1086
length 0
(26) EAP-Message =
0x0108005b19001703010050bf2b1c25d323d4882835f598fcfe8da6173e706e4c1d66b36965789bb836b404e89b5b21fa01ea32c48497cc0de0c17c7d2e5197be5bb9e75fec85fc9d6dce20211bc026bc74a7724da41853c158244e
(26) Message-Authenticator = 0x00000000000000000000000000000000
(26) State = 0x82e4cb1b85ecd244ae1bb12a174a7e27
(26) Finished request
(17) Cleaning up request packet ID 20 with timestamp +10
Waking up in 1.8 seconds.
(27) Received Access-Request Id 8 from 10.41.17.64:1086 to 10.41.110.86:1812
length 255
(27) Message-Authenticator = 0xfa367a6fa8cf063157e227ebc3a6dc7c
(27) Service-Type = Framed-User
(27) User-Name = "userTest"
(27) Framed-MTU = 1488
(27) State = 0x82e4cb1b85ecd244ae1bb12a174a7e27
(27) Called-Station-Id = "40-01-C6-D8-5C-00:AAA-Teste"
(27) Calling-Station-Id = "4C-57-CA-E2-E9-8D"
(27) NAS-Identifier = "3Com Access Point 7760"
(27) NAS-Port-Type = Wireless-802.11
(27) Connect-Info = "CONNECT 54Mbps 802.11g"
(27) EAP-Message =
0x0208002b19001703010020051c0ad98ab4c77d2d4580c0e7e07c4055a8762345473a564dab19aafc402cb1
(27) NAS-IP-Address = 10.41.17.64
(27) NAS-Port = 1
(27) NAS-Port-Id = "STA port # 1"
(27) session-state: No cached attributes
(27) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(27) authorize {
(27) [preprocess] = ok
(27) eap: Peer sent EAP Response (code 2) ID 8 length 43
(27) eap: Continuing tunnel setup
(27) [eap] = ok
(27) } # authorize = ok
(27) Found Auth-Type = eap
(27) # Executing group from file /etc/raddb/sites-enabled/default
(27) authenticate {
(27) eap: Expiring EAP session with state 0xfaf55ea1f2e347c8
(27) eap: Finished EAP session with state 0x82e4cb1b85ecd244
(27) eap: Previous EAP request found for state 0x82e4cb1b85ecd244, released
from the list
(27) eap: Peer sent packet with method EAP PEAP (25)
(27) eap: Calling submodule eap_peap to process data
(27) eap_peap: Continuing EAP-TLS
(27) eap_peap: [eaptls verify] = ok
(27) eap_peap: Done initial handshake
(27) eap_peap: [eaptls process] = ok
(27) eap_peap: Session established. Decoding tunneled attributes
(27) eap_peap: PEAP state phase2
(27) eap_peap: EAP method MSCHAPv2 (26)
(27) eap_peap: Got tunneled request
(27) eap_peap: EAP-Message = 0x020800061a03
(27) eap_peap: Setting User-Name to userTest
(27) eap_peap: Sending tunneled request to inner-tunnel
(27) eap_peap: EAP-Message = 0x020800061a03
(27) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(27) eap_peap: User-Name = "userTest"
(27) eap_peap: State = 0xed05353eec0d2fbe5b1d8e8a916c26a0
(27) eap_peap: Service-Type = Framed-User
(27) eap_peap: Framed-MTU = 1488
(27) eap_peap: Called-Station-Id = "40-01-C6-D8-5C-00:AAA-Teste"
(27) eap_peap: Calling-Station-Id = "4C-57-CA-E2-E9-8D"
(27) eap_peap: NAS-Identifier = "3Com Access Point 7760"
(27) eap_peap: NAS-Port-Type = Wireless-802.11
(27) eap_peap: Connect-Info = "CONNECT 54Mbps 802.11g"
(27) eap_peap: NAS-IP-Address = 10.41.17.64
(27) eap_peap: NAS-Port = 1
(27) eap_peap: NAS-Port-Id = "STA port # 1"
(27) eap_peap: Event-Timestamp = "Mar 22 2017 14:51:12 -03"
(27) Virtual server inner-tunnel received request
(27) EAP-Message = 0x020800061a03
(27) FreeRADIUS-Proxied-To = 127.0.0.1
(27) User-Name = "userTest"
(27) State = 0xed05353eec0d2fbe5b1d8e8a916c26a0
(27) Service-Type = Framed-User
(27) Framed-MTU = 1488
(27) Called-Station-Id = "40-01-C6-D8-5C-00:AAA-Teste"
(27) Calling-Station-Id = "4C-57-CA-E2-E9-8D"
(27) NAS-Identifier = "3Com Access Point 7760"
(27) NAS-Port-Type = Wireless-802.11
(27) Connect-Info = "CONNECT 54Mbps 802.11g"
(27) NAS-IP-Address = 10.41.17.64
(27) NAS-Port = 1
(27) NAS-Port-Id = "STA port # 1"
(27) Event-Timestamp = "Mar 22 2017 14:51:12 -03"
(27) WARNING: Outer and inner identities are the same. User privacy is
compromised.
(27) server inner-tunnel {
(27) session-state: No cached attributes
(27) # Executing section authorize from file
/etc/raddb/sites-enabled/inner-tunnel
(27) authorize {
(27) eap: Peer sent EAP Response (code 2) ID 8 length 6
(27) eap: No EAP Start, assuming it's an on-going EAP conversation
(27) [eap] = updated
rlm_ldap (ldap): Reserved connection (0)
(27) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(27) ldap: --> (uid=userTest)
(27) ldap: Performing search in "ou=people,dc=test,dc=br" with filter
"(uid=userTest)", scope "sub"
(27) ldap: Waiting for search result...
(27) ldap: User object found at DN "uid=userTest,ou=people,dc=test,dc=br"
(27) ldap: Processing user attributes
(27) ldap: control:NT-Password :=
0x3145333941394139324632423038413045363942344435414441374535333332
rlm_ldap (ldap): Released connection (0)
(27) [ldap] = updated
(27) [expiration] = noop
(27) [logintime] = noop
(27) pap: Normalizing NT-Password from hex encoding, 32 bytes -> 16 bytes
(27) pap: WARNING: Auth-Type already set. Not setting to PAP
(27) [pap] = noop
(27) } # authorize = updated
(27) Found Auth-Type = eap
(27) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(27) authenticate {
(27) eap: Expiring EAP session with state 0xfaf55ea1f2e347c8
(27) eap: Finished EAP session with state 0xed05353eec0d2fbe
(27) eap: Previous EAP request found for state 0xed05353eec0d2fbe, released
from the list
(27) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(27) eap: Calling submodule eap_mschapv2 to process data
(27) eap: Sending EAP Success (code 3) ID 8 length 4
(27) eap: Freeing handler
(27) [eap] = ok
(27) } # authenticate = ok
(27) # Executing section post-auth from file
/etc/raddb/sites-enabled/inner-tunnel
(27) post-auth { ... } # empty sub-section is ignored
(27) } # server inner-tunnel
(27) Virtual server sending reply
(27) MS-MPPE-Encryption-Policy = Encryption-Allowed
(27) MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(27) MS-MPPE-Send-Key = 0x9753abfe82235c4216a0c1a4a959646f
(27) MS-MPPE-Recv-Key = 0x757fbfa227358f8e820817a60ccf472c
(27) EAP-Message = 0x03080004
(27) Message-Authenticator = 0x00000000000000000000000000000000
(27) User-Name = "userTest"
(27) eap_peap: Got tunneled reply code 2
(27) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed
(27) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(27) eap_peap: MS-MPPE-Send-Key = 0x9753abfe82235c4216a0c1a4a959646f
(27) eap_peap: MS-MPPE-Recv-Key = 0x757fbfa227358f8e820817a60ccf472c
(27) eap_peap: EAP-Message = 0x03080004
(27) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(27) eap_peap: User-Name = "userTest"
(27) eap_peap: Got tunneled reply RADIUS code 2
(27) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed
(27) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(27) eap_peap: MS-MPPE-Send-Key = 0x9753abfe82235c4216a0c1a4a959646f
(27) eap_peap: MS-MPPE-Recv-Key = 0x757fbfa227358f8e820817a60ccf472c
(27) eap_peap: EAP-Message = 0x03080004
(27) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(27) eap_peap: User-Name = "userTest"
(27) eap_peap: Tunneled authentication was successful
(27) eap_peap: SUCCESS
(27) eap_peap: Saving tunneled attributes for later
(27) eap: Sending EAP Request (code 1) ID 9 length 43
(27) eap: EAP session adding &reply:State = 0x82e4cb1b8aedd244
(27) [eap] = handled
(27) } # authenticate = handled
(27) Using Post-Auth-Type Challenge
(27) Post-Auth-Type sub-section not found. Ignoring.
(27) # Executing group from file /etc/raddb/sites-enabled/default
(27) Sent Access-Challenge Id 8 from 10.41.110.86:1812 to 10.41.17.64:1086
length 0
(27) EAP-Message =
0x0109002b190017030100207a38b4c9aef9e5676a7616149de4a7c75be717b173d6106d60fe592bedcf7088
(27) Message-Authenticator = 0x00000000000000000000000000000000
(27) State = 0x82e4cb1b8aedd244ae1bb12a174a7e27
(27) Finished request
(19) Cleaning up request packet ID 0 with timestamp +22
(20) Cleaning up request packet ID 1 with timestamp +22
(21) Cleaning up request packet ID 2 with timestamp +22
(22) Cleaning up request packet ID 3 with timestamp +22
(23) Cleaning up request packet ID 4 with timestamp +22
(24) Cleaning up request packet ID 5 with timestamp +22
(25) Cleaning up request packet ID 6 with timestamp +22
Waking up in 4.9 seconds.
(27) Cleaning up request packet ID 8 with timestamp +26
Waking up in 1.8 seconds.
(26) Cleaning up request packet ID 7 with timestamp +22
Ready to process requests
=================================
IPHONE CAN CONNECT TO THE WIFI NETWORK
OBS: I ran again "radiusd -X" to clear and understand where is the first
request, but Iphone can connect everytime when I rebooted it.
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on proxy address * port 44713
Listening on proxy address :: port 42886
Ready to process requests
(0) Received Access-Request Id 0 from 10.41.17.64:1090 to 10.41.110.86:1812
length 210
(0) Message-Authenticator = 0xdcad4806f8bc8cf27df0bfcbcabb5c3f
(0) Service-Type = Framed-User
(0) User-Name = "userTest"
(0) Framed-MTU = 1488
(0) Called-Station-Id = "40-01-C6-D8-5C-00:AAA-Teste"
(0) Calling-Station-Id = "4C-57-CA-E2-E9-8D"
(0) NAS-Identifier = "3Com Access Point 7760"
(0) NAS-Port-Type = Wireless-802.11
(0) Connect-Info = "CONNECT 54Mbps 802.11g"
(0) EAP-Message = 0x02000010013031383239353036333832
(0) NAS-IP-Address = 10.41.17.64
(0) NAS-Port = 1
(0) NAS-Port-Id = "STA port # 1"
(0) # Executing section authorize from file /etc/raddb/sites-enabled/default
(0) authorize {
(0) [preprocess] = ok
(0) eap: Peer sent EAP Response (code 2) ID 0 length 16
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(0) [eap] = ok
(0) } # authorize = ok
(0) Found Auth-Type = eap
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0) authenticate {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_peap to process data
(0) eap_peap: Initiating new EAP-TLS session
(0) eap_peap: Flushing SSL sessions (of #0)
(0) eap_peap: [eaptls start] = request
(0) eap: Sending EAP Request (code 1) ID 1 length 6
(0) eap: EAP session adding &reply:State = 0x4f424a324f4353ce
(0) [eap] = handled
(0) } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) Post-Auth-Type sub-section not found. Ignoring.
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0) Sent Access-Challenge Id 0 from 10.41.110.86:1812 to 10.41.17.64:1090
length 0
(0) EAP-Message = 0x010100061920
(0) Message-Authenticator = 0x00000000000000000000000000000000
(0) State = 0x4f424a324f4353ce43a0ba7c4354ed56
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 1 from 10.41.17.64:1090 to 10.41.110.86:1812
length 339
(1) Message-Authenticator = 0xdea1c2b48107147dddcaaddb6be770f0
(1) Service-Type = Framed-User
(1) User-Name = "userTest"
(1) Framed-MTU = 1488
(1) State = 0x4f424a324f4353ce43a0ba7c4354ed56
(1) Called-Station-Id = "40-01-C6-D8-5C-00:AAA-Teste"
(1) Calling-Station-Id = "4C-57-CA-E2-E9-8D"
(1) NAS-Identifier = "3Com Access Point 7760"
(1) NAS-Port-Type = Wireless-802.11
(1) Connect-Info = "CONNECT 54Mbps 802.11g"
(1) EAP-Message =
0x0201007f19800000007516030100700100006c030158d2baf622703ad19984e484f38f9c0ff088678cca0370b25a5e56693df17d4a00002000ffc024c023c00ac009c008c028c027c014c013c012003d003c0035002f000a01000023000a00080006001700180019000b00020100000500050100000000
(1) NAS-IP-Address = 10.41.17.64
(1) NAS-Port = 1
(1) NAS-Port-Id = "STA port # 1"
(1) session-state: No cached attributes
(1) # Executing section authorize from file /etc/raddb/sites-enabled/default
(1) authorize {
(1) [preprocess] = ok
(1) eap: Peer sent EAP Response (code 2) ID 1 length 127
(1) eap: Continuing tunnel setup
(1) [eap] = ok
(1) } # authorize = ok
(1) Found Auth-Type = eap
(1) # Executing group from file /etc/raddb/sites-enabled/default
(1) authenticate {
(1) eap: Expiring EAP session with state 0x4f424a324f4353ce
(1) eap: Finished EAP session with state 0x4f424a324f4353ce
(1) eap: Previous EAP request found for state 0x4f424a324f4353ce, released
from the list
(1) eap: Peer sent packet with method EAP PEAP (25)
(1) eap: Calling submodule eap_peap to process data
(1) eap_peap: Continuing EAP-TLS
(1) eap_peap: Peer indicated complete TLS record size will be 117 bytes
(1) eap_peap: Got complete TLS record (117 bytes)
(1) eap_peap: [eaptls verify] = length included
(1) eap_peap: (other): before SSL initialization
(1) eap_peap: TLS_accept: before SSL initialization
(1) eap_peap: TLS_accept: before SSL initialization
(1) eap_peap: <<< recv TLS 1.2 [length 0070]
(1) eap_peap: TLS_accept: SSLv3/TLS read client hello
(1) eap_peap: >>> send TLS 1.0 Handshake [length 005d], ServerHello
(1) eap_peap: TLS_accept: SSLv3/TLS write server hello
(1) eap_peap: >>> send TLS 1.0 Handshake [length 08d3], Certificate
(1) eap_peap: TLS_accept: SSLv3/TLS write certificate
(1) eap_peap: >>> send TLS 1.0 Handshake [length 014b], ServerKeyExchange
(1) eap_peap: TLS_accept: SSLv3/TLS write key exchange
(1) eap_peap: >>> send TLS 1.0 Handshake [length 0004], ServerHelloDone
(1) eap_peap: TLS_accept: SSLv3/TLS write server done
(1) eap_peap: TLS_accept: Need to read more data: SSLv3/TLS write server
done
(1) eap_peap: In SSL Handshake Phase
(1) eap_peap: In SSL Accept mode
(1) eap_peap: [eaptls process] = handled
(1) eap: Sending EAP Request (code 1) ID 2 length 1004
(1) eap: EAP session adding &reply:State = 0x4f424a324e4053ce
(1) [eap] = handled
(1) } # authenticate = handled
(1) Using Post-Auth-Type Challenge
(1) Post-Auth-Type sub-section not found. Ignoring.
(1) # Executing group from file /etc/raddb/sites-enabled/default
(1) Sent Access-Challenge Id 1 from 10.41.110.86:1812 to 10.41.17.64:1090
length 0
(1) EAP-Message =
0x010203ec19c000000a93160301005d020000590301a36dd518f829f99eb9d0363fe456ae7cb1723abe53d9b74ce635ba187578a6122069bc2cddecdc894b088e0f0e198964b4b15264826ce476af949a2aeabbc4a531c014000011ff01000100000b0004030001020017000016030108d30b0008cf0008
(1) Message-Authenticator = 0x00000000000000000000000000000000
(1) State = 0x4f424a324e4053ce43a0ba7c4354ed56
(1) Finished request
Waking up in 4.9 seconds.
(2) Received Access-Request Id 2 from 10.41.17.64:1090 to 10.41.110.86:1812
length 218
(2) Message-Authenticator = 0x708523ad3b241d8cb3cd6109c2210206
(2) Service-Type = Framed-User
(2) User-Name = "userTest"
(2) Framed-MTU = 1488
(2) State = 0x4f424a324e4053ce43a0ba7c4354ed56
(2) Called-Station-Id = "40-01-C6-D8-5C-00:AAA-Teste"
(2) Calling-Station-Id = "4C-57-CA-E2-E9-8D"
(2) NAS-Identifier = "3Com Access Point 7760"
(2) NAS-Port-Type = Wireless-802.11
(2) Connect-Info = "CONNECT 54Mbps 802.11g"
(2) EAP-Message = 0x020200061900
(2) NAS-IP-Address = 10.41.17.64
(2) NAS-Port = 1
(2) NAS-Port-Id = "STA port # 1"
(2) session-state: No cached attributes
(2) # Executing section authorize from file /etc/raddb/sites-enabled/default
(2) authorize {
(2) [preprocess] = ok
(2) eap: Peer sent EAP Response (code 2) ID 2 length 6
(2) eap: Continuing tunnel setup
(2) [eap] = ok
(2) } # authorize = ok
(2) Found Auth-Type = eap
(2) # Executing group from file /etc/raddb/sites-enabled/default
(2) authenticate {
(2) eap: Expiring EAP session with state 0x4f424a324e4053ce
(2) eap: Finished EAP session with state 0x4f424a324e4053ce
(2) eap: Previous EAP request found for state 0x4f424a324e4053ce, released
from the list
(2) eap: Peer sent packet with method EAP PEAP (25)
(2) eap: Calling submodule eap_peap to process data
(2) eap_peap: Continuing EAP-TLS
(2) eap_peap: Peer ACKed our handshake fragment
(2) eap_peap: [eaptls verify] = request
(2) eap_peap: [eaptls process] = handled
(2) eap: Sending EAP Request (code 1) ID 3 length 1000
(2) eap: EAP session adding &reply:State = 0x4f424a324d4153ce
(2) [eap] = handled
(2) } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) Post-Auth-Type sub-section not found. Ignoring.
(2) # Executing group from file /etc/raddb/sites-enabled/default
(2) Sent Access-Challenge Id 2 from 10.41.110.86:1812 to 10.41.17.64:1090
length 0
(2) EAP-Message =
0x010303e81940b2c16fe1b0d484179f9cdaaba928edbe85ea947176542ea9646d2f16b8803f26bf43aa9d60ff2c5d4d9ec84c4c511d64d81b360765cd88159cbe3831e7f63102d7e95becbf76520288a093eefd7080eb3f1c6936e347b508b9916d3e4e10615ad52b4601565fedd7e976bdf1ec0004e830
(2) Message-Authenticator = 0x00000000000000000000000000000000
(2) State = 0x4f424a324d4153ce43a0ba7c4354ed56
(2) Finished request
Waking up in 4.9 seconds.
(3) Received Access-Request Id 3 from 10.41.17.64:1090 to 10.41.110.86:1812
length 218
(3) Message-Authenticator = 0x694b1490f6e3cd21dfc9199ca65ad6bb
(3) Service-Type = Framed-User
(3) User-Name = "userTest"
(3) Framed-MTU = 1488
(3) State = 0x4f424a324d4153ce43a0ba7c4354ed56
(3) Called-Station-Id = "40-01-C6-D8-5C-00:AAA-Teste"
(3) Calling-Station-Id = "4C-57-CA-E2-E9-8D"
(3) NAS-Identifier = "3Com Access Point 7760"
(3) NAS-Port-Type = Wireless-802.11
(3) Connect-Info = "CONNECT 54Mbps 802.11g"
(3) EAP-Message = 0x020300061900
(3) NAS-IP-Address = 10.41.17.64
(3) NAS-Port = 1
(3) NAS-Port-Id = "STA port # 1"
(3) session-state: No cached attributes
(3) # Executing section authorize from file /etc/raddb/sites-enabled/default
(3) authorize {
(3) [preprocess] = ok
(3) eap: Peer sent EAP Response (code 2) ID 3 length 6
(3) eap: Continuing tunnel setup
(3) [eap] = ok
(3) } # authorize = ok
(3) Found Auth-Type = eap
(3) # Executing group from file /etc/raddb/sites-enabled/default
(3) authenticate {
(3) eap: Expiring EAP session with state 0x4f424a324d4153ce
(3) eap: Finished EAP session with state 0x4f424a324d4153ce
(3) eap: Previous EAP request found for state 0x4f424a324d4153ce, released
from the list
(3) eap: Peer sent packet with method EAP PEAP (25)
(3) eap: Calling submodule eap_peap to process data
(3) eap_peap: Continuing EAP-TLS
(3) eap_peap: Peer ACKed our handshake fragment
(3) eap_peap: [eaptls verify] = request
(3) eap_peap: [eaptls process] = handled
(3) eap: Sending EAP Request (code 1) ID 4 length 725
(3) eap: EAP session adding &reply:State = 0x4f424a324c4653ce
(3) [eap] = handled
(3) } # authenticate = handled
(3) Using Post-Auth-Type Challenge
(3) Post-Auth-Type sub-section not found. Ignoring.
(3) # Executing group from file /etc/raddb/sites-enabled/default
(3) Sent Access-Challenge Id 3 from 10.41.110.86:1812 to 10.41.17.64:1090
length 0
(3) EAP-Message =
0x010402d519006361746520417574686f72697479820900f29e29fc64450db1300f0603551d130101ff040530030101ff30360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e6f72672f6578616d706c655f63612e63726c300d06092a864886f70d01010b0500
(3) Message-Authenticator = 0x00000000000000000000000000000000
(3) State = 0x4f424a324c4653ce43a0ba7c4354ed56
(3) Finished request
Waking up in 4.8 seconds.
(4) Received Access-Request Id 4 from 10.41.17.64:1090 to 10.41.110.86:1812
length 356
(4) Message-Authenticator = 0x78b058e28b654994f016c8e6d6856262
(4) Service-Type = Framed-User
(4) User-Name = "userTest"
(4) Framed-MTU = 1488
(4) State = 0x4f424a324c4653ce43a0ba7c4354ed56
(4) Called-Station-Id = "40-01-C6-D8-5C-00:AAA-Teste"
(4) Calling-Station-Id = "4C-57-CA-E2-E9-8D"
(4) NAS-Identifier = "3Com Access Point 7760"
(4) NAS-Port-Type = Wireless-802.11
(4) Connect-Info = "CONNECT 54Mbps 802.11g"
(4) EAP-Message =
0x020400901980000000861603010046100000424104343bd0b5232f0b5e71d7c23886a9010adf7356a99fd44cc2cd7f07bf38ff2cc3c22b73845842ed44f3b0a7537745ab07ff8a5adf41d4580e95f2c49e45d7fdf5140301000101160301003094eb3ac531aaff7dc61a1544092a6491d5bd260cea28aa
(4) NAS-IP-Address = 10.41.17.64
(4) NAS-Port = 1
(4) NAS-Port-Id = "STA port # 1"
(4) session-state: No cached attributes
(4) # Executing section authorize from file /etc/raddb/sites-enabled/default
(4) authorize {
(4) [preprocess] = ok
(4) eap: Peer sent EAP Response (code 2) ID 4 length 144
(4) eap: Continuing tunnel setup
(4) [eap] = ok
(4) } # authorize = ok
(4) Found Auth-Type = eap
(4) # Executing group from file /etc/raddb/sites-enabled/default
(4) authenticate {
(4) eap: Expiring EAP session with state 0x4f424a324c4653ce
(4) eap: Finished EAP session with state 0x4f424a324c4653ce
(4) eap: Previous EAP request found for state 0x4f424a324c4653ce, released
from the list
(4) eap: Peer sent packet with method EAP PEAP (25)
(4) eap: Calling submodule eap_peap to process data
(4) eap_peap: Continuing EAP-TLS
(4) eap_peap: Peer indicated complete TLS record size will be 134 bytes
(4) eap_peap: Got complete TLS record (134 bytes)
(4) eap_peap: [eaptls verify] = length included
(4) eap_peap: TLS_accept: SSLv3/TLS write server done
(4) eap_peap: <<< recv TLS 1.0 Handshake [length 0046], ClientKeyExchange
(4) eap_peap: TLS_accept: SSLv3/TLS read client key exchange
(4) eap_peap: TLS_accept: SSLv3/TLS read change cipher spec
(4) eap_peap: <<< recv TLS 1.0 Handshake [length 0010], Finished
(4) eap_peap: TLS_accept: SSLv3/TLS read finished
(4) eap_peap: >>> send TLS 1.0 ChangeCipherSpec [length 0001]
(4) eap_peap: TLS_accept: SSLv3/TLS write change cipher spec
(4) eap_peap: >>> send TLS 1.0 Handshake [length 0010], Finished
(4) eap_peap: TLS_accept: SSLv3/TLS write finished
(4) eap_peap: (other): SSL negotiation finished successfully
(4) eap_peap: SSL Connection Established
(4) eap_peap: [eaptls process] = handled
(4) eap: Sending EAP Request (code 1) ID 5 length 65
(4) eap: EAP session adding &reply:State = 0x4f424a324b4753ce
(4) [eap] = handled
(4) } # authenticate = handled
(4) Using Post-Auth-Type Challenge
(4) Post-Auth-Type sub-section not found. Ignoring.
(4) # Executing group from file /etc/raddb/sites-enabled/default
(4) Sent Access-Challenge Id 4 from 10.41.110.86:1812 to 10.41.17.64:1090
length 0
(4) EAP-Message =
0x01050041190014030100010116030100305ebd2608873fda32398dd285b4a181b94f12bc58d9f201e22d6dbdb53d406a52ca38c60ba0c717896b1a8901ef563f22
(4) Message-Authenticator = 0x00000000000000000000000000000000
(4) State = 0x4f424a324b4753ce43a0ba7c4354ed56
(4) Finished request
Waking up in 4.8 seconds.
(5) Received Access-Request Id 5 from 10.41.17.64:1090 to 10.41.110.86:1812
length 218
(5) Message-Authenticator = 0x5db7e290140e326df8eab08383d2e765
(5) Service-Type = Framed-User
(5) User-Name = "userTest"
(5) Framed-MTU = 1488
(5) State = 0x4f424a324b4753ce43a0ba7c4354ed56
(5) Called-Station-Id = "40-01-C6-D8-5C-00:AAA-Teste"
(5) Calling-Station-Id = "4C-57-CA-E2-E9-8D"
(5) NAS-Identifier = "3Com Access Point 7760"
(5) NAS-Port-Type = Wireless-802.11
(5) Connect-Info = "CONNECT 54Mbps 802.11g"
(5) EAP-Message = 0x020500061900
(5) NAS-IP-Address = 10.41.17.64
(5) NAS-Port = 1
(5) NAS-Port-Id = "STA port # 1"
(5) session-state: No cached attributes
(5) # Executing section authorize from file /etc/raddb/sites-enabled/default
(5) authorize {
(5) [preprocess] = ok
(5) eap: Peer sent EAP Response (code 2) ID 5 length 6
(5) eap: Continuing tunnel setup
(5) [eap] = ok
(5) } # authorize = ok
(5) Found Auth-Type = eap
(5) # Executing group from file /etc/raddb/sites-enabled/default
(5) authenticate {
(5) eap: Expiring EAP session with state 0x4f424a324b4753ce
(5) eap: Finished EAP session with state 0x4f424a324b4753ce
(5) eap: Previous EAP request found for state 0x4f424a324b4753ce, released
from the list
(5) eap: Peer sent packet with method EAP PEAP (25)
(5) eap: Calling submodule eap_peap to process data
(5) eap_peap: Continuing EAP-TLS
(5) eap_peap: Peer ACKed our handshake fragment. handshake is finished
(5) eap_peap: [eaptls verify] = success
(5) eap_peap: [eaptls process] = success
(5) eap_peap: Session established. Decoding tunneled attributes
(5) eap_peap: PEAP state TUNNEL ESTABLISHED
(5) eap: Sending EAP Request (code 1) ID 6 length 43
(5) eap: EAP session adding &reply:State = 0x4f424a324a4453ce
(5) [eap] = handled
(5) } # authenticate = handled
(5) Using Post-Auth-Type Challenge
(5) Post-Auth-Type sub-section not found. Ignoring.
(5) # Executing group from file /etc/raddb/sites-enabled/default
(5) Sent Access-Challenge Id 5 from 10.41.110.86:1812 to 10.41.17.64:1090
length 0
(5) EAP-Message =
0x0106002b190017030100204fbeb67ecdd80f0d14c8533df8a2921cf85689339ba802443fbb7b4143c6e638
(5) Message-Authenticator = 0x00000000000000000000000000000000
(5) State = 0x4f424a324a4453ce43a0ba7c4354ed56
(5) Finished request
Waking up in 4.8 seconds.
(6) Received Access-Request Id 6 from 10.41.17.64:1090 to 10.41.110.86:1812
length 271
(6) Message-Authenticator = 0xe7b6266a72b2b6fc9b8f7c67f8405d94
(6) Service-Type = Framed-User
(6) User-Name = "userTest"
(6) Framed-MTU = 1488
(6) State = 0x4f424a324a4453ce43a0ba7c4354ed56
(6) Called-Station-Id = "40-01-C6-D8-5C-00:AAA-Teste"
(6) Calling-Station-Id = "4C-57-CA-E2-E9-8D"
(6) NAS-Identifier = "3Com Access Point 7760"
(6) NAS-Port-Type = Wireless-802.11
(6) Connect-Info = "CONNECT 54Mbps 802.11g"
(6) EAP-Message =
0x0206003b19001703010030b1075bb4e12c13ae0e337bfca6841195aa45827fac9d354863e7706d5e066c1de365265b054e4374f86d3cd8ad7f0a14
(6) NAS-IP-Address = 10.41.17.64
(6) NAS-Port = 1
(6) NAS-Port-Id = "STA port # 1"
(6) session-state: No cached attributes
(6) # Executing section authorize from file /etc/raddb/sites-enabled/default
(6) authorize {
(6) [preprocess] = ok
(6) eap: Peer sent EAP Response (code 2) ID 6 length 59
(6) eap: Continuing tunnel setup
(6) [eap] = ok
(6) } # authorize = ok
(6) Found Auth-Type = eap
(6) # Executing group from file /etc/raddb/sites-enabled/default
(6) authenticate {
(6) eap: Expiring EAP session with state 0x4f424a324a4453ce
(6) eap: Finished EAP session with state 0x4f424a324a4453ce
(6) eap: Previous EAP request found for state 0x4f424a324a4453ce, released
from the list
(6) eap: Peer sent packet with method EAP PEAP (25)
(6) eap: Calling submodule eap_peap to process data
(6) eap_peap: Continuing EAP-TLS
(6) eap_peap: [eaptls verify] = ok
(6) eap_peap: Done initial handshake
(6) eap_peap: [eaptls process] = ok
(6) eap_peap: Session established. Decoding tunneled attributes
(6) eap_peap: PEAP state WAITING FOR INNER IDENTITY
(6) eap_peap: Identity - userTest
(6) eap_peap: Got inner identity 'userTest'
(6) eap_peap: Setting default EAP type for tunneled EAP session
(6) eap_peap: Got tunneled request
(6) eap_peap: EAP-Message = 0x02060010013031383239353036333832
(6) eap_peap: Setting User-Name to userTest
(6) eap_peap: Sending tunneled request to inner-tunnel
(6) eap_peap: EAP-Message = 0x02060010013031383239353036333832
(6) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(6) eap_peap: User-Name = "userTest"
(6) eap_peap: Service-Type = Framed-User
(6) eap_peap: Framed-MTU = 1488
(6) eap_peap: Called-Station-Id = "40-01-C6-D8-5C-00:AAA-Teste"
(6) eap_peap: Calling-Station-Id = "4C-57-CA-E2-E9-8D"
(6) eap_peap: NAS-Identifier = "3Com Access Point 7760"
(6) eap_peap: NAS-Port-Type = Wireless-802.11
(6) eap_peap: Connect-Info = "CONNECT 54Mbps 802.11g"
(6) eap_peap: NAS-IP-Address = 10.41.17.64
(6) eap_peap: NAS-Port = 1
(6) eap_peap: NAS-Port-Id = "STA port # 1"
(6) eap_peap: Event-Timestamp = "Mar 22 2017 14:57:02 -03"
(6) Virtual server inner-tunnel received request
(6) EAP-Message = 0x02060010013031383239353036333832
(6) FreeRADIUS-Proxied-To = 127.0.0.1
(6) User-Name = "userTest"
(6) Service-Type = Framed-User
(6) Framed-MTU = 1488
(6) Called-Station-Id = "40-01-C6-D8-5C-00:AAA-Teste"
(6) Calling-Station-Id = "4C-57-CA-E2-E9-8D"
(6) NAS-Identifier = "3Com Access Point 7760"
(6) NAS-Port-Type = Wireless-802.11
(6) Connect-Info = "CONNECT 54Mbps 802.11g"
(6) NAS-IP-Address = 10.41.17.64
(6) NAS-Port = 1
(6) NAS-Port-Id = "STA port # 1"
(6) Event-Timestamp = "Mar 22 2017 14:57:02 -03"
(6) WARNING: Outer and inner identities are the same. User privacy is
compromised.
(6) server inner-tunnel {
(6) # Executing section authorize from file
/etc/raddb/sites-enabled/inner-tunnel
(6) authorize {
(6) eap: Peer sent EAP Response (code 2) ID 6 length 16
(6) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(6) [eap] = ok
(6) } # authorize = ok
(6) Found Auth-Type = eap
(6) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(6) authenticate {
(6) eap: Peer sent packet with method EAP Identity (1)
(6) eap: Calling submodule eap_mschapv2 to process data
(6) eap_mschapv2: Issuing Challenge
(6) eap: Sending EAP Request (code 1) ID 7 length 43
(6) eap: EAP session adding &reply:State = 0xf3cd2f37f3ca35ba
(6) [eap] = handled
(6) } # authenticate = handled
(6) } # server inner-tunnel
(6) Virtual server sending reply
(6) EAP-Message =
0x0107002b1a010700261067d8cf1d5c0b22de6dca819f0ed63a21667265657261646975732d332e302e3134
(6) Message-Authenticator = 0x00000000000000000000000000000000
(6) State = 0xf3cd2f37f3ca35bae612626d1b2654f3
(6) eap_peap: Got tunneled reply code 11
(6) eap_peap: EAP-Message =
0x0107002b1a010700261067d8cf1d5c0b22de6dca819f0ed63a21667265657261646975732d332e302e3134
(6) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(6) eap_peap: State = 0xf3cd2f37f3ca35bae612626d1b2654f3
(6) eap_peap: Got tunneled reply RADIUS code 11
(6) eap_peap: EAP-Message =
0x0107002b1a010700261067d8cf1d5c0b22de6dca819f0ed63a21667265657261646975732d332e302e3134
(6) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(6) eap_peap: State = 0xf3cd2f37f3ca35bae612626d1b2654f3
(6) eap_peap: Got tunneled Access-Challenge
(6) eap: Sending EAP Request (code 1) ID 7 length 75
(6) eap: EAP session adding &reply:State = 0x4f424a32494553ce
(6) [eap] = handled
(6) } # authenticate = handled
(6) Using Post-Auth-Type Challenge
(6) Post-Auth-Type sub-section not found. Ignoring.
(6) # Executing group from file /etc/raddb/sites-enabled/default
(6) Sent Access-Challenge Id 6 from 10.41.110.86:1812 to 10.41.17.64:1090
length 0
(6) EAP-Message =
0x0107004b190017030100407ee01304c4502480e19242c7f750d012d233a5ea2d1d549713c489b9d008af01dc3ade2bce7451513c3505e6521aa348070036f24b83077b93713aeba346e895
(6) Message-Authenticator = 0x00000000000000000000000000000000
(6) State = 0x4f424a32494553ce43a0ba7c4354ed56
(6) Finished request
Waking up in 4.7 seconds.
(7) Received Access-Request Id 7 from 10.41.17.64:1090 to 10.41.110.86:1812
length 319
(7) Message-Authenticator = 0x580b6f53691af232921c599c20c2aa51
(7) Service-Type = Framed-User
(7) User-Name = "userTest"
(7) Framed-MTU = 1488
(7) State = 0x4f424a32494553ce43a0ba7c4354ed56
(7) Called-Station-Id = "40-01-C6-D8-5C-00:AAA-Teste"
(7) Calling-Station-Id = "4C-57-CA-E2-E9-8D"
(7) NAS-Identifier = "3Com Access Point 7760"
(7) NAS-Port-Type = Wireless-802.11
(7) Connect-Info = "CONNECT 54Mbps 802.11g"
(7) EAP-Message =
0x0207006b19001703010060c669e7ab79aa07c8499bfa9213bcaebc2d5d1e6e3430c227434a92ef9373471f606a32894c516daacea3cce9b586f7ce7c9d84961e2b80c3de6fa40766f4504a26b64e8fcf20c0a2f2e8dc4711e7e678c6d8a9a86ff7df602dc8286f128b7d2a
(7) NAS-IP-Address = 10.41.17.64
(7) NAS-Port = 1
(7) NAS-Port-Id = "STA port # 1"
(7) session-state: No cached attributes
(7) # Executing section authorize from file /etc/raddb/sites-enabled/default
(7) authorize {
(7) [preprocess] = ok
(7) eap: Peer sent EAP Response (code 2) ID 7 length 107
(7) eap: Continuing tunnel setup
(7) [eap] = ok
(7) } # authorize = ok
(7) Found Auth-Type = eap
(7) # Executing group from file /etc/raddb/sites-enabled/default
(7) authenticate {
(7) eap: Expiring EAP session with state 0xf3cd2f37f3ca35ba
(7) eap: Finished EAP session with state 0x4f424a32494553ce
(7) eap: Previous EAP request found for state 0x4f424a32494553ce, released
from the list
(7) eap: Peer sent packet with method EAP PEAP (25)
(7) eap: Calling submodule eap_peap to process data
(7) eap_peap: Continuing EAP-TLS
(7) eap_peap: [eaptls verify] = ok
(7) eap_peap: Done initial handshake
(7) eap_peap: [eaptls process] = ok
(7) eap_peap: Session established. Decoding tunneled attributes
(7) eap_peap: PEAP state phase2
(7) eap_peap: EAP method MSCHAPv2 (26)
(7) eap_peap: Got tunneled request
(7) eap_peap: EAP-Message =
0x020700461a0207004131e4c34eceb5730484764dfd45bce48ff100000000000000009faa4c5cb899c5231ce4957cf16fc309db17b07a773a6342003031383239353036333832
(7) eap_peap: Setting User-Name to userTest
(7) eap_peap: Sending tunneled request to inner-tunnel
(7) eap_peap: EAP-Message =
0x020700461a0207004131e4c34eceb5730484764dfd45bce48ff100000000000000009faa4c5cb899c5231ce4957cf16fc309db17b07a773a6342003031383239353036333832
(7) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(7) eap_peap: User-Name = "userTest"
(7) eap_peap: State = 0xf3cd2f37f3ca35bae612626d1b2654f3
(7) eap_peap: Service-Type = Framed-User
(7) eap_peap: Framed-MTU = 1488
(7) eap_peap: Called-Station-Id = "40-01-C6-D8-5C-00:AAA-Teste"
(7) eap_peap: Calling-Station-Id = "4C-57-CA-E2-E9-8D"
(7) eap_peap: NAS-Identifier = "3Com Access Point 7760"
(7) eap_peap: NAS-Port-Type = Wireless-802.11
(7) eap_peap: Connect-Info = "CONNECT 54Mbps 802.11g"
(7) eap_peap: NAS-IP-Address = 10.41.17.64
(7) eap_peap: NAS-Port = 1
(7) eap_peap: NAS-Port-Id = "STA port # 1"
(7) eap_peap: Event-Timestamp = "Mar 22 2017 14:57:02 -03"
(7) Virtual server inner-tunnel received request
(7) EAP-Message =
0x020700461a0207004131e4c34eceb5730484764dfd45bce48ff100000000000000009faa4c5cb899c5231ce4957cf16fc309db17b07a773a6342003031383239353036333832
(7) FreeRADIUS-Proxied-To = 127.0.0.1
(7) User-Name = "userTest"
(7) State = 0xf3cd2f37f3ca35bae612626d1b2654f3
(7) Service-Type = Framed-User
(7) Framed-MTU = 1488
(7) Called-Station-Id = "40-01-C6-D8-5C-00:AAA-Teste"
(7) Calling-Station-Id = "4C-57-CA-E2-E9-8D"
(7) NAS-Identifier = "3Com Access Point 7760"
(7) NAS-Port-Type = Wireless-802.11
(7) Connect-Info = "CONNECT 54Mbps 802.11g"
(7) NAS-IP-Address = 10.41.17.64
(7) NAS-Port = 1
(7) NAS-Port-Id = "STA port # 1"
(7) Event-Timestamp = "Mar 22 2017 14:57:02 -03"
(7) WARNING: Outer and inner identities are the same. User privacy is
compromised.
(7) server inner-tunnel {
(7) session-state: No cached attributes
(7) # Executing section authorize from file
/etc/raddb/sites-enabled/inner-tunnel
(7) authorize {
(7) eap: Peer sent EAP Response (code 2) ID 7 length 70
(7) eap: No EAP Start, assuming it's an on-going EAP conversation
(7) [eap] = updated
rlm_ldap (ldap): Reserved connection (0)
(7) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(7) ldap: --> (uid=userTest)
(7) ldap: Performing search in "ou=people,dc=test,dc=br" with filter
"(uid=userTest)", scope "sub"
(7) ldap: Waiting for search result...
(7) ldap: User object found at DN "uid=userTest,ou=people,dc=test,dc=br"
(7) ldap: Processing user attributes
(7) ldap: control:NT-Password :=
0x3145333941394139324632423038413045363942344435414441374535333332
rlm_ldap (ldap): Released connection (0)
Need 5 more connections to reach 10 spares
rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots
used
rlm_ldap (ldap): Connecting to ldap://10.0.0.2:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(7) [ldap] = updated
(7) [expiration] = noop
(7) [logintime] = noop
(7) pap: Normalizing NT-Password from hex encoding, 32 bytes -> 16 bytes
(7) pap: WARNING: Auth-Type already set. Not setting to PAP
(7) [pap] = noop
(7) } # authorize = updated
(7) Found Auth-Type = eap
(7) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(7) authenticate {
(7) eap: Expiring EAP session with state 0xf3cd2f37f3ca35ba
(7) eap: Finished EAP session with state 0xf3cd2f37f3ca35ba
(7) eap: Previous EAP request found for state 0xf3cd2f37f3ca35ba, released
from the list
(7) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(7) eap: Calling submodule eap_mschapv2 to process data
(7) eap_mschapv2: # Executing group from file
/etc/raddb/sites-enabled/inner-tunnel
(7) eap_mschapv2: authenticate {
(7) mschap: Found NT-Password
(7) mschap: Creating challenge hash with username: userTest
(7) mschap: Client is using MS-CHAPv2
(7) mschap: Adding MS-CHAPv2 MPPE keys
(7) [mschap] = ok
(7) } # authenticate = ok
(7) MSCHAP Success
(7) eap: Sending EAP Request (code 1) ID 8 length 51
(7) eap: EAP session adding &reply:State = 0xf3cd2f37f2c535ba
(7) [eap] = handled
(7) } # authenticate = handled
(7) } # server inner-tunnel
(7) Virtual server sending reply
(7) EAP-Message =
0x010800331a0307002e533d36353643383034344335374539324431353934314344333337323737433135443633453939343543
(7) Message-Authenticator = 0x00000000000000000000000000000000
(7) State = 0xf3cd2f37f2c535bae612626d1b2654f3
(7) eap_peap: Got tunneled reply code 11
(7) eap_peap: EAP-Message =
0x010800331a0307002e533d36353643383034344335374539324431353934314344333337323737433135443633453939343543
(7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(7) eap_peap: State = 0xf3cd2f37f2c535bae612626d1b2654f3
(7) eap_peap: Got tunneled reply RADIUS code 11
(7) eap_peap: EAP-Message =
0x010800331a0307002e533d36353643383034344335374539324431353934314344333337323737433135443633453939343543
(7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(7) eap_peap: State = 0xf3cd2f37f2c535bae612626d1b2654f3
(7) eap_peap: Got tunneled Access-Challenge
(7) eap: Sending EAP Request (code 1) ID 8 length 91
(7) eap: EAP session adding &reply:State = 0x4f424a32484a53ce
(7) [eap] = handled
(7) } # authenticate = handled
(7) Using Post-Auth-Type Challenge
(7) Post-Auth-Type sub-section not found. Ignoring.
(7) # Executing group from file /etc/raddb/sites-enabled/default
(7) Sent Access-Challenge Id 7 from 10.41.110.86:1812 to 10.41.17.64:1090
length 0
(7) EAP-Message =
0x0108005b19001703010050ac2f44e2a3ed7acba66a1267f323eb6eae71a2bd254a14b8c51eea8b179c1a0ec40cc59af04ad38b953ba3e697ab8357949e573623914e6e5f3c1f165eddacca08316a41b4bfb822bd25c92ee3130e73
(7) Message-Authenticator = 0x00000000000000000000000000000000
(7) State = 0x4f424a32484a53ce43a0ba7c4354ed56
(7) Finished request
Waking up in 1.5 seconds.
Waking up in 1.5 seconds.
(8) Received Access-Request Id 8 from 10.41.17.64:1090 to 10.41.110.86:1812
length 255
(8) Message-Authenticator = 0x7dcc3d33a8e6f5ac1e603cc17197c534
(8) Service-Type = Framed-User
(8) User-Name = "userTest"
(8) Framed-MTU = 1488
(8) State = 0x4f424a32484a53ce43a0ba7c4354ed56
(8) Called-Station-Id = "40-01-C6-D8-5C-00:AAA-Teste"
(8) Calling-Station-Id = "4C-57-CA-E2-E9-8D"
(8) NAS-Identifier = "3Com Access Point 7760"
(8) NAS-Port-Type = Wireless-802.11
(8) Connect-Info = "CONNECT 54Mbps 802.11g"
(8) EAP-Message =
0x0208002b19001703010020abc7b9d4379a98cc113dd952442471dc9a0a7631401d09e2600bae46ef769ad8
(8) NAS-IP-Address = 10.41.17.64
(8) NAS-Port = 1
(8) NAS-Port-Id = "STA port # 1"
(8) session-state: No cached attributes
(8) # Executing section authorize from file /etc/raddb/sites-enabled/default
(8) authorize {
(8) [preprocess] = ok
(8) eap: Peer sent EAP Response (code 2) ID 8 length 43
(8) eap: Continuing tunnel setup
(8) [eap] = ok
(8) } # authorize = ok
(8) Found Auth-Type = eap
(8) # Executing group from file /etc/raddb/sites-enabled/default
(8) authenticate {
(8) eap: Expiring EAP session with state 0xf3cd2f37f2c535ba
(8) eap: Finished EAP session with state 0x4f424a32484a53ce
(8) eap: Previous EAP request found for state 0x4f424a32484a53ce, released
from the list
(8) eap: Peer sent packet with method EAP PEAP (25)
(8) eap: Calling submodule eap_peap to process data
(8) eap_peap: Continuing EAP-TLS
(8) eap_peap: [eaptls verify] = ok
(8) eap_peap: Done initial handshake
(8) eap_peap: [eaptls process] = ok
(8) eap_peap: Session established. Decoding tunneled attributes
(8) eap_peap: PEAP state phase2
(8) eap_peap: EAP method MSCHAPv2 (26)
(8) eap_peap: Got tunneled request
(8) eap_peap: EAP-Message = 0x020800061a03
(8) eap_peap: Setting User-Name to userTest
(8) eap_peap: Sending tunneled request to inner-tunnel
(8) eap_peap: EAP-Message = 0x020800061a03
(8) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(8) eap_peap: User-Name = "userTest"
(8) eap_peap: State = 0xf3cd2f37f2c535bae612626d1b2654f3
(8) eap_peap: Service-Type = Framed-User
(8) eap_peap: Framed-MTU = 1488
(8) eap_peap: Called-Station-Id = "40-01-C6-D8-5C-00:AAA-Teste"
(8) eap_peap: Calling-Station-Id = "4C-57-CA-E2-E9-8D"
(8) eap_peap: NAS-Identifier = "3Com Access Point 7760"
(8) eap_peap: NAS-Port-Type = Wireless-802.11
(8) eap_peap: Connect-Info = "CONNECT 54Mbps 802.11g"
(8) eap_peap: NAS-IP-Address = 10.41.17.64
(8) eap_peap: NAS-Port = 1
(8) eap_peap: NAS-Port-Id = "STA port # 1"
(8) eap_peap: Event-Timestamp = "Mar 22 2017 14:57:06 -03"
(8) Virtual server inner-tunnel received request
(8) EAP-Message = 0x020800061a03
(8) FreeRADIUS-Proxied-To = 127.0.0.1
(8) User-Name = "userTest"
(8) State = 0xf3cd2f37f2c535bae612626d1b2654f3
(8) Service-Type = Framed-User
(8) Framed-MTU = 1488
(8) Called-Station-Id = "40-01-C6-D8-5C-00:AAA-Teste"
(8) Calling-Station-Id = "4C-57-CA-E2-E9-8D"
(8) NAS-Identifier = "3Com Access Point 7760"
(8) NAS-Port-Type = Wireless-802.11
(8) Connect-Info = "CONNECT 54Mbps 802.11g"
(8) NAS-IP-Address = 10.41.17.64
(8) NAS-Port = 1
(8) NAS-Port-Id = "STA port # 1"
(8) Event-Timestamp = "Mar 22 2017 14:57:06 -03"
(8) WARNING: Outer and inner identities are the same. User privacy is
compromised.
(8) server inner-tunnel {
(8) session-state: No cached attributes
(8) # Executing section authorize from file
/etc/raddb/sites-enabled/inner-tunnel
(8) authorize {
(8) eap: Peer sent EAP Response (code 2) ID 8 length 6
(8) eap: No EAP Start, assuming it's an on-going EAP conversation
(8) [eap] = updated
rlm_ldap (ldap): Reserved connection (1)
(8) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(8) ldap: --> (uid=userTest)
(8) ldap: Performing search in "ou=people,dc=test,dc=br" with filter
"(uid=userTest)", scope "sub"
(8) ldap: Waiting for search result...
(8) ldap: User object found at DN "uid=userTest,ou=people,dc=test,dc=br"
(8) ldap: Processing user attributes
(8) ldap: control:NT-Password :=
0x3145333941394139324632423038413045363942344435414441374535333332
rlm_ldap (ldap): Released connection (1)
Need 4 more connections to reach 10 spares
rlm_ldap (ldap): Opening additional connection (6), 1 of 26 pending slots
used
rlm_ldap (ldap): Connecting to ldap://10.0.0.2:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(8) [ldap] = updated
(8) [expiration] = noop
(8) [logintime] = noop
(8) pap: Normalizing NT-Password from hex encoding, 32 bytes -> 16 bytes
(8) pap: WARNING: Auth-Type already set. Not setting to PAP
(8) [pap] = noop
(8) } # authorize = updated
(8) Found Auth-Type = eap
(8) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(8) authenticate {
(8) eap: Expiring EAP session with state 0xf3cd2f37f2c535ba
(8) eap: Finished EAP session with state 0xf3cd2f37f2c535ba
(8) eap: Previous EAP request found for state 0xf3cd2f37f2c535ba, released
from the list
(8) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(8) eap: Calling submodule eap_mschapv2 to process data
(8) eap: Sending EAP Success (code 3) ID 8 length 4
(8) eap: Freeing handler
(8) [eap] = ok
(8) } # authenticate = ok
(8) # Executing section post-auth from file
/etc/raddb/sites-enabled/inner-tunnel
(8) post-auth { ... } # empty sub-section is ignored
(8) } # server inner-tunnel
(8) Virtual server sending reply
(8) MS-MPPE-Encryption-Policy = Encryption-Allowed
(8) MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(8) MS-MPPE-Send-Key = 0x4aa9e16bdd36625e16a0d830524217af
(8) MS-MPPE-Recv-Key = 0x0a5d092cf0335597ba092c656391f8ce
(8) EAP-Message = 0x03080004
(8) Message-Authenticator = 0x00000000000000000000000000000000
(8) User-Name = "userTest"
(8) eap_peap: Got tunneled reply code 2
(8) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed
(8) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(8) eap_peap: MS-MPPE-Send-Key = 0x4aa9e16bdd36625e16a0d830524217af
(8) eap_peap: MS-MPPE-Recv-Key = 0x0a5d092cf0335597ba092c656391f8ce
(8) eap_peap: EAP-Message = 0x03080004
(8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(8) eap_peap: User-Name = "userTest"
(8) eap_peap: Got tunneled reply RADIUS code 2
(8) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed
(8) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(8) eap_peap: MS-MPPE-Send-Key = 0x4aa9e16bdd36625e16a0d830524217af
(8) eap_peap: MS-MPPE-Recv-Key = 0x0a5d092cf0335597ba092c656391f8ce
(8) eap_peap: EAP-Message = 0x03080004
(8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(8) eap_peap: User-Name = "userTest"
(8) eap_peap: Tunneled authentication was successful
(8) eap_peap: SUCCESS
(8) eap_peap: Saving tunneled attributes for later
(8) eap: Sending EAP Request (code 1) ID 9 length 43
(8) eap: EAP session adding &reply:State = 0x4f424a32474b53ce
(8) [eap] = handled
(8) } # authenticate = handled
(8) Using Post-Auth-Type Challenge
(8) Post-Auth-Type sub-section not found. Ignoring.
(8) # Executing group from file /etc/raddb/sites-enabled/default
(8) Sent Access-Challenge Id 8 from 10.41.110.86:1812 to 10.41.17.64:1090
length 0
(8) EAP-Message =
0x0109002b19001703010020eae9a042828d4a49005b266a1f74f0a2bf7014f3c8490968e2346a1102a797f0
(8) Message-Authenticator = 0x00000000000000000000000000000000
(8) State = 0x4f424a32474b53ce43a0ba7c4354ed56
(8) Finished request
(0) Cleaning up request packet ID 0 with timestamp +13
(1) Cleaning up request packet ID 1 with timestamp +13
(2) Cleaning up request packet ID 2 with timestamp +13
(3) Cleaning up request packet ID 3 with timestamp +13
(4) Cleaning up request packet ID 4 with timestamp +13
(5) Cleaning up request packet ID 5 with timestamp +13
(6) Cleaning up request packet ID 6 with timestamp +13
Waking up in 6.6 seconds.
(9) Received Access-Request Id 9 from 10.41.17.64:1090 to 10.41.110.86:1812
length 255
(9) Message-Authenticator = 0x58645e92fdfebfe5a07ee2ca9e76d058
(9) Service-Type = Framed-User
(9) User-Name = "userTest"
(9) Framed-MTU = 1488
(9) State = 0x4f424a32474b53ce43a0ba7c4354ed56
(9) Called-Station-Id = "40-01-C6-D8-5C-00:AAA-Teste"
(9) Calling-Station-Id = "4C-57-CA-E2-E9-8D"
(9) NAS-Identifier = "3Com Access Point 7760"
(9) NAS-Port-Type = Wireless-802.11
(9) Connect-Info = "CONNECT 54Mbps 802.11g"
(9) EAP-Message =
0x0209002b19001703010020392369a6b70c5ffc43a71c35e3a7fdfedb1358e8be6145c943f3c8f7c084f2aa
(9) NAS-IP-Address = 10.41.17.64
(9) NAS-Port = 1
(9) NAS-Port-Id = "STA port # 1"
(9) session-state: No cached attributes
(9) # Executing section authorize from file /etc/raddb/sites-enabled/default
(9) authorize {
(9) [preprocess] = ok
(9) eap: Peer sent EAP Response (code 2) ID 9 length 43
(9) eap: Continuing tunnel setup
(9) [eap] = ok
(9) } # authorize = ok
(9) Found Auth-Type = eap
(9) # Executing group from file /etc/raddb/sites-enabled/default
(9) authenticate {
(9) eap: Expiring EAP session with state 0x4f424a32474b53ce
(9) eap: Finished EAP session with state 0x4f424a32474b53ce
(9) eap: Previous EAP request found for state 0x4f424a32474b53ce, released
from the list
(9) eap: Peer sent packet with method EAP PEAP (25)
(9) eap: Calling submodule eap_peap to process data
(9) eap_peap: Continuing EAP-TLS
(9) eap_peap: [eaptls verify] = ok
(9) eap_peap: Done initial handshake
(9) eap_peap: [eaptls process] = ok
(9) eap_peap: Session established. Decoding tunneled attributes
(9) eap_peap: PEAP state send tlv success
(9) eap_peap: Received EAP-TLV response
(9) eap_peap: Success
(9) eap_peap: Using saved attributes from the original Access-Accept
(9) eap_peap: User-Name = "userTest"
(9) eap_peap: caching User-Name = "userTest"
(9) eap_peap: Failed to find 'persist_dir' in TLS configuration. Session
will not be cached on disk.
(9) eap: Sending EAP Success (code 3) ID 9 length 4
(9) eap: Freeing handler
(9) [eap] = ok
(9) } # authenticate = ok
(9) # Executing section post-auth from file /etc/raddb/sites-enabled/default
(9) post-auth {
(9) update {
(9) No attributes updated
(9) } # update = noop
(9) [exec] = noop
(9) policy remove_reply_message_if_eap {
(9) if (&reply:EAP-Message && &reply:Reply-Message) {
(9) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(9) else {
(9) [noop] = noop
(9) } # else = noop
(9) } # policy remove_reply_message_if_eap = noop
(9) } # post-auth = noop
(9) Sent Access-Accept Id 9 from 10.41.110.86:1812 to 10.41.17.64:1090
length 0
(9) User-Name = "userTest"
(9) MS-MPPE-Recv-Key =
0x00a4bdf20b6b9a550a36b016997d3bb3bd83c0fdfdbcc0ddd6026d3daa2019bb
(9) MS-MPPE-Send-Key =
0xaf0e20d1649dba2bd275bae0ce54905287ec784004b438eac1d71335a6a5df64
(9) EAP-Message = 0x03090004
(9) Message-Authenticator = 0x00000000000000000000000000000000
(9) Finished request
Waking up in 4.9 seconds.
(9) Cleaning up request packet ID 9 with timestamp +20
Waking up in 1.6 seconds.
(7) Cleaning up request packet ID 7 with timestamp +13
Waking up in 3.3 seconds.
1
0
hi,
I think I must thanks for FR project @Alan DeKok and @others.it is a great and prefect job.
I hava two ssid,SSID-TMP for temporary user and the SSID-EMP for employee-user,they both use the realm_sql for auth.
the data in radcheck as follows:
current,in raddb/sq/mysql/dialup.conf,
authorize_check_query = "SELECT id, username, attribute, value, op FROM ${authcheck_table} WHERE username = '%{SQL-User-Name}' ORDER BY id"
so when a temporary user tmp_user connect SSID-EMP(for employee),he also get the correct password for connecting the SSID-EMP.that should be disabled.
the problem is:how can I map the user to the correct record?
I have extented radcheck tables with field user_ssid,so the records like:
and change the authorize_check_query statement to:
"SELECT id, username, attribute, value, op FROM ${authcheck_table} WHERE username = '%{SQL-User-Name}' and ssid='%{Aruba_Essid_Name}' ORDER BY id"
but I donot get the correct sql statement:
SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'emp' and ssid='' ORDER BY id
another approach:
I define another virtual server,but they use the same sql realm,and use the same sql_query statement,
How can I achieve the resule what I want?
I am confused about this,thanks for any suggestion or advise,
apologize for my english,
gh.li
tel:+8613910260406
email:gh.li@microshield.com.cn
3
2
Hello,
we are expieriencing the same issues in our network.
We were able to reproduce the problems and it's totally the fault of iOS.
If a user is walking through the building and iOS is roaming through the
various access points, than
in some point the wifi client software on iOS is running into a memory
overflow or something, after 6-7 incomplete
logins because of poor signal strength. After reaching this point,
either the wifi must be disabled for few seconds and
then it works or the device must be restarted.
Our other clients doesn't have these issues.
Kind regards.
D. Stabla
-----Ursprüngliche Nachricht-----
Von: Freeradius-Users
[mailto:freeradius-users-bounces+dstabla=materna.de@lists.freeradius.org]
Im Auftrag von Stefan Winter
Gesendet: Donnerstag, 23. März 2017 08:21
An: freeradius-users(a)lists.freeradius.org
<mailto:freeradius-users@lists.freeradius.org>
Betreff: Re: iOS mysterious issues on Freeradius 3.0.14
Hi,
I was seeing something /very/ similar to the below TLS error recently
and that was because the expected *server name* I configured in the
client didn't match what my server was actually sending.
Despite the usual suspects like typos in client config, you may also
want to check for wildcard names in certs, or things that are not
hostnames (spaces...) - clients sometimes choke on harmlessly looking
things.
Greetings,
Stefan Winter
Am 22.03.2017 um 21:54 schrieb John Tobin:
> The log snip below, shows test on os x Sierra, Windows 7 works, I
have not
> had the time to test win 10.
> So free Radiusd works, this is just an apple os x problem, server cert is
> self signed, dot1xprofiler is my profile app, and has both the signed
cert
> [server.pem] and client cert [client.p12] generated by the make in
> /etc/raddb/certs.
>
> On 3/22/17, 16:37, "John Tobin" <jtobin(a)po-box.esu.edu
<mailto:jtobin@po-box.esu.edu>> wrote:
>
>> Ah, you mean like this: [ERROR: TLS is down a bit, I took the entire
>> transaction out of the logŠ]
>>
>> (86) Received Access-Request Id 196 from 10.99.7.190:1645
>> <http://10.99.7.190:1645/> to 10.99.7.21:1812 <http://10.99.7.21:1812/>
>> length 153
>> (86)User-Name = "tobi1"
>> (86)Framed-MTU = 1400
>> (86)Called-Station-Id = "0022.90bd.9500"
>> (86)Calling-Station-Id = "0025.4b8e.15b9"
>> (86)Service-Type = Login-User
>> (86)Message-Authenticator = 0x5f033b48ec2f2a210b5e0ce5379cdf49
>> (86)EAP-Message = 0x0205001119800000000715030100020100
>> (86)NAS-Port-Type = Wireless-802.11
>> (86)NAS-Port = 394
>> (86)NAS-Port-Id = "394"
>> (86)State = 0xe046c6d9e243dfdaa11e15be1d36d7b4
>> (86)NAS-IP-Address = 10.99.7.190
>> (86)NAS-Identifier = "ap"
>> (86) session-state: No cached attributes
>> (86) # Executing section authorize from file
>> /etc/raddb/sites-enabled/default
>> (86)authorize {
>> (86)policy filter_username {
>> (86)if (&User-Name) {
>> (86)if (&User-Name)-> TRUE
>> (86)if (&User-Name){
>> (86)if (&User-Name =~ / /) {
>> (86)if (&User-Name =~ / /)-> FALSE
>> (86)if (&User-Name =~ /@[^@]*@/ ) {
>> (86)if (&User-Name =~ /@[^@]*@/ )-> FALSE
>> (86)if (&User-Name =~ /\.\./ ) {
>> (86)if (&User-Name =~ /\.\./ )-> FALSE
>> (86)if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
<mailto:/@%28.+%29%5C.%28.+%29$/%29%29>{
>> (86)if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
<mailto:/@%28.+%29%5C.%28.+%29$/%29%29>
>> -> FALSE
>> (86)if (&User-Name =~ /\.$/){
>> (86)if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/))
<mailto:/@%28.+%29%5C.%28.+%29$/%29%29>
>> -> FALSE
>> (86)if (&User-Name =~ /\.$/){
>> (86)if (&User-Name =~ /\.$/)-> FALSE
>> (86)if (&User-Name =~ /(a)\./ <mailto:/@%5C./>){
>> (86)if (&User-Name =~ /(a)\./ <mailto:/@%5C./>)-> FALSE
>> (86)} # if (&User-Name)= notfound
>> (86)} # policy filter_username = notfound
>> (86)[preprocess] = ok
>> (86)[chap] = noop
>> (86)[mschap] = noop
>> (86)[digest] = noop
>> (86) suffix: Checking for suffix after "@"
>> (86) suffix: No '@' in User-Name = "tobi1", looking up realm NULL
>> (86) suffix: No such realm "NULL"
>> (86)[suffix] = noop
>> (86) eap: Peer sent EAP Response (code 2) ID 5 length 17
>> (86) eap: Continuing tunnel setup
>> (86)[eap] = ok
>> (86)} # authorize = ok
>> (86) Found Auth-Type = eap
>> (86) # Executing group from file /etc/raddb/sites-enabled/default
>> (86)authenticate {
>> (86) eap: Expiring EAP session with state 0xe046c6d9e243dfda
>> (86) eap: Finished EAP session with state 0xe046c6d9e243dfda
>> (86) eap: Previous EAP request found for state 0xe046c6d9e243dfda,
>> released from the list
>> (86) eap: Peer sent packet with method EAP PEAP (25)
>> (86) eap: Calling submodule eap_peap to process data
>> (86) eap_peap: Continuing EAP-TLS
>> (86) eap_peap: Peer indicated complete TLS record size will be 7 bytes
>> (86) eap_peap: Got complete TLS record (7 bytes)
>> (86) eap_peap: [eaptls verify] = length included
>> (86) eap_peap: <<< recv TLS 1.0 Alert [length 0002], warning
close_notify
>> (86) eap_peap: ERROR: TLS_accept: Failed in unknown state
>> (86) eap_peap: ERROR: SSL says: error:140940E5:SSL
>> routines:ssl3_read_bytes:ssl handshake failure
>> (86) eap_peap: ERROR: SSL_read failed in a system call (-1), TLS session
>> failed
>> (86) eap_peap: ERROR: TLS receive handshake failed during operation
>> (86) eap_peap: ERROR: [eaptls process] = fail
>> (86) eap: ERROR: Failed continuing EAP PEAP (25) session.EAP sub-module
>> failed
>> (86) eap: Sending EAP Failure (code 4) ID 5 length 4
>> (86) eap: Failed in EAP select
>> (86)[eap] = invalid
>> (86)} # authenticate = invalid
>> (86) Failed to authenticate the user
>> (86) Using Post-Auth-Type Reject
>> (86) # Executing group from file /etc/raddb/sites-enabled/default
>> (86)Post-Auth-Type REJECT {
>> (86) attr_filter.access_reject: EXPAND %{User-Name}
>> (86) attr_filter.access_reject:--> tobi1
>> (86) attr_filter.access_reject: Matched entry DEFAULT at line 11
>> (86)[attr_filter.access_reject] = updated
>> (86)[eap] = noop
>> (86)policy remove_reply_message_if_eap {
>> (86)if (&reply:EAP-Message && &reply:Reply-Message) {
>> (86)if (&reply:EAP-Message && &reply:Reply-Message)-> FALSE
>> (86)else {
>> (86)[noop] = noop
>> (86)} # else = noop
>> (86)} # policy remove_reply_message_if_eap = noop
>> (86)} # Post-Auth-Type REJECT = updated
>> (86)} # policy remove_reply_message_if_eap = noop
>> (86)} # Post-Auth-Type REJECT = updated
>> (86) Delaying response for 1.000000 seconds
>> Waking up in 0.3 seconds.
>> Waking up in 0.6 seconds.
>> (86) Sending delayed response
>> (86) Sent Access-Reject Id 196 from 10.99.7.21:1812
>> <http://10.99.7.21:1812/> to 10.99.7.190:1645 <http://10.99.7.190:1645/>
>> length 44
>> (86)EAP-Message = 0x04050004
>> (86)Message-Authenticator = 0x00000000000000000000000000000000
>> Waking up in 3.7 seconds.
>> Š..
>> Waking up in 0.1 seconds.
>> (86) Cleaning up request packet ID 196 with timestamp +1294629
>> Ready to process requests
>> Ready to process requests
>> Signalled to terminate
>> Exiting normally
>> rlm_ldap (ldap): Removing connection pool
>> rlm_ldap (ldap): Closing connection (12)
>> rlm_ldap (ldap): Closing connection (11)
>> rlm_ldap (ldap): Closing connection (10)
>> tls: Freeing cached session VPs
>>
>>
>>
>> On 3/22/17, 13:20, "Freeradius-Users on behalf of Brian Julin"
>> <freeradius-users-bounces+jtobin=po-box.esu.edu(a)lists.freeradius.org on
>> behalf of BJulin(a)clarku.edu <mailto:BJulin@clarku.edu>> wrote:
>>
>>>
>>>
>>>
>>>
>>>> This is not easy research, since the error messages you receive no one
>>> else seems to see.
>>>> My problem may be that apple devices are no longer accepting self
>>>> signed
>>> certs, but I have also looked at os x upgrades [home brew/openssl
>>> problems] for openssl.
>>>
>>> If the OS is rejecting the cert (or visa versa), you'll see something
>>> like:
>>>
>>> Error: TLS Alert fatal: blah blah blah
>>>
>>> The original poster was getting all the way through MS-CHAP inner
>>> authentication,
>>> so it was could not have been a certificate issue since the TLS tunnel
>>> had successfully
>>> established.
>>>
>>> -
>>> List info/subscribe/unsubscribe? See
>>> http://www.freeradius.org/list/users.html
>>
>
>
> -
> List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
>
--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette
Tel: +352 424409 1
Fax: +352 422473
PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
1
0
Hi,
I sometimes see the following errors in FreeRadius logs:
Received conflicting packet from client nas_test port 15089 - ID: 75 due to unfinished request. Giving up on old request.
In this mailing list I read some comments about it and found out it is caused by slow database which is not able to handle requests on time.
I enabled logging slow queries and noticed there are no queries taking more than 2 seconds.
so what is exactly causing it?
does adjusting nas timeout/retry or FreeRadius settings fix it?
Thanks
Sam
4
6