Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
July 2019
- 69 participants
- 75 discussions
Good morning, everyone! I'm having a challenge understanding why we're
seeing the error:
authenticate {
(660) Fri Jul 26 09:20:17 2019: WARNING: mschap: No Cleartext-Password
configured. Cannot create NT-Password
(660) Fri Jul 26 09:20:17 2019: WARNING: mschap: No Cleartext-Password
configured. Cannot create LM-Password
(660) Fri Jul 26 09:20:17 2019: Debug: mschap: Creating challenge hash
with username: 54-72-4F-69-14-B1
(660) Fri Jul 26 09:20:17 2019: Debug: mschap: Client is using MS-CHAPv2
(660) Fri Jul 26 09:20:17 2019: ERROR: mschap: FAILED: No
NT/LM-Password. Cannot perform authentication
(660) Fri Jul 26 09:20:17 2019: ERROR: mschap: MS-CHAP2-Response is
incorrect
(660) Fri Jul 26 09:20:17 2019: Debug: [mschap] = reject
(660) Fri Jul 26 09:20:17 2019: Debug: } # authenticate = reject
We've just started providing radius services (3.0.18 on CentOS 7) to a
new client, and all 14 of their properties have exhibited this behavior,
to the tune of nearly 300,000 so far this month, with only about 80,000
successful auths.
In the authenticate debug above, it states that there is no
Cleartext-Password, but I personally checked for this specific user, and
the attribute is set in radcheck (I've checked a random sample of some
others, as well, with the same result). Still, however, we see that
error, and for the life of me, although I believe I know *what* the
error is, I'm unable to determine why. We've done packet captures to
ensure that the site's gateway (Nomadix) is sent the correct credential
data (it is), but somehow, on arrival at the FR server, the password
appears to be missing.
If someone can point me in the right direction (I'm thinking the NAS is
the root of this), I would be most appreciative, as I don't want to lose
any more hair! I've included the gzip'd output from raddebug, as this is
a production server.
I've had to include it as an attachment, because in raw form, it
exceeded the message size limit for the list (and I apologize to the
list maintainers for that error).
Many thanks!
-- Jim
4
12
Hello All,
I'm trying to setup freeradius, i have a problem , I can connect with
radtest, but when trying to connect to wifi, i can't get connection ,
although the log says everything is good, but here is a log for one wifi
try, Thank you :
(0) Received Access-Request Id 82 from 192.168.1.7:46948 to
192.168.1.27:1812 length 245
(0) User-Name = "oktaradius(a)contentful.com"
(0) NAS-IP-Address = 192.168.1.7
(0) NAS-Identifier = "F09FC2307B82DFB616DF"
(0) Called-Station-Id = "F0-9F-C2-32-7B-82:Seko"
(0) NAS-Port-Type = Wireless-802.11
(0) Service-Type = Framed-User
(0) Calling-Station-Id = "8C-85-90-C9-C4-A5"
(0) Connect-Info = "CONNECT 0Mbps 802.11b"
(0) Acct-Session-Id = "F4E3DF614E08A6E7"
(0) WLAN-Pairwise-Cipher = 1027076
(0) WLAN-Group-Cipher = 1027074
(0) WLAN-AKM-Suite = 1027073
(0) Framed-MTU = 1400
(0) EAP-Message =
0x0253001e016f6b746172616469757340636f6e74656e7466756c2e636f6d
(0) Message-Authenticator = 0x2ef3105f9641fcc5dcb511bc9002a8b8
(0) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(0) authorize {
(0) update control {
(0) Proxy-To-Realm := LOCAL
(0) } # update control = noop
(0) eap: Peer sent EAP Response (code 2) ID 83 length 30
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(0) [eap] = ok
(0) } # authorize = ok
(0) Found Auth-Type = eap
(0) # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(0) authenticate {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_tls to process data
(0) eap_tls: Initiating new EAP-TLS session
(0) eap_tls: Setting verify mode to require certificate from client
(0) eap_tls: [eaptls start] = request
(0) eap: Sending EAP Request (code 1) ID 84 length 6
(0) eap: EAP session adding &reply:State = 0x8e5e79f88e0a7437
(0) [eap] = handled
(0) } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) Post-Auth-Type sub-section not found. Ignoring.
(0) # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(0) Sent Access-Challenge Id 82 from 192.168.1.27:1812 to 192.168.1.7:46948
length 0
(0) EAP-Message = 0x015400060d20
(0) Message-Authenticator = 0x00000000000000000000000000000000
(0) State = 0x8e5e79f88e0a7437fcc8affbd9e63c1c
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 83 from 192.168.1.7:46948 to
192.168.1.27:1812 length 241
(1) User-Name = "oktaradius(a)contentful.com"
(1) NAS-IP-Address = 192.168.1.7
(1) NAS-Identifier = "F09FC2307B82DFB616DF"
(1) Called-Station-Id = "F0-9F-C2-32-7B-82:Seko"
(1) NAS-Port-Type = Wireless-802.11
(1) Service-Type = Framed-User
(1) Calling-Station-Id = "8C-85-90-C9-C4-A5"
(1) Connect-Info = "CONNECT 0Mbps 802.11b"
(1) Acct-Session-Id = "F4E3DF614E08A6E7"
(1) WLAN-Pairwise-Cipher = 1027076
(1) WLAN-Group-Cipher = 1027074
(1) WLAN-AKM-Suite = 1027073
(1) Framed-MTU = 1400
(1) EAP-Message = 0x025400080319152b
(1) State = 0x8e5e79f88e0a7437fcc8affbd9e63c1c
(1) Message-Authenticator = 0xbfebf90757d8720c073964a1a576290f
(1) session-state: No cached attributes
(1) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(1) authorize {
(1) update control {
(1) Proxy-To-Realm := LOCAL
(1) } # update control = noop
(1) eap: Peer sent EAP Response (code 2) ID 84 length 8
(1) eap: No EAP Start, assuming it's an on-going EAP conversation
(1) [eap] = updated
(1) [pap] = noop
(1) if (User-Password) {
(1) if (User-Password) -> FALSE
(1) } # authorize = updated
(1) Found Auth-Type = eap
(1) # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(1) authenticate {
(1) eap: Expiring EAP session with state 0x8e5e79f88e0a7437
(1) eap: Finished EAP session with state 0x8e5e79f88e0a7437
(1) eap: Previous EAP request found for state 0x8e5e79f88e0a7437, released
from the list
(1) eap: Peer sent packet with method EAP NAK (3)
(1) eap: Found mutually acceptable type PEAP (25)
(1) eap: Calling submodule eap_peap to process data
(1) eap_peap: Initiating new EAP-TLS session
(1) eap_peap: [eaptls start] = request
(1) eap: Sending EAP Request (code 1) ID 85 length 6
(1) eap: EAP session adding &reply:State = 0x8e5e79f88f0b6037
(1) [eap] = handled
(1) } # authenticate = handled
(1) Using Post-Auth-Type Challenge
(1) Post-Auth-Type sub-section not found. Ignoring.
(1) # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(1) Sent Access-Challenge Id 83 from 192.168.1.27:1812 to 192.168.1.7:46948
length 0
(1) EAP-Message = 0x015500061920
(1) Message-Authenticator = 0x00000000000000000000000000000000
(1) State = 0x8e5e79f88f0b6037fcc8affbd9e63c1c
(1) Finished request
Waking up in 4.9 seconds.
(2) Received Access-Request Id 84 from 192.168.1.7:46948 to
192.168.1.27:1812 length 394
(2) User-Name = "oktaradius(a)contentful.com"
(2) NAS-IP-Address = 192.168.1.7
(2) NAS-Identifier = "F09FC2307B82DFB616DF"
(2) Called-Station-Id = "F0-9F-C2-32-7B-82:Seko"
(2) NAS-Port-Type = Wireless-802.11
(2) Service-Type = Framed-User
(2) Calling-Station-Id = "8C-85-90-C9-C4-A5"
(2) Connect-Info = "CONNECT 0Mbps 802.11b"
(2) Acct-Session-Id = "F4E3DF614E08A6E7"
(2) WLAN-Pairwise-Cipher = 1027076
(2) WLAN-Group-Cipher = 1027074
(2) WLAN-AKM-Suite = 1027073
(2) Framed-MTU = 1400
(2) EAP-Message =
0x025500a119800000009716030100920100008e03035d3b1e54818c4033c2e450ebed8065da3524ab162a0e233ad0c618af5ac5652500002c00ffc02cc02bc024c023c00ac009c008c030c02fc028c027c014c013c012009d009c003d003c0035002f000a01000039000a00080006001700180019000b00
(2) State = 0x8e5e79f88f0b6037fcc8affbd9e63c1c
(2) Message-Authenticator = 0xcdd72bf2423fa3e01d52be23c7023adf
(2) session-state: No cached attributes
(2) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(2) authorize {
(2) update control {
(2) Proxy-To-Realm := LOCAL
(2) } # update control = noop
(2) eap: Peer sent EAP Response (code 2) ID 85 length 161
(2) eap: Continuing tunnel setup
(2) [eap] = ok
(2) } # authorize = ok
(2) Found Auth-Type = eap
(2) # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(2) authenticate {
(2) eap: Expiring EAP session with state 0x8e5e79f88f0b6037
(2) eap: Finished EAP session with state 0x8e5e79f88f0b6037
(2) eap: Previous EAP request found for state 0x8e5e79f88f0b6037, released
from the list
(2) eap: Peer sent packet with method EAP PEAP (25)
(2) eap: Calling submodule eap_peap to process data
(2) eap_peap: Continuing EAP-TLS
(2) eap_peap: Peer indicated complete TLS record size will be 151 bytes
(2) eap_peap: Got complete TLS record (151 bytes)
(2) eap_peap: [eaptls verify] = length included
(2) eap_peap: (other): before SSL initialization
(2) eap_peap: TLS_accept: before SSL initialization
(2) eap_peap: TLS_accept: before SSL initialization
(2) eap_peap: <<< recv UNKNOWN TLS VERSION ?0304? [length 0092]
(2) eap_peap: TLS_accept: SSLv3/TLS read client hello
(2) eap_peap: >>> send TLS 1.2 [length 003d]
(2) eap_peap: TLS_accept: SSLv3/TLS write server hello
(2) eap_peap: >>> send TLS 1.2 [length 08d3]
(2) eap_peap: TLS_accept: SSLv3/TLS write certificate
(2) eap_peap: >>> send TLS 1.2 [length 014d]
(2) eap_peap: TLS_accept: SSLv3/TLS write key exchange
(2) eap_peap: >>> send TLS 1.2 [length 0004]
(2) eap_peap: TLS_accept: SSLv3/TLS write server done
(2) eap_peap: TLS_accept: Need to read more data: SSLv3/TLS write server
done
(2) eap_peap: In SSL Handshake Phase
(2) eap_peap: In SSL Accept mode
(2) eap_peap: [eaptls process] = handled
(2) eap: Sending EAP Request (code 1) ID 86 length 1004
(2) eap: EAP session adding &reply:State = 0x8e5e79f88c086037
(2) [eap] = handled
(2) } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) Post-Auth-Type sub-section not found. Ignoring.
(2) # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(2) Sent Access-Challenge Id 84 from 192.168.1.27:1812 to 192.168.1.7:46948
length 0
(2) EAP-Message =
0x015603ec19c000000a75160303003d020000390303f4db561afcd51050dfe561afa580cdeba858176c028582f714c957d4f7bb5ebc00c030000011ff01000100000b0004030001020017000016030308d30b0008cf0008cc0003de308203da308202c2a003020102020101300d06092a864886f70d0101
(2) Message-Authenticator = 0x00000000000000000000000000000000
(2) State = 0x8e5e79f88c086037fcc8affbd9e63c1c
(2) Finished request
Waking up in 4.9 seconds.
(3) Received Access-Request Id 85 from 192.168.1.7:46948 to
192.168.1.27:1812 length 239
(3) User-Name = "oktaradius(a)contentful.com"
(3) NAS-IP-Address = 192.168.1.7
(3) NAS-Identifier = "F09FC2307B82DFB616DF"
(3) Called-Station-Id = "F0-9F-C2-32-7B-82:Seko"
(3) NAS-Port-Type = Wireless-802.11
(3) Service-Type = Framed-User
(3) Calling-Station-Id = "8C-85-90-C9-C4-A5"
(3) Connect-Info = "CONNECT 0Mbps 802.11b"
(3) Acct-Session-Id = "F4E3DF614E08A6E7"
(3) WLAN-Pairwise-Cipher = 1027076
(3) WLAN-Group-Cipher = 1027074
(3) WLAN-AKM-Suite = 1027073
(3) Framed-MTU = 1400
(3) EAP-Message = 0x025600061900
(3) State = 0x8e5e79f88c086037fcc8affbd9e63c1c
(3) Message-Authenticator = 0xc74b5d9b530183fb982c98cf1cb61978
(3) session-state: No cached attributes
(3) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(3) authorize {
(3) update control {
(3) Proxy-To-Realm := LOCAL
(3) } # update control = noop
(3) eap: Peer sent EAP Response (code 2) ID 86 length 6
(3) eap: Continuing tunnel setup
(3) [eap] = ok
(3) } # authorize = ok
(3) Found Auth-Type = eap
(3) # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(3) authenticate {
(3) eap: Expiring EAP session with state 0x8e5e79f88c086037
(3) eap: Finished EAP session with state 0x8e5e79f88c086037
(3) eap: Previous EAP request found for state 0x8e5e79f88c086037, released
from the list
(3) eap: Peer sent packet with method EAP PEAP (25)
(3) eap: Calling submodule eap_peap to process data
(3) eap_peap: Continuing EAP-TLS
(3) eap_peap: Peer ACKed our handshake fragment
(3) eap_peap: [eaptls verify] = request
(3) eap_peap: [eaptls process] = handled
(3) eap: Sending EAP Request (code 1) ID 87 length 1000
(3) eap: EAP session adding &reply:State = 0x8e5e79f88d096037
(3) [eap] = handled
(3) } # authenticate = handled
(3) Using Post-Auth-Type Challenge
(3) Post-Auth-Type sub-section not found. Ignoring.
(3) # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(3) Sent Access-Challenge Id 85 from 192.168.1.27:1812 to 192.168.1.7:46948
length 0
(3) EAP-Message =
0x015703e819401243396539a2f1ad1b6a17603569def5a0794b3af441b40273fd27a0361b18742b5e898d798d94b85c2aaa4ede14cfe7c5f7406c7d5eb178bc1e609fbfefb1920ce1f720d4bbd7ea7e4c91a2b00004e8308204e4308203cca003020102020900c803dae017bc13c5300d06092a864886f7
(3) Message-Authenticator = 0x00000000000000000000000000000000
(3) State = 0x8e5e79f88d096037fcc8affbd9e63c1c
(3) Finished request
Waking up in 4.9 seconds.
(4) Received Access-Request Id 86 from 192.168.1.7:46948 to
192.168.1.27:1812 length 239
(4) User-Name = "oktaradius(a)contentful.com"
(4) NAS-IP-Address = 192.168.1.7
(4) NAS-Identifier = "F09FC2307B82DFB616DF"
(4) Called-Station-Id = "F0-9F-C2-32-7B-82:Seko"
(4) NAS-Port-Type = Wireless-802.11
(4) Service-Type = Framed-User
(4) Calling-Station-Id = "8C-85-90-C9-C4-A5"
(4) Connect-Info = "CONNECT 0Mbps 802.11b"
(4) Acct-Session-Id = "F4E3DF614E08A6E7"
(4) WLAN-Pairwise-Cipher = 1027076
(4) WLAN-Group-Cipher = 1027074
(4) WLAN-AKM-Suite = 1027073
(4) Framed-MTU = 1400
(4) EAP-Message = 0x025700061900
(4) State = 0x8e5e79f88d096037fcc8affbd9e63c1c
(4) Message-Authenticator = 0xdc9c44ffb0df21479896a1ef75f141dc
(4) session-state: No cached attributes
(4) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(4) authorize {
(4) update control {
(4) Proxy-To-Realm := LOCAL
(4) } # update control = noop
(4) eap: Peer sent EAP Response (code 2) ID 87 length 6
(4) eap: Continuing tunnel setup
(4) [eap] = ok
(4) } # authorize = ok
(4) Found Auth-Type = eap
(4) # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(4) authenticate {
(4) eap: Expiring EAP session with state 0x8e5e79f88d096037
(4) eap: Finished EAP session with state 0x8e5e79f88d096037
(4) eap: Previous EAP request found for state 0x8e5e79f88d096037, released
from the list
(4) eap: Peer sent packet with method EAP PEAP (25)
(4) eap: Calling submodule eap_peap to process data
(4) eap_peap: Continuing EAP-TLS
(4) eap_peap: Peer ACKed our handshake fragment
(4) eap_peap: [eaptls verify] = request
(4) eap_peap: [eaptls process] = handled
(4) eap: Sending EAP Request (code 1) ID 88 length 695
(4) eap: EAP session adding &reply:State = 0x8e5e79f88a066037
(4) [eap] = handled
(4) } # authenticate = handled
(4) Using Post-Auth-Type Challenge
(4) Post-Auth-Type sub-section not found. Ignoring.
(4) # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(4) Sent Access-Challenge Id 86 from 192.168.1.27:1812 to 192.168.1.7:46948
length 0
(4) EAP-Message =
0x015802b719000101ff040530030101ff30360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e6f72672f6578616d706c655f63612e63726c300d06092a864886f70d01010b0500038201010093b7088d1eca7efc8d6342f26a50a6514cb1333be0b8cce368e35f
(4) Message-Authenticator = 0x00000000000000000000000000000000
(4) State = 0x8e5e79f88a066037fcc8affbd9e63c1c
(4) Finished request
Waking up in 4.9 seconds.
(5) Received Access-Request Id 87 from 192.168.1.7:46948 to
192.168.1.27:1812 length 369
(5) User-Name = "oktaradius(a)contentful.com"
(5) NAS-IP-Address = 192.168.1.7
(5) NAS-Identifier = "F09FC2307B82DFB616DF"
(5) Called-Station-Id = "F0-9F-C2-32-7B-82:Seko"
(5) NAS-Port-Type = Wireless-802.11
(5) Service-Type = Framed-User
(5) Calling-Station-Id = "8C-85-90-C9-C4-A5"
(5) Connect-Info = "CONNECT 0Mbps 802.11b"
(5) Acct-Session-Id = "F4E3DF614E08A6E7"
(5) WLAN-Pairwise-Cipher = 1027076
(5) WLAN-Group-Cipher = 1027074
(5) WLAN-AKM-Suite = 1027073
(5) Framed-MTU = 1400
(5) EAP-Message =
0x0258008819800000007e160303004610000042410455710645a086fa673b5651856435b29c766c56652862fd0d21dfd62e82d5da59671e9b36caf9cb6bb56a9a993f06dd9e3c68167322641401350a4c9765bb8d02140303000101160303002882a691998eb92a952bace837313d29a1bd6ecfef475925
(5) State = 0x8e5e79f88a066037fcc8affbd9e63c1c
(5) Message-Authenticator = 0x45dc3d64eb736878b8deb4327f70ae0a
(5) session-state: No cached attributes
(5) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(5) authorize {
(5) update control {
(5) Proxy-To-Realm := LOCAL
(5) } # update control = noop
(5) eap: Peer sent EAP Response (code 2) ID 88 length 136
(5) eap: Continuing tunnel setup
(5) [eap] = ok
(5) } # authorize = ok
(5) Found Auth-Type = eap
(5) # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(5) authenticate {
(5) eap: Expiring EAP session with state 0x8e5e79f88a066037
(5) eap: Finished EAP session with state 0x8e5e79f88a066037
(5) eap: Previous EAP request found for state 0x8e5e79f88a066037, released
from the list
(5) eap: Peer sent packet with method EAP PEAP (25)
(5) eap: Calling submodule eap_peap to process data
(5) eap_peap: Continuing EAP-TLS
(5) eap_peap: Peer indicated complete TLS record size will be 126 bytes
(5) eap_peap: Got complete TLS record (126 bytes)
(5) eap_peap: [eaptls verify] = length included
(5) eap_peap: TLS_accept: SSLv3/TLS write server done
(5) eap_peap: <<< recv TLS 1.2 [length 0046]
(5) eap_peap: TLS_accept: SSLv3/TLS read client key exchange
(5) eap_peap: TLS_accept: SSLv3/TLS read change cipher spec
(5) eap_peap: <<< recv TLS 1.2 [length 0010]
(5) eap_peap: TLS_accept: SSLv3/TLS read finished
(5) eap_peap: >>> send TLS 1.2 [length 0001]
(5) eap_peap: TLS_accept: SSLv3/TLS write change cipher spec
(5) eap_peap: >>> send TLS 1.2 [length 0010]
(5) eap_peap: TLS_accept: SSLv3/TLS write finished
(5) eap_peap: (other): SSL negotiation finished successfully
(5) eap_peap: SSL Connection Established
(5) eap_peap: [eaptls process] = handled
(5) eap: Sending EAP Request (code 1) ID 89 length 57
(5) eap: EAP session adding &reply:State = 0x8e5e79f88b076037
(5) [eap] = handled
(5) } # authenticate = handled
(5) Using Post-Auth-Type Challenge
(5) Post-Auth-Type sub-section not found. Ignoring.
(5) # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(5) Sent Access-Challenge Id 87 from 192.168.1.27:1812 to 192.168.1.7:46948
length 0
(5) EAP-Message =
0x01590039190014030300010116030300288508974cf000d696909a31bf90d9f19ddb9d0def8129361cb73755088827c94a02615ac39ed09a64
(5) Message-Authenticator = 0x00000000000000000000000000000000
(5) State = 0x8e5e79f88b076037fcc8affbd9e63c1c
(5) Finished request
Waking up in 4.9 seconds.
(6) Received Access-Request Id 88 from 192.168.1.7:46948 to
192.168.1.27:1812 length 239
(6) User-Name = "oktaradius(a)contentful.com"
(6) NAS-IP-Address = 192.168.1.7
(6) NAS-Identifier = "F09FC2307B82DFB616DF"
(6) Called-Station-Id = "F0-9F-C2-32-7B-82:Seko"
(6) NAS-Port-Type = Wireless-802.11
(6) Service-Type = Framed-User
(6) Calling-Station-Id = "8C-85-90-C9-C4-A5"
(6) Connect-Info = "CONNECT 0Mbps 802.11b"
(6) Acct-Session-Id = "F4E3DF614E08A6E7"
(6) WLAN-Pairwise-Cipher = 1027076
(6) WLAN-Group-Cipher = 1027074
(6) WLAN-AKM-Suite = 1027073
(6) Framed-MTU = 1400
(6) EAP-Message = 0x025900061900
(6) State = 0x8e5e79f88b076037fcc8affbd9e63c1c
(6) Message-Authenticator = 0x9730e87ff8802c126443c327dc21a5f4
(6) session-state: No cached attributes
(6) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(6) authorize {
(6) update control {
(6) Proxy-To-Realm := LOCAL
(6) } # update control = noop
(6) eap: Peer sent EAP Response (code 2) ID 89 length 6
(6) eap: Continuing tunnel setup
(6) [eap] = ok
(6) } # authorize = ok
(6) Found Auth-Type = eap
(6) # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(6) authenticate {
(6) eap: Expiring EAP session with state 0x8e5e79f88b076037
(6) eap: Finished EAP session with state 0x8e5e79f88b076037
(6) eap: Previous EAP request found for state 0x8e5e79f88b076037, released
from the list
(6) eap: Peer sent packet with method EAP PEAP (25)
(6) eap: Calling submodule eap_peap to process data
(6) eap_peap: Continuing EAP-TLS
(6) eap_peap: Peer ACKed our handshake fragment. handshake is finished
(6) eap_peap: [eaptls verify] = success
(6) eap_peap: [eaptls process] = success
(6) eap_peap: Session established. Decoding tunneled attributes
(6) eap_peap: PEAP state TUNNEL ESTABLISHED
(6) eap: Sending EAP Request (code 1) ID 90 length 40
(6) eap: EAP session adding &reply:State = 0x8e5e79f888046037
(6) [eap] = handled
(6) } # authenticate = handled
(6) Using Post-Auth-Type Challenge
(6) Post-Auth-Type sub-section not found. Ignoring.
(6) # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(6) Sent Access-Challenge Id 88 from 192.168.1.27:1812 to 192.168.1.7:46948
length 0
(6) EAP-Message =
0x015a00281900170303001d8508974cf000d697a71a53aaa45991383e25d9a758b07f5792b7018b30
(6) Message-Authenticator = 0x00000000000000000000000000000000
(6) State = 0x8e5e79f888046037fcc8affbd9e63c1c
(6) Finished request
Waking up in 4.9 seconds.
(7) Received Access-Request Id 89 from 192.168.1.7:46948 to
192.168.1.27:1812 length 294
(7) User-Name = "oktaradius(a)contentful.com"
(7) NAS-IP-Address = 192.168.1.7
(7) NAS-Identifier = "F09FC2307B82DFB616DF"
(7) Called-Station-Id = "F0-9F-C2-32-7B-82:Seko"
(7) NAS-Port-Type = Wireless-802.11
(7) Service-Type = Framed-User
(7) Calling-Station-Id = "8C-85-90-C9-C4-A5"
(7) Connect-Info = "CONNECT 0Mbps 802.11b"
(7) Acct-Session-Id = "F4E3DF614E08A6E7"
(7) WLAN-Pairwise-Cipher = 1027076
(7) WLAN-Group-Cipher = 1027074
(7) WLAN-AKM-Suite = 1027073
(7) Framed-MTU = 1400
(7) EAP-Message =
0x025a003d1900170303003282a691998eb92a966f0d81eac34e3e4935779ed2b220d2a00a184c329dab5b85aa3bb79f1e12c736377db8f54c344e0754ed
(7) State = 0x8e5e79f888046037fcc8affbd9e63c1c
(7) Message-Authenticator = 0xd57102506800bbb4f59d2688fbb14691
(7) session-state: No cached attributes
(7) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(7) authorize {
(7) update control {
(7) Proxy-To-Realm := LOCAL
(7) } # update control = noop
(7) eap: Peer sent EAP Response (code 2) ID 90 length 61
(7) eap: Continuing tunnel setup
(7) [eap] = ok
(7) } # authorize = ok
(7) Found Auth-Type = eap
(7) # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(7) authenticate {
(7) eap: Expiring EAP session with state 0x8e5e79f888046037
(7) eap: Finished EAP session with state 0x8e5e79f888046037
(7) eap: Previous EAP request found for state 0x8e5e79f888046037, released
from the list
(7) eap: Peer sent packet with method EAP PEAP (25)
(7) eap: Calling submodule eap_peap to process data
(7) eap_peap: Continuing EAP-TLS
(7) eap_peap: [eaptls verify] = ok
(7) eap_peap: Done initial handshake
(7) eap_peap: [eaptls process] = ok
(7) eap_peap: Session established. Decoding tunneled attributes
(7) eap_peap: PEAP state WAITING FOR INNER IDENTITY
(7) eap_peap: Identity - oktaradius(a)contentful.com
(7) eap_peap: Got inner identity 'oktaradius(a)contentful.com'
(7) eap_peap: Setting default EAP type for tunneled EAP session
(7) eap_peap: Got tunneled request
(7) eap_peap: EAP-Message =
0x025a001e016f6b746172616469757340636f6e74656e7466756c2e636f6d
(7) eap_peap: Setting User-Name to oktaradius(a)contentful.com
(7) eap_peap: Sending tunneled request to inner-tunnel
(7) eap_peap: EAP-Message =
0x025a001e016f6b746172616469757340636f6e74656e7466756c2e636f6d
(7) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(7) eap_peap: User-Name = "oktaradius(a)contentful.com"
(7) eap_peap: NAS-IP-Address = 192.168.1.7
(7) eap_peap: NAS-Identifier = "F09FC2307B82DFB616DF"
(7) eap_peap: Called-Station-Id = "F0-9F-C2-32-7B-82:Seko"
(7) eap_peap: NAS-Port-Type = Wireless-802.11
(7) eap_peap: Service-Type = Framed-User
(7) eap_peap: Calling-Station-Id = "8C-85-90-C9-C4-A5"
(7) eap_peap: Connect-Info = "CONNECT 0Mbps 802.11b"
(7) eap_peap: Acct-Session-Id = "F4E3DF614E08A6E7"
(7) eap_peap: WLAN-Pairwise-Cipher = 1027076
(7) eap_peap: WLAN-Group-Cipher = 1027074
(7) eap_peap: WLAN-AKM-Suite = 1027073
(7) eap_peap: Framed-MTU = 1400
(7) Virtual server inner-tunnel received request
(7) EAP-Message =
0x025a001e016f6b746172616469757340636f6e74656e7466756c2e636f6d
(7) FreeRADIUS-Proxied-To = 127.0.0.1
(7) User-Name = "oktaradius(a)contentful.com"
(7) NAS-IP-Address = 192.168.1.7
(7) NAS-Identifier = "F09FC2307B82DFB616DF"
(7) Called-Station-Id = "F0-9F-C2-32-7B-82:Seko"
(7) NAS-Port-Type = Wireless-802.11
(7) Service-Type = Framed-User
(7) Calling-Station-Id = "8C-85-90-C9-C4-A5"
(7) Connect-Info = "CONNECT 0Mbps 802.11b"
(7) Acct-Session-Id = "F4E3DF614E08A6E7"
(7) WLAN-Pairwise-Cipher = 1027076
(7) WLAN-Group-Cipher = 1027074
(7) WLAN-AKM-Suite = 1027073
(7) Framed-MTU = 1400
(7) WARNING: Outer and inner identities are the same. User privacy is
compromised.
(7) server inner-tunnel {
(7) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(7) authorize {
(7) update control {
(7) Proxy-To-Realm := LOCAL
(7) } # update control = noop
(7) eap: Peer sent EAP Response (code 2) ID 90 length 30
(7) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(7) [eap] = ok
(7) } # authorize = ok
(7) Found Auth-Type = eap
(7) # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(7) authenticate {
(7) eap: Peer sent packet with method EAP Identity (1)
(7) eap: Calling submodule eap_gtc to process data
(7) eap_gtc: EXPAND Password:
(7) eap_gtc: --> Password:
(7) eap: Sending EAP Request (code 1) ID 91 length 15
(7) eap: EAP session adding &reply:State = 0x79ff604279a466b1
(7) [eap] = handled
(7) } # authenticate = handled
(7) } # server inner-tunnel
(7) Virtual server sending reply
(7) EAP-Message = 0x015b000f0650617373776f72643a20
(7) Message-Authenticator = 0x00000000000000000000000000000000
(7) State = 0x79ff604279a466b12b6ee87c9d8fbc5d
(7) eap_peap: Got tunneled reply code 11
(7) eap_peap: EAP-Message = 0x015b000f0650617373776f72643a20
(7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(7) eap_peap: State = 0x79ff604279a466b12b6ee87c9d8fbc5d
(7) eap_peap: Got tunneled reply RADIUS code 11
(7) eap_peap: EAP-Message = 0x015b000f0650617373776f72643a20
(7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(7) eap_peap: State = 0x79ff604279a466b12b6ee87c9d8fbc5d
(7) eap_peap: Got tunneled Access-Challenge
(7) eap: Sending EAP Request (code 1) ID 91 length 46
(7) eap: EAP session adding &reply:State = 0x8e5e79f889056037
(7) [eap] = handled
(7) } # authenticate = handled
(7) Using Post-Auth-Type Challenge
(7) Post-Auth-Type sub-section not found. Ignoring.
(7) # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(7) Sent Access-Challenge Id 89 from 192.168.1.27:1812 to 192.168.1.7:46948
length 0
(7) EAP-Message =
0x015b002e190017030300238508974cf000d69867da188125406fdc050d056f13a39d134e659fb120e7ffd0c25d79
(7) Message-Authenticator = 0x00000000000000000000000000000000
(7) State = 0x8e5e79f889056037fcc8affbd9e63c1c
(7) Finished request
Waking up in 4.8 seconds.
(8) Received Access-Request Id 90 from 192.168.1.7:46948 to
192.168.1.27:1812 length 281
(8) User-Name = "oktaradius(a)contentful.com"
(8) NAS-IP-Address = 192.168.1.7
(8) NAS-Identifier = "F09FC2307B82DFB616DF"
(8) Called-Station-Id = "F0-9F-C2-32-7B-82:Seko"
(8) NAS-Port-Type = Wireless-802.11
(8) Service-Type = Framed-User
(8) Calling-Station-Id = "8C-85-90-C9-C4-A5"
(8) Connect-Info = "CONNECT 0Mbps 802.11b"
(8) Acct-Session-Id = "F4E3DF614E08A6E7"
(8) WLAN-Pairwise-Cipher = 1027076
(8) WLAN-Group-Cipher = 1027074
(8) WLAN-AKM-Suite = 1027073
(8) Framed-MTU = 1400
(8) EAP-Message =
0x025b00301900170303002582a691998eb92a9706f4341ff93a53d4cd6ca39019fc858d356fcb744312c377435348a313
(8) State = 0x8e5e79f889056037fcc8affbd9e63c1c
(8) Message-Authenticator = 0x793c2aa91adf8352b4d78227013b2880
(8) session-state: No cached attributes
(8) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(8) authorize {
(8) update control {
(8) Proxy-To-Realm := LOCAL
(8) } # update control = noop
(8) eap: Peer sent EAP Response (code 2) ID 91 length 48
(8) eap: Continuing tunnel setup
(8) [eap] = ok
(8) } # authorize = ok
(8) Found Auth-Type = eap
(8) # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(8) authenticate {
(8) eap: Expiring EAP session with state 0x79ff604279a466b1
(8) eap: Finished EAP session with state 0x8e5e79f889056037
(8) eap: Previous EAP request found for state 0x8e5e79f889056037, released
from the list
(8) eap: Peer sent packet with method EAP PEAP (25)
(8) eap: Calling submodule eap_peap to process data
(8) eap_peap: Continuing EAP-TLS
(8) eap_peap: [eaptls verify] = ok
(8) eap_peap: Done initial handshake
(8) eap_peap: [eaptls process] = ok
(8) eap_peap: Session established. Decoding tunneled attributes
(8) eap_peap: PEAP state phase2
(8) eap_peap: EAP method GTC (6)
(8) eap_peap: Got tunneled request
(8) eap_peap: EAP-Message = 0x025b001106426574415468657441313335
(8) eap_peap: Setting User-Name to oktaradius(a)contentful.com
(8) eap_peap: Sending tunneled request to inner-tunnel
(8) eap_peap: EAP-Message = 0x025b001106426574415468657441313335
(8) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(8) eap_peap: User-Name = "oktaradius(a)contentful.com"
(8) eap_peap: State = 0x79ff604279a466b12b6ee87c9d8fbc5d
(8) eap_peap: NAS-IP-Address = 192.168.1.7
(8) eap_peap: NAS-Identifier = "F09FC2307B82DFB616DF"
(8) eap_peap: Called-Station-Id = "F0-9F-C2-32-7B-82:Seko"
(8) eap_peap: NAS-Port-Type = Wireless-802.11
(8) eap_peap: Service-Type = Framed-User
(8) eap_peap: Calling-Station-Id = "8C-85-90-C9-C4-A5"
(8) eap_peap: Connect-Info = "CONNECT 0Mbps 802.11b"
(8) eap_peap: Acct-Session-Id = "F4E3DF614E08A6E7"
(8) eap_peap: WLAN-Pairwise-Cipher = 1027076
(8) eap_peap: WLAN-Group-Cipher = 1027074
(8) eap_peap: WLAN-AKM-Suite = 1027073
(8) eap_peap: Framed-MTU = 1400
(8) Virtual server inner-tunnel received request
(8) EAP-Message = 0x025b001106426574415468657441313335
(8) FreeRADIUS-Proxied-To = 127.0.0.1
(8) User-Name = "oktaradius(a)contentful.com"
(8) State = 0x79ff604279a466b12b6ee87c9d8fbc5d
(8) NAS-IP-Address = 192.168.1.7
(8) NAS-Identifier = "F09FC2307B82DFB616DF"
(8) Called-Station-Id = "F0-9F-C2-32-7B-82:Seko"
(8) NAS-Port-Type = Wireless-802.11
(8) Service-Type = Framed-User
(8) Calling-Station-Id = "8C-85-90-C9-C4-A5"
(8) Connect-Info = "CONNECT 0Mbps 802.11b"
(8) Acct-Session-Id = "F4E3DF614E08A6E7"
(8) WLAN-Pairwise-Cipher = 1027076
(8) WLAN-Group-Cipher = 1027074
(8) WLAN-AKM-Suite = 1027073
(8) Framed-MTU = 1400
(8) WARNING: Outer and inner identities are the same. User privacy is
compromised.
(8) server inner-tunnel {
(8) session-state: No cached attributes
(8) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(8) authorize {
(8) update control {
(8) Proxy-To-Realm := LOCAL
(8) } # update control = noop
(8) eap: Peer sent EAP Response (code 2) ID 91 length 17
(8) eap: No EAP Start, assuming it's an on-going EAP conversation
(8) [eap] = updated
(8) [pap] = noop
(8) if (User-Password) {
(8) if (User-Password) -> FALSE
(8) } # authorize = updated
(8) Found Auth-Type = eap
(8) # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(8) authenticate {
(8) eap: Expiring EAP session with state 0x79ff604279a466b1
(8) eap: Finished EAP session with state 0x79ff604279a466b1
(8) eap: Previous EAP request found for state 0x79ff604279a466b1, released
from the list
(8) eap: Peer sent packet with method EAP GTC (6)
(8) eap: Calling submodule eap_gtc to process data
(8) eap_gtc: # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(8) eap_gtc: Auth-Type PAP {
rlm_ldap (ldap): Reserved connection (0)
(8) ldap: Login attempt by "oktaradius(a)contentful.com"
(8) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(8) ldap: --> (uid=oktaradius(a)contentful.com)
(8) ldap: Performing search in "ou=users,dc=contentful, dc=oktapreview,
dc=com" with filter "(uid=oktaradius(a)contentful.com)", scope "sub"
(8) ldap: Waiting for search result...
(8) ldap: User object found at DN "uid=oktaradius(a)contentful.com
,ou=users,dc=contentful,dc=oktapreview,dc=com"
(8) ldap: Waiting for bind result...
(8) ldap: Bind successful
(8) ldap: Bind as user
"uid=oktaradius(a)contentful.com,ou=users,dc=contentful,dc=oktapreview,dc=com"
was successful
rlm_ldap (ldap): Released connection (0)
Need 5 more connections to reach 10 spares
rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots
used
rlm_ldap (ldap): Connecting to ldap://contentful.ldap.oktapreview.com:636
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(8) [ldap] = ok
(8) } # Auth-Type PAP = ok
(8) eap: Sending EAP Success (code 3) ID 91 length 4
(8) eap: Freeing handler
(8) [eap] = ok
(8) } # authenticate = ok
(8) # Executing section post-auth from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(8) } # server inner-tunnel
(8) Virtual server sending reply
(8) EAP-Message = 0x035b0004
(8) Message-Authenticator = 0x00000000000000000000000000000000
(8) User-Name = "oktaradius(a)contentful.com"
(8) eap_peap: Got tunneled reply code 2
(8) eap_peap: EAP-Message = 0x035b0004
(8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(8) eap_peap: User-Name = "oktaradius(a)contentful.com"
(8) eap_peap: Got tunneled reply RADIUS code 2
(8) eap_peap: EAP-Message = 0x035b0004
(8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(8) eap_peap: User-Name = "oktaradius(a)contentful.com"
(8) eap_peap: Tunneled authentication was successful
(8) eap_peap: SUCCESS
(8) eap_peap: Saving tunneled attributes for later
(8) eap: Sending EAP Request (code 1) ID 92 length 46
(8) eap: EAP session adding &reply:State = 0x8e5e79f886026037
(8) [eap] = handled
(8) } # authenticate = handled
(8) Using Post-Auth-Type Challenge
(8) Post-Auth-Type sub-section not found. Ignoring.
(8) # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(8) Sent Access-Challenge Id 90 from 192.168.1.27:1812 to 192.168.1.7:46948
length 0
(8) EAP-Message =
0x015c002e190017030300238508974cf000d699b2e5906ac3d4547d7f9db95aae8fe5d3e02fe12dd77ac882fbbf97
(8) Message-Authenticator = 0x00000000000000000000000000000000
(8) State = 0x8e5e79f886026037fcc8affbd9e63c1c
(8) Finished request
Waking up in 3.0 seconds.
Waking up in 3.0 seconds.
(0) Cleaning up request packet ID 82 with timestamp +39
(1) Cleaning up request packet ID 83 with timestamp +39
(2) Cleaning up request packet ID 84 with timestamp +39
(3) Cleaning up request packet ID 85 with timestamp +39
(4) Cleaning up request packet ID 86 with timestamp +39
(5) Cleaning up request packet ID 87 with timestamp +39
(6) Cleaning up request packet ID 88 with timestamp +39
(7) Cleaning up request packet ID 89 with timestamp +39
Waking up in 6.8 seconds.
(8) Cleaning up request packet ID 90 with timestamp +39
Ready to process requests
(9) Received Access-Request Id 91 from 192.168.1.7:40573 to
192.168.1.27:1812 length 245
(9) User-Name = "oktaradius(a)contentful.com"
(9) NAS-IP-Address = 192.168.1.7
(9) NAS-Identifier = "F09FC2307B82DFB616DF"
(9) Called-Station-Id = "F0-9F-C2-32-7B-82:Seko"
(9) NAS-Port-Type = Wireless-802.11
(9) Service-Type = Framed-User
(9) Calling-Station-Id = "8C-85-90-C9-C4-A5"
(9) Connect-Info = "CONNECT 0Mbps 802.11b"
(9) Acct-Session-Id = "F4E3DF614E08A6E7"
(9) WLAN-Pairwise-Cipher = 1027076
(9) WLAN-Group-Cipher = 1027074
(9) WLAN-AKM-Suite = 1027073
(9) Framed-MTU = 1400
(9) EAP-Message =
0x02ff001e016f6b746172616469757340636f6e74656e7466756c2e636f6d
(9) Message-Authenticator = 0x6814d8a702b65f36ca7679d3c30d6abf
(9) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(9) authorize {
(9) update control {
(9) Proxy-To-Realm := LOCAL
(9) } # update control = noop
(9) eap: Peer sent EAP Response (code 2) ID 255 length 30
(9) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(9) [eap] = ok
(9) } # authorize = ok
(9) Found Auth-Type = eap
(9) # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(9) authenticate {
(9) eap: Peer sent packet with method EAP Identity (1)
(9) eap: Calling submodule eap_tls to process data
(9) eap_tls: Initiating new EAP-TLS session
(9) eap_tls: Setting verify mode to require certificate from client
(9) eap_tls: [eaptls start] = request
(9) eap: Sending EAP Request (code 1) ID 0 length 6
(9) eap: EAP session adding &reply:State = 0x45a1b60045a1bb20
(9) [eap] = handled
(9) } # authenticate = handled
(9) Using Post-Auth-Type Challenge
(9) Post-Auth-Type sub-section not found. Ignoring.
(9) # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(9) Sent Access-Challenge Id 91 from 192.168.1.27:1812 to 192.168.1.7:40573
length 0
(9) EAP-Message = 0x010000060d20
(9) Message-Authenticator = 0x00000000000000000000000000000000
(9) State = 0x45a1b60045a1bb203cf58ce5a6130bac
(9) Finished request
Waking up in 4.9 seconds.
(10) Received Access-Request Id 92 from 192.168.1.7:40573 to
192.168.1.27:1812 length 241
(10) User-Name = "oktaradius(a)contentful.com"
(10) NAS-IP-Address = 192.168.1.7
(10) NAS-Identifier = "F09FC2307B82DFB616DF"
(10) Called-Station-Id = "F0-9F-C2-32-7B-82:Seko"
(10) NAS-Port-Type = Wireless-802.11
(10) Service-Type = Framed-User
(10) Calling-Station-Id = "8C-85-90-C9-C4-A5"
(10) Connect-Info = "CONNECT 0Mbps 802.11b"
(10) Acct-Session-Id = "F4E3DF614E08A6E7"
(10) WLAN-Pairwise-Cipher = 1027076
(10) WLAN-Group-Cipher = 1027074
(10) WLAN-AKM-Suite = 1027073
(10) Framed-MTU = 1400
(10) EAP-Message = 0x020000080319152b
(10) State = 0x45a1b60045a1bb203cf58ce5a6130bac
(10) Message-Authenticator = 0xd26c1062637c92beeaf01d2c1b916ad1
(10) session-state: No cached attributes
(10) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(10) authorize {
(10) update control {
(10) Proxy-To-Realm := LOCAL
(10) } # update control = noop
(10) eap: Peer sent EAP Response (code 2) ID 0 length 8
(10) eap: No EAP Start, assuming it's an on-going EAP conversation
(10) [eap] = updated
(10) [pap] = noop
(10) if (User-Password) {
(10) if (User-Password) -> FALSE
(10) } # authorize = updated
(10) Found Auth-Type = eap
(10) # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(10) authenticate {
(10) eap: Expiring EAP session with state 0x8e5e79f886026037
(10) eap: Finished EAP session with state 0x45a1b60045a1bb20
(10) eap: Previous EAP request found for state 0x45a1b60045a1bb20, released
from the list
(10) eap: Peer sent packet with method EAP NAK (3)
(10) eap: Found mutually acceptable type PEAP (25)
(10) eap: Calling submodule eap_peap to process data
(10) eap_peap: Initiating new EAP-TLS session
(10) eap_peap: [eaptls start] = request
(10) eap: Sending EAP Request (code 1) ID 1 length 6
(10) eap: EAP session adding &reply:State = 0x45a1b60044a0af20
(10) [eap] = handled
(10) } # authenticate = handled
(10) Using Post-Auth-Type Challenge
(10) Post-Auth-Type sub-section not found. Ignoring.
(10) # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(10) Sent Access-Challenge Id 92 from 192.168.1.27:1812 to 192.168.1.7:40573
length 0
(10) EAP-Message = 0x010100061920
(10) Message-Authenticator = 0x00000000000000000000000000000000
(10) State = 0x45a1b60044a0af203cf58ce5a6130bac
(10) Finished request
Waking up in 4.9 seconds.
(11) Received Access-Request Id 93 from 192.168.1.7:40573 to
192.168.1.27:1812 length 394
(11) User-Name = "oktaradius(a)contentful.com"
(11) NAS-IP-Address = 192.168.1.7
(11) NAS-Identifier = "F09FC2307B82DFB616DF"
(11) Called-Station-Id = "F0-9F-C2-32-7B-82:Seko"
(11) NAS-Port-Type = Wireless-802.11
(11) Service-Type = Framed-User
(11) Calling-Station-Id = "8C-85-90-C9-C4-A5"
(11) Connect-Info = "CONNECT 0Mbps 802.11b"
(11) Acct-Session-Id = "F4E3DF614E08A6E7"
(11) WLAN-Pairwise-Cipher = 1027076
(11) WLAN-Group-Cipher = 1027074
(11) WLAN-AKM-Suite = 1027073
(11) Framed-MTU = 1400
(11) EAP-Message =
0x020100a119800000009716030100920100008e03035d3b1e7215b3678f88d097ae9174a206a45b0ff2c31450ec4417b02c0a38eec800002c00ffc02cc02bc024c023c00ac009c008c030c02fc028c027c014c013c012009d009c003d003c0035002f000a01000039000a00080006001700180019000b00
(11) State = 0x45a1b60044a0af203cf58ce5a6130bac
(11) Message-Authenticator = 0x594cea32c50ad57f863d8a9ec6948b2e
(11) session-state: No cached attributes
(11) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(11) authorize {
(11) update control {
(11) Proxy-To-Realm := LOCAL
(11) } # update control = noop
(11) eap: Peer sent EAP Response (code 2) ID 1 length 161
(11) eap: Continuing tunnel setup
(11) [eap] = ok
(11) } # authorize = ok
(11) Found Auth-Type = eap
(11) # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(11) authenticate {
(11) eap: Expiring EAP session with state 0x8e5e79f886026037
(11) eap: Finished EAP session with state 0x45a1b60044a0af20
(11) eap: Previous EAP request found for state 0x45a1b60044a0af20, released
from the list
(11) eap: Peer sent packet with method EAP PEAP (25)
(11) eap: Calling submodule eap_peap to process data
(11) eap_peap: Continuing EAP-TLS
(11) eap_peap: Peer indicated complete TLS record size will be 151 bytes
(11) eap_peap: Got complete TLS record (151 bytes)
(11) eap_peap: [eaptls verify] = length included
(11) eap_peap: (other): before SSL initialization
(11) eap_peap: TLS_accept: before SSL initialization
(11) eap_peap: TLS_accept: before SSL initialization
(11) eap_peap: <<< recv UNKNOWN TLS VERSION ?0304? [length 0092]
(11) eap_peap: TLS_accept: SSLv3/TLS read client hello
(11) eap_peap: >>> send TLS 1.2 [length 003d]
(11) eap_peap: TLS_accept: SSLv3/TLS write server hello
(11) eap_peap: >>> send TLS 1.2 [length 08d3]
(11) eap_peap: TLS_accept: SSLv3/TLS write certificate
(11) eap_peap: >>> send TLS 1.2 [length 014d]
(11) eap_peap: TLS_accept: SSLv3/TLS write key exchange
(11) eap_peap: >>> send TLS 1.2 [length 0004]
(11) eap_peap: TLS_accept: SSLv3/TLS write server done
(11) eap_peap: TLS_accept: Need to read more data: SSLv3/TLS write server
done
(11) eap_peap: In SSL Handshake Phase
(11) eap_peap: In SSL Accept mode
(11) eap_peap: [eaptls process] = handled
(11) eap: Sending EAP Request (code 1) ID 2 length 1004
(11) eap: EAP session adding &reply:State = 0x45a1b60047a3af20
(11) [eap] = handled
(11) } # authenticate = handled
(11) Using Post-Auth-Type Challenge
(11) Post-Auth-Type sub-section not found. Ignoring.
(11) # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(11) Sent Access-Challenge Id 93 from 192.168.1.27:1812 to 192.168.1.7:40573
length 0
(11) EAP-Message =
0x010203ec19c000000a75160303003d020000390303af8f364d831067979b542ea739eaa440ab008d66ab057417430d84bddc45b08600c030000011ff01000100000b0004030001020017000016030308d30b0008cf0008cc0003de308203da308202c2a003020102020101300d06092a864886f70d0101
(11) Message-Authenticator = 0x00000000000000000000000000000000
(11) State = 0x45a1b60047a3af203cf58ce5a6130bac
(11) Finished request
Waking up in 4.9 seconds.
(12) Received Access-Request Id 94 from 192.168.1.7:40573 to
192.168.1.27:1812 length 239
(12) User-Name = "oktaradius(a)contentful.com"
(12) NAS-IP-Address = 192.168.1.7
(12) NAS-Identifier = "F09FC2307B82DFB616DF"
(12) Called-Station-Id = "F0-9F-C2-32-7B-82:Seko"
(12) NAS-Port-Type = Wireless-802.11
(12) Service-Type = Framed-User
(12) Calling-Station-Id = "8C-85-90-C9-C4-A5"
(12) Connect-Info = "CONNECT 0Mbps 802.11b"
(12) Acct-Session-Id = "F4E3DF614E08A6E7"
(12) WLAN-Pairwise-Cipher = 1027076
(12) WLAN-Group-Cipher = 1027074
(12) WLAN-AKM-Suite = 1027073
(12) Framed-MTU = 1400
(12) EAP-Message = 0x020200061900
(12) State = 0x45a1b60047a3af203cf58ce5a6130bac
(12) Message-Authenticator = 0x7de649bfa0533526fa345816cd065d6a
(12) session-state: No cached attributes
(12) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(12) authorize {
(12) update control {
(12) Proxy-To-Realm := LOCAL
(12) } # update control = noop
(12) eap: Peer sent EAP Response (code 2) ID 2 length 6
(12) eap: Continuing tunnel setup
(12) [eap] = ok
(12) } # authorize = ok
(12) Found Auth-Type = eap
(12) # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(12) authenticate {
(12) eap: Expiring EAP session with state 0x8e5e79f886026037
(12) eap: Finished EAP session with state 0x45a1b60047a3af20
(12) eap: Previous EAP request found for state 0x45a1b60047a3af20, released
from the list
(12) eap: Peer sent packet with method EAP PEAP (25)
(12) eap: Calling submodule eap_peap to process data
(12) eap_peap: Continuing EAP-TLS
(12) eap_peap: Peer ACKed our handshake fragment
(12) eap_peap: [eaptls verify] = request
(12) eap_peap: [eaptls process] = handled
(12) eap: Sending EAP Request (code 1) ID 3 length 1000
(12) eap: EAP session adding &reply:State = 0x45a1b60046a2af20
(12) [eap] = handled
(12) } # authenticate = handled
(12) Using Post-Auth-Type Challenge
(12) Post-Auth-Type sub-section not found. Ignoring.
(12) # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(12) Sent Access-Challenge Id 94 from 192.168.1.27:1812 to 192.168.1.7:40573
length 0
(12) EAP-Message =
0x010303e819401243396539a2f1ad1b6a17603569def5a0794b3af441b40273fd27a0361b18742b5e898d798d94b85c2aaa4ede14cfe7c5f7406c7d5eb178bc1e609fbfefb1920ce1f720d4bbd7ea7e4c91a2b00004e8308204e4308203cca003020102020900c803dae017bc13c5300d06092a864886f7
(12) Message-Authenticator = 0x00000000000000000000000000000000
(12) State = 0x45a1b60046a2af203cf58ce5a6130bac
(12) Finished request
Waking up in 4.9 seconds.
(13) Received Access-Request Id 95 from 192.168.1.7:40573 to
192.168.1.27:1812 length 239
(13) User-Name = "oktaradius(a)contentful.com"
(13) NAS-IP-Address = 192.168.1.7
(13) NAS-Identifier = "F09FC2307B82DFB616DF"
(13) Called-Station-Id = "F0-9F-C2-32-7B-82:Seko"
(13) NAS-Port-Type = Wireless-802.11
(13) Service-Type = Framed-User
(13) Calling-Station-Id = "8C-85-90-C9-C4-A5"
(13) Connect-Info = "CONNECT 0Mbps 802.11b"
(13) Acct-Session-Id = "F4E3DF614E08A6E7"
(13) WLAN-Pairwise-Cipher = 1027076
(13) WLAN-Group-Cipher = 1027074
(13) WLAN-AKM-Suite = 1027073
(13) Framed-MTU = 1400
(13) EAP-Message = 0x020300061900
(13) State = 0x45a1b60046a2af203cf58ce5a6130bac
(13) Message-Authenticator = 0xc28f2af0b0b0b49e5b2414cf69a55d65
(13) session-state: No cached attributes
(13) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(13) authorize {
(13) update control {
(13) Proxy-To-Realm := LOCAL
(13) } # update control = noop
(13) eap: Peer sent EAP Response (code 2) ID 3 length 6
(13) eap: Continuing tunnel setup
(13) [eap] = ok
(13) } # authorize = ok
(13) Found Auth-Type = eap
(13) # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(13) authenticate {
(13) eap: Expiring EAP session with state 0x8e5e79f886026037
(13) eap: Finished EAP session with state 0x45a1b60046a2af20
(13) eap: Previous EAP request found for state 0x45a1b60046a2af20, released
from the list
(13) eap: Peer sent packet with method EAP PEAP (25)
(13) eap: Calling submodule eap_peap to process data
(13) eap_peap: Continuing EAP-TLS
(13) eap_peap: Peer ACKed our handshake fragment
(13) eap_peap: [eaptls verify] = request
(13) eap_peap: [eaptls process] = handled
(13) eap: Sending EAP Request (code 1) ID 4 length 695
(13) eap: EAP session adding &reply:State = 0x45a1b60041a5af20
(13) [eap] = handled
(13) } # authenticate = handled
(13) Using Post-Auth-Type Challenge
(13) Post-Auth-Type sub-section not found. Ignoring.
(13) # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(13) Sent Access-Challenge Id 95 from 192.168.1.27:1812 to 192.168.1.7:40573
length 0
(13) EAP-Message =
0x010402b719000101ff040530030101ff30360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e6f72672f6578616d706c655f63612e63726c300d06092a864886f70d01010b0500038201010093b7088d1eca7efc8d6342f26a50a6514cb1333be0b8cce368e35f
(13) Message-Authenticator = 0x00000000000000000000000000000000
(13) State = 0x45a1b60041a5af203cf58ce5a6130bac
(13) Finished request
Waking up in 4.9 seconds.
(14) Received Access-Request Id 96 from 192.168.1.7:40573 to
192.168.1.27:1812 length 369
(14) User-Name = "oktaradius(a)contentful.com"
(14) NAS-IP-Address = 192.168.1.7
(14) NAS-Identifier = "F09FC2307B82DFB616DF"
(14) Called-Station-Id = "F0-9F-C2-32-7B-82:Seko"
(14) NAS-Port-Type = Wireless-802.11
(14) Service-Type = Framed-User
(14) Calling-Station-Id = "8C-85-90-C9-C4-A5"
(14) Connect-Info = "CONNECT 0Mbps 802.11b"
(14) Acct-Session-Id = "F4E3DF614E08A6E7"
(14) WLAN-Pairwise-Cipher = 1027076
(14) WLAN-Group-Cipher = 1027074
(14) WLAN-AKM-Suite = 1027073
(14) Framed-MTU = 1400
(14) EAP-Message =
0x0204008819800000007e160303004610000042410489af273349ec0aff39ef9b564988ef3fcc4972fb8903571c2dd74944f09cb378d5cd184f17c90f37cbfd46fcbcf3f592510e4aaa79bd7af5e85b9cfeb6fe18f91403030001011603030028809cad750f6dbea104571008c2ec8a3004448fddd75f8d
(14) State = 0x45a1b60041a5af203cf58ce5a6130bac
(14) Message-Authenticator = 0x1619952b015d109a3971e25afe8d6c71
(14) session-state: No cached attributes
(14) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(14) authorize {
(14) update control {
(14) Proxy-To-Realm := LOCAL
(14) } # update control = noop
(14) eap: Peer sent EAP Response (code 2) ID 4 length 136
(14) eap: Continuing tunnel setup
(14) [eap] = ok
(14) } # authorize = ok
(14) Found Auth-Type = eap
(14) # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(14) authenticate {
(14) eap: Expiring EAP session with state 0x8e5e79f886026037
(14) eap: Finished EAP session with state 0x45a1b60041a5af20
(14) eap: Previous EAP request found for state 0x45a1b60041a5af20, released
from the list
(14) eap: Peer sent packet with method EAP PEAP (25)
(14) eap: Calling submodule eap_peap to process data
(14) eap_peap: Continuing EAP-TLS
(14) eap_peap: Peer indicated complete TLS record size will be 126 bytes
(14) eap_peap: Got complete TLS record (126 bytes)
(14) eap_peap: [eaptls verify] = length included
(14) eap_peap: TLS_accept: SSLv3/TLS write server done
(14) eap_peap: <<< recv TLS 1.2 [length 0046]
(14) eap_peap: TLS_accept: SSLv3/TLS read client key exchange
(14) eap_peap: TLS_accept: SSLv3/TLS read change cipher spec
(14) eap_peap: <<< recv TLS 1.2 [length 0010]
(14) eap_peap: TLS_accept: SSLv3/TLS read finished
(14) eap_peap: >>> send TLS 1.2 [length 0001]
(14) eap_peap: TLS_accept: SSLv3/TLS write change cipher spec
(14) eap_peap: >>> send TLS 1.2 [length 0010]
(14) eap_peap: TLS_accept: SSLv3/TLS write finished
(14) eap_peap: (other): SSL negotiation finished successfully
(14) eap_peap: SSL Connection Established
(14) eap_peap: [eaptls process] = handled
(14) eap: Sending EAP Request (code 1) ID 5 length 57
(14) eap: EAP session adding &reply:State = 0x45a1b60040a4af20
(14) [eap] = handled
(14) } # authenticate = handled
(14) Using Post-Auth-Type Challenge
(14) Post-Auth-Type sub-section not found. Ignoring.
(14) # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(14) Sent Access-Challenge Id 96 from 192.168.1.27:1812 to 192.168.1.7:40573
length 0
(14) EAP-Message =
0x0105003919001403030001011603030028d50708081d6cd0f58618ff3be735cc543b658761fdbcb9c916f17f8e5c75ea2d052c68aa9d948577
(14) Message-Authenticator = 0x00000000000000000000000000000000
(14) State = 0x45a1b60040a4af203cf58ce5a6130bac
(14) Finished request
Waking up in 4.9 seconds.
(15) Received Access-Request Id 97 from 192.168.1.7:40573 to
192.168.1.27:1812 length 239
(15) User-Name = "oktaradius(a)contentful.com"
(15) NAS-IP-Address = 192.168.1.7
(15) NAS-Identifier = "F09FC2307B82DFB616DF"
(15) Called-Station-Id = "F0-9F-C2-32-7B-82:Seko"
(15) NAS-Port-Type = Wireless-802.11
(15) Service-Type = Framed-User
(15) Calling-Station-Id = "8C-85-90-C9-C4-A5"
(15) Connect-Info = "CONNECT 0Mbps 802.11b"
(15) Acct-Session-Id = "F4E3DF614E08A6E7"
(15) WLAN-Pairwise-Cipher = 1027076
(15) WLAN-Group-Cipher = 1027074
(15) WLAN-AKM-Suite = 1027073
(15) Framed-MTU = 1400
(15) EAP-Message = 0x020500061900
(15) State = 0x45a1b60040a4af203cf58ce5a6130bac
(15) Message-Authenticator = 0x90b0f463f5ece750c76938493bef73e4
(15) session-state: No cached attributes
(15) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(15) authorize {
(15) update control {
(15) Proxy-To-Realm := LOCAL
(15) } # update control = noop
(15) eap: Peer sent EAP Response (code 2) ID 5 length 6
(15) eap: Continuing tunnel setup
(15) [eap] = ok
(15) } # authorize = ok
(15) Found Auth-Type = eap
(15) # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(15) authenticate {
(15) eap: Expiring EAP session with state 0x8e5e79f886026037
(15) eap: Finished EAP session with state 0x45a1b60040a4af20
(15) eap: Previous EAP request found for state 0x45a1b60040a4af20, released
from the list
(15) eap: Peer sent packet with method EAP PEAP (25)
(15) eap: Calling submodule eap_peap to process data
(15) eap_peap: Continuing EAP-TLS
(15) eap_peap: Peer ACKed our handshake fragment. handshake is finished
(15) eap_peap: [eaptls verify] = success
(15) eap_peap: [eaptls process] = success
(15) eap_peap: Session established. Decoding tunneled attributes
(15) eap_peap: PEAP state TUNNEL ESTABLISHED
(15) eap: Sending EAP Request (code 1) ID 6 length 40
(15) eap: EAP session adding &reply:State = 0x45a1b60043a7af20
(15) [eap] = handled
(15) } # authenticate = handled
(15) Using Post-Auth-Type Challenge
(15) Post-Auth-Type sub-section not found. Ignoring.
(15) # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(15) Sent Access-Challenge Id 97 from 192.168.1.27:1812 to 192.168.1.7:40573
length 0
(15) EAP-Message =
0x010600281900170303001dd50708081d6cd0f6eebf0296c3de40ed139ef68f1f5f6d24dca9580567
(15) Message-Authenticator = 0x00000000000000000000000000000000
(15) State = 0x45a1b60043a7af203cf58ce5a6130bac
(15) Finished request
Waking up in 4.9 seconds.
(16) Received Access-Request Id 98 from 192.168.1.7:40573 to
192.168.1.27:1812 length 294
(16) User-Name = "oktaradius(a)contentful.com"
(16) NAS-IP-Address = 192.168.1.7
(16) NAS-Identifier = "F09FC2307B82DFB616DF"
(16) Called-Station-Id = "F0-9F-C2-32-7B-82:Seko"
(16) NAS-Port-Type = Wireless-802.11
(16) Service-Type = Framed-User
(16) Calling-Station-Id = "8C-85-90-C9-C4-A5"
(16) Connect-Info = "CONNECT 0Mbps 802.11b"
(16) Acct-Session-Id = "F4E3DF614E08A6E7"
(16) WLAN-Pairwise-Cipher = 1027076
(16) WLAN-Group-Cipher = 1027074
(16) WLAN-AKM-Suite = 1027073
(16) Framed-MTU = 1400
(16) EAP-Message =
0x0206003d19001703030032809cad750f6dbea296105b25d092639083e9f94364d1542cb7346480cd940bb4db72582cbab017c3eb64fcd418b590f53045
(16) State = 0x45a1b60043a7af203cf58ce5a6130bac
(16) Message-Authenticator = 0x30f9a4cf8ef936618752f4c9cde86cca
(16) session-state: No cached attributes
(16) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(16) authorize {
(16) update control {
(16) Proxy-To-Realm := LOCAL
(16) } # update control = noop
(16) eap: Peer sent EAP Response (code 2) ID 6 length 61
(16) eap: Continuing tunnel setup
(16) [eap] = ok
(16) } # authorize = ok
(16) Found Auth-Type = eap
(16) # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(16) authenticate {
(16) eap: Expiring EAP session with state 0x8e5e79f886026037
(16) eap: Finished EAP session with state 0x45a1b60043a7af20
(16) eap: Previous EAP request found for state 0x45a1b60043a7af20, released
from the list
(16) eap: Peer sent packet with method EAP PEAP (25)
(16) eap: Calling submodule eap_peap to process data
(16) eap_peap: Continuing EAP-TLS
(16) eap_peap: [eaptls verify] = ok
(16) eap_peap: Done initial handshake
(16) eap_peap: [eaptls process] = ok
(16) eap_peap: Session established. Decoding tunneled attributes
(16) eap_peap: PEAP state WAITING FOR INNER IDENTITY
(16) eap_peap: Identity - oktaradius(a)contentful.com
(16) eap_peap: Got inner identity 'oktaradius(a)contentful.com'
(16) eap_peap: Setting default EAP type for tunneled EAP session
(16) eap_peap: Got tunneled request
(16) eap_peap: EAP-Message =
0x0206001e016f6b746172616469757340636f6e74656e7466756c2e636f6d
(16) eap_peap: Setting User-Name to oktaradius(a)contentful.com
(16) eap_peap: Sending tunneled request to inner-tunnel
(16) eap_peap: EAP-Message =
0x0206001e016f6b746172616469757340636f6e74656e7466756c2e636f6d
(16) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(16) eap_peap: User-Name = "oktaradius(a)contentful.com"
(16) eap_peap: NAS-IP-Address = 192.168.1.7
(16) eap_peap: NAS-Identifier = "F09FC2307B82DFB616DF"
(16) eap_peap: Called-Station-Id = "F0-9F-C2-32-7B-82:Seko"
(16) eap_peap: NAS-Port-Type = Wireless-802.11
(16) eap_peap: Service-Type = Framed-User
(16) eap_peap: Calling-Station-Id = "8C-85-90-C9-C4-A5"
(16) eap_peap: Connect-Info = "CONNECT 0Mbps 802.11b"
(16) eap_peap: Acct-Session-Id = "F4E3DF614E08A6E7"
(16) eap_peap: WLAN-Pairwise-Cipher = 1027076
(16) eap_peap: WLAN-Group-Cipher = 1027074
(16) eap_peap: WLAN-AKM-Suite = 1027073
(16) eap_peap: Framed-MTU = 1400
(16) Virtual server inner-tunnel received request
(16) EAP-Message =
0x0206001e016f6b746172616469757340636f6e74656e7466756c2e636f6d
(16) FreeRADIUS-Proxied-To = 127.0.0.1
(16) User-Name = "oktaradius(a)contentful.com"
(16) NAS-IP-Address = 192.168.1.7
(16) NAS-Identifier = "F09FC2307B82DFB616DF"
(16) Called-Station-Id = "F0-9F-C2-32-7B-82:Seko"
(16) NAS-Port-Type = Wireless-802.11
(16) Service-Type = Framed-User
(16) Calling-Station-Id = "8C-85-90-C9-C4-A5"
(16) Connect-Info = "CONNECT 0Mbps 802.11b"
(16) Acct-Session-Id = "F4E3DF614E08A6E7"
(16) WLAN-Pairwise-Cipher = 1027076
(16) WLAN-Group-Cipher = 1027074
(16) WLAN-AKM-Suite = 1027073
(16) Framed-MTU = 1400
(16) WARNING: Outer and inner identities are the same. User privacy is
compromised.
(16) server inner-tunnel {
(16) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(16) authorize {
(16) update control {
(16) Proxy-To-Realm := LOCAL
(16) } # update control = noop
(16) eap: Peer sent EAP Response (code 2) ID 6 length 30
(16) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(16) [eap] = ok
(16) } # authorize = ok
(16) Found Auth-Type = eap
(16) # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(16) authenticate {
(16) eap: Peer sent packet with method EAP Identity (1)
(16) eap: Calling submodule eap_gtc to process data
(16) eap_gtc: EXPAND Password:
(16) eap_gtc: --> Password:
(16) eap: Sending EAP Request (code 1) ID 7 length 15
(16) eap: EAP session adding &reply:State = 0x3a620f0e3a650909
(16) [eap] = handled
(16) } # authenticate = handled
(16) } # server inner-tunnel
(16) Virtual server sending reply
(16) EAP-Message = 0x0107000f0650617373776f72643a20
(16) Message-Authenticator = 0x00000000000000000000000000000000
(16) State = 0x3a620f0e3a6509095b1e601543adb3d7
(16) eap_peap: Got tunneled reply code 11
(16) eap_peap: EAP-Message = 0x0107000f0650617373776f72643a20
(16) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(16) eap_peap: State = 0x3a620f0e3a6509095b1e601543adb3d7
(16) eap_peap: Got tunneled reply RADIUS code 11
(16) eap_peap: EAP-Message = 0x0107000f0650617373776f72643a20
(16) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(16) eap_peap: State = 0x3a620f0e3a6509095b1e601543adb3d7
(16) eap_peap: Got tunneled Access-Challenge
(16) eap: Sending EAP Request (code 1) ID 7 length 46
(16) eap: EAP session adding &reply:State = 0x45a1b60042a6af20
(16) [eap] = handled
(16) } # authenticate = handled
(16) Using Post-Auth-Type Challenge
(16) Post-Auth-Type sub-section not found. Ignoring.
(16) # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(16) Sent Access-Challenge Id 98 from 192.168.1.27:1812 to 192.168.1.7:40573
length 0
(16) EAP-Message =
0x0107002e19001703030023d50708081d6cd0f7081aeb7d5b48735ede48e96b552ab53673ac37d4aa7fe1f7caadd0
(16) Message-Authenticator = 0x00000000000000000000000000000000
(16) State = 0x45a1b60042a6af203cf58ce5a6130bac
(16) Finished request
Waking up in 4.9 seconds.
(17) Received Access-Request Id 99 from 192.168.1.7:40573 to
192.168.1.27:1812 length 281
(17) User-Name = "oktaradius(a)contentful.com"
(17) NAS-IP-Address = 192.168.1.7
(17) NAS-Identifier = "F09FC2307B82DFB616DF"
(17) Called-Station-Id = "F0-9F-C2-32-7B-82:Seko"
(17) NAS-Port-Type = Wireless-802.11
(17) Service-Type = Framed-User
(17) Calling-Station-Id = "8C-85-90-C9-C4-A5"
(17) Connect-Info = "CONNECT 0Mbps 802.11b"
(17) Acct-Session-Id = "F4E3DF614E08A6E7"
(17) WLAN-Pairwise-Cipher = 1027076
(17) WLAN-Group-Cipher = 1027074
(17) WLAN-AKM-Suite = 1027073
(17) Framed-MTU = 1400
(17) EAP-Message =
0x0207003019001703030025809cad750f6dbea3f1a1f30ac18a7a24bba1605a37789e2b425d90c1973b4210e9111e2b40
(17) State = 0x45a1b60042a6af203cf58ce5a6130bac
(17) Message-Authenticator = 0x9fd2a36dd28c1f5e53e1c8e60cfc589e
(17) session-state: No cached attributes
(17) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(17) authorize {
(17) update control {
(17) Proxy-To-Realm := LOCAL
(17) } # update control = noop
(17) eap: Peer sent EAP Response (code 2) ID 7 length 48
(17) eap: Continuing tunnel setup
(17) [eap] = ok
(17) } # authorize = ok
(17) Found Auth-Type = eap
(17) # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(17) authenticate {
(17) eap: Expiring EAP session with state 0x8e5e79f886026037
(17) eap: Finished EAP session with state 0x45a1b60042a6af20
(17) eap: Previous EAP request found for state 0x45a1b60042a6af20, released
from the list
(17) eap: Peer sent packet with method EAP PEAP (25)
(17) eap: Calling submodule eap_peap to process data
(17) eap_peap: Continuing EAP-TLS
(17) eap_peap: [eaptls verify] = ok
(17) eap_peap: Done initial handshake
(17) eap_peap: [eaptls process] = ok
(17) eap_peap: Session established. Decoding tunneled attributes
(17) eap_peap: PEAP state phase2
(17) eap_peap: EAP method GTC (6)
(17) eap_peap: Got tunneled request
(17) eap_peap: EAP-Message = 0x0207001106426574415468657441313335
(17) eap_peap: Setting User-Name to oktaradius(a)contentful.com
(17) eap_peap: Sending tunneled request to inner-tunnel
(17) eap_peap: EAP-Message = 0x0207001106426574415468657441313335
(17) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(17) eap_peap: User-Name = "oktaradius(a)contentful.com"
(17) eap_peap: State = 0x3a620f0e3a6509095b1e601543adb3d7
(17) eap_peap: NAS-IP-Address = 192.168.1.7
(17) eap_peap: NAS-Identifier = "F09FC2307B82DFB616DF"
(17) eap_peap: Called-Station-Id = "F0-9F-C2-32-7B-82:Seko"
(17) eap_peap: NAS-Port-Type = Wireless-802.11
(17) eap_peap: Service-Type = Framed-User
(17) eap_peap: Calling-Station-Id = "8C-85-90-C9-C4-A5"
(17) eap_peap: Connect-Info = "CONNECT 0Mbps 802.11b"
(17) eap_peap: Acct-Session-Id = "F4E3DF614E08A6E7"
(17) eap_peap: WLAN-Pairwise-Cipher = 1027076
(17) eap_peap: WLAN-Group-Cipher = 1027074
(17) eap_peap: WLAN-AKM-Suite = 1027073
(17) eap_peap: Framed-MTU = 1400
(17) Virtual server inner-tunnel received request
(17) EAP-Message = 0x0207001106426574415468657441313335
(17) FreeRADIUS-Proxied-To = 127.0.0.1
(17) User-Name = "oktaradius(a)contentful.com"
(17) State = 0x3a620f0e3a6509095b1e601543adb3d7
(17) NAS-IP-Address = 192.168.1.7
(17) NAS-Identifier = "F09FC2307B82DFB616DF"
(17) Called-Station-Id = "F0-9F-C2-32-7B-82:Seko"
(17) NAS-Port-Type = Wireless-802.11
(17) Service-Type = Framed-User
(17) Calling-Station-Id = "8C-85-90-C9-C4-A5"
(17) Connect-Info = "CONNECT 0Mbps 802.11b"
(17) Acct-Session-Id = "F4E3DF614E08A6E7"
(17) WLAN-Pairwise-Cipher = 1027076
(17) WLAN-Group-Cipher = 1027074
(17) WLAN-AKM-Suite = 1027073
(17) Framed-MTU = 1400
(17) WARNING: Outer and inner identities are the same. User privacy is
compromised.
(17) server inner-tunnel {
(17) session-state: No cached attributes
(17) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(17) authorize {
(17) update control {
(17) Proxy-To-Realm := LOCAL
(17) } # update control = noop
(17) eap: Peer sent EAP Response (code 2) ID 7 length 17
(17) eap: No EAP Start, assuming it's an on-going EAP conversation
(17) [eap] = updated
(17) [pap] = noop
(17) if (User-Password) {
(17) if (User-Password) -> FALSE
(17) } # authorize = updated
(17) Found Auth-Type = eap
(17) # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(17) authenticate {
(17) eap: Expiring EAP session with state 0x8e5e79f886026037
(17) eap: Finished EAP session with state 0x3a620f0e3a650909
(17) eap: Previous EAP request found for state 0x3a620f0e3a650909, released
from the list
(17) eap: Peer sent packet with method EAP GTC (6)
(17) eap: Calling submodule eap_gtc to process data
(17) eap_gtc: # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(17) eap_gtc: Auth-Type PAP {
rlm_ldap (ldap): Closing connection (1): Hit idle_timeout, was idle for 72
seconds
rlm_ldap (ldap): Closing connection (2): Hit idle_timeout, was idle for 71
seconds
rlm_ldap (ldap): Closing connection (3): Hit idle_timeout, was idle for 70
seconds
rlm_ldap (ldap): Closing connection (4): Hit idle_timeout, was idle for 69
seconds
rlm_ldap (ldap): You probably need to lower "min"
rlm_ldap (ldap): Reserved connection (0)
(17) ldap: Login attempt by "oktaradius(a)contentful.com"
(17) ldap: Waiting for bind result...
(17) ldap: Bind successful
(17) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(17) ldap: --> (uid=oktaradius(a)contentful.com)
(17) ldap: Performing search in "ou=users,dc=contentful, dc=oktapreview,
dc=com" with filter "(uid=oktaradius(a)contentful.com)", scope "sub"
(17) ldap: Waiting for search result...
(17) ldap: User object found at DN "uid=oktaradius(a)contentful.com
,ou=users,dc=contentful,dc=oktapreview,dc=com"
(17) ldap: Waiting for bind result...
(17) ldap: Bind successful
(17) ldap: Bind as user
"uid=oktaradius(a)contentful.com,ou=users,dc=contentful,dc=oktapreview,dc=com"
was successful
rlm_ldap (ldap): Released connection (0)
Need 1 more connections to reach min connections (3)
rlm_ldap (ldap): Opening additional connection (6), 1 of 30 pending slots
used
rlm_ldap (ldap): Connecting to ldap://contentful.ldap.oktapreview.com:636
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(17) [ldap] = ok
(17) } # Auth-Type PAP = ok
(17) eap: Sending EAP Success (code 3) ID 7 length 4
(17) eap: Freeing handler
(17) [eap] = ok
(17) } # authenticate = ok
(17) # Executing section post-auth from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(17) } # server inner-tunnel
(17) Virtual server sending reply
(17) EAP-Message = 0x03070004
(17) Message-Authenticator = 0x00000000000000000000000000000000
(17) User-Name = "oktaradius(a)contentful.com"
(17) eap_peap: Got tunneled reply code 2
(17) eap_peap: EAP-Message = 0x03070004
(17) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(17) eap_peap: User-Name = "oktaradius(a)contentful.com"
(17) eap_peap: Got tunneled reply RADIUS code 2
(17) eap_peap: EAP-Message = 0x03070004
(17) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(17) eap_peap: User-Name = "oktaradius(a)contentful.com"
(17) eap_peap: Tunneled authentication was successful
(17) eap_peap: SUCCESS
(17) eap_peap: Saving tunneled attributes for later
(17) eap: Sending EAP Request (code 1) ID 8 length 46
(17) eap: EAP session adding &reply:State = 0x45a1b6004da9af20
(17) [eap] = handled
(17) } # authenticate = handled
(17) Using Post-Auth-Type Challenge
(17) Post-Auth-Type sub-section not found. Ignoring.
(17) # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(17) Sent Access-Challenge Id 99 from 192.168.1.27:1812 to 192.168.1.7:40573
length 0
(17) EAP-Message =
0x0108002e19001703030023d50708081d6cd0f8afcb22e0f8e0332255e42661c24882389b0d4b344c5bc5d07a9ece
(17) Message-Authenticator = 0x00000000000000000000000000000000
(17) State = 0x45a1b6004da9af203cf58ce5a6130bac
(17) Finished request
Waking up in 2.6 seconds.
(9) Cleaning up request packet ID 91 with timestamp +69
(10) Cleaning up request packet ID 92 with timestamp +69
(11) Cleaning up request packet ID 93 with timestamp +69
(12) Cleaning up request packet ID 94 with timestamp +69
(13) Cleaning up request packet ID 95 with timestamp +69
(14) Cleaning up request packet ID 96 with timestamp +69
(15) Cleaning up request packet ID 97 with timestamp +69
(16) Cleaning up request packet ID 98 with timestamp +69
Waking up in 2.2 seconds.
(17) Cleaning up request packet ID 99 with timestamp +69
Ready to process requests
what do you think ?
--
Nawar Al Tarazi
IT Working Student
nawar.tarazi(a)contentful.com
+4915787991702
www.contentful.com
2
3
Hello...
I've configure radippool module and I have a issue.
Clients can get IP from radippool table normally, but the table still
empty, looks like Freeradius don't write with the data from client.
Thanks!
2
8
Hello,
I'm configuring a server that is connected to a 389ds (ldap) server and to an AD
server for authentication and authorization (on AD, authentication is performed
through ntlm_auth and authorization, i.e.group membership checking, through ldap
protocol)
Authentication is made forcing Auth-Type according to User-Name in the authorize
section through a regex
if ( "%{User-Name}" =~ /[a-z]+[\.]{1}[a-z]+/) {
update control {
Auth-Type := ntlm_auth
}
}
else{
update control {
Auth-Type := ldap
}
}
and it works, as i can authenticate user scailotto on 389ds and stefano.cailotto
on AD with ntlm_auth.
Authorization too works flawlessly if In the authorize section I use only one
kind of server (ldap1 (389ds) works for user scailotto, ad_corporate_1 works for
stefano.cailotto)
The main problem arises when radius tries to match group membership for the
user, as it always points to AD server.
I tried to play with group statements to force using both servers, but with no
success.
If I understand well debug info, the query is performed starting from the
"files" module: the users files contains statements like
DEFAULT Ldap-Group == "delivery-ip", Huntgroup-Name == "junos-tac"
Juniper-Local-User-Name="level15", Unisphere-Alternate-Cli-Access-Level="15"
and so a match between user and groups must be made.
My default file is as follows:
authorize {
preprocess
auth_log
if ( "%{User-Name}" =~ /[a-z]+[\.]{1}[a-z]+/) {
update control {
Auth-Type := ntlm_auth
}
}
else{
update control {
Auth-Type := ldap
}
}
group {
ldap1{
fail=1
notfound=1
}
ad_corporate_1{
fail=1
notfound=1
}
}
files
pap
}
authenticate {
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
digest
unix
Auth-Type ldap {
redundant {
ldap1
ldap2
}
}
Auth-Type ntlm_auth {
ntlm_auth
}
eap
}
.
.
.
So, my question is: is there a way to force querying a specific server,
according to Auth-Type or User-Name?i.e.
User-Name = scailotto -> Auth-Type = ldap -> search group membership on ldap1
User-Name = stefano.cailotto -> Auth-Type = ntlm_auth -> search group membership
on ad_corporate_1 (using ldap protocol)
I suppose it should somehow be forced in the users files, but can't figure out
how...
TIA,
Stefano
--
Stefano Cailotto
---------------------------------------------------------------------------
EDALab s.r.l. - Networked Embedded Systems
Sede operativa:
Via ca Nova Zampieri, 12, 37057 San Giovanni Lupatoto (VR) - Italy
Sede legale:
Cà Vignal 2, Strada Le Grazie, 15, 37134 Verona - Italy
C.F./P.IVA/Iscr. Reg. Imprese di Verona n. 03706250234
Numero REA: VR - 358813
Capitale sociale: 10.000 euro
---------------------------------------------------------------------------
email: stefano.cailotto(a)edalab.it
web: http://www.edalab.it | https://www.box-io.com
skype: stefano.cailotto
tel: +39-045-257-0357
mobile: +39-391-731-0244
---------------------------------------------------------------------------
3
6
Hello,
I am trying to get FreeRADIUS working with 2FA. I have it mostly setup. I can see in the debug output that saying my user exists in the system. However I'm still getting Access-Reject from my client.
Here is the output from FreeRADIUS (using the FreeRADIUS repo):0) Received Access-Request Id 98 from 10.150.1.190:37142 to 10.150.1.153:1812 length 92
(0) User-Name = "test"
(0) User-Password = "Password!1234"
(0) NAS-IP-Address = 10.150.1.190
(0) NAS-Port = 0
(0) Message-Authenticator = 0xef25474df3491218de56a2d8874cfe47
(0) # Executing section authorize from file /etc/raddb/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /(a)\./) {
(0) if (&User-Name =~ /(a)\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "test", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) eap: No EAP-Message, not doing EAP
(0) [eap] = noop
(0) files: Failed resolving GID: No error
(0) files: users: Matched entry DEFAULT at line 70
(0) [files] = ok
(0) [expiration] = noop
(0) [logintime] = noop
Not doing PAP as Auth-Type is already set.
(0) [pap] = noop
(0) } # authorize = ok
(0) Found Auth-Type = pam
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0) authenticate {
(0) pam: Using pamauth string "radiusd" for pam.conf lookup
(0) pam: ERROR: pam_authenticate failed: Error in service module
(0) [pam] = reject
(0) } # authenticate = reject
(0) Failed to authenticate the user
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0) Post-Auth-Type REJECT {
(0) attr_filter.access_reject: EXPAND %{User-Name}
(0) attr_filter.access_reject: --> test
(0) attr_filter.access_reject: Matched entry DEFAULT at line 11
(0) [attr_filter.access_reject] = updated
(0) [eap] = noop
(0) policy remove_reply_message_if_eap {
(0) if (&reply:EAP-Message && &reply:Reply-Message) {
(0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(0) else {
(0) [noop] = noop
(0) } # else = noop
(0) } # policy remove_reply_message_if_eap = noop
(0) } # Post-Auth-Type REJECT = updated
(0) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(0) Sending delayed response
(0) Sent Access-Reject Id 98 from 10.150.1.153:1812 to 10.150.1.190:37142 length 20
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 98 with timestamp +38
Ready to process requests
Here is my radiusd pam configuration
[root@radius01 ~]# cat /etc/pam.d/radiusd
#%PAM-1.0
#auth include password-auth
auth requisite pam_duo.so forward_pass
account required pam_nologin.so
account include password-auth
password include password-auth
session include password-auth
[root@radius01 ~]#
[test@console02 ~]$ radtest test Password!1234123456 10.150.1.153 0 password!
Sent Access-Request Id 98 from 0.0.0.0:37142 to 10.150.1.153:1812 length 92
User-Name = "test"
User-Password = "Password!1234123456"
NAS-IP-Address = 10.150.1.190
NAS-Port = 0
Message-Authenticator = 0x00
Cleartext-Password = "Password!1234123456"
Received Access-Reject Id 98 from 10.150.1.153:1812 to 0.0.0.0:0 length 20
(0) -: Expected Access-Accept got Access-Reject
[test@console02 ~]$
Should I have changed the radius pam config file? Should I have changed the password-auth config file instead? Eventually I want this work with SSH.
2
1
Hi,Alan and All
I have a question with radius proxy
It is decided to use eduroam as well as the certification of one's own base
in Radius under construction.
If you set proxy.conf and start radius, eduroam can authenticate without
problems.
If you try to authenticate on the internal side (local side), it is
transferred to the home_server side, and proxy.conf
We are troubled because we do not branch in the realm.
The specifications for connection are as follows.
1. An AP connected to eduroam is shared with campus and eduroam
2. If the realm of the connecting user ID is your own site, connect to
LOCAL RADIUS without Proxy, if eduroam, proxy to eduroam
I have been debugging a lot, but I understood that if I do not use a proxy,
I can authenticate my own base with or without a realm.
I am really in trouble as the system release is approaching. Can you ask
for help in problem solving?
y.y
-----------------------<proxy.conf>--------------------------
realm "~^(.+\.)?hoge\.ac\.jp$" {
authhost = LOCAL
accthost = LOCAL
}
realm NULL {
type = radius
authhost = LOCAL
accthost = LOCAL
}
# JP primary server
home_server jp-top-nii {
type = auth+acct
ipaddr = <<jp-top-nii IP>>
port = 1812
secret = <<secret>>
}
# JP secondary server
home_server jp-top-tohoku {
type = auth+acct
ipaddr = <<jp-top-tohoku IP>>
port = 1812
secret = <<secret>>
}
#JP servers pool
home_server_pool jp-top {
type = fail-over
home_server = jp-top-nii
home_server = jp-top-tohoku
}
realm DEFAULT {
pool = jp-top
nostrip
}
-----------------------<debug log>--------------------------
<成功している場合>
Thu Jul 25 19:48:22 2019 : Debug: (9) Received Access-Request Id 1 from
xxx.15.xxx.241:50692 to xxx15.xxx.14:1812 length 277
Thu Jul 25 19:48:22 2019 : Debug: (9) User-Name = "
hoge-test(a)hoge.t.eduroam.jp"
Thu Jul 25 19:48:22 2019 : Debug: (9) NAS-IP-Address = 10.254.0.241
Thu Jul 25 19:48:22 2019 : Debug: (9) NAS-Port = 12289
Thu Jul 25 19:48:22 2019 : Debug: (9) Called-Station-Id =
"08-35-71-F2-CE-05:authtest"
Thu Jul 25 19:48:22 2019 : Debug: (9) Calling-Station-Id =
"50-3E-AA-6D-ED-7E"
Thu Jul 25 19:48:22 2019 : Debug: (9) Framed-MTU = 1250
Thu Jul 25 19:48:22 2019 : Debug: (9) NAS-Port-Type = Wireless-802.11
Thu Jul 25 19:48:22 2019 : Debug: (9) Framed-Compression = None
Thu Jul 25 19:48:22 2019 : Debug: (9) Connect-Info = "CONNECT 802.11g"
Thu Jul 25 19:48:22 2019 : Debug: (9) Chargeable-User-Identity = 0x00
Thu Jul 25 19:48:22 2019 : Debug: (9) EAP-Message =
0x0209005f1580000000551703010050cb3dbe374456b00027a14910cb8c3f3b1f76e3cc15237055d85c2eb80a03e647e45af10d10ec9087f5da992567e67fd53fa1d5c9a4397cfbc89939fff9f74993024a4ceb1ebec6f786749a3d758f6732
Thu Jul 25 19:48:22 2019 : Debug: (9) State =
0x40e0a98c47e9bc7fc4ecba1b8bf4d9d2
Thu Jul 25 19:48:22 2019 : Debug: (9) Message-Authenticator =
0xcaa2f5b3f06d1fc44413ddd7a734a8db
Thu Jul 25 19:48:22 2019 : Debug: (9) session-state: No cached attributes
Thu Jul 25 19:48:22 2019 : Debug: (9) # Executing section authorize from
file /etc/raddb/sites-enabled/default
Thu Jul 25 19:48:22 2019 : Debug: (9) authorize {
Thu Jul 25 19:48:22 2019 : Debug: (9) policy rewrite_called_station_id {
Thu Jul 25 19:48:22 2019 : Debug: (9) if (&Called-Station-Id &&
(&Called-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))
{
Thu Jul 25 19:48:22 2019 : Debug: No matches
Thu Jul 25 19:48:22 2019 : Debug: Adding 9 matches
Thu Jul 25 19:48:22 2019 : Debug: (9) if (&Called-Station-Id &&
(&Called-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))
-> TRUE
Thu Jul 25 19:48:22 2019 : Debug: (9) if (&Called-Station-Id &&
(&Called-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))
{
Thu Jul 25 19:48:22 2019 : Debug: (9) update request {
Thu Jul 25 19:48:22 2019 : Debug: (9) 1/9 Found: 08 (3)
Thu Jul 25 19:48:22 2019 : Debug: (9) 2/9 Found: 35 (3)
Thu Jul 25 19:48:22 2019 : Debug: (9) 3/9 Found: 71 (3)
Thu Jul 25 19:48:22 2019 : Debug: (9) 4/9 Found: F2 (3)
Thu Jul 25 19:48:22 2019 : Debug: (9) 5/9 Found: CE (3)
Thu Jul 25 19:48:22 2019 : Debug: (9) 6/9 Found: 05 (3)
Thu Jul 25 19:48:22 2019 : Debug: (9) EXPAND
%{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
Thu Jul 25 19:48:22 2019 : Debug: (9) --> 08-35-71-F2-CE-05
Thu Jul 25 19:48:22 2019 : Debug: (9) &Called-Station-Id :=
08-35-71-F2-CE-05
Thu Jul 25 19:48:22 2019 : Debug: (9) Overwriting value
"08-35-71-F2-CE-05:authtest" with "08-35-71-F2-CE-05"
Thu Jul 25 19:48:22 2019 : Debug: (9) } # update request = noop
Thu Jul 25 19:48:22 2019 : Debug: (9) if ("%{8}") {
Thu Jul 25 19:48:22 2019 : Debug: (9) EXPAND TMPL XLAT STRUCT
Thu Jul 25 19:48:22 2019 : Debug: (9) 8/9 Found: authtest (9)
Thu Jul 25 19:48:22 2019 : Debug: (9) EXPAND %{8}
Thu Jul 25 19:48:22 2019 : Debug: (9) --> authtest
Thu Jul 25 19:48:22 2019 : Debug: (9) if ("%{8}") -> TRUE
Thu Jul 25 19:48:22 2019 : Debug: (9) if ("%{8}") {
Thu Jul 25 19:48:22 2019 : Debug: (9) update request {
Thu Jul 25 19:48:22 2019 : Debug: (9) 8/9 Found: authtest (9)
Thu Jul 25 19:48:22 2019 : Debug: (9) EXPAND %{8}
Thu Jul 25 19:48:22 2019 : Debug: (9) --> authtest
Thu Jul 25 19:48:22 2019 : Debug: (9) &Called-Station-SSID :=
authtest
Thu Jul 25 19:48:22 2019 : Debug: (9) } # update request = noop
Thu Jul 25 19:48:22 2019 : Debug: (9) } # if ("%{8}") = noop
Thu Jul 25 19:48:22 2019 : Debug: (9) modsingle[authorize]: calling
updated (rlm_always)
Thu Jul 25 19:48:22 2019 : Debug: (9) modsingle[authorize]:
returned from updated (rlm_always)
Thu Jul 25 19:48:22 2019 : Debug: (9) [updated] = updated
Thu Jul 25 19:48:22 2019 : Debug: (9) } # if (&Called-Station-Id &&
(&Called-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))
= updated
Thu Jul 25 19:48:22 2019 : Debug: (9) ... skipping else: Preceding
"if" was taken
Thu Jul 25 19:48:22 2019 : Debug: (9) } # policy
rewrite_called_station_id = updated
Thu Jul 25 19:48:22 2019 : Debug: (9) if (&outer.request) {
Thu Jul 25 19:48:22 2019 : Debug: (9) if (&outer.request) -> FALSE
Thu Jul 25 19:48:22 2019 : Debug: (9) modsingle[authorize]: calling
preprocess (rlm_preprocess)
Thu Jul 25 19:48:22 2019 : Debug: (9) modsingle[authorize]: returned
from preprocess (rlm_preprocess)
Thu Jul 25 19:48:22 2019 : Debug: (9) [preprocess] = ok
Thu Jul 25 19:48:22 2019 : Debug: (9) modsingle[authorize]: calling
mschap (rlm_mschap)
Thu Jul 25 19:48:22 2019 : Debug: (9) modsingle[authorize]: returned
from mschap (rlm_mschap)
Thu Jul 25 19:48:22 2019 : Debug: (9) [mschap] = noop
Thu Jul 25 19:48:22 2019 : Debug: (9) modsingle[authorize]: calling
digest (rlm_digest)
Thu Jul 25 19:48:22 2019 : Debug: (9) modsingle[authorize]: returned
from digest (rlm_digest)
Thu Jul 25 19:48:22 2019 : Debug: (9) [digest] = noop
Thu Jul 25 19:48:22 2019 : Debug: (9) modsingle[authorize]: calling
suffix (rlm_realm)
Thu Jul 25 19:48:22 2019 : Debug: (9) suffix: Checking for suffix after "@"
Thu Jul 25 19:48:22 2019 : Debug: (9) suffix: Looking up realm "
hoge.t.eduroam.jp" for User-Name = "hoge-test(a)hoge.t.eduroam.jp"
Thu Jul 25 19:48:22 2019 : Debug: (9) suffix: Found realm "DEFAULT"
Thu Jul 25 19:48:22 2019 : Debug: (9) suffix: Adding Realm = "DEFAULT"
Thu Jul 25 19:48:22 2019 : Debug: (9) suffix: Proxying request from user
hoge-test(a)hoge.t.eduroam.jp to realm DEFAULT
Thu Jul 25 19:48:22 2019 : Debug: (9) suffix: Preparing to proxy
authentication request to realm "DEFAULT"
Thu Jul 25 19:48:22 2019 : Debug: (9) modsingle[authorize]: returned
from suffix (rlm_realm)
Thu Jul 25 19:48:22 2019 : Debug: (9) [suffix] = updated
Thu Jul 25 19:48:22 2019 : Debug: (9) modsingle[authorize]: calling eap
(rlm_eap)
Thu Jul 25 19:48:22 2019 : Debug: (9) eap: Request is supposed to be
proxied to Realm DEFAULT. Not doing EAP.
Thu Jul 25 19:48:22 2019 : Debug: (9) modsingle[authorize]: returned
from eap (rlm_eap)
Thu Jul 25 19:48:22 2019 : Debug: (9) [eap] = noop
......
Thu Jul 25 19:48:22 2019 : Debug: Adding 1 matches
Thu Jul 25 19:48:22 2019 : Debug: (9) if (&NAS-IP-Address =~
/^10\.254\.0\.24[1]{1}$/) -> TRUE
Thu Jul 25 19:48:22 2019 : Debug: (9) if (&NAS-IP-Address =~
/^10\.254\.0\.24[1]{1}$/) {
Thu Jul 25 19:48:22 2019 : Debug: (9) if (&Called-Station-SSID ==
'authtest') {
Thu Jul 25 19:48:22 2019 : Debug: (9) if (&Called-Station-SSID ==
'authtest') -> TRUE
Thu Jul 25 19:48:22 2019 : Debug: (9) if (&Called-Station-SSID ==
'authtest') {
Thu Jul 25 19:48:22 2019 : Debug: (9) if (&Realm == "NULL" ||
&Realm == "edu.hoge.ac.jp" || &Realm == "edu.imc.hoge.ac.jp" || &Realm == "
hoge.ac.jp" || &Realm == "hoge.jp") {
Thu Jul 25 19:48:22 2019 : Debug: (9) if (&Realm == "NULL" ||
&Realm == "edu.hoge.ac.jp" || &Realm == "edu.imc.hoge.ac.jp" || &Realm == "
hoge.ac.jp" || &Realm == "hoge.jp") -> FALSE
Thu Jul 25 19:48:22 2019 : Debug: (9) } # if (&Called-Station-SSID ==
'authtest') = updated
Thu Jul 25 19:48:22 2019 : Debug: (9) } # if (&NAS-IP-Address =~
/^10\.254\.0\.24[1]{1}$/) = updated
Thu Jul 25 19:48:22 2019 : Debug: (9) modsingle[authorize]: calling
expiration (rlm_expiration)
Thu Jul 25 19:48:22 2019 : Debug: (9) modsingle[authorize]: returned
from expiration (rlm_expiration)
Thu Jul 25 19:48:22 2019 : Debug: (9) [expiration] = noop
Thu Jul 25 19:48:22 2019 : Debug: (9) modsingle[authorize]: calling
logintime (rlm_logintime)
Thu Jul 25 19:48:22 2019 : Debug: (9) modsingle[authorize]: returned
from logintime (rlm_logintime)
Thu Jul 25 19:48:22 2019 : Debug: (9) [logintime] = noop
Thu Jul 25 19:48:22 2019 : Debug: (9) } # authorize = updated
Thu Jul 25 19:48:22 2019 : Debug: (9) Starting proxy to home server
210.151.94.186 port 1812
Thu Jul 25 19:48:22 2019 : Debug: (9) Empty pre-proxy section in virtual
server "default". Using default return values.
Thu Jul 25 19:48:22 2019 : Debug: (9) proxy: Trying to allocate ID (0/2)
Thu Jul 25 19:48:22 2019 : Debug: (9) proxy: request is now in proxy hash
Thu Jul 25 19:48:22 2019 : Debug: (9) proxy: allocating destination
210.151.94.186 port 1812 - Id 202
Thu Jul 25 19:48:22 2019 : Debug: (9) Proxying request to home server
210.151.94.186 port 1812 timeout 30.000000
Thu Jul 25 19:48:22 2019 : Debug: (9) Sent Access-Request Id 202 from
0.0.0.0:55501 to 210.151.94.186:1812 length 277
Thu Jul 25 19:48:22 2019 : Debug: (9) User-Name = "
hoge-test(a)hoge.t.eduroam.jp"
Thu Jul 25 19:48:22 2019 : Debug: (9) NAS-IP-Address = 10.254.0.241
Thu Jul 25 19:48:22 2019 : Debug: (9) NAS-Port = 12289
Thu Jul 25 19:48:22 2019 : Debug: (9) Called-Station-Id :=
"08-35-71-F2-CE-05"
Thu Jul 25 19:48:22 2019 : Debug: (9) Calling-Station-Id =
"50-3E-AA-6D-ED-7E"
Thu Jul 25 19:48:22 2019 : Debug: (9) Framed-MTU = 1250
Thu Jul 25 19:48:22 2019 : Debug: (9) NAS-Port-Type = Wireless-802.11
Thu Jul 25 19:48:22 2019 : Debug: (9) Framed-Compression = None
Thu Jul 25 19:48:22 2019 : Debug: (9) Connect-Info = "CONNECT 802.11g"
Thu Jul 25 19:48:22 2019 : Debug: (9) Chargeable-User-Identity = 0x00
Thu Jul 25 19:48:22 2019 : Debug: (9) EAP-Message =
0x0209005f1580000000551703010050cb3dbe374456b00027a14910cb8c3f3b1f76e3cc15237055d85c2eb80a03e647e45af10d10ec9087f5da992567e67fd53fa1d5c9a4397cfbc89939fff9f74993024a4ceb1ebec6f786749a3d758f6732
Thu Jul 25 19:48:22 2019 : Debug: (9) State =
0x40e0a98c47e9bc7fc4ecba1b8bf4d9d2
Thu Jul 25 19:48:22 2019 : Debug: (9) Message-Authenticator =
0xcaa2f5b3f06d1fc44413ddd7a734a8db
Thu Jul 25 19:48:22 2019 : Debug: (9) Event-Timestamp = "Jul 25 2019
19:48:22 JST"
Thu Jul 25 19:48:22 2019 : Debug: (9) Proxy-State = 0x31
Thu Jul 25 19:48:22 2019 : Debug: Waking up in 0.3 seconds.
Thu Jul 25 19:48:22 2019 : Debug: (9) Clearing existing &reply: attributes
Thu Jul 25 19:48:22 2019 : Debug: (9) Received Access-Accept Id 202 from
210.151.94.186:1812 to xxx15.xxx.14:55501 length 163
Thu Jul 25 19:48:22 2019 : Debug: (9) MS-MPPE-Recv-Key =
0xa7cc9a2165371e3f2a1c102c8c88f1662db0a252368198157cabc2520b14bfef
Thu Jul 25 19:48:22 2019 : Debug: (9) MS-MPPE-Send-Key =
0x10eec8b6b6b83bdb5d32d83fe6289286d5f5ca0d02d4db66db5469bec1b47a58
Thu Jul 25 19:48:22 2019 : Debug: (9) EAP-Message = 0x03090004
Thu Jul 25 19:48:22 2019 : Debug: (9) Message-Authenticator =
0x657ffa391dc40a5dc02417aca8416235
Thu Jul 25 19:48:22 2019 : Debug: (9) Proxy-State = 0x31
Thu Jul 25 19:48:22 2019 : Debug: (9) # Executing section post-proxy from
file /etc/raddb/sites-enabled/default
Thu Jul 25 19:48:22 2019 : Debug: (9) post-proxy {
Thu Jul 25 19:48:22 2019 : Debug: (9) modsingle[post-proxy]: calling
eap (rlm_eap)
Thu Jul 25 19:48:22 2019 : Debug: (9) eap: No pre-existing handler found
Thu Jul 25 19:48:22 2019 : Debug: (9) modsingle[post-proxy]: returned
from eap (rlm_eap)
Thu Jul 25 19:48:22 2019 : Debug: (9) [eap] = noop
Thu Jul 25 19:48:22 2019 : Debug: (9) } # post-proxy = noop
Thu Jul 25 19:48:22 2019 : Debug: (9) Found Auth-Type = Accept
Thu Jul 25 19:48:22 2019 : Debug: (9) Auth-Type = Accept, accepting the user
Thu Jul 25 19:48:22 2019 : Debug: (9) # Executing section post-auth from
file /etc/raddb/sites-enabled/default
Thu Jul 25 19:48:22 2019 : Debug: (9) post-auth {
Thu Jul 25 19:48:22 2019 : Debug: (9) update {
Thu Jul 25 19:48:22 2019 : Debug: (9) No attributes updated
Thu Jul 25 19:48:22 2019 : Debug: (9) } # update = noop
Thu Jul 25 19:48:22 2019 : Debug: (9) update reply {
Thu Jul 25 19:48:22 2019 : Debug: (9) &User-Name !* ANY
Thu Jul 25 19:48:22 2019 : Debug: (9) &Tunnel-Type := VLAN
Thu Jul 25 19:48:22 2019 : Debug: (9) &Tunnel-Medium-Type := IEEE-802
Thu Jul 25 19:48:22 2019 : Debug: (9) &Called-Station-SSID !* ANY
Thu Jul 25 19:48:22 2019 : Debug: (9) &Called-Station-id !* ANY
Thu Jul 25 19:48:22 2019 : Debug: (9) } # update reply = noop
Thu Jul 25 19:48:22 2019 : Debug: (9) policy
remove_reply_message_if_eap {
Thu Jul 25 19:48:22 2019 : Debug: (9) if (&reply:EAP-Message &&
&reply:Reply-Message) {
Thu Jul 25 19:48:22 2019 : Debug: (9) if (&reply:EAP-Message &&
&reply:Reply-Message) -> FALSE
Thu Jul 25 19:48:22 2019 : Debug: (9) else {
Thu Jul 25 19:48:22 2019 : Debug: (9) modsingle[post-auth]: calling
noop (rlm_always)
Thu Jul 25 19:48:22 2019 : Debug: (9) modsingle[post-auth]:
returned from noop (rlm_always)
Thu Jul 25 19:48:22 2019 : Debug: (9) [noop] = noop
Thu Jul 25 19:48:22 2019 : Debug: (9) } # else = noop
Thu Jul 25 19:48:22 2019 : Debug: (9) } # policy
remove_reply_message_if_eap = noop
Thu Jul 25 19:48:22 2019 : Debug: (9) } # post-auth = noop
......
Thu Jul 25 19:48:22 2019 : Debug: (9) EXPAND
%{control:Auth-Type};%{%{outer.request:Calling-Station-Id}:-%{Calling-Station-Id}};%{Called-Station-Id};%{Connect-Info};%{Fortinet-Vdom-Name};%{NAS-Identifier};%{Framed-IP-Address};%{request:User-Name}
Thu Jul 25 19:48:22 2019 : Debug: (9) -->
Accept;50-3E-AA-6D-ED-7E;08-35-71-F2-CE-05;CONNECT
802.11g;;;;hoge-test(a)hoge.t.eduroam.jp
★Thu Jul 25 19:48:22 2019 : Auth: (9) Login OK: [hoge-test(a)hoge.t.eduroam.jp]
(from client wlctest port 12289 cli 50-3E-AA-6D-ED-7E)
Accept;50-3E-AA-6D-ED-7E;08-35-71-F2-CE-05;CONNECT
802.11g;;;;hoge-test(a)hoge.t.eduroam.jp
Thu Jul 25 19:48:22 2019 : Debug: (9) Sent Access-Accept Id 1 from
xxx15.xxx.14:1812 to xxx.15.xxx.241:50692 length 0
Thu Jul 25 19:48:22 2019 : Debug: (9) MS-MPPE-Recv-Key =
0xa7cc9a2165371e3f2a1c102c8c88f1662db0a252368198157cabc2520b14bfef
Thu Jul 25 19:48:22 2019 : Debug: (9) MS-MPPE-Send-Key =
0x10eec8b6b6b83bdb5d32d83fe6289286d5f5ca0d02d4db66db5469bec1b47a58
Thu Jul 25 19:48:22 2019 : Debug: (9) EAP-Message = 0x03090004
Thu Jul 25 19:48:22 2019 : Debug: (9) Message-Authenticator =
0x657ffa391dc40a5dc02417aca8416235
Thu Jul 25 19:48:22 2019 : Debug: (9) Tunnel-Type := VLAN
Thu Jul 25 19:48:22 2019 : Debug: (9) Tunnel-Medium-Type := IEEE-802
Thu Jul 25 19:48:22 2019 : Debug: (9) Finished request
Thu Jul 25 19:48:22 2019 : Debug: Waking up in 4.2 seconds.
<失敗している場合>
Thu Jul 25 19:49:50 2019 : Debug: Waking up in 4.7 seconds.
Thu Jul 25 19:49:50 2019 : Debug: (15) Received Access-Request Id 244 from
xxx.15.xxx.241:50692 to xxx.15.xxx.14:1812 length 267
Thu Jul 25 19:49:50 2019 : Debug: (15) User-Name = "rt015(a)hoge.ac.jp"
Thu Jul 25 19:49:50 2019 : Debug: (15) NAS-IP-Address = 10.254.0.241
Thu Jul 25 19:49:50 2019 : Debug: (15) NAS-Port = 12289
Thu Jul 25 19:49:50 2019 : Debug: (15) Called-Station-Id =
"08-35-71-F2-CE-05:authtest"
Thu Jul 25 19:49:50 2019 : Debug: (15) Calling-Station-Id =
"50-3E-AA-6D-ED-7E"
Thu Jul 25 19:49:50 2019 : Debug: (15) Framed-MTU = 1250
Thu Jul 25 19:49:50 2019 : Debug: (15) NAS-Port-Type = Wireless-802.11
Thu Jul 25 19:49:50 2019 : Debug: (15) Framed-Compression = None
Thu Jul 25 19:49:50 2019 : Debug: (15) Connect-Info = "CONNECT 802.11g"
Thu Jul 25 19:49:50 2019 : Debug: (15) Chargeable-User-Identity = 0x00
Thu Jul 25 19:49:50 2019 : Debug: (15) EAP-Message =
0x0206005f1580000000551703010050ff005ba6796aebc2306257dee2eabb49d15eb605ff09d3433137ee30756350e260ddbbac53bc9f7b691d61337632388d357950c098a212a2d650646f2b6c4bef664b98d320d70799a7304d88d79a5b25
Thu Jul 25 19:49:50 2019 : Debug: (15) State =
0x0973bc8b0d75a983b84b47e28ca6c132
Thu Jul 25 19:49:50 2019 : Debug: (15) Message-Authenticator =
0x004474ef0af1594a1a628592a7bb48cb
Thu Jul 25 19:49:50 2019 : Debug: (15) session-state: No cached attributes
Thu Jul 25 19:49:50 2019 : Debug: (15) # Executing section authorize from
file /etc/raddb/sites-enabled/default
Thu Jul 25 19:49:50 2019 : Debug: (15) authorize {
Thu Jul 25 19:49:50 2019 : Debug: (15) policy rewrite_called_station_id
{
Thu Jul 25 19:49:50 2019 : Debug: (15) if (&Called-Station-Id &&
(&Called-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))
{
Thu Jul 25 19:49:50 2019 : Debug: No matches
Thu Jul 25 19:49:50 2019 : Debug: Adding 9 matches
Thu Jul 25 19:49:50 2019 : Debug: (15) if (&Called-Station-Id &&
(&Called-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))
-> TRUE
Thu Jul 25 19:49:50 2019 : Debug: (15) if (&Called-Station-Id &&
(&Called-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))
{
Thu Jul 25 19:49:50 2019 : Debug: (15) update request {
Thu Jul 25 19:49:50 2019 : Debug: (15) 1/9 Found: 08 (3)
Thu Jul 25 19:49:50 2019 : Debug: (15) 2/9 Found: 35 (3)
Thu Jul 25 19:49:50 2019 : Debug: (15) 3/9 Found: 71 (3)
Thu Jul 25 19:49:50 2019 : Debug: (15) 4/9 Found: F2 (3)
Thu Jul 25 19:49:50 2019 : Debug: (15) 5/9 Found: CE (3)
Thu Jul 25 19:49:50 2019 : Debug: (15) 6/9 Found: 05 (3)
Thu Jul 25 19:49:50 2019 : Debug: (15) EXPAND
%{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
Thu Jul 25 19:49:50 2019 : Debug: (15) --> 08-35-71-F2-CE-05
Thu Jul 25 19:49:50 2019 : Debug: (15) &Called-Station-Id :=
08-35-71-F2-CE-05
Thu Jul 25 19:49:50 2019 : Debug: (15) Overwriting value
"08-35-71-F2-CE-05:authtest" with "08-35-71-F2-CE-05"
Thu Jul 25 19:49:50 2019 : Debug: (15) } # update request = noop
Thu Jul 25 19:49:50 2019 : Debug: (15) if ("%{8}") {
Thu Jul 25 19:49:50 2019 : Debug: (15) EXPAND TMPL XLAT STRUCT
Thu Jul 25 19:49:50 2019 : Debug: (15) 8/9 Found: authtest (9)
Thu Jul 25 19:49:50 2019 : Debug: (15) EXPAND %{8}
Thu Jul 25 19:49:50 2019 : Debug: (15) --> authtest
Thu Jul 25 19:49:50 2019 : Debug: (15) if ("%{8}") -> TRUE
Thu Jul 25 19:49:50 2019 : Debug: (15) if ("%{8}") {
Thu Jul 25 19:49:50 2019 : Debug: (15) update request {
Thu Jul 25 19:49:50 2019 : Debug: (15) 8/9 Found: authtest (9)
Thu Jul 25 19:49:50 2019 : Debug: (15) EXPAND %{8}
Thu Jul 25 19:49:50 2019 : Debug: (15) --> authtest
Thu Jul 25 19:49:50 2019 : Debug: (15) &Called-Station-SSID :=
authtest
Thu Jul 25 19:49:50 2019 : Debug: (15) } # update request = noop
Thu Jul 25 19:49:50 2019 : Debug: (15) } # if ("%{8}") = noop
Thu Jul 25 19:49:50 2019 : Debug: (15) modsingle[authorize]:
calling updated (rlm_always)
Thu Jul 25 19:49:50 2019 : Debug: (15) modsingle[authorize]:
returned from updated (rlm_always)
Thu Jul 25 19:49:50 2019 : Debug: (15) [updated] = updated
Thu Jul 25 19:49:50 2019 : Debug: (15) } # if (&Called-Station-Id &&
(&Called-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))
= updated
Thu Jul 25 19:49:50 2019 : Debug: (15) ... skipping else: Preceding
"if" was taken
Thu Jul 25 19:49:50 2019 : Debug: (15) } # policy
rewrite_called_station_id = updated
Thu Jul 25 19:49:50 2019 : Debug: (15) if (&outer.request) {
Thu Jul 25 19:49:50 2019 : Debug: (15) if (&outer.request) -> FALSE
Thu Jul 25 19:49:50 2019 : Debug: (15) modsingle[authorize]: calling
preprocess (rlm_preprocess)
Thu Jul 25 19:49:50 2019 : Debug: (15) modsingle[authorize]: returned
from preprocess (rlm_preprocess)
Thu Jul 25 19:49:50 2019 : Debug: (15) [preprocess] = ok
Thu Jul 25 19:49:50 2019 : Debug: (15) modsingle[authorize]: calling
mschap (rlm_mschap)
Thu Jul 25 19:49:50 2019 : Debug: (15) modsingle[authorize]: returned
from mschap (rlm_mschap)
Thu Jul 25 19:49:50 2019 : Debug: (15) [mschap] = noop
Thu Jul 25 19:49:50 2019 : Debug: (15) modsingle[authorize]: calling
digest (rlm_digest)
Thu Jul 25 19:49:50 2019 : Debug: (15) modsingle[authorize]: returned
from digest (rlm_digest)
Thu Jul 25 19:49:50 2019 : Debug: (15) [digest] = noop
Thu Jul 25 19:49:50 2019 : Debug: (15) modsingle[authorize]: calling
suffix (rlm_realm)
Thu Jul 25 19:49:50 2019 : Debug: (15) suffix: Checking for suffix after "@"
Thu Jul 25 19:49:50 2019 : Debug: (15) suffix: Looking up realm "hoge.ac.jp"
for User-Name = "rt015(a)hoge.ac.jp"
Thu Jul 25 19:49:50 2019 : Debug: (15) suffix: Found realm
"~^(.+\.)?hoge\.ac\.jp$"
Thu Jul 25 19:49:50 2019 : Debug: (15) suffix: Adding Stripped-User-Name =
"rt015"
Thu Jul 25 19:49:50 2019 : Debug: (15) suffix: Adding Realm = "hoge.ac.jp"
Thu Jul 25 19:49:50 2019 : Debug: (15) suffix: Authentication realm is LOCAL
Thu Jul 25 19:49:50 2019 : Debug: (15) modsingle[authorize]: returned
from suffix (rlm_realm)
Thu Jul 25 19:49:50 2019 : Debug: (15) [suffix] = ok
Thu Jul 25 19:49:50 2019 : Debug: (15) modsingle[authorize]: calling
eap (rlm_eap)
Thu Jul 25 19:49:50 2019 : Debug: (15) eap: Peer sent EAP Response (code 2)
ID 6 length 95
Thu Jul 25 19:49:50 2019 : Debug: (15) eap: Continuing tunnel setup
Thu Jul 25 19:49:50 2019 : Debug: (15) modsingle[authorize]: returned
from eap (rlm_eap)
Thu Jul 25 19:49:50 2019 : Debug: (15) [eap] = ok
Thu Jul 25 19:49:50 2019 : Debug: (15) } # authorize = ok
Thu Jul 25 19:49:50 2019 : Debug: (15) Found Auth-Type = eap
Thu Jul 25 19:49:50 2019 : Debug: (15) # Executing group from file
/etc/raddb/sites-enabled/default
Thu Jul 25 19:49:50 2019 : Debug: (15) authenticate {
Thu Jul 25 19:49:50 2019 : Debug: (15) modsingle[authenticate]: calling
eap (rlm_eap)
Thu Jul 25 19:49:50 2019 : Debug: (15) eap: Expiring EAP session with state
0x0973bc8b0d75a983
Thu Jul 25 19:49:50 2019 : Debug: (15) eap: Finished EAP session with state
0x0973bc8b0d75a983
Thu Jul 25 19:49:50 2019 : Debug: (15) eap: Previous EAP request found for
state 0x0973bc8b0d75a983, released from the list
Thu Jul 25 19:49:50 2019 : Debug: (15) eap: Peer sent packet with method
EAP TTLS (21)
Thu Jul 25 19:49:50 2019 : Debug: (15) eap: Calling submodule eap_ttls to
process data
Thu Jul 25 19:49:50 2019 : Debug: (15) eap_ttls: Authenticate
Thu Jul 25 19:49:50 2019 : Debug: (15) eap_ttls: Continuing EAP-TLS
Thu Jul 25 19:49:50 2019 : Debug: (15) eap_ttls: Peer sent flags --L
Thu Jul 25 19:49:50 2019 : Debug: (15) eap_ttls: Peer indicated complete
TLS record size will be 85 bytes
Thu Jul 25 19:49:50 2019 : Debug: (15) eap_ttls: Got complete TLS record
(85 bytes)
Thu Jul 25 19:49:50 2019 : Debug: (15) eap_ttls: [eaptls verify] = length
included
Thu Jul 25 19:49:50 2019 : Debug: Ignoring cbtls_msg call with pseudo
content type 256, version 0
Thu Jul 25 19:49:50 2019 : Debug: (15) eap_ttls: [eaptls process] = ok
Thu Jul 25 19:49:50 2019 : Debug: (15) eap_ttls: Session established.
Proceeding to decode tunneled attributes
Thu Jul 25 19:49:50 2019 : Debug: (15) eap_ttls: Got tunneled request
Thu Jul 25 19:49:50 2019 : Debug: (15) eap_ttls: User-Name = "
rt015(a)hoge.ac.jp"
Thu Jul 25 19:49:50 2019 : Debug: (15) eap_ttls: User-Password =
"password"
Thu Jul 25 19:49:50 2019 : Debug: (15) eap_ttls: FreeRADIUS-Proxied-To =
127.0.0.1
Thu Jul 25 19:49:50 2019 : Debug: (15) eap_ttls: Sending tunneled request
Thu Jul 25 19:49:50 2019 : Debug: (15) Virtual server inner-tunnel received
request
Thu Jul 25 19:49:50 2019 : Debug: (15) User-Name = "rt015(a)hoge.ac.jp"
Thu Jul 25 19:49:50 2019 : Debug: (15) User-Password = "password"
Thu Jul 25 19:49:50 2019 : Debug: (15) FreeRADIUS-Proxied-To = 127.0.0.1
Thu Jul 25 19:49:50 2019 : WARNING: (15) Outer and inner identities are the
same. User privacy is compromised.
Thu Jul 25 19:49:50 2019 : Debug: (15) server inner-tunnel {
Thu Jul 25 19:49:50 2019 : Debug: (15) session-state: No State attribute
Thu Jul 25 19:49:50 2019 : Debug: (15) # Executing section authorize from
file /etc/raddb/sites-enabled/inner-tunnel
Thu Jul 25 19:49:50 2019 : Debug: (15) authorize {
Thu Jul 25 19:49:50 2019 : Debug: (15) policy
rewrite_called_station_id {
Thu Jul 25 19:49:50 2019 : Debug: (15) if (&Called-Station-Id &&
(&Called-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))
{
Thu Jul 25 19:49:50 2019 : Debug: (15) if (&Called-Station-Id &&
(&Called-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))
-> FALSE
Thu Jul 25 19:49:50 2019 : Debug: (15) else {
Thu Jul 25 19:49:50 2019 : Debug: (15) modsingle[authorize]:
calling noop (rlm_always)
Thu Jul 25 19:49:50 2019 : Debug: (15) modsingle[authorize]:
returned from noop (rlm_always)
Thu Jul 25 19:49:50 2019 : Debug: (15) [noop] = noop
Thu Jul 25 19:49:50 2019 : Debug: (15) } # else = noop
Thu Jul 25 19:49:50 2019 : Debug: (15) } # policy
rewrite_called_station_id = noop
Thu Jul 25 19:49:50 2019 : Debug: (15) modsingle[authorize]: calling
mschap (rlm_mschap)
Thu Jul 25 19:49:50 2019 : Debug: (15) modsingle[authorize]: returned
from mschap (rlm_mschap)
Thu Jul 25 19:49:50 2019 : Debug: (15) [mschap] = noop
Thu Jul 25 19:49:50 2019 : Debug: (15) modsingle[authorize]: calling
suffix (rlm_realm)
Thu Jul 25 19:49:50 2019 : Debug: (15) suffix: Checking for suffix after "@"
Thu Jul 25 19:49:50 2019 : Debug: (15) suffix: Looking up realm "hoge.ac.jp"
for User-Name = "rt015(a)hoge.ac.jp"
Thu Jul 25 19:49:50 2019 : Debug: (15) suffix: Found realm
"~^(.+\.)?hoge\.ac\.jp$"
Thu Jul 25 19:49:50 2019 : Debug: (15) suffix: Adding Stripped-User-Name =
"rt015"
Thu Jul 25 19:49:50 2019 : Debug: (15) suffix: Adding Realm = "hoge.ac.jp"
Thu Jul 25 19:49:50 2019 : Debug: (15) suffix: Authentication realm is LOCAL
Thu Jul 25 19:49:50 2019 : Debug: (15) modsingle[authorize]: returned
from suffix (rlm_realm)
Thu Jul 25 19:49:50 2019 : Debug: (15) [suffix] = ok
Thu Jul 25 19:49:50 2019 : Debug: (15) update control {
Thu Jul 25 19:49:50 2019 : Debug: (15) &Proxy-To-Realm := LOCAL
Thu Jul 25 19:49:50 2019 : Debug: (15) } # update control = noop
Thu Jul 25 19:49:50 2019 : Debug: (15) modsingle[authorize]: calling
eap (rlm_eap)
Thu Jul 25 19:49:50 2019 : Debug: (15) eap: No EAP-Message, not doing EAP
Thu Jul 25 19:49:50 2019 : Debug: (15) modsingle[authorize]: returned
from eap (rlm_eap)
Thu Jul 25 19:49:50 2019 : Debug: (15) [eap] = noop
........
Thu Jul 25 19:49:50 2019 : Debug: Adding 1 matches
Thu Jul 25 19:49:50 2019 : Debug: (15) if
(&outer.request:NAS-IP-Address =~ /^10\.254\.0\.24[1]{1}$/) -> TRUE
Thu Jul 25 19:49:50 2019 : Debug: (15) if
(&outer.request:NAS-IP-Address =~ /^10\.254\.0\.24[1]{1}$/) {
Thu Jul 25 19:49:50 2019 : Debug: (15) if
(&outer.request:Called-Station-SSID == 'authtest') {
Thu Jul 25 19:49:50 2019 : Debug: (15) if
(&outer.request:Called-Station-SSID == 'authtest') -> TRUE
Thu Jul 25 19:49:50 2019 : Debug: (15) if
(&outer.request:Called-Station-SSID == 'authtest') {
Thu Jul 25 19:49:50 2019 : Debug: (15) if (&Realm == "NULL" ||
&Realm == "edu.hoge.ac.jp" || &Realm == "edu.zzz.hoge.ac.jp" || &Realm == "
hoge.ac.jp" || &Realm == "hoge.jp") {
Thu Jul 25 19:49:50 2019 : Debug: (15) if (&Realm == "NULL" ||
&Realm == "edu.hoge.ac.jp" || &Realm == "edu.zzz.hoge.ac.jp" || &Realm == "
hoge.ac.jp" || &Realm == "hoge.jp") -> TRUE
Thu Jul 25 19:49:50 2019 : Debug: (15) if (&Realm == "NULL" ||
&Realm == "edu.hoge.ac.jp" || &Realm == "edu.zzz.hoge.ac.jp" || &Realm == "
hoge.ac.jp" || &Realm == "hoge.jp") {
Thu Jul 25 19:49:50 2019 : Debug: (15) modsingle[authorize]:
calling ldap_regularusers (rlm_ldap)
Thu Jul 25 19:49:50 2019 : Debug: (15) ldap_regularusers: EXPAND TMPL
LITERAL
Thu Jul 25 19:49:50 2019 : Debug: (15) ldap_regularusers: EXPAND TMPL
LITERAL
Thu Jul 25 19:49:50 2019 : Debug: (15) ldap_regularusers: EXPAND TMPL
LITERAL
.........
Thu Jul 25 19:49:50 2019 : Debug: rlm_ldap (ldap_regularusers): Connecting
to ldaps://ldap.edu.hoge.ac.jp:636
Thu Jul 25 19:49:50 2019 : Debug: rlm_ldap (ldap_regularusers): New libldap
handle 0x55fcc83a76e0
Thu Jul 25 19:49:50 2019 : Debug: rlm_ldap (ldap_regularusers): Waiting for
bind result...
Thu Jul 25 19:49:50 2019 : Debug: rlm_ldap (ldap_regularusers): Bind
successful
Thu Jul 25 19:49:50 2019 : Debug: rlm_ldap (ldap_regularusers): Reserved
connection (5)
......
Thu Jul 25 19:49:50 2019 : Debug: (15) ldap_regularusers: Performing search
in "ou=Users,dc=edu,dc=hoge,dc=ac,dc=jp" with filter
"(&(!(employeeType=participant))(!(employeeType=trainee))(!(zzzPersonAccountStatus=03))(!(zzzPersonAccountStatus=04))(uid=rt015))",
scope "sub"
Thu Jul 25 19:49:50 2019 : Debug: (15) ldap_regularusers: Waiting for
search result...
Thu Jul 25 19:49:50 2019 : Debug: (15) ldap_regularusers: User object found
at DN "uid=rt015,ou=Users,dc=edu,dc=hoge,dc=ac,dc=jp"
Thu Jul 25 19:49:50 2019 : Debug: (15) ldap_regularusers: Processing user
attributes
Thu Jul 25 19:49:50 2019 : Debug: (15) ldap_regularusers: Attribute
"radiusAuthType" not found in LDAP object
.....
Thu Jul 25 19:49:50 2019 : Debug: (15) ldap_regularusers: Attribute
"radiusReplyMessage" not found in LDAP object
Thu Jul 25 19:49:50 2019 : Debug: rlm_ldap (ldap_regularusers): Released
connection (5)
Thu Jul 25 19:49:50 2019 : Info: Need 2 more connections to reach min
connections (3)
Thu Jul 25 19:49:50 2019 : Info: rlm_ldap (ldap_regularusers): Opening
additional connection (6), 1 of 31 pending slots used
Thu Jul 25 19:49:50 2019 : Debug: rlm_ldap (ldap_regularusers): Connecting
to ldaps://ldap.edu.hoge.ac.jp:636
Thu Jul 25 19:49:50 2019 : Debug: rlm_ldap (ldap_regularusers): New libldap
handle 0x55fcc8484a20
Thu Jul 25 19:49:50 2019 : Debug: rlm_ldap (ldap_regularusers): Waiting for
bind result...
Thu Jul 25 19:49:50 2019 : Debug: rlm_ldap (ldap_regularusers): Bind
successful
Thu Jul 25 19:49:50 2019 : Debug: (15) modsingle[authorize]:
returned from ldap_regularusers (rlm_ldap)
Thu Jul 25 19:49:50 2019 : Debug: (15) [ldap_regularusers] =
updated
Thu Jul 25 19:49:50 2019 : Debug: (15) update control {
Thu Jul 25 19:49:50 2019 : Debug: (15) &Auth-Type := LDAP
Thu Jul 25 19:49:50 2019 : Debug: (15) } # update control = noop
Thu Jul 25 19:49:50 2019 : Debug: (15) update reply {
Thu Jul 25 19:49:50 2019 : Debug: (15) Executing:
/usr/sbin/ldapvlan rt015(a)hoge.ac.jp:
Thu Jul 25 19:49:50 2019 : Debug: (15) Program returned code
(0) and output ''
Thu Jul 25 19:49:50 2019 : Debug: (15) EXPAND
%{exec:/usr/sbin/ldapvlan %{User-Name}}
Thu Jul 25 19:49:50 2019 : Debug: (15) -->
Thu Jul 25 19:49:50 2019 : Debug: (15)
&Tunnel-Private-Group-Id :=
Thu Jul 25 19:49:50 2019 : Debug: (15) } # update reply = noop
Thu Jul 25 19:49:50 2019 : Debug: (15) } # if (&Realm == "NULL"
|| &Realm == "edu.hoge.ac.jp" || &Realm == "edu.zzz.hoge.ac.jp" || &Realm
== "hoge.ac.jp" || &Realm == "hoge.jp") = updated
Thu Jul 25 19:49:50 2019 : Debug: (15) } # if
(&outer.request:Called-Station-SSID == 'authtest') = updated
Thu Jul 25 19:49:50 2019 : Debug: (15) } # if
(&outer.request:NAS-IP-Address =~ /^10\.254\.0\.24[1]{1}$/) = updated
Thu Jul 25 19:49:50 2019 : Debug: (15) modsingle[authorize]: calling
expiration (rlm_expiration)
Thu Jul 25 19:49:50 2019 : Debug: (15) modsingle[authorize]: returned
from expiration (rlm_expiration)
Thu Jul 25 19:49:50 2019 : Debug: (15) [expiration] = noop
Thu Jul 25 19:49:50 2019 : Debug: (15) modsingle[authorize]: calling
logintime (rlm_logintime)
Thu Jul 25 19:49:50 2019 : Debug: (15) modsingle[authorize]: returned
from logintime (rlm_logintime)
Thu Jul 25 19:49:50 2019 : Debug: (15) [logintime] = noop
Thu Jul 25 19:49:50 2019 : Debug: (15) } # authorize = updated
Thu Jul 25 19:49:50 2019 : Debug: (15) } # server inner-tunnel
Thu Jul 25 19:49:50 2019 : Debug: (15) Virtual server sending reply
Thu Jul 25 19:49:50 2019 : Debug: (15) Tunnel-Private-Group-Id := ""
Thu Jul 25 19:49:50 2019 : Debug: (15) eap_ttls: Tunneled authentication
will be proxied to LOCAL
Thu Jul 25 19:49:50 2019 : WARNING: (15) eap: Tunneled session will be
proxied. Not doing EAP
Thu Jul 25 19:49:50 2019 : Debug: (15) modsingle[authenticate]:
returned from eap (rlm_eap)
Thu Jul 25 19:49:50 2019 : Debug: (15) [eap] = handled
Thu Jul 25 19:49:50 2019 : Debug: (15) } # authenticate = handled
Thu Jul 25 19:49:50 2019 : Debug: (15) Starting proxy to home server
210.151.94.186 port 1812
Thu Jul 25 19:49:50 2019 : Debug: (15) Empty pre-proxy section in virtual
server "default". Using default return values.
Thu Jul 25 19:49:50 2019 : Debug: (15) proxy: Trying to allocate ID (0/2)
Thu Jul 25 19:49:50 2019 : Debug: (15) proxy: request is now in proxy hash
Thu Jul 25 19:49:50 2019 : Debug: (15) proxy: allocating destination
210.151.94.186 port 1812 - Id 39
Thu Jul 25 19:49:50 2019 : Debug: (15) Proxying request to home server
210.151.94.186 port 1812 timeout 30.000000
Thu Jul 25 19:49:50 2019 : Debug: (15) Sent Access-Request Id 39 from
0.0.0.0:55501 to 210.151.94.186:1812 length 78
Thu Jul 25 19:49:50 2019 : Debug: (15) User-Name = "rt015(a)hoge.ac.jp"
Thu Jul 25 19:49:50 2019 : Debug: (15) User-Password = "password"
Thu Jul 25 19:49:50 2019 : Debug: (15) Message-Authenticator := 0x00
Thu Jul 25 19:49:50 2019 : Debug: (15) Proxy-State = 0x323434
Thu Jul 25 19:49:50 2019 : Debug: Waking up in 0.2 seconds.
Thu Jul 25 19:49:50 2019 : Debug: (15) Expecting proxy response no later
than 29.701569 seconds from now
Thu Jul 25 19:49:50 2019 : Debug: Waking up in 4.3 seconds.
Thu Jul 25 19:49:52 2019 : Debug: (15) Sending duplicate proxied request to
home server 210.151.94.186 port 1812 - ID: 39
Thu Jul 25 19:49:52 2019 : Debug: (15) Sent Access-Request Id 39 from
0.0.0.0:55501 to 210.151.94.186:1812 length 78
Thu Jul 25 19:49:52 2019 : Debug: (15) User-Name = "rt015(a)hoge.ac.jp"
Thu Jul 25 19:49:52 2019 : Debug: (15) User-Password = "password"
Thu Jul 25 19:49:52 2019 : Debug: (15) Message-Authenticator := 0x00
Thu Jul 25 19:49:52 2019 : Debug: (15) Proxy-State = 0x323434
Thu Jul 25 19:49:52 2019 : Debug: Waking up in 2.6 seconds.
Thu Jul 25 19:49:52 2019 : Debug: (15) Clearing existing &reply: attributes
Thu Jul 25 19:49:52 2019 : Debug: (15) Received Access-Reject Id 39 from
210.151.94.186:1812 to xxx.15.xxx.14:55501 length 25
Thu Jul 25 19:49:52 2019 : Debug: (15) Proxy-State = 0x323434
Thu Jul 25 19:49:52 2019 : Debug: (15) # Executing section post-proxy from
file /etc/raddb/sites-enabled/default
Thu Jul 25 19:49:52 2019 : Debug: (15) post-proxy {
Thu Jul 25 19:49:52 2019 : Debug: (15) modsingle[post-proxy]: calling
eap (rlm_eap)
Thu Jul 25 19:49:52 2019 : Debug: (15) eap: Doing post-proxy callback
Thu Jul 25 19:49:52 2019 : Debug: (15) eap: Passing reply from proxy back
into the tunnel
Thu Jul 25 19:49:52 2019 : Debug: (15) eap: Got tunneled Access-Reject
Thu Jul 25 19:49:52 2019 : Debug: (15) eap: Reply was rejected
Thu Jul 25 19:49:52 2019 : Debug: (15) eap: Failed in post-proxy callback
Thu Jul 25 19:49:52 2019 : Debug: (15) eap: Sending EAP Failure (code 4) ID
6 length 4
Thu Jul 25 19:49:52 2019 : Debug: (15) modsingle[post-proxy]: returned
from eap (rlm_eap)
Thu Jul 25 19:49:52 2019 : Debug: (15) [eap] = reject
Thu Jul 25 19:49:52 2019 : Debug: (15) } # post-proxy = reject
Thu Jul 25 19:49:52 2019 : Debug:
%{control:Auth-Type};%{%{outer.request:Calling-Station-Id}:-%{Calling-Station-Id}};%{Called-Station-Id};%{Connect-Info};%{Fortinet-Vdom-Name};%{NAS-Identifier};%{Framed-IP-Address};%{request:User-Name}
Thu Jul 25 19:49:52 2019 : Debug: Parsed xlat tree:
Thu Jul 25 19:49:52 2019 : Debug: attribute --> Auth-Type
.....
Thu Jul 25 19:49:52 2019 : Debug: literal --> ;
Thu Jul 25 19:49:52 2019 : Debug: attribute --> User-Name
Thu Jul 25 19:49:52 2019 : Debug: (15) EXPAND
%{control:Auth-Type};%{%{outer.request:Calling-Station-Id}:-%{Calling-Station-Id}};%{Called-Station-Id};%{Connect-Info};%{Fortinet-Vdom-Name};%{NAS-Identifier};%{Framed-IP-Address};%{request:User-Name}
Thu Jul 25 19:49:52 2019 : Debug: (15) -->
eap;50-3E-AA-6D-ED-7E;08-35-71-F2-CE-05;CONNECT 802.11g;;;;rt015(a)hoge.ac.jp
★Thu Jul 25 19:49:52 2019 : Auth: (15) Login incorrect (Home Server says
so): [rt015] (from client netwlc01 port 12289 cli 50-3E-AA-6D-ED-7E)
eap;50-3E-AA-6D-ED-7E;08-35-71-F2-CE-05;CONNECT 802.11g;;;;rt015(a)hoge.ac.jp
2
1
Hi List members
With ssh-keygen I have created -with password- server.pem and ca.pem.
Moved them to /etc/raddb/certs.
but now I've got the following errors:
tls: Failed reading certificate file "/etc/raddb/certs/server.pem"
tls: error:0906D06C:PEM routines:PEM_read_bio:no start line tls:
error:140DC009:SSL routines:use_certificate_chain_file:PEM lib
rlm_eap_tls: Failed initializing SSL context rlm_eap (EAP): Failed to
initialise rlm_eap_tls /etc/raddb/mods-enabled/eap[14]: Instantiation
failed for module "eap"
Please bear in mind I am new here and this is the first time I going to
use freeradius. A little patience is highly appreciated.
What is recommended to solve this problem?
Thanks in advance
Peter
5
8
25 Jul '19
Hi Alan
Concerning mapping attributes of an LDAP group (not evaluating group
memberships), I have made and attempt but failed so far.
Mapping an attribute from a LDAP user to a FreeRADIUS attribute is very
simple in and straightforward:
- Add a custom myattrib to dictionary
- Extend the mapping of LDAP attribute control:<myattrib> in the
update{ } section of mods-available/ldap
- Add a simple if { } check for control:<myattrib> in post-auth
of sites-enabled/<yourserver> and be happy :-)
The problem is that in that particular directory (whether I like it or
not...) the relevant permission can be set for the user but it can also
be set on a group is a member of.
Thus both LDAP filters would need to yield an ACCESS-ACCEPT:
(&(objectClass=posixGroup)(memberUid=bob)(univentionNetworkAccess=1))
OR
(&(objectClass=posixUser)(uid=bob)(univentionNetworkAccess=1))
If I configure both user and group filter, the attribute would be
required on both the user and the group for example.
Instead said permission attribute, this could also be a VLAN ID
attribute that is set at the level of an LDAP group. I've also tried
searching if others have attempted mapping VLANs based on LDAP
attributes, not group memberships alone, but it doesn't seem so.
Creative use of search engines and an attempted areading rlm_ldap's
source code hasn't brought a step ahead yet. - Maybe I'm looking at it
the wrong way? Sorry...
Am 23.07.2019 um 04:29 schrieb Alan DeKok:
> On Jul 22, 2019, at 4:37 PM, Mathieu Simon (Lists) <matsimon.lists(a)simweb.ch> wrote:
>> Thank you for your precise feedback, definitely helped me to better
>> understand where I am and have to poke with the stick.
>
> You're welcome. FreeRADIUS is a complex system, even without adding LDAP.
>
>>> In v3, it's a little complex. In (coming some time soon) v4, it's a "map" command. :(
>>>
>> Ah, now that look interesting indeed! Without you mentioning it here I
>> wouldn't have been able to locate it other than with the 2 lines in v4's
>> doc/ChangeLog. Definitely something worth mentioning prominentely IMO.
>
> The doc/ChangeLog for v4 says little more than "it's version 4".
Yes, but not much yet about its usage, nonetheless very exciting to hear
about what is coming with v4.
[...]
>
> It should be listed in "man unlang". And in doc/unlang/map.adoc
OK, neither is present yet, but as you mentioned: v4 is WiP, I hope to
give a look at v4, I can't promise providing docs but I'd like to if
time allows.
[...]
>
>> I do plan on looking at v4 anyway even more so now. :)
>
> It's stable. There are large parts which work. But also large parts with "here be dragons".
>
> We're not comfortable releasing an official v4 until (a) there are no "gotchas" with features that sort of almost work, and (b) everything is fully documented.
Perfect: Again, your work and the work of the other main contributors is
highly appreciated.
-- Mathieu
2
3
I need some guidance on my setup. I currently have a FreeIPA intallation setup as my LDAP database. Currently I am trying to test using a 3rd party 2FA with it. Currently I have FreeRADIUS setup on a server and connected to FreeIPA. My question is, would I set this up similar to the way I would if it were a doing Wireless authentication?
In other words would I set up FreeRADIUS with EAP-TTLS?
I am following this - Using FreeIPA and FreeRadius as a RADIUS based software token OTP system with CentOS/RedHat 7 - FreeIPA
|
|
|
| | |
|
|
|
| |
Using FreeIPA and FreeRadius as a RADIUS based software token OTP system...
|
|
|
4
3
Hello, All
When trying to build a dynamic VLAN, the contact point of ldap differs
depending on AP,
Can I control which LDAP attribute to map per ldap query?
And what should I offer to receive advice?
Any help would be appreciated.
4
12