Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
April 2021
- 50 participants
- 52 discussions
Hi,
I have implemented EAP-TLS with self signed certificates. I'm able to
successfully test this with eapol_test locally and can see the following
flow of packets in Wireshark:
1 0.000000000 127.0.0.3 127.0.0.1 RADIUS 203 Access-Request id=0
2 0.006344500 127.0.0.1 127.0.0.3 RADIUS 108 Access-Challenge id=0
3 0.018423000 127.0.0.3 127.0.0.1 RADIUS 396 Access-Request id=1
4 0.033722100 127.0.0.1 127.0.0.3 RADIUS 1112 Access-Challenge id=1
5 0.036071400 127.0.0.3 127.0.0.1 RADIUS 206 Access-Request id=2
6 0.037740000 127.0.0.1 127.0.0.3 RADIUS 1112 Access-Challenge id=2
7 0.040921100 127.0.0.3 127.0.0.1 RADIUS 206 Access-Request id=3
8 0.044312500 127.0.0.1 127.0.0.3 RADIUS 1070 Access-Challenge id=3
9 0.090325200 127.0.0.3 127.0.0.1 RADIUS 1618 Access-Request id=4
10 0.098304600 127.0.0.1 127.0.0.3 RADIUS 108 Access-Challenge id=4
11 0.115117500 127.0.0.3 127.0.0.1 RADIUS 1488 Access-Request id=5
12 0.332043500 127.0.0.1 127.0.0.3 RADIUS 163 Access-Challenge id=5
13 0.333669200 127.0.0.3 127.0.0.1 RADIUS 206 Access-Request id=6
33 0.438789100 127.0.0.1 127.0.0.3 RADIUS 239 Access-Accept id=6
Pointing this to a Freeradius server running on AWS with exactly the same
configuration and certificates, I get the following:
1 0.000000000 10.5.0.5 18.168.48.94 RADIUS 203 Access-Request id=0
2 0.015807600 18.168.48.94 10.5.0.5 RADIUS 108 Access-Challenge id=0
3 0.025829000 10.5.0.5 18.168.48.94 RADIUS 396 Access-Request id=1
4 0.040322200 18.168.48.94 10.5.0.5 RADIUS 1112 Access-Challenge id=1
5 0.042580700 10.5.0.5 18.168.48.94 RADIUS 206 Access-Request id=2
6 0.056210200 18.168.48.94 10.5.0.5 RADIUS 1112 Access-Challenge id=2
7 0.064416100 10.5.0.5 18.168.48.94 RADIUS 206 Access-Request id=3
8 0.076431300 18.168.48.94 10.5.0.5 RADIUS 1070 Access-Challenge id=3
10 0.119491200 10.5.0.5 18.168.48.94 RADIUS 138 Access-Request id=4
12 3.121220200 10.5.0.5 18.168.48.94 RADIUS 138 Access-Request id=4,
Duplicate Request
18 9.122298400 10.5.0.5 18.168.48.94 RADIUS 138 Access-Request id=4,
Duplicate Request
20 21.090888500 10.5.0.5 18.168.48.94 RADIUS 138 Access-Request id=4,
Duplicate Request
I am unable to find anything obvious in the server logs and have compared
them to the local server logs:
Waking up in 0.6 seconds.
Thread 3 got semaphore
Thread 3 handling request 18, (4 handled so far)
(18) Received Access-Request Id 0 from 79.173.131.202:62178 to
10.0.2.163:1812 length 159
(18) User-Name = "user(a)example.org"
(18) NAS-IP-Address = 127.0.0.1
(18) Calling-Station-Id = "00-11-22-33-44-55"
(18) Framed-MTU = 1400
(18) NAS-Port-Type = Wireless-802.11
(18) Service-Type = Framed-User
(18) Connect-Info = "CONNECT 11Mbps 802.11b"
(18) Called-Station-Id = "zzzzzzzzzzz"
(18) EAP-Message = 0x029f00150175736572406578616d706c652e6f7267
(18) Message-Authenticator = 0x984328076491a6736625de57ee05ffe2
(18) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(18) authorize {
(18) [preprocess] = ok
(18) if (!EAP-Message) {
(18) if (!EAP-Message) -> FALSE
(18) else {
(18) eap: Peer sent EAP Response (code 2) ID 159 length 21
(18) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(18) [eap] = ok
(18) } # else = ok
(18) } # authorize = ok
(18) Found Auth-Type = eap
(18) # Executing group from file /etc/raddb/sites-enabled/default
(18) authenticate {
(18) eap: Peer sent packet with method EAP Identity (1)
(18) eap: Calling submodule eap_tls to process data
(18) eap_tls: Initiating new TLS session
(18) eap_tls: Setting verify mode to require certificate from client
(18) eap_tls: [eaptls start] = request
(18) eap: Sending EAP Request (code 1) ID 160 length 6
(18) eap: EAP session adding &reply:State = 0xd1f95035d1595d63
(18) [eap] = handled
(18) } # authenticate = handled
(18) Using Post-Auth-Type Challenge
(18) Post-Auth-Type sub-section not found. Ignoring.
(18) # Executing group from file /etc/raddb/sites-enabled/default
(18) Sent Access-Challenge Id 0 from 10.0.2.163:1812 to 79.173.131.202:62178
length 0
(18) EAP-Message = 0x01a000060d20
(18) Message-Authenticator = 0x00000000000000000000000000000000
(18) State = 0xd1f95035d1595d636d0e61ddd027bfa3
(18) Finished request
Thread 3 waiting to be assigned a request
Waking up in 0.6 seconds.
Thread 1 got semaphore
Thread 1 handling request 19, (4 handled so far)
(19) Received Access-Request Id 1 from 79.173.131.202:62178 to
10.0.2.163:1812 length 352
(19) User-Name = "user(a)example.org"
(19) NAS-IP-Address = 127.0.0.1
(19) Calling-Station-Id = "00-11-22-33-44-55"
(19) Framed-MTU = 1400
(19) NAS-Port-Type = Wireless-802.11
(19) Service-Type = Framed-User
(19) Connect-Info = "CONNECT 11Mbps 802.11b"
(19) Called-Station-Id = "zzzzzzzzzzz"
(19) EAP-Message =
0x02a000c40d0016030100b9010000b50303844b73e984fa5133fad9e9c2d0443d36f0a8eb3d6acd9ca9822d64f6689d4e9e000038c02cc030009fcca9cca8ccaac02bc02f009ec024c028006bc023c0270067c00ac0140039c009c0130033009d009c003d003c0035002f00ff01000054000b000403000102000a000c000a001d0017001e001900180016000000170000000d0030002e040305030603080708080809080a080b080408050806040105010601030302030301020103020202040205020602
(19) State = 0xd1f95035d1595d636d0e61ddd027bfa3
(19) Message-Authenticator = 0x7ec6458d81e06f84a62b8fe69820b09f
(19) session-state: No cached attributes
(19) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(19) authorize {
(19) [preprocess] = ok
(19) if (!EAP-Message) {
(19) if (!EAP-Message) -> FALSE
(19) else {
(19) eap: Peer sent EAP Response (code 2) ID 160 length 196
(19) eap: No EAP Start, assuming it's an on-going EAP conversation
(19) [eap] = updated
(19) } # else = updated
(19) } # authorize = updated
(19) Found Auth-Type = eap
(19) # Executing group from file /etc/raddb/sites-enabled/default
(19) authenticate {
(19) eap: Expiring EAP session with state 0xd1f95035d1595d63
(19) eap: Finished EAP session with state 0xd1f95035d1595d63
(19) eap: Previous EAP request found for state 0xd1f95035d1595d63, released
from the list
(19) eap: Peer sent packet with method EAP TLS (13)
(19) eap: Calling submodule eap_tls to process data
(19) eap_tls: Continuing EAP-TLS
(19) eap_tls: Got final TLS record fragment (190 bytes)
(19) eap_tls: WARNING: Total received TLS record fragments (190 bytes),
does not equal indicated TLS record length (0 bytes)
(19) eap_tls: [eaptls verify] = ok
(19) eap_tls: Done initial handshake
(19) eap_tls: (other): before SSL initialization
(19) eap_tls: TLS_accept: before SSL initialization
(19) eap_tls: TLS_accept: before SSL initialization
(19) eap_tls: <<< recv TLS 1.3 [length 00b9]
(19) eap_tls: TLS_accept: SSLv3/TLS read client hello
(19) eap_tls: >>> send TLS 1.2 [length 003d]
(19) eap_tls: TLS_accept: SSLv3/TLS write server hello
(19) eap_tls: >>> send TLS 1.2 [length 0903]
(19) eap_tls: TLS_accept: SSLv3/TLS write certificate
(19) eap_tls: >>> send TLS 1.2 [length 014d]
(19) eap_tls: TLS_accept: SSLv3/TLS write key exchange
(19) eap_tls: >>> send TLS 1.2 [length 00d2]
(19) eap_tls: TLS_accept: SSLv3/TLS write certificate request
(19) eap_tls: >>> send TLS 1.2 [length 0004]
(19) eap_tls: TLS_accept: SSLv3/TLS write server done
(19) eap_tls: TLS_accept: Need to read more data: SSLv3/TLS write server
done
(19) eap_tls: TLS - In Handshake Phase
(19) eap_tls: TLS - got 2940 bytes of data
(19) eap_tls: [eaptls process] = handled
(19) eap: Sending EAP Request (code 1) ID 161 length 1004
(19) eap: EAP session adding &reply:State = 0xd1f95035d0585d63
(19) [eap] = handled
(19) } # authenticate = handled
(19) Using Post-Auth-Type Challenge
(19) Post-Auth-Type sub-section not found. Ignoring.
(19) # Executing group from file /etc/raddb/sites-enabled/default
(19) Sent Access-Challenge Id 1 from 10.0.2.163:1812 to 79.173.131.202:62178
length 0
(19) EAP-Message =
0x01a103ec0dc000000b7c160303003d02000039030347213c4e56f7cdcb315edae06b5cbf7ae6f0e8e77fd490029463d930131114c200c030000011ff01000100000b0004030001020017000016030309030b0008ff0008fc0003f8308203f4308202dca003020102020101300d06092a864886f70d01010b0500308193310b3009060355040613024652310f300d06035504080c065261646975733112301006035504070c09536f6d65776865726531153013060355040a0c0c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e6f72673126302406035504030c1d4578616d706c6520436572746966696361746520417574686f72697479301e170d3231303432323133353331315a170d3231303632313133353331315a307c310b3009060355040613024652310f300d06035504080c0652616469757331153013060355040a0c0c4578616d706c6520496e632e3123302106035504030c1a4578616d70
(19) Message-Authenticator = 0x00000000000000000000000000000000
(19) State = 0xd1f95035d0585d636d0e61ddd027bfa3
(19) Finished request
Thread 1 waiting to be assigned a request
Waking up in 0.6 seconds.
Thread 4 got semaphore
Thread 4 handling request 20, (5 handled so far)
(20) Received Access-Request Id 2 from 79.173.131.202:62178 to
10.0.2.163:1812 length 162
(20) User-Name = "user(a)example.org"
(20) NAS-IP-Address = 127.0.0.1
(20) Calling-Station-Id = "00-11-22-33-44-55"
(20) Framed-MTU = 1400
(20) NAS-Port-Type = Wireless-802.11
(20) Service-Type = Framed-User
(20) Connect-Info = "CONNECT 11Mbps 802.11b"
(20) Called-Station-Id = "zzzzzzzzzzz"
(20) EAP-Message = 0x02a100060d00
(20) State = 0xd1f95035d0585d636d0e61ddd027bfa3
(20) Message-Authenticator = 0x96b68fa5c27f6103112e03c9ca751a38
(20) session-state: No cached attributes
(20) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(20) authorize {
(20) [preprocess] = ok
(20) if (!EAP-Message) {
(20) if (!EAP-Message) -> FALSE
(20) else {
(20) eap: Peer sent EAP Response (code 2) ID 161 length 6
(20) eap: No EAP Start, assuming it's an on-going EAP conversation
(20) [eap] = updated
(20) } # else = updated
(20) } # authorize = updated
(20) Found Auth-Type = eap
(20) # Executing group from file /etc/raddb/sites-enabled/default
(20) authenticate {
(20) eap: Expiring EAP session with state 0xd1f95035d0585d63
(20) eap: Finished EAP session with state 0xd1f95035d0585d63
(20) eap: Previous EAP request found for state 0xd1f95035d0585d63, released
from the list
(20) eap: Peer sent packet with method EAP TLS (13)
(20) eap: Calling submodule eap_tls to process data
(20) eap_tls: Continuing EAP-TLS
(20) eap_tls: Peer ACKed our handshake fragment
(20) eap_tls: [eaptls verify] = request
(20) eap_tls: [eaptls process] = handled
(20) eap: Sending EAP Request (code 1) ID 162 length 1004
(20) eap: EAP session adding &reply:State = 0xd1f95035d35b5d63
(20) [eap] = handled
(20) } # authenticate = handled
(20) Using Post-Auth-Type Challenge
(20) Post-Auth-Type sub-section not found. Ignoring.
(20) # Executing group from file /etc/raddb/sites-enabled/default
(20) Sent Access-Challenge Id 2 from 10.0.2.163:1812 to 79.173.131.202:62178
length 0
(20) EAP-Message =
0x01a203ec0dc000000b7c0ec0b7f4d11cdfe36864bfcb5711379b78326a8fa424233f53db7b2e0df38d57f2958bc135362147349c036a811e5fc84e63f0979d3ad2ecf86af244eea15041f7abdaab5592aee08e675f99573996e6385e9b11f69d2bc8adf72c2952a6c2aee95326fa86b8750004fe308204fa308203e2a00302010202141e94f1f7a32c45bc413ca334afe12c9e73579783300d06092a864886f70d01010b0500308193310b3009060355040613024652310f300d06035504080c065261646975733112301006035504070c09536f6d65776865726531153013060355040a0c0c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e6f72673126302406035504030c1d4578616d706c6520436572746966696361746520417574686f72697479301e170d3231303432323133353331315a170d3231303632313133353331315a308193310b3009060355040613024652310f300d06035504080c06
(20) Message-Authenticator = 0x00000000000000000000000000000000
(20) State = 0xd1f95035d35b5d636d0e61ddd027bfa3
(20) Finished request
Thread 4 waiting to be assigned a request
Waking up in 0.6 seconds.
Thread 5 got semaphore
Thread 5 handling request 21, (5 handled so far)
(21) Received Access-Request Id 3 from 79.173.131.202:62178 to
10.0.2.163:1812 length 162
(21) User-Name = "user(a)example.org"
(21) NAS-IP-Address = 127.0.0.1
(21) Calling-Station-Id = "00-11-22-33-44-55"
(21) Framed-MTU = 1400
(21) NAS-Port-Type = Wireless-802.11
(21) Service-Type = Framed-User
(21) Connect-Info = "CONNECT 11Mbps 802.11b"
(21) Called-Station-Id = "zzzzzzzzzzz"
(21) EAP-Message = 0x02a200060d00
(21) State = 0xd1f95035d35b5d636d0e61ddd027bfa3
(21) Message-Authenticator = 0x1e1f2ac2572d26ae6a14a89ee60d277e
(21) session-state: No cached attributes
(21) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(21) authorize {
(21) [preprocess] = ok
(21) if (!EAP-Message) {
(21) if (!EAP-Message) -> FALSE
(21) else {
(21) eap: Peer sent EAP Response (code 2) ID 162 length 6
(21) eap: No EAP Start, assuming it's an on-going EAP conversation
(21) [eap] = updated
(21) } # else = updated
(21) } # authorize = updated
(21) Found Auth-Type = eap
(21) # Executing group from file /etc/raddb/sites-enabled/default
(21) authenticate {
(21) eap: Expiring EAP session with state 0xd1f95035d35b5d63
(21) eap: Finished EAP session with state 0xd1f95035d35b5d63
(21) eap: Previous EAP request found for state 0xd1f95035d35b5d63, released
from the list
(21) eap: Peer sent packet with method EAP TLS (13)
(21) eap: Calling submodule eap_tls to process data
(21) eap_tls: Continuing EAP-TLS
(21) eap_tls: Peer ACKed our handshake fragment
(21) eap_tls: [eaptls verify] = request
(21) eap_tls: [eaptls process] = handled
(21) eap: Sending EAP Request (code 1) ID 163 length 962
(21) eap: EAP session adding &reply:State = 0xd1f95035d25a5d63
(21) [eap] = handled
(21) } # authenticate = handled
(21) Using Post-Auth-Type Challenge
(21) Post-Auth-Type sub-section not found. Ignoring.
(21) # Executing group from file /etc/raddb/sites-enabled/default
(21) Sent Access-Challenge Id 3 from 10.0.2.163:1812 to 79.173.131.202:62178
length 0
(21) EAP-Message =
0x01a303c20d8000000b7c72746966696361746520417574686f7269747982141e94f1f7a32c45bc413ca334afe12c9e73579783300f0603551d130101ff040530030101ff30360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e6f72672f6578616d706c655f63612e63726c300d06092a864886f70d01010b050003820101008d2f4298f5fedf62311a7b835e3708a3836d27f80b022fdb0e58398064eccea95f1138a48ddcf5cf7e66a8b47667cbecf1be61b3b7911d8d53e28a45918190fc2e8a927eb7e232cc68b460777df0e6c58d5d61b5ab97730d765eae9fad54afaba8fde9dee8ae6cf4057e20bc63c1b95c44cb4ec55f3787835e26ec2ec10ddb17672e6e6a98c7467d660f70045530beabf3d6b6b231d3236503abfb43c43507ff02c830b2b9b9faaa6189730659b7c49e1b9ca62d9ffb825791f32f4437a9661945b099b15624af573c8ab996023ee7cb594537cd8fc2964bb9aa54d1be9c3c7860946178d5d8ac
(21) Message-Authenticator = 0x00000000000000000000000000000000
(21) State = 0xd1f95035d25a5d636d0e61ddd027bfa3
(21) Finished request
Thread 5 waiting to be assigned a request
Waking up in 4.2 seconds.
(18) Cleaning up request packet ID 0 with timestamp +1083
(19) Cleaning up request packet ID 1 with timestamp +1083
(20) Cleaning up request packet ID 2 with timestamp +1083
(21) Cleaning up request packet ID 3 with timestamp +1083
Ready to process requests
My eapol_test command is as follows:
eapol_test -r0 -c eapol_test.conf -a 18.168.48.94 -s testing \
-M 00:11:22:33:44:55 \
-N30:s:zzzzzzzzzzz
(I was experimenting with passing custom attributes above)
The output from eapol_test is:
+ eapol_test -r3 -c eapol_test.conf -a 18.168.48.94 -s testing -W -n
Reading configuration file 'eapol_test.conf'
Line: 1 - start of a new network block
ssid - hexdump_ascii(len=24):
44 6f 65 73 4e 6f 74 4d 61 74 74 65 72 46 6f 72 DoesNotMatterFor
54 68 69 73 54 65 73 74 ThisTest
key_mgmt: 0x1
eap methods - hexdump(len=16): 00 00 00 00 0d 00 00 00 00 00 00 00 00 00 00
00
identity - hexdump_ascii(len=16):
75 73 65 72 40 65 78 61 6d 70 6c 65 2e 6f 72 67 user(a)example.org
ca_cert - hexdump_ascii(len=23):
2f 65 74 63 2f 72 61 64 64 62 2f 63 65 72 74 73 /etc/raddb/certs
2f 63 61 2e 70 65 6d /ca.pem
client_cert - hexdump_ascii(len=37):
2f 65 74 63 2f 72 61 64 64 62 2f 63 65 72 74 73 /etc/raddb/certs
2f 75 73 65 72 40 65 78 61 6d 70 6c 65 2e 6f 72 /user(a)example.or
67 2e 70 65 6d g.pem
private_key - hexdump_ascii(len=27):
2f 65 74 63 2f 72 61 64 64 62 2f 63 65 72 74 73 /etc/raddb/certs
2f 63 6c 69 65 6e 74 2e 6b 65 79 /client.key
private_key_passwd - hexdump_ascii(len=8):
77 68 61 74 65 76 65 72 whatever
Priority group 0
id=0 ssid='DoesNotMatterForThisTest'
Authentication server 18.168.48.94:1812
RADIUS local address: 10.5.0.5:35041
ENGINE: Loading builtin engines
ENGINE: Loading builtin engines
EAPOL: SUPP_PAE entering state DISCONNECTED
EAPOL: KEY_RX entering state NO_KEY_RECEIVE
EAPOL: SUPP_BE entering state INITIALIZE
EAP: EAP entering state DISABLED
EAPOL: External notification - portValid=0
EAPOL: External notification - portEnabled=1
EAPOL: SUPP_PAE entering state CONNECTING
EAPOL: SUPP_BE entering state IDLE
EAP: EAP entering state INITIALIZE
EAP: EAP entering state IDLE
Sending fake EAP-Request-Identity
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_PAE entering state RESTART
EAP: EAP entering state INITIALIZE
EAP: EAP entering state IDLE
EAPOL: SUPP_PAE entering state AUTHENTICATING
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request id=215 method=1 vendor=0 vendorMethod=0
EAP: EAP entering state IDENTITY
CTRL-EVENT-EAP-STARTED EAP authentication started
EAP: Status notification: started (param=)
EAP: EAP-Request Identity data - hexdump_ascii(len=0):
EAP: using real identity - hexdump_ascii(len=16):
75 73 65 72 40 65 78 61 6d 70 6c 65 2e 6f 72 67 user(a)example.org
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
WPA: eapol_test_eapol_send(type=0 len=21)
TX EAP -> RADIUS - hexdump(len=21): 02 d7 00 15 01 75 73 65 72 40 65 78 61
6d 70 6c 65 2e 6f 72 67
Encapsulating EAP message into a RADIUS packet
Learned identity from EAP-Response-Identity - hexdump(len=16): 75 73 65 72
40 65 78 61 6d 70 6c 65 2e 6f 72 67
Sending RADIUS message to authentication server
RADIUS message: code=1 (Access-Request) identifier=0 length=146
Attribute 1 (User-Name) length=18
Value: 'user(a)example.org'
Attribute 4 (NAS-IP-Address) length=6
Value: 127.0.0.1
Attribute 31 (Calling-Station-Id) length=19
Value: '02-00-00-00-00-01'
Attribute 12 (Framed-MTU) length=6
Value: 1400
Attribute 61 (NAS-Port-Type) length=6
Value: 19
Attribute 6 (Service-Type) length=6
Value: 2
Attribute 77 (Connect-Info) length=24
Value: 'CONNECT 11Mbps 802.11b'
Attribute 79 (EAP-Message) length=23
Value: 02d700150175736572406578616d706c652e6f7267
Attribute 80 (Message-Authenticator) length=18
Value: b413addf8f1253adce139f1de8c6bb28
Next RADIUS client retransmit in 3 seconds
EAPOL: SUPP_BE entering state RECEIVE
Received 64 bytes from RADIUS server
Received RADIUS message
RADIUS message: code=11 (Access-Challenge) identifier=0 length=64
Attribute 79 (EAP-Message) length=8
Value: 01d800060d20
Attribute 80 (Message-Authenticator) length=18
Value: 80ae6242645efce44ed19b021c3c2fe1
Attribute 24 (State) length=18
Value: aa347fceaaec72ef097c289c52522f15
STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending
request, round trip time 0.02 sec
RADIUS packet matching with station
decapsulated EAP packet (code=1 id=216 len=6) from RADIUS server:
EAP-Request-TLS (13)
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request id=216 method=13 vendor=0 vendorMethod=0
EAP: EAP entering state GET_METHOD
CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13
EAP: Status notification: accept proposed method (param=TLS)
EAP: Initialize selected EAP method: vendor 0 method 13 (TLS)
TLS: using phase1 config options
TLS: Trusted root certificate(s) loaded
OpenSSL: SSL_use_certificate_chain_file --> OK
OpenSSL: tls_use_private_key_file (PEM) --> loaded
SSL: Private key loaded successfully
CTRL-EVENT-EAP-METHOD EAP vendor 0 method 13 (TLS) selected
EAP: EAP entering state METHOD
SSL: Received packet(len=6) - Flags 0x20
EAP-TLS: Start
SSL: (where=0x10 ret=0x1)
SSL: (where=0x1001 ret=0x1)
SSL: SSL_connect:before SSL initialization
OpenSSL: TX ver=0x0 content_type=256 (TLS header info/)
OpenSSL: Message - hexdump(len=5): 16 03 01 00 b9
OpenSSL: TX ver=0x303 content_type=22 (handshake/client hello)
OpenSSL: Message - hexdump(len=185): 01 00 00 b5 03 03 1b 3d 98 bc a7 84 22
ac bc ea b6 0b 29 46 61 c2 9f ce c7 b7 16 c9 39 2c 4e 6e 33 ec c0 56 c3 a3
00 00 38 c0 2c c0 30 00 9f cc a9 cc a8 cc aa c0 2b c0 2f 00 9e c0 24 c0 28
00 6b c0 23 c0 27 00 67 c0 0a c0 14 00 39 c0 09 c0 13 00 33 00 9d 00 9c 00
3d 00 3c 00 35 00 2f 00 ff 01 00 00 54 00 0b 00 04 03 00 01 02 00 0a 00 0c
00 0a 00 1d 00 17 00 1e 00 19 00 18 00 16 00 00 00 17 00 00 00 0d 00 30 00
2e 04 03 05 03 06 03 08 07 08 08 08 09 08 0a 08 0b 08 04 08 05 08 06 04 01
05 01 06 01 03 03 02 03 03 01 02 01 03 02 02 02 04 02 05 02 06 02
SSL: (where=0x1001 ret=0x1)
SSL: SSL_connect:SSLv3/TLS write client hello
SSL: (where=0x1002 ret=0xffffffff)
SSL: SSL_connect:error in SSLv3/TLS write client hello
SSL: SSL_connect - want more data
SSL: 190 bytes pending from ssl_out
SSL: Using TLS version TLSv1.2
SSL: 190 bytes left to be sent out (of total 190 bytes)
EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL
eapRespData=0x5611437a4bc0
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
WPA: eapol_test_eapol_send(type=0 len=196)
TX EAP -> RADIUS - hexdump(len=196): 02 d8 00 c4 0d 00 16 03 01 00 b9 01 00
00 b5 03 03 1b 3d 98 bc a7 84 22 ac bc ea b6 0b 29 46 61 c2 9f ce c7 b7 16
c9 39 2c 4e 6e 33 ec c0 56 c3 a3 00 00 38 c0 2c c0 30 00 9f cc a9 cc a8 cc
aa c0 2b c0 2f 00 9e c0 24 c0 28 00 6b c0 23 c0 27 00 67 c0 0a c0 14 00 39
c0 09 c0 13 00 33 00 9d 00 9c 00 3d 00 3c 00 35 00 2f 00 ff 01 00 00 54 00
0b 00 04 03 00 01 02 00 0a 00 0c 00 0a 00 1d 00 17 00 1e 00 19 00 18 00 16
00 00 00 17 00 00 00 0d 00 30 00 2e 04 03 05 03 06 03 08 07 08 08 08 09 08
0a 08 0b 08 04 08 05 08 06 04 01 05 01 06 01 03 03 02 03 03 01 02 01 03 02
02 02 04 02 05 02 06 02
Encapsulating EAP message into a RADIUS packet
Copied RADIUS State Attribute
Sending RADIUS message to authentication server
RADIUS message: code=1 (Access-Request) identifier=1 length=339
Attribute 1 (User-Name) length=18
Value: 'user(a)example.org'
Attribute 4 (NAS-IP-Address) length=6
Value: 127.0.0.1
Attribute 31 (Calling-Station-Id) length=19
Value: '02-00-00-00-00-01'
Attribute 12 (Framed-MTU) length=6
Value: 1400
Attribute 61 (NAS-Port-Type) length=6
Value: 19
Attribute 6 (Service-Type) length=6
Value: 2
Attribute 77 (Connect-Info) length=24
Value: 'CONNECT 11Mbps 802.11b'
Attribute 79 (EAP-Message) length=198
Value:
02d800c40d0016030100b9010000b503031b3d98bca78422acbceab60b294661c29fcec7b716c9392c4e6e33ecc056c3a3000038c02cc030009fcca9cca8ccaac02bc02f009ec024c028006bc023c0270067c00ac0140039c009c0130033009d009c003d003c0035002f00ff01000054000b000403000102000a000c000a001d0017001e001900180016000000170000000d0030002e040305030603080708080809080a080b080408050806040105010601030302030301020103020202040205020602
Attribute 24 (State) length=18
Value: aa347fceaaec72ef097c289c52522f15
Attribute 80 (Message-Authenticator) length=18
Value: b0072648c7fc4843ddeba38fc453bdc9
Next RADIUS client retransmit in 3 seconds
EAPOL: SUPP_BE entering state RECEIVE
Received 1068 bytes from RADIUS server
Received RADIUS message
RADIUS message: code=11 (Access-Challenge) identifier=1 length=1068
Attribute 79 (EAP-Message) length=255
Value:
01d903ec0dc000000b4c160303003d020000390303bc1a6b13cc5dea63e9050c85097d4c4c264372c44f18ea99efb3bb51e25e5b5200c030000011ff01000100000b0004030001020017000016030308d30b0008cf0008cc0003de308203da308202c2a003020102020101300d06092a864886f70d01010b0500308193310b3009060355040613024652310f300d06035504080c065261646975733112301006035504070c09536f6d65776865726531153013060355040a0c0c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e6f72673126302406035504030c1d4578616d706c65204365
Attribute 79 (EAP-Message) length=255
Value:
72746966696361746520417574686f72697479301e170d3231303331363039323830375a170d3231303531353039323830375a307c310b3009060355040613024652310f300d06035504080c0652616469757331153013060355040a0c0c4578616d706c6520496e632e3123302106035504030c1a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100e60c668d77911657c17359444502070d118f228b300af1059fe5c22171445ae21ae185f228f39ffc1635ad
Attribute 79 (EAP-Message) length=255
Value:
117c6e81a92c2b2f6238d678101a3509a6cfdb97a5124fc000d0e0b1f181da41c78bb0c3b1ec7f8b8d8c788f26afc54bec7e9debd9b4a6db0292df11a77a4a6f79b87b2dc562299d8632ce95ecfccf84ee8f09548ea74db2ca3d22d4eecab11cd3912fab0bdb1209e7539775f531b7ab60ee9fd0917548d56f1b51c3c846aa639f2a58a529b114120016627c1f40e6bdfba932120078ce1bf18f1e025fc57ad91faa5714b53c23163a937966965822bc746471bf471224042c3e849a73d89664fad87ba84f301cd0b9f7108ea22a97aea52780ec810203010001a34f304d30130603551d25040c300a06082b0601050507030130360603551d1f042f30
Attribute 79 (EAP-Message) length=247
Value:
2d302ba029a0278625687474703a2f2f7777772e6578616d706c652e636f6d2f6578616d706c655f63612e63726c300d06092a864886f70d01010b05000382010100dc0f4f67853b3ade33a2865febcd0c6565e3d7da163766750b4abb4336c221d66aad925bbf1f5d8adc4089c0b1036666aca5a4dab2bcac8d7d7a7eba1e7ea45eef1591de763e9ac678095edd236e492e3cf5cc01046a124a30ae5b39026e04471a9cc3e4916f5111664ea9ba84057026bc361134e8e50db28a16e50ecc128b1c8486d4a7b0b3f5fd45cca37b76f0a76de15812ac21bd0e7611af2b70eea141b9a4665c1328b3dcecaad5870e045a183531487e
Attribute 80 (Message-Authenticator) length=18
Value: 49c027cf9dba8453817c9402bba5df63
Attribute 24 (State) length=18
Value: aa347fceabed72ef097c289c52522f15
STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending
request, round trip time 0.01 sec
RADIUS packet matching with station
decapsulated EAP packet (code=1 id=217 len=1004) from RADIUS server:
EAP-Request-TLS (13)
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request id=217 method=13 vendor=0 vendorMethod=0
EAP: EAP entering state METHOD
SSL: Received packet(len=1004) - Flags 0xc0
SSL: TLS Message Length: 2892
SSL: Need 1898 bytes more input data
SSL: Building ACK (type=13 id=217 ver=0)
EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL
eapRespData=0x56114378d1a0
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
WPA: eapol_test_eapol_send(type=0 len=6)
TX EAP -> RADIUS - hexdump(len=6): 02 d9 00 06 0d 00
Encapsulating EAP message into a RADIUS packet
Copied RADIUS State Attribute
Sending RADIUS message to authentication server
RADIUS message: code=1 (Access-Request) identifier=2 length=149
Attribute 1 (User-Name) length=18
Value: 'user(a)example.org'
Attribute 4 (NAS-IP-Address) length=6
Value: 127.0.0.1
Attribute 31 (Calling-Station-Id) length=19
Value: '02-00-00-00-00-01'
Attribute 12 (Framed-MTU) length=6
Value: 1400
Attribute 61 (NAS-Port-Type) length=6
Value: 19
Attribute 6 (Service-Type) length=6
Value: 2
Attribute 77 (Connect-Info) length=24
Value: 'CONNECT 11Mbps 802.11b'
Attribute 79 (EAP-Message) length=8
Value: 02d900060d00
Attribute 24 (State) length=18
Value: aa347fceabed72ef097c289c52522f15
Attribute 80 (Message-Authenticator) length=18
Value: 8af5cff392c3c170630561ca7c697518
Next RADIUS client retransmit in 3 seconds
EAPOL: SUPP_BE entering state RECEIVE
Received 1068 bytes from RADIUS server
Received RADIUS message
RADIUS message: code=11 (Access-Challenge) identifier=2 length=1068
Attribute 79 (EAP-Message) length=255
Value:
01da03ec0dc000000b4cf02e4e7561f0f9cb84fe8f51895909c4e1e1020c846d52676ab84e3e12d4f85d7fa52bb9a5cf091e9d74689a30558695645d79c0f47cc585aee8652e8ffaaad7823760e98f2ba4fc9b6d1392c80004e8308204e4308203cca003020102020900bb0c92dddf3c4381300d06092a864886f70d01010b0500308193310b3009060355040613024652310f300d06035504080c065261646975733112301006035504070c09536f6d65776865726531153013060355040a0c0c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e6f72673126302406035504030c1d457861
Attribute 79 (EAP-Message) length=255
Value:
6d706c6520436572746966696361746520417574686f72697479301e170d3231303331363039323830375a170d3231303531353039323830375a308193310b3009060355040613024652310f300d06035504080c065261646975733112301006035504070c09536f6d65776865726531153013060355040a0c0c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e6f72673126302406035504030c1d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100f0ac730397f6a3e9055b5efc
Attribute 79 (EAP-Message) length=255
Value:
56a5639700e3e50faca2f9d7a13d7247eb296df311f13eaa4ad8ea562b708bccb8ff17374b39dde5126a72cd16858e65fe7ee070533087e2fe3b7a083333f08d74a83383bba797f32e3cb3c103ddd70ac2e77c4468ca8b23fc832b0d373dde6ecc49227d8f3485eb569210321e4fe0051b1ae540acc13c291f5cd8e7e3aa9d82621822c59871c76aef94796232e6372a698b17309cf3a0263ae4fc979ccf95b4cd7b0a2b6d290606ce389c87cd16949d26ba518cb84d82e3e99b6203909bef23c9dbca95cbd80bfeed78a3b750c705c19a93228796b8a42da9b433b51249492630518660c4d3fe2de4ef6d2e38711c9400cff56f0203010001a3820137
Attribute 79 (EAP-Message) length=247
Value:
30820133301d0603551d0e0416041436faeca1c632b8ed66ef198633d92e2ffd957deb3081c80603551d230481c03081bd801436faeca1c632b8ed66ef198633d92e2ffd957deba18199a48196308193310b3009060355040613024652310f300d06035504080c065261646975733112301006035504070c09536f6d65776865726531153013060355040a0c0c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e6f72673126302406035504030c1d4578616d706c6520436572746966696361746520417574686f72697479820900bb0c92dddf3c4381300f0603551d13
Attribute 80 (Message-Authenticator) length=18
Value: 4702e89e13b305d43645db58e18ab025
Attribute 24 (State) length=18
Value: aa347fcea8ee72ef097c289c52522f15
STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending
request, round trip time 0.00 sec
RADIUS packet matching with station
decapsulated EAP packet (code=1 id=218 len=1004) from RADIUS server:
EAP-Request-TLS (13)
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request id=218 method=13 vendor=0 vendorMethod=0
EAP: EAP entering state METHOD
SSL: Received packet(len=1004) - Flags 0xc0
SSL: TLS Message Length: 2892
SSL: Need 904 bytes more input data
SSL: Building ACK (type=13 id=218 ver=0)
EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL
eapRespData=0x56114378d940
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
WPA: eapol_test_eapol_send(type=0 len=6)
TX EAP -> RADIUS - hexdump(len=6): 02 da 00 06 0d 00
Encapsulating EAP message into a RADIUS packet
Copied RADIUS State Attribute
Sending RADIUS message to authentication server
RADIUS message: code=1 (Access-Request) identifier=3 length=149
Attribute 1 (User-Name) length=18
Value: 'user(a)example.org'
Attribute 4 (NAS-IP-Address) length=6
Value: 127.0.0.1
Attribute 31 (Calling-Station-Id) length=19
Value: '02-00-00-00-00-01'
Attribute 12 (Framed-MTU) length=6
Value: 1400
Attribute 61 (NAS-Port-Type) length=6
Value: 19
Attribute 6 (Service-Type) length=6
Value: 2
Attribute 77 (Connect-Info) length=24
Value: 'CONNECT 11Mbps 802.11b'
Attribute 79 (EAP-Message) length=8
Value: 02da00060d00
Attribute 24 (State) length=18
Value: aa347fcea8ee72ef097c289c52522f15
Attribute 80 (Message-Authenticator) length=18
Value: 45709548701bd90ff57e1db3f666d78a
Next RADIUS client retransmit in 3 seconds
EAPOL: SUPP_BE entering state RECEIVE
Received 978 bytes from RADIUS server
Received RADIUS message
RADIUS message: code=11 (Access-Challenge) identifier=3 length=978
Attribute 79 (EAP-Message) length=255
Value:
01db03920d8000000b4c0101ff040530030101ff30360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e6f72672f6578616d706c655f63612e63726c300d06092a864886f70d01010b0500038201010041d77ac245c65a585a7d6034f30d084b90ab6185e7bbfd5b9be594fecfd28b9ce54b547373f2a600ff33e8b5f631891f410e9fc39184f77e1f21d43de5f2e8d9c40b7f4733fd3aac73e8754898ec9c4ec680be324f0188ece7a766aedd9909ebf3f4633f98fb6cb82f50b2d9e7792b2b81d3cb770cdf582d1c3619f0d6e0f37b41f53f999571796de3b7066c603e19eb94f71ffedb2726877a58cb4644
Attribute 79 (EAP-Message) length=255
Value:
2486454d2351a238ecca5643148a1760bb130b1365ddc4727aaedefa990c3f946dd3f9955b2f93b6921dec7b95f71150f6a542f8069af90d06e2052de1b313c3f74454a35b94cbd76941ba606c10718686ff78773d1b238545af43b9ad907b3ba9e317160303014d0c00014903001741041fa4d324ecdcd9703322b9ccead9c2c2935aaec8fce1c5177e1fbe207d7ff417d5aeede3bd4fab5a6d197bca25989dcb5a66332f085c745c58f5b5a2d5f3daf708040100e3aeec223a851faf41164148eb6638701664cc64aaabc2d0e882317040836900a1d51f31f42ae5408201ade6d0eebd17046c021939fadedabd7cedd722155d18fb36d96a9e7bbbcf
Attribute 79 (EAP-Message) length=255
Value:
238546280f47532776242c4995f00b660da7f4f300ca18ce08627d013941f631c02aa867574210a992286924f554401ef59c65642a3cd0b1c6219dedfda93fd57abcb5dadaaef99daab26d902d90b5723c6ff50b041ed3396548ced13e309a41b8c557085dd78db41383230be844dd735d8a9f629becae7b7201d9b3a66dc911c866cff330896062009caa9df7e1a0af3799a1ceccc03221d27f2c6826d7924f0d550b66a4f28c80a365cb9a9b2f5c0492830007d81236e416030300d20d0000ce03010240002e040305030603080708080809080a080b0804080508060401050106010303020303010201030202020402050206020098009630819331
Attribute 79 (EAP-Message) length=157
Value:
0b3009060355040613024652310f300d06035504080c065261646975733112301006035504070c09536f6d65776865726531153013060355040a0c0c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e6f72673126302406035504030c1d4578616d706c6520436572746966696361746520417574686f7269747916030300040e000000
Attribute 80 (Message-Authenticator) length=18
Value: 9d5dbfea54692e6839da04a4db24ea2b
Attribute 24 (State) length=18
Value: aa347fcea9ef72ef097c289c52522f15
STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending
request, round trip time 0.01 sec
RADIUS packet matching with station
decapsulated EAP packet (code=1 id=219 len=914) from RADIUS server:
EAP-Request-TLS (13)
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request id=219 method=13 vendor=0 vendorMethod=0
EAP: EAP entering state METHOD
SSL: Received packet(len=914) - Flags 0x80
SSL: TLS Message Length: 2892
OpenSSL: RX ver=0x0 content_type=256 (TLS header info/)
OpenSSL: Message - hexdump(len=5): 16 03 03 00 3d
SSL: (where=0x1001 ret=0x1)
SSL: SSL_connect:SSLv3/TLS write client hello
OpenSSL: RX ver=0x303 content_type=22 (handshake/server hello)
OpenSSL: Message - hexdump(len=61): 02 00 00 39 03 03 bc 1a 6b 13 cc 5d ea
63 e9 05 0c 85 09 7d 4c 4c 26 43 72 c4 4f 18 ea 99 ef b3 bb 51 e2 5e 5b 52
00 c0 30 00 00 11 ff 01 00 01 00 00 0b 00 04 03 00 01 02 00 17 00 00
OpenSSL: RX ver=0x0 content_type=256 (TLS header info/)
OpenSSL: Message - hexdump(len=5): 16 03 03 08 d3
SSL: (where=0x1001 ret=0x1)
SSL: SSL_connect:SSLv3/TLS read server hello
OpenSSL: RX ver=0x303 content_type=22 (handshake/certificate)
OpenSSL: Message - hexdump(len=2259): 0b 00 08 cf 00 08 cc 00 03 de 30 82
03 da 30 82 02 c2 a0 03 02 01 02 02 01 01 30 0d 06 09 2a 86 48 86 f7 0d 01
01 0b 05 00 30 81 93 31 0b 30 09 06 03 55 04 06 13 02 46 52 31 0f 30 0d 06
03 55 04 08 0c 06 52 61 64 69 75 73 31 12 30 10 06 03 55 04 07 0c 09 53 6f
6d 65 77 68 65 72 65 31 15 30 13 06 03 55 04 0a 0c 0c 45 78 61 6d 70 6c 65
20 49 6e 63 2e 31 20 30 1e 06 09 2a 86 48 86 f7 0d 01 09 01 16 11 61 64 6d
69 6e 40 65 78 61 6d 70 6c 65 2e 6f 72 67 31 26 30 24 06 03 55 04 03 0c 1d
45 78 61 6d 70 6c 65 20 43 65 72 74 69 66 69 63 61 74 65 20 41 75 74 68 6f
72 69 74 79 30 1e 17 0d 32 31 30 33 31 36 30 39 32 38 30 37 5a 17 0d 32 31
30 35 31 35 30 39 32 38 30 37 5a 30 7c 31 0b 30 09 06 03 55 04 06 13 02 46
52 31 0f 30 0d 06 03 55 04 08 0c 06 52 61 64 69 75 73 31 15 30 13 06 03 55
04 0a 0c 0c 45 78 61 6d 70 6c 65 20 49 6e 63 2e 31 23 30 21 06 03 55 04 03
0c 1a 45 78 61 6d 70 6c 65 20 53 65 72 76 65 72 20 43 65 72 74 69 66 69 63
61 74 65 31 20 30 1e 06 09 2a 86 48 86 f7 0d 01 09 01 16 11 61 64 6d 69 6e
40 65 78 61 6d 70 6c 65 2e 6f 72 67 30 82 01 22 30 0d 06 09 2a 86 48 86 f7
0d 01 01 01 05 00 03 82 01 0f 00 30 82 01 0a 02 82 01 01 00 e6 0c 66 8d 77
91 16 57 c1 73 59 44 45 02 07 0d 11 8f 22 8b 30 0a f1 05 9f e5 c2 21 71 44
5a e2 1a e1 85 f2 28 f3 9f fc 16 35 ad 11 7c 6e 81 a9 2c 2b 2f 62 38 d6 78
10 1a 35 09 a6 cf db 97 a5 12 4f c0 00 d0 e0 b1 f1 81 da 41 c7 8b b0 c3 b1
ec 7f 8b 8d 8c 78 8f 26 af c5 4b ec 7e 9d eb d9 b4 a6 db 02 92 df 11 a7 7a
4a 6f 79 b8 7b 2d c5 62 29 9d 86 32 ce 95 ec fc cf 84 ee 8f 09 54 8e a7 4d
b2 ca 3d 22 d4 ee ca b1 1c d3 91 2f ab 0b db 12 09 e7 53 97 75 f5 31 b7 ab
60 ee 9f d0 91 75 48 d5 6f 1b 51 c3 c8 46 aa 63 9f 2a 58 a5 29 b1 14 12 00
16 62 7c 1f 40 e6 bd fb a9 32 12 00 78 ce 1b f1 8f 1e 02 5f c5 7a d9 1f aa
57 14 b5 3c 23 16 3a 93 79 66 96 58 22 bc 74 64 71 bf 47 12 24 04 2c 3e 84
9a 73 d8 96 64 fa d8 7b a8 4f 30 1c d0 b9 f7 10 8e a2 2a 97 ae a5 27 80 ec
81 02 03 01 00 01 a3 4f 30 4d 30 13 06 03 55 1d 25 04 0c 30 0a 06 08 2b 06
01 05 05 07 03 01 30 36 06 03 55 1d 1f 04 2f 30 2d 30 2b a0 29 a0 27 86 25
68 74 74 70 3a 2f 2f 77 77 77 2e 65 78 61 6d 70 6c 65 2e 63 6f 6d 2f 65 78
61 6d 70 6c 65 5f 63 61 2e 63 72 6c 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b
05 00 03 82 01 01 00 dc 0f 4f 67 85 3b 3a de 33 a2 86 5f eb cd 0c 65 65 e3
d7 da 16 37 66 75 0b 4a bb 43 36 c2 21 d6 6a ad 92 5b bf 1f 5d 8a dc 40 89
c0 b1 03 66 66 ac a5 a4 da b2 bc ac 8d 7d 7a 7e ba 1e 7e a4 5e ef 15 91 de
76 3e 9a c6 78 09 5e dd 23 6e 49 2e 3c f5 cc 01 04 6a 12 4a 30 ae 5b 39 02
6e 04 47 1a 9c c3 e4 91 6f 51 11 66 4e a9 ba 84 05 70 26 bc 36 11 34 e8 e5
0d b2 8a 16 e5 0e cc 12 8b 1c 84 86 d4 a7 b0 b3 f5 fd 45 cc a3 7b 76 f0 a7
6d e1 58 12 ac 21 bd 0e 76 11 af 2b 70 ee a1 41 b9 a4 66 5c 13 28 b3 dc ec
aa d5 87 0e 04 5a 18 35 31 48 7e f0 2e 4e 75 61 f0 f9 cb 84 fe 8f 51 89 59
09 c4 e1 e1 02 0c 84 6d 52 67 6a b8 4e 3e 12 d4 f8 5d 7f a5 2b b9 a5 cf 09
1e 9d 74 68 9a 30 55 86 95 64 5d 79 c0 f4 7c c5 85 ae e8 65 2e 8f fa aa d7
82 37 60 e9 8f 2b a4 fc 9b 6d 13 92 c8 00 04 e8 30 82 04 e4 30 82 03 cc a0
03 02 01 02 02 09 00 bb 0c 92 dd df 3c 43 81 30 0d 06 09 2a 86 48 86 f7 0d
01 01 0b 05 00 30 81 93 31 0b 30 09 06 03 55 04 06 13 02 46 52 31 0f 30 0d
06 03 55 04 08 0c 06 52 61 64 69 75 73 31 12 30 10 06 03 55 04 07 0c 09 53
6f 6d 65 77 68 65 72 65 31 15 30 13 06 03 55 04 0a 0c 0c 45 78 61 6d 70 6c
65 20 49 6e 63 2e 31 20 30 1e 06 09 2a 86 48 86 f7 0d 01 09 01 16 11 61 64
6d 69 6e 40 65 78 61 6d 70 6c 65 2e 6f 72 67 31 26 30 24 06 03 55 04 03 0c
1d 45 78 61 6d 70 6c 65 20 43 65 72 74 69 66 69 63 61 74 65 20 41 75 74 68
6f 72 69 74 79 30 1e 17 0d 32 31 30 33 31 36 30 39 32 38 30 37 5a 17 0d 32
31 30 35 31 35 30 39 32 38 30 37 5a 30 81 93 31 0b 30 09 06 03 55 04 06 13
02 46 52 31 0f 30 0d 06 03 55 04 08 0c 06 52 61 64 69 75 73 31 12 30 10 06
03 55 04 07 0c 09 53 6f 6d 65 77 68 65 72 65 31 15 30 13 06 03 55 04 0a 0c
0c 45 78 61 6d 70 6c 65 20 49 6e 63 2e 31 20 30 1e 06 09 2a 86 48 86 f7 0d
01 09 01 16 11 61 64 6d 69 6e 40 65 78 61 6d 70 6c 65 2e 6f 72 67 31 26 30
24 06 03 55 04 03 0c 1d 45 78 61 6d 70 6c 65 20 43 65 72 74 69 66 69 63 61
74 65 20 41 75 74 68 6f 72 69 74 79 30 82 01 22 30 0d 06 09 2a 86 48 86 f7
0d 01 01 01 05 00 03 82 01 0f 00 30 82 01 0a 02 82 01 01 00 f0 ac 73 03 97
f6 a3 e9 05 5b 5e fc 56 a5 63 97 00 e3 e5 0f ac a2 f9 d7 a1 3d 72 47 eb 29
6d f3 11 f1 3e aa 4a d8 ea 56 2b 70 8b cc b8 ff 17 37 4b 39 dd e5 12 6a 72
cd 16 85 8e 65 fe 7e e0 70 53 30 87 e2 fe 3b 7a 08 33 33 f0 8d 74 a8 33 83
bb a7 97 f3 2e 3c b3 c1 03 dd d7 0a c2 e7 7c 44 68 ca 8b 23 fc 83 2b 0d 37
3d de 6e cc 49 22 7d 8f 34 85 eb 56 92 10 32 1e 4f e0 05 1b 1a e5 40 ac c1
3c 29 1f 5c d8 e7 e3 aa 9d 82 62 18 22 c5 98 71 c7 6a ef 94 79 62 32 e6 37
2a 69 8b 17 30 9c f3 a0 26 3a e4 fc 97 9c cf 95 b4 cd 7b 0a 2b 6d 29 06 06
ce 38 9c 87 cd 16 94 9d 26 ba 51 8c b8 4d 82 e3 e9 9b 62 03 90 9b ef 23 c9
db ca 95 cb d8 0b fe ed 78 a3 b7 50 c7 05 c1 9a 93 22 87 96 b8 a4 2d a9 b4
33 b5 12 49 49 26 30 51 86 60 c4 d3 fe 2d e4 ef 6d 2e 38 71 1c 94 00 cf f5
6f 02 03 01 00 01 a3 82 01 37 30 82 01 33 30 1d 06 03 55 1d 0e 04 16 04 14
36 fa ec a1 c6 32 b8 ed 66 ef 19 86 33 d9 2e 2f fd 95 7d eb 30 81 c8 06 03
55 1d 23 04 81 c0 30 81 bd 80 14 36 fa ec a1 c6 32 b8 ed 66 ef 19 86 33 d9
2e 2f fd 95 7d eb a1 81 99 a4 81 96 30 81 93 31 0b 30 09 06 03 55 04 06 13
02 46 52 31 0f 30 0d 06 03 55 04 08 0c 06 52 61 64 69 75 73 31 12 30 10 06
03 55 04 07 0c 09 53 6f 6d 65 77 68 65 72 65 31 15 30 13 06 03 55 04 0a 0c
0c 45 78 61 6d 70 6c 65 20 49 6e 63 2e 31 20 30 1e 06 09 2a 86 48 86 f7 0d
01 09 01 16 11 61 64 6d 69 6e 40 65 78 61 6d 70 6c 65 2e 6f 72 67 31 26 30
24 06 03 55 04 03 0c 1d 45 78 61 6d 70 6c 65 20 43 65 72 74 69 66 69 63 61
74 65 20 41 75 74 68 6f 72 69 74 79 82 09 00 bb 0c 92 dd df 3c 43 81 30 0f
06 03 55 1d 13 01 01 ff 04 05 30 03 01 01 ff 30 36 06 03 55 1d 1f 04 2f 30
2d 30 2b a0 29 a0 27 86 25 68 74 74 70 3a 2f 2f 77 77 77 2e 65 78 61 6d 70
6c 65 2e 6f 72 67 2f 65 78 61 6d 70 6c 65 5f 63 61 2e 63 72 6c 30 0d 06 09
2a 86 48 86 f7 0d 01 01 0b 05 00 03 82 01 01 00 41 d7 7a c2 45 c6 5a 58 5a
7d 60 34 f3 0d 08 4b 90 ab 61 85 e7 bb fd 5b 9b e5 94 fe cf d2 8b 9c e5 4b
54 73 73 f2 a6 00 ff 33 e8 b5 f6 31 89 1f 41 0e 9f c3 91 84 f7 7e 1f 21 d4
3d e5 f2 e8 d9 c4 0b 7f 47 33 fd 3a ac 73 e8 75 48 98 ec 9c 4e c6 80 be 32
4f 01 88 ec e7 a7 66 ae dd 99 09 eb f3 f4 63 3f 98 fb 6c b8 2f 50 b2 d9 e7
79 2b 2b 81 d3 cb 77 0c df 58 2d 1c 36 19 f0 d6 e0 f3 7b 41 f5 3f 99 95 71
79 6d e3 b7 06 6c 60 3e 19 eb 94 f7 1f fe db 27 26 87 7a 58 cb 46 44 24 86
45 4d 23 51 a2 38 ec ca 56 43 14 8a 17 60 bb 13 0b 13 65 dd c4 72 7a ae de
fa 99 0c 3f 94 6d d3 f9 95 5b 2f 93 b6 92 1d ec 7b 95 f7 11 50 f6 a5 42 f8
06 9a f9 0d 06 e2 05 2d e1 b3 13 c3 f7 44 54 a3 5b 94 cb d7 69 41 ba 60 6c
10 71 86 86 ff 78 77 3d 1b 23 85 45 af 43 b9 ad 90 7b 3b a9 e3 17
CTRL-EVENT-EAP-PEER-CERT depth=1
subject='/C=FR/ST=Radius/L=Somewhere/O=Example Inc./emailAddress=
admin(a)example.org/CN=Example Certificate Authority'
hash=9d456a5fced0d932da7ccb21b900591988002f480553305485641be5b69da525
TLS: tls_verify_cb - preverify_ok=1 err=0 (ok) ca_cert_verify=1 depth=1
buf='/C=FR/ST=Radius/L=Somewhere/O=Example Inc./emailAddress=
admin(a)example.org/CN=Example Certificate Authority'
CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/C=FR/ST=Radius/O=Example
Inc./CN=Example Server Certificate/emailAddress=admin(a)example.org'
hash=4ab60573f5742f8783313b2d83c159be28fc5615016fcf25caa73dc1c8f82f75
TLS: tls_verify_cb - preverify_ok=1 err=0 (ok) ca_cert_verify=1 depth=0
buf='/C=FR/ST=Radius/O=Example Inc./CN=Example Server
Certificate/emailAddress=admin(a)example.org'
EAP: Status notification: remote certificate verification (param=success)
OpenSSL: RX ver=0x0 content_type=256 (TLS header info/)
OpenSSL: Message - hexdump(len=5): 16 03 03 01 4d
SSL: (where=0x1001 ret=0x1)
SSL: SSL_connect:SSLv3/TLS read server certificate
OpenSSL: RX ver=0x303 content_type=22 (handshake/server key exchange)
OpenSSL: Message - hexdump(len=333): 0c 00 01 49 03 00 17 41 04 1f a4 d3 24
ec dc d9 70 33 22 b9 cc ea d9 c2 c2 93 5a ae c8 fc e1 c5 17 7e 1f be 20 7d
7f f4 17 d5 ae ed e3 bd 4f ab 5a 6d 19 7b ca 25 98 9d cb 5a 66 33 2f 08 5c
74 5c 58 f5 b5 a2 d5 f3 da f7 08 04 01 00 e3 ae ec 22 3a 85 1f af 41 16 41
48 eb 66 38 70 16 64 cc 64 aa ab c2 d0 e8 82 31 70 40 83 69 00 a1 d5 1f 31
f4 2a e5 40 82 01 ad e6 d0 ee bd 17 04 6c 02 19 39 fa de da bd 7c ed d7 22
15 5d 18 fb 36 d9 6a 9e 7b bb cf 23 85 46 28 0f 47 53 27 76 24 2c 49 95 f0
0b 66 0d a7 f4 f3 00 ca 18 ce 08 62 7d 01 39 41 f6 31 c0 2a a8 67 57 42 10
a9 92 28 69 24 f5 54 40 1e f5 9c 65 64 2a 3c d0 b1 c6 21 9d ed fd a9 3f d5
7a bc b5 da da ae f9 9d aa b2 6d 90 2d 90 b5 72 3c 6f f5 0b 04 1e d3 39 65
48 ce d1 3e 30 9a 41 b8 c5 57 08 5d d7 8d b4 13 83 23 0b e8 44 dd 73 5d 8a
9f 62 9b ec ae 7b 72 01 d9 b3 a6 6d c9 11 c8 66 cf f3 30 89 60 62 00 9c aa
9d f7 e1 a0 af 37 99 a1 ce cc c0 32 21 d2 7f 2c 68 26 d7 92 4f 0d 55 0b 66
a4 f2 8c 80 a3 65 cb 9a 9b 2f 5c 04 92 83 00 07 d8 12 36 e4
OpenSSL: RX ver=0x0 content_type=256 (TLS header info/)
OpenSSL: Message - hexdump(len=5): 16 03 03 00 d2
SSL: (where=0x1001 ret=0x1)
SSL: SSL_connect:SSLv3/TLS read server key exchange
OpenSSL: RX ver=0x303 content_type=22 (handshake/certificate request)
OpenSSL: Message - hexdump(len=210): 0d 00 00 ce 03 01 02 40 00 2e 04 03 05
03 06 03 08 07 08 08 08 09 08 0a 08 0b 08 04 08 05 08 06 04 01 05 01 06 01
03 03 02 03 03 01 02 01 03 02 02 02 04 02 05 02 06 02 00 98 00 96 30 81 93
31 0b 30 09 06 03 55 04 06 13 02 46 52 31 0f 30 0d 06 03 55 04 08 0c 06 52
61 64 69 75 73 31 12 30 10 06 03 55 04 07 0c 09 53 6f 6d 65 77 68 65 72 65
31 15 30 13 06 03 55 04 0a 0c 0c 45 78 61 6d 70 6c 65 20 49 6e 63 2e 31 20
30 1e 06 09 2a 86 48 86 f7 0d 01 09 01 16 11 61 64 6d 69 6e 40 65 78 61 6d
70 6c 65 2e 6f 72 67 31 26 30 24 06 03 55 04 03 0c 1d 45 78 61 6d 70 6c 65
20 43 65 72 74 69 66 69 63 61 74 65 20 41 75 74 68 6f 72 69 74 79
OpenSSL: RX ver=0x0 content_type=256 (TLS header info/)
OpenSSL: Message - hexdump(len=5): 16 03 03 00 04
SSL: (where=0x1001 ret=0x1)
SSL: SSL_connect:SSLv3/TLS read server certificate request
OpenSSL: RX ver=0x303 content_type=22 (handshake/server hello done)
OpenSSL: Message - hexdump(len=4): 0e 00 00 00
SSL: (where=0x1001 ret=0x1)
SSL: SSL_connect:SSLv3/TLS read server done
OpenSSL: TX ver=0x0 content_type=256 (TLS header info/)
OpenSSL: Message - hexdump(len=5): 16 03 03 08 c8
OpenSSL: TX ver=0x303 content_type=22 (handshake/certificate)
OpenSSL: Message - hexdump(len=2248): 0b 00 08 c4 00 08 c1 00 03 d3 30 82
03 cf 30 82 02 b7 a0 03 02 01 02 02 01 02 30 0d 06 09 2a 86 48 86 f7 0d 01
01 0b 05 00 30 81 93 31 0b 30 09 06 03 55 04 06 13 02 46 52 31 0f 30 0d 06
03 55 04 08 0c 06 52 61 64 69 75 73 31 12 30 10 06 03 55 04 07 0c 09 53 6f
6d 65 77 68 65 72 65 31 15 30 13 06 03 55 04 0a 0c 0c 45 78 61 6d 70 6c 65
20 49 6e 63 2e 31 20 30 1e 06 09 2a 86 48 86 f7 0d 01 09 01 16 11 61 64 6d
69 6e 40 65 78 61 6d 70 6c 65 2e 6f 72 67 31 26 30 24 06 03 55 04 03 0c 1d
45 78 61 6d 70 6c 65 20 43 65 72 74 69 66 69 63 61 74 65 20 41 75 74 68 6f
72 69 74 79 30 1e 17 0d 32 31 30 33 31 36 30 39 32 38 30 38 5a 17 0d 32 31
30 35 31 35 30 39 32 38 30 38 5a 30 71 31 0b 30 09 06 03 55 04 06 13 02 46
52 31 0f 30 0d 06 03 55 04 08 0c 06 52 61 64 69 75 73 31 15 30 13 06 03 55
04 0a 0c 0c 45 78 61 6d 70 6c 65 20 49 6e 63 2e 31 19 30 17 06 03 55 04 03
0c 10 75 73 65 72 40 65 78 61 6d 70 6c 65 2e 6f 72 67 31 1f 30 1d 06 09 2a
86 48 86 f7 0d 01 09 01 16 10 75 73 65 72 40 65 78 61 6d 70 6c 65 2e 6f 72
67 30 82 01 22 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 82 01 0f 00
30 82 01 0a 02 82 01 01 00 b1 0e 9c 59 89 23 56 26 2f 83 59 c2 bf bb 36 80
3b 01 2b dd a2 dc 7c 4a de 6e 47 43 79 e6 bf c6 d2 4a 08 61 48 f5 15 88 c1
21 af dd c6 3b 89 dd 4c 67 3f 60 d8 02 ff 96 3c 7a 43 25 1f ba 3f 38 e8 1e
84 71 94 db 73 39 68 38 f0 46 e1 68 50 21 b1 fc ea 84 42 22 2a 21 9a bb 73
77 a9 6b 02 4e f0 20 8b f9 d0 40 a2 e9 2e 25 d5 e7 6f 1d b2 79 65 37 dd 14
08 ca 6f 75 ce 67 82 20 cc fa c4 d9 6d 52 a0 e6 bd 13 22 45 49 37 33 fc 3e
33 fc dc 5e 43 b5 e3 6b b2 77 39 aa 04 da bf cc ae b5 70 ab a1 31 81 c5 ed
00 40 70 1e 97 27 bd 03 0a 67 dd ec 87 f9 a8 5a 0d 3e 4c ea 61 35 4e e6 14
4a 6a e7 58 ce 4b 5a b6 63 2a f2 31 85 e2 e2 d9 5d c1 05 e2 17 71 5b d0 f3
86 1a 93 c7 b1 f8 96 b3 f2 8b 33 86 1e 49 48 6d 94 ab 9b bf 1f 9d a4 5a cb
0d 25 3c 8f 95 bd 42 86 cc c0 e5 dd 52 0c 29 02 03 01 00 01 a3 4f 30 4d 30
13 06 03 55 1d 25 04 0c 30 0a 06 08 2b 06 01 05 05 07 03 02 30 36 06 03 55
1d 1f 04 2f 30 2d 30 2b a0 29 a0 27 86 25 68 74 74 70 3a 2f 2f 77 77 77 2e
65 78 61 6d 70 6c 65 2e 63 6f 6d 2f 65 78 61 6d 70 6c 65 5f 63 61 2e 63 72
6c 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 03 82 01 01 00 27 ec bd 50
cf 4a 7c 05 3d f9 0e 67 50 da 7e 41 0b 98 58 44 fe eb e8 ae 79 b6 c5 b3 d8
41 67 ec 73 3a 57 fd f9 78 e9 2f 8d 28 97 d2 75 ad d1 e0 81 a1 d4 5d 01 e4
57 60 0b b8 31 4c f0 e9 14 5e c9 34 f2 c7 e2 25 bf f8 bd 86 0a 18 37 1e 6e
79 6f de b7 cd d8 c8 68 f5 0a 44 cc 89 1d 84 08 39 5a d5 83 4c b7 67 1f d7
6c 5a 20 05 9a af 62 4d 34 d5 c4 7f 40 79 8a cb 7c 7d b2 ff 55 f1 48 77 b1
bd 2e ae 92 c4 0c c5 d4 5a 8e 6b 46 1a ca fb 80 93 f4 18 be 2a a2 c3 e9 20
3f 86 ad 57 ef 29 a9 87 26 32 15 2e b8 28 d3 62 84 bc 8a 0c 48 8c c0 dd b2
37 00 44 43 bf 23 80 74 5a 3f 2b e6 28 1e 1f de e4 e0 7d 63 59 ad 22 24 ef
79 9a da ba c0 61 b0 07 f9 9e 72 90 c1 2a 22 67 83 d0 a8 86 8c 21 3b 2e ff
7e 5a 47 30 bd 3d 98 d0 5e 13 64 4f 6a f4 31 99 79 09 4f 20 70 7f 64 d5 36
67 a2 00 04 e8 30 82 04 e4 30 82 03 cc a0 03 02 01 02 02 09 00 bb 0c 92 dd
df 3c 43 81 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 81 93 31 0b 30
09 06 03 55 04 06 13 02 46 52 31 0f 30 0d 06 03 55 04 08 0c 06 52 61 64 69
75 73 31 12 30 10 06 03 55 04 07 0c 09 53 6f 6d 65 77 68 65 72 65 31 15 30
13 06 03 55 04 0a 0c 0c 45 78 61 6d 70 6c 65 20 49 6e 63 2e 31 20 30 1e 06
09 2a 86 48 86 f7 0d 01 09 01 16 11 61 64 6d 69 6e 40 65 78 61 6d 70 6c 65
2e 6f 72 67 31 26 30 24 06 03 55 04 03 0c 1d 45 78 61 6d 70 6c 65 20 43 65
72 74 69 66 69 63 61 74 65 20 41 75 74 68 6f 72 69 74 79 30 1e 17 0d 32 31
30 33 31 36 30 39 32 38 30 37 5a 17 0d 32 31 30 35 31 35 30 39 32 38 30 37
5a 30 81 93 31 0b 30 09 06 03 55 04 06 13 02 46 52 31 0f 30 0d 06 03 55 04
08 0c 06 52 61 64 69 75 73 31 12 30 10 06 03 55 04 07 0c 09 53 6f 6d 65 77
68 65 72 65 31 15 30 13 06 03 55 04 0a 0c 0c 45 78 61 6d 70 6c 65 20 49 6e
63 2e 31 20 30 1e 06 09 2a 86 48 86 f7 0d 01 09 01 16 11 61 64 6d 69 6e 40
65 78 61 6d 70 6c 65 2e 6f 72 67 31 26 30 24 06 03 55 04 03 0c 1d 45 78 61
6d 70 6c 65 20 43 65 72 74 69 66 69 63 61 74 65 20 41 75 74 68 6f 72 69 74
79 30 82 01 22 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 82 01 0f 00
30 82 01 0a 02 82 01 01 00 f0 ac 73 03 97 f6 a3 e9 05 5b 5e fc 56 a5 63 97
00 e3 e5 0f ac a2 f9 d7 a1 3d 72 47 eb 29 6d f3 11 f1 3e aa 4a d8 ea 56 2b
70 8b cc b8 ff 17 37 4b 39 dd e5 12 6a 72 cd 16 85 8e 65 fe 7e e0 70 53 30
87 e2 fe 3b 7a 08 33 33 f0 8d 74 a8 33 83 bb a7 97 f3 2e 3c b3 c1 03 dd d7
0a c2 e7 7c 44 68 ca 8b 23 fc 83 2b 0d 37 3d de 6e cc 49 22 7d 8f 34 85 eb
56 92 10 32 1e 4f e0 05 1b 1a e5 40 ac c1 3c 29 1f 5c d8 e7 e3 aa 9d 82 62
18 22 c5 98 71 c7 6a ef 94 79 62 32 e6 37 2a 69 8b 17 30 9c f3 a0 26 3a e4
fc 97 9c cf 95 b4 cd 7b 0a 2b 6d 29 06 06 ce 38 9c 87 cd 16 94 9d 26 ba 51
8c b8 4d 82 e3 e9 9b 62 03 90 9b ef 23 c9 db ca 95 cb d8 0b fe ed 78 a3 b7
50 c7 05 c1 9a 93 22 87 96 b8 a4 2d a9 b4 33 b5 12 49 49 26 30 51 86 60 c4
d3 fe 2d e4 ef 6d 2e 38 71 1c 94 00 cf f5 6f 02 03 01 00 01 a3 82 01 37 30
82 01 33 30 1d 06 03 55 1d 0e 04 16 04 14 36 fa ec a1 c6 32 b8 ed 66 ef 19
86 33 d9 2e 2f fd 95 7d eb 30 81 c8 06 03 55 1d 23 04 81 c0 30 81 bd 80 14
36 fa ec a1 c6 32 b8 ed 66 ef 19 86 33 d9 2e 2f fd 95 7d eb a1 81 99 a4 81
96 30 81 93 31 0b 30 09 06 03 55 04 06 13 02 46 52 31 0f 30 0d 06 03 55 04
08 0c 06 52 61 64 69 75 73 31 12 30 10 06 03 55 04 07 0c 09 53 6f 6d 65 77
68 65 72 65 31 15 30 13 06 03 55 04 0a 0c 0c 45 78 61 6d 70 6c 65 20 49 6e
63 2e 31 20 30 1e 06 09 2a 86 48 86 f7 0d 01 09 01 16 11 61 64 6d 69 6e 40
65 78 61 6d 70 6c 65 2e 6f 72 67 31 26 30 24 06 03 55 04 03 0c 1d 45 78 61
6d 70 6c 65 20 43 65 72 74 69 66 69 63 61 74 65 20 41 75 74 68 6f 72 69 74
79 82 09 00 bb 0c 92 dd df 3c 43 81 30 0f 06 03 55 1d 13 01 01 ff 04 05 30
03 01 01 ff 30 36 06 03 55 1d 1f 04 2f 30 2d 30 2b a0 29 a0 27 86 25 68 74
74 70 3a 2f 2f 77 77 77 2e 65 78 61 6d 70 6c 65 2e 6f 72 67 2f 65 78 61 6d
70 6c 65 5f 63 61 2e 63 72 6c 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00
03 82 01 01 00 41 d7 7a c2 45 c6 5a 58 5a 7d 60 34 f3 0d 08 4b 90 ab 61 85
e7 bb fd 5b 9b e5 94 fe cf d2 8b 9c e5 4b 54 73 73 f2 a6 00 ff 33 e8 b5 f6
31 89 1f 41 0e 9f c3 91 84 f7 7e 1f 21 d4 3d e5 f2 e8 d9 c4 0b 7f 47 33 fd
3a ac 73 e8 75 48 98 ec 9c 4e c6 80 be 32 4f 01 88 ec e7 a7 66 ae dd 99 09
eb f3 f4 63 3f 98 fb 6c b8 2f 50 b2 d9 e7 79 2b 2b 81 d3 cb 77 0c df 58 2d
1c 36 19 f0 d6 e0 f3 7b 41 f5 3f 99 95 71 79 6d e3 b7 06 6c 60 3e 19 eb 94
f7 1f fe db 27 26 87 7a 58 cb 46 44 24 86 45 4d 23 51 a2 38 ec ca 56 43 14
8a 17 60 bb 13 0b 13 65 dd c4 72 7a ae de fa 99 0c 3f 94 6d d3 f9 95 5b 2f
93 b6 92 1d ec 7b 95 f7 11 50 f6 a5 42 f8 06 9a f9 0d 06 e2 05 2d e1 b3 13
c3 f7 44 54 a3 5b 94 cb d7 69 41 ba 60 6c 10 71 86 86 ff 78 77 3d 1b 23 85
45 af 43 b9 ad 90 7b 3b a9 e3 17
SSL: (where=0x1001 ret=0x1)
SSL: SSL_connect:SSLv3/TLS write client certificate
OpenSSL: TX ver=0x0 content_type=256 (TLS header info/)
OpenSSL: Message - hexdump(len=5): 16 03 03 00 46
OpenSSL: TX ver=0x303 content_type=22 (handshake/client key exchange)
OpenSSL: Message - hexdump(len=70): 10 00 00 42 41 04 70 70 42 aa b2 c7 d2
29 18 78 27 4b af d7 25 b2 c4 d9 6e a3 d9 3a 1b af 77 01 7b e1 43 f3 11 95
ef 49 72 11 ff 5d 34 b6 36 5a 75 27 af 26 fc e7 8d 83 64 28 90 b5 99 ad 82
58 c5 1e ef 1d c1 da
SSL: (where=0x1001 ret=0x1)
SSL: SSL_connect:SSLv3/TLS write client key exchange
OpenSSL: TX ver=0x0 content_type=256 (TLS header info/)
OpenSSL: Message - hexdump(len=5): 16 03 03 01 08
OpenSSL: TX ver=0x303 content_type=22 (handshake/certificate verify)
OpenSSL: Message - hexdump(len=264): 0f 00 01 04 08 04 01 00 1b 57 a5 06 43
34 84 ba e9 25 b3 57 12 08 b2 04 9d cb ce fb 75 a6 24 dc 59 5f 4e 5d e2 2f
bd 14 dd 5d 58 12 ba f6 bd c8 68 95 47 36 07 79 a9 ed 31 01 0d 41 3f 8e 0e
06 d3 de b1 52 86 8e 34 55 98 8f b8 58 28 c4 04 55 10 62 0a c2 bb d1 2c 94
5d dd 50 8d b8 fc d6 9a da 52 7a 7b 8e 56 bc be 6e 5d 52 2f 9e 1a 61 e2 11
10 68 67 78 3c d2 6b 7d 54 8c 57 97 de 45 c8 1f a4 af 0d 09 44 8c fc dd 3c
12 4f 70 18 cd 62 bf f2 a1 35 98 f8 2c cc 9b d8 c6 55 d3 46 fa b8 f6 ff 97
53 cf 15 84 52 7b 0e 8c a5 eb 19 59 99 d5 94 6f 94 b5 e0 c2 79 69 b2 04 0c
00 02 47 d1 de 73 c3 e9 28 8b 53 f7 25 d2 7e 2e 3b 08 6e a3 18 65 fe 50 21
9b 5f bd ab 2b 34 73 67 e8 52 06 ef 86 5c eb 0c f3 b4 a2 6c fe c5 08 5e d0
97 46 cf ee 13 59 d9 a9 d5 68 6c 74 77 89 67 f8 5b 13 48 3c b7 33 25 13 41
90
SSL: (where=0x1001 ret=0x1)
SSL: SSL_connect:SSLv3/TLS write certificate verify
OpenSSL: TX ver=0x0 content_type=256 (TLS header info/)
OpenSSL: Message - hexdump(len=5): 14 03 03 00 01
OpenSSL: TX ver=0x303 content_type=20 (change cipher spec/)
OpenSSL: Message - hexdump(len=1): 01
SSL: (where=0x1001 ret=0x1)
SSL: SSL_connect:SSLv3/TLS write change cipher spec
OpenSSL: TX ver=0x0 content_type=256 (TLS header info/)
OpenSSL: Message - hexdump(len=5): 16 03 03 00 28
OpenSSL: TX ver=0x303 content_type=22 (handshake/finished)
OpenSSL: Message - hexdump(len=16): 14 00 00 0c 5a 03 a0 a8 7a d3 19 62 01
5e 4b 25
SSL: (where=0x1001 ret=0x1)
SSL: SSL_connect:SSLv3/TLS write finished
SSL: (where=0x1002 ret=0xffffffff)
SSL: SSL_connect:error in SSLv3/TLS write finished
SSL: SSL_connect - want more data
SSL: 2648 bytes pending from ssl_out
SSL: Using TLS version TLSv1.2
SSL: 2648 bytes left to be sent out (of total 2648 bytes)
SSL: sending 1398 bytes, more fragments will follow
EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL
eapRespData=0x5611437b17c0
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
WPA: eapol_test_eapol_send(type=0 len=1408)
TX EAP -> RADIUS - hexdump(len=1408): 02 db 05 80 0d c0 00 00 0a 58 16 03
03 08 c8 0b 00 08 c4 00 08 c1 00 03 d3 30 82 03 cf 30 82 02 b7 a0 03 02 01
02 02 01 02 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 81 93 31 0b 30
09 06 03 55 04 06 13 02 46 52 31 0f 30 0d 06 03 55 04 08 0c 06 52 61 64 69
75 73 31 12 30 10 06 03 55 04 07 0c 09 53 6f 6d 65 77 68 65 72 65 31 15 30
13 06 03 55 04 0a 0c 0c 45 78 61 6d 70 6c 65 20 49 6e 63 2e 31 20 30 1e 06
09 2a 86 48 86 f7 0d 01 09 01 16 11 61 64 6d 69 6e 40 65 78 61 6d 70 6c 65
2e 6f 72 67 31 26 30 24 06 03 55 04 03 0c 1d 45 78 61 6d 70 6c 65 20 43 65
72 74 69 66 69 63 61 74 65 20 41 75 74 68 6f 72 69 74 79 30 1e 17 0d 32 31
30 33 31 36 30 39 32 38 30 38 5a 17 0d 32 31 30 35 31 35 30 39 32 38 30 38
5a 30 71 31 0b 30 09 06 03 55 04 06 13 02 46 52 31 0f 30 0d 06 03 55 04 08
0c 06 52 61 64 69 75 73 31 15 30 13 06 03 55 04 0a 0c 0c 45 78 61 6d 70 6c
65 20 49 6e 63 2e 31 19 30 17 06 03 55 04 03 0c 10 75 73 65 72 40 65 78 61
6d 70 6c 65 2e 6f 72 67 31 1f 30 1d 06 09 2a 86 48 86 f7 0d 01 09 01 16 10
75 73 65 72 40 65 78 61 6d 70 6c 65 2e 6f 72 67 30 82 01 22 30 0d 06 09 2a
86 48 86 f7 0d 01 01 01 05 00 03 82 01 0f 00 30 82 01 0a 02 82 01 01 00 b1
0e 9c 59 89 23 56 26 2f 83 59 c2 bf bb 36 80 3b 01 2b dd a2 dc 7c 4a de 6e
47 43 79 e6 bf c6 d2 4a 08 61 48 f5 15 88 c1 21 af dd c6 3b 89 dd 4c 67 3f
60 d8 02 ff 96 3c 7a 43 25 1f ba 3f 38 e8 1e 84 71 94 db 73 39 68 38 f0 46
e1 68 50 21 b1 fc ea 84 42 22 2a 21 9a bb 73 77 a9 6b 02 4e f0 20 8b f9 d0
40 a2 e9 2e 25 d5 e7 6f 1d b2 79 65 37 dd 14 08 ca 6f 75 ce 67 82 20 cc fa
c4 d9 6d 52 a0 e6 bd 13 22 45 49 37 33 fc 3e 33 fc dc 5e 43 b5 e3 6b b2 77
39 aa 04 da bf cc ae b5 70 ab a1 31 81 c5 ed 00 40 70 1e 97 27 bd 03 0a 67
dd ec 87 f9 a8 5a 0d 3e 4c ea 61 35 4e e6 14 4a 6a e7 58 ce 4b 5a b6 63 2a
f2 31 85 e2 e2 d9 5d c1 05 e2 17 71 5b d0 f3 86 1a 93 c7 b1 f8 96 b3 f2 8b
33 86 1e 49 48 6d 94 ab 9b bf 1f 9d a4 5a cb 0d 25 3c 8f 95 bd 42 86 cc c0
e5 dd 52 0c 29 02 03 01 00 01 a3 4f 30 4d 30 13 06 03 55 1d 25 04 0c 30 0a
06 08 2b 06 01 05 05 07 03 02 30 36 06 03 55 1d 1f 04 2f 30 2d 30 2b a0 29
a0 27 86 25 68 74 74 70 3a 2f 2f 77 77 77 2e 65 78 61 6d 70 6c 65 2e 63 6f
6d 2f 65 78 61 6d 70 6c 65 5f 63 61 2e 63 72 6c 30 0d 06 09 2a 86 48 86 f7
0d 01 01 0b 05 00 03 82 01 01 00 27 ec bd 50 cf 4a 7c 05 3d f9 0e 67 50 da
7e 41 0b 98 58 44 fe eb e8 ae 79 b6 c5 b3 d8 41 67 ec 73 3a 57 fd f9 78 e9
2f 8d 28 97 d2 75 ad d1 e0 81 a1 d4 5d 01 e4 57 60 0b b8 31 4c f0 e9 14 5e
c9 34 f2 c7 e2 25 bf f8 bd 86 0a 18 37 1e 6e 79 6f de b7 cd d8 c8 68 f5 0a
44 cc 89 1d 84 08 39 5a d5 83 4c b7 67 1f d7 6c 5a 20 05 9a af 62 4d 34 d5
c4 7f 40 79 8a cb 7c 7d b2 ff 55 f1 48 77 b1 bd 2e ae 92 c4 0c c5 d4 5a 8e
6b 46 1a ca fb 80 93 f4 18 be 2a a2 c3 e9 20 3f 86 ad 57 ef 29 a9 87 26 32
15 2e b8 28 d3 62 84 bc 8a 0c 48 8c c0 dd b2 37 00 44 43 bf 23 80 74 5a 3f
2b e6 28 1e 1f de e4 e0 7d 63 59 ad 22 24 ef 79 9a da ba c0 61 b0 07 f9 9e
72 90 c1 2a 22 67 83 d0 a8 86 8c 21 3b 2e ff 7e 5a 47 30 bd 3d 98 d0 5e 13
64 4f 6a f4 31 99 79 09 4f 20 70 7f 64 d5 36 67 a2 00 04 e8 30 82 04 e4 30
82 03 cc a0 03 02 01 02 02 09 00 bb 0c 92 dd df 3c 43 81 30 0d 06 09 2a 86
48 86 f7 0d 01 01 0b 05 00 30 81 93 31 0b 30 09 06 03 55 04 06 13 02 46 52
31 0f 30 0d 06 03 55 04 08 0c 06 52 61 64 69 75 73 31 12 30 10 06 03 55 04
07 0c 09 53 6f 6d 65 77 68 65 72 65 31 15 30 13 06 03 55 04 0a 0c 0c 45 78
61 6d 70 6c 65 20 49 6e 63 2e 31 20 30 1e 06 09 2a 86 48 86 f7 0d 01 09 01
16 11 61 64 6d 69 6e 40 65 78 61 6d 70 6c 65 2e 6f 72 67 31 26 30 24 06 03
55 04 03 0c 1d 45 78 61 6d 70 6c 65 20 43 65 72 74 69 66 69 63 61 74 65 20
41 75 74 68 6f 72 69 74 79 30 1e 17 0d 32 31 30 33 31 36 30 39 32 38 30 37
5a 17 0d 32 31 30 35 31 35 30 39 32 38 30 37 5a 30 81 93 31 0b 30 09 06 03
55 04 06 13 02 46 52 31 0f 30 0d 06 03 55 04 08 0c 06 52 61 64 69 75 73 31
12 30 10 06 03 55 04 07 0c 09 53 6f 6d 65 77 68 65 72 65 31 15 30 13 06 03
55 04 0a 0c 0c 45 78 61 6d 70 6c 65 20 49 6e 63 2e 31 20 30 1e 06 09 2a 86
48 86 f7 0d 01 09 01 16 11 61 64 6d 69 6e 40 65 78 61 6d 70 6c 65 2e 6f 72
67 31 26 30 24 06 03 55 04 03 0c 1d 45 78 61 6d 70 6c 65 20 43 65 72 74 69
66 69 63 61 74 65 20 41 75 74 68 6f 72 69 74 79 30 82 01 22 30 0d 06 09 2a
86 48 86 f7 0d 01 01 01 05 00 03 82 01 0f 00 30 82 01 0a 02 82
Encapsulating EAP message into a RADIUS packet
Copied RADIUS State Attribute
Sending RADIUS message to authentication server
RADIUS message: code=1 (Access-Request) identifier=4 length=1561
Attribute 1 (User-Name) length=18
Value: 'user(a)example.org'
Attribute 4 (NAS-IP-Address) length=6
Value: 127.0.0.1
Attribute 31 (Calling-Station-Id) length=19
Value: '02-00-00-00-00-01'
Attribute 12 (Framed-MTU) length=6
Value: 1400
Attribute 61 (NAS-Port-Type) length=6
Value: 19
Attribute 6 (Service-Type) length=6
Value: 2
Attribute 77 (Connect-Info) length=24
Value: 'CONNECT 11Mbps 802.11b'
Attribute 79 (EAP-Message) length=255
Value:
02db05800dc000000a5816030308c80b0008c40008c10003d3308203cf308202b7a003020102020102300d06092a864886f70d01010b0500308193310b3009060355040613024652310f300d06035504080c065261646975733112301006035504070c09536f6d65776865726531153013060355040a0c0c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e6f72673126302406035504030c1d4578616d706c6520436572746966696361746520417574686f72697479301e170d3231303331363039323830385a170d3231303531353039323830385a3071310b3009060355040613024652
Attribute 79 (EAP-Message) length=255
Value:
310f300d06035504080c0652616469757331153013060355040a0c0c4578616d706c6520496e632e3119301706035504030c1075736572406578616d706c652e6f7267311f301d06092a864886f70d010901161075736572406578616d706c652e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100b10e9c59892356262f8359c2bfbb36803b012bdda2dc7c4ade6e474379e6bfc6d24a086148f51588c121afddc63b89dd4c673f60d802ff963c7a43251fba3f38e81e847194db73396838f046e1685021b1fcea8442222a219abb7377a96b024ef0208bf9d040a2e92e25d5e76f1db2796537dd1408ca6f75
Attribute 79 (EAP-Message) length=255
Value:
ce678220ccfac4d96d52a0e6bd132245493733fc3e33fcdc5e43b5e36bb27739aa04dabfccaeb570aba13181c5ed0040701e9727bd030a67ddec87f9a85a0d3e4cea61354ee6144a6ae758ce4b5ab6632af23185e2e2d95dc105e217715bd0f3861a93c7b1f896b3f28b33861e49486d94ab9bbf1f9da45acb0d253c8f95bd4286ccc0e5dd520c290203010001a34f304d30130603551d25040c300a06082b0601050507030230360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e636f6d2f6578616d706c655f63612e63726c300d06092a864886f70d01010b0500038201010027ecbd50cf4a7c053df90e
Attribute 79 (EAP-Message) length=255
Value:
6750da7e410b985844feebe8ae79b6c5b3d84167ec733a57fdf978e92f8d2897d275add1e081a1d45d01e457600bb8314cf0e9145ec934f2c7e225bff8bd860a18371e6e796fdeb7cdd8c868f50a44cc891d8408395ad5834cb7671fd76c5a20059aaf624d34d5c47f40798acb7c7db2ff55f14877b1bd2eae92c40cc5d45a8e6b461acafb8093f418be2aa2c3e9203f86ad57ef29a9872632152eb828d36284bc8a0c488cc0ddb237004443bf2380745a3f2be6281e1fdee4e07d6359ad2224ef799adabac061b007f99e7290c12a226783d0a8868c213b2eff7e5a4730bd3d98d05e13644f6af4319979094f20707f64d53667a20004e8308204e430
Attribute 79 (EAP-Message) length=255
Value:
8203cca003020102020900bb0c92dddf3c4381300d06092a864886f70d01010b0500308193310b3009060355040613024652310f300d06035504080c065261646975733112301006035504070c09536f6d65776865726531153013060355040a0c0c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e6f72673126302406035504030c1d4578616d706c6520436572746966696361746520417574686f72697479301e170d3231303331363039323830375a170d3231303531353039323830375a308193310b3009060355040613024652310f300d06035504080c0652616469757331123010
Attribute 79 (EAP-Message) length=145
Value:
06035504070c09536f6d65776865726531153013060355040a0c0c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e6f72673126302406035504030c1d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282
Attribute 24 (State) length=18
Value: aa347fcea9ef72ef097c289c52522f15
Attribute 80 (Message-Authenticator) length=18
Value: e8905b32e23638a5a14413b6e94e6cbb
Next RADIUS client retransmit in 3 seconds
EAPOL: SUPP_BE entering state RECEIVE
EAPOL: startWhen --> 0
STA 02:00:00:00:00:01: Resending RADIUS message (id=4)
Next RADIUS client retransmit in 6 seconds
STA 02:00:00:00:00:01: Resending RADIUS message (id=4)
Next RADIUS client retransmit in 12 seconds
70d01010b05000382010100043400be038d56a9a2a470
Attribute 79 (EAP-Message) length=255
Value:
9c24b372f768263ee987bc571abda9a3fd2ea03ee924306ae43fd0fe48c40c1174b8d877ae67991d930510819834f6a2b205ebadd7b274973e4e61b063e18111f42d5adf73d24ee67ab41016ca00b58423081272b58522cd5fcc2510bee6ba3c9a65fceda1449f60f82eeb7e9f06a981f780e03024fa99bb205b7519f1a6745a821ccaaf0fc8deab7febfface25e1b6a37d82dafcdbc6f4007fa6667804241c621fd47e2f2b51879bcfce800cdffa2357da7c4b282fcdc2ebcf00e5ef90be4cc3483e12a80c3bcbf2abbecce1affaa444230575ed26a5425d63182764447bcd64f06a8661af5d0f0690841f2e0531853edbd05b0c00004fe308204fa30
Attribute 79 (EAP-Message) length=255
Value:
8203e2a00302010202141e94f1f7a32c45bc413ca334afe12c9e73579783300d06092a864886f70d01010b0500308193310b3009060355040613024652310f300d06035504080c065261646975733112301006035504070c09536f6d65776865726531153013060355040a0c0c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e6f72673126302406035504030c1d4578616d706c6520436572746966696361746520417574686f72697479301e170d3231303432323133353331315a170d3231303632313133353331315a308193310b3009060355040613024652310f300d06035504080c
Attribute 79 (EAP-Message) length=145
Value:
065261646975733112301006035504070c09536f6d65776865726531153013060355040a0c0c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e6f72673126302406035504030c1d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d0101010500
Attribute 24 (State) length=18
Value: 4f8872594cf77fe7df97951db0a5206c
Attribute 80 (Message-Authenticator) length=18
Value: b6b8cbd33ff838665592d53839bc2a45
Next RADIUS client retransmit in 3 seconds
EAPOL: SUPP_BE entering state RECEIVE
EAPOL: startWhen --> 0
STA 00:11:22:33:44:55: Resending RADIUS message (id=4)
Next RADIUS client retransmit in 6 seconds
STA 00:11:22:33:44:55: Resending RADIUS message (id=4)
Next RADIUS client retransmit in 12 seconds
STA 00:11:22:33:44:55: Resending RADIUS message (id=4)
Next RADIUS client retransmit in 24 seconds
EAPOL test timed out
EAPOL: EAP key not available
EAPOL: EAP Session-Id not available
WPA: Clear old PMK and PTK
EAP: deinitialize previously used EAP method (13, TLS) at EAP deinit
ENGINE: engine deinit
MPPE keys OK: 0 mismatch: 1
FAILURE
Both the client and server are running on Alpine Linux.
If anyone has any ideas how to debug this further, please do let me know. I
regenerated the self signed certificates but that didn't fix the issue,
currently suspecting either latency or miss-configured client.
Kind Regards,
Emile
2
7
Hello all,
I am migrating some radius servers from RHEL6 with freeradius 3.0.16 to
RHEL7 with freeradius 3.0.21. Our backend database is db2 using the
rlm_sql_db2.so driver. On the RHEL6 nodes we were using the pre-built
RedHat RPM packages for the freeradius and the rlm_sql_db2-3.0.0.so that
came from an old installation but I'm not certain of its origins. With
the move the RHEL7 I tried using the RedHat RPMs with the existing
rlm_sql_db2-3.0.0.so but that failed miserably as expected. I built the
rlm_sql_db2-3.0.0.so from source and tried that with the pre-built RPMs
and that also failed miserably. Now I'm running with freeradius that was
built from source code on a RHEL7 box. Freeradius and the rlm_sql_db2.so
driver. This combination works and packets seem to run fine, db2 tables
are updated as expected. Devices accepted/rejected as expected.
However, when I run a load of test traffic through the radius devices I am
getting db2 client errors after about 5500 transactions. The specific
error message I see in the radius logs is this:
Tue Apr 20 18:37:46 2021 : ERROR: (17291) ERROR: rlm_sql_db2:
HY014: [IBM][CLI Driver] CLI0129E An attempt to allocate a handle failed
because there are no more handles to allocate. SQLSTATE=HY014
Below is the debug log with a few transactions that were fine at the
beginning and then I cut out a lot of the log just because it was so
large, and a few transactions at the end after they started failing. If
there is a better way to include the full log please let me know. It is
quite large since it takes a while for the problems to begin.
Thanks in advance for any help,
Michael
FreeRADIUS Version 3.0.21
Copyright (C) 1999-2019 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including dictionary file /etc/edr_raddb/dictionary
including configuration file /etc/edr_raddb/radiusd.conf
including configuration file /etc/edr_raddb/proxy.conf
including configuration file /etc/edr_raddb/clients.conf
including files in directory /etc/edr_raddb/mods-enabled/
including configuration file /etc/edr_raddb/mods-enabled/files
including configuration file /etc/edr_raddb/mods-enabled/sradutmp
including configuration file /etc/edr_raddb/mods-enabled/radutmp
including configuration file /etc/edr_raddb/mods-enabled/echo
including configuration file /etc/edr_raddb/mods-enabled/expr
including configuration file /etc/edr_raddb/mods-enabled/preprocess
including configuration file /etc/edr_raddb/mods-enabled/soh
including configuration file /etc/edr_raddb/mods-enabled/detail
including configuration file /etc/edr_raddb/mods-enabled/unpack
including configuration file /etc/edr_raddb/mods-enabled/replicate
including configuration file /etc/edr_raddb/mods-enabled/mschap
including configuration file /etc/edr_raddb/mods-enabled/digest
including configuration file /etc/edr_raddb/mods-enabled/attr_filter
including configuration file /etc/edr_raddb/mods-enabled/sql
including configuration file
/etc/edr_raddb/mods-config/sql/main/db2/queries.conf
including configuration file /etc/edr_raddb/mods-enabled/detail.log
including configuration file /etc/edr_raddb/mods-enabled/linelog
including configuration file /etc/edr_raddb/mods-enabled/logintime
including configuration file /etc/edr_raddb/mods-enabled/expiration
including configuration file /etc/edr_raddb/mods-enabled/unix
including configuration file /etc/edr_raddb/mods-enabled/date
including configuration file /etc/edr_raddb/mods-enabled/chap
including configuration file /etc/edr_raddb/mods-enabled/exec
including configuration file /etc/edr_raddb/mods-enabled/utf8
including configuration file /etc/edr_raddb/mods-enabled/ntlm_auth
including configuration file /etc/edr_raddb/mods-enabled/passwd
including configuration file /etc/edr_raddb/mods-enabled/cache_eap
including configuration file /etc/edr_raddb/mods-enabled/realm
including configuration file /etc/edr_raddb/mods-enabled/dynamic_clients
including configuration file /etc/edr_raddb/mods-enabled/pap
including configuration file /etc/edr_raddb/mods-enabled/always
including files in directory /etc/edr_raddb/policy.d/
including configuration file /etc/edr_raddb/policy.d/accounting
including configuration file /etc/edr_raddb/policy.d/dhcp
including configuration file /etc/edr_raddb/policy.d/edr
including configuration file /etc/edr_raddb/policy.d/debug
including configuration file /etc/edr_raddb/policy.d/filter
including configuration file /etc/edr_raddb/policy.d/operator-name
including configuration file /etc/edr_raddb/policy.d/eap
including configuration file /etc/edr_raddb/policy.d/cui
including configuration file /etc/edr_raddb/policy.d/rfc7542
including configuration file /etc/edr_raddb/policy.d/abfab-tr
including configuration file /etc/edr_raddb/policy.d/moonshot-targeted-ids
including configuration file /etc/edr_raddb/policy.d/canonicalization
including configuration file /etc/edr_raddb/policy.d/control
including files in directory /etc/edr_raddb/sites-enabled/
including configuration file /etc/edr_raddb/sites-enabled/default
main {
security {
user = "radiusd"
group = "radiusd"
allow_core_dumps = no
}
name = "radiusd"
prefix = "/usr"
localstatedir = "/var/log"
logdir = "/var/log/radiusd"
run_dir = "/var/log/run/radiusd"
}
main {
name = "radiusd"
prefix = "/usr"
localstatedir = "/var/log"
sbindir = "/usr/sbin"
logdir = "/var/log/radiusd"
run_dir = "/var/log/run/radiusd"
libdir = "/usr/lib64/freeradius"
radacctdir = "/var/log/radiusd/radacct"
hostname_lookups = no
max_request_time = 5
cleanup_delay = 2
max_requests = 16384
pidfile = "/var/log/radiusd/radiusd.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = yes
auth_badpass = yes
auth_goodpass = yes
msg_badpass = "%{&reply:Reply-Message}"
msg_goodpass = "%{&reply:Reply-Message}"
colourise = yes
msg_denied = "You are already logged in - access denied"
}
resources {
}
security {
max_attributes = 200
reject_delay = 0.000000
status_server = yes
allow_vulnerable_openssl = "CVE-2016-6304"
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = <<< secret >>>
response_window = 20.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 120
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
Ignoring "response_window = 20.000000", forcing to "response_window =
5.000000"
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client IBM-10client {
ipaddr = 10.0.0.0
netmask = 8
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client IBM-9client {
ipaddr = 9.0.0.0
netmask = 8
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Debugger not attached
systemd watchdog is disabled
radiusd: #### Instantiating modules ####
modules {
# Loaded module rlm_files
# Loading module "files" from file /etc/edr_raddb/mods-enabled/files
files {
filename = "/etc/edr_raddb/mods-config/files/authorize"
acctusersfile = "/etc/edr_raddb/mods-config/files/accounting"
preproxy_usersfile = "/etc/edr_raddb/mods-config/files/pre-proxy"
}
# Loaded module rlm_radutmp
# Loading module "sradutmp" from file
/etc/edr_raddb/mods-enabled/sradutmp
radutmp sradutmp {
filename = "/var/log/radiusd/sradutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 420
caller_id = no
}
# Loading module "radutmp" from file /etc/edr_raddb/mods-enabled/radutmp
radutmp {
filename = "/var/log/radiusd/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 384
caller_id = yes
}
# Loaded module rlm_exec
# Loading module "echo" from file /etc/edr_raddb/mods-enabled/echo
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
timeout = 5
}
# Loaded module rlm_expr
# Loading module "expr" from file /etc/edr_raddb/mods-enabled/expr
expr {
safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_:
/äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
}
# Loaded module rlm_preprocess
# Loading module "preprocess" from file
/etc/edr_raddb/mods-enabled/preprocess
preprocess {
huntgroups = "/etc/edr_raddb/mods-config/preprocess/huntgroups"
hints = "/etc/edr_raddb/mods-config/preprocess/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
# Loaded module rlm_soh
# Loading module "soh" from file /etc/edr_raddb/mods-enabled/soh
soh {
dhcp = yes
}
# Loaded module rlm_detail
# Loading module "detail" from file /etc/edr_raddb/mods-enabled/detail
detail {
filename =
"/var/log/radiusd/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_unpack
# Loading module "unpack" from file /etc/edr_raddb/mods-enabled/unpack
# Loaded module rlm_replicate
# Loading module "replicate" from file
/etc/edr_raddb/mods-enabled/replicate
# Loaded module rlm_mschap
# Loading module "mschap" from file /etc/edr_raddb/mods-enabled/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
passchange {
}
allow_retry = yes
winbind_retry_with_normalised_username = no
}
# Loaded module rlm_digest
# Loading module "digest" from file /etc/edr_raddb/mods-enabled/digest
# Loaded module rlm_attr_filter
# Loading module "attr_filter.post-proxy" from file
/etc/edr_raddb/mods-enabled/attr_filter
attr_filter attr_filter.post-proxy {
filename = "/etc/edr_raddb/mods-config/attr_filter/post-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.pre-proxy" from file
/etc/edr_raddb/mods-enabled/attr_filter
attr_filter attr_filter.pre-proxy {
filename = "/etc/edr_raddb/mods-config/attr_filter/pre-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.access_reject" from file
/etc/edr_raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_reject {
filename = "/etc/edr_raddb/mods-config/attr_filter/access_reject"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.access_challenge" from file
/etc/edr_raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_challenge {
filename =
"/etc/edr_raddb/mods-config/attr_filter/access_challenge"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.accounting_response" from file
/etc/edr_raddb/mods-enabled/attr_filter
attr_filter attr_filter.accounting_response {
filename =
"/etc/edr_raddb/mods-config/attr_filter/accounting_response"
key = "%{User-Name}"
relaxed = no
}
# Loaded module rlm_sql
# Loading module "sql" from file /etc/edr_raddb/mods-enabled/sql
sql {
driver = "rlm_sql_db2"
server = "EDRRADIUS"
port = 0
login = "edribmus"
password = <<< secret >>>
radius_db = "edr"
read_groups = yes
read_profiles = yes
read_clients = no
delete_stale_sessions = yes
sql_user_name = "%{User-Name}"
logfile = ""
default_user_profile = ""
client_query = "SELECT id, nasname, shortname, type, secret,
server FROM nas"
authorize_check_query = "SELECT id, username, attribute, value, op
FROM edr.runstatus WHERE username = '%{SQL-User-Name}' ORDER BY id"
authorize_reply_query = "SELECT id, username, attribute, value, op
FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id"
authorize_group_check_query = "SELECT id, groupname, attribute,
Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id"
authorize_group_reply_query = "SELECT id, groupname, attribute,
value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id"
group_membership_query = "SELECT groupname FROM radusergroup WHERE
username = '%{SQL-User-Name}' ORDER BY priority"
simul_count_query = "SELECT COUNT(*) FROM radacct WHERE username =
'%{SQL-User-Name}' AND acctstoptime IS NULL"
simul_verify_query = "SELECT radacctid, acctsessionid, username,
nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol
FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL"
safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
auto_escape = no
accounting {
reference = "%{tolower:type.%{Acct-Status-Type}.query}"
type {
accounting-on {
query = "UPDATE radacct SET acctstoptime =
FROM_UNIXTIME(%{integer:Event-Timestamp}), acctsessiontime =
'%{integer:Event-Timestamp}' - UNIX_TIMESTAMP(acctstarttime),
acctterminatecause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE
acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND
acctstarttime <= FROM_UNIXTIME(%{integer:Event-Timestamp})"
}
accounting-off {
query = "UPDATE radacct SET acctstoptime =
FROM_UNIXTIME(%{integer:Event-Timestamp}), acctsessiontime =
'%{integer:Event-Timestamp}' - UNIX_TIMESTAMP(acctstarttime),
acctterminatecause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE
acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND
acctstarttime <= FROM_UNIXTIME(%{integer:Event-Timestamp})"
}
start {
query = "INSERT INTO radacct (acctsessionid, acctuniqueid,
username, realm, nasipaddress, nasportid,
nasporttype, acctstarttime, acctupdatetime,
acctstoptime, acctsessiontime, acctauthentic,
connectinfo_start, connectinfo_stop, acctinputoctets,
acctoutputoctets, calledstationid, callingstationid,
acctterminatecause, servicetype, framedprotocol,
framedipaddress) VALUES ('%{Acct-Session-Id}',
'%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}',
'%{NAS-IP-Address}', '%{%{NAS-Port-ID}:-%{NAS-Port}}', '%{NAS-Port-Type}',
FROM_UNIXTIME(%{integer:Event-Timestamp}),
FROM_UNIXTIME(%{integer:Event-Timestamp}), NULL, '0', '%{Acct-Authentic}',
'%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}',
'%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}',
'%{Framed-IP-Address}')"
}
interim-update {
query = "UPDATE radacct SET acctupdatetime =
(@acctupdatetime_old:=acctupdatetime), acctupdatetime =
FROM_UNIXTIME(%{integer:Event-Timestamp}), acctinterval =
%{integer:Event-Timestamp} - UNIX_TIMESTAMP(@acctupdatetime_old),
framedipaddress = '%{Framed-IP-Address}', acctsessiontime =
%{%{Acct-Session-Time}:-NULL}, acctinputoctets =
'%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}',
acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 |
'%{%{Acct-Output-Octets}:-0}' WHERE AcctUniqueId =
'%{Acct-Unique-Session-Id}'"
}
stop {
query = "UPDATE radacct SET acctstoptime =
FROM_UNIXTIME(%{integer:Event-Timestamp}), acctsessiontime =
%{%{Acct-Session-Time}:-NULL}, acctinputoctets =
'%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}',
acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 |
'%{%{Acct-Output-Octets}:-0}', acctterminatecause =
'%{Acct-Terminate-Cause}', connectinfo_stop = '%{Connect-Info}' WHERE
AcctUniqueId = '%{Acct-Unique-Session-Id}'"
}
}
}
post-auth {
reference = ".query"
query = "INSERT INTO radpostauth (username, pass, reply, authdate)
VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}',
'%{reply:Packet-Type}', '%S')"
}
}
rlm_sql (sql): Driver rlm_sql_db2 (module rlm_sql_db2) loaded and linked
Creating attribute SQL-Group
# Loading module "auth_log" from file
/etc/edr_raddb/mods-enabled/detail.log
detail auth_log {
filename =
"/var/log/radiusd/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "reply_log" from file
/etc/edr_raddb/mods-enabled/detail.log
detail reply_log {
filename =
"/var/log/radiusd/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "pre_proxy_log" from file
/etc/edr_raddb/mods-enabled/detail.log
detail pre_proxy_log {
filename =
"/var/log/radiusd/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "post_proxy_log" from file
/etc/edr_raddb/mods-enabled/detail.log
detail post_proxy_log {
filename =
"/var/log/radiusd/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_linelog
# Loading module "linelog" from file /etc/edr_raddb/mods-enabled/linelog
linelog {
filename = "/var/log/radiusd/linelog"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = "This is a log message for %{User-Name}"
reference = "messages.%{%{reply:Packet-Type}:-default}"
}
# Loading module "log_accounting" from file
/etc/edr_raddb/mods-enabled/linelog
linelog log_accounting {
filename = "/var/log/radiusd/linelog-accounting"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = ""
reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
}
# Loaded module rlm_logintime
# Loading module "logintime" from file
/etc/edr_raddb/mods-enabled/logintime
logintime {
minimum_timeout = 60
}
# Loaded module rlm_expiration
# Loading module "expiration" from file
/etc/edr_raddb/mods-enabled/expiration
# Loaded module rlm_unix
# Loading module "unix" from file /etc/edr_raddb/mods-enabled/unix
unix {
radwtmp = "/var/log/radiusd/radwtmp"
}
Creating attribute Unix-Group
# Loaded module rlm_date
# Loading module "date" from file /etc/edr_raddb/mods-enabled/date
date {
format = "%b %e %Y %H:%M:%S %Z"
utc = no
}
# Loading module "wispr2date" from file /etc/edr_raddb/mods-enabled/date
date wispr2date {
format = "%Y-%m-%dT%H:%M:%S"
utc = no
}
# Loaded module rlm_chap
# Loading module "chap" from file /etc/edr_raddb/mods-enabled/chap
# Loading module "exec" from file /etc/edr_raddb/mods-enabled/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 5
}
# Loaded module rlm_utf8
# Loading module "utf8" from file /etc/edr_raddb/mods-enabled/utf8
# Loading module "ntlm_auth" from file
/etc/edr_raddb/mods-enabled/ntlm_auth
exec ntlm_auth {
wait = yes
program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN
--username=%{mschap:User-Name} --password=%{User-Password}"
shell_escape = yes
timeout = 5
}
# Loaded module rlm_passwd
# Loading module "etc_passwd" from file
/etc/edr_raddb/mods-enabled/passwd
passwd etc_passwd {
filename = "/etc/passwd"
format = "*User-Name:Crypt-Password:"
delimiter = ":"
ignore_nislike = no
ignore_empty = yes
allow_multiple_keys = no
hash_size = 100
}
# Loaded module rlm_cache
# Loading module "cache_eap" from file
/etc/edr_raddb/mods-enabled/cache_eap
cache cache_eap {
driver = "rlm_cache_rbtree"
key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
ttl = 15
max_entries = 0
epoch = 0
add_stats = no
}
# Loaded module rlm_realm
# Loading module "IPASS" from file /etc/edr_raddb/mods-enabled/realm
realm IPASS {
format = "prefix"
delimiter = "/"
ignore_default = no
ignore_null = no
}
# Loading module "suffix" from file /etc/edr_raddb/mods-enabled/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
# Loading module "bangpath" from file /etc/edr_raddb/mods-enabled/realm
realm bangpath {
format = "prefix"
delimiter = "!"
ignore_default = no
ignore_null = no
}
# Loading module "realmpercent" from file
/etc/edr_raddb/mods-enabled/realm
realm realmpercent {
format = "suffix"
delimiter = "%"
ignore_default = no
ignore_null = no
}
# Loading module "ntdomain" from file /etc/edr_raddb/mods-enabled/realm
realm ntdomain {
format = "prefix"
delimiter = "\\"
ignore_default = no
ignore_null = no
}
# Loaded module rlm_dynamic_clients
# Loading module "dynamic_clients" from file
/etc/edr_raddb/mods-enabled/dynamic_clients
# Loaded module rlm_pap
# Loading module "pap" from file /etc/edr_raddb/mods-enabled/pap
pap {
normalise = yes
}
# Loaded module rlm_always
# Loading module "reject" from file /etc/edr_raddb/mods-enabled/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
# Loading module "fail" from file /etc/edr_raddb/mods-enabled/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
# Loading module "ok" from file /etc/edr_raddb/mods-enabled/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
# Loading module "handled" from file /etc/edr_raddb/mods-enabled/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
# Loading module "invalid" from file /etc/edr_raddb/mods-enabled/always
always invalid {
rcode = "invalid"
simulcount = 0
mpp = no
}
# Loading module "userlock" from file /etc/edr_raddb/mods-enabled/always
always userlock {
rcode = "userlock"
simulcount = 0
mpp = no
}
# Loading module "notfound" from file /etc/edr_raddb/mods-enabled/always
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
# Loading module "noop" from file /etc/edr_raddb/mods-enabled/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
# Loading module "updated" from file /etc/edr_raddb/mods-enabled/always
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
instantiate {
}
# Instantiating module "files" from file
/etc/edr_raddb/mods-enabled/files
reading pairlist file /etc/edr_raddb/mods-config/files/authorize
reading pairlist file /etc/edr_raddb/mods-config/files/accounting
reading pairlist file /etc/edr_raddb/mods-config/files/pre-proxy
# Instantiating module "preprocess" from file
/etc/edr_raddb/mods-enabled/preprocess
reading pairlist file /etc/edr_raddb/mods-config/preprocess/huntgroups
reading pairlist file /etc/edr_raddb/mods-config/preprocess/hints
# Instantiating module "detail" from file
/etc/edr_raddb/mods-enabled/detail
# Instantiating module "mschap" from file
/etc/edr_raddb/mods-enabled/mschap
rlm_mschap (mschap): using internal authentication
# Instantiating module "attr_filter.post-proxy" from file
/etc/edr_raddb/mods-enabled/attr_filter
reading pairlist file /etc/edr_raddb/mods-config/attr_filter/post-proxy
# Instantiating module "attr_filter.pre-proxy" from file
/etc/edr_raddb/mods-enabled/attr_filter
reading pairlist file /etc/edr_raddb/mods-config/attr_filter/pre-proxy
# Instantiating module "attr_filter.access_reject" from file
/etc/edr_raddb/mods-enabled/attr_filter
reading pairlist file /etc/edr_raddb/mods-config/attr_filter/access_reject
# Instantiating module "attr_filter.access_challenge" from file
/etc/edr_raddb/mods-enabled/attr_filter
reading pairlist file
/etc/edr_raddb/mods-config/attr_filter/access_challenge
# Instantiating module "attr_filter.accounting_response" from file
/etc/edr_raddb/mods-enabled/attr_filter
reading pairlist file
/etc/edr_raddb/mods-config/attr_filter/accounting_response
# Instantiating module "sql" from file /etc/edr_raddb/mods-enabled/sql
rlm_sql (sql): Attempting to connect to database "edr"
rlm_sql (sql): Initialising connection pool
pool {
start = 5
min = 3
max = 128
spare = 10
uses = 0
lifetime = 0
cleanup_interval = 30
idle_timeout = 60
retry_delay = 30
spread = no
}
rlm_sql (sql): Opening additional connection (0), 1 of 128 pending slots
used
rlm_sql (sql): Opening additional connection (1), 1 of 127 pending slots
used
rlm_sql (sql): Opening additional connection (2), 1 of 126 pending slots
used
rlm_sql (sql): Opening additional connection (3), 1 of 125 pending slots
used
rlm_sql (sql): Opening additional connection (4), 1 of 124 pending slots
used
# Instantiating module "auth_log" from file
/etc/edr_raddb/mods-enabled/detail.log
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in
detail output
# Instantiating module "reply_log" from file
/etc/edr_raddb/mods-enabled/detail.log
# Instantiating module "pre_proxy_log" from file
/etc/edr_raddb/mods-enabled/detail.log
# Instantiating module "post_proxy_log" from file
/etc/edr_raddb/mods-enabled/detail.log
# Instantiating module "linelog" from file
/etc/edr_raddb/mods-enabled/linelog
# Instantiating module "log_accounting" from file
/etc/edr_raddb/mods-enabled/linelog
# Instantiating module "logintime" from file
/etc/edr_raddb/mods-enabled/logintime
# Instantiating module "expiration" from file
/etc/edr_raddb/mods-enabled/expiration
# Instantiating module "etc_passwd" from file
/etc/edr_raddb/mods-enabled/passwd
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
# Instantiating module "cache_eap" from file
/etc/edr_raddb/mods-enabled/cache_eap
rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree)
loaded and linked
# Instantiating module "IPASS" from file
/etc/edr_raddb/mods-enabled/realm
# Instantiating module "suffix" from file
/etc/edr_raddb/mods-enabled/realm
# Instantiating module "bangpath" from file
/etc/edr_raddb/mods-enabled/realm
# Instantiating module "realmpercent" from file
/etc/edr_raddb/mods-enabled/realm
# Instantiating module "ntdomain" from file
/etc/edr_raddb/mods-enabled/realm
# Instantiating module "pap" from file /etc/edr_raddb/mods-enabled/pap
# Instantiating module "reject" from file
/etc/edr_raddb/mods-enabled/always
# Instantiating module "fail" from file
/etc/edr_raddb/mods-enabled/always
# Instantiating module "ok" from file /etc/edr_raddb/mods-enabled/always
# Instantiating module "handled" from file
/etc/edr_raddb/mods-enabled/always
# Instantiating module "invalid" from file
/etc/edr_raddb/mods-enabled/always
# Instantiating module "userlock" from file
/etc/edr_raddb/mods-enabled/always
# Instantiating module "notfound" from file
/etc/edr_raddb/mods-enabled/always
# Instantiating module "noop" from file
/etc/edr_raddb/mods-enabled/always
# Instantiating module "updated" from file
/etc/edr_raddb/mods-enabled/always
} # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/edr_raddb/radiusd.conf
} # server
server default { # from file /etc/edr_raddb/sites-enabled/default
# Loading authorize {...}
# Loading post-auth {...}
} # server default
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on proxy address * port 37769
Listening on proxy address :: port 17802
Ready to process requests
(0) Received Access-Request Id 191 from 9.44.14.216:1953 to
9.44.14.148:1812 length 65
(0) User-Name = "SI_radius_keepalive"
(0) User-Password = "oԨW?\014\222\315>I2ꎯ\026\251"
(0) Service-Type = Outbound-User
(0) # Executing section authorize from file
/etc/edr_raddb/sites-enabled/default
(0) authorize {
(0) [files] = noop
(0) update control {
(0) &Auth-Type := Accept
(0) } # update control = noop
(0) } # authorize = noop
(0) Found Auth-Type = Accept
(0) Auth-Type = Accept, accepting the user
(0) # Executing section post-auth from file
/etc/edr_raddb/sites-enabled/default
(0) post-auth {
(0) policy check_sql_status {
(0) update control {
(0) EXPAND %{User-Name}
(0) --> SI_radius_keepalive
(0) SQL-User-Name set to 'SI_radius_keepalive'
rlm_sql (sql): Reserved connection (0)
(0) Executing select query: SELECT COUNT(*) FROM edr.runstatus
WHERE status='NORMALOP' WITH UR
rlm_sql (sql): Released connection (0)
Need 5 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (5), 1 of 123 pending slots
used
(0) EXPAND %{sql:SELECT COUNT(*) FROM edr.runstatus WHERE
status='NORMALOP' WITH UR}
(0) --> 1
(0) &Tmp-Integer-0 := 1
(0) } # update control = noop
(0) if (control:Tmp-Integer-0 < 1) {
(0) if (control:Tmp-Integer-0 < 1) -> FALSE
(0) } # policy check_sql_status = noop
(0) check_for_cisco_AP { ... } # empty sub-section is ignored
(0) policy check_for_bypassed_MAC {
(0) if (User-Name == "SI_radius_keepalive") {
(0) if (User-Name == "SI_radius_keepalive") -> TRUE
(0) if (User-Name == "SI_radius_keepalive") {
(0) update reply {
(0) &Reply-Message += "EDR User SI_radius_keepalive bypassed,
EDR Accept"
(0) } # update reply = noop
(0) update control {
(0) &Auth-Type := Accept
(0) } # update control = noop
(0) [handled] = handled
(0) } # if (User-Name == "SI_radius_keepalive") = handled
(0) } # policy check_for_bypassed_MAC = handled
(0) } # post-auth = handled
(0) EXPAND %{&reply:Reply-Message}
(0) --> EDR User SI_radius_keepalive bypassed, EDR Accept
(0) Login OK: [SI_radius_keepalive/oԨW????>I2ꎯ??] (from client
IBM-9client port 0) EDR User SI_radius_keepalive bypassed, EDR Accept
(0) Sent Access-Accept Id 191 from 9.44.14.148:1812 to 9.44.14.216:1953
length 0
(0) Reply-Message += "EDR User SI_radius_keepalive bypassed, EDR Accept"
(0) Finished request
Waking up in 1.9 seconds.
(1) Received Access-Request Id 143 from 9.44.14.217:2000 to
9.44.14.148:1812 length 65
(1) User-Name = "SI_radius_keepalive"
(1) User-Password = "k\037(#\356X\374e\024\334\371\240\365\212\024\262"
(1) Service-Type = Outbound-User
(1) # Executing section authorize from file
/etc/edr_raddb/sites-enabled/default
(1) authorize {
(1) [files] = noop
(1) update control {
(1) &Auth-Type := Accept
(1) } # update control = noop
(1) } # authorize = noop
(1) Found Auth-Type = Accept
(1) Auth-Type = Accept, accepting the user
(1) # Executing section post-auth from file
/etc/edr_raddb/sites-enabled/default
(1) post-auth {
(1) policy check_sql_status {
(1) update control {
(1) EXPAND %{User-Name}
(1) --> SI_radius_keepalive
(1) SQL-User-Name set to 'SI_radius_keepalive'
rlm_sql (sql): Reserved connection (1)
(1) Executing select query: SELECT COUNT(*) FROM edr.runstatus
WHERE status='NORMALOP' WITH UR
rlm_sql (sql): Released connection (1)
(1) EXPAND %{sql:SELECT COUNT(*) FROM edr.runstatus WHERE
status='NORMALOP' WITH UR}
(1) --> 1
(1) &Tmp-Integer-0 := 1
(1) } # update control = noop
(1) if (control:Tmp-Integer-0 < 1) {
(1) if (control:Tmp-Integer-0 < 1) -> FALSE
(1) } # policy check_sql_status = noop
(1) check_for_cisco_AP { ... } # empty sub-section is ignored
(1) policy check_for_bypassed_MAC {
(1) if (User-Name == "SI_radius_keepalive") {
(1) if (User-Name == "SI_radius_keepalive") -> TRUE
(1) if (User-Name == "SI_radius_keepalive") {
(1) update reply {
(1) &Reply-Message += "EDR User SI_radius_keepalive bypassed,
EDR Accept"
(1) } # update reply = noop
(1) update control {
(1) &Auth-Type := Accept
(1) } # update control = noop
(1) [handled] = handled
(1) } # if (User-Name == "SI_radius_keepalive") = handled
(1) } # policy check_for_bypassed_MAC = handled
(1) } # post-auth = handled
(1) EXPAND %{&reply:Reply-Message}
(1) --> EDR User SI_radius_keepalive bypassed, EDR Accept
(1) Login OK: [SI_radius_keepalive/k?(#?X?e????????] (from client
IBM-9client port 0) EDR User SI_radius_keepalive bypassed, EDR Accept
(1) Sent Access-Accept Id 143 from 9.44.14.148:1812 to 9.44.14.217:2000
length 0
(1) Reply-Message += "EDR User SI_radius_keepalive bypassed, EDR Accept"
(1) Finished request
Waking up in 1.9 seconds.
(0) Cleaning up request packet ID 191 with timestamp +4
(1) Cleaning up request packet ID 143 with timestamp +4
Ready to process requests
(2) Received Access-Request Id 192 from 9.44.14.216:1101 to
9.44.14.148:1812 length 65
(2) User-Name = "SI_radius_keepalive"
(2) User-Password =
"\343\022\035\323\355JA\032\232\367\242\026\266\035=\033"
(2) Service-Type = Outbound-User
(2) # Executing section authorize from file
/etc/edr_raddb/sites-enabled/default
(2) authorize {
(2) [files] = noop
(2) update control {
(2) &Auth-Type := Accept
(2) } # update control = noop
(2) } # authorize = noop
(2) Found Auth-Type = Accept
(2) Auth-Type = Accept, accepting the user
(2) # Executing section post-auth from file
/etc/edr_raddb/sites-enabled/default
(2) post-auth {
(2) policy check_sql_status {
(2) update control {
(2) EXPAND %{User-Name}
(2) --> SI_radius_keepalive
(2) SQL-User-Name set to 'SI_radius_keepalive'
rlm_sql (sql): Reserved connection (2)
(2) Executing select query: SELECT COUNT(*) FROM edr.runstatus
WHERE status='NORMALOP' WITH UR
rlm_sql (sql): Released connection (2)
Need 4 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (6), 1 of 122 pending slots
used
(2) EXPAND %{sql:SELECT COUNT(*) FROM edr.runstatus WHERE
status='NORMALOP' WITH UR}
(2) --> 1
(2) &Tmp-Integer-0 := 1
(2) } # update control = noop
(2) if (control:Tmp-Integer-0 < 1) {
(2) if (control:Tmp-Integer-0 < 1) -> FALSE
(2) } # policy check_sql_status = noop
(2) check_for_cisco_AP { ... } # empty sub-section is ignored
(2) policy check_for_bypassed_MAC {
(2) if (User-Name == "SI_radius_keepalive") {
(2) if (User-Name == "SI_radius_keepalive") -> TRUE
(2) if (User-Name == "SI_radius_keepalive") {
(2) update reply {
(2) &Reply-Message += "EDR User SI_radius_keepalive bypassed,
EDR Accept"
(2) } # update reply = noop
(2) update control {
(2) &Auth-Type := Accept
(2) } # update control = noop
(2) [handled] = handled
(2) } # if (User-Name == "SI_radius_keepalive") = handled
(2) } # policy check_for_bypassed_MAC = handled
(2) } # post-auth = handled
(2) EXPAND %{&reply:Reply-Message}
(2) --> EDR User SI_radius_keepalive bypassed, EDR Accept
(2) Login OK: [SI_radius_keepalive/?????JA???????=?] (from client
IBM-9client port 0) EDR User SI_radius_keepalive bypassed, EDR Accept
(2) Sent Access-Accept Id 192 from 9.44.14.148:1812 to 9.44.14.216:1101
length 0
(2) Reply-Message += "EDR User SI_radius_keepalive bypassed, EDR Accept"
(2) Finished request
Waking up in 1.9 seconds.
(2) Cleaning up request packet ID 192 with timestamp +9
Ready to process requests
(3) Received Access-Request Id 144 from 9.44.14.217:1245 to
9.44.14.148:1812 length 65
(3) User-Name = "SI_radius_keepalive"
(3) User-Password = "\345O|H\347\312`a\315\036.\210h\201]\232"
(3) Service-Type = Outbound-User
(3) # Executing section authorize from file
/etc/edr_raddb/sites-enabled/default
(3) authorize {
(3) [files] = noop
(3) update control {
(3) &Auth-Type := Accept
(3) } # update control = noop
(3) } # authorize = noop
(3) Found Auth-Type = Accept
(3) Auth-Type = Accept, accepting the user
(3) # Executing section post-auth from file
/etc/edr_raddb/sites-enabled/default
(3) post-auth {
(3) policy check_sql_status {
(3) update control {
(3) EXPAND %{User-Name}
(3) --> SI_radius_keepalive
(3) SQL-User-Name set to 'SI_radius_keepalive'
rlm_sql (sql): Reserved connection (3)
(3) Executing select query: SELECT COUNT(*) FROM edr.runstatus
WHERE status='NORMALOP' WITH UR
rlm_sql (sql): Released connection (3)
Need 3 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (7), 1 of 121 pending slots
used
(3) EXPAND %{sql:SELECT COUNT(*) FROM edr.runstatus WHERE
status='NORMALOP' WITH UR}
(3) --> 1
(3) &Tmp-Integer-0 := 1
(3) } # update control = noop
(3) if (control:Tmp-Integer-0 < 1) {
(3) if (control:Tmp-Integer-0 < 1) -> FALSE
(3) } # policy check_sql_status = noop
(3) check_for_cisco_AP { ... } # empty sub-section is ignored
(3) policy check_for_bypassed_MAC {
(3) if (User-Name == "SI_radius_keepalive") {
(3) if (User-Name == "SI_radius_keepalive") -> TRUE
(3) if (User-Name == "SI_radius_keepalive") {
(3) update reply {
(3) &Reply-Message += "EDR User SI_radius_keepalive bypassed,
EDR Accept"
(3) } # update reply = noop
(3) update control {
(3) &Auth-Type := Accept
(3) } # update control = noop
(3) [handled] = handled
(3) } # if (User-Name == "SI_radius_keepalive") = handled
(3) } # policy check_for_bypassed_MAC = handled
(3) } # post-auth = handled
(3) EXPAND %{&reply:Reply-Message}
(3) --> EDR User SI_radius_keepalive bypassed, EDR Accept
(3) Login OK: [SI_radius_keepalive/?O|H??`a??.?h?]?] (from client
IBM-9client port 0) EDR User SI_radius_keepalive bypassed, EDR Accept
(3) Sent Access-Accept Id 144 from 9.44.14.148:1812 to 9.44.14.217:1245
length 0
(3) Reply-Message += "EDR User SI_radius_keepalive bypassed, EDR Accept"
(3) Finished request
Waking up in 1.9 seconds.
(3) Cleaning up request packet ID 144 with timestamp +14
Ready to process requests
....
(5502) Cleaning up request packet ID 144 with timestamp +338
(5538) Received Access-Request Id 189 from 127.0.0.1:24740 to
127.0.0.1:1812 length 64
(5538) User-Name = "00000000000R"
(5538) NAS-IP-Address = 9.44.14.137
(5538) NAS-Port = 10
(5538) Message-Authenticator = 0xda40c1552d213d34cc95f4298773670d
(5538) # Executing section authorize from file
/etc/edr_raddb/sites-enabled/default
(5538) authorize {
(5538) [files] = noop
(5538) update control {
(5538) &Auth-Type := Accept
(5538) } # update control = noop
(5538) } # authorize = noop
(5538) Found Auth-Type = Accept
(5538) Auth-Type = Accept, accepting the user
(5538) # Executing section post-auth from file
/etc/edr_raddb/sites-enabled/default
(5538) post-auth {
(5538) policy check_sql_status {
(5538) update control {
(5538) EXPAND %{User-Name}
(5538) --> 00000000000R
(5538) SQL-User-Name set to '00000000000R'
rlm_sql (sql): Reserved connection (7)
(5538) Executing select query: SELECT COUNT(*) FROM edr.runstatus
WHERE status='NORMALOP' WITH UR
rlm_sql (sql): Released connection (7)
(5538) EXPAND %{sql:SELECT COUNT(*) FROM edr.runstatus WHERE
status='NORMALOP' WITH UR}
(5538) --> 1
(5538) &Tmp-Integer-0 := 1
(5538) } # update control = noop
(5538) if (control:Tmp-Integer-0 < 1) {
(5538) if (control:Tmp-Integer-0 < 1) -> FALSE
(5538) } # policy check_sql_status = noop
(5538) check_for_cisco_AP { ... } # empty sub-section is ignored
(5538) policy check_for_bypassed_MAC {
(5538) if (User-Name == "SI_radius_keepalive") {
(5538) if (User-Name == "SI_radius_keepalive") -> FALSE
(5538) if (User-Name == "nessus") {
(5538) if (User-Name == "nessus") -> FALSE
(5538) elsif (User-Name == "00000000000R") {
(5538) elsif (User-Name == "00000000000R") -> TRUE
(5538) elsif (User-Name == "00000000000R") {
(5538) update reply {
(5538) &Reply-Message += "EDR 00000000000R bypassed for AOHCS
Health Check, EDR Reject"
(5538) } # update reply = noop
(5538) update control {
(5538) &Auth-Type := Reject
(5538) } # update control = noop
(5538) [reject] = reject
(5538) } # elsif (User-Name == "00000000000R") = reject
(5538) } # policy check_for_bypassed_MAC = reject
(5538) } # post-auth = reject
(5538) Using Post-Auth-Type Reject
(5538) Post-Auth-Type sub-section not found. Ignoring.
(5538) # Executing group from file /etc/edr_raddb/sites-enabled/default
(5538) EXPAND %{&reply:Reply-Message}
(5538) --> EDR 00000000000R bypassed for AOHCS Health Check, EDR Reject
(5538) Rejected in post-auth: [00000000000R/<via Auth-Type = Reject>]
(from client localhost port 10) EDR 00000000000R bypassed for AOHCS Health
Check, EDR Reject
(5538) EXPAND %{&reply:Reply-Message}
(5538) --> EDR 00000000000R bypassed for AOHCS Health Check, EDR Reject
(5538) Login incorrect: [00000000000R/<via Auth-Type = Reject>] (from
client localhost port 10) EDR 00000000000R bypassed for AOHCS Health
Check, EDR Reject
(5538) Sent Access-Reject Id 189 from 127.0.0.1:1812 to 127.0.0.1:24740
length 0
(5538) Reply-Message += "EDR 00000000000R bypassed for AOHCS Health
Check, EDR Reject"
(5538) Finished request
(5503) Cleaning up request packet ID 142 with timestamp +338
(5539) Received Access-Request Id 118 from 127.0.0.1:40924 to
127.0.0.1:1812 length 64
(5539) User-Name = "000000099999"
(5539) NAS-IP-Address = 9.44.14.137
(5539) NAS-Port = 10
(5539) Message-Authenticator = 0x1bdead5678e95af1770b0b22d7ce5284
(5539) # Executing section authorize from file
/etc/edr_raddb/sites-enabled/default
(5539) authorize {
(5539) [files] = noop
(5539) update control {
(5539) &Auth-Type := Accept
(5539) } # update control = noop
(5539) } # authorize = noop
(5539) Found Auth-Type = Accept
(5539) Auth-Type = Accept, accepting the user
(5539) # Executing section post-auth from file
/etc/edr_raddb/sites-enabled/default
(5539) post-auth {
(5539) policy check_sql_status {
(5539) update control {
(5539) EXPAND %{User-Name}
(5539) --> 000000099999
(5539) SQL-User-Name set to '000000099999'
rlm_sql (sql): Reserved connection (4)
(5539) Executing select query: SELECT COUNT(*) FROM edr.runstatus
WHERE status='NORMALOP' WITH UR
Could not execute statement "SELECT COUNT(*) FROM edr.runstatus WHERE
status='NORMALOP' WITH UR"
(5539) ERROR: rlm_sql_db2: HY014: [IBM][CLI Driver] CLI0129E An
attempt to allocate a handle failed because there are no more handles to
allocate. SQLSTATE=HY014
(5539) ERROR: SQL query failed: server error
rlm_sql (sql): Released connection (4)
(5539) EXPAND %{sql:SELECT COUNT(*) FROM edr.runstatus WHERE
status='NORMALOP' WITH UR}
(5539) -->
(5539) &Tmp-Integer-0 := 0
(5539) } # update control = noop
(5539) if (control:Tmp-Integer-0 < 1) {
(5539) if (control:Tmp-Integer-0 < 1) -> TRUE
(5539) if (control:Tmp-Integer-0 < 1) {
(5539) policy fail_open {
(5539) update reply {
(5539) EXPAND EDR req_num:%n req_id:%I fail_open
(5539) --> EDR req_num:5539 req_id:118 fail_open
(5539) &Reply-Message += EDR req_num:5539 req_id:118 fail_open
(5539) } # update reply = noop
(5539) update control {
(5539) &Auth-Type := Accept
(5539) } # update control = noop
(5539) [handled] = handled
(5539) } # policy fail_open = handled
(5539) } # if (control:Tmp-Integer-0 < 1) = handled
(5539) } # policy check_sql_status = handled
(5539) } # post-auth = handled
(5539) EXPAND %{&reply:Reply-Message}
(5539) --> EDR req_num:5539 req_id:118 fail_open
(5539) Login OK: [000000099999/<via Auth-Type = Accept>] (from client
localhost port 10) EDR req_num:5539 req_id:118 fail_open
(5539) Sent Access-Accept Id 118 from 127.0.0.1:1812 to 127.0.0.1:40924
length 0
(5539) Reply-Message += "EDR req_num:5539 req_id:118 fail_open"
(5539) Finished request
(5504) Cleaning up request packet ID 135 with timestamp +338
(5540) Received Access-Request Id 161 from 127.0.0.1:29338 to
127.0.0.1:1812 length 64
(5540) User-Name = "000000000000"
(5540) NAS-IP-Address = 9.44.14.137
(5540) NAS-Port = 10
(5540) Message-Authenticator = 0x7afd0d4c0f5f7f5939d4b862a7fe7c29
(5540) # Executing section authorize from file
/etc/edr_raddb/sites-enabled/default
(5540) authorize {
(5540) [files] = noop
(5540) update control {
(5540) &Auth-Type := Accept
(5540) } # update control = noop
(5540) } # authorize = noop
(5540) Found Auth-Type = Accept
(5540) Auth-Type = Accept, accepting the user
(5540) # Executing section post-auth from file
/etc/edr_raddb/sites-enabled/default
(5540) post-auth {
(5540) policy check_sql_status {
(5540) update control {
(5540) EXPAND %{User-Name}
(5540) --> 000000000000
(5540) SQL-User-Name set to '000000000000'
rlm_sql (sql): Reserved connection (8)
(5540) Executing select query: SELECT COUNT(*) FROM edr.runstatus
WHERE status='NORMALOP' WITH UR
rlm_sql (sql): Released connection (8)
(5540) EXPAND %{sql:SELECT COUNT(*) FROM edr.runstatus WHERE
status='NORMALOP' WITH UR}
(5540) --> 1
(5540) &Tmp-Integer-0 := 1
(5540) } # update control = noop
(5540) if (control:Tmp-Integer-0 < 1) {
(5540) if (control:Tmp-Integer-0 < 1) -> FALSE
(5540) } # policy check_sql_status = noop
(5540) check_for_cisco_AP { ... } # empty sub-section is ignored
(5540) policy check_for_bypassed_MAC {
(5540) if (User-Name == "SI_radius_keepalive") {
(5540) if (User-Name == "SI_radius_keepalive") -> FALSE
(5540) if (User-Name == "nessus") {
(5540) if (User-Name == "nessus") -> FALSE
(5540) elsif (User-Name == "00000000000R") {
(5540) elsif (User-Name == "00000000000R") -> FALSE
(5540) } # policy check_for_bypassed_MAC = noop
(5540) policy check_for_ignore {
(5540) update control {
rlm_sql (sql): Reserved connection (0)
rlm_sql (sql): Released connection (0)
(5540) EXPAND %{User-Name}
(5540) --> 000000000000
(5540) SQL-User-Name set to '000000000000'
rlm_sql (sql): Reserved connection (9)
(5540) Executing select query: SELECT COUNT(*) FROM edr.failed
WHERE username='000000000000' AND authdate >= (CURRENT TIMESTAMP - 1 DAYS)
WITH UR
rlm_sql (sql): Released connection (9)
(5540) EXPAND %{sql:SELECT COUNT(*) FROM edr.failed WHERE
username='%{User-Name}' AND authdate >= (CURRENT TIMESTAMP - 1 DAYS) WITH
UR }
(5540) --> 36
(5540) &Tmp-Integer-0 := 36
(5540) } # update control = noop
(5540) if (control:Tmp-Integer-0 > 58) {
(5540) if (control:Tmp-Integer-0 > 58) -> FALSE
(5540) } # policy check_for_ignore = noop
(5540) policy check_for_registered_MAC {
(5540) update control {
rlm_sql (sql): Reserved connection (5)
rlm_sql (sql): Released connection (5)
(5540) EXPAND %{User-Name}
(5540) --> 000000000000
(5540) SQL-User-Name set to '000000000000'
rlm_sql (sql): Reserved connection (1)
(5540) Executing select query: SELECT COUNT(*) FROM ldap.ldapsync
WHERE mac='000000000000' WITH UR
rlm_sql (sql): Released connection (1)
(5540) EXPAND %{sql:SELECT COUNT(*) FROM ldap.ldapsync WHERE
mac='%{User-Name}' WITH UR}
(5540) --> 1
(5540) &Tmp-Integer-0 := 1
(5540) } # update control = noop
(5540) if (control:Tmp-Integer-0 > 0) {
(5540) if (control:Tmp-Integer-0 > 0) -> TRUE
(5540) if (control:Tmp-Integer-0 > 0) {
(5540) update reply {
(5540) EXPAND EDR req_num:%n req_id:%I MAC %{User-Name} from
relay %{Packet-Src-IP-Address} is registered, EDR accept
(5540) --> EDR req_num:5540 req_id:161 MAC 000000000000 from
relay 127.0.0.1 is registered, EDR accept
(5540) &Reply-Message := EDR req_num:5540 req_id:161 MAC
000000000000 from relay 127.0.0.1 is registered, EDR accept
(5540) } # update reply = noop
(5540) update control {
(5540) &Auth-Type := Accept
(5540) } # update control = noop
(5540) [handled] = handled
(5540) } # if (control:Tmp-Integer-0 > 0) = handled
(5540) } # policy check_for_registered_MAC = handled
(5540) } # post-auth = handled
(5540) EXPAND %{&reply:Reply-Message}
(5540) --> EDR req_num:5540 req_id:161 MAC 000000000000 from relay
127.0.0.1 is registered, EDR accept
(5540) Login OK: [000000000000/<via Auth-Type = Accept>] (from client
localhost port 10) EDR req_num:5540 req_id:161 MAC 000000000000 from relay
127.0.0.1 is registered, EDR accept
(5540) Sent Access-Accept Id 161 from 127.0.0.1:1812 to 127.0.0.1:29338
length 0
(5540) Reply-Message := "EDR req_num:5540 req_id:161 MAC 000000000000
from relay 127.0.0.1 is registered, EDR accept"
(5540) Finished request
(5505) Cleaning up request packet ID 136 with timestamp +338
(5541) Received Access-Request Id 151 from 127.0.0.1:30962 to
127.0.0.1:1812 length 64
(5541) User-Name = "000000000001"
(5541) NAS-IP-Address = 9.44.14.137
(5541) NAS-Port = 10
(5541) Message-Authenticator = 0x24c78b0147d18e8b4c975734b2daaf1d
(5541) # Executing section authorize from file
/etc/edr_raddb/sites-enabled/default
(5541) authorize {
(5541) [files] = noop
(5541) update control {
(5541) &Auth-Type := Accept
(5541) } # update control = noop
(5541) } # authorize = noop
(5541) Found Auth-Type = Accept
(5541) Auth-Type = Accept, accepting the user
(5541) # Executing section post-auth from file
/etc/edr_raddb/sites-enabled/default
(5541) post-auth {
(5541) policy check_sql_status {
(5541) update control {
(5541) EXPAND %{User-Name}
(5541) --> 000000000001
(5541) SQL-User-Name set to '000000000001'
rlm_sql (sql): Reserved connection (2)
(5541) Executing select query: SELECT COUNT(*) FROM edr.runstatus
WHERE status='NORMALOP' WITH UR
rlm_sql (sql): Released connection (2)
(5541) EXPAND %{sql:SELECT COUNT(*) FROM edr.runstatus WHERE
status='NORMALOP' WITH UR}
(5541) --> 1
(5541) &Tmp-Integer-0 := 1
(5541) } # update control = noop
(5541) if (control:Tmp-Integer-0 < 1) {
(5541) if (control:Tmp-Integer-0 < 1) -> FALSE
(5541) } # policy check_sql_status = noop
(5541) check_for_cisco_AP { ... } # empty sub-section is ignored
(5541) policy check_for_bypassed_MAC {
(5541) if (User-Name == "SI_radius_keepalive") {
(5541) if (User-Name == "SI_radius_keepalive") -> FALSE
(5541) if (User-Name == "nessus") {
(5541) if (User-Name == "nessus") -> FALSE
(5541) elsif (User-Name == "00000000000R") {
(5541) elsif (User-Name == "00000000000R") -> FALSE
(5541) } # policy check_for_bypassed_MAC = noop
(5541) policy check_for_ignore {
(5541) update control {
rlm_sql (sql): Reserved connection (6)
rlm_sql (sql): Released connection (6)
(5541) EXPAND %{User-Name}
(5541) --> 000000000001
(5541) SQL-User-Name set to '000000000001'
rlm_sql (sql): Reserved connection (3)
(5541) Executing select query: SELECT COUNT(*) FROM edr.failed
WHERE username='000000000001' AND authdate >= (CURRENT TIMESTAMP - 1 DAYS)
WITH UR
rlm_sql (sql): Released connection (3)
(5541) EXPAND %{sql:SELECT COUNT(*) FROM edr.failed WHERE
username='%{User-Name}' AND authdate >= (CURRENT TIMESTAMP - 1 DAYS) WITH
UR }
(5541) --> 44
(5541) &Tmp-Integer-0 := 44
(5541) } # update control = noop
(5541) if (control:Tmp-Integer-0 > 58) {
(5541) if (control:Tmp-Integer-0 > 58) -> FALSE
(5541) } # policy check_for_ignore = noop
(5541) policy check_for_registered_MAC {
(5541) update control {
rlm_sql (sql): Reserved connection (7)
rlm_sql (sql): Released connection (7)
(5541) EXPAND %{User-Name}
(5541) --> 000000000001
(5541) SQL-User-Name set to '000000000001'
rlm_sql (sql): Reserved connection (4)
(5541) Executing select query: SELECT COUNT(*) FROM ldap.ldapsync
WHERE mac='000000000001' WITH UR
Could not execute statement "SELECT COUNT(*) FROM ldap.ldapsync WHERE
mac='000000000001' WITH UR"
(5541) ERROR: rlm_sql_db2: HY014: [IBM][CLI Driver] CLI0129E An
attempt to allocate a handle failed because there are no more handles to
allocate. SQLSTATE=HY014
(5541) ERROR: SQL query failed: server error
rlm_sql (sql): Released connection (4)
(5541) EXPAND %{sql:SELECT COUNT(*) FROM ldap.ldapsync WHERE
mac='%{User-Name}' WITH UR}
(5541) -->
(5541) &Tmp-Integer-0 := 0
(5541) } # update control = noop
(5541) if (control:Tmp-Integer-0 > 0) {
(5541) if (control:Tmp-Integer-0 > 0) -> FALSE
(5541) } # policy check_for_registered_MAC = noop
(5541) policy edr_count_and_reject {
(5541) if (Client-Shortname != "L2R") {
(5541) EXPAND Client-Shortname
(5541) --> localhost
(5541) if (Client-Shortname != "L2R") -> TRUE
(5541) if (Client-Shortname != "L2R") {
(5541) update control {
rlm_sql (sql): Reserved connection (8)
rlm_sql (sql): Released connection (8)
rlm_sql (sql): Reserved connection (0)
rlm_sql (sql): Released connection (0)
(5541) EXPAND %{User-Name}
(5541) --> 000000000001
(5541) SQL-User-Name set to '000000000001'
rlm_sql (sql): Reserved connection (9)
(5541) Executing query: INSERT INTO edr.failed
(username,authdate,addr) VALUES ('000000000001', CURRENT TIMESTAMP,
'127.0.0.1')
rlm_sql (sql): Released connection (9)
(5541) EXPAND %{sql:INSERT INTO edr.failed
(username,authdate,addr) VALUES ('%{User-Name}', CURRENT TIMESTAMP,
'%{Packet-Src-IP-Address}')}
(5541) --> 1
(5541) &Tmp-Integer-0 := 1
rlm_sql (sql): Reserved connection (5)
rlm_sql (sql): Released connection (5)
(5541) EXPAND %{User-Name}
(5541) --> 000000000001
(5541) SQL-User-Name set to '000000000001'
rlm_sql (sql): Reserved connection (1)
(5541) Executing select query: SELECT COUNT(*) FROM edr.failed
WHERE username = '000000000001'
rlm_sql (sql): Released connection (1)
(5541) EXPAND %{sql:SELECT COUNT(*) FROM edr.failed WHERE
username = '%{User-Name}' }
(5541) --> 45
(5541) &Tmp-Integer-1 := 45
(5541) EXPAND EDR req_num:%n req_id:%I MAC %{request:User-Name}
from relay %{request:Packet-Src-IP-Address} rejected, failed count =
%{control:Tmp-Integer-1}
(5541) --> EDR req_num:5541 req_id:151 MAC 000000000001 from
relay 127.0.0.1 rejected, failed count = 45
(5541) &Tmp-String-0 := EDR req_num:5541 req_id:151 MAC
000000000001 from relay 127.0.0.1 rejected, failed count = 45
(5541) } # update control = noop
(5541) } # if (Client-Shortname != "L2R") = noop
(5541) ... skipping else: Preceding "if" was taken
(5541) update reply {
(5541) &Reply-Message += &control:Tmp-String-0 -> 'EDR
req_num:5541 req_id:151 MAC 000000000001 from relay 127.0.0.1 rejected,
failed count = 45 '
(5541) No attributes updated for RHS
&request:ENDFORCE-RelayAgentAddr
(5541) } # update reply = noop
(5541) update control {
(5541) &Auth-Type := Reject
(5541) } # update control = noop
(5541) [reject] = reject
(5541) } # policy edr_count_and_reject = reject
(5541) } # post-auth = reject
(5541) Using Post-Auth-Type Reject
(5541) Post-Auth-Type sub-section not found. Ignoring.
(5541) # Executing group from file /etc/edr_raddb/sites-enabled/default
(5541) EXPAND %{&reply:Reply-Message}
(5541) --> EDR req_num:5541 req_id:151 MAC 000000000001 from relay
127.0.0.1 rejected, failed count = 45
(5541) Rejected in post-auth: [000000000001/<via Auth-Type = Reject>]
(from client localhost port 10) EDR req_num:5541 req_id:151 MAC
000000000001 from relay 127.0.0.1 rejected, failed count = 45
(5541) EXPAND %{&reply:Reply-Message}
(5541) --> EDR req_num:5541 req_id:151 MAC 000000000001 from relay
127.0.0.1 rejected, failed count = 45
(5541) Login incorrect (rlm_sql_db2: HY014: [IBM][CLI Driver] CLI0129E An
attempt to allocate a handle failed because there are no more handles to
allocate. SQLSTATE=HY014): [000000000001/<via Auth-Type = Reject>] (from
client localhost port 10) EDR req_num:5541 req_id:151 MAC 000000000001
from relay 127.0.0.1 rejected, failed count = 45
(5541) Sent Access-Reject Id 151 from 127.0.0.1:1812 to 127.0.0.1:30962
length 0
(5541) Reply-Message += "EDR req_num:5541 req_id:151 MAC 000000000001
from relay 127.0.0.1 rejected, failed count = 45 "
(5541) Finished request
(5506) Cleaning up request packet ID 240 with timestamp +338
...
Waking up in 1.9 seconds.
(5672) Cleaning up request packet ID 198 with timestamp +374
Ready to process requests
3
2
Thanks Alan ,
* what I mean with implement SQL query in default config file is just to have slight easy way to fetch data rather than write query that target radacct or radpostauth , it's works for me but is that slow the radius server performance or not .
* I have mikrotik multiple NAS that connected via Radsec I discover something strange ( when I disconnect single user from the radius the mikrotik response to send NAS-REQUEST for disconnect but when I disconnect multiple users via radius or from mikrotik it self the stale sessions are develop and No NAS-REQUEST is sent , my concern is that bug in mikrotik or freeradius has something to do with this issue .
* last question : I want to redirect expire user to portal page normally it's done by FRAM-POOL that mikrotik redirect it via firewall but that may cause issues in mikrotik , I discover Wisrp-redirect but it's only work for hotspot users and it's not work fine by mikrotik My question is how I can manage to do that as practical way for hotspot and broadband users .
Mohammed Almeeshal
Ajrass Networks CTO
2
1
Hello, FR Users
I recently built a lab environment which I want to test 802.1x dynamic vlans
features on our network facility. FreeRadius as the radius server in this
lab, we don't use users file, we want FR to use MS AD 2016 as external user
source, preferred PEAP+mschapv2.
In my lab, I followed guide of this site
http://deployingradius.com/documents/configuration/active_directory.html and
the following tested ok..
1. We configed ntlm_auth auth to get NTkey from MS AD for autheticcation,
this working fine, in lab I installed FR in ubuntu, but I realize in our
production environment, we use FreeRadius in pfsense OS, so it looks
impossible because pfsense doesn't provide samba and krb packages.
2. we also tested use LDAP bind against AD for authentication, this is
tested both worked both in FR in ubuntu and pfsense, however again, this is
limit to EAP-ttls + PAP authentication method, not preferred auth method.
but I was told by one of my colleagues that he did succeed peap&mschap in
Freeradius package in pfsense, I was confused how did he do that, because I
read discussion that MS AD will never disclose NTHASH through ldap protocol,
the only way is join windows domain and get NTKEY with samba, so my question
of this post is:
with requirement of PEAP&MSCHAP, is there a third way of getting Freeradius
working with MS AD in pfsense OS? (without samba/krb support in pfsense) or
did I miss something in FreeRadius configuration?
Thanks in advance.
2
1
Hi everyone
We wrote a Freeradius module which collects data over some less reliable
protocol (talking to property management systems / PMS).
It would be very handy if we could add some PMS related data (e.g.
connection fail count) to the server's status response.
Is there some documentation / best practice examples on how to implement
this?
Cheers,
Till
2
2
Yes. But there are a few gotchas.
View this email in your browser (https://mailchi.mp/83a258fcbc68/does-active-directory-work-with-freeradius-…)
Logo
** Does Active Directory work with FreeRADIUS?
------------------------------------------------------------
The short answer is Yes, Active Directory is compatible with FreeRADIUS. However, there are some constraints and implications for the rest of the system.
Like any technology choice, Active Directory has advantages and disadvantages, as well as consequences for how other network components need to be set up. This article provides an overview of these considerations at a high level and provides pointers to more detailed how-to guides.
Read more… (https://networkradius.us1.list-manage.com/track/click?u=1bc3d38a8ffdcd7ae0e…)
Over the last 20 years, I've personally responded to thousands of questions on FreeRADIUS mailing lists and forums. I've also worked with hundreds of clients and have seen first hand the obstacles and emergencies that network administrators struggle with.
Network RADIUS started this newsletter to share some answers to common issues, our best practices for setting up and maintaining your RADIUS systems, and give you important updates about new releases and features.
** Need RADIUS help?
------------------------------------------------------------
Get commercial support from the team behind FreeRADIUS.
Get commercial support (https://networkradius.us1.list-manage.com/track/click?u=1bc3d38a8ffdcd7ae0e…)
** What is the relationship between Network RADIUS and FreeRADIUS?
------------------------------------------------------------
FreeRADIUS is an open source implementation of the RADIUS protocol and was written by Alan DeKok in 1999.
Network RADIUS is a private, for-profit company founded by Alan DeKok which provides commercial support for FreeRADIUS. The Network RADIUS team has been the primary contributor to FreeRADIUS for the last 20 years. The FreeRADIUS mailing list, wiki, and documentation are all moderated and maintained by the Network RADIUS team.
FreeRADIUS has always been, and will always continue to be, open source. The Network RADIUS team provides commercial support to paying clients, and free product development for the FreeRADIUS community at large.
All of our software development for FreeRADIUS is integrated into the Open Source platform, and will always continue to be.
https://networkradius.us1.list-manage.com/track/click?u=1bc3d38a8ffdcd7ae0e… https://networkradius.us1.list-manage.com/track/click?u=1bc3d38a8ffdcd7ae0e… https://networkradius.us1.list-manage.com/track/click?u=1bc3d38a8ffdcd7ae0e…
Copyright (C) 2021 Network RADIUS. All rights reserved.
You are receiving this email because you opted in via our website.
Network RADIUS
26 Rue Colonel Dumont
GRENOBLE 38000
France
Update Preferences (https://networkradius.us1.list-manage.com/profile?u=1bc3d38a8ffdcd7ae0e89e0…) | Unsubscribe (https://networkradius.us1.list-manage.com/unsubscribe?u=1bc3d38a8ffdcd7ae0e…)
Email Marketing Powered by Mailchimp
http://www.mailchimp.com/email-referral/?utm_source=freemium_newsletter&utm…
1
0
Thanks Alan ...
it's fixed I manage to fix it and handle the inbounds traffics , Sorry For My Miss understand .
Now I have 2 questions :
First :
is it best practice to implement SQL query for billing purpose in sites-available "default" file or it must be handle
By another ways .
Second :
I'm struggle with stale session due to huge load , I usually clear it by cron jop or by SQL query that close the session if the user is try to login with open session it's works but not that clever ?
my questions is what is the best practice to handle stale session ?
Thanks Alan , Thanks Freeradius Team
Mohammed Almess-hal
2
1
> Type=notify
> NotifyAccess=all
> ExecStartPre=/usr/local/sbin/radiusd $FREERADIUS_OPTIONS -Cxm -lstdout
1. Try it without the "-m" flag, that causes a fatal error for us too but everything works fine without it.
2. If that still doesn't work, try "Type=forking", that is what we use.
However, we are on version 3.0.20 and use RHEL 7 so this may not be helpful at all!
Doug
________________________________
From: Freeradius-Users <freeradius-users-bounces+doug.wussler=fsu.edu(a)lists.freeradius.org> on behalf of freeradius-users-request(a)lists.freeradius.org <freeradius-users-request(a)lists.freeradius.org>
Sent: Tuesday, April 20, 2021 5:57 AM
To: freeradius-users(a)lists.freeradius.org <freeradius-users(a)lists.freeradius.org>
Subject: Freeradius-Users Digest, Vol 192, Issue 25
Send Freeradius-Users mailing list submissions to
freeradius-users(a)lists.freeradius.org
To subscribe or unsubscribe via the World Wide Web, visit
https://urldefense.com/v3/__http://lists.freeradius.org/mailman/listinfo/fr…
or, via email, send a message with subject or body 'help' to
freeradius-users-request(a)lists.freeradius.org
You can reach the person managing the list at
freeradius-users-owner(a)lists.freeradius.org
When replying, please edit your Subject line so it is more specific
than "Re: Contents of Freeradius-Users digest..."
Today's Topics:
1. Recreate detail file for buffered-sql (Ángel L. Mateo)
2. Re: Recreate detail file for buffered-sql (Alan DeKok)
3. Problems with using Freeradius as systemd (Mark Antony)
4. Re: Problems with using Freeradius as systemd (Marki)
5. Re: Problems with using Freeradius as systemd (Mark Antony)
6. Re: Problems with using Freeradius as systemd (Alan DeKok)
7. Authentication with Vendor-Specific Attribute (Daniel Kastner)
----------------------------------------------------------------------
Message: 1
Date: Mon, 19 Apr 2021 13:47:34 +0200
From: Ángel L. Mateo <amateo(a)um.es>
To: freeradius-users(a)lists.freeradius.org
Subject: Recreate detail file for buffered-sql
Message-ID: <160d4852-1e57-9990-7ddc-87eaca55d6b5(a)um.es>
Content-Type: text/plain; charset=utf-8; format=flowed
Hello,
I have freeradius configured in eduroam to create a detail buffered
wich is read by a buffered-sql site to dump connection logs to a mysql.
My problem is that I have wrongly delete the buffered file that is
created to dump these entries, but I already have the original detail files.
Is there any way to recreate the dump file? May a copy from the detail
file to the buffered input be enough?
--
Angel L. Mateo Martínez
Sección de Telemática
Área de Tecnologías de la Información
y las Comunicaciones Aplicadas (ATICA)
https://urldefense.com/v3/__http://www.um.es/atica__;!!PhOWcWs!n9CwfbRCHf1p…
Tfo: 868889150
Fax: 868888337
------------------------------
Message: 2
Date: Mon, 19 Apr 2021 07:57:12 -0400
From: Alan DeKok <aland(a)deployingradius.com>
To: FreeRadius users mailing list
<freeradius-users(a)lists.freeradius.org>
Subject: Re: Recreate detail file for buffered-sql
Message-ID: <C8B4CC0D-31BC-4488-B98D-6B3B0C2B526B(a)deployingradius.com>
Content-Type: text/plain; charset=utf-8
On Apr 19, 2021, at 7:47 AM, Ángel L. Mateo <amateo(a)um.es> wrote:
> I have freeradius configured in eduroam to create a detail buffered wich is read by a buffered-sql site to dump connection logs to a mysql.
>
> My problem is that I have wrongly delete the buffered file that is created to dump these entries, but I already have the original detail files.
>
> Is there any way to recreate the dump file? May a copy from the detail file to the buffered input be enough?
Yes, that should work.
Alan DeKok.
------------------------------
Message: 3
Date: Mon, 19 Apr 2021 16:41:57 +0000
From: Mark Antony <mark.antony.4(a)protonmail.com>
To: Mark Antony via Freeradius-Users
<freeradius-users(a)lists.freeradius.org>
Subject: Problems with using Freeradius as systemd
Message-ID:
<igsApmMp7QigHcc9VIXqLPKgPeQedMCHRaChTWJiDi6hMiUf0BBJ2y1XMBVGxhp-9qwc-yDd91EjHxb3Flal78kiX7hCFVUi33XuJJuIhlM=(a)protonmail.com>
Content-Type: text/plain; charset=utf-8
Hello,
I have compiled Freeradius 3.0.21 successfully and can run it perfectly as radiusd -X.
However when I want to run it as Systemd it doesn't work.
This is how I have compiled it under Debian 10.9. Do I have to enable any special flag to support systemd?
wget https://urldefense.com/v3/__ftp://ftp.freeradius.org/pub/freeradius/freerad…
tar -xvzf freeradius-server-3.0.21.tar.gz
cd freeradius-server-3.0.21
sudo ./configure
sudo make
sudo make install
/lib/systemd/system/freeradius.service:
[Unit]
Description=FreeRADIUS multi-protocol policy server
After=network.target
[Service]
Type=notify
NotifyAccess=all
EnvironmentFile=-/usr/local/freeradius
ExecStartPre=/usr/local/sbin/radiusd $FREERADIUS_OPTIONS -Cxm -lstdout
ExecStart=/usr/local/sbin/radiusd -f $FREERADIUS_OPTIONS
Restart=on-failure
RestartSec=5
[Install]
WantedBy=multi-user.target
Nothing obvious in syslog:
Apr 19 16:29:25 us-sfo-2 systemd[1]: freeradius.service: Start operation timed out. Terminating.
Apr 19 16:29:25 us-sfo-2 systemd[1]: freeradius.service: Failed with result 'timeout'.
Apr 19 16:29:25 us-sfo-2 systemd[1]: Failed to start FreeRADIUS multi-protocol policy server.
Neither anything useful in journal -x
-- The job identifier is 6355.
Apr 19 16:37:31 us-sfo-2 radiusd[6129]: FreeRADIUS Version 3.0.21
Apr 19 16:37:31 us-sfo-2 radiusd[6129]: Copyright (C) 1999-2019 The FreeRADIUS server project and contributors
Apr 19 16:37:31 us-sfo-2 radiusd[6129]: There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
Apr 19 16:37:31 us-sfo-2 radiusd[6129]: PARTICULAR PURPOSE
Apr 19 16:37:31 us-sfo-2 radiusd[6129]: You may redistribute copies of FreeRADIUS under the terms of the
Apr 19 16:37:31 us-sfo-2 radiusd[6129]: GNU General Public License
Apr 19 16:37:31 us-sfo-2 radiusd[6129]: For more information about these matters, see the file named COPYRIGHT
Apr 19 16:37:31 us-sfo-2 radiusd[6129]: Starting - reading configuration files ...
Apr 19 16:37:31 us-sfo-2 radiusd[6129]: Debugger not attached
Apr 19 16:37:31 us-sfo-2 radiusd[6129]: Built without support for systemd watchdog, but running under systemd.
Apr 19 16:37:31 us-sfo-2 radiusd[6129]: rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
Apr 19 16:37:31 us-sfo-2 radiusd[6129]: Creating attribute SQL-Group
Apr 19 16:37:31 us-sfo-2 radiusd[6129]: Creating attribute Unix-Group
Apr 19 16:37:31 us-sfo-2 radiusd[6129]: rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked
Apr 19 16:37:31 us-sfo-2 radiusd[6129]: Please use tls_min_version and tls_max_version instead of disable_tlsv1
Apr 19 16:37:31 us-sfo-2 radiusd[6129]: Please use tls_min_version and tls_max_version instead of disable_tlsv1_2
Apr 19 16:37:31 us-sfo-2 radiusd[6129]: tls: Using cached TLS configuration from previous invocation
Apr 19 16:37:31 us-sfo-2 radiusd[6129]: tls: Using cached TLS configuration from previous invocation
Apr 19 16:37:31 us-sfo-2 radiusd[6129]: rlm_sql_mysql: libmysql version: 10.5.9
Apr 19 16:37:31 us-sfo-2 radiusd[6129]: rlm_sql (sql): Attempting to connect to database "radius_db"
Apr 19 16:37:31 us-sfo-2 radiusd[6129]: rlm_sql (sql): Initialising connection pool
Apr 19 16:37:31 us-sfo-2 radiusd[6129]: rlm_sql (sql): Processing generate_sql_clients
Apr 19 16:37:31 us-sfo-2 radiusd[6129]: rlm_sql (sql) in generate_sql_clients: query is SELECT id, nasname, shortname, type, secret, server FROM nas
Apr 19 16:37:31 us-sfo-2 radiusd[6129]: rlm_sql (sql): 0 of 0 connections in use. You may need to increase "spare"
Apr 19 16:37:31 us-sfo-2 radiusd[6129]: rlm_sql (sql): Opening additional connection (0), 1 of 1 pending slots used
Apr 19 16:37:31 us-sfo-2 radiusd[6129]: rlm_sql_mysql: Starting connect to MySQL server
Apr 19 16:37:32 us-sfo-2 radiusd[6129]: rlm_sql (sql): Reserved connection (0)
Apr 19 16:37:32 us-sfo-2 radiusd[6129]: rlm_sql (sql): Released connection (0)
Apr 19 16:37:32 us-sfo-2 radiusd[6129]: rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output
Apr 19 16:37:32 us-sfo-2 radiusd[6129]: rlm_mschap (mschap): using internal authentication
Apr 19 16:37:32 us-sfo-2 radiusd[6129]: Ignoring "ldap" (see raddb/mods-available/README.rst)
Apr 19 16:37:32 us-sfo-2 radiusd[6129]: # Skipping contents of 'if' as it is always 'false' -- /usr/local/etc/raddb/sites-enabled/inner-tunnel:336
Apr 19 16:37:32 us-sfo-2 radiusd[6129]: radiusd: #### Skipping IP addresses and Ports ####
Apr 19 16:37:32 us-sfo-2 radiusd[6129]: Configuration appears to be OK
Apr 19 16:37:32 us-sfo-2 radiusd[6129]: rlm_sql (sql): Removing connection pool
Apr 19 16:37:32 us-sfo-2 radiusd[6129]: rlm_sql (sql): Closing connection (0)
Apr 19 16:37:44 us-sfo-2 sudo[6138]: admin : TTY=pts/0 ; PWD=/home/admin ; USER=root ; COMMAND=/usr/bin/journalctl -xe
Apr 19 16:37:44 us-sfo-2 sudo[6138]: pam_unix(sudo:session): session opened for user root by admin(uid=0)
I would really appreciate your help on this.
Thank you
Mark
------------------------------
Message: 4
Date: Mon, 19 Apr 2021 18:55:17 +0200
From: Marki <jm+freeradiususer(a)roth.lu>
To: Mark Antony <mark.antony.4(a)protonmail.com>, FreeRadius users
mailing list <freeradius-users(a)lists.freeradius.org>
Subject: Re: Problems with using Freeradius as systemd
Message-ID: <597410e7-7052-d279-68c8-3b396e1bc529(a)roth.lu>
Content-Type: text/plain; charset=utf-8; format=flowed
In the output you posted (and read before posting I guess), the
following message related to systemd seems to stand out:
On 4/19/2021 6:41 PM, Mark Antony via Freeradius-Users wrote:
> Built without support for systemd watchdog, but running under systemd.
------------------------------
Message: 5
Date: Mon, 19 Apr 2021 17:10:17 +0000
From: Mark Antony <mark.antony.4(a)protonmail.com>
To: Marki <jm+freeradiususer(a)roth.lu>
Cc: FreeRadius users mailing list
<freeradius-users(a)lists.freeradius.org>
Subject: Re: Problems with using Freeradius as systemd
Message-ID:
<1hoyh1PuSjIev4BQsHbylE1DyxRuFzQxZEVDyVj9iP6bLY1OCwrXDg-PVpPVxWqLtJ0Iu_cBFcncI17Xzy2TBOSGexe18RXhVIHkdxUHRr4=(a)protonmail.com>
Content-Type: text/plain; charset=utf-8
Thank you. Hence my question do I need a special flag during compilation to enable systemd support?
https://urldefense.com/v3/__https://wiki.freeradius.org/building/Debian*20a…
I can't find anything on the wiki.
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Monday, 19 April 2021 17:55, Marki <jm+freeradiususer(a)roth.lu> wrote:
> In the output you posted (and read before posting I guess), the
> following message related to systemd seems to stand out:
>
> On 4/19/2021 6:41 PM, Mark Antony via Freeradius-Users wrote:
>
> > Built without support for systemd watchdog, but running under systemd.
------------------------------
Message: 6
Date: Mon, 19 Apr 2021 13:11:16 -0400
From: Alan DeKok <aland(a)deployingradius.com>
To: Mark Antony <mark.antony.4(a)protonmail.com>, FreeRadius users
mailing list <freeradius-users(a)lists.freeradius.org>
Subject: Re: Problems with using Freeradius as systemd
Message-ID: <B0046418-E424-4BDB-BD63-8F715A29B93B(a)deployingradius.com>
Content-Type: text/plain; charset=us-ascii
On Apr 19, 2021, at 1:10 PM, Mark Antony via Freeradius-Users <freeradius-users(a)lists.freeradius.org> wrote:
> Thank you. Hence my question do I need a special flag during compilation to enable systemd support?
>
> https://urldefense.com/v3/__https://wiki.freeradius.org/building/Debian*20a…
You need to install the dependencies that systemd needs. See the output of "configure".
Alan DeKok.
------------------------------
Message: 7
Date: Tue, 20 Apr 2021 09:57:41 +0000
From: Daniel Kastner <daniel.kastner(a)karakun.com>
To: "freeradius-users(a)lists.freeradius.org"
<freeradius-users(a)lists.freeradius.org>
Subject: Authentication with Vendor-Specific Attribute
Message-ID:
<AM7P189MB1105C5B7A21199A1F7DB6C0D8D489(a)AM7P189MB1105.EURP189.PROD.OUTLOOK.COM>
Content-Type: text/plain; charset="us-ascii"
I'm totally new to this (free)Radius stuff and trying to achieve authentication based on a vendor-specific attribute send by the client.
I've add the custom attribute in a new dictionary file /opt/share/freeradius/dictionary.myvendor:
VENDOR MyVendor 16132
BEGIN-VENDOR MyVendor
ATTRIBUTE MyVendor -OneTimePassword 1 string
END-VENDOR MyVendor
Included it in the /opt/share/freeradius/dictionary:
$INCLUDE dictionary.myvendor
And now trying the following in file /opt/etc/raddb/mods-config/files/authorize:
bob Cleartext-Password := "hello"
if( &MyVendor-OneTimePassword == "123456" ) {
Auth-Type := Accept
Reply-Message := "Hello %{User-Name}, great to have you here!"
} else {
Auth-Type := Reject
Reply-Message := "Sorry %{User-Name}, wrong OTP"
}
But when I start the server it quits with the following message:
reading pairlist file /opt/etc/raddb/mods-config/files/authorize
/opt/etc/raddb/mods-config/files/authorize[2]: Parse error (reply) for entry bob: Expecting operator
Failed reading /opt/etc/raddb/mods-config/files/authorize
/opt/etc/raddb/mods-enabled/files[9]: Instantiation failed for module "files"
Any advice?
------------------------------
Subject: Digest Footer
-
List info/subscribe/unsubscribe? See https://urldefense.com/v3/__http://www.freeradius.org/list/users.html__;!!P…
------------------------------
End of Freeradius-Users Digest, Vol 192, Issue 25
*************************************************
2
2
Very pleased to see how widely recognized you are for your contributions and. leadership in this space. As subscribers to your listserv, I believe we share a common interest in understanding how things work and we all see the benefit in having such articles curated for our attention. I can't imagine who would not enthusiastically embrace the publication of such material to this listserv. So yes, definitely, please share and many thanks for doing so.
Having said that, my personal preference would be for links to the web page where your material could be enjoyed in a more reader-friendly format than plain text.
Doug
1
0
I'm totally new to this (free)Radius stuff and trying to achieve authentication based on a vendor-specific attribute send by the client.
I've add the custom attribute in a new dictionary file /opt/share/freeradius/dictionary.myvendor:
VENDOR MyVendor 16132
BEGIN-VENDOR MyVendor
ATTRIBUTE MyVendor -OneTimePassword 1 string
END-VENDOR MyVendor
Included it in the /opt/share/freeradius/dictionary:
$INCLUDE dictionary.myvendor
And now trying the following in file /opt/etc/raddb/mods-config/files/authorize:
bob Cleartext-Password := "hello"
if( &MyVendor-OneTimePassword == "123456" ) {
Auth-Type := Accept
Reply-Message := "Hello %{User-Name}, great to have you here!"
} else {
Auth-Type := Reject
Reply-Message := "Sorry %{User-Name}, wrong OTP"
}
But when I start the server it quits with the following message:
reading pairlist file /opt/etc/raddb/mods-config/files/authorize
/opt/etc/raddb/mods-config/files/authorize[2]: Parse error (reply) for entry bob: Expecting operator
Failed reading /opt/etc/raddb/mods-config/files/authorize
/opt/etc/raddb/mods-enabled/files[9]: Instantiation failed for module "files"
Any advice?
2
1