Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
June 2022
- 33 participants
- 37 discussions
Hello,
I've got two different authentication issues. The server is meant to service both mac-based authentication (using authorized_macs file) and eap-tls using certificates. This is for a production environment where I have done my best to mimic our old setup which is working but on EOL software.
In the logs I get "invalid user" for the mac-based auth and "eap_tls: ERROR: TLS alert werite:fatal:internal error.
I've attached below the output of "freeradius -X", minus all the clients we have and with only one attempted auth per type of error. Let me know if you need any other data.
Thanks,
David le Roux
FreeRADIUS Version 3.0.21
Copyright (C) 1999-2019 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including dictionary file /etc/freeradius/3.0/dictionary
including configuration file /etc/freeradius/3.0/radiusd.conf
including configuration file /etc/freeradius/3.0/proxy.conf
including configuration file /etc/freeradius/3.0/clients.conf
including configuration file /etc/freeradius/3.0/mwanclients.conf
including files in directory /etc/freeradius/3.0/mods-enabled/
including configuration file /etc/freeradius/3.0/mods-enabled/unpack
including configuration file /etc/freeradius/3.0/mods-enabled/detail.log
including configuration file /etc/freeradius/3.0/mods-enabled/detail
including configuration file /etc/freeradius/3.0/mods-enabled/cache_eap
including configuration file /etc/freeradius/3.0/mods-enabled/logintime
including configuration file /etc/freeradius/3.0/mods-enabled/files
including configuration file /etc/freeradius/3.0/mods-enabled/ntlm_auth
including configuration file /etc/freeradius/3.0/mods-enabled/replicate
including configuration file /etc/freeradius/3.0/mods-enabled/pap
including configuration file /etc/freeradius/3.0/mods-enabled/sradutmp
including configuration file /etc/freeradius/3.0/mods-enabled/linelog
including configuration file /etc/freeradius/3.0/mods-enabled/realm
including configuration file /etc/freeradius/3.0/mods-enabled/preprocess
including configuration file /etc/freeradius/3.0/mods-enabled/exec
including configuration file /etc/freeradius/3.0/mods-enabled/expr
including configuration file /etc/freeradius/3.0/mods-enabled/echo
including configuration file /etc/freeradius/3.0/mods-enabled/digest
including configuration file /etc/freeradius/3.0/mods-enabled/dynamic_clients
including configuration file /etc/freeradius/3.0/mods-enabled/radutmp
including configuration file /etc/freeradius/3.0/mods-enabled/utf8
including configuration file /etc/freeradius/3.0/mods-enabled/passwd
including configuration file /etc/freeradius/3.0/mods-enabled/unix
including configuration file /etc/freeradius/3.0/mods-enabled/eap
including configuration file /etc/freeradius/3.0/mods-enabled/attr_filter
including configuration file /etc/freeradius/3.0/mods-enabled/expiration
including configuration file /etc/freeradius/3.0/mods-enabled/soh
including configuration file /etc/freeradius/3.0/mods-enabled/always
including configuration file /etc/freeradius/3.0/mods-enabled/mschap
including configuration file /etc/freeradius/3.0/mods-enabled/chap
including files in directory /etc/freeradius/3.0/policy.d/
including configuration file /etc/freeradius/3.0/policy.d/control
including configuration file /etc/freeradius/3.0/policy.d/dhcp
including configuration file /etc/freeradius/3.0/policy.d/debug
including configuration file /etc/freeradius/3.0/policy.d/operator-name
including configuration file /etc/freeradius/3.0/policy.d/filter
including configuration file /etc/freeradius/3.0/policy.d/cui
including configuration file /etc/freeradius/3.0/policy.d/canonicalization
including configuration file /etc/freeradius/3.0/policy.d/abfab-tr
including configuration file /etc/freeradius/3.0/policy.d/moonshot-targeted-ids
including configuration file /etc/freeradius/3.0/policy.d/rfc7542
including configuration file /etc/freeradius/3.0/policy.d/accounting
including configuration file /etc/freeradius/3.0/policy.d/eap
including files in directory /etc/freeradius/3.0/sites-enabled/
including configuration file /etc/freeradius/3.0/sites-enabled/inner-tunnel
including configuration file /etc/freeradius/3.0/sites-enabled/mh-site
main {
security {
user = "freerad"
group = "freerad"
allow_core_dumps = no
}
name = "freeradius"
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/freeradius"
run_dir = "/var/run/freeradius"
}
main {
name = "freeradius"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log/freeradius"
run_dir = "/var/run/freeradius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/freeradius/radacct"
hostname_lookups = no
max_request_time = 120
cleanup_delay = 10
max_requests = 80000
pidfile = "/var/run/freeradius/freeradius.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
colourise = yes
msg_denied = "You are already logged in - access denied"
}
resources {
}
security {
max_attributes = 200
reject_delay = 1.000000
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = <<< secret >>>
response_window = 20.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 120
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client 127.0.0.1 {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = <<< secret >>>
shortname = "localhost"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
}
Debugger not attached
systemd watchdog is disabled
# Creating Auth-Type = mschap
# Creating Auth-Type = eap
# Creating Auth-Type = PAP
# Creating Auth-Type = CHAP
# Creating Auth-Type = MS-CHAP
radiusd: #### Instantiating modules ####
modules {
# Loaded module rlm_unpack
# Loading module "unpack" from file /etc/freeradius/3.0/mods-enabled/unpack
# Loaded module rlm_detail
# Loading module "auth_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
detail auth_log {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "reply_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
detail reply_log {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "pre_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
detail pre_proxy_log {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "post_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
detail post_proxy_log {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "detail" from file /etc/freeradius/3.0/mods-enabled/detail
detail {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_cache
# Loading module "cache_eap" from file /etc/freeradius/3.0/mods-enabled/cache_eap
cache cache_eap {
driver = "rlm_cache_rbtree"
key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
ttl = 15
max_entries = 0
epoch = 0
add_stats = no
}
# Loaded module rlm_logintime
# Loading module "logintime" from file /etc/freeradius/3.0/mods-enabled/logintime
logintime {
minimum_timeout = 60
}
# Loaded module rlm_files
# Loading module "files" from file /etc/freeradius/3.0/mods-enabled/files
files {
filename = "/etc/freeradius/3.0/mods-config/files/authorize"
acctusersfile = "/etc/freeradius/3.0/mods-config/files/accounting"
preproxy_usersfile = "/etc/freeradius/3.0/mods-config/files/pre-proxy"
}
# Loading module "authorized_macs" from file /etc/freeradius/3.0/mods-enabled/files
files authorized_macs {
usersfile = "/etc/freeradius/3.0/authorized_macs"
key = "%{Calling-Station-ID}"
}
# Loaded module rlm_exec
# Loading module "ntlm_auth" from file /etc/freeradius/3.0/mods-enabled/ntlm_auth
exec ntlm_auth {
wait = yes
program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
shell_escape = yes
}
# Loaded module rlm_replicate
# Loading module "replicate" from file /etc/freeradius/3.0/mods-enabled/replicate
# Loaded module rlm_pap
# Loading module "pap" from file /etc/freeradius/3.0/mods-enabled/pap
pap {
normalise = yes
}
# Loaded module rlm_radutmp
# Loading module "sradutmp" from file /etc/freeradius/3.0/mods-enabled/sradutmp
radutmp sradutmp {
filename = "/var/log/freeradius/sradutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 420
caller_id = no
}
# Loaded module rlm_linelog
# Loading module "linelog" from file /etc/freeradius/3.0/mods-enabled/linelog
linelog {
filename = "/var/log/freeradius/linelog"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = "This is a log message for %{User-Name}"
reference = "messages.%{%{reply:Packet-Type}:-default}"
}
# Loading module "log_accounting" from file /etc/freeradius/3.0/mods-enabled/linelog
linelog log_accounting {
filename = "/var/log/freeradius/linelog-accounting"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = ""
reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
}
# Loaded module rlm_realm
# Loading module "IPASS" from file /etc/freeradius/3.0/mods-enabled/realm
realm IPASS {
format = "prefix"
delimiter = "/"
ignore_default = no
ignore_null = no
}
# Loading module "suffix" from file /etc/freeradius/3.0/mods-enabled/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
# Loading module "bangpath" from file /etc/freeradius/3.0/mods-enabled/realm
realm bangpath {
format = "prefix"
delimiter = "!"
ignore_default = no
ignore_null = no
}
# Loading module "realmpercent" from file /etc/freeradius/3.0/mods-enabled/realm
realm realmpercent {
format = "suffix"
delimiter = "%"
ignore_default = no
ignore_null = no
}
# Loading module "ntdomain" from file /etc/freeradius/3.0/mods-enabled/realm
realm ntdomain {
format = "prefix"
delimiter = "\\"
ignore_default = no
ignore_null = no
}
# Loaded module rlm_preprocess
# Loading module "preprocess" from file /etc/freeradius/3.0/mods-enabled/preprocess
preprocess {
huntgroups = "/etc/freeradius/3.0/mods-config/preprocess/huntgroups"
hints = "/etc/freeradius/3.0/mods-config/preprocess/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
# Loading module "exec" from file /etc/freeradius/3.0/mods-enabled/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
# Loaded module rlm_expr
# Loading module "expr" from file /etc/freeradius/3.0/mods-enabled/expr
expr {
safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
}
# Loading module "echo" from file /etc/freeradius/3.0/mods-enabled/echo
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
}
# Loaded module rlm_digest
# Loading module "digest" from file /etc/freeradius/3.0/mods-enabled/digest
# Loaded module rlm_dynamic_clients
# Loading module "dynamic_clients" from file /etc/freeradius/3.0/mods-enabled/dynamic_clients
# Loading module "radutmp" from file /etc/freeradius/3.0/mods-enabled/radutmp
radutmp {
filename = "/var/log/freeradius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 384
caller_id = yes
}
# Loaded module rlm_utf8
# Loading module "utf8" from file /etc/freeradius/3.0/mods-enabled/utf8
# Loaded module rlm_passwd
# Loading module "etc_passwd" from file /etc/freeradius/3.0/mods-enabled/passwd
passwd etc_passwd {
filename = "/etc/passwd"
format = "*User-Name:Crypt-Password:"
delimiter = ":"
ignore_nislike = no
ignore_empty = yes
allow_multiple_keys = no
hash_size = 100
}
# Loaded module rlm_unix
# Loading module "unix" from file /etc/freeradius/3.0/mods-enabled/unix
unix {
radwtmp = "/var/log/freeradius/radwtmp"
}
Creating attribute Unix-Group
# Loaded module rlm_eap
# Loading module "eap" from file /etc/freeradius/3.0/mods-enabled/eap
eap {
default_eap_type = "tls"
timer_expire = 600
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 80000
}
# Loaded module rlm_attr_filter
# Loading module "attr_filter.post-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter
attr_filter attr_filter.post-proxy {
filename = "/etc/freeradius/3.0/mods-config/attr_filter/post-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.pre-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter
attr_filter attr_filter.pre-proxy {
filename = "/etc/freeradius/3.0/mods-config/attr_filter/pre-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.access_reject" from file /etc/freeradius/3.0/mods-enabled/attr_filter
attr_filter attr_filter.access_reject {
filename = "/etc/freeradius/3.0/mods-config/attr_filter/access_reject"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.access_challenge" from file /etc/freeradius/3.0/mods-enabled/attr_filter
attr_filter attr_filter.access_challenge {
filename = "/etc/freeradius/3.0/mods-config/attr_filter/access_challenge"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.accounting_response" from file /etc/freeradius/3.0/mods-enabled/attr_filter
attr_filter attr_filter.accounting_response {
filename = "/etc/freeradius/3.0/mods-config/attr_filter/accounting_response"
key = "%{User-Name}"
relaxed = no
}
# Loaded module rlm_expiration
# Loading module "expiration" from file /etc/freeradius/3.0/mods-enabled/expiration
# Loaded module rlm_soh
# Loading module "soh" from file /etc/freeradius/3.0/mods-enabled/soh
soh {
dhcp = yes
}
# Loaded module rlm_always
# Loading module "reject" from file /etc/freeradius/3.0/mods-enabled/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
# Loading module "fail" from file /etc/freeradius/3.0/mods-enabled/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
# Loading module "ok" from file /etc/freeradius/3.0/mods-enabled/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
# Loading module "handled" from file /etc/freeradius/3.0/mods-enabled/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
# Loading module "invalid" from file /etc/freeradius/3.0/mods-enabled/always
always invalid {
rcode = "invalid"
simulcount = 0
mpp = no
}
# Loading module "userlock" from file /etc/freeradius/3.0/mods-enabled/always
always userlock {
rcode = "userlock"
simulcount = 0
mpp = no
}
# Loading module "notfound" from file /etc/freeradius/3.0/mods-enabled/always
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
# Loading module "noop" from file /etc/freeradius/3.0/mods-enabled/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
# Loading module "updated" from file /etc/freeradius/3.0/mods-enabled/always
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
# Loaded module rlm_mschap
# Loading module "mschap" from file /etc/freeradius/3.0/mods-enabled/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
passchange {
}
allow_retry = yes
winbind_retry_with_normalised_username = no
}
# Loaded module rlm_chap
# Loading module "chap" from file /etc/freeradius/3.0/mods-enabled/chap
instantiate {
}
# Instantiating module "auth_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output
# Instantiating module "reply_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
# Instantiating module "pre_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
# Instantiating module "post_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
# Instantiating module "detail" from file /etc/freeradius/3.0/mods-enabled/detail
# Instantiating module "cache_eap" from file /etc/freeradius/3.0/mods-enabled/cache_eap
rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked
# Instantiating module "logintime" from file /etc/freeradius/3.0/mods-enabled/logintime
# Instantiating module "files" from file /etc/freeradius/3.0/mods-enabled/files
reading pairlist file /etc/freeradius/3.0/mods-config/files/authorize
reading pairlist file /etc/freeradius/3.0/mods-config/files/accounting
reading pairlist file /etc/freeradius/3.0/mods-config/files/pre-proxy
# Instantiating module "authorized_macs" from file /etc/freeradius/3.0/mods-enabled/files
reading pairlist file /etc/freeradius/3.0/authorized_macs
# Instantiating module "pap" from file /etc/freeradius/3.0/mods-enabled/pap
# Instantiating module "linelog" from file /etc/freeradius/3.0/mods-enabled/linelog
# Instantiating module "log_accounting" from file /etc/freeradius/3.0/mods-enabled/linelog
# Instantiating module "IPASS" from file /etc/freeradius/3.0/mods-enabled/realm
# Instantiating module "suffix" from file /etc/freeradius/3.0/mods-enabled/realm
# Instantiating module "bangpath" from file /etc/freeradius/3.0/mods-enabled/realm
# Instantiating module "realmpercent" from file /etc/freeradius/3.0/mods-enabled/realm
# Instantiating module "ntdomain" from file /etc/freeradius/3.0/mods-enabled/realm
# Instantiating module "preprocess" from file /etc/freeradius/3.0/mods-enabled/preprocess
reading pairlist file /etc/freeradius/3.0/mods-config/preprocess/huntgroups
reading pairlist file /etc/freeradius/3.0/mods-config/preprocess/hints
# Instantiating module "etc_passwd" from file /etc/freeradius/3.0/mods-enabled/passwd
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
# Instantiating module "eap" from file /etc/freeradius/3.0/mods-enabled/eap
# Linked to sub-module rlm_eap_tls
tls {
tls = "tls-common"
}
tls-config tls-common {
verify_depth = 0
ca_path = "/etc/freeradius/3.0/certs/millerCA/RADIUS_CA/"
pem_file_type = yes
private_key_file = "/etc/freeradius/3.0/certs/radius.millerextra.com.key"
certificate_file = "/etc/freeradius/3.0/certs/radius.millerextra.com.pem"
ca_file = "/etc/freeradius/3.0/certs/millerCA/RADIUS_CA/ca_and_crl.pem"
dh_file = "/etc/freeradius/3.0/certs/dh"
fragment_size = 1024
include_length = yes
auto_chain = yes
check_crl = no
check_all_crl = no
check_cert_cn = "%{Cert-CN}"
cipher_list = "DEFAULT"
cipher_server_preference = no
check_cert_issuer = "/C=GB/ST=Edinburgh/L=Edinburgh/O=Miller Group Ltd/OU=Group IT/CN=Intermediate CA"
ecdh_curve = "prime256v1"
tls_max_version = "1.2"
tls_min_version = "1.2"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
skip_if_ocsp_ok = no
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = no
}
}
# Linked to sub-module rlm_eap_ttls
ttls {
tls = "tls-common"
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_peap
peap {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
# Instantiating module "attr_filter.post-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/post-proxy
# Instantiating module "attr_filter.pre-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/pre-proxy
# Instantiating module "attr_filter.access_reject" from file /etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/access_reject
# Instantiating module "attr_filter.access_challenge" from file /etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/access_challenge
# Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/accounting_response
# Instantiating module "expiration" from file /etc/freeradius/3.0/mods-enabled/expiration
# Instantiating module "reject" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "fail" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "ok" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "handled" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "invalid" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "userlock" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "notfound" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "noop" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "updated" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "mschap" from file /etc/freeradius/3.0/mods-enabled/mschap
rlm_mschap (mschap): using internal authentication
} # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/freeradius/3.0/radiusd.conf
} # server
server inner-tunnel { # from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
# Loading authenticate {...}
# Loading authorize {...}
Ignoring "sql" (see raddb/mods-available/README.rst)
Ignoring "ldap" (see raddb/mods-available/README.rst)
# Loading session {...}
# Loading post-proxy {...}
# Loading post-auth {...}
# Skipping contents of 'if' as it is always 'false' -- /etc/freeradius/3.0/sites-enabled/inner-tunnel:336
} # server inner-tunnel
server mh-site { # from file /etc/freeradius/3.0/sites-enabled/mh-site
# Loading authenticate {...}
# Loading authorize {...}
# Loading post-proxy {...}
} # server mh-site
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
listen {
type = "auth"
ipaddr = 10.10.251.2
port = 1812
}
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on auth address 10.10.251.2 port 1812 bound to server mh-site
Listening on proxy address * port 37879
Ready to process requests
(0) Received Access-Request Id 38 from 10.40.80.11:1812 to 10.10.251.2:1812 length 367
(0) Framed-MTU = 1480
(0) NAS-IP-Address = 10.40.80.11
(0) NAS-Identifier = "no-sw01"
(0) User-Name = "host/mh301435.millerextra.com"
(0) Service-Type = Framed-User
(0) Framed-Protocol = PPP
(0) NAS-Port = 10
(0) NAS-Port-Type = Ethernet
(0) NAS-Port-Id = "10"
(0) Called-Station-Id = "a0-b3-cc-36-17-40"
(0) Calling-Station-Id = "d8-9e-f3-a0-2e-3c"
(0) Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
(0) Tunnel-Type:0 = VLAN
(0) Tunnel-Medium-Type:0 = IEEE-802
(0) Tunnel-Private-Group-Id:0 = "2"
(0) EAP-Message = 0x025e002201686f73742f6d683330313433352e6d696c6c657265787472612e636f6d
(0) Message-Authenticator = 0x20656ac2b36c0cac3359a1e27c6ca340
(0) MS-RAS-Vendor = 11
(0) HP-Capability-Advert = 0x011a0000000b28
(0) HP-Capability-Advert = 0x011a0000000b2e
(0) HP-Capability-Advert = 0x011a0000000b30
(0) HP-Capability-Advert = 0x011a0000000b3d
(0) HP-Capability-Advert = 0x0138
(0) HP-Capability-Advert = 0x013a
(0) HP-Capability-Advert = 0x0140
(0) HP-Capability-Advert = 0x0141
(0) HP-Capability-Advert = 0x0151
(0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/mh-site
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /(a)\./) {
(0) if (&User-Name =~ /(a)\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) eap: Peer sent EAP Response (code 2) ID 94 length 34
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(0) [eap] = ok
(0) } # authorize = ok
(0) Found Auth-Type = eap
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/mh-site
(0) authenticate {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_tls to process data
(0) eap_tls: Initiating new TLS session
(0) eap_tls: Setting verify mode to require certificate from client
(0) eap_tls: [eaptls start] = request
(0) eap: Sending EAP Request (code 1) ID 95 length 6
(0) eap: EAP session adding &reply:State = 0x6f3168c46f6e65fa
(0) [eap] = handled
(0) } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) Post-Auth-Type sub-section not found. Ignoring.
(0) Sent Access-Challenge Id 38 from 10.10.251.2:1812 to 10.40.80.11:1812 length 0
(0) EAP-Message = 0x015f00060d20
(0) Message-Authenticator = 0x00000000000000000000000000000000
(0) State = 0x6f3168c46f6e65fab733058fe658559c
(0) Finished request
Waking up in 9.9 seconds.
(1) Received Access-Request Id 6 from 10.51.80.11:1812 to 10.10.251.2:1812 length 353
(1) Framed-MTU = 1466
(1) NAS-IP-Address = 10.51.80.11
(1) NAS-Identifier = "yo-sw01"
(1) User-Name = "08-00-0f-82-5f-fb"
(1) Service-Type = Call-Check
(1) Framed-Protocol = PPP
(1) NAS-Port = 18
(1) NAS-Port-Type = Ethernet
(1) NAS-Port-Id = "18"
(1) Called-Station-Id = "ec-9a-74-19-ec-6e"
(1) Calling-Station-Id = "08-00-0f-82-5f-fb"
(1) Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
(1) CHAP-Password = 0x1e8f88798a9393fec47d97801b4dbb8f8b
(1) Message-Authenticator = 0x1ed0a0a02f652f3ea8b045e5d3e28559
(1) MS-RAS-Vendor = 11
(1) HP-Capability-Advert = 0x011a0000000b28
(1) HP-Capability-Advert = 0x011a0000000b2e
(1) HP-Capability-Advert = 0x011a0000000b30
(1) HP-Capability-Advert = 0x011a0000000b3d
(1) HP-Capability-Advert = 0x011a0000000b18
(1) HP-Capability-Advert = 0x011a0000000b19
(1) HP-Capability-Advert = 0x0138
(1) HP-Capability-Advert = 0x013a
(1) HP-Capability-Advert = 0x0140
(1) HP-Capability-Advert = 0x0141
(1) HP-Capability-Advert = 0x0151
(1) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/mh-site
(1) authorize {
(1) policy filter_username {
(1) if (&User-Name) {
(1) if (&User-Name) -> TRUE
(1) if (&User-Name) {
(1) if (&User-Name =~ / /) {
(1) if (&User-Name =~ / /) -> FALSE
(1) if (&User-Name =~ /@[^@]*@/ ) {
(1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(1) if (&User-Name =~ /\.\./ ) {
(1) if (&User-Name =~ /\.\./ ) -> FALSE
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(1) if (&User-Name =~ /\.$/) {
(1) if (&User-Name =~ /\.$/) -> FALSE
(1) if (&User-Name =~ /(a)\./) {
(1) if (&User-Name =~ /(a)\./) -> FALSE
(1) } # if (&User-Name) = notfound
(1) } # policy filter_username = notfound
(1) [preprocess] = ok
(1) chap: &control:Auth-Type := CHAP
(1) [chap] = ok
(1) eap: No EAP-Message, not doing EAP
(1) [eap] = noop
(1) files: users: Matched entry DEFAULT at line 167
(1) [files] = ok
(1) [expiration] = noop
(1) [logintime] = noop
(1) policy rewrite_calling_station_id {
(1) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(1) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(1) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(1) update request {
(1) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(1) --> 08-00-0F-82-5F-FB
(1) &Calling-Station-Id := 08-00-0F-82-5F-FB
(1) } # update request = noop
(1) [updated] = updated
(1) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(1) ... skipping else: Preceding "if" was taken
(1) } # policy rewrite_calling_station_id = updated
(1) if (!EAP-Message) {
(1) if (!EAP-Message) -> TRUE
(1) if (!EAP-Message) {
(1) authorized_macs: EXPAND %{Calling-Station-ID}
(1) authorized_macs: --> 08-00-0F-82-5F-FB
(1) [authorized_macs] = noop
(1) if (!ok) {
(1) if (!ok) -> TRUE
(1) if (!ok) {
(1) [reject] = reject
(1) } # if (!ok) = reject
(1) } # if (!EAP-Message) = reject
(1) } # authorize = reject
(1) Invalid user: [08-00-0f-82-5f-fb] (from client yo-sw01 port 18 cli 08-00-0F-82-5F-FB)
(1) Using Post-Auth-Type Reject
(1) Post-Auth-Type sub-section not found. Ignoring.
(1) Delaying response for 1.000000 seconds
________________________________
Miller Homes Limited Registered in Scotland - SC255429
2 Lochside View, Edinburgh Park, Edinburgh, EH12 9DH
Disclaimer: The Information in this e-mail is confidential and for use by the addressee(s) only. It may also be privileged. If you are not the intended recipient please notify us immediately on +44 (0) 870 336 5000 and delete the message from your computer: you may not copy or forward it, or use or disclose its contents to any other person. We do not accept any liability or responsibility for: (1) changes made to this email after it was sent, or (2) viruses transmitted through this email or any attachment.
Miller Homes Limited <https://www.millerhomes.co.uk>
3
18
Hi Experts,
i tried to configure the vlan assignment in Freeradius like explained in many other documentations without luck, do you see the issue why the access accept messages always appear without the attributes i have defined in the Users file ?
config Users file:
DEFAULT NAS-IP-Address == "10.0.10.125"
Tunnel-Private-Group-Id = 4,
Tunnel-Type = 13,
Tunnel-Medium-Type = 6
resulting answer without attributes:
Sent Access-Accept Id 185 from 10.0.10.110:1812 to 10.0.10.125:47686 length 0
(12) MS-MPPE-Recv-Key = 0xd742fc539c2ebcd30a0a7e1047c3792b3539a1323cf08973bca4347aa768b029
(12) MS-MPPE-Send-Key = 0x2a9be3c3eb31236cb201a6196f9d1ab8bb10624c3a3194a815064b7354f2f3ac
(12) EAP-Message = 0x03270004
(12) Message-Authenticator = 0x00000000000000000000000000000000
(12) User-Name = "M.Rudka"
attributes are only visible in one process, in all others they are missing.
(3) files: users: Matched entry DEFAULT at line 1
(3) [files] = ok
(3) [expiration] = noop
(3) [logintime] = noop
(3) } # authorize = updated
(3) Found Auth-Type = eap
(3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(3) authenticate {
(3) eap: Expiring EAP session with state 0x3ee9a9273ef7b3b8
(3) eap: Finished EAP session with state 0x3ee9a9273ef7b3b8
(3) eap: Previous EAP request found for state 0x3ee9a9273ef7b3b8, released from the list
(3) eap: Peer sent packet with method EAP NAK (3)
(3) eap: Found mutually acceptable type PEAP (25)
(3) eap: Calling submodule eap_peap to process data
(3) eap_peap: Initiating new TLS session
(3) eap_peap: [eaptls start] = request
(3) eap: Sending EAP Request (code 1) ID 31 length 6
(3) eap: EAP session adding &reply:State = 0x3ee9a9273ff6b0b8
(3) [eap] = handled
(3) } # authenticate = handled
(3) Using Post-Auth-Type Challenge
(3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(3) Challenge { ... } # empty sub-section is ignored
(3) Sent Access-Challenge Id 176 from 10.0.10.110:1812 to 10.0.10.125:47686 length 0
(3) Tunnel-Private-Group-Id = "4"
(3) Tunnel-Type = VLAN
(3) Tunnel-Medium-Type = IEEE-802
(3) EAP-Message = 0x011f00061920
(3) Message-Authenticator = 0x00000000000000000000000000000000
(3) State = 0x3ee9a9273ff6b0b89648a8e8466bb781
(3) Finished request
Thank you very much for your help !
Debug log
FreeRADIUS Version 3.0.21
Copyright (C) 1999-2019 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including dictionary file /etc/freeradius/3.0/dictionary
including configuration file /etc/freeradius/3.0/radiusd.conf
including configuration file /etc/freeradius/3.0/proxy.conf
including configuration file /etc/freeradius/3.0/clients.conf
including files in directory /etc/freeradius/3.0/mods-enabled/
including configuration file /etc/freeradius/3.0/mods-enabled/detail.log
including configuration file /etc/freeradius/3.0/mods-enabled/replicate
including configuration file /etc/freeradius/3.0/mods-enabled/files
including configuration file /etc/freeradius/3.0/mods-enabled/preprocess
including configuration file /etc/freeradius/3.0/mods-enabled/expr
including configuration file /etc/freeradius/3.0/mods-enabled/mschap
including configuration file /etc/freeradius/3.0/mods-enabled/always
including configuration file /etc/freeradius/3.0/mods-enabled/eap
including configuration file /etc/freeradius/3.0/mods-enabled/detail
including configuration file /etc/freeradius/3.0/mods-enabled/cache_eap
including configuration file /etc/freeradius/3.0/mods-enabled/logintime
including configuration file /etc/freeradius/3.0/mods-enabled/ntlm_auth
including configuration file /etc/freeradius/3.0/mods-enabled/unix
including configuration file /etc/freeradius/3.0/mods-enabled/exec
including configuration file /etc/freeradius/3.0/mods-enabled/echo
including configuration file /etc/freeradius/3.0/mods-enabled/realm
including configuration file /etc/freeradius/3.0/mods-enabled/ldap
including configuration file /etc/freeradius/3.0/mods-enabled/unpack
including configuration file /etc/freeradius/3.0/mods-enabled/attr_filter
including configuration file /etc/freeradius/3.0/mods-enabled/passwd
including configuration file /etc/freeradius/3.0/mods-enabled/dynamic_clients
including configuration file /etc/freeradius/3.0/mods-enabled/utf8
including configuration file /etc/freeradius/3.0/mods-enabled/linelog
including configuration file /etc/freeradius/3.0/mods-enabled/radutmp
including configuration file /etc/freeradius/3.0/mods-enabled/expiration
including configuration file /etc/freeradius/3.0/mods-enabled/soh
including files in directory /etc/freeradius/3.0/policy.d/
including configuration file /etc/freeradius/3.0/policy.d/control
including configuration file /etc/freeradius/3.0/policy.d/canonicalization
including configuration file /etc/freeradius/3.0/policy.d/eap
including configuration file /etc/freeradius/3.0/policy.d/accounting
including configuration file /etc/freeradius/3.0/policy.d/dhcp
including configuration file /etc/freeradius/3.0/policy.d/abfab-tr
including configuration file /etc/freeradius/3.0/policy.d/debug
including configuration file /etc/freeradius/3.0/policy.d/moonshot-targeted-ids
including configuration file /etc/freeradius/3.0/policy.d/filter
including configuration file /etc/freeradius/3.0/policy.d/rfc7542
including configuration file /etc/freeradius/3.0/policy.d/operator-name
including configuration file /etc/freeradius/3.0/policy.d/cui
including files in directory /etc/freeradius/3.0/sites-enabled/
including configuration file /etc/freeradius/3.0/sites-enabled/default
including configuration file /etc/freeradius/3.0/sites-enabled/inner-tunnel
including configuration file /etc/freeradius/3.0/sites-enabled/control-socket
including configuration file /etc/freeradius/3.0/sites-enabled/status
main {
security {
user = "freerad"
group = "freerad"
allow_core_dumps = no
}
name = "freeradius"
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/freeradius"
run_dir = "/var/run/freeradius"
}
main {
name = "freeradius"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log/freeradius"
run_dir = "/var/run/freeradius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/freeradius/radacct"
hostname_lookups = yes
max_request_time = 30
cleanup_delay = 5
max_requests = 16384
pidfile = "/var/run/freeradius/freeradius.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = yes
auth_badpass = yes
auth_goodpass = yes
colourise = yes
msg_denied = "You are already logged in - access denied"
}
resources {
}
security {
max_attributes = 200
reject_delay = 1.000000
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = <<< secret >>>
response_window = 20.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 120
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
realm RUDKA {
}
realm rudka..xxx.xxx {
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client dedorwangw01 {
ipaddr = 10.0.10.126
require_message_authenticator = no
secret = <<< secret >>>
shortname = "dedorwangw01 IKEv2"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client ap01 {
ipaddr = 10.0.10.125
require_message_authenticator = no
secret = <<< secret >>>
shortname = "ap01"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client dehatap02 {
ipaddr = 10.0.0.121
require_message_authenticator = no
secret = <<< secret >>>
shortname = "dehatap02"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 10.0.10.110 {
ipaddr = 10.0.10.110
require_message_authenticator = no
secret = <<< secret >>>
shortname = "dedorrad01"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client dedorcontrol?01 {
ipaddr = 10.0.10.108
require_message_authenticator = no
secret = <<< secret >>>
shortname = "dedorcontrol01"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client dehatap08 {
ipaddr = 10.0.8.125
require_message_authenticator = no
secret = <<< secret >>>
shortname = "dehatap08"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client dehatap06 {
ipaddr = 10.0.6.125
require_message_authenticator = no
secret = <<< secret >>>
shortname = "dehatap06"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client dehatap05 {
ipaddr = 10.0.5.125
require_message_authenticator = no
secret = <<< secret >>>
shortname = "dehatap05"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client dehatap04 {
ipaddr = 10.0.4.125
require_message_authenticator = no
secret = <<< secret >>>
shortname = "dehatap04"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client dehatap01 {
ipaddr = 10.0.0.123
require_message_authenticator = no
secret = <<< secret >>>
shortname = "dehatap01"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Debugger not attached
systemd watchdog is disabled
# Creating Auth-Type = mschap
# Creating Auth-Type = ntlm_auth
# Creating Auth-Type = eap
# Creating Auth-Type = MS-CHAP
# Creating Autz-Type = Status-Server
radiusd: #### Instantiating modules ####
modules {
# Loaded module rlm_detail
# Loading module "auth_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
detail auth_log {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "reply_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
detail reply_log {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "pre_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
detail pre_proxy_log {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "post_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
detail post_proxy_log {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_replicate
# Loading module "replicate" from file /etc/freeradius/3.0/mods-enabled/replicate
# Loaded module rlm_files
# Loading module "files" from file /etc/freeradius/3.0/mods-enabled/files
files {
filename = "/etc/freeradius/3.0/mods-config/files/authorize"
acctusersfile = "/etc/freeradius/3.0/mods-config/files/accounting"
preproxy_usersfile = "/etc/freeradius/3.0/mods-config/files/pre-proxy"
}
# Loaded module rlm_preprocess
# Loading module "preprocess" from file /etc/freeradius/3.0/mods-enabled/preprocess
preprocess {
huntgroups = "/etc/freeradius/3.0/mods-config/preprocess/huntgroups"
hints = "/etc/freeradius/3.0/mods-config/preprocess/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
# Loaded module rlm_expr
# Loading module "expr" from file /etc/freeradius/3.0/mods-enabled/expr
expr {
safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
}
# Loaded module rlm_mschap
# Loading module "mschap" from file /etc/freeradius/3.0/mods-enabled/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-RUDKA} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
passchange {
}
allow_retry = yes
winbind_retry_with_normalised_username = no
}
# Loaded module rlm_always
# Loading module "reject" from file /etc/freeradius/3.0/mods-enabled/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
# Loading module "fail" from file /etc/freeradius/3.0/mods-enabled/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
# Loading module "ok" from file /etc/freeradius/3.0/mods-enabled/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
# Loading module "handled" from file /etc/freeradius/3.0/mods-enabled/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
# Loading module "invalid" from file /etc/freeradius/3.0/mods-enabled/always
always invalid {
rcode = "invalid"
simulcount = 0
mpp = no
}
# Loading module "userlock" from file /etc/freeradius/3.0/mods-enabled/always
always userlock {
rcode = "userlock"
simulcount = 0
mpp = no
}
# Loading module "notfound" from file /etc/freeradius/3.0/mods-enabled/always
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
# Loading module "noop" from file /etc/freeradius/3.0/mods-enabled/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
# Loading module "updated" from file /etc/freeradius/3.0/mods-enabled/always
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
# Loaded module rlm_eap
# Loading module "eap" from file /etc/freeradius/3.0/mods-enabled/eap
eap {
default_eap_type = "mschapv2"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 16384
}
# Loading module "detail" from file /etc/freeradius/3.0/mods-enabled/detail
detail {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_cache
# Loading module "cache_eap" from file /etc/freeradius/3.0/mods-enabled/cache_eap
cache cache_eap {
driver = "rlm_cache_rbtree"
key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
ttl = 15
max_entries = 0
epoch = 0
add_stats = no
}
# Loaded module rlm_logintime
# Loading module "logintime" from file /etc/freeradius/3.0/mods-enabled/logintime
logintime {
minimum_timeout = 60
}
# Loaded module rlm_exec
# Loading module "ntlm_auth" from file /etc/freeradius/3.0/mods-enabled/ntlm_auth
exec ntlm_auth {
wait = yes
program = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --password=%{User-Password}"
shell_escape = yes
}
# Loaded module rlm_unix
# Loading module "unix" from file /etc/freeradius/3.0/mods-enabled/unix
unix {
radwtmp = "/var/log/freeradius/radwtmp"
}
Creating attribute Unix-Group
# Loading module "exec" from file /etc/freeradius/3.0/mods-enabled/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
# Loading module "echo" from file /etc/freeradius/3.0/mods-enabled/echo
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
}
# Loaded module rlm_realm
# Loading module "IPASS" from file /etc/freeradius/3.0/mods-enabled/realm
realm IPASS {
format = "prefix"
delimiter = "/"
ignore_default = no
ignore_null = no
}
# Loading module "suffix" from file /etc/freeradius/3.0/mods-enabled/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
# Loading module "bangpath" from file /etc/freeradius/3.0/mods-enabled/realm
realm bangpath {
format = "prefix"
delimiter = "!"
ignore_default = no
ignore_null = no
}
# Loading module "realmpercent" from file /etc/freeradius/3.0/mods-enabled/realm
realm realmpercent {
format = "suffix"
delimiter = "%"
ignore_default = no
ignore_null = no
}
# Loading module "ntdomain" from file /etc/freeradius/3.0/mods-enabled/realm
realm ntdomain {
format = "prefix"
delimiter = "\\"
ignore_default = no
ignore_null = no
}
# Loaded module rlm_ldap
# Loading module "ldap" from file /etc/freeradius/3.0/mods-enabled/ldap
ldap {
server = "ldaps://xxxxxxxxxxxxx"
port = 636
identity = "CN=xxxx,OU=xxx,OU=xxxx,DC=xxxx,DC=xxxx,DC=xxxx"
password = <<< secret >>>
sasl {
}
edir = no
edir_autz = no
user {
scope = "sub"
access_positive = yes
sasl {
}
}
group {
filter = "(objectClass=group)"
scope = "sub"
name_attribute = "cn"
membership_filter = "(member:1.2.840.113556.1.4.1941:=%{control:Ldap-UserDn})"
cacheable_name = no
cacheable_dn = no
allow_dangling_group_ref = no
}
client {
scope = "sub"
base_dn = ""
}
profile {
}
options {
ldap_debug = 0
chase_referrals = no
rebind = yes
net_timeout = 10
res_timeout = 20
srv_timelimit = 20
idle = 60
probes = 3
interval = 30
}
tls {
ca_file = "/etc/ssl/certs/xxx.xxx.xxx.crt"
start_tls = no
}
}
Creating attribute LDAP-Group
# Loaded module rlm_unpack
# Loading module "unpack" from file /etc/freeradius/3.0/mods-enabled/unpack
# Loaded module rlm_attr_filter
# Loading module "attr_filter.post-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter
attr_filter attr_filter.post-proxy {
filename = "/etc/freeradius/3.0/mods-config/attr_filter/post-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.pre-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter
attr_filter attr_filter.pre-proxy {
filename = "/etc/freeradius/3.0/mods-config/attr_filter/pre-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.access_reject" from file /etc/freeradius/3.0/mods-enabled/attr_filter
attr_filter attr_filter.access_reject {
filename = "/etc/freeradius/3.0/mods-config/attr_filter/access_reject"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.access_challenge" from file /etc/freeradius/3.0/mods-enabled/attr_filter
attr_filter attr_filter.access_challenge {
filename = "/etc/freeradius/3.0/mods-config/attr_filter/access_challenge"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.accounting_response" from file /etc/freeradius/3.0/mods-enabled/attr_filter
attr_filter attr_filter.accounting_response {
filename = "/etc/freeradius/3.0/mods-config/attr_filter/accounting_response"
key = "%{User-Name}"
relaxed = no
}
# Loaded module rlm_passwd
# Loading module "etc_passwd" from file /etc/freeradius/3.0/mods-enabled/passwd
passwd etc_passwd {
filename = "/etc/passwd"
format = "*User-Name:Crypt-Password:"
delimiter = ":"
ignore_nislike = no
ignore_empty = yes
allow_multiple_keys = no
hash_size = 100
}
# Loaded module rlm_dynamic_clients
# Loading module "dynamic_clients" from file /etc/freeradius/3.0/mods-enabled/dynamic_clients
# Loaded module rlm_utf8
# Loading module "utf8" from file /etc/freeradius/3.0/mods-enabled/utf8
# Loaded module rlm_linelog
# Loading module "linelog" from file /etc/freeradius/3.0/mods-enabled/linelog
linelog {
filename = "/var/log/freeradius/linelog"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = "This is a log message for %{User-Name}"
reference = "messages.%{%{reply:Packet-Type}:-default}"
}
# Loading module "log_accounting" from file /etc/freeradius/3.0/mods-enabled/linelog
linelog log_accounting {
filename = "/var/log/freeradius/linelog-accounting"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = ""
reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
}
# Loaded module rlm_radutmp
# Loading module "radutmp" from file /etc/freeradius/3.0/mods-enabled/radutmp
radutmp {
filename = "/var/log/freeradius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 384
caller_id = yes
}
# Loaded module rlm_expiration
# Loading module "expiration" from file /etc/freeradius/3.0/mods-enabled/expiration
# Loaded module rlm_soh
# Loading module "soh" from file /etc/freeradius/3.0/mods-enabled/soh
soh {
dhcp = yes
}
instantiate {
}
# Instantiating module "auth_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output
# Instantiating module "reply_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
# Instantiating module "pre_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
# Instantiating module "post_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
# Instantiating module "files" from file /etc/freeradius/3.0/mods-enabled/files
reading pairlist file /etc/freeradius/3.0/mods-config/files/authorize
reading pairlist file /etc/freeradius/3.0/mods-config/files/accounting
reading pairlist file /etc/freeradius/3.0/mods-config/files/pre-proxy
# Instantiating module "preprocess" from file /etc/freeradius/3.0/mods-enabled/preprocess
reading pairlist file /etc/freeradius/3.0/mods-config/preprocess/huntgroups
reading pairlist file /etc/freeradius/3.0/mods-config/preprocess/hints
# Instantiating module "mschap" from file /etc/freeradius/3.0/mods-enabled/mschap
rlm_mschap (mschap): authenticating by calling 'ntlm_auth'
# Instantiating module "reject" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "fail" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "ok" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "handled" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "invalid" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "userlock" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "notfound" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "noop" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "updated" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "eap" from file /etc/freeradius/3.0/mods-enabled/eap
# Linked to sub-module rlm_eap_tls
tls {
tls = "tls-common"
}
tls-config tls-common {
verify_depth = 0
ca_path = "/etc/freeradius/3.0/certs"
pem_file_type = yes
private_key_file = "/etc/ssl/private/server.key"
certificate_file = "/etc/ssl/certs/cert.pem"
ca_file = "/etc/ssl/certs/xxx.xxx.xxx.crt"
private_key_password = <<< secret >>>
dh_file = "/etc/freeradius/3.0/certs/dh"
fragment_size = 1024
include_length = yes
auto_chain = yes
check_crl = no
check_all_crl = no
cipher_list = "DEFAULT"
cipher_server_preference = no
ecdh_curve = "prime256v1"
tls_max_version = ""
tls_min_version = "1.0"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
skip_if_ocsp_ok = no
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = no
}
}
The configuration allows TLS 1.0 and/or TLS 1.1. We STRONGLY recommned using only TLS 1.2 for security
Please set: tls_min_version = "1.2"
# Linked to sub-module rlm_eap_ttls
ttls {
tls = "tls-common"
default_eap_type = "md5"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
virtual_server = "inner-tunnel"
include_length = yes
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_peap
peap {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
proxy_tunneled_request_as_eap = no
virtual_server = "inner-tunnel"
soh = no
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
# Instantiating module "detail" from file /etc/freeradius/3.0/mods-enabled/detail
# Instantiating module "cache_eap" from file /etc/freeradius/3.0/mods-enabled/cache_eap
rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked
# Instantiating module "logintime" from file /etc/freeradius/3.0/mods-enabled/logintime
# Instantiating module "IPASS" from file /etc/freeradius/3.0/mods-enabled/realm
# Instantiating module "suffix" from file /etc/freeradius/3.0/mods-enabled/realm
# Instantiating module "bangpath" from file /etc/freeradius/3.0/mods-enabled/realm
# Instantiating module "realmpercent" from file /etc/freeradius/3.0/mods-enabled/realm
# Instantiating module "ntdomain" from file /etc/freeradius/3.0/mods-enabled/realm
# Instantiating module "ldap" from file /etc/freeradius/3.0/mods-enabled/ldap
rlm_ldap: libldap vendor: OpenLDAP, version: 20457
rlm_ldap (ldap): Couldn't find configuration for accounting, will return NOOP for calls from this section
rlm_ldap (ldap): Couldn't find configuration for post-auth, will return NOOP for calls from this section
rlm_ldap (ldap): Initialising connection pool
pool {
start = 1
min = 0
max = 32
spare = 0
uses = 0
lifetime = 120
cleanup_interval = 30
idle_timeout = 120
retry_delay = 1
spread = no
}
rlm_ldap (ldap): Opening additional connection (0), 1 of 32 pending slots used
rlm_ldap (ldap): Connecting to ldaps://xxxx.xxx:636
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
# Instantiating module "attr_filter.post-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/post-proxy
# Instantiating module "attr_filter.pre-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/pre-proxy
# Instantiating module "attr_filter.access_reject" from file /etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/access_reject
# Instantiating module "attr_filter.access_challenge" from file /etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/access_challenge
# Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/accounting_response
# Instantiating module "etc_passwd" from file /etc/freeradius/3.0/mods-enabled/passwd
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
# Instantiating module "linelog" from file /etc/freeradius/3.0/mods-enabled/linelog
# Instantiating module "log_accounting" from file /etc/freeradius/3.0/mods-enabled/linelog
# Instantiating module "expiration" from file /etc/freeradius/3.0/mods-enabled/expiration
} # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/freeradius/3.0/radiusd.conf
} # server
server default { # from file /etc/freeradius/3.0/sites-enabled/default
# Loading authenticate {...}
# Loading authorize {...}
# Loading preacct {...}
# Loading accounting {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server default
server inner-tunnel { # from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
# Loading authenticate {...}
# Loading authorize {...}
# Loading session {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server inner-tunnel
server status { # from file /etc/freeradius/3.0/sites-enabled/status
# Loading authorize {...}
} # server status
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "control"
listen {
socket = "/var/run/freeradius/freeradius.sock"
mode = "rw"
peercred = yes
}
}
listen {
type = "auth"
ipv4addr = 10.0.10.110
port = 1812
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth"
ipv6addr = xxx:xxx:xxx:xxx::110
port = 1812
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipv4addr = 10.0.10.110
port = 1813
limit {
max_pps = 100
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipv6addr = xxx:xxx:xxx:xxx::110
port = 1813
limit {
max_pps = 100
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
listen {
type = "status"
ipaddr = *
port = 18121
client admin {
ipaddr = *
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
}
Listening on command file /var/run/freeradius/freeradius.sock
Listening on auth address 10.0.10.110 port 1812 bound to server default
Listening on auth address xxx:xxx:xxx:xxx::xxx port 1812 bound to server default
Listening on acct address 10.0.10.110 port 1813 bound to server default
Listening on acct address xxx:xxx:xxx:xxx::xxx port 1813 bound to server default
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on status address * port 18121 bound to server status
Listening on proxy address * port 53011
Listening on proxy address :: port 58700
Ready to process requests
(0) #were from other users
(1) #were from other users
(2) Received Access-Request Id 175 from 10.0.10.125:47686 to 10.0.10.110:1812 length 242
(2) User-Name = "M.Rudka"
(2) NAS-IP-Address = 10.0.10.125
(2) NAS-Identifier = "b6fbe41e2d9f"
(2) Called-Station-Id = "B6-FB-E4-1E-2D-9F:INR"
(2) NAS-Port-Type = Wireless-802.11
(2) Service-Type = Framed-User
(2) Calling-Station-Id = "A0-FB-C5-1E-26-61"
(2) Connect-Info = "CONNECT 0Mbps 802.11a"
(2) Acct-Session-Id = "37B081AEC663FC22"
(2) Acct-Multi-Session-Id = "448B30F6C3BB27FA"
(2) Mobility-Domain-Id = 65534
(2) WLAN-Pairwise-Cipher = 1027076
(2) WLAN-Group-Cipher = 1027076
(2) WLAN-AKM-Suite = 1027075
(2) WLAN-Group-Mgmt-Cipher = 1027078
(2) Framed-MTU = 1400
(2) EAP-Message = 0x021d000c014d2e5275646b61
(2) Message-Authenticator = 0x0a82f05591d68d16c2fdcb0d9c499bf9
(2) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(2) authorize {
(2) policy filter_username {
(2) if (&User-Name) {
(2) if (&User-Name) -> TRUE
(2) if (&User-Name) {
(2) if (&User-Name =~ / /) {
(2) if (&User-Name =~ / /) -> FALSE
(2) if (&User-Name =~ /@[^@]*@/ ) {
(2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(2) if (&User-Name =~ /\.\./ ) {
(2) if (&User-Name =~ /\.\./ ) -> FALSE
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(2) if (&User-Name =~ /\.$/) {
(2) if (&User-Name =~ /\.$/) -> FALSE
(2) if (&User-Name =~ /(a)\./) {
(2) if (&User-Name =~ /(a)\./) -> FALSE
(2) } # if (&User-Name) = notfound
(2) } # policy filter_username = notfound
(2) [preprocess] = ok
(2) ntdomain: Checking for prefix before "\"
(2) ntdomain: No '\' in User-Name = "M.Rudka", looking up realm NULL
(2) ntdomain: No such realm "NULL"
(2) [ntdomain] = noop
(2) [mschap] = noop
(2) suffix: Checking for suffix after "@"
(2) suffix: No '@' in User-Name = "M.Rudka", looking up realm NULL
(2) suffix: No such realm "NULL"
(2) [suffix] = noop
(2) eap: Peer sent EAP Response (code 2) ID 29 length 12
(2) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(2) [eap] = ok
(2) } # authorize = ok
(2) Found Auth-Type = eap
(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(2) authenticate {
(2) eap: Peer sent packet with method EAP Identity (1)
(2) eap: Calling submodule eap_mschapv2 to process data
(2) eap_mschapv2: Issuing Challenge
(2) eap: Sending EAP Request (code 1) ID 30 length 43
(2) eap: EAP session adding &reply:State = 0x3ee9a9273ef7b3b8
(2) [eap] = handled
(2) } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(2) Challenge { ... } # empty sub-section is ignored
(2) Sent Access-Challenge Id 175 from 10.0.10.110:1812 to 10.0.10.125:47686 length 0
(2) EAP-Message = 0x011e002b1a011e0026104291a0452781bc999c8f6c4f7d7d9160667265657261646975732d332e302e3231
(2) Message-Authenticator = 0x00000000000000000000000000000000
(2) State = 0x3ee9a9273ef7b3b89648a8e8466bb781
(2) Finished request
Waking up in 4.9 seconds.
(3) Received Access-Request Id 176 from 10.0.10.125:47686 to 10.0.10.110:1812 length 256
(3) User-Name = "M.Rudka"
(3) NAS-IP-Address = 10.0.10.125
(3) NAS-Identifier = "b6fbe41e2d9f"
(3) Called-Station-Id = "B6-FB-E4-1E-2D-9F:INR"
(3) NAS-Port-Type = Wireless-802.11
(3) Service-Type = Framed-User
(3) Calling-Station-Id = "A0-FB-C5-1E-26-61"
(3) Connect-Info = "CONNECT 0Mbps 802.11a"
(3) Acct-Session-Id = "37B081AEC663FC22"
(3) Acct-Multi-Session-Id = "448B30F6C3BB27FA"
(3) Mobility-Domain-Id = 65534
(3) WLAN-Pairwise-Cipher = 1027076
(3) WLAN-Group-Cipher = 1027076
(3) WLAN-AKM-Suite = 1027075
(3) WLAN-Group-Mgmt-Cipher = 1027078
(3) Framed-MTU = 1400
(3) EAP-Message = 0x021e00080319152b
(3) State = 0x3ee9a9273ef7b3b89648a8e8466bb781
(3) Message-Authenticator = 0xfc68ca12c17b697c7a3bba494a64857a
(3) session-state: No cached attributes
(3) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(3) authorize {
(3) policy filter_username {
(3) if (&User-Name) {
(3) if (&User-Name) -> TRUE
(3) if (&User-Name) {
(3) if (&User-Name =~ / /) {
(3) if (&User-Name =~ / /) -> FALSE
(3) if (&User-Name =~ /@[^@]*@/ ) {
(3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(3) if (&User-Name =~ /\.\./ ) {
(3) if (&User-Name =~ /\.\./ ) -> FALSE
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(3) if (&User-Name =~ /\.$/) {
(3) if (&User-Name =~ /\.$/) -> FALSE
(3) if (&User-Name =~ /(a)\./) {
(3) if (&User-Name =~ /(a)\./) -> FALSE
(3) } # if (&User-Name) = notfound
(3) } # policy filter_username = notfound
(3) [preprocess] = ok
(3) ntdomain: Checking for prefix before "\"
(3) ntdomain: No '\' in User-Name = "M.Rudka", looking up realm NULL
(3) ntdomain: No such realm "NULL"
(3) [ntdomain] = noop
(3) [mschap] = noop
(3) suffix: Checking for suffix after "@"
(3) suffix: No '@' in User-Name = "M.Rudka", looking up realm NULL
(3) suffix: No such realm "NULL"
(3) [suffix] = noop
(3) eap: Peer sent EAP Response (code 2) ID 30 length 8
(3) eap: No EAP Start, assuming it's an on-going EAP conversation
(3) [eap] = updated
(3) files: users: Matched entry DEFAULT at line 1
(3) [files] = ok
(3) [expiration] = noop
(3) [logintime] = noop
(3) } # authorize = updated
(3) Found Auth-Type = eap
(3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(3) authenticate {
(3) eap: Expiring EAP session with state 0x3ee9a9273ef7b3b8
(3) eap: Finished EAP session with state 0x3ee9a9273ef7b3b8
(3) eap: Previous EAP request found for state 0x3ee9a9273ef7b3b8, released from the list
(3) eap: Peer sent packet with method EAP NAK (3)
(3) eap: Found mutually acceptable type PEAP (25)
(3) eap: Calling submodule eap_peap to process data
(3) eap_peap: Initiating new TLS session
(3) eap_peap: [eaptls start] = request
(3) eap: Sending EAP Request (code 1) ID 31 length 6
(3) eap: EAP session adding &reply:State = 0x3ee9a9273ff6b0b8
(3) [eap] = handled
(3) } # authenticate = handled
(3) Using Post-Auth-Type Challenge
(3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(3) Challenge { ... } # empty sub-section is ignored
(3) Sent Access-Challenge Id 176 from 10.0.10.110:1812 to 10.0.10.125:47686 length 0
(3) Tunnel-Private-Group-Id = "4"
(3) Tunnel-Type = VLAN
(3) Tunnel-Medium-Type = IEEE-802
(3) EAP-Message = 0x011f00061920
(3) Message-Authenticator = 0x00000000000000000000000000000000
(3) State = 0x3ee9a9273ff6b0b89648a8e8466bb781
(3) Finished request
Waking up in 4.9 seconds.
(4) Received Access-Request Id 177 from 10.0.10.125:47686 to 10.0.10.110:1812 length 409
(4) User-Name = "M.Rudka"
(4) NAS-IP-Address = 10.0.10.125
(4) NAS-Identifier = "b6fbe41e2d9f"
(4) Called-Station-Id = "B6-FB-E4-1E-2D-9F:INR"
(4) NAS-Port-Type = Wireless-802.11
(4) Service-Type = Framed-User
(4) Calling-Station-Id = "A0-FB-C5-1E-26-61"
(4) Connect-Info = "CONNECT 0Mbps 802.11a"
(4) Acct-Session-Id = "37B081AEC663FC22"
(4) Acct-Multi-Session-Id = "448B30F6C3BB27FA"
(4) Mobility-Domain-Id = 65534
(4) WLAN-Pairwise-Cipher = 1027076
(4) WLAN-Group-Cipher = 1027076
(4) WLAN-AKM-Suite = 1027075
(4) WLAN-Group-Mgmt-Cipher = 1027078
(4) Framed-MTU = 1400
(4) EAP-Message = 0x021f00a119800000009716030100920100008e030362b7162f3b9efee5a692d015a64590fa2a026adc144623c6f65cc0a3a37c200000002c00ffc02cc02bc024c023c00ac009c008c030c02fc028c027c014c013c012009d009c003d003c0035002f000a01000039000a00080006001700180019000b00020100000d00120010040102010501060104030203050306030005000501000000000012000000170000
(4) State = 0x3ee9a9273ff6b0b89648a8e8466bb781
(4) Message-Authenticator = 0x26ddef6c589ddc37a6c2759c9867e70d
(4) session-state: No cached attributes
(4) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(4) authorize {
(4) policy filter_username {
(4) if (&User-Name) {
(4) if (&User-Name) -> TRUE
(4) if (&User-Name) {
(4) if (&User-Name =~ / /) {
(4) if (&User-Name =~ / /) -> FALSE
(4) if (&User-Name =~ /@[^@]*@/ ) {
(4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(4) if (&User-Name =~ /\.\./ ) {
(4) if (&User-Name =~ /\.\./ ) -> FALSE
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(4) if (&User-Name =~ /\.$/) {
(4) if (&User-Name =~ /\.$/) -> FALSE
(4) if (&User-Name =~ /(a)\./) {
(4) if (&User-Name =~ /(a)\./) -> FALSE
(4) } # if (&User-Name) = notfound
(4) } # policy filter_username = notfound
(4) [preprocess] = ok
(4) ntdomain: Checking for prefix before "\"
(4) ntdomain: No '\' in User-Name = "M.Rudka", looking up realm NULL
(4) ntdomain: No such realm "NULL"
(4) [ntdomain] = noop
(4) [mschap] = noop
(4) suffix: Checking for suffix after "@"
(4) suffix: No '@' in User-Name = "M.Rudka", looking up realm NULL
(4) suffix: No such realm "NULL"
(4) [suffix] = noop
(4) eap: Peer sent EAP Response (code 2) ID 31 length 161
(4) eap: Continuing tunnel setup
(4) [eap] = ok
(4) } # authorize = ok
(4) Found Auth-Type = eap
(4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(4) authenticate {
(4) eap: Expiring EAP session with state 0x3ee9a9273ff6b0b8
(4) eap: Finished EAP session with state 0x3ee9a9273ff6b0b8
(4) eap: Previous EAP request found for state 0x3ee9a9273ff6b0b8, released from the list
(4) eap: Peer sent packet with method EAP PEAP (25)
(4) eap: Calling submodule eap_peap to process data
(4) eap_peap: Continuing EAP-TLS
(4) eap_peap: Peer indicated complete TLS record size will be 151 bytes
(4) eap_peap: Got complete TLS record (151 bytes)
(4) eap_peap: [eaptls verify] = length included
(4) eap_peap: (other): before SSL initialization
(4) eap_peap: TLS_accept: before SSL initialization
(4) eap_peap: TLS_accept: before SSL initialization
(4) eap_peap: <<< recv TLS 1.3 [length 0092]
(4) eap_peap: TLS_accept: SSLv3/TLS read client hello
(4) eap_peap: >>> send TLS 1.2 [length 003d]
(4) eap_peap: TLS_accept: SSLv3/TLS write server hello
(4) eap_peap: >>> send TLS 1.2 [length 08e2]
(4) eap_peap: TLS_accept: SSLv3/TLS write certificate
(4) eap_peap: >>> send TLS 1.2 [length 014d]
(4) eap_peap: TLS_accept: SSLv3/TLS write key exchange
(4) eap_peap: >>> send TLS 1.2 [length 0004]
(4) eap_peap: TLS_accept: SSLv3/TLS write server done
(4) eap_peap: TLS_accept: Need to read more data: SSLv3/TLS write server done
(4) eap_peap: TLS - In Handshake Phase
(4) eap_peap: TLS - got 2692 bytes of data
(4) eap_peap: [eaptls process] = handled
(4) eap: Sending EAP Request (code 1) ID 32 length 1004
(4) eap: EAP session adding &reply:State = 0x3ee9a9273cc9b0b8
(4) [eap] = handled
(4) } # authenticate = handled
(4) Using Post-Auth-Type Challenge
(4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(4) Challenge { ... } # empty sub-section is ignored
(4) Sent Access-Challenge Id 177 from 10.0.10.110:1812 to 10.0.10.125:47686 length 0
(4) EAP-Message = 0x012003ec19c000000a84160303003d020000390303ece9f79b52a091c764f61bf23eaee859f00e3227141716340ce710c502a4ba7d00c030000011ff01000100000b0004030001020017000016030308e20b0008de0008db00050830820504308203eca003020102020a16e53d42000100000113300d06092a864886f70d01010b0500306b31133011060a0992268993f22c64011916036f726731173015060a0992268993f22c6401191607686f6d65646e7331153013060a0992268993f22c64011916057275646b61312430220603550403131b6465646f72646330312e7275646b612e686f6d65646e732e6f7267301e170d3138303431333039313732365a170d3238303431303039313732365a301e311c301a06035504031313576946692041757468656e7469636174696f6e30820122300d06092a864886f70d01010105000382010f003082010a0282010100a11b699cf4c65a8e1e15d93b76049a579c3d59d92505ef93a27e4d6c3675cdab2171cb355690
(4) Message-Authenticator = 0x00000000000000000000000000000000
(4) State = 0x3ee9a9273cc9b0b89648a8e8466bb781
(4) Finished request
Waking up in 4.9 seconds.
(5) Received Access-Request Id 178 from 10.0.10.125:47686 to 10.0.10.110:1812 length 254
(5) User-Name = "M.Rudka"
(5) NAS-IP-Address = 10.0.10.125
(5) NAS-Identifier = "b6fbe41e2d9f"
(5) Called-Station-Id = "B6-FB-E4-1E-2D-9F:INR"
(5) NAS-Port-Type = Wireless-802.11
(5) Service-Type = Framed-User
(5) Calling-Station-Id = "A0-FB-C5-1E-26-61"
(5) Connect-Info = "CONNECT 0Mbps 802.11a"
(5) Acct-Session-Id = "37B081AEC663FC22"
(5) Acct-Multi-Session-Id = "448B30F6C3BB27FA"
(5) Mobility-Domain-Id = 65534
(5) WLAN-Pairwise-Cipher = 1027076
(5) WLAN-Group-Cipher = 1027076
(5) WLAN-AKM-Suite = 1027075
(5) WLAN-Group-Mgmt-Cipher = 1027078
(5) Framed-MTU = 1400
(5) EAP-Message = 0x022000061900
(5) State = 0x3ee9a9273cc9b0b89648a8e8466bb781
(5) Message-Authenticator = 0x58775c346440473c7d168dd1e1df0cd2
(5) session-state: No cached attributes
(5) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(5) authorize {
(5) policy filter_username {
(5) if (&User-Name) {
(5) if (&User-Name) -> TRUE
(5) if (&User-Name) {
(5) if (&User-Name =~ / /) {
(5) if (&User-Name =~ / /) -> FALSE
(5) if (&User-Name =~ /@[^@]*@/ ) {
(5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(5) if (&User-Name =~ /\.\./ ) {
(5) if (&User-Name =~ /\.\./ ) -> FALSE
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(5) if (&User-Name =~ /\.$/) {
(5) if (&User-Name =~ /\.$/) -> FALSE
(5) if (&User-Name =~ /(a)\./) {
(5) if (&User-Name =~ /(a)\./) -> FALSE
(5) } # if (&User-Name) = notfound
(5) } # policy filter_username = notfound
(5) [preprocess] = ok
(5) ntdomain: Checking for prefix before "\"
(5) ntdomain: No '\' in User-Name = "M.Rudka", looking up realm NULL
(5) ntdomain: No such realm "NULL"
(5) [ntdomain] = noop
(5) [mschap] = noop
(5) suffix: Checking for suffix after "@"
(5) suffix: No '@' in User-Name = "M.Rudka", looking up realm NULL
(5) suffix: No such realm "NULL"
(5) [suffix] = noop
(5) eap: Peer sent EAP Response (code 2) ID 32 length 6
(5) eap: Continuing tunnel setup
(5) [eap] = ok
(5) } # authorize = ok
(5) Found Auth-Type = eap
(5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(5) authenticate {
(5) eap: Expiring EAP session with state 0x3ee9a9273cc9b0b8
(5) eap: Finished EAP session with state 0x3ee9a9273cc9b0b8
(5) eap: Previous EAP request found for state 0x3ee9a9273cc9b0b8, released from the list
(5) eap: Peer sent packet with method EAP PEAP (25)
(5) eap: Calling submodule eap_peap to process data
(5) eap_peap: Continuing EAP-TLS
(5) eap_peap: Peer ACKed our handshake fragment
(5) eap_peap: [eaptls verify] = request
(5) eap_peap: [eaptls process] = handled
(5) eap: Sending EAP Request (code 1) ID 33 length 1000
(5) eap: EAP session adding &reply:State = 0x3ee9a9273dc8b0b8
(5) [eap] = handled
(5) } # authenticate = handled
(5) Using Post-Auth-Type Challenge
(5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(5) Challenge { ... } # empty sub-section is ignored
(5) Sent Access-Challenge Id 178 from 10.0.10.110:1812 to 10.0.10.125:47686 length 0
(5) EAP-Message = 0x012103e81940732c434e3d436f6e66696775726174696f6e2c44433d7275646b612c44433d686f6d65646e732c44433d6f72673f634143657274696669636174653f626173653f6f626a656374436c6173733d63657274696669636174696f6e417574686f72697479300d06092a864886f70d01010b050003820101008cc2c27290f0fdb5e8860ee2eaf56f0623d6d521d73a9e095e336ee0956f0131a634860e612746b8f1e4c892ab71c03d365bd6916d25e13b4f5ee90ca3f94b6aaacc23f56dea49be5ca09e87d3b43be44d72afb23bfc236cb47bdefb27c9d20c3cf174ecf8d3e634326174ab9546e98837523c9c7cde15312851755dd2fa7dfeb38f0a1590fcc6bbe43fdd9f4dd3583cca2ee7b891bda13760236d8c3842c5060e724bc75dcb8ea9f7ace2cfb6fbae03f4ac638f73dea5326d14f31463eb8143e71a1fdb73d97bac2f218f1b94a01b234be9d9730b629d191985b97b10a77fd56113fe8a653f3273e645e93979f31a4c33af2db8aabc221019b3
(5) Message-Authenticator = 0x00000000000000000000000000000000
(5) State = 0x3ee9a9273dc8b0b89648a8e8466bb781
(5) Finished request
Waking up in 4.9 seconds.
(6) Received Access-Request Id 179 from 10.0.10.125:47686 to 10.0.10.110:1812 length 254
(6) User-Name = "M.Rudka"
(6) NAS-IP-Address = 10.0.10.125
(6) NAS-Identifier = "b6fbe41e2d9f"
(6) Called-Station-Id = "B6-FB-E4-1E-2D-9F:INR"
(6) NAS-Port-Type = Wireless-802.11
(6) Service-Type = Framed-User
(6) Calling-Station-Id = "A0-FB-C5-1E-26-61"
(6) Connect-Info = "CONNECT 0Mbps 802.11a"
(6) Acct-Session-Id = "37B081AEC663FC22"
(6) Acct-Multi-Session-Id = "448B30F6C3BB27FA"
(6) Mobility-Domain-Id = 65534
(6) WLAN-Pairwise-Cipher = 1027076
(6) WLAN-Group-Cipher = 1027076
(6) WLAN-AKM-Suite = 1027075
(6) WLAN-Group-Mgmt-Cipher = 1027078
(6) Framed-MTU = 1400
(6) EAP-Message = 0x022100061900
(6) State = 0x3ee9a9273dc8b0b89648a8e8466bb781
(6) Message-Authenticator = 0x9819d2dc5d81772c07d1d47e8a08e2e9
(6) session-state: No cached attributes
(6) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(6) authorize {
(6) policy filter_username {
(6) if (&User-Name) {
(6) if (&User-Name) -> TRUE
(6) if (&User-Name) {
(6) if (&User-Name =~ / /) {
(6) if (&User-Name =~ / /) -> FALSE
(6) if (&User-Name =~ /@[^@]*@/ ) {
(6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(6) if (&User-Name =~ /\.\./ ) {
(6) if (&User-Name =~ /\.\./ ) -> FALSE
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(6) if (&User-Name =~ /\.$/) {
(6) if (&User-Name =~ /\.$/) -> FALSE
(6) if (&User-Name =~ /(a)\./) {
(6) if (&User-Name =~ /(a)\./) -> FALSE
(6) } # if (&User-Name) = notfound
(6) } # policy filter_username = notfound
(6) [preprocess] = ok
(6) ntdomain: Checking for prefix before "\"
(6) ntdomain: No '\' in User-Name = "M.Rudka", looking up realm NULL
(6) ntdomain: No such realm "NULL"
(6) [ntdomain] = noop
(6) [mschap] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: No '@' in User-Name = "M.Rudka", looking up realm NULL
(6) suffix: No such realm "NULL"
(6) [suffix] = noop
(6) eap: Peer sent EAP Response (code 2) ID 33 length 6
(6) eap: Continuing tunnel setup
(6) [eap] = ok
(6) } # authorize = ok
(6) Found Auth-Type = eap
(6) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(6) authenticate {
(6) eap: Expiring EAP session with state 0x3ee9a9273dc8b0b8
(6) eap: Finished EAP session with state 0x3ee9a9273dc8b0b8
(6) eap: Previous EAP request found for state 0x3ee9a9273dc8b0b8, released from the list
(6) eap: Peer sent packet with method EAP PEAP (25)
(6) eap: Calling submodule eap_peap to process data
(6) eap_peap: Continuing EAP-TLS
(6) eap_peap: Peer ACKed our handshake fragment
(6) eap_peap: [eaptls verify] = request
(6) eap_peap: [eaptls process] = handled
(6) eap: Sending EAP Request (code 1) ID 34 length 710
(6) eap: EAP session adding &reply:State = 0x3ee9a9273acbb0b8
(6) [eap] = handled
(6) } # authenticate = handled
(6) Using Post-Auth-Type Challenge
(6) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(6) Challenge { ... } # empty sub-section is ignored
(6) Sent Access-Challenge Id 179 from 10.0.10.110:1812 to 10.0.10.125:47686 length 0
(6) EAP-Message = 0x012202c619000e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604143fceda60cfb2fbdb720b04fdb00ec629e04890e7301006092b06010401823715010403020100300d06092a864886f70d0101050500038201010026dad9ce00d6f9a9cff93ef9586b3318bc2bebd3055ad81c3676df7d764c84613126b6b8cba855510ef8c98bf3e12840beb3e780ea80981ff9ee92be3ab40e5ec795d75269de67d593642ab45f052360a7521dfaf8defbfad6d8f7e497f29d437ec8256d7b11ffe4555d852e5091dad182bd219cd368b3da198cead4dce5cc3bac53011867d5c225006edf3c59ff6ec1c3dacd0691980056703de99b99986ba96e801e3a4fa0a4b3ef502b2c0f757f22ef4e6d0ed4f729c887e36e9ba8e3252158e339fad53e64f0720bba34cd6220bad9784bb35020ca7931fd7a6d2e3a9fd2325c8a87c9dd4594d65a2474a189974b41ce3ec26a4f6e8c1cd407d4095fc2a1160303014d0c000149030017
(6) Message-Authenticator = 0x00000000000000000000000000000000
(6) State = 0x3ee9a9273acbb0b89648a8e8466bb781
(6) Finished request
Waking up in 4.9 seconds.
(7) Received Access-Request Id 180 from 10.0.10.125:47686 to 10.0.10.110:1812 length 384
(7) User-Name = "M.Rudka"
(7) NAS-IP-Address = 10.0.10.125
(7) NAS-Identifier = "b6fbe41e2d9f"
(7) Called-Station-Id = "B6-FB-E4-1E-2D-9F:INR"
(7) NAS-Port-Type = Wireless-802.11
(7) Service-Type = Framed-User
(7) Calling-Station-Id = "A0-FB-C5-1E-26-61"
(7) Connect-Info = "CONNECT 0Mbps 802.11a"
(7) Acct-Session-Id = "37B081AEC663FC22"
(7) Acct-Multi-Session-Id = "448B30F6C3BB27FA"
(7) Mobility-Domain-Id = 65534
(7) WLAN-Pairwise-Cipher = 1027076
(7) WLAN-Group-Cipher = 1027076
(7) WLAN-AKM-Suite = 1027075
(7) WLAN-Group-Mgmt-Cipher = 1027078
(7) Framed-MTU = 1400
(7) EAP-Message = 0x0222008819800000007e160303004610000042410452834d40c9656f50bc1f465f1afa455e5fccfa9648e827ee10dde8a42bb9b3031fa13047f718853f654f81cf3d4e9b4b26cc567b5eadf5464097c0b6e8a2e9021403030001011603030028c867f78c1dfcff1425b79abb3ed9e8f2ecb47b31701e023657a7c9deaa8e88465506f810d0dea246
(7) State = 0x3ee9a9273acbb0b89648a8e8466bb781
(7) Message-Authenticator = 0x189e996029d4e154a08f569724736fb6
(7) session-state: No cached attributes
(7) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(7) authorize {
(7) policy filter_username {
(7) if (&User-Name) {
(7) if (&User-Name) -> TRUE
(7) if (&User-Name) {
(7) if (&User-Name =~ / /) {
(7) if (&User-Name =~ / /) -> FALSE
(7) if (&User-Name =~ /@[^@]*@/ ) {
(7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(7) if (&User-Name =~ /\.\./ ) {
(7) if (&User-Name =~ /\.\./ ) -> FALSE
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(7) if (&User-Name =~ /\.$/) {
(7) if (&User-Name =~ /\.$/) -> FALSE
(7) if (&User-Name =~ /(a)\./) {
(7) if (&User-Name =~ /(a)\./) -> FALSE
(7) } # if (&User-Name) = notfound
(7) } # policy filter_username = notfound
(7) [preprocess] = ok
(7) ntdomain: Checking for prefix before "\"
(7) ntdomain: No '\' in User-Name = "M.Rudka", looking up realm NULL
(7) ntdomain: No such realm "NULL"
(7) [ntdomain] = noop
(7) [mschap] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: No '@' in User-Name = "M.Rudka", looking up realm NULL
(7) suffix: No such realm "NULL"
(7) [suffix] = noop
(7) eap: Peer sent EAP Response (code 2) ID 34 length 136
(7) eap: Continuing tunnel setup
(7) [eap] = ok
(7) } # authorize = ok
(7) Found Auth-Type = eap
(7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(7) authenticate {
(7) eap: Expiring EAP session with state 0x3ee9a9273acbb0b8
(7) eap: Finished EAP session with state 0x3ee9a9273acbb0b8
(7) eap: Previous EAP request found for state 0x3ee9a9273acbb0b8, released from the list
(7) eap: Peer sent packet with method EAP PEAP (25)
(7) eap: Calling submodule eap_peap to process data
(7) eap_peap: Continuing EAP-TLS
(7) eap_peap: Peer indicated complete TLS record size will be 126 bytes
(7) eap_peap: Got complete TLS record (126 bytes)
(7) eap_peap: [eaptls verify] = length included
(7) eap_peap: TLS_accept: SSLv3/TLS write server done
(7) eap_peap: <<< recv TLS 1.2 [length 0046]
(7) eap_peap: TLS_accept: SSLv3/TLS read client key exchange
(7) eap_peap: TLS_accept: SSLv3/TLS read change cipher spec
(7) eap_peap: <<< recv TLS 1.2 [length 0010]
(7) eap_peap: TLS_accept: SSLv3/TLS read finished
(7) eap_peap: >>> send TLS 1.2 [length 0001]
(7) eap_peap: TLS_accept: SSLv3/TLS write change cipher spec
(7) eap_peap: >>> send TLS 1.2 [length 0010]
(7) eap_peap: TLS_accept: SSLv3/TLS write finished
(7) eap_peap: (other): SSL negotiation finished successfully
(7) eap_peap: TLS - Connection Established
(7) eap_peap: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(7) eap_peap: TLS-Session-Version = "TLS 1.2"
(7) eap_peap: TLS - got 51 bytes of data
(7) eap_peap: [eaptls process] = handled
(7) eap: Sending EAP Request (code 1) ID 35 length 57
(7) eap: EAP session adding &reply:State = 0x3ee9a9273bcab0b8
(7) [eap] = handled
(7) } # authenticate = handled
(7) Using Post-Auth-Type Challenge
(7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(7) Challenge { ... } # empty sub-section is ignored
(7) session-state: Saving cached attributes
(7) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(7) TLS-Session-Version = "TLS 1.2"
(7) Sent Access-Challenge Id 180 from 10.0.10.110:1812 to 10.0.10.125:47686 length 0
(7) EAP-Message = 0x01230039190014030300010116030300286ea59b2818d194f8050a697ac325b1a0f05b111a28157edc721b3648c077cc13e3d7275c87d8e1db
(7) Message-Authenticator = 0x00000000000000000000000000000000
(7) State = 0x3ee9a9273bcab0b89648a8e8466bb781
(7) Finished request
Waking up in 4.9 seconds.
(8) Received Access-Request Id 181 from 10.0.10.125:47686 to 10.0.10.110:1812 length 254
(8) User-Name = "M.Rudka"
(8) NAS-IP-Address = 10.0.10.125
(8) NAS-Identifier = "b6fbe41e2d9f"
(8) Called-Station-Id = "B6-FB-E4-1E-2D-9F:INR"
(8) NAS-Port-Type = Wireless-802.11
(8) Service-Type = Framed-User
(8) Calling-Station-Id = "A0-FB-C5-1E-26-61"
(8) Connect-Info = "CONNECT 0Mbps 802.11a"
(8) Acct-Session-Id = "37B081AEC663FC22"
(8) Acct-Multi-Session-Id = "448B30F6C3BB27FA"
(8) Mobility-Domain-Id = 65534
(8) WLAN-Pairwise-Cipher = 1027076
(8) WLAN-Group-Cipher = 1027076
(8) WLAN-AKM-Suite = 1027075
(8) WLAN-Group-Mgmt-Cipher = 1027078
(8) Framed-MTU = 1400
(8) EAP-Message = 0x022300061900
(8) State = 0x3ee9a9273bcab0b89648a8e8466bb781
(8) Message-Authenticator = 0x533f3f0f8b069fb91fb2faa97503c7a5
(8) Restoring &session-state
(8) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(8) &session-state:TLS-Session-Version = "TLS 1.2"
(8) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(8) authorize {
(8) policy filter_username {
(8) if (&User-Name) {
(8) if (&User-Name) -> TRUE
(8) if (&User-Name) {
(8) if (&User-Name =~ / /) {
(8) if (&User-Name =~ / /) -> FALSE
(8) if (&User-Name =~ /@[^@]*@/ ) {
(8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(8) if (&User-Name =~ /\.\./ ) {
(8) if (&User-Name =~ /\.\./ ) -> FALSE
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(8) if (&User-Name =~ /\.$/) {
(8) if (&User-Name =~ /\.$/) -> FALSE
(8) if (&User-Name =~ /(a)\./) {
(8) if (&User-Name =~ /(a)\./) -> FALSE
(8) } # if (&User-Name) = notfound
(8) } # policy filter_username = notfound
(8) [preprocess] = ok
(8) ntdomain: Checking for prefix before "\"
(8) ntdomain: No '\' in User-Name = "M.Rudka", looking up realm NULL
(8) ntdomain: No such realm "NULL"
(8) [ntdomain] = noop
(8) [mschap] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: No '@' in User-Name = "M.Rudka", looking up realm NULL
(8) suffix: No such realm "NULL"
(8) [suffix] = noop
(8) eap: Peer sent EAP Response (code 2) ID 35 length 6
(8) eap: Continuing tunnel setup
(8) [eap] = ok
(8) } # authorize = ok
(8) Found Auth-Type = eap
(8) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(8) authenticate {
(8) eap: Expiring EAP session with state 0x3ee9a9273bcab0b8
(8) eap: Finished EAP session with state 0x3ee9a9273bcab0b8
(8) eap: Previous EAP request found for state 0x3ee9a9273bcab0b8, released from the list
(8) eap: Peer sent packet with method EAP PEAP (25)
(8) eap: Calling submodule eap_peap to process data
(8) eap_peap: Continuing EAP-TLS
(8) eap_peap: Peer ACKed our handshake fragment. handshake is finished
(8) eap_peap: [eaptls verify] = success
(8) eap_peap: [eaptls process] = success
(8) eap_peap: Session established. Decoding tunneled attributes
(8) eap_peap: PEAP state TUNNEL ESTABLISHED
(8) eap: Sending EAP Request (code 1) ID 36 length 40
(8) eap: EAP session adding &reply:State = 0x3ee9a92738cdb0b8
(8) [eap] = handled
(8) } # authenticate = handled
(8) Using Post-Auth-Type Challenge
(8) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(8) Challenge { ... } # empty sub-section is ignored
(8) session-state: Saving cached attributes
(8) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(8) TLS-Session-Version = "TLS 1.2"
(8) Sent Access-Challenge Id 181 from 10.0.10.110:1812 to 10.0.10.125:47686 length 0
(8) EAP-Message = 0x012400281900170303001d6ea59b2818d194f9c842ac172d4425645c255f75c3127988fa0f100bab
(8) Message-Authenticator = 0x00000000000000000000000000000000
(8) State = 0x3ee9a92738cdb0b89648a8e8466bb781
(8) Finished request
Waking up in 4.8 seconds.
(9) Received Access-Request Id 182 from 10.0.10.125:47686 to 10.0.10.110:1812 length 291
(9) User-Name = "M.Rudka"
(9) NAS-IP-Address = 10.0.10.125
(9) NAS-Identifier = "b6fbe41e2d9f"
(9) Called-Station-Id = "B6-FB-E4-1E-2D-9F:INR"
(9) NAS-Port-Type = Wireless-802.11
(9) Service-Type = Framed-User
(9) Calling-Station-Id = "A0-FB-C5-1E-26-61"
(9) Connect-Info = "CONNECT 0Mbps 802.11a"
(9) Acct-Session-Id = "37B081AEC663FC22"
(9) Acct-Multi-Session-Id = "448B30F6C3BB27FA"
(9) Mobility-Domain-Id = 65534
(9) WLAN-Pairwise-Cipher = 1027076
(9) WLAN-Group-Cipher = 1027076
(9) WLAN-AKM-Suite = 1027075
(9) WLAN-Group-Mgmt-Cipher = 1027078
(9) Framed-MTU = 1400
(9) EAP-Message = 0x0224002b19001703030020c867f78c1dfcff159e72fd7990cc2b865ac5e55917f05e0b72282d7f15c81313
(9) State = 0x3ee9a92738cdb0b89648a8e8466bb781
(9) Message-Authenticator = 0x18edb6a6a465da71223d04e76c5f34c1
(9) Restoring &session-state
(9) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(9) &session-state:TLS-Session-Version = "TLS 1.2"
(9) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(9) authorize {
(9) policy filter_username {
(9) if (&User-Name) {
(9) if (&User-Name) -> TRUE
(9) if (&User-Name) {
(9) if (&User-Name =~ / /) {
(9) if (&User-Name =~ / /) -> FALSE
(9) if (&User-Name =~ /@[^@]*@/ ) {
(9) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(9) if (&User-Name =~ /\.\./ ) {
(9) if (&User-Name =~ /\.\./ ) -> FALSE
(9) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(9) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(9) if (&User-Name =~ /\.$/) {
(9) if (&User-Name =~ /\.$/) -> FALSE
(9) if (&User-Name =~ /(a)\./) {
(9) if (&User-Name =~ /(a)\./) -> FALSE
(9) } # if (&User-Name) = notfound
(9) } # policy filter_username = notfound
(9) [preprocess] = ok
(9) ntdomain: Checking for prefix before "\"
(9) ntdomain: No '\' in User-Name = "M.Rudka", looking up realm NULL
(9) ntdomain: No such realm "NULL"
(9) [ntdomain] = noop
(9) [mschap] = noop
(9) suffix: Checking for suffix after "@"
(9) suffix: No '@' in User-Name = "M.Rudka", looking up realm NULL
(9) suffix: No such realm "NULL"
(9) [suffix] = noop
(9) eap: Peer sent EAP Response (code 2) ID 36 length 43
(9) eap: Continuing tunnel setup
(9) [eap] = ok
(9) } # authorize = ok
(9) Found Auth-Type = eap
(9) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(9) authenticate {
(9) eap: Expiring EAP session with state 0x3ee9a92738cdb0b8
(9) eap: Finished EAP session with state 0x3ee9a92738cdb0b8
(9) eap: Previous EAP request found for state 0x3ee9a92738cdb0b8, released from the list
(9) eap: Peer sent packet with method EAP PEAP (25)
(9) eap: Calling submodule eap_peap to process data
(9) eap_peap: Continuing EAP-TLS
(9) eap_peap: [eaptls verify] = ok
(9) eap_peap: Done initial handshake
(9) eap_peap: [eaptls process] = ok
(9) eap_peap: Session established. Decoding tunneled attributes
(9) eap_peap: PEAP state WAITING FOR INNER IDENTITY
(9) eap_peap: Identity - M.Rudka
(9) eap_peap: Got inner identity 'M.Rudka'
(9) eap_peap: Setting default EAP type for tunneled EAP session
(9) eap_peap: Got tunneled request
(9) eap_peap: EAP-Message = 0x0224000c014d2e5275646b61
(9) eap_peap: Setting User-Name to M.Rudka
(9) eap_peap: Sending tunneled request to inner-tunnel
(9) eap_peap: EAP-Message = 0x0224000c014d2e5275646b61
(9) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(9) eap_peap: User-Name = "M.Rudka"
(9) eap_peap: NAS-IP-Address = 10.0.10.125
(9) eap_peap: NAS-Identifier = "b6fbe41e2d9f"
(9) eap_peap: Called-Station-Id = "B6-FB-E4-1E-2D-9F:INR"
(9) eap_peap: NAS-Port-Type = Wireless-802.11
(9) eap_peap: Service-Type = Framed-User
(9) eap_peap: Calling-Station-Id = "A0-FB-C5-1E-26-61"
(9) eap_peap: Connect-Info = "CONNECT 0Mbps 802.11a"
(9) eap_peap: Acct-Session-Id = "37B081AEC663FC22"
(9) eap_peap: Acct-Multi-Session-Id = "448B30F6C3BB27FA"
(9) eap_peap: Mobility-Domain-Id = 65534
(9) eap_peap: WLAN-Pairwise-Cipher = 1027076
(9) eap_peap: WLAN-Group-Cipher = 1027076
(9) eap_peap: WLAN-AKM-Suite = 1027075
(9) eap_peap: WLAN-Group-Mgmt-Cipher = 1027078
(9) eap_peap: Framed-MTU = 1400
(9) eap_peap: Event-Timestamp = "Jun 25 2022 16:05:35 CEST"
(9) Virtual server inner-tunnel received request
(9) EAP-Message = 0x0224000c014d2e5275646b61
(9) FreeRADIUS-Proxied-To = 127.0.0.1
(9) User-Name = "M.Rudka"
(9) NAS-IP-Address = 10.0.10.125
(9) NAS-Identifier = "b6fbe41e2d9f"
(9) Called-Station-Id = "B6-FB-E4-1E-2D-9F:INR"
(9) NAS-Port-Type = Wireless-802.11
(9) Service-Type = Framed-User
(9) Calling-Station-Id = "A0-FB-C5-1E-26-61"
(9) Connect-Info = "CONNECT 0Mbps 802.11a"
(9) Acct-Session-Id = "37B081AEC663FC22"
(9) Acct-Multi-Session-Id = "448B30F6C3BB27FA"
(9) Mobility-Domain-Id = 65534
(9) WLAN-Pairwise-Cipher = 1027076
(9) WLAN-Group-Cipher = 1027076
(9) WLAN-AKM-Suite = 1027075
(9) WLAN-Group-Mgmt-Cipher = 1027078
(9) Framed-MTU = 1400
(9) Event-Timestamp = "Jun 25 2022 16:05:35 CEST"
(9) WARNING: Outer and inner identities are the same. User privacy is compromised.
(9) server inner-tunnel {
(9) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(9) authorize {
(9) policy filter_username {
(9) if (&User-Name) {
(9) if (&User-Name) -> TRUE
(9) if (&User-Name) {
(9) if (&User-Name =~ / /) {
(9) if (&User-Name =~ / /) -> FALSE
(9) if (&User-Name =~ /@[^@]*@/ ) {
(9) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(9) if (&User-Name =~ /\.\./ ) {
(9) if (&User-Name =~ /\.\./ ) -> FALSE
(9) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(9) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(9) if (&User-Name =~ /\.$/) {
(9) if (&User-Name =~ /\.$/) -> FALSE
(9) if (&User-Name =~ /(a)\./) {
(9) if (&User-Name =~ /(a)\./) -> FALSE
(9) } # if (&User-Name) = notfound
(9) } # policy filter_username = notfound
(9) [mschap] = noop
(9) suffix: Checking for suffix after "@"
(9) suffix: No '@' in User-Name = "M.Rudka", looking up realm NULL
(9) suffix: No such realm "NULL"
(9) [suffix] = noop
(9) update control {
(9) &Proxy-To-Realm := LOCAL
(9) } # update control = noop
(9) eap: Peer sent EAP Response (code 2) ID 36 length 12
(9) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(9) [eap] = ok
(9) } # authorize = ok
(9) Found Auth-Type = eap
(9) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(9) authenticate {
(9) eap: Peer sent packet with method EAP Identity (1)
(9) eap: Calling submodule eap_mschapv2 to process data
(9) eap_mschapv2: Issuing Challenge
(9) eap: Sending EAP Request (code 1) ID 37 length 43
(9) eap: EAP session adding &reply:State = 0xbe4d7933be6863f4
(9) [eap] = handled
(9) } # authenticate = handled
(9) } # server inner-tunnel
(9) Virtual server sending reply
(9) EAP-Message = 0x0125002b1a0125002610f5157151748540484ae37fd14c53759b667265657261646975732d332e302e3231
(9) Message-Authenticator = 0x00000000000000000000000000000000
(9) State = 0xbe4d7933be6863f4edc6d3a9b9603933
(9) eap_peap: Got tunneled reply code 11
(9) eap_peap: EAP-Message = 0x0125002b1a0125002610f5157151748540484ae37fd14c53759b667265657261646975732d332e302e3231
(9) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(9) eap_peap: State = 0xbe4d7933be6863f4edc6d3a9b9603933
(9) eap_peap: Got tunneled reply RADIUS code 11
(9) eap_peap: EAP-Message = 0x0125002b1a0125002610f5157151748540484ae37fd14c53759b667265657261646975732d332e302e3231
(9) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(9) eap_peap: State = 0xbe4d7933be6863f4edc6d3a9b9603933
(9) eap_peap: Got tunneled Access-Challenge
(9) eap: Sending EAP Request (code 1) ID 37 length 74
(9) eap: EAP session adding &reply:State = 0x3ee9a92739ccb0b8
(9) [eap] = handled
(9) } # authenticate = handled
(9) Using Post-Auth-Type Challenge
(9) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(9) Challenge { ... } # empty sub-section is ignored
(9) session-state: Saving cached attributes
(9) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(9) TLS-Session-Version = "TLS 1.2"
(9) Sent Access-Challenge Id 182 from 10.0.10.110:1812 to 10.0.10.125:47686 length 0
(9) EAP-Message = 0x0125004a1900170303003f6ea59b2818d194faaecd07d38ff4d782b06aec18a5c1163da2d8d83f365d156dd9c1d0a511c2ecfa739a3988ae50d0e8a96d5bd1da3b0846e0d2d690a81500
(9) Message-Authenticator = 0x00000000000000000000000000000000
(9) State = 0x3ee9a92739ccb0b89648a8e8466bb781
(9) Finished request
Waking up in 4.8 seconds.
(10) Received Access-Request Id 183 from 10.0.10.125:47686 to 10.0.10.110:1812 length 345
(10) User-Name = "M.Rudka"
(10) NAS-IP-Address = 10.0.10.125
(10) NAS-Identifier = "b6fbe41e2d9f"
(10) Called-Station-Id = "B6-FB-E4-1E-2D-9F:INR"
(10) NAS-Port-Type = Wireless-802.11
(10) Service-Type = Framed-User
(10) Calling-Station-Id = "A0-FB-C5-1E-26-61"
(10) Connect-Info = "CONNECT 0Mbps 802.11a"
(10) Acct-Session-Id = "37B081AEC663FC22"
(10) Acct-Multi-Session-Id = "448B30F6C3BB27FA"
(10) Mobility-Domain-Id = 65534
(10) WLAN-Pairwise-Cipher = 1027076
(10) WLAN-Group-Cipher = 1027076
(10) WLAN-AKM-Suite = 1027075
(10) WLAN-Group-Mgmt-Cipher = 1027078
(10) Framed-MTU = 1400
(10) EAP-Message = 0x0225006119001703030056c867f78c1dfcff169ec78a85175115be1aaa14d616eb530d0c0d552b0989677214b7cf2a278c52a343de54935b608832f65911807e3f98bccf608ee0a3e19869b87690fcf428d6232efcf99b2f118057d18a5ed371a5
(10) State = 0x3ee9a92739ccb0b89648a8e8466bb781
(10) Message-Authenticator = 0x7e0a483ecbd4bfe1852e92e06ddf3fdf
(10) Restoring &session-state
(10) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(10) &session-state:TLS-Session-Version = "TLS 1.2"
(10) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(10) authorize {
(10) policy filter_username {
(10) if (&User-Name) {
(10) if (&User-Name) -> TRUE
(10) if (&User-Name) {
(10) if (&User-Name =~ / /) {
(10) if (&User-Name =~ / /) -> FALSE
(10) if (&User-Name =~ /@[^@]*@/ ) {
(10) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(10) if (&User-Name =~ /\.\./ ) {
(10) if (&User-Name =~ /\.\./ ) -> FALSE
(10) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(10) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(10) if (&User-Name =~ /\.$/) {
(10) if (&User-Name =~ /\.$/) -> FALSE
(10) if (&User-Name =~ /(a)\./) {
(10) if (&User-Name =~ /(a)\./) -> FALSE
(10) } # if (&User-Name) = notfound
(10) } # policy filter_username = notfound
(10) [preprocess] = ok
(10) ntdomain: Checking for prefix before "\"
(10) ntdomain: No '\' in User-Name = "M.Rudka", looking up realm NULL
(10) ntdomain: No such realm "NULL"
(10) [ntdomain] = noop
(10) [mschap] = noop
(10) suffix: Checking for suffix after "@"
(10) suffix: No '@' in User-Name = "M.Rudka", looking up realm NULL
(10) suffix: No such realm "NULL"
(10) [suffix] = noop
(10) eap: Peer sent EAP Response (code 2) ID 37 length 97
(10) eap: Continuing tunnel setup
(10) [eap] = ok
(10) } # authorize = ok
(10) Found Auth-Type = eap
(10) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(10) authenticate {
(10) eap: Expiring EAP session with state 0xbe4d7933be6863f4
(10) eap: Finished EAP session with state 0x3ee9a92739ccb0b8
(10) eap: Previous EAP request found for state 0x3ee9a92739ccb0b8, released from the list
(10) eap: Peer sent packet with method EAP PEAP (25)
(10) eap: Calling submodule eap_peap to process data
(10) eap_peap: Continuing EAP-TLS
(10) eap_peap: [eaptls verify] = ok
(10) eap_peap: Done initial handshake
(10) eap_peap: [eaptls process] = ok
(10) eap_peap: Session established. Decoding tunneled attributes
(10) eap_peap: PEAP state phase2
(10) eap_peap: EAP method MSCHAPv2 (26)
(10) eap_peap: Got tunneled request
(10) eap_peap: EAP-Message = 0x022500421a0225003d31052b35af9cd014217752deab650f5d8500000000000000009e4e5213110a14934c1176102d7f4bee524c3a7eed42fa72004d2e5275646b61
(10) eap_peap: Setting User-Name to M.Rudka
(10) eap_peap: Sending tunneled request to inner-tunnel
(10) eap_peap: EAP-Message = 0x022500421a0225003d31052b35af9cd014217752deab650f5d8500000000000000009e4e5213110a14934c1176102d7f4bee524c3a7eed42fa72004d2e5275646b61
(10) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(10) eap_peap: User-Name = "M.Rudka"
(10) eap_peap: State = 0xbe4d7933be6863f4edc6d3a9b9603933
(10) eap_peap: NAS-IP-Address = 10.0.10.125
(10) eap_peap: NAS-Identifier = "b6fbe41e2d9f"
(10) eap_peap: Called-Station-Id = "B6-FB-E4-1E-2D-9F:INR"
(10) eap_peap: NAS-Port-Type = Wireless-802.11
(10) eap_peap: Service-Type = Framed-User
(10) eap_peap: Calling-Station-Id = "A0-FB-C5-1E-26-61"
(10) eap_peap: Connect-Info = "CONNECT 0Mbps 802.11a"
(10) eap_peap: Acct-Session-Id = "37B081AEC663FC22"
(10) eap_peap: Acct-Multi-Session-Id = "448B30F6C3BB27FA"
(10) eap_peap: Mobility-Domain-Id = 65534
(10) eap_peap: WLAN-Pairwise-Cipher = 1027076
(10) eap_peap: WLAN-Group-Cipher = 1027076
(10) eap_peap: WLAN-AKM-Suite = 1027075
(10) eap_peap: WLAN-Group-Mgmt-Cipher = 1027078
(10) eap_peap: Framed-MTU = 1400
(10) eap_peap: Event-Timestamp = "Jun 25 2022 16:05:35 CEST"
(10) Virtual server inner-tunnel received request
(10) EAP-Message = 0x022500421a0225003d31052b35af9cd014217752deab650f5d8500000000000000009e4e5213110a14934c1176102d7f4bee524c3a7eed42fa72004d2e5275646b61
(10) FreeRADIUS-Proxied-To = 127.0.0.1
(10) User-Name = "M.Rudka"
(10) State = 0xbe4d7933be6863f4edc6d3a9b9603933
(10) NAS-IP-Address = 10.0.10.125
(10) NAS-Identifier = "b6fbe41e2d9f"
(10) Called-Station-Id = "B6-FB-E4-1E-2D-9F:INR"
(10) NAS-Port-Type = Wireless-802.11
(10) Service-Type = Framed-User
(10) Calling-Station-Id = "A0-FB-C5-1E-26-61"
(10) Connect-Info = "CONNECT 0Mbps 802.11a"
(10) Acct-Session-Id = "37B081AEC663FC22"
(10) Acct-Multi-Session-Id = "448B30F6C3BB27FA"
(10) Mobility-Domain-Id = 65534
(10) WLAN-Pairwise-Cipher = 1027076
(10) WLAN-Group-Cipher = 1027076
(10) WLAN-AKM-Suite = 1027075
(10) WLAN-Group-Mgmt-Cipher = 1027078
(10) Framed-MTU = 1400
(10) Event-Timestamp = "Jun 25 2022 16:05:35 CEST"
(10) WARNING: Outer and inner identities are the same. User privacy is compromised.
(10) server inner-tunnel {
(10) session-state: No cached attributes
(10) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(10) authorize {
(10) policy filter_username {
(10) if (&User-Name) {
(10) if (&User-Name) -> TRUE
(10) if (&User-Name) {
(10) if (&User-Name =~ / /) {
(10) if (&User-Name =~ / /) -> FALSE
(10) if (&User-Name =~ /@[^@]*@/ ) {
(10) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(10) if (&User-Name =~ /\.\./ ) {
(10) if (&User-Name =~ /\.\./ ) -> FALSE
(10) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(10) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(10) if (&User-Name =~ /\.$/) {
(10) if (&User-Name =~ /\.$/) -> FALSE
(10) if (&User-Name =~ /(a)\./) {
(10) if (&User-Name =~ /(a)\./) -> FALSE
(10) } # if (&User-Name) = notfound
(10) } # policy filter_username = notfound
(10) [mschap] = noop
(10) suffix: Checking for suffix after "@"
(10) suffix: No '@' in User-Name = "M.Rudka", looking up realm NULL
(10) suffix: No such realm "NULL"
(10) [suffix] = noop
(10) update control {
(10) &Proxy-To-Realm := LOCAL
(10) } # update control = noop
(10) eap: Peer sent EAP Response (code 2) ID 37 length 66
(10) eap: No EAP Start, assuming it's an on-going EAP conversation
(10) [eap] = updated
(10) [expiration] = noop
(10) [logintime] = noop
(10) } # authorize = updated
(10) Found Auth-Type = eap
(10) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(10) authenticate {
(10) eap: Expiring EAP session with state 0xbe4d7933be6863f4
(10) eap: Finished EAP session with state 0xbe4d7933be6863f4
(10) eap: Previous EAP request found for state 0xbe4d7933be6863f4, released from the list
(10) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(10) eap: Calling submodule eap_mschapv2 to process data
(10) eap_mschapv2: # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(10) eap_mschapv2: authenticate {
(10) mschap: Creating challenge hash with username: M.Rudka
(10) mschap: Client is using MS-CHAPv2
(10) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-RUDKA} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}:
(10) mschap: EXPAND --username=%{mschap:User-Name:-None}
(10) mschap: --> --username=M.Rudka
(10) mschap: ERROR: No NT-Domain was found in the User-Name
(10) mschap: EXPAND --domain=%{%{mschap:NT-Domain}:-RUDKA}
(10) mschap: --> --domain=RUDKA
(10) mschap: Creating challenge hash with username: M.Rudka
(10) mschap: EXPAND --challenge=%{mschap:Challenge:-00}
(10) mschap: --> --challenge=47ad639a5eb61aa4
(10) mschap: EXPAND --nt-response=%{mschap:NT-Response:-00}
(10) mschap: --> --nt-response=9e4e5213110a14934c1176102d7f4bee524c3a7eed42fa72
debug_lookup_classname(dfsr): Unknown class
debug_lookup_classname(dfsr_meet): Unknown class
(10) mschap: Program returned code (0) and output 'NT_KEY: CFD6E18F125F5418AC102DE58019094F'
(10) mschap: Adding MS-CHAPv2 MPPE keys
(10) eap_mschapv2: [mschap] = ok
(10) eap_mschapv2: } # authenticate = ok
(10) eap_mschapv2: MSCHAP Success
(10) eap: Sending EAP Request (code 1) ID 38 length 51
(10) eap: EAP session adding &reply:State = 0xbe4d7933bf6b63f4
(10) [eap] = handled
(10) } # authenticate = handled
(10) } # server inner-tunnel
(10) Virtual server sending reply
(10) EAP-Message = 0x012600331a0325002e533d32393944384542374245353030414638424244364438393339414636323939424636333741333734
(10) Message-Authenticator = 0x00000000000000000000000000000000
(10) State = 0xbe4d7933bf6b63f4edc6d3a9b9603933
(10) eap_peap: Got tunneled reply code 11
(10) eap_peap: EAP-Message = 0x012600331a0325002e533d32393944384542374245353030414638424244364438393339414636323939424636333741333734
(10) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(10) eap_peap: State = 0xbe4d7933bf6b63f4edc6d3a9b9603933
(10) eap_peap: Got tunneled reply RADIUS code 11
(10) eap_peap: EAP-Message = 0x012600331a0325002e533d32393944384542374245353030414638424244364438393339414636323939424636333741333734
(10) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(10) eap_peap: State = 0xbe4d7933bf6b63f4edc6d3a9b9603933
(10) eap_peap: Got tunneled Access-Challenge
(10) eap: Sending EAP Request (code 1) ID 38 length 82
(10) eap: EAP session adding &reply:State = 0x3ee9a92736cfb0b8
(10) [eap] = handled
(10) } # authenticate = handled
(10) Using Post-Auth-Type Challenge
(10) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(10) Challenge { ... } # empty sub-section is ignored
(10) session-state: Saving cached attributes
(10) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(10) TLS-Session-Version = "TLS 1.2"
(10) Sent Access-Challenge Id 183 from 10.0.10.110:1812 to 10.0.10.125:47686 length 0
(10) EAP-Message = 0x01260052190017030300476ea59b2818d194fbca2453bacf2c2cc5644d778fd488024230f216f2b804c030ebcb128f5c5aa8dd367e737ff56094613dea39c041dbf2cf2739a0caf658c2c4e82ee46cc4ff7d
(10) Message-Authenticator = 0x00000000000000000000000000000000
(10) State = 0x3ee9a92736cfb0b89648a8e8466bb781
(10) Finished request
Waking up in 4.8 seconds.
(11) Received Access-Request Id 184 from 10.0.10.125:47686 to 10.0.10.110:1812 length 285
(11) User-Name = "M.Rudka"
(11) NAS-IP-Address = 10.0.10.125
(11) NAS-Identifier = "b6fbe41e2d9f"
(11) Called-Station-Id = "B6-FB-E4-1E-2D-9F:INR"
(11) NAS-Port-Type = Wireless-802.11
(11) Service-Type = Framed-User
(11) Calling-Station-Id = "A0-FB-C5-1E-26-61"
(11) Connect-Info = "CONNECT 0Mbps 802.11a"
(11) Acct-Session-Id = "37B081AEC663FC22"
(11) Acct-Multi-Session-Id = "448B30F6C3BB27FA"
(11) Mobility-Domain-Id = 65534
(11) WLAN-Pairwise-Cipher = 1027076
(11) WLAN-Group-Cipher = 1027076
(11) WLAN-AKM-Suite = 1027075
(11) WLAN-Group-Mgmt-Cipher = 1027078
(11) Framed-MTU = 1400
(11) EAP-Message = 0x022600251900170303001ac867f78c1dfcff1718a936e054203cd96966d68106434c256e96
(11) State = 0x3ee9a92736cfb0b89648a8e8466bb781
(11) Message-Authenticator = 0xcae5933b3b302ddd11e4e4397000b70f
(11) Restoring &session-state
(11) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(11) &session-state:TLS-Session-Version = "TLS 1.2"
(11) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(11) authorize {
(11) policy filter_username {
(11) if (&User-Name) {
(11) if (&User-Name) -> TRUE
(11) if (&User-Name) {
(11) if (&User-Name =~ / /) {
(11) if (&User-Name =~ / /) -> FALSE
(11) if (&User-Name =~ /@[^@]*@/ ) {
(11) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(11) if (&User-Name =~ /\.\./ ) {
(11) if (&User-Name =~ /\.\./ ) -> FALSE
(11) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(11) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(11) if (&User-Name =~ /\.$/) {
(11) if (&User-Name =~ /\.$/) -> FALSE
(11) if (&User-Name =~ /(a)\./) {
(11) if (&User-Name =~ /(a)\./) -> FALSE
(11) } # if (&User-Name) = notfound
(11) } # policy filter_username = notfound
(11) [preprocess] = ok
(11) ntdomain: Checking for prefix before "\"
(11) ntdomain: No '\' in User-Name = "M.Rudka", looking up realm NULL
(11) ntdomain: No such realm "NULL"
(11) [ntdomain] = noop
(11) [mschap] = noop
(11) suffix: Checking for suffix after "@"
(11) suffix: No '@' in User-Name = "M.Rudka", looking up realm NULL
(11) suffix: No such realm "NULL"
(11) [suffix] = noop
(11) eap: Peer sent EAP Response (code 2) ID 38 length 37
(11) eap: Continuing tunnel setup
(11) [eap] = ok
(11) } # authorize = ok
(11) Found Auth-Type = eap
(11) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(11) authenticate {
(11) eap: Expiring EAP session with state 0xbe4d7933bf6b63f4
(11) eap: Finished EAP session with state 0x3ee9a92736cfb0b8
(11) eap: Previous EAP request found for state 0x3ee9a92736cfb0b8, released from the list
(11) eap: Peer sent packet with method EAP PEAP (25)
(11) eap: Calling submodule eap_peap to process data
(11) eap_peap: Continuing EAP-TLS
(11) eap_peap: [eaptls verify] = ok
(11) eap_peap: Done initial handshake
(11) eap_peap: [eaptls process] = ok
(11) eap_peap: Session established. Decoding tunneled attributes
(11) eap_peap: PEAP state phase2
(11) eap_peap: EAP method MSCHAPv2 (26)
(11) eap_peap: Got tunneled request
(11) eap_peap: EAP-Message = 0x022600061a03
(11) eap_peap: Setting User-Name to M.Rudka
(11) eap_peap: Sending tunneled request to inner-tunnel
(11) eap_peap: EAP-Message = 0x022600061a03
(11) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(11) eap_peap: User-Name = "M.Rudka"
(11) eap_peap: State = 0xbe4d7933bf6b63f4edc6d3a9b9603933
(11) eap_peap: NAS-IP-Address = 10.0.10.125
(11) eap_peap: NAS-Identifier = "b6fbe41e2d9f"
(11) eap_peap: Called-Station-Id = "B6-FB-E4-1E-2D-9F:INR"
(11) eap_peap: NAS-Port-Type = Wireless-802.11
(11) eap_peap: Service-Type = Framed-User
(11) eap_peap: Calling-Station-Id = "A0-FB-C5-1E-26-61"
(11) eap_peap: Connect-Info = "CONNECT 0Mbps 802.11a"
(11) eap_peap: Acct-Session-Id = "37B081AEC663FC22"
(11) eap_peap: Acct-Multi-Session-Id = "448B30F6C3BB27FA"
(11) eap_peap: Mobility-Domain-Id = 65534
(11) eap_peap: WLAN-Pairwise-Cipher = 1027076
(11) eap_peap: WLAN-Group-Cipher = 1027076
(11) eap_peap: WLAN-AKM-Suite = 1027075
(11) eap_peap: WLAN-Group-Mgmt-Cipher = 1027078
(11) eap_peap: Framed-MTU = 1400
(11) eap_peap: Event-Timestamp = "Jun 25 2022 16:05:35 CEST"
(11) Virtual server inner-tunnel received request
(11) EAP-Message = 0x022600061a03
(11) FreeRADIUS-Proxied-To = 127.0.0.1
(11) User-Name = "M.Rudka"
(11) State = 0xbe4d7933bf6b63f4edc6d3a9b9603933
(11) NAS-IP-Address = 10.0.10.125
(11) NAS-Identifier = "b6fbe41e2d9f"
(11) Called-Station-Id = "B6-FB-E4-1E-2D-9F:INR"
(11) NAS-Port-Type = Wireless-802.11
(11) Service-Type = Framed-User
(11) Calling-Station-Id = "A0-FB-C5-1E-26-61"
(11) Connect-Info = "CONNECT 0Mbps 802.11a"
(11) Acct-Session-Id = "37B081AEC663FC22"
(11) Acct-Multi-Session-Id = "448B30F6C3BB27FA"
(11) Mobility-Domain-Id = 65534
(11) WLAN-Pairwise-Cipher = 1027076
(11) WLAN-Group-Cipher = 1027076
(11) WLAN-AKM-Suite = 1027075
(11) WLAN-Group-Mgmt-Cipher = 1027078
(11) Framed-MTU = 1400
(11) Event-Timestamp = "Jun 25 2022 16:05:35 CEST"
(11) WARNING: Outer and inner identities are the same. User privacy is compromised.
(11) server inner-tunnel {
(11) session-state: No cached attributes
(11) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(11) authorize {
(11) policy filter_username {
(11) if (&User-Name) {
(11) if (&User-Name) -> TRUE
(11) if (&User-Name) {
(11) if (&User-Name =~ / /) {
(11) if (&User-Name =~ / /) -> FALSE
(11) if (&User-Name =~ /@[^@]*@/ ) {
(11) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(11) if (&User-Name =~ /\.\./ ) {
(11) if (&User-Name =~ /\.\./ ) -> FALSE
(11) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(11) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(11) if (&User-Name =~ /\.$/) {
(11) if (&User-Name =~ /\.$/) -> FALSE
(11) if (&User-Name =~ /(a)\./) {
(11) if (&User-Name =~ /(a)\./) -> FALSE
(11) } # if (&User-Name) = notfound
(11) } # policy filter_username = notfound
(11) [mschap] = noop
(11) suffix: Checking for suffix after "@"
(11) suffix: No '@' in User-Name = "M.Rudka", looking up realm NULL
(11) suffix: No such realm "NULL"
(11) [suffix] = noop
(11) update control {
(11) &Proxy-To-Realm := LOCAL
(11) } # update control = noop
(11) eap: Peer sent EAP Response (code 2) ID 38 length 6
(11) eap: No EAP Start, assuming it's an on-going EAP conversation
(11) [eap] = updated
(11) [expiration] = noop
(11) [logintime] = noop
(11) } # authorize = updated
(11) Found Auth-Type = eap
(11) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(11) authenticate {
(11) eap: Expiring EAP session with state 0xbe4d7933bf6b63f4
(11) eap: Finished EAP session with state 0xbe4d7933bf6b63f4
(11) eap: Previous EAP request found for state 0xbe4d7933bf6b63f4, released from the list
(11) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(11) eap: Calling submodule eap_mschapv2 to process data
(11) eap: Sending EAP Success (code 3) ID 38 length 4
(11) eap: Freeing handler
(11) [eap] = ok
(11) } # authenticate = ok
(11) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(11) post-auth {
(11) if (1) {
(11) if (1) -> TRUE
(11) if (1) {
(11) update reply {
(11) User-Name !* ANY
(11) Message-Authenticator !* ANY
(11) EAP-Message !* ANY
(11) Proxy-State !* ANY
(11) MS-MPPE-Encryption-Types !* ANY
(11) MS-MPPE-Encryption-Policy !* ANY
(11) MS-MPPE-Send-Key !* ANY
(11) MS-MPPE-Recv-Key !* ANY
(11) } # update reply = noop
(11) update {
(11) No attributes updated for RHS &reply:
(11) } # update = noop
(11) } # if (1) = noop
(11) } # post-auth = noop
(11) Login OK: [M.Rudka/<via Auth-Type = eap>] (from client ap01 port 0 cli A0-FB-C5-1E-26-61 via TLS tunnel)
(11) } # server inner-tunnel
(11) Virtual server sending reply
(11) eap_peap: Got tunneled reply code 2
(11) eap_peap: Got tunneled reply RADIUS code 2
(11) eap_peap: Tunneled authentication was successful
(11) eap_peap: SUCCESS
(11) eap_peap: Saving tunneled attributes for later
(11) eap: Sending EAP Request (code 1) ID 39 length 46
(11) eap: EAP session adding &reply:State = 0x3ee9a92737ceb0b8
(11) [eap] = handled
(11) } # authenticate = handled
(11) Using Post-Auth-Type Challenge
(11) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(11) Challenge { ... } # empty sub-section is ignored
(11) session-state: Saving cached attributes
(11) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(11) TLS-Session-Version = "TLS 1.2"
(11) Sent Access-Challenge Id 184 from 10.0.10.110:1812 to 10.0.10.125:47686 length 0
(11) EAP-Message = 0x0127002e190017030300236ea59b2818d194fca680cac62409492272738126c217037101626227bfde385449773e
(11) Message-Authenticator = 0x00000000000000000000000000000000
(11) State = 0x3ee9a92737ceb0b89648a8e8466bb781
(11) Finished request
Waking up in 4.8 seconds.
(12) Received Access-Request Id 185 from 10.0.10.125:47686 to 10.0.10.110:1812 length 294
(12) User-Name = "M.Rudka"
(12) NAS-IP-Address = 10.0.10.125
(12) NAS-Identifier = "b6fbe41e2d9f"
(12) Called-Station-Id = "B6-FB-E4-1E-2D-9F:INR"
(12) NAS-Port-Type = Wireless-802.11
(12) Service-Type = Framed-User
(12) Calling-Station-Id = "A0-FB-C5-1E-26-61"
(12) Connect-Info = "CONNECT 0Mbps 802.11a"
(12) Acct-Session-Id = "37B081AEC663FC22"
(12) Acct-Multi-Session-Id = "448B30F6C3BB27FA"
(12) Mobility-Domain-Id = 65534
(12) WLAN-Pairwise-Cipher = 1027076
(12) WLAN-Group-Cipher = 1027076
(12) WLAN-AKM-Suite = 1027075
(12) WLAN-Group-Mgmt-Cipher = 1027078
(12) Framed-MTU = 1400
(12) EAP-Message = 0x0227002e19001703030023c867f78c1dfcff1824666237a84129ef0061dd77d55b6dd6651bc1c9af1ea67d42222e
(12) State = 0x3ee9a92737ceb0b89648a8e8466bb781
(12) Message-Authenticator = 0xf51dcd45fd6c3c37809530432b8a0c91
(12) Restoring &session-state
(12) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(12) &session-state:TLS-Session-Version = "TLS 1.2"
(12) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(12) authorize {
(12) policy filter_username {
(12) if (&User-Name) {
(12) if (&User-Name) -> TRUE
(12) if (&User-Name) {
(12) if (&User-Name =~ / /) {
(12) if (&User-Name =~ / /) -> FALSE
(12) if (&User-Name =~ /@[^@]*@/ ) {
(12) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(12) if (&User-Name =~ /\.\./ ) {
(12) if (&User-Name =~ /\.\./ ) -> FALSE
(12) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(12) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(12) if (&User-Name =~ /\.$/) {
(12) if (&User-Name =~ /\.$/) -> FALSE
(12) if (&User-Name =~ /(a)\./) {
(12) if (&User-Name =~ /(a)\./) -> FALSE
(12) } # if (&User-Name) = notfound
(12) } # policy filter_username = notfound
(12) [preprocess] = ok
(12) ntdomain: Checking for prefix before "\"
(12) ntdomain: No '\' in User-Name = "M.Rudka", looking up realm NULL
(12) ntdomain: No such realm "NULL"
(12) [ntdomain] = noop
(12) [mschap] = noop
(12) suffix: Checking for suffix after "@"
(12) suffix: No '@' in User-Name = "M.Rudka", looking up realm NULL
(12) suffix: No such realm "NULL"
(12) [suffix] = noop
(12) eap: Peer sent EAP Response (code 2) ID 39 length 46
(12) eap: Continuing tunnel setup
(12) [eap] = ok
(12) } # authorize = ok
(12) Found Auth-Type = eap
(12) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(12) authenticate {
(12) eap: Expiring EAP session with state 0x3ee9a92737ceb0b8
(12) eap: Finished EAP session with state 0x3ee9a92737ceb0b8
(12) eap: Previous EAP request found for state 0x3ee9a92737ceb0b8, released from the list
(12) eap: Peer sent packet with method EAP PEAP (25)
(12) eap: Calling submodule eap_peap to process data
(12) eap_peap: Continuing EAP-TLS
(12) eap_peap: [eaptls verify] = ok
(12) eap_peap: Done initial handshake
(12) eap_peap: [eaptls process] = ok
(12) eap_peap: Session established. Decoding tunneled attributes
(12) eap_peap: PEAP state send tlv success
(12) eap_peap: Received EAP-TLV response
(12) eap_peap: Success
(12) eap_peap: No saved attributes in the original Access-Accept
(12) eap: Sending EAP Success (code 3) ID 39 length 4
(12) eap: Freeing handler
(12) [eap] = ok
(12) } # authenticate = ok
(12) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default
(12) post-auth {
(12) update {
(12) &reply::TLS-Session-Cipher-Suite += &session-state:TLS-Session-Cipher-Suite[*] -> 'ECDHE-RSA-AES256-GCM-SHA384'
(12) &reply::TLS-Session-Version += &session-state:TLS-Session-Version[*] -> 'TLS 1.2'
(12) } # update = noop
(12) [exec] = noop
(12) policy remove_reply_message_if_eap {
(12) if (&reply:EAP-Message && &reply:Reply-Message) {
(12) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(12) else {
(12) [noop] = noop
(12) } # else = noop
(12) } # policy remove_reply_message_if_eap = noop
(12) } # post-auth = noop
(12) Login OK: [M.Rudka/<via Auth-Type = eap>] (from client ap01 port 0 cli A0-FB-C5-1E-26-61)
(12) Sent Access-Accept Id 185 from 10.0.10.110:1812 to 10.0.10.125:47686 length 0
(12) MS-MPPE-Recv-Key = 0xd742fc539c2ebcd30a0a7e1047c3792b3539a1323cf08973bca4347aa768b029
(12) MS-MPPE-Send-Key = 0x2a9be3c3eb31236cb201a6196f9d1ab8bb10624c3a3194a815064b7354f2f3ac
(12) EAP-Message = 0x03270004
(12) Message-Authenticator = 0x00000000000000000000000000000000
(12) User-Name = "M.Rudka"
(12) Finished request
Waking up in 4.8 seconds.
(13) Received Accounting-Request Id 186 from 10.0.10.125:34391 to 10.0.10.110:1813 length 234
(13) Acct-Status-Type = Start
(13) Acct-Authentic = RADIUS
(13) User-Name = "M.Rudka"
(13) NAS-IP-Address = 10.0.10.125
(13) Framed-IP-Address = 10.0.10.55
(13) NAS-Identifier = "b6fbe41e2d9f"
(13) Called-Station-Id = "B6-FB-E4-1E-2D-9F:INR"
(13) NAS-Port-Type = Wireless-802.11
(13) Service-Type = Framed-User
(13) Calling-Station-Id = "A0-FB-C5-1E-26-61"
(13) Connect-Info = "CONNECT 0Mbps 802.11a"
(13) Acct-Session-Id = "37B081AEC663FC22"
(13) Acct-Multi-Session-Id = "448B30F6C3BB27FA"
(13) Mobility-Domain-Id = 65534
(13) WLAN-Pairwise-Cipher = 1027076
(13) WLAN-Group-Cipher = 1027076
(13) WLAN-AKM-Suite = 1027075
(13) WLAN-Group-Mgmt-Cipher = 1027078
(13) Event-Timestamp = "Jun 25 2022 16:05:35 CEST"
(13) Acct-Delay-Time = 0
(13) # Executing section preacct from file /etc/freeradius/3.0/sites-enabled/default
(13) preacct {
(13) [preprocess] = ok
(13) policy acct_unique {
(13) update request {
(13) &Tmp-String-9 := "ai:"
(13) } # update request = noop
(13) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) {
(13) EXPAND %{hex:&Class}
(13) -->
(13) EXPAND ^%{hex:&Tmp-String-9}
(13) --> ^61693a
(13) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) -> FALSE
(13) else {
(13) update request {
(13) EXPAND %{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}
(13) --> d20c068ce14b253606bfe640b9218c9d
(13) &Acct-Unique-Session-Id := d20c068ce14b253606bfe640b9218c9d
(13) } # update request = noop
(13) } # else = noop
(13) } # policy acct_unique = noop
(13) suffix: Checking for suffix after "@"
(13) suffix: No '@' in User-Name = "M.Rudka", looking up realm NULL
(13) suffix: No such realm "NULL"
(13) [suffix] = noop
(13) [files] = noop
(13) } # preacct = ok
(13) # Executing section accounting from file /etc/freeradius/3.0/sites-enabled/default
(13) accounting {
(13) radutmp: EXPAND /var/log/freeradius/radutmp
(13) radutmp: --> /var/log/freeradius/radutmp
(13) radutmp: EXPAND %{User-Name}
(13) radutmp: --> M.Rudka
(13) radutmp: WARNING: No NAS-Port seen. Cannot do anything. Checkrad will probably not work!
(13) [radutmp] = noop
(13) detail: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail
(13) detail: --> /var/log/freeradius/radacct/10.0.10.125/detail
(13) detail: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail expands to /var/log/freeradius/radacct/10.0.10.125/detail
(13) detail: EXPAND %t
(13) detail: --> Sat Jun 25 16:05:35 2022
(13) [detail] = ok
(13) [unix] = ok
(13) [exec] = noop
(13) attr_filter.accounting_response: EXPAND %{User-Name}
(13) attr_filter.accounting_response: --> M.Rudka
(13) attr_filter.accounting_response: Matched entry DEFAULT at line 12
(13) [attr_filter.accounting_response] = updated
(13) } # accounting = updated
(13) Sent Accounting-Response Id 186 from 10.0.10.110:1813 to 10.0.10.125:34391 length 0
(13) Finished request
(13) Cleaning up request packet ID 186 with timestamp +5
Waking up in 4.6 seconds.
2
2
Hi,
We have an issue about reject message. As seen in the Figure , two reply
messages were received. It must be only ' You are already loged in '
image.png
One from simultaneous check setting (You are already loged in) and the
other(wrong password) from etc/raddb/sites-enable/default file. İf we
deactivate wrong password-check part (in the below) from
..raddb/sites-enable/default file, the replay message is blank returned
to NAS.
...
Post-Auth-Type REJECT {
update reply {
Reply-Message += "%{Reply-Message} Wrong Password..."
}
..
Regards
--
Can Paçacı
pacaci(a)servisnet.com.tr
Servisnet A.Ş.
Tel: 90 216 9999677
90 530 5450952
2
4
Hello everyone,
Routing: MikroTik v6.48.6
freeradius-server-3.0.21
In the actual test, freeradius sends Access-Accept,See the last output section below. The router log shows that the authentication fails. MikroTik tech support can't find a reason so far.
All certificates are created in freeradius and imported into ROS.
[e_zhangiso@myradius ~]$ su Password: [root@myradius e_zhangiso]# radtest vtest1 zsl123 localhost 18120 testing123 Sent Access-Request Id 19 from 0.0.0.0:38185 to 127.0.0.1:1812 length 76 User-Name = "vtest1" User-Password = "zsl123" NAS-IP-Address = 93.191.168.52 NAS-Port = 18120 Message-Authenticator = 0x00 Cleartext-Password = "zsl123" Received Access-Accept Id 19 from 127.0.0.1:1812 to 127.0.0.1:38185 length 20 [root@myradius e_zhangiso]# cd /usr/local/bin/ [root@myradius bin]# ls dbus-cleanup-sockets radattr dbus-daemon radclient dbus-launch radcrypt dbus-monitor radeapclient dbus-run-session radlast dbus-send radsqlrelay dbus-test-tool radtest dbus-update-activation-environment radwho dbus-uuidgen radzap dhcpclient smbencrypt eapol_test ttls-eap-mschapv2.conf map_unit x86_64-unknown-linux-gnu-pkg-config peap-mschapv2.conf xmlwf pkg-config [root@myradius bin]# eapol_test -c peap-mschapv2.conf -s testing123 Reading configuration file 'peap-mschapv2.conf' Line: 4 - start of a new network block ssid - hexdump_ascii(len=7): 65 78 61 6d 70 6c 65 example key_mgmt: 0x1 eap methods - hexdump(len=16): 00 00 00 00 19 00 00 00 00 00 00 00 00 00 00 00 identity - hexdump_ascii(len=6): 76 74 65 73 74 31 vtest1 anonymous_identity - hexdump_ascii(len=9): 61 6e 6f 6e 79 6d 6f 75 73 anonymous password - hexdump_ascii(len=6): 7a 73 6c 31 32 33 zsl123 phase2 - hexdump_ascii(len=13): 61 75 74 68 3d 4d 53 43 48 41 50 56 32 auth=MSCHAPV2 ca_cert - hexdump_ascii(len=33): 2f 75 73 72 2f 6c 6f 63 61 6c 2f 65 74 63 2f 72 /usr/local/etc/r 61 64 64 62 2f 63 65 72 74 73 2f 63 61 2e 64 65 addb/certs/ca.de 72 r Priority group 0 id=0 ssid='example' Authentication server 127.0.0.1:1812 RADIUS local address: 127.0.0.1:39667 ENGINE: Loading builtin engines ENGINE: Loading builtin engines EAPOL: SUPP_PAE entering state DISCONNECTED EAPOL: KEY_RX entering state NO_KEY_RECEIVE EAPOL: SUPP_BE entering state INITIALIZE EAP: EAP entering state DISABLED EAPOL: External notification - portValid=0 EAPOL: External notification - portEnabled=1 EAPOL: SUPP_PAE entering state CONNECTING EAPOL: SUPP_BE entering state IDLE EAP: EAP entering state INITIALIZE EAP: EAP entering state IDLE Sending fake EAP-Request-Identity EAPOL: Received EAP-Packet frame EAPOL: SUPP_PAE entering state RESTART EAP: EAP entering state INITIALIZE EAP: EAP entering state IDLE EAPOL: SUPP_PAE entering state AUTHENTICATING EAPOL: SUPP_BE entering state REQUEST EAPOL: getSuppRsp EAP: EAP entering state RECEIVED EAP: Received EAP-Request id=65 method=1 vendor=0 vendorMethod=0 EAP: EAP entering state IDENTITY CTRL-EVENT-EAP-STARTED EAP authentication started EAP: Status notification: started (param=) EAP: EAP-Request Identity data - hexdump_ascii(len=0): EAP: using anonymous identity - hexdump_ascii(len=9): 61 6e 6f 6e 79 6d 6f 75 73 anonymous EAP: EAP entering state SEND_RESPONSE EAP: EAP entering state IDLE EAPOL: SUPP_BE entering state RESPONSE EAPOL: txSuppRsp WPA: eapol_test_eapol_send(type=0 len=14) TX EAP -> RADIUS - hexdump(len=14): 02 41 00 0e 01 61 6e 6f 6e 79 6d 6f 75 73 Encapsulating EAP message into a RADIUS packet Learned identity from EAP-Response-Identity - hexdump(len=9): 61 6e 6f 6e 79 6d 6f 75 73 Sending RADIUS message to authentication server RADIUS message: code=1 (Access-Request) identifier=0 length=132 Attribute 1 (User-Name) length=11 Value: 'anonymous' Attribute 4 (NAS-IP-Address) length=6 Value: 127.0.0.1 Attribute 31 (Calling-Station-Id) length=19 Value: '02-00-00-00-00-01' Attribute 12 (Framed-MTU) length=6 Value: 1400 Attribute 61 (NAS-Port-Type) length=6 Value: 19 Attribute 6 (Service-Type) length=6 Value: 2 Attribute 77 (Connect-Info) length=24 Value: 'CONNECT 11Mbps 802.11b' Attribute 79 (EAP-Message) length=16 Value: 0241000e01616e6f6e796d6f7573 Attribute 80 (Message-Authenticator) length=18 Value: e6fe724b117116e92d8a5d054dede1c6 Next RADIUS client retransmit in 3 seconds EAPOL: SUPP_BE entering state RECEIVE Received 80 bytes from RADIUS server Received RADIUS message RADIUS message: code=11 (Access-Challenge) identifier=0 length=80 Attribute 79 (EAP-Message) length=24 Value: 014200160410a44c9c9a99e40191e15c62409e8d64ea Attribute 80 (Message-Authenticator) length=18 Value: ca0fab2024ada856096ea47d73c8bcee Attribute 24 (State) length=18 Value: efe8f55defaaf11214b7abcd56f4cf59 STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending request, round trip time 0.00 sec RADIUS packet matching with station decapsulated EAP packet (code=1 id=66 len=22) from RADIUS server: EAP-Request-MD5 (4) EAPOL: Received EAP-Packet frame EAPOL: SUPP_BE entering state REQUEST EAPOL: getSuppRsp EAP: EAP entering state RECEIVED EAP: Received EAP-Request id=66 method=4 vendor=0 vendorMethod=0 EAP: EAP entering state GET_METHOD EAP: configuration does not allow: vendor 0 method 4 EAP: vendor 0 method 4 not allowed CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=4 -> NAK EAP: Status notification: refuse proposed method (param=MD5) EAP: Building EAP-Nak (requested type 4 vendor=0 method=0 not allowed) EAP: allowed methods - hexdump(len=1): 19 EAP: EAP entering state SEND_RESPONSE EAP: EAP entering state IDLE EAPOL: SUPP_BE entering state RESPONSE EAPOL: txSuppRsp WPA: eapol_test_eapol_send(type=0 len=6) TX EAP -> RADIUS - hexdump(len=6): 02 42 00 06 03 19 Encapsulating EAP message into a RADIUS packet Copied RADIUS State Attribute Sending RADIUS message to authentication server RADIUS message: code=1 (Access-Request) identifier=1 length=142 Attribute 1 (User-Name) length=11 Value: 'anonymous' Attribute 4 (NAS-IP-Address) length=6 Value: 127.0.0.1 Attribute 31 (Calling-Station-Id) length=19 Value: '02-00-00-00-00-01' Attribute 12 (Framed-MTU) length=6 Value: 1400 Attribute 61 (NAS-Port-Type) length=6 Value: 19 Attribute 6 (Service-Type) length=6 Value: 2 Attribute 77 (Connect-Info) length=24 Value: 'CONNECT 11Mbps 802.11b' Attribute 79 (EAP-Message) length=8 Value: 024200060319 Attribute 24 (State) length=18 Value: efe8f55defaaf11214b7abcd56f4cf59 Attribute 80 (Message-Authenticator) length=18 Value: 0a259313bcbd65dbe29df8ca05e69801 Next RADIUS client retransmit in 3 seconds EAPOL: SUPP_BE entering state RECEIVE Received 64 bytes from RADIUS server Received RADIUS message RADIUS message: code=11 (Access-Challenge) identifier=1 length=64 Attribute 79 (EAP-Message) length=8 Value: 014300061920 Attribute 80 (Message-Authenticator) length=18 Value: ed336a4c7ff6c981769455b7f757a5db Attribute 24 (State) length=18 Value: efe8f55deeabec1214b7abcd56f4cf59 STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending request, round trip time 0.00 sec RADIUS packet matching with station decapsulated EAP packet (code=1 id=67 len=6) from RADIUS server: EAP-Request-PEAP (25) EAPOL: Received EAP-Packet frame EAPOL: SUPP_BE entering state REQUEST EAPOL: getSuppRsp EAP: EAP entering state RECEIVED EAP: Received EAP-Request id=67 method=25 vendor=0 vendorMethod=0 EAP: EAP entering state GET_METHOD CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25 EAP: Status notification: accept proposed method (param=PEAP) EAP: Initialize selected EAP method: vendor 0 method 25 (PEAP) TLS: Phase2 EAP types - hexdump(len=8): 00 00 00 00 1a 00 00 00 TLS: using phase1 config options OpenSSL: tls_connection_ca_cert - Failed to load root certificates error:00000000:lib(0):func(0):reason(0) OpenSSL: tls_connection_ca_cert - loaded DER format CA certificate CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected EAP: EAP entering state METHOD SSL: Received packet(len=6) - Flags 0x20 EAP-PEAP: Start (server ver=0, own ver=1) EAP-PEAP: Using PEAP version 0 SSL: (where=0x10 ret=0x1) SSL: (where=0x1001 ret=0x1) SSL: SSL_connect:before/connect initialization OpenSSL: TX ver=0x303 content_type=256 (TLS header info/) OpenSSL: Message - hexdump(len=5): 16 03 01 01 18 OpenSSL: TX ver=0x303 content_type=22 (handshake/client hello) OpenSSL: Message - hexdump(len=280): 01 00 01 14 03 03 cb 2e 6f 2c 46 d4 84 50 99 20 9b ab 25 1e 7b 1a 70 35 33 42 41 66 70 e9 f8 51 a3 8e bf aa 24 d7 00 00 ac c0 30 c0 2c c0 28 c0 24 c0 14 c0 0a 00 a5 00 a3 00 a1 00 9f 00 6b 00 6a 00 69 00 68 00 39 00 38 00 37 00 36 00 88 00 87 00 86 00 85 c0 32 c0 2e c0 2a c0 26 c0 0f c0 05 00 9d 00 3d 00 35 00 84 c0 2f c0 2b c0 27 c0 23 c0 13 c0 09 00 a4 00 a2 00 a0 00 9e 00 67 00 40 00 3f 00 3e 00 33 00 32 00 31 00 30 00 9a 00 99 00 98 00 97 00 45 00 44 00 43 00 42 c0 31 c0 2d c0 29 c0 25 c0 0e c0 04 00 9c 00 3c 00 2f 00 96 00 41 c0 12 c0 08 00 16 00 13 00 10 00 0d c0 0d c0 03 00 0a 00 07 c0 11 c0 07 c0 0c c0 02 00 05 00 04 00 ff 01 00 00 3f 00 0b 00 04 03 00 01 02 00 0a 00 0a 00 08 00 17 00 19 00 18 00 16 00 0d 00 20 00 1e 06 01 06 02 06 03 05 01 05 02 05 03 04 01 04 02 04 03 03 01 03 02 03 03 02 01 02 02 02 03 00 0f 00 01 01 SSL: (where=0x1001 ret=0x1) SSL: SSL_connect:SSLv2/v3 write client hello A SSL: (where=0x1002 ret=0xffffffff) SSL: SSL_connect:error in SSLv2/v3 read server hello A SSL: SSL_connect - want more data SSL: 285 bytes pending from ssl_out SSL: Using TLS version TLSv1.2 SSL: 285 bytes left to be sent out (of total 285 bytes) EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL eapRespData=0x111f3c0 EAP: EAP entering state SEND_RESPONSE EAP: EAP entering state IDLE EAPOL: SUPP_BE entering state RESPONSE EAPOL: txSuppRsp WPA: eapol_test_eapol_send(type=0 len=295) TX EAP -> RADIUS - hexdump(len=295): 02 43 01 27 19 80 00 00 01 1d 16 03 01 01 18 01 00 01 14 03 03 cb 2e 6f 2c 46 d4 84 50 99 20 9b ab 25 1e 7b 1a 70 35 33 42 41 66 70 e9 f8 51 a3 8e bf aa 24 d7 00 00 ac c0 30 c0 2c c0 28 c0 24 c0 14 c0 0a 00 a5 00 a3 00 a1 00 9f 00 6b 00 6a 00 69 00 68 00 39 00 38 00 37 00 36 00 88 00 87 00 86 00 85 c0 32 c0 2e c0 2a c0 26 c0 0f c0 05 00 9d 00 3d 00 35 00 84 c0 2f c0 2b c0 27 c0 23 c0 13 c0 09 00 a4 00 a2 00 a0 00 9e 00 67 00 40 00 3f 00 3e 00 33 00 32 00 31 00 30 00 9a 00 99 00 98 00 97 00 45 00 44 00 43 00 42 c0 31 c0 2d c0 29 c0 25 c0 0e c0 04 00 9c 00 3c 00 2f 00 96 00 41 c0 12 c0 08 00 16 00 13 00 10 00 0d c0 0d c0 03 00 0a 00 07 c0 11 c0 07 c0 0c c0 02 00 05 00 04 00 ff 01 00 00 3f 00 0b 00 04 03 00 01 02 00 0a 00 0a 00 08 00 17 00 19 00 18 00 16 00 0d 00 20 00 1e 06 01 06 02 06 03 05 01 05 02 05 03 04 01 04 02 04 03 03 01 03 02 03 03 02 01 02 02 02 03 00 0f 00 01 01 Encapsulating EAP message into a RADIUS packet Copied RADIUS State Attribute Sending RADIUS message to authentication server RADIUS message: code=1 (Access-Request) identifier=2 length=433 Attribute 1 (User-Name) length=11 Value: 'anonymous' Attribute 4 (NAS-IP-Address) length=6 Value: 127.0.0.1 Attribute 31 (Calling-Station-Id) length=19 Value: '02-00-00-00-00-01' Attribute 12 (Framed-MTU) length=6 Value: 1400 Attribute 61 (NAS-Port-Type) length=6 Value: 19 Attribute 6 (Service-Type) length=6 Value: 2 Attribute 77 (Connect-Info) length=24 Value: 'CONNECT 11Mbps 802.11b' Attribute 79 (EAP-Message) length=255 Value: 0243012719800000011d1603010118010001140303cb2e6f2c46d4845099209bab251e7b1a70353342416670e9f851a38ebfaa24d70000acc030c02cc028c024c014c00a00a500a300a1009f006b006a0069006800390038003700360088008700860085c032c02ec02ac026c00fc005009d003d00350084c02fc02bc027c023c013c00900a400a200a0009e00670040003f003e0033003200310030009a0099009800970045004400430042c031c02dc029c025c00ec004009c003c002f00960041c012c008001600130010000dc00dc003000a0007c011c007c00cc0020005000400ff0100003f000b000403000102000a000a000800170019001800 Attribute 79 (EAP-Message) length=44 Value: 16000d0020001e060106020603050105020503040104020403030103020303020102020203000f000101 Attribute 24 (State) length=18 Value: efe8f55deeabec1214b7abcd56f4cf59 Attribute 80 (Message-Authenticator) length=18 Value: bcfba080a0d2ea24d52c416ef7ed4722 Next RADIUS client retransmit in 3 seconds EAPOL: SUPP_BE entering state RECEIVE Received 1068 bytes from RADIUS server Received RADIUS message RADIUS message: code=11 (Access-Challenge) identifier=2 length=1068 Attribute 79 (EAP-Message) length=255 Value: 014403ec19c000000ac8160303003e0200003a0303180c45379f01e3aa52ee64a5c27613047f3dfd8d309f8311ff141aa9069219e500c030000012ff01000100000b000403000102000f00010116030309250b00092100091e000459308204553082033da003020102020102300d06092a864886f70d01010b0500308180310b300906035504061302434e310b300906035504080c024744310b300906035504070c02535a31133011060355040a0c0a527569516920496e632e310e300c060355040b0c0552756951693120301e06092a864886f70d0109011611313531313831353634324071712e636f6d3110300e06035504030c0743415f544553 Attribute 79 (EAP-Message) length=255 Value: 54301e170d3232303632313038323335315a170d3233303632313038323335315a308192310b300906035504061302434e310b300906035504080c024744310b300906035504070c02535a31133011060355040a0c0a527569516920496e632e310e300c060355040b0c0552756951693122302006035504030c197261646975732e74657374656e74657270726973652e6e65743120301e06092a864886f70d0109011611313531313831353634324071712e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100c0cf7d9846dfcfdbbd3864f1367ac48a39370ab5ef23f18a8f37d562978272d5a45f29eb3cf4 Attribute 79 (EAP-Message) length=255 Value: 21ed1d1682c6c51d0b5c9015873e20db21cbac31a43a94559adcace11819e0c2d2b7daaa9cec1436f08f7da967badf692f55b3338e32f8174594ce5127042d7530b7b64d5a9a961ffe9be0b3a5404d210dd1cd357b5b7ca20729983042e5be96ac98fff7971b3829324c444d00cb7e23271f05aa4daf93f748a58a5fc528f4c034ef0a0997677de8b385d2d5ed97dfe035115c874935e0e375d8d62c35fd4fff28c3f61431fb3b08db0682965c40edac307c8bea8efd92f6ddb6e0139ac4612093bfbb7184717e3fb50ba2590189bc1bbdfb53cca2d007a706c70203010001a381c53081c230130603551d25040c300a06082b06010505070301303606 Attribute 79 (EAP-Message) length=247 Value: 03551d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e636f6d2f6578616d706c655f63612e63726c30180603551d200411300f300d060b2b0601040182be6801030230090603551d1304023000300b0603551d0f0404030205e030410603551d11043a303882197261646975732e74657374656e74657270726973652e6e6574a01b06082b06010505070808a00f0c0d2a2e6578616d706c652e636f6d300d06092a864886f70d01010b050003820101009f9ce9bd1c2537106c790bfc07290bc8b4b8456372bf63e5a3c37c800ac5eccf01758ce5cc844a35ab43fc8b3762eb5058c1d56e75882f Attribute 80 (Message-Authenticator) length=18 Value: 3cd976898d71efd3776fed6f8454ddad Attribute 24 (State) length=18 Value: efe8f55dedacec1214b7abcd56f4cf59 STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending request, round trip time 0.00 sec RADIUS packet matching with station decapsulated EAP packet (code=1 id=68 len=1004) from RADIUS server: EAP-Request-PEAP (25) EAPOL: Received EAP-Packet frame EAPOL: SUPP_BE entering state REQUEST EAPOL: getSuppRsp EAP: EAP entering state RECEIVED EAP: Received EAP-Request id=68 method=25 vendor=0 vendorMethod=0 EAP: EAP entering state METHOD SSL: Received packet(len=1004) - Flags 0xc0 SSL: TLS Message Length: 2760 SSL: Need 1766 bytes more input data SSL: Building ACK (type=25 id=68 ver=0) EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL eapRespData=0x1110cd0 EAP: EAP entering state SEND_RESPONSE EAP: EAP entering state IDLE EAPOL: SUPP_BE entering state RESPONSE EAPOL: txSuppRsp WPA: eapol_test_eapol_send(type=0 len=6) TX EAP -> RADIUS - hexdump(len=6): 02 44 00 06 19 00 Encapsulating EAP message into a RADIUS packet Copied RADIUS State Attribute Sending RADIUS message to authentication server RADIUS message: code=1 (Access-Request) identifier=3 length=142 Attribute 1 (User-Name) length=11 Value: 'anonymous' Attribute 4 (NAS-IP-Address) length=6 Value: 127.0.0.1 Attribute 31 (Calling-Station-Id) length=19 Value: '02-00-00-00-00-01' Attribute 12 (Framed-MTU) length=6 Value: 1400 Attribute 61 (NAS-Port-Type) length=6 Value: 19 Attribute 6 (Service-Type) length=6 Value: 2 Attribute 77 (Connect-Info) length=24 Value: 'CONNECT 11Mbps 802.11b' Attribute 79 (EAP-Message) length=8 Value: 024400061900 Attribute 24 (State) length=18 Value: efe8f55dedacec1214b7abcd56f4cf59 Attribute 80 (Message-Authenticator) length=18 Value: d8c50f9e864d3c1fc0bb78df5c3185e7 Next RADIUS client retransmit in 3 seconds EAPOL: SUPP_BE entering state RECEIVE Received 1064 bytes from RADIUS server Received RADIUS message RADIUS message: code=11 (Access-Challenge) identifier=3 length=1064 Attribute 79 (EAP-Message) length=255 Value: 014503e81940b09b39422765fcef3f0567ec4d519eb29497db52b64cd89e7bc9768e2a8ef903cf9e328a8bd0cb0bad6aab99e56982d6e8b66ad62f9719c6f0587e7f3835f771c593425e4f78af21dec01a5d490da8e94eba0714b353f0b4806ad935bbdb86e0f7c07195682c5312c6e8e99cf2991d6458c4803ff5b690ca70236a059e18a58aa0f6bb0c5fd0b56f8cb1460aa4c7fcafddc496b2b39544a0eaae299e2385d68518db052784435eff7057a0caec709d809451cf18699ff1a0e11e4d23e7234b60a1e7b2eb93884988f50004bf308204bb308203a3a0030201020209008354c900ae762331300d06092a864886f70d01010b050030818031 Attribute 79 (EAP-Message) length=255 Value: 0b300906035504061302434e310b300906035504080c024744310b300906035504070c02535a31133011060355040a0c0a527569516920496e632e310e300c060355040b0c0552756951693120301e06092a864886f70d0109011611313531313831353634324071712e636f6d3110300e06035504030c0743415f54455354301e170d3232303632313038303833395a170d3233303632313038303833395a308180310b300906035504061302434e310b300906035504080c024744310b300906035504070c02535a31133011060355040a0c0a527569516920496e632e310e300c060355040b0c0552756951693120301e06092a864886f70d010901 Attribute 79 (EAP-Message) length=255 Value: 1611313531313831353634324071712e636f6d3110300e06035504030c0743415f5445535430820122300d06092a864886f70d01010105000382010f003082010a0282010100cc00b60869b4a740477f66a9623b8502a662e1b92461e40d2b8ab293382c9ebd19ab92f3a3aa5b101065c259253e9daf5d9a4b8e74db3651990591d9a0e56f6d7617a41f2e90dbc693c727b8358e949a733c20e9a2494c4dc9459a80f557ccab7adcfef0708cdafcb47aeeee48c491091dd1b4a1a6c3cc78e4c50e5d29c63692fef3689d9e8e9885bc8df63f9bb20c13a151effadbcba35cf4d15b47cf90d19b07ceaa986ff23162011d2d33ab8678a1aa3a145ecd709a Attribute 79 (EAP-Message) length=243 Value: fa00ce72db14ee1b0d5853979b2ee624c57b37dfa49c7e9e25dc51ce83382baa8af693001cc9b3931642c9355c4401f00f7766d862f4fc17a009ed0d8f963b5569c47a21486e4efa950203010001a382013430820130301d0603551d0e041604142df8c42bc2e019ae77764af4179832e75edcb6b93081b50603551d230481ad3081aa80142df8c42bc2e019ae77764af4179832e75edcb6b9a18186a48183308180310b300906035504061302434e310b300906035504080c024744310b300906035504070c02535a31133011060355040a0c0a527569516920496e632e310e300c060355040b0c055275695169312030 Attribute 80 (Message-Authenticator) length=18 Value: a13b568e8e11ba349ae8d0bb27f0f5e4 Attribute 24 (State) length=18 Value: efe8f55decadec1214b7abcd56f4cf59 STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending request, round trip time 0.00 sec RADIUS packet matching with station decapsulated EAP packet (code=1 id=69 len=1000) from RADIUS server: EAP-Request-PEAP (25) EAPOL: Received EAP-Packet frame EAPOL: SUPP_BE entering state REQUEST EAPOL: getSuppRsp EAP: EAP entering state RECEIVED EAP: Received EAP-Request id=69 method=25 vendor=0 vendorMethod=0 EAP: EAP entering state METHOD SSL: Received packet(len=1000) - Flags 0x40 SSL: Need 772 bytes more input data SSL: Building ACK (type=25 id=69 ver=0) EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL eapRespData=0x110fc50 EAP: EAP entering state SEND_RESPONSE EAP: EAP entering state IDLE EAPOL: SUPP_BE entering state RESPONSE EAPOL: txSuppRsp WPA: eapol_test_eapol_send(type=0 len=6) TX EAP -> RADIUS - hexdump(len=6): 02 45 00 06 19 00 Encapsulating EAP message into a RADIUS packet Copied RADIUS State Attribute Sending RADIUS message to authentication server RADIUS message: code=1 (Access-Request) identifier=4 length=142 Attribute 1 (User-Name) length=11 Value: 'anonymous' Attribute 4 (NAS-IP-Address) length=6 Value: 127.0.0.1 Attribute 31 (Calling-Station-Id) length=19 Value: '02-00-00-00-00-01' Attribute 12 (Framed-MTU) length=6 Value: 1400 Attribute 61 (NAS-Port-Type) length=6 Value: 19 Attribute 6 (Service-Type) length=6 Value: 2 Attribute 77 (Connect-Info) length=24 Value: 'CONNECT 11Mbps 802.11b' Attribute 79 (EAP-Message) length=8 Value: 024500061900 Attribute 24 (State) length=18 Value: efe8f55decadec1214b7abcd56f4cf59 Attribute 80 (Message-Authenticator) length=18 Value: a07a7d96fe448cc4f3e58072e370eb5b Next RADIUS client retransmit in 3 seconds EAPOL: SUPP_BE entering state RECEIVE Received 842 bytes from RADIUS server Received RADIUS message RADIUS message: code=11 (Access-Challenge) identifier=4 length=842 Attribute 79 (EAP-Message) length=255 Value: 0146030a19001e06092a864886f70d0109011611313531313831353634324071712e636f6d3110300e06035504030c0743415f544553548209008354c900ae762331300f0603551d130101ff040530030101ff300e0603551d0f0101ff04040302018630360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e6f72672f6578616d706c655f63612e63726c300d06092a864886f70d01010b05000382010100843e19a985c313869df631f409b95a3654bd10ad0ed41a25cf6998deb19f1b145d824781167bf8f92c98cebe0eb9d549235cee7c4ec2a373ba521944407008d35aa1a90f4f61b74ee3291d3b1817 Attribute 79 (EAP-Message) length=255 Value: 616c1fa48fb7487918e9cad386c743a67159746f91374c7d9f14b8f2f321908d7fd8b20c66d00be01fd1318763acd5a8bd34857bec919ba402c0fcbbda6049eb30053b00c495a95190b47da04ce1a122bfd8bc0d89e467c2852f949430d039b0800e80ac31450de7d5b8076cbff95cec6c4cb84f030543c4557fa2f8ced6e89c990c208a51834740cafdcd707f4c4bf007a431eb073e876e2c02159c8e882ab343df90d564dfc37f21ffe99e30d4e100585a160303014d0c0001490300174104b53c825d838d701b6d4aefe6932d1b1a6a561cb1964fbf8bf085a0d7972707e93f47a9c789cdf25636f0d8aefbbac181c7c983a8236aa4ab7a3aef547e Attribute 79 (EAP-Message) length=255 Value: 4568fb06010100a84c644a3a507800915a12b1ad028d6b0c7630f3734b18a7499da043908651a2d5768fdcb341a1e1c4e83c49ad3448c0622157f0fcbd8a4be9ae05fe8f4963c71501264d359a83debbe9af0f6d15d87f36090446882dc8e7de2ac67e003f8fa339bf9fab0c9c37c29e709c546183557b1a59c37086eedb2ea0d5b389f06165cd9bb315640eb7ae3b77da4f6855b51cbf373951f8d0ff39c99ecb74d6021d695cc4f4ee303275e220d55cc24b31f7aa7d9989f260bde58dadcd2e8ba6c3ed47acd6688543eca490bff1560dcf08c3d7bf6a9446fcad85589b23ad7d804b5843903727c6229e1ed925488cdfb33152b275ec72ca9aa3dc Attribute 79 (EAP-Message) length=21 Value: 9380def39800c6e003d916030300040e000000 Attribute 80 (Message-Authenticator) length=18 Value: 85b347d13ca5839548002780d80a825c Attribute 24 (State) length=18 Value: efe8f55debaeec1214b7abcd56f4cf59 STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending request, round trip time 0.00 sec RADIUS packet matching with station decapsulated EAP packet (code=1 id=70 len=778) from RADIUS server: EAP-Request-PEAP (25) EAPOL: Received EAP-Packet frame EAPOL: SUPP_BE entering state REQUEST EAPOL: getSuppRsp EAP: EAP entering state RECEIVED EAP: Received EAP-Request id=70 method=25 vendor=0 vendorMethod=0 EAP: EAP entering state METHOD SSL: Received packet(len=778) - Flags 0x00 OpenSSL: RX ver=0x0 content_type=256 (TLS header info/) OpenSSL: Message - hexdump(len=5): 16 03 03 00 3e OpenSSL: RX ver=0x303 content_type=22 (handshake/server hello) OpenSSL: Message - hexdump(len=62): 02 00 00 3a 03 03 18 0c 45 37 9f 01 e3 aa 52 ee 64 a5 c2 76 13 04 7f 3d fd 8d 30 9f 83 11 ff 14 1a a9 06 92 19 e5 00 c0 30 00 00 12 ff 01 00 01 00 00 0b 00 04 03 00 01 02 00 0f 00 01 01 SSL: (where=0x1001 ret=0x1) SSL: SSL_connect:SSLv3 read server hello A OpenSSL: RX ver=0x0 content_type=256 (TLS header info/) OpenSSL: Message - hexdump(len=5): 16 03 03 09 25 OpenSSL: RX ver=0x303 content_type=22 (handshake/certificate) OpenSSL: Message - hexdump(len=2341): 0b 00 09 21 00 09 1e 00 04 59 30 82 04 55 30 82 03 3d a0 03 02 01 02 02 01 02 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 81 80 31 0b 30 09 06 03 55 04 06 13 02 43 4e 31 0b 30 09 06 03 55 04 08 0c 02 47 44 31 0b 30 09 06 03 55 04 07 0c 02 53 5a 31 13 30 11 06 03 55 04 0a 0c 0a 52 75 69 51 69 20 49 6e 63 2e 31 0e 30 0c 06 03 55 04 0b 0c 05 52 75 69 51 69 31 20 30 1e 06 09 2a 86 48 86 f7 0d 01 09 01 16 11 31 35 31 31 38 31 35 36 34 32 40 71 71 2e 63 6f 6d 31 10 30 0e 06 03 55 04 03 0c 07 43 41 5f 54 45 53 54 30 1e 17 0d 32 32 30 36 32 31 30 38 32 33 35 31 5a 17 0d 32 33 30 36 32 31 30 38 32 33 35 31 5a 30 81 92 31 0b 30 09 06 03 55 04 06 13 02 43 4e 31 0b 30 09 06 03 55 04 08 0c 02 47 44 31 0b 30 09 06 03 55 04 07 0c 02 53 5a 31 13 30 11 06 03 55 04 0a 0c 0a 52 75 69 51 69 20 49 6e 63 2e 31 0e 30 0c 06 03 55 04 0b 0c 05 52 75 69 51 69 31 22 30 20 06 03 55 04 03 0c 19 72 61 64 69 75 73 2e 74 65 73 74 65 6e 74 65 72 70 72 69 73 65 2e 6e 65 74 31 20 30 1e 06 09 2a 86 48 86 f7 0d 01 09 01 16 11 31 35 31 31 38 31 35 36 34 32 40 71 71 2e 63 6f 6d 30 82 01 22 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 82 01 0f 00 30 82 01 0a 02 82 01 01 00 c0 cf 7d 98 46 df cf db bd 38 64 f1 36 7a c4 8a 39 37 0a b5 ef 23 f1 8a 8f 37 d5 62 97 82 72 d5 a4 5f 29 eb 3c f4 21 ed 1d 16 82 c6 c5 1d 0b 5c 90 15 87 3e 20 db 21 cb ac 31 a4 3a 94 55 9a dc ac e1 18 19 e0 c2 d2 b7 da aa 9c ec 14 36 f0 8f 7d a9 67 ba df 69 2f 55 b3 33 8e 32 f8 17 45 94 ce 51 27 04 2d 75 30 b7 b6 4d 5a 9a 96 1f fe 9b e0 b3 a5 40 4d 21 0d d1 cd 35 7b 5b 7c a2 07 29 98 30 42 e5 be 96 ac 98 ff f7 97 1b 38 29 32 4c 44 4d 00 cb 7e 23 27 1f 05 aa 4d af 93 f7 48 a5 8a 5f c5 28 f4 c0 34 ef 0a 09 97 67 7d e8 b3 85 d2 d5 ed 97 df e0 35 11 5c 87 49 35 e0 e3 75 d8 d6 2c 35 fd 4f ff 28 c3 f6 14 31 fb 3b 08 db 06 82 96 5c 40 ed ac 30 7c 8b ea 8e fd 92 f6 dd b6 e0 13 9a c4 61 20 93 bf bb 71 84 71 7e 3f b5 0b a2 59 01 89 bc 1b bd fb 53 cc a2 d0 07 a7 06 c7 02 03 01 00 01 a3 81 c5 30 81 c2 30 13 06 03 55 1d 25 04 0c 30 0a 06 08 2b 06 01 05 05 07 03 01 30 36 06 03 55 1d 1f 04 2f 30 2d 30 2b a0 29 a0 27 86 25 68 74 74 70 3a 2f 2f 77 77 77 2e 65 78 61 6d 70 6c 65 2e 63 6f 6d 2f 65 78 61 6d 70 6c 65 5f 63 61 2e 63 72 6c 30 18 06 03 55 1d 20 04 11 30 0f 30 0d 06 0b 2b 06 01 04 01 82 be 68 01 03 02 30 09 06 03 55 1d 13 04 02 30 00 30 0b 06 03 55 1d 0f 04 04 03 02 05 e0 30 41 06 03 55 1d 11 04 3a 30 38 82 19 72 61 64 69 75 73 2e 74 65 73 74 65 6e 74 65 72 70 72 69 73 65 2e 6e 65 74 a0 1b 06 08 2b 06 01 05 05 07 08 08 a0 0f 0c 0d 2a 2e 65 78 61 6d 70 6c 65 2e 63 6f 6d 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 03 82 01 01 00 9f 9c e9 bd 1c 25 37 10 6c 79 0b fc 07 29 0b c8 b4 b8 45 63 72 bf 63 e5 a3 c3 7c 80 0a c5 ec cf 01 75 8c e5 cc 84 4a 35 ab 43 fc 8b 37 62 eb 50 58 c1 d5 6e 75 88 2f b0 9b 39 42 27 65 fc ef 3f 05 67 ec 4d 51 9e b2 94 97 db 52 b6 4c d8 9e 7b c9 76 8e 2a 8e f9 03 cf 9e 32 8a 8b d0 cb 0b ad 6a ab 99 e5 69 82 d6 e8 b6 6a d6 2f 97 19 c6 f0 58 7e 7f 38 35 f7 71 c5 93 42 5e 4f 78 af 21 de c0 1a 5d 49 0d a8 e9 4e ba 07 14 b3 53 f0 b4 80 6a d9 35 bb db 86 e0 f7 c0 71 95 68 2c 53 12 c6 e8 e9 9c f2 99 1d 64 58 c4 80 3f f5 b6 90 ca 70 23 6a 05 9e 18 a5 8a a0 f6 bb 0c 5f d0 b5 6f 8c b1 46 0a a4 c7 fc af dd c4 96 b2 b3 95 44 a0 ea ae 29 9e 23 85 d6 85 18 db 05 27 84 43 5e ff 70 57 a0 ca ec 70 9d 80 94 51 cf 18 69 9f f1 a0 e1 1e 4d 23 e7 23 4b 60 a1 e7 b2 eb 93 88 49 88 f5 00 04 bf 30 82 04 bb 30 82 03 a3 a0 03 02 01 02 02 09 00 83 54 c9 00 ae 76 23 31 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 81 80 31 0b 30 09 06 03 55 04 06 13 02 43 4e 31 0b 30 09 06 03 55 04 08 0c 02 47 44 31 0b 30 09 06 03 55 04 07 0c 02 53 5a 31 13 30 11 06 03 55 04 0a 0c 0a 52 75 69 51 69 20 49 6e 63 2e 31 0e 30 0c 06 03 55 04 0b 0c 05 52 75 69 51 69 31 20 30 1e 06 09 2a 86 48 86 f7 0d 01 09 01 16 11 31 35 31 31 38 31 35 36 34 32 40 71 71 2e 63 6f 6d 31 10 30 0e 06 03 55 04 03 0c 07 43 41 5f 54 45 53 54 30 1e 17 0d 32 32 30 36 32 31 30 38 30 38 33 39 5a 17 0d 32 33 30 36 32 31 30 38 30 38 33 39 5a 30 81 80 31 0b 30 09 06 03 55 04 06 13 02 43 4e 31 0b 30 09 06 03 55 04 08 0c 02 47 44 31 0b 30 09 06 03 55 04 07 0c 02 53 5a 31 13 30 11 06 03 55 04 0a 0c 0a 52 75 69 51 69 20 49 6e 63 2e 31 0e 30 0c 06 03 55 04 0b 0c 05 52 75 69 51 69 31 20 30 1e 06 09 2a 86 48 86 f7 0d 01 09 01 16 11 31 35 31 31 38 31 35 36 34 32 40 71 71 2e 63 6f 6d 31 10 30 0e 06 03 55 04 03 0c 07 43 41 5f 54 45 53 54 30 82 01 22 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 82 01 0f 00 30 82 01 0a 02 82 01 01 00 cc 00 b6 08 69 b4 a7 40 47 7f 66 a9 62 3b 85 02 a6 62 e1 b9 24 61 e4 0d 2b 8a b2 93 38 2c 9e bd 19 ab 92 f3 a3 aa 5b 10 10 65 c2 59 25 3e 9d af 5d 9a 4b 8e 74 db 36 51 99 05 91 d9 a0 e5 6f 6d 76 17 a4 1f 2e 90 db c6 93 c7 27 b8 35 8e 94 9a 73 3c 20 e9 a2 49 4c 4d c9 45 9a 80 f5 57 cc ab 7a dc fe f0 70 8c da fc b4 7a ee ee 48 c4 91 09 1d d1 b4 a1 a6 c3 cc 78 e4 c5 0e 5d 29 c6 36 92 fe f3 68 9d 9e 8e 98 85 bc 8d f6 3f 9b b2 0c 13 a1 51 ef fa db cb a3 5c f4 d1 5b 47 cf 90 d1 9b 07 ce aa 98 6f f2 31 62 01 1d 2d 33 ab 86 78 a1 aa 3a 14 5e cd 70 9a fa 00 ce 72 db 14 ee 1b 0d 58 53 97 9b 2e e6 24 c5 7b 37 df a4 9c 7e 9e 25 dc 51 ce 83 38 2b aa 8a f6 93 00 1c c9 b3 93 16 42 c9 35 5c 44 01 f0 0f 77 66 d8 62 f4 fc 17 a0 09 ed 0d 8f 96 3b 55 69 c4 7a 21 48 6e 4e fa 95 02 03 01 00 01 a3 82 01 34 30 82 01 30 30 1d 06 03 55 1d 0e 04 16 04 14 2d f8 c4 2b c2 e0 19 ae 77 76 4a f4 17 98 32 e7 5e dc b6 b9 30 81 b5 06 03 55 1d 23 04 81 ad 30 81 aa 80 14 2d f8 c4 2b c2 e0 19 ae 77 76 4a f4 17 98 32 e7 5e dc b6 b9 a1 81 86 a4 81 83 30 81 80 31 0b 30 09 06 03 55 04 06 13 02 43 4e 31 0b 30 09 06 03 55 04 08 0c 02 47 44 31 0b 30 09 06 03 55 04 07 0c 02 53 5a 31 13 30 11 06 03 55 04 0a 0c 0a 52 75 69 51 69 20 49 6e 63 2e 31 0e 30 0c 06 03 55 04 0b 0c 05 52 75 69 51 69 31 20 30 1e 06 09 2a 86 48 86 f7 0d 01 09 01 16 11 31 35 31 31 38 31 35 36 34 32 40 71 71 2e 63 6f 6d 31 10 30 0e 06 03 55 04 03 0c 07 43 41 5f 54 45 53 54 82 09 00 83 54 c9 00 ae 76 23 31 30 0f 06 03 55 1d 13 01 01 ff 04 05 30 03 01 01 ff 30 0e 06 03 55 1d 0f 01 01 ff 04 04 03 02 01 86 30 36 06 03 55 1d 1f 04 2f 30 2d 30 2b a0 29 a0 27 86 25 68 74 74 70 3a 2f 2f 77 77 77 2e 65 78 61 6d 70 6c 65 2e 6f 72 67 2f 65 78 61 6d 70 6c 65 5f 63 61 2e 63 72 6c 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 03 82 01 01 00 84 3e 19 a9 85 c3 13 86 9d f6 31 f4 09 b9 5a 36 54 bd 10 ad 0e d4 1a 25 cf 69 98 de b1 9f 1b 14 5d 82 47 81 16 7b f8 f9 2c 98 ce be 0e b9 d5 49 23 5c ee 7c 4e c2 a3 73 ba 52 19 44 40 70 08 d3 5a a1 a9 0f 4f 61 b7 4e e3 29 1d 3b 18 17 61 6c 1f a4 8f b7 48 79 18 e9 ca d3 86 c7 43 a6 71 59 74 6f 91 37 4c 7d 9f 14 b8 f2 f3 21 90 8d 7f d8 b2 0c 66 d0 0b e0 1f d1 31 87 63 ac d5 a8 bd 34 85 7b ec 91 9b a4 02 c0 fc bb da 60 49 eb 30 05 3b 00 c4 95 a9 51 90 b4 7d a0 4c e1 a1 22 bf d8 bc 0d 89 e4 67 c2 85 2f 94 94 30 d0 39 b0 80 0e 80 ac 31 45 0d e7 d5 b8 07 6c bf f9 5c ec 6c 4c b8 4f 03 05 43 c4 55 7f a2 f8 ce d6 e8 9c 99 0c 20 8a 51 83 47 40 ca fd cd 70 7f 4c 4b f0 07 a4 31 eb 07 3e 87 6e 2c 02 15 9c 8e 88 2a b3 43 df 90 d5 64 df c3 7f 21 ff e9 9e 30 d4 e1 00 58 5a OpenSSL: Peer certificate - depth 1 Certificate: Data: Version: 3 (0x2) Serial Number: 83:54:c9:00:ae:76:23:31 Signature Algorithm: sha256WithRSAEncryption Issuer: C=CN, ST=GD, L=SZ, O=RuiQi Inc., OU=RuiQi/emailAddress=1511815642(a)qq.com, CN=CA_TEST Validity Not Before: Jun 21 08:08:39 2022 GMT Not After : Jun 21 08:08:39 2023 GMT Subject: C=CN, ST=GD, L=SZ, O=RuiQi Inc., OU=RuiQi/emailAddress=1511815642(a)qq.com, CN=CA_TEST Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:cc:00:b6:08:69:b4:a7:40:47:7f:66:a9:62:3b: 85:02:a6:62:e1:b9:24:61:e4:0d:2b:8a:b2:93:38: 2c:9e:bd:19:ab:92:f3:a3:aa:5b:10:10:65:c2:59: 25:3e:9d:af:5d:9a:4b:8e:74:db:36:51:99:05:91: d9:a0:e5:6f:6d:76:17:a4:1f:2e:90:db:c6:93:c7: 27:b8:35:8e:94:9a:73:3c:20:e9:a2:49:4c:4d:c9: 45:9a:80:f5:57:cc:ab:7a:dc:fe:f0:70:8c:da:fc: b4:7a:ee:ee:48:c4:91:09:1d:d1:b4:a1:a6:c3:cc: 78:e4:c5:0e:5d:29:c6:36:92:fe:f3:68:9d:9e:8e: 98:85:bc:8d:f6:3f:9b:b2:0c:13:a1:51:ef:fa:db: cb:a3:5c:f4:d1:5b:47:cf:90:d1:9b:07:ce:aa:98: 6f:f2:31:62:01:1d:2d:33:ab:86:78:a1:aa:3a:14: 5e:cd:70:9a:fa:00:ce:72:db:14:ee:1b:0d:58:53: 97:9b:2e:e6:24:c5:7b:37:df:a4:9c:7e:9e:25:dc: 51:ce:83:38:2b:aa:8a:f6:93:00:1c:c9:b3:93:16: 42:c9:35:5c:44:01:f0:0f:77:66:d8:62:f4:fc:17: a0:09:ed:0d:8f:96:3b:55:69:c4:7a:21:48:6e:4e: fa:95 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Key Identifier: 2D:F8:C4:2B:C2:E0:19:AE:77:76:4A:F4:17:98:32:E7:5E:DC:B6:B9 X509v3 Authority Key Identifier: keyid:2D:F8:C4:2B:C2:E0:19:AE:77:76:4A:F4:17:98:32:E7:5E:DC:B6:B9 DirName:/C=CN/ST=GD/L=SZ/O=RuiQi Inc./OU=RuiQi/emailAddress=1511815642(a)qq.com/CN=CA_TEST serial:83:54:C9:00:AE:76:23:31 X509v3 Basic Constraints: critical CA:TRUE X509v3 Key Usage: critical Digital Signature, Certificate Sign, CRL Sign X509v3 CRL Distribution Points: Full Name: URI:http://www.example.org/example_ca.crl Signature Algorithm: sha256WithRSAEncryption 84:3e:19:a9:85:c3:13:86:9d:f6:31:f4:09:b9:5a:36:54:bd: 10:ad:0e:d4:1a:25:cf:69:98:de:b1:9f:1b:14:5d:82:47:81: 16:7b:f8:f9:2c:98:ce:be:0e:b9:d5:49:23:5c:ee:7c:4e:c2: a3:73:ba:52:19:44:40:70:08:d3:5a:a1:a9:0f:4f:61:b7:4e: e3:29:1d:3b:18:17:61:6c:1f:a4:8f:b7:48:79:18:e9:ca:d3: 86:c7:43:a6:71:59:74:6f:91:37:4c:7d:9f:14:b8:f2:f3:21: 90:8d:7f:d8:b2:0c:66:d0:0b:e0:1f:d1:31:87:63:ac:d5:a8: bd:34:85:7b:ec:91:9b:a4:02:c0:fc:bb:da:60:49:eb:30:05: 3b:00:c4:95:a9:51:90:b4:7d:a0:4c:e1:a1:22:bf:d8:bc:0d: 89:e4:67:c2:85:2f:94:94:30:d0:39:b0:80:0e:80:ac:31:45: 0d:e7:d5:b8:07:6c:bf:f9:5c:ec:6c:4c:b8:4f:03:05:43:c4: 55:7f:a2:f8:ce:d6:e8:9c:99:0c:20:8a:51:83:47:40:ca:fd: cd:70:7f:4c:4b:f0:07:a4:31:eb:07:3e:87:6e:2c:02:15:9c: 8e:88:2a:b3:43:df:90:d5:64:df:c3:7f:21:ff:e9:9e:30:d4: e1:00:58:5a CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/C=CN/ST=GD/L=SZ/O=RuiQi Inc./OU=RuiQi/emailAddress=1511815642(a)qq.com/CN=CA_TEST' hash=cf803820f0de23195a5a995b6de5517777b404df7d1e680754b49676687edebf TLS: tls_verify_cb - preverify_ok=1 err=0 (ok) ca_cert_verify=1 depth=1 buf='/C=CN/ST=GD/L=SZ/O=RuiQi Inc./OU=RuiQi/emailAddress=1511815642(a)qq.com/CN=CA_TEST' OpenSSL: Peer certificate - depth 0 Certificate: Data: Version: 3 (0x2) Serial Number: 2 (0x2) Signature Algorithm: sha256WithRSAEncryption Issuer: C=CN, ST=GD, L=SZ, O=RuiQi Inc., OU=RuiQi/emailAddress=1511815642(a)qq.com, CN=CA_TEST Validity Not Before: Jun 21 08:23:51 2022 GMT Not After : Jun 21 08:23:51 2023 GMT Subject: C=CN, ST=GD, L=SZ, O=RuiQi Inc., OU=RuiQi, CN=radius.testenterprise.net/emailAddress=1511815642@qq.com Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:c0:cf:7d:98:46:df:cf:db:bd:38:64:f1:36:7a: c4:8a:39:37:0a:b5:ef:23:f1:8a:8f:37:d5:62:97: 82:72:d5:a4:5f:29:eb:3c:f4:21:ed:1d:16:82:c6: c5:1d:0b:5c:90:15:87:3e:20:db:21:cb:ac:31:a4: 3a:94:55:9a:dc:ac:e1:18:19:e0:c2:d2:b7:da:aa: 9c:ec:14:36:f0:8f:7d:a9:67:ba:df:69:2f:55:b3: 33:8e:32:f8:17:45:94:ce:51:27:04:2d:75:30:b7: b6:4d:5a:9a:96:1f:fe:9b:e0:b3:a5:40:4d:21:0d: d1:cd:35:7b:5b:7c:a2:07:29:98:30:42:e5:be:96: ac:98:ff:f7:97:1b:38:29:32:4c:44:4d:00:cb:7e: 23:27:1f:05:aa:4d:af:93:f7:48:a5:8a:5f:c5:28: f4:c0:34:ef:0a:09:97:67:7d:e8:b3:85:d2:d5:ed: 97:df:e0:35:11:5c:87:49:35:e0:e3:75:d8:d6:2c: 35:fd:4f:ff:28:c3:f6:14:31:fb:3b:08:db:06:82: 96:5c:40:ed:ac:30:7c:8b:ea:8e:fd:92:f6:dd:b6: e0:13:9a:c4:61:20:93:bf:bb:71:84:71:7e:3f:b5: 0b:a2:59:01:89:bc:1b:bd:fb:53:cc:a2:d0:07:a7: 06:c7 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Extended Key Usage: TLS Web Server Authentication X509v3 CRL Distribution Points: Full Name: URI:http://www.example.com/example_ca.crl X509v3 Certificate Policies: Policy: 1.3.6.1.4.1.40808.1.3.2 X509v3 Basic Constraints: CA:FALSE X509v3 Key Usage: Digital Signature, Non Repudiation, Key Encipherment X509v3 Subject Alternative Name: DNS:radius.testenterprise.net, othername:<unsupported> Signature Algorithm: sha256WithRSAEncryption 9f:9c:e9:bd:1c:25:37:10:6c:79:0b:fc:07:29:0b:c8:b4:b8: 45:63:72:bf:63:e5:a3:c3:7c:80:0a:c5:ec:cf:01:75:8c:e5: cc:84:4a:35:ab:43:fc:8b:37:62:eb:50:58:c1:d5:6e:75:88: 2f:b0:9b:39:42:27:65:fc:ef:3f:05:67:ec:4d:51:9e:b2:94: 97:db:52:b6:4c:d8:9e:7b:c9:76:8e:2a:8e:f9:03:cf:9e:32: 8a:8b:d0:cb:0b:ad:6a:ab:99:e5:69:82:d6:e8:b6:6a:d6:2f: 97:19:c6:f0:58:7e:7f:38:35:f7:71:c5:93:42:5e:4f:78:af: 21:de:c0:1a:5d:49:0d:a8:e9:4e:ba:07:14:b3:53:f0:b4:80: 6a:d9:35:bb:db:86:e0:f7:c0:71:95:68:2c:53:12:c6:e8:e9: 9c:f2:99:1d:64:58:c4:80:3f:f5:b6:90:ca:70:23:6a:05:9e: 18:a5:8a:a0:f6:bb:0c:5f:d0:b5:6f:8c:b1:46:0a:a4:c7:fc: af:dd:c4:96:b2:b3:95:44:a0:ea:ae:29:9e:23:85:d6:85:18: db:05:27:84:43:5e:ff:70:57:a0:ca:ec:70:9d:80:94:51:cf: 18:69:9f:f1:a0:e1:1e:4d:23:e7:23:4b:60:a1:e7:b2:eb:93: 88:49:88:f5 OpenSSL: Certificate Policy 1.3.6.1.4.1.40808.1.3.2 CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/C=CN/ST=GD/L=SZ/O=RuiQi Inc./OU=RuiQi/CN=radius.testenterprise.net/emailAddress=1511815642@qq.com' hash=e5a34c125494ec5850da2acbfcd943c1ff0640e80d87d1e73dab9cd00218a4fd CTRL-EVENT-EAP-PEER-ALT depth=0 DNS:radius.testenterprise.net TLS: tls_verify_cb - preverify_ok=1 err=0 (ok) ca_cert_verify=1 depth=0 buf='/C=CN/ST=GD/L=SZ/O=RuiQi Inc./OU=RuiQi/CN=radius.testenterprise.net/emailAddress=1511815642@qq.com' EAP: Status notification: remote certificate verification (param=success) SSL: (where=0x1001 ret=0x1) SSL: SSL_connect:SSLv3 read server certificate A OpenSSL: RX ver=0x0 content_type=256 (TLS header info/) OpenSSL: Message - hexdump(len=5): 16 03 03 01 4d OpenSSL: RX ver=0x303 content_type=22 (handshake/server key exchange) OpenSSL: Message - hexdump(len=333): 0c 00 01 49 03 00 17 41 04 b5 3c 82 5d 83 8d 70 1b 6d 4a ef e6 93 2d 1b 1a 6a 56 1c b1 96 4f bf 8b f0 85 a0 d7 97 27 07 e9 3f 47 a9 c7 89 cd f2 56 36 f0 d8 ae fb ba c1 81 c7 c9 83 a8 23 6a a4 ab 7a 3a ef 54 7e 45 68 fb 06 01 01 00 a8 4c 64 4a 3a 50 78 00 91 5a 12 b1 ad 02 8d 6b 0c 76 30 f3 73 4b 18 a7 49 9d a0 43 90 86 51 a2 d5 76 8f dc b3 41 a1 e1 c4 e8 3c 49 ad 34 48 c0 62 21 57 f0 fc bd 8a 4b e9 ae 05 fe 8f 49 63 c7 15 01 26 4d 35 9a 83 de bb e9 af 0f 6d 15 d8 7f 36 09 04 46 88 2d c8 e7 de 2a c6 7e 00 3f 8f a3 39 bf 9f ab 0c 9c 37 c2 9e 70 9c 54 61 83 55 7b 1a 59 c3 70 86 ee db 2e a0 d5 b3 89 f0 61 65 cd 9b b3 15 64 0e b7 ae 3b 77 da 4f 68 55 b5 1c bf 37 39 51 f8 d0 ff 39 c9 9e cb 74 d6 02 1d 69 5c c4 f4 ee 30 32 75 e2 20 d5 5c c2 4b 31 f7 aa 7d 99 89 f2 60 bd e5 8d ad cd 2e 8b a6 c3 ed 47 ac d6 68 85 43 ec a4 90 bf f1 56 0d cf 08 c3 d7 bf 6a 94 46 fc ad 85 58 9b 23 ad 7d 80 4b 58 43 90 37 27 c6 22 9e 1e d9 25 48 8c df b3 31 52 b2 75 ec 72 ca 9a a3 dc 93 80 de f3 98 00 c6 e0 03 d9 SSL: (where=0x1001 ret=0x1) SSL: SSL_connect:SSLv3 read server key exchange A OpenSSL: RX ver=0x0 content_type=256 (TLS header info/) OpenSSL: Message - hexdump(len=5): 16 03 03 00 04 OpenSSL: RX ver=0x303 content_type=22 (handshake/server hello done) OpenSSL: Message - hexdump(len=4): 0e 00 00 00 SSL: (where=0x1001 ret=0x1) SSL: SSL_connect:SSLv3 read server done A OpenSSL: TX ver=0x0 content_type=256 (TLS header info/) OpenSSL: Message - hexdump(len=5): 16 03 03 00 46 OpenSSL: TX ver=0x303 content_type=22 (handshake/client key exchange) OpenSSL: Message - hexdump(len=70): 10 00 00 42 41 04 f9 4d 13 c6 79 8d ab c9 ac fd c0 a7 78 3d 66 72 4f 87 5f 91 f1 59 8e 41 63 d2 0b 3b 00 bb 33 4c e3 dd f2 6b 0c c9 7c cf c8 3f 95 27 48 f2 ec b0 18 af 6b 57 e6 fa a5 81 c5 47 aa b7 20 2a 2b 64 SSL: (where=0x1001 ret=0x1) SSL: SSL_connect:SSLv3 write client key exchange A OpenSSL: TX ver=0x0 content_type=256 (TLS header info/) OpenSSL: Message - hexdump(len=5): 14 03 03 00 01 OpenSSL: TX ver=0x303 content_type=20 (change cipher spec/) OpenSSL: Message - hexdump(len=1): 01 SSL: (where=0x1001 ret=0x1) SSL: SSL_connect:SSLv3 write change cipher spec A OpenSSL: TX ver=0x0 content_type=256 (TLS header info/) OpenSSL: Message - hexdump(len=5): 16 03 03 00 28 OpenSSL: TX ver=0x303 content_type=22 (handshake/finished) OpenSSL: Message - hexdump(len=16): 14 00 00 0c 85 72 11 bb cd af ed 5b 6c 66 9f 62 SSL: (where=0x1001 ret=0x1) SSL: SSL_connect:SSLv3 write finished A SSL: (where=0x1001 ret=0x1) SSL: SSL_connect:SSLv3 flush data SSL: (where=0x1002 ret=0xffffffff) SSL: SSL_connect:error in SSLv3 read finished A SSL: (where=0x1002 ret=0xffffffff) SSL: SSL_connect:error in SSLv3 read finished A SSL: SSL_connect - want more data SSL: 126 bytes pending from ssl_out SSL: Using TLS version TLSv1.2 SSL: 126 bytes left to be sent out (of total 126 bytes) EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL eapRespData=0x112a4f0 EAP: EAP entering state SEND_RESPONSE EAP: EAP entering state IDLE EAPOL: SUPP_BE entering state RESPONSE EAPOL: txSuppRsp WPA: eapol_test_eapol_send(type=0 len=136) TX EAP -> RADIUS - hexdump(len=136): 02 46 00 88 19 80 00 00 00 7e 16 03 03 00 46 10 00 00 42 41 04 f9 4d 13 c6 79 8d ab c9 ac fd c0 a7 78 3d 66 72 4f 87 5f 91 f1 59 8e 41 63 d2 0b 3b 00 bb 33 4c e3 dd f2 6b 0c c9 7c cf c8 3f 95 27 48 f2 ec b0 18 af 6b 57 e6 fa a5 81 c5 47 aa b7 20 2a 2b 64 14 03 03 00 01 01 16 03 03 00 28 88 d9 f3 3b 8b ea 0b 89 ae 52 46 98 12 79 71 6b ba 3b 8e 6c a7 0e 59 d7 ae 79 49 60 ef 81 c3 6b d3 7e 98 91 7f f0 e3 5a Encapsulating EAP message into a RADIUS packet Copied RADIUS State Attribute Sending RADIUS message to authentication server RADIUS message: code=1 (Access-Request) identifier=5 length=272 Attribute 1 (User-Name) length=11 Value: 'anonymous' Attribute 4 (NAS-IP-Address) length=6 Value: 127.0.0.1 Attribute 31 (Calling-Station-Id) length=19 Value: '02-00-00-00-00-01' Attribute 12 (Framed-MTU) length=6 Value: 1400 Attribute 61 (NAS-Port-Type) length=6 Value: 19 Attribute 6 (Service-Type) length=6 Value: 2 Attribute 77 (Connect-Info) length=24 Value: 'CONNECT 11Mbps 802.11b' Attribute 79 (EAP-Message) length=138 Value: 0246008819800000007e1603030046100000424104f94d13c6798dabc9acfdc0a7783d66724f875f91f1598e4163d20b3b00bb334ce3ddf26b0cc97ccfc83f952748f2ecb018af6b57e6faa581c547aab7202a2b64140303000101160303002888d9f33b8bea0b89ae5246981279716bba3b8e6ca70e59d7ae794960ef81c36bd37e98917ff0e35a Attribute 24 (State) length=18 Value: efe8f55debaeec1214b7abcd56f4cf59 Attribute 80 (Message-Authenticator) length=18 Value: 5b6fac27bc8eed000d3583be3cbc3d89 Next RADIUS client retransmit in 3 seconds EAPOL: SUPP_BE entering state RECEIVE Received 115 bytes from RADIUS server Received RADIUS message RADIUS message: code=11 (Access-Challenge) identifier=5 length=115 Attribute 79 (EAP-Message) length=59 Value: 0147003919001403030001011603030028928fc7eaaf149c20f409fa31ae0382a5ad74524dd1117d4019f35ba350f27f42d03839545957681e Attribute 80 (Message-Authenticator) length=18 Value: e29d980e66948096a9317cf7ece69db6 Attribute 24 (State) length=18 Value: efe8f55deaafec1214b7abcd56f4cf59 STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending request, round trip time 0.00 sec RADIUS packet matching with station decapsulated EAP packet (code=1 id=71 len=57) from RADIUS server: EAP-Request-PEAP (25) EAPOL: Received EAP-Packet frame EAPOL: SUPP_BE entering state REQUEST EAPOL: getSuppRsp EAP: EAP entering state RECEIVED EAP: Received EAP-Request id=71 method=25 vendor=0 vendorMethod=0 EAP: EAP entering state METHOD SSL: Received packet(len=57) - Flags 0x00 OpenSSL: RX ver=0x0 content_type=256 (TLS header info/) OpenSSL: Message - hexdump(len=5): 14 03 03 00 01 OpenSSL: RX ver=0x303 content_type=20 (change cipher spec/) OpenSSL: Message - hexdump(len=1): 01 OpenSSL: RX ver=0x0 content_type=256 (TLS header info/) OpenSSL: Message - hexdump(len=5): 16 03 03 00 28 OpenSSL: RX ver=0x303 content_type=22 (handshake/finished) OpenSSL: Message - hexdump(len=16): 14 00 00 0c b1 ea 13 95 ae f1 6f e7 91 ef 48 01 SSL: (where=0x1001 ret=0x1) SSL: SSL_connect:SSLv3 read finished A SSL: (where=0x20 ret=0x1) SSL: (where=0x1002 ret=0x1) SSL: 0 bytes pending from ssl_out OpenSSL: Handshake finished - resumed=0 SSL: No Application Data included SSL: Using TLS version TLSv1.2 SSL: No data to be sent out EAP-PEAP: TLS done, proceed to Phase 2 EAP-PEAP: using label 'client EAP encryption' in key derivation EAP-PEAP: Derived key - hexdump(len=64): d7 3d 78 a8 00 46 b8 4f 1a 7a b0 3d 8d 91 d6 99 f3 f2 b2 e4 9f 7d 1b db 26 c1 e4 87 f4 c4 bc b9 cc 3b 4d 83 a6 cc 38 2a 34 22 99 b7 99 ab c1 ed bf b3 da f5 0d 16 91 11 e0 00 ff ac 07 56 38 dc EAP-PEAP: Derived EMSK - hexdump(len=64): 3d 67 3a 3b cd 60 8f 0d c7 c0 da 46 36 9e f2 ef cf 6e 44 c2 43 40 bf 14 bf a2 8f 84 d7 ff 32 9e a0 5b 91 58 77 be 7f a5 f0 65 0d 5c f1 fa 6f f9 c3 aa 3b ec 93 01 9a df eb 9e f6 d1 1e cd a1 a0 EAP-PEAP: Derived Session-Id - hexdump(len=65): 19 cb 2e 6f 2c 46 d4 84 50 99 20 9b ab 25 1e 7b 1a 70 35 33 42 41 66 70 e9 f8 51 a3 8e bf aa 24 d7 18 0c 45 37 9f 01 e3 aa 52 ee 64 a5 c2 76 13 04 7f 3d fd 8d 30 9f 83 11 ff 14 1a a9 06 92 19 e5 SSL: Building ACK (type=25 id=71 ver=0) EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL eapRespData=0x1110570 EAP: EAP entering state SEND_RESPONSE EAP: EAP entering state IDLE EAPOL: SUPP_BE entering state RESPONSE EAPOL: txSuppRsp WPA: eapol_test_eapol_send(type=0 len=6) TX EAP -> RADIUS - hexdump(len=6): 02 47 00 06 19 00 Encapsulating EAP message into a RADIUS packet Copied RADIUS State Attribute Sending RADIUS message to authentication server RADIUS message: code=1 (Access-Request) identifier=6 length=142 Attribute 1 (User-Name) length=11 Value: 'anonymous' Attribute 4 (NAS-IP-Address) length=6 Value: 127.0.0.1 Attribute 31 (Calling-Station-Id) length=19 Value: '02-00-00-00-00-01' Attribute 12 (Framed-MTU) length=6 Value: 1400 Attribute 61 (NAS-Port-Type) length=6 Value: 19 Attribute 6 (Service-Type) length=6 Value: 2 Attribute 77 (Connect-Info) length=24 Value: 'CONNECT 11Mbps 802.11b' Attribute 79 (EAP-Message) length=8 Value: 024700061900 Attribute 24 (State) length=18 Value: efe8f55deaafec1214b7abcd56f4cf59 Attribute 80 (Message-Authenticator) length=18 Value: 114302babf729e4196c4b4e4f951c43d Next RADIUS client retransmit in 3 seconds EAPOL: SUPP_BE entering state RECEIVE Received 98 bytes from RADIUS server Received RADIUS message RADIUS message: code=11 (Access-Challenge) identifier=6 length=98 Attribute 79 (EAP-Message) length=42 Value: 014800281900170303001d928fc7eaaf149c21a411db5fc7c795b368ca70bd3ada1fcd7a6c9d6fbd Attribute 80 (Message-Authenticator) length=18 Value: a2265a42cf8b563971fd5392506b51a2 Attribute 24 (State) length=18 Value: efe8f55de9a0ec1214b7abcd56f4cf59 STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending request, round trip time 0.00 sec RADIUS packet matching with station decapsulated EAP packet (code=1 id=72 len=40) from RADIUS server: EAP-Request-PEAP (25) EAPOL: Received EAP-Packet frame EAPOL: SUPP_BE entering state REQUEST EAPOL: getSuppRsp EAP: EAP entering state RECEIVED EAP: Received EAP-Request id=72 method=25 vendor=0 vendorMethod=0 EAP: EAP entering state METHOD SSL: Received packet(len=40) - Flags 0x00 EAP-PEAP: received 34 bytes encrypted data for Phase 2 OpenSSL: RX ver=0x0 content_type=256 (TLS header info/) OpenSSL: Message - hexdump(len=5): 17 03 03 00 1d EAP-PEAP: Decrypted Phase 2 EAP - hexdump(len=5): 01 48 00 05 01 EAP-PEAP: received Phase 2: code=1 identifier=72 length=5 EAP-PEAP: Phase 2 Request: type=1 EAP: using real identity - hexdump_ascii(len=6): 76 74 65 73 74 31 vtest1 EAP-PEAP: Encrypting Phase 2 data - hexdump(len=11): 02 48 00 0b 01 76 74 65 73 74 31 OpenSSL: TX ver=0x0 content_type=256 (TLS header info/) OpenSSL: Message - hexdump(len=5): 17 03 03 00 1f SSL: 36 bytes left to be sent out (of total 36 bytes) EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL eapRespData=0x112b080 EAP: EAP entering state SEND_RESPONSE EAP: EAP entering state IDLE EAPOL: SUPP_BE entering state RESPONSE EAPOL: txSuppRsp WPA: eapol_test_eapol_send(type=0 len=42) TX EAP -> RADIUS - hexdump(len=42): 02 48 00 2a 19 00 17 03 03 00 1f 88 d9 f3 3b 8b ea 0b 8a be 0e 1e 58 a3 26 fb 94 9c e0 b0 e5 99 bf 8e e6 ce f1 7b a4 6a 6f 77 Encapsulating EAP message into a RADIUS packet Copied RADIUS State Attribute Sending RADIUS message to authentication server RADIUS message: code=1 (Access-Request) identifier=7 length=178 Attribute 1 (User-Name) length=11 Value: 'anonymous' Attribute 4 (NAS-IP-Address) length=6 Value: 127.0.0.1 Attribute 31 (Calling-Station-Id) length=19 Value: '02-00-00-00-00-01' Attribute 12 (Framed-MTU) length=6 Value: 1400 Attribute 61 (NAS-Port-Type) length=6 Value: 19 Attribute 6 (Service-Type) length=6 Value: 2 Attribute 77 (Connect-Info) length=24 Value: 'CONNECT 11Mbps 802.11b' Attribute 79 (EAP-Message) length=44 Value: 0248002a1900170303001f88d9f33b8bea0b8abe0e1e58a326fb949ce0b0e599bf8ee6cef17ba46a6f77 Attribute 24 (State) length=18 Value: efe8f55de9a0ec1214b7abcd56f4cf59 Attribute 80 (Message-Authenticator) length=18 Value: 1cd5aad9eaead9661eba6a71f930d048 Next RADIUS client retransmit in 3 seconds EAPOL: SUPP_BE entering state RECEIVE Received 132 bytes from RADIUS server Received RADIUS message RADIUS message: code=11 (Access-Challenge) identifier=7 length=132 Attribute 79 (EAP-Message) length=76 Value: 0149004a1900170303003f928fc7eaaf149c22ef5d7394626b2244b5692fec656242a2bd5243a3ad76cb554306e4647d9c3c626e04021a623972c53b8321ad62d482710a80245fa079ac Attribute 80 (Message-Authenticator) length=18 Value: b723eb4f8324d9a031c5bd4d6702af6c Attribute 24 (State) length=18 Value: efe8f55de8a1ec1214b7abcd56f4cf59 STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending request, round trip time 0.00 sec RADIUS packet matching with station decapsulated EAP packet (code=1 id=73 len=74) from RADIUS server: EAP-Request-PEAP (25) EAPOL: Received EAP-Packet frame EAPOL: SUPP_BE entering state REQUEST EAPOL: getSuppRsp EAP: EAP entering state RECEIVED EAP: Received EAP-Request id=73 method=25 vendor=0 vendorMethod=0 EAP: EAP entering state METHOD SSL: Received packet(len=74) - Flags 0x00 EAP-PEAP: received 68 bytes encrypted data for Phase 2 OpenSSL: RX ver=0x0 content_type=256 (TLS header info/) OpenSSL: Message - hexdump(len=5): 17 03 03 00 3f EAP-PEAP: Decrypted Phase 2 EAP - hexdump(len=39): 1a 01 49 00 26 10 63 84 b7 ca bc bd 3d da 7c 7a 86 82 a5 00 c0 d2 66 72 65 65 72 61 64 69 75 73 2d 33 2e 30 2e 32 31 EAP-PEAP: received Phase 2: code=1 identifier=73 length=43 EAP-PEAP: Phase 2 Request: type=26 EAP-PEAP: Selected Phase 2 EAP vendor 0 method 26 EAP-MSCHAPV2: RX identifier 73 mschapv2_id 73 EAP-MSCHAPV2: Received challenge EAP-MSCHAPV2: Authentication Servername - hexdump_ascii(len=17): 66 72 65 65 72 61 64 69 75 73 2d 33 2e 30 2e 32 freeradius-3.0.2 31 1 EAP-MSCHAPV2: Generating Challenge Response Get randomness: len=16 entropy=0 random from os_get_random - hexdump(len=16): f2 78 69 1d 8c 98 c5 58 60 8a d5 56 dc b6 c5 53 random_mix_pool - hexdump(len=20): 0d b9 b1 bf 70 7c bd fa 8b 8c 0a 46 d8 96 87 a4 8e 89 0d 7d random from internal pool - hexdump(len=16): 52 c7 66 0a bf 85 ed d3 d8 c1 5b 8c 5d 36 f0 8e mixed random - hexdump(len=16): a0 bf 0f 17 33 1d 28 8b b8 4b 8e da 81 80 35 dd MSCHAPV2: Identity - hexdump_ascii(len=6): 76 74 65 73 74 31 vtest1 MSCHAPV2: Username - hexdump_ascii(len=6): 76 74 65 73 74 31 vtest1 MSCHAPV2: auth_challenge - hexdump(len=16): 63 84 b7 ca bc bd 3d da 7c 7a 86 82 a5 00 c0 d2 MSCHAPV2: peer_challenge - hexdump(len=16): a0 bf 0f 17 33 1d 28 8b b8 4b 8e da 81 80 35 dd MSCHAPV2: username - hexdump_ascii(len=6): 76 74 65 73 74 31 vtest1 MSCHAPV2: password - hexdump_ascii(len=6): 7a 73 6c 31 32 33 zsl123 MSCHAPV2: NT Response - hexdump(len=24): 4e ba c2 65 72 e6 70 43 7d 32 ee 45 a7 32 2e 4f 09 5e cd f0 e0 ad cf 04 MSCHAPV2: Auth Response - hexdump(len=20): 3a 3e 84 42 57 48 e2 b8 bb 73 be 5d 5b 65 52 eb 77 6c 28 d6 MSCHAPV2: Master Key - hexdump(len=16): 02 91 df 83 5f 20 a3 85 ad 76 df 6a b6 e7 f3 d6 EAP-MSCHAPV2: TX identifier 73 mschapv2_id 73 (response) EAP-PEAP: Encrypting Phase 2 data - hexdump(len=65): 02 49 00 41 1a 02 49 00 3c 31 a0 bf 0f 17 33 1d 28 8b b8 4b 8e da 81 80 35 dd 00 00 00 00 00 00 00 00 4e ba c2 65 72 e6 70 43 7d 32 ee 45 a7 32 2e 4f 09 5e cd f0 e0 ad cf 04 00 76 74 65 73 74 31 OpenSSL: TX ver=0x0 content_type=256 (TLS header info/) OpenSSL: Message - hexdump(len=5): 17 03 03 00 55 SSL: 90 bytes left to be sent out (of total 90 bytes) EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL eapRespData=0x112b7c0 EAP: EAP entering state SEND_RESPONSE EAP: EAP entering state IDLE EAPOL: SUPP_BE entering state RESPONSE EAPOL: txSuppRsp WPA: eapol_test_eapol_send(type=0 len=96) TX EAP -> RADIUS - hexdump(len=96): 02 49 00 60 19 00 17 03 03 00 55 88 d9 f3 3b 8b ea 0b 8b 2c d5 2c 10 62 b5 66 b2 7e 85 35 f9 98 d0 24 69 b7 57 da 36 b3 3d 93 35 22 6f 71 46 8d 62 b5 87 10 78 07 b7 66 3e b9 5b df 21 b3 df dd 02 be 49 3f ee 24 80 b4 fc 94 96 49 f1 5f c2 51 62 3b 7f 1b e1 03 20 9f 49 bc b5 6e 38 78 51 e1 Encapsulating EAP message into a RADIUS packet Copied RADIUS State Attribute Sending RADIUS message to authentication server RADIUS message: code=1 (Access-Request) identifier=8 length=232 Attribute 1 (User-Name) length=11 Value: 'anonymous' Attribute 4 (NAS-IP-Address) length=6 Value: 127.0.0.1 Attribute 31 (Calling-Station-Id) length=19 Value: '02-00-00-00-00-01' Attribute 12 (Framed-MTU) length=6 Value: 1400 Attribute 61 (NAS-Port-Type) length=6 Value: 19 Attribute 6 (Service-Type) length=6 Value: 2 Attribute 77 (Connect-Info) length=24 Value: 'CONNECT 11Mbps 802.11b' Attribute 79 (EAP-Message) length=98 Value: 024900601900170303005588d9f33b8bea0b8b2cd52c1062b566b27e8535f998d02469b757da36b33d9335226f71468d62b587107807b7663eb95bdf21b3dfdd02be493fee2480b4fc949649f15fc251623b7f1be103209f49bcb56e387851e1 Attribute 24 (State) length=18 Value: efe8f55de8a1ec1214b7abcd56f4cf59 Attribute 80 (Message-Authenticator) length=18 Value: 0edb87959e291938fe8d8654f558761b Next RADIUS client retransmit in 3 seconds EAPOL: SUPP_BE entering state RECEIVE Received 140 bytes from RADIUS server Received RADIUS message RADIUS message: code=11 (Access-Challenge) identifier=8 length=140 Attribute 79 (EAP-Message) length=84 Value: 014a005219001703030047928fc7eaaf149c235370eaa911f51c86fca36c3768b4513fb9497cfe2c88a641ceab3575b5d4bb3f2e97d9eca41ea824a1d4e3b9a710e3c98349ce5bdc7121cce2123b3304e850 Attribute 80 (Message-Authenticator) length=18 Value: 6eb4fdfb2c1c5ef913f2e52bf339bb41 Attribute 24 (State) length=18 Value: efe8f55de7a2ec1214b7abcd56f4cf59 STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending request, round trip time 0.00 sec RADIUS packet matching with station decapsulated EAP packet (code=1 id=74 len=82) from RADIUS server: EAP-Request-PEAP (25) EAPOL: Received EAP-Packet frame EAPOL: SUPP_BE entering state REQUEST EAPOL: getSuppRsp EAP: EAP entering state RECEIVED EAP: Received EAP-Request id=74 method=25 vendor=0 vendorMethod=0 EAP: EAP entering state METHOD SSL: Received packet(len=82) - Flags 0x00 EAP-PEAP: received 76 bytes encrypted data for Phase 2 OpenSSL: RX ver=0x0 content_type=256 (TLS header info/) OpenSSL: Message - hexdump(len=5): 17 03 03 00 47 EAP-PEAP: Decrypted Phase 2 EAP - hexdump(len=47): 1a 03 49 00 2e 53 3d 33 41 33 45 38 34 34 32 35 37 34 38 45 32 42 38 42 42 37 33 42 45 35 44 35 42 36 35 35 32 45 42 37 37 36 43 32 38 44 36 EAP-PEAP: received Phase 2: code=1 identifier=74 length=51 EAP-PEAP: Phase 2 Request: type=26 EAP-MSCHAPV2: RX identifier 74 mschapv2_id 73 EAP-MSCHAPV2: Received success EAP-MSCHAPV2: Success message - hexdump_ascii(len=0): EAP-MSCHAPV2: Authentication succeeded EAP-PEAP: Encrypting Phase 2 data - hexdump(len=6): 02 4a 00 06 1a 03 OpenSSL: TX ver=0x0 content_type=256 (TLS header info/) OpenSSL: Message - hexdump(len=5): 17 03 03 00 1a SSL: 31 bytes left to be sent out (of total 31 bytes) EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL eapRespData=0x1129320 EAP: Session-Id - hexdump(len=65): 19 cb 2e 6f 2c 46 d4 84 50 99 20 9b ab 25 1e 7b 1a 70 35 33 42 41 66 70 e9 f8 51 a3 8e bf aa 24 d7 18 0c 45 37 9f 01 e3 aa 52 ee 64 a5 c2 76 13 04 7f 3d fd 8d 30 9f 83 11 ff 14 1a a9 06 92 19 e5 EAP: EAP entering state SEND_RESPONSE EAP: EAP entering state IDLE EAPOL: SUPP_BE entering state RESPONSE EAPOL: txSuppRsp WPA: eapol_test_eapol_send(type=0 len=37) TX EAP -> RADIUS - hexdump(len=37): 02 4a 00 25 19 00 17 03 03 00 1a 88 d9 f3 3b 8b ea 0b 8c 0d dd 43 bc c4 d9 54 94 ab de cb 9c 25 7f ea 30 38 3b Encapsulating EAP message into a RADIUS packet Copied RADIUS State Attribute Sending RADIUS message to authentication server RADIUS message: code=1 (Access-Request) identifier=9 length=173 Attribute 1 (User-Name) length=11 Value: 'anonymous' Attribute 4 (NAS-IP-Address) length=6 Value: 127.0.0.1 Attribute 31 (Calling-Station-Id) length=19 Value: '02-00-00-00-00-01' Attribute 12 (Framed-MTU) length=6 Value: 1400 Attribute 61 (NAS-Port-Type) length=6 Value: 19 Attribute 6 (Service-Type) length=6 Value: 2 Attribute 77 (Connect-Info) length=24 Value: 'CONNECT 11Mbps 802.11b' Attribute 79 (EAP-Message) length=39 Value: 024a00251900170303001a88d9f33b8bea0b8c0ddd43bcc4d95494abdecb9c257fea30383b Attribute 24 (State) length=18 Value: efe8f55de7a2ec1214b7abcd56f4cf59 Attribute 80 (Message-Authenticator) length=18 Value: a9c37720b1a796dc832de0dd1106d3af Next RADIUS client retransmit in 3 seconds EAPOL: SUPP_BE entering state RECEIVE Received 104 bytes from RADIUS server Received RADIUS message RADIUS message: code=11 (Access-Challenge) identifier=9 length=104 Attribute 79 (EAP-Message) length=48 Value: 014b002e19001703030023928fc7eaaf149c24a561a91ca0a7d43d986492197bc383d3e93d99cf48fa096f3e9061 Attribute 80 (Message-Authenticator) length=18 Value: 49faaa5adc5ad4ad980f4c7d2e73ea01 Attribute 24 (State) length=18 Value: efe8f55de6a3ec1214b7abcd56f4cf59 STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending request, round trip time 0.00 sec RADIUS packet matching with station decapsulated EAP packet (code=1 id=75 len=46) from RADIUS server: EAP-Request-PEAP (25) EAPOL: Received EAP-Packet frame EAPOL: SUPP_BE entering state REQUEST EAPOL: getSuppRsp EAP: EAP entering state RECEIVED EAP: Received EAP-Request id=75 method=25 vendor=0 vendorMethod=0 EAP: EAP entering state METHOD SSL: Received packet(len=46) - Flags 0x00 EAP-PEAP: received 40 bytes encrypted data for Phase 2 OpenSSL: RX ver=0x0 content_type=256 (TLS header info/) OpenSSL: Message - hexdump(len=5): 17 03 03 00 23 EAP-PEAP: Decrypted Phase 2 EAP - hexdump(len=11): 01 4b 00 0b 21 80 03 00 02 00 01 EAP-PEAP: received Phase 2: code=1 identifier=75 length=11 EAP-PEAP: Phase 2 Request: type=33 EAP-TLV: Received TLVs - hexdump(len=6): 80 03 00 02 00 01 EAP-TLV: Result TLV - hexdump(len=2): 00 01 EAP-TLV: TLV Result - Success - EAP-TLV/Phase2 Completed EAP-PEAP: Encrypting Phase 2 data - hexdump(len=11): 02 4b 00 0b 21 80 03 00 02 00 01 OpenSSL: TX ver=0x0 content_type=256 (TLS header info/) OpenSSL: Message - hexdump(len=5): 17 03 03 00 23 SSL: 40 bytes left to be sent out (of total 40 bytes) EAP: method process -> ignore=FALSE methodState=DONE decision=UNCOND_SUCC eapRespData=0x1110f20 EAP: Session-Id - hexdump(len=65): 19 cb 2e 6f 2c 46 d4 84 50 99 20 9b ab 25 1e 7b 1a 70 35 33 42 41 66 70 e9 f8 51 a3 8e bf aa 24 d7 18 0c 45 37 9f 01 e3 aa 52 ee 64 a5 c2 76 13 04 7f 3d fd 8d 30 9f 83 11 ff 14 1a a9 06 92 19 e5 EAP: EAP entering state SEND_RESPONSE EAP: EAP entering state IDLE EAPOL: SUPP_BE entering state RESPONSE EAPOL: txSuppRsp WPA: eapol_test_eapol_send(type=0 len=46) TX EAP -> RADIUS - hexdump(len=46): 02 4b 00 2e 19 00 17 03 03 00 23 88 d9 f3 3b 8b ea 0b 8d b1 fa 7e 67 b9 6d 6e d1 13 06 bf 21 e5 7c b3 d2 2f dc ea 0e 57 c9 09 dd eb 63 d5 Encapsulating EAP message into a RADIUS packet Copied RADIUS State Attribute Sending RADIUS message to authentication server RADIUS message: code=1 (Access-Request) identifier=10 length=182 Attribute 1 (User-Name) length=11 Value: 'anonymous' Attribute 4 (NAS-IP-Address) length=6 Value: 127.0.0.1 Attribute 31 (Calling-Station-Id) length=19 Value: '02-00-00-00-00-01' Attribute 12 (Framed-MTU) length=6 Value: 1400 Attribute 61 (NAS-Port-Type) length=6 Value: 19 Attribute 6 (Service-Type) length=6 Value: 2 Attribute 77 (Connect-Info) length=24 Value: 'CONNECT 11Mbps 802.11b' Attribute 79 (EAP-Message) length=48 Value: 024b002e1900170303002388d9f33b8bea0b8db1fa7e67b96d6ed11306bf21e57cb3d22fdcea0e57c909ddeb63d5 Attribute 24 (State) length=18 Value: efe8f55de6a3ec1214b7abcd56f4cf59 Attribute 80 (Message-Authenticator) length=18 Value: 8c7c7590d523c8464d550b15de0202e7 Next RADIUS client retransmit in 3 seconds EAPOL: SUPP_BE entering state RECEIVE Received 168 bytes from RADIUS server Received RADIUS message RADIUS message: code=2 (Access-Accept) identifier=10 length=168 Attribute 1 (User-Name) length=8 Value: 'vtest1' Attribute 26 (Vendor-Specific) length=58 Value: 000001371134816f3d39758459c26d572cb441d0f94e379e354c9f7362cc24f0a6dac1852f364065dc89cd8c2d717b7868032ab014e0d550 Attribute 26 (Vendor-Specific) length=58 Value: 0000013710348eca20c889493135f9230cb4258d1ec7af7c516b928608f54387b53b287de1a0aa15630d8b5008067f8638f5142f86766a21 Attribute 79 (EAP-Message) length=6 Value: 034b0004 Attribute 80 (Message-Authenticator) length=18 Value: f480b1e1131dfb9e5aabd0924d6e3c3e STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending request, round trip time 0.00 sec RADIUS packet matching with station MS-MPPE-Send-Key (sign) - hexdump(len=32): cc 3b 4d 83 a6 cc 38 2a 34 22 99 b7 99 ab c1 ed bf b3 da f5 0d 16 91 11 e0 00 ff ac 07 56 38 dc MS-MPPE-Recv-Key (crypt) - hexdump(len=32): d7 3d 78 a8 00 46 b8 4f 1a 7a b0 3d 8d 91 d6 99 f3 f2 b2 e4 9f 7d 1b db 26 c1 e4 87 f4 c4 bc b9 decapsulated EAP packet (code=3 id=75 len=4) from RADIUS server: EAP Success EAPOL: Received EAP-Packet frame EAPOL: SUPP_BE entering state REQUEST EAPOL: getSuppRsp EAP: EAP entering state RECEIVED EAP: Received EAP-Success EAP: Status notification: completion (param=success) EAP: EAP entering state SUCCESS CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully EAPOL: IEEE 802.1X for plaintext connection; no EAPOL-Key frames required WPA: EAPOL processing complete Cancelling authentication timeout State: DISCONNECTED -> COMPLETED EAPOL: SUPP_PAE entering state AUTHENTICATED EAPOL: SUPP_BE entering state RECEIVE EAPOL: SUPP_BE entering state SUCCESS EAPOL: SUPP_BE entering state IDLE eapol_sm_cb: result=1 EAPOL: Successfully fetched key (len=32) PMK from EAPOL - hexdump(len=32): d7 3d 78 a8 00 46 b8 4f 1a 7a b0 3d 8d 91 d6 99 f3 f2 b2 e4 9f 7d 1b db 26 c1 e4 87 f4 c4 bc b9 No EAP-Key-Name received from server WPA: Clear old PMK and PTK EAP: deinitialize previously used EAP method (25, PEAP) at EAP deinit ENGINE: engine deinit MPPE keys OK: 1 mismatch: 0 SUCCESS [root@myradius bin]# ip address 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000 link/ether 00:0c:29:2e:e0:45 brd ff:ff:ff:ff:ff:ff inet 10.0.8.22/24 brd 10.0.8.255 scope global noprefixroute dynamic ens33 valid_lft 404sec preferred_lft 404sec inet6 fe80::1222:d3d2:1f4c:1819/64 scope link noprefixroute valid_lft forever preferred_lft forever 3: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000 link/ether 52:54:00:05:20:8f brd ff:ff:ff:ff:ff:ff inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0 valid_lft forever preferred_lft forever 4: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast master virbr0 state DOWN group default qlen 1000 link/ether 52:54:00:05:20:8f brd ff:ff:ff:ff:ff:ff [root@myradius bin]# lsof -i:1812 COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME radiusd 3370 root 7u IPv4 43176 0t0 UDP *:radius radiusd 3370 root 9u IPv6 43178 0t0 UDP *:radius [root@myradius bin]# kill 3370 [root@myradius bin]# radiusd -X FreeRADIUS Version 3.0.21 Copyright (C) 1999-2019 The FreeRADIUS server project and contributors There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License For more information about these matters, see the file named COPYRIGHT Starting - reading configuration files ... including dictionary file /usr/local/share/freeradius/dictionary including dictionary file /usr/local/share/freeradius/dictionary.dhcp including dictionary file /usr/local/share/freeradius/dictionary.vqp including dictionary file /usr/local/etc/raddb/dictionary including configuration file /usr/local/etc/raddb/radiusd.conf including configuration file /usr/local/etc/raddb/proxy.conf including configuration file /usr/local/etc/raddb/clients.conf including files in directory /usr/local/etc/raddb/mods-enabled/ including configuration file /usr/local/etc/raddb/mods-enabled/always including configuration file /usr/local/etc/raddb/mods-enabled/attr_filter including configuration file /usr/local/etc/raddb/mods-enabled/cache_eap including configuration file /usr/local/etc/raddb/mods-enabled/chap including configuration file /usr/local/etc/raddb/mods-enabled/date including configuration file /usr/local/etc/raddb/mods-enabled/detail including configuration file /usr/local/etc/raddb/mods-enabled/detail.log including configuration file /usr/local/etc/raddb/mods-enabled/digest including configuration file /usr/local/etc/raddb/mods-enabled/dynamic_clients including configuration file /usr/local/etc/raddb/mods-enabled/eap including configuration file /usr/local/etc/raddb/mods-enabled/echo including configuration file /usr/local/etc/raddb/mods-enabled/exec including configuration file /usr/local/etc/raddb/mods-enabled/expiration including configuration file /usr/local/etc/raddb/mods-enabled/expr including configuration file /usr/local/etc/raddb/mods-enabled/files including configuration file /usr/local/etc/raddb/mods-enabled/linelog including configuration file /usr/local/etc/raddb/mods-enabled/logintime including configuration file /usr/local/etc/raddb/mods-enabled/mschap including configuration file /usr/local/etc/raddb/mods-enabled/ntlm_auth including configuration file /usr/local/etc/raddb/mods-enabled/pap including configuration file /usr/local/etc/raddb/mods-enabled/passwd including configuration file /usr/local/etc/raddb/mods-enabled/preprocess including configuration file /usr/local/etc/raddb/mods-enabled/radutmp including configuration file /usr/local/etc/raddb/mods-enabled/realm including configuration file /usr/local/etc/raddb/mods-enabled/replicate including configuration file /usr/local/etc/raddb/mods-enabled/soh including configuration file /usr/local/etc/raddb/mods-enabled/sradutmp including configuration file /usr/local/etc/raddb/mods-enabled/unix including configuration file /usr/local/etc/raddb/mods-enabled/unpack including configuration file /usr/local/etc/raddb/mods-enabled/utf8 including files in directory /usr/local/etc/raddb/policy.d/ including configuration file /usr/local/etc/raddb/policy.d/abfab-tr including configuration file /usr/local/etc/raddb/policy.d/accounting including configuration file /usr/local/etc/raddb/policy.d/canonicalization including configuration file /usr/local/etc/raddb/policy.d/control including configuration file /usr/local/etc/raddb/policy.d/cui including configuration file /usr/local/etc/raddb/policy.d/debug including configuration file /usr/local/etc/raddb/policy.d/dhcp including configuration file /usr/local/etc/raddb/policy.d/eap including configuration file /usr/local/etc/raddb/policy.d/filter including configuration file /usr/local/etc/raddb/policy.d/moonshot-targeted-ids including configuration file /usr/local/etc/raddb/policy.d/operator-name including configuration file /usr/local/etc/raddb/policy.d/rfc7542 including files in directory /usr/local/etc/raddb/sites-enabled/ including configuration file /usr/local/etc/raddb/sites-enabled/default including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel main { security { allow_core_dumps = no } name = "radiusd" prefix = "/usr/local" localstatedir = "/usr/local/var" logdir = "/usr/local/var/log/radius" run_dir = "/usr/local/var/run/radiusd" } main { name = "radiusd" prefix = "/usr/local" localstatedir = "/usr/local/var" sbindir = "/usr/local/sbin" logdir = "/usr/local/var/log/radius" run_dir = "/usr/local/var/run/radiusd" libdir = "/usr/local/lib" radacctdir = "/usr/local/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 16384 pidfile = "/usr/local/var/run/radiusd/radiusd.pid" checkrad = "/usr/local/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no colourise = yes msg_denied = "You are already logged in - access denied" } resources { } security { max_attributes = 200 reject_delay = 1.000000 status_server = yes allow_vulnerable_openssl = "no" } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = <<< secret >>> response_window = 20.000000 response_timeouts = 1 max_outstanding = 65536 zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 check_timeout = 4 num_answers_to_alive = 3 revive_interval = 120 limit { max_connections = 16 max_requests = 0 lifetime = 0 idle_timeout = 0 } coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = <<< secret >>> nas_type = "other" proto = "*" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client localhost_ipv6 { ipv6addr = ::1 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client socket_client { ipaddr = 10.0.8.18 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } Debugger not attached # Creating Auth-Type = mschap # Creating Auth-Type = digest # Creating Auth-Type = eap # Creating Auth-Type = PAP # Creating Auth-Type = CHAP # Creating Auth-Type = MS-CHAP radiusd: #### Instantiating modules #### modules { # Loaded module rlm_always # Loading module "reject" from file /usr/local/etc/raddb/mods-enabled/always always reject { rcode = "reject" simulcount = 0 mpp = no } # Loading module "fail" from file /usr/local/etc/raddb/mods-enabled/always always fail { rcode = "fail" simulcount = 0 mpp = no } # Loading module "ok" from file /usr/local/etc/raddb/mods-enabled/always always ok { rcode = "ok" simulcount = 0 mpp = no } # Loading module "handled" from file /usr/local/etc/raddb/mods-enabled/always always handled { rcode = "handled" simulcount = 0 mpp = no } # Loading module "invalid" from file /usr/local/etc/raddb/mods-enabled/always always invalid { rcode = "invalid" simulcount = 0 mpp = no } # Loading module "userlock" from file /usr/local/etc/raddb/mods-enabled/always always userlock { rcode = "userlock" simulcount = 0 mpp = no } # Loading module "notfound" from file /usr/local/etc/raddb/mods-enabled/always always notfound { rcode = "notfound" simulcount = 0 mpp = no } # Loading module "noop" from file /usr/local/etc/raddb/mods-enabled/always always noop { rcode = "noop" simulcount = 0 mpp = no } # Loading module "updated" from file /usr/local/etc/raddb/mods-enabled/always always updated { rcode = "updated" simulcount = 0 mpp = no } # Loaded module rlm_attr_filter # Loading module "attr_filter.post-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.post-proxy { filename = "/usr/local/etc/raddb/mods-config/attr_filter/post-proxy" key = "%{Realm}" relaxed = no } # Loading module "attr_filter.pre-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.pre-proxy { filename = "/usr/local/etc/raddb/mods-config/attr_filter/pre-proxy" key = "%{Realm}" relaxed = no } # Loading module "attr_filter.access_reject" from file /usr/local/etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.access_reject { filename = "/usr/local/etc/raddb/mods-config/attr_filter/access_reject" key = "%{User-Name}" relaxed = no } # Loading module "attr_filter.access_challenge" from file /usr/local/etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.access_challenge { filename = "/usr/local/etc/raddb/mods-config/attr_filter/access_challenge" key = "%{User-Name}" relaxed = no } # Loading module "attr_filter.accounting_response" from file /usr/local/etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.accounting_response { filename = "/usr/local/etc/raddb/mods-config/attr_filter/accounting_response" key = "%{User-Name}" relaxed = no } # Loaded module rlm_cache # Loading module "cache_eap" from file /usr/local/etc/raddb/mods-enabled/cache_eap cache cache_eap { driver = "rlm_cache_rbtree" key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}" ttl = 15 max_entries = 0 epoch = 0 add_stats = no } # Loaded module rlm_chap # Loading module "chap" from file /usr/local/etc/raddb/mods-enabled/chap # Loaded module rlm_date # Loading module "date" from file /usr/local/etc/raddb/mods-enabled/date date { format = "%b %e %Y %H:%M:%S %Z" utc = no } # Loading module "wispr2date" from file /usr/local/etc/raddb/mods-enabled/date date wispr2date { format = "%Y-%m-%dT%H:%M:%S" utc = no } # Loaded module rlm_detail # Loading module "detail" from file /usr/local/etc/raddb/mods-enabled/detail detail { filename = "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "auth_log" from file /usr/local/etc/raddb/mods-enabled/detail.log detail auth_log { filename = "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "reply_log" from file /usr/local/etc/raddb/mods-enabled/detail.log detail reply_log { filename = "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "pre_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log detail pre_proxy_log { filename = "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "post_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log detail post_proxy_log { filename = "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loaded module rlm_digest # Loading module "digest" from file /usr/local/etc/raddb/mods-enabled/digest # Loaded module rlm_dynamic_clients # Loading module "dynamic_clients" from file /usr/local/etc/raddb/mods-enabled/dynamic_clients # Loaded module rlm_eap # Loading module "eap" from file /usr/local/etc/raddb/mods-enabled/eap eap { default_eap_type = "md5" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 16384 } # Loaded module rlm_exec # Loading module "echo" from file /usr/local/etc/raddb/mods-enabled/echo exec echo { wait = yes program = "/bin/echo %{User-Name}" input_pairs = "request" output_pairs = "reply" shell_escape = yes } # Loading module "exec" from file /usr/local/etc/raddb/mods-enabled/exec exec { wait = no input_pairs = "request" shell_escape = yes timeout = 10 } # Loaded module rlm_expiration # Loading module "expiration" from file /usr/local/etc/raddb/mods-enabled/expiration # Loaded module rlm_expr # Loading module "expr" from file /usr/local/etc/raddb/mods-enabled/expr expr { safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /盲茅枚眉脿芒忙莽猫茅锚毛卯茂么艙霉没眉a每脛脡脰脺脽脌脗脝脟脠脡脢脣脦脧脭艗脵脹脺鸥" } # Loaded module rlm_files # Loading module "files" from file /usr/local/etc/raddb/mods-enabled/files files { filename = "/usr/local/etc/raddb/mods-config/files/authorize" acctusersfile = "/usr/local/etc/raddb/mods-config/files/accounting" preproxy_usersfile = "/usr/local/etc/raddb/mods-config/files/pre-proxy" } # Loaded module rlm_linelog # Loading module "linelog" from file /usr/local/etc/raddb/mods-enabled/linelog linelog { filename = "/usr/local/var/log/radius/linelog" escape_filenames = no syslog_severity = "info" permissions = 384 format = "This is a log message for %{User-Name}" reference = "messages.%{%{reply:Packet-Type}:-default}" } # Loading module "log_accounting" from file /usr/local/etc/raddb/mods-enabled/linelog linelog log_accounting { filename = "/usr/local/var/log/radius/linelog-accounting" escape_filenames = no syslog_severity = "info" permissions = 384 format = "" reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}" } # Loaded module rlm_logintime # Loading module "logintime" from file /usr/local/etc/raddb/mods-enabled/logintime logintime { minimum_timeout = 60 } # Loaded module rlm_mschap # Loading module "mschap" from file /usr/local/etc/raddb/mods-enabled/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = yes passchange { } allow_retry = yes winbind_retry_with_normalised_username = no } # Loading module "ntlm_auth" from file /usr/local/etc/raddb/mods-enabled/ntlm_auth exec ntlm_auth { wait = yes program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}" shell_escape = yes } # Loaded module rlm_pap # Loading module "pap" from file /usr/local/etc/raddb/mods-enabled/pap pap { normalise = yes } # Loaded module rlm_passwd # Loading module "etc_passwd" from file /usr/local/etc/raddb/mods-enabled/passwd passwd etc_passwd { filename = "/etc/passwd" format = "*User-Name:Crypt-Password:" delimiter = ":" ignore_nislike = no ignore_empty = yes allow_multiple_keys = no hash_size = 100 } # Loaded module rlm_preprocess # Loading module "preprocess" from file /usr/local/etc/raddb/mods-enabled/preprocess preprocess { huntgroups = "/usr/local/etc/raddb/mods-config/preprocess/huntgroups" hints = "/usr/local/etc/raddb/mods-config/preprocess/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } # Loaded module rlm_radutmp # Loading module "radutmp" from file /usr/local/etc/raddb/mods-enabled/radutmp radutmp { filename = "/usr/local/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 384 caller_id = yes } # Loaded module rlm_realm # Loading module "IPASS" from file /usr/local/etc/raddb/mods-enabled/realm realm IPASS { format = "prefix" delimiter = "/" ignore_default = no ignore_null = no } # Loading module "suffix" from file /usr/local/etc/raddb/mods-enabled/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } # Loading module "bangpath" from file /usr/local/etc/raddb/mods-enabled/realm realm bangpath { format = "prefix" delimiter = "!" ignore_default = no ignore_null = no } # Loading module "realmpercent" from file /usr/local/etc/raddb/mods-enabled/realm realm realmpercent { format = "suffix" delimiter = "%" ignore_default = no ignore_null = no } # Loading module "ntdomain" from file /usr/local/etc/raddb/mods-enabled/realm realm ntdomain { format = "prefix" delimiter = "\\" ignore_default = no ignore_null = no } # Loaded module rlm_replicate # Loading module "replicate" from file /usr/local/etc/raddb/mods-enabled/replicate # Loaded module rlm_soh # Loading module "soh" from file /usr/local/etc/raddb/mods-enabled/soh soh { dhcp = yes } # Loading module "sradutmp" from file /usr/local/etc/raddb/mods-enabled/sradutmp radutmp sradutmp { filename = "/usr/local/var/log/radius/sradutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 420 caller_id = no } # Loaded module rlm_unix # Loading module "unix" from file /usr/local/etc/raddb/mods-enabled/unix unix { radwtmp = "/usr/local/var/log/radius/radwtmp" } Creating attribute Unix-Group # Loaded module rlm_unpack # Loading module "unpack" from file /usr/local/etc/raddb/mods-enabled/unpack # Loaded module rlm_utf8 # Loading module "utf8" from file /usr/local/etc/raddb/mods-enabled/utf8 instantiate { } # Instantiating module "reject" from file /usr/local/etc/raddb/mods-enabled/always # Instantiating module "fail" from file /usr/local/etc/raddb/mods-enabled/always # Instantiating module "ok" from file /usr/local/etc/raddb/mods-enabled/always # Instantiating module "handled" from file /usr/local/etc/raddb/mods-enabled/always # Instantiating module "invalid" from file /usr/local/etc/raddb/mods-enabled/always # Instantiating module "userlock" from file /usr/local/etc/raddb/mods-enabled/always # Instantiating module "notfound" from file /usr/local/etc/raddb/mods-enabled/always # Instantiating module "noop" from file /usr/local/etc/raddb/mods-enabled/always # Instantiating module "updated" from file /usr/local/etc/raddb/mods-enabled/always # Instantiating module "attr_filter.post-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/post-proxy # Instantiating module "attr_filter.pre-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/pre-proxy # Instantiating module "attr_filter.access_reject" from file /usr/local/etc/raddb/mods-enabled/attr_filter reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/access_reject # Instantiating module "attr_filter.access_challenge" from file /usr/local/etc/raddb/mods-enabled/attr_filter reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/access_challenge # Instantiating module "attr_filter.accounting_response" from file /usr/local/etc/raddb/mods-enabled/attr_filter reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/accounting_response # Instantiating module "cache_eap" from file /usr/local/etc/raddb/mods-enabled/cache_eap rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked # Instantiating module "detail" from file /usr/local/etc/raddb/mods-enabled/detail # Instantiating module "auth_log" from file /usr/local/etc/raddb/mods-enabled/detail.log rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output # Instantiating module "reply_log" from file /usr/local/etc/raddb/mods-enabled/detail.log # Instantiating module "pre_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log # Instantiating module "post_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log # Instantiating module "eap" from file /usr/local/etc/raddb/mods-enabled/eap # Linked to sub-module rlm_eap_md5 # Linked to sub-module rlm_eap_leap # Linked to sub-module rlm_eap_gtc gtc { challenge = "Password: " auth_type = "PAP" } # Linked to sub-module rlm_eap_tls tls { tls = "tls-common" } tls-config tls-common { verify_depth = 0 ca_path = "/usr/local/etc/raddb/certs" pem_file_type = yes private_key_file = "/usr/local/etc/raddb/certs/server.pem" certificate_file = "/usr/local/etc/raddb/certs/server.pem" ca_file = "/usr/local/etc/raddb/certs/ca.pem" private_key_password = <<< secret >>> dh_file = "/usr/local/etc/raddb/certs/dh" fragment_size = 1024 include_length = yes auto_chain = yes check_crl = no check_all_crl = no cipher_list = "DEFAULT" cipher_server_preference = no ecdh_curve = "prime256v1" disable_tlsv1 = yes disable_tlsv1_1 = yes tls_max_version = "1.2" tls_min_version = "1.2" cache { enable = no lifetime = 24 max_entries = 255 } verify { skip_if_ocsp_ok = no } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" use_nonce = yes timeout = 0 softfail = no } } # Linked to sub-module rlm_eap_ttls ttls { tls = "tls-common" default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = yes virtual_server = "inner-tunnel" include_length = yes require_client_cert = no } tls: Using cached TLS configuration from previous invocation # Linked to sub-module rlm_eap_peap peap { tls = "tls-common" default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = yes proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" soh = no require_client_cert = no } tls: Using cached TLS configuration from previous invocation # Linked to sub-module rlm_eap_mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } # Instantiating module "expiration" from file /usr/local/etc/raddb/mods-enabled/expiration # Instantiating module "files" from file /usr/local/etc/raddb/mods-enabled/files reading pairlist file /usr/local/etc/raddb/mods-config/files/authorize reading pairlist file /usr/local/etc/raddb/mods-config/files/accounting reading pairlist file /usr/local/etc/raddb/mods-config/files/pre-proxy # Instantiating module "linelog" from file /usr/local/etc/raddb/mods-enabled/linelog # Instantiating module "log_accounting" from file /usr/local/etc/raddb/mods-enabled/linelog # Instantiating module "logintime" from file /usr/local/etc/raddb/mods-enabled/logintime # Instantiating module "mschap" from file /usr/local/etc/raddb/mods-enabled/mschap rlm_mschap (mschap): using internal authentication # Instantiating module "pap" from file /usr/local/etc/raddb/mods-enabled/pap # Instantiating module "etc_passwd" from file /usr/local/etc/raddb/mods-enabled/passwd rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no # Instantiating module "preprocess" from file /usr/local/etc/raddb/mods-enabled/preprocess reading pairlist file /usr/local/etc/raddb/mods-config/preprocess/huntgroups reading pairlist file /usr/local/etc/raddb/mods-config/preprocess/hints # Instantiating module "IPASS" from file /usr/local/etc/raddb/mods-enabled/realm # Instantiating module "suffix" from file /usr/local/etc/raddb/mods-enabled/realm # Instantiating module "bangpath" from file /usr/local/etc/raddb/mods-enabled/realm # Instantiating module "realmpercent" from file /usr/local/etc/raddb/mods-enabled/realm # Instantiating module "ntdomain" from file /usr/local/etc/raddb/mods-enabled/realm } # modules radiusd: #### Loading Virtual Servers #### server { # from file /usr/local/etc/raddb/radiusd.conf } # server server default { # from file /usr/local/etc/raddb/sites-enabled/default # Loading authenticate {...} # Loading authorize {...} Ignoring "sql" (see raddb/mods-available/README.rst) Ignoring "ldap" (see raddb/mods-available/README.rst) # Loading preacct {...} # Loading accounting {...} # Loading post-proxy {...} # Loading post-auth {...} } # server default server inner-tunnel { # from file /usr/local/etc/raddb/sites-enabled/inner-tunnel # Loading authenticate {...} # Loading authorize {...} # Loading session {...} # Loading post-proxy {...} # Loading post-auth {...} # Skipping contents of 'if' as it is always 'false' -- /usr/local/etc/raddb/sites-enabled/inner-tunnel:336 } # server inner-tunnel radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "acct" ipaddr = * port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "auth" ipv6addr = :: port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "acct" ipv6addr = :: port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } Listening on auth address * port 1812 bound to server default Listening on acct address * port 1813 bound to server default Listening on auth address :: port 1812 bound to server default Listening on acct address :: port 1813 bound to server default Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel Listening on proxy address * port 50665 Listening on proxy address :: port 41272 Ready to process requests (0) Received Access-Request Id 4 from 10.0.8.18:40336 to 10.0.8.22:1812 length 156 (0) User-Name = "vtest1" (0) Called-Station-Id = "113.92.158.79" (0) Calling-Station-Id = "183.8.207.18" (0) NAS-Port-Id = "\000\000\000V" (0) NAS-Port-Type = Virtual (0) Service-Type = Framed-User (0) Event-Timestamp = "Jun 21 2022 17:11:05 CST" (0) Framed-MTU = 1400 (0) EAP-Message = 0x0200000b01767465737431 (0) Message-Authenticator = 0x6dcc9c62349a7c00498c6bde78e00196 (0) NAS-Identifier = "IKEv2 vpn for freeradius_test1" (0) NAS-IP-Address = 10.0.8.18 (0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /(a)\./) { (0) if (&User-Name =~ /(a)\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "vtest1", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: Peer sent EAP Response (code 2) ID 0 length 11 (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = eap (0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (0) authenticate { (0) eap: Peer sent packet with method EAP Identity (1) (0) eap: Calling submodule eap_md5 to process data (0) eap_md5: Issuing MD5 Challenge (0) eap: Sending EAP Request (code 1) ID 1 length 22 (0) eap: EAP session adding &reply:State = 0x43ff295343fe2dbb (0) [eap] = handled (0) } # authenticate = handled (0) Using Post-Auth-Type Challenge (0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (0) Challenge { ... } # empty sub-section is ignored (0) Sent Access-Challenge Id 4 from 10.0.8.22:1812 to 10.0.8.18:40336 length 0 (0) EAP-Message = 0x01010016041080b249cf2b7ef5d05c2815a8741d7bf9 (0) Message-Authenticator = 0x00000000000000000000000000000000 (0) State = 0x43ff295343fe2dbbe50302a434929314 (0) Finished request Waking up in 4.9 seconds. (1) Received Access-Request Id 5 from 10.0.8.18:49996 to 10.0.8.22:1812 length 185 (1) User-Name = "vtest1" (1) Called-Station-Id = "113.92.158.79" (1) Calling-Station-Id = "183.8.207.18" (1) NAS-Port-Id = "\000\000\000V" (1) NAS-Port-Type = Virtual (1) Service-Type = Framed-User (1) Event-Timestamp = "Jun 21 2022 17:11:05 CST" (1) Framed-MTU = 1400 (1) State = 0x43ff295343fe2dbbe50302a434929314 (1) EAP-Message = 0x020100160410023116a7d5e0ab9c8cbea470f88e05b5 (1) Message-Authenticator = 0x5ad2da08899da66d3b26f543f019b8ec (1) NAS-Identifier = "IKEv2 vpn for freeradius_test1" (1) NAS-IP-Address = 10.0.8.18 (1) session-state: No cached attributes (1) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (1) authorize { (1) policy filter_username { (1) if (&User-Name) { (1) if (&User-Name) -> TRUE (1) if (&User-Name) { (1) if (&User-Name =~ / /) { (1) if (&User-Name =~ / /) -> FALSE (1) if (&User-Name =~ /@[^@]*@/ ) { (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (1) if (&User-Name =~ /\.\./ ) { (1) if (&User-Name =~ /\.\./ ) -> FALSE (1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) { (1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE (1) if (&User-Name =~ /\.$/) { (1) if (&User-Name =~ /\.$/) -> FALSE (1) if (&User-Name =~ /(a)\./) { (1) if (&User-Name =~ /(a)\./) -> FALSE (1) } # if (&User-Name) = notfound (1) } # policy filter_username = notfound (1) [preprocess] = ok (1) [chap] = noop (1) [mschap] = noop (1) [digest] = noop (1) suffix: Checking for suffix after "@" (1) suffix: No '@' in User-Name = "vtest1", looking up realm NULL (1) suffix: No such realm "NULL" (1) [suffix] = noop (1) eap: Peer sent EAP Response (code 2) ID 1 length 22 (1) eap: No EAP Start, assuming it's an on-going EAP conversation (1) [eap] = updated (1) files: users: Matched entry vtest1 at line 1 (1) [files] = ok (1) [expiration] = noop (1) [logintime] = noop (1) pap: WARNING: Auth-Type already set. Not setting to PAP (1) [pap] = noop (1) } # authorize = updated (1) Found Auth-Type = eap (1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (1) authenticate { (1) eap: Expiring EAP session with state 0x43ff295343fe2dbb (1) eap: Finished EAP session with state 0x43ff295343fe2dbb (1) eap: Previous EAP request found for state 0x43ff295343fe2dbb, released from the list (1) eap: Peer sent packet with method EAP MD5 (4) (1) eap: Calling submodule eap_md5 to process data (1) eap: Sending EAP Success (code 3) ID 1 length 4 (1) eap: Freeing handler (1) [eap] = ok (1) } # authenticate = ok (1) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default (1) post-auth { (1) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) { (1) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) -> FALSE (1) update { (1) No attributes updated for RHS &session-state: (1) } # update = noop (1) [exec] = noop (1) policy remove_reply_message_if_eap { (1) if (&reply:EAP-Message && &reply:Reply-Message) { (1) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (1) else { (1) [noop] = noop (1) } # else = noop (1) } # policy remove_reply_message_if_eap = noop (1) } # post-auth = noop (1) Sent Access-Accept Id 5 from 10.0.8.22:1812 to 10.0.8.18:49996 length 0 (1) EAP-Message = 0x03010004 (1) Message-Authenticator = 0x00000000000000000000000000000000 (1) User-Name = "vtest1" (1) Finished request Waking up in 4.9 seconds. (0) Cleaning up request packet ID 4 with timestamp +152 (1) Cleaning up request packet ID 5 with timestamp +152 Ready to process requests
2
1
Hi all,
I have been working on a project that we need to support more than 10000
tenants. I tried to create multiple virtual servers and each listen to
different ports and I found that I can only create up to 300 virtual
servers due to the limitation of FD_SETSIZE. In this case I will need to
have more than 300 servers running which doesn't seem to make much sense.
I also consider the option of creating multiple client sections to specify
the source IP addresses and the corresponding virtual server. However, I
don't seem to find a way to identify tenants if the incoming traffic is
from the same proxy server.
I am running out of options and hoping that you may share your experience
or suggestions.
thank you very much
Cecil
6
17
Hello everyone,
I’m currently setting up a freeradius, and i would need some information on how to setup EAP-TTLS-PAP for a wired usage. Users will be identified via an LDAP database on the accounting will by via MySQL.
I already understood how works EAP-TTLS and how to set it as the default_eap_type, but it is mainly for the PAP part, do i have to configure it myself in /etc/raddb/mods-enabled/eap in the ttls section, if so, what do i have to activate ? , or is it default-activated without having to configure it, otherwise where do i have to configure it ?
Also, do i necessarily need to have 2 servers enabled in the module /etc/raddb/sites-enabled/, or can i have just one configured ?
Could i communicate in PAP with my MySQL database, or do i have to authorize another protcol of communication ?
Thank you all for your help,
Florent VERCOURT
2
1
Hi there,
Need some help with using freeradius as a proxy to two radius server pools.
The requirement is like below:
* There are two server pools, identified with host names: primary.radius.myorg.com and secondary.radius.myorg.com.
* DNS request to the two host names returns the IP addresses of several servers in the pool in a round robin fashion, i.e, “host primary.radius.myorg.com” command returns 3 IP addresses.
* IP address of each server may get changed. Need to honor DNS TTL timer.
* All auth requests should be directed to the hosts in the primary pool round robin, and only fail over to the secondary if all hosts behind the primary are unresponsive.
Is there any way to accomplish these requirements without restarting the process? How should I create the home_server pools in proxy.conf to do this?
Thanks,
Yushu
3
5
Hello,
System version: Centos linux release 7.9.2009
Radius version: Freeradius-server-3.0.21 source code compilation and installation
Routing: MikroTik v 6.48.6
I want to replace the certificate generated by Freeradius with the certificate made by "MikroTik".
Let me introduce the process of replacing the certificate, enter the certificate directory, use "$ rm -f *.pem *.der *.csr *.crt *.key *.p12 serial* index.txt*", delete the old certificate, Use SFTP to upload the certificate file produced by MikroTik and convert it into a certificate file with the corresponding name and format. The uploaded certificate category is shown in the screenshot below, and the final debugging output will report an error.
Where am I doing wrong?
Best regards
}
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on proxy address * port 51441
Listening on proxy address :: port 40927
Ready to process requests
Ready to process requests
Signalled to terminate
Exiting normally
[root@myradius e_zhangiso]# cd /usr/local/etc/raddb/certs/
[root@myradius certs]# ls
01.pem ca.der index.txt Makefile server.cnf server.pem
02.pem ca.key index.txt.attr passwords.mk server.crt xpextensions
bootstrap ca.pem index.txt.attr.old README server.csr
ca.cnf client.cnf index.txt.old serial server.key
ca.crl dh inner-server.cnf serial.old server.p12
[root@myradius certs]# rm -f *.pem *.der *.csr *.crt *.key *.p12 serial* index.txt*
[root@myradius certs]# ls
bootstrap ca.crl dh Makefile README xpextensions
ca.cnf client.cnf inner-server.cnf passwords.mk server.cnf
[root@myradius certs]# ls
bootstrap ca.crt client.cnf Makefile server.cnf server.p12
ca.cnf ca.key dh passwords.mk server.crt server.pem
ca.crl ca.pem inner-server.cnf README server.key xpextensions
[root@myradius certs]# radiusd -X
FreeRADIUS Version 3.0.21
Copyright (C) 1999-2019 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/local/share/freeradius/dictionary
including dictionary file /usr/local/share/freeradius/dictionary.dhcp
including dictionary file /usr/local/share/freeradius/dictionary.vqp
including dictionary file /usr/local/etc/raddb/dictionary
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf
including files in directory /usr/local/etc/raddb/mods-enabled/
including configuration file /usr/local/etc/raddb/mods-enabled/always
including configuration file /usr/local/etc/raddb/mods-enabled/attr_filter
including configuration file /usr/local/etc/raddb/mods-enabled/cache_eap
including configuration file /usr/local/etc/raddb/mods-enabled/chap
including configuration file /usr/local/etc/raddb/mods-enabled/date
including configuration file /usr/local/etc/raddb/mods-enabled/detail
including configuration file /usr/local/etc/raddb/mods-enabled/detail.log
including configuration file /usr/local/etc/raddb/mods-enabled/digest
including configuration file /usr/local/etc/raddb/mods-enabled/dynamic_clients
including configuration file /usr/local/etc/raddb/mods-enabled/eap
including configuration file /usr/local/etc/raddb/mods-enabled/echo
including configuration file /usr/local/etc/raddb/mods-enabled/exec
including configuration file /usr/local/etc/raddb/mods-enabled/expiration
including configuration file /usr/local/etc/raddb/mods-enabled/expr
including configuration file /usr/local/etc/raddb/mods-enabled/files
including configuration file /usr/local/etc/raddb/mods-enabled/linelog
including configuration file /usr/local/etc/raddb/mods-enabled/logintime
including configuration file /usr/local/etc/raddb/mods-enabled/mschap
including configuration file /usr/local/etc/raddb/mods-enabled/ntlm_auth
including configuration file /usr/local/etc/raddb/mods-enabled/pap
including configuration file /usr/local/etc/raddb/mods-enabled/passwd
including configuration file /usr/local/etc/raddb/mods-enabled/preprocess
including configuration file /usr/local/etc/raddb/mods-enabled/radutmp
including configuration file /usr/local/etc/raddb/mods-enabled/realm
including configuration file /usr/local/etc/raddb/mods-enabled/replicate
including configuration file /usr/local/etc/raddb/mods-enabled/soh
including configuration file /usr/local/etc/raddb/mods-enabled/sradutmp
including configuration file /usr/local/etc/raddb/mods-enabled/unix
including configuration file /usr/local/etc/raddb/mods-enabled/unpack
including configuration file /usr/local/etc/raddb/mods-enabled/utf8
including files in directory /usr/local/etc/raddb/policy.d/
including configuration file /usr/local/etc/raddb/policy.d/abfab-tr
including configuration file /usr/local/etc/raddb/policy.d/accounting
including configuration file /usr/local/etc/raddb/policy.d/canonicalization
including configuration file /usr/local/etc/raddb/policy.d/control
including configuration file /usr/local/etc/raddb/policy.d/cui
including configuration file /usr/local/etc/raddb/policy.d/debug
including configuration file /usr/local/etc/raddb/policy.d/dhcp
including configuration file /usr/local/etc/raddb/policy.d/eap
including configuration file /usr/local/etc/raddb/policy.d/filter
including configuration file /usr/local/etc/raddb/policy.d/moonshot-targeted-ids
including configuration file /usr/local/etc/raddb/policy.d/operator-name
including configuration file /usr/local/etc/raddb/policy.d/rfc7542
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration file /usr/local/etc/raddb/sites-enabled/default
including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel
main {
security {
allow_core_dumps = no
}
name = "radiusd"
prefix = "/usr/local"
localstatedir = "/usr/local/var"
logdir = "/usr/local/var/log/radius"
run_dir = "/usr/local/var/run/radiusd"
}
main {
name = "radiusd"
prefix = "/usr/local"
localstatedir = "/usr/local/var"
sbindir = "/usr/local/sbin"
logdir = "/usr/local/var/log/radius"
run_dir = "/usr/local/var/run/radiusd"
libdir = "/usr/local/lib"
radacctdir = "/usr/local/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 16384
pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
checkrad = "/usr/local/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
colourise = yes
msg_denied = "You are already logged in - access denied"
}
resources {
}
security {
max_attributes = 200
reject_delay = 1.000000
status_server = yes
allow_vulnerable_openssl = "no"
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = <<< secret >>>
response_window = 20.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 120
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = <<< secret >>>
nas_type = "other"
proto = "*"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client localhost_ipv6 {
ipv6addr = ::1
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client socket_client {
ipaddr = 172.18.30.1
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Debugger not attached
# Creating Auth-Type = mschap
# Creating Auth-Type = digest
# Creating Auth-Type = eap
# Creating Auth-Type = PAP
# Creating Auth-Type = CHAP
# Creating Auth-Type = MS-CHAP
radiusd: #### Instantiating modules ####
modules {
# Loaded module rlm_always
# Loading module "reject" from file /usr/local/etc/raddb/mods-enabled/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
# Loading module "fail" from file /usr/local/etc/raddb/mods-enabled/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
# Loading module "ok" from file /usr/local/etc/raddb/mods-enabled/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
# Loading module "handled" from file /usr/local/etc/raddb/mods-enabled/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
# Loading module "invalid" from file /usr/local/etc/raddb/mods-enabled/always
always invalid {
rcode = "invalid"
simulcount = 0
mpp = no
}
# Loading module "userlock" from file /usr/local/etc/raddb/mods-enabled/always
always userlock {
rcode = "userlock"
simulcount = 0
mpp = no
}
# Loading module "notfound" from file /usr/local/etc/raddb/mods-enabled/always
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
# Loading module "noop" from file /usr/local/etc/raddb/mods-enabled/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
# Loading module "updated" from file /usr/local/etc/raddb/mods-enabled/always
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
# Loaded module rlm_attr_filter
# Loading module "attr_filter.post-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.post-proxy {
filename = "/usr/local/etc/raddb/mods-config/attr_filter/post-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.pre-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.pre-proxy {
filename = "/usr/local/etc/raddb/mods-config/attr_filter/pre-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.access_reject" from file /usr/local/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_reject {
filename = "/usr/local/etc/raddb/mods-config/attr_filter/access_reject"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.access_challenge" from file /usr/local/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_challenge {
filename = "/usr/local/etc/raddb/mods-config/attr_filter/access_challenge"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.accounting_response" from file /usr/local/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.accounting_response {
filename = "/usr/local/etc/raddb/mods-config/attr_filter/accounting_response"
key = "%{User-Name}"
relaxed = no
}
# Loaded module rlm_cache
# Loading module "cache_eap" from file /usr/local/etc/raddb/mods-enabled/cache_eap
cache cache_eap {
driver = "rlm_cache_rbtree"
key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
ttl = 15
max_entries = 0
epoch = 0
add_stats = no
}
# Loaded module rlm_chap
# Loading module "chap" from file /usr/local/etc/raddb/mods-enabled/chap
# Loaded module rlm_date
# Loading module "date" from file /usr/local/etc/raddb/mods-enabled/date
date {
format = "%b %e %Y %H:%M:%S %Z"
utc = no
}
# Loading module "wispr2date" from file /usr/local/etc/raddb/mods-enabled/date
date wispr2date {
format = "%Y-%m-%dT%H:%M:%S"
utc = no
}
# Loaded module rlm_detail
# Loading module "detail" from file /usr/local/etc/raddb/mods-enabled/detail
detail {
filename = "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "auth_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
detail auth_log {
filename = "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "reply_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
detail reply_log {
filename = "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "pre_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
detail pre_proxy_log {
filename = "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "post_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
detail post_proxy_log {
filename = "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_digest
# Loading module "digest" from file /usr/local/etc/raddb/mods-enabled/digest
# Loaded module rlm_dynamic_clients
# Loading module "dynamic_clients" from file /usr/local/etc/raddb/mods-enabled/dynamic_clients
# Loaded module rlm_eap
# Loading module "eap" from file /usr/local/etc/raddb/mods-enabled/eap
eap {
default_eap_type = "md5"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 16384
}
# Loaded module rlm_exec
# Loading module "echo" from file /usr/local/etc/raddb/mods-enabled/echo
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
}
# Loading module "exec" from file /usr/local/etc/raddb/mods-enabled/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
# Loaded module rlm_expiration
# Loading module "expiration" from file /usr/local/etc/raddb/mods-enabled/expiration
# Loaded module rlm_expr
# Loading module "expr" from file /usr/local/etc/raddb/mods-enabled/expr
expr {
safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
}
# Loaded module rlm_files
# Loading module "files" from file /usr/local/etc/raddb/mods-enabled/files
files {
filename = "/usr/local/etc/raddb/mods-config/files/authorize"
acctusersfile = "/usr/local/etc/raddb/mods-config/files/accounting"
preproxy_usersfile = "/usr/local/etc/raddb/mods-config/files/pre-proxy"
}
# Loaded module rlm_linelog
# Loading module "linelog" from file /usr/local/etc/raddb/mods-enabled/linelog
linelog {
filename = "/usr/local/var/log/radius/linelog"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = "This is a log message for %{User-Name}"
reference = "messages.%{%{reply:Packet-Type}:-default}"
}
# Loading module "log_accounting" from file /usr/local/etc/raddb/mods-enabled/linelog
linelog log_accounting {
filename = "/usr/local/var/log/radius/linelog-accounting"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = ""
reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
}
# Loaded module rlm_logintime
# Loading module "logintime" from file /usr/local/etc/raddb/mods-enabled/logintime
logintime {
minimum_timeout = 60
}
# Loaded module rlm_mschap
# Loading module "mschap" from file /usr/local/etc/raddb/mods-enabled/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
passchange {
}
allow_retry = yes
winbind_retry_with_normalised_username = no
}
# Loading module "ntlm_auth" from file /usr/local/etc/raddb/mods-enabled/ntlm_auth
exec ntlm_auth {
wait = yes
program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
shell_escape = yes
}
# Loaded module rlm_pap
# Loading module "pap" from file /usr/local/etc/raddb/mods-enabled/pap
pap {
normalise = yes
}
# Loaded module rlm_passwd
# Loading module "etc_passwd" from file /usr/local/etc/raddb/mods-enabled/passwd
passwd etc_passwd {
filename = "/etc/passwd"
format = "*User-Name:Crypt-Password:"
delimiter = ":"
ignore_nislike = no
ignore_empty = yes
allow_multiple_keys = no
hash_size = 100
}
# Loaded module rlm_preprocess
# Loading module "preprocess" from file /usr/local/etc/raddb/mods-enabled/preprocess
preprocess {
huntgroups = "/usr/local/etc/raddb/mods-config/preprocess/huntgroups"
hints = "/usr/local/etc/raddb/mods-config/preprocess/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
# Loaded module rlm_radutmp
# Loading module "radutmp" from file /usr/local/etc/raddb/mods-enabled/radutmp
radutmp {
filename = "/usr/local/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 384
caller_id = yes
}
# Loaded module rlm_realm
# Loading module "IPASS" from file /usr/local/etc/raddb/mods-enabled/realm
realm IPASS {
format = "prefix"
delimiter = "/"
ignore_default = no
ignore_null = no
}
# Loading module "suffix" from file /usr/local/etc/raddb/mods-enabled/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
# Loading module "bangpath" from file /usr/local/etc/raddb/mods-enabled/realm
realm bangpath {
format = "prefix"
delimiter = "!"
ignore_default = no
ignore_null = no
}
# Loading module "realmpercent" from file /usr/local/etc/raddb/mods-enabled/realm
realm realmpercent {
format = "suffix"
delimiter = "%"
ignore_default = no
ignore_null = no
}
# Loading module "ntdomain" from file /usr/local/etc/raddb/mods-enabled/realm
realm ntdomain {
format = "prefix"
delimiter = "\\"
ignore_default = no
ignore_null = no
}
# Loaded module rlm_replicate
# Loading module "replicate" from file /usr/local/etc/raddb/mods-enabled/replicate
# Loaded module rlm_soh
# Loading module "soh" from file /usr/local/etc/raddb/mods-enabled/soh
soh {
dhcp = yes
}
# Loading module "sradutmp" from file /usr/local/etc/raddb/mods-enabled/sradutmp
radutmp sradutmp {
filename = "/usr/local/var/log/radius/sradutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 420
caller_id = no
}
# Loaded module rlm_unix
# Loading module "unix" from file /usr/local/etc/raddb/mods-enabled/unix
unix {
radwtmp = "/usr/local/var/log/radius/radwtmp"
}
Creating attribute Unix-Group
# Loaded module rlm_unpack
# Loading module "unpack" from file /usr/local/etc/raddb/mods-enabled/unpack
# Loaded module rlm_utf8
# Loading module "utf8" from file /usr/local/etc/raddb/mods-enabled/utf8
instantiate {
}
# Instantiating module "reject" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "fail" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "ok" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "handled" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "invalid" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "userlock" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "notfound" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "noop" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "updated" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "attr_filter.post-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter
reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/post-proxy
# Instantiating module "attr_filter.pre-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter
reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/pre-proxy
# Instantiating module "attr_filter.access_reject" from file /usr/local/etc/raddb/mods-enabled/attr_filter
reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/access_reject
# Instantiating module "attr_filter.access_challenge" from file /usr/local/etc/raddb/mods-enabled/attr_filter
reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/access_challenge
# Instantiating module "attr_filter.accounting_response" from file /usr/local/etc/raddb/mods-enabled/attr_filter
reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/accounting_response
# Instantiating module "cache_eap" from file /usr/local/etc/raddb/mods-enabled/cache_eap
rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked
# Instantiating module "detail" from file /usr/local/etc/raddb/mods-enabled/detail
# Instantiating module "auth_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output
# Instantiating module "reply_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
# Instantiating module "pre_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
# Instantiating module "post_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
# Instantiating module "eap" from file /usr/local/etc/raddb/mods-enabled/eap
# Linked to sub-module rlm_eap_md5
# Linked to sub-module rlm_eap_leap
# Linked to sub-module rlm_eap_gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
# Linked to sub-module rlm_eap_tls
tls {
tls = "tls-common"
}
tls-config tls-common {
verify_depth = 0
ca_path = "/usr/local/etc/raddb/certs"
pem_file_type = yes
private_key_file = "/usr/local/etc/raddb/certs/server.pem"
certificate_file = "/usr/local/etc/raddb/certs/server.pem"
ca_file = "/usr/local/etc/raddb/certs/ca.pem"
private_key_password = <<< secret >>>
dh_file = "/usr/local/etc/raddb/certs/dh"
fragment_size = 1024
include_length = yes
auto_chain = yes
check_crl = no
check_all_crl = no
cipher_list = "DEFAULT"
cipher_server_preference = no
ecdh_curve = "prime256v1"
disable_tlsv1 = yes
disable_tlsv1_1 = yes
tls_max_version = "1.2"
tls_min_version = "1.2"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
skip_if_ocsp_ok = no
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = no
}
}
tls: Failed reading private key file "/usr/local/etc/raddb/certs/server.pem"
tls: error:0906D06C:PEM routines:PEM_read_bio:no start line
tls: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib
rlm_eap_tls: Failed initializing SSL context
rlm_eap (EAP): Failed to initialise rlm_eap_tls
/usr/local/etc/raddb/mods-enabled/eap[14]: Instantiation failed for module "eap"
[root@myradius certs]#
2
1
Hi, I'm having a behavior that I don't fully understand when using proxy
timers. I am using radclient to do the tests and I find that if radclient
sends, for example, 3 retransmissions (timeout) the timers do not add up.
I have the following configuration for home_server:
response_window = 20
zombie_period = 40
check_interval = 30
num_answers_to_alive = 3
fail no response no
response
------>|-------------------------------->|---------------------------------->|--------------------
req. response_window zombie_period
(dead)
20s 40s
The part that doesn't work for me is the response_window, if only one
request is sent with radclient it goes well, the problem comes if more are
sent, I add the debug:
(0) Mon Jun 13 13:02:59 2022: Debug: Received Access-Request Id 205 from
127.0.0.1:60690 to 127.0.0.1:1812 length 236
(0) Mon Jun 13 13:02:59 2022: Debug: User-Name = "000a0b0c0d0f"
...
(0) Mon Jun 13 13:02:59 2022: Debug: NAS-IP-Address = 10.10.36.50
(0) Mon Jun 13 13:02:59 2022: Debug: # Executing section authorize from
file /etc/raddb/sites-enabled/default
(0) Mon Jun 13 13:02:59 2022: Debug: authorize {
...
(0) Mon Jun 13 13:02:59 2022: Debug: } # authorize = updated
(0) Mon Jun 13 13:02:59 2022: Debug: Starting proxy to home server
10.10.39.211 port 1812
(0) Mon Jun 13 13:02:59 2022: Debug: server default {
(0) Mon Jun 13 13:02:59 2022: Debug: }
(0) Mon Jun 13 13:02:59 2022: Debug: Sent Access-Request Id 145 from
0.0.0.0:42987 to 10.10.39.211:1812 length 237
(0) Mon Jun 13 13:02:59 2022: Debug: User-Name = "000a0b0c0d0f"
...
(0) Mon Jun 13 13:02:59 2022: Debug: Proxy-State = 0x323035
(0) Mon Jun 13 13:02:59 2022: Debug: Expecting proxy response no later than
19.673084 seconds from now
(0) Mon Jun 13 13:03:04 2022: Debug: Sending duplicate proxied request to
home server 10.10.39.211 port 1812 - ID: 145
(0) Mon Jun 13 13:03:04 2022: Debug: Sent Access-Request Id 145 from
0.0.0.0:42987 to 10.10.39.211:1812 length 237
(0) Mon Jun 13 13:03:04 2022: Debug: User-Name = "000a0b0c0d0f"
...
(0) Mon Jun 13 13:03:04 2022: Debug: Event-Timestamp = "Jun 13 2022
13:02:59 CEST"
(0) Mon Jun 13 13:03:04 2022: Debug: Proxy-State = 0x323035
(0) Mon Jun 13 13:03:09 2022: Debug: Sending duplicate proxied request to
home server 10.10.39.211 port 1812 - ID: 145
(0) Mon Jun 13 13:03:09 2022: Debug: Sent Access-Request Id 145 from
0.0.0.0:42987 to 10.10.39.211:1812 length 237
(0) Mon Jun 13 13:03:09 2022: Debug: User-Name = "000a0b0c0d0f"
...
(0) Mon Jun 13 13:03:09 2022: Debug: Event-Timestamp = "Jun 13 2022
13:02:59 CEST"
(0) Mon Jun 13 13:03:09 2022: Debug: Proxy-State = 0x323035
(0) Mon Jun 13 13:03:19 2022: Debug: Expecting proxy response no later than
9.993284 seconds from now
(0) Mon Jun 13 13:03:29 2022: Debug: No proxy response, giving up on
request and marking it done
(0) Mon Jun 13 13:03:29 2022: ERROR: Failing proxied request for user
"000a0b0c0d0f", due to lack of any response from home server 10.10.39.211
port 1812
(0) Mon Jun 13 13:03:29 2022: Debug: Clearing existing &reply: attributes
(0) Mon Jun 13 13:03:29 2022: Debug: Found Post-Proxy-Type
Fail-Authentication
(0) Mon Jun 13 13:03:29 2022: Debug: server default {
(0) Mon Jun 13 13:03:29 2022: Debug: # Executing group from file
/etc/raddb/sites-enabled/default
(0) Mon Jun 13 13:03:29 2022: Debug: Post-Proxy-Type
Fail-Authentication {
(0) Mon Jun 13 13:03:29 2022: Debug: policy accept {
(0) Mon Jun 13 13:03:29 2022: Debug: update control {
(0) Mon Jun 13 13:03:29 2022: Debug: } # update control = noop
(0) Mon Jun 13 13:03:29 2022: Debug: [handled] = handled
(0) Mon Jun 13 13:03:29 2022: Debug: } # policy accept = handled
(0) Mon Jun 13 13:03:29 2022: Debug: } # Post-Proxy-Type
Fail-Authentication = handled
(0) Mon Jun 13 13:03:29 2022: Debug: }
(0) Mon Jun 13 13:03:29 2022: Debug: # Executing section post-auth from
file /etc/raddb/sites-enabled/default
(0) Mon Jun 13 13:03:29 2022: Debug: Sent Access-Accept Id 205 from
127.0.0.1:1812 to 127.0.0.1:60690 length 0
(0) Mon Jun 13 13:03:29 2022: Debug: Finished request
(0) Mon Jun 13 13:03:34 2022: Debug: Cleaning up request packet ID 205 with
timestamp +7
I can see in the first request that the timer starts at 20s (13:02:59) but
when I receive the third request, the timer has 10s left (13:03:19) when it
should have finished, right?
What are these extra 10s due to? Thanks!
2
5
Hello,
System version: Centos linux release 7.9.2009
Radius version: Freeradius-server-3.0.21 source code compilation and installation
Routing: MikroTik v 6.48.6
As shown in the image below, the certificate with the red box is created by Freeradius and imported into MikroTik, with the "MikroTik" flag, created for the router itself.
As can be seen from the comparison in the figure, the certificate created by Freeradius and imported into MikroTik is relative to the certificate created by the router itself, and there are no relevant parameters in the red box.
1. Is it normal that there is no "Key Usage" in the ca certificate? If not, how to modify ca.cnf?
2. Is it normal that the CA item in the status of the server certificate is empty? In addition, how to modify server.cnf and add the DNS parameter in "Subject Alt. Name"?
Best regards
1
0