Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
- 12 participants
- 27047 discussions
Hi,
I'm trying to use acct_unique from the default accounting policy with FR
3.0.13:
acct_unique {
update request {
&Tmp-String-9 := "${policy.class_value_prefix}"
}
if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && \
("%{string:&Class}" =~
/^${policy.class_value_prefix}([0-9a-f]{32})/i)) {
update request {
&Acct-Unique-Session-Id := "%{md5:%{1},%{Acct-Session-ID}}"
}
}
else {
update request {
&Acct-Unique-Session-Id :=
"%{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},
%{NAS-Port}}"
}
}
}
Currently I already use the Class attribute to deliver some QoS, and so
this policy doesn't work. Any hint to modify it to manage multi value
Class atttibute?
Thanks,
Andrea
--
----------------------------------------------------------------
Hit any user to continue.
----------------------------------------------------------------
Ing. Andrea Gabellini
Email: andrea.gabellini(a)telecomitalia.sm
Skype: andreagabellini
Tel: (+378) 0549 886111
Fax: (+378) 0549 886188
Telecom Italia San Marino S.p.A.
Via XXVIII Luglio, 212 - Piano -2
47893 Borgo Maggiore
Republic of San Marino
http://www.telecomitalia.sm
2
8
(5) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
by jaseywang 27 Mar '17
by jaseywang 27 Mar '17
27 Mar '17
I need to use radius as the backend of pptp vpn for auth/login/accounting
etc. and I try to figure it out with the help of this doc:
http://www.sajithpn.com/2016/08/centos-7-installing-pptp-freeradius.html
freeradius:
# rpm -qa | grep radius
freeradius-3.0.4-7.el7_3.x86_64
radiusclient-ng-0.5.6-9.el7.x86_64
freeradius-utils-3.0.4-7.el7_3.x86_64
freeradius-mysql-3.0.4-7.el7_3.x86_64
with daloradius-0.9.9 as the web interface, both running on localhost, the
system is centos 7.2.
I use daloradius to add a new user wyx1(cleartext-password), and it passed
"test user connectivity" test, below is the daloradius/radtest and radiusd
-X output:
daloradius output:
*Executed:*
echo "User-Name='wyx1',User-Password='wyx1'" | radclient -c '1' -n '3' -r
'3' -t '3' -x '127.0.0.1:1812' 'auth' 'testing123' 2>&1
*Results:*
Sending Access-Request Id 12 from 0.0.0.0:33948 to 127.0.0.1:1812
User-Name = 'wyx1'
User-Password = 'wyx1'
Received Access-Accept Id 12 from 127.0.0.1:1812 to 127.0.0.1:33948 length
20
radtest output:
# radtest wyx1 wyx1 127.0.0.1 0 testing123
Sending Access-Request Id 127 from 0.0.0.0:38206 to 127.0.0.1:1812
User-Name = 'wyx1'
User-Password = 'wyx1'
NAS-IP-Address = 10.44.55.2
NAS-Port = 0
Message-Authenticator = 0x00
Received Access-Accept Id 127 from 127.0.0.1:1812 to 127.0.0.1:38206 length
20
radius -X output:
Received Access-Request Id 32 from 127.0.0.1:46310 to 127.0.0.1:1812 length
44
User-Name = 'wyx1'
User-Password = 'wyx1'
(6) Received Access-Request packet from host 127.0.0.1 port 46310, id=32,
length=44
(6) User-Name = 'wyx1'
(6) User-Password = 'wyx1'
(6) # Executing section authorize from file /etc/raddb/sites-enabled/default
(6) authorize {
(6) filter_username filter_username {
(6) if (!&User-Name)
(6) if (!&User-Name) -> FALSE
(6) if (&User-Name =~ / /)
(6) if (&User-Name =~ / /) -> FALSE
(6) if (&User-Name =~ /@.*@/ )
(6) if (&User-Name =~ /@.*@/ ) -> FALSE
(6) if (&User-Name =~ /\\.\\./ )
(6) if (&User-Name =~ /\\.\\./ ) -> FALSE
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/))
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/)) ->
FALSE
(6) if (&User-Name =~ /\\.$/)
(6) if (&User-Name =~ /\\.$/) -> FALSE
(6) if (&User-Name =~ /(a)\\./)
(6) if (&User-Name =~ /(a)\\./) -> FALSE
(6) } # filter_username filter_username = notfound
(6) [preprocess] = ok
(6) auth_log : EXPAND
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(6) auth_log : --> /var/log/radius/radacct/
127.0.0.1/auth-detail-20170327
(6) auth_log :
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/127.0.0.1/auth-detail-20170327
(6) auth_log : EXPAND %t
(6) auth_log : --> Mon Mar 27 00:53:15 2017
(6) [auth_log] = ok
(6) [chap] = noop
(6) [mschap] = noop
(6) [digest] = noop
(6) suffix : Checking for suffix after "@"
(6) suffix : No '@' in User-Name = "wyx1", looking up realm NULL
(6) suffix : No such realm "NULL"
(6) [suffix] = noop
(6) eap : No EAP-Message, not doing EAP
(6) [eap] = noop
(6) sql : EXPAND %{User-Name}
(6) sql : --> wyx1
(6) sql : SQL-User-Name set to 'wyx1'
rlm_sql (sql): Reserved connection (7)
(6) sql : EXPAND SELECT id, username, attribute, value, op FROM radcheck
WHERE username = '%{SQL-User-Name}' ORDER BY id
(6) sql : --> SELECT id, username, attribute, value, op FROM radcheck
WHERE username = 'wyx1' ORDER BY id
rlm_sql (sql): Executing query: 'SELECT id, username, attribute, value, op
FROM radcheck WHERE username = 'wyx1' ORDER BY id'
(6) sql : User found in radcheck table
(6) sql : Check items matched
(6) sql : EXPAND SELECT id, username, attribute, value, op FROM radreply
WHERE username = '%{SQL-User-Name}' ORDER BY id
(6) sql : --> SELECT id, username, attribute, value, op FROM radreply
WHERE username = 'wyx1' ORDER BY id
rlm_sql (sql): Executing query: 'SELECT id, username, attribute, value, op
FROM radreply WHERE username = 'wyx1' ORDER BY id'
(6) sql : EXPAND SELECT groupname FROM radusergroup WHERE username =
'%{SQL-User-Name}' ORDER BY priority
(6) sql : --> SELECT groupname FROM radusergroup WHERE username =
'wyx1' ORDER BY priority
rlm_sql (sql): Executing query: 'SELECT groupname FROM radusergroup WHERE
username = 'wyx1' ORDER BY priority'
(6) sql : User not found in any groups
rlm_sql (sql): Released connection (7)
rlm_sql (sql): 0 of 3 connections in use. Need more spares
rlm_sql (sql): Opening additional connection (8)
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql (sql): Closing connection (6): Hit idle_timeout, was idle for 933
seconds
rlm_sql (sql): You probably need to lower "min"
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): Closing connection (5): Hit idle_timeout, was idle for 967
seconds
rlm_sql (sql): You probably need to lower "min"
rlm_sql_mysql: Socket destructor called, closing socket
(6) [sql] = ok
(6) [expiration] = noop
(6) [logintime] = noop
(6) [pap] = updated
(6) } # authorize = updated
(6) Found Auth-Type = PAP
(6) # Executing group from file /etc/raddb/sites-enabled/default
(6) Auth-Type PAP {
(6) pap : Login attempt with password
(6) pap : User authenticated successfully
(6) [pap] = ok
(6) } # Auth-Type PAP = ok
(6) # Executing section post-auth from file /etc/raddb/sites-enabled/default
(6) post-auth {
(6) reply_log : EXPAND
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d
(6) reply_log : --> /var/log/radius/radacct/
127.0.0.1/reply-detail-20170327
(6) reply_log :
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d
expands to /var/log/radius/radacct/127.0.0.1/reply-detail-20170327
(6) reply_log : EXPAND %t
(6) reply_log : --> Mon Mar 27 00:53:15 2017
(6) [reply_log] = ok
(6) sql : EXPAND .query
(6) sql : --> .query
(6) sql : Using query template 'query'
rlm_sql (sql): Reserved connection (8)
(6) sql : EXPAND %{User-Name}
(6) sql : --> wyx1
(6) sql : SQL-User-Name set to 'wyx1'
(6) sql : EXPAND INSERT INTO radpostauth (username, pass, reply, authdate)
VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}',
'%{reply:Packet-Type}', '%S')
(6) sql : --> INSERT INTO radpostauth (username, pass, reply, authdate)
VALUES ( 'wyx1', 'wyx1', 'Access-Accept', '2017-03-27 00:53:15')
rlm_sql (sql): Executing query: 'INSERT INTO radpostauth (username, pass,
reply, authdate) VALUES ( 'wyx1', 'wyx1', 'Access-Accept', '2017-03-27
00:53:15')'
rlm_sql (sql): Released connection (8)
(6) [sql] = ok
(6) [exec] = noop
(6) remove_reply_message_if_eap remove_reply_message_if_eap {
(6) if (&reply:EAP-Message && &reply:Reply-Message)
(6) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(6) else else {
(6) [noop] = noop
(6) } # else else = noop
(6) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop
(6) } # post-auth = ok
(6) Sending Access-Accept packet to host 127.0.0.1 port 46310, id=32,
length=0
Sending Access-Accept Id 32 from 127.0.0.1:1812 to 127.0.0.1:46310
(6) Finished request
Waking up in 0.3 seconds.
Waking up in 4.6 seconds.
(6) Cleaning up request packet ID 32 with timestamp +1053
Ready to process requests
Now, everything seems fine.
But when I use the same account to connect the pptp server, it
says Authentication failed:
Received Access-Request Id 232 from 127.0.0.1:39104 to 127.0.0.1:1812
length 65
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = 'wyx1'
Calling-Station-Id = '117.73.147.49'
NAS-IP-Address = 10.44.55.2
NAS-Port = 0
(7) Received Access-Request packet from host 127.0.0.1 port 39104, id=232,
length=65
(7) Service-Type = Framed-User
(7) Framed-Protocol = PPP
(7) User-Name = 'wyx1'
(7) Calling-Station-Id = '117.73.147.49'
(7) NAS-IP-Address = 10.44.55.2
(7) NAS-Port = 0
(7) # Executing section authorize from file /etc/raddb/sites-enabled/default
(7) authorize {
(7) filter_username filter_username {
(7) if (!&User-Name)
(7) if (!&User-Name) -> FALSE
(7) if (&User-Name =~ / /)
(7) if (&User-Name =~ / /) -> FALSE
(7) if (&User-Name =~ /@.*@/ )
(7) if (&User-Name =~ /@.*@/ ) -> FALSE
(7) if (&User-Name =~ /\\.\\./ )
(7) if (&User-Name =~ /\\.\\./ ) -> FALSE
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/))
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/)) ->
FALSE
(7) if (&User-Name =~ /\\.$/)
(7) if (&User-Name =~ /\\.$/) -> FALSE
(7) if (&User-Name =~ /(a)\\./)
(7) if (&User-Name =~ /(a)\\./) -> FALSE
(7) } # filter_username filter_username = notfound
(7) [preprocess] = ok
(7) auth_log : EXPAND
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(7) auth_log : --> /var/log/radius/radacct/
127.0.0.1/auth-detail-20170327
(7) auth_log :
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/127.0.0.1/auth-detail-20170327
(7) auth_log : EXPAND %t
(7) auth_log : --> Mon Mar 27 00:56:06 2017
(7) [auth_log] = ok
(7) [chap] = noop
(7) [mschap] = noop
(7) [digest] = noop
(7) suffix : Checking for suffix after "@"
(7) suffix : No '@' in User-Name = "wyx1", looking up realm NULL
(7) suffix : No such realm "NULL"
(7) [suffix] = noop
(7) eap : No EAP-Message, not doing EAP
(7) [eap] = noop
(7) sql : EXPAND %{User-Name}
(7) sql : --> wyx1
(7) sql : SQL-User-Name set to 'wyx1'
rlm_sql (sql): Reserved connection (8)
(7) sql : EXPAND SELECT id, username, attribute, value, op FROM radcheck
WHERE username = '%{SQL-User-Name}' ORDER BY id
(7) sql : --> SELECT id, username, attribute, value, op FROM radcheck
WHERE username = 'wyx1' ORDER BY id
rlm_sql (sql): Executing query: 'SELECT id, username, attribute, value, op
FROM radcheck WHERE username = 'wyx1' ORDER BY id'
(7) sql : User found in radcheck table
(7) sql : Check items matched
(7) sql : EXPAND SELECT id, username, attribute, value, op FROM radreply
WHERE username = '%{SQL-User-Name}' ORDER BY id
(7) sql : --> SELECT id, username, attribute, value, op FROM radreply
WHERE username = 'wyx1' ORDER BY id
rlm_sql (sql): Executing query: 'SELECT id, username, attribute, value, op
FROM radreply WHERE username = 'wyx1' ORDER BY id'
(7) sql : EXPAND SELECT groupname FROM radusergroup WHERE username =
'%{SQL-User-Name}' ORDER BY priority
(7) sql : --> SELECT groupname FROM radusergroup WHERE username =
'wyx1' ORDER BY priority
rlm_sql (sql): Executing query: 'SELECT groupname FROM radusergroup WHERE
username = 'wyx1' ORDER BY priority'
(7) sql : User not found in any groups
rlm_sql (sql): Released connection (8)
rlm_sql (sql): 0 of 2 connections in use. Need more spares
rlm_sql (sql): Opening additional connection (9)
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql (sql): Closing connection (7): Hit idle_timeout, was idle for 171
seconds
rlm_sql (sql): You probably need to lower "min"
rlm_sql_mysql: Socket destructor called, closing socket
(7) [sql] = ok
(7) [expiration] = noop
(7) [logintime] = noop
(7) pap : No cleartext password in the request. Not performing PAP
(7) [pap] = noop
(7) } # authorize = ok
(7) WARNING: Please update your configuration, and remove 'Auth-Type =
Local'
(7) WARNING: Use the PAP or CHAP modules instead
(7) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type =
Reject
(7) Failed to authenticate the user
(7) Using Post-Auth-Type Reject
(7) # Executing group from file /etc/raddb/sites-enabled/default
(7) Post-Auth-Type REJECT {
(7) sql : EXPAND .query
(7) sql : --> .query
(7) sql : Using query template 'query'
rlm_sql (sql): Reserved connection (9)
(7) sql : EXPAND %{User-Name}
(7) sql : --> wyx1
(7) sql : SQL-User-Name set to 'wyx1'
(7) sql : EXPAND INSERT INTO radpostauth (username, pass, reply, authdate)
VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}',
'%{reply:Packet-Type}', '%S')
(7) sql : --> INSERT INTO radpostauth (username, pass, reply, authdate)
VALUES ( 'wyx1', '', 'Access-Reject', '2017-03-27 00:56:06')
rlm_sql (sql): Executing query: 'INSERT INTO radpostauth (username, pass,
reply, authdate) VALUES ( 'wyx1', '', 'Access-Reject', '2017-03-27
00:56:06')'
rlm_sql (sql): Released connection (9)
(7) [sql] = ok
(7) attr_filter.access_reject : EXPAND %{User-Name}
(7) attr_filter.access_reject : --> wyx1
(7) attr_filter.access_reject : Matched entry DEFAULT at line 11
(7) [attr_filter.access_reject] = updated
(7) eap : Request didn't contain an EAP-Message, not inserting EAP-Failure
(7) [eap] = noop
(7) remove_reply_message_if_eap remove_reply_message_if_eap {
(7) if (&reply:EAP-Message && &reply:Reply-Message)
(7) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(7) else else {
(7) [noop] = noop
(7) } # else else = noop
(7) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop
(7) } # Post-Auth-Type REJECT = updated
(7) Delaying response for 1 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(7) Sending delayed response
(7) Sending Access-Reject packet to host 127.0.0.1 port 39104, id=232,
length=0
Sending Access-Reject Id 232 from 127.0.0.1:1812 to 127.0.0.1:39104
Waking up in 3.9 seconds.
(7) Cleaning up request packet ID 232 with timestamp +1224
Ready to process requests
And the responding pptp log:
Mar 27 00:56:06 iZ2597ft3dqZ pptpd[23202]: CTRL: Client control connection
started
Mar 27 00:56:06 iZ2597ft3dqZ pptpd[23202]: CTRL: Starting call (launching
pppd, opening GRE)
Mar 27 00:56:06 iZ2597ft3dqZ pppd[23203]: Plugin radius.so loaded.
Mar 27 00:56:06 iZ2597ft3dqZ pppd[23203]: RADIUS plugin initialized.
Mar 27 00:56:06 iZ2597ft3dqZ pppd[23203]: Plugin radattr.so loaded.
Mar 27 00:56:06 iZ2597ft3dqZ pppd[23203]: RADATTR plugin initialized.
Mar 27 00:56:06 iZ2597ft3dqZ pppd[23203]: Plugin
/usr/lib64/pptpd/pptpd-logwtmp.so loaded.
Mar 27 00:56:06 iZ2597ft3dqZ pppd[23203]: pptpd-logwtmp: $Version$
Mar 27 00:56:06 iZ2597ft3dqZ pppd[23203]: pppd 2.4.5 started by root, uid 0
Mar 27 00:56:06 iZ2597ft3dqZ pppd[23203]: Using interface ppp0
Mar 27 00:56:06 iZ2597ft3dqZ pppd[23203]: Connect: ppp0 <--> /dev/pts/0
Mar 27 00:56:06 iZ2597ft3dqZ pppd[23203]: rc_avpair_new: unknown attribute
11
Mar 27 00:56:06 iZ2597ft3dqZ pppd[23203]: rc_avpair_new: unknown attribute
25
Mar 27 00:56:07 iZ2597ft3dqZ pppd[23203]: Peer wyx1 failed CHAP
authentication
Mar 27 00:56:07 iZ2597ft3dqZ pptpd[23202]: CTRL: EOF or bad error reading
ctrl packet length.
Mar 27 00:56:07 iZ2597ft3dqZ pptpd[23202]: CTRL: couldn't read packet
header (exit)
Mar 27 00:56:07 iZ2597ft3dqZ pptpd[23202]: CTRL: CTRL read failed
Mar 27 00:56:07 iZ2597ft3dqZ pppd[23203]: Modem hangup
Mar 27 00:56:07 iZ2597ft3dqZ pppd[23203]: Connection terminated.
Mar 27 00:56:07 iZ2597ft3dqZ pppd[23203]: Exit.
Mar 27 00:56:07 iZ2597ft3dqZ pptpd[23202]: CTRL: Client control connection
finished
config file:
# cat /etc/raddb/clients.conf:
client localhost {
ipaddr = 127.0.0.1
proto = *
secret = testing123
require_message_authenticator = no
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client localhost_ipv6 {
ipv6addr = ::1
secret = testing123
}
# cat /etc/raddb/radiusd.conf
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = /usr/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
name = radiusd
confdir = ${raddbdir}
modconfdir = ${confdir}/mods-config
certdir = ${confdir}/certs
cadir = ${confdir}/certs
run_dir = ${localstatedir}/run/${name}
db_dir = ${localstatedir}/lib/radiusd
libdir = /usr/lib64/freeradius
pidfile = ${run_dir}/${name}.pid
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
hostname_lookups = no
log {
destination = files
colourise = yes
file = ${logdir}/radius.log
syslog_facility = daemon
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
msg_denied = "You are already logged in - access denied"
}
checkrad = ${sbindir}/checkrad
security {
user = radiusd
group = radiusd
allow_core_dumps = no
max_attributes = 200
reject_delay = 1
status_server = yes
}
proxy_requests = yes
$INCLUDE proxy.conf
$INCLUDE clients.conf
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
auto_limit_acct = no
}
modules {
$INCLUDE mods-enabled/
}
instantiate {
}
policy {
$INCLUDE policy.d/
}
$INCLUDE sites-enabled/
cat /etc/raddb/users
bob Cleartext-Password := "hello"
DEFAULT Framed-Protocol == PPP
Framed-Protocol = PPP,
Framed-Compression = Van-Jacobson-TCP-IP
DEFAULT Hint == "CSLIP"
Framed-Protocol = SLIP,
Framed-Compression = Van-Jacobson-TCP-IP
DEFAULT Hint == "SLIP"
Framed-Protocol = SLIP
cat /etc/raddb/site-enabled/default
server default {
listen {
type = auth
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
ipaddr = *
port = 0
type = acct
limit {
}
}
listen {
type = auth
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
ipv6addr = ::
port = 0
type = acct
limit {
}
}
authorize {
filter_username
preprocess
auth_log
chap
mschap
digest
suffix
eap {
ok = return
}
sql
expiration
logintime
pap
}
authenticate {
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
digest
eap
}
preacct {
preprocess
acct_unique
suffix
}
accounting {
detail
unix
sql
exec
attr_filter.accounting_response
}
session {
radutmp
sql
}
post-auth {
reply_log
sql
exec
remove_reply_message_if_eap
Post-Auth-Type REJECT {
-sql
attr_filter.access_reject
eap
remove_reply_message_if_eap
}
}
pre-proxy {
}
post-proxy {
eap
}
}
# cat /etc/ppp/options.pptpd
name pptpd
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
ms-dns 8.8.8.8
ms-dns 8.8.4.4
proxyarp
debug
lock
nobsdcomp
novj
novjccomp
nologfd
plugin radius.so
plugin radattr.so
radius-config-file /etc/radiusclient-ng/radiusclient.conf
# cat /usr/share/radiusclient-ng/dictionary
# grep -v "#" dictionary | grep -v ^$
ATTRIBUTE User-Name 1 string
ATTRIBUTE Password 2 string
ATTRIBUTE CHAP-Password 3 string
ATTRIBUTE NAS-IP-Address 4 ipaddr
ATTRIBUTE NAS-Port-Id 5 integer
ATTRIBUTE Service-Type 6 integer
ATTRIBUTE Framed-Protocol 7 integer
ATTRIBUTE Framed-IP-Address 8 ipaddr
ATTRIBUTE Framed-IP-Netmask 9 ipaddr
ATTRIBUTE Framed-Routing 10 integer
ATTRIBUTE Filter-Id 11 string
ATTRIBUTE Framed-MTU 12 integer
ATTRIBUTE Framed-Compression 13 integer
ATTRIBUTE Login-IP-Host 14 ipaddr
ATTRIBUTE Login-Service 15 integer
ATTRIBUTE Login-TCP-Port 16 integer
ATTRIBUTE Reply-Message 18 string
ATTRIBUTE Callback-Number 19 string
ATTRIBUTE Callback-Id 20 string
ATTRIBUTE Framed-Route 22 string
ATTRIBUTE Framed-IPX-Network 23 ipaddr
ATTRIBUTE State 24 string
ATTRIBUTE Class 25 string
ATTRIBUTE Vendor-Specific 26 string
ATTRIBUTE Session-Timeout 27 integer
ATTRIBUTE Idle-Timeout 28 integer
ATTRIBUTE Termination-Action 29 integer
ATTRIBUTE Called-Station-Id 30 string
ATTRIBUTE Calling-Station-Id 31 string
ATTRIBUTE NAS-Identifier 32 string
ATTRIBUTE Proxy-State 33 string
ATTRIBUTE Login-LAT-Service 34 string
ATTRIBUTE Login-LAT-Node 35 string
ATTRIBUTE Login-LAT-Group 36 string
ATTRIBUTE Framed-AppleTalk-Link 37 integer
ATTRIBUTE Framed-AppleTalk-Network 38 integer
ATTRIBUTE Framed-AppleTalk-Zone 39 string
ATTRIBUTE Acct-Status-Type 40 integer
ATTRIBUTE Acct-Delay-Time 41 integer
ATTRIBUTE Acct-Input-Octets 42 integer
ATTRIBUTE Acct-Output-Octets 43 integer
ATTRIBUTE Acct-Session-Id 44 string
ATTRIBUTE Acct-Authentic 45 integer
ATTRIBUTE Acct-Session-Time 46 integer
ATTRIBUTE Acct-Input-Packets 47 integer
ATTRIBUTE Acct-Output-Packets 48 integer
ATTRIBUTE Acct-Terminate-Cause 49 integer
ATTRIBUTE Acct-Multi-Session-Id 50 string
ATTRIBUTE Acct-Link-Count 51 integer
ATTRIBUTE Event-Timestamp 55 integer
ATTRIBUTE CHAP-Challenge 60 string
ATTRIBUTE NAS-Port-Type 61 integer
ATTRIBUTE Port-Limit 62 integer
ATTRIBUTE Login-LAT-Port 63 integer
ATTRIBUTE Connect-Info 77 string
ATTRIBUTE NAS-IPv6-Address 95 string
ATTRIBUTE Framed-Interface-Id 96 string
ATTRIBUTE Framed-IPv6-Prefix 97 string
ATTRIBUTE Login-IPv6-Host 98 string
ATTRIBUTE Framed-IPv6-Route 99 string
ATTRIBUTE Framed-IPv6-Pool 100 string
ATTRIBUTE Huntgroup-Name 221 string
ATTRIBUTE User-Category 1029 string
ATTRIBUTE Group-Name 1030 string
ATTRIBUTE Simultaneous-Use 1034 integer
ATTRIBUTE Strip-User-Name 1035 integer
ATTRIBUTE Fall-Through 1036 integer
ATTRIBUTE Add-Port-To-IP-Address 1037 integer
ATTRIBUTE Exec-Program 1038 string
ATTRIBUTE Exec-Program-Wait 1039 string
ATTRIBUTE Hint 1040 string
ATTRIBUTE Expiration 21 date
ATTRIBUTE Auth-Type 1000 integer
ATTRIBUTE Menu 1001 string
ATTRIBUTE Termination-Menu 1002 string
ATTRIBUTE Prefix 1003 string
ATTRIBUTE Suffix 1004 string
ATTRIBUTE Group 1005 string
ATTRIBUTE Crypt-Password 1006 string
ATTRIBUTE Connect-Rate 1007 integer
VALUE Service-Type Login-User 1
VALUE Service-Type Framed-User 2
VALUE Service-Type Callback-Login-User 3
VALUE Service-Type Callback-Framed-User 4
VALUE Service-Type Outbound-User 5
VALUE Service-Type Administrative-User 6
VALUE Service-Type NAS-Prompt-User 7
VALUE Framed-Protocol PPP 1
VALUE Framed-Protocol SLIP 2
VALUE Framed-Routing None 0
VALUE Framed-Routing Broadcast 1
VALUE Framed-Routing Listen 2
VALUE Framed-Routing Broadcast-Listen 3
VALUE Framed-Compression None 0
VALUE Framed-Compression Van-Jacobson-TCP-IP 1
VALUE Login-Service Telnet 0
VALUE Login-Service Rlogin 1
VALUE Login-Service TCP-Clear 2
VALUE Login-Service PortMaster 3
VALUE Acct-Status-Type Start 1
VALUE Acct-Status-Type Stop 2
VALUE Acct-Status-Type Alive 3
VALUE Acct-Status-Type Accounting-On 7
VALUE Acct-Status-Type Accounting-Off 8
VALUE Acct-Authentic RADIUS 1
VALUE Acct-Authentic Local 2
VALUE Acct-Authentic PowerLink128 100
VALUE Termination-Action Default 0
VALUE Termination-Action RADIUS-Request 1
VALUE NAS-Port-Type Async 0
VALUE NAS-Port-Type Sync 1
VALUE NAS-Port-Type ISDN 2
VALUE NAS-Port-Type ISDN-V120 3
VALUE NAS-Port-Type ISDN-V110 4
VALUE Acct-Terminate-Cause User-Request 1
VALUE Acct-Terminate-Cause Lost-Carrier 2
VALUE Acct-Terminate-Cause Lost-Service 3
VALUE Acct-Terminate-Cause Idle-Timeout 4
VALUE Acct-Terminate-Cause Session-Timeout 5
VALUE Acct-Terminate-Cause Admin-Reset 6
VALUE Acct-Terminate-Cause Admin-Reboot 7
VALUE Acct-Terminate-Cause Port-Error 8
VALUE Acct-Terminate-Cause NAS-Error 9
VALUE Acct-Terminate-Cause NAS-Request 10
VALUE Acct-Terminate-Cause NAS-Reboot 11
VALUE Acct-Terminate-Cause Port-Unneeded 12
VALUE Acct-Terminate-Cause Port-Preempted 13
VALUE Acct-Terminate-Cause Port-Suspended 14
VALUE Acct-Terminate-Cause Service-Unavailable 15
VALUE Acct-Terminate-Cause Callback 16
VALUE Acct-Terminate-Cause User-Error 17
VALUE Acct-Terminate-Cause Host-Request 18
VALUE Auth-Type Local 0
VALUE Auth-Type System 1
VALUE Auth-Type SecurID 2
VALUE Auth-Type Crypt-Local 3
VALUE Auth-Type Reject 4
VALUE Auth-Type Pam 253
VALUE Auth-Type Accept 254
VALUE Fall-Through No 0
VALUE Fall-Through Yes 1
VALUE Add-Port-To-IP-Address No 0
VALUE Add-Port-To-IP-Address Yes 1
INCLUDE /usr/share/radiusclient-ng/dictionary.merit
INCLUDE /usr/share/radiusclient-ng/dictionary.microsoft
INCLUDE /usr/share/radiusclient-ng/dictionary.ascend
INCLUDE /usr/share/radiusclient-ng/dictionary.compat
I have googled a lot, but no big progress, any help is appreciated.
2
2
Hi,
iOS issues in my network aren't related with certs. I think it because TLS
tunnel was established successful. I don' understand why it happens only
iOS devices.
Alan DeKok-2
<http://freeradius.1045715.n5.nabble.com/template/NamlServlet.jtp?macro=user…>
wrote if I turned off session resumption. I've search in eap config about
"session resumption" and I've find in "cache" block. To disable session
resumption is only change attribute on "enable" field to "no" like example
below? In my case this field "enable" is "yes".
cache {
#
# Enable it. The default is "no". Deleting the
entire "cache"
# subsection also disables caching.
#
# You can disallow resumption for a particular
user by adding the
# following attribute to the control item list:
#
# Allow-Session-Resumption = No
#
# If "enable = no" below, you CANNOT enable
resumption for just one
# user by setting the above attribute to "yes".
#
#enable = yes
enable = no
Glad to your help,
1
0
>I've read a lot messages in Freeradius Forum and I continued misunderstand why iOS devices (iPhone, iPad) doesn't connect in my >WPA-Enterprise wifi network. I've installed and configured a freeradius server, version 3.0.14, over openssl 1.1.0e (both have >installed from sources on Debian 8). I've tested connect Android devices to my wifi network and everytime they can connect to >the network, but iOS devices have mysterious issues.
With PEAP you should *always* use Publicly recognised TLS/SSL certificates, preferably with a well-known CA source or one that your University supports. Also it should be at least 2048 bits and uses the SHA256 hash algorithm, SHA1 should be phased out. For example, we use JISC service which uses Quo Vadis CA. Do not use self-signed or internal CA certificates.
>When I try connect iOS device to my wifi in first time, they can connect perfectly. Though, if this same iOS device lost >connection (because it's out of range AP signal or air plane mode turn on by the user for 30 minutes or hours) and try connect >again the device doesn't connect. When I've saw the debug mode, I've noticed that EAP-PEAP tunnel athentication was successful >and server sent Access-Challenge, but device doesn't answer this challenge. I don't understand why the android devices doesn't >this issues.
> Maybe it's related to session resumption? Have you turned that off?
When switched between Aps, session resumption should be enabled to provide seemless connections.
The APS should be using the same SSIDs and
Peter Hutchison MCP
Senior Network Systems SpecialistS
S 01484 473716
Networks Team
University of Huddersfield | Queensgate | Huddersfield | HD1 3DH
University of Huddersfield inspiring tomorrow's professionals.
[http://marketing.hud.ac.uk/_HOSTED/EmailSig2014/EmailSigFooter.jpg]
This transmission is confidential and may be legally privileged. If you receive it in error, please notify us immediately by e-mail and remove it from your system. If the content of this e-mail does not relate to the business of the University of Huddersfield, then we do not endorse it and will accept no liability.
8
22
Hello.
This problem is not specifically of freeradius but maybe someone can help
me.
After a painful process I finally got my Freeradius 2.2.8 server to run
with only EAP-TLS authentication (my experience with freeradius is still
short). But I've found a problem: when I install ca and user certificates
in an antroid terminal all goes well first time i connect, but if I restart
the device, or even if I switch from a wifi conection to another, or i set
"forget" the conection, my device loses the certificates, so i have to
install it again in order to access the network, it happens me with various
devices of different models and brands, after i google it a little i've
found some people with the same problem, but no solution.
Could anyone help me with this issue? What is causing this behaviour?
Has anyone a succesfull experience with eap-tls and android devices?
Any help will be appretiated. Thanks in advance.
4
5
Re: RadPerf '-A delay,lifetime' arg does not copy the 'Calling-Station-Id' from Accept-Request
by Jay Cedrone (jcedrone) 24 Mar '17
by Jay Cedrone (jcedrone) 24 Mar '17
24 Mar '17
Do you have any information on how to have radperf send a calling station ID? Attribute 31.
Thanks a lot,
- Jay
1
0
Hi everyone,
Our (Red Hat) QA was testing the effect of this entry in 3.0.4 ChangeLog:
* Modify pairparsevalue to deal with embedded NULLs better,
and use the binary versions of attribute values in rlm_ldap.
They have noticed that binary LDAP values get truncated on embedded zero
characters (\0) in RADIUS replies, in radiusReplyMessage in particular.
I.e. for
radiusReplyMessage:: cmVwbHkgd2l0aCBhAGI=
The response output by radtest was
Reply-Message = 'reply with a'
The network capture also showed that RADIUS reply packets contained truncated
values. Is this intended, or was there a fix for this?
In related discoveries, it seems that backslashes get removed from LDAP
attribute values in RADIUS replies, so
radiusReplyMessage: reply with a\0b
becomes
Reply-Message = 'reply with a0b'
in radtest output.
Is this intended?
Thank you.
Nick
4
12
24 Mar '17
Hi,
Version:
FreeRADIUS Version 3.0.13
Copyright (C) 1999-2017 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
Some client sends value + \0 character at the end of the attribute
Calling-Station-Id (e.g. 421945411479\0 ).
I am trying to fix / workaround this issue via unlang (in pre-proxy
section):
update {
&proxy-request:Calling-Station-Id :=
"%{string:&proxy-request:Calling-Station-Id}"
}
Debug output:
update {
(0) EXPAND %{string:&proxy-request:Calling-Station-Id}
(0) --> 421945411479
(0) &proxy-request:Calling-Station-Id := 421945411479
(0) } # update = noop
Is it good approach ?
I have tried also fix it via following peace of unlang code (doesnt work):
if (&proxy-request:Calling-Station-Id && &proxy-request:Calling-Station-Id
=~ /([0-9]+)/) {
update {
&proxy-request:Calling-Station-Id := "%{0}"
}
}
Debug ouput:
if (&proxy-request:Calling-Station-Id && &proxy-request:Calling-Station-Id
=~ /([0-9]+)/) {
(0) ERROR: regex failed: Found null in subject at offset 12. String
unsafe for evaluation
(0) ERROR: Failed retrieving values required to evaluate condition
Could you please give me advice how to add \0 character at the end of the
attribute value, if i want to send (test request) via radclient ?
Thank you very much.
2
1
<quote author='Alan DeKok-2'>
On Mar 22, 2017, at 7:39 AM, Igor Sousa <igorvolt(a)gmail.com> wrote:
> PLEASE follow the instructions, and use "radiusd -X". Doing "-Xx" just
makes the debug output harder to read.
</quote>
Quoted from:
http://freeradius.1045715.n5.nabble.com/iOS-mysterious-issues-on-Freeradius…
I'm so sorry. I used use "radiusd -Xx" because I like see timestamp, but it
turns debug output harder to read and I agree with you. Now, I get two
debug's output where the first when Iphone can't connect to network and
second when I reboot the same Iphone and it can connect to the same network
(same AP device too).
PS: The certificate was generated during freeradius install. I think that
certificate isn't problem because tunneled authentication was successful
Glad to your help,
Igor Sousa
Debug outputs
IPHONE CANNOT CONNECT TO WIFI NETWORK
(19) Received Access-Request Id 0 from 10.41.17.64:1086 to 10.41.110.86:1812
length 210
(19) Message-Authenticator = 0xaff68abbae7d1c7ec3845b6e82d7820b
(19) Service-Type = Framed-User
(19) User-Name = "userTest"
(19) Framed-MTU = 1488
(19) Called-Station-Id = "40-01-C6-D8-5C-00:AAA-Teste"
(19) Calling-Station-Id = "4C-57-CA-E2-E9-8D"
(19) NAS-Identifier = "3Com Access Point 7760"
(19) NAS-Port-Type = Wireless-802.11
(19) Connect-Info = "CONNECT 54Mbps 802.11g"
(19) EAP-Message = 0x02000010013031383239353036333832
(19) NAS-IP-Address = 10.41.17.64
(19) NAS-Port = 1
(19) NAS-Port-Id = "STA port # 1"
(19) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(19) authorize {
(19) [preprocess] = ok
(19) eap: Peer sent EAP Response (code 2) ID 0 length 16
(19) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(19) [eap] = ok
(19) } # authorize = ok
(19) Found Auth-Type = eap
(19) # Executing group from file /etc/raddb/sites-enabled/default
(19) authenticate {
(19) eap: Peer sent packet with method EAP Identity (1)
(19) eap: Calling submodule eap_peap to process data
(19) eap_peap: Initiating new EAP-TLS session
(19) eap_peap: [eaptls start] = request
(19) eap: Sending EAP Request (code 1) ID 1 length 6
(19) eap: EAP session adding &reply:State = 0x82e4cb1b82e5d244
(19) [eap] = handled
(19) } # authenticate = handled
(19) Using Post-Auth-Type Challenge
(19) Post-Auth-Type sub-section not found. Ignoring.
(19) # Executing group from file /etc/raddb/sites-enabled/default
(19) Sent Access-Challenge Id 0 from 10.41.110.86:1812 to 10.41.17.64:1086
length 0
(19) EAP-Message = 0x010100061920
(19) Message-Authenticator = 0x00000000000000000000000000000000
(19) State = 0x82e4cb1b82e5d244ae1bb12a174a7e27
(19) Finished request
Waking up in 1.0 seconds.
(20) Received Access-Request Id 1 from 10.41.17.64:1086 to 10.41.110.86:1812
length 339
(20) Message-Authenticator = 0x06ed06a6edcefe165e317699f3ab93bf
(20) Service-Type = Framed-User
(20) User-Name = "userTest"
(20) Framed-MTU = 1488
(20) State = 0x82e4cb1b82e5d244ae1bb12a174a7e27
(20) Called-Station-Id = "40-01-C6-D8-5C-00:AAA-Teste"
(20) Calling-Station-Id = "4C-57-CA-E2-E9-8D"
(20) NAS-Identifier = "3Com Access Point 7760"
(20) NAS-Port-Type = Wireless-802.11
(20) Connect-Info = "CONNECT 54Mbps 802.11g"
(20) EAP-Message =
0x0201007f19800000007516030100700100006c030158d2b994740bc0e95df6bd9e51c89c348c9061a2001932506837a83a2b96e1f800002000ffc024c023c00ac009c008c028c027c014c013c012003d003c0035002f000a01000023000a00080006001700180019000b00020100000500050100000000
(20) NAS-IP-Address = 10.41.17.64
(20) NAS-Port = 1
(20) NAS-Port-Id = "STA port # 1"
(20) session-state: No cached attributes
(20) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(20) authorize {
(20) [preprocess] = ok
(20) eap: Peer sent EAP Response (code 2) ID 1 length 127
(20) eap: Continuing tunnel setup
(20) [eap] = ok
(20) } # authorize = ok
(20) Found Auth-Type = eap
(20) # Executing group from file /etc/raddb/sites-enabled/default
(20) authenticate {
(20) eap: Expiring EAP session with state 0xfaf55ea1f2e347c8
(20) eap: Finished EAP session with state 0x82e4cb1b82e5d244
(20) eap: Previous EAP request found for state 0x82e4cb1b82e5d244, released
from the list
(20) eap: Peer sent packet with method EAP PEAP (25)
(20) eap: Calling submodule eap_peap to process data
(20) eap_peap: Continuing EAP-TLS
(20) eap_peap: Peer indicated complete TLS record size will be 117 bytes
(20) eap_peap: Got complete TLS record (117 bytes)
(20) eap_peap: [eaptls verify] = length included
(20) eap_peap: (other): before SSL initialization
(20) eap_peap: TLS_accept: before SSL initialization
(20) eap_peap: TLS_accept: before SSL initialization
(20) eap_peap: <<< recv TLS 1.2 [length 0070]
(20) eap_peap: TLS_accept: SSLv3/TLS read client hello
(20) eap_peap: >>> send TLS 1.0 Handshake [length 005d], ServerHello
(20) eap_peap: TLS_accept: SSLv3/TLS write server hello
(20) eap_peap: >>> send TLS 1.0 Handshake [length 08d3], Certificate
(20) eap_peap: TLS_accept: SSLv3/TLS write certificate
(20) eap_peap: >>> send TLS 1.0 Handshake [length 014b], ServerKeyExchange
(20) eap_peap: TLS_accept: SSLv3/TLS write key exchange
(20) eap_peap: >>> send TLS 1.0 Handshake [length 0004], ServerHelloDone
(20) eap_peap: TLS_accept: SSLv3/TLS write server done
(20) eap_peap: TLS_accept: Need to read more data: SSLv3/TLS write server
done
(20) eap_peap: In SSL Handshake Phase
(20) eap_peap: In SSL Accept mode
(20) eap_peap: [eaptls process] = handled
(20) eap: Sending EAP Request (code 1) ID 2 length 1004
(20) eap: EAP session adding &reply:State = 0x82e4cb1b83e6d244
(20) [eap] = handled
(20) } # authenticate = handled
(20) Using Post-Auth-Type Challenge
(20) Post-Auth-Type sub-section not found. Ignoring.
(20) # Executing group from file /etc/raddb/sites-enabled/default
(20) Sent Access-Challenge Id 1 from 10.41.110.86:1812 to 10.41.17.64:1086
length 0
(20) EAP-Message =
0x010203ec19c000000a93160301005d02000059030137ff0e7945d630b967660ce9dfe075ed12322d81c073d418449d657776955cef20ad6b30ad91ec1d4a1cb29d7bcca8c64ffca1d37b284636e0af73a499a87943b5c014000011ff01000100000b0004030001020017000016030108d30b0008cf0008
(20) Message-Authenticator = 0x00000000000000000000000000000000
(20) State = 0x82e4cb1b83e6d244ae1bb12a174a7e27
(20) Finished request
Waking up in 1.0 seconds.
(21) Received Access-Request Id 2 from 10.41.17.64:1086 to 10.41.110.86:1812
length 218
(21) Message-Authenticator = 0x9e08ee72ba04c092cc95e8dc3c2b126d
(21) Service-Type = Framed-User
(21) User-Name = "userTest"
(21) Framed-MTU = 1488
(21) State = 0x82e4cb1b83e6d244ae1bb12a174a7e27
(21) Called-Station-Id = "40-01-C6-D8-5C-00:AAA-Teste"
(21) Calling-Station-Id = "4C-57-CA-E2-E9-8D"
(21) NAS-Identifier = "3Com Access Point 7760"
(21) NAS-Port-Type = Wireless-802.11
(21) Connect-Info = "CONNECT 54Mbps 802.11g"
(21) EAP-Message = 0x020200061900
(21) NAS-IP-Address = 10.41.17.64
(21) NAS-Port = 1
(21) NAS-Port-Id = "STA port # 1"
(21) session-state: No cached attributes
(21) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(21) authorize {
(21) [preprocess] = ok
(21) eap: Peer sent EAP Response (code 2) ID 2 length 6
(21) eap: Continuing tunnel setup
(21) [eap] = ok
(21) } # authorize = ok
(21) Found Auth-Type = eap
(21) # Executing group from file /etc/raddb/sites-enabled/default
(21) authenticate {
(21) eap: Expiring EAP session with state 0xfaf55ea1f2e347c8
(21) eap: Finished EAP session with state 0x82e4cb1b83e6d244
(21) eap: Previous EAP request found for state 0x82e4cb1b83e6d244, released
from the list
(21) eap: Peer sent packet with method EAP PEAP (25)
(21) eap: Calling submodule eap_peap to process data
(21) eap_peap: Continuing EAP-TLS
(21) eap_peap: Peer ACKed our handshake fragment
(21) eap_peap: [eaptls verify] = request
(21) eap_peap: [eaptls process] = handled
(21) eap: Sending EAP Request (code 1) ID 3 length 1000
(21) eap: EAP session adding &reply:State = 0x82e4cb1b80e7d244
(21) [eap] = handled
(21) } # authenticate = handled
(21) Using Post-Auth-Type Challenge
(21) Post-Auth-Type sub-section not found. Ignoring.
(21) # Executing group from file /etc/raddb/sites-enabled/default
(21) Sent Access-Challenge Id 2 from 10.41.110.86:1812 to 10.41.17.64:1086
length 0
(21) EAP-Message =
0x010303e81940b2c16fe1b0d484179f9cdaaba928edbe85ea947176542ea9646d2f16b8803f26bf43aa9d60ff2c5d4d9ec84c4c511d64d81b360765cd88159cbe3831e7f63102d7e95becbf76520288a093eefd7080eb3f1c6936e347b508b9916d3e4e10615ad52b4601565fedd7e976bdf1ec0004e830
(21) Message-Authenticator = 0x00000000000000000000000000000000
(21) State = 0x82e4cb1b80e7d244ae1bb12a174a7e27
(21) Finished request
Waking up in 1.0 seconds.
(22) Received Access-Request Id 3 from 10.41.17.64:1086 to 10.41.110.86:1812
length 218
(22) Message-Authenticator = 0x0e187ddb9e28534049f07abe7b3a792a
(22) Service-Type = Framed-User
(22) User-Name = "userTest"
(22) Framed-MTU = 1488
(22) State = 0x82e4cb1b80e7d244ae1bb12a174a7e27
(22) Called-Station-Id = "40-01-C6-D8-5C-00:AAA-Teste"
(22) Calling-Station-Id = "4C-57-CA-E2-E9-8D"
(22) NAS-Identifier = "3Com Access Point 7760"
(22) NAS-Port-Type = Wireless-802.11
(22) Connect-Info = "CONNECT 54Mbps 802.11g"
(22) EAP-Message = 0x020300061900
(22) NAS-IP-Address = 10.41.17.64
(22) NAS-Port = 1
(22) NAS-Port-Id = "STA port # 1"
(22) session-state: No cached attributes
(22) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(22) authorize {
(22) [preprocess] = ok
(22) eap: Peer sent EAP Response (code 2) ID 3 length 6
(22) eap: Continuing tunnel setup
(22) [eap] = ok
(22) } # authorize = ok
(22) Found Auth-Type = eap
(22) # Executing group from file /etc/raddb/sites-enabled/default
(22) authenticate {
(22) eap: Expiring EAP session with state 0xfaf55ea1f2e347c8
(22) eap: Finished EAP session with state 0x82e4cb1b80e7d244
(22) eap: Previous EAP request found for state 0x82e4cb1b80e7d244, released
from the list
(22) eap: Peer sent packet with method EAP PEAP (25)
(22) eap: Calling submodule eap_peap to process data
(22) eap_peap: Continuing EAP-TLS
(22) eap_peap: Peer ACKed our handshake fragment
(22) eap_peap: [eaptls verify] = request
(22) eap_peap: [eaptls process] = handled
(22) eap: Sending EAP Request (code 1) ID 4 length 725
(22) eap: EAP session adding &reply:State = 0x82e4cb1b81e0d244
(22) [eap] = handled
(22) } # authenticate = handled
(22) Using Post-Auth-Type Challenge
(22) Post-Auth-Type sub-section not found. Ignoring.
(22) # Executing group from file /etc/raddb/sites-enabled/default
(22) Sent Access-Challenge Id 3 from 10.41.110.86:1812 to 10.41.17.64:1086
length 0
(22) EAP-Message =
0x010402d519006361746520417574686f72697479820900f29e29fc64450db1300f0603551d130101ff040530030101ff30360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e6f72672f6578616d706c655f63612e63726c300d06092a864886f70d01010b0500
(22) Message-Authenticator = 0x00000000000000000000000000000000
(22) State = 0x82e4cb1b81e0d244ae1bb12a174a7e27
(22) Finished request
Waking up in 1.0 seconds.
(23) Received Access-Request Id 4 from 10.41.17.64:1086 to 10.41.110.86:1812
length 356
(23) Message-Authenticator = 0xc77ca6450207ee96bc701c3e80013fa2
(23) Service-Type = Framed-User
(23) User-Name = "userTest"
(23) Framed-MTU = 1488
(23) State = 0x82e4cb1b81e0d244ae1bb12a174a7e27
(23) Called-Station-Id = "40-01-C6-D8-5C-00:AAA-Teste"
(23) Calling-Station-Id = "4C-57-CA-E2-E9-8D"
(23) NAS-Identifier = "3Com Access Point 7760"
(23) NAS-Port-Type = Wireless-802.11
(23) Connect-Info = "CONNECT 54Mbps 802.11g"
(23) EAP-Message =
0x020400901980000000861603010046100000424104fc94c086c80412f32f419d7f1071bd4863294987aebe7139a5d92849080b9c602c5a61b8f8b8e65d7b8f08d5b4f75c942d77f7b0bfba1eb3c64cd9a4f24c9d4114030100010116030100304daead77f0532e3562ea1b4b112348d124a28151794774
(23) NAS-IP-Address = 10.41.17.64
(23) NAS-Port = 1
(23) NAS-Port-Id = "STA port # 1"
(23) session-state: No cached attributes
(23) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(23) authorize {
(23) [preprocess] = ok
(23) eap: Peer sent EAP Response (code 2) ID 4 length 144
(23) eap: Continuing tunnel setup
(23) [eap] = ok
(23) } # authorize = ok
(23) Found Auth-Type = eap
(23) # Executing group from file /etc/raddb/sites-enabled/default
(23) authenticate {
(23) eap: Expiring EAP session with state 0xfaf55ea1f2e347c8
(23) eap: Finished EAP session with state 0x82e4cb1b81e0d244
(23) eap: Previous EAP request found for state 0x82e4cb1b81e0d244, released
from the list
(23) eap: Peer sent packet with method EAP PEAP (25)
(23) eap: Calling submodule eap_peap to process data
(23) eap_peap: Continuing EAP-TLS
(23) eap_peap: Peer indicated complete TLS record size will be 134 bytes
(23) eap_peap: Got complete TLS record (134 bytes)
(23) eap_peap: [eaptls verify] = length included
(23) eap_peap: TLS_accept: SSLv3/TLS write server done
(23) eap_peap: <<< recv TLS 1.0 Handshake [length 0046], ClientKeyExchange
(23) eap_peap: TLS_accept: SSLv3/TLS read client key exchange
(23) eap_peap: TLS_accept: SSLv3/TLS read change cipher spec
(23) eap_peap: <<< recv TLS 1.0 Handshake [length 0010], Finished
(23) eap_peap: TLS_accept: SSLv3/TLS read finished
(23) eap_peap: >>> send TLS 1.0 ChangeCipherSpec [length 0001]
(23) eap_peap: TLS_accept: SSLv3/TLS write change cipher spec
(23) eap_peap: >>> send TLS 1.0 Handshake [length 0010], Finished
(23) eap_peap: TLS_accept: SSLv3/TLS write finished
(23) eap_peap: (other): SSL negotiation finished successfully
(23) eap_peap: SSL Connection Established
(23) eap_peap: [eaptls process] = handled
(23) eap: Sending EAP Request (code 1) ID 5 length 65
(23) eap: EAP session adding &reply:State = 0x82e4cb1b86e1d244
(23) [eap] = handled
(23) } # authenticate = handled
(23) Using Post-Auth-Type Challenge
(23) Post-Auth-Type sub-section not found. Ignoring.
(23) # Executing group from file /etc/raddb/sites-enabled/default
(23) Sent Access-Challenge Id 4 from 10.41.110.86:1812 to 10.41.17.64:1086
length 0
(23) EAP-Message =
0x010500411900140301000101160301003092e53f04b9660df09297508db8e8fb3b4ad05e7b6ae5ec5d0120facf25d35fd262b1706180c33f72e235b2c3f3724cd9
(23) Message-Authenticator = 0x00000000000000000000000000000000
(23) State = 0x82e4cb1b86e1d244ae1bb12a174a7e27
(23) Finished request
Waking up in 1.0 seconds.
(24) Received Access-Request Id 5 from 10.41.17.64:1086 to 10.41.110.86:1812
length 218
(24) Message-Authenticator = 0x7b0940b6625998f02f43527bb1725e77
(24) Service-Type = Framed-User
(24) User-Name = "userTest"
(24) Framed-MTU = 1488
(24) State = 0x82e4cb1b86e1d244ae1bb12a174a7e27
(24) Called-Station-Id = "40-01-C6-D8-5C-00:AAA-Teste"
(24) Calling-Station-Id = "4C-57-CA-E2-E9-8D"
(24) NAS-Identifier = "3Com Access Point 7760"
(24) NAS-Port-Type = Wireless-802.11
(24) Connect-Info = "CONNECT 54Mbps 802.11g"
(24) EAP-Message = 0x020500061900
(24) NAS-IP-Address = 10.41.17.64
(24) NAS-Port = 1
(24) NAS-Port-Id = "STA port # 1"
(24) session-state: No cached attributes
(24) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(24) authorize {
(24) [preprocess] = ok
(24) eap: Peer sent EAP Response (code 2) ID 5 length 6
(24) eap: Continuing tunnel setup
(24) [eap] = ok
(24) } # authorize = ok
(24) Found Auth-Type = eap
(24) # Executing group from file /etc/raddb/sites-enabled/default
(24) authenticate {
(24) eap: Expiring EAP session with state 0xfaf55ea1f2e347c8
(24) eap: Finished EAP session with state 0x82e4cb1b86e1d244
(24) eap: Previous EAP request found for state 0x82e4cb1b86e1d244, released
from the list
(24) eap: Peer sent packet with method EAP PEAP (25)
(24) eap: Calling submodule eap_peap to process data
(24) eap_peap: Continuing EAP-TLS
(24) eap_peap: Peer ACKed our handshake fragment. handshake is finished
(24) eap_peap: [eaptls verify] = success
(24) eap_peap: [eaptls process] = success
(24) eap_peap: Session established. Decoding tunneled attributes
(24) eap_peap: PEAP state TUNNEL ESTABLISHED
(24) eap: Sending EAP Request (code 1) ID 6 length 43
(24) eap: EAP session adding &reply:State = 0x82e4cb1b87e2d244
(24) [eap] = handled
(24) } # authenticate = handled
(24) Using Post-Auth-Type Challenge
(24) Post-Auth-Type sub-section not found. Ignoring.
(24) # Executing group from file /etc/raddb/sites-enabled/default
(24) Sent Access-Challenge Id 5 from 10.41.110.86:1812 to 10.41.17.64:1086
length 0
(24) EAP-Message =
0x0106002b19001703010020afa714d51b4477ae4fc0c892baab98cb04bd0762d895080477d237e60fdae1cb
(24) Message-Authenticator = 0x00000000000000000000000000000000
(24) State = 0x82e4cb1b87e2d244ae1bb12a174a7e27
(24) Finished request
Waking up in 0.9 seconds.
(25) Received Access-Request Id 6 from 10.41.17.64:1086 to 10.41.110.86:1812
length 271
(25) Message-Authenticator = 0xdec0a89429f16c15bc1dc8a9a9a272c1
(25) Service-Type = Framed-User
(25) User-Name = "userTest"
(25) Framed-MTU = 1488
(25) State = 0x82e4cb1b87e2d244ae1bb12a174a7e27
(25) Called-Station-Id = "40-01-C6-D8-5C-00:AAA-Teste"
(25) Calling-Station-Id = "4C-57-CA-E2-E9-8D"
(25) NAS-Identifier = "3Com Access Point 7760"
(25) NAS-Port-Type = Wireless-802.11
(25) Connect-Info = "CONNECT 54Mbps 802.11g"
(25) EAP-Message =
0x0206003b19001703010030657aea9089cf393fccfa7cce8b305fa7c1265fa8174415a9b45527c898b1b5178cb30fa0081511f2f971c4f46af30621
(25) NAS-IP-Address = 10.41.17.64
(25) NAS-Port = 1
(25) NAS-Port-Id = "STA port # 1"
(25) session-state: No cached attributes
(25) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(25) authorize {
(25) [preprocess] = ok
(25) eap: Peer sent EAP Response (code 2) ID 6 length 59
(25) eap: Continuing tunnel setup
(25) [eap] = ok
(25) } # authorize = ok
(25) Found Auth-Type = eap
(25) # Executing group from file /etc/raddb/sites-enabled/default
(25) authenticate {
(25) eap: Expiring EAP session with state 0xfaf55ea1f2e347c8
(25) eap: Finished EAP session with state 0x82e4cb1b87e2d244
(25) eap: Previous EAP request found for state 0x82e4cb1b87e2d244, released
from the list
(25) eap: Peer sent packet with method EAP PEAP (25)
(25) eap: Calling submodule eap_peap to process data
(25) eap_peap: Continuing EAP-TLS
(25) eap_peap: [eaptls verify] = ok
(25) eap_peap: Done initial handshake
(25) eap_peap: [eaptls process] = ok
(25) eap_peap: Session established. Decoding tunneled attributes
(25) eap_peap: PEAP state WAITING FOR INNER IDENTITY
(25) eap_peap: Identity - userTest
(25) eap_peap: Got inner identity 'userTest'
(25) eap_peap: Setting default EAP type for tunneled EAP session
(25) eap_peap: Got tunneled request
(25) eap_peap: EAP-Message = 0x02060010013031383239353036333832
(25) eap_peap: Setting User-Name to userTest
(25) eap_peap: Sending tunneled request to inner-tunnel
(25) eap_peap: EAP-Message = 0x02060010013031383239353036333832
(25) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(25) eap_peap: User-Name = "userTest"
(25) eap_peap: Service-Type = Framed-User
(25) eap_peap: Framed-MTU = 1488
(25) eap_peap: Called-Station-Id = "40-01-C6-D8-5C-00:AAA-Teste"
(25) eap_peap: Calling-Station-Id = "4C-57-CA-E2-E9-8D"
(25) eap_peap: NAS-Identifier = "3Com Access Point 7760"
(25) eap_peap: NAS-Port-Type = Wireless-802.11
(25) eap_peap: Connect-Info = "CONNECT 54Mbps 802.11g"
(25) eap_peap: NAS-IP-Address = 10.41.17.64
(25) eap_peap: NAS-Port = 1
(25) eap_peap: NAS-Port-Id = "STA port # 1"
(25) eap_peap: Event-Timestamp = "Mar 22 2017 14:51:08 -03"
(25) Virtual server inner-tunnel received request
(25) EAP-Message = 0x02060010013031383239353036333832
(25) FreeRADIUS-Proxied-To = 127.0.0.1
(25) User-Name = "userTest"
(25) Service-Type = Framed-User
(25) Framed-MTU = 1488
(25) Called-Station-Id = "40-01-C6-D8-5C-00:AAA-Teste"
(25) Calling-Station-Id = "4C-57-CA-E2-E9-8D"
(25) NAS-Identifier = "3Com Access Point 7760"
(25) NAS-Port-Type = Wireless-802.11
(25) Connect-Info = "CONNECT 54Mbps 802.11g"
(25) NAS-IP-Address = 10.41.17.64
(25) NAS-Port = 1
(25) NAS-Port-Id = "STA port # 1"
(25) Event-Timestamp = "Mar 22 2017 14:51:08 -03"
(25) WARNING: Outer and inner identities are the same. User privacy is
compromised.
(25) server inner-tunnel {
(25) # Executing section authorize from file
/etc/raddb/sites-enabled/inner-tunnel
(25) authorize {
(25) eap: Peer sent EAP Response (code 2) ID 6 length 16
(25) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(25) [eap] = ok
(25) } # authorize = ok
(25) Found Auth-Type = eap
(25) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(25) authenticate {
(25) eap: Peer sent packet with method EAP Identity (1)
(25) eap: Calling submodule eap_mschapv2 to process data
(25) eap_mschapv2: Issuing Challenge
(25) eap: Sending EAP Request (code 1) ID 7 length 43
(25) eap: EAP session adding &reply:State = 0xed05353eed022fbe
(25) [eap] = handled
(25) } # authenticate = handled
(25) } # server inner-tunnel
(25) Virtual server sending reply
(25) EAP-Message =
0x0107002b1a01070026109ac249a45bf691de7fc75a3feed0cb60667265657261646975732d332e302e3134
(25) Message-Authenticator = 0x00000000000000000000000000000000
(25) State = 0xed05353eed022fbe5b1d8e8a916c26a0
(25) eap_peap: Got tunneled reply code 11
(25) eap_peap: EAP-Message =
0x0107002b1a01070026109ac249a45bf691de7fc75a3feed0cb60667265657261646975732d332e302e3134
(25) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(25) eap_peap: State = 0xed05353eed022fbe5b1d8e8a916c26a0
(25) eap_peap: Got tunneled reply RADIUS code 11
(25) eap_peap: EAP-Message =
0x0107002b1a01070026109ac249a45bf691de7fc75a3feed0cb60667265657261646975732d332e302e3134
(25) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(25) eap_peap: State = 0xed05353eed022fbe5b1d8e8a916c26a0
(25) eap_peap: Got tunneled Access-Challenge
(25) eap: Sending EAP Request (code 1) ID 7 length 75
(25) eap: EAP session adding &reply:State = 0x82e4cb1b84e3d244
(25) [eap] = handled
(25) } # authenticate = handled
(25) Using Post-Auth-Type Challenge
(25) Post-Auth-Type sub-section not found. Ignoring.
(25) # Executing group from file /etc/raddb/sites-enabled/default
(25) Sent Access-Challenge Id 6 from 10.41.110.86:1812 to 10.41.17.64:1086
length 0
(25) EAP-Message =
0x0107004b190017030100400bebb44427586f4cbdcaad23463df25a067c4d45afc5e95fc61702ed797b15c868c9c4e14426bc4990166d0694dc72a2ba6e331ddf04fc1789e72561fe224c6d
(25) Message-Authenticator = 0x00000000000000000000000000000000
(25) State = 0x82e4cb1b84e3d244ae1bb12a174a7e27
(25) Finished request
Waking up in 0.9 seconds.
(26) Received Access-Request Id 7 from 10.41.17.64:1086 to 10.41.110.86:1812
length 319
(26) Message-Authenticator = 0x4840c791be0e158ada74c3f7a5b1becf
(26) Service-Type = Framed-User
(26) User-Name = "userTest"
(26) Framed-MTU = 1488
(26) State = 0x82e4cb1b84e3d244ae1bb12a174a7e27
(26) Called-Station-Id = "40-01-C6-D8-5C-00:AAA-Teste"
(26) Calling-Station-Id = "4C-57-CA-E2-E9-8D"
(26) NAS-Identifier = "3Com Access Point 7760"
(26) NAS-Port-Type = Wireless-802.11
(26) Connect-Info = "CONNECT 54Mbps 802.11g"
(26) EAP-Message =
0x0207006b190017030100601e8bbbaa319f1ffc13c3fe11332e7601429bf2a151d6c4d99d3f91e0a79b3b59bc57498e3bf95cdcf978ffd69c15bc6ad68251cc197b0acbc713895da4ea84bb9abc0de37ab3c81c6819b636dae5e12fca59c5704d52cae6fd568351fe2c06d8
(26) NAS-IP-Address = 10.41.17.64
(26) NAS-Port = 1
(26) NAS-Port-Id = "STA port # 1"
(26) session-state: No cached attributes
(26) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(26) authorize {
(26) [preprocess] = ok
(26) eap: Peer sent EAP Response (code 2) ID 7 length 107
(26) eap: Continuing tunnel setup
(26) [eap] = ok
(26) } # authorize = ok
(26) Found Auth-Type = eap
(26) # Executing group from file /etc/raddb/sites-enabled/default
(26) authenticate {
(26) eap: Expiring EAP session with state 0xfaf55ea1f2e347c8
(26) eap: Finished EAP session with state 0x82e4cb1b84e3d244
(26) eap: Previous EAP request found for state 0x82e4cb1b84e3d244, released
from the list
(26) eap: Peer sent packet with method EAP PEAP (25)
(26) eap: Calling submodule eap_peap to process data
(26) eap_peap: Continuing EAP-TLS
(26) eap_peap: [eaptls verify] = ok
(26) eap_peap: Done initial handshake
(26) eap_peap: [eaptls process] = ok
(26) eap_peap: Session established. Decoding tunneled attributes
(26) eap_peap: PEAP state phase2
(26) eap_peap: EAP method MSCHAPv2 (26)
(26) eap_peap: Got tunneled request
(26) eap_peap: EAP-Message =
0x020700461a02070041312878ab53f5a3bfc536df80a0cba47d180000000000000000613251667b283074a5abb46f3f3469403d8ba8a992319ef4003031383239353036333832
(26) eap_peap: Setting User-Name to userTest
(26) eap_peap: Sending tunneled request to inner-tunnel
(26) eap_peap: EAP-Message =
0x020700461a02070041312878ab53f5a3bfc536df80a0cba47d180000000000000000613251667b283074a5abb46f3f3469403d8ba8a992319ef4003031383239353036333832
(26) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(26) eap_peap: User-Name = "userTest"
(26) eap_peap: State = 0xed05353eed022fbe5b1d8e8a916c26a0
(26) eap_peap: Service-Type = Framed-User
(26) eap_peap: Framed-MTU = 1488
(26) eap_peap: Called-Station-Id = "40-01-C6-D8-5C-00:AAA-Teste"
(26) eap_peap: Calling-Station-Id = "4C-57-CA-E2-E9-8D"
(26) eap_peap: NAS-Identifier = "3Com Access Point 7760"
(26) eap_peap: NAS-Port-Type = Wireless-802.11
(26) eap_peap: Connect-Info = "CONNECT 54Mbps 802.11g"
(26) eap_peap: NAS-IP-Address = 10.41.17.64
(26) eap_peap: NAS-Port = 1
(26) eap_peap: NAS-Port-Id = "STA port # 1"
(26) eap_peap: Event-Timestamp = "Mar 22 2017 14:51:08 -03"
(26) Virtual server inner-tunnel received request
(26) EAP-Message =
0x020700461a02070041312878ab53f5a3bfc536df80a0cba47d180000000000000000613251667b283074a5abb46f3f3469403d8ba8a992319ef4003031383239353036333832
(26) FreeRADIUS-Proxied-To = 127.0.0.1
(26) User-Name = "userTest"
(26) State = 0xed05353eed022fbe5b1d8e8a916c26a0
(26) Service-Type = Framed-User
(26) Framed-MTU = 1488
(26) Called-Station-Id = "40-01-C6-D8-5C-00:AAA-Teste"
(26) Calling-Station-Id = "4C-57-CA-E2-E9-8D"
(26) NAS-Identifier = "3Com Access Point 7760"
(26) NAS-Port-Type = Wireless-802.11
(26) Connect-Info = "CONNECT 54Mbps 802.11g"
(26) NAS-IP-Address = 10.41.17.64
(26) NAS-Port = 1
(26) NAS-Port-Id = "STA port # 1"
(26) Event-Timestamp = "Mar 22 2017 14:51:08 -03"
(26) WARNING: Outer and inner identities are the same. User privacy is
compromised.
(26) server inner-tunnel {
(26) session-state: No cached attributes
(26) # Executing section authorize from file
/etc/raddb/sites-enabled/inner-tunnel
(26) authorize {
(26) eap: Peer sent EAP Response (code 2) ID 7 length 70
(26) eap: No EAP Start, assuming it's an on-going EAP conversation
(26) [eap] = updated
rlm_ldap (ldap): Reserved connection (4)
(26) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(26) ldap: --> (uid=userTest)
(26) ldap: Performing search in "ou=people,dc=test,dc=br" with filter
"(uid=userTest)", scope "sub"
(26) ldap: Waiting for search result...
(26) ldap: User object found at DN "uid=userTest,ou=people,dc=test,dc=br"
(26) ldap: Processing user attributes
(26) ldap: control:NT-Password :=
0x3145333941394139324632423038413045363942344435414441374535333332
rlm_ldap (ldap): Released connection (4)
Need 1 more connections to reach 10 spares
rlm_ldap (ldap): Opening additional connection (9), 1 of 23 pending slots
used
rlm_ldap (ldap): Connecting to ldap://10.0.0.2:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(26) [ldap] = updated
(26) [expiration] = noop
(26) [logintime] = noop
(26) pap: Normalizing NT-Password from hex encoding, 32 bytes -> 16 bytes
(26) pap: WARNING: Auth-Type already set. Not setting to PAP
(26) [pap] = noop
(26) } # authorize = updated
(26) Found Auth-Type = eap
(26) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(26) authenticate {
(26) eap: Expiring EAP session with state 0xfaf55ea1f2e347c8
(26) eap: Finished EAP session with state 0xed05353eed022fbe
(26) eap: Previous EAP request found for state 0xed05353eed022fbe, released
from the list
(26) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(26) eap: Calling submodule eap_mschapv2 to process data
(26) eap_mschapv2: # Executing group from file
/etc/raddb/sites-enabled/inner-tunnel
(26) eap_mschapv2: authenticate {
(26) mschap: Found NT-Password
(26) mschap: Creating challenge hash with username: userTest
(26) mschap: Client is using MS-CHAPv2
(26) mschap: Adding MS-CHAPv2 MPPE keys
(26) [mschap] = ok
(26) } # authenticate = ok
(26) MSCHAP Success
(26) eap: Sending EAP Request (code 1) ID 8 length 51
(26) eap: EAP session adding &reply:State = 0xed05353eec0d2fbe
(26) [eap] = handled
(26) } # authenticate = handled
(26) } # server inner-tunnel
(26) Virtual server sending reply
(26) EAP-Message =
0x010800331a0307002e533d38314538303844334446353432374642333142393841314444463533333238304435363930443534
(26) Message-Authenticator = 0x00000000000000000000000000000000
(26) State = 0xed05353eec0d2fbe5b1d8e8a916c26a0
(26) eap_peap: Got tunneled reply code 11
(26) eap_peap: EAP-Message =
0x010800331a0307002e533d38314538303844334446353432374642333142393841314444463533333238304435363930443534
(26) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(26) eap_peap: State = 0xed05353eec0d2fbe5b1d8e8a916c26a0
(26) eap_peap: Got tunneled reply RADIUS code 11
(26) eap_peap: EAP-Message =
0x010800331a0307002e533d38314538303844334446353432374642333142393841314444463533333238304435363930443534
(26) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(26) eap_peap: State = 0xed05353eec0d2fbe5b1d8e8a916c26a0
(26) eap_peap: Got tunneled Access-Challenge
(26) eap: Sending EAP Request (code 1) ID 8 length 91
(26) eap: EAP session adding &reply:State = 0x82e4cb1b85ecd244
(26) [eap] = handled
(26) } # authenticate = handled
(26) Using Post-Auth-Type Challenge
(26) Post-Auth-Type sub-section not found. Ignoring.
(26) # Executing group from file /etc/raddb/sites-enabled/default
(26) Sent Access-Challenge Id 7 from 10.41.110.86:1812 to 10.41.17.64:1086
length 0
(26) EAP-Message =
0x0108005b19001703010050bf2b1c25d323d4882835f598fcfe8da6173e706e4c1d66b36965789bb836b404e89b5b21fa01ea32c48497cc0de0c17c7d2e5197be5bb9e75fec85fc9d6dce20211bc026bc74a7724da41853c158244e
(26) Message-Authenticator = 0x00000000000000000000000000000000
(26) State = 0x82e4cb1b85ecd244ae1bb12a174a7e27
(26) Finished request
(17) Cleaning up request packet ID 20 with timestamp +10
Waking up in 1.8 seconds.
(27) Received Access-Request Id 8 from 10.41.17.64:1086 to 10.41.110.86:1812
length 255
(27) Message-Authenticator = 0xfa367a6fa8cf063157e227ebc3a6dc7c
(27) Service-Type = Framed-User
(27) User-Name = "userTest"
(27) Framed-MTU = 1488
(27) State = 0x82e4cb1b85ecd244ae1bb12a174a7e27
(27) Called-Station-Id = "40-01-C6-D8-5C-00:AAA-Teste"
(27) Calling-Station-Id = "4C-57-CA-E2-E9-8D"
(27) NAS-Identifier = "3Com Access Point 7760"
(27) NAS-Port-Type = Wireless-802.11
(27) Connect-Info = "CONNECT 54Mbps 802.11g"
(27) EAP-Message =
0x0208002b19001703010020051c0ad98ab4c77d2d4580c0e7e07c4055a8762345473a564dab19aafc402cb1
(27) NAS-IP-Address = 10.41.17.64
(27) NAS-Port = 1
(27) NAS-Port-Id = "STA port # 1"
(27) session-state: No cached attributes
(27) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(27) authorize {
(27) [preprocess] = ok
(27) eap: Peer sent EAP Response (code 2) ID 8 length 43
(27) eap: Continuing tunnel setup
(27) [eap] = ok
(27) } # authorize = ok
(27) Found Auth-Type = eap
(27) # Executing group from file /etc/raddb/sites-enabled/default
(27) authenticate {
(27) eap: Expiring EAP session with state 0xfaf55ea1f2e347c8
(27) eap: Finished EAP session with state 0x82e4cb1b85ecd244
(27) eap: Previous EAP request found for state 0x82e4cb1b85ecd244, released
from the list
(27) eap: Peer sent packet with method EAP PEAP (25)
(27) eap: Calling submodule eap_peap to process data
(27) eap_peap: Continuing EAP-TLS
(27) eap_peap: [eaptls verify] = ok
(27) eap_peap: Done initial handshake
(27) eap_peap: [eaptls process] = ok
(27) eap_peap: Session established. Decoding tunneled attributes
(27) eap_peap: PEAP state phase2
(27) eap_peap: EAP method MSCHAPv2 (26)
(27) eap_peap: Got tunneled request
(27) eap_peap: EAP-Message = 0x020800061a03
(27) eap_peap: Setting User-Name to userTest
(27) eap_peap: Sending tunneled request to inner-tunnel
(27) eap_peap: EAP-Message = 0x020800061a03
(27) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(27) eap_peap: User-Name = "userTest"
(27) eap_peap: State = 0xed05353eec0d2fbe5b1d8e8a916c26a0
(27) eap_peap: Service-Type = Framed-User
(27) eap_peap: Framed-MTU = 1488
(27) eap_peap: Called-Station-Id = "40-01-C6-D8-5C-00:AAA-Teste"
(27) eap_peap: Calling-Station-Id = "4C-57-CA-E2-E9-8D"
(27) eap_peap: NAS-Identifier = "3Com Access Point 7760"
(27) eap_peap: NAS-Port-Type = Wireless-802.11
(27) eap_peap: Connect-Info = "CONNECT 54Mbps 802.11g"
(27) eap_peap: NAS-IP-Address = 10.41.17.64
(27) eap_peap: NAS-Port = 1
(27) eap_peap: NAS-Port-Id = "STA port # 1"
(27) eap_peap: Event-Timestamp = "Mar 22 2017 14:51:12 -03"
(27) Virtual server inner-tunnel received request
(27) EAP-Message = 0x020800061a03
(27) FreeRADIUS-Proxied-To = 127.0.0.1
(27) User-Name = "userTest"
(27) State = 0xed05353eec0d2fbe5b1d8e8a916c26a0
(27) Service-Type = Framed-User
(27) Framed-MTU = 1488
(27) Called-Station-Id = "40-01-C6-D8-5C-00:AAA-Teste"
(27) Calling-Station-Id = "4C-57-CA-E2-E9-8D"
(27) NAS-Identifier = "3Com Access Point 7760"
(27) NAS-Port-Type = Wireless-802.11
(27) Connect-Info = "CONNECT 54Mbps 802.11g"
(27) NAS-IP-Address = 10.41.17.64
(27) NAS-Port = 1
(27) NAS-Port-Id = "STA port # 1"
(27) Event-Timestamp = "Mar 22 2017 14:51:12 -03"
(27) WARNING: Outer and inner identities are the same. User privacy is
compromised.
(27) server inner-tunnel {
(27) session-state: No cached attributes
(27) # Executing section authorize from file
/etc/raddb/sites-enabled/inner-tunnel
(27) authorize {
(27) eap: Peer sent EAP Response (code 2) ID 8 length 6
(27) eap: No EAP Start, assuming it's an on-going EAP conversation
(27) [eap] = updated
rlm_ldap (ldap): Reserved connection (0)
(27) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(27) ldap: --> (uid=userTest)
(27) ldap: Performing search in "ou=people,dc=test,dc=br" with filter
"(uid=userTest)", scope "sub"
(27) ldap: Waiting for search result...
(27) ldap: User object found at DN "uid=userTest,ou=people,dc=test,dc=br"
(27) ldap: Processing user attributes
(27) ldap: control:NT-Password :=
0x3145333941394139324632423038413045363942344435414441374535333332
rlm_ldap (ldap): Released connection (0)
(27) [ldap] = updated
(27) [expiration] = noop
(27) [logintime] = noop
(27) pap: Normalizing NT-Password from hex encoding, 32 bytes -> 16 bytes
(27) pap: WARNING: Auth-Type already set. Not setting to PAP
(27) [pap] = noop
(27) } # authorize = updated
(27) Found Auth-Type = eap
(27) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(27) authenticate {
(27) eap: Expiring EAP session with state 0xfaf55ea1f2e347c8
(27) eap: Finished EAP session with state 0xed05353eec0d2fbe
(27) eap: Previous EAP request found for state 0xed05353eec0d2fbe, released
from the list
(27) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(27) eap: Calling submodule eap_mschapv2 to process data
(27) eap: Sending EAP Success (code 3) ID 8 length 4
(27) eap: Freeing handler
(27) [eap] = ok
(27) } # authenticate = ok
(27) # Executing section post-auth from file
/etc/raddb/sites-enabled/inner-tunnel
(27) post-auth { ... } # empty sub-section is ignored
(27) } # server inner-tunnel
(27) Virtual server sending reply
(27) MS-MPPE-Encryption-Policy = Encryption-Allowed
(27) MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(27) MS-MPPE-Send-Key = 0x9753abfe82235c4216a0c1a4a959646f
(27) MS-MPPE-Recv-Key = 0x757fbfa227358f8e820817a60ccf472c
(27) EAP-Message = 0x03080004
(27) Message-Authenticator = 0x00000000000000000000000000000000
(27) User-Name = "userTest"
(27) eap_peap: Got tunneled reply code 2
(27) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed
(27) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(27) eap_peap: MS-MPPE-Send-Key = 0x9753abfe82235c4216a0c1a4a959646f
(27) eap_peap: MS-MPPE-Recv-Key = 0x757fbfa227358f8e820817a60ccf472c
(27) eap_peap: EAP-Message = 0x03080004
(27) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(27) eap_peap: User-Name = "userTest"
(27) eap_peap: Got tunneled reply RADIUS code 2
(27) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed
(27) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(27) eap_peap: MS-MPPE-Send-Key = 0x9753abfe82235c4216a0c1a4a959646f
(27) eap_peap: MS-MPPE-Recv-Key = 0x757fbfa227358f8e820817a60ccf472c
(27) eap_peap: EAP-Message = 0x03080004
(27) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(27) eap_peap: User-Name = "userTest"
(27) eap_peap: Tunneled authentication was successful
(27) eap_peap: SUCCESS
(27) eap_peap: Saving tunneled attributes for later
(27) eap: Sending EAP Request (code 1) ID 9 length 43
(27) eap: EAP session adding &reply:State = 0x82e4cb1b8aedd244
(27) [eap] = handled
(27) } # authenticate = handled
(27) Using Post-Auth-Type Challenge
(27) Post-Auth-Type sub-section not found. Ignoring.
(27) # Executing group from file /etc/raddb/sites-enabled/default
(27) Sent Access-Challenge Id 8 from 10.41.110.86:1812 to 10.41.17.64:1086
length 0
(27) EAP-Message =
0x0109002b190017030100207a38b4c9aef9e5676a7616149de4a7c75be717b173d6106d60fe592bedcf7088
(27) Message-Authenticator = 0x00000000000000000000000000000000
(27) State = 0x82e4cb1b8aedd244ae1bb12a174a7e27
(27) Finished request
(19) Cleaning up request packet ID 0 with timestamp +22
(20) Cleaning up request packet ID 1 with timestamp +22
(21) Cleaning up request packet ID 2 with timestamp +22
(22) Cleaning up request packet ID 3 with timestamp +22
(23) Cleaning up request packet ID 4 with timestamp +22
(24) Cleaning up request packet ID 5 with timestamp +22
(25) Cleaning up request packet ID 6 with timestamp +22
Waking up in 4.9 seconds.
(27) Cleaning up request packet ID 8 with timestamp +26
Waking up in 1.8 seconds.
(26) Cleaning up request packet ID 7 with timestamp +22
Ready to process requests
=================================
IPHONE CAN CONNECT TO THE WIFI NETWORK
OBS: I ran again "radiusd -X" to clear and understand where is the first
request, but Iphone can connect everytime when I rebooted it.
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on proxy address * port 44713
Listening on proxy address :: port 42886
Ready to process requests
(0) Received Access-Request Id 0 from 10.41.17.64:1090 to 10.41.110.86:1812
length 210
(0) Message-Authenticator = 0xdcad4806f8bc8cf27df0bfcbcabb5c3f
(0) Service-Type = Framed-User
(0) User-Name = "userTest"
(0) Framed-MTU = 1488
(0) Called-Station-Id = "40-01-C6-D8-5C-00:AAA-Teste"
(0) Calling-Station-Id = "4C-57-CA-E2-E9-8D"
(0) NAS-Identifier = "3Com Access Point 7760"
(0) NAS-Port-Type = Wireless-802.11
(0) Connect-Info = "CONNECT 54Mbps 802.11g"
(0) EAP-Message = 0x02000010013031383239353036333832
(0) NAS-IP-Address = 10.41.17.64
(0) NAS-Port = 1
(0) NAS-Port-Id = "STA port # 1"
(0) # Executing section authorize from file /etc/raddb/sites-enabled/default
(0) authorize {
(0) [preprocess] = ok
(0) eap: Peer sent EAP Response (code 2) ID 0 length 16
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(0) [eap] = ok
(0) } # authorize = ok
(0) Found Auth-Type = eap
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0) authenticate {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_peap to process data
(0) eap_peap: Initiating new EAP-TLS session
(0) eap_peap: Flushing SSL sessions (of #0)
(0) eap_peap: [eaptls start] = request
(0) eap: Sending EAP Request (code 1) ID 1 length 6
(0) eap: EAP session adding &reply:State = 0x4f424a324f4353ce
(0) [eap] = handled
(0) } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) Post-Auth-Type sub-section not found. Ignoring.
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0) Sent Access-Challenge Id 0 from 10.41.110.86:1812 to 10.41.17.64:1090
length 0
(0) EAP-Message = 0x010100061920
(0) Message-Authenticator = 0x00000000000000000000000000000000
(0) State = 0x4f424a324f4353ce43a0ba7c4354ed56
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 1 from 10.41.17.64:1090 to 10.41.110.86:1812
length 339
(1) Message-Authenticator = 0xdea1c2b48107147dddcaaddb6be770f0
(1) Service-Type = Framed-User
(1) User-Name = "userTest"
(1) Framed-MTU = 1488
(1) State = 0x4f424a324f4353ce43a0ba7c4354ed56
(1) Called-Station-Id = "40-01-C6-D8-5C-00:AAA-Teste"
(1) Calling-Station-Id = "4C-57-CA-E2-E9-8D"
(1) NAS-Identifier = "3Com Access Point 7760"
(1) NAS-Port-Type = Wireless-802.11
(1) Connect-Info = "CONNECT 54Mbps 802.11g"
(1) EAP-Message =
0x0201007f19800000007516030100700100006c030158d2baf622703ad19984e484f38f9c0ff088678cca0370b25a5e56693df17d4a00002000ffc024c023c00ac009c008c028c027c014c013c012003d003c0035002f000a01000023000a00080006001700180019000b00020100000500050100000000
(1) NAS-IP-Address = 10.41.17.64
(1) NAS-Port = 1
(1) NAS-Port-Id = "STA port # 1"
(1) session-state: No cached attributes
(1) # Executing section authorize from file /etc/raddb/sites-enabled/default
(1) authorize {
(1) [preprocess] = ok
(1) eap: Peer sent EAP Response (code 2) ID 1 length 127
(1) eap: Continuing tunnel setup
(1) [eap] = ok
(1) } # authorize = ok
(1) Found Auth-Type = eap
(1) # Executing group from file /etc/raddb/sites-enabled/default
(1) authenticate {
(1) eap: Expiring EAP session with state 0x4f424a324f4353ce
(1) eap: Finished EAP session with state 0x4f424a324f4353ce
(1) eap: Previous EAP request found for state 0x4f424a324f4353ce, released
from the list
(1) eap: Peer sent packet with method EAP PEAP (25)
(1) eap: Calling submodule eap_peap to process data
(1) eap_peap: Continuing EAP-TLS
(1) eap_peap: Peer indicated complete TLS record size will be 117 bytes
(1) eap_peap: Got complete TLS record (117 bytes)
(1) eap_peap: [eaptls verify] = length included
(1) eap_peap: (other): before SSL initialization
(1) eap_peap: TLS_accept: before SSL initialization
(1) eap_peap: TLS_accept: before SSL initialization
(1) eap_peap: <<< recv TLS 1.2 [length 0070]
(1) eap_peap: TLS_accept: SSLv3/TLS read client hello
(1) eap_peap: >>> send TLS 1.0 Handshake [length 005d], ServerHello
(1) eap_peap: TLS_accept: SSLv3/TLS write server hello
(1) eap_peap: >>> send TLS 1.0 Handshake [length 08d3], Certificate
(1) eap_peap: TLS_accept: SSLv3/TLS write certificate
(1) eap_peap: >>> send TLS 1.0 Handshake [length 014b], ServerKeyExchange
(1) eap_peap: TLS_accept: SSLv3/TLS write key exchange
(1) eap_peap: >>> send TLS 1.0 Handshake [length 0004], ServerHelloDone
(1) eap_peap: TLS_accept: SSLv3/TLS write server done
(1) eap_peap: TLS_accept: Need to read more data: SSLv3/TLS write server
done
(1) eap_peap: In SSL Handshake Phase
(1) eap_peap: In SSL Accept mode
(1) eap_peap: [eaptls process] = handled
(1) eap: Sending EAP Request (code 1) ID 2 length 1004
(1) eap: EAP session adding &reply:State = 0x4f424a324e4053ce
(1) [eap] = handled
(1) } # authenticate = handled
(1) Using Post-Auth-Type Challenge
(1) Post-Auth-Type sub-section not found. Ignoring.
(1) # Executing group from file /etc/raddb/sites-enabled/default
(1) Sent Access-Challenge Id 1 from 10.41.110.86:1812 to 10.41.17.64:1090
length 0
(1) EAP-Message =
0x010203ec19c000000a93160301005d020000590301a36dd518f829f99eb9d0363fe456ae7cb1723abe53d9b74ce635ba187578a6122069bc2cddecdc894b088e0f0e198964b4b15264826ce476af949a2aeabbc4a531c014000011ff01000100000b0004030001020017000016030108d30b0008cf0008
(1) Message-Authenticator = 0x00000000000000000000000000000000
(1) State = 0x4f424a324e4053ce43a0ba7c4354ed56
(1) Finished request
Waking up in 4.9 seconds.
(2) Received Access-Request Id 2 from 10.41.17.64:1090 to 10.41.110.86:1812
length 218
(2) Message-Authenticator = 0x708523ad3b241d8cb3cd6109c2210206
(2) Service-Type = Framed-User
(2) User-Name = "userTest"
(2) Framed-MTU = 1488
(2) State = 0x4f424a324e4053ce43a0ba7c4354ed56
(2) Called-Station-Id = "40-01-C6-D8-5C-00:AAA-Teste"
(2) Calling-Station-Id = "4C-57-CA-E2-E9-8D"
(2) NAS-Identifier = "3Com Access Point 7760"
(2) NAS-Port-Type = Wireless-802.11
(2) Connect-Info = "CONNECT 54Mbps 802.11g"
(2) EAP-Message = 0x020200061900
(2) NAS-IP-Address = 10.41.17.64
(2) NAS-Port = 1
(2) NAS-Port-Id = "STA port # 1"
(2) session-state: No cached attributes
(2) # Executing section authorize from file /etc/raddb/sites-enabled/default
(2) authorize {
(2) [preprocess] = ok
(2) eap: Peer sent EAP Response (code 2) ID 2 length 6
(2) eap: Continuing tunnel setup
(2) [eap] = ok
(2) } # authorize = ok
(2) Found Auth-Type = eap
(2) # Executing group from file /etc/raddb/sites-enabled/default
(2) authenticate {
(2) eap: Expiring EAP session with state 0x4f424a324e4053ce
(2) eap: Finished EAP session with state 0x4f424a324e4053ce
(2) eap: Previous EAP request found for state 0x4f424a324e4053ce, released
from the list
(2) eap: Peer sent packet with method EAP PEAP (25)
(2) eap: Calling submodule eap_peap to process data
(2) eap_peap: Continuing EAP-TLS
(2) eap_peap: Peer ACKed our handshake fragment
(2) eap_peap: [eaptls verify] = request
(2) eap_peap: [eaptls process] = handled
(2) eap: Sending EAP Request (code 1) ID 3 length 1000
(2) eap: EAP session adding &reply:State = 0x4f424a324d4153ce
(2) [eap] = handled
(2) } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) Post-Auth-Type sub-section not found. Ignoring.
(2) # Executing group from file /etc/raddb/sites-enabled/default
(2) Sent Access-Challenge Id 2 from 10.41.110.86:1812 to 10.41.17.64:1090
length 0
(2) EAP-Message =
0x010303e81940b2c16fe1b0d484179f9cdaaba928edbe85ea947176542ea9646d2f16b8803f26bf43aa9d60ff2c5d4d9ec84c4c511d64d81b360765cd88159cbe3831e7f63102d7e95becbf76520288a093eefd7080eb3f1c6936e347b508b9916d3e4e10615ad52b4601565fedd7e976bdf1ec0004e830
(2) Message-Authenticator = 0x00000000000000000000000000000000
(2) State = 0x4f424a324d4153ce43a0ba7c4354ed56
(2) Finished request
Waking up in 4.9 seconds.
(3) Received Access-Request Id 3 from 10.41.17.64:1090 to 10.41.110.86:1812
length 218
(3) Message-Authenticator = 0x694b1490f6e3cd21dfc9199ca65ad6bb
(3) Service-Type = Framed-User
(3) User-Name = "userTest"
(3) Framed-MTU = 1488
(3) State = 0x4f424a324d4153ce43a0ba7c4354ed56
(3) Called-Station-Id = "40-01-C6-D8-5C-00:AAA-Teste"
(3) Calling-Station-Id = "4C-57-CA-E2-E9-8D"
(3) NAS-Identifier = "3Com Access Point 7760"
(3) NAS-Port-Type = Wireless-802.11
(3) Connect-Info = "CONNECT 54Mbps 802.11g"
(3) EAP-Message = 0x020300061900
(3) NAS-IP-Address = 10.41.17.64
(3) NAS-Port = 1
(3) NAS-Port-Id = "STA port # 1"
(3) session-state: No cached attributes
(3) # Executing section authorize from file /etc/raddb/sites-enabled/default
(3) authorize {
(3) [preprocess] = ok
(3) eap: Peer sent EAP Response (code 2) ID 3 length 6
(3) eap: Continuing tunnel setup
(3) [eap] = ok
(3) } # authorize = ok
(3) Found Auth-Type = eap
(3) # Executing group from file /etc/raddb/sites-enabled/default
(3) authenticate {
(3) eap: Expiring EAP session with state 0x4f424a324d4153ce
(3) eap: Finished EAP session with state 0x4f424a324d4153ce
(3) eap: Previous EAP request found for state 0x4f424a324d4153ce, released
from the list
(3) eap: Peer sent packet with method EAP PEAP (25)
(3) eap: Calling submodule eap_peap to process data
(3) eap_peap: Continuing EAP-TLS
(3) eap_peap: Peer ACKed our handshake fragment
(3) eap_peap: [eaptls verify] = request
(3) eap_peap: [eaptls process] = handled
(3) eap: Sending EAP Request (code 1) ID 4 length 725
(3) eap: EAP session adding &reply:State = 0x4f424a324c4653ce
(3) [eap] = handled
(3) } # authenticate = handled
(3) Using Post-Auth-Type Challenge
(3) Post-Auth-Type sub-section not found. Ignoring.
(3) # Executing group from file /etc/raddb/sites-enabled/default
(3) Sent Access-Challenge Id 3 from 10.41.110.86:1812 to 10.41.17.64:1090
length 0
(3) EAP-Message =
0x010402d519006361746520417574686f72697479820900f29e29fc64450db1300f0603551d130101ff040530030101ff30360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e6f72672f6578616d706c655f63612e63726c300d06092a864886f70d01010b0500
(3) Message-Authenticator = 0x00000000000000000000000000000000
(3) State = 0x4f424a324c4653ce43a0ba7c4354ed56
(3) Finished request
Waking up in 4.8 seconds.
(4) Received Access-Request Id 4 from 10.41.17.64:1090 to 10.41.110.86:1812
length 356
(4) Message-Authenticator = 0x78b058e28b654994f016c8e6d6856262
(4) Service-Type = Framed-User
(4) User-Name = "userTest"
(4) Framed-MTU = 1488
(4) State = 0x4f424a324c4653ce43a0ba7c4354ed56
(4) Called-Station-Id = "40-01-C6-D8-5C-00:AAA-Teste"
(4) Calling-Station-Id = "4C-57-CA-E2-E9-8D"
(4) NAS-Identifier = "3Com Access Point 7760"
(4) NAS-Port-Type = Wireless-802.11
(4) Connect-Info = "CONNECT 54Mbps 802.11g"
(4) EAP-Message =
0x020400901980000000861603010046100000424104343bd0b5232f0b5e71d7c23886a9010adf7356a99fd44cc2cd7f07bf38ff2cc3c22b73845842ed44f3b0a7537745ab07ff8a5adf41d4580e95f2c49e45d7fdf5140301000101160301003094eb3ac531aaff7dc61a1544092a6491d5bd260cea28aa
(4) NAS-IP-Address = 10.41.17.64
(4) NAS-Port = 1
(4) NAS-Port-Id = "STA port # 1"
(4) session-state: No cached attributes
(4) # Executing section authorize from file /etc/raddb/sites-enabled/default
(4) authorize {
(4) [preprocess] = ok
(4) eap: Peer sent EAP Response (code 2) ID 4 length 144
(4) eap: Continuing tunnel setup
(4) [eap] = ok
(4) } # authorize = ok
(4) Found Auth-Type = eap
(4) # Executing group from file /etc/raddb/sites-enabled/default
(4) authenticate {
(4) eap: Expiring EAP session with state 0x4f424a324c4653ce
(4) eap: Finished EAP session with state 0x4f424a324c4653ce
(4) eap: Previous EAP request found for state 0x4f424a324c4653ce, released
from the list
(4) eap: Peer sent packet with method EAP PEAP (25)
(4) eap: Calling submodule eap_peap to process data
(4) eap_peap: Continuing EAP-TLS
(4) eap_peap: Peer indicated complete TLS record size will be 134 bytes
(4) eap_peap: Got complete TLS record (134 bytes)
(4) eap_peap: [eaptls verify] = length included
(4) eap_peap: TLS_accept: SSLv3/TLS write server done
(4) eap_peap: <<< recv TLS 1.0 Handshake [length 0046], ClientKeyExchange
(4) eap_peap: TLS_accept: SSLv3/TLS read client key exchange
(4) eap_peap: TLS_accept: SSLv3/TLS read change cipher spec
(4) eap_peap: <<< recv TLS 1.0 Handshake [length 0010], Finished
(4) eap_peap: TLS_accept: SSLv3/TLS read finished
(4) eap_peap: >>> send TLS 1.0 ChangeCipherSpec [length 0001]
(4) eap_peap: TLS_accept: SSLv3/TLS write change cipher spec
(4) eap_peap: >>> send TLS 1.0 Handshake [length 0010], Finished
(4) eap_peap: TLS_accept: SSLv3/TLS write finished
(4) eap_peap: (other): SSL negotiation finished successfully
(4) eap_peap: SSL Connection Established
(4) eap_peap: [eaptls process] = handled
(4) eap: Sending EAP Request (code 1) ID 5 length 65
(4) eap: EAP session adding &reply:State = 0x4f424a324b4753ce
(4) [eap] = handled
(4) } # authenticate = handled
(4) Using Post-Auth-Type Challenge
(4) Post-Auth-Type sub-section not found. Ignoring.
(4) # Executing group from file /etc/raddb/sites-enabled/default
(4) Sent Access-Challenge Id 4 from 10.41.110.86:1812 to 10.41.17.64:1090
length 0
(4) EAP-Message =
0x01050041190014030100010116030100305ebd2608873fda32398dd285b4a181b94f12bc58d9f201e22d6dbdb53d406a52ca38c60ba0c717896b1a8901ef563f22
(4) Message-Authenticator = 0x00000000000000000000000000000000
(4) State = 0x4f424a324b4753ce43a0ba7c4354ed56
(4) Finished request
Waking up in 4.8 seconds.
(5) Received Access-Request Id 5 from 10.41.17.64:1090 to 10.41.110.86:1812
length 218
(5) Message-Authenticator = 0x5db7e290140e326df8eab08383d2e765
(5) Service-Type = Framed-User
(5) User-Name = "userTest"
(5) Framed-MTU = 1488
(5) State = 0x4f424a324b4753ce43a0ba7c4354ed56
(5) Called-Station-Id = "40-01-C6-D8-5C-00:AAA-Teste"
(5) Calling-Station-Id = "4C-57-CA-E2-E9-8D"
(5) NAS-Identifier = "3Com Access Point 7760"
(5) NAS-Port-Type = Wireless-802.11
(5) Connect-Info = "CONNECT 54Mbps 802.11g"
(5) EAP-Message = 0x020500061900
(5) NAS-IP-Address = 10.41.17.64
(5) NAS-Port = 1
(5) NAS-Port-Id = "STA port # 1"
(5) session-state: No cached attributes
(5) # Executing section authorize from file /etc/raddb/sites-enabled/default
(5) authorize {
(5) [preprocess] = ok
(5) eap: Peer sent EAP Response (code 2) ID 5 length 6
(5) eap: Continuing tunnel setup
(5) [eap] = ok
(5) } # authorize = ok
(5) Found Auth-Type = eap
(5) # Executing group from file /etc/raddb/sites-enabled/default
(5) authenticate {
(5) eap: Expiring EAP session with state 0x4f424a324b4753ce
(5) eap: Finished EAP session with state 0x4f424a324b4753ce
(5) eap: Previous EAP request found for state 0x4f424a324b4753ce, released
from the list
(5) eap: Peer sent packet with method EAP PEAP (25)
(5) eap: Calling submodule eap_peap to process data
(5) eap_peap: Continuing EAP-TLS
(5) eap_peap: Peer ACKed our handshake fragment. handshake is finished
(5) eap_peap: [eaptls verify] = success
(5) eap_peap: [eaptls process] = success
(5) eap_peap: Session established. Decoding tunneled attributes
(5) eap_peap: PEAP state TUNNEL ESTABLISHED
(5) eap: Sending EAP Request (code 1) ID 6 length 43
(5) eap: EAP session adding &reply:State = 0x4f424a324a4453ce
(5) [eap] = handled
(5) } # authenticate = handled
(5) Using Post-Auth-Type Challenge
(5) Post-Auth-Type sub-section not found. Ignoring.
(5) # Executing group from file /etc/raddb/sites-enabled/default
(5) Sent Access-Challenge Id 5 from 10.41.110.86:1812 to 10.41.17.64:1090
length 0
(5) EAP-Message =
0x0106002b190017030100204fbeb67ecdd80f0d14c8533df8a2921cf85689339ba802443fbb7b4143c6e638
(5) Message-Authenticator = 0x00000000000000000000000000000000
(5) State = 0x4f424a324a4453ce43a0ba7c4354ed56
(5) Finished request
Waking up in 4.8 seconds.
(6) Received Access-Request Id 6 from 10.41.17.64:1090 to 10.41.110.86:1812
length 271
(6) Message-Authenticator = 0xe7b6266a72b2b6fc9b8f7c67f8405d94
(6) Service-Type = Framed-User
(6) User-Name = "userTest"
(6) Framed-MTU = 1488
(6) State = 0x4f424a324a4453ce43a0ba7c4354ed56
(6) Called-Station-Id = "40-01-C6-D8-5C-00:AAA-Teste"
(6) Calling-Station-Id = "4C-57-CA-E2-E9-8D"
(6) NAS-Identifier = "3Com Access Point 7760"
(6) NAS-Port-Type = Wireless-802.11
(6) Connect-Info = "CONNECT 54Mbps 802.11g"
(6) EAP-Message =
0x0206003b19001703010030b1075bb4e12c13ae0e337bfca6841195aa45827fac9d354863e7706d5e066c1de365265b054e4374f86d3cd8ad7f0a14
(6) NAS-IP-Address = 10.41.17.64
(6) NAS-Port = 1
(6) NAS-Port-Id = "STA port # 1"
(6) session-state: No cached attributes
(6) # Executing section authorize from file /etc/raddb/sites-enabled/default
(6) authorize {
(6) [preprocess] = ok
(6) eap: Peer sent EAP Response (code 2) ID 6 length 59
(6) eap: Continuing tunnel setup
(6) [eap] = ok
(6) } # authorize = ok
(6) Found Auth-Type = eap
(6) # Executing group from file /etc/raddb/sites-enabled/default
(6) authenticate {
(6) eap: Expiring EAP session with state 0x4f424a324a4453ce
(6) eap: Finished EAP session with state 0x4f424a324a4453ce
(6) eap: Previous EAP request found for state 0x4f424a324a4453ce, released
from the list
(6) eap: Peer sent packet with method EAP PEAP (25)
(6) eap: Calling submodule eap_peap to process data
(6) eap_peap: Continuing EAP-TLS
(6) eap_peap: [eaptls verify] = ok
(6) eap_peap: Done initial handshake
(6) eap_peap: [eaptls process] = ok
(6) eap_peap: Session established. Decoding tunneled attributes
(6) eap_peap: PEAP state WAITING FOR INNER IDENTITY
(6) eap_peap: Identity - userTest
(6) eap_peap: Got inner identity 'userTest'
(6) eap_peap: Setting default EAP type for tunneled EAP session
(6) eap_peap: Got tunneled request
(6) eap_peap: EAP-Message = 0x02060010013031383239353036333832
(6) eap_peap: Setting User-Name to userTest
(6) eap_peap: Sending tunneled request to inner-tunnel
(6) eap_peap: EAP-Message = 0x02060010013031383239353036333832
(6) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(6) eap_peap: User-Name = "userTest"
(6) eap_peap: Service-Type = Framed-User
(6) eap_peap: Framed-MTU = 1488
(6) eap_peap: Called-Station-Id = "40-01-C6-D8-5C-00:AAA-Teste"
(6) eap_peap: Calling-Station-Id = "4C-57-CA-E2-E9-8D"
(6) eap_peap: NAS-Identifier = "3Com Access Point 7760"
(6) eap_peap: NAS-Port-Type = Wireless-802.11
(6) eap_peap: Connect-Info = "CONNECT 54Mbps 802.11g"
(6) eap_peap: NAS-IP-Address = 10.41.17.64
(6) eap_peap: NAS-Port = 1
(6) eap_peap: NAS-Port-Id = "STA port # 1"
(6) eap_peap: Event-Timestamp = "Mar 22 2017 14:57:02 -03"
(6) Virtual server inner-tunnel received request
(6) EAP-Message = 0x02060010013031383239353036333832
(6) FreeRADIUS-Proxied-To = 127.0.0.1
(6) User-Name = "userTest"
(6) Service-Type = Framed-User
(6) Framed-MTU = 1488
(6) Called-Station-Id = "40-01-C6-D8-5C-00:AAA-Teste"
(6) Calling-Station-Id = "4C-57-CA-E2-E9-8D"
(6) NAS-Identifier = "3Com Access Point 7760"
(6) NAS-Port-Type = Wireless-802.11
(6) Connect-Info = "CONNECT 54Mbps 802.11g"
(6) NAS-IP-Address = 10.41.17.64
(6) NAS-Port = 1
(6) NAS-Port-Id = "STA port # 1"
(6) Event-Timestamp = "Mar 22 2017 14:57:02 -03"
(6) WARNING: Outer and inner identities are the same. User privacy is
compromised.
(6) server inner-tunnel {
(6) # Executing section authorize from file
/etc/raddb/sites-enabled/inner-tunnel
(6) authorize {
(6) eap: Peer sent EAP Response (code 2) ID 6 length 16
(6) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(6) [eap] = ok
(6) } # authorize = ok
(6) Found Auth-Type = eap
(6) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(6) authenticate {
(6) eap: Peer sent packet with method EAP Identity (1)
(6) eap: Calling submodule eap_mschapv2 to process data
(6) eap_mschapv2: Issuing Challenge
(6) eap: Sending EAP Request (code 1) ID 7 length 43
(6) eap: EAP session adding &reply:State = 0xf3cd2f37f3ca35ba
(6) [eap] = handled
(6) } # authenticate = handled
(6) } # server inner-tunnel
(6) Virtual server sending reply
(6) EAP-Message =
0x0107002b1a010700261067d8cf1d5c0b22de6dca819f0ed63a21667265657261646975732d332e302e3134
(6) Message-Authenticator = 0x00000000000000000000000000000000
(6) State = 0xf3cd2f37f3ca35bae612626d1b2654f3
(6) eap_peap: Got tunneled reply code 11
(6) eap_peap: EAP-Message =
0x0107002b1a010700261067d8cf1d5c0b22de6dca819f0ed63a21667265657261646975732d332e302e3134
(6) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(6) eap_peap: State = 0xf3cd2f37f3ca35bae612626d1b2654f3
(6) eap_peap: Got tunneled reply RADIUS code 11
(6) eap_peap: EAP-Message =
0x0107002b1a010700261067d8cf1d5c0b22de6dca819f0ed63a21667265657261646975732d332e302e3134
(6) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(6) eap_peap: State = 0xf3cd2f37f3ca35bae612626d1b2654f3
(6) eap_peap: Got tunneled Access-Challenge
(6) eap: Sending EAP Request (code 1) ID 7 length 75
(6) eap: EAP session adding &reply:State = 0x4f424a32494553ce
(6) [eap] = handled
(6) } # authenticate = handled
(6) Using Post-Auth-Type Challenge
(6) Post-Auth-Type sub-section not found. Ignoring.
(6) # Executing group from file /etc/raddb/sites-enabled/default
(6) Sent Access-Challenge Id 6 from 10.41.110.86:1812 to 10.41.17.64:1090
length 0
(6) EAP-Message =
0x0107004b190017030100407ee01304c4502480e19242c7f750d012d233a5ea2d1d549713c489b9d008af01dc3ade2bce7451513c3505e6521aa348070036f24b83077b93713aeba346e895
(6) Message-Authenticator = 0x00000000000000000000000000000000
(6) State = 0x4f424a32494553ce43a0ba7c4354ed56
(6) Finished request
Waking up in 4.7 seconds.
(7) Received Access-Request Id 7 from 10.41.17.64:1090 to 10.41.110.86:1812
length 319
(7) Message-Authenticator = 0x580b6f53691af232921c599c20c2aa51
(7) Service-Type = Framed-User
(7) User-Name = "userTest"
(7) Framed-MTU = 1488
(7) State = 0x4f424a32494553ce43a0ba7c4354ed56
(7) Called-Station-Id = "40-01-C6-D8-5C-00:AAA-Teste"
(7) Calling-Station-Id = "4C-57-CA-E2-E9-8D"
(7) NAS-Identifier = "3Com Access Point 7760"
(7) NAS-Port-Type = Wireless-802.11
(7) Connect-Info = "CONNECT 54Mbps 802.11g"
(7) EAP-Message =
0x0207006b19001703010060c669e7ab79aa07c8499bfa9213bcaebc2d5d1e6e3430c227434a92ef9373471f606a32894c516daacea3cce9b586f7ce7c9d84961e2b80c3de6fa40766f4504a26b64e8fcf20c0a2f2e8dc4711e7e678c6d8a9a86ff7df602dc8286f128b7d2a
(7) NAS-IP-Address = 10.41.17.64
(7) NAS-Port = 1
(7) NAS-Port-Id = "STA port # 1"
(7) session-state: No cached attributes
(7) # Executing section authorize from file /etc/raddb/sites-enabled/default
(7) authorize {
(7) [preprocess] = ok
(7) eap: Peer sent EAP Response (code 2) ID 7 length 107
(7) eap: Continuing tunnel setup
(7) [eap] = ok
(7) } # authorize = ok
(7) Found Auth-Type = eap
(7) # Executing group from file /etc/raddb/sites-enabled/default
(7) authenticate {
(7) eap: Expiring EAP session with state 0xf3cd2f37f3ca35ba
(7) eap: Finished EAP session with state 0x4f424a32494553ce
(7) eap: Previous EAP request found for state 0x4f424a32494553ce, released
from the list
(7) eap: Peer sent packet with method EAP PEAP (25)
(7) eap: Calling submodule eap_peap to process data
(7) eap_peap: Continuing EAP-TLS
(7) eap_peap: [eaptls verify] = ok
(7) eap_peap: Done initial handshake
(7) eap_peap: [eaptls process] = ok
(7) eap_peap: Session established. Decoding tunneled attributes
(7) eap_peap: PEAP state phase2
(7) eap_peap: EAP method MSCHAPv2 (26)
(7) eap_peap: Got tunneled request
(7) eap_peap: EAP-Message =
0x020700461a0207004131e4c34eceb5730484764dfd45bce48ff100000000000000009faa4c5cb899c5231ce4957cf16fc309db17b07a773a6342003031383239353036333832
(7) eap_peap: Setting User-Name to userTest
(7) eap_peap: Sending tunneled request to inner-tunnel
(7) eap_peap: EAP-Message =
0x020700461a0207004131e4c34eceb5730484764dfd45bce48ff100000000000000009faa4c5cb899c5231ce4957cf16fc309db17b07a773a6342003031383239353036333832
(7) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(7) eap_peap: User-Name = "userTest"
(7) eap_peap: State = 0xf3cd2f37f3ca35bae612626d1b2654f3
(7) eap_peap: Service-Type = Framed-User
(7) eap_peap: Framed-MTU = 1488
(7) eap_peap: Called-Station-Id = "40-01-C6-D8-5C-00:AAA-Teste"
(7) eap_peap: Calling-Station-Id = "4C-57-CA-E2-E9-8D"
(7) eap_peap: NAS-Identifier = "3Com Access Point 7760"
(7) eap_peap: NAS-Port-Type = Wireless-802.11
(7) eap_peap: Connect-Info = "CONNECT 54Mbps 802.11g"
(7) eap_peap: NAS-IP-Address = 10.41.17.64
(7) eap_peap: NAS-Port = 1
(7) eap_peap: NAS-Port-Id = "STA port # 1"
(7) eap_peap: Event-Timestamp = "Mar 22 2017 14:57:02 -03"
(7) Virtual server inner-tunnel received request
(7) EAP-Message =
0x020700461a0207004131e4c34eceb5730484764dfd45bce48ff100000000000000009faa4c5cb899c5231ce4957cf16fc309db17b07a773a6342003031383239353036333832
(7) FreeRADIUS-Proxied-To = 127.0.0.1
(7) User-Name = "userTest"
(7) State = 0xf3cd2f37f3ca35bae612626d1b2654f3
(7) Service-Type = Framed-User
(7) Framed-MTU = 1488
(7) Called-Station-Id = "40-01-C6-D8-5C-00:AAA-Teste"
(7) Calling-Station-Id = "4C-57-CA-E2-E9-8D"
(7) NAS-Identifier = "3Com Access Point 7760"
(7) NAS-Port-Type = Wireless-802.11
(7) Connect-Info = "CONNECT 54Mbps 802.11g"
(7) NAS-IP-Address = 10.41.17.64
(7) NAS-Port = 1
(7) NAS-Port-Id = "STA port # 1"
(7) Event-Timestamp = "Mar 22 2017 14:57:02 -03"
(7) WARNING: Outer and inner identities are the same. User privacy is
compromised.
(7) server inner-tunnel {
(7) session-state: No cached attributes
(7) # Executing section authorize from file
/etc/raddb/sites-enabled/inner-tunnel
(7) authorize {
(7) eap: Peer sent EAP Response (code 2) ID 7 length 70
(7) eap: No EAP Start, assuming it's an on-going EAP conversation
(7) [eap] = updated
rlm_ldap (ldap): Reserved connection (0)
(7) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(7) ldap: --> (uid=userTest)
(7) ldap: Performing search in "ou=people,dc=test,dc=br" with filter
"(uid=userTest)", scope "sub"
(7) ldap: Waiting for search result...
(7) ldap: User object found at DN "uid=userTest,ou=people,dc=test,dc=br"
(7) ldap: Processing user attributes
(7) ldap: control:NT-Password :=
0x3145333941394139324632423038413045363942344435414441374535333332
rlm_ldap (ldap): Released connection (0)
Need 5 more connections to reach 10 spares
rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots
used
rlm_ldap (ldap): Connecting to ldap://10.0.0.2:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(7) [ldap] = updated
(7) [expiration] = noop
(7) [logintime] = noop
(7) pap: Normalizing NT-Password from hex encoding, 32 bytes -> 16 bytes
(7) pap: WARNING: Auth-Type already set. Not setting to PAP
(7) [pap] = noop
(7) } # authorize = updated
(7) Found Auth-Type = eap
(7) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(7) authenticate {
(7) eap: Expiring EAP session with state 0xf3cd2f37f3ca35ba
(7) eap: Finished EAP session with state 0xf3cd2f37f3ca35ba
(7) eap: Previous EAP request found for state 0xf3cd2f37f3ca35ba, released
from the list
(7) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(7) eap: Calling submodule eap_mschapv2 to process data
(7) eap_mschapv2: # Executing group from file
/etc/raddb/sites-enabled/inner-tunnel
(7) eap_mschapv2: authenticate {
(7) mschap: Found NT-Password
(7) mschap: Creating challenge hash with username: userTest
(7) mschap: Client is using MS-CHAPv2
(7) mschap: Adding MS-CHAPv2 MPPE keys
(7) [mschap] = ok
(7) } # authenticate = ok
(7) MSCHAP Success
(7) eap: Sending EAP Request (code 1) ID 8 length 51
(7) eap: EAP session adding &reply:State = 0xf3cd2f37f2c535ba
(7) [eap] = handled
(7) } # authenticate = handled
(7) } # server inner-tunnel
(7) Virtual server sending reply
(7) EAP-Message =
0x010800331a0307002e533d36353643383034344335374539324431353934314344333337323737433135443633453939343543
(7) Message-Authenticator = 0x00000000000000000000000000000000
(7) State = 0xf3cd2f37f2c535bae612626d1b2654f3
(7) eap_peap: Got tunneled reply code 11
(7) eap_peap: EAP-Message =
0x010800331a0307002e533d36353643383034344335374539324431353934314344333337323737433135443633453939343543
(7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(7) eap_peap: State = 0xf3cd2f37f2c535bae612626d1b2654f3
(7) eap_peap: Got tunneled reply RADIUS code 11
(7) eap_peap: EAP-Message =
0x010800331a0307002e533d36353643383034344335374539324431353934314344333337323737433135443633453939343543
(7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(7) eap_peap: State = 0xf3cd2f37f2c535bae612626d1b2654f3
(7) eap_peap: Got tunneled Access-Challenge
(7) eap: Sending EAP Request (code 1) ID 8 length 91
(7) eap: EAP session adding &reply:State = 0x4f424a32484a53ce
(7) [eap] = handled
(7) } # authenticate = handled
(7) Using Post-Auth-Type Challenge
(7) Post-Auth-Type sub-section not found. Ignoring.
(7) # Executing group from file /etc/raddb/sites-enabled/default
(7) Sent Access-Challenge Id 7 from 10.41.110.86:1812 to 10.41.17.64:1090
length 0
(7) EAP-Message =
0x0108005b19001703010050ac2f44e2a3ed7acba66a1267f323eb6eae71a2bd254a14b8c51eea8b179c1a0ec40cc59af04ad38b953ba3e697ab8357949e573623914e6e5f3c1f165eddacca08316a41b4bfb822bd25c92ee3130e73
(7) Message-Authenticator = 0x00000000000000000000000000000000
(7) State = 0x4f424a32484a53ce43a0ba7c4354ed56
(7) Finished request
Waking up in 1.5 seconds.
Waking up in 1.5 seconds.
(8) Received Access-Request Id 8 from 10.41.17.64:1090 to 10.41.110.86:1812
length 255
(8) Message-Authenticator = 0x7dcc3d33a8e6f5ac1e603cc17197c534
(8) Service-Type = Framed-User
(8) User-Name = "userTest"
(8) Framed-MTU = 1488
(8) State = 0x4f424a32484a53ce43a0ba7c4354ed56
(8) Called-Station-Id = "40-01-C6-D8-5C-00:AAA-Teste"
(8) Calling-Station-Id = "4C-57-CA-E2-E9-8D"
(8) NAS-Identifier = "3Com Access Point 7760"
(8) NAS-Port-Type = Wireless-802.11
(8) Connect-Info = "CONNECT 54Mbps 802.11g"
(8) EAP-Message =
0x0208002b19001703010020abc7b9d4379a98cc113dd952442471dc9a0a7631401d09e2600bae46ef769ad8
(8) NAS-IP-Address = 10.41.17.64
(8) NAS-Port = 1
(8) NAS-Port-Id = "STA port # 1"
(8) session-state: No cached attributes
(8) # Executing section authorize from file /etc/raddb/sites-enabled/default
(8) authorize {
(8) [preprocess] = ok
(8) eap: Peer sent EAP Response (code 2) ID 8 length 43
(8) eap: Continuing tunnel setup
(8) [eap] = ok
(8) } # authorize = ok
(8) Found Auth-Type = eap
(8) # Executing group from file /etc/raddb/sites-enabled/default
(8) authenticate {
(8) eap: Expiring EAP session with state 0xf3cd2f37f2c535ba
(8) eap: Finished EAP session with state 0x4f424a32484a53ce
(8) eap: Previous EAP request found for state 0x4f424a32484a53ce, released
from the list
(8) eap: Peer sent packet with method EAP PEAP (25)
(8) eap: Calling submodule eap_peap to process data
(8) eap_peap: Continuing EAP-TLS
(8) eap_peap: [eaptls verify] = ok
(8) eap_peap: Done initial handshake
(8) eap_peap: [eaptls process] = ok
(8) eap_peap: Session established. Decoding tunneled attributes
(8) eap_peap: PEAP state phase2
(8) eap_peap: EAP method MSCHAPv2 (26)
(8) eap_peap: Got tunneled request
(8) eap_peap: EAP-Message = 0x020800061a03
(8) eap_peap: Setting User-Name to userTest
(8) eap_peap: Sending tunneled request to inner-tunnel
(8) eap_peap: EAP-Message = 0x020800061a03
(8) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(8) eap_peap: User-Name = "userTest"
(8) eap_peap: State = 0xf3cd2f37f2c535bae612626d1b2654f3
(8) eap_peap: Service-Type = Framed-User
(8) eap_peap: Framed-MTU = 1488
(8) eap_peap: Called-Station-Id = "40-01-C6-D8-5C-00:AAA-Teste"
(8) eap_peap: Calling-Station-Id = "4C-57-CA-E2-E9-8D"
(8) eap_peap: NAS-Identifier = "3Com Access Point 7760"
(8) eap_peap: NAS-Port-Type = Wireless-802.11
(8) eap_peap: Connect-Info = "CONNECT 54Mbps 802.11g"
(8) eap_peap: NAS-IP-Address = 10.41.17.64
(8) eap_peap: NAS-Port = 1
(8) eap_peap: NAS-Port-Id = "STA port # 1"
(8) eap_peap: Event-Timestamp = "Mar 22 2017 14:57:06 -03"
(8) Virtual server inner-tunnel received request
(8) EAP-Message = 0x020800061a03
(8) FreeRADIUS-Proxied-To = 127.0.0.1
(8) User-Name = "userTest"
(8) State = 0xf3cd2f37f2c535bae612626d1b2654f3
(8) Service-Type = Framed-User
(8) Framed-MTU = 1488
(8) Called-Station-Id = "40-01-C6-D8-5C-00:AAA-Teste"
(8) Calling-Station-Id = "4C-57-CA-E2-E9-8D"
(8) NAS-Identifier = "3Com Access Point 7760"
(8) NAS-Port-Type = Wireless-802.11
(8) Connect-Info = "CONNECT 54Mbps 802.11g"
(8) NAS-IP-Address = 10.41.17.64
(8) NAS-Port = 1
(8) NAS-Port-Id = "STA port # 1"
(8) Event-Timestamp = "Mar 22 2017 14:57:06 -03"
(8) WARNING: Outer and inner identities are the same. User privacy is
compromised.
(8) server inner-tunnel {
(8) session-state: No cached attributes
(8) # Executing section authorize from file
/etc/raddb/sites-enabled/inner-tunnel
(8) authorize {
(8) eap: Peer sent EAP Response (code 2) ID 8 length 6
(8) eap: No EAP Start, assuming it's an on-going EAP conversation
(8) [eap] = updated
rlm_ldap (ldap): Reserved connection (1)
(8) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(8) ldap: --> (uid=userTest)
(8) ldap: Performing search in "ou=people,dc=test,dc=br" with filter
"(uid=userTest)", scope "sub"
(8) ldap: Waiting for search result...
(8) ldap: User object found at DN "uid=userTest,ou=people,dc=test,dc=br"
(8) ldap: Processing user attributes
(8) ldap: control:NT-Password :=
0x3145333941394139324632423038413045363942344435414441374535333332
rlm_ldap (ldap): Released connection (1)
Need 4 more connections to reach 10 spares
rlm_ldap (ldap): Opening additional connection (6), 1 of 26 pending slots
used
rlm_ldap (ldap): Connecting to ldap://10.0.0.2:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(8) [ldap] = updated
(8) [expiration] = noop
(8) [logintime] = noop
(8) pap: Normalizing NT-Password from hex encoding, 32 bytes -> 16 bytes
(8) pap: WARNING: Auth-Type already set. Not setting to PAP
(8) [pap] = noop
(8) } # authorize = updated
(8) Found Auth-Type = eap
(8) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(8) authenticate {
(8) eap: Expiring EAP session with state 0xf3cd2f37f2c535ba
(8) eap: Finished EAP session with state 0xf3cd2f37f2c535ba
(8) eap: Previous EAP request found for state 0xf3cd2f37f2c535ba, released
from the list
(8) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(8) eap: Calling submodule eap_mschapv2 to process data
(8) eap: Sending EAP Success (code 3) ID 8 length 4
(8) eap: Freeing handler
(8) [eap] = ok
(8) } # authenticate = ok
(8) # Executing section post-auth from file
/etc/raddb/sites-enabled/inner-tunnel
(8) post-auth { ... } # empty sub-section is ignored
(8) } # server inner-tunnel
(8) Virtual server sending reply
(8) MS-MPPE-Encryption-Policy = Encryption-Allowed
(8) MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(8) MS-MPPE-Send-Key = 0x4aa9e16bdd36625e16a0d830524217af
(8) MS-MPPE-Recv-Key = 0x0a5d092cf0335597ba092c656391f8ce
(8) EAP-Message = 0x03080004
(8) Message-Authenticator = 0x00000000000000000000000000000000
(8) User-Name = "userTest"
(8) eap_peap: Got tunneled reply code 2
(8) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed
(8) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(8) eap_peap: MS-MPPE-Send-Key = 0x4aa9e16bdd36625e16a0d830524217af
(8) eap_peap: MS-MPPE-Recv-Key = 0x0a5d092cf0335597ba092c656391f8ce
(8) eap_peap: EAP-Message = 0x03080004
(8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(8) eap_peap: User-Name = "userTest"
(8) eap_peap: Got tunneled reply RADIUS code 2
(8) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed
(8) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(8) eap_peap: MS-MPPE-Send-Key = 0x4aa9e16bdd36625e16a0d830524217af
(8) eap_peap: MS-MPPE-Recv-Key = 0x0a5d092cf0335597ba092c656391f8ce
(8) eap_peap: EAP-Message = 0x03080004
(8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(8) eap_peap: User-Name = "userTest"
(8) eap_peap: Tunneled authentication was successful
(8) eap_peap: SUCCESS
(8) eap_peap: Saving tunneled attributes for later
(8) eap: Sending EAP Request (code 1) ID 9 length 43
(8) eap: EAP session adding &reply:State = 0x4f424a32474b53ce
(8) [eap] = handled
(8) } # authenticate = handled
(8) Using Post-Auth-Type Challenge
(8) Post-Auth-Type sub-section not found. Ignoring.
(8) # Executing group from file /etc/raddb/sites-enabled/default
(8) Sent Access-Challenge Id 8 from 10.41.110.86:1812 to 10.41.17.64:1090
length 0
(8) EAP-Message =
0x0109002b19001703010020eae9a042828d4a49005b266a1f74f0a2bf7014f3c8490968e2346a1102a797f0
(8) Message-Authenticator = 0x00000000000000000000000000000000
(8) State = 0x4f424a32474b53ce43a0ba7c4354ed56
(8) Finished request
(0) Cleaning up request packet ID 0 with timestamp +13
(1) Cleaning up request packet ID 1 with timestamp +13
(2) Cleaning up request packet ID 2 with timestamp +13
(3) Cleaning up request packet ID 3 with timestamp +13
(4) Cleaning up request packet ID 4 with timestamp +13
(5) Cleaning up request packet ID 5 with timestamp +13
(6) Cleaning up request packet ID 6 with timestamp +13
Waking up in 6.6 seconds.
(9) Received Access-Request Id 9 from 10.41.17.64:1090 to 10.41.110.86:1812
length 255
(9) Message-Authenticator = 0x58645e92fdfebfe5a07ee2ca9e76d058
(9) Service-Type = Framed-User
(9) User-Name = "userTest"
(9) Framed-MTU = 1488
(9) State = 0x4f424a32474b53ce43a0ba7c4354ed56
(9) Called-Station-Id = "40-01-C6-D8-5C-00:AAA-Teste"
(9) Calling-Station-Id = "4C-57-CA-E2-E9-8D"
(9) NAS-Identifier = "3Com Access Point 7760"
(9) NAS-Port-Type = Wireless-802.11
(9) Connect-Info = "CONNECT 54Mbps 802.11g"
(9) EAP-Message =
0x0209002b19001703010020392369a6b70c5ffc43a71c35e3a7fdfedb1358e8be6145c943f3c8f7c084f2aa
(9) NAS-IP-Address = 10.41.17.64
(9) NAS-Port = 1
(9) NAS-Port-Id = "STA port # 1"
(9) session-state: No cached attributes
(9) # Executing section authorize from file /etc/raddb/sites-enabled/default
(9) authorize {
(9) [preprocess] = ok
(9) eap: Peer sent EAP Response (code 2) ID 9 length 43
(9) eap: Continuing tunnel setup
(9) [eap] = ok
(9) } # authorize = ok
(9) Found Auth-Type = eap
(9) # Executing group from file /etc/raddb/sites-enabled/default
(9) authenticate {
(9) eap: Expiring EAP session with state 0x4f424a32474b53ce
(9) eap: Finished EAP session with state 0x4f424a32474b53ce
(9) eap: Previous EAP request found for state 0x4f424a32474b53ce, released
from the list
(9) eap: Peer sent packet with method EAP PEAP (25)
(9) eap: Calling submodule eap_peap to process data
(9) eap_peap: Continuing EAP-TLS
(9) eap_peap: [eaptls verify] = ok
(9) eap_peap: Done initial handshake
(9) eap_peap: [eaptls process] = ok
(9) eap_peap: Session established. Decoding tunneled attributes
(9) eap_peap: PEAP state send tlv success
(9) eap_peap: Received EAP-TLV response
(9) eap_peap: Success
(9) eap_peap: Using saved attributes from the original Access-Accept
(9) eap_peap: User-Name = "userTest"
(9) eap_peap: caching User-Name = "userTest"
(9) eap_peap: Failed to find 'persist_dir' in TLS configuration. Session
will not be cached on disk.
(9) eap: Sending EAP Success (code 3) ID 9 length 4
(9) eap: Freeing handler
(9) [eap] = ok
(9) } # authenticate = ok
(9) # Executing section post-auth from file /etc/raddb/sites-enabled/default
(9) post-auth {
(9) update {
(9) No attributes updated
(9) } # update = noop
(9) [exec] = noop
(9) policy remove_reply_message_if_eap {
(9) if (&reply:EAP-Message && &reply:Reply-Message) {
(9) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(9) else {
(9) [noop] = noop
(9) } # else = noop
(9) } # policy remove_reply_message_if_eap = noop
(9) } # post-auth = noop
(9) Sent Access-Accept Id 9 from 10.41.110.86:1812 to 10.41.17.64:1090
length 0
(9) User-Name = "userTest"
(9) MS-MPPE-Recv-Key =
0x00a4bdf20b6b9a550a36b016997d3bb3bd83c0fdfdbcc0ddd6026d3daa2019bb
(9) MS-MPPE-Send-Key =
0xaf0e20d1649dba2bd275bae0ce54905287ec784004b438eac1d71335a6a5df64
(9) EAP-Message = 0x03090004
(9) Message-Authenticator = 0x00000000000000000000000000000000
(9) Finished request
Waking up in 4.9 seconds.
(9) Cleaning up request packet ID 9 with timestamp +20
Waking up in 1.6 seconds.
(7) Cleaning up request packet ID 7 with timestamp +13
Waking up in 3.3 seconds.
1
0
hi,
I think I must thanks for FR project @Alan DeKok and @others.it is a great and prefect job.
I hava two ssid,SSID-TMP for temporary user and the SSID-EMP for employee-user,they both use the realm_sql for auth.
the data in radcheck as follows:
current,in raddb/sq/mysql/dialup.conf,
authorize_check_query = "SELECT id, username, attribute, value, op FROM ${authcheck_table} WHERE username = '%{SQL-User-Name}' ORDER BY id"
so when a temporary user tmp_user connect SSID-EMP(for employee),he also get the correct password for connecting the SSID-EMP.that should be disabled.
the problem is:how can I map the user to the correct record?
I have extented radcheck tables with field user_ssid,so the records like:
and change the authorize_check_query statement to:
"SELECT id, username, attribute, value, op FROM ${authcheck_table} WHERE username = '%{SQL-User-Name}' and ssid='%{Aruba_Essid_Name}' ORDER BY id"
but I donot get the correct sql statement:
SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'emp' and ssid='' ORDER BY id
another approach:
I define another virtual server,but they use the same sql realm,and use the same sql_query statement,
How can I achieve the resule what I want?
I am confused about this,thanks for any suggestion or advise,
apologize for my english,
gh.li
tel:+8613910260406
email:gh.li@microshield.com.cn
3
2