Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
- 13 participants
- 27047 discussions
PERL and EAL-TLS Modul -> Failed to create pair &request:EAP-Message = $RAD_REQUEST{'EAP-Message'}
by Poltorak, Paul (CT DD DS EVO O BFD TM&ISEC 1) 07 Nov '16
by Poltorak, Paul (CT DD DS EVO O BFD TM&ISEC 1) 07 Nov '16
07 Nov '16
Hello all,
i'm using source complied version 3.0.12 on an SUSE SLES 12 SP1 x64.
EAP-TLS is working fine without PERL.
Now I would like to add PERL to do some stuff too.
But with enabled perl module it results in error and REJECT.
This is my default server
server default {
listen {
type = auth
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
ipaddr = *
port = 0
type = acct
limit {
}
}
authorize {
filter_username
preprocess
auth_log
GoPerl
EAP
}
authenticate {
EAP
}
accounting {
detail
}
}
This is a snip of the perl script the authorize part.
It default return "OK" for testing.
I have added RAD_REPLY values for testing too.
sub authorize {
# # For debugging purposes only
# &log_request_attributes;
#
# # Here's where your authorization code comes
# # You can call another function from here:
# &test_call;
$RAD_REPLY{"Tunnel-Private-Group-id"} = "2";
$RAD_REPLY{"Tunnel-Type"} = "VLAN";
$RAD_REPLY{"Tunnel-Medium-Type"} = "IEEE-802";
return RLM_MODULE_OK;
}
In that constellation I've got the error " ERROR: (5) GoPerl: Failed to create pair &request:EAP-Message = $RAD_REQUEST{'EAP-Message'} ->" and "There was no response configured: rejecting request ... Using Post-Auth-Type Reject"
I have found this https://github.com/FreeRADIUS/freeradius-server/issues/1697, I have changed as "dhpark21" described but then I have many errors at perl modul RAD_REQUEST and RAD_REPLY -> undef then perl modul will not be executed but working with EAP-TLS.
Hope someone could help.
That is a snip of the debug:
---------------------------------------
Fri Nov 4 09:09:42 2016 : Debug: (5) GoPerl: $RAD_REQUEST{'User-Name'} = &request:User-Name -> 'host/~~~~~~~~~'
Fri Nov 4 09:09:42 2016 : Debug: (5) GoPerl: $RAD_REQUEST{'NAS-IP-Address'} = &request:NAS-IP-Address -> ~~~~~~~~~
Fri Nov 4 09:09:42 2016 : Debug: (5) GoPerl: $RAD_REQUEST{'NAS-Port'} = &request:NAS-Port -> '60000'
Fri Nov 4 09:09:42 2016 : Debug: (5) GoPerl: $RAD_REQUEST{'Service-Type'} = &request:Service-Type -> 'Framed-User'
Fri Nov 4 09:09:42 2016 : Debug: (5) GoPerl: $RAD_REQUEST{'Framed-MTU'} = &request:Framed-MTU -> '9216'
Fri Nov 4 09:09:42 2016 : Debug: (5) GoPerl: $RAD_REQUEST{'State'} = &request:State -> '0x217dacef257ba1999dff0cf1ce39de5f'
Fri Nov 4 09:09:42 2016 : Debug: (5) GoPerl: $RAD_REQUEST{'Called-Station-Id'} = &request:Called-Station-Id -> ~~~~~~~~~
Fri Nov 4 09:09:42 2016 : Debug: (5) GoPerl: $RAD_REQUEST{'Calling-Station-Id'} = &request:Calling-Station-Id -> ~~~~~~~~~
Fri Nov 4 09:09:42 2016 : Debug: (5) GoPerl: $RAD_REQUEST{'Proxy-State'} = &request:Proxy-State -> '0x8b16a47700000efc'
Fri Nov 4 09:09:42 2016 : Debug: (5) GoPerl: $RAD_REQUEST{'NAS-Port-Type'} = &request:NAS-Port-Type -> 'Ethernet'
Fri Nov 4 09:09:42 2016 : Debug: (5) GoPerl: $RAD_REQUEST{'Event-Timestamp'} = &request:Event-Timestamp -> 'Nov 4 2016 09:09:42 CET'
Fri Nov 4 09:09:42 2016 : Debug: (5) GoPerl: $RAD_REQUEST{'EAP-Message'} = &request:EAP-Message -> '0x020605d40dc00000073016030106f00b0005a000059d00059a30820596308204ffa0030201020213160000d0096957d9bd45cc808400060000d009300d06092a864886f70d01010b0500308198311e301c06092a864886f70d010901160f6564764065766f736f66742e636f6d310b30090603550406130244453110300e060355040813074261766172696131123010060355040713094e7572656d6265726731153013060355040a130c45766f736f667420476d624831153013060355040b130c45766f736f667420476d6248311530130603550403130c45766f736f667420476d6248301e170d3136303831353134303134305a170d3138303831353134303134305a301f311d301b0603550403131445564f30323130302e65766f736f66742e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100afc52515cdb53d2173c492869d2fdf296c2afde310c301240746d2140f93482d2a08c4cda93eed450533635c932804c1776fd15f69ac8942a15a529b4689adf2a0f9db8613f250e91601a964e7611e0815e10d225df9e22ca0119c58f9dede6cc8775ef0f5add475325cd3ad87a93065a1948f9a53d01f10e66ec141fc83a32b571b5ad910a98a016044c39c8832e40fcf6d88cbb5b11a4173877464016d1fc786c28c5d2a04a215e8eecaa6b62241d88bf6d0ca789def'
Fri Nov 4 09:09:42 2016 : Debug: (5) GoPerl: $RAD_REQUEST{'Message-Authenticator'} = &request:Message-Authenticator -> '0x2bebafeecaeb11596c759f7208148ddf'
Fri Nov 4 09:09:42 2016 : Debug: (5) GoPerl: $RAD_REQUEST{'NAS-Port-Id'} = &request:NAS-Port-Id -> ~~~~~~~~~
Fri Nov 4 09:09:42 2016 : Debug: (5) GoPerl: $RAD_REQUEST{'Cisco-AVPair'}[0] = &request:Cisco-AVPair -> 'service-type=Framed'
Fri Nov 4 09:09:42 2016 : Debug: (5) GoPerl: $RAD_REQUEST{'Cisco-AVPair'}[1] = &request:Cisco-AVPair -> 'audit-session-id=0A016E020002255B4748D1E8'
Fri Nov 4 09:09:42 2016 : Debug: (5) GoPerl: $RAD_REQUEST{'Cisco-AVPair'}[2] = &request:Cisco-AVPair -> 'method=dot1x'
SOFT ASSERT FAILED src/modules/rlm_perl/rlm_perl.c[703]: *vps
Fri Nov 4 09:09:42 2016 : Debug: (5) GoPerl: &request:Message-Authenticator = $RAD_REQUEST{'Message-Authenticator'} -> '0x2bebafeecaeb11596c759f7208148ddf'
Fri Nov 4 09:09:42 2016 : Debug: (5) GoPerl: &request:NAS-Port-Type = $RAD_REQUEST{'NAS-Port-Type'} -> 'Ethernet'
Fri Nov 4 09:09:42 2016 : ERROR: (5) GoPerl: Failed to create pair &request:EAP-Message = $RAD_REQUEST{'EAP-Message'} -> '0x020605d40dc00000073016030106f00b0005a000059d00059a30820596308204ffa0030201020213160000d0096957d9bd45cc808400060000d009300d06092a864886f70d01010b0500308198311e301c06092a864886f70d010901160f6564764065766f736f66742e636f6d310b30090603550406130244453110300e060355040813074261766172696131123010060355040713094e7572656d6265726731153013060355040a130c45766f736f667420476d624831153013060355040b130c45766f736f667420476d6248311530130603550403130c45766f736f667420476d6248301e170d3136303831353134303134305a170d3138303831353134303134305a301f311d301b0603550403131445564f30323130302e65766f736f66742e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100afc52515cdb53d2173c492869d2fdf296c2afde310c301240746d2140f93482d2a08c4cda93eed450533635c932804c1776fd15f69ac8942a15a529b4689adf2a0f9db8613f250e91601a964e7611e0815e10d225df9e22ca0119c58f9dede6cc8775ef0f5add475325cd3ad87a93065a1948f9a53d01f10e66ec141fc83a32b571b5ad910a98a016044c39c8832e40fcf6d88cbb5b11a4173877464016d1fc786c28c5d2a04a215e8eecaa6b62241d88bf6d0ca789def'
Fri Nov 4 09:09:42 2016 : Debug: (5) GoPerl: &request:Calling-Station-Id = $RAD_REQUEST{'Calling-Station-Id'} -> ~~~~~~~~~
Fri Nov 4 09:09:42 2016 : Debug: (5) GoPerl: &request:Proxy-State = $RAD_REQUEST{'Proxy-State'} -> '0x8b16a47700000efc'
Fri Nov 4 09:09:42 2016 : Debug: (5) GoPerl: &request:Event-Timestamp = $RAD_REQUEST{'Event-Timestamp'} -> 'Nov 4 2016 09:09:42 CET'
Fri Nov 4 09:09:42 2016 : Debug: (5) GoPerl: &request:Framed-MTU = $RAD_REQUEST{'Framed-MTU'} -> '9216'
Fri Nov 4 09:09:42 2016 : Debug: (5) GoPerl: &request:NAS-IP-Address = $RAD_REQUEST{'NAS-IP-Address'} -> ~~~~~~~~~
Fri Nov 4 09:09:42 2016 : Debug: (5) GoPerl: &request:Cisco-AVPair += $RAD_REQUEST{'Cisco-AVPair'} -> 'service-type=Framed'
Fri Nov 4 09:09:42 2016 : Debug: (5) GoPerl: &request:Cisco-AVPair += $RAD_REQUEST{'Cisco-AVPair'} -> 'audit-session-id=0A016E020002255B4748D1E8'
Fri Nov 4 09:09:42 2016 : Debug: (5) GoPerl: &request:Cisco-AVPair += $RAD_REQUEST{'Cisco-AVPair'} -> 'method=dot1x'
Fri Nov 4 09:09:42 2016 : Debug: (5) GoPerl: &request:User-Name = $RAD_REQUEST{'User-Name'} -> ~~~~~~~~~
Fri Nov 4 09:09:42 2016 : Debug: (5) GoPerl: &request:State = $RAD_REQUEST{'State'} -> '0x217dacef257ba1999dff0cf1ce39de5f'
Fri Nov 4 09:09:42 2016 : Debug: (5) GoPerl: &request:Called-Station-Id = $RAD_REQUEST{'Called-Station-Id'} -> ~~~~~~~~~
Fri Nov 4 09:09:42 2016 : Debug: (5) GoPerl: &request:NAS-Port-Id = $RAD_REQUEST{'NAS-Port-Id'} -> ~~~~~~~~~
Fri Nov 4 09:09:42 2016 : Debug: (5) GoPerl: &request:NAS-Port = $RAD_REQUEST{'NAS-Port'} -> '60000'
Fri Nov 4 09:09:42 2016 : Debug: (5) GoPerl: &request:Service-Type = $RAD_REQUEST{'Service-Type'} -> 'Framed-User'
SOFT ASSERT FAILED src/modules/rlm_perl/rlm_perl.c[703]: *vps
Fri Nov 4 09:09:42 2016 : Debug: (5) GoPerl: &reply:Tunnel-Type = $RAD_REPLY{'Tunnel-Type'} -> 'VLAN'
Fri Nov 4 09:09:42 2016 : Debug: (5) GoPerl: &reply:Tunnel-Private-Group-id = $RAD_REPLY{'Tunnel-Private-Group-id'} -> '2'
Fri Nov 4 09:09:42 2016 : Debug: (5) GoPerl: &reply:Tunnel-Medium-Type = $RAD_REPLY{'Tunnel-Medium-Type'} -> 'IEEE-802'
Fri Nov 4 09:09:42 2016 : Debug: (5) modsingle[authorize]: returned from GoPerl (rlm_perl)
Fri Nov 4 09:09:42 2016 : Debug: (5) [GoPerl] = ok
Fri Nov 4 09:09:42 2016 : Debug: (5) modsingle[authorize]: calling EAP (rlm_eap)
Fri Nov 4 09:09:42 2016 : Debug: (5) EAP: Got EAP_START message
Fri Nov 4 09:09:42 2016 : Debug: (5) modsingle[authorize]: returned from EAP (rlm_eap)
Fri Nov 4 09:09:42 2016 : Debug: (5) [EAP] = handled
Fri Nov 4 09:09:42 2016 : Debug: (5) } # authorize = handled
Fri Nov 4 09:09:42 2016 : Debug: (5) There was no response configured: rejecting request
Fri Nov 4 09:09:42 2016 : Debug: (5) Using Post-Auth-Type Reject
Fri Nov 4 09:09:42 2016 : Debug: (5) Post-Auth-Type sub-section not found. Ignoring.
Fri Nov 4 09:09:42 2016 : Debug: (5) Delaying response for 1.000000 seconds
Fri Nov 4 09:09:42 2016 : Debug: Waking up in 0.3 seconds.
Fri Nov 4 09:09:43 2016 : Debug: Waking up in 0.6 seconds.
Fri Nov 4 09:09:43 2016 : Debug: (5) Sending delayed response
Fri Nov 4 09:09:43 2016 : Debug: (5) Sent Access-Reject Id 113 from ~~~~~~~~~to ~~~~~~~~~length 52
Fri Nov 4 09:09:43 2016 : Debug: (5) Tunnel-Type = VLAN
Fri Nov 4 09:09:43 2016 : Debug: (5) Tunnel-Private-Group-Id = "2"
Fri Nov 4 09:09:43 2016 : Debug: (5) Tunnel-Medium-Type = IEEE-802
Fri Nov 4 09:09:43 2016 : Debug: (5) EAP-Message = 0x0100000501
Fri Nov 4 09:09:43 2016 : Debug: (5) Proxy-State = 0x8b16a47700000efc
Fri Nov 4 09:09:43 2016 : Debug: Waking up in 3.9 seconds.
Fri Nov 4 09:09:47 2016 : Debug: (0) Cleaning up request packet ID 108 with timestamp +21
Fri Nov 4 09:09:47 2016 : Debug: (1) Cleaning up request packet ID 109 with timestamp +21
Fri Nov 4 09:09:47 2016 : Debug: (2) Cleaning up request packet ID 110 with timestamp +21
Fri Nov 4 09:09:47 2016 : Debug: (3) Cleaning up request packet ID 111 with timestamp +21
Fri Nov 4 09:09:47 2016 : Debug: (4) Cleaning up request packet ID 112 with timestamp +21
Fri Nov 4 09:09:47 2016 : Debug: (5) Cleaning up request packet ID 113 with timestamp +21
Fri Nov 4 09:09:47 2016 : Info: Ready to process requests
Fri Nov 4 09:09:47 2016 : Debug: (6) Received Access-Request Id 114 from ~~~~~~~~~to ~~~~~~~~~length 300
Fri Nov 4 09:09:47 2016 : Debug: (6) User-Name = "host/EVO02100.evosoft.com"
Fri Nov 4 09:09:47 2016 : Debug: (6) Service-Type = Framed-User
Fri Nov 4 09:09:47 2016 : Debug: (6) Framed-MTU = 9216
Fri Nov 4 09:09:47 2016 : Debug: (6) Called-Station-Id = "~~~~~~~~~"
Fri Nov 4 09:09:47 2016 : Debug: (6) Calling-Station-Id = "~~~~~~~~~"
Fri Nov 4 09:09:47 2016 : Debug: (6) EAP-Message = 0x0201001e01686f73742f45564f30323130302e65766f736f66742e636f6d
Fri Nov 4 09:09:47 2016 : Debug: (6) Message-Authenticator = 0xe22b7d268bf88355559f7445f864ad63
Fri Nov 4 09:09:47 2016 : Debug: (6) NAS-IP-Address = ~~~~~~~~~
Fri Nov 4 09:09:47 2016 : Debug: (6) NAS-Port = 60000
Fri Nov 4 09:09:47 2016 : Debug: (6) NAS-Port-Id = "~~~~~~~~~"
Fri Nov 4 09:09:47 2016 : Debug: (6) NAS-Port-Type = Ethernet
Fri Nov 4 09:09:47 2016 : Debug: (6) Cisco-AVPair = "service-type=Framed"
Fri Nov 4 09:09:47 2016 : Debug: (6) Cisco-AVPair = "audit-session-id=0A016E020002255B4748D1E8"
Fri Nov 4 09:09:47 2016 : Debug: (6) Cisco-AVPair = "method=dot1x"
Fri Nov 4 09:09:47 2016 : Debug: (6) Proxy-State = 0x8b16a47700000efd
Fri Nov 4 09:09:47 2016 : Debug: (6) session-state: No State attribute
Best Regards,
Paul
3
8
Would you please assist me to get rid of this problem,
When I am forwarding request from my NAS/router to radius server, getting
below error, attached is complete logs.
Thanks in advance for the kind help.
(31) sql: ERROR: Error fetching row
(31) sql: ERROR: rlm_sql_oracle: ORA-01403: no data found
(31) sql: EXPAND SELECT GroupName FROM usergroup WHERE
UserName='%{SQL-User-Name}'
(31) sql: --> SELECT GroupName FROM usergroup WHERE UserName=''
(31) sql: Executing select query: SELECT GroupName FROM usergroup WHERE
UserName=''
(31) sql: ERROR: Error fetching row
(31) sql: ERROR: rlm_sql_oracle: ORA-01403: no data found
(31) sql: User not found in any groups
rlm_sql (sql): Released connection (9)
(31) [sql] = notfound
(31) [expiration] = noop
(31) [logintime] = noop
(31) pap: WARNING: No "known good" password found for the user. Not setting
Auth-Type
(31) pap: WARNING: Authentication will fail unless a "known good" password
is available
(31) [pap] = noop
(31) } # authorize = ok
(31) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type =
Reject
(31) Failed to authenticate the user
(31) Using Post-Auth-Type Reject
(31) # Executing group from file
/usr/local/freeradius3/etc/raddb/sites-enabled/default
4
4
>
*What you probably need to do (I'm guessing, because you didn't really
describe your requirements), is to set up *two* SQL modules:**> *
*> *
>
*# normal RADIUS sql module> sql {> ....**> *
*}**> *
*> *
*# and an SQL module for DHCP**> *
*#**> *
*sql sql_dhcp {**> *
*...**> *
*}**> *
*> *
* The "sql_dhcp" module should initially be copied from "sql", and then
modified to work with DHCP.**> *
*> *
* Then, in the DHCP virtual server, use "sql_dhcp" instead of "sql". And
in the RADIUS virtual server, use "sql".**> *
*> ** Using two different configurations like this means that they don't
conflict with each other.*
Thanks Alan, that did the trick nicely. It's spawned a new question so I'll
start a new thread.
Toby
1
0
I'm new to Freeradius. I'm trying to set up a back-end to talk nicely with
a pfSense router and walking through various tutorials and doco pages. I
had EAP working nicely but wanted to use DHCP and assign static IPs to
devices based on MAC stored in either mac2ip or mysql (mostly mysql since
that's what I'm trying to use for config).
I get to a stage where, after following the DHCP tutorial I set
sql_user_name = "%{DHCP-Client-Hardware-Address}". This works for the
purpose of assigning an IP, I assume. But then when FR tries to
authenticate EAP, it uses sql_user_name as a query into the radcheck table
and by that stage sql_user_name has been set to '' (an empty string) by the
EAP process I presume. So my EAP user name is ignored and the
authentication fails.
Do I rewrite the queries to use 'User-name', or is there someone who has
combined DHCP/EAP and has a better method I should use?
Bear in mind I'm new to FR, DHCP, EAP, pretty much all of it and just doing
home networking for fun here so maybe I'm on the wrong track altogether.
Here's sudo freeradius -X that hopefully helps (sorry for the duplicates,
it's quick enough that it tried to login several times before I killed it)
http://pastebin.com/raw/hGSjjD6j
Thanks in advance.
2
1
Having a hard time setting up my new freeRADIUS 3.0.12 on Ubuntu 16.04. I am trying to turn on ldap; I altered the file in sites-available, and hand created a symlink to it from sites-enabled. But now I am getting an error in radiusd -X of
/usr/local/etc/raddb/mods-enabled/ldap[8]: Failed to link to module 'rlm_ldap': /usr/local/lib/rlm_ldap.so: cannot open shared object file: No such file or directory
I have verified that there is no rlm-ldap.so file in /usr/local/lib. This site (https://access.redhat.com/solutions/2262901) suggests that I missed something during the make process. Are shared objects only created during the make process? How do I get one when it is missing? All the stuff I am reading implies all that is needed to make any module work is the symlink.
Daniel Wruck
7
12
Hello,
I am running CentOS7, Samba 4.2.10, FreeRADIUS 3.0.4 The client I'm having
trouble with is an iPhone 6 running iOS 10.1.1
With help from this list I was able to get LDAP queries and EAP-TLS certificates working on
Windows devices. Now I am on to iPhones and running into EAP-TLS/SSL errors that I was hoping to get
insight on as well. I've added the full radius -X below but the part I think is the issue is the following:
(11) eap : Peer sent method TLS (13)
(11) eap : EAP TLS (13)
(11) eap : Calling eap_tls to process EAP data
(11) eap_tls : Authenticate
(11) eap_tls : processing EAP-TLS
TLS Length 7
(11) eap_tls : Length Included
(11) eap_tls : eaptls_verify returned 11
(11) eap_tls : <<< TLS 1.0 Alert [length 0002], warning close_notify
(11) ERROR: eap_tls : TLS_accept: Failed in SSLv3 read client certificate A
(11) ERROR: eap_tls : SSL says: error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
SSL: SSL_read failed in a system call (-1), TLS session fails.
TLS receive handshake failed during operation
(11) eap_tls : eaptls_process returned 4
(11) ERROR: eap : Failed continuing EAP TLS (13) session. EAP sub-module failed
(11) eap : Failed in EAP select
(11) [eap] = invalid
(11) } # authenticate = invalid
(11) Failed to authenticate the user
(11) Using Post-Auth-Type Reject
At this point I don't know if the issue is the certificates I'm using such as
Apple/iOS devices requiring additional attributes for certificates the
way WindowsXP does, or perhaps a configuration issue on my FreeRADIUS server
that I can change to allow the iPhone to connect successfully?
I have added the individual .p12 certificate for the iPhone and the root
CA of the FreeRADIUS server to the iPhone via MobileIron. The WiFi network shows
up on the iPhone and when I click the WPA2 Enterprise test network to join,
it spins for a little bit before failing.
As always, any help or insights would be greatly appreciated.
Thank you,
Travis
***** radius -X *****
Ready to process requests
Received Access-Request Id 102 from 10.10.2.164:50046 to 10.10.0.238:1812 length 169
User-Name = 'telsberry'
NAS-IP-Address = 10.10.2.164
NAS-Identifier = '24a43c08fe80'
NAS-Port = 0
Called-Station-Id = '20-A4-3C-09-FE-80:TEST'
Calling-Station-Id = '70-3E-AC-5D-F0-08'
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = 'CONNECT 0Mbps 802.11b'
EAP-Message = 0x02a8000e0174656c736265727279
Message-Authenticator = 0xf92f238034e67c450f8ae544f95a1c15
(0) Received Access-Request packet from host 10.10.2.164 port 50046, id=102, length=169
(0) User-Name = 'telsberry'
(0) NAS-IP-Address = 10.10.2.164
(0) NAS-Identifier = '24a43c08fe80'
(0) NAS-Port = 0
(0) Called-Station-Id = '20-A4-3C-09-FE-80:TEST'
(0) Calling-Station-Id = '70-3E-AC-5D-F0-08'
(0) Framed-MTU = 1400
(0) NAS-Port-Type = Wireless-802.11
(0) Connect-Info = 'CONNECT 0Mbps 802.11b'
(0) EAP-Message = 0x02a8000e0174656c736265727279
(0) Message-Authenticator = 0xf92f238034e67c450f8ae544f95a1c15
(0) # Executing section authorize from file /etc/raddb/sites-enabled/default
(0) authorize {
(0) filter_username filter_username {
(0) if (!&User-Name)
(0) if (!&User-Name) -> FALSE
(0) if (&User-Name =~ / /)
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@.*@/ )
(0) if (&User-Name =~ /@.*@/ ) -> FALSE
(0) if (&User-Name =~ /\\.\\./ )
(0) if (&User-Name =~ /\\.\\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/))
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/)) -> FALSE
(0) if (&User-Name =~ /\\.$/)
(0) if (&User-Name =~ /\\.$/) -> FALSE
(0) if (&User-Name =~ /(a)\\./)
(0) if (&User-Name =~ /(a)\\./) -> FALSE
(0) } # filter_username filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix : Checking for suffix after "@"
(0) suffix : No '@' in User-Name = "telsberry", looking up realm NULL
(0) suffix : No such realm "NULL"
(0) [suffix] = noop
(0) ntdomain : Checking for prefix before "\"
(0) ntdomain : No '\' in User-Name = "telsberry", looking up realm NULL
(0) ntdomain : No such realm "NULL"
(0) [ntdomain] = noop
(0) eap : Peer sent code Response (2) ID 168 length 14
(0) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(0) [eap] = ok
(0) } # authorize = ok
(0) Found Auth-Type = EAP
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0) authenticate {
(0) eap : Peer sent method Identity (1)
(0) eap : Calling eap_peap to process EAP data
(0) eap_peap : Flushing SSL sessions (of #0)
(0) eap_peap : Initiate
(0) eap_peap : Start returned 1
(0) eap : New EAP session, adding 'State' attribute to reply 0x38b7b867381ea1e6
(0) [eap] = handled
(0) } # authenticate = handled
(0) Sending Access-Challenge packet to host 10.10.2.164 port 50046, id=102, length=0
(0) EAP-Message = 0x01a900061920
(0) Message-Authenticator = 0x00000000000000000000000000000000
(0) State = 0x38b7b867381ea1e69a6c9c1f62dac08f
Sending Access-Challenge Id 102 from 10.10.0.238:1812 to 10.10.2.164:50046
EAP-Message = 0x01a900061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x38b7b867381ea1e69a6c9c1f62dac08f
(0) Finished request
Waking up in 0.3 seconds.
Received Access-Request Id 103 from 10.10.2.164:50046 to 10.10.0.238:1812 length 179
User-Name = 'telsberry'
NAS-IP-Address = 10.10.2.164
NAS-Identifier = '24a43c08fe80'
NAS-Port = 0
Called-Station-Id = '20-A4-3C-09-FE-80:TEST'
Calling-Station-Id = '70-3E-AC-5D-F0-08'
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = 'CONNECT 0Mbps 802.11b'
EAP-Message = 0x02a90006030d
State = 0x38b7b867381ea1e69a6c9c1f62dac08f
Message-Authenticator = 0xc53947fd81bdbd9218fb95ecdd62cf70
(1) Received Access-Request packet from host 10.10.2.164 port 50046, id=103, length=179
(1) User-Name = 'telsberry'
(1) NAS-IP-Address = 10.10.2.164
(1) NAS-Identifier = '24a43c08fe80'
(1) NAS-Port = 0
(1) Called-Station-Id = '20-A4-3C-09-FE-80:TEST'
(1) Calling-Station-Id = '70-3E-AC-5D-F0-08'
(1) Framed-MTU = 1400
(1) NAS-Port-Type = Wireless-802.11
(1) Connect-Info = 'CONNECT 0Mbps 802.11b'
(1) EAP-Message = 0x02a90006030d
(1) State = 0x38b7b867381ea1e69a6c9c1f62dac08f
(1) Message-Authenticator = 0xc53947fd81bdbd9218fb95ecdd62cf70
(1) # Executing section authorize from file /etc/raddb/sites-enabled/default
(1) authorize {
(1) filter_username filter_username {
(1) if (!&User-Name)
(1) if (!&User-Name) -> FALSE
(1) if (&User-Name =~ / /)
(1) if (&User-Name =~ / /) -> FALSE
(1) if (&User-Name =~ /@.*@/ )
(1) if (&User-Name =~ /@.*@/ ) -> FALSE
(1) if (&User-Name =~ /\\.\\./ )
(1) if (&User-Name =~ /\\.\\./ ) -> FALSE
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/))
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/)) -> FALSE
(1) if (&User-Name =~ /\\.$/)
(1) if (&User-Name =~ /\\.$/) -> FALSE
(1) if (&User-Name =~ /(a)\\./)
(1) if (&User-Name =~ /(a)\\./) -> FALSE
(1) } # filter_username filter_username = notfound
(1) [preprocess] = ok
(1) [chap] = noop
(1) [mschap] = noop
(1) [digest] = noop
(1) suffix : Checking for suffix after "@"
(1) suffix : No '@' in User-Name = "telsberry", looking up realm NULL
(1) suffix : No such realm "NULL"
(1) [suffix] = noop
(1) ntdomain : Checking for prefix before "\"
(1) ntdomain : No '\' in User-Name = "telsberry", looking up realm NULL
(1) ntdomain : No such realm "NULL"
(1) [ntdomain] = noop
(1) eap : Peer sent code Response (2) ID 169 length 6
(1) eap : No EAP Start, assuming it's an on-going EAP conversation
(1) [eap] = updated
(1) [files] = noop
(1) [expiration] = noop
(1) [logintime] = noop
(1) WARNING: pap : No "known good" password found for the user. Not setting Auth-Type
(1) WARNING: pap : Authentication will fail unless a "known good" password is available
(1) [pap] = noop
(1) } # authorize = updated
(1) Found Auth-Type = EAP
(1) # Executing group from file /etc/raddb/sites-enabled/default
(1) authenticate {
(1) eap : Expiring EAP session with state 0x38b7b867381ea1e6
(1) eap : Finished EAP session with state 0x38b7b867381ea1e6
(1) eap : Previous EAP request found for state 0x38b7b867381ea1e6, released from the list
(1) eap : Peer sent method NAK (3)
(1) eap : Found mutually acceptable type TLS (13)
(1) eap : Calling eap_tls to process EAP data
(1) eap_tls : Requiring client certificate
(1) eap_tls : Initiate
(1) eap_tls : Requiring client certificate
(1) eap_tls : Start returned 1
(1) eap : New EAP session, adding 'State' attribute to reply 0x38b7b867391db5e6
(1) [eap] = handled
(1) } # authenticate = handled
(1) Sending Access-Challenge packet to host 10.10.2.164 port 50046, id=103, length=0
(1) EAP-Message = 0x01aa00060d20
(1) Message-Authenticator = 0x00000000000000000000000000000000
(1) State = 0x38b7b867391db5e69a6c9c1f62dac08f
Sending Access-Challenge Id 103 from 10.10.0.238:1812 to 10.10.2.164:50046
EAP-Message = 0x01aa00060d20
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x38b7b867391db5e69a6c9c1f62dac08f
(1) Finished request
Waking up in 0.2 seconds.
Received Access-Request Id 104 from 10.10.2.164:50046 to 10.10.0.238:1812 length 300
User-Name = 'telsberry'
NAS-IP-Address = 10.10.2.164
NAS-Identifier = '24a43c08fe80'
NAS-Port = 0
Called-Station-Id = '20-A4-3C-09-FE-80:TEST'
Calling-Station-Id = '70-3E-AC-5D-F0-08'
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = 'CONNECT 0Mbps 802.11b'
EAP-Message = 0x02aa007f0d800000007516030100700100006c0301581cbf0ca2d28cea68d276805042fd88c6e95061393ba9592634261687604d5500002000ffc024c023c00ac009c008c028c027c014c013c012003d003c0035002f000a01000023000a00080006001700180019000b000201000005000501000000000012000000170000
State = 0x38b7b867391db5e69a6c9c1f62dac08f
Message-Authenticator = 0xa1e0bcb1d1b00775ebbc1ce4a245048b
(2) Received Access-Request packet from host 10.10.2.164 port 50046, id=104, length=300
(2) User-Name = 'telsberry'
(2) NAS-IP-Address = 10.10.2.164
(2) NAS-Identifier = '24a43c08fe80'
(2) NAS-Port = 0
(2) Called-Station-Id = '20-A4-3C-09-FE-80:TEST'
(2) Calling-Station-Id = '70-3E-AC-5D-F0-08'
(2) Framed-MTU = 1400
(2) NAS-Port-Type = Wireless-802.11
(2) Connect-Info = 'CONNECT 0Mbps 802.11b'
(2) EAP-Message = 0x02aa007f0d800000007516030100700100006c0301581cbf0ca2d28cea68d276805042fd88c6e95061393ba9592634261687604d5500002000ffc024c023c00ac009c008c028c027c014c013c012003d003c0035002f000a01000023000a00080006001700180019000b000201000005000501000000000012000000170000
(2) State = 0x38b7b867391db5e69a6c9c1f62dac08f
(2) Message-Authenticator = 0xa1e0bcb1d1b00775ebbc1ce4a245048b
(2) # Executing section authorize from file /etc/raddb/sites-enabled/default
(2) authorize {
(2) filter_username filter_username {
(2) if (!&User-Name)
(2) if (!&User-Name) -> FALSE
(2) if (&User-Name =~ / /)
(2) if (&User-Name =~ / /) -> FALSE
(2) if (&User-Name =~ /@.*@/ )
(2) if (&User-Name =~ /@.*@/ ) -> FALSE
(2) if (&User-Name =~ /\\.\\./ )
(2) if (&User-Name =~ /\\.\\./ ) -> FALSE
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/))
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/)) -> FALSE
(2) if (&User-Name =~ /\\.$/)
(2) if (&User-Name =~ /\\.$/) -> FALSE
(2) if (&User-Name =~ /(a)\\./)
(2) if (&User-Name =~ /(a)\\./) -> FALSE
(2) } # filter_username filter_username = notfound
(2) [preprocess] = ok
(2) [chap] = noop
(2) [mschap] = noop
(2) [digest] = noop
(2) suffix : Checking for suffix after "@"
(2) suffix : No '@' in User-Name = "telsberry", looking up realm NULL
(2) suffix : No such realm "NULL"
(2) [suffix] = noop
(2) ntdomain : Checking for prefix before "\"
(2) ntdomain : No '\' in User-Name = "telsberry", looking up realm NULL
(2) ntdomain : No such realm "NULL"
(2) [ntdomain] = noop
(2) eap : Peer sent code Response (2) ID 170 length 127
(2) eap : No EAP Start, assuming it's an on-going EAP conversation
(2) [eap] = updated
(2) [files] = noop
(2) [expiration] = noop
(2) [logintime] = noop
(2) [pap] = noop
(2) } # authorize = updated
(2) Found Auth-Type = EAP
(2) # Executing group from file /etc/raddb/sites-enabled/default
(2) authenticate {
(2) eap : Expiring EAP session with state 0x38b7b867391db5e6
(2) eap : Finished EAP session with state 0x38b7b867391db5e6
(2) eap : Previous EAP request found for state 0x38b7b867391db5e6, released from the list
(2) eap : Peer sent method TLS (13)
(2) eap : EAP TLS (13)
(2) eap : Calling eap_tls to process EAP data
(2) eap_tls : Authenticate
(2) eap_tls : processing EAP-TLS
TLS Length 117
(2) eap_tls : Length Included
(2) eap_tls : eaptls_verify returned 11
(2) eap_tls : (other): before/accept initialization
(2) eap_tls : TLS_accept: before/accept initialization
(2) eap_tls : <<< TLS 1.0 Handshake [length 0070], ClientHello
(2) eap_tls : TLS_accept: SSLv3 read client hello A
(2) eap_tls : >>> TLS 1.0 Handshake [length 0059], ServerHello
(2) eap_tls : TLS_accept: SSLv3 write server hello A
(2) eap_tls : >>> TLS 1.0 Handshake [length 085c], Certificate
(2) eap_tls : TLS_accept: SSLv3 write certificate A
(2) eap_tls : >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange
(2) eap_tls : TLS_accept: SSLv3 write key exchange A
(2) eap_tls : >>> TLS 1.0 Handshake [length 00a6], CertificateRequest
(2) eap_tls : TLS_accept: SSLv3 write certificate request A
(2) eap_tls : TLS_accept: SSLv3 flush data
(2) eap_tls : TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
(2) eap_tls : eaptls_process returned 13
(2) eap : New EAP session, adding 'State' attribute to reply 0x38b7b8673a1cb5e6
(2) [eap] = handled
(2) } # authenticate = handled
(2) Sending Access-Challenge packet to host 10.10.2.164 port 50046, id=104, length=0
(2) EAP-Message = 0x01ab03ec0dc000000aba1603010059020000550301581cbf0c713c6d11a66cdaf995b78d1e16b7d6082961572ccef3d6d0d516ea042031b33b78ae02c8c96ff5b159bd6c35ede39fef7f157adcca7cdb804adedd0bc5c01400000dff01000100000b000403000102160301085c0b0008580008550003a4308203a030820288a003020102020103300d06092a864886f70d0101050500308193310b3009060355040613025553311330110603550408130a43616c69666f726e6961311430120603550407130b4c616b6520466f72657374310c300a060355040a13035253443120301e06092a864886f70d010901161174656c736265727279407273642e6e657431293027060355040313205253442052414449555320436572746966696361746520417574686f72697479301e170d3133313031343231323431305a170d3430303331363231323431305a307a310b3009060355040613025553311330110603550408130a43616c69666f726e6961310c300a060355040a1303525344312630240603550403131d52534420524144495553205365727665722043657274696669636174653120301e06092a864886f70d010901161174656c736265727279407273642e6e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100c808fa56d1dbe367d186b614040b
(2) Message-Authenticator = 0x00000000000000000000000000000000
(2) State = 0x38b7b8673a1cb5e69a6c9c1f62dac08f
Sending Access-Challenge Id 104 from 10.10.0.238:1812 to 10.10.2.164:50046
EAP-Message = 0x01ab03ec0dc000000aba1603010059020000550301581cbf0c713c6d11a66cdaf995b78d1e16b7d6082961572ccef3d6d0d516ea042031b33b78ae02c8c96ff5b159bd6c35ede39fef7f157adcca7cdb804adedd0bc5c01400000dff01000100000b000403000102160301085c0b0008580008550003a4308203a030820288a003020102020103300d06092a864886f70d0101050500308193310b3009060355040613025553311330110603550408130a43616c69666f726e6961311430120603550407130b4c616b6520466f72657374310c300a060355040a13035253443120301e06092a864886f70d010901161174656c736265727279407273642e6e657431293027060355040313205253442052414449555320436572746966696361746520417574686f72697479301e170d3133313031343231323431305a170d3430303331363231323431305a307a310b3009060355040613025553311330110603550408130a43616c69666f726e6961310c300a060355040a1303525344312630240603550403131d52534420524144495553205365727665722043657274696669636174653120301e06092a864886f70d010901161174656c736265727279407273642e6e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100c808fa56d1dbe367d186b614040
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x38b7b8673a1cb5e69a6c9c1f62dac08f
(2) Finished request
Waking up in 0.2 seconds.
Received Access-Request Id 105 from 10.10.2.164:50046 to 10.10.0.238:1812 length 179
User-Name = 'telsberry'
NAS-IP-Address = 10.10.2.164
NAS-Identifier = '24a43c08fe80'
NAS-Port = 0
Called-Station-Id = '20-A4-3C-09-FE-80:TEST'
Calling-Station-Id = '70-3E-AC-5D-F0-08'
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = 'CONNECT 0Mbps 802.11b'
EAP-Message = 0x02ab00060d00
State = 0x38b7b8673a1cb5e69a6c9c1f62dac08f
Message-Authenticator = 0x9b16c07977b90cec214cdd76a5845ebd
(3) Received Access-Request packet from host 10.10.2.164 port 50046, id=105, length=179
(3) User-Name = 'telsberry'
(3) NAS-IP-Address = 10.10.2.164
(3) NAS-Identifier = '24a43c08fe80'
(3) NAS-Port = 0
(3) Called-Station-Id = '20-A4-3C-09-FE-80:TEST'
(3) Calling-Station-Id = '70-3E-AC-5D-F0-08'
(3) Framed-MTU = 1400
(3) NAS-Port-Type = Wireless-802.11
(3) Connect-Info = 'CONNECT 0Mbps 802.11b'
(3) EAP-Message = 0x02ab00060d00
(3) State = 0x38b7b8673a1cb5e69a6c9c1f62dac08f
(3) Message-Authenticator = 0x9b16c07977b90cec214cdd76a5845ebd
(3) # Executing section authorize from file /etc/raddb/sites-enabled/default
(3) authorize {
(3) filter_username filter_username {
(3) if (!&User-Name)
(3) if (!&User-Name) -> FALSE
(3) if (&User-Name =~ / /)
(3) if (&User-Name =~ / /) -> FALSE
(3) if (&User-Name =~ /@.*@/ )
(3) if (&User-Name =~ /@.*@/ ) -> FALSE
(3) if (&User-Name =~ /\\.\\./ )
(3) if (&User-Name =~ /\\.\\./ ) -> FALSE
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/))
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/)) -> FALSE
(3) if (&User-Name =~ /\\.$/)
(3) if (&User-Name =~ /\\.$/) -> FALSE
(3) if (&User-Name =~ /(a)\\./)
(3) if (&User-Name =~ /(a)\\./) -> FALSE
(3) } # filter_username filter_username = notfound
(3) [preprocess] = ok
(3) [chap] = noop
(3) [mschap] = noop
(3) [digest] = noop
(3) suffix : Checking for suffix after "@"
(3) suffix : No '@' in User-Name = "telsberry", looking up realm NULL
(3) suffix : No such realm "NULL"
(3) [suffix] = noop
(3) ntdomain : Checking for prefix before "\"
(3) ntdomain : No '\' in User-Name = "telsberry", looking up realm NULL
(3) ntdomain : No such realm "NULL"
(3) [ntdomain] = noop
(3) eap : Peer sent code Response (2) ID 171 length 6
(3) eap : No EAP Start, assuming it's an on-going EAP conversation
(3) [eap] = updated
(3) [files] = noop
(3) [expiration] = noop
(3) [logintime] = noop
(3) [pap] = noop
(3) } # authorize = updated
(3) Found Auth-Type = EAP
(3) # Executing group from file /etc/raddb/sites-enabled/default
(3) authenticate {
(3) eap : Expiring EAP session with state 0x38b7b8673a1cb5e6
(3) eap : Finished EAP session with state 0x38b7b8673a1cb5e6
(3) eap : Previous EAP request found for state 0x38b7b8673a1cb5e6, released from the list
(3) eap : Peer sent method TLS (13)
(3) eap : EAP TLS (13)
(3) eap : Calling eap_tls to process EAP data
(3) eap_tls : Authenticate
(3) eap_tls : processing EAP-TLS
(3) eap_tls : Received TLS ACK
(3) eap_tls : Received TLS ACK
(3) eap_tls : ACK handshake fragment handler
(3) eap_tls : eaptls_verify returned 1
(3) eap_tls : eaptls_process returned 13
(3) eap : New EAP session, adding 'State' attribute to reply 0x38b7b8673b1bb5e6
(3) [eap] = handled
(3) } # authenticate = handled
(3) Sending Access-Challenge packet to host 10.10.2.164 port 50046, id=105, length=0
(3) EAP-Message = 0x01ac03ec0dc000000aba3d020af37f4d5ca6683ed1bb3c3f0126e81cbf4dca7685005045586f807a4afae217d51b520f606f936e43f1123b8f0004ab308204a73082038fa003020102020900a793227a08ee79ec300d06092a864886f70d0101050500308193310b3009060355040613025553311330110603550408130a43616c69666f726e6961311430120603550407130b4c616b6520466f72657374310c300a060355040a13035253443120301e06092a864886f70d010901161174656c736265727279407273642e6e657431293027060355040313205253442052414449555320436572746966696361746520417574686f72697479301e170d3133313031343231323430345a170d3430303331363231323430345a308193310b3009060355040613025553311330110603550408130a43616c69666f726e6961311430120603550407130b4c616b6520466f72657374310c300a060355040a13035253443120301e06092a864886f70d010901161174656c736265727279407273642e6e657431293027060355040313205253442052414449555320436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100e43eb98242ab168e7d82505a8e27744ba7bb5fe0b12b8926ed1867163d7626a748fe1eab67fd82
(3) Message-Authenticator = 0x00000000000000000000000000000000
(3) State = 0x38b7b8673b1bb5e69a6c9c1f62dac08f
Sending Access-Challenge Id 105 from 10.10.0.238:1812 to 10.10.2.164:50046
EAP-Message = 0x01ac03ec0dc000000aba3d020af37f4d5ca6683ed1bb3c3f0126e81cbf4dca7685005045586f807a4afae217d51b520f606f936e43f1123b8f0004ab308204a73082038fa003020102020900a793227a08ee79ec300d06092a864886f70d0101050500308193310b3009060355040613025553311330110603550408130a43616c69666f726e6961311430120603550407130b4c616b6520466f72657374310c300a060355040a13035253443120301e06092a864886f70d010901161174656c736265727279407273642e6e657431293027060355040313205253442052414449555320436572746966696361746520417574686f72697479301e170d3133313031343231323430345a170d3430303331363231323430345a308193310b3009060355040613025553311330110603550408130a43616c69666f726e6961311430120603550407130b4c616b6520466f72657374310c300a060355040a13035253443120301e06092a864886f70d010901161174656c736265727279407273642e6e657431293027060355040313205253442052414449555320436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100e43eb98242ab168e7d82505a8e27744ba7bb5fe0b12b8926ed1867163d7626a748fe1eab67fd8
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x38b7b8673b1bb5e69a6c9c1f62dac08f
(3) Finished request
Waking up in 0.1 seconds.
Received Access-Request Id 106 from 10.10.2.164:50046 to 10.10.0.238:1812 length 179
User-Name = 'telsberry'
NAS-IP-Address = 10.10.2.164
NAS-Identifier = '24a43c08fe80'
NAS-Port = 0
Called-Station-Id = '20-A4-3C-09-FE-80:TEST'
Calling-Station-Id = '70-3E-AC-5D-F0-08'
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = 'CONNECT 0Mbps 802.11b'
EAP-Message = 0x02ac00060d00
State = 0x38b7b8673b1bb5e69a6c9c1f62dac08f
Message-Authenticator = 0xa8b6c078c03a7583b4a4cc5628fe3e44
(4) Received Access-Request packet from host 10.10.2.164 port 50046, id=106, length=179
(4) User-Name = 'telsberry'
(4) NAS-IP-Address = 10.10.2.164
(4) NAS-Identifier = '24a43c08fe80'
(4) NAS-Port = 0
(4) Called-Station-Id = '20-A4-3C-09-FE-80:TEST'
(4) Calling-Station-Id = '70-3E-AC-5D-F0-08'
(4) Framed-MTU = 1400
(4) NAS-Port-Type = Wireless-802.11
(4) Connect-Info = 'CONNECT 0Mbps 802.11b'
(4) EAP-Message = 0x02ac00060d00
(4) State = 0x38b7b8673b1bb5e69a6c9c1f62dac08f
(4) Message-Authenticator = 0xa8b6c078c03a7583b4a4cc5628fe3e44
(4) # Executing section authorize from file /etc/raddb/sites-enabled/default
(4) authorize {
(4) filter_username filter_username {
(4) if (!&User-Name)
(4) if (!&User-Name) -> FALSE
(4) if (&User-Name =~ / /)
(4) if (&User-Name =~ / /) -> FALSE
(4) if (&User-Name =~ /@.*@/ )
(4) if (&User-Name =~ /@.*@/ ) -> FALSE
(4) if (&User-Name =~ /\\.\\./ )
(4) if (&User-Name =~ /\\.\\./ ) -> FALSE
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/))
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/)) -> FALSE
(4) if (&User-Name =~ /\\.$/)
(4) if (&User-Name =~ /\\.$/) -> FALSE
(4) if (&User-Name =~ /(a)\\./)
(4) if (&User-Name =~ /(a)\\./) -> FALSE
(4) } # filter_username filter_username = notfound
(4) [preprocess] = ok
(4) [chap] = noop
(4) [mschap] = noop
(4) [digest] = noop
(4) suffix : Checking for suffix after "@"
(4) suffix : No '@' in User-Name = "telsberry", looking up realm NULL
(4) suffix : No such realm "NULL"
(4) [suffix] = noop
(4) ntdomain : Checking for prefix before "\"
(4) ntdomain : No '\' in User-Name = "telsberry", looking up realm NULL
(4) ntdomain : No such realm "NULL"
(4) [ntdomain] = noop
(4) eap : Peer sent code Response (2) ID 172 length 6
(4) eap : No EAP Start, assuming it's an on-going EAP conversation
(4) [eap] = updated
(4) [files] = noop
(4) [expiration] = noop
(4) [logintime] = noop
(4) [pap] = noop
(4) } # authorize = updated
(4) Found Auth-Type = EAP
(4) # Executing group from file /etc/raddb/sites-enabled/default
(4) authenticate {
(4) eap : Expiring EAP session with state 0x38b7b8673b1bb5e6
(4) eap : Finished EAP session with state 0x38b7b8673b1bb5e6
(4) eap : Previous EAP request found for state 0x38b7b8673b1bb5e6, released from the list
(4) eap : Peer sent method TLS (13)
(4) eap : EAP TLS (13)
(4) eap : Calling eap_tls to process EAP data
(4) eap_tls : Authenticate
(4) eap_tls : processing EAP-TLS
(4) eap_tls : Received TLS ACK
(4) eap_tls : Received TLS ACK
(4) eap_tls : ACK handshake fragment handler
(4) eap_tls : eaptls_verify returned 1
(4) eap_tls : eaptls_process returned 13
(4) eap : New EAP session, adding 'State' attribute to reply 0x38b7b8673c1ab5e6
(4) [eap] = handled
(4) } # authenticate = handled
(4) Sending Access-Challenge packet to host 10.10.2.164 port 50046, id=106, length=0
(4) EAP-Message = 0x01ad03000d8000000aba57cffcd6a6e267773915e7f022918d87964b4e86868ffa7591f71fbab5286049316c8d7073ea5adbf3c6906964d21f07b7052d41b86ae3f55e0708864a12e874d436f993b3ac1be6258aaa41f5af26b93b9feb744ca9b3920c3c177703388abcfbc89202f0bc22c65f8efa13292881e1839df045c53e73eeb2e5eb51454e5d95df924b25c9d854d18bb3e297454430f4fa6d6dc5023e6b8710567b6f0560576818ffd6641065e02937dc7c0efa5b82f98f475d907d54eb73065217c5bc00e733a6c98c81159e55de1b1a833d5ddb5291d40b6a87376b130be2b1cd25522cad7a675e85b0c30dd84b13a0dcee44e39ed95be27daf75626172ef2d5a160301014b0c0001470300174104b184fa4f5e15c47e7630f58784864684ffa82c705bcfcb18ad213d6717e9535cc5dcc6c88028ee1297ee239cdc3830363c77b0954d93bdf1cd22bf0811229a6601009edeaa4f60d6d84718ebedf5108c9135b0c0f0165eef4fd3de4bb036a4af81f8cf5348c71d87a43aa9ac9720690827bd408a149644be7c6dd89859fe65160ea309e5678bd60c03484a54436b27221ea45811938bf1cae5698f6e24d8d4ffbcae82da1d82a97978cd7eda7c590e55f7b1acd0146bcb515e719062b65564d8472ad74a5925524a89b978aa60b60c1e967a2c3ed6aa8d4f612d85209dbb346217108ea7
(4) Message-Authenticator = 0x00000000000000000000000000000000
(4) State = 0x38b7b8673c1ab5e69a6c9c1f62dac08f
Sending Access-Challenge Id 106 from 10.10.0.238:1812 to 10.10.2.164:50046
EAP-Message = 0x01ad03000d8000000aba57cffcd6a6e267773915e7f022918d87964b4e86868ffa7591f71fbab5286049316c8d7073ea5adbf3c6906964d21f07b7052d41b86ae3f55e0708864a12e874d436f993b3ac1be6258aaa41f5af26b93b9feb744ca9b3920c3c177703388abcfbc89202f0bc22c65f8efa13292881e1839df045c53e73eeb2e5eb51454e5d95df924b25c9d854d18bb3e297454430f4fa6d6dc5023e6b8710567b6f0560576818ffd6641065e02937dc7c0efa5b82f98f475d907d54eb73065217c5bc00e733a6c98c81159e55de1b1a833d5ddb5291d40b6a87376b130be2b1cd25522cad7a675e85b0c30dd84b13a0dcee44e39ed95be27daf75626172ef2d5a160301014b0c0001470300174104b184fa4f5e15c47e7630f58784864684ffa82c705bcfcb18ad213d6717e9535cc5dcc6c88028ee1297ee239cdc3830363c77b0954d93bdf1cd22bf0811229a6601009edeaa4f60d6d84718ebedf5108c9135b0c0f0165eef4fd3de4bb036a4af81f8cf5348c71d87a43aa9ac9720690827bd408a149644be7c6dd89859fe65160ea309e5678bd60c03484a54436b27221ea45811938bf1cae5698f6e24d8d4ffbcae82da1d82a97978cd7eda7c590e55f7b1acd0146bcb515e719062b65564d8472ad74a5925524a89b978aa60b60c1e967a2c3ed6aa8d4f612d85209dbb346217108ea
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x38b7b8673c1ab5e69a6c9c1f62dac08f
(4) Finished request
Received Access-Request Id 107 from 10.10.2.164:50046 to 10.10.0.238:1812 length 190
User-Name = 'telsberry'
NAS-IP-Address = 10.10.2.164
NAS-Identifier = '24a43c08fe80'
NAS-Port = 0
Called-Station-Id = '20-A4-3C-09-FE-80:TEST'
Calling-Station-Id = '70-3E-AC-5D-F0-08'
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = 'CONNECT 0Mbps 802.11b'
EAP-Message = 0x02ad00110d800000000715030100020100
State = 0x38b7b8673c1ab5e69a6c9c1f62dac08f
Message-Authenticator = 0xcf2e8ffdeba30f091aaace4d30d50867
(5) Received Access-Request packet from host 10.10.2.164 port 50046, id=107, length=190
(5) User-Name = 'telsberry'
(5) NAS-IP-Address = 10.10.2.164
(5) NAS-Identifier = '24a43c08fe80'
(5) NAS-Port = 0
(5) Called-Station-Id = '20-A4-3C-09-FE-80:TEST'
(5) Calling-Station-Id = '70-3E-AC-5D-F0-08'
(5) Framed-MTU = 1400
(5) NAS-Port-Type = Wireless-802.11
(5) Connect-Info = 'CONNECT 0Mbps 802.11b'
(5) EAP-Message = 0x02ad00110d800000000715030100020100
(5) State = 0x38b7b8673c1ab5e69a6c9c1f62dac08f
(5) Message-Authenticator = 0xcf2e8ffdeba30f091aaace4d30d50867
(5) # Executing section authorize from file /etc/raddb/sites-enabled/default
(5) authorize {
(5) filter_username filter_username {
(5) if (!&User-Name)
(5) if (!&User-Name) -> FALSE
(5) if (&User-Name =~ / /)
(5) if (&User-Name =~ / /) -> FALSE
(5) if (&User-Name =~ /@.*@/ )
(5) if (&User-Name =~ /@.*@/ ) -> FALSE
(5) if (&User-Name =~ /\\.\\./ )
(5) if (&User-Name =~ /\\.\\./ ) -> FALSE
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/))
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/)) -> FALSE
(5) if (&User-Name =~ /\\.$/)
(5) if (&User-Name =~ /\\.$/) -> FALSE
(5) if (&User-Name =~ /(a)\\./)
(5) if (&User-Name =~ /(a)\\./) -> FALSE
(5) } # filter_username filter_username = notfound
(5) [preprocess] = ok
(5) [chap] = noop
(5) [mschap] = noop
(5) [digest] = noop
(5) suffix : Checking for suffix after "@"
(5) suffix : No '@' in User-Name = "telsberry", looking up realm NULL
(5) suffix : No such realm "NULL"
(5) [suffix] = noop
(5) ntdomain : Checking for prefix before "\"
(5) ntdomain : No '\' in User-Name = "telsberry", looking up realm NULL
(5) ntdomain : No such realm "NULL"
(5) [ntdomain] = noop
(5) eap : Peer sent code Response (2) ID 173 length 17
(5) eap : No EAP Start, assuming it's an on-going EAP conversation
(5) [eap] = updated
(5) [files] = noop
(5) [expiration] = noop
(5) [logintime] = noop
(5) [pap] = noop
(5) } # authorize = updated
(5) Found Auth-Type = EAP
(5) # Executing group from file /etc/raddb/sites-enabled/default
(5) authenticate {
(5) eap : Expiring EAP session with state 0x38b7b8673c1ab5e6
(5) eap : Finished EAP session with state 0x38b7b8673c1ab5e6
(5) eap : Previous EAP request found for state 0x38b7b8673c1ab5e6, released from the list
(5) eap : Peer sent method TLS (13)
(5) eap : EAP TLS (13)
(5) eap : Calling eap_tls to process EAP data
(5) eap_tls : Authenticate
(5) eap_tls : processing EAP-TLS
TLS Length 7
(5) eap_tls : Length Included
(5) eap_tls : eaptls_verify returned 11
(5) eap_tls : <<< TLS 1.0 Alert [length 0002], warning close_notify
(5) ERROR: eap_tls : TLS_accept: Failed in SSLv3 read client certificate A
(5) ERROR: eap_tls : SSL says: error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
SSL: SSL_read failed in a system call (-1), TLS session fails.
TLS receive handshake failed during operation
(5) eap_tls : eaptls_process returned 4
(5) ERROR: eap : Failed continuing EAP TLS (13) session. EAP sub-module failed
(5) eap : Failed in EAP select
(5) [eap] = invalid
(5) } # authenticate = invalid
(5) Failed to authenticate the user
(5) Using Post-Auth-Type Reject
(5) # Executing group from file /etc/raddb/sites-enabled/default
(5) Post-Auth-Type REJECT {
(5) attr_filter.access_reject : EXPAND %{User-Name}
(5) attr_filter.access_reject : --> telsberry
(5) attr_filter.access_reject : Matched entry DEFAULT at line 11
(5) [attr_filter.access_reject] = updated
(5) eap : Reply already contained an EAP-Message, not inserting EAP-Failure
(5) [eap] = noop
(5) remove_reply_message_if_eap remove_reply_message_if_eap {
(5) if (&reply:EAP-Message && &reply:Reply-Message)
(5) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(5) else else {
(5) [noop] = noop
(5) } # else else = noop
(5) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop
(5) } # Post-Auth-Type REJECT = updated
(5) Delaying response for 1 seconds
Waking up in 0.1 seconds.
Waking up in 0.6 seconds.
Received Access-Request Id 108 from 10.10.2.164:50046 to 10.10.0.238:1812 length 169
User-Name = 'telsberry'
NAS-IP-Address = 10.10.2.164
NAS-Identifier = '24a43c08fe80'
NAS-Port = 0
Called-Station-Id = '20-A4-3C-09-FE-80:TEST'
Calling-Station-Id = '70-3E-AC-5D-F0-08'
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = 'CONNECT 0Mbps 802.11b'
EAP-Message = 0x02b3000e0174656c736265727279
Message-Authenticator = 0xf5f62dd56d143761a4e9a7897c7a981a
(6) Received Access-Request packet from host 10.10.2.164 port 50046, id=108, length=169
(6) User-Name = 'telsberry'
(6) NAS-IP-Address = 10.10.2.164
(6) NAS-Identifier = '24a43c08fe80'
(6) NAS-Port = 0
(6) Called-Station-Id = '20-A4-3C-09-FE-80:TEST'
(6) Calling-Station-Id = '70-3E-AC-5D-F0-08'
(6) Framed-MTU = 1400
(6) NAS-Port-Type = Wireless-802.11
(6) Connect-Info = 'CONNECT 0Mbps 802.11b'
(6) EAP-Message = 0x02b3000e0174656c736265727279
(6) Message-Authenticator = 0xf5f62dd56d143761a4e9a7897c7a981a
(6) # Executing section authorize from file /etc/raddb/sites-enabled/default
(6) authorize {
(6) filter_username filter_username {
(6) if (!&User-Name)
(6) if (!&User-Name) -> FALSE
(6) if (&User-Name =~ / /)
(6) if (&User-Name =~ / /) -> FALSE
(6) if (&User-Name =~ /@.*@/ )
(6) if (&User-Name =~ /@.*@/ ) -> FALSE
(6) if (&User-Name =~ /\\.\\./ )
(6) if (&User-Name =~ /\\.\\./ ) -> FALSE
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/))
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/)) -> FALSE
(6) if (&User-Name =~ /\\.$/)
(6) if (&User-Name =~ /\\.$/) -> FALSE
(6) if (&User-Name =~ /(a)\\./)
(6) if (&User-Name =~ /(a)\\./) -> FALSE
(6) } # filter_username filter_username = notfound
(6) [preprocess] = ok
(6) [chap] = noop
(6) [mschap] = noop
(6) [digest] = noop
(6) suffix : Checking for suffix after "@"
(6) suffix : No '@' in User-Name = "telsberry", looking up realm NULL
(6) suffix : No such realm "NULL"
(6) [suffix] = noop
(6) ntdomain : Checking for prefix before "\"
(6) ntdomain : No '\' in User-Name = "telsberry", looking up realm NULL
(6) ntdomain : No such realm "NULL"
(6) [ntdomain] = noop
(6) eap : Peer sent code Response (2) ID 179 length 14
(6) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(6) [eap] = ok
(6) } # authorize = ok
(6) Found Auth-Type = EAP
(6) # Executing group from file /etc/raddb/sites-enabled/default
(6) authenticate {
(6) eap : Peer sent method Identity (1)
(6) eap : Calling eap_peap to process EAP data
(6) eap_peap : Initiate
(6) eap_peap : Start returned 1
(6) eap : New EAP session, adding 'State' attribute to reply 0x496f1c9349db05d0
(6) [eap] = handled
(6) } # authenticate = handled
(6) Sending Access-Challenge packet to host 10.10.2.164 port 50046, id=108, length=0
(6) EAP-Message = 0x01b400061920
(6) Message-Authenticator = 0x00000000000000000000000000000000
(6) State = 0x496f1c9349db05d0cb25530063a54d60
Sending Access-Challenge Id 108 from 10.10.0.238:1812 to 10.10.2.164:50046
EAP-Message = 0x01b400061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x496f1c9349db05d0cb25530063a54d60
(6) Finished request
Waking up in 0.3 seconds.
Received Access-Request Id 109 from 10.10.2.164:50046 to 10.10.0.238:1812 length 179
User-Name = 'telsberry'
NAS-IP-Address = 10.10.2.164
NAS-Identifier = '24a43c08fe80'
NAS-Port = 0
Called-Station-Id = '20-A4-3C-09-FE-80:TEST'
Calling-Station-Id = '70-3E-AC-5D-F0-08'
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = 'CONNECT 0Mbps 802.11b'
EAP-Message = 0x02b40006030d
State = 0x496f1c9349db05d0cb25530063a54d60
Message-Authenticator = 0x8765dc04efcb9e3eecd759231b4e5766
(7) Received Access-Request packet from host 10.10.2.164 port 50046, id=109, length=179
(7) User-Name = 'telsberry'
(7) NAS-IP-Address = 10.10.2.164
(7) NAS-Identifier = '24a43c08fe80'
(7) NAS-Port = 0
(7) Called-Station-Id = '20-A4-3C-09-FE-80:TEST'
(7) Calling-Station-Id = '70-3E-AC-5D-F0-08'
(7) Framed-MTU = 1400
(7) NAS-Port-Type = Wireless-802.11
(7) Connect-Info = 'CONNECT 0Mbps 802.11b'
(7) EAP-Message = 0x02b40006030d
(7) State = 0x496f1c9349db05d0cb25530063a54d60
(7) Message-Authenticator = 0x8765dc04efcb9e3eecd759231b4e5766
(7) # Executing section authorize from file /etc/raddb/sites-enabled/default
(7) authorize {
(7) filter_username filter_username {
(7) if (!&User-Name)
(7) if (!&User-Name) -> FALSE
(7) if (&User-Name =~ / /)
(7) if (&User-Name =~ / /) -> FALSE
(7) if (&User-Name =~ /@.*@/ )
(7) if (&User-Name =~ /@.*@/ ) -> FALSE
(7) if (&User-Name =~ /\\.\\./ )
(7) if (&User-Name =~ /\\.\\./ ) -> FALSE
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/))
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/)) -> FALSE
(7) if (&User-Name =~ /\\.$/)
(7) if (&User-Name =~ /\\.$/) -> FALSE
(7) if (&User-Name =~ /(a)\\./)
(7) if (&User-Name =~ /(a)\\./) -> FALSE
(7) } # filter_username filter_username = notfound
(7) [preprocess] = ok
(7) [chap] = noop
(7) [mschap] = noop
(7) [digest] = noop
(7) suffix : Checking for suffix after "@"
(7) suffix : No '@' in User-Name = "telsberry", looking up realm NULL
(7) suffix : No such realm "NULL"
(7) [suffix] = noop
(7) ntdomain : Checking for prefix before "\"
(7) ntdomain : No '\' in User-Name = "telsberry", looking up realm NULL
(7) ntdomain : No such realm "NULL"
(7) [ntdomain] = noop
(7) eap : Peer sent code Response (2) ID 180 length 6
(7) eap : No EAP Start, assuming it's an on-going EAP conversation
(7) [eap] = updated
(7) [files] = noop
(7) [expiration] = noop
(7) [logintime] = noop
(7) WARNING: pap : No "known good" password found for the user. Not setting Auth-Type
(7) WARNING: pap : Authentication will fail unless a "known good" password is available
(7) [pap] = noop
(7) } # authorize = updated
(7) Found Auth-Type = EAP
(7) # Executing group from file /etc/raddb/sites-enabled/default
(7) authenticate {
(7) eap : Expiring EAP session with state 0x496f1c9349db05d0
(7) eap : Finished EAP session with state 0x496f1c9349db05d0
(7) eap : Previous EAP request found for state 0x496f1c9349db05d0, released from the list
(7) eap : Peer sent method NAK (3)
(7) eap : Found mutually acceptable type TLS (13)
(7) eap : Calling eap_tls to process EAP data
(7) eap_tls : Requiring client certificate
(7) eap_tls : Initiate
(7) eap_tls : Requiring client certificate
(7) eap_tls : Start returned 1
(7) eap : New EAP session, adding 'State' attribute to reply 0x496f1c9348da11d0
(7) [eap] = handled
(7) } # authenticate = handled
(7) Sending Access-Challenge packet to host 10.10.2.164 port 50046, id=109, length=0
(7) EAP-Message = 0x01b500060d20
(7) Message-Authenticator = 0x00000000000000000000000000000000
(7) State = 0x496f1c9348da11d0cb25530063a54d60
Sending Access-Challenge Id 109 from 10.10.0.238:1812 to 10.10.2.164:50046
EAP-Message = 0x01b500060d20
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x496f1c9348da11d0cb25530063a54d60
(7) Finished request
Waking up in 0.2 seconds.
Received Access-Request Id 110 from 10.10.2.164:50046 to 10.10.0.238:1812 length 300
User-Name = 'telsberry'
NAS-IP-Address = 10.10.2.164
NAS-Identifier = '24a43c08fe80'
NAS-Port = 0
Called-Station-Id = '20-A4-3C-09-FE-80:TEST'
Calling-Station-Id = '70-3E-AC-5D-F0-08'
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = 'CONNECT 0Mbps 802.11b'
EAP-Message = 0x02b5007f0d800000007516030100700100006c0301581cbf0d7c0a3ef4383e83be2721cea5e727c278e92dc39373b4a32067950d6700002000ffc024c023c00ac009c008c028c027c014c013c012003d003c0035002f000a01000023000a00080006001700180019000b000201000005000501000000000012000000170000
State = 0x496f1c9348da11d0cb25530063a54d60
Message-Authenticator = 0x43af2747bf3cf6edd237f2ab70dae62a
(8) Received Access-Request packet from host 10.10.2.164 port 50046, id=110, length=300
(8) User-Name = 'telsberry'
(8) NAS-IP-Address = 10.10.2.164
(8) NAS-Identifier = '24a43c08fe80'
(8) NAS-Port = 0
(8) Called-Station-Id = '20-A4-3C-09-FE-80:TEST'
(8) Calling-Station-Id = '70-3E-AC-5D-F0-08'
(8) Framed-MTU = 1400
(8) NAS-Port-Type = Wireless-802.11
(8) Connect-Info = 'CONNECT 0Mbps 802.11b'
(8) EAP-Message = 0x02b5007f0d800000007516030100700100006c0301581cbf0d7c0a3ef4383e83be2721cea5e727c278e92dc39373b4a32067950d6700002000ffc024c023c00ac009c008c028c027c014c013c012003d003c0035002f000a01000023000a00080006001700180019000b000201000005000501000000000012000000170000
(8) State = 0x496f1c9348da11d0cb25530063a54d60
(8) Message-Authenticator = 0x43af2747bf3cf6edd237f2ab70dae62a
(8) # Executing section authorize from file /etc/raddb/sites-enabled/default
(8) authorize {
(8) filter_username filter_username {
(8) if (!&User-Name)
(8) if (!&User-Name) -> FALSE
(8) if (&User-Name =~ / /)
(8) if (&User-Name =~ / /) -> FALSE
(8) if (&User-Name =~ /@.*@/ )
(8) if (&User-Name =~ /@.*@/ ) -> FALSE
(8) if (&User-Name =~ /\\.\\./ )
(8) if (&User-Name =~ /\\.\\./ ) -> FALSE
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/))
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/)) -> FALSE
(8) if (&User-Name =~ /\\.$/)
(8) if (&User-Name =~ /\\.$/) -> FALSE
(8) if (&User-Name =~ /(a)\\./)
(8) if (&User-Name =~ /(a)\\./) -> FALSE
(8) } # filter_username filter_username = notfound
(8) [preprocess] = ok
(8) [chap] = noop
(8) [mschap] = noop
(8) [digest] = noop
(8) suffix : Checking for suffix after "@"
(8) suffix : No '@' in User-Name = "telsberry", looking up realm NULL
(8) suffix : No such realm "NULL"
(8) [suffix] = noop
(8) ntdomain : Checking for prefix before "\"
(8) ntdomain : No '\' in User-Name = "telsberry", looking up realm NULL
(8) ntdomain : No such realm "NULL"
(8) [ntdomain] = noop
(8) eap : Peer sent code Response (2) ID 181 length 127
(8) eap : No EAP Start, assuming it's an on-going EAP conversation
(8) [eap] = updated
(8) [files] = noop
(8) [expiration] = noop
(8) [logintime] = noop
(8) [pap] = noop
(8) } # authorize = updated
(8) Found Auth-Type = EAP
(8) # Executing group from file /etc/raddb/sites-enabled/default
(8) authenticate {
(8) eap : Expiring EAP session with state 0x496f1c9348da11d0
(8) eap : Finished EAP session with state 0x496f1c9348da11d0
(8) eap : Previous EAP request found for state 0x496f1c9348da11d0, released from the list
(8) eap : Peer sent method TLS (13)
(8) eap : EAP TLS (13)
(8) eap : Calling eap_tls to process EAP data
(8) eap_tls : Authenticate
(8) eap_tls : processing EAP-TLS
TLS Length 117
(8) eap_tls : Length Included
(8) eap_tls : eaptls_verify returned 11
(8) eap_tls : (other): before/accept initialization
(8) eap_tls : TLS_accept: before/accept initialization
(8) eap_tls : <<< TLS 1.0 Handshake [length 0070], ClientHello
(8) eap_tls : TLS_accept: SSLv3 read client hello A
(8) eap_tls : >>> TLS 1.0 Handshake [length 0059], ServerHello
(8) eap_tls : TLS_accept: SSLv3 write server hello A
(8) eap_tls : >>> TLS 1.0 Handshake [length 085c], Certificate
(8) eap_tls : TLS_accept: SSLv3 write certificate A
(8) eap_tls : >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange
(8) eap_tls : TLS_accept: SSLv3 write key exchange A
(8) eap_tls : >>> TLS 1.0 Handshake [length 00a6], CertificateRequest
(8) eap_tls : TLS_accept: SSLv3 write certificate request A
(8) eap_tls : TLS_accept: SSLv3 flush data
(8) eap_tls : TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
(8) eap_tls : eaptls_process returned 13
(8) eap : New EAP session, adding 'State' attribute to reply 0x496f1c934bd911d0
(8) [eap] = handled
(8) } # authenticate = handled
(8) Sending Access-Challenge packet to host 10.10.2.164 port 50046, id=110, length=0
(8) EAP-Message = 0x01b603ec0dc000000aba1603010059020000550301581cbf0d57eb94540f06eeb5ca253a8c46ed8a0268ae406f100b51543d43862e205d7bfdb9f03c2696da98fe2978c7284475f07f7a9b886e24124d2f87efffdf0cc01400000dff01000100000b000403000102160301085c0b0008580008550003a4308203a030820288a003020102020103300d06092a864886f70d0101050500308193310b3009060355040613025553311330110603550408130a43616c69666f726e6961311430120603550407130b4c616b6520466f72657374310c300a060355040a13035253443120301e06092a864886f70d010901161174656c736265727279407273642e6e657431293027060355040313205253442052414449555320436572746966696361746520417574686f72697479301e170d3133313031343231323431305a170d3430303331363231323431305a307a310b3009060355040613025553311330110603550408130a43616c69666f726e6961310c300a060355040a1303525344312630240603550403131d52534420524144495553205365727665722043657274696669636174653120301e06092a864886f70d010901161174656c736265727279407273642e6e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100c808fa56d1dbe367d186b614040b
(8) Message-Authenticator = 0x00000000000000000000000000000000
(8) State = 0x496f1c934bd911d0cb25530063a54d60
Sending Access-Challenge Id 110 from 10.10.0.238:1812 to 10.10.2.164:50046
EAP-Message = 0x01b603ec0dc000000aba1603010059020000550301581cbf0d57eb94540f06eeb5ca253a8c46ed8a0268ae406f100b51543d43862e205d7bfdb9f03c2696da98fe2978c7284475f07f7a9b886e24124d2f87efffdf0cc01400000dff01000100000b000403000102160301085c0b0008580008550003a4308203a030820288a003020102020103300d06092a864886f70d0101050500308193310b3009060355040613025553311330110603550408130a43616c69666f726e6961311430120603550407130b4c616b6520466f72657374310c300a060355040a13035253443120301e06092a864886f70d010901161174656c736265727279407273642e6e657431293027060355040313205253442052414449555320436572746966696361746520417574686f72697479301e170d3133313031343231323431305a170d3430303331363231323431305a307a310b3009060355040613025553311330110603550408130a43616c69666f726e6961310c300a060355040a1303525344312630240603550403131d52534420524144495553205365727665722043657274696669636174653120301e06092a864886f70d010901161174656c736265727279407273642e6e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100c808fa56d1dbe367d186b614040
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x496f1c934bd911d0cb25530063a54d60
(8) Finished request
Waking up in 0.1 seconds.
Received Access-Request Id 111 from 10.10.2.164:50046 to 10.10.0.238:1812 length 179
User-Name = 'telsberry'
NAS-IP-Address = 10.10.2.164
NAS-Identifier = '24a43c08fe80'
NAS-Port = 0
Called-Station-Id = '20-A4-3C-09-FE-80:TEST'
Calling-Station-Id = '70-3E-AC-5D-F0-08'
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = 'CONNECT 0Mbps 802.11b'
EAP-Message = 0x02b600060d00
State = 0x496f1c934bd911d0cb25530063a54d60
Message-Authenticator = 0x145d45b6eaa3bb1fbdfccbd08721ef5a
(9) Received Access-Request packet from host 10.10.2.164 port 50046, id=111, length=179
(9) User-Name = 'telsberry'
(9) NAS-IP-Address = 10.10.2.164
(9) NAS-Identifier = '24a43c08fe80'
(9) NAS-Port = 0
(9) Called-Station-Id = '20-A4-3C-09-FE-80:TEST'
(9) Calling-Station-Id = '70-3E-AC-5D-F0-08'
(9) Framed-MTU = 1400
(9) NAS-Port-Type = Wireless-802.11
(9) Connect-Info = 'CONNECT 0Mbps 802.11b'
(9) EAP-Message = 0x02b600060d00
(9) State = 0x496f1c934bd911d0cb25530063a54d60
(9) Message-Authenticator = 0x145d45b6eaa3bb1fbdfccbd08721ef5a
(9) # Executing section authorize from file /etc/raddb/sites-enabled/default
(9) authorize {
(9) filter_username filter_username {
(9) if (!&User-Name)
(9) if (!&User-Name) -> FALSE
(9) if (&User-Name =~ / /)
(9) if (&User-Name =~ / /) -> FALSE
(9) if (&User-Name =~ /@.*@/ )
(9) if (&User-Name =~ /@.*@/ ) -> FALSE
(9) if (&User-Name =~ /\\.\\./ )
(9) if (&User-Name =~ /\\.\\./ ) -> FALSE
(9) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/))
(9) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/)) -> FALSE
(9) if (&User-Name =~ /\\.$/)
(9) if (&User-Name =~ /\\.$/) -> FALSE
(9) if (&User-Name =~ /(a)\\./)
(9) if (&User-Name =~ /(a)\\./) -> FALSE
(9) } # filter_username filter_username = notfound
(9) [preprocess] = ok
(9) [chap] = noop
(9) [mschap] = noop
(9) [digest] = noop
(9) suffix : Checking for suffix after "@"
(9) suffix : No '@' in User-Name = "telsberry", looking up realm NULL
(9) suffix : No such realm "NULL"
(9) [suffix] = noop
(9) ntdomain : Checking for prefix before "\"
(9) ntdomain : No '\' in User-Name = "telsberry", looking up realm NULL
(9) ntdomain : No such realm "NULL"
(9) [ntdomain] = noop
(9) eap : Peer sent code Response (2) ID 182 length 6
(9) eap : No EAP Start, assuming it's an on-going EAP conversation
(9) [eap] = updated
(9) [files] = noop
(9) [expiration] = noop
(9) [logintime] = noop
(9) [pap] = noop
(9) } # authorize = updated
(9) Found Auth-Type = EAP
(9) # Executing group from file /etc/raddb/sites-enabled/default
(9) authenticate {
(9) eap : Expiring EAP session with state 0x496f1c934bd911d0
(9) eap : Finished EAP session with state 0x496f1c934bd911d0
(9) eap : Previous EAP request found for state 0x496f1c934bd911d0, released from the list
(9) eap : Peer sent method TLS (13)
(9) eap : EAP TLS (13)
(9) eap : Calling eap_tls to process EAP data
(9) eap_tls : Authenticate
(9) eap_tls : processing EAP-TLS
(9) eap_tls : Received TLS ACK
(9) eap_tls : Received TLS ACK
(9) eap_tls : ACK handshake fragment handler
(9) eap_tls : eaptls_verify returned 1
(9) eap_tls : eaptls_process returned 13
(9) eap : New EAP session, adding 'State' attribute to reply 0x496f1c934ad811d0
(9) [eap] = handled
(9) } # authenticate = handled
(9) Sending Access-Challenge packet to host 10.10.2.164 port 50046, id=111, length=0
(9) EAP-Message = 0x01b703ec0dc000000aba3d020af37f4d5ca6683ed1bb3c3f0126e81cbf4dca7685005045586f807a4afae217d51b520f606f936e43f1123b8f0004ab308204a73082038fa003020102020900a793227a08ee79ec300d06092a864886f70d0101050500308193310b3009060355040613025553311330110603550408130a43616c69666f726e6961311430120603550407130b4c616b6520466f72657374310c300a060355040a13035253443120301e06092a864886f70d010901161174656c736265727279407273642e6e657431293027060355040313205253442052414449555320436572746966696361746520417574686f72697479301e170d3133313031343231323430345a170d3430303331363231323430345a308193310b3009060355040613025553311330110603550408130a43616c69666f726e6961311430120603550407130b4c616b6520466f72657374310c300a060355040a13035253443120301e06092a864886f70d010901161174656c736265727279407273642e6e657431293027060355040313205253442052414449555320436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100e43eb98242ab168e7d82505a8e27744ba7bb5fe0b12b8926ed1867163d7626a748fe1eab67fd82
(9) Message-Authenticator = 0x00000000000000000000000000000000
(9) State = 0x496f1c934ad811d0cb25530063a54d60
Sending Access-Challenge Id 111 from 10.10.0.238:1812 to 10.10.2.164:50046
EAP-Message = 0x01b703ec0dc000000aba3d020af37f4d5ca6683ed1bb3c3f0126e81cbf4dca7685005045586f807a4afae217d51b520f606f936e43f1123b8f0004ab308204a73082038fa003020102020900a793227a08ee79ec300d06092a864886f70d0101050500308193310b3009060355040613025553311330110603550408130a43616c69666f726e6961311430120603550407130b4c616b6520466f72657374310c300a060355040a13035253443120301e06092a864886f70d010901161174656c736265727279407273642e6e657431293027060355040313205253442052414449555320436572746966696361746520417574686f72697479301e170d3133313031343231323430345a170d3430303331363231323430345a308193310b3009060355040613025553311330110603550408130a43616c69666f726e6961311430120603550407130b4c616b6520466f72657374310c300a060355040a13035253443120301e06092a864886f70d010901161174656c736265727279407273642e6e657431293027060355040313205253442052414449555320436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100e43eb98242ab168e7d82505a8e27744ba7bb5fe0b12b8926ed1867163d7626a748fe1eab67fd8
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x496f1c934ad811d0cb25530063a54d60
(9) Finished request
Waking up in 0.1 seconds.
Received Access-Request Id 112 from 10.10.2.164:50046 to 10.10.0.238:1812 length 179
User-Name = 'telsberry'
NAS-IP-Address = 10.10.2.164
NAS-Identifier = '24a43c08fe80'
NAS-Port = 0
Called-Station-Id = '20-A4-3C-09-FE-80:TEST'
Calling-Station-Id = '70-3E-AC-5D-F0-08'
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = 'CONNECT 0Mbps 802.11b'
EAP-Message = 0x02b700060d00
State = 0x496f1c934ad811d0cb25530063a54d60
Message-Authenticator = 0xafbed7e2c8772e0c8c2b6969bcee3283
(10) Received Access-Request packet from host 10.10.2.164 port 50046, id=112, length=179
(10) User-Name = 'telsberry'
(10) NAS-IP-Address = 10.10.2.164
(10) NAS-Identifier = '24a43c08fe80'
(10) NAS-Port = 0
(10) Called-Station-Id = '20-A4-3C-09-FE-80:TEST'
(10) Calling-Station-Id = '70-3E-AC-5D-F0-08'
(10) Framed-MTU = 1400
(10) NAS-Port-Type = Wireless-802.11
(10) Connect-Info = 'CONNECT 0Mbps 802.11b'
(10) EAP-Message = 0x02b700060d00
(10) State = 0x496f1c934ad811d0cb25530063a54d60
(10) Message-Authenticator = 0xafbed7e2c8772e0c8c2b6969bcee3283
(10) # Executing section authorize from file /etc/raddb/sites-enabled/default
(10) authorize {
(10) filter_username filter_username {
(10) if (!&User-Name)
(10) if (!&User-Name) -> FALSE
(10) if (&User-Name =~ / /)
(10) if (&User-Name =~ / /) -> FALSE
(10) if (&User-Name =~ /@.*@/ )
(10) if (&User-Name =~ /@.*@/ ) -> FALSE
(10) if (&User-Name =~ /\\.\\./ )
(10) if (&User-Name =~ /\\.\\./ ) -> FALSE
(10) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/))
(10) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/)) -> FALSE
(10) if (&User-Name =~ /\\.$/)
(10) if (&User-Name =~ /\\.$/) -> FALSE
(10) if (&User-Name =~ /(a)\\./)
(10) if (&User-Name =~ /(a)\\./) -> FALSE
(10) } # filter_username filter_username = notfound
(10) [preprocess] = ok
(10) [chap] = noop
(10) [mschap] = noop
(10) [digest] = noop
(10) suffix : Checking for suffix after "@"
(10) suffix : No '@' in User-Name = "telsberry", looking up realm NULL
(10) suffix : No such realm "NULL"
(10) [suffix] = noop
(10) ntdomain : Checking for prefix before "\"
(10) ntdomain : No '\' in User-Name = "telsberry", looking up realm NULL
(10) ntdomain : No such realm "NULL"
(10) [ntdomain] = noop
(10) eap : Peer sent code Response (2) ID 183 length 6
(10) eap : No EAP Start, assuming it's an on-going EAP conversation
(10) [eap] = updated
(10) [files] = noop
(10) [expiration] = noop
(10) [logintime] = noop
(10) [pap] = noop
(10) } # authorize = updated
(10) Found Auth-Type = EAP
(10) # Executing group from file /etc/raddb/sites-enabled/default
(10) authenticate {
(10) eap : Expiring EAP session with state 0x496f1c934ad811d0
(10) eap : Finished EAP session with state 0x496f1c934ad811d0
(10) eap : Previous EAP request found for state 0x496f1c934ad811d0, released from the list
(10) eap : Peer sent method TLS (13)
(10) eap : EAP TLS (13)
(10) eap : Calling eap_tls to process EAP data
(10) eap_tls : Authenticate
(10) eap_tls : processing EAP-TLS
(10) eap_tls : Received TLS ACK
(10) eap_tls : Received TLS ACK
(10) eap_tls : ACK handshake fragment handler
(10) eap_tls : eaptls_verify returned 1
(10) eap_tls : eaptls_process returned 13
(10) eap : New EAP session, adding 'State' attribute to reply 0x496f1c934dd711d0
(10) [eap] = handled
(10) } # authenticate = handled
(10) Sending Access-Challenge packet to host 10.10.2.164 port 50046, id=112, length=0
(10) EAP-Message = 0x01b803000d8000000aba57cffcd6a6e267773915e7f022918d87964b4e86868ffa7591f71fbab5286049316c8d7073ea5adbf3c6906964d21f07b7052d41b86ae3f55e0708864a12e874d436f993b3ac1be6258aaa41f5af26b93b9feb744ca9b3920c3c177703388abcfbc89202f0bc22c65f8efa13292881e1839df045c53e73eeb2e5eb51454e5d95df924b25c9d854d18bb3e297454430f4fa6d6dc5023e6b8710567b6f0560576818ffd6641065e02937dc7c0efa5b82f98f475d907d54eb73065217c5bc00e733a6c98c81159e55de1b1a833d5ddb5291d40b6a87376b130be2b1cd25522cad7a675e85b0c30dd84b13a0dcee44e39ed95be27daf75626172ef2d5a160301014b0c000147030017410477eb6ee541e20125c5bf56e361d9d976353033a965436e6a02c7a30a428f83d53751abadebe6e3e7479a08568b4d5eabef8e9bd8453eafdf1d1d4ed6f4333b2601005ffd822d10df944a4af656d9df0c52e96838cc722aa8856847b1bc815bf9f0db28925b2c4cd290084f31665cf88fdbb01917d8e6e06647a2b32ee3c3cb3dd359b857478a2b4e8cfb703e3b3b4cbb6c8357c42addca951a2dd6df116ef891f2b309fb83b68f47c96076cb8231767904099477fbb17801902b578ccf0b6090572436e9f6a201bd66a7780bc627192f9e82b74353fc158a635c20d9913e3ef512c4b3c5
(10) Message-Authenticator = 0x00000000000000000000000000000000
(10) State = 0x496f1c934dd711d0cb25530063a54d60
Sending Access-Challenge Id 112 from 10.10.0.238:1812 to 10.10.2.164:50046
EAP-Message = 0x01b803000d8000000aba57cffcd6a6e267773915e7f022918d87964b4e86868ffa7591f71fbab5286049316c8d7073ea5adbf3c6906964d21f07b7052d41b86ae3f55e0708864a12e874d436f993b3ac1be6258aaa41f5af26b93b9feb744ca9b3920c3c177703388abcfbc89202f0bc22c65f8efa13292881e1839df045c53e73eeb2e5eb51454e5d95df924b25c9d854d18bb3e297454430f4fa6d6dc5023e6b8710567b6f0560576818ffd6641065e02937dc7c0efa5b82f98f475d907d54eb73065217c5bc00e733a6c98c81159e55de1b1a833d5ddb5291d40b6a87376b130be2b1cd25522cad7a675e85b0c30dd84b13a0dcee44e39ed95be27daf75626172ef2d5a160301014b0c000147030017410477eb6ee541e20125c5bf56e361d9d976353033a965436e6a02c7a30a428f83d53751abadebe6e3e7479a08568b4d5eabef8e9bd8453eafdf1d1d4ed6f4333b2601005ffd822d10df944a4af656d9df0c52e96838cc722aa8856847b1bc815bf9f0db28925b2c4cd290084f31665cf88fdbb01917d8e6e06647a2b32ee3c3cb3dd359b857478a2b4e8cfb703e3b3b4cbb6c8357c42addca951a2dd6df116ef891f2b309fb83b68f47c96076cb8231767904099477fbb17801902b578ccf0b6090572436e9f6a201bd66a7780bc627192f9e82b74353fc158a635c20d9913e3ef512c4b3c
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x496f1c934dd711d0cb25530063a54d60
(10) Finished request
Waking up in 0.1 seconds.
Received Access-Request Id 113 from 10.10.2.164:50046 to 10.10.0.238:1812 length 190
User-Name = 'telsberry'
NAS-IP-Address = 10.10.2.164
NAS-Identifier = '24a43c08fe80'
NAS-Port = 0
Called-Station-Id = '20-A4-3C-09-FE-80:TEST'
Calling-Station-Id = '70-3E-AC-5D-F0-08'
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = 'CONNECT 0Mbps 802.11b'
EAP-Message = 0x02b800110d800000000715030100020100
State = 0x496f1c934dd711d0cb25530063a54d60
Message-Authenticator = 0x876249358ed2813eb58000dda097472f
(11) Received Access-Request packet from host 10.10.2.164 port 50046, id=113, length=190
(11) User-Name = 'telsberry'
(11) NAS-IP-Address = 10.10.2.164
(11) NAS-Identifier = '24a43c08fe80'
(11) NAS-Port = 0
(11) Called-Station-Id = '20-A4-3C-09-FE-80:TEST'
(11) Calling-Station-Id = '70-3E-AC-5D-F0-08'
(11) Framed-MTU = 1400
(11) NAS-Port-Type = Wireless-802.11
(11) Connect-Info = 'CONNECT 0Mbps 802.11b'
(11) EAP-Message = 0x02b800110d800000000715030100020100
(11) State = 0x496f1c934dd711d0cb25530063a54d60
(11) Message-Authenticator = 0x876249358ed2813eb58000dda097472f
(11) # Executing section authorize from file /etc/raddb/sites-enabled/default
(11) authorize {
(11) filter_username filter_username {
(11) if (!&User-Name)
(11) if (!&User-Name) -> FALSE
(11) if (&User-Name =~ / /)
(11) if (&User-Name =~ / /) -> FALSE
(11) if (&User-Name =~ /@.*@/ )
(11) if (&User-Name =~ /@.*@/ ) -> FALSE
(11) if (&User-Name =~ /\\.\\./ )
(11) if (&User-Name =~ /\\.\\./ ) -> FALSE
(11) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/))
(11) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\\.(.+)$/)) -> FALSE
(11) if (&User-Name =~ /\\.$/)
(11) if (&User-Name =~ /\\.$/) -> FALSE
(11) if (&User-Name =~ /(a)\\./)
(11) if (&User-Name =~ /(a)\\./) -> FALSE
(11) } # filter_username filter_username = notfound
(11) [preprocess] = ok
(11) [chap] = noop
(11) [mschap] = noop
(11) [digest] = noop
(11) suffix : Checking for suffix after "@"
(11) suffix : No '@' in User-Name = "telsberry", looking up realm NULL
(11) suffix : No such realm "NULL"
(11) [suffix] = noop
(11) ntdomain : Checking for prefix before "\"
(11) ntdomain : No '\' in User-Name = "telsberry", looking up realm NULL
(11) ntdomain : No such realm "NULL"
(11) [ntdomain] = noop
(11) eap : Peer sent code Response (2) ID 184 length 17
(11) eap : No EAP Start, assuming it's an on-going EAP conversation
(11) [eap] = updated
(11) [files] = noop
(11) [expiration] = noop
(11) [logintime] = noop
(11) [pap] = noop
(11) } # authorize = updated
(11) Found Auth-Type = EAP
(11) # Executing group from file /etc/raddb/sites-enabled/default
(11) authenticate {
(11) eap : Expiring EAP session with state 0x496f1c934dd711d0
(11) eap : Finished EAP session with state 0x496f1c934dd711d0
(11) eap : Previous EAP request found for state 0x496f1c934dd711d0, released from the list
(11) eap : Peer sent method TLS (13)
(11) eap : EAP TLS (13)
(11) eap : Calling eap_tls to process EAP data
(11) eap_tls : Authenticate
(11) eap_tls : processing EAP-TLS
TLS Length 7
(11) eap_tls : Length Included
(11) eap_tls : eaptls_verify returned 11
(11) eap_tls : <<< TLS 1.0 Alert [length 0002], warning close_notify
(11) ERROR: eap_tls : TLS_accept: Failed in SSLv3 read client certificate A
(11) ERROR: eap_tls : SSL says: error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
SSL: SSL_read failed in a system call (-1), TLS session fails.
TLS receive handshake failed during operation
(11) eap_tls : eaptls_process returned 4
(11) ERROR: eap : Failed continuing EAP TLS (13) session. EAP sub-module failed
(11) eap : Failed in EAP select
(11) [eap] = invalid
(11) } # authenticate = invalid
(11) Failed to authenticate the user
(11) Using Post-Auth-Type Reject
(11) # Executing group from file /etc/raddb/sites-enabled/default
(11) Post-Auth-Type REJECT {
(11) attr_filter.access_reject : EXPAND %{User-Name}
(11) attr_filter.access_reject : --> telsberry
(11) attr_filter.access_reject : Matched entry DEFAULT at line 11
(11) [attr_filter.access_reject] = updated
(11) eap : Reply already contained an EAP-Message, not inserting EAP-Failure
(11) [eap] = noop
(11) remove_reply_message_if_eap remove_reply_message_if_eap {
(11) if (&reply:EAP-Message && &reply:Reply-Message)
(11) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(11) else else {
(11) [noop] = noop
(11) } # else else = noop
(11) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop
(11) } # Post-Auth-Type REJECT = updated
(11) Delaying response for 1 seconds
Waking up in 0.1 seconds.
(5) Sending delayed response
(5) Sending Access-Reject packet to host 10.10.2.164 port 50046, id=107, length=0
(5) EAP-Message = 0x04ad0004
(5) Message-Authenticator = 0x00000000000000000000000000000000
Sending Access-Reject Id 107 from 10.10.0.238:1812 to 10.10.2.164:50046
EAP-Message = 0x04ad0004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 0.6 seconds.
(11) Sending delayed response
(11) Sending Access-Reject packet to host 10.10.2.164 port 50046, id=113, length=0
(11) EAP-Message = 0x04b80004
(11) Message-Authenticator = 0x00000000000000000000000000000000
Sending Access-Reject Id 113 from 10.10.0.238:1812 to 10.10.2.164:50046
EAP-Message = 0x04b80004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 2.8 seconds.
(0) Cleaning up request packet ID 102 with timestamp +10
(1) Cleaning up request packet ID 103 with timestamp +10
(2) Cleaning up request packet ID 104 with timestamp +10
(3) Cleaning up request packet ID 105 with timestamp +10
(4) Cleaning up request packet ID 106 with timestamp +10
Waking up in 0.1 seconds.
(5) Cleaning up request packet ID 107 with timestamp +10
Waking up in 0.4 seconds.
(6) Cleaning up request packet ID 108 with timestamp +11
Waking up in 0.1 seconds.
(7) Cleaning up request packet ID 109 with timestamp +11
(8) Cleaning up request packet ID 110 with timestamp +11
(9) Cleaning up request packet ID 111 with timestamp +11
(10) Cleaning up request packet ID 112 with timestamp +11
(11) Cleaning up request packet ID 113 with timestamp +11
Ready to process requests
2
1
RE: EAP-TLS and LDAP with Windows Server 2012R2 Native Functional Level
by tj2718ï¼ aol.com 04 Nov '16
by tj2718ï¼ aol.com 04 Nov '16
04 Nov '16
> On Tue, Oct 25, 2016 at 08:15:11PM -0400, Travis via Freeradius-Users wrote:
> > > I was bitten by that too. Try changing it to:
>
> Personally (and what I do here) I would use the check-eap-tls virtual server
> so you can check the actual contents of the certificate with LDAP, rather than
> relying on the contents of the User-Name attribute. Which a clients could
> easily spoof, but they can't spoof the certificate subject.
Many thanks Matthew! I didn't know there even was a check-eap-tls virtual
server that I could use. Once I created a soft link and configured that I started getting
more of what I was expecting to see.
>
> For plain users, just call "ldap" in the inner tunnel as usual.
> Possibly wrapped around with a if EAP-Type == PEAP so it doesn't get called
> for hosts (check-eap-tls won't get called for PEAP as there is no client
> certificate, so you don't need that the other way around).
>
> But essentially - look at the LDAP lookups that FreeRADIUS is doing, and then
> go update the configuration so it does the right lookups with the data it has
> available.
I had to do some minor tweaks to my sites-enabled\default config with some
if statements:
if (&User-Name == "host/%{TLS-Client-Cert-Common-Name}") {
noop
}
elsif (!(&Ldap-Group == "CN=WiFi,OU=RSD Groups,DC=rsdtc,DC=com")) {
reject
}
but now all the tablets with certificates are working along with users in a LDAP-Group.
Thank you to everyone who responded with their insight and guidance.
Now on to my next post regarding iPhones with certificates doing EAP-TLS failing.
Travis
1
0
Hi,
Sometimes I do some networking downtimes and during these periods I'm
getting pretty much stale sessions in radwho output. I understand why it
happens, but all I want to do is to clear them automatically, when user
logs in.
So what I've done is added this line:
*exec("/usr/bin/radzap", "-u", $ARGV[3], "127.0.0.1", "secret");*
to this part of checkrad code for mikrotik sub.
#lets return something
if ($username_seen > 0) {
return 1;
} else {
exec("/usr/bin/radzap", "-u", $ARGV[3], "127.0.0.1", "secret");
return 0;
}
}
If I understand it right, this code works like:
if there is a username logged in on NAS, then we return 1, which means
error, I guess?
if there are none, we return 0, which is OK I guess? So I just want to
clear (if there any) the stale session for user, if he's not logged in on
NAS, but for some reason has stale session on freeradius server (visible in
radwho)
But.. nothing happens. If I execute the command from the shell, it works..
So as I'm not a programmer, I think, that I must be added this line to the
wrong place of radcheck script. Any help?
--
Best regards,
Roman.
4
13
Is it possible to jump out of a policy.d function, without exiting the
whole request?
For example, suppose I have policy.d/foo which contains
foo {
if (..some complex condition..) {
...
if (..another condition..) {
...
ok
/* I WANT TO RETURN FROM HERE */
}
...
... more logic
...
reject
}
}
At the place given, I want to finish processing the 'foo' policy and
continue.
However if I use "return", it terminates the whole enclosing authorize
section:
authorize {
...
foo
bar # "bar" is not executed if "foo" says "return"
}
I can possibly write the policy I want entirely as carefully written if
... elsif ... elsif ... sections, but it would give me some more options
for writing it clearly if there were a way for the policy to return. I
just haven't been able to work out how to do that.
Thanks,
Brian.
2
1
Hi experts,
I'm running a Radius 3.0.10, the config it's working fine, I just ask for advice to do one step in a faster way.
I've declared multiple LDAP instances "vlan1,vlan2....vlanN" in /etc/raddb/mods-enabled/ldap .
Each one queries just the ldap subtree assigned to a particular vlan.
Each vlan subtree contains it's allowed mac's (uid=mac)
Each mac (uid) has all needed radius attributes for the radius accept packet, that are populated from ldap.
Actually, all ldap instancies are asked for every "uid=mac" in order sequence, so if there's a match, the attributes are updated from the ldap.
Unfortunately , If one "mac" matches two ldap instances (ex: vlan1 & vlan2), the last matched instance(vlan2) overwrites the previous populated attributes(vlan1).
My goal is somehow to stop ldap executing the next instances(vlan2,vlan3...N) if the actual one(vlan 1) got the jackpot, to avoid so many ldap queries.
Right now I'm forced to use a inverse priority ( the last match got the jackpot), that is not the right solution.
Any clues, or advice?
/etc/raddb/sites-available/default
(...)
authorize {
filter_username
preprocess
chap
mschap
digest
suffix
eap {
ok = return
}
#ldap instance asking for mac in vlan1
vlan1 {
ok = return
#noop = return
}
#ldap instance asking for mac in vlan2
vlan2 {
ok = return
}
(...)
#ldap instance asking for mac in vlanN
vlanN {
ok = return
}
files
expiration
logintime
}
(....)
2
6