Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
- 10 participants
- 27050 discussions
16 Jan '26
Hi FreeRADIUS:
I've compiled/installed FreeRADIUS 3.2.8 on Ubuntu 24.04 (Linux 6.8.0
and OpenSSL 3.0.13), and it gives the attached "MS-CHAP2 Response is
incorrect" error during inner tunnel negotiation in Phase 0 (PAC file
creation) of EAP-FAST. Upgrading the Linux kernel to 6.16 and OpenSSL
3.0.16 gives the same result. Compiling the latest FreeRADIUS 3.2.x
branch head (3.2.9 dev) as of a few days ago also gives the same
result.
Note that EAP-PEAP/MSCHAPV2 works fine (log also attached) on the
identical supplicant / authenticator / authentication server platform.
The supplicant is also on a Ubuntu 24.04 platform (OpenSSL 3.0.13),
running the latest snapshot of wpa_supplicant, and TLS 1.3 has been
confirmed working with EAP-PEAP when tls_max is set to 1.3 in
FreeRADIUS on the authentication server.
Supplicant version:
dbland@NUC13-Linux2:~$ wpa_supplicant -v
wpa_supplicant v2.12-devel-20251221-hostap_2_11-1307-g3ea5c0df5+
Copyright (c) 2003-2024, Jouni Malinen <j(a)w1.fi> and contributors
dbland@NUC13-Linux2:~$
Supplicant EAP-FAST configuration:
network={
ssid="asus6e_5"
proto=RSN
key_mgmt=WPA-EAP
bgscan="simple:5:-70:60"
eap=FAST
identity="bob_loblaw"
anonymous_identity="FAST-123456789012"
password="password"
phase1="fast_provisioning=1"
phase2="auth=MSCHAPV2"
pac_file="/home/dbland/certs_nuc13/bob_loblaw.pac"
}
Background: Recent Ubuntu versions have forcibly disabled TLS 1.0 and
TLS 1.1, and EAP-FAST support with TLS 1.2 was first introduced in
FreeRADIUS 3.2.8. However, the FreeRADIUS package version bundled
with Ubuntu 24.04 is version 3.2.5, and version 3.2.7 with Ubuntu
25.10. This unfortunately leaves a gap in EAP-FAST support. Until a
newer FreeRADIUS package is available on Ubuntu, compiling the 3.2.8
source seems to be the only option in order to support BOTH TLS 1.3
with EAP-PEAP and TLS 1.2 with EAP-FAST.
Any further troubleshooting suggestions? From reading the mailing
list archives, I've seen this EAP-FAST issue pop up a few times in the
past on earlier 3.0.x versions, but with no resolution.
Best regards,
Dennis Bland
2
7
Dear,
Freeradius Team
I need your support in order to help me to achieve the challenge.
I am trying to run more then 30000 sessions but every time I run the sessions I am reaching the 28232.
Do you know maybe where it can be issue?
Thanks,
Filip
2
3
Hi,
In FR 3.0, in the NAS network link interruptions, I receive the error
*"rlm_sql (sql): Cannot open new connection, already at max"*.
What should I pay attention to when increasing the *max_requests*
value?
Is increasing this value sufficient, or are there any parameters in
the SQL pool settings that I also need to increase?
Regards
2
5
14 Jan '26
Hi,
I would like to get your input on a structural change we are planning.
In our current setup, we have 8 RADIUS instances handling both Authentication (Auth) and Accounting (Acct) on the same server, utilizing PostgreSQL as the storage backend. We are planning to migrate to a scenario where we decouple these responsibilities into dedicated RADIUS instances for Auth and Acct.
Currently, we store only the latest sessions in RadAcct to support functions like simultaneous-use. The rest of the accounting data is generally forwarded through RADIUS to a Kafka server.
My goal is to eliminate SQL from the accounting process entirely. Ideally, I want to forward incoming accounting packets directly to Kafka and immediately return a response. I can find a workaround for maintaining session states without writing them to SQL, but I am stuck on how to manage IP pool (ippool) operations efficiently.
It seems there might be no way to avoid using a database for IP management, and it might not even be logical to do so, but I wanted to hear your perspective on this.
Looking forward to your thoughts.
Best regards,
3
2
Authentication with rlm_python module failes for iphone, works for android, windows, linux
by The2nd 13 Jan '26
by The2nd 13 Jan '26
13 Jan '26
Hello list,
i hope this is the right list for this question.
I've written a python module to be used with freeradius and it works for
wlan authentication (mschapv2) with windows, linux and android devices.
But it fails with iphone/ios. With iOS is see the request in my python
module and it authenticates against my server successfully but the
iPhone always tells me "Unable to join the network <ssid>".
My python module can be found here:
https://github.com/the2nd/otpme/blob/main/otpme/lib/freeradius/otpme.py
As it works with linux, windows and android i think its not completely
wrong.
Debug log of a successful authentication with my android device:
FreeRADIUS Version 3.2.6
Copyright (C) 1999-2023 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including configuration file /var/run/otpme/freeradius/radiusd.conf
including configuration file /var/run/otpme/freeradius/clients.conf
main {
security {
user = "otpme"
group = "otpme"
allow_core_dumps = no
}
name = "freeradius"
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/otpme"
run_dir = "/var/run/otpme"
}
main {
name = "freeradius"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log/otpme"
run_dir = "/var/run/otpme"
libdir = "/usr/lib"
radacctdir = "/var/log/otpme/radacct"
hostname_lookups = no
max_request_time = 30
proxy_dedup_window = 1
cleanup_delay = 5
max_requests = 16384
max_fds = 512
postauth_client_lost = no
pidfile = "/var/run/otpme/pidfiles/freeradius.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = no
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
colourise = yes
msg_denied = "You are already logged in - access denied"
}
resources {
}
security {
max_attributes = 200
reject_delay = 1.000000
status_server = yes
require_message_authenticator = "auto"
limit_proxy_state = "auto"
}
}
radiusd: #### Loading Realms and Home Servers ####
radiusd: #### Loading Clients ####
Debugger not attached
# Creating Auth-Type = python_otpme
# Creating Auth-Type = EAP
# Creating Auth-Type = MS-CHAP
radiusd: #### Instantiating modules ####
modules {
# Loaded module rlm_mschap
# Loading module "mschap" from file
/var/run/otpme/freeradius/radiusd.conf
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
passchange {
}
allow_retry = yes
winbind_retry_with_normalised_username = no
}
# Loaded module rlm_eap
# Loading module "eap" from file /var/run/otpme/freeradius/radiusd.conf
eap {
default_eap_type = "mschapv2"
timer_expire = 60
max_eap_type = 52
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 16384
dedup_key = ""
}
# Loading module "mschap_otp" from file
/var/run/otpme/freeradius/radiusd.conf
mschap mschap_otp {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
ntlm_auth = "/usr/local/bin/otpme-auth verify_mschap --socket
'%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}'
'%{%{mschap_otp:Challenge}:-00}' '%{%{mschap_otp:NT-Response}:-00}'
'%{NAS-Identifier}' '%{Client-IP-Address}'"
passchange {
}
allow_retry = yes
winbind_retry_with_normalised_username = no
}
# Loaded module rlm_python3
# Loading module "python_otpme" from file
/var/run/otpme/freeradius/radiusd.conf
python3 python_otpme {
mod_instantiate = "otpme.lib.freeradius.otpme"
func_instantiate = "instantiate"
mod_authorize = "otpme.lib.freeradius.otpme"
func_authorize = "authorize"
mod_authenticate = "otpme.lib.freeradius.otpme"
func_authenticate = "authenticate"
python_path =
"/var/run/otpme/freeradius/mods-config/python3:/opt/otpme/lib/python3.11/site-packages"
cext_compat = yes
pass_all_vps = no
pass_all_vps_dict = no
}
# Instantiating module "mschap" from file
/var/run/otpme/freeradius/radiusd.conf
rlm_mschap (mschap): using internal authentication
# Instantiating module "eap" from file
/var/run/otpme/freeradius/radiusd.conf
# Linked to sub-module rlm_eap_md5
rlm_eap (EAP): Ignoring EAP method 'leap', because it is no longer supported
# Linked to sub-module rlm_eap_tls
tls {
tls = "tls-common"
}
tls-config tls-common {
verify_depth = 0
pem_file_type = yes
private_key_file = "/var/run/otpme/freeradius/key.pem"
certificate_file = "/var/run/otpme/freeradius/cert.pem"
ca_file = "/var/run/otpme/freeradius/ca.pem"
fragment_size = 1024
include_length = yes
auto_chain = yes
check_crl = no
check_all_crl = no
ca_path_reload_interval = 0
cipher_list = "DEFAULT"
cipher_server_preference = no
reject_unknown_intermediate_ca = no
ecdh_curve = "prime256v1"
disable_tlsv1 = yes
disable_tlsv1_1 = yes
tls_max_version = "1.2"
tls_min_version = "1.2"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
skip_if_ocsp_ok = no
}
ocsp {
enable = no
override_cert_url = no
use_nonce = yes
timeout = 0
softfail = no
}
}
tls: Please use 'tls_min_version' and 'tls_max_version' instead of
'disable_tlsv1'
tls: Please use 'tls_min_version' and 'tls_max_version' instead of
'disable_tlsv1_1'
# Linked to sub-module rlm_eap_ttls
ttls {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
virtual_server = "otpme"
include_length = yes
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_peap
peap {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
proxy_tunneled_request_as_eap = yes
virtual_server = "otpme"
soh = no
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
# Instantiating module "mschap_otp" from file
/var/run/otpme/freeradius/radiusd.conf
rlm_mschap (mschap_otp): authenticating by calling 'ntlm_auth'
# Instantiating module "python_otpme" from file
/var/run/otpme/freeradius/radiusd.conf
Python version: 3.11.13 (main, Jul 3 2025, 11:31:00) [GCC 12.2.1 20230428]
otpme.py: OTPme config verfied successful.
otpme.py: Instantiated OTPme module.
} # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /var/run/otpme/freeradius/radiusd.conf
} # server
server otpme { # from file /var/run/otpme/freeradius/radiusd.conf
# Loading authenticate {...}
Compiling Auth-Type EAP for attr Auth-Type
Compiling Auth-Type MS-CHAP for attr Auth-Type
# Loading authorize {...}
} # server otpme
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 1812
client 10.219.195.225 {
ipv4addr = 10.219.195.225
secret = <<< secret >>>
shortname = "ap01-hbap-1"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 10.219.195.223 {
ipv4addr = 10.219.195.223
secret = <<< secret >>>
shortname = "cloudix-nextcloud-1"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 127.0.0.1 {
ipv4addr = 127.0.0.1
secret = <<< secret >>>
shortname = "localhost-1"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 10.219.195.100 {
ipv4addr = 10.219.195.100
secret = <<< secret >>>
shortname = "sharewatcher-1"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 10.219.195.254 {
ipv4addr = 10.219.195.254
secret = <<< secret >>>
shortname = "smtp-1"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
}
Listening on auth address * port 1812 bound to server otpme
Ready to process requests
(0) Received Access-Request Id 162 from 10.219.195.225:38276 to
10.219.195.1:1812 length 204
(0) User-Name = "anonymous"
(0) NAS-Identifier = "ap01-hbap"
(0) Called-Station-Id = "B4-4B-D6-26-BA-86:hboss"
(0) NAS-Port-Type = Wireless-802.11
(0) Service-Type = Framed-User
(0) NAS-Port = 1
(0) Calling-Station-Id = "42-33-75-43-BE-2D"
(0) Connect-Info = "CONNECT 54Mbps 802.11a"
(0) Acct-Session-Id = "BF0C189E956F9999"
(0) WLAN-Pairwise-Cipher = 1027076
(0) WLAN-Group-Cipher = 1027076
(0) WLAN-AKM-Suite = 1027073
(0) Framed-MTU = 1400
(0) EAP-Message = 0x0277000e01616e6f6e796d6f7573
(0) Message-Authenticator = 0xe8db3a835195304aa1c2e8655f6cea44
(0) # Executing section authorize from file
/var/run/otpme/freeradius/radiusd.conf
(0) authorize {
(0) eap: Peer sent EAP Response (code 2) ID 119 length 14
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(0) [eap] = ok
(0) if (!control:Auth-Type) {
(0) if (!control:Auth-Type) -> FALSE
(0) } # authorize = ok
(0) Found Auth-Type = EAP
(0) # Executing group from file /var/run/otpme/freeradius/radiusd.conf
(0) Auth-Type EAP {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_mschapv2 to process data
(0) eap_mschapv2: Issuing Challenge
(0) eap: Sending EAP Request (code 1) ID 120 length 42
(0) eap: EAP session adding &reply:State = 0x64b8ac1d64c0b641
(0) [eap] = handled
(0) } # Auth-Type EAP = handled
(0) Using Post-Auth-Type Challenge
(0) Post-Auth-Type sub-section not found. Ignoring.
(0) Sent Access-Challenge Id 162 from 10.219.195.1:1812 to
10.219.195.225:38276 length 100
(0) EAP-Message =
0x0178002a1a0178002510784b2270bd2bafab1ed5f5a37c9ae5e8667265657261646975732d332e322e36
(0) Message-Authenticator = 0x00000000000000000000000000000000
(0) State = 0x64b8ac1d64c0b641aa9dae41afb34712
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 163 from 10.219.195.225:38276 to
10.219.195.1:1812 length 214
(1) User-Name = "anonymous"
(1) NAS-Identifier = "ap01-hbap"
(1) Called-Station-Id = "B4-4B-D6-26-BA-86:hboss"
(1) NAS-Port-Type = Wireless-802.11
(1) Service-Type = Framed-User
(1) NAS-Port = 1
(1) Calling-Station-Id = "42-33-75-43-BE-2D"
(1) Connect-Info = "CONNECT 54Mbps 802.11a"
(1) Acct-Session-Id = "BF0C189E956F9999"
(1) WLAN-Pairwise-Cipher = 1027076
(1) WLAN-Group-Cipher = 1027076
(1) WLAN-AKM-Suite = 1027073
(1) Framed-MTU = 1400
(1) EAP-Message = 0x027800060319
(1) State = 0x64b8ac1d64c0b641aa9dae41afb34712
(1) Message-Authenticator = 0x2bd3281b58e070552d01366780334918
(1) session-state: No cached attributes
(1) # Executing section authorize from file
/var/run/otpme/freeradius/radiusd.conf
(1) authorize {
(1) eap: Peer sent EAP Response (code 2) ID 120 length 6
(1) eap: No EAP Start, assuming it's an on-going EAP conversation
(1) [eap] = updated
(1) if (!control:Auth-Type) {
(1) if (!control:Auth-Type) -> FALSE
(1) } # authorize = updated
(1) Found Auth-Type = EAP
(1) # Executing group from file /var/run/otpme/freeradius/radiusd.conf
(1) Auth-Type EAP {
(1) eap: Removing EAP session with state 0x64b8ac1d64c0b641
(1) eap: Previous EAP request found for state 0x64b8ac1d64c0b641,
released from the list
(1) eap: Peer sent packet with method EAP NAK (3)
(1) eap: Found mutually acceptable type PEAP (25)
(1) eap: Calling submodule eap_peap to process data
(1) eap_peap: (TLS) PEAP -Initiating new session
(1) eap: Sending EAP Request (code 1) ID 121 length 6
(1) eap: EAP session adding &reply:State = 0x64b8ac1d65c1b541
(1) [eap] = handled
(1) } # Auth-Type EAP = handled
(1) Using Post-Auth-Type Challenge
(1) Post-Auth-Type sub-section not found. Ignoring.
(1) session-state: Saving cached attributes
(1) Framed-MTU = 994
(1) Sent Access-Challenge Id 163 from 10.219.195.1:1812 to
10.219.195.225:38276 length 64
(1) EAP-Message = 0x017900061920
(1) Message-Authenticator = 0x00000000000000000000000000000000
(1) State = 0x64b8ac1d65c1b541aa9dae41afb34712
(1) Finished request
Waking up in 4.9 seconds.
(2) Received Access-Request Id 164 from 10.219.195.225:38276 to
10.219.195.1:1812 length 446
(2) User-Name = "anonymous"
(2) NAS-Identifier = "ap01-hbap"
(2) Called-Station-Id = "B4-4B-D6-26-BA-86:hboss"
(2) NAS-Port-Type = Wireless-802.11
(2) Service-Type = Framed-User
(2) NAS-Port = 1
(2) Calling-Station-Id = "42-33-75-43-BE-2D"
(2) Connect-Info = "CONNECT 54Mbps 802.11a"
(2) Acct-Session-Id = "BF0C189E956F9999"
(2) WLAN-Pairwise-Cipher = 1027076
(2) WLAN-Group-Cipher = 1027076
(2) WLAN-AKM-Suite = 1027073
(2) Framed-MTU = 1400
(2) EAP-Message =
0x027900ee1980000000e416030100df010000db0303204b82994ddeede4b1efd09220705397da7cefa712c268070e9c45dd100931cd20e74544c9e44528171eb11e711a721ac7bce002642c974be41e1cbc3625b7f02d0022130113021303c02bc02fc02cc030cca9cca8c009c013c00ac014009c009d002f00350100007000170000ff01000100000a00080006001d00170018000b00020100000d00140012040308040401050308050501080606010201003300260024001d002032c7b45122c64b455fb50da767a2cc4ce59b726e3cd9bd403abba61c883ac722002d00020101002b0009080304030303020301
(2) State = 0x64b8ac1d65c1b541aa9dae41afb34712
(2) Message-Authenticator = 0xcc735b6b3bf60fe0d35655caee8b130a
(2) Restoring &session-state
(2) &session-state:Framed-MTU = 994
(2) # Executing section authorize from file
/var/run/otpme/freeradius/radiusd.conf
(2) authorize {
(2) eap: Peer sent EAP Response (code 2) ID 121 length 238
(2) eap: Continuing tunnel setup
(2) [eap] = ok
(2) if (!control:Auth-Type) {
(2) if (!control:Auth-Type) -> FALSE
(2) } # authorize = ok
(2) Found Auth-Type = EAP
(2) # Executing group from file /var/run/otpme/freeradius/radiusd.conf
(2) Auth-Type EAP {
(2) eap: Removing EAP session with state 0x64b8ac1d65c1b541
(2) eap: Previous EAP request found for state 0x64b8ac1d65c1b541,
released from the list
(2) eap: Peer sent packet with method EAP PEAP (25)
(2) eap: Calling submodule eap_peap to process data
(2) eap_peap: (TLS) EAP Peer says that the final record size will be 228
bytes
(2) eap_peap: (TLS) EAP Got all data (228 bytes)
(2) eap_peap: (TLS) PEAP - Handshake state - before SSL initialization
(2) eap_peap: (TLS) PEAP - Handshake state - Server before SSL
initialization
(2) eap_peap: (TLS) PEAP - Handshake state - Server before SSL
initialization
(2) eap_peap: (TLS) PEAP - recv TLS 1.3 Handshake, ClientHello
(2) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS read
client hello
(2) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, ServerHello
(2) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write
server hello
(2) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, Certificate
(2) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write
certificate
(2) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange
(2) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write key
exchange
(2) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone
(2) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write
server done
(2) eap_peap: (TLS) PEAP - Server : Need to read more data: SSLv3/TLS
write server done
(2) eap_peap: (TLS) PEAP - In Handshake Phase
(2) eap: Sending EAP Request (code 1) ID 122 length 1004
(2) eap: EAP session adding &reply:State = 0x64b8ac1d66c2b541
(2) [eap] = handled
(2) } # Auth-Type EAP = handled
(2) Using Post-Auth-Type Challenge
(2) Post-Auth-Type sub-section not found. Ignoring.
(2) session-state: Saving cached attributes
(2) Framed-MTU = 994
(2) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake,
ClientHello"
(2) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake,
ServerHello"
(2) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake,
Certificate"
(2) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake,
ServerKeyExchange"
(2) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake,
ServerHelloDone"
(2) Sent Access-Challenge Id 164 from 10.219.195.1:1812 to
10.219.195.225:38276 length 1068
(2) EAP-Message =
0x017a03ec19c000000bd7160303003d020000390303406d024d9f92625990729dd1d0d2b54f155819983be5efc77c0843cfd0c7410400c02f000011ff01000100000b000403000102001700001603030a350b000a31000a2e000499308204953082027da003020102020705fea02d221361300d06092a864886f70d01010b05003076312a302806035504030c212f68626f73732e696e7465726e2f6b6f626c656e7a2f6361732f534954455f4341310b3009060355040613024445310c300a06035504080c03524c503110300e06035504070c074b6f626c656e7a310e300c060355040a0c0548424f5353310b3009060355040b0c024954301e170d3233303632313039313330395a170d3338303631373039313330395a3069311d301b06035504030c146b6f626c656e7a2e68626f73732e696e7465726e310b3009060355040613024445310c300a06035504080c03524c503110300e06035504070c074b6f626c656e7a310e300c060355040a0c0548424f535331
(2) Message-Authenticator = 0x00000000000000000000000000000000
(2) State = 0x64b8ac1d66c2b541aa9dae41afb34712
(2) Finished request
Waking up in 4.8 seconds.
(3) Received Access-Request Id 165 from 10.219.195.225:38276 to
10.219.195.1:1812 length 214
(3) User-Name = "anonymous"
(3) NAS-Identifier = "ap01-hbap"
(3) Called-Station-Id = "B4-4B-D6-26-BA-86:hboss"
(3) NAS-Port-Type = Wireless-802.11
(3) Service-Type = Framed-User
(3) NAS-Port = 1
(3) Calling-Station-Id = "42-33-75-43-BE-2D"
(3) Connect-Info = "CONNECT 54Mbps 802.11a"
(3) Acct-Session-Id = "BF0C189E956F9999"
(3) WLAN-Pairwise-Cipher = 1027076
(3) WLAN-Group-Cipher = 1027076
(3) WLAN-AKM-Suite = 1027073
(3) Framed-MTU = 1400
(3) EAP-Message = 0x027a00061900
(3) State = 0x64b8ac1d66c2b541aa9dae41afb34712
(3) Message-Authenticator = 0xeb39f94920377984aec242aa3813e06a
(3) Restoring &session-state
(3) &session-state:Framed-MTU = 994
(3) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS
1.3 Handshake, ClientHello"
(3) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS
1.2 Handshake, ServerHello"
(3) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS
1.2 Handshake, Certificate"
(3) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS
1.2 Handshake, ServerKeyExchange"
(3) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS
1.2 Handshake, ServerHelloDone"
(3) # Executing section authorize from file
/var/run/otpme/freeradius/radiusd.conf
(3) authorize {
(3) eap: Peer sent EAP Response (code 2) ID 122 length 6
(3) eap: Continuing tunnel setup
(3) [eap] = ok
(3) if (!control:Auth-Type) {
(3) if (!control:Auth-Type) -> FALSE
(3) } # authorize = ok
(3) Found Auth-Type = EAP
(3) # Executing group from file /var/run/otpme/freeradius/radiusd.conf
(3) Auth-Type EAP {
(3) eap: Removing EAP session with state 0x64b8ac1d66c2b541
(3) eap: Previous EAP request found for state 0x64b8ac1d66c2b541,
released from the list
(3) eap: Peer sent packet with method EAP PEAP (25)
(3) eap: Calling submodule eap_peap to process data
(3) eap_peap: (TLS) Peer ACKed our handshake fragment
(3) eap: Sending EAP Request (code 1) ID 123 length 1000
(3) eap: EAP session adding &reply:State = 0x64b8ac1d67c3b541
(3) [eap] = handled
(3) } # Auth-Type EAP = handled
(3) Using Post-Auth-Type Challenge
(3) Post-Auth-Type sub-section not found. Ignoring.
(3) session-state: Saving cached attributes
(3) Framed-MTU = 994
(3) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake,
ClientHello"
(3) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake,
ServerHello"
(3) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake,
Certificate"
(3) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake,
ServerKeyExchange"
(3) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake,
ServerHelloDone"
(3) Sent Access-Challenge Id 165 from 10.219.195.1:1812 to
10.219.195.225:38276 length 1064
(3) EAP-Message =
0x017b03e819406729c41ca39fed55f40b0703e590f4ef3fe75165ed505d0e8e33187c7f82a4fa97311282257e3dca08d5818a76cee90d8aea88403b1d62eda2f8ed0e7cc7d72ce4f25e3497d7cbb88d5fb3e76fd5eb2cb7c29126896e5cf175ca9a6b177812f14e4ad1acc69c7a07a33ad3e880179c3971584f08442b7bfe40153886a8e68f88b2ebd088522f0214474a905d560fa04a8f20a966b67e072e644b106f92e95d3fc468afe1b60ff5b30eabfd9eb217f1847f6a24ab5f922365ecc2bb16be43951cbf4cf33735cd9fc4a0337c1632c68690fb8748b78e6f1fe6534e092fc9b9f25123a0a3ed26215dc6b0b765bbe2272058c9bf0935cb8ac47c5b1f7bd20e474f71a760f1db1b8a45da00058f3082058b30820373a003020102020705fea02cf10b27300d06092a864886f70d01010b05003077312b302906035504030c222f68626f73732e696e7465726e2f6b6f626c656e7a2f6361732f5245414c4d5f4341310b3009060355040613024445310c300a06
(3) Message-Authenticator = 0x00000000000000000000000000000000
(3) State = 0x64b8ac1d67c3b541aa9dae41afb34712
(3) Finished request
Waking up in 4.8 seconds.
(4) Received Access-Request Id 166 from 10.219.195.225:38276 to
10.219.195.1:1812 length 214
(4) User-Name = "anonymous"
(4) NAS-Identifier = "ap01-hbap"
(4) Called-Station-Id = "B4-4B-D6-26-BA-86:hboss"
(4) NAS-Port-Type = Wireless-802.11
(4) Service-Type = Framed-User
(4) NAS-Port = 1
(4) Calling-Station-Id = "42-33-75-43-BE-2D"
(4) Connect-Info = "CONNECT 54Mbps 802.11a"
(4) Acct-Session-Id = "BF0C189E956F9999"
(4) WLAN-Pairwise-Cipher = 1027076
(4) WLAN-Group-Cipher = 1027076
(4) WLAN-AKM-Suite = 1027073
(4) Framed-MTU = 1400
(4) EAP-Message = 0x027b00061900
(4) State = 0x64b8ac1d67c3b541aa9dae41afb34712
(4) Message-Authenticator = 0xed6b5266742723e30e700e8b4f75739f
(4) Restoring &session-state
(4) &session-state:Framed-MTU = 994
(4) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS
1.3 Handshake, ClientHello"
(4) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS
1.2 Handshake, ServerHello"
(4) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS
1.2 Handshake, Certificate"
(4) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS
1.2 Handshake, ServerKeyExchange"
(4) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS
1.2 Handshake, ServerHelloDone"
(4) # Executing section authorize from file
/var/run/otpme/freeradius/radiusd.conf
(4) authorize {
(4) eap: Peer sent EAP Response (code 2) ID 123 length 6
(4) eap: Continuing tunnel setup
(4) [eap] = ok
(4) if (!control:Auth-Type) {
(4) if (!control:Auth-Type) -> FALSE
(4) } # authorize = ok
(4) Found Auth-Type = EAP
(4) # Executing group from file /var/run/otpme/freeradius/radiusd.conf
(4) Auth-Type EAP {
(4) eap: Removing EAP session with state 0x64b8ac1d67c3b541
(4) eap: Previous EAP request found for state 0x64b8ac1d67c3b541,
released from the list
(4) eap: Peer sent packet with method EAP PEAP (25)
(4) eap: Calling submodule eap_peap to process data
(4) eap_peap: (TLS) Peer ACKed our handshake fragment
(4) eap: Sending EAP Request (code 1) ID 124 length 1000
(4) eap: EAP session adding &reply:State = 0x64b8ac1d60c4b541
(4) [eap] = handled
(4) } # Auth-Type EAP = handled
(4) Using Post-Auth-Type Challenge
(4) Post-Auth-Type sub-section not found. Ignoring.
(4) session-state: Saving cached attributes
(4) Framed-MTU = 994
(4) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake,
ClientHello"
(4) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake,
ServerHello"
(4) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake,
Certificate"
(4) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake,
ServerKeyExchange"
(4) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake,
ServerHelloDone"
(4) Sent Access-Challenge Id 166 from 10.219.195.1:1812 to
10.219.195.225:38276 length 1064
(4) EAP-Message =
0x017c03e81940603ef2f2884b299ace212671ea16a0df8d30640875c03aaef2ac1e4cd0b45487fcb99234083e915ecded1171c41b3eb10b7c736e781a97f17e3aa3b85d0f5b5f35d09ce1570d621b9dc5be4b4f9ecae899a6d0949b7eed4ebcbf64a48aa40d41d3c07d33da2e8d816dd2eba719a8b75d53dfa7ecb5a35b7cec093710efea7ff30203010001a31d301b300c0603551d13040530030101ff300b0603551d0f040403020106300d06092a864886f70d01010b0500038202010048ed80b6b8d9f45c988d3a8c439f33112acf5a1a90a3e79a8622a919c7fa078d6bcfcb743a26ddd8bc1bc56f9071c89b8a986b33eeb0c6defe6f99834b9a90da8089c002815951b451f4b9d4ed8225888e5b77b04f9131487a830c71082209525143b143d9335eb02b382660f462e5b6d5e4dd2991b894148e23f6ce2be12f76406890fe48dba3e0c97b33089c20f7466a37daa34eb110f7d9cf47553fae6f7453ad44e48fa154f1db59066d3250216bde12320eed158d5197
(4) Message-Authenticator = 0x00000000000000000000000000000000
(4) State = 0x64b8ac1d60c4b541aa9dae41afb34712
(4) Finished request
Waking up in 4.8 seconds.
(5) Received Access-Request Id 167 from 10.219.195.225:38276 to
10.219.195.1:1812 length 214
(5) User-Name = "anonymous"
(5) NAS-Identifier = "ap01-hbap"
(5) Called-Station-Id = "B4-4B-D6-26-BA-86:hboss"
(5) NAS-Port-Type = Wireless-802.11
(5) Service-Type = Framed-User
(5) NAS-Port = 1
(5) Calling-Station-Id = "42-33-75-43-BE-2D"
(5) Connect-Info = "CONNECT 54Mbps 802.11a"
(5) Acct-Session-Id = "BF0C189E956F9999"
(5) WLAN-Pairwise-Cipher = 1027076
(5) WLAN-Group-Cipher = 1027076
(5) WLAN-AKM-Suite = 1027073
(5) Framed-MTU = 1400
(5) EAP-Message = 0x027c00061900
(5) State = 0x64b8ac1d60c4b541aa9dae41afb34712
(5) Message-Authenticator = 0xd495f330c78e196eb11dc3995b88a242
(5) Restoring &session-state
(5) &session-state:Framed-MTU = 994
(5) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS
1.3 Handshake, ClientHello"
(5) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS
1.2 Handshake, ServerHello"
(5) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS
1.2 Handshake, Certificate"
(5) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS
1.2 Handshake, ServerKeyExchange"
(5) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS
1.2 Handshake, ServerHelloDone"
(5) # Executing section authorize from file
/var/run/otpme/freeradius/radiusd.conf
(5) authorize {
(5) eap: Peer sent EAP Response (code 2) ID 124 length 6
(5) eap: Continuing tunnel setup
(5) [eap] = ok
(5) if (!control:Auth-Type) {
(5) if (!control:Auth-Type) -> FALSE
(5) } # authorize = ok
(5) Found Auth-Type = EAP
(5) # Executing group from file /var/run/otpme/freeradius/radiusd.conf
(5) Auth-Type EAP {
(5) eap: Removing EAP session with state 0x64b8ac1d60c4b541
(5) eap: Previous EAP request found for state 0x64b8ac1d60c4b541,
released from the list
(5) eap: Peer sent packet with method EAP PEAP (25)
(5) eap: Calling submodule eap_peap to process data
(5) eap_peap: (TLS) Peer ACKed our handshake fragment
(5) eap: Sending EAP Request (code 1) ID 125 length 55
(5) eap: EAP session adding &reply:State = 0x64b8ac1d61c5b541
(5) [eap] = handled
(5) } # Auth-Type EAP = handled
(5) Using Post-Auth-Type Challenge
(5) Post-Auth-Type sub-section not found. Ignoring.
(5) session-state: Saving cached attributes
(5) Framed-MTU = 994
(5) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake,
ClientHello"
(5) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake,
ServerHello"
(5) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake,
Certificate"
(5) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake,
ServerKeyExchange"
(5) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake,
ServerHelloDone"
(5) Sent Access-Challenge Id 167 from 10.219.195.1:1812 to
10.219.195.225:38276 length 113
(5) EAP-Message =
0x017d00371900501263aad1ec47677b3c48e295891733e13224af67d346d25d68f13a27dd1b6060701aa6f7a4003816030300040e000000
(5) Message-Authenticator = 0x00000000000000000000000000000000
(5) State = 0x64b8ac1d61c5b541aa9dae41afb34712
(5) Finished request
Waking up in 4.8 seconds.
(6) Received Access-Request Id 168 from 10.219.195.225:38276 to
10.219.195.1:1812 length 344
(6) User-Name = "anonymous"
(6) NAS-Identifier = "ap01-hbap"
(6) Called-Station-Id = "B4-4B-D6-26-BA-86:hboss"
(6) NAS-Port-Type = Wireless-802.11
(6) Service-Type = Framed-User
(6) NAS-Port = 1
(6) Calling-Station-Id = "42-33-75-43-BE-2D"
(6) Connect-Info = "CONNECT 54Mbps 802.11a"
(6) Acct-Session-Id = "BF0C189E956F9999"
(6) WLAN-Pairwise-Cipher = 1027076
(6) WLAN-Group-Cipher = 1027076
(6) WLAN-AKM-Suite = 1027073
(6) Framed-MTU = 1400
(6) EAP-Message =
0x027d008819800000007e1603030046100000424104d03773246fb4ee58f2b210f0d7e78f044a507dfb457b56f714c4f99379b7b54a81c78f01ba73c7a855d726a53e8e06b20bcdd4e9ff3eb63d2aab0e6075f697e114030300010116030300280000000000000000eb102ea08ec0ea6bf3ef1493251569d7fb91064e446e30581e1839c200c0883c
(6) State = 0x64b8ac1d61c5b541aa9dae41afb34712
(6) Message-Authenticator = 0x06debe813bbb88b569740faf21dbdcb9
(6) Restoring &session-state
(6) &session-state:Framed-MTU = 994
(6) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS
1.3 Handshake, ClientHello"
(6) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS
1.2 Handshake, ServerHello"
(6) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS
1.2 Handshake, Certificate"
(6) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS
1.2 Handshake, ServerKeyExchange"
(6) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS
1.2 Handshake, ServerHelloDone"
(6) # Executing section authorize from file
/var/run/otpme/freeradius/radiusd.conf
(6) authorize {
(6) eap: Peer sent EAP Response (code 2) ID 125 length 136
(6) eap: Continuing tunnel setup
(6) [eap] = ok
(6) if (!control:Auth-Type) {
(6) if (!control:Auth-Type) -> FALSE
(6) } # authorize = ok
(6) Found Auth-Type = EAP
(6) # Executing group from file /var/run/otpme/freeradius/radiusd.conf
(6) Auth-Type EAP {
(6) eap: Removing EAP session with state 0x64b8ac1d61c5b541
(6) eap: Previous EAP request found for state 0x64b8ac1d61c5b541,
released from the list
(6) eap: Peer sent packet with method EAP PEAP (25)
(6) eap: Calling submodule eap_peap to process data
(6) eap_peap: (TLS) EAP Peer says that the final record size will be 126
bytes
(6) eap_peap: (TLS) EAP Got all data (126 bytes)
(6) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write
server done
(6) eap_peap: (TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange
(6) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS read
client key exchange
(6) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS read
change cipher spec
(6) eap_peap: (TLS) PEAP - recv TLS 1.2 Handshake, Finished
(6) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS read finished
(6) eap_peap: (TLS) PEAP - send TLS 1.2 ChangeCipherSpec
(6) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write
change cipher spec
(6) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, Finished
(6) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write finished
(6) eap_peap: (TLS) PEAP - Handshake state - SSL negotiation finished
successfully
(6) eap_peap: (TLS) PEAP - Connection Established
(6) eap_peap: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM-SHA256"
(6) eap_peap: TLS-Session-Version = "TLS 1.2"
(6) eap: Sending EAP Request (code 1) ID 126 length 57
(6) eap: EAP session adding &reply:State = 0x64b8ac1d62c6b541
(6) [eap] = handled
(6) } # Auth-Type EAP = handled
(6) Using Post-Auth-Type Challenge
(6) Post-Auth-Type sub-section not found. Ignoring.
(6) session-state: Saving cached attributes
(6) Framed-MTU = 994
(6) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake,
ClientHello"
(6) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake,
ServerHello"
(6) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake,
Certificate"
(6) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake,
ServerKeyExchange"
(6) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake,
ServerHelloDone"
(6) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake,
ClientKeyExchange"
(6) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake,
Finished"
(6) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec"
(6) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake,
Finished"
(6) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM-SHA256"
(6) TLS-Session-Version = "TLS 1.2"
(6) Sent Access-Challenge Id 168 from 10.219.195.1:1812 to
10.219.195.225:38276 length 115
(6) EAP-Message =
0x017e0039190014030300010116030300283fbfcc47e7ff15335d94fe3f3b7f1d2683dbacec358f9dfdd26341970bf6679ebf855cd4a6aafe17
(6) Message-Authenticator = 0x00000000000000000000000000000000
(6) State = 0x64b8ac1d62c6b541aa9dae41afb34712
(6) Finished request
Waking up in 4.8 seconds.
(7) Received Access-Request Id 169 from 10.219.195.225:38276 to
10.219.195.1:1812 length 214
(7) User-Name = "anonymous"
(7) NAS-Identifier = "ap01-hbap"
(7) Called-Station-Id = "B4-4B-D6-26-BA-86:hboss"
(7) NAS-Port-Type = Wireless-802.11
(7) Service-Type = Framed-User
(7) NAS-Port = 1
(7) Calling-Station-Id = "42-33-75-43-BE-2D"
(7) Connect-Info = "CONNECT 54Mbps 802.11a"
(7) Acct-Session-Id = "BF0C189E956F9999"
(7) WLAN-Pairwise-Cipher = 1027076
(7) WLAN-Group-Cipher = 1027076
(7) WLAN-AKM-Suite = 1027073
(7) Framed-MTU = 1400
(7) EAP-Message = 0x027e00061900
(7) State = 0x64b8ac1d62c6b541aa9dae41afb34712
(7) Message-Authenticator = 0xe942008c55e4659b864a6a49b1848ae5
(7) Restoring &session-state
(7) &session-state:Framed-MTU = 994
(7) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS
1.3 Handshake, ClientHello"
(7) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS
1.2 Handshake, ServerHello"
(7) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS
1.2 Handshake, Certificate"
(7) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS
1.2 Handshake, ServerKeyExchange"
(7) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS
1.2 Handshake, ServerHelloDone"
(7) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS
1.2 Handshake, ClientKeyExchange"
(7) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS
1.2 Handshake, Finished"
(7) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS
1.2 ChangeCipherSpec"
(7) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS
1.2 Handshake, Finished"
(7) &session-state:TLS-Session-Cipher-Suite =
"ECDHE-RSA-AES128-GCM-SHA256"
(7) &session-state:TLS-Session-Version = "TLS 1.2"
(7) # Executing section authorize from file
/var/run/otpme/freeradius/radiusd.conf
(7) authorize {
(7) eap: Peer sent EAP Response (code 2) ID 126 length 6
(7) eap: Continuing tunnel setup
(7) [eap] = ok
(7) if (!control:Auth-Type) {
(7) if (!control:Auth-Type) -> FALSE
(7) } # authorize = ok
(7) Found Auth-Type = EAP
(7) # Executing group from file /var/run/otpme/freeradius/radiusd.conf
(7) Auth-Type EAP {
(7) eap: Removing EAP session with state 0x64b8ac1d62c6b541
(7) eap: Previous EAP request found for state 0x64b8ac1d62c6b541,
released from the list
(7) eap: Peer sent packet with method EAP PEAP (25)
(7) eap: Calling submodule eap_peap to process data
(7) eap_peap: (TLS) Peer ACKed our handshake fragment. handshake is
finished
(7) eap_peap: Session established. Decoding tunneled attributes
(7) eap_peap: PEAP state TUNNEL ESTABLISHED
(7) eap: Sending EAP Request (code 1) ID 127 length 40
(7) eap: EAP session adding &reply:State = 0x64b8ac1d63c7b541
(7) [eap] = handled
(7) } # Auth-Type EAP = handled
(7) Using Post-Auth-Type Challenge
(7) Post-Auth-Type sub-section not found. Ignoring.
(7) session-state: Saving cached attributes
(7) Framed-MTU = 994
(7) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake,
ClientHello"
(7) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake,
ServerHello"
(7) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake,
Certificate"
(7) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake,
ServerKeyExchange"
(7) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake,
ServerHelloDone"
(7) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake,
ClientKeyExchange"
(7) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake,
Finished"
(7) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec"
(7) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake,
Finished"
(7) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM-SHA256"
(7) TLS-Session-Version = "TLS 1.2"
(7) Sent Access-Challenge Id 169 from 10.219.195.1:1812 to
10.219.195.225:38276 length 98
(7) EAP-Message =
0x017f00281900170303001d3fbfcc47e7ff15344cfac04ed63722fa13bff21b90d93b042ce8c29282
(7) Message-Authenticator = 0x00000000000000000000000000000000
(7) State = 0x64b8ac1d63c7b541aa9dae41afb34712
(7) Finished request
Waking up in 4.8 seconds.
(8) Received Access-Request Id 170 from 10.219.195.225:38276 to
10.219.195.1:1812 length 257
(8) User-Name = "anonymous"
(8) NAS-Identifier = "ap01-hbap"
(8) Called-Station-Id = "B4-4B-D6-26-BA-86:hboss"
(8) NAS-Port-Type = Wireless-802.11
(8) Service-Type = Framed-User
(8) NAS-Port = 1
(8) Calling-Station-Id = "42-33-75-43-BE-2D"
(8) Connect-Info = "CONNECT 54Mbps 802.11a"
(8) Acct-Session-Id = "BF0C189E956F9999"
(8) WLAN-Pairwise-Cipher = 1027076
(8) WLAN-Group-Cipher = 1027076
(8) WLAN-AKM-Suite = 1027073
(8) Framed-MTU = 1400
(8) EAP-Message =
0x027f0031190017030300260000000000000001c658b8d37ccad3ed1c1cb348b9a92784ffb1c57cf6dfcd328673aaf30788
(8) State = 0x64b8ac1d63c7b541aa9dae41afb34712
(8) Message-Authenticator = 0x4db29f5f022a1b50adf137196caea97c
(8) Restoring &session-state
(8) &session-state:Framed-MTU = 994
(8) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS
1.3 Handshake, ClientHello"
(8) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS
1.2 Handshake, ServerHello"
(8) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS
1.2 Handshake, Certificate"
(8) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS
1.2 Handshake, ServerKeyExchange"
(8) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS
1.2 Handshake, ServerHelloDone"
(8) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS
1.2 Handshake, ClientKeyExchange"
(8) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS
1.2 Handshake, Finished"
(8) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS
1.2 ChangeCipherSpec"
(8) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS
1.2 Handshake, Finished"
(8) &session-state:TLS-Session-Cipher-Suite =
"ECDHE-RSA-AES128-GCM-SHA256"
(8) &session-state:TLS-Session-Version = "TLS 1.2"
(8) # Executing section authorize from file
/var/run/otpme/freeradius/radiusd.conf
(8) authorize {
(8) eap: Peer sent EAP Response (code 2) ID 127 length 49
(8) eap: Continuing tunnel setup
(8) [eap] = ok
(8) if (!control:Auth-Type) {
(8) if (!control:Auth-Type) -> FALSE
(8) } # authorize = ok
(8) Found Auth-Type = EAP
(8) # Executing group from file /var/run/otpme/freeradius/radiusd.conf
(8) Auth-Type EAP {
(8) eap: Removing EAP session with state 0x64b8ac1d63c7b541
(8) eap: Previous EAP request found for state 0x64b8ac1d63c7b541,
released from the list
(8) eap: Peer sent packet with method EAP PEAP (25)
(8) eap: Calling submodule eap_peap to process data
(8) eap_peap: (TLS) EAP Done initial handshake
(8) eap_peap: Session established. Decoding tunneled attributes
(8) eap_peap: PEAP state WAITING FOR INNER IDENTITY
(8) eap_peap: Identity - heiko.baumann
(8) eap_peap: Got inner identity 'heiko.baumann'
(8) eap_peap: Setting default EAP type for tunneled EAP session
(8) eap_peap: Got tunneled request
(8) eap_peap: EAP-Message = 0x027f0012016865696b6f2e6261756d616e6e
(8) eap_peap: Setting User-Name to heiko.baumann
(8) eap_peap: Sending tunneled request to otpme
(8) eap_peap: EAP-Message = 0x027f0012016865696b6f2e6261756d616e6e
(8) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(8) eap_peap: User-Name = "heiko.baumann"
(8) eap_peap: NAS-Identifier = "ap01-hbap"
(8) eap_peap: Called-Station-Id = "B4-4B-D6-26-BA-86:hboss"
(8) eap_peap: NAS-Port-Type = Wireless-802.11
(8) eap_peap: Service-Type = Framed-User
(8) eap_peap: NAS-Port = 1
(8) eap_peap: Calling-Station-Id = "42-33-75-43-BE-2D"
(8) eap_peap: Connect-Info = "CONNECT 54Mbps 802.11a"
(8) eap_peap: Acct-Session-Id = "BF0C189E956F9999"
(8) eap_peap: WLAN-Pairwise-Cipher = 1027076
(8) eap_peap: WLAN-Group-Cipher = 1027076
(8) eap_peap: WLAN-AKM-Suite = 1027073
(8) eap_peap: Framed-MTU = 1400
(8) Virtual server otpme received request
(8) EAP-Message = 0x027f0012016865696b6f2e6261756d616e6e
(8) FreeRADIUS-Proxied-To = 127.0.0.1
(8) User-Name = "heiko.baumann"
(8) NAS-Identifier = "ap01-hbap"
(8) Called-Station-Id = "B4-4B-D6-26-BA-86:hboss"
(8) NAS-Port-Type = Wireless-802.11
(8) Service-Type = Framed-User
(8) NAS-Port = 1
(8) Calling-Station-Id = "42-33-75-43-BE-2D"
(8) Connect-Info = "CONNECT 54Mbps 802.11a"
(8) Acct-Session-Id = "BF0C189E956F9999"
(8) WLAN-Pairwise-Cipher = 1027076
(8) WLAN-Group-Cipher = 1027076
(8) WLAN-AKM-Suite = 1027073
(8) Framed-MTU = 1400
(8) server otpme {
(8) # Executing section authorize from file
/var/run/otpme/freeradius/radiusd.conf
(8) authorize {
(8) eap: Peer sent EAP Response (code 2) ID 127 length 18
(8) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(8) [eap] = ok
(8) if (!control:Auth-Type) {
(8) if (!control:Auth-Type) -> FALSE
(8) } # authorize = ok
(8) Found Auth-Type = EAP
(8) # Executing group from file /var/run/otpme/freeradius/radiusd.conf
(8) Auth-Type EAP {
(8) eap: Peer sent packet with method EAP Identity (1)
(8) eap: Calling submodule eap_mschapv2 to process data
(8) eap_mschapv2: Issuing Challenge
(8) eap: Sending EAP Request (code 1) ID 128 length 42
(8) eap: EAP session adding &reply:State = 0xfae70ce5fa67161a
(8) [eap] = handled
(8) } # Auth-Type EAP = handled
(8) Using Post-Auth-Type Challenge
(8) Post-Auth-Type sub-section not found. Ignoring.
(8) } # server otpme
(8) Virtual server sending reply
(8) EAP-Message =
0x0180002a1a0180002510920798cb42b9ebd036cf4ec5f867de88667265657261646975732d332e322e36
(8) Message-Authenticator = 0x00000000000000000000000000000000
(8) State = 0xfae70ce5fa67161a0a330e080f4ac17b
(8) eap_peap: Got tunneled reply code 11
(8) eap_peap: EAP-Message =
0x0180002a1a0180002510920798cb42b9ebd036cf4ec5f867de88667265657261646975732d332e322e36
(8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(8) eap_peap: State = 0xfae70ce5fa67161a0a330e080f4ac17b
(8) eap_peap: Got tunneled reply RADIUS code 11
(8) eap_peap: EAP-Message =
0x0180002a1a0180002510920798cb42b9ebd036cf4ec5f867de88667265657261646975732d332e322e36
(8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(8) eap_peap: State = 0xfae70ce5fa67161a0a330e080f4ac17b
(8) eap_peap: Got tunneled Access-Challenge
(8) eap: Sending EAP Request (code 1) ID 128 length 73
(8) eap: EAP session adding &reply:State = 0x64b8ac1d6c38b541
(8) [eap] = handled
(8) } # Auth-Type EAP = handled
(8) Using Post-Auth-Type Challenge
(8) Post-Auth-Type sub-section not found. Ignoring.
(8) session-state: Saving cached attributes
(8) Framed-MTU = 994
(8) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake,
ClientHello"
(8) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake,
ServerHello"
(8) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake,
Certificate"
(8) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake,
ServerKeyExchange"
(8) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake,
ServerHelloDone"
(8) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake,
ClientKeyExchange"
(8) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake,
Finished"
(8) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec"
(8) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake,
Finished"
(8) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM-SHA256"
(8) TLS-Session-Version = "TLS 1.2"
(8) Sent Access-Challenge Id 170 from 10.219.195.1:1812 to
10.219.195.225:38276 length 131
(8) EAP-Message =
0x018000491900170303003e3fbfcc47e7ff15357d447a7f7984baab3d24cc5e608d3e9b1f1732d6a0ca80dc81cb5017596f1ecb3eb7dab2ad8c55187f67c2271843c3645767e378659b
(8) Message-Authenticator = 0x00000000000000000000000000000000
(8) State = 0x64b8ac1d6c38b541aa9dae41afb34712
(8) Finished request
Waking up in 4.8 seconds.
(9) Received Access-Request Id 171 from 10.219.195.225:38276 to
10.219.195.1:1812 length 311
(9) User-Name = "anonymous"
(9) NAS-Identifier = "ap01-hbap"
(9) Called-Station-Id = "B4-4B-D6-26-BA-86:hboss"
(9) NAS-Port-Type = Wireless-802.11
(9) Service-Type = Framed-User
(9) NAS-Port = 1
(9) Calling-Station-Id = "42-33-75-43-BE-2D"
(9) Connect-Info = "CONNECT 54Mbps 802.11a"
(9) Acct-Session-Id = "BF0C189E956F9999"
(9) WLAN-Pairwise-Cipher = 1027076
(9) WLAN-Group-Cipher = 1027076
(9) WLAN-AKM-Suite = 1027073
(9) Framed-MTU = 1400
(9) EAP-Message =
0x028000671900170303005c00000000000000020b045bbce75f04f16e2985586e3d8ddbb45c4e798479b6033a504fc6a1cb4e043e8039b454a3da869b72d32d72c5c2654d8c11604829788b46e22513ff41d8a0e6b4d9fcd835b3c3cdfe90e8d4b22b911d2c7298
(9) State = 0x64b8ac1d6c38b541aa9dae41afb34712
(9) Message-Authenticator = 0x3118fa5cac060f01aad3516f4dfc5902
(9) Restoring &session-state
(9) &session-state:Framed-MTU = 994
(9) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS
1.3 Handshake, ClientHello"
(9) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS
1.2 Handshake, ServerHello"
(9) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS
1.2 Handshake, Certificate"
(9) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS
1.2 Handshake, ServerKeyExchange"
(9) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS
1.2 Handshake, ServerHelloDone"
(9) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS
1.2 Handshake, ClientKeyExchange"
(9) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS
1.2 Handshake, Finished"
(9) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS
1.2 ChangeCipherSpec"
(9) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS
1.2 Handshake, Finished"
(9) &session-state:TLS-Session-Cipher-Suite =
"ECDHE-RSA-AES128-GCM-SHA256"
(9) &session-state:TLS-Session-Version = "TLS 1.2"
(9) # Executing section authorize from file
/var/run/otpme/freeradius/radiusd.conf
(9) authorize {
(9) eap: Peer sent EAP Response (code 2) ID 128 length 103
(9) eap: Continuing tunnel setup
(9) [eap] = ok
(9) if (!control:Auth-Type) {
(9) if (!control:Auth-Type) -> FALSE
(9) } # authorize = ok
(9) Found Auth-Type = EAP
(9) # Executing group from file /var/run/otpme/freeradius/radiusd.conf
(9) Auth-Type EAP {
(9) eap: Removing EAP session with state 0x64b8ac1d6c38b541
(9) eap: Previous EAP request found for state 0x64b8ac1d6c38b541,
released from the list
(9) eap: Peer sent packet with method EAP PEAP (25)
(9) eap: Calling submodule eap_peap to process data
(9) eap_peap: (TLS) EAP Done initial handshake
(9) eap_peap: Session established. Decoding tunneled attributes
(9) eap_peap: PEAP state phase2
(9) eap_peap: EAP method MSCHAPv2 (26)
(9) eap_peap: Got tunneled request
(9) eap_peap: EAP-Message =
0x028000481a028000433172039eb9ff06e5540b22dd821eaa1c9d0000000000000000f106b113ed0eb2328181e98bcff722c56cee58e54f33ca1c006865696b6f2e6261756d616e6e
(9) eap_peap: Setting User-Name to heiko.baumann
(9) eap_peap: Sending tunneled request to otpme
(9) eap_peap: EAP-Message =
0x028000481a028000433172039eb9ff06e5540b22dd821eaa1c9d0000000000000000f106b113ed0eb2328181e98bcff722c56cee58e54f33ca1c006865696b6f2e6261756d616e6e
(9) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(9) eap_peap: User-Name = "heiko.baumann"
(9) eap_peap: State = 0xfae70ce5fa67161a0a330e080f4ac17b
(9) eap_peap: NAS-Identifier = "ap01-hbap"
(9) eap_peap: Called-Station-Id = "B4-4B-D6-26-BA-86:hboss"
(9) eap_peap: NAS-Port-Type = Wireless-802.11
(9) eap_peap: Service-Type = Framed-User
(9) eap_peap: NAS-Port = 1
(9) eap_peap: Calling-Station-Id = "42-33-75-43-BE-2D"
(9) eap_peap: Connect-Info = "CONNECT 54Mbps 802.11a"
(9) eap_peap: Acct-Session-Id = "BF0C189E956F9999"
(9) eap_peap: WLAN-Pairwise-Cipher = 1027076
(9) eap_peap: WLAN-Group-Cipher = 1027076
(9) eap_peap: WLAN-AKM-Suite = 1027073
(9) eap_peap: Framed-MTU = 1400
(9) Virtual server otpme received request
(9) EAP-Message =
0x028000481a028000433172039eb9ff06e5540b22dd821eaa1c9d0000000000000000f106b113ed0eb2328181e98bcff722c56cee58e54f33ca1c006865696b6f2e6261756d616e6e
(9) FreeRADIUS-Proxied-To = 127.0.0.1
(9) User-Name = "heiko.baumann"
(9) State = 0xfae70ce5fa67161a0a330e080f4ac17b
(9) NAS-Identifier = "ap01-hbap"
(9) Called-Station-Id = "B4-4B-D6-26-BA-86:hboss"
(9) NAS-Port-Type = Wireless-802.11
(9) Service-Type = Framed-User
(9) NAS-Port = 1
(9) Calling-Station-Id = "42-33-75-43-BE-2D"
(9) Connect-Info = "CONNECT 54Mbps 802.11a"
(9) Acct-Session-Id = "BF0C189E956F9999"
(9) WLAN-Pairwise-Cipher = 1027076
(9) WLAN-Group-Cipher = 1027076
(9) WLAN-AKM-Suite = 1027073
(9) Framed-MTU = 1400
(9) server otpme {
(9) session-state: No cached attributes
(9) # Executing section authorize from file
/var/run/otpme/freeradius/radiusd.conf
(9) authorize {
(9) eap: Peer sent EAP Response (code 2) ID 128 length 72
(9) eap: No EAP Start, assuming it's an on-going EAP conversation
(9) [eap] = updated
(9) if (!control:Auth-Type) {
(9) if (!control:Auth-Type) -> FALSE
(9) } # authorize = updated
(9) Found Auth-Type = EAP
(9) # Executing group from file /var/run/otpme/freeradius/radiusd.conf
(9) Auth-Type EAP {
(9) eap: Removing EAP session with state 0xfae70ce5fa67161a
(9) eap: Previous EAP request found for state 0xfae70ce5fa67161a,
released from the list
(9) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(9) eap: Calling submodule eap_mschapv2 to process data
(9) eap_mschapv2: # Executing group from file
/var/run/otpme/freeradius/radiusd.conf
(9) eap_mschapv2: Auth-Type MS-CHAP {
otpme.py: adding MS-CHAP2-Success:
'3S=44f6bccdca0cf8377cbd06122065d7f895050076'
otpme.py: adding MS-MPPE-Send-Key: '99420b0d55925232c6c62e7e8b913301'
otpme.py: adding MS-MPPE-Recv-Key: '1114b25f146360e67f9bad689e3e9c88'
otpme.py: adding MS-MPPE-Encryption-Policy: '0x00000001'
otpme.py: adding MS-MPPE-Encryption-Types: '0x00000006'
otpme.py: adding Auth-Type: 'MS-CHAP'
authenticate - 'reply:Reply-Message' = 'Authentication successful'
authenticate - 'reply:MS-CHAP2-Success' =
'0x33533d34346636626363646361306366383337376362643036313232303635643766383935303530303736'
authenticate - 'reply:MS-MPPE-Encryption-Policy' = '0x00000001'
authenticate - 'reply:MS-MPPE-Encryption-Types' = '0x00000006'
authenticate - 'reply:MS-MPPE-Send-Key' =
'0x99420b0d55925232c6c62e7e8b913301'
authenticate - 'reply:MS-MPPE-Recv-Key' =
'0x1114b25f146360e67f9bad689e3e9c88'
authenticate - 'config:Auth-Type' = 'MS-CHAP'
(9) eap_mschapv2: [python_otpme] = ok
(9) eap_mschapv2: } # Auth-Type MS-CHAP = ok
(9) eap_mschapv2: MSCHAP Success
(9) eap: Sending EAP Request (code 1) ID 129 length 51
(9) eap: EAP session adding &reply:State = 0xfae70ce5fb66161a
(9) [eap] = handled
(9) } # Auth-Type EAP = handled
(9) Using Post-Auth-Type Challenge
(9) Post-Auth-Type sub-section not found. Ignoring.
(9) } # server otpme
(9) Virtual server sending reply
(9) Reply-Message = "Authentication successful"
(9) EAP-Message =
0x018100331a0380002e533d34346636626363646361306366383337376362643036313232303635643766383935303530303736
(9) Message-Authenticator = 0x00000000000000000000000000000000
(9) State = 0xfae70ce5fb66161a0a330e080f4ac17b
(9) eap_peap: Got tunneled reply code 11
(9) eap_peap: Reply-Message = "Authentication successful"
(9) eap_peap: EAP-Message =
0x018100331a0380002e533d34346636626363646361306366383337376362643036313232303635643766383935303530303736
(9) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(9) eap_peap: State = 0xfae70ce5fb66161a0a330e080f4ac17b
(9) eap_peap: Got tunneled reply RADIUS code 11
(9) eap_peap: Reply-Message = "Authentication successful"
(9) eap_peap: EAP-Message =
0x018100331a0380002e533d34346636626363646361306366383337376362643036313232303635643766383935303530303736
(9) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(9) eap_peap: State = 0xfae70ce5fb66161a0a330e080f4ac17b
(9) eap_peap: Got tunneled Access-Challenge
(9) eap: Sending EAP Request (code 1) ID 129 length 82
(9) eap: EAP session adding &reply:State = 0x64b8ac1d6d39b541
(9) [eap] = handled
(9) } # Auth-Type EAP = handled
(9) Using Post-Auth-Type Challenge
(9) Post-Auth-Type sub-section not found. Ignoring.
(9) session-state: Saving cached attributes
(9) Framed-MTU = 994
(9) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake,
ClientHello"
(9) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake,
ServerHello"
(9) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake,
Certificate"
(9) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake,
ServerKeyExchange"
(9) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake,
ServerHelloDone"
(9) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake,
ClientKeyExchange"
(9) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake,
Finished"
(9) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec"
(9) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake,
Finished"
(9) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM-SHA256"
(9) TLS-Session-Version = "TLS 1.2"
(9) Sent Access-Challenge Id 171 from 10.219.195.1:1812 to
10.219.195.225:38276 length 140
(9) EAP-Message =
0x01810052190017030300473fbfcc47e7ff153625de7e663dc1113d94046a6050434ba068b90ab3a11c1d9f82ea1de4187ef8e19cf8f9fbc5dbf084c02faa214014b226b04d2f410be0964a728ea31d7d7d6d
(9) Message-Authenticator = 0x00000000000000000000000000000000
(9) State = 0x64b8ac1d6d39b541aa9dae41afb34712
(9) Finished request
Waking up in 3.4 seconds.
(10) Received Access-Request Id 172 from 10.219.195.225:38276 to
10.219.195.1:1812 length 245
(10) User-Name = "anonymous"
(10) NAS-Identifier = "ap01-hbap"
(10) Called-Station-Id = "B4-4B-D6-26-BA-86:hboss"
(10) NAS-Port-Type = Wireless-802.11
(10) Service-Type = Framed-User
(10) NAS-Port = 1
(10) Calling-Station-Id = "42-33-75-43-BE-2D"
(10) Connect-Info = "CONNECT 54Mbps 802.11a"
(10) Acct-Session-Id = "BF0C189E956F9999"
(10) WLAN-Pairwise-Cipher = 1027076
(10) WLAN-Group-Cipher = 1027076
(10) WLAN-AKM-Suite = 1027073
(10) Framed-MTU = 1400
(10) EAP-Message =
0x028100251900170303001a00000000000000031685834550dd6a5554a79de46d67b072c3cb
(10) State = 0x64b8ac1d6d39b541aa9dae41afb34712
(10) Message-Authenticator = 0xce20e30f4de7c6a5a7563cd6ac38935f
(10) Restoring &session-state
(10) &session-state:Framed-MTU = 994
(10) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS
1.3 Handshake, ClientHello"
(10) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS
1.2 Handshake, ServerHello"
(10) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS
1.2 Handshake, Certificate"
(10) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS
1.2 Handshake, ServerKeyExchange"
(10) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS
1.2 Handshake, ServerHelloDone"
(10) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS
1.2 Handshake, ClientKeyExchange"
(10) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS
1.2 Handshake, Finished"
(10) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS
1.2 ChangeCipherSpec"
(10) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS
1.2 Handshake, Finished"
(10) &session-state:TLS-Session-Cipher-Suite =
"ECDHE-RSA-AES128-GCM-SHA256"
(10) &session-state:TLS-Session-Version = "TLS 1.2"
(10) # Executing section authorize from file
/var/run/otpme/freeradius/radiusd.conf
(10) authorize {
(10) eap: Peer sent EAP Response (code 2) ID 129 length 37
(10) eap: Continuing tunnel setup
(10) [eap] = ok
(10) if (!control:Auth-Type) {
(10) if (!control:Auth-Type) -> FALSE
(10) } # authorize = ok
(10) Found Auth-Type = EAP
(10) # Executing group from file /var/run/otpme/freeradius/radiusd.conf
(10) Auth-Type EAP {
(10) eap: Removing EAP session with state 0x64b8ac1d6d39b541
(10) eap: Previous EAP request found for state 0x64b8ac1d6d39b541,
released from the list
(10) eap: Peer sent packet with method EAP PEAP (25)
(10) eap: Calling submodule eap_peap to process data
(10) eap_peap: (TLS) EAP Done initial handshake
(10) eap_peap: Session established. Decoding tunneled attributes
(10) eap_peap: PEAP state phase2
(10) eap_peap: EAP method MSCHAPv2 (26)
(10) eap_peap: Got tunneled request
(10) eap_peap: EAP-Message = 0x028100061a03
(10) eap_peap: Setting User-Name to heiko.baumann
(10) eap_peap: Sending tunneled request to otpme
(10) eap_peap: EAP-Message = 0x028100061a03
(10) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(10) eap_peap: User-Name = "heiko.baumann"
(10) eap_peap: State = 0xfae70ce5fb66161a0a330e080f4ac17b
(10) eap_peap: NAS-Identifier = "ap01-hbap"
(10) eap_peap: Called-Station-Id = "B4-4B-D6-26-BA-86:hboss"
(10) eap_peap: NAS-Port-Type = Wireless-802.11
(10) eap_peap: Service-Type = Framed-User
(10) eap_peap: NAS-Port = 1
(10) eap_peap: Calling-Station-Id = "42-33-75-43-BE-2D"
(10) eap_peap: Connect-Info = "CONNECT 54Mbps 802.11a"
(10) eap_peap: Acct-Session-Id = "BF0C189E956F9999"
(10) eap_peap: WLAN-Pairwise-Cipher = 1027076
(10) eap_peap: WLAN-Group-Cipher = 1027076
(10) eap_peap: WLAN-AKM-Suite = 1027073
(10) eap_peap: Framed-MTU = 1400
(10) Virtual server otpme received request
(10) EAP-Message = 0x028100061a03
(10) FreeRADIUS-Proxied-To = 127.0.0.1
(10) User-Name = "heiko.baumann"
(10) State = 0xfae70ce5fb66161a0a330e080f4ac17b
(10) NAS-Identifier = "ap01-hbap"
(10) Called-Station-Id = "B4-4B-D6-26-BA-86:hboss"
(10) NAS-Port-Type = Wireless-802.11
(10) Service-Type = Framed-User
(10) NAS-Port = 1
(10) Calling-Station-Id = "42-33-75-43-BE-2D"
(10) Connect-Info = "CONNECT 54Mbps 802.11a"
(10) Acct-Session-Id = "BF0C189E956F9999"
(10) WLAN-Pairwise-Cipher = 1027076
(10) WLAN-Group-Cipher = 1027076
(10) WLAN-AKM-Suite = 1027073
(10) Framed-MTU = 1400
(10) server otpme {
(10) session-state: No cached attributes
(10) # Executing section authorize from file
/var/run/otpme/freeradius/radiusd.conf
(10) authorize {
(10) eap: Peer sent EAP Response (code 2) ID 129 length 6
(10) eap: No EAP Start, assuming it's an on-going EAP conversation
(10) [eap] = updated
(10) if (!control:Auth-Type) {
(10) if (!control:Auth-Type) -> FALSE
(10) } # authorize = updated
(10) Found Auth-Type = EAP
(10) # Executing group from file /var/run/otpme/freeradius/radiusd.conf
(10) Auth-Type EAP {
(10) eap: Removing EAP session with state 0xfae70ce5fb66161a
(10) eap: Previous EAP request found for state 0xfae70ce5fb66161a,
released from the list
(10) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(10) eap: Calling submodule eap_mschapv2 to process data
(10) eap: Sending EAP Success (code 3) ID 129 length 4
(10) eap: Freeing handler
(10) [eap] = ok
(10) } # Auth-Type EAP = ok
(10) } # server otpme
(10) Virtual server sending reply
(10) MS-MPPE-Encryption-Policy = Encryption-Allowed
(10) MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(10) MS-MPPE-Send-Key = 0x99420b0d55925232c6c62e7e8b913301
(10) MS-MPPE-Recv-Key = 0x1114b25f146360e67f9bad689e3e9c88
(10) EAP-Message = 0x03810004
(10) Message-Authenticator = 0x00000000000000000000000000000000
(10) User-Name = "heiko.baumann"
(10) eap_peap: Got tunneled reply code 2
(10) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed
(10) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(10) eap_peap: MS-MPPE-Send-Key = 0x99420b0d55925232c6c62e7e8b913301
(10) eap_peap: MS-MPPE-Recv-Key = 0x1114b25f146360e67f9bad689e3e9c88
(10) eap_peap: EAP-Message = 0x03810004
(10) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(10) eap_peap: User-Name = "heiko.baumann"
(10) eap_peap: Got tunneled reply RADIUS code 2
(10) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed
(10) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(10) eap_peap: MS-MPPE-Send-Key = 0x99420b0d55925232c6c62e7e8b913301
(10) eap_peap: MS-MPPE-Recv-Key = 0x1114b25f146360e67f9bad689e3e9c88
(10) eap_peap: EAP-Message = 0x03810004
(10) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(10) eap_peap: User-Name = "heiko.baumann"
(10) eap_peap: Tunneled authentication was successful
(10) eap_peap: SUCCESS
(10) eap_peap: Saving tunneled attributes for later
(10) eap: Sending EAP Request (code 1) ID 130 length 46
(10) eap: EAP session adding &reply:State = 0x64b8ac1d6e3ab541
(10) [eap] = handled
(10) } # Auth-Type EAP = handled
(10) Using Post-Auth-Type Challenge
(10) Post-Auth-Type sub-section not found. Ignoring.
(10) session-state: Saving cached attributes
(10) Framed-MTU = 994
(10) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake,
ClientHello"
(10) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake,
ServerHello"
(10) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake,
Certificate"
(10) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake,
ServerKeyExchange"
(10) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake,
ServerHelloDone"
(10) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake,
ClientKeyExchange"
(10) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake,
Finished"
(10) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2
ChangeCipherSpec"
(10) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake,
Finished"
(10) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM-SHA256"
(10) TLS-Session-Version = "TLS 1.2"
(10) Sent Access-Challenge Id 172 from 10.219.195.1:1812 to
10.219.195.225:38276 length 104
(10) EAP-Message =
0x0182002e190017030300233fbfcc47e7ff153753fdd6108d64e215a21d55da7ef02d5dee925bc76d6a4e6392574b
(10) Message-Authenticator = 0x00000000000000000000000000000000
(10) State = 0x64b8ac1d6e3ab541aa9dae41afb34712
(10) Finished request
Waking up in 3.4 seconds.
(11) Received Access-Request Id 173 from 10.219.195.225:38276 to
10.219.195.1:1812 length 254
(11) User-Name = "anonymous"
(11) NAS-Identifier = "ap01-hbap"
(11) Called-Station-Id = "B4-4B-D6-26-BA-86:hboss"
(11) NAS-Port-Type = Wireless-802.11
(11) Service-Type = Framed-User
(11) NAS-Port = 1
(11) Calling-Station-Id = "42-33-75-43-BE-2D"
(11) Connect-Info = "CONNECT 54Mbps 802.11a"
(11) Acct-Session-Id = "BF0C189E956F9999"
(11) WLAN-Pairwise-Cipher = 1027076
(11) WLAN-Group-Cipher = 1027076
(11) WLAN-AKM-Suite = 1027073
(11) Framed-MTU = 1400
(11) EAP-Message =
0x0282002e190017030300230000000000000004f4cfa29e4ec86e3245b7e5cbd0fb74dea5e8ff12c7bc2100be801a
(11) State = 0x64b8ac1d6e3ab541aa9dae41afb34712
(11) Message-Authenticator = 0x8353375023b7e469efb93d9e282cd1a3
(11) Restoring &session-state
(11) &session-state:Framed-MTU = 994
(11) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS
1.3 Handshake, ClientHello"
(11) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS
1.2 Handshake, ServerHello"
(11) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS
1.2 Handshake, Certificate"
(11) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS
1.2 Handshake, ServerKeyExchange"
(11) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS
1.2 Handshake, ServerHelloDone"
(11) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS
1.2 Handshake, ClientKeyExchange"
(11) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS
1.2 Handshake, Finished"
(11) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS
1.2 ChangeCipherSpec"
(11) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS
1.2 Handshake, Finished"
(11) &session-state:TLS-Session-Cipher-Suite =
"ECDHE-RSA-AES128-GCM-SHA256"
(11) &session-state:TLS-Session-Version = "TLS 1.2"
(11) # Executing section authorize from file
/var/run/otpme/freeradius/radiusd.conf
(11) authorize {
(11) eap: Peer sent EAP Response (code 2) ID 130 length 46
(11) eap: Continuing tunnel setup
(11) [eap] = ok
(11) if (!control:Auth-Type) {
(11) if (!control:Auth-Type) -> FALSE
(11) } # authorize = ok
(11) Found Auth-Type = EAP
(11) # Executing group from file /var/run/otpme/freeradius/radiusd.conf
(11) Auth-Type EAP {
(11) eap: Removing EAP session with state 0x64b8ac1d6e3ab541
(11) eap: Previous EAP request found for state 0x64b8ac1d6e3ab541,
released from the list
(11) eap: Peer sent packet with method EAP PEAP (25)
(11) eap: Calling submodule eap_peap to process data
(11) eap_peap: (TLS) EAP Done initial handshake
(11) eap_peap: Session established. Decoding tunneled attributes
(11) eap_peap: PEAP state send tlv success
(11) eap_peap: Received EAP-TLV response
(11) eap_peap: Success
(11) eap_peap: Using saved attributes from the original Access-Accept
(11) eap_peap: User-Name = "heiko.baumann"
(11) eap: Sending EAP Success (code 3) ID 130 length 4
(11) eap: Freeing handler
(11) [eap] = ok
(11) } # Auth-Type EAP = ok
(11) Sent Access-Accept Id 173 from 10.219.195.1:1812 to
10.219.195.225:38276 length 175
(11) User-Name = "heiko.baumann"
(11) MS-MPPE-Recv-Key =
0x7fd1806ac0bae3a4dce0733ee3ba2285ec93eb01ffaa19010f48e0bdabebb623
(11) MS-MPPE-Send-Key =
0x833cfac00c66d42a0bcbc62e008e5591890e585ae00c8d3b56707e5b49a140f5
(11) EAP-Message = 0x03820004
(11) Message-Authenticator = 0x00000000000000000000000000000000
(11) Finished request
Waking up in 3.4 seconds.
Debug output of a failed request with an iPhone:
FreeRADIUS Version 3.2.6
Copyright (C) 1999-2023 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including configuration file /var/run/otpme/freeradius/radiusd.conf
including configuration file /var/run/otpme/freeradius/clients.conf
main {
security {
user = "otpme"
group = "otpme"
allow_core_dumps = no
}
name = "freeradius"
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/otpme"
run_dir = "/var/run/otpme"
}
main {
name = "freeradius"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log/otpme"
run_dir = "/var/run/otpme"
libdir = "/usr/lib"
radacctdir = "/var/log/otpme/radacct"
hostname_lookups = no
max_request_time = 30
proxy_dedup_window = 1
cleanup_delay = 5
max_requests = 16384
max_fds = 512
postauth_client_lost = no
pidfile = "/var/run/otpme/pidfiles/freeradius.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = no
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
colourise = yes
msg_denied = "You are already logged in - access denied"
}
resources {
}
security {
max_attributes = 200
reject_delay = 1.000000
status_server = yes
require_message_authenticator = "auto"
limit_proxy_state = "auto"
}
}
radiusd: #### Loading Realms and Home Servers ####
radiusd: #### Loading Clients ####
Debugger not attached
# Creating Auth-Type = python_otpme
# Creating Auth-Type = EAP
# Creating Auth-Type = MS-CHAP
radiusd: #### Instantiating modules ####
modules {
# Loaded module rlm_mschap
# Loading module "mschap" from file
/var/run/otpme/freeradius/radiusd.conf
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
passchange {
}
allow_retry = yes
winbind_retry_with_normalised_username = no
}
# Loaded module rlm_eap
# Loading module "eap" from file /var/run/otpme/freeradius/radiusd.conf
eap {
default_eap_type = "mschapv2"
timer_expire = 60
max_eap_type = 52
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 16384
dedup_key = ""
}
# Loading module "mschap_otp" from file
/var/run/otpme/freeradius/radiusd.conf
mschap mschap_otp {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
ntlm_auth = "/usr/local/bin/otpme-auth verify_mschap --socket
'%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}'
'%{%{mschap_otp:Challenge}:-00}' '%{%{mschap_otp:NT-Response}:-00}'
'%{NAS-Identifier}' '%{Client-IP-Address}'"
passchange {
}
allow_retry = yes
winbind_retry_with_normalised_username = no
}
# Loaded module rlm_python3
# Loading module "python_otpme" from file
/var/run/otpme/freeradius/radiusd.conf
python3 python_otpme {
mod_instantiate = "otpme.lib.freeradius.otpme"
func_instantiate = "instantiate"
mod_authorize = "otpme.lib.freeradius.otpme"
func_authorize = "authorize"
mod_authenticate = "otpme.lib.freeradius.otpme"
func_authenticate = "authenticate"
python_path =
"/var/run/otpme/freeradius/mods-config/python3:/opt/otpme/lib/python3.11/site-packages"
cext_compat = yes
pass_all_vps = no
pass_all_vps_dict = no
}
# Instantiating module "mschap" from file
/var/run/otpme/freeradius/radiusd.conf
rlm_mschap (mschap): using internal authentication
# Instantiating module "eap" from file
/var/run/otpme/freeradius/radiusd.conf
# Linked to sub-module rlm_eap_md5
rlm_eap (EAP): Ignoring EAP method 'leap', because it is no longer supported
# Linked to sub-module rlm_eap_tls
tls {
tls = "tls-common"
}
tls-config tls-common {
verify_depth = 0
pem_file_type = yes
private_key_file = "/var/run/otpme/freeradius/key.pem"
certificate_file = "/var/run/otpme/freeradius/cert.pem"
ca_file = "/var/run/otpme/freeradius/ca.pem"
fragment_size = 1024
include_length = yes
auto_chain = yes
check_crl = no
check_all_crl = no
ca_path_reload_interval = 0
cipher_list = "DEFAULT"
cipher_server_preference = no
reject_unknown_intermediate_ca = no
ecdh_curve = "prime256v1"
disable_tlsv1 = yes
disable_tlsv1_1 = yes
tls_max_version = "1.2"
tls_min_version = "1.2"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
skip_if_ocsp_ok = no
}
ocsp {
enable = no
override_cert_url = no
use_nonce = yes
timeout = 0
softfail = no
}
}
tls: Please use 'tls_min_version' and 'tls_max_version' instead of
'disable_tlsv1'
tls: Please use 'tls_min_version' and 'tls_max_version' instead of
'disable_tlsv1_1'
# Linked to sub-module rlm_eap_ttls
ttls {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
virtual_server = "otpme"
include_length = yes
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_peap
peap {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
proxy_tunneled_request_as_eap = yes
virtual_server = "otpme"
soh = no
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
# Instantiating module "mschap_otp" from file
/var/run/otpme/freeradius/radiusd.conf
rlm_mschap (mschap_otp): authenticating by calling 'ntlm_auth'
# Instantiating module "python_otpme" from file
/var/run/otpme/freeradius/radiusd.conf
Python version: 3.11.13 (main, Jul 3 2025, 11:31:00) [GCC 12.2.1 20230428]
otpme.py: OTPme config verfied successful.
otpme.py: Instantiated OTPme module.
} # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /var/run/otpme/freeradius/radiusd.conf
} # server
server otpme { # from file /var/run/otpme/freeradius/radiusd.conf
# Loading authenticate {...}
Compiling Auth-Type EAP for attr Auth-Type
Compiling Auth-Type MS-CHAP for attr Auth-Type
# Loading authorize {...}
} # server otpme
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 1812
client 10.219.195.225 {
ipv4addr = 10.219.195.225
secret = <<< secret >>>
shortname = "ap01-hbap-1"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 10.219.195.223 {
ipv4addr = 10.219.195.223
secret = <<< secret >>>
shortname = "cloudix-nextcloud-1"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 127.0.0.1 {
ipv4addr = 127.0.0.1
secret = <<< secret >>>
shortname = "localhost-1"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 10.219.195.100 {
ipv4addr = 10.219.195.100
secret = <<< secret >>>
shortname = "sharewatcher-1"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 10.219.195.254 {
ipv4addr = 10.219.195.254
secret = <<< secret >>>
shortname = "smtp-1"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
}
Listening on auth address * port 1812 bound to server otpme
Ready to process requests
(0) Received Access-Request Id 204 from 10.219.195.225:38276 to
10.219.195.1:1812 length 194
(0) User-Name = "test"
(0) NAS-Identifier = "ap01-hbap"
(0) Called-Station-Id = "B4-4B-D6-26-BA-86:hboss"
(0) NAS-Port-Type = Wireless-802.11
(0) Service-Type = Framed-User
(0) NAS-Port = 3
(0) Calling-Station-Id = "A6-5F-75-98-A5-06"
(0) Connect-Info = "CONNECT 54Mbps 802.11a"
(0) Acct-Session-Id = "EEFF590BE3BB6A1C"
(0) WLAN-Pairwise-Cipher = 1027076
(0) WLAN-Group-Cipher = 1027076
(0) WLAN-AKM-Suite = 1027073
(0) Framed-MTU = 1400
(0) EAP-Message = 0x022200090174657374
(0) Message-Authenticator = 0x7dfcffdfd9fbf339765f6ac0c092a78d
(0) # Executing section authorize from file
/var/run/otpme/freeradius/radiusd.conf
(0) authorize {
(0) eap: Peer sent EAP Response (code 2) ID 34 length 9
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(0) [eap] = ok
(0) if (!control:Auth-Type) {
(0) if (!control:Auth-Type) -> FALSE
(0) } # authorize = ok
(0) Found Auth-Type = EAP
(0) # Executing group from file /var/run/otpme/freeradius/radiusd.conf
(0) Auth-Type EAP {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_mschapv2 to process data
(0) eap_mschapv2: Issuing Challenge
(0) eap: Sending EAP Request (code 1) ID 35 length 42
(0) eap: EAP session adding &reply:State = 0xac2b487aac085271
(0) [eap] = handled
(0) } # Auth-Type EAP = handled
(0) Using Post-Auth-Type Challenge
(0) Post-Auth-Type sub-section not found. Ignoring.
(0) Sent Access-Challenge Id 204 from 10.219.195.1:1812 to
10.219.195.225:38276 length 100
(0) EAP-Message =
0x0123002a1a0123002510807cf25a7f0593f308104a2a7f1bbe28667265657261646975732d332e322e36
(0) Message-Authenticator = 0x00000000000000000000000000000000
(0) State = 0xac2b487aac0852714e974a6b4baa7cab
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 205 from 10.219.195.225:38276 to
10.219.195.1:1812 length 211
(1) User-Name = "test"
(1) NAS-Identifier = "ap01-hbap"
(1) Called-Station-Id = "B4-4B-D6-26-BA-86:hboss"
(1) NAS-Port-Type = Wireless-802.11
(1) Service-Type = Framed-User
(1) NAS-Port = 3
(1) Calling-Station-Id = "A6-5F-75-98-A5-06"
(1) Connect-Info = "CONNECT 54Mbps 802.11a"
(1) Acct-Session-Id = "EEFF590BE3BB6A1C"
(1) WLAN-Pairwise-Cipher = 1027076
(1) WLAN-Group-Cipher = 1027076
(1) WLAN-AKM-Suite = 1027073
(1) Framed-MTU = 1400
(1) EAP-Message = 0x022300080319152b
(1) State = 0xac2b487aac0852714e974a6b4baa7cab
(1) Message-Authenticator = 0x87e934652733a17be1765b4b6f4f24c4
(1) session-state: No cached attributes
(1) # Executing section authorize from file
/var/run/otpme/freeradius/radiusd.conf
(1) authorize {
(1) eap: Peer sent EAP Response (code 2) ID 35 length 8
(1) eap: No EAP Start, assuming it's an on-going EAP conversation
(1) [eap] = updated
(1) if (!control:Auth-Type) {
(1) if (!control:Auth-Type) -> FALSE
(1) } # authorize = updated
(1) Found Auth-Type = EAP
(1) # Executing group from file /var/run/otpme/freeradius/radiusd.conf
(1) Auth-Type EAP {
(1) eap: Removing EAP session with state 0xac2b487aac085271
(1) eap: Previous EAP request found for state 0xac2b487aac085271,
released from the list
(1) eap: Peer sent packet with method EAP NAK (3)
(1) eap: Found mutually acceptable type PEAP (25)
(1) eap: Calling submodule eap_peap to process data
(1) eap_peap: (TLS) PEAP -Initiating new session
(1) eap: Sending EAP Request (code 1) ID 36 length 6
(1) eap: EAP session adding &reply:State = 0xac2b487aad0f5171
(1) [eap] = handled
(1) } # Auth-Type EAP = handled
(1) Using Post-Auth-Type Challenge
(1) Post-Auth-Type sub-section not found. Ignoring.
(1) session-state: Saving cached attributes
(1) Framed-MTU = 994
(1) Sent Access-Challenge Id 205 from 10.219.195.1:1812 to
10.219.195.225:38276 length 64
(1) EAP-Message = 0x012400061920
(1) Message-Authenticator = 0x00000000000000000000000000000000
(1) State = 0xac2b487aad0f51714e974a6b4baa7cab
(1) Finished request
Waking up in 4.9 seconds.
(2) Received Access-Request Id 206 from 10.219.195.225:38276 to
10.219.195.1:1812 length 364
(2) User-Name = "test"
(2) NAS-Identifier = "ap01-hbap"
(2) Called-Station-Id = "B4-4B-D6-26-BA-86:hboss"
(2) NAS-Port-Type = Wireless-802.11
(2) Service-Type = Framed-User
(2) NAS-Port = 3
(2) Calling-Station-Id = "A6-5F-75-98-A5-06"
(2) Connect-Info = "CONNECT 54Mbps 802.11a"
(2) Acct-Session-Id = "EEFF590BE3BB6A1C"
(2) WLAN-Pairwise-Cipher = 1027076
(2) WLAN-Group-Cipher = 1027076
(2) WLAN-AKM-Suite = 1027073
(2) Framed-MTU = 1400
(2) EAP-Message =
0x022400a119800000009716030100920100008e0303696381086bafdecf86b47ad4c93e56a3b253ab52e8d2d1935c21005877f5eeb700002c00ffc02cc02bc024c023c00ac009c008c030c02fc028c027c014c013c012009d009c003d003c0035002f000a01000039000a00080006001700180019000b00020100000d00120010040102010501060104030203050306030005000501000000000012000000170000
(2) State = 0xac2b487aad0f51714e974a6b4baa7cab
(2) Message-Authenticator = 0x8d8adccff2d8071b49b73e04caacb294
(2) Restoring &session-state
(2) &session-state:Framed-MTU = 994
(2) # Executing section authorize from file
/var/run/otpme/freeradius/radiusd.conf
(2) authorize {
(2) eap: Peer sent EAP Response (code 2) ID 36 length 161
(2) eap: Continuing tunnel setup
(2) [eap] = ok
(2) if (!control:Auth-Type) {
(2) if (!control:Auth-Type) -> FALSE
(2) } # authorize = ok
(2) Found Auth-Type = EAP
(2) # Executing group from file /var/run/otpme/freeradius/radiusd.conf
(2) Auth-Type EAP {
(2) eap: Removing EAP session with state 0xac2b487aad0f5171
(2) eap: Previous EAP request found for state 0xac2b487aad0f5171,
released from the list
(2) eap: Peer sent packet with method EAP PEAP (25)
(2) eap: Calling submodule eap_peap to process data
(2) eap_peap: (TLS) EAP Peer says that the final record size will be 151
bytes
(2) eap_peap: (TLS) EAP Got all data (151 bytes)
(2) eap_peap: (TLS) PEAP - Handshake state - before SSL initialization
(2) eap_peap: (TLS) PEAP - Handshake state - Server before SSL
initialization
(2) eap_peap: (TLS) PEAP - Handshake state - Server before SSL
initialization
(2) eap_peap: (TLS) PEAP - recv TLS 1.3 Handshake, ClientHello
(2) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS read
client hello
(2) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, ServerHello
(2) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write
server hello
(2) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, Certificate
(2) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write
certificate
(2) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange
(2) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write key
exchange
(2) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone
(2) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write
server done
(2) eap_peap: (TLS) PEAP - Server : Need to read more data: SSLv3/TLS
write server done
(2) eap_peap: (TLS) PEAP - In Handshake Phase
(2) eap: Sending EAP Request (code 1) ID 37 length 1004
(2) eap: EAP session adding &reply:State = 0xac2b487aae0e5171
(2) [eap] = handled
(2) } # Auth-Type EAP = handled
(2) Using Post-Auth-Type Challenge
(2) Post-Auth-Type sub-section not found. Ignoring.
(2) session-state: Saving cached attributes
(2) Framed-MTU = 994
(2) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake,
ClientHello"
(2) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake,
ServerHello"
(2) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake,
Certificate"
(2) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake,
ServerKeyExchange"
(2) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake,
ServerHelloDone"
(2) Sent Access-Challenge Id 206 from 10.219.195.1:1812 to
10.219.195.225:38276 length 1068
(2) EAP-Message =
0x012503ec19c000000bd7160303003d0200003903037d9615ce8191f6cead070312ee58c68647bb340519841c210fc1a6f586ebbff400c030000011ff01000100000b000403000102001700001603030a350b000a31000a2e000499308204953082027da003020102020705fea02d221361300d06092a864886f70d01010b05003076312a302806035504030c212f68626f73732e696e7465726e2f6b6f626c656e7a2f6361732f534954455f4341310b3009060355040613024445310c300a06035504080c03524c503110300e06035504070c074b6f626c656e7a310e300c060355040a0c0548424f5353310b3009060355040b0c024954301e170d3233303632313039313330395a170d3338303631373039313330395a3069311d301b06035504030c146b6f626c656e7a2e68626f73732e696e7465726e310b3009060355040613024445310c300a06035504080c03524c503110300e06035504070c074b6f626c656e7a310e300c060355040a0c0548424f535331
(2) Message-Authenticator = 0x00000000000000000000000000000000
(2) State = 0xac2b487aae0e51714e974a6b4baa7cab
(2) Finished request
Waking up in 4.9 seconds.
(3) Received Access-Request Id 207 from 10.219.195.225:38276 to
10.219.195.1:1812 length 209
(3) User-Name = "test"
(3) NAS-Identifier = "ap01-hbap"
(3) Called-Station-Id = "B4-4B-D6-26-BA-86:hboss"
(3) NAS-Port-Type = Wireless-802.11
(3) Service-Type = Framed-User
(3) NAS-Port = 3
(3) Calling-Station-Id = "A6-5F-75-98-A5-06"
(3) Connect-Info = "CONNECT 54Mbps 802.11a"
(3) Acct-Session-Id = "EEFF590BE3BB6A1C"
(3) WLAN-Pairwise-Cipher = 1027076
(3) WLAN-Group-Cipher = 1027076
(3) WLAN-AKM-Suite = 1027073
(3) Framed-MTU = 1400
(3) EAP-Message = 0x022500061900
(3) State = 0xac2b487aae0e51714e974a6b4baa7cab
(3) Message-Authenticator = 0xbfa1456c3a23563d3ae031e3ab7b871c
(3) Restoring &session-state
(3) &session-state:Framed-MTU = 994
(3) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS
1.3 Handshake, ClientHello"
(3) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS
1.2 Handshake, ServerHello"
(3) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS
1.2 Handshake, Certificate"
(3) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS
1.2 Handshake, ServerKeyExchange"
(3) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS
1.2 Handshake, ServerHelloDone"
(3) # Executing section authorize from file
/var/run/otpme/freeradius/radiusd.conf
(3) authorize {
(3) eap: Peer sent EAP Response (code 2) ID 37 length 6
(3) eap: Continuing tunnel setup
(3) [eap] = ok
(3) if (!control:Auth-Type) {
(3) if (!control:Auth-Type) -> FALSE
(3) } # authorize = ok
(3) Found Auth-Type = EAP
(3) # Executing group from file /var/run/otpme/freeradius/radiusd.conf
(3) Auth-Type EAP {
(3) eap: Removing EAP session with state 0xac2b487aae0e5171
(3) eap: Previous EAP request found for state 0xac2b487aae0e5171,
released from the list
(3) eap: Peer sent packet with method EAP PEAP (25)
(3) eap: Calling submodule eap_peap to process data
(3) eap_peap: (TLS) Peer ACKed our handshake fragment
(3) eap: Sending EAP Request (code 1) ID 38 length 1000
(3) eap: EAP session adding &reply:State = 0xac2b487aaf0d5171
(3) [eap] = handled
(3) } # Auth-Type EAP = handled
(3) Using Post-Auth-Type Challenge
(3) Post-Auth-Type sub-section not found. Ignoring.
(3) session-state: Saving cached attributes
(3) Framed-MTU = 994
(3) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake,
ClientHello"
(3) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake,
ServerHello"
(3) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake,
Certificate"
(3) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake,
ServerKeyExchange"
(3) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake,
ServerHelloDone"
(3) Sent Access-Challenge Id 207 from 10.219.195.1:1812 to
10.219.195.225:38276 length 1064
(3) EAP-Message =
0x012603e819406729c41ca39fed55f40b0703e590f4ef3fe75165ed505d0e8e33187c7f82a4fa97311282257e3dca08d5818a76cee90d8aea88403b1d62eda2f8ed0e7cc7d72ce4f25e3497d7cbb88d5fb3e76fd5eb2cb7c29126896e5cf175ca9a6b177812f14e4ad1acc69c7a07a33ad3e880179c3971584f08442b7bfe40153886a8e68f88b2ebd088522f0214474a905d560fa04a8f20a966b67e072e644b106f92e95d3fc468afe1b60ff5b30eabfd9eb217f1847f6a24ab5f922365ecc2bb16be43951cbf4cf33735cd9fc4a0337c1632c68690fb8748b78e6f1fe6534e092fc9b9f25123a0a3ed26215dc6b0b765bbe2272058c9bf0935cb8ac47c5b1f7bd20e474f71a760f1db1b8a45da00058f3082058b30820373a003020102020705fea02cf10b27300d06092a864886f70d01010b05003077312b302906035504030c222f68626f73732e696e7465726e2f6b6f626c656e7a2f6361732f5245414c4d5f4341310b3009060355040613024445310c300a06
(3) Message-Authenticator = 0x00000000000000000000000000000000
(3) State = 0xac2b487aaf0d51714e974a6b4baa7cab
(3) Finished request
Waking up in 4.9 seconds.
(4) Received Access-Request Id 208 from 10.219.195.225:38276 to
10.219.195.1:1812 length 209
(4) User-Name = "test"
(4) NAS-Identifier = "ap01-hbap"
(4) Called-Station-Id = "B4-4B-D6-26-BA-86:hboss"
(4) NAS-Port-Type = Wireless-802.11
(4) Service-Type = Framed-User
(4) NAS-Port = 3
(4) Calling-Station-Id = "A6-5F-75-98-A5-06"
(4) Connect-Info = "CONNECT 54Mbps 802.11a"
(4) Acct-Session-Id = "EEFF590BE3BB6A1C"
(4) WLAN-Pairwise-Cipher = 1027076
(4) WLAN-Group-Cipher = 1027076
(4) WLAN-AKM-Suite = 1027073
(4) Framed-MTU = 1400
(4) EAP-Message = 0x022600061900
(4) State = 0xac2b487aaf0d51714e974a6b4baa7cab
(4) Message-Authenticator = 0x5cb8800c3a7ed09d207a2ef341573028
(4) Restoring &session-state
(4) &session-state:Framed-MTU = 994
(4) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS
1.3 Handshake, ClientHello"
(4) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS
1.2 Handshake, ServerHello"
(4) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS
1.2 Handshake, Certificate"
(4) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS
1.2 Handshake, ServerKeyExchange"
(4) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS
1.2 Handshake, ServerHelloDone"
(4) # Executing section authorize from file
/var/run/otpme/freeradius/radiusd.conf
(4) authorize {
(4) eap: Peer sent EAP Response (code 2) ID 38 length 6
(4) eap: Continuing tunnel setup
(4) [eap] = ok
(4) if (!control:Auth-Type) {
(4) if (!control:Auth-Type) -> FALSE
(4) } # authorize = ok
(4) Found Auth-Type = EAP
(4) # Executing group from file /var/run/otpme/freeradius/radiusd.conf
(4) Auth-Type EAP {
(4) eap: Removing EAP session with state 0xac2b487aaf0d5171
(4) eap: Previous EAP request found for state 0xac2b487aaf0d5171,
released from the list
(4) eap: Peer sent packet with method EAP PEAP (25)
(4) eap: Calling submodule eap_peap to process data
(4) eap_peap: (TLS) Peer ACKed our handshake fragment
(4) eap: Sending EAP Request (code 1) ID 39 length 1000
(4) eap: EAP session adding &reply:State = 0xac2b487aa80c5171
(4) [eap] = handled
(4) } # Auth-Type EAP = handled
(4) Using Post-Auth-Type Challenge
(4) Post-Auth-Type sub-section not found. Ignoring.
(4) session-state: Saving cached attributes
(4) Framed-MTU = 994
(4) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake,
ClientHello"
(4) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake,
ServerHello"
(4) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake,
Certificate"
(4) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake,
ServerKeyExchange"
(4) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake,
ServerHelloDone"
(4) Sent Access-Challenge Id 208 from 10.219.195.1:1812 to
10.219.195.225:38276 length 1064
(4) EAP-Message =
0x012703e81940603ef2f2884b299ace212671ea16a0df8d30640875c03aaef2ac1e4cd0b45487fcb99234083e915ecded1171c41b3eb10b7c736e781a97f17e3aa3b85d0f5b5f35d09ce1570d621b9dc5be4b4f9ecae899a6d0949b7eed4ebcbf64a48aa40d41d3c07d33da2e8d816dd2eba719a8b75d53dfa7ecb5a35b7cec093710efea7ff30203010001a31d301b300c0603551d13040530030101ff300b0603551d0f040403020106300d06092a864886f70d01010b0500038202010048ed80b6b8d9f45c988d3a8c439f33112acf5a1a90a3e79a8622a919c7fa078d6bcfcb743a26ddd8bc1bc56f9071c89b8a986b33eeb0c6defe6f99834b9a90da8089c002815951b451f4b9d4ed8225888e5b77b04f9131487a830c71082209525143b143d9335eb02b382660f462e5b6d5e4dd2991b894148e23f6ce2be12f76406890fe48dba3e0c97b33089c20f7466a37daa34eb110f7d9cf47553fae6f7453ad44e48fa154f1db59066d3250216bde12320eed158d5197
(4) Message-Authenticator = 0x00000000000000000000000000000000
(4) State = 0xac2b487aa80c51714e974a6b4baa7cab
(4) Finished request
Waking up in 4.9 seconds.
(5) Received Access-Request Id 209 from 10.219.195.225:38276 to
10.219.195.1:1812 length 209
(5) User-Name = "test"
(5) NAS-Identifier = "ap01-hbap"
(5) Called-Station-Id = "B4-4B-D6-26-BA-86:hboss"
(5) NAS-Port-Type = Wireless-802.11
(5) Service-Type = Framed-User
(5) NAS-Port = 3
(5) Calling-Station-Id = "A6-5F-75-98-A5-06"
(5) Connect-Info = "CONNECT 54Mbps 802.11a"
(5) Acct-Session-Id = "EEFF590BE3BB6A1C"
(5) WLAN-Pairwise-Cipher = 1027076
(5) WLAN-Group-Cipher = 1027076
(5) WLAN-AKM-Suite = 1027073
(5) Framed-MTU = 1400
(5) EAP-Message = 0x022700061900
(5) State = 0xac2b487aa80c51714e974a6b4baa7cab
(5) Message-Authenticator = 0x4904b50139129c9ee3d149be137fb45e
(5) Restoring &session-state
(5) &session-state:Framed-MTU = 994
(5) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS
1.3 Handshake, ClientHello"
(5) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS
1.2 Handshake, ServerHello"
(5) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS
1.2 Handshake, Certificate"
(5) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS
1.2 Handshake, ServerKeyExchange"
(5) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS
1.2 Handshake, ServerHelloDone"
(5) # Executing section authorize from file
/var/run/otpme/freeradius/radiusd.conf
(5) authorize {
(5) eap: Peer sent EAP Response (code 2) ID 39 length 6
(5) eap: Continuing tunnel setup
(5) [eap] = ok
(5) if (!control:Auth-Type) {
(5) if (!control:Auth-Type) -> FALSE
(5) } # authorize = ok
(5) Found Auth-Type = EAP
(5) # Executing group from file /var/run/otpme/freeradius/radiusd.conf
(5) Auth-Type EAP {
(5) eap: Removing EAP session with state 0xac2b487aa80c5171
(5) eap: Previous EAP request found for state 0xac2b487aa80c5171,
released from the list
(5) eap: Peer sent packet with method EAP PEAP (25)
(5) eap: Calling submodule eap_peap to process data
(5) eap_peap: (TLS) Peer ACKed our handshake fragment
(5) eap: Sending EAP Request (code 1) ID 40 length 55
(5) eap: EAP session adding &reply:State = 0xac2b487aa9035171
(5) [eap] = handled
(5) } # Auth-Type EAP = handled
(5) Using Post-Auth-Type Challenge
(5) Post-Auth-Type sub-section not found. Ignoring.
(5) session-state: Saving cached attributes
(5) Framed-MTU = 994
(5) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake,
ClientHello"
(5) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake,
ServerHello"
(5) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake,
Certificate"
(5) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake,
ServerKeyExchange"
(5) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake,
ServerHelloDone"
(5) Sent Access-Challenge Id 209 from 10.219.195.1:1812 to
10.219.195.225:38276 length 113
(5) EAP-Message =
0x012800371900b048c07ac17f86f9c727014f0cc6a508653ff99a95e6e84a4829d48058b9132be05c9c1b68de733316030300040e000000
(5) Message-Authenticator = 0x00000000000000000000000000000000
(5) State = 0xac2b487aa90351714e974a6b4baa7cab
(5) Finished request
Waking up in 4.9 seconds.
(6) Received Access-Request Id 210 from 10.219.195.225:38276 to
10.219.195.1:1812 length 339
(6) User-Name = "test"
(6) NAS-Identifier = "ap01-hbap"
(6) Called-Station-Id = "B4-4B-D6-26-BA-86:hboss"
(6) NAS-Port-Type = Wireless-802.11
(6) Service-Type = Framed-User
(6) NAS-Port = 3
(6) Calling-Station-Id = "A6-5F-75-98-A5-06"
(6) Connect-Info = "CONNECT 54Mbps 802.11a"
(6) Acct-Session-Id = "EEFF590BE3BB6A1C"
(6) WLAN-Pairwise-Cipher = 1027076
(6) WLAN-Group-Cipher = 1027076
(6) WLAN-AKM-Suite = 1027073
(6) Framed-MTU = 1400
(6) EAP-Message =
0x0228008819800000007e16030300461000004241041914318456c90b3eed960cc0f427749a4a58dea1c45b04d88e0d4aa358aa753149db3707404dba0da11104816db305bfb16c221d10d02ca05f66f05e90868b1914030300010116030300284ae33342f449b98c815966dbee60f4bfb147c6898c284415f0f4f449d2ff033a5ec9027ddb4ce85f
(6) State = 0xac2b487aa90351714e974a6b4baa7cab
(6) Message-Authenticator = 0x4765ff00e4d57c7b8098fe86dc4fa440
(6) Restoring &session-state
(6) &session-state:Framed-MTU = 994
(6) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS
1.3 Handshake, ClientHello"
(6) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS
1.2 Handshake, ServerHello"
(6) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS
1.2 Handshake, Certificate"
(6) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS
1.2 Handshake, ServerKeyExchange"
(6) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS
1.2 Handshake, ServerHelloDone"
(6) # Executing section authorize from file
/var/run/otpme/freeradius/radiusd.conf
(6) authorize {
(6) eap: Peer sent EAP Response (code 2) ID 40 length 136
(6) eap: Continuing tunnel setup
(6) [eap] = ok
(6) if (!control:Auth-Type) {
(6) if (!control:Auth-Type) -> FALSE
(6) } # authorize = ok
(6) Found Auth-Type = EAP
(6) # Executing group from file /var/run/otpme/freeradius/radiusd.conf
(6) Auth-Type EAP {
(6) eap: Removing EAP session with state 0xac2b487aa9035171
(6) eap: Previous EAP request found for state 0xac2b487aa9035171,
released from the list
(6) eap: Peer sent packet with method EAP PEAP (25)
(6) eap: Calling submodule eap_peap to process data
(6) eap_peap: (TLS) EAP Peer says that the final record size will be 126
bytes
(6) eap_peap: (TLS) EAP Got all data (126 bytes)
(6) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write
server done
(6) eap_peap: (TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange
(6) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS read
client key exchange
(6) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS read
change cipher spec
(6) eap_peap: (TLS) PEAP - recv TLS 1.2 Handshake, Finished
(6) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS read finished
(6) eap_peap: (TLS) PEAP - send TLS 1.2 ChangeCipherSpec
(6) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write
change cipher spec
(6) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, Finished
(6) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write finished
(6) eap_peap: (TLS) PEAP - Handshake state - SSL negotiation finished
successfully
(6) eap_peap: (TLS) PEAP - Connection Established
(6) eap_peap: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(6) eap_peap: TLS-Session-Version = "TLS 1.2"
(6) eap: Sending EAP Request (code 1) ID 41 length 57
(6) eap: EAP session adding &reply:State = 0xac2b487aaa025171
(6) [eap] = handled
(6) } # Auth-Type EAP = handled
(6) Using Post-Auth-Type Challenge
(6) Post-Auth-Type sub-section not found. Ignoring.
(6) session-state: Saving cached attributes
(6) Framed-MTU = 994
(6) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake,
ClientHello"
(6) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake,
ServerHello"
(6) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake,
Certificate"
(6) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake,
ServerKeyExchange"
(6) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake,
ServerHelloDone"
(6) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake,
ClientKeyExchange"
(6) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake,
Finished"
(6) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec"
(6) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake,
Finished"
(6) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(6) TLS-Session-Version = "TLS 1.2"
(6) Sent Access-Challenge Id 210 from 10.219.195.1:1812 to
10.219.195.225:38276 length 115
(6) EAP-Message =
0x01290039190014030300010116030300282209ea55626d5fee2bc36d1a8a06ba29ee44eb2847cffb3da18d6d212b1f8b681bddb7d42c7dc10a
(6) Message-Authenticator = 0x00000000000000000000000000000000
(6) State = 0xac2b487aaa0251714e974a6b4baa7cab
(6) Finished request
Waking up in 4.8 seconds.
(7) Received Access-Request Id 211 from 10.219.195.225:38276 to
10.219.195.1:1812 length 209
(7) User-Name = "test"
(7) NAS-Identifier = "ap01-hbap"
(7) Called-Station-Id = "B4-4B-D6-26-BA-86:hboss"
(7) NAS-Port-Type = Wireless-802.11
(7) Service-Type = Framed-User
(7) NAS-Port = 3
(7) Calling-Station-Id = "A6-5F-75-98-A5-06"
(7) Connect-Info = "CONNECT 54Mbps 802.11a"
(7) Acct-Session-Id = "EEFF590BE3BB6A1C"
(7) WLAN-Pairwise-Cipher = 1027076
(7) WLAN-Group-Cipher = 1027076
(7) WLAN-AKM-Suite = 1027073
(7) Framed-MTU = 1400
(7) EAP-Message = 0x022900061900
(7) State = 0xac2b487aaa0251714e974a6b4baa7cab
(7) Message-Authenticator = 0xb01820edd9de0eb9ebd79cea4c818884
(7) Restoring &session-state
(7) &session-state:Framed-MTU = 994
(7) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS
1.3 Handshake, ClientHello"
(7) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS
1.2 Handshake, ServerHello"
(7) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS
1.2 Handshake, Certificate"
(7) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS
1.2 Handshake, ServerKeyExchange"
(7) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS
1.2 Handshake, ServerHelloDone"
(7) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS
1.2 Handshake, ClientKeyExchange"
(7) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS
1.2 Handshake, Finished"
(7) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS
1.2 ChangeCipherSpec"
(7) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS
1.2 Handshake, Finished"
(7) &session-state:TLS-Session-Cipher-Suite =
"ECDHE-RSA-AES256-GCM-SHA384"
(7) &session-state:TLS-Session-Version = "TLS 1.2"
(7) # Executing section authorize from file
/var/run/otpme/freeradius/radiusd.conf
(7) authorize {
(7) eap: Peer sent EAP Response (code 2) ID 41 length 6
(7) eap: Continuing tunnel setup
(7) [eap] = ok
(7) if (!control:Auth-Type) {
(7) if (!control:Auth-Type) -> FALSE
(7) } # authorize = ok
(7) Found Auth-Type = EAP
(7) # Executing group from file /var/run/otpme/freeradius/radiusd.conf
(7) Auth-Type EAP {
(7) eap: Removing EAP session with state 0xac2b487aaa025171
(7) eap: Previous EAP request found for state 0xac2b487aaa025171,
released from the list
(7) eap: Peer sent packet with method EAP PEAP (25)
(7) eap: Calling submodule eap_peap to process data
(7) eap_peap: (TLS) Peer ACKed our handshake fragment. handshake is
finished
(7) eap_peap: Session established. Decoding tunneled attributes
(7) eap_peap: PEAP state TUNNEL ESTABLISHED
(7) eap: Sending EAP Request (code 1) ID 42 length 40
(7) eap: EAP session adding &reply:State = 0xac2b487aab015171
(7) [eap] = handled
(7) } # Auth-Type EAP = handled
(7) Using Post-Auth-Type Challenge
(7) Post-Auth-Type sub-section not found. Ignoring.
(7) session-state: Saving cached attributes
(7) Framed-MTU = 994
(7) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake,
ClientHello"
(7) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake,
ServerHello"
(7) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake,
Certificate"
(7) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake,
ServerKeyExchange"
(7) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake,
ServerHelloDone"
(7) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake,
ClientKeyExchange"
(7) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake,
Finished"
(7) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec"
(7) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake,
Finished"
(7) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(7) TLS-Session-Version = "TLS 1.2"
(7) Sent Access-Challenge Id 211 from 10.219.195.1:1812 to
10.219.195.225:38276 length 98
(7) EAP-Message =
0x012a00281900170303001d2209ea55626d5fef324c805c6b28f660cb29d8bd4026022faedaf16c29
(7) Message-Authenticator = 0x00000000000000000000000000000000
(7) State = 0xac2b487aab0151714e974a6b4baa7cab
(7) Finished request
Waking up in 4.8 seconds.
(8) Received Access-Request Id 212 from 10.219.195.225:38276 to
10.219.195.1:1812 length 243
(8) User-Name = "test"
(8) NAS-Identifier = "ap01-hbap"
(8) Called-Station-Id = "B4-4B-D6-26-BA-86:hboss"
(8) NAS-Port-Type = Wireless-802.11
(8) Service-Type = Framed-User
(8) NAS-Port = 3
(8) Calling-Station-Id = "A6-5F-75-98-A5-06"
(8) Connect-Info = "CONNECT 54Mbps 802.11a"
(8) Acct-Session-Id = "EEFF590BE3BB6A1C"
(8) WLAN-Pairwise-Cipher = 1027076
(8) WLAN-Group-Cipher = 1027076
(8) WLAN-AKM-Suite = 1027073
(8) Framed-MTU = 1400
(8) EAP-Message =
0x022a00281900170303001d4ae33342f449b98d13c961f594f00dcb253fa40f83e7aec02fab3fb55a
(8) State = 0xac2b487aab0151714e974a6b4baa7cab
(8) Message-Authenticator = 0xcea0cff4f6afbee50b7007acbe9993a1
(8) Restoring &session-state
(8) &session-state:Framed-MTU = 994
(8) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS
1.3 Handshake, ClientHello"
(8) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS
1.2 Handshake, ServerHello"
(8) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS
1.2 Handshake, Certificate"
(8) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS
1.2 Handshake, ServerKeyExchange"
(8) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS
1.2 Handshake, ServerHelloDone"
(8) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS
1.2 Handshake, ClientKeyExchange"
(8) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS
1.2 Handshake, Finished"
(8) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS
1.2 ChangeCipherSpec"
(8) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS
1.2 Handshake, Finished"
(8) &session-state:TLS-Session-Cipher-Suite =
"ECDHE-RSA-AES256-GCM-SHA384"
(8) &session-state:TLS-Session-Version = "TLS 1.2"
(8) # Executing section authorize from file
/var/run/otpme/freeradius/radiusd.conf
(8) authorize {
(8) eap: Peer sent EAP Response (code 2) ID 42 length 40
(8) eap: Continuing tunnel setup
(8) [eap] = ok
(8) if (!control:Auth-Type) {
(8) if (!control:Auth-Type) -> FALSE
(8) } # authorize = ok
(8) Found Auth-Type = EAP
(8) # Executing group from file /var/run/otpme/freeradius/radiusd.conf
(8) Auth-Type EAP {
(8) eap: Removing EAP session with state 0xac2b487aab015171
(8) eap: Previous EAP request found for state 0xac2b487aab015171,
released from the list
(8) eap: Peer sent packet with method EAP PEAP (25)
(8) eap: Calling submodule eap_peap to process data
(8) eap_peap: (TLS) EAP Done initial handshake
(8) eap_peap: Session established. Decoding tunneled attributes
(8) eap_peap: PEAP state WAITING FOR INNER IDENTITY
(8) eap_peap: Identity - test
(8) eap_peap: Got inner identity 'test'
(8) eap_peap: Setting default EAP type for tunneled EAP session
(8) eap_peap: Got tunneled request
(8) eap_peap: EAP-Message = 0x022a00090174657374
(8) eap_peap: Setting User-Name to test
(8) eap_peap: Sending tunneled request to otpme
(8) eap_peap: EAP-Message = 0x022a00090174657374
(8) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(8) eap_peap: User-Name = "test"
(8) eap_peap: NAS-Identifier = "ap01-hbap"
(8) eap_peap: Called-Station-Id = "B4-4B-D6-26-BA-86:hboss"
(8) eap_peap: NAS-Port-Type = Wireless-802.11
(8) eap_peap: Service-Type = Framed-User
(8) eap_peap: NAS-Port = 3
(8) eap_peap: Calling-Station-Id = "A6-5F-75-98-A5-06"
(8) eap_peap: Connect-Info = "CONNECT 54Mbps 802.11a"
(8) eap_peap: Acct-Session-Id = "EEFF590BE3BB6A1C"
(8) eap_peap: WLAN-Pairwise-Cipher = 1027076
(8) eap_peap: WLAN-Group-Cipher = 1027076
(8) eap_peap: WLAN-AKM-Suite = 1027073
(8) eap_peap: Framed-MTU = 1400
(8) Virtual server otpme received request
(8) EAP-Message = 0x022a00090174657374
(8) FreeRADIUS-Proxied-To = 127.0.0.1
(8) User-Name = "test"
(8) NAS-Identifier = "ap01-hbap"
(8) Called-Station-Id = "B4-4B-D6-26-BA-86:hboss"
(8) NAS-Port-Type = Wireless-802.11
(8) Service-Type = Framed-User
(8) NAS-Port = 3
(8) Calling-Station-Id = "A6-5F-75-98-A5-06"
(8) Connect-Info = "CONNECT 54Mbps 802.11a"
(8) Acct-Session-Id = "EEFF590BE3BB6A1C"
(8) WLAN-Pairwise-Cipher = 1027076
(8) WLAN-Group-Cipher = 1027076
(8) WLAN-AKM-Suite = 1027073
(8) Framed-MTU = 1400
(8) WARNING: Outer and inner identities are the same. User privacy is
compromised.
(8) server otpme {
(8) # Executing section authorize from file
/var/run/otpme/freeradius/radiusd.conf
(8) authorize {
(8) eap: Peer sent EAP Response (code 2) ID 42 length 9
(8) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(8) [eap] = ok
(8) if (!control:Auth-Type) {
(8) if (!control:Auth-Type) -> FALSE
(8) } # authorize = ok
(8) Found Auth-Type = EAP
(8) # Executing group from file /var/run/otpme/freeradius/radiusd.conf
(8) Auth-Type EAP {
(8) eap: Peer sent packet with method EAP Identity (1)
(8) eap: Calling submodule eap_mschapv2 to process data
(8) eap_mschapv2: Issuing Challenge
(8) eap: Sending EAP Request (code 1) ID 43 length 42
(8) eap: EAP session adding &reply:State = 0x4d7ab8054d51a258
(8) [eap] = handled
(8) } # Auth-Type EAP = handled
(8) Using Post-Auth-Type Challenge
(8) Post-Auth-Type sub-section not found. Ignoring.
(8) } # server otpme
(8) Virtual server sending reply
(8) EAP-Message =
0x012b002a1a012b002510b158d692e01e55d324fba4bd46d9b3a1667265657261646975732d332e322e36
(8) Message-Authenticator = 0x00000000000000000000000000000000
(8) State = 0x4d7ab8054d51a258be49ba37bb208c58
(8) eap_peap: Got tunneled reply code 11
(8) eap_peap: EAP-Message =
0x012b002a1a012b002510b158d692e01e55d324fba4bd46d9b3a1667265657261646975732d332e322e36
(8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(8) eap_peap: State = 0x4d7ab8054d51a258be49ba37bb208c58
(8) eap_peap: Got tunneled reply RADIUS code 11
(8) eap_peap: EAP-Message =
0x012b002a1a012b002510b158d692e01e55d324fba4bd46d9b3a1667265657261646975732d332e322e36
(8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(8) eap_peap: State = 0x4d7ab8054d51a258be49ba37bb208c58
(8) eap_peap: Got tunneled Access-Challenge
(8) eap: Sending EAP Request (code 1) ID 43 length 73
(8) eap: EAP session adding &reply:State = 0xac2b487aa4005171
(8) [eap] = handled
(8) } # Auth-Type EAP = handled
(8) Using Post-Auth-Type Challenge
(8) Post-Auth-Type sub-section not found. Ignoring.
(8) session-state: Saving cached attributes
(8) Framed-MTU = 994
(8) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake,
ClientHello"
(8) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake,
ServerHello"
(8) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake,
Certificate"
(8) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake,
ServerKeyExchange"
(8) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake,
ServerHelloDone"
(8) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake,
ClientKeyExchange"
(8) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake,
Finished"
(8) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec"
(8) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake,
Finished"
(8) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(8) TLS-Session-Version = "TLS 1.2"
(8) Sent Access-Challenge Id 212 from 10.219.195.1:1812 to
10.219.195.225:38276 length 131
(8) EAP-Message =
0x012b00491900170303003e2209ea55626d5ff0baf80a2c42ec6788dd5d4663e3245c6aaaef10c2c1deb1d2ad96fab8a4438ea319ff3f70d6d27ae2c8a9d4aa8dc68429000232767ded
(8) Message-Authenticator = 0x00000000000000000000000000000000
(8) State = 0xac2b487aa40051714e974a6b4baa7cab
(8) Finished request
Waking up in 4.8 seconds.
(9) Received Access-Request Id 213 from 10.219.195.225:38276 to
10.219.195.1:1812 length 297
(9) User-Name = "test"
(9) NAS-Identifier = "ap01-hbap"
(9) Called-Station-Id = "B4-4B-D6-26-BA-86:hboss"
(9) NAS-Port-Type = Wireless-802.11
(9) Service-Type = Framed-User
(9) NAS-Port = 3
(9) Calling-Station-Id = "A6-5F-75-98-A5-06"
(9) Connect-Info = "CONNECT 54Mbps 802.11a"
(9) Acct-Session-Id = "EEFF590BE3BB6A1C"
(9) WLAN-Pairwise-Cipher = 1027076
(9) WLAN-Group-Cipher = 1027076
(9) WLAN-AKM-Suite = 1027073
(9) Framed-MTU = 1400
(9) EAP-Message =
0x022b005e190017030300534ae33342f449b98e94136a54fa9773216317d2ebacdd3c8cea4603265909a0054c9dbb0bc8083fe2bd3ff8548dde3574e03c15d2b5a9ba2568d6711d69a8859b8fe148f477919afc4ccdbd64664e50b2cf5a5f
(9) State = 0xac2b487aa40051714e974a6b4baa7cab
(9) Message-Authenticator = 0x70ed0ad4ec446ceb8871e3c49ec3026a
(9) Restoring &session-state
(9) &session-state:Framed-MTU = 994
(9) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS
1.3 Handshake, ClientHello"
(9) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS
1.2 Handshake, ServerHello"
(9) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS
1.2 Handshake, Certificate"
(9) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS
1.2 Handshake, ServerKeyExchange"
(9) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS
1.2 Handshake, ServerHelloDone"
(9) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS
1.2 Handshake, ClientKeyExchange"
(9) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS
1.2 Handshake, Finished"
(9) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS
1.2 ChangeCipherSpec"
(9) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS
1.2 Handshake, Finished"
(9) &session-state:TLS-Session-Cipher-Suite =
"ECDHE-RSA-AES256-GCM-SHA384"
(9) &session-state:TLS-Session-Version = "TLS 1.2"
(9) # Executing section authorize from file
/var/run/otpme/freeradius/radiusd.conf
(9) authorize {
(9) eap: Peer sent EAP Response (code 2) ID 43 length 94
(9) eap: Continuing tunnel setup
(9) [eap] = ok
(9) if (!control:Auth-Type) {
(9) if (!control:Auth-Type) -> FALSE
(9) } # authorize = ok
(9) Found Auth-Type = EAP
(9) # Executing group from file /var/run/otpme/freeradius/radiusd.conf
(9) Auth-Type EAP {
(9) eap: Removing EAP session with state 0xac2b487aa4005171
(9) eap: Previous EAP request found for state 0xac2b487aa4005171,
released from the list
(9) eap: Peer sent packet with method EAP PEAP (25)
(9) eap: Calling submodule eap_peap to process data
(9) eap_peap: (TLS) EAP Done initial handshake
(9) eap_peap: Session established. Decoding tunneled attributes
(9) eap_peap: PEAP state phase2
(9) eap_peap: EAP method MSCHAPv2 (26)
(9) eap_peap: Got tunneled request
(9) eap_peap: EAP-Message =
0x022b003f1a022b003a3106a05c6e463eb6c51b322211d9918db400000000000000002d5a72c8ea7f1462f326cb9167cd3ef55e1d254c2141aafa0074657374
(9) eap_peap: Setting User-Name to test
(9) eap_peap: Sending tunneled request to otpme
(9) eap_peap: EAP-Message =
0x022b003f1a022b003a3106a05c6e463eb6c51b322211d9918db400000000000000002d5a72c8ea7f1462f326cb9167cd3ef55e1d254c2141aafa0074657374
(9) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(9) eap_peap: User-Name = "test"
(9) eap_peap: State = 0x4d7ab8054d51a258be49ba37bb208c58
(9) eap_peap: NAS-Identifier = "ap01-hbap"
(9) eap_peap: Called-Station-Id = "B4-4B-D6-26-BA-86:hboss"
(9) eap_peap: NAS-Port-Type = Wireless-802.11
(9) eap_peap: Service-Type = Framed-User
(9) eap_peap: NAS-Port = 3
(9) eap_peap: Calling-Station-Id = "A6-5F-75-98-A5-06"
(9) eap_peap: Connect-Info = "CONNECT 54Mbps 802.11a"
(9) eap_peap: Acct-Session-Id = "EEFF590BE3BB6A1C"
(9) eap_peap: WLAN-Pairwise-Cipher = 1027076
(9) eap_peap: WLAN-Group-Cipher = 1027076
(9) eap_peap: WLAN-AKM-Suite = 1027073
(9) eap_peap: Framed-MTU = 1400
(9) Virtual server otpme received request
(9) EAP-Message =
0x022b003f1a022b003a3106a05c6e463eb6c51b322211d9918db400000000000000002d5a72c8ea7f1462f326cb9167cd3ef55e1d254c2141aafa0074657374
(9) FreeRADIUS-Proxied-To = 127.0.0.1
(9) User-Name = "test"
(9) State = 0x4d7ab8054d51a258be49ba37bb208c58
(9) NAS-Identifier = "ap01-hbap"
(9) Called-Station-Id = "B4-4B-D6-26-BA-86:hboss"
(9) NAS-Port-Type = Wireless-802.11
(9) Service-Type = Framed-User
(9) NAS-Port = 3
(9) Calling-Station-Id = "A6-5F-75-98-A5-06"
(9) Connect-Info = "CONNECT 54Mbps 802.11a"
(9) Acct-Session-Id = "EEFF590BE3BB6A1C"
(9) WLAN-Pairwise-Cipher = 1027076
(9) WLAN-Group-Cipher = 1027076
(9) WLAN-AKM-Suite = 1027073
(9) Framed-MTU = 1400
(9) WARNING: Outer and inner identities are the same. User privacy is
compromised.
(9) server otpme {
(9) session-state: No cached attributes
(9) # Executing section authorize from file
/var/run/otpme/freeradius/radiusd.conf
(9) authorize {
(9) eap: Peer sent EAP Response (code 2) ID 43 length 63
(9) eap: No EAP Start, assuming it's an on-going EAP conversation
(9) [eap] = updated
(9) if (!control:Auth-Type) {
(9) if (!control:Auth-Type) -> FALSE
(9) } # authorize = updated
(9) Found Auth-Type = EAP
(9) # Executing group from file /var/run/otpme/freeradius/radiusd.conf
(9) Auth-Type EAP {
(9) eap: Removing EAP session with state 0x4d7ab8054d51a258
(9) eap: Previous EAP request found for state 0x4d7ab8054d51a258,
released from the list
(9) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(9) eap: Calling submodule eap_mschapv2 to process data
(9) eap_mschapv2: # Executing group from file
/var/run/otpme/freeradius/radiusd.conf
(9) eap_mschapv2: Auth-Type MS-CHAP {
otpme.py: adding MS-CHAP2-Success:
'3S=c3971529e7869293a9a388ede7e667182aeaa22c'
otpme.py: adding MS-MPPE-Send-Key: 'c7726ce0b854c17314668bc50df88203'
otpme.py: adding MS-MPPE-Recv-Key: '7019a1e6577898bd8acfecd45e55a41d'
otpme.py: adding MS-MPPE-Encryption-Policy: '0x00000001'
otpme.py: adding MS-MPPE-Encryption-Types: '0x00000006'
otpme.py: adding Auth-Type: 'MS-CHAP'
authenticate - 'reply:Reply-Message' = 'Authentication successful'
authenticate - 'reply:MS-CHAP2-Success' =
'0x33533d63333937313532396537383639323933613961333838656465376536363731383261656161323263'
authenticate - 'reply:MS-MPPE-Encryption-Policy' = '0x00000001'
authenticate - 'reply:MS-MPPE-Encryption-Types' = '0x00000006'
authenticate - 'reply:MS-MPPE-Send-Key' =
'0xc7726ce0b854c17314668bc50df88203'
authenticate - 'reply:MS-MPPE-Recv-Key' =
'0x7019a1e6577898bd8acfecd45e55a41d'
authenticate - 'config:Auth-Type' = 'MS-CHAP'
(9) eap_mschapv2: [python_otpme] = ok
(9) eap_mschapv2: } # Auth-Type MS-CHAP = ok
(9) eap_mschapv2: MSCHAP Success
(9) eap: Sending EAP Request (code 1) ID 44 length 51
(9) eap: EAP session adding &reply:State = 0x4d7ab8054c56a258
(9) [eap] = handled
(9) } # Auth-Type EAP = handled
(9) Using Post-Auth-Type Challenge
(9) Post-Auth-Type sub-section not found. Ignoring.
(9) } # server otpme
(9) Virtual server sending reply
(9) Reply-Message = "Authentication successful"
(9) EAP-Message =
0x012c00331a032b002e533d63333937313532396537383639323933613961333838656465376536363731383261656161323263
(9) Message-Authenticator = 0x00000000000000000000000000000000
(9) State = 0x4d7ab8054c56a258be49ba37bb208c58
(9) eap_peap: Got tunneled reply code 11
(9) eap_peap: Reply-Message = "Authentication successful"
(9) eap_peap: EAP-Message =
0x012c00331a032b002e533d63333937313532396537383639323933613961333838656465376536363731383261656161323263
(9) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(9) eap_peap: State = 0x4d7ab8054c56a258be49ba37bb208c58
(9) eap_peap: Got tunneled reply RADIUS code 11
(9) eap_peap: Reply-Message = "Authentication successful"
(9) eap_peap: EAP-Message =
0x012c00331a032b002e533d63333937313532396537383639323933613961333838656465376536363731383261656161323263
(9) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(9) eap_peap: State = 0x4d7ab8054c56a258be49ba37bb208c58
(9) eap_peap: Got tunneled Access-Challenge
(9) eap: Sending EAP Request (code 1) ID 44 length 82
(9) eap: EAP session adding &reply:State = 0xac2b487aa5075171
(9) [eap] = handled
(9) } # Auth-Type EAP = handled
(9) Using Post-Auth-Type Challenge
(9) Post-Auth-Type sub-section not found. Ignoring.
(9) session-state: Saving cached attributes
(9) Framed-MTU = 994
(9) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake,
ClientHello"
(9) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake,
ServerHello"
(9) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake,
Certificate"
(9) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake,
ServerKeyExchange"
(9) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake,
ServerHelloDone"
(9) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake,
ClientKeyExchange"
(9) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake,
Finished"
(9) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec"
(9) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake,
Finished"
(9) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(9) TLS-Session-Version = "TLS 1.2"
(9) Sent Access-Challenge Id 213 from 10.219.195.1:1812 to
10.219.195.225:38276 length 140
(9) EAP-Message =
0x012c0052190017030300472209ea55626d5ff1c5bfe6da41424c37ee71bb77118b8f1f51e7bdb050466709030848e8afe46e99cd47ef4337957aa870e14a5a42c006d97a017640d76c88fd54daf3585dae47
(9) Message-Authenticator = 0x00000000000000000000000000000000
(9) State = 0xac2b487aa50751714e974a6b4baa7cab
(9) Finished request
Waking up in 4.0 seconds.
2
3
Hi,
I have a FreeRADIUS backend–proxy setup which I was previously running on FreeRADIUS 3.2.1 without any issues.
After upgrading the backend-proxy to FreeRADIUS 3.2.8, I noticed a change in behavior:
for users with static IP addresses, a Message-Authenticator attribute suddenly appears in Accounting-Response packets.
This only happens for sessions where the IP address is not present in radippool (i.e. static IP users).
Dynamic IP (CGNAT) users do not show this behavior.
My configuration has always been the same, and the default behavior did not change on my side.
Below is the debug output from the proxy side showing where the Message-Authenticator is added to the Accounting-Response:
56) Proxy-State = 0x323533
(56) Clearing existing &reply: attributes
(56) Received Access-Accept Id 3 from 10.2.134.250:1813 to 172.18.0.2:50949 length 43
(56) Message-Authenticator = 0xcb7e447acd6eb189578d5ec25a844b36
(56) Proxy-State = 0x323533
(56) server default {
(56) }
(56) Sent Accounting-Response Id 253 from 172.18.0.2:1813 to 193.192.126.156:1646 length 38
(56) Message-Authenticator = 0xcb7e447acd6eb189578d5ec25a844b36
(56) Finished request
(56) Cleaning up request packet ID 253 with timestamp +5 due to done
Below is the relevant part of my accounting configuration.
This has been in place for a long time, and I am not sure why accept was originally used here:
ippoolv4 {
fail = 1
noop = 2
notfound = 3
}
if (fail) {
accept
}
if (noop) {
accept
}
if (notfound) {
accept
}
I could not find clear documentation explaining what accept actually does in the accounting section, and how it affects the generated response.
My questions are:
Does using accept here cause FreeRADIUS to internally treat this as an Access-Accept, even though this is an Accounting-Request?
Could this be the reason why an Access-Accept is received from the backend on the accounting port, and why a Message-Authenticator is added to the Accounting-Response?
Has the behavior of accept in accounting changed between 3.2.1 and 3.2.8?
Any clarification on the semantics of accept in accounting, or pointers to relevant documentation or changelogs, would be greatly appreciated.
Thanks in advance.
3
2
Hi,
I try to configure a private network with a WiFi Access Point using WPA3-Enterprise with a RADIUS server on a Raspberry Pi 3 Model B with FreeRADIUS (v3.2.7) and EAP-TLS 1.3 as authentication protocol. I ran the bootstrap script file to generate the example PKI, I installed client key/certificate and CA certificate on my Windows 11 PC. It works well.
However, after generating my own PKI with the same pattern (One CA generating a server certificate and a client certificate), and installing client key/certificate and CA certificate in my certificate store the same way I did for example ones, it doesn't work.
>From the debug output it seems that client PC says that the server certificate is issued by an unknown CA but it is installed the same way that the example one. Also, I verified that the server certificate from my custom PKI is correct and has been issued by the custom CA whose certificate is installed in my PC's certificate store. I made sure also I added the correct usage extension for WiFi.
I can't find solution on the web or similar problem, neither from Chat-GPT.
Attached to this email, you will find both freeradius -X outputs from the example CA and the custom one. Also, you will find the certificates from both PKI.
Have a good day,
D. AUBIN
3
2
Unless there is significant support for updates to 3.0.x, we are going to declare it "EOL". The only changes to it will be patches to address any security flaws which may be discovered. There are a few reasons for this decision:
* The OpenSSL APIs have changed significantly in recent years. v3.2.x has been updated to support the new APIs, but the changes have not been back-ported to the v3.0.x branch.
* Back-porting these changes would require a fair bit of work.
* 3.0.x currently works on older operating systems, so it can continue to be used there.
* However, if the OS is upgraded, you will like need to upgrade to 3.2.x.
* 3.2.x has a number of changes to the RadSec code, and it would take a significant effort to back-port those to 3.0.x.
* most new OS distributions have moved to 3.2.x already.
We will continue to support 3.0.x for people who are using it. But any new functionality will be in 3.2, and any new OS distributions are shipping 3.2.x.
Questions or comments are welcome.
Alan DeKok.
2
1
04 Dec '25
Hello
I just installed : *Ubuntu *24.04.2 LTS" and *FreeRADIUS *Version 3.2.5
We use our LDAP directory for authentication using the `userpasswd`
field, which is encoded in SCYPT (EAP/TTLS/PAP).
Everything works fine, but it's impossible to perform "LDAP over TLS
or SSL" (start_tls = yes in module ldap )
Here's the error message :
*!! libldap is using GnuTLS, while FreeRADIUS is using OpenSSL
!! There may be random issues with TLS connections due to this
conflict.
!! The server may also crash.
*
* !! See https://wiki.freeradius.org/modules/Rlm_ldap for more
information.*
How can I fix ? Should I install another library like `libldap`?
Thanks, Marc
--
2
1
freeradius 3.2.8 on debian 13 Trixie Depends libperl5.36 (>= 5.36.0) while libperl5.40/stable,now 5.40.1-6 amd64 is installed
by Joost Ringoot 03 Dec '25
by Joost Ringoot 03 Dec '25
03 Dec '25
Hi,
In Debian 13, the stable freeradius is 3.2.7 and no update in the backports
On the https://www.freeradius.org/ website, the recommended stable version is 3.2.8
There is a repo for debian 12 and for ubuntu 24.04 on
https://packages.inkbridgenetworks.com/#fr32-debian-bookworm
https://packages.inkbridgenetworks.com/#fr32-ubuntu-noble
The procedure looks identical.
I tried that procedure
https://packages.inkbridgenetworks.com/#fr32-debian-bookworm
root@radius:/etc/apt# apt install freeradius
Solving dependencies... Error!
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:
Unsatisfied dependencies:
freeradius : Depends: libperl5.36 (>= 5.36.0) but it is not installable
Depends: libfreeradius3 (= 3.2.8-2) but it is not going to be installed
Recommends: freeradius-utils but it is not going to be installed
Recommends: freeradius-python3 but it is not going to be installed
Error: Unable to correct problems, you have held broken packages.
Error: The following information from --solver 3.0 may provide additional context:
Unable to satisfy dependencies. Reached two conflicting decisions:
1. freeradius:amd64=3.2.8-2 is selected for install
2. freeradius:amd64=3.2.8-2 Depends libperl5.36 (>= 5.36.0)
but none of the choices are installable:
[no choices]
root@radius:/etc/apt#
root@radius:/etc/apt# apt search libperl5
libperl5.40/stable,now 5.40.1-6 amd64 [installed,automatic]
shared Perl library
root@radius:/etc/apt#
I am now considering: what would be the best option:
1. install radius 3.2.7 on debian trixie from it's standard repository
2. install debian 12 and try to install radius 3.2.8 from the inkbridge repo
3. try to fool the 3.2.8 inkbridge debian package into believing that the installed libperl5.40 is libperl5.36
4. try to install freeradius 3.2.8 from the tgz on https://www.freeradius.org/releases/ on debian trixie 13
What do you suggest? Any issues that you had?
Best regards,
Joost
2
1